appellations a day ago

    Add(x,y):
       Assert( x >= 0 && y>= 0 )
        z = x + y
        Assert( z >= x && z >= y )
        return z
There’s definitely smarter ways to do this, but in practice there is always some way to encode the properties you care about in ways that your assertions will be violated. If you can’t observe a violation, it’s not a violation https://en.wikipedia.org/wiki/Identity_of_indiscernibles
Reply View 9 replies
  • [removed] a day ago
    [deleted]
    Reply View 0 replies
  • bluGill a day ago

    In some languages overflow is asserted as a can't happen and so the optimizer will remove your checks

    Reply View 7 replies
    • appellations a day ago

      Best I can tell is that overflow is undefined behavior for signed ints in C/C++ so -O3 with gcc might remove a check that could only be true if UB occurred.

      The compound predicate in my example above coupled with the fact that the compiler doesn’t reason about the precondition in the prior assert (y is non-negative) means this specific example wouldn’t be optimized away, but bluGill does have a point.

      An example of an assert that might be optimized away:

          int addFive(int x) {
        int y = x + 5;
        assert(y >= x);
        return y;
    }
      Reply View 2 replies
      • uecker a day ago

        Yes, you can not meaningfully assert anything after UB in C/C++. But you can let the compiler add the trap for overflow -fsanitize=signed-integer-overflow -sanitize-trap=all, or you could also write your assertion in a way where it does not rely on the result (e.g. ckd_add), or you use "volatile" to write in a way the compiler is not allowed to assume anything.

        Reply View 0 replies
    • appellations a day ago

      Care to share a language where the compiler infers the semantic meaning of asserts and optimizes them away? I’ve never heard of this optimization.

      Reply View 3 replies