Enable `-fstrict-overflow`

[matthiasgoergens]

At the moment we compile releases with -fwrapv which makes the code a bit safer, but disables certain optimizations. From the GCC docs:

This option instructs the compiler to assume that signed arithmetic overflow of addition, subtraction and multiplication wraps around using twos-complement representation. This flag enables some optimizations and disables others.

My experiments with running sanitisers seem to suggest that we are nearly already ready for -fno-wrapv (or -fstrict-overflow in general). Doing so could lead to quite a few speedups, but we would need to be more careful with the code we write.

It might be worthwhile to get a few benchmarks.

(To be extra precise, we give -fwrapv for clang and gcc for any build that doesn't get --with-pydebug.)

Pitch

My plan right now is to adapt the build system so that only the modules that need it are build with -fwrapv, and the rest can be build with -fstrict-overflow.

We already have config machinery that can add specific CFLAGS for specific modules only.

Perhaps the whole thing can be gated behind a configure flag, like --with-strict-overflow.

If everything goes well, and this improves performance we can consider adding this functionality to one of the standard optimization options.

We can also work on making more modules -fstrict-overflow safe.

Previous discussion

@markshannon @ericsnowcurrently

Brought up on faster-cpython/ideas#458 and inspired by #96678

Some previous issues around -fwrapv:

• https://bugs.python.org/issue11149
• https://bugs.python.org/issue1621
• https://bugs.python.org/issue1608

I'm sure there are more.

Progress so far

As far as is currently known, the three remaining modules that rely on defined integer overflow are fixed by:

• _struct: gh-96735: Fix undefined behaviour in struct unpacking functions #96739
• audioop: gh-96821: Fix undefined behaviour in audioop.c #96923
• _ctypes: gh-96821: Fix undefined behaviour in _ctypes/cfield.c #96925

Linked PRs

• gh-96821: Add config option --with-strict-overflow #96823
• gh-96821: Check for -fstrict-overflow only if --with-strict-overflow is passed #139595

[ericsnowcurrently]

This is definitely worth exploring!

[ericsnowcurrently]

but we would need to be more careful with the code we write.

What do you mean by that?

More concretely:

• what would need to be done (or not done) specifically?
• would this mean adding to PEP 7?
• what would that text say?
• would we add some explanation to the devguide?

[ericsnowcurrently]

Also, do clang and msvc have something similar?

[ericsnowcurrently]

In gh-96823 I asked about detecting compatibility for the compile flag. This is probably the better place to discuss that.

Basically, how can we detect that a C file can be built with -fstrict-overflow or that it can't?

[matthiasgoergens]

I ran clang's undefined behaviour sanitiser and address sanitiser over the test suite to detect the modules that need defined overflow.

Of course, strictly speaking a detection this way can only show the presence of the need for defined overflow, but it cannot show the absence of such a need.

But that's no different from any other bug or undefined behaviour, and we just rely on the additional assumption that our test suite has enough coverage.

Small complicating detail: when you use the conpiler flag to make signed integer overflow into defined behaviour, the sanitisers no longer complain about it.

So if you want to check if the flag is still necessary for a module, you need to temporarily turn it off.

[matthiasgoergens]

Clang definitely has this flag. We actually use clang for the sanitisers.

I don't know about msvc. There's no trace of anything like this in their docs https://docs.microsoft.com/en-us/cpp/build/reference/compiler-options-listed-by-category?view=msvc-170#code-generation

But we can just stick to the current situation here:

Only gcc and clang explicitly get flags about overflow, and for the other compilers we just hope and pray.

(The situation will actually improve for the other compilers, when we make all modules strict-overflow safe.)

For the actual implementation, I'll probably make configure check for the flags directly, instead of checking for the name and version of the compiler.

[matthiasgoergens]

I had a look at PEP 7. The relevant section is https://peps.python.org/pep-0007/#c-dialect

The PEP says to use C11 and doesn't mention any deviation from that for overflow. So our code should already avoid signed integer overflow. At this point that's more of an aspiration than reality, though.

So to some extent, we could describe the effort here as part of implementing PEP 7.

Strictly speaking we don't need to change anything, but I think pragmatically we should make a note that up to 3.11 signed integer overflow was tacitly tolerated, but that beginning from 3.12 we are sticking to the standard. I created a draft PR python/peps#2796 for how that could look like. (Please suggest better wording, if you have ideas.)

(Additionally, I also notice that when I am building I am getting a few warnings here or there, but the PEP suggests that we shouldn't be getting any warnings. Perhaps I'll spend a bit of time fixing the code (or suppressing these warnings in known instances that we can't or won't fix.))

[matthiasgoergens]

Another thing: whatever policy we decide on, we should probably fix that --with-pydebug seemingly arbitrarily gives you a different policy.