Yup! I sure did. I have red on my face!

...
In the context of the C standard, "observable behavior" is a term with a
precisely specified meaning which is NOT "behavior which can be
observed". That definition does not cover function calls, not even those
with external linkage. What the standard says about what optimizations
are permitted is in terms of "observable behavior", NOT "behavior which
can be observed".
And the C standard imposes no requirement that such behavior occur as
described by the abstract semantics. Only actual observable behavior, as
that term is defined by the C standard, must occur as if those semantics
were followed - whether or not they actually were.

...
Translation phases are specified solely for the purpose of expressing
the precedence of the corresponding semantic rules. The standard
explicitly allows for the phases to be intermingled or even done out of
order, so long as the observable behavior is behavior that would be
permitted if they had been done in the order specified.
And the standard imposes no requirements on those externally visible
features, only on some (but not ALL) of the behavior that results from
executing the program.

That is "observable" in the same sense that the size of a compiled
object file is "observable" by executing "ls -l". It is not "observable
behaviour" as defined by the C standards.

C defines "observable behaviour" for /programs/. Not for translation
units, or translated translation units (what one might call an "object
file" - be it assembly, machine code, or internal compiler-specific
formats).

For C, it makes no sense to talk about "observable behaviour" for a
unit. It is only by linking the unit to your test harness that you get
a "program", which then has "observable behaviour".
The contents of an object file - or the instructions used in a complete
program - are not "observable behaviour" in C. Again, I refer you to
5.1.2.2.2p6.
The text also says (in footnotes) that the phases are for conceptual
description only, and in practice they are typically folded together.
Removal of unreferenced material at link time is very common. In some
fields, it is standard practice to use compiler and linker flags geared
at making this easier. It is not really any different than using static
libraries - the linker will load all requested static libraries, then
throw out all parts that are not transitively reachable from non-library
code.

The inclusion or not of material in the program image is not directly
observable behaviour in C - there is no way to write portable C code to
determine if the function "foo" has been included in the image despite
never being referenced. (You can, of course, have the linker include
information about the image inside the image itself and read that with
volatile accesses from within the program.)

In small-systems embedded programming, "-ffunction-sections" and
"-fdata-sections", along with "-Wl,--gc-sections", are almost invariably
used for gcc to reduce the size of the final image. It makes it much
more practical to write re-usable code even if not all functions are
used in any given application. I have never heard of it "causing
issues", and I cannot see how it might be non-conforming. (And if it is
not a conformance issue, how is it relevant here?)
The C standard doesn't deal with CPU instructions. It does not have a
concept of "running" a translated translation unit - you can only run a
complete program, at which point there is no distinction between the
translation units that are "collected" into the program image. It's all
fused together into one big lump, with one set of observable behaviours.

An unlinked translation unit has no observable behavior in the way that
term is defined by the standard.
And a "call" instruction in a program consisting of a single translation
unit can be observed in a variety of ways. That doesn't make it
"observable behavior".

Are you using the phrase "observable behavior" in a sense other than
what's defined in N1570 5.1.2.3?

[...]
Is the "call" instruction *observable behavior* as defined in 5.1.2.3?

[...]
The standard doesn't mention either adding or removing instructions.

Running a program under a test harness is effectively running a
different program. Of course it can yield information about the
original program, but in effect you're linking the program with a
different set of libraries.

I can use a test harness to observe whether a program uses an add or inc
instruction to evaluate `i++` (assuming the CPU has both instructions).
The standard doesn't care how the increment happens, as long as the
result is correct. It doesn't care *whether* the increment happens
unless the result affects the programs *observable behavior*.

What in the description of translation phases 7 and 8 makes
behavior-preserving optimizations valid in phase 7 and forbidden in
phase 8? (Again, insert weasel words about unspecified behavior.)

Again, you are inferring far too much here. The standard is /not/
limiting like this.

Compilers can make use of all sorts of additional information. They
have always been able to do so. They can use extra information provided
by compiler extensions - such as gcc attributes. They can use
information from profiling to optimise based on real-world usage. They
can analyse source code files and use that analysis for optimisation
(and hopefully also static error checking).


Consider this:

A compiler can happily analyse each source code file in all kinds of
ways, completely independently of what the C standards (or perhaps, by
happy coincidence, using the same types of pre-processing and
interpretation). This analysis can be stored in files or some other
storage place. Do you agree that this is allowed, or do you think the C
standards somehow ban it? Note that we are calling this "analysis" -
not C compilation.

Now the compiler starts the "real" compilation, passing through the
translation phases one by one. When it gets to phase 7, it reads all
this stored analysis information. (Nothing in the standards says the
compiler can't pull in extra information - it is quite normal, for
example, to pull in code snippets as part of the compilation process.)
For each translation unit, it produces two outputs (in one "fat" object
file) - one part is a relatively dumb translation that does not make use
of the analysis, the other uses the analysis information to generate
more optimal code. Both parts make up the "translator output" for the
translation unit. Again, can you point to anything in the C standards
that would forbid this?

Then we come to phase 8. The compiler (or linker) reads all the
"translator output" files needed for the complete program. It checks
that it has the same set of input files as were used during the
pre-compilation analysis. If they are all the same, then the analysis
information about the different units is valid, and thus the
optimisations using that extra information are valid. The "dumb
translation" versions can be used as a fallback if the analysis was not
valid - otherwise they are thrown out, and the more optimised versions
are linked together.

There is nothing in the description of the translation phases that
hinders this. All the compiler has to do is ensure that the final
program - not any individual translation units - has correct observable
behaviour.


I would also refer you to section 1 of the C standards - "Scope". In
particular, note that "This document does /not/ specify the mechanism by
which C programs are transformed for use by a data-processing system".
(Emphasis mine.) The workings of the compiler are not part of the standard.
The point is that many things are local to a translation unit, such as
statics, type definitions, and so on. These are valid within the
translation unit (within their scope, of course), and independent of
identically named items in other translation units. It is about
defining a kind of "unit of compilation" for the language semantics - it
is /not/ restricting the behaviour of a compiler.

LTO does not change the language semantics in any way. The language
semantics determine the observable behaviour of the program, and we have
already established that this must be unchanged. Generated instructions
for a target are not part of the language semantics.
It does so all in terms of what a compiler /may/ do.

And there is never any specification of the result of a "translation".
It can happily be byte-code, or internal toolchain-specific formats.
No.
You could do that if you like (after manipulating things to handle
statics, type definitions, etc.).

And you would then find that if "foo()" in "foo.c" called "bar()" in
"bar.c", the call to "bar()" might be inlined, or omitted, or otherwise
optimised, just as it could be if they were both defined in the same
translation unit.

The result would be the same kind of object code as you get with LTO -
one in which the observable behaviour is as expected, but you might get
different details in the generated code.

I don't know why you would think that this kind of combination of units
is conforming, but LTO is not. It's all the same thing in principle -
the only difference is that real-world implementations of LTO are
designed to be scalable, do as much as possible in parallel, and avoid
re-doing work for files that don't change.

Some link-time optimisation or "whole program optimisation" toolchains
are aimed at small code bases (such as might fit into a small
microcontroller) and combine all the source code together then handle it
all at once. Again, the principles and the semantics are not any
different from gcc LTO - it's just a different way of splitting up the work.
No, it is not.

The C standards don't talk about LTO, or whether or not it is enabled,
or what is "default", or even what kind of code generation you get.

If the compiler knows that a function call will not have or affect
observable behaviour, it can omit that call. It does not matter how it
knows this. LTO is a very practical way to get this information, but it
might not be the only way. Profile-guided optimisation information may
provide the same information. So could attributes given in the function
declaration (and a future C standard will likely support such attributes).

But if the compiler doesn't know for sure that it is safe to omit the
call, then it must generate it. Correctness trumps optimisation!
No one is suggesting doing "nonconforming things".

To give a simple example, suppose your unit is intended to perform some
calculations and then call a callback with the result. In a test
harness, you would provide a callback that checks the result against the
expected value, and provides a pass/fail log message. In production
use, you would provide a callback that pops up a window with the value,
or sends it in an email to the user. The observable behaviour of the
production program and the test program is very different.

In fact, unless you are testing the production version, or you are
producing a test harness, you would normally expect very different
observable behaviours from any unit testing and real usage of the code.
Again, claiming this will not make it true. You need to update your
ideas about what observable behaviour actually is.
The phrase "de facto" is an admission that you understand that none of
this is part of the /actual/ standards. You have dropped from "the
official standards make this clear" down to "I think this".
All such boundaries are lost in the link stage, before observable
behaviour becomes relevant.
Nonsense.

The compiler-generated code must produce the correct observable
behaviour. It can do that however it likes. It can put a call to
"printf" directly in "foo". It can replace the "printf" with a "puts"
or a series of target-specific "write_a_char" calls if the results are
the same.

C is defined in terms of behaviour, not particular instruction
sequences. If you write "x = y * 4;", the compiler can generate
instructions that look like "x = y + y + y + y;", or "x = y * 2; x = x +
y + y;", or "x = y << 8 - (2 * y + 3 * y - y)_;", or anything it likes
as long as the result is correct (and obviously avoiding any extra
overflows).
Calling it "de facto observable behaviour" is just confusing your
understanding here. But you can well say that if B is observed, that
means A must have happened.

However, you have not in any way shown that A (in this case,
instructions to call the function "bar") is the only way to result in
the observable behaviour.
Nope.
Nope.
That would be a better way to put it. But it is still not the case here.
The compiler can omit the call to "bar" if it is sure that it results in
no observable behaviour. It cannot omit it if it is not sure of this.
It is /that/ simple.
Wrong.

This is really the crux of your misunderstandings. You have read
between the lines of the standard and imagined rules that don't exist.
Once you realise that they are imaginary, I expect the rest to fall into
place.
The C standards also don't describe drinking coffee while waiting for
the compiler. Just because something is not mentioned, does not mean it
is forbidden!
Indeed. I am "some people" in this context.
Agreed.

But "-ffast-math" was already covered, and is irrelevant precisely
because it is entirely clear that it is potentially standards-violating.
(But it is not "forbidden". I have yet to see any ISO C police
enforcers at my office door, waving a warrant.)

I wanted to know if you had other examples of what you see as
standards-violating optimisations that are not documented as such.
It would run counter to the whole point of having a standard.
Yes, but they are clear about that. (At least, gcc is - I haven't read
the documentation for clang as thoroughly, and have barely touched MSVC.)

It is absolutely fine for a compiler to have conforming and
non-conforming modes. But it is /not/ fine for it to have a major part
of its optimisation that is as critically non-conforming as you seem to
believe, and not even mention this fact.
The good reasons are that not all setups support it (it needs particular
linkers), it can significantly increase build times, it makes some kinds
of debugging nearly impossible, it plays badly with other tools such as
profilers and code coverage analysis, and you can have trouble if you
are doing weird things with compiler and linker file interaction or some
other kinds of non-standard C coding.

And like many optimisations, it can change the behaviour of incorrect
code that happens to work by luck with different choices of optimisation
settings.

Those are all very good reasons for not enabling it for default, when
the results are often only a few percent improvement in efficiency (for
some code, it can be a lot more helpful).

Most compilers don't enable /any/ significant optimisation by default.
If it /were/ nonconforming, I think that would deserve huge attention.
But it is not.

There is no question that LTO is a "valid" optimization for reasonable
definitions of valid.
That alone is a problem.
That adds up to requirements that are /obviously/ violated by LTO.

Someone might reach a different conclusion simply by reading the
black-and-white text, which obviously spells out what is required.

When reading the standard, you can't just ignore bits you think
are wrong.

It may be the case that a strictly conforming program cannot tell
whether these requirements are violated.

Strictly conforming programs are not the be all and end all of what is
important.

In the academic paradigm of a strictly conforming program, a security
problem of bytes not being nulled out (or any other such thing) does not
exist.
No, it's not that easy to address. The standard should make explicit
provisions for LTO. There should be an optional translation phase
between the current 7 and 8 in which translation units may be
partitioned into subsets, an then subject to semantic analysis
and further translation within the subsets, prior to linking.

The standard wouldn't describe how the partitioning is requested from
the implementation, since it is part of the manner in which a program is
presented to it. All implementations should support a translation mode
in which no partitioning into subsets takes place.

I /do/ understand why Kaz thinks the way he does. I am just trying to
show that his interpretation is wrong, so that he can better understand
what is going on, and how to get the behaviour he wants.
I would be entirely happy to see clearer wording in the standards here,
or at least some footnotes saying what is allowed or not allowed.
Oh, I think the C standards committee have done quite well at that. But
doing it /completely/ would clearly be impossible, as different people
have different ideas about how they think C is defined, and how they
think C compilers have to behave. In my line of work, I see plenty of
old code that makes assumptions that are not remotely justified by the C
standards, but which happened to work on the old or limited toolchain
used by the person who wrote the code. If the C standards tried to
codify such practices, or if C compilers tried to make sure that /all/
code that worked with other compilers or older versions works on newer
tools, progress on compilers would be completely stalled and we'd have
no optimisations that weren't already in common use in the 1970's.

What the standards committee try to say is that if code follows C
standard N correctly, then when it is compiled under C standard N+1 it
should have the same semantics and the same behaviour. And they do that
reasonably, but not perfectly.

It would be unreasonable to expect them to guarantee the behaviour of
code under new standards when the code did not have guaranteed behaviour
under the old standards. Using TU boundaries to "get memset to work"
has never been guaranteed.

Granted that someone might follow reasoning like the comments you
gave. Even so, some further reflection should be enough for them to
reconsider their original assessment. In particular, the following:

"A C program need not all be translated at the same time." This
excerpt from the Standard implies that C programs may be translated
in their entirety all at the same time.

Notice the lead in to section 5.1.1.2 p1, describing translation
phases, says "The precedence among the syntax rules of translation
is specified by the following phases." All of phases 1 through 8
involve translation, but they are about when various forms of
source recognition take place, not about when code is generated.

The "semantically analyzed" in translation phase 7 is nothing more
than type determination and verifying constraints are not violated.
Nothing about these analyses changes if optimizations are carried
out in translation phase 8.

Notice that translation phase 8 says translator output is collected
into a program image "which contains information needed for
execution in its execution environment." A reasonable inference
is that all code generation could occur at the end of translation
phase 8, as part of producing that information.

The first two points of paragraph 2 in section 1:
This International Standard does not specify
* the mechanism by which C programs are transformed for use
by a data-processing system;
* the mechanism by which C programs are invoked for use by a
data-processing system;

The key phrase in section 5.1.2.3: "The /least requirements/ on a
conforming implementation are: [...]" [emphasis added].

Nothing in the C standard requires an implementation to generate
executable code. The output of translation phase 7 could be a
machine-independent intermediate form. The output of translation
phase 8 could be the same machine-independent intermediate form.
Executing the program could be running an interpreter on the program
"executable" holding only the machine-independent intermediate
parts, and the interpreter might carry out optimizations at run
time. All of these possibilities are allowed in a conforming
implementation as long as the "least requirements" of 5.1.2.3 are
met.

It's a mistake to draw any firm conclusions based on reading parts
of the standard in isolation. The C standard has been written as a
cohesive whole, and it's important to understand it in the same way.

Related to that, although the C standard gives explicit definitions
for many words and phrases, it also uses words that it does not
define (and presumably are not defined in any of the normative
references, though that may be difficult to verify). When
confronted with one of these non-defined terms, often arguments are
made that a word means X or Y or Z, because of ... (fill in the
blank). It's important to remember that, whatever the case is for X
or Y or Z, what /we/ think doesn't matter; all that does matter is
what the standard's authors (and members of the ISO C committee)
think. The C standard means what the ISO C group thinks it means.
They are the ultimate and sole authority. Any discussion about what
the C standard requires that ignores that or pretends otherwise is
a meaningless exercise.

And some can do it as a side effect of an indirect load, for
example autoindexing on the PDP-8.

This is not the issue the comes up in the OP (or the issue that was
assumed as I don't think the OP has clarified).

There it is not about micro-managing the implementation of x++, but the
compiler deciding it isn't needed at all.

Well, Forth is certainly cruder than C (it's barely a language IMO). But
I don't remember seeing anything in it resembling a type system that
corresponds to the 'i8-i64 u8-u64 f32-f64' types typical in current
hardware. (Imagine trying to create a precisely laid out struct.)

It is just too weird. I think I'd rather take my chances with C.
Hmm, I think my own scripting language is better at low level than any
of these. It supports those low-level types for a start. And I can do
stuff like this:

println peek(0x40'0000, u16):"m"

fun peek(addr, t=byte) = makeref(addr, t)^

This displays 'MZ', the signature of the (low-)loaded EXE image on Windows

Possibly it is even better than C; is this little program valid (no UB)
C, even when it is known that the program is low-loaded:

#include <stdio.h>
typedef unsigned char byte;

int main(void) {
printf("%c%c\n", *(byte*)0x400000, *(byte*)0x400001);
}

This works on DMC, tcc, mcc, lccwin, but not gcc because that loads
programs at high addresses. The problem being that the address involved,
while belonging to the program, is outside of any C data objects.

I don't support arm64 as a native C (only via intermediate C). Why, is
there something peculiar about that architecture?

I would expect that 0x12345678 pattern to still be in memory but
probably not in an immediate instruction field. So if wanted to mark a
location in the code, I might need a different approach.

If I ever do directly target that processor, I'll be able to tell you more.