Again, I am not saying "go ahead and don't care about UB". I know what it is; I know what it can do. Just don't make it a big deal. You (plural) make it sound like it's impossible to build a system with C or any other language that allows UB, because it probably runs by coincidence. Yet the world keeps spinning and super safe flashy languages are still running on top of UB-filled OSes written in C.
> I should hope your safety-critical code is not permitted to contain known instances of unintended undefined behaviour.
It's not.
> Also, it's UB, not UD.
Now that you mention it, I checked my other comments I wrote from my phone and noticed it changed UB to UD.
I don't think we are claiming what you say we are claiming.
I know I'm only responding because of your claim that you can know what your code does even in the face of undefined behavior.
I think this more accurately describes my position:
Code without undefined behavior can absolutely run just fine.
Code with undefined behavior is a problem waiting to happen.
Code with undefined behavior that happens to run the way you want is a happy accident. The longer it runs correctly the luckier you are.
Code in safety systems should not contain undefined behavior.
I would encourage everyone to be aware of undefined behavior, get rid of it when they know of it, and take steps to be proactive against it. For code in safety systems I would require these things if it were up to me.
Disagree. UB in C can mean your program silently going off the rails in a way that isn't possible in many other languages. UB really can manifest in bizarre and scary ways on real platforms. [0][1][2][3] If it isn't manifesting that way in your case, that's just good fortune.
> I still have to find a bug or fail a test because some strange UD
I should hope your safety-critical code is not permitted to contain known instances of unintended undefined behaviour. (There can be exceptions where UB is truly intended. JIT compilation always relies on UB, for instance, not that this would apply to safety-critical code.)
If your program contains undefined behaviour, that means that at best, it works by coincidence. Safety-critical code should not work by coincidence, it should be correct by construction (to steal a term from the formal methods world).
Also, it's UB, not UD.
[0] https://devblogs.microsoft.com/oldnewthing/20140627-00/?p=63...
[1] https://cryptoservices.github.io/fde/2018/11/30/undefined-be...
[2] https://blog.regehr.org/archives/759
[3] https://blog.regehr.org/archives/767
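The comment above says UB "works by coincidence" and can manifest in bizarre ways on real platforms. The following is an added illustration (not code from anyone in this thread) of two classic cases the linked articles describe in more detail: a signed-overflow check that a conforming compiler may delete, and a null check placed after the dereference it is meant to guard. Beside each is the well-defined form. Function names, the HEADER constant and the sample inputs are made up for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed "payload length plus fixed header" computation (hypothetical). */
#define HEADER 16

/* UB version: `n + HEADER < n` is meant to catch wraparound, but signed
 * overflow is undefined, so the compiler may assume it never happens and
 * remove the check.  For n near INT_MAX, what you get back depends on the
 * compiler and optimisation level: -1, a negative garbage length, or a trap.
 * That is what "works by coincidence" means in practice. */
int total_len_ub(int n)
{
    if (n + HEADER < n)          /* overflow here is UB; may be optimised away */
        return -1;
    return n + HEADER;
}

/* Well-defined replacement: test the bound before the addition, so no
 * path ever performs a signed overflow.  Returns -1 on invalid input. */
int total_len_checked(int n)
{
    if (n < 0 || n > INT_MAX - HEADER)
        return -1;
    return n + HEADER;
}

/* UB version: the dereference happens first, so the compiler may treat
 * `p` as provably non-null and delete the check that follows it.
 * Calling this with NULL is UB regardless of what the check looks like. */
int first_byte_ub(const unsigned char *p)
{
    unsigned char c = *p;        /* dereference before the null check */
    if (p == NULL)               /* compiler may drop this entirely   */
        return -1;
    return c;
}

/* Well-defined replacement: check before use. */
int first_byte_checked(const unsigned char *p)
{
    if (p == NULL)
        return -1;
    return *p;
}

/* Stand-alone demo.  Build with -fsanitize=undefined (GCC/Clang) to have
 * UBSan report the overflow in total_len_ub at run time instead of
 * relying on luck; the checked versions produce no report. */
int main(void)
{
    static const unsigned char sample[] = { 0x42, 0x00 };  /* constructed input */

    printf("checked(100)        = %d\n", total_len_checked(100));
    printf("checked(INT_MAX)    = %d\n", total_len_checked(INT_MAX));
    printf("checked(INT_MAX-16) = %d\n", total_len_checked(INT_MAX - HEADER));
    printf("first_byte(sample)  = %d\n", first_byte_checked(sample));
    printf("first_byte(NULL)    = %d\n", first_byte_checked(NULL));

    /* Only call the UB versions on inputs for which they are defined. */
    printf("ub(100)             = %d\n", total_len_ub(100));
    printf("ub first_byte       = %d\n", first_byte_ub(sample));
    return 0;
}
```

The point of the pairing is that the UB versions and the checked versions behave identically on ordinary inputs, so a test suite that never feeds INT_MAX or NULL will pass either way; only the checked versions are correct on all inputs, and only they can be reasoned about without knowing which compiler flags were used.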