Defined behavior for shifting with oversized or negative values.

[SRNissen]

This is an outgrowth of a brief discussion I had on /r/cpp_questions

Background:

With the standardization of [[assume()]] in C++23, we have reached a point where regular C++ could chose to accept the performance sacrifice of clamping shift values to fully definine the behavior of outsized shifts, letting you opt back in to the older (faster, unclamped) behavior by stating that you assume your value is valid for shifting without clamping.

(see godbolt, or the end of this post, for an example where shifting is fully defined in the default case, and where that same shifting function emits assembly identical to an old style UB shift in the face of assumptions)

Suggestion for cppfront

In the spirit of "Safety first unless you opt in to faster unsafe behavior," I would like to suggest that shifting left and right, by any value, should be fully defined behavior unless you opt in to the faster UB implementation.

Alternatively, if changing the semantics of operators isn't in scope for this project, >> and << should emit warnings on every use and a "safe shift left" and "safe shift right" function should be available.

I have no opinion on whether a shift with a negative value should be skipped, or whether it should produce a shift in the opposite direction or, dark horse candidate, if there should only be one shift operator and the sign of the shift value determines shift direction.

Example code

Godbolt

When compiled, the safe shift emits more instructions than the two unsafe shifts, but does not do any extremely silly things like branch on the shift value.

Importantly: The unsafe shift with explicit assumptions emits the exact same assembly as the old-style unsafe shift with implicit assumptions, despite using the same shift function as the safe shift.

// Compilation: x86-64 gcc trunk, -std=c++23 -Wall -Wextra -Wpedantic -O3

#include <algorithm>

char produce_char();
int produce_integer();
void consume(char c);

inline auto shift_right(auto a, int i) -> decltype(a) {
    i = std::clamp<int>(i, 0, ((sizeof a) * 8) - 1);
    return a >> i;
}

void default_shift_right_is_safe() {
    char c = produce_char();
    int i = produce_integer();
    c = shift_right(c,i);
    consume(c);
}

void explicitly_unsafe_shift(){
    char c = produce_char();
    int i = produce_integer();
    [[assume(0 <= i && i <= 7)]]; // excplicit assumption that i is legal to shift with
    c = shift_right(c,i);
    consume(c);
}

void implicitly_unsafe_shift() {
    char c = produce_char();
    int i = produce_integer();
    c = c >> i; //Implicitly [[assumes]] that i is legal to shift with
    consume(c);
}

[SRNissen]

NB: I have only checked for shift right. I would be terribly embarrassed if it turns out this doesn't work for left shifting but my wrist is acting up so I'll let it rest.