According to Bernd Schmidt on 12/30/2006 3:24 AM:
> Paul Eggert wrote:
>> That's great, but GCC has had many other hands stirring the pot.
>> I daresay a careful scan would come up with many other examples of
>> undefined behavior due to signed integer overflow. (No doubt
>> you'll be appalled by them as well, but there they are.)
>
> That's handwaving, not evidence. Sorry, I'm unconvinced.
Here's an example from the intprops module of gnulib. At least we have
identified the undefined behavior, but this set of macros is used in
production code (various coreutils, m4, ...) to check for overflow in
command line arguments.

http://cvs.savannah.gnu.org/viewcvs/gnulib/lib/intprops.h?rev=1.7&root=gnulib&view=auto

  /* True if the arithmetic type T is an integer type.  bool counts
     as an integer.  */
  #define TYPE_IS_INTEGER(t) ((t) 1.5 == 1)

  /* True if negative values of the signed integer type T use two's
     complement, ones' complement, or signed magnitude representation,
     respectively.  Much GNU code assumes two's complement, but some
     people like to be portable to all possible C hosts.  */
  #define TYPE_TWOS_COMPLEMENT(t) ((t) ~ (t) 0 == (t) -1)
  #define TYPE_ONES_COMPLEMENT(t) ((t) ~ (t) 0 == 0)
  #define TYPE_SIGNED_MAGNITUDE(t) ((t) ~ (t) 0 < (t) -1)

  /* True if the arithmetic type T is signed.  */
  #define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))

  /* The maximum and minimum values for the integer type T.
     These macros have undefined behavior if T is signed and has padding
     bits.  If this is a problem for you, please let us know how to fix
     it for your host.  */
  #define TYPE_MINIMUM(t) \
    ((t) (! TYPE_SIGNED (t) \
          ? (t) 0 \
          : TYPE_SIGNED_MAGNITUDE (t) \
          ? ~ (t) 0 \
          : ~ (t) 0 << (sizeof (t) * CHAR_BIT - 1)))
  #define TYPE_MAXIMUM(t) \
    ((t) (! TYPE_SIGNED (t) \
          ? (t) -1 \
          : ~ (~ (t) 0 << (sizeof (t) * CHAR_BIT - 1))))

I would really like to see gcc be able to warn when it is exploiting
optimization opportunities based on undefined wrap semantics, so that
code can easily be made robust against overflow without having to rely
on tedious code audits. In my opinion, the expectation of sane overflow
semantics is just too pervasive in existing code to be able to audit
without compiler assistance.

-- 
Don't work too hard, make some time for fun as well!
Eric Blake [EMAIL PROTECTED]
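The following is an added illustration, not code from gnulib or from the message above. It keeps the same TYPE_SIGNED test as intprops.h but derives the type limits by shifting the positive constant 1 (never a negative value, which is what `~ (t) 0 << ...` does in the quoted TYPE_MINIMUM/TYPE_MAXIMUM), so no signed overflow is ever evaluated; it assumes two's complement for TYPE_MINIMUM. It then shows the kind of argument-range check the message has in mind written so that the operands are tested *before* the arithmetic, rather than relying on wraparound after the fact. All names (SAFE_TYPE_MAXIMUM, add_checked, parse_long_or) are this example's own, and the inputs are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not gnulib code).  Same signedness test as intprops.h,
   but the limits are built from the positive constant 1, so no negative
   value is ever shifted and no signed overflow occurs.  SAFE_TYPE_MINIMUM
   assumes two's complement, as most GNU code does (an assumption). */
#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
#define TYPE_WIDTH(t) (sizeof (t) * CHAR_BIT)
#define SAFE_TYPE_MAXIMUM(t) \
  ((t) (! TYPE_SIGNED (t) \
        ? (t) -1 \
        : ((((t) 1 << (TYPE_WIDTH (t) - 2)) - 1) * 2 + 1)))
#define SAFE_TYPE_MINIMUM(t) \
  ((t) (! TYPE_SIGNED (t) ? (t) 0 : - SAFE_TYPE_MAXIMUM (t) - 1))

/* Cross-check the macros against <limits.h>; true if every pair agrees. */
static bool
limits_agree (void)
{
  return SAFE_TYPE_MAXIMUM (signed char) == SCHAR_MAX
         && SAFE_TYPE_MINIMUM (signed char) == SCHAR_MIN
         && SAFE_TYPE_MAXIMUM (int) == INT_MAX
         && SAFE_TYPE_MINIMUM (int) == INT_MIN
         && SAFE_TYPE_MAXIMUM (long) == LONG_MAX
         && SAFE_TYPE_MINIMUM (long) == LONG_MIN
         && SAFE_TYPE_MAXIMUM (unsigned char) == UCHAR_MAX
         && SAFE_TYPE_MINIMUM (unsigned int) == 0
         && SAFE_TYPE_MAXIMUM (unsigned long) == ULONG_MAX;
}

/* Overflow check that inspects the operands before adding.  The familiar
   "if (a + b < a)" idiom computes the overflowing sum first, which is the
   undefined behaviour the optimizer is entitled to assume never happens. */
static bool
add_checked (long a, long b, long *sum)
{
  if ((b > 0 && a > SAFE_TYPE_MAXIMUM (long) - b)
      || (b < 0 && a < SAFE_TYPE_MINIMUM (long) - b))
    return false;
  *sum = a + b;
  return true;
}

/* True when a + b would overflow long. */
static bool
add_overflows (long a, long b)
{
  long sum;
  return !add_checked (a, b, &sum);
}

/* Parse a non-negative decimal argument (a command-line count, say) into a
   long, refusing overflow instead of wrapping.  Returns FALLBACK on any
   failure (empty string, non-digit, or out of range). */
static long
parse_long_or (const char *s, long fallback)
{
  long v = 0;
  if (*s == '\0')
    return fallback;
  for (; *s != '\0'; s++)
    {
      if (*s < '0' || *s > '9')
        return fallback;
      int d = *s - '0';
      /* v * 10 + d <= MAX  <=>  v <= (MAX - d) / 10; tested before computing. */
      if (v > (SAFE_TYPE_MAXIMUM (long) - d) / 10)
        return fallback;
      v = v * 10 + d;
    }
  return v;
}

int
main (void)
{
  printf ("limits agree with <limits.h>: %s\n", limits_agree () ? "yes" : "no");
  printf ("LONG_MAX + 1 overflows: %s\n", add_overflows (LONG_MAX, 1) ? "yes" : "no");
  printf ("parse \"42\": %ld\n", parse_long_or ("42", -1));
  printf ("parse \"99999999999999999999999\": %ld\n",
          parse_long_or ("99999999999999999999999", -1));
  return 0;
}
```

Compiled with optimization, the pre-check form keeps its meaning because every comparison is on values that are in range; the post-check idiom mentioned in the comment is the pattern a compiler may legitimately fold away, which is what makes the audit the message describes so hard to do by hand.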