On Tue, 19 Dec 2006, Paul Eggert wrote:

> What worries me is code like this (taken from GNU expr; the vars are
> long long int):
>
>   val = l->u.i * r->u.i;
>   if (! (l->u.i == 0 || r->u.i == 0
>          || ((val < 0) == ((l->u.i < 0) ^ (r->u.i < 0))
>              && val / l->u.i == r->u.i)))
>     integer_overflow ('*');
>
> This breaks if signed integer overflow has undefined behavior.
>
> There's a lot of overflow-checking code like this in the GNU world.
> I'll bet GCC itself has some. Yes, we know this code doesn't conform
> to the C Standard sans LIA-1 because signed integer overflow has
> undefined behavior if you don't also conform to LIA-1. But there is
> no standard way to detect overflow. So we assume wraparound signed
> integer arithmetic a la Java and LIA-1. What else can we do,
> realistically?
Convert to unsigned and do the overflow tests using unsigned arithmetic.
Encapsulate reliable overflow checks for the various arithmetic operations
and types in functions or macros in gnulib (for long long multiply, in this
case).

-- 
Joseph S. Myers
[EMAIL PROTECTED]
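The approach Joseph describes, worked through for long long multiply and add, as an added example (editor's code, not from this mail, GNU expr or gnulib; the names checked_mul_ll, checked_add_ll, magnitude and wrapped_to_signed are this example's own). Every operation that could overflow is done on unsigned long long, whose arithmetic is defined to wrap modulo 2^64, so the compiler cannot assume the test is dead code the way it can for the signed product in the quoted expr snippet. The only tricky points are the asymmetric signed range (LLONG_MIN has no positive counterpart) and getting the in-range result back into long long without relying on implementation-defined conversion of large unsigned values.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* |v| as unsigned.  Converting a negative long long to unsigned is
   defined (it adds 2^64), so this is safe even for LLONG_MIN, whose
   magnitude does not fit in long long. */
static unsigned long long
magnitude (long long v)
{
  return v < 0 ? 0ULL - (unsigned long long) v : (unsigned long long) v;
}

/* Map a wrapped two's-complement bit pattern that is known to encode an
   in-range value back to long long.  The large-unsigned-to-signed cast is
   implementation-defined, so derive the negative case arithmetically:
   u stands for u - 2^64 == -((ULLONG_MAX - u) + 1). */
static long long
wrapped_to_signed (unsigned long long u)
{
  if (u <= (unsigned long long) LLONG_MAX)
    return (long long) u;
  return -(long long) (ULLONG_MAX - u) - 1;
}

/* a * b -> *result.  Returns false (leaving *result untouched) when the
   product does not fit in long long. */
bool
checked_mul_ll (long long a, long long b, long long *result)
{
  unsigned long long ua = magnitude (a), ub = magnitude (b);
  bool negative = (a < 0) != (b < 0);

  /* ua * ub fits in unsigned long long iff ua <= ULLONG_MAX / ub. */
  if (ub != 0 && ua > ULLONG_MAX / ub)
    return false;
  unsigned long long uprod = ua * ub;

  /* The signed range is asymmetric: a negative product may have magnitude
     LLONG_MAX + 1 (that is LLONG_MIN), a positive one at most LLONG_MAX. */
  unsigned long long limit = (unsigned long long) LLONG_MAX + (negative ? 1 : 0);
  if (uprod > limit)
    return false;

  *result = wrapped_to_signed (negative ? 0ULL - uprod : uprod);
  return true;
}

/* a + b -> *result, same contract. */
bool
checked_add_ll (long long a, long long b, long long *result)
{
  /* Defined wraparound; the true sum differs from us by 0 or 2^64. */
  unsigned long long us = (unsigned long long) a + (unsigned long long) b;

  /* Overflow needs two operands of one sign and a wrapped sum whose top
     bit (us > LLONG_MAX) disagrees with that sign.  Mixed signs never overflow. */
  if (a >= 0 && b >= 0 && us > (unsigned long long) LLONG_MAX)
    return false;
  if (a < 0 && b < 0 && us <= (unsigned long long) LLONG_MAX)
    return false;

  *result = wrapped_to_signed (us);
  return true;
}

/* Table-driven self-check over the edge cases; returns the number of
   mismatches, 0 when every case behaves as expected. */
int
selfcheck_ll (void)
{
  struct { long long a, b, expect; bool fits; } mul[] = {
    { 6, 7, 42, true }, { -6, 7, -42, true }, { LLONG_MIN, 0, 0, true },
    { LLONG_MIN, 1, LLONG_MIN, true }, { -(1LL << 31), 1LL << 32, LLONG_MIN, true },
    { LLONG_MIN, -1, 0, false }, { LLONG_MAX, 2, 0, false }, { 1LL << 40, 1LL << 40, 0, false },
  };
  struct { long long a, b, expect; bool fits; } add[] = {
    { -5, -7, -12, true }, { LLONG_MIN, LLONG_MAX, -1, true },
    { LLONG_MAX, 1, 0, false }, { LLONG_MIN, -1, 0, false }, { LLONG_MIN, LLONG_MIN, 0, false },
  };
  int bad = 0;
  long long r;
  for (size_t i = 0; i < sizeof mul / sizeof *mul; i++)
    if (checked_mul_ll (mul[i].a, mul[i].b, &r) != mul[i].fits
        || (mul[i].fits && r != mul[i].expect))
      bad++;
  for (size_t i = 0; i < sizeof add / sizeof *add; i++)
    if (checked_add_ll (add[i].a, add[i].b, &r) != add[i].fits
        || (add[i].fits && r != add[i].expect))
      bad++;
  return bad;
}

int
main (void)
{
  long long r;
  printf ("LLONG_MIN * -1: %s\n", checked_mul_ll (LLONG_MIN, -1, &r) ? "fits" : "overflows");
  printf ("self-check mismatches: %d\n", selfcheck_ll ());
  return 0;
}
```

Compiling with -O2 and -fstrict-overflow (or, today, -fsanitize=undefined) is the practical check that a replacement like this is sound: the quoted expr test can be silently optimised away because the signed multiply it relies on is undefined on overflow, whereas nothing in the functions above performs a signed operation that can overflow.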