On Wed, 17 Jan 2007, Gabriel Dos Reis wrote:

> The specific cases I'm concerned about here (and if you have a chance
> to build firefox for example, you'll see) is when T and U differ only
> in signedness, that is
>
>    T = int, U = unsigned
>    T = long, U = unsigned long
>    T = long long, U = unsigned long long
>
> those have the same value representation bits and there is no way, GCC
> can mess up -- except bugs in the compiler itself.

The point of such warnings is to detect security holes such as

void foo(void *s, int len);
void bar(void *s, unsigned len)
{
  if (len < sizeof(S))
    abort();
  foo(s, len);
}

where a large unsigned value gets implicitly converted to signed after a
check and this leads to a hole in foo() with a negative value.

> Furthermore, elsewhere (in the overflow thread) it has been suggested
> that people should convert to the unsigned variants, do computations there,
> and convert back to the signed variants. We have just promised an
> invariant that we will hold.

The suggestion is for *explicit* conversions (casts), the warnings (should
be) for implicit conversions.

-- 
Joseph S. Myers
[EMAIL PROTECTED]
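
The pattern from the message above, next to a checked variant, as an added example that is not part of the original message or of GCC. The names struct S, foo_len_seen, bar_implicit and bar_checked are hypothetical, rejection returns 0 instead of calling abort() so the result can be inspected, and the negative value relies on GCC's documented modulo behaviour for out-of-range unsigned-to-signed conversion.

```c
#include <limits.h>
#include <stddef.h>

/* Hypothetical stand-in for the type S in the message. */
struct S { char payload[16]; };

/* Stand-in for foo(): takes a signed length and reports what it received.
   A real callee would use len as a size or a loop bound. */
static int foo_len_seen(const void *s, int len)
{
    (void)s;
    return len;
}

/* Pattern from the message: only a lower bound is checked on the unsigned
   value, then len is implicitly converted to int at the call. Above INT_MAX
   the result is implementation-defined; GCC reduces it modulo 2^N, so the
   callee sees a negative length. -Wsign-conversion flags this call. */
static int bar_implicit(const void *s, unsigned len)
{
    if (len < sizeof(struct S))
        return 0;                  /* the message calls abort() here */
    return foo_len_seen(s, len);   /* implicit unsigned -> int */
}

/* Checked variant: reject values not representable as int, then make the
   conversion explicit with a cast, which is now value-preserving. */
static int bar_checked(const void *s, unsigned len)
{
    if (len < sizeof(struct S) || len > (unsigned)INT_MAX)
        return 0;
    return foo_len_seen(s, (int)len);
}

int main(void)
{
    struct S s = {{0}};
    /* Exit status 0 when the implicit path went negative and the checked
       path rejected the same input. */
    return !(bar_implicit(&s, UINT_MAX) < 0 &&
             bar_checked(&s, UINT_MAX) == 0);
}
```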