Bruno Haible wrote:
1) You're basically saying "let's use signed integer types for indices",
and you do that in the quotearg.c change.
Yes. This is not my invention; it's common in C programs generally to use int
for indexes. Using ptrdiff_t for indexes is the preferred coding style in the C
> For this purpose, it would be good if GCC had a type, say, __gcc_index_t,
> that -fsanitize=undefined will make produce a diagnostic if a value < 0
> or > PTRDIFF_MAX is assigned.
Actually, this is a special case of a range type. If we could have Ada's range
types [1] in C, with overflow check e
Hi Paul,
> I installed the patch I proposed yesterday, along with the
> additional patches attached, which merely change the x* functions to
> check for both kinds of overflow.
These changes give me some stomach-ache. I perfectly understand that
you're making a departure from 20 years of C trad
On 12/15/2016 02:09 AM, Bruno Haible wrote:
So, the limiting factor is the pointer difference operator
ptr1 - ptr2 where sizeof (*ptr1, *ptr2) > 1.
Yes, it is the pointer difference operator. However, the problem occurs
even with size-1 array elements. For example:
#include
#inclu
Paul Eggert wrote:
> #include <stddef.h>
> #include <stdint.h>
> #include <stdlib.h>
>
> ptrdiff_t
> diff (short *a, short *b)
> {
>   return a - b;
> }
>
> int
> main (void)
> {
>   size_t n = PTRDIFF_MAX / sizeof (short) + 1;
>   short *x = malloc (n * sizeof (short));
>   return 0 < diff (x + n, x);
> }
I can reproduc
Paul Eggert wrote:
> Come to think of it, I suppose we should change xalloc_oversized to
> report an overflow if the resulting size would be greater than
> PTRDIFF_MAX. That should catch more potential problems in Gnulib and in
> Gnulib-using code.
> ...
> Here is an example of why arrays larger
On 12/14/2016 04:26 PM, Paul Eggert wrote:
I suppose we should change xalloc_oversized to report an overflow if
the resulting size would be greater than PTRDIFF_MAX. That should
catch more potential problems in Gnulib and in Gnulib-using code.
Attached is a proposed patch to do that.
From 2d
On 12/14/2016 02:56 PM, Bruno Haible wrote:
Are you saying that -fsanitize=undefined or -fsanitize=signed-integer-overflow
(or -ftrapv, when using an older GCC) can detect integer overflow for signed
integers, whereas no such option exists and won't exist for unsigned integers
(because there are
On 12/14/2016 04:56 PM, Bruno Haible wrote:
> Hi Paul,
>
> Possibly dumb questions, but:
>> over time I am
>> becoming more inclined to like the Emacs model, where object counts are
>> typically kept as nonnegative but signed integers. This approach makes C
>> code a bit more reliable, as compi
Hi Paul,
Possibly dumb questions, but:
> over time I am
> becoming more inclined to like the Emacs model, where object counts are
> typically kept as nonnegative but signed integers. This approach makes C
> code a bit more reliable, as compiling with -fsanitize=undefined is more
> likely to ca