On 12 May, Andrey Chernov wrote:
> On 12.05.2014 21:03, Jilles Tjoelker wrote:
>> On Mon, May 12, 2014 at 08:04:32PM +0400, Andrey Chernov wrote:
>>> On 12.05.2014 8:27, Don Lewis wrote:
>>>> + if (start + amask < start) {
>>>> + DPRINTF(("start+amask wrapped around\n"));
>>>> + goto out;
>>>> + }
>>
>>> Checking for overflow _after_ it happens is unportable and dangerous,
>>> since wrapping around is not only one possible result. They should be
>>> rewritten like that:
>>
>>> if (start > ULONG_MAX - amask)
>>
>> Unsigned types wrap around per the C standard. Overflow checking after
>> it happens is fine.
>>
>> You are right for signed types.
>>
>
> You are right. The C Standard, 6.2.5, paragraph 9 [ISO/IEC 9899:2011],
> states:
>
> "A computation involving unsigned operands can never overflow, because a
> result that cannot be represented by the resulting unsigned integer type
> is reduced modulo the number that is one greater than the largest value
> that can be represented by the resulting type."
>
> I was initially confused by "integer overflow" phrase in the commit's
> comment, mechanically producing example above which supposed to be for
> signed types.
I went ahead and changed the code. I think the new version makes the
intent of the code clearer. The compiler is also likely to recognize
that "ULONG_MAX - amask" is loop invariant.
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
