[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: checked integer arithmetic
From: |
Eric Blake |
Subject: |
Re: checked integer arithmetic |
Date: |
Wed, 14 Dec 2016 17:05:20 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 |
On 12/14/2016 04:56 PM, Bruno Haible wrote:
> Hi Paul,
>
> Possibly dumb questions, but:
>> over time I am
>> becoming more inclined to like the Emacs model, where object counts are
>> typically kept as nonnegative but signed integers. This approach makes C
>> code a bit more reliable, as compiling with -fsanitize=undefined is more
>> likely to catch integer overflow errors in index calculations (a real
>> problem nowadays).
>
> Are you saying that -fsanitize=undefined or -fsanitize=signed-integer-overflow
> (or -ftrapv, when using an older GCC) can detect integer overflow for signed
> integers, whereas no such option exists and won't exist for unsigned integers
> (because there are so many pieces of code that intentionally do a mod-2^32
> or mod-2^64 computation on unsigned integers?
The C standard states that there is no such thing as ill-behaved integer
overflow in unsigned numbers: operations are well-defined to wraparound
modulo 2^width. It is only signed integers where there is
implementation-defined behavior (whether that behavior is wraparound,
saturation, raising a trap, or something else), and thus where there is
implementation leeway for implementing flags like -ftrapv for
controlling that behavior in a beneficial manner.
It is still possible to compute whether an unsigned operation would
overflow, you just can't convince the compiler to do it for you, so it
becomes more verbose.
>
> And what about the gnulib 'xsize' module for checked size_t computations?
As long as the manual checks are correct, it should be fine.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
- FYI: dfa: add an assertion to avoid coverity false positive, Jim Meyering, 2016/12/14
- Re: FYI: dfa: add an assertion to avoid coverity false positive, Paul Eggert, 2016/12/14
- Re: checked integer arithmetic, Bruno Haible, 2016/12/14
- Re: checked integer arithmetic,
Eric Blake <=
- Re: checked integer arithmetic, Paul Eggert, 2016/12/14
- xalloc-oversized PTRDIFF_MAX fix (was: checked integer arithmetic), Paul Eggert, 2016/12/14
- Re: checked integer arithmetic, Bruno Haible, 2016/12/14
- Re: checked integer arithmetic, Bruno Haible, 2016/12/15
- Re: checked integer arithmetic, Paul Eggert, 2016/12/15
- Re: checked integer arithmetic, Bruno Haible, 2016/12/15
- Re: checked integer arithmetic, Bruno Haible, 2016/12/15
- Re: checked integer arithmetic, Paul Eggert, 2016/12/16
Re: FYI: dfa: add an assertion to avoid coverity false positive, Paul Eggert, 2016/12/14