From owner-svn-src-all@FreeBSD.ORG Mon May 12 21:42:08 2014 Return-Path: Delivered-To: svn-src-all@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A02CFEA4; Mon, 12 May 2014 21:42:08 +0000 (UTC) Received: from gw.catspoiler.org (gw.catspoiler.org [75.1.14.242]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7C1E32467; Mon, 12 May 2014 21:42:01 +0000 (UTC) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.13.3/8.13.3) with ESMTP id s4CLfn43076462; Mon, 12 May 2014 14:41:53 -0700 (PDT) (envelope-from truckman@FreeBSD.org) Message-Id: <201405122141.s4CLfn43076462@gw.catspoiler.org> Date: Mon, 12 May 2014 14:41:49 -0700 (PDT) From: Don Lewis Subject: Re: svn commit: r265901 - stable/10/sys/kern To: ache@FreeBSD.org In-Reply-To: <5371081A.2070703@freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Cc: svn-src-stable@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, svn-src-stable-10@FreeBSD.org, jilles@stack.nl X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 May 2014 21:42:08 -0000 On 12 May, Andrey Chernov wrote: > On 12.05.2014 21:03, Jilles Tjoelker wrote: >> On Mon, May 12, 2014 at 08:04:32PM +0400, Andrey Chernov wrote: >>> On 12.05.2014 8:27, Don Lewis wrote: >>>> + if (start + amask < start) { >>>> + DPRINTF(("start+amask wrapped around\n")); >>>> + goto out; >>>> + } >> >>> Checking for overflow _after_ it happens is unportable and dangerous, >>> since wrapping around is not only one possible result. They should be >>> rewritten like that: >> >>> if (start > ULONG_MAX - amask) >> >> Unsigned types wrap around per the C standard. Overflow checking after >> it happens is fine. >> >> You are right for signed types. >> > > You are right. The C Standard, 6.2.5, paragraph 9 [ISO/IEC 9899:2011], > states: > > "A computation involving unsigned operands can never overflow, because a > result that cannot be represented by the resulting unsigned integer type > is reduced modulo the number that is one greater than the largest value > that can be represented by the resulting type." > > I was initially confused by "integer overflow" phrase in the commit's > comment, mechanically producing example above which supposed to be for > signed types. I went ahead and changed the code. I think the new version makes the intent of the code clearer. The compiler is also likely to recognize that "ULONG_MAX - amask" is loop invariant.