Date: Mon, 12 May 2014 14:41:49 -0700 (PDT) From: Don Lewis <truckman@FreeBSD.org> To: ache@FreeBSD.org Cc: svn-src-stable@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, svn-src-stable-10@FreeBSD.org, jilles@stack.nl Subject: Re: svn commit: r265901 - stable/10/sys/kern Message-ID: <201405122141.s4CLfn43076462@gw.catspoiler.org> In-Reply-To: <5371081A.2070703@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12 May, Andrey Chernov wrote:
> On 12.05.2014 21:03, Jilles Tjoelker wrote:
>> On Mon, May 12, 2014 at 08:04:32PM +0400, Andrey Chernov wrote:
>>> On 12.05.2014 8:27, Don Lewis wrote:
>>>> + if (start + amask < start) {
>>>> + DPRINTF(("start+amask wrapped around\n"));
>>>> + goto out;
>>>> + }
>>
>>> Checking for overflow _after_ it happens is unportable and dangerous,
>>> since wrapping around is not only one possible result. They should be
>>> rewritten like that:
>>
>>> if (start > ULONG_MAX - amask)
>>
>> Unsigned types wrap around per the C standard. Overflow checking after
>> it happens is fine.
>>
>> You are right for signed types.
>>
>
> You are right. The C Standard, 6.2.5, paragraph 9 [ISO/IEC 9899:2011],
> states:
>
> "A computation involving unsigned operands can never overflow, because a
> result that cannot be represented by the resulting unsigned integer type
> is reduced modulo the number that is one greater than the largest value
> that can be represented by the resulting type."
>
> I was initially confused by "integer overflow" phrase in the commit's
> comment, mechanically producing example above which supposed to be for
> signed types.
I went ahead and changed the code. I think the new version makes the
intent of the code clearer. The compiler is also likely to recognize
that "ULONG_MAX - amask" is loop invariant.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405122141.s4CLfn43076462>