Date: Wed, 2 Nov 2011 19:11:41 +0100 From: Jilles Tjoelker <jilles@stack.nl> To: John Baldwin <jhb@freebsd.org> Cc: arch@freebsd.org Subject: Re: [PATCH] fadvise(2) system call Message-ID: <20111102181140.GA21621@stack.nl> In-Reply-To: <201110311024.07580.jhb@freebsd.org> References: <201110281426.00013.jhb@freebsd.org> <20111029214057.GB90408@stack.nl> <201110311024.07580.jhb@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 31, 2011 at 10:24:07AM -0400, John Baldwin wrote:
> > The comparisons
> > + (fa->fa_start != 0 && fa->fa_start == end + 1) ||
> > + (uap->offset != 0 && fa->fa_end + 1 == uap->offset))) {
> > should instead be something like
> > + (end != OFF_MAX && fa->fa_start == end + 1) ||
> > + (fa->fa_end != OFF_MAX && fa->fa_end + 1 == uap->offset))) {
> > to avoid integer overflow.
> Hmm, but the expressions will still work in that case, yes? I already
> check for uap->offset and uap->len being negative earlier (so fa_start
> and fa_end are always positive), and off_t is signed, so if end is
> OFF_MAX, then end + 1 will certainly not == fa_start?
Signed integer overflow is undefined behaviour; therefore, if you write
end + 1 without checking that end != OFF_MAX, the compiler may assume
that end != OFF_MAX. Whether the compiler will take advantage of this in
ways that cause breakage is another question. For example, if there were
a subsequent check for end != OFF_MAX, the compiler would be allowed to
remove that check. I think it is best not to risk it.
--
Jilles Tjoelker
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111102181140.GA21621>