Date: Wed, 2 Nov 2011 19:11:41 +0100 From: Jilles Tjoelker <jilles@stack.nl> To: John Baldwin <jhb@freebsd.org> Cc: arch@freebsd.org Subject: Re: [PATCH] fadvise(2) system call Message-ID: <20111102181140.GA21621@stack.nl> In-Reply-To: <201110311024.07580.jhb@freebsd.org> References: <201110281426.00013.jhb@freebsd.org> <20111029214057.GB90408@stack.nl> <201110311024.07580.jhb@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 31, 2011 at 10:24:07AM -0400, John Baldwin wrote: > > The comparisons > > + (fa->fa_start != 0 && fa->fa_start == end + 1) || > > + (uap->offset != 0 && fa->fa_end + 1 == uap->offset))) { > > should instead be something like > > + (end != OFF_MAX && fa->fa_start == end + 1) || > > + (fa->fa_end != OFF_MAX && fa->fa_end + 1 == uap->offset))) { > > to avoid integer overflow. > Hmm, but the expressions will still work in that case, yes? I already > check for uap->offset and uap->len being negative earlier (so fa_start > and fa_end are always positive), and off_t is signed, so if end is > OFF_MAX, then end + 1 will certainly not == fa_start? Signed integer overflow is undefined behaviour; therefore, if you write end + 1 without checking that end != OFF_MAX, the compiler may assume that end != OFF_MAX. Whether the compiler will take advantage of this in ways that cause breakage is another question. For example, if there were a subsequent check for end != OFF_MAX, the compiler would be allowed to remove that check. I think it is best not to risk it. -- Jilles Tjoelker
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111102181140.GA21621>