From: Erik Faye-Lund <kusmabite@gmail.com>
To: git@vger.kernel.org
Subject: [PATCH] do not depend on undefined signed integer overflow
Date: Mon, 4 Oct 2010 21:43:08 +0200 [thread overview]
Message-ID: <1286221388-4908-1-git-send-email-kusmabite@gmail.com> (raw)
Signed integer overflow is not defined in C, so do not depend on it.
This fixes a problem with GCC 4.4.0 and -O3 where the optimizer would
consider "consumed_bytes > consumed_bytes + bytes" as a constant
expression, and never execute the die()-call.
Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
---
builtin/index-pack.c | 2 +-
builtin/unpack-objects.c | 2 +-
git-compat-util.h | 9 +++++++++
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/builtin/index-pack.c b/builtin/index-pack.c
index 2e680d7..e243d9d 100644
--- a/builtin/index-pack.c
+++ b/builtin/index-pack.c
@@ -161,7 +161,7 @@ static void use(int bytes)
input_offset += bytes;
/* make sure off_t is sufficiently large not to wrap */
- if (consumed_bytes > consumed_bytes + bytes)
+ if (signed_add_overflows(consumed_bytes, bytes))
die("pack too large for current definition of off_t");
consumed_bytes += bytes;
}
diff --git a/builtin/unpack-objects.c b/builtin/unpack-objects.c
index 685566e..f63973c 100644
--- a/builtin/unpack-objects.c
+++ b/builtin/unpack-objects.c
@@ -83,7 +83,7 @@ static void use(int bytes)
offset += bytes;
/* make sure off_t is sufficiently large not to wrap */
- if (consumed_bytes > consumed_bytes + bytes)
+ if (signed_add_overflows(consumed_bytes, bytes))
die("pack too large for current definition of off_t");
consumed_bytes += bytes;
}
diff --git a/git-compat-util.h b/git-compat-util.h
index 81883e7..5298747 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -28,6 +28,15 @@
#define ARRAY_SIZE(x) (sizeof(x)/sizeof(x[0]))
#define bitsizeof(x) (CHAR_BIT * sizeof(x))
+/*
+ * Signed integer overflow is undefined in C and some compilers take
+ * advantage of this when optimizing, so here's a helper macro to force
+ * wrapping when adding two integers. The size to wrap to is taken from
+ * the first parameter.
+ */
+#define signed_add_overflows(a, b) \
+ ((b) > ((INTMAX_MAX >> (bitsizeof(uintmax_t) - bitsizeof(a))) - (a)))
+
#ifdef __GNUC__
#define TYPEOF(x) (__typeof__(x))
#else
--
1.7.3.4.g28d92.dirty
next reply other threads:[~2010-10-04 19:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-04 19:43 Erik Faye-Lund [this message]
2010-10-04 19:47 ` [PATCH] do not depend on undefined signed integer overflow Erik Faye-Lund
2010-10-04 20:48 ` Jonathan Nieder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1286221388-4908-1-git-send-email-kusmabite@gmail.com \
--to=kusmabite@gmail.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).