Date: Mon, 12 May 2014 21:42:50 +0400 From: Andrey Chernov <ache@freebsd.org> To: Jilles Tjoelker <jilles@stack.nl> Cc: svn-src-stable@freebsd.org, Don Lewis <truckman@FreeBSD.org>, src-committers@freebsd.org, svn-src-stable-10@freebsd.org, svn-src-all@freebsd.org Subject: Re: svn commit: r265901 - stable/10/sys/kern Message-ID: <5371081A.2070703@freebsd.org> In-Reply-To: <20140512170322.GA2479@stack.nl> References: <201405120427.s4C4RAZf093033@svn.freebsd.org> <5370F110.5050502@freebsd.org> <20140512170322.GA2479@stack.nl>
On 12.05.2014 21:03, Jilles Tjoelker wrote:
> On Mon, May 12, 2014 at 08:04:32PM +0400, Andrey Chernov wrote:
>> On 12.05.2014 8:27, Don Lewis wrote:
>>> + if (start + amask < start) {
>>> + DPRINTF(("start+amask wrapped around\n"));
>>> + goto out;
>>> + }
>
>> Checking for overflow _after_ it happens is unportable and dangerous,
>> since wrapping around is not only one possible result. They should be
>> rewritten like that:
>
>> if (start > ULONG_MAX - amask)
>
> Unsigned types wrap around per the C standard. Overflow checking after
> it happens is fine.
>
> You are right for signed types.

You are right. The C Standard, 6.2.5, paragraph 9 [ISO/IEC 9899:2011], states: "A computation involving unsigned operands can never overflow, because a result that cannot be represented by the resulting unsigned integer type is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type."

I was initially confused by the "integer overflow" phrase in the commit's comment, mechanically producing the example above, which was supposed to be for signed types.

--
http://ache.vniz.net/
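Review bot: The wraparound test in the quoted hunk is only well-defined if both start and amask are unsigned types, and the hunk does not show their declarations; if either were signed, the post-addition comparison would be undefined behaviour that a compiler may delete, so the types should be confirmed in the surrounding code. Since unsigned addition cannot overflow in the C sense, the commit comment should match the DPRINTF text and say "wrapped around" rather than "integer overflow", which is exactly the wording that caused the confusion in this thread.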
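As an added example (not part of this thread or of the FreeBSD source), the following C program puts both forms of the unsigned check side by side, shows the pre-check that is needed once the operands are signed, and wraps the pattern in a hypothetical align_up_checked() helper in the spirit of the patched code. The helper name and signature, the sample values and the main() are assumptions, not rman's API.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Post-hoc wrap check, the form quoted from the commit in the thread.
 * Valid because unsigned addition is reduced modulo ULONG_MAX + 1
 * (C11 6.2.5p9): the sum is smaller than an operand iff it wrapped.
 */
bool uadd_wraps_posthoc(unsigned long start, unsigned long amask)
{
	unsigned long sum = start + amask;	/* never UB for unsigned */
	return sum < start;
}

/* Pre-check form proposed in the thread; equivalent for unsigned operands. */
bool uadd_wraps_precheck(unsigned long start, unsigned long amask)
{
	/* ULONG_MAX - amask cannot underflow, so this is always well-defined. */
	return start > ULONG_MAX - amask;
}

/*
 * Signed addition: a post-hoc "a + b < a" test is undefined behaviour and
 * compilers routinely delete it, so the check must happen before the add.
 * Returns true (and leaves *out untouched) if a + b is not representable.
 */
bool sadd_overflows(long a, long b, long *out)
{
	if ((b > 0 && a > LONG_MAX - b) || (b < 0 && a < LONG_MIN - b))
		return true;
	*out = a + b;
	return false;
}

/*
 * Hypothetical helper (assumed name, not rman's API): round start up to
 * the alignment implied by amask (alignment - 1), refusing if start + amask
 * would wrap around instead of silently returning a small address.
 */
bool align_up_checked(unsigned long start, unsigned long amask,
    unsigned long *out)
{
	if (uadd_wraps_posthoc(start, amask))
		return false;
	*out = (start + amask) & ~amask;
	return true;
}

/* Compare both unsigned forms on constructed boundary values. */
bool unsigned_checks_agree(void)
{
	static const unsigned long vals[] = {
		0, 1, 7, 0xfff, ULONG_MAX / 2, ULONG_MAX / 2 + 1,
		ULONG_MAX - 1, ULONG_MAX
	};
	size_t n = sizeof(vals) / sizeof(vals[0]);
	size_t i, j;

	for (i = 0; i < n; i++)
		for (j = 0; j < n; j++)
			if (uadd_wraps_posthoc(vals[i], vals[j]) !=
			    uadd_wraps_precheck(vals[i], vals[j]))
				return false;
	return true;
}

int main(void)
{
	unsigned long aligned;
	long sum;

	printf("unsigned forms agree: %s\n",
	    unsigned_checks_agree() ? "yes" : "no");
	printf("align 13 to 8: %s\n",
	    align_up_checked(13, 7, &aligned) ? "ok" : "wrap");
	printf("align ULONG_MAX-2 to 8: %s\n",
	    align_up_checked(ULONG_MAX - 2, 7, &aligned) ? "ok" : "wrap");
	printf("LONG_MAX + 1: %s\n",
	    sadd_overflows(LONG_MAX, 1, &sum) ? "overflow" : "ok");
	return 0;
}
```

The two unsigned forms are interchangeable because start + amask exceeds ULONG_MAX mathematically exactly when start > ULONG_MAX - amask, and the subtraction on the right can never underflow; the signed helper is the one that genuinely has to test before adding.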
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5371081A.2070703>