Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 27 Jan 2015 18:04:41 +0000 (UTC)
From:      Stefan Esser <se@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r277798 - head/bin/expr
Message-ID:  <201501271804.t0RI4fbv072693@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: se
Date: Tue Jan 27 18:04:41 2015
New Revision: 277798
URL: https://svnweb.freebsd.org/changeset/base/277798

Log:
  Fix overflow check for multiplication:
  - Add special test to detect the case of -1 * INTMAX_MIN
  - Protect against elimination of the test division by the optimizer
  
  Garrett Cooper noticed that the overflow checks were incomplete, and Bruce
  Evans suggested the use of the "volatile" qualifier to counter the effect
  of the undefined behaviour, when the prior multiplication caused overflow,
  and he also suggested improvements to the comments.
  
  Reviewed by:	bde
  MFC after:	1 week

Modified:
  head/bin/expr/expr.y

Modified: head/bin/expr/expr.y
==============================================================================
--- head/bin/expr/expr.y	Tue Jan 27 17:46:55 2015	(r277797)
+++ head/bin/expr/expr.y	Tue Jan 27 18:04:41 2015	(r277798)
@@ -444,14 +444,26 @@ op_minus(struct val *a, struct val *b)
 	return (r);
 }
 
+/*
+ * We depend on undefined behaviour giving a result (in r).
+ * To test this result, pass it as volatile.  This prevents
+ * optimizing away of the test based on the undefined behaviour.
+ */
 void
-assert_times(intmax_t a, intmax_t b, intmax_t r)
+assert_times(intmax_t a, intmax_t b, volatile intmax_t r)
 {
 	/*
-	 * if first operand is 0, no overflow is possible,
-	 * else result of division test must match second operand
+	 * If the first operand is 0, no overflow is possible, 
+	 * else the result of the division test must match the
+	 * second operand.
+	 *
+	 * Be careful to avoid overflow in the overflow test, as
+	 * in assert_div().  Overflow in division would kill us
+	 * with a SIGFPE before getting the test wrong.  In old
+	 * buggy versions, optimization used to give a null test
+	 * instead of a SIGFPE.
 	 */
-	if (a != 0 && r / a != b)
+	if ((a == -1 && b == INTMAX_MIN) || (a != 0 && r / a != b))
 		errx(ERR_EXIT, "overflow");
 }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501271804.t0RI4fbv072693>