Re: [RFC v2 1/2] compiler: use compiler to detect integer overflows

From: Sasha Levin
Date: Wed Nov 26 2014 - 20:37:44 EST


On 11/26/2014 07:33 PM, Linus Torvalds wrote:
> On Wed, Nov 26, 2014 at 3:58 PM, Sasha Levin <sasha.levin@xxxxxxxxxx> wrote:
>> We used to detect integer overflows by causing an overflow and testing the
>> result. For example, to test for addition overflow we would:
> So I don't like this, for a very simple reason: it doesn't work for
> older gcc versions.
>
> Your "check_add_overflow()" doesn't actually do it. It just
> perpetuates any bugs you find. For unsigned additions, it's pointless,
> and for signed additions it remains as buggy as it was before.

I understand your point. It doesn't fix bugs but rather hides them on
newer compilers.

Since the way to fix this is by properly checking for overflow rather than
the old broken (a + b > a) conditional, how about something like the following
for the non-gcc5 case:

#define IS_UNSIGNED(A) (((typeof(A))-1) >= 0)
/* largest/smallest value of the signed type of A, derived from its width */
#define TYPE_MAX(A) ((typeof(A))((1ULL << (sizeof(A) * 8 - 1)) - 1))
#define TYPE_MIN(A) (-TYPE_MAX(A) - 1)
#define check_add_overflow(A, B) \
({ \
	typeof(A) __a = (A); \
	typeof(B) __b = (B); \
	/* the wider of the two operand types carries the limits and the check */ \
	typeof(sizeof(__a) > sizeof(__b) ? __a : __b) __min, __max; \
	__min = TYPE_MIN(__min); \
	__max = TYPE_MAX(__max); \
	/* unsigned addition wraps by definition, so only signed operands are \
	 * checked: a > 0 && b > MAX - a, or a < 0 && b < MIN - a, evaluated \
	 * without ever forming the overflowing sum */ \
	(IS_UNSIGNED(__a) || IS_UNSIGNED(__b)) ? 0 : \
	(((__a > 0) && (typeof(__max))__b > (__max - ((typeof(__max))__a))) || \
	 ((__a < 0) && (typeof(__max))__b < (__min - ((typeof(__max))__a)))); \
})

> Also, your commit message is still *very*wrong*. You can't claim that
> integer addition overflow is undefined. It's undefined only for
> _signed_ integer types, and that's a big big difference.

Understood. I'll be specific that it's only for signed integer overflows.


Thanks,
Sasha
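As an added example, not code from this thread or from the kernel tree, the following standalone C program contrasts the three approaches discussed in the exchange above: the limit-based precondition check for signed int (no overflowing sum is ever formed), the post-hoc wrap test that is legitimate only for unsigned operands (where wrap-around is defined), and gcc 5's `__builtin_add_overflow` with a fallback for older compilers. The function names (`add_overflows_int`, `add_wraps_uint`, `checked_add_int`, `add_int_or_sentinel`) are the example's own.

```c
#include <limits.h>
#include <stdio.h>

/* Signed overflow is undefined behaviour, so "a + b < a" on ints is itself
 * UB and the optimizer may drop the test. Compare the operands against the
 * type's limits instead; none of these expressions can overflow. */
static int add_overflows_int(int a, int b)
{
	if (a > 0 && b > INT_MAX - a)
		return 1;	/* sum would exceed INT_MAX */
	if (a < 0 && b < INT_MIN - a)
		return 1;	/* sum would fall below INT_MIN */
	return 0;
}

/* Unsigned addition is defined to wrap modulo 2^N, so here the post-hoc
 * test is legal and exact. */
static int add_wraps_uint(unsigned int a, unsigned int b)
{
	unsigned int sum = a + b;

	return sum < a;
}

/* Stores a + b in *out and returns 1 on success, 0 if the sum would
 * overflow int. gcc 5 and clang supply __builtin_add_overflow, which also
 * copes with mixed operand types; older compilers get the limit check. */
static int checked_add_int(int a, int b, int *out)
{
#if (defined(__GNUC__) && __GNUC__ >= 5) || defined(__clang__)
	return !__builtin_add_overflow(a, b, out);
#else
	if (add_overflows_int(a, b))
		return 0;
	*out = a + b;
	return 1;
#endif
}

/* Wrapper for callers that prefer a sentinel to a status flag: returns the
 * sum widened to long long, or LLONG_MIN when int addition would overflow
 * (long long is strictly wider than int on every mainstream ABI, so the
 * sentinel cannot collide with a valid int sum). */
static long long add_int_or_sentinel(int a, int b)
{
	int out = 0;

	return checked_add_int(a, b, &out) ? (long long)out : LLONG_MIN;
}

int main(void)
{
	printf("INT_MAX + 1 overflows: %d\n", add_overflows_int(INT_MAX, 1));
	printf("INT_MIN + -1 overflows: %d\n", add_overflows_int(INT_MIN, -1));
	printf("INT_MAX + -1 overflows: %d\n", add_overflows_int(INT_MAX, -1));
	printf("UINT_MAX + 1 wraps: %d\n", add_wraps_uint(UINT_MAX, 1));
	printf("checked 2 + 3 = %lld\n", add_int_or_sentinel(2, 3));
	return 0;
}
```

The split between `add_overflows_int` and `add_wraps_uint` is the point Linus makes in the quoted reply: the same "compute, then compare" idiom is correct for unsigned types and undefined for signed ones, so a generic helper has to branch on signedness rather than apply one test to both.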
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/