Re: [PATCH 02/13] msvc: avoid using minus operator on unsigned types

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Dscho,

On Thu, Sep 26, 2019 at 11:01:32PM +0200, Johannes Schindelin wrote:
> Hi Denton,
> 
> On Thu, 26 Sep 2019, Denton Liu wrote:
> 
> > Hi Dscho,
> >
> > On Thu, Sep 26, 2019 at 01:30:10AM -0700, Johannes Schindelin via GitGitGadget wrote:
> > > From: Johannes Schindelin <johannes.schindelin@xxxxxx>
> > >
> > > MSVC complains about this with `-Wall`, which can be taken as a sign
> > > that this is indeed a real bug. The symptom is:
> > >
> > > 	C4146: unary minus operator applied to unsigned type, result
> > > 	still unsigned
> > >
> > > Let's avoid this warning in the minimal way, e.g. writing `-1 -
> > > <unsigned value>` instead of `-<unsigned value> - 1`.
> >
> > [...]
> >
> > > ---
> > >  read-cache.c  | 4 ++--
> > >  sha1-lookup.c | 2 +-
> > >  2 files changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/read-cache.c b/read-cache.c
> > > index c701f7f8b8..11f3357216 100644
> > > --- a/read-cache.c
> > > +++ b/read-cache.c
> > > @@ -1276,7 +1276,7 @@ static int add_index_entry_with_check(struct index_state *istate, struct cache_e
> > >  	 */
> > >  	if (istate->cache_nr > 0 &&
> > >  		strcmp(ce->name, istate->cache[istate->cache_nr - 1]->name) > 0)
> > > -		pos = -istate->cache_nr - 1;
> > > +		pos = -1 - istate->cache_nr;
> >
> > I've been thinking about this and I'm still not certain that this 100%
> > correct from a language-lawyer perspective.
> >
> > If we do `-1 - istate->cache_nr`, then the unsignedness of
> > istate->cache_nr takes over and the whole expression is a very large
> > unsigned number.
> >
> > Then, when we assign to `int pos`, we are converting an unsigned number
> > which is out of the range of the signed number. According to a
> > StackOverflow post citing the C99 standard[1]:
> >
> > 	Otherwise, the new type is signed and the value cannot be
> > 	represented in it; either the result is implementation-defined
> > 	or an implementation-defined signal is raised.
> >
> > I'm sure that most platforms that we support will handle it sanely but
> > could we write this as
> >
> > 	pos = -1 - (int) istate->cache_nr;
> >
> > to be doubly sure that no funny business will happen?
> 
> I guess we should use `signed_add_overflows()` to make extra certain
> that it does what we want it to do, kind of like `st_add()`. Or just do
> the check explicitly, like so:
> 
> 	if (istate->cache_nr > INT_MAX)
> 		die("overflow: -1 - %u", istate->cache_nr);
> 	pos = -1 - istate->cache_nr;

Could we change this to 

 	pos = -1 - (int) istate->cache_nr;

so that we alleviate the problem I was talking about above?

Other than that, it looks good. Well, it might break on one's complement
systems but I don't think we support UNIVACs anyway. ;)

> }
> >
> > >  	else
> > >  		pos = index_name_stage_pos(istate, ce->name, ce_namelen(ce), ce_stage(ce));
> > >
> > > @@ -1894,7 +1894,7 @@ static size_t estimate_cache_size(size_t ondisk_size, unsigned int entries)
> > >  	/*
> > >  	 * Account for potential alignment differences.
> > >  	 */
> > > -	per_entry += align_padding_size(sizeof(struct cache_entry), -sizeof(struct ondisk_cache_entry));
> > > +	per_entry += align_padding_size(per_entry, 0);
> > >  	return ondisk_size + entries * per_entry;
> > >  }
> > >
> > > diff --git a/sha1-lookup.c b/sha1-lookup.c
> > > index 796ab68da8..c819687730 100644
> > > --- a/sha1-lookup.c
> > > +++ b/sha1-lookup.c
> > > @@ -97,7 +97,7 @@ int sha1_pos(const unsigned char *sha1, void *table, size_t nr,
> > >  			lo = mi + 1;
> > >  		mi = lo + (hi - lo) / 2;
> > >  	} while (lo < hi);
> > > -	return -lo-1;
> > > +	return -1 - lo;
> >
> > Same thing here.
> 
> This is even more critical, as `lo` has the type `size_t`:
> 
> 	if (lo > INT_MAX)
> 		die("overflow: -1 - %"PRIuMAX, (uintmax_t)lo);
> 	return -1 - lo;

Also, could we change this to

 	return -1 - (int) lo;

Thanks,

Denton

> >
> What do you think?
> Dscho
> 
> > [1]: https://stackoverflow.com/questions/50605/signed-to-unsigned-conversion-in-c-is-it-always-safe
> >
> > >  }
> > >
> > >  int bsearch_hash(const unsigned char *sha1, const uint32_t *fanout_nbo,
> > > --
> > > gitgitgadget
> > >
> >



[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux