On Mon, Jun 25, 2018 at 11:26:05AM +0200, Rasmus Villemoes wrote:

> check_shift_overflow(a, s, d) {
>     unsigned _nbits = 8*sizeof(a);
>     typeof(a) _a = (a);
>     typeof(s) _s = (s);
>     typeof(d) _d = (d);
>
>     *_d = ((u64)(_a) << (_s & (_nbits-1)));
>     _s >= _nbits || (_s > 0 && (_a >> (_nbits - _s -
>         is_signed_type(a))) != 0);
> }

Those types are not quite right.. What about this?

check_shift_overflow(a, s, d) ({
    unsigned int _nbits = 8*sizeof(d) - is_signed_type(d);
    typeof(d) _a = a; // Shift is always performed on type 'd'
    typeof(s) _s = s;
    typeof(d) _d = d;

    *_d = (_a << (_s & (_nbits-1)));

    (((*_d) >> (_s & (_nbits-1))) != _a);
})

And can we use mathematical invertibility to prove no overflow and
bound _a? As above.

Jason
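The two checks discussed in this message, a high-bits test and a shift-then-shift-back (invertibility) test, compared side by side as an added example; it is not code from the thread or from the kernel. It assumes a fixed uint32_t destination, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NBITS 32u /* assumed width of the destination type in this sketch */
typedef bool (*shl_check)(uint32_t a, unsigned int s, uint32_t *d);

/* High-bits test: overflow if s is out of range or a set bit is shifted out. */
static bool shl_overflow_highbits(uint32_t a, unsigned int s, uint32_t *d)
{
	*d = a << (s & (NBITS - 1)); /* masked so the shift itself is defined */
	return s >= NBITS || (s > 0 && (a >> (NBITS - s)) != 0);
}

/* Round-trip test using only the masked count: shift left, shift back, compare. */
static bool shl_overflow_roundtrip_masked(uint32_t a, unsigned int s, uint32_t *d)
{
	unsigned int m = s & (NBITS - 1);
	*d = a << m;
	return (*d >> m) != a;
}

/* Round-trip test plus an explicit range check on the shift count. */
static bool shl_overflow_roundtrip(uint32_t a, unsigned int s, uint32_t *d)
{
	bool lost = shl_overflow_roundtrip_masked(a, s, d);
	return s >= NBITS || lost;
}

/* Count (a, s) pairs from a constructed sample set where f and g disagree. */
static unsigned int disagreements(shl_check f, shl_check g)
{
	static const uint32_t samples[] = { 0, 1, 0x00010000u, 0x12345678u,
					    0x7fffffffu, 0x80000000u, 0xffffffffu };
	unsigned int n = 0;
	uint32_t df, dg;
	for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		for (unsigned int s = 0; s < 80; s++)
			n += f(samples[i], s, &df) != g(samples[i], s, &dg);
	return n;
}

int main(void)
{
	printf("disagreements with high-bits test: range-checked %u, masked only %u\n",
	       disagreements(shl_overflow_highbits, shl_overflow_roundtrip),
	       disagreements(shl_overflow_highbits, shl_overflow_roundtrip_masked));
	return 0;
}
```

For unsigned 32-bit values the range-checked round trip agrees with the high-bits test on every sampled pair; with the masked count alone, a = 1 and s = 32 comes back as "no overflow" with *d == 1.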