On Sun, 2018-07-08 at 12:42 -0600, Jason Gunthorpe wrote:
> On Sun, Jul 08, 2018 at 03:31:45PM +0000, Bart Van Assche wrote:
> > On Sun, 2018-07-08 at 13:38 +0300, Leon Romanovsky wrote:
> > > +/*
> > > + * Compute *d = (a << s)
> > > + *
> > > + * Returns true if '*d' cannot hold the result or 'a << s' doesn't make sense.
> > > + * - 'a << s' causes bits to be lost when stored in d
> > > + * - 's' is garbage (eg negative) or so large that a << s is guaranteed to be 0
> >
> > If s >= sizeof(a) * 8 then a << s triggers undefined behavior. There is no guarantee
> > that the result will be 0. See also
> > http://blog.llvm.org/2011/05/what-every-c-programmer-should-know_21.html.
>
> This is already prevented with this:
> [ ... ]

Yes, I am aware that the code prevents overflow. What I wanted to make clear is that
the comment "guaranteed to be 0" is wrong.

> > I think the fact that the above macro stores the result in a pointer passed
> > as argument will reduce readability. How about the macro below, which
> > addresses all the shortcomings mentioned above?
>
> We can't protect against overflow into 'd' if we don't know the type
> of 'd', so the pointer output is mandatory.
>
> This is also the standard pattern for everything in overflow.h.

Ah, that makes sense to me. I'm in favor of consistency.

Bart.
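Review bot: the last comment line of the quoted hunk, `'s' is garbage (eg negative) or so large that a << s is guaranteed to be 0`, misstates C semantics: a shift count that is negative or greater than or equal to the bit width of the promoted left operand is undefined behaviour, not a zero result, so the comment should describe such an `s` as rejected because the shift would be undefined (for example, "or so large that the shift is undefined, i.e. s >= the bit width of a") rather than promising a zero value; as noted in the thread, the macro body already rejects those values of `s` before shifting, so only the comment needs the change.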
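A macro in the shape the thread describes, written here as an added example (it is not the kernel's overflow.h code; the name `checked_shl` and the wrapper functions are assumed): the destination is passed as a pointer so the macro can test the result against the destination's own width and signedness, and out-of-range shift counts are rejected before any shift takes place, because such a shift is undefined behaviour rather than a zero result.

```c
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/*
 * checked_shl(a, s, d): compute *d = a << s in the shape the thread describes.
 * Added example with an assumed name, not the kernel's overflow.h code.
 * Returns true when the result cannot be trusted:
 *  - s is negative or >= the bit width of a: that shift is undefined behaviour
 *    in C (not "guaranteed to be 0"), so it is rejected before any shift happens;
 *  - a is negative (left-shifting a negative value is undefined too);
 *  - bits are lost in the shift or when the value is stored into *d.
 * d is a pointer so the macro knows the destination's width and signedness.
 */
#define checked_shl(a, s, d) ({                                             \
        __typeof__(a) _a = (a);                                             \
        __typeof__(s) _s = (s);                                             \
        __typeof__(d) _d = (d);                                             \
        unsigned long long _wide = (unsigned long long)_a;                  \
        unsigned int _shift = (unsigned int)_s;                             \
        bool _overflow = true;                                              \
        *_d = 0;                                                            \
        if (_s >= 0 && _a >= 0 && _shift < sizeof(_a) * CHAR_BIT) {         \
                _wide <<= _shift;                                           \
                *_d = (__typeof__(*_d))_wide;                               \
                /* shift reversible, store exact, and no sign flip in *d */ \
                _overflow = (_wide >> _shift) != (unsigned long long)_a ||  \
                            (unsigned long long)*_d != _wide ||             \
                            *_d < 0;                                        \
        }                                                                   \
        _overflow;                                                          \
})

/* Wrappers with concrete destination types (constructed inputs in main). */
static bool shl_into_u8(unsigned int a, int s, unsigned char *out) { return checked_shl(a, s, out); }
static bool shl_into_s32(int a, int s, int *out) { return checked_shl(a, s, out); }
static bool shl_into_u64(unsigned long long a, int s, unsigned long long *out) { return checked_shl(a, s, out); }

int main(void)
{
        unsigned char u8;
        int s32;
        bool ovf = shl_into_u8(3, 7, &u8);   /* 384 does not fit in 8 bits */
        printf("3 << 7 into u8: overflow=%d stored=%u\n", ovf, u8);
        ovf = shl_into_s32(1, 32, &s32);      /* s >= width: rejected, no UB */
        printf("1 << 32 into int: overflow=%d\n", ovf);
        return 0;
}
```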