[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Autoconf manual's coverage of signed integer overflow & portability

From: Paul Eggert
Subject: Re: Autoconf manual's coverage of signed integer overflow & portability
Date: Fri, 05 Jan 2007 15:49:48 -0800
User-agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.4 (gnu/linux)

Paolo Bonzini <address@hidden> writes:

> I think this will only confuse the matter.

I think it's worth mentioning that integer overflow, in theory at
least (we hope not in practice) actually allows that sort of
aggressive optimization.  However, I've tried to reword the example to
make it less confusing.

>> for (j = 1; 0 < j; j *= 2)
> Why not j > 0?

Leibnitz's criterion for notation (which I learned from Val Schorre)
is that notation is clearer if syntactic order reflects semantic order.

Thanks for these and the other comments.  I installed the following
patch which I hope resolves them.

2007-01-05  Paul Eggert  <address@hidden>

        Fix some wording problems noted by Paolo Bonzini in:
        * doc/autoconf.texi (Signed Overflow Examples): Give more
        discussion about the allow_superuser_privileges example,
        and change it a bit to make things clearer.
        (Optimization and Wraparound): Clarify whether the compiler
        will generate an infinite loop for the example derived from
        Autoconf's mktime test.
        (Signed Overflow Advice): Say that -ftrapv is meant for debugging.
        Also, clarify unsigned multiplication overflow.

--- doc/autoconf.texi   3 Jan 2007 07:18:38 -0000       1.1123
+++ doc/autoconf.texi   5 Jan 2007 23:43:56 -0000
@@ -15033,12 +15033,18 @@ overflow.  To take an extreme example:
 if (password == expected_password)
   allow_superuser_privileges ();
+else if (counter++ == INT_MAX)
+  abort ();
-  printf ("%d password mismatches\n", counter++);
+  printf ("%d password mismatches\n", counter);
 @end example

-If @code{counter} is an @code{int} and a compiler can deduce that
+If the @code{int} variable @code{counter} equals @code{INT_MAX},
address@hidden must overflow and the behavior is undefined, so the C
+standard allows the compiler to optimize away the test against
address@hidden and the @code{abort} call.
+Worse, if an earlier bug in the program lets the compiler deduce that
 @code{counter == INT_MAX} or that @code{counter} previously overflowed,
 the C standard allows the compiler to optimize away the password test
 and generate code that allows superuser privileges unconditionally.
@@ -15174,12 +15180,14 @@ for (j = 1; 0 < j; j *= 2)

 Here, the loop attempts to iterate through all powers of 2 that
address@hidden can represent, but some test versions of @acronym{GCC}
-optimize away the comparison to zero and thus generate an infinite loop,
address@hidden can represent, but the C standard allows a compiler to
+optimize away the comparison and generate an infinite loop,
 under the argument that behavior is undefined on overflow.  As of this
 writing this optimization is not done by any production version of
address@hidden with @option{-O2}, but it might be performed by more
-aggressive @acronym{GCC} optimization options, or by other compilers.
address@hidden with @option{-O2}, but it might be performed by other
+compilers, or by more aggressive @acronym{GCC} optimization options,
+and the @acronym{GCC} developers have not decided whether it will
+continue to work with @acronym{GCC} and @option{-O2}.

 @node Signed Overflow Advice
 @subsection Practical Advice for Signed Overflow Issues
@@ -15230,7 +15238,8 @@ transform the two comparisons in a way t
 wraparound assumption.

 If your code uses an expression like @code{(i * 2000) / 1000} and you
-actually want the multiplication to wrap around, use unsigned arithmetic
+actually want the multiplication to wrap around on overflow, use
+unsigned arithmetic
 to do it, e.g., @code{((int) (i * 2000u)) / 1000}.

 If your code assumes wraparound behavior and you want to insulate it
@@ -15241,7 +15250,7 @@ remainder, as discussed in the next sect

 If you need to port to platforms where signed integer overflow does not
 reliably wrap around (e.g., due to hardware overflow checking, or to
-highly aggressive optimizations), you should consider using
+highly aggressive optimizations), you should consider debugging with
 @acronym{GCC}'s @option{-ftrapv} option, which causes signed overflow to
 raise an exception.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]