
Re: ISO C 23 ahead

From: Paul Eggert
Subject: Re: ISO C 23 ahead
Date: Wed, 10 Aug 2022 10:42:07 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0

On 8/10/22 06:58, Bruno Haible wrote:

> But you haven't pushed the patches yet.

Oops. Pushed.

> And in patch 0004, I think the module 'stdckdint' should depend on 'stdbool'
> (since <stdckdint.h> includes <stdbool.h>).

Thanks, I fixed that.

I also sent the following email to people who I hope can fix the problems in the draft C standard (unfortunately they don't seem to make it easy to file bug reports...):


As one of the maintainers for the GNU Portability Library[1] I recently implemented stdckdint.h there[2] and modified some other parts of Gnulib to use stdckdint.h[3]. The GNU project has had extensive experience with stdckdint.h's behavior, as we implemented nearly-identical macros INT_ADD_WRAPV etc. in 2015 and have been using them to catch integer-overflow issues since then.

In the process of implementing and using stdckdint.h I found the following problems in the draft standard N3047, which I hope can be fixed before the standard becomes final:

A. The current wording prohibits this use:

    bool check_2_overflow (unsigned hi, unsigned lo) {
      return ckd_add (&hi, hi, ckd_add (&lo, lo, 1));
    }

because it says arguments to ckd_add cannot be of type 'bool'. There is no reason for this restriction in ckd_add's last two arguments, as these arguments are promoted to 'int'. This sort of restriction is needed only for ckd_add's first argument. Similarly for 'char', enumeration types, and bit-precise integers.

B. The current wording says that this usage is not portable:

  bool check_size_overflow (size_t s) {
    return ckd_add (&s, s, 1);
  }

because size_t might be a bit-precise integer, or 'char', or an enumeration type. This means that portable programs cannot use stdckdint.h when doing address arithmetic with size_t and ptrdiff_t, and similarly for other standard types, because these types might conceivably be implemented via a bit-precise integer etc.

C. Although freestanding programs are allowed to use the new <stdbit.h> header, they are not allowed to use <stdckdint.h>. This is puzzling, as the two headers fall roughly into the same category: they typically affect only how the compiler generates code and do not require library support.

I ignored these problems in Gnulib, in the hopes that they're glitches in the standard and that we won't run into any practical implementations that exploit the glitches. However, it'd be nicer if they were fixed. Here is some proposed wording to do that.

a. In section 4 paragraph 6, add <stdckdint.h> to the list of standard headers required of freestanding implementations.

b. In section 7.1.2 insert the following paragraph after paragraph 8: "Any declaration of an integer type shall not declare it to be 'bool', nor 'char', nor an enumeration type, nor a bit-precise integer type." with a footnote "This allows expressions of standard types like 'size_t' to be used in calls to macros like 'ckd_add'; see section 7.20."

c. In section 7.20.1 paragraph 3 change this:

"Both 'type2' and 'type3' shall be any integer type other than plain 'char', 'bool', a bit-precise integer type, or an enumeration type, and they need not be the same."

to this:

"Both 'type2' and 'type3' shall be any integer type, and they need not be the same."

and append the following footnote to paragraph 3: "Because standard types like 'size_t' cannot be plain 'char', 'bool', a bit-precise integer type, or an enumeration type (section 7.1.2), *result can be of a standard type like 'size_t'."

[1] https://www.gnu.org/software/gnulib/
[2] https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2eb92c362ecfb2dae9c9cb37cb9246df6989181c
[3] https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=ef5a4088d9236a55283d1eb576f560aa39c09e6f
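The two ckd_add idioms from items A and B of the message above (the nested bool-carry call and checked size_t arithmetic), as an added example that is not part of the thread or of Gnulib. It is written with the GCC/Clang __builtin_*_overflow intrinsics, which share the "store the wrapped result, return true on overflow" contract of ckd_add but take the operands first and the result pointer last; the function names are this example's own.

```c
/* Added example, not from the thread: items A and B of the message above,
   written with __builtin_add_overflow / __builtin_mul_overflow.
   Assumes GCC or Clang. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Item A: (hi, lo) form one 64-bit counter made of two 32-bit halves.
   Adding 1 to lo yields a bool carry, which is then added into hi: the
   nested call the draft wording rejects because a bool is an operand.
   Returns true only if the whole 64-bit counter wrapped. */
static bool
increment_2x32 (uint32_t *hi, uint32_t *lo)
{
  return __builtin_add_overflow (*hi, __builtin_add_overflow (*lo, 1u, lo), hi);
}

/* Item B: checked size_t arithmetic of the kind that precedes an
   allocation: n elements of elem_size bytes plus a header.  On overflow
   *out is left untouched and false is returned, so a caller cannot
   allocate a wrapped, too-small buffer by accident. */
static bool
checked_alloc_size (size_t n, size_t elem_size, size_t header, size_t *out)
{
  size_t bytes;
  if (__builtin_mul_overflow (n, elem_size, &bytes)
      || __builtin_add_overflow (bytes, header, &bytes))
    return false;
  *out = bytes;
  return true;
}

int
main (void)
{
  uint32_t hi = 0, lo = UINT32_MAX;
  bool wrapped = increment_2x32 (&hi, &lo);
  printf ("carry: hi=%u lo=%u wrapped=%d\n",
          (unsigned) hi, (unsigned) lo, (int) wrapped);

  size_t bytes;
  if (checked_alloc_size (SIZE_MAX / 2, 4, 16, &bytes))
    printf ("size: %zu\n", bytes);
  else
    printf ("size: overflow detected, allocation refused\n");
  return 0;
}
```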
