bug-gnulib
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: proposed new module intoverflow


From: Paul Eggert
Subject: Re: proposed new module intoverflow
Date: Sun, 15 May 2011 09:48:42 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10

On 05/10/11 09:54, Paul Eggert wrote:
> This proposal also uses "SUM"
> instead of "ADD", "DIFFERENCE" rather than "SUBTRACT", etc., for
> reasons that escape me: I can easily change the names back if that's
> what people prefer.

Nobody expressed a preference, but I liked the old names so I changed
them back.  For the record, here's what I installed; this includes
the new intprops-test module.

>From 3e147bbf2109c91d301961a288993fd7e7984bfb Mon Sep 17 00:00:00 2001
From: Paul Eggert <address@hidden>
Date: Sun, 15 May 2011 09:35:12 -0700
Subject: [PATCH 1/2] intprops: add safe, portable integer overflow checking

* lib/intprops.h (_GL_INT_CONVERT, _GL_INT_TWOS_COMPLEMENT):
(_GL_INT_SIGNED, _GL_INT_MINIMUM, _GL_INT_MAXIMUM):
(_GL_SIGNED_INT_MINIMUM, INT_ADD_RANGE_OVERFLOW):
(INT__SUBTRACT__RANGE_OVERFLOW, INT_NEGATE_RANGE_OVERFLOW):
(INT_MULTIPLY_RANGE_OVERFLOW, INT_REMAINDER_RANGE_OVERFLOW):
(INT_LEFT_SHIFT_RANGE_OVERFLOW, _GL_ADD_OVERFLOW):
(_GL__SUBTRACT__OVERFLOW, _GL_MULTIPLY_OVERFLOW, _GL_DIVIDE_OVERFLOW):
(_GL_REMAINDER_OVERFLOW, _GL_UNSIGNED_NEG_MULTIPLE, INT_ADD_OVERFLOW):
(INT__SUBTRACT__OVERFLOW, INT_NEGATE_OVERFLOW, INT_MULTIPLY_OVERFLOW):
(INT_DIVIDE_OVERFLOW, INT_REMAINDER_OVERFLOW):
(INT_LEFT_SHIFT_OVERFLOW, _GL_BINARY_OP_OVERFLOW): New macros.
---
 ChangeLog      |   15 ++++
 lib/intprops.h |  220 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 234 insertions(+), 1 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9654f9f..ef91dd2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2011-05-13  Paul Eggert  <address@hidden>
+
+       intprops: add safe, portable integer overflow checking
+       * lib/intprops.h (_GL_INT_CONVERT, _GL_INT_TWOS_COMPLEMENT):
+       (_GL_INT_SIGNED, _GL_INT_MINIMUM, _GL_INT_MAXIMUM):
+       (_GL_SIGNED_INT_MINIMUM, INT_ADD_RANGE_OVERFLOW):
+       (INT__SUBTRACT__RANGE_OVERFLOW, INT_NEGATE_RANGE_OVERFLOW):
+       (INT_MULTIPLY_RANGE_OVERFLOW, INT_REMAINDER_RANGE_OVERFLOW):
+       (INT_LEFT_SHIFT_RANGE_OVERFLOW, _GL_ADD_OVERFLOW):
+       (_GL__SUBTRACT__OVERFLOW, _GL_MULTIPLY_OVERFLOW, _GL_DIVIDE_OVERFLOW):
+       (_GL_REMAINDER_OVERFLOW, _GL_UNSIGNED_NEG_MULTIPLE, INT_ADD_OVERFLOW):
+       (INT__SUBTRACT__OVERFLOW, INT_NEGATE_OVERFLOW, INT_MULTIPLY_OVERFLOW):
+       (INT_DIVIDE_OVERFLOW, INT_REMAINDER_OVERFLOW):
+       (INT_LEFT_SHIFT_OVERFLOW, _GL_BINARY_OP_OVERFLOW): New macros.
+
 2011-05-12  James Youngman  <address@hidden>
 
        Add a test for glibc's Bugzilla bug #12378.
diff --git a/lib/intprops.h b/lib/intprops.h
index 529b0fa..a84bd6a 100644
--- a/lib/intprops.h
+++ b/lib/intprops.h
@@ -22,6 +22,11 @@
 
 #include <limits.h>
 
+/* Return a integer value, converted to the same type as the integer
+   expression E after integer type promotion.  V is the unconverted value.
+   E should not have side effects.  */
+#define _GL_INT_CONVERT(e, v) ((e) - (e) + (v))
+
 /* The extra casts in the following macros work around compiler bugs,
    e.g., in Cray C 5.0.3.0.  */
 
@@ -37,13 +42,23 @@
 #define TYPE_ONES_COMPLEMENT(t) ((t) ~ (t) 0 == 0)
 #define TYPE_SIGNED_MAGNITUDE(t) ((t) ~ (t) 0 < (t) -1)
 
+/* True if the signed integer expression E uses two's complement.  */
+#define _GL_INT_TWOS_COMPLEMENT(e) (~ _GL_INT_CONVERT (e, 0) == -1)
+
 /* True if the arithmetic type T is signed.  */
 #define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
 
-/* The maximum and minimum values for the integer type T.  These
+/* Return 1 if the integer expression E, after integer promotion, has
+   a signed type.  E should not have side effects.  */
+#define _GL_INT_SIGNED(e) (_GL_INT_CONVERT (e, -1) < 0)
+
+
+/* Minimum and maximum values for integer types and expressions.  These
    macros have undefined behavior if T is signed and has padding bits.
    If this is a problem for you, please let us know how to fix it for
    your host.  */
+
+/* The maximum and minimum values for the integer type T.  */
 #define TYPE_MINIMUM(t)                                                 \
   ((t) (! TYPE_SIGNED (t)                                               \
         ? (t) 0                                                         \
@@ -55,6 +70,20 @@
         ? (t) -1                                                        \
         : ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))
 
+/* The maximum and minimum values for the type of the expression E,
+   after integer promotion.  E should not have side effects.  */
+#define _GL_INT_MINIMUM(e)                                              \
+  (_GL_INT_SIGNED (e)                                                   \
+   ? - _GL_INT_TWOS_COMPLEMENT (e) - _GL_SIGNED_INT_MAXIMUM (e)         \
+   : _GL_INT_CONVERT (e, 0))
+#define _GL_INT_MAXIMUM(e)                                              \
+  (_GL_INT_SIGNED (e)                                                   \
+   ? _GL_SIGNED_INT_MAXIMUM (e)                                         \
+   : _GL_INT_CONVERT (e, -1))
+#define _GL_SIGNED_INT_MAXIMUM(e)                                       \
+  (((_GL_INT_CONVERT (e, 1) << (sizeof ((e) + 0) * CHAR_BIT - 2)) - 1) * 2 + 1)
+
+
 /* Return 1 if the __typeof__ keyword works.  This could be done by
    'configure', but for now it's easier to do it by hand.  */
 #if 2 <= __GNUC__ || 0x5110 <= __SUNPRO_C
@@ -93,4 +122,193 @@
    including the terminating null.  */
 #define INT_BUFSIZE_BOUND(t) (INT_STRLEN_BOUND (t) + 1)
 
+
+/* Range overflow checks.
+
+   The INT_<op>_RANGE_OVERFLOW macros return 1 if the corresponding C
+   operators might not yield numerically correct answers due to
+   arithmetic overflow.  They do not rely on undefined or
+   implementation-defined behavior.  Their implementations are simple
+   and straightforward, but they are a bit harder to use than the
+   INT_<op>_OVERFLOW macros described below.
+
+   Example usage:
+
+     long int i = ...;
+     long int j = ...;
+     if (INT_MULTIPLY_RANGE_OVERFLOW (i, j, LONG_MIN, LONG_MAX))
+       printf ("multiply would overflow");
+     else
+       printf ("product is %ld", i * j);
+
+   Restrictions on *_RANGE_OVERFLOW macros:
+
+   These macros do not check for all possible numerical problems or
+   undefined or unspecified behavior: they do not check for division
+   by zero, for bad shift counts, or for shifting negative numbers.
+
+   These macros may evaluate their arguments zero or multiple times,
+   so the arguments should not have side effects.  The arithmetic
+   arguments (including the MIN and MAX arguments) must be of the same
+   integer type after the usual arithmetic conversions, and the type
+   must have minimum value MIN and maximum MAX.  Unsigned types should
+   use a zero MIN of the proper type.
+
+   These macros are tuned for constant MIN and MAX.  For commutative
+   operations such as A + B, they are also tuned for constant B.  */
+
+/* Return 1 if A + B would overflow in [MIN,MAX] arithmetic.
+   See above for restrictions.  */
+#define INT_ADD_RANGE_OVERFLOW(a, b, min, max)          \
+  ((b) < 0                                              \
+   ? (a) < (min) - (b)                                  \
+   : (max) - (b) < (a))
+
+/* Return 1 if A - B would overflow in [MIN,MAX] arithmetic.
+   See above for restrictions.  */
+#define INT_SUBTRACT_RANGE_OVERFLOW(a, b, min, max)     \
+  ((b) < 0                                              \
+   ? (max) + (b) < (a)                                  \
+   : (a) < (min) + (b))
+
+/* Return 1 if - A would overflow in [MIN,MAX] arithmetic.
+   See above for restrictions.  */
+#define INT_NEGATE_RANGE_OVERFLOW(a, min, max)          \
+  ((min) < 0                                            \
+   ? (a) < - (max)                                      \
+   : 0 < (a))
+
+/* Return 1 if A * B would overflow in [MIN,MAX] arithmetic.
+   See above for restrictions.  */
+#define INT_MULTIPLY_RANGE_OVERFLOW(a, b, min, max)     \
+  ((b) < 0                                              \
+   ? ((a) < 0                                           \
+      ? (a) < (max) / (b)                               \
+      : (b) < -1 && (min) / (b) < (a))                  \
+   : (0 < (b)                                           \
+      && ((a) < 0                                       \
+          ? (a) < (min) / (b)                           \
+          : (max) / (b) < (a))))
+
+/* Return 1 if A / B would overflow in [MIN,MAX] arithmetic.
+   See above for restrictions.  Do not check for division by zero.  */
+#define INT_DIVIDE_RANGE_OVERFLOW(a, b, min, max)       \
+  ((min) < 0 && (b) == -1 && (a) < - (max))
+
+/* Return 1 if A % B would overflow in [MIN,MAX] arithmetic.
+   See above for restrictions.  Do not check for division by zero.
+   Mathematically, % should never overflow, but on x86-like hosts
+   INT_MIN % -1 traps, and the C standard permits this, so treat this
+   as an overflow too.  */
+#define INT_REMAINDER_RANGE_OVERFLOW(a, b, min, max)    \
+  INT_DIVIDE_RANGE_OVERFLOW (a, b, min, max)
+
+/* Return 1 if A << B would overflow in [MIN,MAX] arithmetic.
+   See above for restrictions.  Here, MIN and MAX are for A only, and B need
+   not be of the same type as the other arguments.  The C standard says that
+   behavior is undefined for shifts unless 0 <= B < wordwidth, and that when
+   A is negative then A << B has undefined behavior and A >> B has
+   implementation-defined behavior, but do not check these other
+   restrictions.  */
+#define INT_LEFT_SHIFT_RANGE_OVERFLOW(a, b, min, max)   \
+  ((a) < 0                                              \
+   ? (a) < (min) >> (b)                                 \
+   : (max) >> (b) < (a))
+
+
+/* The _GL*_OVERFLOW macros have the same restrictions as the
+   *_RANGE_OVERFLOW macros, except that they do not assume that operands
+   (e.g., A and B) have the same type as MIN and MAX.  Instead, they assume
+   that the result (e.g., A + B) has that type.  */
+#define _GL_ADD_OVERFLOW(a, b, min, max)                                \
+  ((min) < 0 ? INT_ADD_RANGE_OVERFLOW (a, b, min, max)                  \
+   : (a) < 0 ? (b) <= (a) + (b)                                         \
+   : (b) < 0 ? (a) <= (a) + (b)                                         \
+   : (a) + (b) < (b))
+#define _GL_SUBTRACT_OVERFLOW(a, b, min, max)                           \
+  ((min) < 0 ? INT_SUBTRACT_RANGE_OVERFLOW (a, b, min, max)             \
+   : (a) < 0 ? 1                                                        \
+   : (b) < 0 ? (a) - (b) <= (a)                                         \
+   : (a) < (b))
+#define _GL_MULTIPLY_OVERFLOW(a, b, min, max)                           \
+  (((min) == 0 && (((a) < 0 && 0 < (b)) || ((b) < 0 && 0 < (a))))       \
+   || INT_MULTIPLY_RANGE_OVERFLOW (a, b, min, max))
+#define _GL_DIVIDE_OVERFLOW(a, b, min, max)                             \
+  ((min) < 0 ? (b) == _GL_INT_CONVERT (min, -1) && (a) < - (max)        \
+   : (a) < 0 ? (b) <= (a) + (b) - 1                                     \
+   : (b) < 0 && (a) + (b) <= (a))
+#define _GL_REMAINDER_OVERFLOW(a, b, min, max)                          \
+  ((min) < 0 ? (b) == _GL_INT_CONVERT (min, -1) && (a) < - (max)        \
+   : (a) < 0 ? (a) % (b) != ((max) - (b) + 1) % (b)                     \
+   : (b) < 0 && ! _GL_UNSIGNED_NEG_MULTIPLE (a, b, max))
+
+/* Return a nonzero value if A is a mathematical multiple of B, where
+   A is unsigned, B is negative, and MAX is the maximum value of A's
+   type.  A's type must be the same as (A % B)'s type.  Normally (A %
+   -B == 0) suffices, but things get tricky if -B would overflow.  */
+#define _GL_UNSIGNED_NEG_MULTIPLE(a, b, max)                            \
+  (((b) < -_GL_SIGNED_INT_MAXIMUM (b)                                   \
+    ? (_GL_SIGNED_INT_MAXIMUM (b) == (max)                              \
+       ? (a)                                                            \
+       : (a) % (_GL_INT_CONVERT (a, _GL_SIGNED_INT_MAXIMUM (b)) + 1))   \
+    : (a) % - (b))                                                      \
+   == 0)
+
+
+/* Integer overflow checks.
+
+   The INT_<op>_OVERFLOW macros return 1 if the corresponding C operators
+   might not yield numerically correct answers due to arithmetic overflow.
+   They work correctly on all known practical hosts, and do not rely
+   on undefined behavior due to signed arithmetic overflow.
+
+   Example usage:
+
+     long int i = ...;
+     long int j = ...;
+     if (INT_MULTIPLY_OVERFLOW (i, j))
+       printf ("multiply would overflow");
+     else
+       printf ("product is %ld", i * j);
+
+   These macros do not check for all possible numerical problems or
+   undefined or unspecified behavior: they do not check for division
+   by zero, for bad shift counts, or for shifting negative numbers.
+
+   These macros may evaluate their arguments zero or multiple times, so the
+   arguments should not have side effects.
+
+   These macros are tuned for their last argument being a constant.
+
+   Return 1 if the integer expressions A * B, A - B, -A, A * B, A / B,
+   A % B, and A << B would overflow, respectively.  */
+
+#define INT_ADD_OVERFLOW(a, b) \
+  _GL_BINARY_OP_OVERFLOW (a, b, _GL_ADD_OVERFLOW)
+#define INT_SUBTRACT_OVERFLOW(a, b) \
+  _GL_BINARY_OP_OVERFLOW (a, b, _GL_SUBTRACT_OVERFLOW)
+#define INT_NEGATE_OVERFLOW(a) \
+  INT_NEGATE_RANGE_OVERFLOW (a, _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
+#define INT_MULTIPLY_OVERFLOW(a, b) \
+  _GL_BINARY_OP_OVERFLOW (a, b, _GL_MULTIPLY_OVERFLOW)
+#define INT_DIVIDE_OVERFLOW(a, b) \
+  _GL_BINARY_OP_OVERFLOW (a, b, _GL_DIVIDE_OVERFLOW)
+#define INT_REMAINDER_OVERFLOW(a, b) \
+  _GL_BINARY_OP_OVERFLOW (a, b, _GL_REMAINDER_OVERFLOW)
+#define INT_LEFT_SHIFT_OVERFLOW(a, b) \
+  INT_LEFT_SHIFT_RANGE_OVERFLOW (a, b, \
+                                 _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
+
+/* Return 1 if the expression A <op> B would overflow,
+   where OP_RESULT_OVERFLOW (A, B, MIN, MAX) does the actual test,
+   assuming MIN and MAX are the minimum and maximum for the result type.
+
+   This macro assumes that A | B is a valid integer if both A and B are,
+   which is true of all known practical hosts.  If this is a problem
+   for you, please let us know how to fix it for your host.  */
+#define _GL_BINARY_OP_OVERFLOW(a, b, op_result_overflow)        \
+  op_result_overflow (a, b,                                     \
+                      _GL_INT_MINIMUM ((a) | (b)),              \
+                      _GL_INT_MAXIMUM ((a) | (b)))
+
 #endif /* _GL_INTPROPS_H */
-- 
1.7.5.1


>From aa31a0ed5afcc980e9b22e25f2a1dc520030ce09 Mon Sep 17 00:00:00 2001
From: Paul Eggert <address@hidden>
Date: Sun, 15 May 2011 09:37:21 -0700
Subject: [PATCH 2/2] intprops-tests: new module

* modules/intprops-tests, tests/test-intprops.c: New files.
---
 ChangeLog              |    3 +
 modules/intprops-tests |   13 +++
 tests/test-intprops.c  |  253 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 269 insertions(+), 0 deletions(-)
 create mode 100644 modules/intprops-tests
 create mode 100644 tests/test-intprops.c

diff --git a/ChangeLog b/ChangeLog
index ef91dd2..c2a67da 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2011-05-13  Paul Eggert  <address@hidden>
 
+       intprops-tests: new module
+       * modules/intprops-tests, tests/test-intprops.c: New files.
+
        intprops: add safe, portable integer overflow checking
        * lib/intprops.h (_GL_INT_CONVERT, _GL_INT_TWOS_COMPLEMENT):
        (_GL_INT_SIGNED, _GL_INT_MINIMUM, _GL_INT_MAXIMUM):
diff --git a/modules/intprops-tests b/modules/intprops-tests
new file mode 100644
index 0000000..4aa04d9
--- /dev/null
+++ b/modules/intprops-tests
@@ -0,0 +1,13 @@
+Files:
+tests/test-intprops.c
+
+Depends-on:
+inttypes
+stdbool
+verify
+
+configure.ac:
+
+Makefile.am:
+TESTS += test-intprops
+check_PROGRAMS += test-intprops
diff --git a/tests/test-intprops.c b/tests/test-intprops.c
new file mode 100644
index 0000000..aae2614
--- /dev/null
+++ b/tests/test-intprops.c
@@ -0,0 +1,253 @@
+/* Test intprops.h.
+   Copyright (C) 2011 Free Software Foundation, Inc.
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
+
+/* Written by Paul Eggert.  */
+
+#include <config.h>
+
+#include "intprops.h"
+#include "verify.h"
+
+#include <stdbool.h>
+#include <inttypes.h>
+
+/* TYPE_IS_INTEGER.  */
+verify (TYPE_IS_INTEGER (bool));
+verify (TYPE_IS_INTEGER (char));
+verify (TYPE_IS_INTEGER (signed char));
+verify (TYPE_IS_INTEGER (unsigned char));
+verify (TYPE_IS_INTEGER (short int));
+verify (TYPE_IS_INTEGER (unsigned short int));
+verify (TYPE_IS_INTEGER (int));
+verify (TYPE_IS_INTEGER (unsigned int));
+verify (TYPE_IS_INTEGER (long int));
+verify (TYPE_IS_INTEGER (unsigned long int));
+verify (TYPE_IS_INTEGER (intmax_t));
+verify (TYPE_IS_INTEGER (uintmax_t));
+verify (! TYPE_IS_INTEGER (float));
+verify (! TYPE_IS_INTEGER (double));
+verify (! TYPE_IS_INTEGER (long double));
+
+/* Integer representation.  */
+verify (INT_MIN + INT_MAX < 0
+        ? (TYPE_TWOS_COMPLEMENT (int)
+           && ! TYPE_ONES_COMPLEMENT (int) && ! TYPE_SIGNED_MAGNITUDE (int))
+        : (! TYPE_TWOS_COMPLEMENT (int)
+           && (TYPE_ONES_COMPLEMENT (int) || TYPE_SIGNED_MAGNITUDE (int))));
+
+/* TYPE_SIGNED.  */
+/* verify (! TYPE_SIGNED (bool)); */ /* not guaranteed by gnulib substitute */
+verify (TYPE_SIGNED (signed char));
+verify (! TYPE_SIGNED (unsigned char));
+verify (TYPE_SIGNED (short int));
+verify (! TYPE_SIGNED (unsigned short int));
+verify (TYPE_SIGNED (int));
+verify (! TYPE_SIGNED (unsigned int));
+verify (TYPE_SIGNED (long int));
+verify (! TYPE_SIGNED (unsigned long int));
+verify (TYPE_SIGNED (intmax_t));
+verify (! TYPE_SIGNED (uintmax_t));
+verify (TYPE_SIGNED (float));
+verify (TYPE_SIGNED (double));
+verify (TYPE_SIGNED (long double));
+
+/* TYPE_MINIMUM, TYPE_MAXIMUM.  */
+verify (TYPE_MINIMUM (char) == CHAR_MIN);
+verify (TYPE_MAXIMUM (char) == CHAR_MAX);
+verify (TYPE_MINIMUM (unsigned char) == 0);
+verify (TYPE_MAXIMUM (unsigned char) == UCHAR_MAX);
+verify (TYPE_MINIMUM (signed char) == SCHAR_MIN);
+verify (TYPE_MAXIMUM (signed char) == SCHAR_MAX);
+verify (TYPE_MINIMUM (short int) == SHRT_MIN);
+verify (TYPE_MAXIMUM (short int) == SHRT_MAX);
+verify (TYPE_MINIMUM (unsigned short int) == 0);
+verify (TYPE_MAXIMUM (unsigned short int) == USHRT_MAX);
+verify (TYPE_MINIMUM (int) == INT_MIN);
+verify (TYPE_MAXIMUM (int) == INT_MAX);
+verify (TYPE_MINIMUM (unsigned int) == 0);
+verify (TYPE_MAXIMUM (unsigned int) == UINT_MAX);
+verify (TYPE_MINIMUM (long int) == LONG_MIN);
+verify (TYPE_MAXIMUM (long int) == LONG_MAX);
+verify (TYPE_MINIMUM (unsigned long int) == 0);
+verify (TYPE_MAXIMUM (unsigned long int) == ULONG_MAX);
+verify (TYPE_MINIMUM (intmax_t) == INTMAX_MIN);
+verify (TYPE_MAXIMUM (intmax_t) == INTMAX_MAX);
+verify (TYPE_MINIMUM (uintmax_t) == 0);
+verify (TYPE_MAXIMUM (uintmax_t) == UINTMAX_MAX);
+
+/* INT_BITS_STRLEN_BOUND.  */
+verify (INT_BITS_STRLEN_BOUND (1) == 1);
+verify (INT_BITS_STRLEN_BOUND (2620) == 789);
+
+/* INT_STRLEN_BOUND, INT_BUFSIZE_BOUND.  */
+#ifdef INT32_MAX /* POSIX guarantees int32_t; this ports to non-POSIX hosts */
+verify (INT_STRLEN_BOUND (int32_t) == sizeof ("-2147483648") - 1);
+verify (INT_BUFSIZE_BOUND (int32_t) == sizeof ("-2147483648"));
+#endif
+#ifdef INT64_MAX
+verify (INT_STRLEN_BOUND (int64_t) == sizeof ("-9223372036854775808") - 1);
+verify (INT_BUFSIZE_BOUND (int64_t) == sizeof ("-9223372036854775808"));
+#endif
+
+/* All the INT_<op>_RANGE_OVERFLOW tests are equally valid as
+   INT_<op>_OVERFLOW tests, so define a single macro to do both.  */
+#define check_binop(op, a, b, min, max, overflow)                      \
+  (INT_##op##_RANGE_OVERFLOW (a, b, min, max) == (overflow)            \
+   && INT_##op##_OVERFLOW (a, b) == (overflow))
+#define check_unop(op, a, min, max, overflow)                          \
+  (INT_##op##_RANGE_OVERFLOW (a, min, max) == (overflow)               \
+   && INT_##op##_OVERFLOW (a) == (overflow))
+
+/* INT_<op>_RANGE_OVERFLOW, INT_<op>_OVERFLOW.  */
+verify (INT_ADD_RANGE_OVERFLOW (INT_MAX, 1, INT_MIN, INT_MAX));
+verify (INT_ADD_OVERFLOW (INT_MAX, 1));
+verify (check_binop (ADD, INT_MAX, 1, INT_MIN, INT_MAX, true));
+verify (check_binop (ADD, INT_MAX, -1, INT_MIN, INT_MAX, false));
+verify (check_binop (ADD, INT_MIN, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (ADD, INT_MIN, -1, INT_MIN, INT_MAX, true));
+verify (check_binop (ADD, UINT_MAX, 1u, 0u, UINT_MAX, true));
+verify (check_binop (ADD, 0u, 1u, 0u, UINT_MAX, false));
+
+verify (check_binop (SUBTRACT, INT_MAX, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (SUBTRACT, INT_MAX, -1, INT_MIN, INT_MAX, true));
+verify (check_binop (SUBTRACT, INT_MIN, 1, INT_MIN, INT_MAX, true));
+verify (check_binop (SUBTRACT, INT_MIN, -1, INT_MIN, INT_MAX, false));
+verify (check_binop (SUBTRACT, UINT_MAX, 1u, 0u, UINT_MAX, false));
+verify (check_binop (SUBTRACT, 0u, 1u, 0u, UINT_MAX, true));
+
+verify (check_unop (NEGATE, INT_MIN, INT_MIN, INT_MAX,
+                    TYPE_TWOS_COMPLEMENT (int)));
+verify (check_unop (NEGATE, 0, INT_MIN, INT_MAX, false));
+verify (check_unop (NEGATE, INT_MAX, INT_MIN, INT_MAX, false));
+verify (check_unop (NEGATE, 0u, 0u, UINT_MAX, false));
+verify (check_unop (NEGATE, 1u, 0u, UINT_MAX, true));
+verify (check_unop (NEGATE, UINT_MAX, 0u, UINT_MAX, true));
+
+verify (check_binop (MULTIPLY, INT_MAX, INT_MAX, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, INT_MAX, INT_MIN, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, INT_MIN, INT_MAX, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, INT_MIN, INT_MIN, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, -1, INT_MIN, INT_MIN, INT_MAX,
+                     INT_NEGATE_OVERFLOW (INT_MIN)));
+verify (check_binop (MULTIPLY, LONG_MIN / INT_MAX, (long int) INT_MAX,
+                     LONG_MIN, LONG_MIN, false));
+
+verify (check_binop (DIVIDE, INT_MIN, -1, INT_MIN, INT_MAX,
+                     INT_NEGATE_OVERFLOW (INT_MIN)));
+verify (check_binop (DIVIDE, INT_MAX, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (DIVIDE, (unsigned int) INT_MIN,
+                     -1u, 0u, UINT_MAX, false));
+
+verify (check_binop (REMAINDER, INT_MIN, -1, INT_MIN, INT_MAX,
+                     INT_NEGATE_OVERFLOW (INT_MIN)));
+verify (check_binop (REMAINDER, INT_MAX, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (REMAINDER, (unsigned int) INT_MIN,
+                     -1u, 0u, UINT_MAX, false));
+
+verify (check_binop (LEFT_SHIFT, UINT_MAX, 1, 0u, UINT_MAX, true));
+verify (check_binop (LEFT_SHIFT, UINT_MAX / 2 + 1, 1, 0u, UINT_MAX, true));
+verify (check_binop (LEFT_SHIFT, UINT_MAX / 2, 1, 0u, UINT_MAX, false));
+
+/* INT_<op>_OVERFLOW with mixed types.  */
+#define check_sum(a, b, overflow)                       \
+  verify (INT_ADD_OVERFLOW (a, b) == (overflow));       \
+  verify (INT_ADD_OVERFLOW (b, a) == (overflow))
+check_sum (-1, LONG_MIN, true);
+check_sum (-1, UINT_MAX, false);
+check_sum (-1L, INT_MIN, INT_MIN == LONG_MIN);
+check_sum (0u, -1, true);
+check_sum (0u, 0, false);
+check_sum (0u, 1, false);
+check_sum (1, LONG_MAX, true);
+check_sum (1, UINT_MAX, true);
+check_sum (1L, INT_MAX, INT_MAX == LONG_MAX);
+check_sum (1u, INT_MAX, INT_MAX == UINT_MAX);
+check_sum (1u, INT_MIN, true);
+
+verify (! INT_SUBTRACT_OVERFLOW (INT_MAX, 1u));
+verify (! INT_SUBTRACT_OVERFLOW (UINT_MAX, 1));
+verify (! INT_SUBTRACT_OVERFLOW (0u, -1));
+verify (INT_SUBTRACT_OVERFLOW (UINT_MAX, -1));
+verify (INT_SUBTRACT_OVERFLOW (INT_MIN, 1u));
+verify (INT_SUBTRACT_OVERFLOW (-1, 0u));
+
+#define check_product(a, b, overflow)                   \
+  verify (INT_MULTIPLY_OVERFLOW (a, b) == (overflow));   \
+  verify (INT_MULTIPLY_OVERFLOW (b, a) == (overflow))
+
+check_product (-1, 1u, true);
+check_product (-1, INT_MIN, INT_NEGATE_OVERFLOW (INT_MIN));
+check_product (-1, UINT_MAX, true);
+check_product (-12345, LONG_MAX / -12345 - 1, true);
+check_product (-12345, LONG_MAX / -12345, false);
+check_product (0, -1, false);
+check_product (0, 0, false);
+check_product (0, 0u, false);
+check_product (0, 1, false);
+check_product (0, INT_MAX, false);
+check_product (0, INT_MIN, false);
+check_product (0, UINT_MAX, false);
+check_product (0u, -1, false);
+check_product (0u, 0, false);
+check_product (0u, 0u, false);
+check_product (0u, 1, false);
+check_product (0u, INT_MAX, false);
+check_product (0u, INT_MIN, false);
+check_product (0u, UINT_MAX, false);
+check_product (1, INT_MAX, false);
+check_product (1, INT_MIN, false);
+check_product (1, UINT_MAX, false);
+check_product (1u, INT_MIN, true);
+check_product (1u, INT_MAX, UINT_MAX < INT_MAX);
+check_product (INT_MAX, UINT_MAX, true);
+check_product (INT_MAX, ULONG_MAX, true);
+check_product (INT_MIN, LONG_MAX / INT_MIN - 1, true);
+check_product (INT_MIN, LONG_MAX / INT_MIN, false);
+check_product (INT_MIN, UINT_MAX, true);
+check_product (INT_MIN, ULONG_MAX, true);
+
+verify (INT_DIVIDE_OVERFLOW (INT_MIN, -1L)
+        == (TYPE_TWOS_COMPLEMENT (long int) && INT_MIN == LONG_MIN));
+verify (! INT_DIVIDE_OVERFLOW (INT_MIN, UINT_MAX));
+verify (! INT_DIVIDE_OVERFLOW (INTMAX_MIN, UINTMAX_MAX));
+verify (! INT_DIVIDE_OVERFLOW (INTMAX_MIN, UINT_MAX));
+verify (INT_DIVIDE_OVERFLOW (-11, 10u));
+verify (INT_DIVIDE_OVERFLOW (-10, 10u));
+verify (! INT_DIVIDE_OVERFLOW (-9, 10u));
+verify (INT_DIVIDE_OVERFLOW (11u, -10));
+verify (INT_DIVIDE_OVERFLOW (10u, -10));
+verify (! INT_DIVIDE_OVERFLOW (9u, -10));
+
+verify (INT_REMAINDER_OVERFLOW (INT_MIN, -1L)
+        == (TYPE_TWOS_COMPLEMENT (long int) && INT_MIN == LONG_MIN));
+verify (INT_REMAINDER_OVERFLOW (-1, UINT_MAX));
+verify (INT_REMAINDER_OVERFLOW ((intmax_t) -1, UINTMAX_MAX));
+verify (INT_REMAINDER_OVERFLOW (INTMAX_MIN, UINT_MAX)
+        == (INTMAX_MAX < UINT_MAX
+            && - (unsigned int) INTMAX_MIN % UINT_MAX != 0));
+verify (INT_REMAINDER_OVERFLOW (INT_MIN, ULONG_MAX)
+        == (INT_MIN % ULONG_MAX != 1));
+verify (! INT_REMAINDER_OVERFLOW (1u, -1));
+verify (! INT_REMAINDER_OVERFLOW (37*39u, -39));
+verify (INT_REMAINDER_OVERFLOW (37*39u + 1, -39));
+verify (INT_REMAINDER_OVERFLOW (37*39u - 1, -39));
+verify (! INT_REMAINDER_OVERFLOW (LONG_MAX, -INT_MAX));
+
+int
+main (void)
+{
+  return 0;
+}
-- 
1.7.5.1




reply via email to

[Prev in Thread] Current Thread [Next in Thread]