
Re: Modules xsize and idx

From: Bruno Haible
Subject: Re: Modules xsize and idx
Date: Wed, 07 Apr 2021 11:51:48 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-206-generic; KDE/5.18.0; x86_64; ; )

Hi Marc,

> What is the relationship between these two modules? Both try to minimize
> subtle bugs due to overflow.

These two modules, and the wraparound/overflow checking macros of 'intprops'
[1], are attempts to catch integer overflow.

The three approaches differ in terms of coding effort and percentage
of overflows that get caught.

With 'idx', you use signed integers, and rely on compiler options such as
'gcc -ftrapv' or 'gcc -fsanitize=undefined' to report overflows.
  - Coding effort: small.
  - Overflows caught: all.

With 'xsize', you use unsigned integers (size_t), and do a single overflow
check at the end of the computation; this check is implicit if you call
malloc, as malloc (SIZE_MAX) will always fail.
  - Coding effort: medium.
  - Overflows caught: those with explicit checks.

With 'intprops', you use signed or unsigned integers, and do an overflow
check at each step of the computation.
  - Coding effort: high.
  - Overflows caught: those with explicit checks.

> However, both approaches cannot be easily combined as xsize expects
> unsigned integers while idx is a signed one.

You don't need to combine the three approaches for the same computation.
For each computation, pick the approach you prefer.

> What is the suggested use of these modules for new code?

IMO, there's no definite answer to this question. All three approaches are,
in some way, experimental. At least as long as not all distros are
compiling with 'gcc -ftrapv' systematically.

Paul, how do you see this?

(I'm thinking of adding the answers to the documentation.)
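
The three approaches compared above, side by side on one computation (an allocation size of the form header + n * elem_size), as an added example that is not part of this thread and not gnulib's own code: idx_t, xsum(), xtimes(), size_overflow_p() and the CHECKED_* macros below are hand-written stand-ins modelled on gnulib's idx.h, xsize.h and intprops.h, not those headers, and the code assumes GCC or Clang for the __builtin_*_overflow builtins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* --- 1. 'idx' style: signed index type ----------------------------------
 * Stand-in for gnulib's idx_t (a signed type like ptrdiff_t).  Signed overflow
 * is undefined behaviour, so nothing is checked in the source; you rely on
 * 'gcc -ftrapv' or 'gcc -fsanitize=undefined' to report it at run time. */
typedef ptrdiff_t idx_t;

idx_t array_bytes_idx(idx_t header, idx_t n, idx_t elem_size)
{
    return header + n * elem_size;   /* trapped only when built with -ftrapv/UBSan */
}

/* --- 2. 'xsize' style: saturating size_t arithmetic ----------------------
 * Hand-written stand-ins for gnulib's xsum()/xtimes()/size_overflow_p().
 * Any intermediate that would overflow collapses to SIZE_MAX, and SIZE_MAX
 * propagates through later steps, so a single check at the end suffices.
 * Unsigned wraparound is well defined in C, which is exactly why UBSan does
 * NOT flag it and why the saturation is needed. */
static size_t xsum(size_t a, size_t b)
{
    size_t s = a + b;
    return s >= a ? s : SIZE_MAX;
}

static size_t xtimes(size_t n, size_t elem_size)
{
    return elem_size == 0 || n <= SIZE_MAX / elem_size ? n * elem_size : SIZE_MAX;
}

static bool size_overflow_p(size_t s)
{
    return s == SIZE_MAX;
}

size_t array_bytes_xsize(size_t header, size_t n, size_t elem_size)
{
    return xsum(header, xtimes(n, elem_size));   /* SIZE_MAX on overflow */
}

void *alloc_array_xsize(size_t header, size_t n, size_t elem_size)
{
    size_t total = array_bytes_xsize(header, n, elem_size);
    /* The explicit check is optional: malloc(SIZE_MAX) always fails, so the
     * overflow would surface as a NULL return anyway.  Checking explicitly
     * keeps the failure distinguishable from ordinary memory exhaustion. */
    if (size_overflow_p(total))
        return NULL;
    return malloc(total);
}

/* --- 3. 'intprops' style: check every step ------------------------------
 * Modelled on INT_MULTIPLY_WRAPV/INT_ADD_WRAPV.  These stand-ins assume GCC
 * or Clang: __builtin_*_overflow returns true on overflow and otherwise
 * stores the exact result through the pointer. */
#define CHECKED_MUL(a, b, r) __builtin_mul_overflow((a), (b), (r))
#define CHECKED_ADD(a, b, r) __builtin_add_overflow((a), (b), (r))

bool array_bytes_intprops(size_t header, size_t n, size_t elem_size, size_t *out)
{
    size_t product, total;
    if (CHECKED_MUL(n, elem_size, &product))
        return false;                 /* n * elem_size overflowed */
    if (CHECKED_ADD(header, product, &total))
        return false;                 /* header + product overflowed */
    *out = total;
    return true;
}

int main(int argc, char **argv)
{
    size_t total;
    (void)argv;
    printf("idx:      %td bytes\n", array_bytes_idx(16, 4, 8));
    printf("xsize:    %zu bytes (overflow case -> %s)\n",
           array_bytes_xsize(16, 4, 8),
           size_overflow_p(array_bytes_xsize(16, SIZE_MAX, 2)) ? "SIZE_MAX" : "??");
    printf("intprops: %s\n",
           array_bytes_intprops(16, SIZE_MAX, 2, &total) ? "ok" : "overflow rejected");

    /* Pass any argument to exercise the signed overflow.  Built normally it
     * silently wraps (undefined behaviour); built with -fsanitize=undefined or
     * -ftrapv it is reported or aborted, which is the whole 'idx' bet. */
    if (argc > 1)
        printf("idx overflow: %td\n", array_bytes_idx(0, PTRDIFF_MAX, 2));
    return 0;
}
```

Build once with plain `gcc` and once with `gcc -fsanitize=undefined`, then run with an argument: the xsize and intprops paths reject the overflow in both builds, while the idx path only reports it in the sanitized build, which is the coding-effort versus coverage trade-off the message describes.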


