Re: [PATCH jiffies] Avoid undefined behavior from signed overflow

From: caf
Date: Mon Jul 29 2013 - 01:38:50 EST

Next message: Laxman Dewangan: "Re: [PATCH V2] gpio: palmas: Fix misreported GPIO out value"
Previous message: Joonsoo Kim: "[PATCH v3 2/9] mm, hugetlb: trivial commenting fix"
In reply to: Paul E. McKenney: "Re: [PATCH jiffies] Avoid undefined behavior from signed overflow"
Next in thread: Paul E. McKenney: "Re: [PATCH jiffies] Avoid undefined behavior from signed overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting "Paul E. McKenney" <paulmck@xxxxxxxxxxxxxxxxxx>:

According to the C standard 3.4.3p3, overflow of a signed integer results
in undefined behavior. This commit therefore changes the definitions
of time_after() and time_after_eq() to avoid this undefined behavior.
The trick is that the subtraction is done using unsigned arithmetic,
which according to 6.2.5p9 cannot overflow because it is defined as
modulo arithmetic. This has the added (though admittedly quite small)
benefit of shortening two lines of code by four characters each.

Note that the C standard considers the cast from signed to
unsigned to be implementation-defined, see 6.3.1.3p3. However, on a
two-complement system, an implementation that defines anything other
than a reinterpretation of the bits is free come to me, and I will be
happy to act as a witness for its being committed to an insane asylum.
(Although I have nothing against saturating arithmetic or signals in
some cases, these things really should not be the default.)

Don't worry, the case from signed to unsigned is actually well-defined -
the relevant part is 6.3.1.3p2 (in C99):

Otherwise, if the new type is unsigned, the value is converted by
repeatedly adding or subtracting one more than the maximum value that
can be represented in the new type until the value is in the range of
the new type.

...which ends up just being reinterpretation of the bits on a two's
complement system, as you'd hope (after sign-extension to the width of
the target unsigned type, that is). This actually means if you were
mad enough to implement C on a sign-magnitude system, you'd be forced to
do a non-trivial conversion in this case.

- Kevin

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Laxman Dewangan: "Re: [PATCH V2] gpio: palmas: Fix misreported GPIO out value"
Previous message: Joonsoo Kim: "[PATCH v3 2/9] mm, hugetlb: trivial commenting fix"
In reply to: Paul E. McKenney: "Re: [PATCH jiffies] Avoid undefined behavior from signed overflow"
Next in thread: Paul E. McKenney: "Re: [PATCH jiffies] Avoid undefined behavior from signed overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]