This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Why was the reallocarray function not added to glibc?

On 04/10/2017 03:15 AM, Szabolcs Nagy wrote:
>> http://git.savannah.gnu.org/cgit/gnulib.git/tree/lib/intprops.h
> that is not just ugly
Although the *implementation* of intprops.h is more complicated, its *use* is cleaner. 

> but looks wrong too (it's for signed mul).
No, INT_MULTIPLY_OVERFLOW (a, b) works for both signed and unsigned multiplication. For 'unsigned long' it generates the same code as "b && -1/b < a". 

> the idiomatic unsigned mul overflow check is
>
>   if (b && -1/b < a)
>     return 0;
>   c = a*b;
I disagree that this is "idiomatic", as most programmers don't know this idiom. It would need a comment. Also, the idiom assumes that INTERNAL_SIZE_T is at least as wide as unsigned int, something nowhere documented or checked in the code now. So the inline check should be something like this: 

   /* Return 1 if a * b overflows, 0 otherwise.  This works because
b is unsigned and because we assume it is at least as wide as int. */ 
  _Static_assert (UINT_MAX <= (INTERNAL_SIZE_T) -1,
"INTERNAL_SIZE_T must be at least as wide as 'unsigned'"); 
  return b && -1 / b < a;

In contrast:

  return INT_MULTIPLY_OVERFLOW (a, b);

is easier to maintain and will work no matter how wide INTERNAL_SIZE_T is.
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]