From: Mike Frysinger <vapier@gentoo.org>
To: Joel Brobecker <brobecker@adacore.com>
Cc: gdb-patches@sourceware.org
Subject: Re: [PATCH] sim: tweak signed to unsigned local vars
Date: Mon, 12 Apr 2010 18:30:00 -0000 [thread overview]
Message-ID: <201004121429.11581.vapier@gentoo.org> (raw)
In-Reply-To: <20100412160618.GX19194@adacore.com>
[-- Attachment #1: Type: Text/Plain, Size: 1918 bytes --]
On Monday 12 April 2010 12:06:18 Joel Brobecker wrote:
> > > I'm not sure I agree on this one. "tmp" is used to store the result of
> > > a subtraction of 2 pointers. IIRC, the exact type returned is
> > > ptrdiff_t, which is a signed value...
> >
> > true, but the math should never yield a negative value. the compare is
> > between a base pointer and a pointer returned from strchr() on the base
> > pointer. so the value should always be >= 0 and it should always fit in
> > 32bits.
>
> I always tend to be very careful with this type of reasoning, probably
> because of my past writing safety-critical software (and also how
> surprisingly difficult it turned out to be to formally prove that
> a piece of code would never overflow).
>
> Even if what you are saying is true, I think that we'll have less
> conversion issues if we use the proper types. But that's just me.
> Perhaps others with more C experience than I do will agree with you
> that we're fussing over something that actually does not matter.
this is a string passed via command line option. if it were even remotely
close to the size required to overflow ("unsigned" -> "unsigned int" -> 32bit
on all systems where this socket code is going to be used), something is
terribly wrong elsewhere. even if we grant it 16bit storage, a 65k string
specifying a host:port makes no sense, especially when many systems have a
hard time swallowing a command line over 32k.
i dont have a problem coding defensively when it makes sense, but i cant see
any such requirements in any of the sim code.
further, while ptrdiff_t may make sense since we're diffing two pointers, the
value is passed straight into strncpy() which interprets the value as size_t.
so if we were going to spend the time on this (which i dont think this code
warrants), a lot more code needs to change than the variable type.
-mike
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2010-04-12 18:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-10 21:58 Mike Frysinger
2010-04-12 15:24 ` Joel Brobecker
2010-04-12 15:52 ` Mike Frysinger
2010-04-12 16:06 ` Joel Brobecker
2010-04-12 18:30 ` Mike Frysinger [this message]
2010-04-12 19:59 ` Joel Brobecker
2010-04-12 18:45 ` Mike Frysinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201004121429.11581.vapier@gentoo.org \
--to=vapier@gentoo.org \
--cc=brobecker@adacore.com \
--cc=gdb-patches@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox