* ISO C 23 ahead
@ 2022-08-07 16:42 Bruno Haible
2022-08-10 7:31 ` Paul Eggert
0 siblings, 1 reply; 7+ messages in thread
From: Bruno Haible @ 2022-08-07 16:42 UTC (permalink / raw
To: bug-gnulib
The final draft of ISO C 23 is available:
https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3047.pdf
and the editor was so nice to summarize what's in it:
https://thephd.dev/c23-is-coming-here-is-what-is-on-the-menu
For Gnulib, the most interesting additions are:
- <stdbit.h>
- <stdckdint.h>
- memset_explicit.
But there's more; see the Annex M.1 for details.
Bruno
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ISO C 23 ahead
2022-08-07 16:42 ISO C 23 ahead Bruno Haible
@ 2022-08-10 7:31 ` Paul Eggert
2022-08-10 13:58 ` Bruno Haible
0 siblings, 1 reply; 7+ messages in thread
From: Paul Eggert @ 2022-08-10 7:31 UTC (permalink / raw
To: Bruno Haible; +Cc: bug-gnulib
[-- Attachment #1: Type: text/plain, Size: 541 bytes --]
On 8/7/22 09:42, Bruno Haible wrote:
> For Gnulib, the most interesting additions are:
> - <stdbit.h>
> - <stdckdint.h>
> - memset_explicit.
> But there's more; see the Annex M.1 for details.
Yes, lots more, it looks like. Thanks for the heads-up.
I took a crack at stdckdint.h by installing the attached into Gnulib,
which supports and uses stdckint.h. I suppose we can do something
similar for stdbit.h eventually, though there's no rush.
The first patch also changes verify.h to use C23's 'unreachable' macro
if available.
[-- Attachment #2: 0001-verify-port-assume-to-C23-non-GCC.patch --]
[-- Type: text/x-patch, Size: 2038 bytes --]
From 5b9755278927555b18880c138525557b5ee75bd0 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 9 Aug 2022 23:20:48 -0700
Subject: [PATCH 1/6] =?UTF-8?q?verify:=20port=20=E2=80=98assume=E2=80=99?=
=?UTF-8?q?=20to=20C23=20non-GCC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* lib/verify.h (assume): Use C23's unreachable if available
and if GCC and/or MSC primitives are not available.
---
ChangeLog | 6 ++++++
lib/verify.h | 7 +++++--
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0dfcb7cdd7..dcf5ae8266 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2022-08-09 Paul Eggert <eggert@cs.ucla.edu>
+
+ verify: port ‘assume’ to C23 non-GCC
+ * lib/verify.h (assume): Use C23's unreachable if available
+ and if GCC and/or MSC primitives are not available.
+
2022-08-09 Bruno Haible <bruno@clisp.org>
gnulib-tool.py: Finish implementing option --conditional-dependencies.
diff --git a/lib/verify.h b/lib/verify.h
index c5c63ae97c..47b6ee661b 100644
--- a/lib/verify.h
+++ b/lib/verify.h
@@ -303,13 +303,16 @@ template <int w>
# define assume(R) ((R) ? (void) 0 : __builtin_unreachable ())
#elif 1200 <= _MSC_VER
# define assume(R) __assume (R)
+#elif 202311L <= __STDC_VERSION__
+# include <stddef.h>
+# define assume(R) ((R) ? (void) 0 : unreachable ())
#elif (defined GCC_LINT || defined lint) && _GL_HAS_BUILTIN_TRAP
/* Doing it this way helps various packages when configured with
--enable-gcc-warnings, which compiles with -Dlint. It's nicer
- when 'assume' silences warnings even with older GCCs. */
+ if 'assume' silences warnings with GCC 3.4 through GCC 4.4.7 (2012). */
# define assume(R) ((R) ? (void) 0 : __builtin_trap ())
#else
- /* Some tools grok NOTREACHED, e.g., Oracle Studio 12.6. */
+ /* Some older tools grok NOTREACHED, e.g., Oracle Studio 12.6 (2017). */
# define assume(R) ((R) ? (void) 0 : /*NOTREACHED*/ (void) 0)
#endif
--
2.34.1
[-- Attachment #3: 0002-intprops-refactor-_GL_HAS_BUILTIN_OVERFLOW_P.patch --]
[-- Type: text/x-patch, Size: 2707 bytes --]
From 7523bcf5dc9d8026006777c14e15c44430837f51 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 9 Aug 2022 23:20:49 -0700
Subject: [PATCH 2/6] intprops: refactor _GL_HAS_BUILTIN_OVERFLOW_P
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* lib/intprops.h (_GL_HAS_BUILTIN_OVERFLOW_P)
[_GL_HAS_BUILTIN_OVERFLOW_P]: Use __builtin_sub_overflow_p
directly rather than indirectly via INT_SUBTRACT_OVERFLOW.
This simplifies future changes, and doesn’t change the generated code.
---
ChangeLog | 6 ++++++
lib/intprops.h | 14 +++++++-------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index dcf5ae8266..18e0f7f4f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2022-08-09 Paul Eggert <eggert@cs.ucla.edu>
+ intprops: refactor _GL_HAS_BUILTIN_OVERFLOW_P
+ * lib/intprops.h (_GL_HAS_BUILTIN_OVERFLOW_P)
+ [_GL_HAS_BUILTIN_OVERFLOW_P]: Use __builtin_sub_overflow_p
+ directly rather than indirectly via INT_SUBTRACT_OVERFLOW.
+ This simplifies future changes, and doesn’t change the generated code.
+
verify: port ‘assume’ to C23 non-GCC
* lib/verify.h (assume): Use C23's unreachable if available
and if GCC and/or MSC primitives are not available.
diff --git a/lib/intprops.h b/lib/intprops.h
index d4a917f72a..40c60fc4a8 100644
--- a/lib/intprops.h
+++ b/lib/intprops.h
@@ -129,12 +129,11 @@
/* Range overflow checks.
The INT_<op>_RANGE_OVERFLOW macros return 1 if the corresponding C
- operators might not yield numerically correct answers due to
- arithmetic overflow. They do not rely on undefined or
- implementation-defined behavior. Their implementations are simple
- and straightforward, but they are harder to use and may be less
- efficient than the INT_<op>_WRAPV, INT_<op>_OK, and
- INT_<op>_OVERFLOW macros described below.
+ operators overflow arithmetically when given the same arguments.
+ These macros do not rely on undefined or implementation-defined behavior.
+ Although their implementations are simple and straightforward,
+ they are harder to use and may be less efficient than the
+ INT_<op>_WRAPV, INT_<op>_OK, and INT_<op>_OVERFLOW macros described below.
Example usage:
@@ -365,7 +364,8 @@
#define INT_SUBTRACT_OVERFLOW(a, b) \
_GL_BINARY_OP_OVERFLOW (a, b, _GL_SUBTRACT_OVERFLOW)
#if _GL_HAS_BUILTIN_OVERFLOW_P
-# define INT_NEGATE_OVERFLOW(a) INT_SUBTRACT_OVERFLOW (0, a)
+# define INT_NEGATE_OVERFLOW(a) \
+ __builtin_sub_overflow_p (0, a, (__typeof__ (- (a))) 0)
#else
# define INT_NEGATE_OVERFLOW(a) \
INT_NEGATE_RANGE_OVERFLOW (a, _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
--
2.34.1
[-- Attachment #4: 0003-intprops-refactor-intprops.h-into-two.patch --]
[-- Type: text/x-patch, Size: 38143 bytes --]
From 9331caeffae1b7b5f49b65c98c2ff9cc8f3691fd Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 9 Aug 2022 23:20:49 -0700
Subject: [PATCH 3/6] intprops: refactor intprops.h into two
* lib/intprops.h: Include new file intprops-internal.h.
(_GL_INT_CONVERT, _GL_INT_NEGATE_CONVERT, _GL_INT_MINIMUM)
(_GL_INT_MAXIMUM, _GL_SIGNED_INT_MAXIMUM, LLONG_MAX, LLONG_MIN)
(_GL_HAVE___TYPEOF__, _GL_SIGNED_TYPE_OR_EXPR)
(_GL_HAS_BUILTIN_ADD_OVERFLOW, _GL_HAS_BUILTIN_MUL_OVERFLOW)
(_GL_HAS_BUILTIN_OVERFLOW_P, _GL__GENERIC_BOGUS)
(_GL_INT_OP_WRAPV, _GL_INT_OP_WRAPV_LONGISH, _GL_INT_OP_CALC)
(_GL_INT_OP_WRAPV_VIA_UNSIGNED, _GL_INT_ADD_RANGE_OVERFLOW)
(_GL_INT_SUBTRACT_RANGE_OVERFLOW)
(_GL_INT_MULTIPLY_RANGE_OVERFLOW):
Move to intprops-internal.h.
(TYPE_SIGNED, EXPR_SIGNED, TYPE_WIDTH, INT_NEGATE_RANGE_OVERFLOW)
(INT_NEGATE_OVERFLOW, INT_ADD_WRAPV, INT_SUBTRACT_WRAPV)
(INT_MULTIPLY_WRAPV): Rename to _GL_ prefix, move to
intprops-internal.h, and define here in terms of the _GL_ name.
* lib/intprops-internal.h: New file, containing the above.
* modules/intprops (Files): Add lib/intprops-internal.h.
---
ChangeLog | 19 +++
lib/intprops-internal.h | 370 ++++++++++++++++++++++++++++++++++++++++
lib/intprops.h | 332 +----------------------------------
modules/intprops | 1 +
4 files changed, 399 insertions(+), 323 deletions(-)
create mode 100644 lib/intprops-internal.h
diff --git a/ChangeLog b/ChangeLog
index 18e0f7f4f4..e977f75b65 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,24 @@
2022-08-09 Paul Eggert <eggert@cs.ucla.edu>
+ intprops: refactor intprops.h into two
+ * lib/intprops.h: Include new file intprops-internal.h.
+ (_GL_INT_CONVERT, _GL_INT_NEGATE_CONVERT, _GL_INT_MINIMUM)
+ (_GL_INT_MAXIMUM, _GL_SIGNED_INT_MAXIMUM, LLONG_MAX, LLONG_MIN)
+ (_GL_HAVE___TYPEOF__, _GL_SIGNED_TYPE_OR_EXPR)
+ (_GL_HAS_BUILTIN_ADD_OVERFLOW, _GL_HAS_BUILTIN_MUL_OVERFLOW)
+ (_GL_HAS_BUILTIN_OVERFLOW_P, _GL__GENERIC_BOGUS)
+ (_GL_INT_OP_WRAPV, _GL_INT_OP_WRAPV_LONGISH, _GL_INT_OP_CALC)
+ (_GL_INT_OP_WRAPV_VIA_UNSIGNED, _GL_INT_ADD_RANGE_OVERFLOW)
+ (_GL_INT_SUBTRACT_RANGE_OVERFLOW)
+ (_GL_INT_MULTIPLY_RANGE_OVERFLOW):
+ Move to intprops-internal.h.
+ (TYPE_SIGNED, EXPR_SIGNED, TYPE_WIDTH, INT_NEGATE_RANGE_OVERFLOW)
+ (INT_NEGATE_OVERFLOW, INT_ADD_WRAPV, INT_SUBTRACT_WRAPV)
+ (INT_MULTIPLY_WRAPV): Rename to _GL_ prefix, move to
+ intprops-internal.h, and define here in terms of the _GL_ name.
+ * lib/intprops-internal.h: New file, containing the above.
+ * modules/intprops (Files): Add lib/intprops-internal.h.
+
intprops: refactor _GL_HAS_BUILTIN_OVERFLOW_P
* lib/intprops.h (_GL_HAS_BUILTIN_OVERFLOW_P)
[_GL_HAS_BUILTIN_OVERFLOW_P]: Use __builtin_sub_overflow_p
diff --git a/lib/intprops-internal.h b/lib/intprops-internal.h
new file mode 100644
index 0000000000..11c5ba979a
--- /dev/null
+++ b/lib/intprops-internal.h
@@ -0,0 +1,370 @@
+/* intprops-internal.h -- properties of integer types not visible to users
+
+ Copyright (C) 2001-2022 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published
+ by the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>. */
+
+#ifndef _GL_INTPROPS_INTERNAL_H
+#define _GL_INTPROPS_INTERNAL_H
+
+#include <limits.h>
+
+/* Return a value with the common real type of E and V and the value of V.
+ Do not evaluate E. */
+#define _GL_INT_CONVERT(e, v) ((1 ? 0 : (e)) + (v))
+
+/* Act like _GL_INT_CONVERT (E, -V) but work around a bug in IRIX 6.5 cc; see
+ <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00406.html>. */
+#define _GL_INT_NEGATE_CONVERT(e, v) ((1 ? 0 : (e)) - (v))
+
+/* The extra casts in the following macros work around compiler bugs,
+ e.g., in Cray C 5.0.3.0. */
+
+/* True if the real type T is signed. */
+#define _GL_TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
+
+/* Return 1 if the real expression E, after promotion, has a
+ signed or floating type. Do not evaluate E. */
+#define _GL_EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)
+
+
+/* Minimum and maximum values for integer types and expressions. */
+
+/* The width in bits of the integer type or expression T.
+ Do not evaluate T. T must not be a bit-field expression.
+ Padding bits are not supported; this is checked at compile-time below. */
+#define _GL_TYPE_WIDTH(t) (sizeof (t) * CHAR_BIT)
+
+/* The maximum and minimum values for the type of the expression E,
+ after integer promotion. E is not evaluated. */
+#define _GL_INT_MINIMUM(e) \
+ (_GL_EXPR_SIGNED (e) \
+ ? ~ _GL_SIGNED_INT_MAXIMUM (e) \
+ : _GL_INT_CONVERT (e, 0))
+#define _GL_INT_MAXIMUM(e) \
+ (_GL_EXPR_SIGNED (e) \
+ ? _GL_SIGNED_INT_MAXIMUM (e) \
+ : _GL_INT_NEGATE_CONVERT (e, 1))
+#define _GL_SIGNED_INT_MAXIMUM(e) \
+ (((_GL_INT_CONVERT (e, 1) << (_GL_TYPE_WIDTH (+ (e)) - 2)) - 1) * 2 + 1)
+
+/* Work around OpenVMS incompatibility with C99. */
+#if !defined LLONG_MAX && defined __INT64_MAX
+# define LLONG_MAX __INT64_MAX
+# define LLONG_MIN __INT64_MIN
+#endif
+
+/* This include file assumes that signed types are two's complement without
+ padding bits; the above macros have undefined behavior otherwise.
+ If this is a problem for you, please let us know how to fix it for your host.
+ This assumption is tested by the intprops-tests module. */
+
+/* Does the __typeof__ keyword work? This could be done by
+ 'configure', but for now it's easier to do it by hand. */
+#if (2 <= __GNUC__ \
+ || (4 <= __clang_major__) \
+ || (1210 <= __IBMC__ && defined __IBM__TYPEOF__) \
+ || (0x5110 <= __SUNPRO_C && !__STDC__))
+# define _GL_HAVE___TYPEOF__ 1
+#else
+# define _GL_HAVE___TYPEOF__ 0
+#endif
+
+/* Return 1 if the integer type or expression T might be signed. Return 0
+ if it is definitely unsigned. T must not be a bit-field expression.
+ This macro does not evaluate its argument, and expands to an
+ integer constant expression. */
+#if _GL_HAVE___TYPEOF__
+# define _GL_SIGNED_TYPE_OR_EXPR(t) _GL_TYPE_SIGNED (__typeof__ (t))
+#else
+# define _GL_SIGNED_TYPE_OR_EXPR(t) 1
+#endif
+
+/* Return 1 if - A would overflow in [MIN,MAX] arithmetic.
+ Arguments should not have side effects, and A's type should have
+ minimum value MIN and maximum MAX. */
+#define _GL_INT_NEGATE_RANGE_OVERFLOW(a, min, max) \
+ ((min) < 0 ? (a) < - (max) : 0 < (a))
+
+/* True if __builtin_add_overflow (A, B, P) and __builtin_sub_overflow
+ (A, B, P) work when P is non-null. */
+#ifdef __EDG__
+/* EDG-based compilers like nvc 22.1 cannot add 64-bit signed to unsigned
+ <https://bugs.gnu.org/53256>. */
+# define _GL_HAS_BUILTIN_ADD_OVERFLOW 0
+#elif defined __has_builtin
+# define _GL_HAS_BUILTIN_ADD_OVERFLOW __has_builtin (__builtin_add_overflow)
+/* __builtin_{add,sub}_overflow exists but is not reliable in GCC 5.x and 6.x,
+ see <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98269>. */
+#elif 7 <= __GNUC__
+# define _GL_HAS_BUILTIN_ADD_OVERFLOW 1
+#else
+# define _GL_HAS_BUILTIN_ADD_OVERFLOW 0
+#endif
+
+/* True if __builtin_mul_overflow (A, B, P) works when P is non-null. */
+#if defined __clang_major__ && __clang_major__ < 14
+/* Work around Clang bug <https://bugs.llvm.org/show_bug.cgi?id=16404>. */
+# define _GL_HAS_BUILTIN_MUL_OVERFLOW 0
+#else
+# define _GL_HAS_BUILTIN_MUL_OVERFLOW _GL_HAS_BUILTIN_ADD_OVERFLOW
+#endif
+
+/* True if __builtin_add_overflow_p (A, B, C) works, and similarly for
+ __builtin_sub_overflow_p and __builtin_mul_overflow_p. */
+#ifdef __EDG__
+/* In EDG-based compilers like ICC 2021.3 and earlier,
+ __builtin_add_overflow_p etc. are not treated as integral constant
+ expressions even when all arguments are. */
+# define _GL_HAS_BUILTIN_OVERFLOW_P 0
+#elif defined __has_builtin
+# define _GL_HAS_BUILTIN_OVERFLOW_P __has_builtin (__builtin_mul_overflow_p)
+#else
+# define _GL_HAS_BUILTIN_OVERFLOW_P (7 <= __GNUC__)
+#endif
+
+/* Store the low-order bits of A + B, A - B, A * B, respectively, into *R.
+ Return 1 if the result overflows. See above for restrictions. */
+#if _GL_HAS_BUILTIN_ADD_OVERFLOW
+# define _GL_INT_ADD_WRAPV(a, b, r) __builtin_add_overflow (a, b, r)
+# define _GL_INT_SUBTRACT_WRAPV(a, b, r) __builtin_sub_overflow (a, b, r)
+#else
+# define _GL_INT_ADD_WRAPV(a, b, r) \
+ _GL_INT_OP_WRAPV (a, b, r, +, _GL_INT_ADD_RANGE_OVERFLOW)
+# define _GL_INT_SUBTRACT_WRAPV(a, b, r) \
+ _GL_INT_OP_WRAPV (a, b, r, -, _GL_INT_SUBTRACT_RANGE_OVERFLOW)
+#endif
+#if _GL_HAS_BUILTIN_MUL_OVERFLOW
+# if ((9 < __GNUC__ + (3 <= __GNUC_MINOR__) \
+ || (__GNUC__ == 8 && 4 <= __GNUC_MINOR__)) \
+ && !defined __EDG__)
+# define _GL_INT_MULTIPLY_WRAPV(a, b, r) __builtin_mul_overflow (a, b, r)
+# else
+ /* Work around GCC bug 91450. */
+# define _GL_INT_MULTIPLY_WRAPV(a, b, r) \
+ ((!_GL_SIGNED_TYPE_OR_EXPR (*(r)) && _GL_EXPR_SIGNED (a) && _GL_EXPR_SIGNED (b) \
+ && _GL_INT_MULTIPLY_RANGE_OVERFLOW (a, b, 0, (__typeof__ (*(r))) -1)) \
+ ? ((void) __builtin_mul_overflow (a, b, r), 1) \
+ : __builtin_mul_overflow (a, b, r))
+# endif
+#else
+# define _GL_INT_MULTIPLY_WRAPV(a, b, r) \
+ _GL_INT_OP_WRAPV (a, b, r, *, _GL_INT_MULTIPLY_RANGE_OVERFLOW)
+#endif
+
+/* Nonzero if this compiler has GCC bug 68193 or Clang bug 25390. See:
+ https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68193
+ https://llvm.org/bugs/show_bug.cgi?id=25390
+ For now, assume all versions of GCC-like compilers generate bogus
+ warnings for _Generic. This matters only for compilers that
+ lack relevant builtins. */
+#if __GNUC__ || defined __clang__
+# define _GL__GENERIC_BOGUS 1
+#else
+# define _GL__GENERIC_BOGUS 0
+#endif
+
+/* Store the low-order bits of A <op> B into *R, where OP specifies
+ the operation and OVERFLOW the overflow predicate. Return 1 if the
+ result overflows. See above for restrictions. */
+#if 201112 <= __STDC_VERSION__ && !_GL__GENERIC_BOGUS
+# define _GL_INT_OP_WRAPV(a, b, r, op, overflow) \
+ (_Generic \
+ (*(r), \
+ signed char: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ signed char, SCHAR_MIN, SCHAR_MAX), \
+ unsigned char: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ unsigned char, 0, UCHAR_MAX), \
+ short int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ short int, SHRT_MIN, SHRT_MAX), \
+ unsigned short int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ unsigned short int, 0, USHRT_MAX), \
+ int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ int, INT_MIN, INT_MAX), \
+ unsigned int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ unsigned int, 0, UINT_MAX), \
+ long int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+ long int, LONG_MIN, LONG_MAX), \
+ unsigned long int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+ unsigned long int, 0, ULONG_MAX), \
+ long long int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
+ long long int, LLONG_MIN, LLONG_MAX), \
+ unsigned long long int: \
+ _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
+ unsigned long long int, 0, ULLONG_MAX)))
+#else
+/* Store the low-order bits of A <op> B into *R, where OP specifies
+ the operation and OVERFLOW the overflow predicate. If *R is
+ signed, its type is ST with bounds SMIN..SMAX; otherwise its type
+ is UT with bounds U..UMAX. ST and UT are narrower than int.
+ Return 1 if the result overflows. See above for restrictions. */
+# if _GL_HAVE___TYPEOF__
+# define _GL_INT_OP_WRAPV_SMALLISH(a,b,r,op,overflow,st,smin,smax,ut,umax) \
+ (_GL_TYPE_SIGNED (__typeof__ (*(r))) \
+ ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, st, smin, smax) \
+ : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, ut, 0, umax))
+# else
+# define _GL_INT_OP_WRAPV_SMALLISH(a,b,r,op,overflow,st,smin,smax,ut,umax) \
+ (overflow (a, b, smin, smax) \
+ ? (overflow (a, b, 0, umax) \
+ ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st), 1) \
+ : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st)) < 0) \
+ : (overflow (a, b, 0, umax) \
+ ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st)) >= 0 \
+ : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st), 0)))
+# endif
+
+# define _GL_INT_OP_WRAPV(a, b, r, op, overflow) \
+ (sizeof *(r) == sizeof (signed char) \
+ ? _GL_INT_OP_WRAPV_SMALLISH (a, b, r, op, overflow, \
+ signed char, SCHAR_MIN, SCHAR_MAX, \
+ unsigned char, UCHAR_MAX) \
+ : sizeof *(r) == sizeof (short int) \
+ ? _GL_INT_OP_WRAPV_SMALLISH (a, b, r, op, overflow, \
+ short int, SHRT_MIN, SHRT_MAX, \
+ unsigned short int, USHRT_MAX) \
+ : sizeof *(r) == sizeof (int) \
+ ? (_GL_EXPR_SIGNED (*(r)) \
+ ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ int, INT_MIN, INT_MAX) \
+ : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
+ unsigned int, 0, UINT_MAX)) \
+ : _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow))
+# ifdef LLONG_MAX
+# define _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow) \
+ (sizeof *(r) == sizeof (long int) \
+ ? (_GL_EXPR_SIGNED (*(r)) \
+ ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+ long int, LONG_MIN, LONG_MAX) \
+ : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+ unsigned long int, 0, ULONG_MAX)) \
+ : (_GL_EXPR_SIGNED (*(r)) \
+ ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
+ long long int, LLONG_MIN, LLONG_MAX) \
+ : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
+ unsigned long long int, 0, ULLONG_MAX)))
+# else
+# define _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow) \
+ (_GL_EXPR_SIGNED (*(r)) \
+ ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+ long int, LONG_MIN, LONG_MAX) \
+ : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
+ unsigned long int, 0, ULONG_MAX))
+# endif
+#endif
+
+/* Store the low-order bits of A <op> B into *R, where the operation
+ is given by OP. Use the unsigned type UT for calculation to avoid
+ overflow problems. *R's type is T, with extrema TMIN and TMAX.
+ T must be a signed integer type. Return 1 if the result overflows. */
+#define _GL_INT_OP_CALC(a, b, r, op, overflow, ut, t, tmin, tmax) \
+ (overflow (a, b, tmin, tmax) \
+ ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 1) \
+ : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 0))
+
+/* Return 1 if the integer expressions A - B and -A would overflow,
+ respectively. Arguments should not have side effects.
+ These macros are tuned for their last input argument being a constant. */
+
+#if _GL_HAS_BUILTIN_OVERFLOW_P
+# define _GL_INT_NEGATE_OVERFLOW(a) \
+ __builtin_sub_overflow_p (0, a, (__typeof__ (- (a))) 0)
+#else
+# define _GL_INT_NEGATE_OVERFLOW(a) \
+ _GL_INT_NEGATE_RANGE_OVERFLOW (a, _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
+#endif
+
+/* Return the low-order bits of A <op> B, where the operation is given
+ by OP. Use the unsigned type UT for calculation to avoid undefined
+ behavior on signed integer overflow, and convert the result to type T.
+ UT is at least as wide as T and is no narrower than unsigned int,
+ T is two's complement, and there is no padding or trap representations.
+ Assume that converting UT to T yields the low-order bits, as is
+ done in all known two's-complement C compilers. E.g., see:
+ https://gcc.gnu.org/onlinedocs/gcc/Integers-implementation.html
+
+ According to the C standard, converting UT to T yields an
+ implementation-defined result or signal for values outside T's
+ range. However, code that works around this theoretical problem
+ runs afoul of a compiler bug in Oracle Studio 12.3 x86. See:
+ https://lists.gnu.org/r/bug-gnulib/2017-04/msg00049.html
+ As the compiler bug is real, don't try to work around the
+ theoretical problem. */
+
+#define _GL_INT_OP_WRAPV_VIA_UNSIGNED(a, b, op, ut, t) \
+ ((t) ((ut) (a) op (ut) (b)))
+
+/* Return true if the numeric values A + B, A - B, A * B fall outside
+ the range TMIN..TMAX. Arguments should be integer expressions
+ without side effects. TMIN should be signed and nonpositive.
+ TMAX should be positive, and should be signed unless TMIN is zero. */
+#define _GL_INT_ADD_RANGE_OVERFLOW(a, b, tmin, tmax) \
+ ((b) < 0 \
+ ? (((tmin) \
+ ? ((_GL_EXPR_SIGNED (_GL_INT_CONVERT (a, (tmin) - (b))) || (b) < (tmin)) \
+ && (a) < (tmin) - (b)) \
+ : (a) <= -1 - (b)) \
+ || ((_GL_EXPR_SIGNED (a) ? 0 <= (a) : (tmax) < (a)) && (tmax) < (a) + (b))) \
+ : (a) < 0 \
+ ? (((tmin) \
+ ? ((_GL_EXPR_SIGNED (_GL_INT_CONVERT (b, (tmin) - (a))) || (a) < (tmin)) \
+ && (b) < (tmin) - (a)) \
+ : (b) <= -1 - (a)) \
+ || ((_GL_EXPR_SIGNED (_GL_INT_CONVERT (a, b)) || (tmax) < (b)) \
+ && (tmax) < (a) + (b))) \
+ : (tmax) < (b) || (tmax) - (b) < (a))
+#define _GL_INT_SUBTRACT_RANGE_OVERFLOW(a, b, tmin, tmax) \
+ (((a) < 0) == ((b) < 0) \
+ ? ((a) < (b) \
+ ? !(tmin) || -1 - (tmin) < (b) - (a) - 1 \
+ : (tmax) < (a) - (b)) \
+ : (a) < 0 \
+ ? ((!_GL_EXPR_SIGNED (_GL_INT_CONVERT ((a) - (tmin), b)) && (a) - (tmin) < 0) \
+ || (a) - (tmin) < (b)) \
+ : ((! (_GL_EXPR_SIGNED (_GL_INT_CONVERT (tmax, b)) \
+ && _GL_EXPR_SIGNED (_GL_INT_CONVERT ((tmax) + (b), a))) \
+ && (tmax) <= -1 - (b)) \
+ || (tmax) + (b) < (a)))
+#define _GL_INT_MULTIPLY_RANGE_OVERFLOW(a, b, tmin, tmax) \
+ ((b) < 0 \
+ ? ((a) < 0 \
+ ? (_GL_EXPR_SIGNED (_GL_INT_CONVERT (tmax, b)) \
+ ? (a) < (tmax) / (b) \
+ : ((_GL_INT_NEGATE_OVERFLOW (b) \
+ ? _GL_INT_CONVERT (b, tmax) >> (_GL_TYPE_WIDTH (+ (b)) - 1) \
+ : (tmax) / -(b)) \
+ <= -1 - (a))) \
+ : _GL_INT_NEGATE_OVERFLOW (_GL_INT_CONVERT (b, tmin)) && (b) == -1 \
+ ? (_GL_EXPR_SIGNED (a) \
+ ? 0 < (a) + (tmin) \
+ : 0 < (a) && -1 - (tmin) < (a) - 1) \
+ : (tmin) / (b) < (a)) \
+ : (b) == 0 \
+ ? 0 \
+ : ((a) < 0 \
+ ? (_GL_INT_NEGATE_OVERFLOW (_GL_INT_CONVERT (a, tmin)) && (a) == -1 \
+ ? (_GL_EXPR_SIGNED (b) ? 0 < (b) + (tmin) : -1 - (tmin) < (b) - 1) \
+ : (tmin) / (a) < (b)) \
+ : (tmax) / (b) < (a)))
+
+#endif /* _GL_INTPROPS_INTERNAL_H */
diff --git a/lib/intprops.h b/lib/intprops.h
index 40c60fc4a8..3899262d5f 100644
--- a/lib/intprops.h
+++ b/lib/intprops.h
@@ -15,19 +15,10 @@
You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */
-
#ifndef _GL_INTPROPS_H
#define _GL_INTPROPS_H
-#include <limits.h>
-
-/* Return a value with the common real type of E and V and the value of V.
- Do not evaluate E. */
-#define _GL_INT_CONVERT(e, v) ((1 ? 0 : (e)) + (v))
-
-/* Act like _GL_INT_CONVERT (E, -V) but work around a bug in IRIX 6.5 cc; see
- <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00406.html>. */
-#define _GL_INT_NEGATE_CONVERT(e, v) ((1 ? 0 : (e)) - (v))
+#include "intprops-internal.h"
/* The extra casts in the following macros work around compiler bugs,
e.g., in Cray C 5.0.3.0. */
@@ -37,11 +28,11 @@
#define TYPE_IS_INTEGER(t) ((t) 1.5 == 1)
/* True if the real type T is signed. */
-#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
+#define TYPE_SIGNED(t) _GL_TYPE_SIGNED (t)
/* Return 1 if the real expression E, after promotion, has a
signed or floating type. Do not evaluate E. */
-#define EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)
+#define EXPR_SIGNED(e) _GL_EXPR_SIGNED (e)
/* Minimum and maximum values for integer types and expressions. */
@@ -49,7 +40,7 @@
/* The width in bits of the integer type or expression T.
Do not evaluate T. T must not be a bit-field expression.
Padding bits are not supported; this is checked at compile-time below. */
-#define TYPE_WIDTH(t) (sizeof (t) * CHAR_BIT)
+#define TYPE_WIDTH(t) _GL_TYPE_WIDTH (t)
/* The maximum and minimum values for the integer type T. */
#define TYPE_MINIMUM(t) ((t) ~ TYPE_MAXIMUM (t))
@@ -58,51 +49,6 @@
? (t) -1 \
: ((((t) 1 << (TYPE_WIDTH (t) - 2)) - 1) * 2 + 1)))
-/* The maximum and minimum values for the type of the expression E,
- after integer promotion. E is not evaluated. */
-#define _GL_INT_MINIMUM(e) \
- (EXPR_SIGNED (e) \
- ? ~ _GL_SIGNED_INT_MAXIMUM (e) \
- : _GL_INT_CONVERT (e, 0))
-#define _GL_INT_MAXIMUM(e) \
- (EXPR_SIGNED (e) \
- ? _GL_SIGNED_INT_MAXIMUM (e) \
- : _GL_INT_NEGATE_CONVERT (e, 1))
-#define _GL_SIGNED_INT_MAXIMUM(e) \
- (((_GL_INT_CONVERT (e, 1) << (TYPE_WIDTH (+ (e)) - 2)) - 1) * 2 + 1)
-
-/* Work around OpenVMS incompatibility with C99. */
-#if !defined LLONG_MAX && defined __INT64_MAX
-# define LLONG_MAX __INT64_MAX
-# define LLONG_MIN __INT64_MIN
-#endif
-
-/* This include file assumes that signed types are two's complement without
- padding bits; the above macros have undefined behavior otherwise.
- If this is a problem for you, please let us know how to fix it for your host.
- This assumption is tested by the intprops-tests module. */
-
-/* Does the __typeof__ keyword work? This could be done by
- 'configure', but for now it's easier to do it by hand. */
-#if (2 <= __GNUC__ \
- || (4 <= __clang_major__) \
- || (1210 <= __IBMC__ && defined __IBM__TYPEOF__) \
- || (0x5110 <= __SUNPRO_C && !__STDC__))
-# define _GL_HAVE___TYPEOF__ 1
-#else
-# define _GL_HAVE___TYPEOF__ 0
-#endif
-
-/* Return 1 if the integer type or expression T might be signed. Return 0
- if it is definitely unsigned. T must not be a bit-field expression.
- This macro does not evaluate its argument, and expands to an
- integer constant expression. */
-#if _GL_HAVE___TYPEOF__
-# define _GL_SIGNED_TYPE_OR_EXPR(t) TYPE_SIGNED (__typeof__ (t))
-#else
-# define _GL_SIGNED_TYPE_OR_EXPR(t) 1
-#endif
-
/* Bound on length of the string representing an unsigned integer
value representable in B bits. log10 (2.0) < 146/485. The
smallest value of B where this bound is not tight is 2621. */
@@ -180,9 +126,7 @@
/* Return 1 if - A would overflow in [MIN,MAX] arithmetic.
See above for restrictions. */
#define INT_NEGATE_RANGE_OVERFLOW(a, min, max) \
- ((min) < 0 \
- ? (a) < - (max) \
- : 0 < (a))
+ _GL_INT_NEGATE_RANGE_OVERFLOW (a, min, max)
/* Return 1 if A * B would overflow in [MIN,MAX] arithmetic.
See above for restrictions. Avoid && and || as they tickle
@@ -226,43 +170,6 @@
? (a) < (min) >> (b) \
: (max) >> (b) < (a))
-/* True if __builtin_add_overflow (A, B, P) and __builtin_sub_overflow
- (A, B, P) work when P is non-null. */
-#ifdef __EDG__
-/* EDG-based compilers like nvc 22.1 cannot add 64-bit signed to unsigned
- <https://bugs.gnu.org/53256>. */
-# define _GL_HAS_BUILTIN_ADD_OVERFLOW 0
-#elif defined __has_builtin
-# define _GL_HAS_BUILTIN_ADD_OVERFLOW __has_builtin (__builtin_add_overflow)
-/* __builtin_{add,sub}_overflow exists but is not reliable in GCC 5.x and 6.x,
- see <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98269>. */
-#elif 7 <= __GNUC__
-# define _GL_HAS_BUILTIN_ADD_OVERFLOW 1
-#else
-# define _GL_HAS_BUILTIN_ADD_OVERFLOW 0
-#endif
-
-/* True if __builtin_mul_overflow (A, B, P) works when P is non-null. */
-#if defined __clang_major__ && __clang_major__ < 14
-/* Work around Clang bug <https://bugs.llvm.org/show_bug.cgi?id=16404>. */
-# define _GL_HAS_BUILTIN_MUL_OVERFLOW 0
-#else
-# define _GL_HAS_BUILTIN_MUL_OVERFLOW _GL_HAS_BUILTIN_ADD_OVERFLOW
-#endif
-
-/* True if __builtin_add_overflow_p (A, B, C) works, and similarly for
- __builtin_sub_overflow_p and __builtin_mul_overflow_p. */
-#ifdef __EDG__
-/* In EDG-based compilers like ICC 2021.3 and earlier,
- __builtin_add_overflow_p etc. are not treated as integral constant
- expressions even when all arguments are. */
-# define _GL_HAS_BUILTIN_OVERFLOW_P 0
-#elif defined __has_builtin
-# define _GL_HAS_BUILTIN_OVERFLOW_P __has_builtin (__builtin_mul_overflow_p)
-#else
-# define _GL_HAS_BUILTIN_OVERFLOW_P (7 <= __GNUC__)
-#endif
-
/* The _GL*_OVERFLOW macros have the same restrictions as the
*_RANGE_OVERFLOW macros, except that they do not assume that operands
(e.g., A and B) have the same type as MIN and MAX. Instead, they assume
@@ -363,13 +270,7 @@
_GL_BINARY_OP_OVERFLOW (a, b, _GL_ADD_OVERFLOW)
#define INT_SUBTRACT_OVERFLOW(a, b) \
_GL_BINARY_OP_OVERFLOW (a, b, _GL_SUBTRACT_OVERFLOW)
-#if _GL_HAS_BUILTIN_OVERFLOW_P
-# define INT_NEGATE_OVERFLOW(a) \
- __builtin_sub_overflow_p (0, a, (__typeof__ (- (a))) 0)
-#else
-# define INT_NEGATE_OVERFLOW(a) \
- INT_NEGATE_RANGE_OVERFLOW (a, _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
-#endif
+#define INT_NEGATE_OVERFLOW(a) _GL_INT_NEGATE_OVERFLOW (a)
#define INT_MULTIPLY_OVERFLOW(a, b) \
_GL_BINARY_OP_OVERFLOW (a, b, _GL_MULTIPLY_OVERFLOW)
#define INT_DIVIDE_OVERFLOW(a, b) \
@@ -391,224 +292,9 @@
/* Store the low-order bits of A + B, A - B, A * B, respectively, into *R.
Return 1 if the result overflows. See above for restrictions. */
-#if _GL_HAS_BUILTIN_ADD_OVERFLOW
-# define INT_ADD_WRAPV(a, b, r) __builtin_add_overflow (a, b, r)
-# define INT_SUBTRACT_WRAPV(a, b, r) __builtin_sub_overflow (a, b, r)
-#else
-# define INT_ADD_WRAPV(a, b, r) \
- _GL_INT_OP_WRAPV (a, b, r, +, _GL_INT_ADD_RANGE_OVERFLOW)
-# define INT_SUBTRACT_WRAPV(a, b, r) \
- _GL_INT_OP_WRAPV (a, b, r, -, _GL_INT_SUBTRACT_RANGE_OVERFLOW)
-#endif
-#if _GL_HAS_BUILTIN_MUL_OVERFLOW
-# if ((9 < __GNUC__ + (3 <= __GNUC_MINOR__) \
- || (__GNUC__ == 8 && 4 <= __GNUC_MINOR__)) \
- && !defined __EDG__)
-# define INT_MULTIPLY_WRAPV(a, b, r) __builtin_mul_overflow (a, b, r)
-# else
- /* Work around GCC bug 91450. */
-# define INT_MULTIPLY_WRAPV(a, b, r) \
- ((!_GL_SIGNED_TYPE_OR_EXPR (*(r)) && EXPR_SIGNED (a) && EXPR_SIGNED (b) \
- && _GL_INT_MULTIPLY_RANGE_OVERFLOW (a, b, 0, (__typeof__ (*(r))) -1)) \
- ? ((void) __builtin_mul_overflow (a, b, r), 1) \
- : __builtin_mul_overflow (a, b, r))
-# endif
-#else
-# define INT_MULTIPLY_WRAPV(a, b, r) \
- _GL_INT_OP_WRAPV (a, b, r, *, _GL_INT_MULTIPLY_RANGE_OVERFLOW)
-#endif
-
-/* Nonzero if this compiler has GCC bug 68193 or Clang bug 25390. See:
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68193
- https://llvm.org/bugs/show_bug.cgi?id=25390
- For now, assume all versions of GCC-like compilers generate bogus
- warnings for _Generic. This matters only for compilers that
- lack relevant builtins. */
-#if __GNUC__ || defined __clang__
-# define _GL__GENERIC_BOGUS 1
-#else
-# define _GL__GENERIC_BOGUS 0
-#endif
-
-/* Store the low-order bits of A <op> B into *R, where OP specifies
- the operation and OVERFLOW the overflow predicate. Return 1 if the
- result overflows. See above for restrictions. */
-#if 201112 <= __STDC_VERSION__ && !_GL__GENERIC_BOGUS
-# define _GL_INT_OP_WRAPV(a, b, r, op, overflow) \
- (_Generic \
- (*(r), \
- signed char: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- signed char, SCHAR_MIN, SCHAR_MAX), \
- unsigned char: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- unsigned char, 0, UCHAR_MAX), \
- short int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- short int, SHRT_MIN, SHRT_MAX), \
- unsigned short int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- unsigned short int, 0, USHRT_MAX), \
- int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- int, INT_MIN, INT_MAX), \
- unsigned int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- unsigned int, 0, UINT_MAX), \
- long int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
- long int, LONG_MIN, LONG_MAX), \
- unsigned long int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
- unsigned long int, 0, ULONG_MAX), \
- long long int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
- long long int, LLONG_MIN, LLONG_MAX), \
- unsigned long long int: \
- _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
- unsigned long long int, 0, ULLONG_MAX)))
-#else
-/* Store the low-order bits of A <op> B into *R, where OP specifies
- the operation and OVERFLOW the overflow predicate. If *R is
- signed, its type is ST with bounds SMIN..SMAX; otherwise its type
- is UT with bounds U..UMAX. ST and UT are narrower than int.
- Return 1 if the result overflows. See above for restrictions. */
-# if _GL_HAVE___TYPEOF__
-# define _GL_INT_OP_WRAPV_SMALLISH(a,b,r,op,overflow,st,smin,smax,ut,umax) \
- (TYPE_SIGNED (__typeof__ (*(r))) \
- ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, st, smin, smax) \
- : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, ut, 0, umax))
-# else
-# define _GL_INT_OP_WRAPV_SMALLISH(a,b,r,op,overflow,st,smin,smax,ut,umax) \
- (overflow (a, b, smin, smax) \
- ? (overflow (a, b, 0, umax) \
- ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st), 1) \
- : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st)) < 0) \
- : (overflow (a, b, 0, umax) \
- ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st)) >= 0 \
- : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a,b,op,unsigned,st), 0)))
-# endif
-
-# define _GL_INT_OP_WRAPV(a, b, r, op, overflow) \
- (sizeof *(r) == sizeof (signed char) \
- ? _GL_INT_OP_WRAPV_SMALLISH (a, b, r, op, overflow, \
- signed char, SCHAR_MIN, SCHAR_MAX, \
- unsigned char, UCHAR_MAX) \
- : sizeof *(r) == sizeof (short int) \
- ? _GL_INT_OP_WRAPV_SMALLISH (a, b, r, op, overflow, \
- short int, SHRT_MIN, SHRT_MAX, \
- unsigned short int, USHRT_MAX) \
- : sizeof *(r) == sizeof (int) \
- ? (EXPR_SIGNED (*(r)) \
- ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- int, INT_MIN, INT_MAX) \
- : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned int, \
- unsigned int, 0, UINT_MAX)) \
- : _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow))
-# ifdef LLONG_MAX
-# define _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow) \
- (sizeof *(r) == sizeof (long int) \
- ? (EXPR_SIGNED (*(r)) \
- ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
- long int, LONG_MIN, LONG_MAX) \
- : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
- unsigned long int, 0, ULONG_MAX)) \
- : (EXPR_SIGNED (*(r)) \
- ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
- long long int, LLONG_MIN, LLONG_MAX) \
- : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long long int, \
- unsigned long long int, 0, ULLONG_MAX)))
-# else
-# define _GL_INT_OP_WRAPV_LONGISH(a, b, r, op, overflow) \
- (EXPR_SIGNED (*(r)) \
- ? _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
- long int, LONG_MIN, LONG_MAX) \
- : _GL_INT_OP_CALC (a, b, r, op, overflow, unsigned long int, \
- unsigned long int, 0, ULONG_MAX))
-# endif
-#endif
-
-/* Store the low-order bits of A <op> B into *R, where the operation
- is given by OP. Use the unsigned type UT for calculation to avoid
- overflow problems. *R's type is T, with extrema TMIN and TMAX.
- T must be a signed integer type. Return 1 if the result overflows. */
-#define _GL_INT_OP_CALC(a, b, r, op, overflow, ut, t, tmin, tmax) \
- (overflow (a, b, tmin, tmax) \
- ? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 1) \
- : (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 0))
-
-/* Return the low-order bits of A <op> B, where the operation is given
- by OP. Use the unsigned type UT for calculation to avoid undefined
- behavior on signed integer overflow, and convert the result to type T.
- UT is at least as wide as T and is no narrower than unsigned int,
- T is two's complement, and there is no padding or trap representations.
- Assume that converting UT to T yields the low-order bits, as is
- done in all known two's-complement C compilers. E.g., see:
- https://gcc.gnu.org/onlinedocs/gcc/Integers-implementation.html
-
- According to the C standard, converting UT to T yields an
- implementation-defined result or signal for values outside T's
- range. However, code that works around this theoretical problem
- runs afoul of a compiler bug in Oracle Studio 12.3 x86. See:
- https://lists.gnu.org/r/bug-gnulib/2017-04/msg00049.html
- As the compiler bug is real, don't try to work around the
- theoretical problem. */
-
-#define _GL_INT_OP_WRAPV_VIA_UNSIGNED(a, b, op, ut, t) \
- ((t) ((ut) (a) op (ut) (b)))
-
-/* Return true if the numeric values A + B, A - B, A * B fall outside
- the range TMIN..TMAX. Arguments should be integer expressions
- without side effects. TMIN should be signed and nonpositive.
- TMAX should be positive, and should be signed unless TMIN is zero. */
-#define _GL_INT_ADD_RANGE_OVERFLOW(a, b, tmin, tmax) \
- ((b) < 0 \
- ? (((tmin) \
- ? ((EXPR_SIGNED (_GL_INT_CONVERT (a, (tmin) - (b))) || (b) < (tmin)) \
- && (a) < (tmin) - (b)) \
- : (a) <= -1 - (b)) \
- || ((EXPR_SIGNED (a) ? 0 <= (a) : (tmax) < (a)) && (tmax) < (a) + (b))) \
- : (a) < 0 \
- ? (((tmin) \
- ? ((EXPR_SIGNED (_GL_INT_CONVERT (b, (tmin) - (a))) || (a) < (tmin)) \
- && (b) < (tmin) - (a)) \
- : (b) <= -1 - (a)) \
- || ((EXPR_SIGNED (_GL_INT_CONVERT (a, b)) || (tmax) < (b)) \
- && (tmax) < (a) + (b))) \
- : (tmax) < (b) || (tmax) - (b) < (a))
-#define _GL_INT_SUBTRACT_RANGE_OVERFLOW(a, b, tmin, tmax) \
- (((a) < 0) == ((b) < 0) \
- ? ((a) < (b) \
- ? !(tmin) || -1 - (tmin) < (b) - (a) - 1 \
- : (tmax) < (a) - (b)) \
- : (a) < 0 \
- ? ((!EXPR_SIGNED (_GL_INT_CONVERT ((a) - (tmin), b)) && (a) - (tmin) < 0) \
- || (a) - (tmin) < (b)) \
- : ((! (EXPR_SIGNED (_GL_INT_CONVERT (tmax, b)) \
- && EXPR_SIGNED (_GL_INT_CONVERT ((tmax) + (b), a))) \
- && (tmax) <= -1 - (b)) \
- || (tmax) + (b) < (a)))
-#define _GL_INT_MULTIPLY_RANGE_OVERFLOW(a, b, tmin, tmax) \
- ((b) < 0 \
- ? ((a) < 0 \
- ? (EXPR_SIGNED (_GL_INT_CONVERT (tmax, b)) \
- ? (a) < (tmax) / (b) \
- : ((INT_NEGATE_OVERFLOW (b) \
- ? _GL_INT_CONVERT (b, tmax) >> (TYPE_WIDTH (+ (b)) - 1) \
- : (tmax) / -(b)) \
- <= -1 - (a))) \
- : INT_NEGATE_OVERFLOW (_GL_INT_CONVERT (b, tmin)) && (b) == -1 \
- ? (EXPR_SIGNED (a) \
- ? 0 < (a) + (tmin) \
- : 0 < (a) && -1 - (tmin) < (a) - 1) \
- : (tmin) / (b) < (a)) \
- : (b) == 0 \
- ? 0 \
- : ((a) < 0 \
- ? (INT_NEGATE_OVERFLOW (_GL_INT_CONVERT (a, tmin)) && (a) == -1 \
- ? (EXPR_SIGNED (b) ? 0 < (b) + (tmin) : -1 - (tmin) < (b) - 1) \
- : (tmin) / (a) < (b)) \
- : (tmax) / (b) < (a)))
+#define INT_ADD_WRAPV(a, b, r) _GL_INT_ADD_WRAPV (a, b, r)
+#define INT_SUBTRACT_WRAPV(a, b, r) _GL_INT_SUBTRACT_WRAPV (a, b, r)
+#define INT_MULTIPLY_WRAPV(a, b, r) _GL_INT_MULTIPLY_WRAPV (a, b, r)
/* The following macros compute A + B, A - B, and A * B, respectively.
If no overflow occurs, they set *R to the result and return 1;
diff --git a/modules/intprops b/modules/intprops
index 0680adf05a..f3392352e1 100644
--- a/modules/intprops
+++ b/modules/intprops
@@ -3,6 +3,7 @@ Properties of integer types
Files:
lib/intprops.h
+lib/intprops-internal.h
Depends-on:
--
2.34.1
[-- Attachment #5: 0004-stdckdint-h-new-module.patch --]
[-- Type: text/x-patch, Size: 18170 bytes --]
From 2eb92c362ecfb2dae9c9cb37cb9246df6989181c Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 9 Aug 2022 23:20:49 -0700
Subject: [PATCH 4/6] stdckdint-h: new module
This supports draft C23 <stdckdint.h>.
* doc/posix-headers/stdckdint.texi:
* lib/stdckdint.in.h, modules/stdckdint:
* modules/stdckdint-tests, tests/test-stdckdint.c:
New files.
* MODULES.html.sh, doc/gnulib.texi: Update for new module.
* lib/intprops-internal.h: Include <stdckdint.h> if C23 and
its macros would help and our substitute has not already
started to be included.
(_GL_INT_ADD_WRAPV, _GL_INT_SUBTRACT_WRAPV)
(_GL_INT_MULTIPLY_WRAPV): Use ckd_add, ckd_sub, ckd_mul
if they are defined and would help.
* lib/intprops-internal.h, lib/intprops.h: Improve comments.
The C23 restrictions on stdckdint macros already mostly applied to
intprops.h, so these are clarifications, not further restrictions.
* tests/test-intprops.c: If TEST_STDCKDINT is defined,
include <stdckdint.h> instead of "intprops.h", and test
it instead.
(VERIFY) [TEST_STDCKDINT]: Ignore the arg in this case.
(main) [TEST_STDCKDINT]: Skip tests irrelevant to stdckdint.h.
---
ChangeLog | 22 ++++++++++++++++
MODULES.html.sh | 15 +++++++++++
doc/gnulib.texi | 2 ++
| 21 +++++++++++++++
lib/intprops-internal.h | 40 +++++++++++++++++++++-------
lib/intprops.h | 11 ++++++--
lib/stdckdint.in.h | 37 ++++++++++++++++++++++++++
modules/stdckdint | 45 ++++++++++++++++++++++++++++++++
modules/stdckdint-tests | 15 +++++++++++
tests/test-intprops.c | 13 +++++++--
tests/test-stdckdint.c | 30 +++++++++++++++++++++
11 files changed, 238 insertions(+), 13 deletions(-)
create mode 100644 doc/posix-headers/stdckdint.texi
create mode 100644 lib/stdckdint.in.h
create mode 100644 modules/stdckdint
create mode 100644 modules/stdckdint-tests
create mode 100644 tests/test-stdckdint.c
diff --git a/ChangeLog b/ChangeLog
index e977f75b65..20c25c902a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,27 @@
2022-08-09 Paul Eggert <eggert@cs.ucla.edu>
+ stdckdint: new module
+ This supports draft C23 <stdckdint.h>.
+ * doc/posix-headers/stdckdint.texi:
+ * lib/stdckdint.in.h, modules/stdckdint:
+ * modules/stdckdint-tests, tests/test-stdckdint.c:
+ New files.
+ * MODULES.html.sh, doc/gnulib.texi: Update for new module.
+ * lib/intprops-internal.h: Include <stdckdint.h> if C23 and
+ its macros would help and our substitute has not already
+ started to be included.
+ (_GL_INT_ADD_WRAPV, _GL_INT_SUBTRACT_WRAPV)
+ (_GL_INT_MULTIPLY_WRAPV): Use ckd_add, ckd_sub, ckd_mul
+ if they are defined and would help.
+ * lib/intprops-internal.h, lib/intprops.h: Improve comments.
+ The C23 restrictions on stdckdint macros already mostly applied to
+ intprops.h, so these are clarifications, not further restrictions.
+ * tests/test-intprops.c: If TEST_STDCKDINT is defined,
+ include <stdckdint.h> instead of "intprops.h", and test
+ it instead.
+ (VERIFY) [TEST_STDCKDINT]: Ignore the arg in this case.
+ (main) [TEST_STDCKDINT]: Skip tests irrelevant to stdckdint.h.
+
intprops: refactor intprops.h into two
* lib/intprops.h: Include new file intprops-internal.h.
(_GL_INT_CONVERT, _GL_INT_NEGATE_CONVERT, _GL_INT_MINIMUM)
diff --git a/MODULES.html.sh b/MODULES.html.sh
index 03b72a4a9f..d48912b13e 100755
--- a/MODULES.html.sh
+++ b/MODULES.html.sh
@@ -2371,6 +2371,21 @@ func_all_modules ()
func_module limits-h
func_end_table
+ element="Support for systems lacking draft ISO C 23"
+ func_section_wrap c23_ext
+ func_wrap H2
+ func_echo "$element"
+
+ element="Core language properties"
+ element=`printf "%s" "$element" | sed -e "$sed_lt" -e "$sed_gt"`
+ func_section_wrap c23_core_properties
+ func_wrap H3
+ func_echo "$element"
+
+ func_begin_table
+ func_module stdckdint
+ func_end_table
+
element="Support for GNU multiple precision arithmetic"
func_section_wrap gmp
func_wrap H2
diff --git a/doc/gnulib.texi b/doc/gnulib.texi
index 8d24699216..ec5891e57f 100644
--- a/doc/gnulib.texi
+++ b/doc/gnulib.texi
@@ -913,6 +913,7 @@ which (known) portability problems are not worked around by Gnulib.
* stdalign.h::
* stdarg.h::
* stdbool.h::
+* stdckdint.h::
* stddef.h::
* stdint.h::
* stdio.h::
@@ -1003,6 +1004,7 @@ which (known) portability problems are not worked around by Gnulib.
@include posix-headers/stdalign.texi
@include posix-headers/stdarg.texi
@include posix-headers/stdbool.texi
+@include posix-headers/stdckdint.texi
@include posix-headers/stddef.texi
@include posix-headers/stdint.texi
@include posix-headers/stdio.texi
--git a/doc/posix-headers/stdckdint.texi b/doc/posix-headers/stdckdint.texi
new file mode 100644
index 0000000000..915174f696
--- /dev/null
+++ b/doc/posix-headers/stdckdint.texi
@@ -0,0 +1,21 @@
+@node stdckdint.h
+@section @file{stdckdint.h}
+
+POSIX specification:@* Not in POSIX yet, but we expect it will be.
+ISO draft C23
+(@url{https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3047.pdf})
+section 7.20.
+
+Gnulib module: stdckdint
+
+Portability problems fixed by Gnulib:
+@itemize
+@item
+This header file is missing on many platforms.
+@end itemize
+
+Portability problems not fixed by Gnulib:
+@itemize
+@item
+In draft C23, arguments of @code{stdckdint.h} macros can have side effects.
+@end itemize
diff --git a/lib/intprops-internal.h b/lib/intprops-internal.h
index 11c5ba979a..f6455f7855 100644
--- a/lib/intprops-internal.h
+++ b/lib/intprops-internal.h
@@ -92,8 +92,8 @@
#endif
/* Return 1 if - A would overflow in [MIN,MAX] arithmetic.
- Arguments should not have side effects, and A's type should have
- minimum value MIN and maximum MAX. */
+ A should not have side effects, and A's type should be an
+ integer with minimum value MIN and maximum MAX. */
#define _GL_INT_NEGATE_RANGE_OVERFLOW(a, min, max) \
((min) < 0 ? (a) < - (max) : 0 < (a))
@@ -134,11 +134,21 @@
# define _GL_HAS_BUILTIN_OVERFLOW_P (7 <= __GNUC__)
#endif
+#if (!defined _GL_STDCKDINT_H && 202311 <= __STDC_VERSION__ \
+ && ! (_GL_HAS_BUILTIN_ADD_OVERFLOW && _GL_HAS_BUILTIN_MUL_OVERFLOW))
+# include <stdckdint.h>
+#endif
+
/* Store the low-order bits of A + B, A - B, A * B, respectively, into *R.
- Return 1 if the result overflows. See above for restrictions. */
+ Return 1 if the result overflows. Arguments should not have side
+ effects and A, B and *R can be of any integer type other than char,
+ bool, a bit-precise integer type, or an enumeration type. */
#if _GL_HAS_BUILTIN_ADD_OVERFLOW
# define _GL_INT_ADD_WRAPV(a, b, r) __builtin_add_overflow (a, b, r)
# define _GL_INT_SUBTRACT_WRAPV(a, b, r) __builtin_sub_overflow (a, b, r)
+#elif defined ckd_add && defined ckd_sub && !defined _GL_STDCKDINT_H
+# define _GL_INT_ADD_WRAPV(a, b, r) ckd_add (r, + (a), + (b))
+# define _GL_INT_SUBTRACT_WRAPV(a, b, r) ckd_sub (r, + (a), + (b))
#else
# define _GL_INT_ADD_WRAPV(a, b, r) \
_GL_INT_OP_WRAPV (a, b, r, +, _GL_INT_ADD_RANGE_OVERFLOW)
@@ -158,6 +168,8 @@
? ((void) __builtin_mul_overflow (a, b, r), 1) \
: __builtin_mul_overflow (a, b, r))
# endif
+#elif defined ckd_mul && !defined _GL_STDCKDINT_H
+# define _GL_INT_MULTIPLY_WRAPV(a, b, r) ckd_mul (r, + (a), + (b))
#else
# define _GL_INT_MULTIPLY_WRAPV(a, b, r) \
_GL_INT_OP_WRAPV (a, b, r, *, _GL_INT_MULTIPLY_RANGE_OVERFLOW)
@@ -177,7 +189,9 @@
/* Store the low-order bits of A <op> B into *R, where OP specifies
the operation and OVERFLOW the overflow predicate. Return 1 if the
- result overflows. See above for restrictions. */
+ result overflows. Arguments should not have side effects,
+ and A, B and *R can be of any integer type other than char, bool, a
+ bit-precise integer type, or an enumeration type. */
#if 201112 <= __STDC_VERSION__ && !_GL__GENERIC_BOGUS
# define _GL_INT_OP_WRAPV(a, b, r, op, overflow) \
(_Generic \
@@ -217,7 +231,9 @@
the operation and OVERFLOW the overflow predicate. If *R is
signed, its type is ST with bounds SMIN..SMAX; otherwise its type
is UT with bounds U..UMAX. ST and UT are narrower than int.
- Return 1 if the result overflows. See above for restrictions. */
+ Return 1 if the result overflows. Arguments should not have side
+ effects, and A, B and *R can be of any integer type other than
+ char, bool, a bit-precise integer type, or an enumeration type. */
# if _GL_HAVE___TYPEOF__
# define _GL_INT_OP_WRAPV_SMALLISH(a,b,r,op,overflow,st,smin,smax,ut,umax) \
(_GL_TYPE_SIGNED (__typeof__ (*(r))) \
@@ -276,14 +292,18 @@
/* Store the low-order bits of A <op> B into *R, where the operation
is given by OP. Use the unsigned type UT for calculation to avoid
overflow problems. *R's type is T, with extrema TMIN and TMAX.
- T must be a signed integer type. Return 1 if the result overflows. */
+ T can be any signed integer type other than char, bool, a
+ bit-precise integer type, or an enumeration type.
+ Return 1 if the result overflows. */
#define _GL_INT_OP_CALC(a, b, r, op, overflow, ut, t, tmin, tmax) \
(overflow (a, b, tmin, tmax) \
? (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 1) \
: (*(r) = _GL_INT_OP_WRAPV_VIA_UNSIGNED (a, b, op, ut, t), 0))
/* Return 1 if the integer expressions A - B and -A would overflow,
- respectively. Arguments should not have side effects.
+ respectively. Arguments should not have side effects,
+ and can be any signed integer type other than char, bool, a
+ bit-precise integer type, or an enumeration type.
These macros are tuned for their last input argument being a constant. */
#if _GL_HAS_BUILTIN_OVERFLOW_P
@@ -315,8 +335,10 @@
((t) ((ut) (a) op (ut) (b)))
/* Return true if the numeric values A + B, A - B, A * B fall outside
- the range TMIN..TMAX. Arguments should be integer expressions
- without side effects. TMIN should be signed and nonpositive.
+ the range TMIN..TMAX. Arguments should not have side effects
+ and can be any integer type other than char, bool,
+ a bit-precise integer type, or an enumeration type.
+ TMIN should be signed and nonpositive.
TMAX should be positive, and should be signed unless TMIN is zero. */
#define _GL_INT_ADD_RANGE_OVERFLOW(a, b, tmin, tmax) \
((b) < 0 \
diff --git a/lib/intprops.h b/lib/intprops.h
index 3899262d5f..b911384532 100644
--- a/lib/intprops.h
+++ b/lib/intprops.h
@@ -256,13 +256,18 @@
Because the WRAPV macros convert the result, they report overflow
in different circumstances than the OVERFLOW macros do. For
example, in the typical case with 16-bit 'short' and 32-bit 'int',
- if A, B and R are all of type 'short' then INT_ADD_OVERFLOW (A, B)
+ if A, B and *R are all of type 'short' then INT_ADD_OVERFLOW (A, B)
returns false because the addition cannot overflow after A and B
- are converted to 'int', whereas INT_ADD_WRAPV (A, B, &R) returns
+ are converted to 'int', whereas INT_ADD_WRAPV (A, B, R) returns
true or false depending on whether the sum fits into 'short'.
These macros are tuned for their last input argument being a constant.
+ A, B, and *R should be integers; they need not be the same type,
+ and they need not be all signed or all unsigned.
+ However, none of the integer types should be bit-precise,
+ and *R's type should not be char, bool, or an enumeration type.
+
Return 1 if the integer expressions A * B, A - B, -A, A * B, A / B,
A % B, and A << B would overflow, respectively. */
@@ -310,6 +315,8 @@
A, B, and *R should be integers; they need not be the same type,
and they need not be all signed or all unsigned.
+ However, none of the integer types should be bit-precise,
+ and *R's type should not be char, bool, or an enumeration type.
These macros work correctly on all known practical hosts, and do not rely
on undefined behavior due to signed arithmetic overflow.
diff --git a/lib/stdckdint.in.h b/lib/stdckdint.in.h
new file mode 100644
index 0000000000..90fa62e596
--- /dev/null
+++ b/lib/stdckdint.in.h
@@ -0,0 +1,37 @@
+/* stdckdint.h -- checked integer arithmetic
+
+ Copyright 2022 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published
+ by the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>. */
+
+#ifndef _GL_STDCKDINT_H
+#define _GL_STDCKDINT_H
+
+#include "intprops-internal.h"
+
+#include <stdbool.h>
+
+/* Store into *R the low-order bits of A + B, A - B, A * B, respectively.
+ Return 1 if the result overflows, 0 otherwise.
+ A, B, and *R can have any integer type other than char, bool, a
+ bit-precise integer type, or an enumeration type.
+
+ These are like the standard macros introduced in C23, except that
+ arguments should not have side effects. */
+
+#define ckd_add(r, a, b) ((bool) _GL_INT_ADD_WRAPV (a, b, r))
+#define ckd_sub(r, a, b) ((bool) _GL_INT_SUBTRACT_WRAPV (a, b, r))
+#define ckd_mul(r, a, b) ((bool) _GL_INT_MULTIPLY_WRAPV (a, b, r))
+
+#endif /* _GL_STDCKDINT_H */
diff --git a/modules/stdckdint b/modules/stdckdint
new file mode 100644
index 0000000000..4b39a76d5f
--- /dev/null
+++ b/modules/stdckdint
@@ -0,0 +1,45 @@
+Description:
+An <stdckdint.h> that is like C23.
+
+Files:
+lib/stdckdint.in.h
+lib/intprops-internal.h
+
+Depends-on:
+gen-header
+
+configure.ac:
+AC_CHECK_HEADERS_ONCE([stdckdint.h])
+if test $ac_cv_header_stdckdint_h = yes; then
+ GL_GENERATE_STDCKDINT_H=false
+else
+ GL_GENERATE_STDCKDINT_H=true
+fi
+gl_CONDITIONAL_HEADER([stdckdint.h])
+AC_PROG_MKDIR_P
+
+Makefile.am:
+BUILT_SOURCES += $(STDCKDINT_H)
+
+# We need the following in order to create <stdckdint.h> when the system
+# doesn't have one that works with the given compiler.
+if GL_GENERATE_STDCKDINT_H
+stdckdint.h: stdckdint.in.h $(top_builddir)/config.status
+@NMD@ $(AM_V_GEN)$(MKDIR_P) '%reldir%'
+ $(gl_V_at)$(SED_HEADER_STDOUT) \
+ $(srcdir)/stdckdint.in.h > $@-t
+ $(AM_V_at)mv $@-t $@
+else
+stdckdint.h: $(top_builddir)/config.status
+ rm -f $@
+endif
+MOSTLYCLEANFILES += stdckdint.h stdckdint.h-t
+
+Include:
+<stdckdint.h>
+
+License:
+LGPLv2+
+
+Maintainer:
+Paul Eggert
diff --git a/modules/stdckdint-tests b/modules/stdckdint-tests
new file mode 100644
index 0000000000..153a1fbb42
--- /dev/null
+++ b/modules/stdckdint-tests
@@ -0,0 +1,15 @@
+Files:
+tests/macros.h
+tests/test-intprops.c
+tests/test-stdckdint.c
+
+Depends-on:
+inttypes
+stdbool
+verify
+
+configure.ac:
+
+Makefile.am:
+TESTS += test-stdckdint
+check_PROGRAMS += test-stdckdint
diff --git a/tests/test-intprops.c b/tests/test-intprops.c
index 277746a001..a46e9c5e4a 100644
--- a/tests/test-intprops.c
+++ b/tests/test-intprops.c
@@ -30,7 +30,11 @@
#include <config.h>
-#include "intprops.h"
+#ifdef TEST_STDCKDINT
+# include <stdckdint.h>
+#else
+# include "intprops.h"
+#endif
#include "verify.h"
#include <stdbool.h>
@@ -45,10 +49,13 @@
/* VERIFY (X) uses a static assertion for compilers that are known to work,
and falls back on a dynamic assertion for other compilers.
+ But it ignores X if testing stdckdint.h.
These tests should be checkable via 'verify' rather than 'ASSERT', but
using 'verify' would run into a bug with HP-UX 11.23 cc; see
<https://lists.gnu.org/r/bug-gnulib/2011-05/msg00401.html>. */
-#if __GNUC__ || __clang__ || __SUNPRO_C
+#ifdef TEST_STDCKDINT
+# define VERIFY(x) ((void) 0)
+#elif __GNUC__ || __clang__ || __SUNPRO_C
# define VERIFY(x) verify_stmt (x)
#else
# define VERIFY(x) ASSERT (x)
@@ -65,6 +72,7 @@ main (void)
/* Use VERIFY for tests that must be integer constant expressions,
ASSERT otherwise. */
+#ifndef TEST_STDCKDINT
/* TYPE_IS_INTEGER. */
ASSERT (TYPE_IS_INTEGER (bool));
ASSERT (TYPE_IS_INTEGER (char));
@@ -161,6 +169,7 @@ main (void)
VERIFY (INT_STRLEN_BOUND (int64_t) == sizeof ("-9223372036854775808") - 1);
VERIFY (INT_BUFSIZE_BOUND (int64_t) == sizeof ("-9223372036854775808"));
#endif
+#endif
/* All the INT_<op>_RANGE_OVERFLOW tests are equally valid as
INT_<op>_OVERFLOW tests, so define macros to do both. OP is the
diff --git a/tests/test-stdckdint.c b/tests/test-stdckdint.c
new file mode 100644
index 0000000000..c19525518c
--- /dev/null
+++ b/tests/test-stdckdint.c
@@ -0,0 +1,30 @@
+/* Test <stdckdint.h>.
+ Copyright 2022 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>. */
+
+/* Written by Paul Eggert. */
+
+/* Tell test-intprops.c to test <stdckdint.h> instead of <intprops.h>. */
+
+#define TEST_STDCKDINT 1
+
+#define INT_ADD_WRAPV(a, b, r) ckd_add (r, a, b)
+#define INT_SUBTRACT_WRAPV(a, b, r) ckd_sub (r, a, b)
+#define INT_MULTIPLY_WRAPV(a, b, r) ckd_mul (r, a, b)
+
+/* Luckily, test-intprops.c uses INT_NEGATE_OVERFLOW only on INT_MIN. */
+#define INT_NEGATE_OVERFLOW(a) ((a) < -INT_MAX)
+
+#include "test-intprops.c"
--
2.34.1
[-- Attachment #6: 0005-stdckdint-prefer-to-intprops-when-easy.patch --]
[-- Type: text/x-patch, Size: 15020 bytes --]
From ef5a4088d9236a55283d1eb576f560aa39c09e6f Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 9 Aug 2022 23:20:49 -0700
Subject: [PATCH 5/6] stdckdint: prefer to intprops when easy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
stdckdint.h is part of draft C23 and therefore is more likely
to be familiar to programmers in the future, so prefer it to
intprops.h in files that don’t need non-_WRAPV intprops.h macros.
* lib/alignalloc.c, lib/backupfile.c, lib/fnmatch.c, lib/fnmatch_loop.c:
* lib/group-member.c, lib/malloca.c, lib/posixtm.c, lib/reallocarray.c:
* lib/xmalloc.c:
For files that can use stdckdint.h just as easily as intprops.h,
include the former instead of the latter, and use the former’s
ckd_* macros instead of the latter’s *_WRAPV macros.
* modules/alignalloc, modules/backup-rename, modules/backupfile:
* modules/fnmatch, modules/group-member, modules/malloca:
* modules/posixtm, modules/reallocarray:
* modules/relocatable-prog-wrapper, modules/xalloc:
Depend on stdckdint instead of intprops.
---
ChangeLog | 16 ++++++++++++++++
lib/alignalloc.c | 4 ++--
lib/backupfile.c | 4 ++--
lib/fnmatch.c | 2 +-
lib/fnmatch_loop.c | 4 ++--
lib/group-member.c | 5 ++---
lib/malloca.c | 10 +++++-----
lib/posixtm.c | 4 ++--
lib/reallocarray.c | 5 ++---
lib/xmalloc.c | 12 ++++++------
modules/alignalloc | 2 +-
modules/backup-rename | 2 +-
modules/backupfile | 2 +-
modules/fnmatch | 2 +-
modules/group-member | 2 +-
modules/malloca | 2 +-
modules/posixtm | 2 +-
modules/reallocarray | 2 +-
modules/relocatable-prog-wrapper | 1 +
modules/xalloc | 2 +-
20 files changed, 50 insertions(+), 35 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 20c25c902a..5293fc104f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,21 @@
2022-08-09 Paul Eggert <eggert@cs.ucla.edu>
+ stdckdint: prefer to intprops when easy
+ stdckdint.h is part of draft C23 and therefore is more likely
+ to be familiar to programmers in the future, so prefer it to
+ intprops.h in files that don’t need non-_WRAPV intprops.h macros.
+ * lib/alignalloc.c, lib/backupfile.c, lib/fnmatch.c, lib/fnmatch_loop.c:
+ * lib/group-member.c, lib/malloca.c, lib/posixtm.c, lib/reallocarray.c:
+ * lib/xmalloc.c:
+ For files that can use stdckdint.h just as easily as intprops.h,
+ include the former instead of the latter, and use the former’s
+ ckd_* macros instead of the latter’s *_WRAPV macros.
+ * modules/alignalloc, modules/backup-rename, modules/backupfile:
+ * modules/fnmatch, modules/group-member, modules/malloca:
+ * modules/posixtm, modules/reallocarray:
+ * modules/relocatable-prog-wrapper, modules/xalloc:
+ Depend on stdckdint instead of intprops.
+
stdckdint: new module
This supports draft C23 <stdckdint.h>.
* doc/posix-headers/stdckdint.texi:
diff --git a/lib/alignalloc.c b/lib/alignalloc.c
index 03988f11a4..1884394e3c 100644
--- a/lib/alignalloc.c
+++ b/lib/alignalloc.c
@@ -24,8 +24,8 @@
#include <limits.h>
#include <stdalign.h>
+#include <stdckdint.h>
#include <stdint.h>
-#include "intprops.h"
#include "verify.h"
#if !ALIGNALLOC_VIA_ALIGNED_ALLOC
@@ -82,7 +82,7 @@ alignalloc (idx_t alignment, idx_t size)
size_t malloc_size;
unsigned char *q;
- if (INT_ADD_WRAPV (size, alignment, &malloc_size)
+ if (ckd_add (&malloc_size, size, alignment)
|| ! (q = malloc (malloc_size)))
{
errno = ENOMEM;
diff --git a/lib/backupfile.c b/lib/backupfile.c
index d9f465a3e0..b2ab67847a 100644
--- a/lib/backupfile.c
+++ b/lib/backupfile.c
@@ -26,6 +26,7 @@
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
+#include <stdckdint.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
@@ -34,7 +35,6 @@
#include "attribute.h"
#include "basename-lgpl.h"
#include "ialloc.h"
-#include "intprops.h"
#include "opendirat.h"
#include "renameatu.h"
@@ -272,7 +272,7 @@ numbered_backup (int dir_fd, char **buffer, idx_t buffer_size, idx_t filelen,
if (buffer_size < new_buffer_size)
{
idx_t grown;
- if (! INT_ADD_WRAPV (new_buffer_size, new_buffer_size >> 1, &grown))
+ if (! ckd_add (&grown, new_buffer_size, new_buffer_size >> 1))
new_buffer_size = grown;
char *new_buf = irealloc (buf, new_buffer_size);
if (!new_buf)
diff --git a/lib/fnmatch.c b/lib/fnmatch.c
index b33a127d98..45e326902d 100644
--- a/lib/fnmatch.c
+++ b/lib/fnmatch.c
@@ -30,6 +30,7 @@
#include <errno.h>
#include <ctype.h>
#include <string.h>
+#include <stdckdint.h>
#include <stdlib.h>
#if defined _LIBC || HAVE_ALLOCA
# include <alloca.h>
@@ -73,7 +74,6 @@ extern int fnmatch (const char *pattern, const char *string, int flags);
# include "attribute.h"
#endif
-#include <intprops.h>
#include <flexmember.h>
#ifdef _LIBC
diff --git a/lib/fnmatch_loop.c b/lib/fnmatch_loop.c
index e635953758..1b16de99b6 100644
--- a/lib/fnmatch_loop.c
+++ b/lib/fnmatch_loop.c
@@ -1039,8 +1039,8 @@ EXT (INT opt, const CHAR *pattern, const CHAR *string, const CHAR *string_end,
idx_t slen = FLEXSIZEOF (struct patternlist, str, 0); \
idx_t new_used = alloca_used + slen; \
idx_t plensize; \
- if (INT_MULTIPLY_WRAPV (plen, sizeof (CHAR), &plensize) \
- || INT_ADD_WRAPV (new_used, plensize, &new_used)) \
+ if (ckd_mul (&plensize, plen, sizeof (CHAR), &plensize) \
+ || ckd_add (&new_used, new_used, plensize)) \
{ \
retval = -2; \
goto out; \
diff --git a/lib/group-member.c b/lib/group-member.c
index 480a12616a..cd43f36f4e 100644
--- a/lib/group-member.c
+++ b/lib/group-member.c
@@ -21,12 +21,11 @@
/* Specification. */
#include <unistd.h>
+#include <stdckdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
-#include "intprops.h"
-
/* Most processes have no more than this many groups, and for these
processes we can avoid using malloc. */
enum { GROUPBUF_SIZE = 100 };
@@ -54,7 +53,7 @@ get_group_info (struct group_info *gi)
{
int n_group_slots = getgroups (0, NULL);
size_t nbytes;
- if (! INT_MULTIPLY_WRAPV (n_group_slots, sizeof *gi->group, &nbytes))
+ if (! ckd_mul (&nbytes, n_group_slots, sizeof *gi->group))
{
gi->group = malloc (nbytes);
if (gi->group)
diff --git a/lib/malloca.c b/lib/malloca.c
index e7beaaf066..183783a710 100644
--- a/lib/malloca.c
+++ b/lib/malloca.c
@@ -21,8 +21,9 @@
/* Specification. */
#include "malloca.h"
+#include <stdckdint.h>
+
#include "idx.h"
-#include "intprops.h"
#include "verify.h"
/* The speed critical point in this file is freea() applied to an alloca()
@@ -50,17 +51,16 @@ mmalloca (size_t n)
uintptr_t alignment2_mask = 2 * sa_alignment_max - 1;
int plus = sizeof (small_t) + alignment2_mask;
idx_t nplus;
- if (!INT_ADD_WRAPV (n, plus, &nplus) && !xalloc_oversized (nplus, 1))
+ if (!ckd_add (&nplus, n, plus) && !xalloc_oversized (nplus, 1))
{
char *mem = (char *) malloc (nplus);
if (mem != NULL)
{
uintptr_t umem = (uintptr_t)mem, umemplus;
- /* The INT_ADD_WRAPV avoids signed integer overflow on
+ /* The ckd_add avoids signed integer overflow on
theoretical platforms where UINTPTR_MAX <= INT_MAX. */
- INT_ADD_WRAPV (umem, sizeof (small_t) + sa_alignment_max - 1,
- &umemplus);
+ ckd_add (&umemplus, umem, sizeof (small_t) + sa_alignment_max - 1);
idx_t offset = ((umemplus & ~alignment2_mask)
+ sa_alignment_max - umem);
void *vp = mem + offset;
diff --git a/lib/posixtm.c b/lib/posixtm.c
index b00cef42fd..3c323782fa 100644
--- a/lib/posixtm.c
+++ b/lib/posixtm.c
@@ -24,9 +24,9 @@
#include "c-ctype.h"
#include "idx.h"
-#include "intprops.h"
#include "verify.h"
+#include <stdckdint.h>
#include <string.h>
/*
@@ -191,7 +191,7 @@ posixtime (time_t *p, const char *s, unsigned int syntax_bits)
| (tm0.tm_min ^ tm1.tm_min)
| (tm0.tm_sec ^ tm1.tm_sec)))
{
- if (INT_ADD_WRAPV (t, leapsec, &t))
+ if (ckd_add (&t, t, leapsec))
return false;
*p = t;
return true;
diff --git a/lib/reallocarray.c b/lib/reallocarray.c
index bc4cba4b61..70c1b47872 100644
--- a/lib/reallocarray.c
+++ b/lib/reallocarray.c
@@ -19,16 +19,15 @@
#include <config.h>
+#include <stdckdint.h>
#include <stdlib.h>
#include <errno.h>
-#include "intprops.h"
-
void *
reallocarray (void *ptr, size_t nmemb, size_t size)
{
size_t nbytes;
- if (INT_MULTIPLY_WRAPV (nmemb, size, &nbytes))
+ if (ckd_mul (&nbytes, nmemb, size))
{
errno = ENOMEM;
return NULL;
diff --git a/lib/xmalloc.c b/lib/xmalloc.c
index 993c1eeb75..3c3cb20799 100644
--- a/lib/xmalloc.c
+++ b/lib/xmalloc.c
@@ -22,9 +22,9 @@
#include "xalloc.h"
#include "ialloc.h"
-#include "intprops.h"
#include "minmax.h"
+#include <stdckdint.h>
#include <stdlib.h>
#include <string.h>
@@ -195,7 +195,7 @@ x2nrealloc (void *p, size_t *pn, size_t s)
else
{
/* Set N = floor (1.5 * N) + 1 to make progress even if N == 0. */
- if (INT_ADD_WRAPV (n, (n >> 1) + 1, &n))
+ if (ckd_add (&n, n, (n >> 1) + 1))
xalloc_die ();
}
@@ -236,7 +236,7 @@ xpalloc (void *pa, idx_t *pn, idx_t n_incr_min, ptrdiff_t n_max, idx_t s)
N_MAX, and what the C language can represent safely. */
idx_t n;
- if (INT_ADD_WRAPV (n0, n0 >> 1, &n))
+ if (ckd_add (&n, n0, n0 >> 1))
n = IDX_MAX;
if (0 <= n_max && n_max < n)
n = n_max;
@@ -251,7 +251,7 @@ xpalloc (void *pa, idx_t *pn, idx_t n_incr_min, ptrdiff_t n_max, idx_t s)
size_t nbytes;
#endif
idx_t adjusted_nbytes
- = (INT_MULTIPLY_WRAPV (n, s, &nbytes)
+ = (ckd_mul (&nbytes, n, s)
? MIN (IDX_MAX, SIZE_MAX)
: nbytes < DEFAULT_MXFAST ? DEFAULT_MXFAST : 0);
if (adjusted_nbytes)
@@ -263,9 +263,9 @@ xpalloc (void *pa, idx_t *pn, idx_t n_incr_min, ptrdiff_t n_max, idx_t s)
if (! pa)
*pn = 0;
if (n - n0 < n_incr_min
- && (INT_ADD_WRAPV (n0, n_incr_min, &n)
+ && (ckd_add (&n, n0, n_incr_min)
|| (0 <= n_max && n_max < n)
- || INT_MULTIPLY_WRAPV (n, s, &nbytes)))
+ || ckd_mul (&nbytes, n, s)))
xalloc_die ();
pa = xrealloc (pa, nbytes);
*pn = n;
diff --git a/modules/alignalloc b/modules/alignalloc
index 68c1b14cd4..42ca672bc2 100644
--- a/modules/alignalloc
+++ b/modules/alignalloc
@@ -10,9 +10,9 @@ Depends-on:
extensions
extern-inline
idx
-intprops
posix_memalign
stdalign
+stdckdint
stdint
verify
diff --git a/modules/backup-rename b/modules/backup-rename
index 245350a4df..54a8270a90 100644
--- a/modules/backup-rename
+++ b/modules/backup-rename
@@ -17,12 +17,12 @@ closedir
d-ino
fcntl-h
ialloc
-intprops
memcmp
opendirat
readdir
renameatu
stdbool
+stdckdint
stdint
xalloc-oversized
diff --git a/modules/backupfile b/modules/backupfile
index 3d06da9ed4..804e62d48c 100644
--- a/modules/backupfile
+++ b/modules/backupfile
@@ -17,13 +17,13 @@ closedir
d-ino
fcntl-h
ialloc
-intprops
memcmp
opendirat
readdir
realloc-gnu
renameatu
stdbool
+stdckdint
stdint
xalloc-die
diff --git a/modules/fnmatch b/modules/fnmatch
index 37ebfe2250..7de95c565a 100644
--- a/modules/fnmatch
+++ b/modules/fnmatch
@@ -15,11 +15,11 @@ btowc [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
builtin-expect [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
flexmember [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
idx [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
-intprops [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
isblank [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
iswctype [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
libc-config [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
stdbool [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
+stdckdint [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
strnlen [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
wchar [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
wctype-h [test $HAVE_FNMATCH = 0 || test $REPLACE_FNMATCH = 1]
diff --git a/modules/group-member b/modules/group-member
index c08e786e0a..d84b751c0c 100644
--- a/modules/group-member
+++ b/modules/group-member
@@ -9,8 +9,8 @@ Depends-on:
unistd
extensions
getgroups [test $HAVE_GROUP_MEMBER = 0]
-intprops [test $HAVE_GROUP_MEMBER = 0]
realloc-gnu [test $HAVE_GROUP_MEMBER = 0]
+stdckdint [test $HAVE_GROUP_MEMBER = 0]
configure.ac:
gl_FUNC_GROUP_MEMBER
diff --git a/modules/malloca b/modules/malloca
index 346d33251a..9c279c45f1 100644
--- a/modules/malloca
+++ b/modules/malloca
@@ -10,7 +10,7 @@ m4/eealloc.m4
Depends-on:
alloca-opt
idx
-intprops
+stdckdint
stdint
verify
xalloc-oversized
diff --git a/modules/posixtm b/modules/posixtm
index 5ecc016ae9..f302efac63 100644
--- a/modules/posixtm
+++ b/modules/posixtm
@@ -9,9 +9,9 @@ m4/posixtm.m4
Depends-on:
c-ctype
idx
-intprops
mktime
stdbool
+stdckdint
verify
configure.ac:
diff --git a/modules/reallocarray b/modules/reallocarray
index 9d2db6b888..380434870e 100644
--- a/modules/reallocarray
+++ b/modules/reallocarray
@@ -8,8 +8,8 @@ m4/reallocarray.m4
Depends-on:
extensions
-intprops [test $HAVE_REALLOCARRAY = 0 || test $REPLACE_REALLOCARRAY = 1]
realloc-gnu [test $HAVE_REALLOCARRAY = 0 || test $REPLACE_REALLOCARRAY = 1]
+stdckdint [test $HAVE_REALLOCARRAY = 0 || test $REPLACE_REALLOCARRAY = 1]
stdlib
configure.ac:
diff --git a/modules/relocatable-prog-wrapper b/modules/relocatable-prog-wrapper
index fa56916217..9b9d9c3abe 100644
--- a/modules/relocatable-prog-wrapper
+++ b/modules/relocatable-prog-wrapper
@@ -67,6 +67,7 @@ ssize_t
stdalign
stdbool
stddef
+stdckdint
stdint
stdlib
string
diff --git a/modules/xalloc b/modules/xalloc
index 0fc3836c2c..15059bf47f 100644
--- a/modules/xalloc
+++ b/modules/xalloc
@@ -12,11 +12,11 @@ calloc-gnu
extern-inline
ialloc
idx
-intprops
malloc-gnu
minmax
realloc-gnu
reallocarray
+stdckdint
stdint
xalloc-die
--
2.34.1
[-- Attachment #7: 0006-maint-parenthesize-macro-definiens.patch --]
[-- Type: text/x-patch, Size: 2756 bytes --]
From fe6964f010a9881ad323a770e97f17a77e2f2b7f Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed, 10 Aug 2022 00:17:58 -0700
Subject: [PATCH 6/6] maint: parenthesize macro definiens
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* lib/intprops.h (INT_ADD_OK, INT_SUBTRACT_OK, INT_MULTIPLY_OK):
* lib/pipe-filter-ii.c (GetLastError):
* lib/thread-optim.h (gl_multithreaded): Parenthesize
function-like macro definiens beginning with a unary operator;
needed for weird invocations like ‘m (...)[p]’.
---
ChangeLog | 9 +++++++++
lib/intprops.h | 6 +++---
lib/pipe-filter-ii.c | 2 +-
lib/thread-optim.h | 2 +-
4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5293fc104f..f9499921dd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2022-08-10 Paul Eggert <eggert@cs.ucla.edu>
+
+ maint: parenthesize macro definiens
+ * lib/intprops.h (INT_ADD_OK, INT_SUBTRACT_OK, INT_MULTIPLY_OK):
+ * lib/pipe-filter-ii.c (GetLastError):
+ * lib/thread-optim.h (gl_multithreaded): Parenthesize
+ function-like macro definiens beginning with a unary operator;
+ needed for weird invocations like ‘m (...)[p]’.
+
2022-08-09 Paul Eggert <eggert@cs.ucla.edu>
stdckdint: prefer to intprops when easy
diff --git a/lib/intprops.h b/lib/intprops.h
index b911384532..f182ddc1fe 100644
--- a/lib/intprops.h
+++ b/lib/intprops.h
@@ -328,8 +328,8 @@
These macros are tuned for B being a constant. */
-#define INT_ADD_OK(a, b, r) ! INT_ADD_WRAPV (a, b, r)
-#define INT_SUBTRACT_OK(a, b, r) ! INT_SUBTRACT_WRAPV (a, b, r)
-#define INT_MULTIPLY_OK(a, b, r) ! INT_MULTIPLY_WRAPV (a, b, r)
+#define INT_ADD_OK(a, b, r) (! INT_ADD_WRAPV (a, b, r))
+#define INT_SUBTRACT_OK(a, b, r) (! INT_SUBTRACT_WRAPV (a, b, r))
+#define INT_MULTIPLY_OK(a, b, r) (! INT_MULTIPLY_WRAPV (a, b, r))
#endif /* _GL_INTPROPS_H */
diff --git a/lib/pipe-filter-ii.c b/lib/pipe-filter-ii.c
index 8f547791c6..06729584f0 100644
--- a/lib/pipe-filter-ii.c
+++ b/lib/pipe-filter-ii.c
@@ -98,7 +98,7 @@ CloseHandle (HANDLE h)
# define _endthreadex(x) return (x)
# define TerminateThread(h, e) DosKillThread (h->tid)
-# define GetLastError() -1
+# define GetLastError() (-1)
# ifndef ERROR_NO_DATA
# define ERROR_NO_DATA 232
diff --git a/lib/thread-optim.h b/lib/thread-optim.h
index daf887fda9..dc1ad8622c 100644
--- a/lib/thread-optim.h
+++ b/lib/thread-optim.h
@@ -52,7 +52,7 @@
#if HAVE_SYS_SINGLE_THREADED_H /* glibc >= 2.32 */
# include <sys/single_threaded.h>
-# define gl_multithreaded() !__libc_single_threaded
+# define gl_multithreaded() (!__libc_single_threaded)
#else
# define gl_multithreaded() 1
#endif
--
2.34.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: ISO C 23 ahead
2022-08-10 7:31 ` Paul Eggert
@ 2022-08-10 13:58 ` Bruno Haible
2022-08-10 17:42 ` Paul Eggert
0 siblings, 1 reply; 7+ messages in thread
From: Bruno Haible @ 2022-08-10 13:58 UTC (permalink / raw
To: Paul Eggert; +Cc: bug-gnulib
Hi Paul,
> I took a crack at stdckdint.h by installing the attached into Gnulib,
> which supports and uses stdckint.h.
This is awesome!
But you haven't pushed the patches yet.
And in patch 0004, I think the module 'stdckdint' should depend on 'stdbool'
(since <stdckdint.h> includes <stdbool.h>).
Bruno
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ISO C 23 ahead
2022-08-10 13:58 ` Bruno Haible
@ 2022-08-10 17:42 ` Paul Eggert
2022-08-30 21:57 ` Simon Josefsson via Gnulib discussion list
0 siblings, 1 reply; 7+ messages in thread
From: Paul Eggert @ 2022-08-10 17:42 UTC (permalink / raw
To: Bruno Haible; +Cc: bug-gnulib
On 8/10/22 06:58, Bruno Haible wrote:
> But you haven't pushed the patches yet.
Oops. Pushed.
> And in patch 0004, I think the module 'stdckdint' should depend on 'stdbool'
> (since <stdckdint.h> includes <stdbool.h>).
Thanks, I fixed that.
I also sent the following email to people who I hope can fix the
problems in the draft C standard (unfortunately they don't seem to make
it easy to file bug reports...):
------
As one of the maintainers for the GNU Portability Library[1] I recently
implemented stdckdint.h there[2] and modified some other parts of Gnulib
to use stdckdint.h[3]. The GNU project has had extensive experience with
stdckdint.h's behavior, as we implemented nearly-identical macros
INT_ADD_WRAPV etc. in 2015 and have been using them to catch
integer-overflow issues since then.
In the process of implementing and using stdckdint.h I found the
following problems in the draft standard N3047, which I hope can be
fixed before the standard becomes final:
A. The current wording prohibits this use:
bool check_2_overflow (unsigned hi, unsigned lo) {
return ckd_add (&hi, hi, ckd_add (&lo, lo, 1));
}
because it says arguments to ckd_add cannot be of type 'bool'. There is
no reason for this restriction in ckd_add's last two arguments, as these
arguments are promoted to 'int'. This sort of restriction is needed only
for ckd_add's first argument. Similarly for 'char', enumeration types,
and bit-precise integers.
B. The current wording says that this usage is not portable:
bool check_size_overflow (size_t s) {
return ckd_add (&s, s, 1);
}
because size_t might be a bit-precise integer, or 'char', or an
enumeration type. This means that portable programs cannot use
stdckdint.h when doing address arithmetic with size_t and ptrdiff_t, and
similarly for other standard types, because these types might
conceivably be implemented via a bit-precise integer etc.
C. Although freestanding programs are allowed to use the new <stdbit.h>
header, they are not allowed to use <stdckdint.h>. This is puzzling, as
the two headers fall roughly into the same category: they typically
affect only how the compiler generates code and do not require library
support.
I ignored these problems in Gnulib, in the hopes that they're glitches
in the standard and that we won't run into any practical implementations
that exploit the glitches. However, it'd be nicer if they were fixed.
Here is some proposed wording to do that.
a. In section 4 paragraph 6, add <stdckdint.h> to the list of standard
headers required of freestanding implementations.
b. In section 7.1.2 insert the following paragraph after paragraph 8:
"Any declaration of an integer type shall not declare it to be 'bool',
nor 'char', nor an enumeration type, nor a bit-precise integer type."
with a footnote "This allows expressions of standard types like 'size_t'
to be used in calls to macros like 'ckd_add'; see section 7.20."
c. In section 7.20.1 paragraph 3 change this:
"Both 'type2' and 'type3' shall be any integer type other than plain
'char', 'bool', a bit-precise integer type, or an enumeration type, and
they need not be the same."
to this:
"Both 'type2' and 'type3' shall be any integer type, and they need not
be the same."
and append the following footnote to paragraph 3: "Because standard
types like 'size_t' cannot be plain 'char', 'bool', a bit-precise
integer type, or an enumeration type (section 7.1.2), *result can be of
a standard type like 'size_t'."
[1] https://www.gnu.org/software/gnulib/
[2]
https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2eb92c362ecfb2dae9c9cb37cb9246df6989181c
[3]
https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=ef5a4088d9236a55283d1eb576f560aa39c09e6f
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ISO C 23 ahead
2022-08-10 17:42 ` Paul Eggert
@ 2022-08-30 21:57 ` Simon Josefsson via Gnulib discussion list
2022-08-30 22:40 ` Paul Eggert
0 siblings, 1 reply; 7+ messages in thread
From: Simon Josefsson via Gnulib discussion list @ 2022-08-30 21:57 UTC (permalink / raw
To: Paul Eggert; +Cc: Bruno Haible, bug-gnulib
[-- Attachment #1: Type: text/plain, Size: 2510 bytes --]
I think some of these patches introduced a build failure of GNU
InetUtils on Debian 6, see build error below. The following looks
strange:
- if (INT_MULTIPLY_WRAPV (plen, sizeof (CHAR), &plensize) \
- || INT_ADD_WRAPV (new_used, plensize, &new_used)) \
+ if (ckd_mul (&plensize, plen, sizeof (CHAR), &plensize) \
+ || ckd_add (&new_used, new_used, plensize)) \
Shouldn't it be like this:
+ if (ckd_mul (&plensize, plen, sizeof (CHAR)) \
I wonder why no self-check has caught this?
/Simon
https://gitlab.com/jas/inetutils/-/jobs/2956458571
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -Wno-cast-qual -Wno-conversion -Wno-float-equal -Wno-sign-compare -Wno-undef -Wno-unused-function -Wno-unused-parameter -Wno-sign-conversion -Wno-type-limits -g -O2 -MT libgnu_a-xasprintf.o -MD -MP -MF .deps/libgnu_a-xasprintf.Tpo -c -o libgnu_a-xasprintf.o `test -f 'xasprintf.c' || echo './'`xasprintf.c
mv -f .deps/libgnu_a-xasprintf.Tpo .deps/libgnu_a-xasprintf.Po
depbase=`echo asnprintf.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -g -O2 -MT asnprintf.o -MD -MP -MF $depbase.Tpo -c -o asnprintf.o asnprintf.c &&\
mv -f $depbase.Tpo $depbase.Po
depbase=`echo fnmatch.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -g -O2 -MT fnmatch.o -MD -MP -MF $depbase.Tpo -c -o fnmatch.o fnmatch.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from fnmatch.c:143:
fnmatch_loop.c:1067:13: error: macro "ckd_mul" passed 4 arguments, but takes just 3
In file included from fnmatch.c:143:
fnmatch_loop.c: In function 'ext_match':
fnmatch_loop.c:1067: error: 'ckd_mul' undeclared (first use in this function)
fnmatch_loop.c:1067: error: (Each undeclared identifier is reported only once
fnmatch_loop.c:1067: error: for each function it appears in.)
fnmatch_loop.c:1074:13: error: macro "ckd_mul" passed 4 arguments, but takes just 3
In file included from fnmatch.c:232:
fnmatch_loop.c:1067:1: error: macro "ckd_mul" passed 4 arguments, but takes just 3
In file included from fnmatch.c:232:
fnmatch_loop.c: In function 'ext_wmatch':
fnmatch_loop.c:1067: error: 'ckd_mul' undeclared (first use in this function)
fnmatch_loop.c:1074:1: error: macro "ckd_mul" passed 4 arguments, but takes just 3
make[4]: *** [fnmatch.o] Error 1
make[4]: Leaving directory `/builds/jas/inetutils/inetutils-2.3.4-6821/lib'
/Simon
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 255 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ISO C 23 ahead
2022-08-30 21:57 ` Simon Josefsson via Gnulib discussion list
@ 2022-08-30 22:40 ` Paul Eggert
2022-08-31 18:51 ` Simon Josefsson via Gnulib discussion list
0 siblings, 1 reply; 7+ messages in thread
From: Paul Eggert @ 2022-08-30 22:40 UTC (permalink / raw
To: Simon Josefsson; +Cc: Bruno Haible, bug-gnulib
[-- Attachment #1: Type: text/plain, Size: 375 bytes --]
On 8/30/22 16:57, Simon Josefsson wrote:
> Shouldn't it be like this:
>
> + if (ckd_mul (&plensize, plen, sizeof (CHAR)) \
Indeed it should. Thanks for reporting that. I installed the attached.
> I wonder why no self-check has caught this?
Apparently I tested it only on platforms with working fnmatch, so the
bad code was never compiled.
[-- Attachment #2: 0001-fnmatch-fix-stdckdint-typo.patch --]
[-- Type: text/x-patch, Size: 1845 bytes --]
From a5e751e79466703045e7d11d5d3dfc9e1d1fa78b Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 30 Aug 2022 17:37:06 -0500
Subject: [PATCH] fnmatch: fix stdckdint typo
* lib/fnmatch_loop.c (NEW_PATTERN): Fix typo in previous patch.
Problem and fix reported by Simon Josefsson in:
https://lists.gnu.org/r/bug-gnulib/2022-08/msg00104.html
---
ChangeLog | 7 +++++++
lib/fnmatch_loop.c | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 904980df7d..8c181a2af1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2022-08-30 Paul Eggert <eggert@cs.ucla.edu>
+
+ fnmatch: fix stdckdint typo
+ * lib/fnmatch_loop.c (NEW_PATTERN): Fix typo in previous patch.
+ Problem and fix reported by Simon Josefsson in:
+ https://lists.gnu.org/r/bug-gnulib/2022-08/msg00104.html
+
2022-08-25 Paul Eggert <eggert@cs.ucla.edu>
tempname: simplify by omitting _LIBC code
diff --git a/lib/fnmatch_loop.c b/lib/fnmatch_loop.c
index 1b16de99b6..3050f0cdcc 100644
--- a/lib/fnmatch_loop.c
+++ b/lib/fnmatch_loop.c
@@ -1039,7 +1039,7 @@ EXT (INT opt, const CHAR *pattern, const CHAR *string, const CHAR *string_end,
idx_t slen = FLEXSIZEOF (struct patternlist, str, 0); \
idx_t new_used = alloca_used + slen; \
idx_t plensize; \
- if (ckd_mul (&plensize, plen, sizeof (CHAR), &plensize) \
+ if (ckd_mul (&plensize, plen, sizeof (CHAR)) \
|| ckd_add (&new_used, new_used, plensize)) \
{ \
retval = -2; \
--
2.37.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: ISO C 23 ahead
2022-08-30 22:40 ` Paul Eggert
@ 2022-08-31 18:51 ` Simon Josefsson via Gnulib discussion list
0 siblings, 0 replies; 7+ messages in thread
From: Simon Josefsson via Gnulib discussion list @ 2022-08-31 18:51 UTC (permalink / raw
To: Paul Eggert; +Cc: Bruno Haible, bug-gnulib
[-- Attachment #1: Type: text/plain, Size: 502 bytes --]
Paul Eggert <eggert@cs.ucla.edu> writes:
>> + if (ckd_mul (&plensize, plen, sizeof (CHAR)) \
>
> Indeed it should. Thanks for reporting that. I installed the attached.
Thank you!
>> I wonder why no self-check has caught this?
>
> Apparently I tested it only on platforms with working fnmatch, so the
> bad code was never compiled.
I'm experimenting with a Debian6 gnulib CI/CD job, not sure it will be
worthwile: https://gitlab.com/jas/gnulib-ci/-/pipelines
/Simon
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 255 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-08-31 19:18 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-07 16:42 ISO C 23 ahead Bruno Haible
2022-08-10 7:31 ` Paul Eggert
2022-08-10 13:58 ` Bruno Haible
2022-08-10 17:42 ` Paul Eggert
2022-08-30 21:57 ` Simon Josefsson via Gnulib discussion list
2022-08-30 22:40 ` Paul Eggert
2022-08-31 18:51 ` Simon Josefsson via Gnulib discussion list
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).