From: Richard Guenther
To: "Joseph S. Myers"
Cc: gcc-patches@gcc.gnu.org
Subject: Re: [PATCH][C] Fixup pointer-int-sum
Date: Thu, 07 Jul 2011 15:02:00 -0000

On Thu, 7 Jul 2011, Joseph S. Myers wrote:

> On Thu, 7 Jul 2011, Richard Guenther wrote:
>
> > not overflow (what is actually the C semantics - is the
> > multiplication allowed to overflow for unsigned intop? If not
>
> Overflow is not allowed.  Formally the multiplication is as-if to infinite
> precision, and then there is undefined behavior if the result of the
> addition (to infinite precision) is outside the array pointed to -
> wrapping around by some multiple of the whole address space is not
> allowed.
>
> In practice, as previously discussed objects half or more of the address
> space do not work reliably because of the problems doing pointer
> subtraction, so always using a signed type shouldn't break anything that
> actually worked reliably (though how unreliable things were with large
> malloced objects - which unfortunately glibc's malloc can provide - if the
> source code didn't use pointer subtraction, I don't know).
>
> In GCC's terms half or more of the address space generally means half the
> range of size_t.  (m32c has ptrdiff_t wider than size_t in some cases.  On
> such unusual architectures it ought to be possible to have objects whose
> size is up to SIZE_MAX bytes and have pointer addition and subtraction
> work reliably, which would suggest using ptrdiff_t for arithmetic in such
> cases, but the code checking sizes for arrays of constant size uses the
> signed type corresponding to size_t, so you could only get a larger object
> through malloc or VLAs.)
>
> The patch is OK.  Unconditionally signed is also OK, though I don't see
> any advantage over this version.

Ok, I'll defer the decision to the time I have settled on a final
solution to get rid of the (unsigned) sizetype offset operand for
POINTER_PLUS_EXPR.  The least invasive idea is to introduce a new
signed ptrofftype to replace all sizetype conversions at places we
build POINTER_PLUS_EXPRs.  That would favor unconditionally signed.
The moderately invasive idea is to allow both a signed and an unsigned
ptrofftype (but still force a common precision), with all the fun
that arises from combining (ptr p+ off1) p+ off2 with different
signs for the offset operand ...

Thanks,
Richard.
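The C rule Joseph states above (scale the index as if in infinite precision, then the sum must stay inside the object, never wrap around the address space) and his caveat about objects of half the address space or more are easy to get wrong in hand-written pointer arithmetic. The following is an added example written for this page; it is not code from the thread, from the patch, or from GCC. The helper names `object_size_is_reliable` and `checked_ptr_plus` are hypothetical. It takes the offset as a signed `ptrdiff_t`, the representation a signed ptrofftype would give the offset operand, and refuses any step whose scaled offset would overflow or leave the object, rather than relying on modular wraparound.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not GCC code and not from this thread.  It mirrors the
 * C rule quoted above: pointer + n is scaled "as if" in infinite precision
 * and the result must stay inside the object (one-past-the-end included),
 * so the helper refuses any step that would leave [base, base + nbytes]
 * instead of letting the offset wrap around the address space. */

/* Joseph's caveat: objects of half the address space or more break
 * pointer subtraction because a byte difference must fit in ptrdiff_t.
 * Returns 1 when nelems * elemsize is at most PTRDIFF_MAX bytes. */
static int object_size_is_reliable(size_t nelems, size_t elemsize)
{
    if (elemsize == 0)
        return 0;                    /* not a valid C object geometry */
    return nelems <= (size_t)PTRDIFF_MAX / elemsize;
}

/* Compute p + n where n counts elements of elemsize bytes and may be
 * negative (a signed ptrdiff_t offset).  Precondition: p already points
 * into the object [base, base + nbytes].  Returns NULL instead of ever
 * forming an out-of-object pointer. */
static void *checked_ptr_plus(void *base, size_t nbytes,
                              void *p, ptrdiff_t n, size_t elemsize)
{
    /* Reject geometry where p - base itself could not be represented. */
    if (elemsize == 0 || !object_size_is_reliable(nbytes, 1))
        return NULL;
    size_t pos = (size_t)((char *)p - (char *)base);
    if (pos > nbytes)
        return NULL;

    /* |n| without overflowing: -PTRDIFF_MIN is not representable, so
     * negate n + 1 and add one back in the unsigned domain. */
    uintmax_t mag = n < 0 ? (uintmax_t)(-(n + 1)) + 1 : (uintmax_t)n;

    /* The scaled byte offset must exist before it can be added: this is
     * the "multiplication may not overflow" part of the semantics. */
    if (mag > SIZE_MAX / elemsize)
        return NULL;
    size_t off = (size_t)mag * elemsize;

    if (n < 0) {
        if (off > pos)               /* would land before base */
            return NULL;
        return (char *)p - off;
    }
    if (off > nbytes - pos)          /* would pass one-past-the-end */
        return NULL;
    return (char *)p + off;
}
```

The magnitude is computed in `uintmax_t` so that `PTRDIFF_MIN` is handled without signed overflow, and the multiplication is guarded with a division check so the function is portable rather than depending on `__builtin_mul_overflow`. A one-past-the-end result is deliberately accepted, since C permits forming (but not dereferencing) that pointer.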