Warning flags for unsigned operations (unsafe)

Warning flags for unsigned operations (unsafe)

[Mathieu Malaterre]

Hello,

	I have been googling around and I couldn't find out if gcc had a 
warning flag for unsigned operation. For example, even the linear 
interpolation on [a,b] can be tricky to code:

1.
c = a + t * (b - a);  //unsafe

2.
c = (1.0 - t) * a + t * b; //safe

Number 1 will fail when both a and b are unsigned and let say b - a = -1 
(math speaking). Is there something in gcc that could warn me for this 
kind of operation ?

Thanks,
Mathieu

sizeof(union) and #pragma pack()

[Dave Trollope, Diane Barrowman]

Hi,

The following code seems to cause the sizeof() function to return a size 
that is two bytes larger than I expected. Is this the right behaviour?

struct a6 { unsigned long a; unsigned short b };
#pragma pack(2)
struct a10 {
union {
    struct a6 emedded;
    int *ptr;
}
unsigned long junk;
};
#pragma pack()

I was expecting sizeof(struct a10) to return 10 but it returns 12.

If I move the #pragma pack(2) above the first struct definition, 
sizeof(struct a10) returns 10 as expected. This is presumably because 
the packing between the structure and the union is miscalculated from 
the structure defaulting to a padded 8.

I'd like to know if this is the expected behaviour, or if this is 
something that needs fixing?

Cheers
Dave

-- 
Dave, Diane, Kringle & Baby
http://www.geocities.com/SiliconValley/7499

RE: Warning flags for unsigned operations (unsafe)

[Dave Korn]

> -----Original Message-----
> From: gcc-owner On Behalf Of Mathieu Malaterre
> Sent: 22 September 2004 01:36

> Hello,
> 
> 	I have been googling around and I couldn't find out if 
> gcc had a 
> warning flag for unsigned operation. For example, even the linear 
> interpolation on [a,b] can be tricky to code:
> 
> 1.
> c = a + t * (b - a);  //unsafe
> 
> 2.
> c = (1.0 - t) * a + t * b; //safe
> 
> Number 1 will fail when both a and b are unsigned and let say 
> b - a = -1 
> (math speaking). Is there something in gcc that could warn me 
> for this 
> kind of operation ?


  Your code has a design flaw and is not valid.  If you want to do maths
that involves negative quantities, you HAVE to use a signed variable, not an
unsigned one.  If you want to do subtraction with unsigned quantities and
have it work, you have to ensure (by a test) to always subtract the smaller
from the larger.

  Number 2 only works because you promote all the unsigned variables to
floating point quantities, which are always signed, before you subtract
them.

  If you really want to do this crazy thing with signed variables, you HAVE
to code it like this:

  c = (a < b) ? (a + t * (b - a)) : (b + (1.0 - t) * (a - b));

[erm.  not quite sure if I transformed the second part of that quite right,
but you get the point.]

  So why not just use signed variables or signed subtraction ?

c = a + t * ((int)b - (int)a);

[In fact, if I recall the sign-vs-value-preserving rules correctly, it
should suffice to cast only one of the arguments to int, shouldn't it?]

    cheers, 
      DaveK
-- 
Can't think of a witty .sigline today....

Re: Warning flags for unsigned operations (unsafe)

[Robert Dewar]

>   If you really want to do this crazy thing with signed variables, you HAVE
> to code it like this:
> 
>   c = (a < b) ? (a + t * (b - a)) : (b + (1.0 - t) * (a - b));

There is of course a typo here, Dave meant to say "crazy thing with unsigned
variables"

Re: sizeof(union) and #pragma pack()

[Geoffrey Keating]

"Dave Trollope, Diane Barrowman" <daveanddiane@kringlecottage.com> writes:

> Hi,
> 
> The following code seems to cause the sizeof() function to return a
> size that is two bytes larger than I expected. Is this the right
> behaviour?
> 
> struct a6 { unsigned long a; unsigned short b };
> #pragma pack(2)
> struct a10 {
> union {
>     struct a6 emedded;
>     int *ptr;
> }
> unsigned long junk;
> };
> #pragma pack()
> 
> I was expecting sizeof(struct a10) to return 10 but it returns 12.
> 
> If I move the #pragma pack(2) above the first struct definition,
> sizeof(struct a10) returns 10 as expected. This is presumably because
> the packing between the structure and the union is miscalculated from
> the structure defaulting to a padded 8.
> 
> I'd like to know if this is the expected behaviour, or if this is
> something that needs fixing?

This is correct.  sizeof(struct a6) is 8, and 'int *' is 4, and
8+4=12.  This is necessary for correct behaviour if you say, for instance,

struct a6 x;
struct a10 y;
memcpy (&y.emedded, x, sizeof (x));

Re: Warning flags for unsigned operations (unsafe)

[Luca Masini]

On Wed, 22 Sep 2004 14:36:36 +0100, Dave Korn <dk@artimi.com> wrote:

>> I have been googling around and I couldn't find out if
>> gcc had a warning flag for unsigned operation. For example, even the 
>> linear
>> interpolation on [a,b] can be tricky to code:
>>
>> 1. c = a + t * (b - a);  //unsafe
>> 2. c = (1.0 - t) * a + t * b; //safe
>>
>> Number 1 will fail when both a and b are unsigned and let say
>> b - a = -1
>> (math speaking). Is there something in gcc that could warn me
>> for this kind of operation ?
>
>
> Your code has a design flaw and is not valid.  If you want to do maths
> that involves negative quantities, you HAVE to use a signed variable, 
> not an unsigned one.  If you want to do subtraction with unsigned 
> quantities and
> have it work, you have to ensure (by a test) to always subtract the 
> smaller from the larger.

I'm curious too, and interested on the original question.
That is:
   GCC has the warning for that or not ?

Luca.

Re: Warning flags for unsigned operations (unsafe)

[Mathieu Malaterre]

Luca Masini wrote:
> On Wed, 22 Sep 2004 14:36:36 +0100, Dave Korn <dk@artimi.com> wrote:
> 
>>> I have been googling around and I couldn't find out if
>>> gcc had a warning flag for unsigned operation. For example, even the 
>>> linear
>>> interpolation on [a,b] can be tricky to code:
>>>
>>> 1. c = a + t * (b - a);  //unsafe
>>> 2. c = (1.0 - t) * a + t * b; //safe
>>>
>>> Number 1 will fail when both a and b are unsigned and let say
>>> b - a = -1
>>> (math speaking). Is there something in gcc that could warn me
>>> for this kind of operation ?
>>
>>
>>
>> Your code has a design flaw and is not valid.  If you want to do maths
>> that involves negative quantities, you HAVE to use a signed variable, 
>> not an unsigned one.  If you want to do subtraction with unsigned 
>> quantities and
>> have it work, you have to ensure (by a test) to always subtract the 
>> smaller from the larger.
> 
> 
> I'm curious too, and interested on the original question.
> That is:
>   GCC has the warning for that or not ?

I didn't find them if they exist...
Also as mention it doesn't seems straighforward to implement, to make 
thing worse my code is in fact a template code (I am reading image of 
certain type then do a linear interpolation). So the code could be half 
good / half bad.

I'll try to find out if there is another way to track those unsafe 
operations.

Thanks anyway
Mathieu

Re: Warning flags for unsigned operations (unsafe)

[Giovanni Bajo]

Mathieu Malaterre wrote:

> I have been googling around and I couldn't find out if gcc had a
> warning flag for unsigned operation. For example, even the linear
> interpolation on [a,b] can be tricky to code:
>
> 1.
> c = a + t * (b - a);  //unsafe
>
> 2.
> c = (1.0 - t) * a + t * b; //safe
>
> Number 1 will fail when both a and b are unsigned and let say b - a =
> -1 (math speaking). Is there something in gcc that could warn me for
> this kind of operation ?

Would you please file a bug report in Bugzilla and later mark it as a
enhancement request?

Thanks.
Giovanni Bajo

Re: Warning flags for unsigned operations (unsafe)

[Mathieu Malaterre]

Giovanni Bajo wrote:

> Mathieu Malaterre wrote:
> 
> 
>>I have been googling around and I couldn't find out if gcc had a
>>warning flag for unsigned operation. For example, even the linear
>>interpolation on [a,b] can be tricky to code:
>>
>>1.
>>c = a + t * (b - a);  //unsafe
>>
>>2.
>>c = (1.0 - t) * a + t * b; //safe
>>
>>Number 1 will fail when both a and b are unsigned and let say b - a =
>>-1 (math speaking). Is there something in gcc that could warn me for
>>this kind of operation ?
> 
> 
> Would you please file a bug report in Bugzilla and later mark it as a
> enhancement request?

Done:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17645

If I did something wrong just let me know, I'll correct it,
Mathieu

RE: Warning flags for unsigned operations (unsafe)

[Dave Korn]

> -----Original Message-----
> From: gcc-owner On Behalf Of Thomas R. Truscott
> Sent: 22 September 2004 15:36

>  >   Your code has a design flaw and is not valid.  
> 
> Uh, that misses the whole point of warning messages, doesn't it?


Um, actually it was the whole point of Mathieu's message that I missed......
I somehow thought he was referring to a signed-vs-unsigned warning and
wanting to turn it off.  I must not have had enough coffee when I
replied......


    cheers, 
      DaveK
-- 
Can't think of a witty .sigline today....

Re: Warning flags for unsigned operations (unsafe)

[Robert Dewar]

By the way, as always with suggested warnings, the best approach
is to implement the warning, and then apply it to a large body
of existing code. That gives a reasonable way of evaluating

a) if the warning is useful in the intended circumstances

b) if there is a problem with false positives

The burden for putting a warning in should be that yes, it
detects a significant number of suspicious cases, and it
does not generate too many false positives.

Re: Warning flags for unsigned operations (unsafe)

[Robert Dewar]

Thomas R. Truscott wrote:
>  > I couldn't find out if gcc had a 
>  > warning flag for unsigned operation. For example, even the linear 
>  > interpolation on [a,b] can be tricky to code:
>  > 
>  >  c = a + t * (b - a);  //unsafe
> 
> Not for this situation.  I think a warning would be appropriate
> when an unsigned quantity involving subtraction
> is widened or converted to double.

Why? The semantics are reasonable, well defined, and expected.
One assumes that in this case either the code expects the wrap
semantics (less likely) or, more likely, knows that the quantity
b-a will be non-negative.

I see nothing special about being widened or converted to double.

RE: Warning flags for unsigned operations (unsafe)

[Thomas R. Truscott]

 > I couldn't find out if gcc had a 
 > warning flag for unsigned operation. For example, even the linear 
 > interpolation on [a,b] can be tricky to code:
 > 
 >  c = a + t * (b - a);  //unsafe

Not for this situation.  I think a warning would be appropriate
when an unsigned quantity involving subtraction
is widened or converted to double.

 >   Your code has a design flaw and is not valid.  

Uh, that misses the whole point of warning messages, doesn't it?

Tom Truscott