[PATCH] nice: fix overflow checking in int_add_no_wrap()

Xi Wang xi at mit.edu
Wed Feb 20 17:45:45 UTC 2013


In C, signed integer overflow is undefined behavior.  Many compilers
optimize away checks like `a + b < a'.

Use safe precondition testing instead.

Signed-off-by: Xi Wang <xi at mit.edu>
---

Try the simplified code below.

#include <stdlib.h>
void foo(int a, int b)
{
	int s = a + b;
	if (b >= 0) {
		if (s < a)
			__builtin_trap();
        }
}
int main(int argc, char **argv)
{
	int a = atoi(argv[1]);
	int b = atoi(argv[2]);
	foo(a, b);
}

The behavior of the resulting binary varies depending on the compiler,
since signed integer overflow is undefined.

$ gcc t.c -O2
$ ./a.out 2147483647 1
Illegal instruction (core dumped)

$ icc t.c -O2
$ ./a.out 2147483647 1

$ clang t.c -O2
$ ./a.out 2147483647 1

---
 libc/sysdeps/linux/common/nice.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libc/sysdeps/linux/common/nice.c b/libc/sysdeps/linux/common/nice.c
index 3694db8..ed39946 100644
--- a/libc/sysdeps/linux/common/nice.c
+++ b/libc/sysdeps/linux/common/nice.c
@@ -25,15 +25,15 @@ static __inline__ _syscall1(int, __syscall_nice, int, incr)
 
 static __inline__ int int_add_no_wrap(int a, int b)
 {
-	int s = a + b;
-
 	if (b < 0) {
-		if (s > a) s = INT_MIN;
+		if (a < INT_MIN - b)
+			return INT_MIN;
 	} else {
-		if (s < a) s = INT_MAX;
+		if (a > INT_MAX - b)
+			return INT_MAX;
 	}
 
-	return s;
+	return a + b;
 }
 
 static __inline__ int __syscall_nice(int incr)
-- 
1.7.10.4



More information about the uClibc mailing list