Re: [PATCH 1/2] avoid shifting signed integers 31 bits
On Mon, Jan 04, 2016 at 09:52:10AM -0800, Junio C Hamano wrote:

> >> We have this in cache.h, should it be fixed as well?
> >>
> >> /* CE_EXTENDED2 is for future extension */
> >> #define CE_EXTENDED2 (1 << 31)
> >
> > Sort of. We don't actually use it, and since it's a macro, that means it
> > never even hits the compiler proper itself. So it's not a bug, but it's
> > a bug waiting to happen. :)
> >
>
> Let's squash an obvious change for that in to 1/2, then, before I
> merge the series to 'next'.

Thanks, I agree it is worth fixing while we're visiting the topic.

-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/2] avoid shifting signed integers 31 bits
Jeff King writes:

> On Thu, Dec 31, 2015 at 12:10:33PM +0700, Duy Nguyen wrote:
>
>> On Tue, Dec 29, 2015 at 1:35 PM, Jeff King wrote:
>> > We sometimes use 32-bit unsigned integers as bit-fields.
>> > It's fine to access the MSB, because it's unsigned. However,
>> > doing so as "1 << 31" is wrong, because the constant "1" is
>> > a signed int, and we shift into the sign bit, causing
>> > undefined behavior.
>> >
>> > We can fix this by using "1U" as the constant.
>>
>> We have this in cache.h, should it be fixed as well?
>>
>> /* CE_EXTENDED2 is for future extension */
>> #define CE_EXTENDED2 (1 << 31)
>
> Sort of. We don't actually use it, and since it's a macro, that means it
> never even hits the compiler proper itself. So it's not a bug, but it's
> a bug waiting to happen. :)
>
> -Peff

Let's squash an obvious change for that in to 1/2, then, before I
merge the series to 'next'.

Thanks.

-- >8 --
From: Jeff King
Date: Tue, 29 Dec 2015 01:35:46 -0500
Subject: [PATCH] avoid shifting signed integers 31 bits

We sometimes use 32-bit unsigned integers as bit-fields.
It's fine to access the MSB, because it's unsigned. However,
doing so as "1 << 31" is wrong, because the constant "1" is
a signed int, and we shift into the sign bit, causing
undefined behavior.

We can fix this by using "1U" as the constant.

Signed-off-by: Jeff King
Signed-off-by: Junio C Hamano
---
 builtin/receive-pack.c | 2 +-
 cache.h                | 2 +-
 diff.h                 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index e6b93d0..e35ed40 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -1597,7 +1597,7 @@ static void prepare_shallow_update(struct command *commands,
 continue;
 si->need_reachability_test[i]++;
 for (k = 0; k < 32; k++)
-if (si->used_shallow[i][j] & (1 << k))
+if (si->used_shallow[i][j] & (1U << k))
 si->shallow_ref[j * 32 + k]++;
 }
diff --git a/cache.h b/cache.h
index 6f53962..9088843 100644
--- a/cache.h
+++ b/cache.h
@@ -214,7 +214,7 @@ struct cache_entry {
 #define CE_INTENT_TO_ADD (1 << 29)
 #define CE_SKIP_WORKTREE (1 << 30)
 /* CE_EXTENDED2 is for future extension */
-#define CE_EXTENDED2 (1 << 31)
+#define CE_EXTENDED2 (1U << 31)
 #define CE_EXTENDED_FLAGS (CE_INTENT_TO_ADD | CE_SKIP_WORKTREE)
diff --git a/diff.h b/diff.h
index f7208ad..893f446 100644
--- a/diff.h
+++ b/diff.h
@@ -91,7 +91,7 @@ typedef struct strbuf *(*diff_prefix_fn_t)(struct diff_options *opt, void *data)
 #define DIFF_OPT_DIRSTAT_BY_LINE (1 << 28)
 #define DIFF_OPT_FUNCCONTEXT (1 << 29)
 #define DIFF_OPT_PICKAXE_IGNORE_CASE (1 << 30)
-#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1 << 31)
+#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1U << 31)
 #define DIFF_OPT_TST(opts, flag) ((opts)->flags & DIFF_OPT_##flag)
 #define DIFF_OPT_TOUCHED(opts, flag) ((opts)->touched_flags & DIFF_OPT_##flag)
--
2.7.0-rc3-132-g73ad441
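Review bot: in the cache.h hunk, `CE_EXTENDED2` is unused today, so the `1U` is preventive rather than a behaviour change, while the neighbouring `CE_INTENT_TO_ADD (1 << 29)` and `CE_SKIP_WORKTREE (1 << 30)` keep the signed spelling. That is correct for bits below the sign bit, but it leaves the table mixed, and the next person to add a bit-31 flag by copying the line above will reintroduce the signed shift. Either suffix the whole block with `U` or put a one-line comment on `CE_EXTENDED2` saying why the `U` is required there.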
Re: [PATCH 1/2] avoid shifting signed integers 31 bits
On Thu, Dec 31, 2015 at 12:10:33PM +0700, Duy Nguyen wrote:

> On Tue, Dec 29, 2015 at 1:35 PM, Jeff King wrote:
> > We sometimes use 32-bit unsigned integers as bit-fields.
> > It's fine to access the MSB, because it's unsigned. However,
> > doing so as "1 << 31" is wrong, because the constant "1" is
> > a signed int, and we shift into the sign bit, causing
> > undefined behavior.
> >
> > We can fix this by using "1U" as the constant.
>
> We have this in cache.h, should it be fixed as well?
>
> /* CE_EXTENDED2 is for future extension */
> #define CE_EXTENDED2 (1 << 31)

Sort of. We don't actually use it, and since it's a macro, that means it
never even hits the compiler proper itself. So it's not a bug, but it's
a bug waiting to happen. :)

-Peff
Re: [PATCH 1/2] avoid shifting signed integers 31 bits
On Tue, Dec 29, 2015 at 1:35 PM, Jeff King wrote:
> We sometimes use 32-bit unsigned integers as bit-fields.
> It's fine to access the MSB, because it's unsigned. However,
> doing so as "1 << 31" is wrong, because the constant "1" is
> a signed int, and we shift into the sign bit, causing
> undefined behavior.
>
> We can fix this by using "1U" as the constant.

We have this in cache.h, should it be fixed as well?

/* CE_EXTENDED2 is for future extension */
#define CE_EXTENDED2 (1 << 31)
--
Duy
Re: [PATCH 1/2] avoid shifting signed integers 31 bits
On Tue, Dec 29, 2015 at 04:09:21PM -0800, Junio C Hamano wrote:

> > diff --git a/diff.h b/diff.h
> > index f7208ad..893f446 100644
> > --- a/diff.h
> > +++ b/diff.h
> > @@ -91,7 +91,7 @@ typedef struct strbuf *(*diff_prefix_fn_t)(struct diff_options *opt, void *data)
> >  #define DIFF_OPT_DIRSTAT_BY_LINE (1 << 28)
> >  #define DIFF_OPT_FUNCCONTEXT (1 << 29)
> >  #define DIFF_OPT_PICKAXE_IGNORE_CASE (1 << 30)
> > -#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1 << 31)
> > +#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1U << 31)
> >
> >  #define DIFF_OPT_TST(opts, flag) ((opts)->flags & DIFF_OPT_##flag)
> >  #define DIFF_OPT_TOUCHED(opts, flag) ((opts)->touched_flags & DIFF_OPT_##flag)
>
> Thanks.
>
> Seeing (1 << 30) and (1U <<31) together made me feel that we are way
> _too_ explicit being careful about 32-bit archs (iow, it would be
> more consistent to turn all of these "1 <<" into "1U <<"), but at
> the same time, (1 << 30) won't be broken unless we are on 31-bit
> arch in the sense that if we are on 30-bit or smaller arch the
> expression is already broken with or without "U", and if we are on
> 32-bit or more, then with or without "U" we are OK---which made me
> feel somewhat funny.

Yeah, I was tempted to convert them all, but there's no benefit except
consistency.

Interestingly, if we spelled these as:

  0x01
  0x02
  ...
  0x8000

that _is_ OK by the C standard (the type of the constant is "the first
thing big enough to hold it" from a list of int, unsigned, etc[1]). I
find that style more error-prone, though, so I don't think it's a good
idea to move to it.

We pretty much assume an int of at least 32-bits anyway; the flags field
itself is a simple "unsigned". We could make that a uint32_t, but in
practice I hope that sub-32-bit platforms are all dead, at least for
general purpose application code like git.

-Peff

[1] The list of possible types is actually _different_ for decimal and
    hex constants. Which seems slightly insane, but hey, it's C. Notably,
    the decimal equivalent of 0x8000 is guaranteed to be signed (but
    would be a "long int" on a 32-bit platform).
Re: [PATCH 1/2] avoid shifting signed integers 31 bits
Jeff King writes:

> diff --git a/diff.h b/diff.h
> index f7208ad..893f446 100644
> --- a/diff.h
> +++ b/diff.h
> @@ -91,7 +91,7 @@ typedef struct strbuf *(*diff_prefix_fn_t)(struct diff_options *opt, void *data)
>  #define DIFF_OPT_DIRSTAT_BY_LINE (1 << 28)
>  #define DIFF_OPT_FUNCCONTEXT (1 << 29)
>  #define DIFF_OPT_PICKAXE_IGNORE_CASE (1 << 30)
> -#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1 << 31)
> +#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1U << 31)
>
>  #define DIFF_OPT_TST(opts, flag) ((opts)->flags & DIFF_OPT_##flag)
>  #define DIFF_OPT_TOUCHED(opts, flag) ((opts)->touched_flags & DIFF_OPT_##flag)

Thanks.

Seeing (1 << 30) and (1U <<31) together made me feel that we are way
_too_ explicit being careful about 32-bit archs (iow, it would be
more consistent to turn all of these "1 <<" into "1U <<"), but at
the same time, (1 << 30) won't be broken unless we are on 31-bit
arch in the sense that if we are on 30-bit or smaller arch the
expression is already broken with or without "U", and if we are on
32-bit or more, then with or without "U" we are OK---which made me
feel somewhat funny.

In any case, these two are good changes. Thanks.
[PATCH 1/2] avoid shifting signed integers 31 bits
We sometimes use 32-bit unsigned integers as bit-fields.
It's fine to access the MSB, because it's unsigned. However,
doing so as "1 << 31" is wrong, because the constant "1" is
a signed int, and we shift into the sign bit, causing
undefined behavior.

We can fix this by using "1U" as the constant.

Signed-off-by: Jeff King
---
 builtin/receive-pack.c | 2 +-
 diff.h                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index ca38131..2b3b746 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -1618,7 +1618,7 @@ static void prepare_shallow_update(struct command *commands,
 continue;
 si->need_reachability_test[i]++;
 for (k = 0; k < 32; k++)
-if (si->used_shallow[i][j] & (1 << k))
+if (si->used_shallow[i][j] & (1U << k))
 si->shallow_ref[j * 32 + k]++;
 }
diff --git a/diff.h b/diff.h
index f7208ad..893f446 100644
--- a/diff.h
+++ b/diff.h
@@ -91,7 +91,7 @@ typedef struct strbuf *(*diff_prefix_fn_t)(struct diff_options *opt, void *data)
 #define DIFF_OPT_DIRSTAT_BY_LINE (1 << 28)
 #define DIFF_OPT_FUNCCONTEXT (1 << 29)
 #define DIFF_OPT_PICKAXE_IGNORE_CASE (1 << 30)
-#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1 << 31)
+#define DIFF_OPT_DEFAULT_FOLLOW_RENAMES (1U << 31)
 #define DIFF_OPT_TST(opts, flag) ((opts)->flags & DIFF_OPT_##flag)
 #define DIFF_OPT_TOUCHED(opts, flag) ((opts)->touched_flags & DIFF_OPT_##flag)
--
2.7.0.rc2.368.g1cbb535
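Review bot: in the receive-pack.c hunk, `1U << k` is only as wide as `unsigned int`, so the fix is correct on the assumption that `si->used_shallow[i][j]` is a 32-bit unsigned word, the same assumption the hard-coded `k < 32` bound and the `j * 32 + k` index already make. Consider tying the shift, the loop bound and the index to one named bits-per-word constant so the three cannot drift apart if the element type ever changes; as written, the `U` removes the undefined shift at `k == 31` but the width coupling stays implicit.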
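Review bot: in the diff.h hunk only the bit-31 macro gets the `U` suffix, so `DIFF_OPT_DEFAULT_FOLLOW_RENAMES` is `unsigned` while `(1 << 28)` through `(1 << 30)` above it stay `int`. That works, since `(opts)->flags & DIFF_OPT_##flag` in `DIFF_OPT_TST` promotes either operand, but a mixed table invites the next bit-31 flag to be added without the suffix. A uniform `(1U << n)` spelling for the whole block, or a small helper macro that supplies the `U`, would make the invariant visible at the point where new flags are added.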
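Worked example, added here and not code from this thread or from git: a C11 program that checks the type rules behind the patch description above ("1" is a signed int, so "1 << 31" shifts into the sign bit) and the hex-versus-decimal constant typing Peff describes in his reply, using `_Generic` so nothing undefined is ever evaluated. It also shows what the signed form does to a widened 64-bit mask, and implements a receive-pack style bit test with the shift-by-width guard the standard requires even for unsigned operands. It assumes a C11 compiler and a 32-bit `int`; every function name is hypothetical.

```c
/*
 * Added example (not code from this thread or from git): the integer-type
 * rules behind "1 << 31" versus "1U << 31", the 0x80000000 spelling, and a
 * bounds-checked bit test. Assumes a C11 compiler and a 32-bit int.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * 1 if the expression's type is an unsigned integer type, else 0.
 * The controlling expression of _Generic is typed but never evaluated,
 * so constants and shift expressions can be classified without running
 * them (and without triggering the undefined shift).
 */
#define IS_UNSIGNED(x) _Generic((x),          \
	unsigned char: 1, unsigned short: 1,  \
	unsigned int: 1, unsigned long: 1,    \
	unsigned long long: 1, default: 0)

/* "1" is an int, so the whole shift is int; 1 << 31 would overflow it. */
int plain_shift_is_unsigned(void)   { return IS_UNSIGNED(1 << 30); }
/* "1U" is unsigned int, so bit 31 is an ordinary value bit, not the sign. */
int u_shift_is_unsigned(void)       { return IS_UNSIGNED(1U << 31); }
/* Hex constants pick from int, unsigned, long, ...; 0x80000000 does not
 * fit a 32-bit int, so it becomes unsigned int. */
int hex_msb_is_unsigned(void)       { return IS_UNSIGNED(0x80000000); }
/* Decimal constants pick from int, long, long long only (C99 and later),
 * so the same value spelled in decimal is a signed long or long long. */
int decimal_msb_is_unsigned(void)   { return IS_UNSIGNED(2147483648); }

/*
 * Why it matters in practice: on the usual two's-complement targets
 * 1 << 31 comes out as INT_MIN, and widening a negative int to a 64-bit
 * mask sign-extends it. The conversion below is well defined (reduction
 * modulo 2^64) and shows that shape; the unsigned form keeps one bit.
 */
uint64_t widen_unsigned_msb(void) { return (uint64_t)(1U << 31); } /* 0x80000000 */
uint64_t widen_int_min(void)      { return (uint64_t)INT_MIN; }    /* 0xFFFFFFFF80000000 */

/*
 * Bit test for a 32-bit word. Shifting by the operand width or more is
 * undefined even for unsigned types, so an out-of-range bit number is
 * reported as "not set" instead of being shifted.
 */
int bit_is_set(uint32_t word, unsigned n)
{
	if (n >= 32)
		return 0;
	return (word & (UINT32_C(1) << n)) != 0;
}

/* Same loop shape as the receive-pack hunk: visit every bit of the word. */
int count_set_bits(uint32_t word)
{
	int count = 0;
	for (unsigned k = 0; k < 32; k++)
		if (bit_is_set(word, k))
			count++;
	return count;
}

int main(void)
{
	printf("1 << 30 unsigned?     %d\n", plain_shift_is_unsigned());
	printf("1U << 31 unsigned?    %d\n", u_shift_is_unsigned());
	printf("0x80000000 unsigned?  %d\n", hex_msb_is_unsigned());
	printf("2147483648 unsigned?  %d\n", decimal_msb_is_unsigned());
	printf("(uint64_t)(1U << 31) = 0x%016llx\n",
	       (unsigned long long)widen_unsigned_msb());
	printf("(uint64_t)INT_MIN    = 0x%016llx\n",
	       (unsigned long long)widen_int_min());
	printf("bits set in 0x80000001: %d\n", count_set_bits(0x80000001u));
	return 0;
}
```

Build with `-fsanitize=undefined` and replace `1 << 30` in the first function with `1 << 31` to see the sanitizer report the shift that this thread removes; the `_Generic` classifications and the two widening functions stay silent because they never evaluate the signed shift.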