This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] sim: tweak signed to unsigned local vars

From: Mike Frysinger <vapier at gentoo dot org>
To: Joel Brobecker <brobecker at adacore dot com>
Cc: gdb-patches at sourceware dot org
Date: Mon, 12 Apr 2010 14:29:10 -0400
Subject: Re: [PATCH] sim: tweak signed to unsigned local vars
References: <1270936677-26654-1-git-send-email-vapier@gentoo.org> <201004121150.49169.vapier@gentoo.org> <20100412160618.GX19194@adacore.com>

On Monday 12 April 2010 12:06:18 Joel Brobecker wrote:
> > > I'm not sure I agree on this one. "tmp" is used to store the result of
> > > a subtraction of 2 pointers. IIRC, the exact type returned is
> > > ptrdiff_t, which is a signed value...
> > 
> > true, but the math should never yield a negative value.  the compare is
> > between a base pointer and a pointer returned from strchr() on the base
> > pointer.  so the value should always be >= 0 and it should always fit in
> > 32bits.
> 
> I always tend to be very careful with this type of reasoning, probably
> because of my past writing safety-critical software (and also how
> surprisingly difficult it turned out to be to formally prove that
> a piece of code would never overflow).
> 
> Even if what you are saying is true, I think that we'll have less
> conversion issues if we use the proper types.  But that's just me.
> Perhaps others with more C experience than I do will agree with you
> that we're fussing over something that actually does not matter.

this is a string passed via command line option.  if it were even remotely 
close to the size required to overflow ("unsigned" -> "unsigned int" -> 32bit 
on all systems where this socket code is going to be used), something is 
terribly wrong elsewhere.  even if we grant it 16bit storage, a 65k string 
specifying a host:port makes no sense, especially when many systems have a 
hard time swallowing a command line over 32k.

i dont have a problem coding defensively when it makes sense, but i cant see 
any such requirements in any of the sim code.

further, while ptrdiff_t may make sense since we're diffing two pointers, the 
value is passed straight into strncpy() which interprets the value as size_t.  
so if we were going to spend the time on this (which i dont think this code 
warrants), a lot more code needs to change than the variable type.
-mike

Attachment: signature.asc
Description: This is a digitally signed message part.

Follow-Ups:
- Re: [PATCH] sim: tweak signed to unsigned local vars
  - From: Joel Brobecker

References:
- [PATCH] sim: tweak signed to unsigned local vars
  - From: Mike Frysinger
- Re: [PATCH] sim: tweak signed to unsigned local vars
  - From: Mike Frysinger
- Re: [PATCH] sim: tweak signed to unsigned local vars
  - From: Joel Brobecker

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]