
Signed overflow optimization hazards in the kernel

Posted Aug 17, 2012 19:16 UTC (Fri) by gmaxwell (guest, #30048)
In reply to: Signed overflow optimization hazards in the kernel by jmspeex
Parent article: Signed overflow optimization hazards in the kernel

JM, the clang integer overflow checker we've used on our projects isn't part of clang proper, it's a (very useful) patch: http://embed.cs.utah.edu/ioc/

Beyond the optimization possibilities, the existence of tools like this is also a reason for keeping the undefined behavior, e.g. continue using signed values for counters that don't need the extra unsigned range: Most of the time overflow that you didn't expect (and thus couldn't wrap in a casting macro) is a sign of a logic error. By keeping it invalid you gain the possibility of dynamic instrumentation to catch those errors.

(Though I don't know if anyone has managed to get tools like this working with the kernel yet!)
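
As an added illustration (not part of the comment above and not code from the IOC patch), the following C sketch shows why an overflow on a signed counter can be reported as a finding while the same logic error on an unsigned counter wraps silently. `checked_add` is a hypothetical stand-in for the check an instrumenting tool would insert; it assumes the GCC/Clang builtin `__builtin_add_overflow`, and the inputs are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

static int overflow_reports; /* number of signed overflows the checker saw */

/* Hypothetical stand-in for the check a tool inserts at each signed add. */
static int checked_add(int a, int b)
{
    int r;
    if (__builtin_add_overflow(a, b, &r)) { /* GCC/Clang builtin */
        overflow_reports++;
        fprintf(stderr, "report: signed overflow in %d + %d\n", a, b);
    }
    return r;
}

/* Signed counter: overflow is never valid, so every hit is a real finding. */
static int total_signed(const int *v, size_t n)
{
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total = checked_add(total, v[i]);
    return total;
}

/* Unsigned counter: wrapping is defined behavior, so nothing is invalid here. */
static unsigned total_unsigned(const unsigned *v, size_t n)
{
    unsigned total = 0;
    for (size_t i = 0; i < n; i++)
        total += v[i];
    return total;
}

/* Constructed inputs: the same logic error in both representations. */
static const int      signed_in[]   = { INT_MAX - 10, 20 };
static const unsigned unsigned_in[] = { UINT_MAX - 10, 20 };

int main(void)
{
    total_signed(signed_in, 2);
    unsigned u = total_unsigned(unsigned_in, 2);
    printf("signed reports: %d, unsigned total: %u\n", overflow_reports, u);
    return 0;
}
```
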

