Signed overflow optimization hazards in the kernel
Signed overflow optimization hazards in the kernel
Posted Aug 18, 2012 18:07 UTC (Sat) by ppisa (subscriber, #67307)In reply to: Signed overflow optimization hazards in the kernel by jimparis
Parent article: Signed overflow optimization hazards in the kernel
http://gcc.gnu.org/onlinedocs/gcc/Integers-implementation...
I use ((signed type)((unsigned type)a - (unsigned type)b) > 0) often in our embedded code and in the fact I am probably author/coauthor of that MX1 example - if that line was not not rewritten by somebody.
Paul's example behavior is correct according to my knowledge (unsigned) is equivalent to (unsigned int) ie on 32 bit target 32 bit subtraction is evaluated and then sign is extended to 64 bits when conversion to (signed it) and then 64 bit signed type is required.
What is common trap is that plain
(unsigned type) a - (unsigned type) b
is not considered (type) nor (signed type). It is signed but interpreted as so big signed to hold additional bit if it is compared with zero. So additional cast to signed type same or smaller than both inputs (a and b) has to be used.
I use next mechanism to allow cyclic comparison between different
hardware, position, time, state generation counters etc in our code.
http://ulan.git.sourceforge.net/git/gitweb.cgi?p=ulan/ulut;...
Library is licensed GPL, LGPL, MPL, but code fragment can be taken as public domain, if it helps somebody.
#ifndef ul_cyclic_gt
#define ul_cyclic_gt(x,y) \
((sizeof(x)>=sizeof(long long))&&(sizeof(y)>=sizeof(long long))? \
(long long)((unsigned long long)(x)-(unsigned long long)(y))>0: \
(sizeof(x)>=sizeof(long))&&(sizeof(y)>=sizeof(long))? \
(long)((unsigned long)(x)-(unsigned long)(y))>0: \
(sizeof(x)>=sizeof(int))&&(sizeof(y)>=sizeof(int))? \
(int)((unsigned int)(x)-(unsigned int)(y))>0: \
(sizeof(x)>=sizeof(short))&&(sizeof(y)>=sizeof(short))? \
(short)((unsigned short)(x)-(unsigned short)(y))>0: \
(signed char)((unsigned char)(x)-(unsigned char)(y))>0 \
)
#endif /*ul_cyclic_gt*/
#ifndef ul_cyclic_ge
#define ul_cyclic_ge(x,y) \
((sizeof(x)>=sizeof(long long))&&(sizeof(y)>=sizeof(long long))? \
(long long)((unsigned long long)(x)-(unsigned long long)(y))>=0: \
(sizeof(x)>=sizeof(long))&&(sizeof(y)>=sizeof(long))? \
(long)((unsigned long)(x)-(unsigned long)(y))>=0: \
(sizeof(x)>=sizeof(int))&&(sizeof(y)>=sizeof(int))? \
(int)((unsigned int)(x)-(unsigned int)(y))>=0: \
(sizeof(x)>=sizeof(short))&&(sizeof(y)>=sizeof(short))? \
(short)((unsigned short)(x)-(unsigned short)(y))>=0: \
(signed char)((unsigned char)(x)-(unsigned char)(y))>=0 \
)
#endif /*ul_cyclic_ge*/
Please, if you know about some target, compiler or intention to break assumption (at least hopefully current GCC version guarantee) that unsigned to signed conversion reinterprets MSB as a sign. As for correctness of the code, there could be problem if target specifies some basic arithmetic type with some bits unused. It short 16 bit but stored in 32 bit entity. But none of our targets has that problem.
Code is used in many targets, some of safety grade class applications so notice of possible (even future) breakage is critical for me and users.
Posted Aug 18, 2012 19:02 UTC (Sat)
by PaulMcKenney (✭ supporter ✭, #9624)
[Link] (1 responses)
But why the casts to unsigned integral types? I would instead have expected a requirement that the caller's cyclic arithmetic be carried out in unsigned integers, so that the casts were unnecessary.
Posted Aug 18, 2012 22:34 UTC (Sat)
by ppisa (subscriber, #67307)
[Link]
But main reason for casting to ensure thing works on existing code
Best wishes,
Pavel
Signed overflow optimization hazards in the kernel
Signed overflow optimization hazards in the kernel
with signed types.