Bug 52119

Summary: [C++11] overflow in signed left shift isn't diagnosed
Product: gcc
Reporter: Jeffrey Yasskin <jyasskin>
Component: c++
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: daniel.kruegler, jason, msebor, richard-gccbugzilla
Priority: P3
Keywords: accepts-invalid
Version: 4.7.0
Target Milestone: ---
Last reconfirmed: 2012-02-04 00:00:00

Description Jeffrey Yasskin 2012-02-04 01:16:27 UTC
numeric_limits<T>::min() is defined as (__glibcxx_signed (T) ? (T)1 << __glibcxx_digits (T) : (T)0). Unfortunately, shifting into the sign bit is undefined behavior (C++11 [expr.shift]p2), and undefined behavior makes an expression non-constant.

clang as of (their) r149727 diagnoses this as:

$ echo '#include <limits>' | clang++ -nostdinc++ -Igcc-4.7-svn/include/c++/4.7.0/{,x86_64-unknown-linux-gnu} -std=c++11 -Wsystem-headers -fsyntax-only -x c++ -

gcc-4.7-svn/include/c++/4.7.0/limits:654:7: error: constexpr function never
      produces a constant expression
      min() _GLIBCXX_USE_NOEXCEPT { return __glibcxx_min (wchar_t); }
      ^
gcc-4.7-svn/include/c++/4.7.0/limits:654:44: note: value 2147483648 is
      outside the range of representable values of type 'int'
      min() _GLIBCXX_USE_NOEXCEPT { return __glibcxx_min (wchar_t); }
                                           ^
gcc-4.7-svn/include/c++/4.7.0/limits:131:32: note: expanded from macro
      '__glibcxx_min'
  (__glibcxx_signed (T) ? (T)1 << __glibcxx_digits (T) : (T)0)
                               ^
gcc-4.7-svn/include/c++/4.7.0/limits:784:31: warning: shift count >= width
      of type [-Wshift-count-overflow]
      min() noexcept { return __glibcxx_min (char32_t); }
                              ^~~~~~~~~~~~~~~~~~~~~~~~
A better definition might be -__glibcxx_max(T)-1.

This bug is also in 4.6.2. 4.5.0 didn't declare min() as constexpr.
Comment 1 Richard Smith 2012-02-04 02:12:41 UTC
In more detail: Under the C++11 FDIS, this is not a (core) constant expression due to the "— a result that is not mathematically defined or not in the range of representable values for its type;" bullet in [expr.const]p2. Under DR1313, that rule is generalized to all undefined behavior. And a constexpr function which can't produce a constant expression is ill-formed by [dcl.constexpr]p5.
Comment 2 Paolo Carlini 2012-02-04 09:58:38 UTC
The problematic macro is extremely old. Using

#define __glibcxx_min(T) \
  (__glibcxx_signed (T) ? -__glibcxx_max(T) - 1 : (T)0)

seems indeed ok to me. Did you actually test it with clang?
Comment 3 Paolo Carlini 2012-02-04 10:04:09 UTC
And of course the interesting issue here is the C++ front-end, which doesn't produce any diagnostics (thus nobody would ever notice the library issue with GCC only). Let's add Jason in CC for confirmation.
Comment 4 Jeffrey Yasskin 2012-02-05 02:04:00 UTC
I hadn't tested

#define __glibcxx_min(T) \
  (__glibcxx_signed (T) ? -__glibcxx_max(T) - 1 : (T)0)

but now I have, and it works with clang.
Comment 5 paolo@gcc.gnu.org 2012-02-05 12:58:56 UTC
Author: paolo
Date: Sun Feb  5 12:58:51 2012
New Revision: 183905

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=183905
Log:
2012-02-05  Jeffrey Yasskin  <jyasskin@gcc.gnu.org>
	    Paolo Carlini  <paolo.carlini@oracle.com>

	PR libstdc++/52119
	* include/std/limits (__glibcxx_min): Fix to avoid undefined behavior.

Modified:
    trunk/libstdc++-v3/ChangeLog
    trunk/libstdc++-v3/include/std/limits
Comment 6 Paolo Carlini 2012-02-05 13:01:17 UTC
This is now a C++ front-end issue.
Comment 7 Jason Merrill 2012-02-13 20:22:37 UTC
At the C++ meeting last week we changed that shift from undefined to implementation-defined, so there is no front end bug.
Comment 8 Richard Smith 2012-02-13 22:17:27 UTC
Signed left shift which overflows the corresponding unsigned type is still undefined, so g++ should reject this:

constexpr int n = 2 << 31;
Comment 9 Jason Merrill 2012-02-14 00:38:14 UTC
Good point.
Comment 10 ajf 2013-06-05 16:45:02 UTC
(In reply to Jeffrey Yasskin from comment #0)
> numeric_limits<T>::min() is defined as (__glibcxx_signed (T) ? (T)1 <<
> __glibcxx_digits (T) : (T)0). Unfortunately, shifting into the sign bit is
> undefined behavior (C++11[expr.shift]p2), and undefined behavior makes an
> expression non-constant.

My apologies if I am missing something obvious, but what exactly makes shifting a 1 into the sign bit undefined behavior? Seems rather defined to me, assuming it's actually being used as an integral numerical data type (in this case, 32-bit int, long), which would result in a signed numerical value. In other words, the sign bit, like any other bit, can only be 0 or 1, so I honestly do not understand how undefined behavior enters the equation, or what impact it may have.
Comment 11 Jason Merrill 2013-06-05 17:26:26 UTC
(In reply to ajf from comment #10)
> MY apologies if I am missing something obvious, but what exactly makes
> shifting a 1 into the sign bit undefined behavior?

You're right, it isn't:

5.8/2: ... if E1 has a signed type and non-negative value, and E1 × 2^E2 is representable in the corresponding unsigned type of the result type, then that value, converted to the result type, is the resulting value ....
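Added example (not libstdc++'s own code) covering both the fix from comment 2/comment 5 and the [expr.shift]p2 rule quoted in comment 11: the signed-shift check is written as a constexpr predicate, and the library's helper macros are reimplemented as constexpr templates with the -max - 1 definition of min. All function names are this example's own; the check assumes a two's complement type without padding bits.

```cpp
// Added example, not libstdc++'s own code: the [expr.shift]p2 rule (with
// DR1457 applied) and the UB-free __glibcxx_min formula from r183905, both as
// constexpr functions whose names are this example's own.
#include <climits>
#include <limits>

// Largest value of the unsigned type corresponding to a `width`-bit signed
// type.  Guards the width == 64 case so the check itself never overflows.
constexpr unsigned long long unsigned_max_for(int width) {
    return width >= 64 ? ~0ULL : (1ULL << width) - 1ULL;
}

// Is `e1 << e2` well-defined for a signed `e1` of `width` bits?  Requires a
// non-negative E1, E2 below the width, and E1 * 2^E2 representable in the
// corresponding unsigned type.  (1 << 31) passes; (2 << 31) does not.
constexpr bool signed_shift_is_defined(long long e1, int e2, int width) {
    return e1 >= 0 && e2 >= 0 && e2 < width &&
           static_cast<unsigned long long>(e1) <= (unsigned_max_for(width) >> e2);
}

// Reimplementations of the __glibcxx_signed / __glibcxx_digits helpers.
template <typename T> constexpr bool is_signed_int() { return T(-1) < T(0); }
template <typename T> constexpr int digits() {
    return int(sizeof(T) * CHAR_BIT) - (is_signed_int<T>() ? 1 : 0);
}

// max: 2^(digits-1) - 1, doubled, plus one.  The shift stops one bit short of
// the sign bit, so no intermediate step leaves the representable range.
template <typename T> constexpr T max_value() {
    return is_signed_int<T>()
        ? T(((T(1) << (digits<T>() - 1)) - 1) * 2 + 1)
        : T(~T(0));
}

// min: the r183905 fix, -max - 1, instead of the old (T)1 << digits.
template <typename T> constexpr T min_value() {
    return is_signed_int<T>() ? T(-max_value<T>() - 1) : T(0);
}

// Cross-check against the real numeric_limits for a given type.
template <typename T> constexpr bool matches_numeric_limits() {
    return min_value<T>() == std::numeric_limits<T>::min() &&
           max_value<T>() == std::numeric_limits<T>::max();
}

static_assert(matches_numeric_limits<signed char>(), "signed char");
static_assert(matches_numeric_limits<int>(), "int");
static_assert(matches_numeric_limits<long long>(), "long long");
static_assert(matches_numeric_limits<unsigned int>(), "unsigned int");
static_assert(signed_shift_is_defined(1, 31, 32) && !signed_shift_is_defined(2, 31, 32), "");
```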
Comment 12 Jeffrey Yasskin 2013-06-05 17:30:50 UTC
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2013/n3675.html#1457 changed this between C++11 and C++14.
Comment 13 Jason Merrill 2013-06-05 17:41:11 UTC
(In reply to Jeffrey Yasskin from comment #12)
> http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2013/n3675.html#1457
> changed this between C++11 and C++14.

True, but the defect report applies to C++11.
Comment 14 Jeffrey Yasskin 2013-06-05 22:37:46 UTC
Whoops, I missed your comment 7 where you already knew the history. Sorry.
Comment 15 Martin Sebor 2019-01-29 01:37:02 UTC
Recent versions of G++ diagnose shifting into the sign bit (and reject it in constexpr contexts) so this looks resolved:

warning: result of ‘(2 << 31)’ requires 34 bits to represent, but ‘int’ only has 32 bits [-Wshift-overflow=]
 int n = 2 << 31;
         ~~^~~~~
Comment 16 Jonathan Wakely 2019-01-29 11:31:24 UTC
Fixed by r225998

            PR c++/55095
            * c-common.c (c_fully_fold_internal): Warn about left shift overflows.
            Use EXPR_LOC_OR_LOC.
            (maybe_warn_shift_overflow): New function.
            * c-common.h (maybe_warn_shift_overflow): Declare.
            * c-opts.c (c_common_post_options): Set warn_shift_overflow.
            * c.opt (Wshift-overflow): New option.

            * c-typeck.c (digest_init): Pass OPT_Wpedantic to pedwarn_init.
            (build_binary_op): Warn about left shift overflows.

            * typeck.c (cp_build_binary_op): Warn about left shift overflows.

            * doc/invoke.texi: Document -Wshift-overflow and -Wshift-overflow=.
Comment 17 Jonathan Wakely 2019-05-03 19:14:03 UTC
Author: redi
Date: Fri May  3 19:13:31 2019
New Revision: 270858

URL: https://gcc.gnu.org/viewcvs?rev=270858&root=gcc&view=rev
Log:
Avoid -Woverflow warning in __numeric_limits_integer

This is the same fix as was done for std::numeric_limits in r183905.

	PR libstdc++/52119
	* include/ext/numeric_traits.h (__glibcxx_min): Avoid integer
	overflow warning with -Wpedantic -Wsystem-headers.

Modified:
    trunk/libstdc++-v3/ChangeLog
    trunk/libstdc++-v3/include/ext/numeric_traits.h