This is the mail archive of the libstdc++@gcc.gnu.org mailing list for the libstdc++ project.



Re: -Wconversion versus libstdc++


On Wed, 17 Jan 2007, Gabriel Dos Reis wrote:

> The specific cases I'm concerned about here (and if you have a chance
> to build firefox for example, you'll see) is when T and U differ only
> in signedness, that is
> 
>    T = int, U = unsigned
>    T = long, U = unsigned long
>    T = long long, U = unsigned long long
> 
> those have the same value representation bits and there is no way, GCC
> can mess up -- except bugs in the compiler itself.

The point of such warnings is to detect security holes such as

void foo(void *s, int len);
void bar(void *s, unsigned len) { if (len < sizeof(S)) abort(); foo(s, len); }

where a large unsigned value gets implicitly converted to signed after a 
check and this leads to a hole in foo() with a negative value.

> Furthermore, elsewhere (in the overflow thread) it has been suggested
> that people should convert to the unsigned variants, do computations there,
> and convert back to the signed variants.  We have just promised an
> invariant that we will hold.

The suggestion is for *explicit* conversions (casts), the warnings (should 
be) for implicit conversions.

-- 
Joseph S. Myers
joseph@codesourcery.com
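The pattern Joseph sketches above, as an added example that is not part of his message or of libstdc++: a wrapper validates an unsigned length, then hands it to a callee taking a signed length, so the implicit unsigned-to-int conversion at the call (the thing -Wconversion warns about) turns a large value into a negative one that slips past the callee's upper-bound check. The names foo, bar_vulnerable, bar_hardened, classify_* and struct S are hypothetical; the copy is classified rather than performed when the length has gone negative, so the program is safe to run. It assumes a 32-bit int, as on every platform GCC supports in practice.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record type, standing in for the S of the original snippet. */
struct S { char buf[16]; };

enum { REJECTED = 0, COPIES_OK = 1, OVERFLOW_COPY = 2 };

/* The callee foo() of the thread: takes a signed length and guards only the
 * upper bound, trusting its caller to have validated the value. */
static int foo(char *dst, size_t cap, const char *src, int len)
{
    if (len > (int)cap)
        return REJECTED;            /* too long for dst */
    /* A negative len reaches this point. memcpy would receive (size_t)len,
     * a huge value; we report it instead of copying. */
    if (len < 0)
        return OVERFLOW_COPY;
    memcpy(dst, src, (size_t)len);
    return COPIES_OK;
}

/* Vulnerable wrapper: the check is done on the unsigned value, then the
 * value is implicitly converted to int at the call. GCC's -Wconversion
 * warns on exactly this call. */
int bar_vulnerable(char *dst, size_t cap, const char *src, unsigned len)
{
    if (len < sizeof(struct S))
        return REJECTED;            /* too small to hold an S */
    return foo(dst, cap, src, len); /* unsigned -> int, implicit */
}

/* Hardened wrapper: reject anything that does not fit in int before the
 * conversion, then cast explicitly, which is the kind of conversion the
 * warning is not meant to flag. */
int bar_hardened(char *dst, size_t cap, const char *src, unsigned len)
{
    if (len < sizeof(struct S))
        return REJECTED;
    if (len > (unsigned)INT_MAX)
        return REJECTED;            /* would wrap negative */
    return foo(dst, cap, src, (int)len);
}

/* Convenience wrappers over fixed 32-byte buffers so outcomes can be checked
 * without the caller managing memory. */
int classify_vulnerable(unsigned len)
{
    char dst[32], src[32] = {0};
    return bar_vulnerable(dst, sizeof dst, src, len);
}

int classify_hardened(unsigned len)
{
    char dst[32], src[32] = {0};
    return bar_hardened(dst, sizeof dst, src, len);
}

int main(void)
{
    /* 0xFFFFFFF0 passes the "at least sizeof(S)" check, then becomes -16
     * as an int (assumes 32-bit int), sailing past foo()'s upper bound. */
    unsigned big = 0xFFFFFFF0u;
    printf("vulnerable(big) = %d  (2 = would memcpy a huge size)\n",
           classify_vulnerable(big));
    printf("hardened(big)   = %d  (0 = rejected before conversion)\n",
           classify_hardened(big));
    printf("hardened(20)    = %d  (1 = normal copy)\n", classify_hardened(20u));
    return 0;
}
```

Compile with -Wconversion and the call inside bar_vulnerable is the one line that draws a warning; bar_hardened compiles clean because the narrowing is written as an explicit cast after a range check.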

