[prev in list] [next in list] [prev in thread] [next in thread] 

List:       glibc-alpha
Subject:    Re: [PATCH 2/2] malloc: make malloc fail with requests larger than PTRDIFF_MAX
From:       Joseph Myers <joseph () codesourcery ! com>
Date:       2018-12-31 17:34:23
Message-ID: alpine.DEB.2.21.1812311726140.27287 () digraph ! polyomino ! org ! uk
[Download RAW message or body]

On Sat, 22 Dec 2018, Paul Eggert wrote:

> Joseph Myers wrote:
> > We can assume that
> > PTRDIFF_MAX == SIZE_MAX / 2 (and that ptrdiff_t, size_t and pointers have
> > the same power-of-2 width, which is at least 32).
> 
> OK, then we needn't bother with the static assertion. Is there a good place to
> document assumptions like this one, in the glibc manual I suppose?

I don't know of such a list of assumptions on the environment glibc 
supports.  I listed various other such requirements in 
<https://sourceware.org/ml/libc-alpha/2015-07/msg00761.html>.  (Of course, 
glibc code should still prefer to use logically appropriate interfaces to 
make the code clearer to the reader; for example, all glibc systems have 
size_t, ptrdiff_t, pointers and long the same width, but size_t, 
ptrdiff_t, intptr_t or uintptr_t should be used as appropriate instead of 
long if the intent is some kind of pointer-sized integer.)

> Although the point is now moot for this patch, I prefer the readability of
> 'verify'. Compare this:
> 
> verify (PTRDIFF_MAX <= SIZE_MAX / 2);
> 
> to this:
> 
> _Static_assert (PTRDIFF_MAX <= SIZE_MAX / 2,
>                 "PTRDIFF_MAX is not more than half of SIZE_MAX");
> 
> With just one static assertion it's no big deal, but Gnulib has files with
> dozens and the readability savings add up.

In about three years' time we'll be able to require GCC 9 or later to 
build glibc and thus use single-argument _Static_assert (which C2x has 
added from C++ and which I've added support for to GCC 9).

-- 
Joseph S. Myers
joseph@codesourcery.com
[prev in list] [next in list] [prev in thread] [next in thread]