On 05/10/11 09:54, Paul Eggert wrote:
> This proposal also uses "SUM"
> instead of "ADD", "DIFFERENCE" rather than "SUBTRACT", etc., for
> reasons that escape me: I can easily change the names back if that's
> what people prefer.
Nobody expressed a preference, but I liked the old names so I changed
them back. For the record, here's what I installed; this includes
the new intprops-test module.
>From 3e147bbf2109c91d301961a288993fd7e7984bfb Mon Sep 17 00:00:00 2001
From: Paul Eggert <egg...@cs.ucla.edu>
Date: Sun, 15 May 2011 09:35:12 -0700
Subject: [PATCH 1/2] intprops: add safe, portable integer overflow checking
* lib/intprops.h (_GL_INT_CONVERT, _GL_INT_TWOS_COMPLEMENT):
(_GL_INT_SIGNED, _GL_INT_MINIMUM, _GL_INT_MAXIMUM):
(_GL_SIGNED_INT_MINIMUM, INT_ADD_RANGE_OVERFLOW):
(INT__SUBTRACT__RANGE_OVERFLOW, INT_NEGATE_RANGE_OVERFLOW):
(INT_MULTIPLY_RANGE_OVERFLOW, INT_REMAINDER_RANGE_OVERFLOW):
(INT_LEFT_SHIFT_RANGE_OVERFLOW, _GL_ADD_OVERFLOW):
(_GL__SUBTRACT__OVERFLOW, _GL_MULTIPLY_OVERFLOW, _GL_DIVIDE_OVERFLOW):
(_GL_REMAINDER_OVERFLOW, _GL_UNSIGNED_NEG_MULTIPLE, INT_ADD_OVERFLOW):
(INT__SUBTRACT__OVERFLOW, INT_NEGATE_OVERFLOW, INT_MULTIPLY_OVERFLOW):
(INT_DIVIDE_OVERFLOW, INT_REMAINDER_OVERFLOW):
(INT_LEFT_SHIFT_OVERFLOW, _GL_BINARY_OP_OVERFLOW): New macros.
---
ChangeLog | 15 ++++
lib/intprops.h | 220 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 234 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9654f9f..ef91dd2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2011-05-13 Paul Eggert <egg...@cs.ucla.edu>
+
+ intprops: add safe, portable integer overflow checking
+ * lib/intprops.h (_GL_INT_CONVERT, _GL_INT_TWOS_COMPLEMENT):
+ (_GL_INT_SIGNED, _GL_INT_MINIMUM, _GL_INT_MAXIMUM):
+ (_GL_SIGNED_INT_MINIMUM, INT_ADD_RANGE_OVERFLOW):
+ (INT__SUBTRACT__RANGE_OVERFLOW, INT_NEGATE_RANGE_OVERFLOW):
+ (INT_MULTIPLY_RANGE_OVERFLOW, INT_REMAINDER_RANGE_OVERFLOW):
+ (INT_LEFT_SHIFT_RANGE_OVERFLOW, _GL_ADD_OVERFLOW):
+ (_GL__SUBTRACT__OVERFLOW, _GL_MULTIPLY_OVERFLOW, _GL_DIVIDE_OVERFLOW):
+ (_GL_REMAINDER_OVERFLOW, _GL_UNSIGNED_NEG_MULTIPLE, INT_ADD_OVERFLOW):
+ (INT__SUBTRACT__OVERFLOW, INT_NEGATE_OVERFLOW, INT_MULTIPLY_OVERFLOW):
+ (INT_DIVIDE_OVERFLOW, INT_REMAINDER_OVERFLOW):
+ (INT_LEFT_SHIFT_OVERFLOW, _GL_BINARY_OP_OVERFLOW): New macros.
+
2011-05-12 James Youngman <j...@gnu.org>
Add a test for glibc's Bugzilla bug #12378.
diff --git a/lib/intprops.h b/lib/intprops.h
index 529b0fa..a84bd6a 100644
--- a/lib/intprops.h
+++ b/lib/intprops.h
@@ -22,6 +22,11 @@
#include <limits.h>
+/* Return a integer value, converted to the same type as the integer
+ expression E after integer type promotion. V is the unconverted value.
+ E should not have side effects. */
+#define _GL_INT_CONVERT(e, v) ((e) - (e) + (v))
+
/* The extra casts in the following macros work around compiler bugs,
e.g., in Cray C 5.0.3.0. */
@@ -37,13 +42,23 @@
#define TYPE_ONES_COMPLEMENT(t) ((t) ~ (t) 0 == 0)
#define TYPE_SIGNED_MAGNITUDE(t) ((t) ~ (t) 0 < (t) -1)
+/* True if the signed integer expression E uses two's complement. */
+#define _GL_INT_TWOS_COMPLEMENT(e) (~ _GL_INT_CONVERT (e, 0) == -1)
+
/* True if the arithmetic type T is signed. */
#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
-/* The maximum and minimum values for the integer type T. These
+/* Return 1 if the integer expression E, after integer promotion, has
+ a signed type. E should not have side effects. */
+#define _GL_INT_SIGNED(e) (_GL_INT_CONVERT (e, -1) < 0)
+
+
+/* Minimum and maximum values for integer types and expressions. These
macros have undefined behavior if T is signed and has padding bits.
If this is a problem for you, please let us know how to fix it for
your host. */
+
+/* The maximum and minimum values for the integer type T. */
#define TYPE_MINIMUM(t) \
((t) (! TYPE_SIGNED (t) \
? (t) 0 \
@@ -55,6 +70,20 @@
? (t) -1 \
: ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))
+/* The maximum and minimum values for the type of the expression E,
+ after integer promotion. E should not have side effects. */
+#define _GL_INT_MINIMUM(e) \
+ (_GL_INT_SIGNED (e) \
+ ? - _GL_INT_TWOS_COMPLEMENT (e) - _GL_SIGNED_INT_MAXIMUM (e) \
+ : _GL_INT_CONVERT (e, 0))
+#define _GL_INT_MAXIMUM(e) \
+ (_GL_INT_SIGNED (e) \
+ ? _GL_SIGNED_INT_MAXIMUM (e) \
+ : _GL_INT_CONVERT (e, -1))
+#define _GL_SIGNED_INT_MAXIMUM(e) \
+ (((_GL_INT_CONVERT (e, 1) << (sizeof ((e) + 0) * CHAR_BIT - 2)) - 1) * 2 + 1)
+
+
/* Return 1 if the __typeof__ keyword works. This could be done by
'configure', but for now it's easier to do it by hand. */
#if 2 <= __GNUC__ || 0x5110 <= __SUNPRO_C
@@ -93,4 +122,193 @@
including the terminating null. */
#define INT_BUFSIZE_BOUND(t) (INT_STRLEN_BOUND (t) + 1)
+
+/* Range overflow checks.
+
+ The INT_<op>_RANGE_OVERFLOW macros return 1 if the corresponding C
+ operators might not yield numerically correct answers due to
+ arithmetic overflow. They do not rely on undefined or
+ implementation-defined behavior. Their implementations are simple
+ and straightforward, but they are a bit harder to use than the
+ INT_<op>_OVERFLOW macros described below.
+
+ Example usage:
+
+ long int i = ...;
+ long int j = ...;
+ if (INT_MULTIPLY_RANGE_OVERFLOW (i, j, LONG_MIN, LONG_MAX))
+ printf ("multiply would overflow");
+ else
+ printf ("product is %ld", i * j);
+
+ Restrictions on *_RANGE_OVERFLOW macros:
+
+ These macros do not check for all possible numerical problems or
+ undefined or unspecified behavior: they do not check for division
+ by zero, for bad shift counts, or for shifting negative numbers.
+
+ These macros may evaluate their arguments zero or multiple times,
+ so the arguments should not have side effects. The arithmetic
+ arguments (including the MIN and MAX arguments) must be of the same
+ integer type after the usual arithmetic conversions, and the type
+ must have minimum value MIN and maximum MAX. Unsigned types should
+ use a zero MIN of the proper type.
+
+ These macros are tuned for constant MIN and MAX. For commutative
+ operations such as A + B, they are also tuned for constant B. */
+
+/* Return 1 if A + B would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. */
+#define INT_ADD_RANGE_OVERFLOW(a, b, min, max) \
+ ((b) < 0 \
+ ? (a) < (min) - (b) \
+ : (max) - (b) < (a))
+
+/* Return 1 if A - B would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. */
+#define INT_SUBTRACT_RANGE_OVERFLOW(a, b, min, max) \
+ ((b) < 0 \
+ ? (max) + (b) < (a) \
+ : (a) < (min) + (b))
+
+/* Return 1 if - A would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. */
+#define INT_NEGATE_RANGE_OVERFLOW(a, min, max) \
+ ((min) < 0 \
+ ? (a) < - (max) \
+ : 0 < (a))
+
+/* Return 1 if A * B would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. */
+#define INT_MULTIPLY_RANGE_OVERFLOW(a, b, min, max) \
+ ((b) < 0 \
+ ? ((a) < 0 \
+ ? (a) < (max) / (b) \
+ : (b) < -1 && (min) / (b) < (a)) \
+ : (0 < (b) \
+ && ((a) < 0 \
+ ? (a) < (min) / (b) \
+ : (max) / (b) < (a))))
+
+/* Return 1 if A / B would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. Do not check for division by zero. */
+#define INT_DIVIDE_RANGE_OVERFLOW(a, b, min, max) \
+ ((min) < 0 && (b) == -1 && (a) < - (max))
+
+/* Return 1 if A % B would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. Do not check for division by zero.
+ Mathematically, % should never overflow, but on x86-like hosts
+ INT_MIN % -1 traps, and the C standard permits this, so treat this
+ as an overflow too. */
+#define INT_REMAINDER_RANGE_OVERFLOW(a, b, min, max) \
+ INT_DIVIDE_RANGE_OVERFLOW (a, b, min, max)
+
+/* Return 1 if A << B would overflow in [MIN,MAX] arithmetic.
+ See above for restrictions. Here, MIN and MAX are for A only, and B need
+ not be of the same type as the other arguments. The C standard says that
+ behavior is undefined for shifts unless 0 <= B < wordwidth, and that when
+ A is negative then A << B has undefined behavior and A >> B has
+ implementation-defined behavior, but do not check these other
+ restrictions. */
+#define INT_LEFT_SHIFT_RANGE_OVERFLOW(a, b, min, max) \
+ ((a) < 0 \
+ ? (a) < (min) >> (b) \
+ : (max) >> (b) < (a))
+
+
+/* The _GL*_OVERFLOW macros have the same restrictions as the
+ *_RANGE_OVERFLOW macros, except that they do not assume that operands
+ (e.g., A and B) have the same type as MIN and MAX. Instead, they assume
+ that the result (e.g., A + B) has that type. */
+#define _GL_ADD_OVERFLOW(a, b, min, max) \
+ ((min) < 0 ? INT_ADD_RANGE_OVERFLOW (a, b, min, max) \
+ : (a) < 0 ? (b) <= (a) + (b) \
+ : (b) < 0 ? (a) <= (a) + (b) \
+ : (a) + (b) < (b))
+#define _GL_SUBTRACT_OVERFLOW(a, b, min, max) \
+ ((min) < 0 ? INT_SUBTRACT_RANGE_OVERFLOW (a, b, min, max) \
+ : (a) < 0 ? 1 \
+ : (b) < 0 ? (a) - (b) <= (a) \
+ : (a) < (b))
+#define _GL_MULTIPLY_OVERFLOW(a, b, min, max) \
+ (((min) == 0 && (((a) < 0 && 0 < (b)) || ((b) < 0 && 0 < (a)))) \
+ || INT_MULTIPLY_RANGE_OVERFLOW (a, b, min, max))
+#define _GL_DIVIDE_OVERFLOW(a, b, min, max) \
+ ((min) < 0 ? (b) == _GL_INT_CONVERT (min, -1) && (a) < - (max) \
+ : (a) < 0 ? (b) <= (a) + (b) - 1 \
+ : (b) < 0 && (a) + (b) <= (a))
+#define _GL_REMAINDER_OVERFLOW(a, b, min, max) \
+ ((min) < 0 ? (b) == _GL_INT_CONVERT (min, -1) && (a) < - (max) \
+ : (a) < 0 ? (a) % (b) != ((max) - (b) + 1) % (b) \
+ : (b) < 0 && ! _GL_UNSIGNED_NEG_MULTIPLE (a, b, max))
+
+/* Return a nonzero value if A is a mathematical multiple of B, where
+ A is unsigned, B is negative, and MAX is the maximum value of A's
+ type. A's type must be the same as (A % B)'s type. Normally (A %
+ -B == 0) suffices, but things get tricky if -B would overflow. */
+#define _GL_UNSIGNED_NEG_MULTIPLE(a, b, max) \
+ (((b) < -_GL_SIGNED_INT_MAXIMUM (b) \
+ ? (_GL_SIGNED_INT_MAXIMUM (b) == (max) \
+ ? (a) \
+ : (a) % (_GL_INT_CONVERT (a, _GL_SIGNED_INT_MAXIMUM (b)) + 1)) \
+ : (a) % - (b)) \
+ == 0)
+
+
+/* Integer overflow checks.
+
+ The INT_<op>_OVERFLOW macros return 1 if the corresponding C operators
+ might not yield numerically correct answers due to arithmetic overflow.
+ They work correctly on all known practical hosts, and do not rely
+ on undefined behavior due to signed arithmetic overflow.
+
+ Example usage:
+
+ long int i = ...;
+ long int j = ...;
+ if (INT_MULTIPLY_OVERFLOW (i, j))
+ printf ("multiply would overflow");
+ else
+ printf ("product is %ld", i * j);
+
+ These macros do not check for all possible numerical problems or
+ undefined or unspecified behavior: they do not check for division
+ by zero, for bad shift counts, or for shifting negative numbers.
+
+ These macros may evaluate their arguments zero or multiple times, so the
+ arguments should not have side effects.
+
+ These macros are tuned for their last argument being a constant.
+
+ Return 1 if the integer expressions A * B, A - B, -A, A * B, A / B,
+ A % B, and A << B would overflow, respectively. */
+
+#define INT_ADD_OVERFLOW(a, b) \
+ _GL_BINARY_OP_OVERFLOW (a, b, _GL_ADD_OVERFLOW)
+#define INT_SUBTRACT_OVERFLOW(a, b) \
+ _GL_BINARY_OP_OVERFLOW (a, b, _GL_SUBTRACT_OVERFLOW)
+#define INT_NEGATE_OVERFLOW(a) \
+ INT_NEGATE_RANGE_OVERFLOW (a, _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
+#define INT_MULTIPLY_OVERFLOW(a, b) \
+ _GL_BINARY_OP_OVERFLOW (a, b, _GL_MULTIPLY_OVERFLOW)
+#define INT_DIVIDE_OVERFLOW(a, b) \
+ _GL_BINARY_OP_OVERFLOW (a, b, _GL_DIVIDE_OVERFLOW)
+#define INT_REMAINDER_OVERFLOW(a, b) \
+ _GL_BINARY_OP_OVERFLOW (a, b, _GL_REMAINDER_OVERFLOW)
+#define INT_LEFT_SHIFT_OVERFLOW(a, b) \
+ INT_LEFT_SHIFT_RANGE_OVERFLOW (a, b, \
+ _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
+
+/* Return 1 if the expression A <op> B would overflow,
+ where OP_RESULT_OVERFLOW (A, B, MIN, MAX) does the actual test,
+ assuming MIN and MAX are the minimum and maximum for the result type.
+
+ This macro assumes that A | B is a valid integer if both A and B are,
+ which is true of all known practical hosts. If this is a problem
+ for you, please let us know how to fix it for your host. */
+#define _GL_BINARY_OP_OVERFLOW(a, b, op_result_overflow) \
+ op_result_overflow (a, b, \
+ _GL_INT_MINIMUM ((a) | (b)), \
+ _GL_INT_MAXIMUM ((a) | (b)))
+
#endif /* _GL_INTPROPS_H */
--
1.7.5.1
>From aa31a0ed5afcc980e9b22e25f2a1dc520030ce09 Mon Sep 17 00:00:00 2001
From: Paul Eggert <egg...@cs.ucla.edu>
Date: Sun, 15 May 2011 09:37:21 -0700
Subject: [PATCH 2/2] intprops-tests: new module
* modules/intprops-tests, tests/test-intprops.c: New files.
---
ChangeLog | 3 +
modules/intprops-tests | 13 +++
tests/test-intprops.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 269 insertions(+), 0 deletions(-)
create mode 100644 modules/intprops-tests
create mode 100644 tests/test-intprops.c
diff --git a/ChangeLog b/ChangeLog
index ef91dd2..c2a67da 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
2011-05-13 Paul Eggert <egg...@cs.ucla.edu>
+ intprops-tests: new module
+ * modules/intprops-tests, tests/test-intprops.c: New files.
+
intprops: add safe, portable integer overflow checking
* lib/intprops.h (_GL_INT_CONVERT, _GL_INT_TWOS_COMPLEMENT):
(_GL_INT_SIGNED, _GL_INT_MINIMUM, _GL_INT_MAXIMUM):
diff --git a/modules/intprops-tests b/modules/intprops-tests
new file mode 100644
index 0000000..4aa04d9
--- /dev/null
+++ b/modules/intprops-tests
@@ -0,0 +1,13 @@
+Files:
+tests/test-intprops.c
+
+Depends-on:
+inttypes
+stdbool
+verify
+
+configure.ac:
+
+Makefile.am:
+TESTS += test-intprops
+check_PROGRAMS += test-intprops
diff --git a/tests/test-intprops.c b/tests/test-intprops.c
new file mode 100644
index 0000000..aae2614
--- /dev/null
+++ b/tests/test-intprops.c
@@ -0,0 +1,253 @@
+/* Test intprops.h.
+ Copyright (C) 2011 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>. */
+
+/* Written by Paul Eggert. */
+
+#include <config.h>
+
+#include "intprops.h"
+#include "verify.h"
+
+#include <stdbool.h>
+#include <inttypes.h>
+
+/* TYPE_IS_INTEGER. */
+verify (TYPE_IS_INTEGER (bool));
+verify (TYPE_IS_INTEGER (char));
+verify (TYPE_IS_INTEGER (signed char));
+verify (TYPE_IS_INTEGER (unsigned char));
+verify (TYPE_IS_INTEGER (short int));
+verify (TYPE_IS_INTEGER (unsigned short int));
+verify (TYPE_IS_INTEGER (int));
+verify (TYPE_IS_INTEGER (unsigned int));
+verify (TYPE_IS_INTEGER (long int));
+verify (TYPE_IS_INTEGER (unsigned long int));
+verify (TYPE_IS_INTEGER (intmax_t));
+verify (TYPE_IS_INTEGER (uintmax_t));
+verify (! TYPE_IS_INTEGER (float));
+verify (! TYPE_IS_INTEGER (double));
+verify (! TYPE_IS_INTEGER (long double));
+
+/* Integer representation. */
+verify (INT_MIN + INT_MAX < 0
+ ? (TYPE_TWOS_COMPLEMENT (int)
+ && ! TYPE_ONES_COMPLEMENT (int) && ! TYPE_SIGNED_MAGNITUDE (int))
+ : (! TYPE_TWOS_COMPLEMENT (int)
+ && (TYPE_ONES_COMPLEMENT (int) || TYPE_SIGNED_MAGNITUDE (int))));
+
+/* TYPE_SIGNED. */
+/* verify (! TYPE_SIGNED (bool)); */ /* not guaranteed by gnulib substitute */
+verify (TYPE_SIGNED (signed char));
+verify (! TYPE_SIGNED (unsigned char));
+verify (TYPE_SIGNED (short int));
+verify (! TYPE_SIGNED (unsigned short int));
+verify (TYPE_SIGNED (int));
+verify (! TYPE_SIGNED (unsigned int));
+verify (TYPE_SIGNED (long int));
+verify (! TYPE_SIGNED (unsigned long int));
+verify (TYPE_SIGNED (intmax_t));
+verify (! TYPE_SIGNED (uintmax_t));
+verify (TYPE_SIGNED (float));
+verify (TYPE_SIGNED (double));
+verify (TYPE_SIGNED (long double));
+
+/* TYPE_MINIMUM, TYPE_MAXIMUM. */
+verify (TYPE_MINIMUM (char) == CHAR_MIN);
+verify (TYPE_MAXIMUM (char) == CHAR_MAX);
+verify (TYPE_MINIMUM (unsigned char) == 0);
+verify (TYPE_MAXIMUM (unsigned char) == UCHAR_MAX);
+verify (TYPE_MINIMUM (signed char) == SCHAR_MIN);
+verify (TYPE_MAXIMUM (signed char) == SCHAR_MAX);
+verify (TYPE_MINIMUM (short int) == SHRT_MIN);
+verify (TYPE_MAXIMUM (short int) == SHRT_MAX);
+verify (TYPE_MINIMUM (unsigned short int) == 0);
+verify (TYPE_MAXIMUM (unsigned short int) == USHRT_MAX);
+verify (TYPE_MINIMUM (int) == INT_MIN);
+verify (TYPE_MAXIMUM (int) == INT_MAX);
+verify (TYPE_MINIMUM (unsigned int) == 0);
+verify (TYPE_MAXIMUM (unsigned int) == UINT_MAX);
+verify (TYPE_MINIMUM (long int) == LONG_MIN);
+verify (TYPE_MAXIMUM (long int) == LONG_MAX);
+verify (TYPE_MINIMUM (unsigned long int) == 0);
+verify (TYPE_MAXIMUM (unsigned long int) == ULONG_MAX);
+verify (TYPE_MINIMUM (intmax_t) == INTMAX_MIN);
+verify (TYPE_MAXIMUM (intmax_t) == INTMAX_MAX);
+verify (TYPE_MINIMUM (uintmax_t) == 0);
+verify (TYPE_MAXIMUM (uintmax_t) == UINTMAX_MAX);
+
+/* INT_BITS_STRLEN_BOUND. */
+verify (INT_BITS_STRLEN_BOUND (1) == 1);
+verify (INT_BITS_STRLEN_BOUND (2620) == 789);
+
+/* INT_STRLEN_BOUND, INT_BUFSIZE_BOUND. */
+#ifdef INT32_MAX /* POSIX guarantees int32_t; this ports to non-POSIX hosts */
+verify (INT_STRLEN_BOUND (int32_t) == sizeof ("-2147483648") - 1);
+verify (INT_BUFSIZE_BOUND (int32_t) == sizeof ("-2147483648"));
+#endif
+#ifdef INT64_MAX
+verify (INT_STRLEN_BOUND (int64_t) == sizeof ("-9223372036854775808") - 1);
+verify (INT_BUFSIZE_BOUND (int64_t) == sizeof ("-9223372036854775808"));
+#endif
+
+/* All the INT_<op>_RANGE_OVERFLOW tests are equally valid as
+ INT_<op>_OVERFLOW tests, so define a single macro to do both. */
+#define check_binop(op, a, b, min, max, overflow) \
+ (INT_##op##_RANGE_OVERFLOW (a, b, min, max) == (overflow) \
+ && INT_##op##_OVERFLOW (a, b) == (overflow))
+#define check_unop(op, a, min, max, overflow) \
+ (INT_##op##_RANGE_OVERFLOW (a, min, max) == (overflow) \
+ && INT_##op##_OVERFLOW (a) == (overflow))
+
+/* INT_<op>_RANGE_OVERFLOW, INT_<op>_OVERFLOW. */
+verify (INT_ADD_RANGE_OVERFLOW (INT_MAX, 1, INT_MIN, INT_MAX));
+verify (INT_ADD_OVERFLOW (INT_MAX, 1));
+verify (check_binop (ADD, INT_MAX, 1, INT_MIN, INT_MAX, true));
+verify (check_binop (ADD, INT_MAX, -1, INT_MIN, INT_MAX, false));
+verify (check_binop (ADD, INT_MIN, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (ADD, INT_MIN, -1, INT_MIN, INT_MAX, true));
+verify (check_binop (ADD, UINT_MAX, 1u, 0u, UINT_MAX, true));
+verify (check_binop (ADD, 0u, 1u, 0u, UINT_MAX, false));
+
+verify (check_binop (SUBTRACT, INT_MAX, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (SUBTRACT, INT_MAX, -1, INT_MIN, INT_MAX, true));
+verify (check_binop (SUBTRACT, INT_MIN, 1, INT_MIN, INT_MAX, true));
+verify (check_binop (SUBTRACT, INT_MIN, -1, INT_MIN, INT_MAX, false));
+verify (check_binop (SUBTRACT, UINT_MAX, 1u, 0u, UINT_MAX, false));
+verify (check_binop (SUBTRACT, 0u, 1u, 0u, UINT_MAX, true));
+
+verify (check_unop (NEGATE, INT_MIN, INT_MIN, INT_MAX,
+ TYPE_TWOS_COMPLEMENT (int)));
+verify (check_unop (NEGATE, 0, INT_MIN, INT_MAX, false));
+verify (check_unop (NEGATE, INT_MAX, INT_MIN, INT_MAX, false));
+verify (check_unop (NEGATE, 0u, 0u, UINT_MAX, false));
+verify (check_unop (NEGATE, 1u, 0u, UINT_MAX, true));
+verify (check_unop (NEGATE, UINT_MAX, 0u, UINT_MAX, true));
+
+verify (check_binop (MULTIPLY, INT_MAX, INT_MAX, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, INT_MAX, INT_MIN, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, INT_MIN, INT_MAX, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, INT_MIN, INT_MIN, INT_MIN, INT_MAX, true));
+verify (check_binop (MULTIPLY, -1, INT_MIN, INT_MIN, INT_MAX,
+ INT_NEGATE_OVERFLOW (INT_MIN)));
+verify (check_binop (MULTIPLY, LONG_MIN / INT_MAX, (long int) INT_MAX,
+ LONG_MIN, LONG_MIN, false));
+
+verify (check_binop (DIVIDE, INT_MIN, -1, INT_MIN, INT_MAX,
+ INT_NEGATE_OVERFLOW (INT_MIN)));
+verify (check_binop (DIVIDE, INT_MAX, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (DIVIDE, (unsigned int) INT_MIN,
+ -1u, 0u, UINT_MAX, false));
+
+verify (check_binop (REMAINDER, INT_MIN, -1, INT_MIN, INT_MAX,
+ INT_NEGATE_OVERFLOW (INT_MIN)));
+verify (check_binop (REMAINDER, INT_MAX, 1, INT_MIN, INT_MAX, false));
+verify (check_binop (REMAINDER, (unsigned int) INT_MIN,
+ -1u, 0u, UINT_MAX, false));
+
+verify (check_binop (LEFT_SHIFT, UINT_MAX, 1, 0u, UINT_MAX, true));
+verify (check_binop (LEFT_SHIFT, UINT_MAX / 2 + 1, 1, 0u, UINT_MAX, true));
+verify (check_binop (LEFT_SHIFT, UINT_MAX / 2, 1, 0u, UINT_MAX, false));
+
+/* INT_<op>_OVERFLOW with mixed types. */
+#define check_sum(a, b, overflow) \
+ verify (INT_ADD_OVERFLOW (a, b) == (overflow)); \
+ verify (INT_ADD_OVERFLOW (b, a) == (overflow))
+check_sum (-1, LONG_MIN, true);
+check_sum (-1, UINT_MAX, false);
+check_sum (-1L, INT_MIN, INT_MIN == LONG_MIN);
+check_sum (0u, -1, true);
+check_sum (0u, 0, false);
+check_sum (0u, 1, false);
+check_sum (1, LONG_MAX, true);
+check_sum (1, UINT_MAX, true);
+check_sum (1L, INT_MAX, INT_MAX == LONG_MAX);
+check_sum (1u, INT_MAX, INT_MAX == UINT_MAX);
+check_sum (1u, INT_MIN, true);
+
+verify (! INT_SUBTRACT_OVERFLOW (INT_MAX, 1u));
+verify (! INT_SUBTRACT_OVERFLOW (UINT_MAX, 1));
+verify (! INT_SUBTRACT_OVERFLOW (0u, -1));
+verify (INT_SUBTRACT_OVERFLOW (UINT_MAX, -1));
+verify (INT_SUBTRACT_OVERFLOW (INT_MIN, 1u));
+verify (INT_SUBTRACT_OVERFLOW (-1, 0u));
+
+#define check_product(a, b, overflow) \
+ verify (INT_MULTIPLY_OVERFLOW (a, b) == (overflow)); \
+ verify (INT_MULTIPLY_OVERFLOW (b, a) == (overflow))
+
+check_product (-1, 1u, true);
+check_product (-1, INT_MIN, INT_NEGATE_OVERFLOW (INT_MIN));
+check_product (-1, UINT_MAX, true);
+check_product (-12345, LONG_MAX / -12345 - 1, true);
+check_product (-12345, LONG_MAX / -12345, false);
+check_product (0, -1, false);
+check_product (0, 0, false);
+check_product (0, 0u, false);
+check_product (0, 1, false);
+check_product (0, INT_MAX, false);
+check_product (0, INT_MIN, false);
+check_product (0, UINT_MAX, false);
+check_product (0u, -1, false);
+check_product (0u, 0, false);
+check_product (0u, 0u, false);
+check_product (0u, 1, false);
+check_product (0u, INT_MAX, false);
+check_product (0u, INT_MIN, false);
+check_product (0u, UINT_MAX, false);
+check_product (1, INT_MAX, false);
+check_product (1, INT_MIN, false);
+check_product (1, UINT_MAX, false);
+check_product (1u, INT_MIN, true);
+check_product (1u, INT_MAX, UINT_MAX < INT_MAX);
+check_product (INT_MAX, UINT_MAX, true);
+check_product (INT_MAX, ULONG_MAX, true);
+check_product (INT_MIN, LONG_MAX / INT_MIN - 1, true);
+check_product (INT_MIN, LONG_MAX / INT_MIN, false);
+check_product (INT_MIN, UINT_MAX, true);
+check_product (INT_MIN, ULONG_MAX, true);
+
+verify (INT_DIVIDE_OVERFLOW (INT_MIN, -1L)
+ == (TYPE_TWOS_COMPLEMENT (long int) && INT_MIN == LONG_MIN));
+verify (! INT_DIVIDE_OVERFLOW (INT_MIN, UINT_MAX));
+verify (! INT_DIVIDE_OVERFLOW (INTMAX_MIN, UINTMAX_MAX));
+verify (! INT_DIVIDE_OVERFLOW (INTMAX_MIN, UINT_MAX));
+verify (INT_DIVIDE_OVERFLOW (-11, 10u));
+verify (INT_DIVIDE_OVERFLOW (-10, 10u));
+verify (! INT_DIVIDE_OVERFLOW (-9, 10u));
+verify (INT_DIVIDE_OVERFLOW (11u, -10));
+verify (INT_DIVIDE_OVERFLOW (10u, -10));
+verify (! INT_DIVIDE_OVERFLOW (9u, -10));
+
+verify (INT_REMAINDER_OVERFLOW (INT_MIN, -1L)
+ == (TYPE_TWOS_COMPLEMENT (long int) && INT_MIN == LONG_MIN));
+verify (INT_REMAINDER_OVERFLOW (-1, UINT_MAX));
+verify (INT_REMAINDER_OVERFLOW ((intmax_t) -1, UINTMAX_MAX));
+verify (INT_REMAINDER_OVERFLOW (INTMAX_MIN, UINT_MAX)
+ == (INTMAX_MAX < UINT_MAX
+ && - (unsigned int) INTMAX_MIN % UINT_MAX != 0));
+verify (INT_REMAINDER_OVERFLOW (INT_MIN, ULONG_MAX)
+ == (INT_MIN % ULONG_MAX != 1));
+verify (! INT_REMAINDER_OVERFLOW (1u, -1));
+verify (! INT_REMAINDER_OVERFLOW (37*39u, -39));
+verify (INT_REMAINDER_OVERFLOW (37*39u + 1, -39));
+verify (INT_REMAINDER_OVERFLOW (37*39u - 1, -39));
+verify (! INT_REMAINDER_OVERFLOW (LONG_MAX, -INT_MAX));
+
+int
+main (void)
+{
+ return 0;
+}
--
1.7.5.1
