At Tue, 13 May 2014 13:47:51 +0200,
Samuel Thibault wrote:
>
> Neal H. Walfield, on Tue 13 May 2014 13:44:37 +0200, wrote:
> > At Tue, 13 May 2014 12:52:03 +0200,
> > Justus Winter wrote:
> > > Quoting Neal H. Walfield (2014-05-13 09:44:21)
> > > > At Mon, 12 May 2014 12:05:41 +0200,
> > > > Justus Winter wrote:
> > > > > +/* Decrement REF. Return the result of the operation. This function
> > > > > + uses atomic operations. It is not required to serialize calls to
> > > > > + this function. */
> > > > > +static inline unsigned int
> > > > > +refcount_deref (refcount_t *ref)
> > > > > +{
> > > > > + return __atomic_sub_fetch (ref, 1, __ATOMIC_RELAXED);
> > > > > +}
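Review bot: refcount_deref has no underflow check: refcount_t is unsigned, so decrementing a counter that is already 0 silently wraps to UINT_MAX and the caller receives a large positive count. Check the value __atomic_sub_fetch returns (e.g. `assert (result != UINT_MAX)` on a local before returning it) rather than asserting on `*ref` beforehand, since a separate pre-read is not part of the atomic operation and can miss a decrement racing with this one. The comment should also state what the __ATOMIC_RELAXED ordering does and does not guarantee to callers that act on a zero result.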
> > > >
> > > > How about adding assert(*ref >= 0)?
> > >
> > > It is there, you just can't see it because I optimized it away (as gcc
> > > would, as refcount_t is unsigned ;).
> >
> > I meant assert(*ref > 0), sorry.
>
> Well, I'd rather check that the result didn't underflow, otherwise you
> may miss it in some rare conditions.
Good point. The assert that I proposed would introduce a TOCTTOU bug.
:) Neal
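The TOCTTOU point made in this thread, as an added example in C that is not code from the patch or from any of the participants: it assumes the GCC/clang __atomic builtins, and the hypothetical `between` hook stands in for a second thread running between the check and the decrement, which makes the race deterministic.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

typedef unsigned int refcount_t;

/* Result of one decrement: the new count and whether the check fired. */
struct deref_result
{
  unsigned int value;
  bool flagged;
};

/* Pre-check variant (the assert (*ref > 0) idea): read *REF, check it,
   then decrement.  BETWEEN is a hypothetical hook simulating another
   thread that runs between the read and the atomic op.  If it drops the
   count to zero, the decrement wraps to UINT_MAX and nothing notices.  */
static struct deref_result
refcount_deref_precheck (refcount_t *ref, void (*between) (refcount_t *))
{
  struct deref_result res;
  unsigned int seen = __atomic_load_n (ref, __ATOMIC_RELAXED);
  res.flagged = (seen == 0);            /* this is where the assert would look */
  if (between)
    between (ref);
  res.value = __atomic_sub_fetch (ref, 1, __ATOMIC_RELAXED);
  return res;
}

/* Post-check variant (what the thread converges on): decrement, then
   inspect the value the atomic op itself returned.  An unsigned
   decrement from 0 yields UINT_MAX, so underflow is detected no matter
   how the other thread interleaves.  */
static struct deref_result
refcount_deref_postcheck (refcount_t *ref, void (*between) (refcount_t *))
{
  struct deref_result res;
  if (between)
    between (ref);
  res.value = __atomic_sub_fetch (ref, 1, __ATOMIC_RELAXED);
  res.flagged = (res.value == UINT_MAX); /* assert (res.value != UINT_MAX) */
  return res;
}

/* Constructed stand-in for the concurrent thread: one extra decrement. */
static void
other_thread_deref (refcount_t *ref)
{
  __atomic_sub_fetch (ref, 1, __ATOMIC_RELAXED);
}
```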