The following program (which I'll also attach later) gives unexpected results,
where signed char values are passed as ints that are not properly sign-extended:
> cat char-neg.c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

static void fixnum_neg(signed char x, signed char *py, int *pv)
{
    unsigned char ux, uy;

    ux = (unsigned char)x;
    uy = -ux;
    *py = (uy <= 127) ? (signed char)uy : (-(signed char)(255 - uy) - 1);
    *pv = (x == -128) ? 1 : 0;
}

void __attribute__((noinline)) foo(int x, int y, int v)
{
    printf("test_neg: -(%d) => (%d, %d)\n", x, y, v);
    if (y < -128 || y > 127)
        abort();
}

int test_neg(void)
{
    signed char x, y;
    int v, err;

    err = 0;
    x = -128;
    for (;;) {
        fixnum_neg(x, &y, &v);
        foo((int)x, (int)y, v);
        if ((v && x != -128) || (!v && x == -128))
            ++err;
        if (x == 127)
            break;
        ++x;
    }
    return err;
}

int main(void)
{
    if (CHAR_BIT != 8
        || SCHAR_MIN != -128 || SCHAR_MAX != 127
        || UCHAR_MAX != 255)
        abort();
    if (test_neg() != 0)
        abort();
    return 0;
}
> gcc -O2 -Wall -Wextra char-neg.c ; ./a.out
test_neg: -(-128) => (-128, 1)
test_neg: -(-127) => (-129, 0)
Abort
The abort shows that the `signed char' variable y is incorrectly extended to
int when passed to foo().
Passing -fwrapv eliminates the failure. Maybe I've been staring at this for
too long, but I can't see any signed overflow in this code.
The problem occurs with gcc 4.6/4.5/4.4/4.3/4.2, but not with 4.1 or older.
The program comes from some code which attempts to emulate machine-level
integer arithmetic and condition code settings. To validate the condition code
logic I used exhaustive testing on a smaller integer type (signed char), but
that broke as shown above. The assignment to *py in fixnum_neg() is one of
several attempts to cast from unsigned to signed char without (apparently)
triggering undefined behaviour due to signed overflow; other failed attempts
have included plain casts, assignment via a union, and memcpy() via a local
signed char temporary.
gcc was configured --with-gmp=... --with-mpfr=... --with-mpc=...
--disable-plugin --disable-lto --disable-nls --enable-threads=posix
--enable-checking=release --disable-libmudflap --enable-languages=c
--
Summary: "safe" conversion from unsigned to signed char gives broken code
Product: gcc
Version: 4.6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: mikpe at it dot uu dot se
GCC target triplet: i686-pc-linux-gnu
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=45034
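
An added example, not part of the original report and not the reporter's code: the same 8-bit negate emulation with the exhaustive check described above, written so that all arithmetic stays in int and unsigned int and no value is ever converted to signed char. The names u8_to_s8, neg8 and check_neg8_exhaustive are hypothetical, and the sketch assumes the emulated machine is 8-bit two's complement.

```c
#include <stdio.h>

/* Hypothetical helper: map an 8-bit pattern to its two's-complement value.
   Both branches stay inside int range, so there is no narrowing conversion
   of an out-of-range value and no signed overflow. */
static int u8_to_s8(unsigned int bits)
{
    bits &= 0xFFu;
    return (bits <= 127u) ? (int)bits : (int)bits - 256;
}

/* Emulated 8-bit NEG: *result is the wrapped value, *overflow is the
   condition-code bit, which is set only when the operand is -128. */
static void neg8(int x, int *result, int *overflow)
{
    unsigned int ux = (unsigned int)x & 0xFFu;  /* bit pattern of x (modular) */
    unsigned int uy = (0u - ux) & 0xFFu;        /* negate modulo 256 */

    *result = u8_to_s8(uy);
    *overflow = (ux == 0x80u);
}

/* Exhaustive check over every 8-bit operand against a reference computed
   exactly in int. Returns the number of mismatches. */
static int check_neg8_exhaustive(void)
{
    int errors = 0;

    for (int x = -128; x <= 127; ++x) {
        int y, v;
        int wide = -x;                          /* exact: |x| <= 128 fits in int */
        int expect_v = (wide > 127);
        int expect_y = expect_v ? wide - 256 : wide;

        neg8(x, &y, &v);
        if (y != expect_y || v != expect_v || y < -128 || y > 127)
            ++errors;
    }
    return errors;
}

int main(void)
{
    int errors = check_neg8_exhaustive();

    printf("neg8 mismatches: %d\n", errors);
    return errors != 0;
}
```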