commit 4b63c21d6faebc406260733c16b826e3e01b0d89
author Armin Rigo <arigo@tunes.org> Wed Oct 04 11:44:06 2006 +0000
committer Armin Rigo <arigo@tunes.org> Wed Oct 04 11:44:06 2006 +0000
tree bdeaa6389ccc7075550272904869d32302046572
parent c6f2f884b4789c4000ffb30a85646f088da102b1

Forward-port of r52136: a review of overflow-detecting code.

* unified the way intobject, longobject and mystrtoul handle
  values around -sys.maxint-1.

* in general, trying to entierely avoid overflows in any computation
  involving signed ints or longs is extremely involved.  Fixed a few
  simple cases where a compiler might be too clever (but that's all
  guesswork).

* more overflow checks against bad data in marshal.c.

* 2.5 specific: fixed a number of places that were still confusing int
  and Py_ssize_t.  Some of them could potentially have caused
  "real-world" breakage.

* list.pop(x): fixing overflow issues on x was messy.  I just reverted
  to PyArg_ParseTuple("n"), which does the right thing.  (An obscure
  test was trying to give a Decimal to list.pop()... doesn't make
  sense any more IMHO)

* trying to write a few tests...

Objects/intobject.c

diff --git a/Objects/intobject.c b/Objects/intobject.c
index 28f7606..a4d50be 100644
--- a/Objects/intobject.c
+++ b/Objects/intobject.c
@@ -546,6 +546,17 @@
 	}
 }
 
+/* Integer overflow checking for unary negation: on a 2's-complement
+ * box, -x overflows iff x is the most negative long.  In this case we
+ * get -x == x.  However, -x is undefined (by C) if x /is/ the most
+ * negative long (it's a signed overflow case), and some compilers care.
+ * So we cast x to unsigned long first.  However, then other compilers
+ * warn about applying unary minus to an unsigned operand.  Hence the
+ * weird "0-".
+ */
+#define UNARY_NEG_WOULD_OVERFLOW(x)	\
+	((x) < 0 && (unsigned long)(x) == 0-(unsigned long)(x))
+
 /* Return type of i_divmod */
 enum divmod_result {
 	DIVMOD_OK,		/* Correct result */
@@ -564,14 +575,8 @@
 				"integer division or modulo by zero");
 		return DIVMOD_ERROR;
 	}
-	/* (-sys.maxint-1)/-1 is the only overflow case.  x is the most
-	 * negative long iff x < 0 and, on a 2's-complement box, x == -x.
-	 * However, -x is undefined (by C) if x /is/ the most negative long
-	 * (it's a signed overflow case), and some compilers care.  So we cast
-	 * x to unsigned long first.  However, then other compilers warn about
-	 * applying unary minus to an unsigned operand.  Hence the weird "0-".
-	 */
-	if (y == -1 && x < 0 && (unsigned long)x == 0-(unsigned long)x)
+	/* (-sys.maxint-1)/-1 is the only overflow case. */
+	if (y == -1 && UNARY_NEG_WOULD_OVERFLOW(x))
 		return DIVMOD_OVERFLOW;
 	xdivy = x / y;
 	xmody = x - xdivy * y;
@@ -762,7 +767,8 @@
 {
 	register long a;
 	a = v->ob_ival;
-	if (a < 0 && (unsigned long)a == 0-(unsigned long)a) {
+        /* check for overflow */
+	if (UNARY_NEG_WOULD_OVERFLOW(a)) {
 		PyObject *o = PyLong_FromLong(a);
 		if (o != NULL) {
 			PyObject *result = PyNumber_Negative(o);