From 6b6a4d63ec585badcd69890608bc144ef4d89af7 Mon Sep 17 00:00:00 2001
From: "Justin M. Keyes" <justinkz@gmail.com>
Date: Tue, 8 Jan 2019 00:22:57 +0100
Subject: assert.h: Check overflow with STRICT_ADD, STRICT_SUB

---
 src/nvim/assert.h | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'src/nvim/assert.h')

diff --git a/src/nvim/assert.h b/src/nvim/assert.h
index 761636305e..48c5363d5a 100644
--- a/src/nvim/assert.h
+++ b/src/nvim/assert.h
@@ -15,6 +15,10 @@
 # define __has_extension __has_feature
 #endif
 
+#ifndef __has_builtin
+# define __has_builtin __has_feature
+#endif
+
 /// @def STATIC_ASSERT
 /// @brief Assert at compile time if condition is not satisfied.
 ///
@@ -121,4 +125,31 @@
     ((enum { ASSERT_CONCAT(assert_line_, __LINE__) = 1/(!!(e)) }) 0)
 #endif
 
+/// @def STRICT_ADD
+///
+/// Requires GCC 5+ and Clang 3.8+
+///   https://clang.llvm.org/docs/LanguageExtensions.html
+///   https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
+///
+/// Alternative for compilers without __builtin_xx_overflow ?
+///   https://stackoverflow.com/a/44830670/152142
+///
+/// @param MAX Maximum value of the narrowest type of operand.
+///            Not used if compiler supports __builtin_add_overflow.
+#if __has_builtin(__builtin_add_overflow)
+# define STRICT_ADD(a, b, c) \
+  do { if (__builtin_add_overflow(a, b, c)) { abort(); } } while (0)
+#else
+# define STRICT_ADD(a, b, c) \
+  do { *c = a + b; } while (0)
+#endif
+
+#if __has_builtin(__builtin_sub_overflow)
+# define STRICT_SUB(a, b, c) \
+  do { if (__builtin_sub_overflow(a, b, c)) { abort(); } } while (0)
+#else
+# define STRICT_SUB(a, b, c) \
+  do { *c = a - b; } while (0)
+#endif
+
 #endif  // NVIM_ASSERT_H
-- 
cgit 


From 596f020e904b2da2dac1bc080eb69f66deb998d7 Mon Sep 17 00:00:00 2001
From: "Justin M. Keyes" <justinkz@gmail.com>
Date: Sat, 5 Jan 2019 00:57:27 +0100
Subject: PVS/V1028: cast operands, not the result

---
 src/nvim/assert.h | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

(limited to 'src/nvim/assert.h')

diff --git a/src/nvim/assert.h b/src/nvim/assert.h
index 48c5363d5a..3f985475a7 100644
--- a/src/nvim/assert.h
+++ b/src/nvim/assert.h
@@ -15,10 +15,6 @@
 # define __has_extension __has_feature
 #endif
 
-#ifndef __has_builtin
-# define __has_builtin __has_feature
-#endif
-
 /// @def STATIC_ASSERT
 /// @brief Assert at compile time if condition is not satisfied.
 ///
@@ -136,20 +132,22 @@
 ///
 /// @param MAX Maximum value of the narrowest type of operand.
 ///            Not used if compiler supports __builtin_add_overflow.
-#if __has_builtin(__builtin_add_overflow)
-# define STRICT_ADD(a, b, c) \
+#if (defined(__clang__) && __has_builtin(__builtin_add_overflow)) \
+  || (__GNUC__ >= 5)
+# define STRICT_ADD(a, b, c, t) \
   do { if (__builtin_add_overflow(a, b, c)) { abort(); } } while (0)
 #else
-# define STRICT_ADD(a, b, c) \
-  do { *c = a + b; } while (0)
+# define STRICT_ADD(a, b, c, t) \
+  do { *(c) = (t)(a + b); } while (0)
 #endif
 
-#if __has_builtin(__builtin_sub_overflow)
-# define STRICT_SUB(a, b, c) \
+#if (defined(__clang__) && __has_builtin(__builtin_sub_overflow)) \
+  || (__GNUC__ >= 5)
+# define STRICT_SUB(a, b, c, t) \
   do { if (__builtin_sub_overflow(a, b, c)) { abort(); } } while (0)
 #else
-# define STRICT_SUB(a, b, c) \
-  do { *c = a - b; } while (0)
+# define STRICT_SUB(a, b, c, t) \
+  do { *(c) = (t)(a - b); } while (0)
 #endif
 
 #endif  // NVIM_ASSERT_H
-- 
cgit 


From fc4ca5bdd8c5a2b37b6efe34a9b32a1bd75c57af Mon Sep 17 00:00:00 2001
From: "Justin M. Keyes" <justinkz@gmail.com>
Date: Tue, 8 Jan 2019 22:00:52 +0100
Subject: CMake: Feature-detect __builtin_{add,sub}_overflow

---
 src/nvim/assert.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'src/nvim/assert.h')

diff --git a/src/nvim/assert.h b/src/nvim/assert.h
index 3f985475a7..29195a49dc 100644
--- a/src/nvim/assert.h
+++ b/src/nvim/assert.h
@@ -122,6 +122,7 @@
 #endif
 
 /// @def STRICT_ADD
+/// @brief Adds (a + b) and stores result in `c`.  Aborts on overflow.
 ///
 /// Requires GCC 5+ and Clang 3.8+
 ///   https://clang.llvm.org/docs/LanguageExtensions.html
@@ -132,8 +133,7 @@
 ///
 /// @param MAX Maximum value of the narrowest type of operand.
 ///            Not used if compiler supports __builtin_add_overflow.
-#if (defined(__clang__) && __has_builtin(__builtin_add_overflow)) \
-  || (__GNUC__ >= 5)
+#if HAVE_BUILTIN_ADD_OVERFLOW
 # define STRICT_ADD(a, b, c, t) \
   do { if (__builtin_add_overflow(a, b, c)) { abort(); } } while (0)
 #else
@@ -141,8 +141,9 @@
   do { *(c) = (t)(a + b); } while (0)
 #endif
 
-#if (defined(__clang__) && __has_builtin(__builtin_sub_overflow)) \
-  || (__GNUC__ >= 5)
+/// @def STRICT_SUB
+/// @brief Subtracts (a - b) and stores result in `c`.  Aborts on overflow.
+#if HAVE_BUILTIN_ADD_OVERFLOW
 # define STRICT_SUB(a, b, c, t) \
   do { if (__builtin_sub_overflow(a, b, c)) { abort(); } } while (0)
 #else
-- 
cgit