"John Regehr" <regehr@cs.utah.edu> writes:
> The overflow check in int4inc() from int.c is wrong.
Hm, works for me:
regression=# \set VERBOSITY verbose
regression=# select int4inc(2147483647);
ERROR: 22003: integer out of range
LOCATION: int4inc, int.c:768
> The problem is that in
> C, signed overflow is undefined. Both LLVM and GCC eliminate the overflow
> check in this function. This is easy to see by looking at the asm emitted
> by either compiler.
Note that we recommend using -fwrapv with gcc, so that it doesn't break
code that depends on this type of test. (If int4inc isn't working then
there are probably a lot of other places that are broken too.) I imagine
LLVM has the same or similar switch.
> There are several easy ways to fix this code. One would be to test arg
> against INT_MAX before incrementing. Another would be to cast arg to
> unsigned, increment it, then do the check.
None of these proposals are improvements over what's there. The
fundamental problem is that if the compiler chooses to believe that
overflow doesn't exist, it can optimize away *any* test that could only
succeed in overflow cases. Finding a form of the test that fails to be
optimized away by today's version of gcc doesn't protect you against
tomorrow's version.
regards, tom lane