[email protected] (Niels Möller) writes:
> This code needs some careful analysis, to see under what conditions hi
> might be used uninitialized, and in case there's some valid inputs for
> which this could happen fix that, and if not, back up our assumptions
> with asserts (which I hope the static analyzer will understand).
It turns out analysis isn't that subtle. The thing is, the static
analyzer thinks that the loop condition (rn >= 2*mn - bn) can be
initially false.
Now, rn is initialized to 2*mn, so this could be false only if the
subtraction underflows. Which it doesn't do, since the valid range for bn
is 0 < bn < mn.
The question is what's the best way to make that clear to compilers and
analyzers.
Loops could be rewritten as do {} while (0) loops. Or we could add more
asserts, maybe it's sufficient to replace the somewhat weak
assert (sn > 0);
with
assert (bn < mn);
Since sn is size_t (unsigned), the former only checks that mn != bn.
This code is a bit hairy as is, so we should try to not make it
even more complex.
Regards,
/Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
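The unsigned-arithmetic point in the message above, worked through as an added example (this is not nettle code and not from the thread; the function names and the sample values mn = 3, bn in {2, 3, 5, 7} are constructed for illustration). It evaluates the loop-entry condition rn >= 2*mn - bn in size_t exactly as C does, and compares the weak precondition assert (sn > 0) with the stronger assert (bn < mn): for bn = 7 the weak check passes because sn = mn - bn wraps around, yet 2*mn - bn also wraps and the loop would be skipped on entry, which is precisely the uninitialized-use path the static analyzer reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the sizes in the thread: mn is the larger
   operand size in limbs, bn the smaller one, both size_t (unsigned). */

/* The weak precondition discussed: sn = mn - bn is unsigned, so sn > 0
   only rejects bn == mn. For bn > mn the subtraction wraps to a huge
   value and the check still passes. Returns 1 if the check would pass. */
int weak_check(size_t mn, size_t bn)
{
    size_t sn = mn - bn;
    return sn > 0;
}

/* The stronger precondition: bn < mn also rules out the wraparound
   in 2*mn - bn below. Returns 1 if the check would pass. */
int strong_check(size_t mn, size_t bn)
{
    return bn < mn;
}

/* Whether the loop condition (rn >= 2*mn - bn) holds on entry, with rn
   initialized to 2*mn, evaluated in size_t like the code under discussion.
   Returns 0 when the loop body would never execute. */
int loop_runs_on_entry(size_t mn, size_t bn)
{
    size_t rn = 2 * mn;
    return rn >= 2 * mn - bn;
}

int main(void)
{
    /* Constructed sample values: mn fixed at 3, bn swept across
       in-range, equal, slightly-out-of-range and far-out-of-range. */
    size_t mn = 3;
    size_t cases[] = {2, 3, 5, 7};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t bn = cases[i];
        printf("mn=%zu bn=%zu  sn>0:%d  bn<mn:%d  loop runs on entry:%d\n",
               mn, bn, weak_check(mn, bn), strong_check(mn, bn),
               loop_runs_on_entry(mn, bn));
    }
    return 0;
}
```

The bn = 7 row is the one to look at: weak_check reports 1, strong_check reports 0, and loop_runs_on_entry reports 0, so only the bn < mn assert actually documents the invariant that keeps the loop body (and whatever it initializes) on every path.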