Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Jacek Caban]

Hi Kai,

No, I'm not aware of the report. I can't see it in our bug tracker,
where can I find it?

Cheers,
Jacek

On 08/29/15 17:16, Kai Tietz wrote:
> Hi Jacek,
>
> no I don't mind at all.  The reason I comment on this thread is a
> recent report about issues with current master's direct-x support.  it
> might be related to this.
>
> Are you aware of this report?
>
> Cheers,
> Kai
>
> 2015-08-18 12:47 GMT+02:00 Jacek Caban :
>> On 08/17/15 20:20, David Grayson wrote:
>>> On Tue, Aug 11, 2015 at 6:22 AM, Jacek Caban  wrote:
 The patch looks good to me.
>>> I think it's good too, but it looks like it (intsafe_2.2.1.patch)
>>> hasn't been committed to the git repository.  Can someone commit it?
>> Sorry for the delay, I was hoping to see Kai's comment, but he doesn't
>> seem around lately. I guess he is on vacations. I committed the patch,
>> hoping he won't mind.
>>
>> Thanks for the contribution,
>> Jacek
>>
>> --
>> ___
>> Mingw-w64-public mailing list
>> Mingw-w64-public@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
> --
> ___
> Mingw-w64-public mailing list
> Mingw-w64-public@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mingw-w64-public


--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Kai Tietz]

Hi Jacek,

no I don't mind at all.  The reason I comment on this thread is a
recent report about issues with current master's direct-x support.  it
might be related to this.

Are you aware of this report?

Cheers,
Kai

2015-08-18 12:47 GMT+02:00 Jacek Caban :
> On 08/17/15 20:20, David Grayson wrote:
>> On Tue, Aug 11, 2015 at 6:22 AM, Jacek Caban  wrote:
>>> The patch looks good to me.
>> I think it's good too, but it looks like it (intsafe_2.2.1.patch)
>> hasn't been committed to the git repository.  Can someone commit it?
>
> Sorry for the delay, I was hoping to see Kai's comment, but he doesn't
> seem around lately. I guess he is on vacations. I committed the patch,
> hoping he won't mind.
>
> Thanks for the contribution,
> Jacek
>
> --
> ___
> Mingw-w64-public mailing list
> Mingw-w64-public@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Jacek Caban]

On 08/17/15 20:20, David Grayson wrote:
> On Tue, Aug 11, 2015 at 6:22 AM, Jacek Caban  wrote:
>> The patch looks good to me.
> I think it's good too, but it looks like it (intsafe_2.2.1.patch)
> hasn't been committed to the git repository.  Can someone commit it?

Sorry for the delay, I was hoping to see Kai's comment, but he doesn't
seem around lately. I guess he is on vacations. I committed the patch,
hoping he won't mind.

Thanks for the contribution,
Jacek

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

Thanks, Jon!  If you want to add warn_unused_result, that seems fine
to me.  --David

On Mon, Aug 17, 2015 at 3:57 PM, JonY  wrote:
> On 8/18/2015 02:20, David Grayson wrote:
>> On Tue, Aug 11, 2015 at 6:22 AM, Jacek Caban  wrote:
>>> The patch looks good to me.
>>
>> I think it's good too, but it looks like it (intsafe_2.2.1.patch)
>> hasn't been committed to the git repository.  Can someone commit it?
>>
>
> Does it make sense to add the warn_unused_result attribute? I'll commit
> soon if nobody has yet.
>
>
>
> --
>
> ___
> Mingw-w64-public mailing list
> Mingw-w64-public@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
>

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[JonY]

On 8/18/2015 02:20, David Grayson wrote:
> On Tue, Aug 11, 2015 at 6:22 AM, Jacek Caban  wrote:
>> The patch looks good to me.
> 
> I think it's good too, but it looks like it (intsafe_2.2.1.patch)
> hasn't been committed to the git repository.  Can someone commit it?
> 

Does it make sense to add the warn_unused_result attribute? I'll commit
soon if nobody has yet.




0xD4EBC740.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

On Tue, Aug 11, 2015 at 6:22 AM, Jacek Caban  wrote:
> The patch looks good to me.

I think it's good too, but it looks like it (intsafe_2.2.1.patch)
hasn't been committed to the git repository.  Can someone commit it?

--David

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Jacek Caban]

Hi David,

On 08/10/15 18:11, David Grayson wrote:
> Here is a quick summary of the remaining possible compatibility issues
> between our version and the PSDK version of intsafe.h:
>
> - We include wtypesbase.h to define our types
> - Our error result is always 0, they use ~0.
> - They have some undocumented functions in intsafe.h that we don't have.
> - Our version won't work on clang or older versions of gcc because it
> uses these builtins, but at least it can be included.

The patch looks good to me.

Thanks,
Jacek

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

On 8/10/2015 3:34 AM, Jacek Caban wrote:

I'm sorry for the delay, I was sure I already replied.


That's fine, I'm not paying you.  :-)


We use #ifndef guards all over the place. PSDK headers usually use both.
That's find to add the pragma, but please don't delete existing guards.


OK, I have attached a new version of the patch (2.2.1, public domain) that just uses 
ifndef instead of the pragma.  I can see now that it could be a compatibility issue if 
their header defines "_INTSAFE_H_INCLUDED_" and our header does not, so it 
seems good to use the ifndef.  I don't see a need to use both.

Alexandre: As far as I can tell, '#pragma once' is not deprecated.  It is 
documented here:

https://gcc.gnu.org/onlinedocs/cpp/Alternatives-to-Wrapper-_0023ifndef.html


Also while I was reviewing the patch, I noticed that MS version doesn't
set output value to 0, but instead to values like ~0. Documentation
specifies this case as invalid value, so whatever we use is fine IMHO.


Yeah, I noticed that too.  I suppose I should have been upfront about all the issues like 
that.  Originally I thought that their version sometimes uses 0 and sometimes uses -1, 
but now it looks like they consistently use -1 (which is ~0 for unsigned types).  If I 
understand the C/C++ standards correctly, I think it would be safe for us to change the 
error case to "*result = -1;" and I can look into that if you want.

Here is a quick summary of the remaining possible compatibility issues between 
our version and the PSDK version of intsafe.h:

- We include wtypesbase.h to define our types
- Our error result is always 0, they use ~0.
- They have some undocumented functions in intsafe.h that we don't have.
- Our version won't work on clang or older versions of gcc because it uses 
these builtins, but at least it can be included.


Thanks for the work,
Jacek


Thanks, Jacek!

--David

diff --git a/mingw-w64-headers/include/intsafe.h 
b/mingw-w64-headers/include/intsafe.h
index 4c9459f..6f0f8dd 100644
--- a/mingw-w64-headers/include/intsafe.h
+++ b/mingw-w64-headers/include/intsafe.h
@@ -11,9 +11,388 @@
 
 #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
 
+#include 
 #include 
 
 #define INTSAFE_E_ARITHMETIC_OVERFLOW ((HRESULT)0x80070216)
 
+#ifndef S_OK
+#define S_OK ((HRESULT)0)
 #endif
+
+/** The builtins we use were added in GCC 5. */
+#if __GNUC__ >= 5
+
+#ifndef __MINGW_INTSAFE_API
+#define __MINGW_INTSAFE_API FORCEINLINE
+#endif
+
+/** If CHAR is unsigned, use static inline for functions that operate
+on chars.  This avoids the risk of linking to the wrong function when
+different translation units with different types of chars are linked
+together, and code using signed chars will not be affected. */
+#ifndef __MINGW_INTSAFE_CHAR_API
+#ifdef __CHAR_UNSIGNED__
+#define __MINGW_INTSAFE_CHAR_API static inline
+#else
+#define __MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_API
 #endif
+#endif
+
+#define __MINGW_INTSAFE_BODY(operation, x, y) \
+{ \
+  if (__builtin_##operation##_overflow(x, y, result)) \
+  { \
+  *result = 0; \
+  return INTSAFE_E_ARITHMETIC_OVERFLOW; \
+  } \
+  return S_OK; \
+}
+
+#define __MINGW_INTSAFE_CONV(name, type_src, type_dest) \
+HRESULT name(type_src operand, type_dest * result) \
+__MINGW_INTSAFE_BODY(add, operand, 0)
+
+#define __MINGW_INTSAFE_MATH(name, type, operation) \
+HRESULT name(type x, type y, type * result) \
+__MINGW_INTSAFE_BODY(operation, x, y)
+
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UInt8ToInt8, UINT8, INT8)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(UInt8ToChar, UINT8, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ByteToInt8, BYTE, INT8)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(ByteToChar, BYTE, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUChar, INT8, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUInt8, INT8, UINT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUShort, INT8, USHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUInt, INT8, UINT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToULong, INT8, ULONG)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUIntPtr, INT8, UINT_PTR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToULongPtr, INT8, ULONG_PTR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToULongLong, INT8, ULONGLONG)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToUChar, USHORT, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToUInt8, USHORT, UINT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToByte, USHORT, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToInt8, USHORT, INT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToShort, USHORT, SHORT)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(UShortToChar, USHORT, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToUChar, WORD, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToByte, WORD, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToShort, WORD, SHORT)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(WordToChar, WORD, CHAR)
+__MINGW_INT

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Alexandre Pereira Nunes]

On Mon, Aug 10, 2015 at 7:34 AM, Jacek Caban  wrote:

> Hi David,
>
>
>
> I'm sorry for the delay, I was sure I already replied. The patch looks
> mostly good and ready to be committed IMO. There is one minor thing:
>
> -#ifndef _INTSAFE_H_INCLUDED_
> -#define _INTSAFE_H_INCLUDED_
> +#pragma once
>
> We use #ifndef guards all over the place. PSDK headers usually use both.
> That's find to add the pragma, but please don't delete existing guards.
>
> Also while I was reviewing the patch, I noticed that MS version doesn't
> set output value to 0, but instead to values like ~0. Documentation
> specifies this case as invalid value, so whatever we use is fine IMHO.
>
> Thanks for the work,
> Jacek
>
>
>From a very old gcc manual:

"The GNU C preprocessor is programmed to notice when a header file uses
this particular construct and handle it efficiently. If a header file is
contained entirely in a `#ifndef' conditional, then it records that fact.
If a subsequent `#include' specifies the same file, and the macro in the
`#ifndef' is already defined, then the file is entirely skipped, without
even reading it.

There is also an explicit directive to tell the preprocessor that it need
not include a file more than once. This is called `#pragma once', and was
used *in addition to* the `#ifndef' conditional around the contents of the
header file. `#pragma once' is now obsolete and should not be used at all."


... not sure what/if changed since then.
--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Jacek Caban]

Hi David,

On 08/04/15 18:37, David Grayson wrote:
> On 8/4/2015 9:02 AM, David Grayson wrote:
>> Thanks, Jacek.  I have included a new patch with all of your
>> suggestions (version 2.1.0).  As always, it's in the public domain.
>
> Please ignore the last patch.  Here is a new one (2.2.0) that includes
> 79 (!) more conversion functions I just discovered in a hard-to-find
> place in the MSDN documentation.  I think these were all added in
> Windows 7.
>
> I think the most complete lists of intsafe.h functions can be found at
> these links:
>
> https://msdn.microsoft.com/en-us/library/windows/desktop/ff521655
> https://msdn.microsoft.com/en-us/library/windows/desktop/ff521701
>
> The documentation is severely broken: if you try to traverse up one
> level in the heirarchy (click on "intsafe.h functions") and then you
> click on a link to go back down to the page you were on, you might
> notice that tons of functions are missing (like Int8ToUInt8 and
> LongSub).  This is why I have often been confused about what functions
> are supposed to be in intsafe.h.
>
> The PSDK version of intsafe.h seems to have even more functions hiding
> in it that are not documented at all (like LongPtrToDWordLong), but I
> am hesitant to implement undocumented functions from a copyrighted
> header.
>
> Anyway, I should have done more research before submitting the last
> patch.  Sorry for the mailing list noise.

I'm sorry for the delay, I was sure I already replied. The patch looks
mostly good and ready to be committed IMO. There is one minor thing:

-#ifndef _INTSAFE_H_INCLUDED_
-#define _INTSAFE_H_INCLUDED_
+#pragma once

We use #ifndef guards all over the place. PSDK headers usually use both.
That's find to add the pragma, but please don't delete existing guards.

Also while I was reviewing the patch, I noticed that MS version doesn't
set output value to 0, but instead to values like ~0. Documentation
specifies this case as invalid value, so whatever we use is fine IMHO.

Thanks for the work,
Jacek


--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

On 8/4/2015 9:02 AM, David Grayson wrote:

Thanks, Jacek.  I have included a new patch with all of your suggestions 
(version 2.1.0).  As always, it's in the public domain.


Please ignore the last patch.  Here is a new one (2.2.0) that includes 79 (!) 
more conversion functions I just discovered in a hard-to-find place in the MSDN 
documentation.  I think these were all added in Windows 7.

I think the most complete lists of intsafe.h functions can be found at these 
links:

https://msdn.microsoft.com/en-us/library/windows/desktop/ff521655
https://msdn.microsoft.com/en-us/library/windows/desktop/ff521701

The documentation is severely broken: if you try to traverse up one level in the 
heirarchy (click on "intsafe.h functions") and then you click on a link to go 
back down to the page you were on, you might notice that tons of functions are missing 
(like Int8ToUInt8 and LongSub).  This is why I have often been confused about what 
functions are supposed to be in intsafe.h.

The PSDK version of intsafe.h seems to have even more functions hiding in it 
that are not documented at all (like LongPtrToDWordLong), but I am hesitant to 
implement undocumented functions from a copyrighted header.

Anyway, I should have done more research before submitting the last patch.  
Sorry for the mailing list noise.

--David


diff --git a/mingw-w64-headers/include/intsafe.h 
b/mingw-w64-headers/include/intsafe.h
index 4c9459f..e112a28 100644
--- a/mingw-w64-headers/include/intsafe.h
+++ b/mingw-w64-headers/include/intsafe.h
@@ -4,16 +4,393 @@
  * No warranty is given; refer to the file DISCLAIMER.PD within this package.
  */
 
-#ifndef _INTSAFE_H_INCLUDED_
-#define _INTSAFE_H_INCLUDED_
+#pragma once
 
 #include 
 
 #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
 
+#include 
 #include 
 
 #define INTSAFE_E_ARITHMETIC_OVERFLOW ((HRESULT)0x80070216)
 
+#ifndef S_OK
+#define S_OK ((HRESULT)0)
 #endif
+
+/** The builtins we use were added in GCC 5. */
+#if __GNUC__ >= 5
+
+#ifndef __MINGW_INTSAFE_API
+#define __MINGW_INTSAFE_API FORCEINLINE
+#endif
+
+/** If CHAR is unsigned, use static inline for functions that operate
+on chars.  This avoids the risk of linking to the wrong function when
+different translation units with different types of chars are linked
+together, and code using signed chars will not be affected. */
+#ifndef __MINGW_INTSAFE_CHAR_API
+#ifdef __CHAR_UNSIGNED__
+#define __MINGW_INTSAFE_CHAR_API static inline
+#else
+#define __MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_API
 #endif
+#endif
+
+#define __MINGW_INTSAFE_BODY(operation, x, y) \
+{ \
+  if (__builtin_##operation##_overflow(x, y, result)) \
+  { \
+  *result = 0; \
+  return INTSAFE_E_ARITHMETIC_OVERFLOW; \
+  } \
+  return S_OK; \
+}
+
+#define __MINGW_INTSAFE_CONV(name, type_src, type_dest) \
+HRESULT name(type_src operand, type_dest * result) \
+__MINGW_INTSAFE_BODY(add, operand, 0)
+
+#define __MINGW_INTSAFE_MATH(name, type, operation) \
+HRESULT name(type x, type y, type * result) \
+__MINGW_INTSAFE_BODY(operation, x, y)
+
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UInt8ToInt8, UINT8, INT8)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(UInt8ToChar, UINT8, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ByteToInt8, BYTE, INT8)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(ByteToChar, BYTE, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUChar, INT8, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUInt8, INT8, UINT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUShort, INT8, USHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUInt, INT8, UINT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToULong, INT8, ULONG)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToUIntPtr, INT8, UINT_PTR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToULongPtr, INT8, ULONG_PTR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(Int8ToULongLong, INT8, ULONGLONG)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToUChar, USHORT, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToUInt8, USHORT, UINT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToByte, USHORT, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToInt8, USHORT, INT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToShort, USHORT, SHORT)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(UShortToChar, USHORT, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToUChar, WORD, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToByte, WORD, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToShort, WORD, SHORT)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(WordToChar, WORD, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToUChar, SHORT, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToUInt8, SHORT, UINT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToByte, SHORT, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToInt8, SHORT, INT8)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToUShort, SHORT, USHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

Thanks, Jacek.  I have included a new patch with all of your suggestions 
(version 2.1.0).  As always, it's in the public domain.

On 8/4/2015 3:48 AM, Jacek Caban wrote:

I'd personally call build system that mixes char types as broken, but
it's valid so we can support it. How about simply using static inline
functions for __MINGW_INTSAFE_CHAR_AP? This will avoid the problem of
having different declarations in different compile units.


Using static inline means that you won't get reliable results when comparing two function pointers that came 
from different translation units.  But that is such a minor point, so I can see why you would prefer to use 
"static inline" instead of introducing this "__mingw_intsafe_uchar_" prefix on the 
function variants that take a CHAR and treat it as unsigned.  I changed your suggestion slightly: in this 
latest patch, I only use "static inline" if __CHAR_UNSIGNED__ is defined, because I didn't want to 
impact/surprise the users of signed chars at all.

Thanks for all the quick feedback!

--David
diff --git a/mingw-w64-headers/include/intsafe.h 
b/mingw-w64-headers/include/intsafe.h
index 4c9459f..144e930 100644
--- a/mingw-w64-headers/include/intsafe.h
+++ b/mingw-w64-headers/include/intsafe.h
@@ -4,16 +4,314 @@
  * No warranty is given; refer to the file DISCLAIMER.PD within this package.
  */
 
-#ifndef _INTSAFE_H_INCLUDED_
-#define _INTSAFE_H_INCLUDED_
+#pragma once
 
 #include 
 
 #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
 
+#include 
 #include 
 
 #define INTSAFE_E_ARITHMETIC_OVERFLOW ((HRESULT)0x80070216)
 
+#ifndef S_OK
+#define S_OK ((HRESULT)0)
 #endif
+
+/** The builtins we use were added in GCC 5. */
+#if __GNUC__ >= 5
+
+#ifndef __MINGW_INTSAFE_API
+#define __MINGW_INTSAFE_API FORCEINLINE
+#endif
+
+/** If CHAR is unsigned, use static inline for functions that operate
+on chars.  This avoids the risk of linking to the wrong function when
+different translation units with different types of chars are linked
+together, and code using signed chars will not be affected. */
+#ifndef __MINGW_INTSAFE_CHAR_API
+#ifdef __CHAR_UNSIGNED__
+#define __MINGW_INTSAFE_CHAR_API static inline
+#else
+#define __MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_API
 #endif
+#endif
+
+#define __MINGW_INTSAFE_BODY(operation, x, y) \
+{ \
+  if (__builtin_##operation##_overflow(x, y, result)) \
+  { \
+  *result = 0; \
+  return INTSAFE_E_ARITHMETIC_OVERFLOW; \
+  } \
+  return S_OK; \
+}
+
+#define __MINGW_INTSAFE_CONV(name, type_src, type_dest) \
+HRESULT name(type_src operand, type_dest * result) \
+__MINGW_INTSAFE_BODY(add, operand, 0)
+
+#define __MINGW_INTSAFE_MATH(name, type, operation) \
+HRESULT name(type x, type y, type * result) \
+__MINGW_INTSAFE_BODY(operation, x, y)
+
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToUChar, USHORT, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToByte, USHORT, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UShortToShort, USHORT, SHORT)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(UShortToChar, USHORT, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToUChar, WORD, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToByte, WORD, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(WordToShort, WORD, SHORT)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(WordToChar, WORD, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToUChar, SHORT, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToByte, SHORT, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToUShort, SHORT, USHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ShortToWord, SHORT, WORD)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(ShortToChar, SHORT, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToUChar, UINT, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToByte, UINT, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToUShort, UINT, USHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToWord, UINT, WORD)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToShort, UINT, SHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToInt, UINT, INT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToLong, UINT, LONG)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToIntPtr, UINT, INT_PTR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToPtrdiffT, UINT, ptrdiff_t)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToLongPtr, UINT, LONG_PTR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(UIntToSSIZET, UINT, SSIZE_T)
+__MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_CONV(UIntToChar, UINT, CHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ULongToUChar, ULONG, UCHAR)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ULongToByte, ULONG, BYTE)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ULongToUShort, ULONG, USHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ULongToWord, ULONG, WORD)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ULongToShort, ULONG, SHORT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ULongToUInt, ULONG, UINT)
+__MINGW_INTSAFE_API __MINGW_INTSAFE_CONV(ULongToInt, ULONG, IN

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Jacek Caban]

On 08/03/15 19:08, David Grayson wrote:
> 8) Even with FORCEINLINE, you still sometimes need to have a non-inline 
> definition of the function available, for example if you are doing any 
> operations on a function pointer to one of the intsafe.h functions.  (Or is 
> that not something a user should be doing?)  Therefore, intsafe.h should 
> provide a mode for generating non-inline definitions:
>
> +#ifndef __MINGW_INTSAFE_API
> +#define __MINGW_INTSAFE_API inline
> +#endif
>
> However, the non-inline definition might be in a different translation unit 
> that has a different definition of what a CHAR is, due to the -funsigned-char 
> option.  Therefore, for code using -funsigned-char, we change the actual 
> function names for any function operating on a char, prepending them with 
> "__mingw_intsafe_uchar_".  Someone in a special situation might need to 
> generate non-inline definitions for both the normal functions and the 
> __mingw_intsafe_uchar_* variants, so I give them independent control over 
> whether the char functions will have non-inline definitions:
>
> +#ifndef __MINGW_INTSAFE_CHAR_API
> +#define __MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_API
> +#endif
>
> I imagine a lot of developers will view this whole line of reasoning as 
> pretty far-fetched and not likely to help anyone, and that is true.  But at 
> the same time, the changes that I made to support non-inline definitions and 
> unsigned chars are pretty unobtrusive and should have no effect on someone 
> who uses signed chars, so I think there is no practical cost to doing it this 
> way.
>
> So, let me know what you think and then I'll make the next version of the 
> patch that has all the needed changes.

I'd personally call build system that mixes char types as broken, but
it's valid so we can support it. How about simply using static inline
functions for __MINGW_INTSAFE_CHAR_AP? This will avoid the problem of
having different declarations in different compile units.

Thanks,
Jacek

--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

Hello, Jacek.  Thanks for taking a look at my patch!

1) I will add "#if __GNUC__ >= 5" around the parts that use the new built-ins.

2) I'll remove the change to limits.h

3) I'll remove the link to my GitHub; I was hoping people would use my script 
to regenerate the header but it's fine if they don't because it has gotten so 
simple.

4) I'll remove the MSDN links.

5) I'm not sure if we want to include wtypesbase.h either.  I generally like to 
avoid duplicating code, but if someone wants me to stop including wtypesbase.h 
and define the types myself then I'm happy to make that change.

6) I'll remove the _In_ and _Out_ annotations since they don't fit the 
mingw-w64 style.

7) I'll change inline to FORCEINLINE.

> If we use FORCEINLINE functions for them, that's not needed.

8) Even with FORCEINLINE, you still sometimes need to have a non-inline 
definition of the function available, for example if you are doing any 
operations on a function pointer to one of the intsafe.h functions.  (Or is 
that not something a user should be doing?)  Therefore, intsafe.h should 
provide a mode for generating non-inline definitions:

+#ifndef __MINGW_INTSAFE_API
+#define __MINGW_INTSAFE_API inline
+#endif

However, the non-inline definition might be in a different translation unit 
that has a different definition of what a CHAR is, due to the -funsigned-char 
option.  Therefore, for code using -funsigned-char, we change the actual 
function names for any function operating on a char, prepending them with 
"__mingw_intsafe_uchar_".  Someone in a special situation might need to 
generate non-inline definitions for both the normal functions and the 
__mingw_intsafe_uchar_* variants, so I give them independent control over 
whether the char functions will have non-inline definitions:

+#ifndef __MINGW_INTSAFE_CHAR_API
+#define __MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_API
+#endif

I imagine a lot of developers will view this whole line of reasoning as pretty 
far-fetched and not likely to help anyone, and that is true.  But at the same 
time, the changes that I made to support non-inline definitions and unsigned 
chars are pretty unobtrusive and should have no effect on someone who uses 
signed chars, so I think there is no practical cost to doing it this way.

So, let me know what you think and then I'll make the next version of the patch 
that has all the needed changes.  Thanks, Jacek!

--David


On 8/3/2015 7:34 AM, Jacek Caban wrote:
> Hi David,
>
> That's a nice work, thanks!
>
> On 08/02/15 21:17, David Grayson wrote:
>> Hello.  Attached is version 2.0.0 of the patch, which is very
>> different and only supports GCC 5 and above, because it uses new
>> built-in functions.  This version is only 331 lines long (down from
>> ~1600).  It is easy for anyone to check it because it makes no
>> assumptions about the sizes, signedness, or compatibility of the types
>> involved.
>>
>> The can also read the header and find my scripts for generating it and
>> testing it here:
>>
>> https://github.com/DavidEGrayson/intsafe/blob/2.0.0/generated/intsafe.h
>>
>> I asked about signed multiplication on
>> http://codereview.stackexchange.com/q/98791/75322 and I got a great
>> suggestion to use these new built-ins, which are documented here:
>>
>> https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
>>
>> These functions were added in GCC 5.  I wasn't sure if it was
>> important to support older versions of GCC.  If it is important, we
>> can keep working on the previous patch (version 1.1.0) and ignore this
>> one.
>
> I'm not sure how important it is. The header is a new feature for
> mingw-w64, so it may be okay to not support older compilers (at least
> problem with backward compatibility is not an issue here), but I'm not
> sure. Kai, do you have an opinion?
>
> In any case, if we use it, we should make sure that older compilers may
> at least include the header. It means #ifdefing places that use those
> new __builtiin functions.
>
>>
>> These functions vastly simplify my implementation of intsafe.h because
>> every single intsafe.h function can be written as a simple wrapper
>> around __builtin_add_overflow, __builtin_sub_overflow, or
>> __builtin_mul_overflow.  Therefore, I can generate the function bodies
>> with the preprocessor, making the header way shorter.
>>
>> The change to limits.h (to fix CHAR_MIN and CHAR_MAX when
>> -funsigned-char is provided) is no longer really needed, but I still
>> think it would be a nice change so I left it in this patch.
>>
>> Every function in this patch sets the result to 0 if there was an
>> overflow.  This isn't strictly necessary.  However, poorly-written
>> code might accidentally use the output value of an intsafe.h function
>> even if the function return an error code.  An overflow might indicate
>> that your system is under attack, and we should give the attacker as
>> little control over the execution of the code as possible.
>
> I have a few comments to the code.
>
>

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Jacek Caban]

Hi David,

That's a nice work, thanks!

On 08/02/15 21:17, David Grayson wrote:
> Hello.  Attached is version 2.0.0 of the patch, which is very
> different and only supports GCC 5 and above, because it uses new
> built-in functions.  This version is only 331 lines long (down from
> ~1600).  It is easy for anyone to check it because it makes no
> assumptions about the sizes, signedness, or compatibility of the types
> involved.
>
> The can also read the header and find my scripts for generating it and
> testing it here:
>
> https://github.com/DavidEGrayson/intsafe/blob/2.0.0/generated/intsafe.h
>
> I asked about signed multiplication on
> http://codereview.stackexchange.com/q/98791/75322 and I got a great
> suggestion to use these new built-ins, which are documented here:
>
> https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
>
> These functions were added in GCC 5.  I wasn't sure if it was
> important to support older versions of GCC.  If it is important, we
> can keep working on the previous patch (version 1.1.0) and ignore this
> one.

I'm not sure how important it is. The header is a new feature for
mingw-w64, so it may be okay to not support older compilers (at least
problem with backward compatibility is not an issue here), but I'm not
sure. Kai, do you have an opinion?

In any case, if we use it, we should make sure that older compilers may
at least include the header. It means #ifdefing places that use those
new __builtiin functions.

>
> These functions vastly simplify my implementation of intsafe.h because
> every single intsafe.h function can be written as a simple wrapper
> around __builtin_add_overflow, __builtin_sub_overflow, or
> __builtin_mul_overflow.  Therefore, I can generate the function bodies
> with the preprocessor, making the header way shorter.
>
> The change to limits.h (to fix CHAR_MIN and CHAR_MAX when
> -funsigned-char is provided) is no longer really needed, but I still
> think it would be a nice change so I left it in this patch.
>
> Every function in this patch sets the result to 0 if there was an
> overflow.  This isn't strictly necessary.  However, poorly-written
> code might accidentally use the output value of an intsafe.h function
> even if the function return an error code.  An overflow might indicate
> that your system is under attack, and we should give the attacker as
> little control over the execution of the code as possible.

I have a few comments to the code.

diff --git a/mingw-w64-headers/crt/limits.h b/mingw-w64-headers/crt/limits.h
index 73dca2a..f0145df 100644
--- a/mingw-w64-headers/crt/limits.h
+++ b/mingw-w64-headers/crt/limits.h
@@ -24,8 +24,13 @@
 #define SCHAR_MAX 127
 #define UCHAR_MAX 0xff
 
+#ifdef __CHAR_UNSIGNED__
+#define CHAR_MIN 0
+#define CHAR_MAX UCHAR_MAX
+#else
 #define CHAR_MIN SCHAR_MIN
 #define CHAR_MAX SCHAR_MAX
+#endif


I'm not sure about this, but it probably makes sense. IMO it would be nice to 
have it in a separated commit and commented by Kai.

+ *
+ * This file was auto-generated from https://github.com/DavidEGrayson/intsafe

I do worry a bit about putting such comments here. As far as I understand it, 
once it's in the tree, we will be changing it directly in header, not modifying 
your scripts, is that right? This comment could suggest developer that he 
should regenerate it instead. Could you please rephrase it?

+ *
+ * This file is an implementation of Microsoft's intsafe.h header, which
+ * provides inline functions for safe integer conversions and math operations:
+ *
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/ff521693
+ *
+ * The full list of math functions is only available here:
+ *
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/ff521701

We experienced in Wine that MS URLs are not permanent and disappear after some 
time. I'd suggest not putting them in headers. Developers will find them easily.

+#include 

PSDK version doesn't include the file and instead redeclares here required 
types. It's probably done this way to make intsafe.h as light as possible. I'm 
not sure we want to follow that.

+#ifndef __MINGW_INTSAFE_API
+#define __MINGW_INTSAFE_API inline

>From our past experience, I'd suggest FORCEINLINE. inline is not enough for 
>unoptimized builds.


+#ifndef __MINGW_INTSAFE_CHAR_API
+#define __MINGW_INTSAFE_CHAR_API __MINGW_INTSAFE_API
 #endif

Why do you need separated macro for that?

+#define __MINGW_INTSAFE_CONV(name, type_src, type_dest) \
+HRESULT name(_In_ type_src operand, _Out_ type_dest * result) \
+__MINGW_INTSAFE_BODY(add, operand, 0)
+
+#define __MINGW_INTSAFE_MATH(name, type, operation) \
+HRESULT name(_In_ type x, _In_ type y, _Out_ type * result) \
+__MINGW_INTSAFE_BODY(operation, x, y)


We usually don't use stuff like _In_ and _Out_ in mingw-w64, but they won't 
hurt so it's fine.

+/* If CHAR is unsigned, use different symbol names.
+The avoids the risk of linking to the wrong function when different
+translation units w

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

Hello.  Attached is version 2.0.0 of the patch, which is very different and 
only supports GCC 5 and above, because it uses new built-in functions.  This 
version is only 331 lines long (down from ~1600).  It is easy for anyone to 
check it because it makes no assumptions about the sizes, signedness, or 
compatibility of the types involved.

The can also read the header and find my scripts for generating it and testing 
it here:

https://github.com/DavidEGrayson/intsafe/blob/2.0.0/generated/intsafe.h

I asked about signed multiplication on 
http://codereview.stackexchange.com/q/98791/75322 and I got a great suggestion 
to use these new built-ins, which are documented here:

https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html

These functions were added in GCC 5.  I wasn't sure if it was important to 
support older versions of GCC.  If it is important, we can keep working on the 
previous patch (version 1.1.0) and ignore this one.

These functions vastly simplify my implementation of intsafe.h because every 
single intsafe.h function can be written as a simple wrapper around 
__builtin_add_overflow, __builtin_sub_overflow, or __builtin_mul_overflow.  
Therefore, I can generate the function bodies with the preprocessor, making the 
header way shorter.

The change to limits.h (to fix CHAR_MIN and CHAR_MAX when -funsigned-char is 
provided) is no longer really needed, but I still think it would be a nice 
change so I left it in this patch.

Every function in this patch sets the result to 0 if there was an overflow.  
This isn't strictly necessary.  However, poorly-written code might accidentally 
use the output value of an intsafe.h function even if the function return an 
error code.  An overflow might indicate that your system is under attack, and 
we should give the attacker as little control over the execution of the code as 
possible.

--David Grayson



On 8/1/2015 8:56 PM, David Grayson wrote:

Hello.  Attached is a patch that adds a complete implementation of intsafe.h 
that I generated and tested using Ruby.  It would be great if someone could 
merge it in.

The version of intsafe.h included in this patch can also be viewed here:

https://github.com/DavidEGrayson/intsafe/blob/1.1.0/generated/intsafe.h

That repository also has Ruby scripts that I used to help generate and test the 
header.  Hopefully we can keep using those scripts to update intsafe.h in the 
future instead of editing it by hand.  I believe using scripts to generate a 
highly-repetitive header like this is the best way to ensure consistency and 
avoid errors.

This patch also fixes the definitions of CHAR_MIN and CHAR_MAX in limits.h so 
that they have the right values when char is unsigned (-funsigned-char).  This 
change is necessary to make intsafe.h work because I used limits defined in 
limits.h and stdint.h instead of redefining them.

Some statistics:

- The intsafe.h documentation from Microsoft defines 253 inline functions:
   - 193 integer conversion functions
   - 60 math operations (20 types with 3 operations each)
- This implementation of intsafe.h is only 1562 lines (6.2 lines per function)
   - 134 function bodies
   - 119 functions defined as a simple preprocessor macro pointing a compatible 
function
- This implementation of intsafe.h is generated from 693 lines of Ruby code
- Microsoft's bulky version from the Windows SDK takes 8570 lines (33.9 lines 
per function)

I made very light use of the preprocessor because I had Ruby at my disposal, 
and I think this resulted in very clear and easy to understand code.  One thing 
that makes the code easier to check is the lack of casting in the main 
computations.  Casting can suppress a lot of useful compiler warnings so I 
simply didn't do it, and I fixed the root causes of the warnings instead.

I have a giant auto-generated test suite to test implementations of intsafe.h, and I was 
constantly running it against all combinations of architecture (32-bit and 64-it), 
language (C and C++), and char type (signed and unsigned).  The tests were run with the 
options "-Wall -Werror -pedantic -O1".  I think I am aware of most of the 
issues regarding undefined behavior from integers and I think I avoided them all.  
Although the following conditions are not strictly necessary, I think my code conforms to 
them: no operation should ever overflow, and no value should ever get converted to a type 
that cannot represent it.  I designed every function in intsafe.h so that it is 
guaranteed to write to its output parameter at least once before returning, in order to 
protect users from the undefined behavior of reading from an uninitialized variable.

I wasn't sure if I should use the always_inline attribute, so I didn't.  
Certain things you might do in C can cause undefined reference errors because 
no non-inline definition is provided by default.  However, the header can 
easily be used to generate non-inline definitions if needed, either by the user 
or by the mingw

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

Thank you, Kai.

Before Jacek or anyone spends too much time checking my
add/subtract/multiply operations, please note that I just learned
about GCC's integer overflow built-ins, and I will be rewriting the
math operations to use those and submitting a new version of this
patch:

https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html

This does not mean there is a bug with the previous patch, it just
means that I could implement it in a better way that makes it easier
to review (and probably more efficient).

--David

On Sun, Aug 2, 2015 at 7:46 AM, Kai Tietz  wrote:
> Thanks for your contribution. I would like to see Jacek's comment on this
> before it gets applied.
>
> Kai
>
> Am 02.08.2015 05:57 schrieb "David Grayson" :
>>
>> Hello.  Attached is a patch that adds a complete implementation of
>> intsafe.h that I generated and tested using Ruby.  It would be great if
>> someone could merge it in.
>>
>> The version of intsafe.h included in this patch can also be viewed here:
>>
>> https://github.com/DavidEGrayson/intsafe/blob/1.1.0/generated/intsafe.h
>>
>> That repository also has Ruby scripts that I used to help generate and
>> test the header.  Hopefully we can keep using those scripts to update
>> intsafe.h in the future instead of editing it by hand.  I believe using
>> scripts to generate a highly-repetitive header like this is the best way to
>> ensure consistency and avoid errors.
>>
>> This patch also fixes the definitions of CHAR_MIN and CHAR_MAX in limits.h
>> so that they have the right values when char is unsigned (-funsigned-char).
>> This change is necessary to make intsafe.h work because I used limits
>> defined in limits.h and stdint.h instead of redefining them.
>>
>> Some statistics:
>>
>> - The intsafe.h documentation from Microsoft defines 253 inline functions:
>>   - 193 integer conversion functions
>>   - 60 math operations (20 types with 3 operations each)
>> - This implementation of intsafe.h is only 1562 lines (6.2 lines per
>> function)
>>   - 134 function bodies
>>   - 119 functions defined as a simple preprocessor macro pointing a
>> compatible function
>> - This implementation of intsafe.h is generated from 693 lines of Ruby
>> code
>> - Microsoft's bulky version from the Windows SDK takes 8570 lines (33.9
>> lines per function)
>>
>> I made very light use of the preprocessor because I had Ruby at my
>> disposal, and I think this resulted in very clear and easy to understand
>> code.  One thing that makes the code easier to check is the lack of casting
>> in the main computations.  Casting can suppress a lot of useful compiler
>> warnings so I simply didn't do it, and I fixed the root causes of the
>> warnings instead.
>>
>> I have a giant auto-generated test suite to test implementations of
>> intsafe.h, and I was constantly running it against all combinations of
>> architecture (32-bit and 64-it), language (C and C++), and char type (signed
>> and unsigned).  The tests were run with the options "-Wall -Werror -pedantic
>> -O1".  I think I am aware of most of the issues regarding undefined behavior
>> from integers and I think I avoided them all.  Although the following
>> conditions are not strictly necessary, I think my code conforms to them: no
>> operation should ever overflow, and no value should ever get converted to a
>> type that cannot represent it.  I designed every function in intsafe.h so
>> that it is guaranteed to write to its output parameter at least once before
>> returning, in order to protect users from the undefined behavior of reading
>> from an uninitialized variable.
>>
>> I wasn't sure if I should use the always_inline attribute, so I didn't.
>> Certain things you might do in C can cause undefined reference errors
>> because no non-inline definition is provided by default.  However, the
>> header can easily be used to generate non-inline definitions if needed,
>> either by the user or by the mingw-w64 developers.  Since CHAR might be
>> signed in one translation unit and unsigned in another, I took measures to
>> prevent accidentally linking to the wrong version of a function that
>> operates on a CHAR (see line 956).
>>
>> All of the files I made for this project are in the public domain.
>>
>> I am welcome to feedback, even if it is simple things like coding style or
>> mingw-w64 conventions.  I hope you guys will find this useful when porting
>> MSVC projects over to mingw-w64, and I know I will.  Thanks!
>>
>> --David Grayson
>>
>>
>> --
>>
>> ___
>> Mingw-w64-public mailing list
>> Mingw-w64-public@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
>>
>
> --
>
> ___
> Mingw-w64-public mailing list
> Mingw-w64-public@lists.sourceforge.net
> https://lists.sourceforge

Re: [Mingw-w64-public] Patch: complete implementation of intsafe.h

[Kai Tietz]

Thanks for your contribution. I would like to see Jacek's comment on this
before it gets applied.

Kai
Am 02.08.2015 05:57 schrieb "David Grayson" :

> Hello.  Attached is a patch that adds a complete implementation of
> intsafe.h that I generated and tested using Ruby.  It would be great if
> someone could merge it in.
>
> The version of intsafe.h included in this patch can also be viewed here:
>
> https://github.com/DavidEGrayson/intsafe/blob/1.1.0/generated/intsafe.h
>
> That repository also has Ruby scripts that I used to help generate and
> test the header.  Hopefully we can keep using those scripts to update
> intsafe.h in the future instead of editing it by hand.  I believe using
> scripts to generate a highly-repetitive header like this is the best way to
> ensure consistency and avoid errors.
>
> This patch also fixes the definitions of CHAR_MIN and CHAR_MAX in limits.h
> so that they have the right values when char is unsigned
> (-funsigned-char).  This change is necessary to make intsafe.h work because
> I used limits defined in limits.h and stdint.h instead of redefining them.
>
> Some statistics:
>
> - The intsafe.h documentation from Microsoft defines 253 inline functions:
>   - 193 integer conversion functions
>   - 60 math operations (20 types with 3 operations each)
> - This implementation of intsafe.h is only 1562 lines (6.2 lines per
> function)
>   - 134 function bodies
>   - 119 functions defined as a simple preprocessor macro pointing a
> compatible function
> - This implementation of intsafe.h is generated from 693 lines of Ruby code
> - Microsoft's bulky version from the Windows SDK takes 8570 lines (33.9
> lines per function)
>
> I made very light use of the preprocessor because I had Ruby at my
> disposal, and I think this resulted in very clear and easy to understand
> code.  One thing that makes the code easier to check is the lack of casting
> in the main computations.  Casting can suppress a lot of useful compiler
> warnings so I simply didn't do it, and I fixed the root causes of the
> warnings instead.
>
> I have a giant auto-generated test suite to test implementations of
> intsafe.h, and I was constantly running it against all combinations of
> architecture (32-bit and 64-it), language (C and C++), and char type
> (signed and unsigned).  The tests were run with the options "-Wall -Werror
> -pedantic -O1".  I think I am aware of most of the issues regarding
> undefined behavior from integers and I think I avoided them all.  Although
> the following conditions are not strictly necessary, I think my code
> conforms to them: no operation should ever overflow, and no value should
> ever get converted to a type that cannot represent it.  I designed every
> function in intsafe.h so that it is guaranteed to write to its output
> parameter at least once before returning, in order to protect users from
> the undefined behavior of reading from an uninitialized variable.
>
> I wasn't sure if I should use the always_inline attribute, so I didn't.
> Certain things you might do in C can cause undefined reference errors
> because no non-inline definition is provided by default.  However, the
> header can easily be used to generate non-inline definitions if needed,
> either by the user or by the mingw-w64 developers.  Since CHAR might be
> signed in one translation unit and unsigned in another, I took measures to
> prevent accidentally linking to the wrong version of a function that
> operates on a CHAR (see line 956).
>
> All of the files I made for this project are in the public domain.
>
> I am welcome to feedback, even if it is simple things like coding style or
> mingw-w64 conventions.  I hope you guys will find this useful when porting
> MSVC projects over to mingw-w64, and I know I will.  Thanks!
>
> --David Grayson
>
>
> --
>
> ___
> Mingw-w64-public mailing list
> Mingw-w64-public@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mingw-w64-public
>
>
--
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

[Mingw-w64-public] Patch: complete implementation of intsafe.h

[David Grayson]

Hello.  Attached is a patch that adds a complete implementation of intsafe.h 
that I generated and tested using Ruby.  It would be great if someone could 
merge it in.

The version of intsafe.h included in this patch can also be viewed here:

https://github.com/DavidEGrayson/intsafe/blob/1.1.0/generated/intsafe.h

That repository also has Ruby scripts that I used to help generate and test the 
header.  Hopefully we can keep using those scripts to update intsafe.h in the 
future instead of editing it by hand.  I believe using scripts to generate a 
highly-repetitive header like this is the best way to ensure consistency and 
avoid errors.

This patch also fixes the definitions of CHAR_MIN and CHAR_MAX in limits.h so 
that they have the right values when char is unsigned (-funsigned-char).  This 
change is necessary to make intsafe.h work because I used limits defined in 
limits.h and stdint.h instead of redefining them.

Some statistics:

- The intsafe.h documentation from Microsoft defines 253 inline functions:
  - 193 integer conversion functions
  - 60 math operations (20 types with 3 operations each)
- This implementation of intsafe.h is only 1562 lines (6.2 lines per function)
  - 134 function bodies
  - 119 functions defined as a simple preprocessor macro pointing a compatible 
function
- This implementation of intsafe.h is generated from 693 lines of Ruby code
- Microsoft's bulky version from the Windows SDK takes 8570 lines (33.9 lines 
per function)

I made very light use of the preprocessor because I had Ruby at my disposal, 
and I think this resulted in very clear and easy to understand code.  One thing 
that makes the code easier to check is the lack of casting in the main 
computations.  Casting can suppress a lot of useful compiler warnings so I 
simply didn't do it, and I fixed the root causes of the warnings instead.

I have a giant auto-generated test suite to test implementations of intsafe.h, and I was 
constantly running it against all combinations of architecture (32-bit and 64-it), 
language (C and C++), and char type (signed and unsigned).  The tests were run with the 
options "-Wall -Werror -pedantic -O1".  I think I am aware of most of the 
issues regarding undefined behavior from integers and I think I avoided them all.  
Although the following conditions are not strictly necessary, I think my code conforms to 
them: no operation should ever overflow, and no value should ever get converted to a type 
that cannot represent it.  I designed every function in intsafe.h so that it is 
guaranteed to write to its output parameter at least once before returning, in order to 
protect users from the undefined behavior of reading from an uninitialized variable.

I wasn't sure if I should use the always_inline attribute, so I didn't.  
Certain things you might do in C can cause undefined reference errors because 
no non-inline definition is provided by default.  However, the header can 
easily be used to generate non-inline definitions if needed, either by the user 
or by the mingw-w64 developers.  Since CHAR might be signed in one translation 
unit and unsigned in another, I took measures to prevent accidentally linking 
to the wrong version of a function that operates on a CHAR (see line 956).

All of the files I made for this project are in the public domain.

I am welcome to feedback, even if it is simple things like coding style or 
mingw-w64 conventions.  I hope you guys will find this useful when porting MSVC 
projects over to mingw-w64, and I know I will.  Thanks!

--David Grayson
diff --git a/mingw-w64-headers/crt/limits.h b/mingw-w64-headers/crt/limits.h
index 73dca2a..f0145df 100644
--- a/mingw-w64-headers/crt/limits.h
+++ b/mingw-w64-headers/crt/limits.h
@@ -24,8 +24,13 @@
 #define SCHAR_MAX 127
 #define UCHAR_MAX 0xff
 
+#ifdef __CHAR_UNSIGNED__
+#define CHAR_MIN 0
+#define CHAR_MAX UCHAR_MAX
+#else
 #define CHAR_MIN SCHAR_MIN
 #define CHAR_MAX SCHAR_MAX
+#endif
 
 #define MB_LEN_MAX 5
 #define SHRT_MIN (-32768)
diff --git a/mingw-w64-headers/include/intsafe.h 
b/mingw-w64-headers/include/intsafe.h
index 4c9459f..f191e00 100644
--- a/mingw-w64-headers/include/intsafe.h
+++ b/mingw-w64-headers/include/intsafe.h
@@ -2,18 +2,1561 @@
  * This file has no copyright assigned and is placed in the Public Domain.
  * This file is part of the mingw-w64 runtime package.
  * No warranty is given; refer to the file DISCLAIMER.PD within this package.
+ *
+ * This file was auto-generated from https://github.com/DavidEGrayson/intsafe
+ *
+ * This file is an implementation of Microsoft's intsafe.h header, which
+ * provides inline functions for safe integer conversions and math operations:
+ *
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/ff521693
+ *
+ * The full list of math functions is only available here:
+ *
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/ff521701
  */
 
-#ifndef _INTSAFE_H_INCLUDED_
-#define _INTSAFE_H_INCLUDED_
+/* This file is free and