For the cases where it's more than just nitems * sizeof(item),
maybe it wouldn't be a bad idea to have something like:
#include <stddef.h>	/* size_t */
#include <stdint.h>	/* intmax_t, SIZE_MAX */

static __inline int
MULT_OVERFLOWS(int x, int y)
{
	/* 2^(bits/2): when both operands are below this, x * y fits in a size_t. */
	const intmax_t max = 1UL << sizeof(size_t) * 4;

	/* Only pay for the division when an operand is large enough to overflow. */
	return ((x >= max || y >= max) && x > 0 && SIZE_MAX / x < y);
}
(or maybe a macro version) in some public header someplace,
and use it in associated assertions where applicable.
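As an added illustration (example code, not part of the original mail and not OpenBSD's own implementation), here is the proposed fast-path check written over size_t operands rather than int, placed beside the plain division check it is meant to shortcut. The probe sweep in fastpath_agrees_with_reference() confirms that skipping the division whenever both operands are below 2^(bits/2) never changes the answer, and xmallocarray() is a hypothetical userland wrapper showing how a caller refuses a wrapped request instead of passing it to malloc().

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Added example, not from the original mail. MUL_NO_OVERFLOW is
 * 2^(bits/2): if both operands are below it their product is below
 * 2^bits and cannot wrap, so the division is only needed for large
 * operands.
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Reference check: the division test, always performed. */
static int
mult_overflows_slow(size_t x, size_t y)
{
	return (x != 0 && SIZE_MAX / x < y);
}

/* Fast-path version: skip the division when both operands are small. */
static int
mult_overflows(size_t x, size_t y)
{
	return ((x >= MUL_NO_OVERFLOW || y >= MUL_NO_OVERFLOW) &&
	    x != 0 && SIZE_MAX / x < y);
}

/*
 * Hypothetical userland mallocarray()-style wrapper: refuse the request
 * with ENOMEM instead of handing malloc() a wrapped (too small) size.
 */
static void *
xmallocarray(size_t nmemb, size_t size)
{
	if (mult_overflows(nmemb, size)) {
		errno = ENOMEM;
		return NULL;
	}
	return malloc(nmemb * size);
}

/*
 * Sweep edge values around the fast-path threshold and around SIZE_MAX
 * and report whether the fast path ever disagrees with the reference
 * check. Returns 1 when they agree on every pair, 0 otherwise.
 */
static int
fastpath_agrees_with_reference(void)
{
	const size_t probes[] = {
		0, 1, 2, 3, 4, 7, 8,
		MUL_NO_OVERFLOW - 1, MUL_NO_OVERFLOW, MUL_NO_OVERFLOW + 1,
		SIZE_MAX / 3, SIZE_MAX / 2, SIZE_MAX - 1, SIZE_MAX,
	};
	size_t n = sizeof(probes) / sizeof(probes[0]);
	size_t i, j;

	for (i = 0; i < n; i++)
		for (j = 0; j < n; j++)
			if (mult_overflows(probes[i], probes[j]) !=
			    mult_overflows_slow(probes[i], probes[j]))
				return 0;
	return 1;
}
```

The two checks differ only in whether the division runs for small operands; the sweep shows the fast path is exact, not merely approximate, which is what makes it safe to use in an assertion rather than only as a hint.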
> Index: sys/dev/ic/mfi.c
> - sc->sc_bbu_status = malloc(sizeof(*sc->sc_bbu_status) *
> - sizeof(mfi_bbu_indicators), M_DEVBUF, M_WAITOK | M_ZERO);
> + sc->sc_bbu_status = mallocarray(sizeof(mfi_bbu_indicators),
> + sizeof(*sc->sc_bbu_status), M_DEVBUF, M_WAITOK | M_ZERO);
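Review bot: both mallocarray() arguments in this hunk are compile-time sizeof() constants, so the product cannot overflow at run time and the conversion buys only uniformity at the cost of an extra call; if the "known constant" cases are being left as malloc(), this one belongs in that group. Separately, sizeof(mfi_bbu_indicators) is passed as the item count: if mfi_bbu_indicators is an array, sizeof() yields its size in bytes rather than its element count, so the allocation would be sizeof(*sc->sc_bbu_status) bytes per byte of the array. That is unchanged from the malloc() line being replaced, so it is pre-existing rather than introduced here, but worth confirming the count is the intended one while the line is being touched.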
If we're not converting (numeric constant) * sizeof(foo) because it's
cheaper not to and realistically impossible to overflow anyway, then
I think we shouldn't convert sizeof() * sizeof() for the same reason.
>>>> Tedu:
>>>> - shellargp = malloc(4 * sizeof(char *), M_EXEC, M_WAITOK);
>>>> + shellargp = mallocarray(4, sizeof(char *), M_EXEC, M_WAITOK);
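Review bot: 4 * sizeof(char *) is a constant product that is folded at compile time and cannot overflow, so mallocarray(4, sizeof(char *), ...) adds a run-time multiply and overflow check (and, as noted in the reply below, an extra register window on sparc and sparc64) for no safety gain. If the constant-count cases are being skipped elsewhere in this series, this hunk should be dropped for consistency, or the conversion policy should say explicitly that uniformity is preferred over cost.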
>>> Theo:
>>> As for the final diff, I've been giving up on the "known constant"
>>> scenario. It seems expensive.
>> Tedu:
>> Meh. :) I think they can be changed back if necessary; in the meantime
>> it makes it easier to see what's done and what remains.
> Theo:
> It is an extra register window on sparc and sparc64.