+2007-02-25 Paul Eggert <eggert@cs.ucla.edu>
+
+ * README: Document signed integer overflow situation more
+ accurately.
+
2007-02-25 Bruno Haible <bruno@clisp.org>
* lib/vasnprintf.c (VASNPRINTF): Fix estimate of size needed for a
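Review bot: the ChangeLog entry describes the change as documenting the overflow situation "more accurately", which understates it: the README hunk below carves out signed loop indexes as a case where overflow is undefined, so it withdraws an assumption that Gnulib code was previously told it could rely on, rather than only rewording an existing one. Consider saying so explicitly, e.g. "* README: Document that overflow of signed loop indexes is undefined, not wraparound."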
require 'int' to be at least 32 bits wide, so Gnulib code assumes this
as well. Gnulib code makes the following additional assumptions:
- * Signed integer arithmetic is two's complement, without runtime
- overflow checking. This is the traditional behavior, and is
- supported by C99 implementations that conform to ISO/IEC 10967-1
- (LIA-1) and that define signed integer types as being modulo.
+ * With one exception noted below, signed integer arithmetic is two's
+ complement, without runtime overflow checking. This is the
+ traditional behavior, and is supported by C99 implementations that
+ conform to ISO/IEC 10967-1 (LIA-1) and that define signed integer
+ types as being modulo.
+
+ The exception is signed loop indexes. Here, the behavior is
+ undefined if any signed expression derived from the loop index
+ overflows. For example, the following code contains two such
+ overflows (the "i++" and the "i + 1") and therefore has undefined
+ behavior:
+
+ int i;
+ for (i = INT_MAX - 10; i <= INT_MAX; i++)
+ if (i + 1 < 0)
+ {
+ report_overflow ();
+ break;
+ }
+
+ This exception is a concession to modern optimizing compilers,
+ which can turn the above loop into code that executes the loop body
+ 11 times, even though wraparound arithmetic would cause the loop to
+ iterate forever.
* There are no "holes" in integer values: all the bits of an integer
contribute to its value in the usual way.
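Review bot: the closing sentence of the new text ("even though wraparound arithmetic would cause the loop to iterate forever") does not match the example as written. Under wraparound semantics, on the eleventh iteration i == INT_MAX, so "i + 1" wraps to INT_MIN, the test "i + 1 < 0" succeeds, report_overflow () is called and the break leaves the loop; it is only the bare loop header "i <= INT_MAX; i++" that would never terminate. The real contrast is that an optimizing compiler may assume "i + 1" cannot overflow, delete the check, and run the body exactly 11 times without ever calling report_overflow (). Suggest rewording to something like "which can assume that i + 1 never overflows, discard the check, and execute the loop body 11 times without ever calling report_overflow (), whereas wraparound arithmetic would detect the overflow on the last iteration."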