diff mbox series

Fix incorrect int->float conversions caught by clang -Wimplicit-int-float-conversion

Message ID 20191116010731.3jdxozzfpsqsrcc4@google.com (mailing list archive)
State New, archived
Headers show
Series Fix incorrect int->float conversions caught by clang -Wimplicit-int-float-conversion | expand

Commit Message

Fangrui Song Nov. 16, 2019, 1:07 a.m. UTC
The warning will be enabled by default in clang 10. It is not available for clang <= 9.

qemu/migration/migration.c:2038:24: error: implicit conversion from 'long' to 'double' changes value from 9223372036854775807 to 9223372036854775808 [-Werror,-Wimplicit-int-float-conversion]
...
qemu/util/cutils.c:245:23: error: implicit conversion from 'unsigned long' to 'double' changes value from 18446744073709550592 to 18446744073709551616 [-Werror,-Wimplicit-int-float-conversion]

Signed-off-by: Fangrui Song <i@maskray.me>
---
  migration/migration.c | 4 ++--
  util/cutils.c         | 4 ++--
  2 files changed, 4 insertions(+), 4 deletions(-)

Comments

Markus Armbruster Nov. 19, 2019, 3:14 p.m. UTC | #1
Fangrui Song <i@maskray.me> writes:

> The warning will be enabled by default in clang 10. It is not available for clang <= 9.
>
> qemu/migration/migration.c:2038:24: error: implicit conversion from 'long' to 'double' changes value from 9223372036854775807 to 9223372036854775808 [-Werror,-Wimplicit-int-float-conversion]
> ...
> qemu/util/cutils.c:245:23: error: implicit conversion from 'unsigned long' to 'double' changes value from 18446744073709550592 to 18446744073709551616 [-Werror,-Wimplicit-int-float-conversion]
>
> Signed-off-by: Fangrui Song <i@maskray.me>
> ---
>   migration/migration.c | 4 ++--
>   util/cutils.c         | 4 ++--
>   2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/migration/migration.c b/migration/migration.c
> index 354ad072fa..ac3ea2934a 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -53,6 +53,7 @@
>   #include "monitor/monitor.h"
>   #include "net/announce.h"
>   #include "qemu/queue.h"
> +#include <math.h>
>   
>   #define MAX_THROTTLE  (32 << 20)      /* Migration transfer speed throttling */
>   
> @@ -2035,11 +2036,10 @@ void qmp_migrate_set_downtime(double value, Error **errp)
        if (value < 0 || value > MAX_MIGRATE_DOWNTIME_SECONDS) {
            error_setg(errp, "Parameter 'downtime_limit' expects an integer in "
                             "the range of 0 to %d seconds",
                             MAX_MIGRATE_DOWNTIME_SECONDS);
            return;
>       }

@value is now in [0,2000].

>   
>       value *= 1000; /* Convert to milliseconds */

@value is in [0,2000000]

> -    value = MAX(0, MIN(INT64_MAX, value));

This does nothing.

>   
>       MigrateSetParameters p = {
>           .has_downtime_limit = true,
> -        .downtime_limit = value,
> +        .downtime_limit = (int64_t)fmin(value, nextafter(0x1p63, 0)),

This does nothing and is hard to read :)

Can we simply drop the offending line statement instead?

>       };
>   
>       qmp_migrate_set_parameters(&p, errp);
> diff --git a/util/cutils.c b/util/cutils.c
> index fd591cadf0..2b4484c015 100644
> --- a/util/cutils.c
> +++ b/util/cutils.c
> @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char **end,
>           goto out;
>       }
>       /*
> -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
> +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
>        * through double (53 bits of precision).
>        */
> -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
> +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
>           retval = -ERANGE;
>           goto out;
>       }
        *result = val * mul;

I figure this one is correct and hard to read.

0xfffffffffffffc00 is not representable exactly as double.  It's
half-way between the representable values 0xfffffffffffff800 and
0x10000000000000000.  Which one we get is implementation-defined.  Bad.

nextafter(0x1p64, 0) is a clever way to write 0xfffffffffffff800, the
largest uint64_t exactly representable as double.

With your patch, val * mul in [0,0xfffffffffffff800] will be accepted.

The first val * mul above this range is 0x1p64.  Rejecting it is
correct, because it overflows yint64_t.
Fangrui Song Nov. 19, 2019, 8:49 p.m. UTC | #2
> Fangrui Song <address@hidden> writes:
> 
> > The warning will be enabled by default in clang 10. It is not available for 
> > clang <= 9.
> >
> > qemu/migration/migration.c:2038:24: error: implicit conversion from 'long' to 
> > 'double' changes value from 9223372036854775807 to 9223372036854775808 
> > [-Werror,-Wimplicit-int-float-conversion]
> > ...
> > qemu/util/cutils.c:245:23: error: implicit conversion from 'unsigned long' to 
> > 'double' changes value from 18446744073709550592 to 18446744073709551616 
> > [-Werror,-Wimplicit-int-float-conversion]
> >
> > Signed-off-by: Fangrui Song <address@hidden>
> > ---
> >   migration/migration.c | 4 ++--
> >   util/cutils.c         | 4 ++--
> >   2 files changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/migration/migration.c b/migration/migration.c
> > index 354ad072fa..ac3ea2934a 100644
> > --- a/migration/migration.c
> > +++ b/migration/migration.c
> > @@ -53,6 +53,7 @@
> >   #include "monitor/monitor.h"
> >   #include "net/announce.h"
> >   #include "qemu/queue.h"
> > +#include <math.h>
> >   
> >   #define MAX_THROTTLE  (32 << 20)      /* Migration transfer speed 
> > throttling */
> >   
> > @@ -2035,11 +2036,10 @@ void qmp_migrate_set_downtime(double value, Error 
> > **errp)
>         if (value < 0 || value > MAX_MIGRATE_DOWNTIME_SECONDS) {
>             error_setg(errp, "Parameter 'downtime_limit' expects an integer in "
>                              "the range of 0 to %d seconds",
>                              MAX_MIGRATE_DOWNTIME_SECONDS);
>             return;
> >       }
> 
> @value is now in [0,2000].
> 
> >   
> >       value *= 1000; /* Convert to milliseconds */
> 
> @value is in [0,2000000]
> 
> > -    value = MAX(0, MIN(INT64_MAX, value));
> 
> This does nothing.
> 
> >   
> >       MigrateSetParameters p = {
> >           .has_downtime_limit = true,
> > -        .downtime_limit = value,
> > +        .downtime_limit = (int64_t)fmin(value, nextafter(0x1p63, 0)),
> 
> This does nothing and is hard to read :)
> 
> Can we simply drop the offending line statement instead?

Fixed in the new patch.

> >       };
> >   
> >       qmp_migrate_set_parameters(&p, errp);
> > diff --git a/util/cutils.c b/util/cutils.c
> > index fd591cadf0..2b4484c015 100644
> > --- a/util/cutils.c
> > +++ b/util/cutils.c
> > @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char 
> > **end,
> >           goto out;
> >       }
> >       /*
> > -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
> > +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
> >        * through double (53 bits of precision).
> >        */
> > -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
> > +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
> >           retval = -ERANGE;
> >           goto out;
> >       }
>         *result = val * mul;
> 
> I figure this one is correct and hard to read.
> 
> 0xfffffffffffffc00 is not representable exactly as double.  It's
> half-way between the representable values 0xfffffffffffff800 and
> 0x10000000000000000.  Which one we get is implementation-defined.  Bad.
> 
> nextafter(0x1p64, 0) is a clever way to write 0xfffffffffffff800, the
> largest uint64_t exactly representable as double.
> 
> With your patch, val * mul in [0,0xfffffffffffff800] will be accepted.
> 
> The first val * mul above this range is 0x1p64.  Rejecting it is
> correct, because it overflows yint64_t.

I am not subscribed, so apologize that this email may be off the thread.

(The binutils mailing list allows a user to download the raw email so I
can still reply to a specific email, but this list does not provide such
feature.)
Juan Quintela Nov. 20, 2019, 11:15 a.m. UTC | #3
Markus Armbruster <armbru@redhat.com> wrote:
> Fangrui Song <i@maskray.me> writes:
>
>> The warning will be enabled by default in clang 10. It is not
>> available for clang <= 9.
>>
>> qemu/migration/migration.c:2038:24: error: implicit conversion from
>> 'long' to 'double' changes value from 9223372036854775807 to
>> 9223372036854775808 [-Werror,-Wimplicit-int-float-conversion]
>> ...
>> qemu/util/cutils.c:245:23: error: implicit conversion from 'unsigned
>> long' to 'double' changes value from 18446744073709550592 to
>> 18446744073709551616 [-Werror,-Wimplicit-int-float-conversion]
>>
>> Signed-off-by: Fangrui Song <i@maskray.me>
>> ---
>>   migration/migration.c | 4 ++--
>>   util/cutils.c         | 4 ++--
>>   2 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/migration/migration.c b/migration/migration.c
>> index 354ad072fa..ac3ea2934a 100644
>> --- a/migration/migration.c
>> +++ b/migration/migration.c
>> @@ -53,6 +53,7 @@
>>   #include "monitor/monitor.h"
>>   #include "net/announce.h"
>>   #include "qemu/queue.h"
>> +#include <math.h>
>>   
>>   #define MAX_THROTTLE  (32 << 20)      /* Migration transfer speed throttling */
>>   
>> @@ -2035,11 +2036,10 @@ void qmp_migrate_set_downtime(double value, Error **errp)
>         if (value < 0 || value > MAX_MIGRATE_DOWNTIME_SECONDS) {
>             error_setg(errp, "Parameter 'downtime_limit' expects an integer in "
>                              "the range of 0 to %d seconds",
>                              MAX_MIGRATE_DOWNTIME_SECONDS);
>             return;
>>       }
>
> @value is now in [0,2000].
>
>>   
>>       value *= 1000; /* Convert to milliseconds */
>
> @value is in [0,2000000]
>
>> -    value = MAX(0, MIN(INT64_MAX, value));
>
> This does nothing.
>
>>   
>>       MigrateSetParameters p = {
>>           .has_downtime_limit = true,
>> -        .downtime_limit = value,
>> +        .downtime_limit = (int64_t)fmin(value, nextafter(0x1p63, 0)),
>
> This does nothing and is hard to read :)
>
> Can we simply drop the offending line statement instead?

Agreed aboutdropping the whole bussines for migration.


>>       };
>>   
>>       qmp_migrate_set_parameters(&p, errp);
>> diff --git a/util/cutils.c b/util/cutils.c
>> index fd591cadf0..2b4484c015 100644
>> --- a/util/cutils.c
>> +++ b/util/cutils.c
>> @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char **end,
>>           goto out;
>>       }
>>       /*
>> -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
>> +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
>>        * through double (53 bits of precision).
>>        */
>> -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
>> +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
>>           retval = -ERANGE;
>>           goto out;
>>       }

This comment was really bad (it says the same that the code).
On the other hand, I can *kind of* understand what does 0xffff<more
f's here>.

But I am at a complete loss about what value is:

nextafter(0x1p64, 0).

Can we put what value is that instead?

Thanks, Juan.
Fangrui Song Nov. 20, 2019, 5:30 p.m. UTC | #4
On 2019-11-20, Juan Quintela wrote:
>Markus Armbruster <armbru@redhat.com> wrote:
>> Fangrui Song <i@maskray.me> writes:
>>
>>> The warning will be enabled by default in clang 10. It is not
>>> available for clang <= 9.
>>>
>>> qemu/migration/migration.c:2038:24: error: implicit conversion from
>>> 'long' to 'double' changes value from 9223372036854775807 to
>>> 9223372036854775808 [-Werror,-Wimplicit-int-float-conversion]
>>> ...
>>> qemu/util/cutils.c:245:23: error: implicit conversion from 'unsigned
>>> long' to 'double' changes value from 18446744073709550592 to
>>> 18446744073709551616 [-Werror,-Wimplicit-int-float-conversion]
>>>
>>> Signed-off-by: Fangrui Song <i@maskray.me>
>>> ---
>>>   migration/migration.c | 4 ++--
>>>   util/cutils.c         | 4 ++--
>>>   2 files changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/migration/migration.c b/migration/migration.c
>>> index 354ad072fa..ac3ea2934a 100644
>>> --- a/migration/migration.c
>>> +++ b/migration/migration.c
>>> @@ -53,6 +53,7 @@
>>>   #include "monitor/monitor.h"
>>>   #include "net/announce.h"
>>>   #include "qemu/queue.h"
>>> +#include <math.h>
>>>
>>>   #define MAX_THROTTLE  (32 << 20)      /* Migration transfer speed throttling */
>>>
>>> @@ -2035,11 +2036,10 @@ void qmp_migrate_set_downtime(double value, Error **errp)
>>         if (value < 0 || value > MAX_MIGRATE_DOWNTIME_SECONDS) {
>>             error_setg(errp, "Parameter 'downtime_limit' expects an integer in "
>>                              "the range of 0 to %d seconds",
>>                              MAX_MIGRATE_DOWNTIME_SECONDS);
>>             return;
>>>       }
>>
>> @value is now in [0,2000].
>>
>>>
>>>       value *= 1000; /* Convert to milliseconds */
>>
>> @value is in [0,2000000]
>>
>>> -    value = MAX(0, MIN(INT64_MAX, value));
>>
>> This does nothing.
>>
>>>
>>>       MigrateSetParameters p = {
>>>           .has_downtime_limit = true,
>>> -        .downtime_limit = value,
>>> +        .downtime_limit = (int64_t)fmin(value, nextafter(0x1p63, 0)),
>>
>> This does nothing and is hard to read :)
>>
>> Can we simply drop the offending line statement instead?
>
>Agreed aboutdropping the whole bussines for migration.
>
>
>>>       };
>>>
>>>       qmp_migrate_set_parameters(&p, errp);
>>> diff --git a/util/cutils.c b/util/cutils.c
>>> index fd591cadf0..2b4484c015 100644
>>> --- a/util/cutils.c
>>> +++ b/util/cutils.c
>>> @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char **end,
>>>           goto out;
>>>       }
>>>       /*
>>> -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
>>> +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
>>>        * through double (53 bits of precision).
>>>        */
>>> -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
>>> +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
>>>           retval = -ERANGE;
>>>           goto out;
>>>       }
>
>This comment was really bad (it says the same that the code).
>On the other hand, I can *kind of* understand what does 0xffff<more
>f's here>.
>
>But I am at a complete loss about what value is:
>
>nextafter(0x1p64, 0).
>
>Can we put what value is that instead?

It is a C99 hexadecimal floating-point literal.
0x1p64 represents hex fraction 1.0 scaled by 2**64, that is 2**64.

We can write this as `val * mul > 0xfffffffffffff800p0`, but I feel that
counting the number of f's is error-prone and is not fun.

(We cannot use val * mul >= 0x1p64.
If FLT_EVAL_METHOD == 2, the intermediate computation val * mul will be
performed at long double precision, val * mul may not by representable
by a double and will overflow as (double)0x1p64.)
Richard Henderson Nov. 21, 2019, 12:18 p.m. UTC | #5
On 11/20/19 6:30 PM, Fangrui Song wrote:
> On 2019-11-20, Juan Quintela wrote:
>> Markus Armbruster <armbru@redhat.com> wrote:
>>> Fangrui Song <i@maskray.me> writes:
>>>
>>>> The warning will be enabled by default in clang 10. It is not
>>>> available for clang <= 9.
>>>>
>>>> qemu/migration/migration.c:2038:24: error: implicit conversion from
>>>> 'long' to 'double' changes value from 9223372036854775807 to
>>>> 9223372036854775808 [-Werror,-Wimplicit-int-float-conversion]
>>>> ...
>>>> qemu/util/cutils.c:245:23: error: implicit conversion from 'unsigned
>>>> long' to 'double' changes value from 18446744073709550592 to
>>>> 18446744073709551616 [-Werror,-Wimplicit-int-float-conversion]
>>>>
>>>> Signed-off-by: Fangrui Song <i@maskray.me>
>>>> ---
>>>>   migration/migration.c | 4 ++--
>>>>   util/cutils.c         | 4 ++--
>>>>   2 files changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/migration/migration.c b/migration/migration.c
>>>> index 354ad072fa..ac3ea2934a 100644
>>>> --- a/migration/migration.c
>>>> +++ b/migration/migration.c
>>>> @@ -53,6 +53,7 @@
>>>>   #include "monitor/monitor.h"
>>>>   #include "net/announce.h"
>>>>   #include "qemu/queue.h"
>>>> +#include <math.h>
>>>>
>>>>   #define MAX_THROTTLE  (32 << 20)      /* Migration transfer speed
>>>> throttling */
>>>>
>>>> @@ -2035,11 +2036,10 @@ void qmp_migrate_set_downtime(double value, Error
>>>> **errp)
>>>         if (value < 0 || value > MAX_MIGRATE_DOWNTIME_SECONDS) {
>>>             error_setg(errp, "Parameter 'downtime_limit' expects an integer
>>> in "
>>>                              "the range of 0 to %d seconds",
>>>                              MAX_MIGRATE_DOWNTIME_SECONDS);
>>>             return;
>>>>       }
>>>
>>> @value is now in [0,2000].
>>>
>>>>
>>>>       value *= 1000; /* Convert to milliseconds */
>>>
>>> @value is in [0,2000000]
>>>
>>>> -    value = MAX(0, MIN(INT64_MAX, value));
>>>
>>> This does nothing.
>>>
>>>>
>>>>       MigrateSetParameters p = {
>>>>           .has_downtime_limit = true,
>>>> -        .downtime_limit = value,
>>>> +        .downtime_limit = (int64_t)fmin(value, nextafter(0x1p63, 0)),
>>>
>>> This does nothing and is hard to read :)
>>>
>>> Can we simply drop the offending line statement instead?
>>
>> Agreed aboutdropping the whole bussines for migration.
>>
>>
>>>>       };
>>>>
>>>>       qmp_migrate_set_parameters(&p, errp);
>>>> diff --git a/util/cutils.c b/util/cutils.c
>>>> index fd591cadf0..2b4484c015 100644
>>>> --- a/util/cutils.c
>>>> +++ b/util/cutils.c
>>>> @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char
>>>> **end,
>>>>           goto out;
>>>>       }
>>>>       /*
>>>> -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
>>>> +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
>>>>        * through double (53 bits of precision).
>>>>        */
>>>> -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
>>>> +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
>>>>           retval = -ERANGE;
>>>>           goto out;
>>>>       }
>>
>> This comment was really bad (it says the same that the code).
>> On the other hand, I can *kind of* understand what does 0xffff<more
>> f's here>.
>>
>> But I am at a complete loss about what value is:
>>
>> nextafter(0x1p64, 0).
>>
>> Can we put what value is that instead?
> 
> It is a C99 hexadecimal floating-point literal.
> 0x1p64 represents hex fraction 1.0 scaled by 2**64, that is 2**64.
> 
> We can write this as `val * mul > 0xfffffffffffff800p0`, but I feel that
> counting the number of f's is error-prone and is not fun.
> 
> (We cannot use val * mul >= 0x1p64.
> If FLT_EVAL_METHOD == 2, the intermediate computation val * mul will be
> performed at long double precision, val * mul may not by representable
> by a double and will overflow as (double)0x1p64.)

I agree about not spelling out the f's, or the 0x800 at the end.  That's
something that the compiler can do for us, resolving this standard library
function at compile-time.

We just need a better comment.  Perhaps:

    /*
     * Values near UINT64_MAX overflow to 2**64 when converting
     * to double precision.  Compare against the maximum representable
     * double precision value below 2**64, computed as "the next value
     * after 2**64 (0x1p64) in the direction of 0".
     */


r~
Markus Armbruster Nov. 21, 2019, 2:51 p.m. UTC | #6
Richard Henderson <richard.henderson@linaro.org> writes:

> On 11/20/19 6:30 PM, Fangrui Song wrote:
>> On 2019-11-20, Juan Quintela wrote:
>>> Markus Armbruster <armbru@redhat.com> wrote:
>>>> Fangrui Song <i@maskray.me> writes:
[...]
>>>>> diff --git a/util/cutils.c b/util/cutils.c
>>>>> index fd591cadf0..2b4484c015 100644
>>>>> --- a/util/cutils.c
>>>>> +++ b/util/cutils.c
>>>>> @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char
>>>>> **end,
>>>>>           goto out;
>>>>>       }
>>>>>       /*
>>>>> -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
>>>>> +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
>>>>>        * through double (53 bits of precision).
>>>>>        */
>>>>> -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
>>>>> +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
>>>>>           retval = -ERANGE;
>>>>>           goto out;
>>>>>       }
>>>
>>> This comment was really bad (it says the same that the code).
>>> On the other hand, I can *kind of* understand what does 0xffff<more
>>> f's here>.
>>>
>>> But I am at a complete loss about what value is:
>>>
>>> nextafter(0x1p64, 0).
>>>
>>> Can we put what value is that instead?
>> 
>> It is a C99 hexadecimal floating-point literal.
>> 0x1p64 represents hex fraction 1.0 scaled by 2**64, that is 2**64.
>> 
>> We can write this as `val * mul > 0xfffffffffffff800p0`, but I feel that
>> counting the number of f's is error-prone and is not fun.
>> 
>> (We cannot use val * mul >= 0x1p64.
>> If FLT_EVAL_METHOD == 2, the intermediate computation val * mul will be
>> performed at long double precision, val * mul may not by representable
>> by a double and will overflow as (double)0x1p64.)
>
> I agree about not spelling out the f's, or the 0x800 at the end.  That's
> something that the compiler can do for us, resolving this standard library
> function at compile-time.
>
> We just need a better comment.  Perhaps:
>
>     /*
>      * Values near UINT64_MAX overflow to 2**64 when converting
>      * to double precision.  Compare against the maximum representable
>      * double precision value below 2**64, computed as "the next value
>      * after 2**64 (0x1p64) in the direction of 0".
>      */

Yes, please.
Fangrui Song Nov. 21, 2019, 5:11 p.m. UTC | #7
On 2019-11-21, Markus Armbruster wrote:
>Richard Henderson <richard.henderson@linaro.org> writes:
>
>> On 11/20/19 6:30 PM, Fangrui Song wrote:
>>> On 2019-11-20, Juan Quintela wrote:
>>>> Markus Armbruster <armbru@redhat.com> wrote:
>>>>> Fangrui Song <i@maskray.me> writes:
>[...]
>>>>>> diff --git a/util/cutils.c b/util/cutils.c
>>>>>> index fd591cadf0..2b4484c015 100644
>>>>>> --- a/util/cutils.c
>>>>>> +++ b/util/cutils.c
>>>>>> @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char
>>>>>> **end,
>>>>>>           goto out;
>>>>>>       }
>>>>>>       /*
>>>>>> -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
>>>>>> +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
>>>>>>        * through double (53 bits of precision).
>>>>>>        */
>>>>>> -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
>>>>>> +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
>>>>>>           retval = -ERANGE;
>>>>>>           goto out;
>>>>>>       }
>>>>
>>>> This comment was really bad (it says the same that the code).
>>>> On the other hand, I can *kind of* understand what does 0xffff<more
>>>> f's here>.
>>>>
>>>> But I am at a complete loss about what value is:
>>>>
>>>> nextafter(0x1p64, 0).
>>>>
>>>> Can we put what value is that instead?
>>>
>>> It is a C99 hexadecimal floating-point literal.
>>> 0x1p64 represents hex fraction 1.0 scaled by 2**64, that is 2**64.
>>>
>>> We can write this as `val * mul > 0xfffffffffffff800p0`, but I feel that
>>> counting the number of f's is error-prone and is not fun.
>>>
>>> (We cannot use val * mul >= 0x1p64.
>>> If FLT_EVAL_METHOD == 2, the intermediate computation val * mul will be
>>> performed at long double precision, val * mul may not by representable
>>> by a double and will overflow as (double)0x1p64.)
>>
>> I agree about not spelling out the f's, or the 0x800 at the end.  That's
>> something that the compiler can do for us, resolving this standard library
>> function at compile-time.
>>
>> We just need a better comment.  Perhaps:
>>
>>     /*
>>      * Values near UINT64_MAX overflow to 2**64 when converting
>>      * to double precision.  Compare against the maximum representable
>>      * double precision value below 2**64, computed as "the next value
>>      * after 2**64 (0x1p64) in the direction of 0".
>>      */
>
>Yes, please.

Thanks for the suggestion. Attached a new patch.
Eric Blake Nov. 21, 2019, 5:38 p.m. UTC | #8
On 11/19/19 2:49 PM, Fangrui Song wrote:

>>
>> Can we simply drop the offending line statement instead?
> 
> Fixed in the new patch.
> 

>> The first val * mul above this range is 0x1p64.  Rejecting it is
>> correct, because it overflows yint64_t.
> 
> I am not subscribed, so apologize that this email may be off the thread.
> 
> (The binutils mailing list allows a user to download the raw email so I
> can still reply to a specific email, but this list does not provide such
> feature.)

Actually, it's better to post a v2 patch as a new top-level thread, 
rather than buried as an attachment to a reply to v1, because our CI 
tooling doesn't see through the attachment (nor was it easy for me to 
reply to the v2 patch - I had to open the attachment to paste its text 
inline below...).

More patch submission hints at https://wiki.qemu.org/Contribute/SubmitAPatch

>>From 5f1c5a42794ddcbabb63d9af920d9f437ea90a9f Mon Sep 17 00:00:00 2001
> From: Fangrui Song <i@maskray.me>
> Date: Fri, 15 Nov 2019 16:27:47 -0800
> Subject: [PATCH] Fix incorrect integer->float conversions caught by clang
>  -Wimplicit-int-float-conversion
> To: qemu-devel@nongnu.org
> 
> The warning will be enabled by default in clang 10. It is not available for clang <= 9.
> 

> +++ b/migration/migration.c
> @@ -2035,11 +2035,10 @@ void qmp_migrate_set_downtime(double value, Error **errp)
>      }
>  
>      value *= 1000; /* Convert to milliseconds */
> -    value = MAX(0, MIN(INT64_MAX, value));
>  
>      MigrateSetParameters p = {
>          .has_downtime_limit = true,
> -        .downtime_limit = value,
> +        .downtime_limit = (int64_t)value,
>      };

The explicit cast looks odd without a comment (generally, we try to 
avoid casts, so a comment such as /* explicit cast to silence compiler 
*/ can be useful)

>  
>      qmp_migrate_set_parameters(&p, errp);
> diff --git a/util/cutils.c b/util/cutils.c
> index fd591cadf0..2b4484c015 100644
> --- a/util/cutils.c
> +++ b/util/cutils.c
> @@ -239,10 +239,10 @@ static int do_strtosz(const char *nptr, const char **end,
>          goto out;
>      }
>      /*
> -     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
> +     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
>       * through double (53 bits of precision).

I thought we agreed on more text than just this (in particular, that the 
nextafter() call represents 2^64 rounded towards zero).

>       */
> -    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
> +    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
>          retval = -ERANGE;
>          goto out;
>      }
> -- 
> 2.24.0
diff mbox series

Patch

diff --git a/migration/migration.c b/migration/migration.c
index 354ad072fa..ac3ea2934a 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -53,6 +53,7 @@ 
  #include "monitor/monitor.h"
  #include "net/announce.h"
  #include "qemu/queue.h"
+#include <math.h>
  
  #define MAX_THROTTLE  (32 << 20)      /* Migration transfer speed throttling */
  
@@ -2035,11 +2036,10 @@  void qmp_migrate_set_downtime(double value, Error **errp)
      }
  
      value *= 1000; /* Convert to milliseconds */
-    value = MAX(0, MIN(INT64_MAX, value));
  
      MigrateSetParameters p = {
          .has_downtime_limit = true,
-        .downtime_limit = value,
+        .downtime_limit = (int64_t)fmin(value, nextafter(0x1p63, 0)),
      };
  
      qmp_migrate_set_parameters(&p, errp);
diff --git a/util/cutils.c b/util/cutils.c
index fd591cadf0..2b4484c015 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -239,10 +239,10 @@  static int do_strtosz(const char *nptr, const char **end,
          goto out;
      }
      /*
-     * Values >= 0xfffffffffffffc00 overflow uint64_t after their trip
+     * Values > nextafter(0x1p64, 0) overflow uint64_t after their trip
       * through double (53 bits of precision).
       */
-    if ((val * mul >= 0xfffffffffffffc00) || val < 0) {
+    if ((val * mul > nextafter(0x1p64, 0)) || val < 0) {
          retval = -ERANGE;
          goto out;
      }