Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gh-97786: Fix compiler warnings in pytime.c #101826

Merged
merged 3 commits into from Feb 20, 2023
Merged

gh-97786: Fix compiler warnings in pytime.c #101826

merged 3 commits into from Feb 20, 2023
+31 −6

Conversation

mdickinson
Copy link
Member

@mdickinson mdickinson commented Feb 11, 2023
edited

This PR fixes some compiler warnings in pytime.c, and at the same time fixes our out-of-range double-to-integer checks to properly avoid undefined behaviour.

It's hard to write strictly portable code for this kind of thing, but the new check should work under a set of (very) mild assumptions, that are highly unlikely to be violated on any actual platform that we care about:

  • That time_t is a two's complement signed integer type with no trap representation. (The weakest part of this is the assumption that time_t is a signed integer type at all, but we're already making that assumption.)
  • That _PyTime_t is also a two's complement signed integer type with no trap representation. (This is already true with the current typedef int64_t _PyTime_t; declaration.)
  • That PY_TIME_T_MIN and _PyTime_MIN are within the range of a C double. These days we're assuming IEEE 754 binary64 doubles, so we're safe so long as the integer types _PyTime_t and time_t don't have a width of more than 1024.

Here's the underlying logic for the changes, for the record:

  • We want to check that a C double value x is within the range of a (potentially unknown) signed integer type I with min and max values IMIN and IMAX. More specifically, we want to be sure that a conversion from x to type I will not invoke undefined behaviour; this means that the integer part of x (discarding the fractional part, if any) must be in [IMIN, IMAX].
  • Assuming that I uses two's complement with no trap representation, IMIN must be the negation of a power of two, and IMAX == -1 - IMIN.
  • So IMIN is exactly representable as a double (assuming that it's not larger than 2**1023), and (double)IMIN does not change the value.
  • So the bottom-end check, (double)IMIN <= x, does exactly what we want it to.
  • For the top-end check, x <= IMAX is problematic since the implicit conversion of IMAX to type double may change the value. But assuming that x is an integer (which it is for all cases in this PR), x <= IMAX is mathematically equivalent to x < (IMAX + 1), which with our two's complement assumption is equivalent to x < -IMIN, and we can express this as x < -(double)IMIN.

@bedevere-bot bedevere-bot mentioned this pull request Feb 11, 2023
Open
@mdickinson mdickinson added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Feb 11, 2023
@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @mdickinson for commit 32aee25 🤖

If you want to schedule another build, you need to add the :hammer: test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Feb 11, 2023
mdickinson
mdickinson commented Feb 11, 2023
View changes
Python/pytime.c Show resolved Hide resolved
mdickinson
mdickinson commented Feb 11, 2023
View changes
Python/pytime.c
@@ -910,7 +933,7 @@ py_get_system_clock(_PyTime_t *tp, _Py_clock_info_t *info, int raise_exc)
info->monotonic = 0;
info->adjustable = 1;
if (clock_getres(CLOCK_REALTIME, &res) == 0) {
info->resolution = res.tv_sec + res.tv_nsec * 1e-9;
info->resolution = (double)res.tv_sec + (double)res.tv_nsec * 1e-9;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clang's -Wimplicit-int-float-conversion was warning here; the casts silence those warnings.

mdickinson
mdickinson commented Feb 11, 2023
View changes
Python/pytime.c Show resolved Hide resolved
@mdickinson
Copy link
Member Author

mdickinson commented Feb 12, 2023
edited

I've removed the fmod asserts from the code. They were somewhat obscure, and it's not necessary for correctness that the target value is an integer.

The only possible issue with a non-integer intpart is one of false positives: if intpart is a large and negative double in the open interval (PY_TIME_T_MIN - 1, PY_TIME_T_MIN) then:

  • it's safe to cast intpart to time_t, since it's in range after discarding the fractional part, but
  • the condition if (!((double)PY_TIME_T_MIN <= intpart && intpart < -(double)PY_TIME_T_MIN)) will be true, so an overflow would be reported

So the failure mode is benign. But in any case, intpart must be an integer (or possibly an infinity or nan), so the above can't happen.

@mdickinson
Copy link
Member Author

I think this is ready to merge. @gpshead Do you have bandwidth for a quick re-review?

@gpshead gpshead merged commit b1b375e into python:main Feb 20, 2023
17 checks passed
@miss-islington
Copy link
Contributor

Thanks @mdickinson for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11.
🐍🍒🤖

@miss-islington
Copy link
Contributor

Sorry, @mdickinson and @gpshead, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker b1b375e2670a58fc37cb4c2629ed73b045159918 3.10

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 20, 2023
@mdickinson @miss-islington
pythongh-97786: Fix compiler warnings in pytime.c (pythonGH-101826)
7e25925 
Fixes compiler warnings in pytime.c.
(cherry picked from commit b1b375e2670a58fc37cb4c2629ed73b045159918)

Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
@bedevere-bot
Copy link

GH-102062 is a backport of this pull request to the 3.11 branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead

@brettcannon brettcannon

@pganssle pganssle

@abalkin abalkin

Assignees

@gpshead gpshead

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mdickinson @bedevere-bot @miss-islington @gpshead