History log of /src/usr.bin/vndcompress/common.h
Revision | Date | Author | Comments (each revision's comments follow its header line)

1.8 | 29-Jul-2017 | riastradh
Clarify compile-time and run-time arithmetic safety assertions.
This is an experiment with a handful of macros for writing the checks, most of which are compile-time:
	MUL_OK(t, a, b)		Does a*b avoid overflow in type t?
	ADD_OK(t, a, b)		Does a + b avoid overflow in type t?
	TOOMANY(t, x, b, m)	Are there more than m b-element blocks in x in type t?
				(I.e., does ceiling(x/b) > m?)
Addenda that might make sense but are not needed here:
	MUL(t, a, b, &p)	Set p = a*b and return 0, or return ERANGE if overflow.
	ADD(t, a, b, &s)	Set s = a+b and return 0, or return ERANGE if overflow.
Example:
	uint32_t a = ..., b = ..., y = ..., z = ..., x, w;

	/* input validation */
	error = MUL(size_t, a, b, &x);
	if (error)
		fail;
	if (TOOMANY(uint32_t, x, BLKSIZ, MAX_NBLK))
		fail;
	y = HOWMANY(x, BLKSIZ);
	if (z > Z_MAX)
		fail;

	...

	/* internal computation */
	__CTASSERT(MUL_OK(uint32_t, Z_MAX, MAX_NBLK));
	w = z*y;
Obvious shortcomings:
1. Nothing checks your ctassert matches your subsequent arithmetic. (Maybe we could have BOUNDED_MUL(t, x, xmax, y, ymax) with a ctassert inside.)
2. Nothing flows the bounds needed by the arithmetic you use back into candidate definitions of X_MAX/Y_MAX.
But at least the reviewer's job is only to make sure that (a) the MUL_OK matches the *, and (b) the bounds in the assertion match the bounds on the inputs -- in particular, the reviewer need not derive the bounds from the context, only confirm they are supported by the paths to it.
This is not meant to be a general-purpose proof assistant, or even a special-purpose one like gfverif <http://gfverif.cryptojedi.org/>. Rather, it is an experiment in adding a modicum of compile-time verification with a simple C API change.
This also is not intended to serve as trapping arithmetic on overflow. The goal here is to enable writing the program with explicit checks on input and compile-time annotations on computation to gain confidence that overflow won't happen in the computation.
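The macros this entry sketches, written out as an added example that is not code from NetBSD or from the committer: MUL_OK, ADD_OK and TOOMANY as integer constant expressions usable under a static assertion, the MUL/ADD addenda, and the entry's own validation sequence as a function. The macro bodies, the CTASSERT stand-in for __CTASSERT, and the BLKSIZ, MAX_NBLK and Z_MAX values are this example's assumptions.

```c
/* Added example (not NetBSD's vndcompress code): the MUL_OK/ADD_OK/TOOMANY
 * checks and MUL/ADD addenda from the 1.8 log entry, written out.  Macro
 * bodies, CTASSERT and the bounds are this example's assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define CTASSERT(x)	_Static_assert(x, #x)	/* stand-in for __CTASSERT */
#define TYPE_MAX(t)	((t)~(t)0)		/* largest value of unsigned t */
/* Does a*b avoid overflow in type t?  Usable in integer constant expressions. */
#define MUL_OK(t, a, b)	((a) == 0 || (b) <= TYPE_MAX(t) / (a))
/* Does a + b avoid overflow in type t? */
#define ADD_OK(t, a, b)	((b) <= TYPE_MAX(t) && (a) <= TYPE_MAX(t) - (b))
/* ceiling(x/b) without the x + b - 1 intermediate, which itself can wrap. */
#define HOWMANY(x, b)	((x) / (b) + ((x) % (b) != 0))
/* Is ceiling(x/b) > m (or would m itself not even fit in type t)? */
#define TOOMANY(t, x, b, m) \
	((m) > TYPE_MAX(t) || (x) / (b) > (m) || \
	 ((x) / (b) == (m) && (x) % (b) != 0))
/* Addenda: store a*b (a+b) in *p (*s) and yield 0, or yield ERANGE. */
#define MUL(t, a, b, p)	(MUL_OK(t, a, b) ? (*(p) = (t)(a) * (t)(b), 0) : ERANGE)
#define ADD(t, a, b, s)	(ADD_OK(t, a, b) ? (*(s) = (t)(a) + (t)(b), 0) : ERANGE)

/* Constructed bounds standing in for BLKSIZ, MAX_NBLK and Z_MAX. */
#define BLKSIZ		512u
#define MAX_NBLK	(1u << 20)
#define Z_MAX		4000u
/* The log's example as a function: run-time checks on the inputs, then a
 * compile-time proof that z*y cannot overflow.  Returns 0 or ERANGE. */
static int
checked_blocks(uint32_t a, uint32_t b, uint32_t z, uint32_t *w)
{
	size_t x;
	uint32_t y;
	int error;

	error = MUL(size_t, a, b, &x);		/* x = a*b, or fail */
	if (error)
		return error;
	if (TOOMANY(uint32_t, x, BLKSIZ, MAX_NBLK))
		return ERANGE;
	y = (uint32_t)HOWMANY(x, BLKSIZ);	/* <= MAX_NBLK, so it fits */
	if (z > Z_MAX)
		return ERANGE;
	/* Reviewer checks only that MUL_OK matches the * and the bounds. */
	CTASSERT(MUL_OK(uint32_t, Z_MAX, MAX_NBLK));
	*w = z * y;
	return 0;
}
```
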

1.7 | 16-Apr-2017 | riastradh
Emphasize that MAX_WINDOW_SIZE is bounded by the maximum uint32_t.
Since we store window sizes in uint32_t, the maximum had better fit in uint32_t!

1.6 | 22-Jan-2014 | riastradh
branches: 1.6.4; 1.6.8; 1.6.12; 1.6.16
Change vndcompress to use a default window size of 512.
For vnduncompress on nonseekable input, the window size is as large as it needs to be by default, as before. Not clear that this is the right choice -- by default vnduncompress on nonseekable input will just use unbounded memory unsolicited.

1.5 | 22-Jan-2014 | riastradh
Rename block size option from `-s' to `-b'.
Makes more sense and makes it consistent with other utilities such as pax and pigz. This vndcompress has never gone out in a release, so changing the name of the option shouldn't cause too many problems...

1.4 | 22-Jan-2014 | riastradh
Add option -w to vnd(un)compress to specify the window size.

1.3 | 22-Jan-2014 | riastradh
Add some leading zero digits to the flags. Cosmetic change only.

1.2 | 22-Jan-2014 | riastradh
Implement machinery for fixed-size windows into the offset table.

1.1 | 03-May-2013 | riastradh
branches: 1.1.2
Rewrite vndcompress to support SIGINFO and restart after interrupt.
Make it generally more robust in the process.
No objection (or comment) on tech-userlevel.
ok christos

1.1.2.3 | 20-Aug-2014 | tls
Rebase to HEAD as of a few days ago.

1.1.2.2 | 23-Jun-2013 | tls
resync from head

1.1.2.1 | 03-May-2013 | tls
file common.h was added on branch tls-maxphys on 2013-06-23 06:29:02 +0000

1.6.16.1 | 21-Apr-2017 | bouyer
Sync with HEAD

1.6.12.1 | 26-Apr-2017 | pgoyette
Sync with HEAD

1.6.8.2 | 07-Dec-2014 | martin
Pull up following revision(s) (requested by riastradh in ticket #1138):
	usr.bin/vndcompress/Makefile 1.3-1.13
	usr.bin/vndcompress/common.h 1.1-1.6
	usr.bin/vndcompress/main.c 1.1-1.3
	usr.bin/vndcompress/offtab.c 1.1-1.13
	usr.bin/vndcompress/offtab.h 1.1-1.2
	usr.bin/vndcompress/utils.c 1.1-1.4
	usr.bin/vndcompress/utils.h 1.1-1.3
	usr.bin/vndcompress/vndcompress.1 1.7-1.14
	usr.bin/vndcompress/vndcompress.c 1.8-1.24
	usr.bin/vndcompress/vndcompress.h delete
	usr.bin/vndcompress/vnduncompress.c 1.1-1.11
Rewrite vndcompress to support SIGINFO and restart after interrupt.
Make it generally more robust in the process.

1.6.8.1 | 22-Jan-2014 | martin
file common.h was added on branch netbsd-6 on 2014-12-07 13:57:58 +0000

1.6.4.2 | 22-May-2014 | yamt
sync with head.
for a reference, the tree before this commit was tagged as yamt-pagecache-tag8.
this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")

1.6.4.1 | 22-Jan-2014 | yamt
file common.h was added on branch yamt-pagecache on 2014-05-22 11:42:51 +0000