libstdc++: Avoid overflow in ranges::advance(i, n, bound)

When (bound - i) or n is the most negative value of its type, the negative of the value will overflow. Instead of abs(n) >= abs(bound - i) use n >= (bound - i) when positive and n <= (bound - i) when negative. The function has a precondition that they must have the same sign, so this works correctly. The precondition check can be moved into the else branch, and simplified. The standard requires calling ranges::advance(i, bound) even if i==bound is already true, which is technically observable, but that's pointless. We can just return n in that case. Similarly, for i!=bound but n==0 we are supposed to call ranges::advance(i, n), but that's pointless. An LWG issue to allow omitting the pointless calls is expected to be filed. libstdc++-v3/ChangeLog: * include/bits/ranges_base.h (ranges::advance): Avoid signed overflow. Do nothing if already equal to desired result. * testsuite/24_iterators/range_operations/advance_overflow.cc: New test.
2022-01-26 16:08:51 +00:00 · 2022-01-26 16:08:51 +00:00 · f21f22d1ba
commit f21f22d1ba
parent 66b8617118
2 changed files with 46 additions and 6 deletions
--- a/libstdc++-v3/include/bits/ranges_base.h
+++ b/libstdc++-v3/include/bits/ranges_base.h
@ -756,20 +756,23 @@ namespace ranges
 	  {
 	    const auto __diff = __bound - __it;

-	    // n and bound must not lead in opposite directions:
-	    __glibcxx_assert(__n == 0 || __diff == 0 || (__n < 0 == __diff < 0));
-	    const auto __absdiff = __diff < 0 ? -__diff : __diff;
-	    const auto __absn = __n < 0 ? -__n : __n;;
-	    if (__absn >= __absdiff)
+	    if (__diff == 0)
+	      return __n;
+	    else if (__diff > 0 ? __n >= __diff : __n <= __diff)
 	      {
 		(*this)(__it, __bound);
 		return __n - __diff;
 	      }
-	    else
+	    else if (__n != 0) [[likely]]
 	      {
+		// n and bound must not lead in opposite directions:
+		__glibcxx_assert(__n < 0 == __diff < 0);
+
 		(*this)(__it, __n);
 		return 0;
 	      }
+	    else
+	      return 0;
 	  }
 	else if (__it == __bound || __n == 0)
 	  return __n;
--- a/libstdc++-v3/testsuite/24_iterators/range_operations/advance_overflow.cc
+++ b/libstdc++-v3/testsuite/24_iterators/range_operations/advance_overflow.cc
@ -0,0 +1,37 @@
+// { dg-options "-std=gnu++20" }
+// { dg-do compile { target c++20 } }
+
+// Public domain testcase from Casey Carter, send to LWG list on 2021-07-24.
+//
+// Here's a compile-only test case for which n is INT_MIN, which will overflow
+// if simply negated to get |n|: https://godbolt.org/z/M7Wz1nW58.
+
+#include <cassert>
+#include <iterator>
+#include <limits>
+
+struct I {
+    using difference_type = int;
+    using value_type = int;
+
+    int x;
+
+    constexpr int operator*() const { return x; }
+    constexpr I& operator++() { ++x; return *this; }
+    constexpr I operator++(int) { ++x; return {x - 1}; }
+    constexpr bool operator==(const I&) const = default;
+
+    constexpr int operator-(const I& that) const { return x - that.x; }
+
+    constexpr I& operator--() { --x; return *this; }
+    constexpr I operator--(int) { --x; return {x - 1}; }
+};
+static_assert(std::bidirectional_iterator<I>);
+static_assert(std::sized_sentinel_for<I, I>);
+
+constexpr bool test() {
+    using L = std::numeric_limits<int>;
+    I i{-2};
+    return std::ranges::advance(i, L::min(), I{-4}) == L::min() + 2;
+}
+static_assert(test());