[protoPATCH] "safe" numeric casts with explicit min/max
Lionel Elie Mamane
lionel at mamane.lu
Wed Feb 29 03:13:22 PST 2012
Background: we have in sc/source/filter/inc/ftools.hxx supposedly
"safe" casts that are (according to the Doxygen documentation)
supposed to be safer than just static_cast. As fdo#39589 uncovered,
they are actually so buggy as to be *less* safe.
Back in November, I wrote prototype _actually_ safe versions, but
got sidetracked and forgot about them. I'm unearthing them again now.
The big remaining issue is that it is a WaE disaster on "warning:
comparison between signed and unsigned", because the compiler does not
notice that these comparisons are done under scope of if/else
conditions that make them safe. Also "warning: test will always be
true/false", since the code covers all cases and not all cases make
sense for all combinations of A,B in "cast a value of type A to type
B": the idea is for the compiler to prune away if/else branches that
will not be hit.
The "comparison between signed and unsigned" warnings cannot be easily
silenced by explicit casts, because the code makes use of the
compiler's automatic 'the smaller type is promoted to the bigger type'
rules. We could instead reimplement that logic manually, but I'm
rather loath to make the code more complicated just to avoid
So maybe we could selectively disable the warnings on this file
instead? Does someone know how to do that with gcc and with MSVC?
As I wrote in November:
> That thing is devilishly hard to get right... I think I have a
> correct version now, (...)
But IMHO it needs to be unittest-ed deeply before commit.
A non-text attachment was scrubbed...
Size: 4647 bytes
Desc: not available
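As an added illustration of the approach the mail describes (clamping a value to the target type's min/max rather than letting `static_cast` wrap it), here is a small saturating cast written for this post; it is not the attached prototype nor anything from `sc/source/filter/inc/ftools.hxx`, and the names `clampCast` and `detail::clampImpl` are assumed. It addresses the "comparison between signed and unsigned" problem differently from the promotion-based code in the mail: the four signedness combinations are split into separate overloads selected by `std::is_signed` tags, so the compiler only ever instantiates comparisons whose operands share a signedness, and the branches that would warn simply do not exist in the generated code.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <type_traits>

// Added example (not LibreOffice's ftools.hxx code). clampCast<To>(v) returns v if it
// fits in To, otherwise To's min or max. Every comparison below is between operands
// of the same signedness, so no signed/unsigned comparison warning can fire.

namespace detail {

typedef std::true_type  Signed;
typedef std::false_type Unsigned;

// unsigned -> unsigned: only the upper bound can be violated.
template <typename To, typename From>
To clampImpl(From v, Unsigned, Unsigned)
{
    if (v > std::numeric_limits<To>::max())
        return std::numeric_limits<To>::max();
    return static_cast<To>(v);
}

// signed -> signed: both bounds, compared after promotion to the wider signed type.
template <typename To, typename From>
To clampImpl(From v, Signed, Signed)
{
    if (v < std::numeric_limits<To>::min())
        return std::numeric_limits<To>::min();
    if (v > std::numeric_limits<To>::max())
        return std::numeric_limits<To>::max();
    return static_cast<To>(v);
}

// signed -> unsigned: negatives clamp to 0; a non-negative v is re-typed as unsigned
// (value-preserving because v >= 0) and handed to the unsigned -> unsigned case.
template <typename To, typename From>
To clampImpl(From v, Signed, Unsigned)
{
    if (v < 0)
        return 0;
    typedef typename std::make_unsigned<From>::type UFrom;
    return clampImpl<To>(static_cast<UFrom>(v), Unsigned(), Unsigned());
}

// unsigned -> signed: only the upper bound matters. To's max is non-negative, so
// viewing it as To's unsigned counterpart keeps the comparison unsigned/unsigned.
template <typename To, typename From>
To clampImpl(From v, Unsigned, Signed)
{
    typedef typename std::make_unsigned<To>::type UTo;
    if (v > static_cast<UTo>(std::numeric_limits<To>::max()))
        return std::numeric_limits<To>::max();
    return static_cast<To>(v);
}

} // namespace detail

// Public entry point (assumed name): clampCast<To>(value), integral types only.
template <typename To, typename From>
To clampCast(From v)
{
    static_assert(std::is_integral<To>::value && std::is_integral<From>::value,
                  "clampCast is for integral types");
    return detail::clampImpl<To>(
        v,
        std::integral_constant<bool, std::is_signed<From>::value>(),
        std::integral_constant<bool, std::is_signed<To>::value>());
}

// Stand-alone demonstration with a few constructed inputs.
int main()
{
    std::printf("int 300   -> uint8:  %u\n", static_cast<unsigned>(clampCast<std::uint8_t>(300)));
    std::printf("int -5    -> uint8:  %u\n", static_cast<unsigned>(clampCast<std::uint8_t>(-5)));
    std::printf("uint 200  -> int8:   %d\n", static_cast<int>(clampCast<std::int8_t>(200u)));
    std::printf("int -200  -> int8:   %d\n", static_cast<int>(clampCast<std::int8_t>(-200)));
    std::printf("int64 5e9 -> uint32: %u\n", clampCast<std::uint32_t>(static_cast<std::int64_t>(5000000000LL)));
    return 0;
}
```

The "test will always be true/false" warnings the mail mentions are a separate matter: with `-Wextra` (`-Wtype-limits`) gcc may still flag the lower-bound check when `From` is narrower than `To`; that warning is harmless here and, unlike the sign-compare one, does not hide a real bug.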