u64: avoid theoretical problem with >64-bit int

* lib/u64.h: Include limits.h, for INT_MAX.  Use uint64_t only if
INT_MAX < UINT64_MAX, to avoid undefined behavior on theoretical
platforms where adding two uint64_t expressions can have undefined
behavior on signed integer overflow.

diff --git a/ChangeLog b/ChangeLog
index 33d9975bbebbd634a3f4f2719dfb343aa1ca5882..70dc1936260e4acd821ff910abb4a42a2d60920a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2025-08-31  Paul Eggert  <eggert@cs.ucla.edu>
+
+       u64: avoid theoretical problem with >64-bit int
+       * lib/u64.h: Include limits.h, for INT_MAX.  Use uint64_t only if
+       INT_MAX < UINT64_MAX, to avoid undefined behavior on theoretical
+       platforms where adding two uint64_t expressions can have undefined
+       behavior on signed integer overflow.
+
 2024-08-25  Bruno Haible  <bruno@clisp.org>
 
        nstrftime tests: Test in the UTF-8 environment on native Windows.

diff --git a/lib/u64.h b/lib/u64.h
index 6ea08969c29b1e92e7fef815fda3b814b1a62723..01135057c2ef21693a4dee82e4f8b400ad4ec21f 100644 (file)
--- a/lib/u64.h
+++ b/lib/u64.h
@@ -1,4 +1,4 @@
-/* uint64_t-like operations that work even on hosts lacking uint64_t
+/* Unsigned integers with arithmetic modulo 2**64
 
    Copyright (C) 2006, 2009-2025 Free Software Foundation, Inc.
 
@@ -22,6 +22,7 @@
  #error "Please include config.h first."
 #endif
 
+#include <limits.h>
 #include <stddef.h>
 #include <stdint.h>
 
@@ -37,7 +38,7 @@ extern "C" {
 #endif
 
 
-#ifdef UINT64_MAX
+#if defined UINT64_MAX && INT_MAX < UINT64_MAX
 
 /* Native implementations are trivial.  See below for comments on what
    these operations do.  */

diff --git a/modules/u64 b/modules/u64
index 3a78ce36910a73df004a663024ed2821b8bdffce..4a7f36157a13be6d06e0ba153cba68a26b0bc296 100644 (file)
--- a/modules/u64
+++ b/modules/u64
@@ -1,5 +1,5 @@
 Description:
-uint64_t-like operations that work even on hosts lacking uint64_t
+Unsigned integers with arithmetic modulo 2**64
 
 Files:
 lib/u64.h