git-compat-util: add signed_mult_overflows and mult_overflows macros

dscho · dscho · commit 6b70aed1b02c · 2026-05-06T22:23:26.000+02:00
The existing unsigned_mult_overflows macro detects multiplication
overflow for unsigned types by checking b &gt; MAX / a. Add the
signed counterpart and a type-generic wrapper.

signed_mult_overflows handles all four sign combinations:
positive*positive, negative*negative, positive*negative, and
negative*positive. Each case checks against
maximum_signed_value_of_type to detect both overflow (result &gt;
MAX) and underflow (result &lt; MIN, via the negation trick).

mult_overflows dispatches to the unsigned or signed variant based
on the type's signedness, using a new is_unsigned_type macro.
This is useful for types like time_t whose signedness is
implementation-defined: POSIX does not mandate whether time_t is
signed or unsigned, and platforms differ.

is_unsigned_type uses the GCC typeof extension, which is
available on all compilers git targets (GCC, Clang, MSVC's
C11 mode). The existing codebase already depends on GCC
extensions in other places (e.g., __attribute__).

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/git-compat-util.h b/git-compat-util.h
@@ -85,6 +85,8 @@ struct strbuf;
 
 #define bitsizeof(x)  (CHAR_BIT * sizeof(x))
 
+#define is_unsigned_type(a) ((typeof(a))-1 >= 0)
+
 #define maximum_signed_value_of_type(a) \
     (INTMAX_MAX >> (bitsizeof(intmax_t) - bitsizeof(a)))
 
@@ -111,6 +113,28 @@ struct strbuf;
 #define unsigned_mult_overflows(a, b) \
     ((a) && (b) > maximum_unsigned_value_of_type(a) / (a))
 
+/*
+ * Returns true if the multiplication of "a" and "b" will
+ * overflow or underflow a signed type. The types of "a" and "b"
+ * must match and must be signed. Note that this macro evaluates
+ * both "a" and "b" twice!
+ */
+#define signed_mult_overflows(a, b) \
+    (((a) > 0 && (b) > 0 && (a) > maximum_signed_value_of_type(a) / (b)) || \
+     ((a) < 0 && (b) < 0 && (a) < maximum_signed_value_of_type(a) / (b)) || \
+     ((a) > 0 && (b) < 0 && (b) < -(maximum_signed_value_of_type(a) / (a))) || \
+     ((a) < 0 && (b) > 0 && (a) < -(maximum_signed_value_of_type(b) / (b))))
+
+/*
+ * Returns true if the multiplication of "a" and "b" will overflow,
+ * regardless of whether the type is signed or unsigned.  Note that
+ * this macro evaluates both "a" and "b" twice!
+ */
+#define mult_overflows(a, b) \
+    (is_unsigned_type(a) \
+     ? unsigned_mult_overflows(a, b) \
+     : signed_mult_overflows(a, b))
+
 /*
  * Returns true if the left shift of "a" by "shift" bits will
  * overflow. The type of "a" must be unsigned.
