Add static assertion that uint32_t is unsigned int or wider
authorTim Ruffing <[email protected]>
Thu, 17 Sep 2020 11:29:55 +0000 (13:29 +0200)
committerTim Ruffing <[email protected]>
Thu, 17 Sep 2020 11:35:37 +0000 (13:35 +0200)
src/assumptions.h

index f9d4e8e7935168a358e3f8d49901db4b08f39360..77204de2b89cf9761c5965ac6b155311956b1d13 100644 (file)
@@ -7,6 +7,8 @@
 #ifndef SECP256K1_ASSUMPTIONS_H
 #define SECP256K1_ASSUMPTIONS_H
 
+#include <limits.h>
+
 #include "util.h"
 
 /* This library, like most software, relies on a number of compiler implementation defined (but not undefined)
@@ -19,7 +21,11 @@ struct secp256k1_assumption_checker {
        allowed. */
     int dummy_array[(
         /* Bytes are 8 bits. */
-        CHAR_BIT == 8 &&
+        (CHAR_BIT == 8) &&
+
+        /* No integer promotion for uint32_t. This ensures that we can multiply uintXX_t values where XX >= 32
+           without signed overflow, which would be undefined behaviour. */
+        (UINT_MAX <= UINT32_MAX) &&
 
         /* Conversions from unsigned to signed outside of the bounds of the signed type are
            implementation-defined. Verify that they function as reinterpreting the lower
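Review bot: The new `(UINT_MAX <= UINT32_MAX) &&` term uses `UINT32_MAX`, which is declared in `<stdint.h>`, while the include added at the top of the file is only `<limits.h>`; the name presumably reaches this header through `util.h`, but a header whose whole purpose is to pin down the compiler assumptions the library depends on is easier to audit when it includes what it uses, so `#include <stdint.h>` next to the new `#include <limits.h>` would make that explicit. The comment above the check describes the consequence (no promotion, hence no signed-overflow UB in multiplications) but not what the expression literally tests; stating the mechanism as the first sentence would let a reader verify the inequality without reconstructing the rank rules, e.g. `/* unsigned int is at most 32 bits, so uint32_t has at least the rank of unsigned int and is never promoted to (signed) int. ... */`. The `dummy_array` declaration this term belongs to continues past the end of the hunk.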