Merge #818: Add static assertion that uint32_t is unsigned int or wider

c0041b5cfc Add static assertion that uint32_t is unsigned int or wider (Tim Ruffing) Pull request description: Solves one item in #792 . ACKs for top commit: sipa: utACK c0041b5cfc elichai: ACK c0041b5cfc Tree-SHA512: 9f700e89be39e15983260da94642593d16b9c437171e10377837ac73731ca7ba5dd7e328b3d93d0a24d143fb9e73abd11c578f6b58e2f94c82b783e977173b0c
2020-09-26 10:18:17 +02:00 · 2020-09-26 10:18:17 +02:00 · bb1f54280f
parent 5006895bd6 c0041b5cfc
commit bb1f54280f
1 changed files with 7 additions and 1 deletions
--- a/src/assumptions.h
+++ b/src/assumptions.h
@ -7,6 +7,8 @@
 #ifndef SECP256K1_ASSUMPTIONS_H
 #define SECP256K1_ASSUMPTIONS_H

+#include <limits.h>
+
 #include "util.h"

 /* This library, like most software, relies on a number of compiler implementation defined (but not undefined)
@ -19,7 +21,11 @@ struct secp256k1_assumption_checker {
       allowed. */
    int dummy_array[(
        /* Bytes are 8 bits. */
-        CHAR_BIT == 8 &&
+        (CHAR_BIT == 8) &&
+
+        /* No integer promotion for uint32_t. This ensures that we can multiply uintXX_t values where XX >= 32
+           without signed overflow, which would be undefined behaviour. */
+        (UINT_MAX <= UINT32_MAX) &&

        /* Conversions from unsigned to signed outside of the bounds of the signed type are
           implementation-defined. Verify that they function as reinterpreting the lower