Update support after churn in gnulib.

5 files changed, 211 insertions, 78 deletions

diff --git a/support/ChangeLog b/support/ChangeLog
index a61893b2..256e9782 100644
--- a/support/ChangeLog
+++ b/support/ChangeLog
@@ -1,3 +1,12 @@
+2021-03-29         Arnold D. Robbins     <arnold@skeeve.com>
+
+	Resettle after churn in GNULIB.
+
+	* dfa.c, intprops.h: Updated from GNULIB.
+	* xalloc.h (xpalloc): New function, was in dfa.c.
+	(MIN): New macro.
+	* idx.h: New file, imported from GNULIB (sigh).
+
 2021-02-08         Arnold D. Robbins     <arnold@skeeve.com>
 
 	* cdefs.h, dfa.c, dfa.h, flexmember.h, intprops.h, libc-config.h,
diff --git a/support/dfa.c b/support/dfa.c
index 0bf72ffd..33de2fb8 100644
--- a/support/dfa.c
+++ b/support/dfa.c
@@ -22,6 +22,11 @@
 
 #include <config.h>
 
+#include "dfa.h"
+
+#include "flexmember.h"
+#include "idx.h"
+
 #include <assert.h>
 #include <ctype.h>
 #include <stdint.h>
@@ -30,15 +35,6 @@
 #include <limits.h>
 #include <string.h>
 
-#include "dfa.h"
-#include "flexmember.h"
-
-/* Another name for ptrdiff_t, for sizes of objects and nonnegative
-   indexes into objects.  It is signed to help catch integer overflow.
-   It has its own name because it is for nonnegative values only.  */
-typedef ptrdiff_t idx_t;
-static idx_t const IDX_MAX = PTRDIFF_MAX;
-
 static bool
 streq (char const *a, char const *b)
 {
@@ -56,7 +52,6 @@ isasciidigit (char c)
 
 #include <wchar.h>
 
-#include "intprops.h"
 #include "xalloc.h"
 #include "localeinfo.h"
 
@@ -790,66 +785,6 @@ emptyset (charclass const *s)
   return w == 0;
 }
 
-/* Grow PA, which points to an array of *NITEMS items, and return the
-   location of the reallocated array, updating *NITEMS to reflect its
-   new size.  The new array will contain at least NITEMS_INCR_MIN more
-   items, but will not contain more than NITEMS_MAX items total.
-   ITEM_SIZE is the size of each item, in bytes.
-
-   ITEM_SIZE and NITEMS_INCR_MIN must be positive.  *NITEMS must be
-   nonnegative.  If NITEMS_MAX is -1, it is treated as if it were
-   infinity.
-
-   If PA is null, then allocate a new array instead of reallocating
-   the old one.
-
-   Thus, to grow an array A without saving its old contents, do
-   { free (A); A = xpalloc (NULL, &AITEMS, ...); }.  */
-
-static void *
-xpalloc (void *pa, idx_t *nitems, idx_t nitems_incr_min,
-         ptrdiff_t nitems_max, idx_t item_size)
-{
-  idx_t n0 = *nitems;
-
-  /* The approximate size to use for initial small allocation
-     requests.  This is the largest "small" request for the GNU C
-     library malloc.  */
-  enum { DEFAULT_MXFAST = 64 * sizeof (size_t) / 4 };
-
-  /* If the array is tiny, grow it to about (but no greater than)
-     DEFAULT_MXFAST bytes.  Otherwise, grow it by about 50%.
-     Adjust the growth according to three constraints: NITEMS_INCR_MIN,
-     NITEMS_MAX, and what the C language can represent safely.  */
-
-  idx_t n, nbytes;
-  if (INT_ADD_WRAPV (n0, n0 >> 1, &n))
-    n = IDX_MAX;
-  if (0 <= nitems_max && nitems_max < n)
-    n = nitems_max;
-
-  idx_t adjusted_nbytes
-    = ((INT_MULTIPLY_WRAPV (n, item_size, &nbytes) || SIZE_MAX < nbytes)
-       ? MIN (IDX_MAX, SIZE_MAX)
-       : nbytes < DEFAULT_MXFAST ? DEFAULT_MXFAST : 0);
-  if (adjusted_nbytes)
-    {
-      n = adjusted_nbytes / item_size;
-      nbytes = adjusted_nbytes - adjusted_nbytes % item_size;
-    }
-
-  if (! pa)
-    *nitems = 0;
-  if (n - n0 < nitems_incr_min
-      && (INT_ADD_WRAPV (n0, nitems_incr_min, &n)
-          || (0 <= nitems_max && nitems_max < n)
-          || INT_MULTIPLY_WRAPV (n, item_size, &nbytes)))
-    xalloc_die ();
-  pa = xrealloc (pa, nbytes);
-  *nitems = n;
-  return pa;
-}
-
 /* Ensure that the array addressed by PA holds at least I + 1 items.
    Either return PA, or reallocate the array and return its new address.
    Although PA may be null, the returned value is never null.
diff --git a/support/idx.h b/support/idx.h
new file mode 100644
index 00000000..483587ea
--- /dev/null
+++ b/support/idx.h
@@ -0,0 +1,114 @@
+/* A type for indices and sizes.
+   Copyright (C) 2020-2021 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#ifndef _IDX_H
+#define _IDX_H
+
+/* Get ptrdiff_t.  */
+#include <stddef.h>
+
+/* Get PTRDIFF_MAX.  */
+#include <stdint.h>
+
+/* The type 'idx_t' holds an (array) index or an (object) size.
+   Its implementation promotes to a signed integer type,
+   which can hold the values
+     0..2^63-1 (on 64-bit platforms) or
+     0..2^31-1 (on 32-bit platforms).
+
+   Why a signed integer type?
+
+     * Security: Signed types can be checked for overflow via
+       '-fsanitize=undefined', but unsigned types cannot.
+
+     * Comparisons without surprises: ISO C99 § 6.3.1.8 specifies a few
+       surprising results for comparisons, such as
+
+           (int) -3 < (unsigned long) 7  =>  false
+           (int) -3 < (unsigned int) 7   =>  false
+       and on 32-bit machines:
+           (long) -3 < (unsigned int) 7  =>  false
+
+       This is surprising because the natural comparison order is by
+       value in the realm of infinite-precision signed integers (ℤ).
+
+       The best way to get rid of such surprises is to use signed types
+       for numerical integer values, and use unsigned types only for
+       bit masks and enums.
+
+   Why not use 'size_t' directly?
+
+     * Because 'size_t' is an unsigned type, and a signed type is better.
+       See above.
+
+   Why not use 'ptrdiff_t' directly?
+
+     * Maintainability: When reading and modifying code, it helps to know that
+       a certain variable cannot have negative values.  For example, when you
+       have a loop
+
+         int n = ...;
+         for (int i = 0; i < n; i++) ...
+
+       or
+
+         ptrdiff_t n = ...;
+         for (ptrdiff_t i = 0; i < n; i++) ...
+
+       you have to ask yourself "what if n < 0?".  Whereas in
+
+         idx_t n = ...;
+         for (idx_t i = 0; i < n; i++) ...
+
+       you know that this case cannot happen.
+
+       Similarly, when a programmer writes
+
+         idx_t = ptr2 - ptr1;
+
+       there is an implied assertion that ptr1 and ptr2 point into the same
+       object and that ptr1 <= ptr2.
+
+     * Being future-proof: In the future, range types (integers which are
+       constrained to a certain range of values) may be added to C compilers
+       or to the C standard.  Several programming languages (Ada, Haskell,
+       Common Lisp, Pascal) already have range types.  Such range types may
+       help producing good code and good warnings.  The type 'idx_t' could
+       then be typedef'ed to a range type that is signed after promotion.  */
+
+/* In the future, idx_t could be typedef'ed to a signed range type.
+   The clang "extended integer types", supported in Clang 11 or newer
+   <https://clang.llvm.org/docs/LanguageExtensions.html#extended-integer-types>,
+   are a special case of range types.  However, these types don't support binary
+   operators with plain integer types (e.g. expressions such as x > 1).
+   Therefore, they don't behave like signed types (and not like unsigned types
+   either).  So, we cannot use them here.  */
+
+/* Use the signed type 'ptrdiff_t'.  */
+/* Note: ISO C does not mandate that 'size_t' and 'ptrdiff_t' have the same
+   size, but it is so on all platforms we have seen since 1990.  */
+typedef ptrdiff_t idx_t;
+
+/* IDX_MAX is the maximum value of an idx_t.  */
+#define IDX_MAX PTRDIFF_MAX
+
+/* So far no need has been found for an IDX_WIDTH macro.
+   Perhaps there should be another macro IDX_VALUE_BITS that does not
+   count the sign bit and is therefore one less than PTRDIFF_WIDTH.  */
+
+#endif /* _IDX_H */
diff --git a/support/intprops.h b/support/intprops.h
index 967e32ea..9d10028a 100644
--- a/support/intprops.h
+++ b/support/intprops.h
@@ -133,7 +133,8 @@
    operators might not yield numerically correct answers due to
    arithmetic overflow.  They do not rely on undefined or
    implementation-defined behavior.  Their implementations are simple
-   and straightforward, but they are a bit harder to use than the
+   and straightforward, but they are harder to use and may be less
+   efficient than the INT_<op>_WRAPV, INT_<op>_OK, and
    INT_<op>_OVERFLOW macros described below.
 
    Example usage:
@@ -158,6 +159,9 @@
    must have minimum value MIN and maximum MAX.  Unsigned types should
    use a zero MIN of the proper type.
 
+   Because all arguments are subject to integer promotions, these
+   macros typically do not work on types narrower than 'int'.
+
    These macros are tuned for constant MIN and MAX.  For commutative
    operations such as A + B, they are also tuned for constant B.  */
 
@@ -339,9 +343,15 @@
    arguments should not have side effects.
 
    The WRAPV macros are not constant expressions.  They support only
-   +, binary -, and *.  Because the WRAPV macros convert the result,
-   they report overflow in different circumstances than the OVERFLOW
-   macros do.
+   +, binary -, and *.
+
+   Because the WRAPV macros convert the result, they report overflow
+   in different circumstances than the OVERFLOW macros do.  For
+   example, in the typical case with 16-bit 'short' and 32-bit 'int',
+   if A, B and R are all of type 'short' then INT_ADD_OVERFLOW (A, B)
+   returns false because the addition cannot overflow after A and B
+   are converted to 'int', whereas INT_ADD_WRAPV (A, B, &R) returns
+   true or false depending on whether the sum fits into 'short'.
 
    These macros are tuned for their last input argument being a constant.
 
diff --git a/support/xalloc.h b/support/xalloc.h
index 722c3872..bb893294 100644
--- a/support/xalloc.h
+++ b/support/xalloc.h
@@ -20,6 +20,8 @@
 
 # include <stddef.h>
 
+#include "intprops.h"
+
 
 # ifdef __cplusplus
 extern "C" {
@@ -56,6 +58,8 @@ void *xzalloc (size_t s) ATTRIBUTE_MALLOC;
 void *xcalloc (size_t n, size_t s) ATTRIBUTE_MALLOC;
 void *xrealloc (void *p, size_t s);
 void *x2realloc (void *p, size_t *pn);
+void *xpalloc (void *pa, idx_t *nitems, idx_t nitems_incr_min,
+               ptrdiff_t nitems_max, idx_t item_size);
 void *xmemdup (void const *p, size_t s) ATTRIBUTE_MALLOC;
 char *xstrdup (char const *str) ATTRIBUTE_MALLOC;
 
@@ -223,10 +227,9 @@ xnrealloc (void *p, size_t n, size_t s)
 
 /* If P is null, allocate a block of at least *PN such objects;
    otherwise, reallocate P so that it contains more than *PN objects
-   each of S bytes.  *PN must be nonzero unless P is null, and S must
-   be nonzero.  Set *PN to the new number of objects, and return the
-   pointer to the new block.  *PN is never set to zero, and the
-   returned pointer is never null.
+   each of S bytes.  S must be nonzero.  Set *PN to the new number of
+   objects, and return the pointer to the new block.  *PN is never set
+   to zero, and the returned pointer is never null.
 
    Repeated reallocations are guaranteed to make progress, either by
    allocating an initial block with a nonzero size, or by allocating a
@@ -371,5 +374,67 @@ xmemdup (T const *p, size_t s)
 
 # endif
 
+/* Grow PA, which points to an array of *NITEMS items, and return the
+   location of the reallocated array, updating *NITEMS to reflect its
+   new size.  The new array will contain at least NITEMS_INCR_MIN more
+   items, but will not contain more than NITEMS_MAX items total.
+   ITEM_SIZE is the size of each item, in bytes.
+
+   ITEM_SIZE and NITEMS_INCR_MIN must be positive.  *NITEMS must be
+   nonnegative.  If NITEMS_MAX is -1, it is treated as if it were
+   infinity.
+
+   If PA is null, then allocate a new array instead of reallocating
+   the old one.
+
+   Thus, to grow an array A without saving its old contents, do
+   { free (A); A = xpalloc (NULL, &AITEMS, ...); }.  */
+
+#define MIN(x, y) ((x) < (y) ? (x) : (y))
+
+void *
+xpalloc (void *pa, idx_t *nitems, idx_t nitems_incr_min,
+         ptrdiff_t nitems_max, idx_t item_size)
+{
+  idx_t n0 = *nitems;
+
+  /* The approximate size to use for initial small allocation
+     requests.  This is the largest "small" request for the GNU C
+     library malloc.  */
+  enum { DEFAULT_MXFAST = 64 * sizeof (size_t) / 4 };
+
+  /* If the array is tiny, grow it to about (but no greater than)
+     DEFAULT_MXFAST bytes.  Otherwise, grow it by about 50%.
+     Adjust the growth according to three constraints: NITEMS_INCR_MIN,
+     NITEMS_MAX, and what the C language can represent safely.  */
+
+  idx_t n, nbytes;
+  if (INT_ADD_WRAPV (n0, n0 >> 1, &n))
+    n = IDX_MAX;
+  if (0 <= nitems_max && nitems_max < n)
+    n = nitems_max;
+
+  idx_t adjusted_nbytes
+    = ((INT_MULTIPLY_WRAPV (n, item_size, &nbytes) || SIZE_MAX < nbytes)
+       ? MIN (IDX_MAX, SIZE_MAX)
+       : nbytes < DEFAULT_MXFAST ? DEFAULT_MXFAST : 0);
+  if (adjusted_nbytes)
+    {
+      n = adjusted_nbytes / item_size;
+      nbytes = adjusted_nbytes - adjusted_nbytes % item_size;
+    }
+
+  if (! pa)
+    *nitems = 0;
+  if (n - n0 < nitems_incr_min
+      && (INT_ADD_WRAPV (n0, nitems_incr_min, &n)
+          || (0 <= nitems_max && nitems_max < n)
+          || INT_MULTIPLY_WRAPV (n, item_size, &nbytes)))
+    xalloc_die ();
+  pa = xrealloc (pa, nbytes);
+  *nitems = n;
+  return pa;
+}
+
 
 #endif /* !XALLOC_H_ */