mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
189. [func] isc_time_secondsastimet(), a new function, will ensure
that the number of seconds in an isc_time_t does not
exceed the range of a time_t, or return ISC_R_RANGE.
Similarly, isc_time_now(), isc_time_nowplusinterval(),
isc_time_add() and isc_time_subtract() now check the
range for overflow/underflow. In the case of
isc_time_subtract, this changed a calling requirement
(ie, something that could generate an assertion)
into merely a condition that returns an error result.
isc_time_add() and isc_time_subtract() were void-
valued before but now return isc_result_t.
The seconds member isc_time_t on Unix platforms was changed from time_t
to unsigned int.
unix/time.c now uses macros for nanoseconds per second, nanoseconds per
microsecond and microseconds per second to make sure that the right
number of zeros appears each place the constant is used.
unix/time.c functions which take initialized isc_(interval|time)_t arguments
INSIST() that the nanoseconds value is less than one full second.
unix/time.c's isc_time_microdiff was broken because it did multiplication and
addition with unsigned integers and attempted to set them a 64 bit int to
avoid overflow, but C's ints don't promote to 64 bits on machines that only
have 32 bit longs. Fixed.
Added all the pertinent documentation to time.h.
This commit is contained in:
David Lawrence
@@ -17,11 +17,12 @@
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
#include <stddef.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
|
||||
#include <windows.h>
|
||||
|
||||
@@ -29,7 +30,7 @@
|
||||
#include <isc/time.h>
|
||||
|
||||
/*
|
||||
* struct FILETIME uses "100-nanoseconds intevals".
|
||||
* struct FILETIME uses "100-nanoseconds intervals".
|
||||
* NS / S = 1000000000 (10^9).
|
||||
* While it is reasonably obvious that this makes the needed
|
||||
* conversion factor 10^7, it is coded this way for additional clarity.
|
||||
@@ -37,6 +38,7 @@
|
||||
#define NS_PER_S 1000000000
|
||||
#define NS_INTERVAL 100
|
||||
#define INTERVALS_PER_S (NS_PER_S / NS_INTERVAL)
|
||||
#define UINT64_MAX 0xffffffffffffffffui64
|
||||
|
||||
/***
|
||||
*** Intervals
|
||||
@@ -159,6 +161,9 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i) {
|
||||
i1.LowPart = t->absolute.dwLowDateTime;
|
||||
i1.HighPart = t->absolute.dwHighDateTime;
|
||||
|
||||
if (UINT64_MAX - i1.QuadPart < i->interval)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
i1.QuadPart += i->interval;
|
||||
|
||||
t->absolute.dwLowDateTime = i1.LowPart;
|
||||
@@ -178,7 +183,7 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2) {
|
||||
return ((int)CompareFileTime(&t1->absolute, &t2->absolute));
|
||||
}
|
||||
|
||||
void
|
||||
isc_result_t
|
||||
isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
|
||||
ULARGE_INTEGER i1;
|
||||
|
||||
@@ -191,13 +196,18 @@ isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
|
||||
i1.LowPart = t->absolute.dwLowDateTime;
|
||||
i1.HighPart = t->absolute.dwHighDateTime;
|
||||
|
||||
if (UINT64_MAX - i1.QuadPart < i->interval)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
i1.QuadPart += i->interval;
|
||||
|
||||
result->absolute.dwLowDateTime = i1.LowPart;
|
||||
result->absolute.dwHighDateTime = i1.HighPart;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
void
|
||||
isc_result_t
|
||||
isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
|
||||
ULARGE_INTEGER i1;
|
||||
|
||||
@@ -210,7 +220,8 @@ isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
|
||||
i1.LowPart = t->absolute.dwLowDateTime;
|
||||
i1.HighPart = t->absolute.dwHighDateTime;
|
||||
|
||||
REQUIRE(i1.QuadPart >= i->interval);
|
||||
if (i.QuadPart < i->interval)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
i1.QuadPart -= i->interval;
|
||||
|
||||
@@ -255,6 +266,99 @@ isc_time_seconds(isc_time_t *t) {
|
||||
return ((isc_uint32_t)(i.QuadPart / INTERVALS_PER_S));
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
isc_time_secondsastimet(isc_time_t *t, time_t *secondsp) {
|
||||
ULARGE_INTEGER i1, i2;
|
||||
time_t seconds;
|
||||
|
||||
REQUIRE(t != NULL);
|
||||
|
||||
i1.LowPart = t->absolute.dwLowDateTime;
|
||||
i1.HighPart = t->absolute.dwHighDateTime;
|
||||
|
||||
i1.QuadPart /= INTERVALS_PER_S;
|
||||
|
||||
/*
|
||||
* Ensure that the number of seconds can be represented by a time_t.
|
||||
* Since the number seconds is an unsigned int and since time_t is
|
||||
* mostly opaque, this is trickier than it seems. (This standardized
|
||||
* opaqueness of time_t is *very* * frustrating; time_t is not even
|
||||
* limited to being an integral type.) Thought it is known at the
|
||||
* time of this writing that time_t is a signed long on the Win32
|
||||
* platform, the full treatment is given to figuring out if things
|
||||
* fit to allow for future Windows platforms where time_t is *not*
|
||||
* a signed long, or where perhaps a signed long is longer than
|
||||
* it currently is.
|
||||
*/
|
||||
seconds = (time_t)i1.QuadPart;
|
||||
|
||||
/*
|
||||
* First, only do the range tests if the type of size_t is integral.
|
||||
* Float/double easily include the maximum possible values.
|
||||
*/
|
||||
if ((time_t)0.5 != 0.5) {
|
||||
/*
|
||||
* Did all the bits make it in?
|
||||
*/
|
||||
if ((seconds & i1.QuadPart) != i1.QuadPart)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
/*
|
||||
* Is time_t signed with the high bit set?
|
||||
*
|
||||
* The first test (the sizeof comparison) determines
|
||||
* whether we can even deduce the signedness of time_t
|
||||
* by using ANSI's rule about integer conversion to
|
||||
* wider integers.
|
||||
*
|
||||
* The second test uses that ANSI rule to see whether
|
||||
* the value of time_t was sign extended into QuadPart.
|
||||
* If the test is true, then time_t is signed.
|
||||
*
|
||||
* The final test ensures the high bit is not set, or
|
||||
* the value is negative and hence there is a range error.
|
||||
*/
|
||||
if (sizeof(time_t) < sizeof(i2.QuadPart) &&
|
||||
((i2.QuadPart = (time_t)-1) ^ (time_t)-1) != 0 &&
|
||||
(seconds & (1 << (sizeof(time_t) * 8 - 1))) != 0)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
/*
|
||||
* Last test ... the size of time_t is >= that of i2.QuadPart,
|
||||
* so we can't determine its signedness. Unconditionally
|
||||
* declare anything with the high bit set as out of range.
|
||||
* Since even the maxed signed value is ludicrously far from
|
||||
* when this is being written, this rule shall not impact
|
||||
* anything for all intents and purposes.
|
||||
*
|
||||
* How far? Well ... if FILETIME is in 100 ns intervals since
|
||||
* 1600, and a QuadPart can store 9223372036854775808 such
|
||||
* intervals when interpreted as signed (ie, if sizeof(time_t)
|
||||
* == sizeof(QuadPart) but time_t is signed), that means
|
||||
* 9223372036854775808 / INTERVALS_PER_S = 922,337,203,685
|
||||
* seconds. That number divided by 60 * 60 * 24 * 365 seconds
|
||||
* per year means a signed time_t can store at least 29,247
|
||||
* years, with only 400 of those years used up since 1600 as I
|
||||
* write this in May, 2000.
|
||||
*
|
||||
* (Real date calculations are of course incredibly more
|
||||
* complex; I'm only describing the approximate scale of
|
||||
* the numbers involved here.)
|
||||
*
|
||||
* If the Galactic Federation is still running libisc's time
|
||||
* libray on a Windows platform in the year 27647 A.D., then
|
||||
* feel free to hunt down my greatgreatgreatgreatgreat(etc)
|
||||
* grandchildren and whine at them about what I did.
|
||||
*/
|
||||
if ((seconds & (1 << (sizeof(time_t) * 8 - 1))) != 0)
|
||||
return (ISC_R_RANGE);
|
||||
}
|
||||
|
||||
*secondsp = seconds;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
isc_uint32_t
|
||||
isc_time_nanoseconds(isc_time_t *t) {
|
||||
ULARGE_INTEGER i;
|
||||
|
||||
Reference in New Issue
Block a user