nisse@lysator.liu.se (Niels Möller) writes:
This code needs some careful analysis, to see under what conditions hi might be used uninitialized, and in case there's some valid inputs for which this could happen fix that, and if not, back up our assumptions with asserts (which I hope the static analyzer will understand).
It turns out analysis isn't that subtle. The thing is, the static analyzer thinks that the loop condition (rn >= 2*mn - bn) can be initially false.
Now, rn is initialized to 2*mn, so this could be false only if the subtraction underflows. Which it doesn't do, since the valid range for bn is 0 < bn < mn.
Question is what's the best way to make that clear to compilers and analyzers.
Loops could be rewritten as do {} while (0) loops. Or we could add more asserts, maybe it's sufficient to replace the somewhat weak
assert (sn > 0);
with
assert (bn < mn);
Since sn is size_t (unsigned), the former only checks that mn != bn.
This code is a bit hairy as is, so we should try to not make it even more complex.
Regards, /Niels
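As an added illustration of the point made in this message (not code from the thread or from the project), the functions below model the loop entry condition with rn, mn and bn as in the post, and compare the weak size_t check `sn > 0` against `bn < mn`. The function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the loop entry: rn starts at 2*mn and the body runs
   while rn >= 2*mn - bn. With size_t arithmetic, 2*mn - bn wraps
   to a huge value when bn > 2*mn, so the loop body never runs. */
bool body_runs_at_least_once(size_t mn, size_t bn)
{
    size_t rn = 2 * mn;
    return rn >= 2 * mn - bn;
}

/* The weak check from the thread: sn = mn - bn as size_t.
   Because the subtraction wraps, sn > 0 only rules out bn == mn;
   it is still satisfied for bn > mn. */
bool weak_check_passes(size_t mn, size_t bn)
{
    size_t sn = mn - bn;
    return sn > 0;
}

/* The stronger check proposed instead: excludes every bn >= mn. */
bool strong_check_passes(size_t mn, size_t bn)
{
    return bn < mn;
}

int main(void)
{
    /* Constructed inputs: one valid, one with bn far above mn. */
    size_t mn = 4, bad_bn = 9, good_bn = 2;
    printf("bn=%zu: weak=%d strong=%d loop runs=%d\n", good_bn,
           weak_check_passes(mn, good_bn), strong_check_passes(mn, good_bn),
           body_runs_at_least_once(mn, good_bn));
    printf("bn=%zu: weak=%d strong=%d loop runs=%d\n", bad_bn,
           weak_check_passes(mn, bad_bn), strong_check_passes(mn, bad_bn),
           body_runs_at_least_once(mn, bad_bn));
    return 0;
}
```

With bn = 9 and mn = 4 the weak assert passes while the loop body never executes, which is exactly the path on which hi would be read uninitialized; `bn < mn` rejects that input.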