Tom Lane wrote:
I'd change growalloc() so that its nitems-related arguments are defined as size_t not ptrdiff_t, and forget about this idea that ptrdiff_t has anything to do with the limit of what can be requested from malloc.
ptrdiff_t is relevant since zic subtracts pointers, and subtraction has undefined behavior if the result doesn't fit into ptrdiff_t. All other things being equal I prefer signed integer arithmetic to unsigned, because on some platforms overflow checking works with signed arithmetic and this can help find programming errors. This is why growalloc uses ptrdiff_t rather than size_t even though either would do.
What about doing the comparison in an #if?
#if is best avoided when possible (it can't always be).

Robert Elz wrote:
if it weren't for all these (not nearly so clever) analysers attempting to second guess what is happening and getting it wrong, it would be fine as it is.
Yes, attempting to pacify all these analyzers can contort the code, which I'd rather avoid. I don't even like the INITIALIZE macro, and considered adding -Wno-maybe-uninitialized to GCC_DEBUG_FLAGS so that INITIALIZE can be removed. I kept INITIALIZE only because I use GCC and -Wmaybe-uninitialized is so useful in finding real bugs elsewhere. As far as Coverity etc. go, I would rather that people filed bug reports to get these other static analyzers fixed, as I try to do with GCC. I just now checked tzcode with Clang and found one recently-added bit of unnecessary code, which I fixed with the attached.
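The signed-count argument above, worked through as an added example (this is not tzcode's growalloc; `grow_count`, `growalloc` and `append_and_count` are hypothetical names, and the code assumes the GCC/Clang `__builtin_*_overflow` builtins): item counts are kept in ptrdiff_t and capped so that the array can never grow past PTRDIFF_MAX elements, which keeps pointer subtraction over it defined, and every growth step is checked for signed overflow so that a miscalculation trips a check or a sanitizer rather than wrapping silently as size_t arithmetic would.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growalloc-style helpers (added example, not tzcode's own).
   Counts are ptrdiff_t rather than size_t: the arrays are walked with
   pointer arithmetic, and C defines pointer subtraction only when the
   result fits in ptrdiff_t, so the buffer must never hold more than
   PTRDIFF_MAX items.  Signed arithmetic also lets
   -fsanitize=signed-integer-overflow (or -ftrapv) trap a bug here instead
   of letting it wrap.  Overflow checks use GCC/Clang builtins. */

/* Returns the allocation count for a buffer that must hold at least
   nitems + 1 elements of itemsize bytes: the current count if there is
   still room, a larger count otherwise, or -1 if growing would overflow
   ptrdiff_t (in elements or in bytes).  Kept separate from the realloc so
   the arithmetic can be tested on its own. */
static ptrdiff_t grow_count(ptrdiff_t nitems, ptrdiff_t nitems_alloc,
                            ptrdiff_t itemsize)
{
    if (nitems < 0 || nitems_alloc < 0 || itemsize <= 0)
        return -1;
    if (nitems < nitems_alloc)
        return nitems_alloc;            /* still room, nothing to do */

    /* Grow by about 50% plus one, checking each step for overflow. */
    ptrdiff_t half = nitems_alloc / 2;
    ptrdiff_t newcount, bytes;
    if (__builtin_add_overflow(nitems_alloc, half, &newcount)
        || __builtin_add_overflow(newcount, 1, &newcount)
        || __builtin_mul_overflow(newcount, itemsize, &bytes))
        return -1;                      /* would exceed PTRDIFF_MAX */
    return newcount;
}

/* Ensures ptr has room for nitems + 1 items, reallocating if needed and
   updating *nitems_alloc.  Exits on overflow or allocation failure. */
static void *growalloc(void *ptr, ptrdiff_t itemsize, ptrdiff_t nitems,
                       ptrdiff_t *nitems_alloc)
{
    ptrdiff_t newcount = grow_count(nitems, *nitems_alloc, itemsize);
    if (newcount < 0) {
        fprintf(stderr, "growalloc: too many items\n");
        exit(EXIT_FAILURE);
    }
    if (newcount == *nitems_alloc)
        return ptr;
    /* Both factors are positive and their product fit in ptrdiff_t, so the
       size_t conversion cannot wrap. */
    void *p = realloc(ptr, (size_t)newcount * (size_t)itemsize);
    if (!p) {
        perror("realloc");
        exit(EXIT_FAILURE);
    }
    *nitems_alloc = newcount;
    return p;
}

/* Appends n ints to a growalloc-managed array and returns the element
   count recovered by subtracting pointers, which is well defined because
   the count can never exceed PTRDIFF_MAX. */
static ptrdiff_t append_and_count(ptrdiff_t n)
{
    int *buf = NULL;
    ptrdiff_t nitems = 0, nalloc = 0;
    for (ptrdiff_t i = 0; i < n; i++) {
        buf = growalloc(buf, sizeof *buf, nitems, &nalloc);
        buf[nitems++] = (int)i;
    }
    int *end = buf + nitems;
    ptrdiff_t count = end - buf;        /* pointer subtraction, in range */
    free(buf);
    return count;
}

int main(void)
{
    printf("appended %td ints\n", append_and_count(1000));
    printf("grow from 8 -> %td\n", grow_count(8, 8, sizeof(int)));
    printf("grow past PTRDIFF_MAX -> %td\n",
           grow_count(PTRDIFF_MAX, PTRDIFF_MAX, 1));
    return 0;
}
```

Compiling this with `-fsanitize=signed-integer-overflow` is the point of keeping the counts signed: if a future edit drops one of the `__builtin_*_overflow` checks, the sanitizer reports the overflow at the exact expression instead of the program quietly requesting a wrapped-around size from realloc.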