integer arithmetic types: correct perhaps-possible negative timeout situation
author Ian Jackson <ijackson@chiark.greenend.org.uk>
Sun, 12 Jun 2011 19:35:47 +0000 (20:35 +0100)
committer Ian Jackson <ijackson@chiark.greenend.org.uk>
Sun, 26 Jun 2011 11:07:26 +0000 (12:07 +0100)
site_settimeout assumes that its timeout parameter is not before now.
Following the logic of the code this would appear to be currently
true, although I'm not absolutely certain.

Nevertheless it would be better to avoid this assumption.  Instead,
use a signed variable for the time until the timeout, and explicitly
turn negative values into zero.

The use of an int64_t will not cause an arithmetic overflow provided
that no timeouts are more than 2^64 milliseconds (around 580x10^6 yr)
in the past or the future.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
site.c

diff --git a/site.c b/site.c
index 8ef8f5a..c2a2303 100644 (file)
--- a/site.c
+++ b/site.c
@@ -936,7 +936,8 @@ static inline void site_settimeout(uint64_t timeout, uint64_t *now,
                                   int *timeout_io)
 {
     if (timeout) {
-       uint64_t offset=timeout-*now;
+       int64_t offset=timeout-*now;
+       if (offset<0) offset=0;
        if (offset>INT_MAX) offset=INT_MAX;
        if (*timeout_io<0 || offset<*timeout_io)
            *timeout_io=offset;
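Review bot: the subtraction `timeout-*now` on the changed line is still performed in uint64_t, so when `timeout < *now` the result wraps to a huge unsigned value before it is converted to int64_t, and that out-of-range unsigned-to-signed conversion is implementation-defined in C rather than guaranteed to yield the intended negative number (two's-complement wraparound is what every real target does, but the code now silently relies on it). Consider making the intent explicit and avoiding the conversion altogether, e.g. `int64_t offset = (timeout >= *now) ? (int64_t)(timeout - *now) : 0;`, or at least add a comment beside `if (offset<0) offset=0;` stating that the negative case is reached via wraparound of the unsigned difference. The subsequent `if (offset>INT_MAX) offset=INT_MAX;` clamp and the comparison against `*timeout_io` are fine with the signed 64-bit `offset`.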