List lengths are always fixnums now

Without this patch, it was theoretically possible for a list
length to be a bignum, which means that safe-length could
signal an error (due to generating a too-large bignum) contrary
to its documentation.  Fix things to remove the theoretical
possibility, so that list lengths are always fixnums (and so
that list lenghts are always ptrdiff_t values too, since that
is assumed internally anyway).
* src/alloc.c (Fcons): Do not allocate so many conses that
a list length won’t fit into ptrdiff_t or into fixnum.
This matters only on weird platforms; on typical platforms,
list lengths always fit anyway.
* src/fns.c (list_length, Fsafe_length, proper-list-p):
Remove integer overflow checks that are no longer needed.

1 files changed, 13 insertions, 0 deletions

diff --git a/src/alloc.c b/src/alloc.c
index 407ac725414..31e8da70161 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -2774,6 +2774,19 @@ DEFUN ("cons", Fcons, Scons, 2, 2, 0,
     {
       if (cons_block_index == CONS_BLOCK_SIZE)
         {
+          /* Maximum number of conses that should be active at any
+             given time, so that list lengths fit into a ptrdiff_t and
+             into a fixnum.  */
+          ptrdiff_t max_conses = min (PTRDIFF_MAX, MOST_POSITIVE_FIXNUM);
+
+          /* This check is typically optimized away, as a runtime
+             check is needed only on weird platforms where a count of
+             distinct conses might not fit.  */
+          if (max_conses < INTPTR_MAX / sizeof (struct Lisp_Cons)
+              && (max_conses - CONS_BLOCK_SIZE
+                  < total_free_conses + total_conses))
+            memory_full (sizeof (struct cons_block));
+
           struct cons_block *new
             = lisp_align_malloc (sizeof *new, MEM_TYPE_CONS);
           memset (new->gcmarkbits, 0, sizeof new->gcmarkbits);