In `smartlist_ensure_capacity`, in src/common/container.c: ``` if (size > sl->capacity) { int higher = sl->capacity * 2; while (size > higher) higher *= 2; tor_assert(higher > 0); /* detect overflow */ ``` Overflow of a signed integer produces undefined results. I would be surprised if GCC doesn't optimize this comparison out, just for the sake of conjuring nasal demons at people who don't code with a copy of the C ‘standard’ at hand.