[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: xsize and flexmember
From: |
Marc Nieper-Wißkirchen |
Subject: |
Re: xsize and flexmember |
Date: |
Fri, 1 May 2020 11:20:34 +0200 |
Am Fr., 1. Mai 2020 um 11:09 Uhr schrieb Bruno Haible <address@hidden>:
>
> Paul Eggert wrote:
> > I realize we have dueling conventions here, but would prefer that
> > saturated size_t arithmetic have a longer prefix or suffix than just "x".
>
> I'm open to this. What prefix would you propose instead of 'x'?
Whatever prefix instead, it should be a short as 'x'. As the functions
exported by xsize are to be used in place of the usual arithmetic
operators, their names should be short.
> Generally, 'xsize' has not caught on as I had expected. It is still a
> simple solution to the task of avoiding inadvertent overflow, especially
> in complex expressions, but
> - many people continued to prefer ad-hoc code, especially for simple
> expressions,
I'd rather use the xsize code than ad-hoc code because it expresses
the programmer's intent much better.
> - the 'xsize' module is written for size_t, therefore overflow checking
> for 'unsigned int' or 'unsigned long' still has to be done the
> manual way,
I think that size_t calculations are still the most important ones.
Thanks,
Marc
> - on glibc systems, the problem has been mitigated since malloc()
> now refuses arguments > SIZE_MAX/2, thus in a loop that grows an
> array malloc() will typically fail before the size overflows.
>
> Thoughts?
>
> Bruno
>