
Re: af_alg: Comment and style improvements


From: Bruno Haible
Subject: Re: af_alg: Comment and style improvements
Date: Mon, 25 Jun 2018 21:20:51 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-128-generic; KDE/5.18.0; x86_64; ; )

Paul Eggert wrote:
> > -  /* Avoid calling both strcpy and strlen.  */
> > -  for (int i = 0; (salg.salg_name[i] = alg[i]); i++)
> > +  /* Copy alg into salg.salg_name, without calling strcpy nor strlen.  */
> > +  for (size_t i = 0; (salg.salg_name[i] = alg[i]) != '\0'; i++)
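Review bot: the rewritten loop `for (size_t i = 0; (salg.salg_name[i] = alg[i]) != '\0'; i++)` is still bounded only by the terminator of alg, never by the capacity of salg.salg_name, so an algorithm name longer than the destination would overrun it whichever index type (int, ptrdiff_t or size_t) is chosen. If every caller does not already guarantee that alg fits, stop the loop at `i < sizeof salg.salg_name - 1` and report failure instead of copying, or else record that precondition in the new comment so readers know why no check is needed. Minor: "without calling strcpy nor strlen" should read "without calling strcpy or strlen".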

> If you don't like int due to concerns about too-large sizes (of course 
> theoretical in this case, but here we are...)

Yes, this was my point. When I see an 'int' type, a bell rings in my head:
"32 bit! too small!".

When someone is unlucky enough to pass a string that is larger than 2 GiB
in length, they should get correct behaviour nevertheless.

> I prefer to use signed integer types when possible, as it allows better 
> runtime checking (for integer overflow). This is a style encouraged 
> within Emacs and I'd like to encourage it elsewhere too.
> 
> If you don't like int due to concerns about too-large sizes (of course 
> theoretical in this case, but here we are...), then how about ptrdiff_t 
> instead?

We talked through it already. I have nothing against ptrdiff_t as a type
in principle, but I want a typedef that clearly indicates (to the reader,
to a compiler that is able to emit diagnostics, and to possible static
analysis / program verification tools that will be added in the future)
that the variable is supposed to hold values >= 0 only. [1]

Bruno

[1] https://lists.gnu.org/archive/html/bug-gnulib/2017-06/msg00024.html
