[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] base32, base64: prefer signed to unsigned integers

From: Paul Eggert
Subject: Re: [PATCH] base32, base64: prefer signed to unsigned integers
Date: Sun, 29 Aug 2021 00:57:03 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0

On 8/28/21 7:12 AM, Bruno Haible wrote:
Or maybe the cause is the line

   assume (0 <= inlen);

At the entry point of a public function, it is better to use 'assert' than
'assume', IMO. 'assume' means "feel free to crash or press the red button
if there is an invalid argument".

'assume' was the intent. A negative idx_t arg is an error as serious as an out-of-range index in an array, and so should be undefined behavior. We shouldn't sprinkle 'assert's all over the place for this: it should be something builtin to the compiler and/or runtime system when one enables runtime checking.

I put in the 'assume' only to help GCC generate better code (to let it choose unsigned or signed division, whichever it thinks is faster). That's overkill here and the 'assume's are evidently dust magnets so I removed the 'assume's in the patch I recently installed.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]