Re: [PATCH] base32, base64: prefer signed to unsigned integers

From: Bruno Haible
Subject: Re: [PATCH] base32, base64: prefer signed to unsigned integers
Date: Sun, 29 Aug 2021 12:16:47 +0200

Paul Eggert wrote:
> > Or maybe the cause is the line
> > 
> >    assume (0 <= inlen);
> > 
> > At the entry point of a public function, it is better to use 'assert' than
> > 'assume', IMO. 'assume' means "feel free to crash or press the red button
> > if there is an invalid argument".
> 'assume' was the intent. A negative idx_t arg is an error as serious as 
> an out-of-range index in an array, and so should be undefined behavior. 

I could somehow agree with this, if base64_encode_alloc were a new API.
But there is an API change. There may be invocations of this function out
there with an argument between SIZE_MAX/2 and SIZE_MAX-1. Changing such
calls to be undefined behaviour means that these invocations now need
debugging in the packages that contain them.

IMO, it would be better to have code like this in base64_encode_alloc:

  if (inlen < 0)
    /* This argument is invalid, since the API change from 2021-08-28.  */
    abort ();

An abort() is a much better indication that something is wrong, for those
users of the function that have not updated their code yet, than a
test suite that spuriously fails.
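As an added illustration of the point made in the message above (example code written for this page, not gnulib's base64.c): a small encoder whose entry point takes the signed length and performs the abort() check proposed there, together with a helper showing which former size_t arguments now arrive negative. idx_t is assumed to be ptrdiff_t, as gnulib's is; the names b64_encode_alloc_demo, b64_encoded_len and size_t_len_turns_negative are made up for the example, and the inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* gnulib's idx_t is a signed index type (ptrdiff_t); it is defined locally
   here so that the example builds without gnulib.  */
typedef ptrdiff_t idx_t;

static const char b64chars[] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Would a pre-change caller's size_t length arrive negative at the new
   signed entry point?  Converting an out-of-range size_t to idx_t is
   implementation-defined in C; on the usual two's-complement targets every
   value above SIZE_MAX/2 wraps to a negative number.  */
static bool
size_t_len_turns_negative (size_t len)
{
  idx_t inlen = (idx_t) len;
  return inlen < 0;
}

/* Bytes needed for the encoding of INLEN input bytes, NUL included, or -1
   if that would not fit in idx_t.  The bound keeps (inlen + 2) / 3 * 4 + 1
   from overflowing.  */
static idx_t
b64_encoded_len (idx_t inlen)
{
  if (inlen > PTRDIFF_MAX / 4 * 3 - 3)
    return -1;
  return (inlen + 2) / 3 * 4 + 1;
}

/* Hypothetical encoder shaped like base64_encode_alloc after the switch to a
   signed length (example code, not gnulib's).  A negative INLEN is rejected
   with abort (), as proposed in the message above, instead of being declared
   undefined behaviour.  Returns the number of characters written (NUL
   excluded) and stores the malloc'd buffer in *OUT, or returns -1 with *OUT
   set to NULL on overflow or allocation failure.  */
static idx_t
b64_encode_alloc_demo (const char *in, idx_t inlen, char **out)
{
  *out = NULL;
  if (inlen < 0)
    /* Invalid since the length became signed; a stale size_t caller lands
       here with a clear failure instead of silent misbehaviour.  */
    abort ();

  idx_t outlen = b64_encoded_len (inlen);
  if (outlen < 0)
    return -1;
  char *p = malloc ((size_t) outlen);
  if (p == NULL)
    return -1;
  *out = p;

  const unsigned char *s = (const unsigned char *) in;
  idx_t i;
  for (i = 0; inlen - i >= 3; i += 3)
    {
      uint32_t v = (uint32_t) s[i] << 16 | (uint32_t) s[i + 1] << 8 | s[i + 2];
      *p++ = b64chars[v >> 18 & 63];
      *p++ = b64chars[v >> 12 & 63];
      *p++ = b64chars[v >> 6 & 63];
      *p++ = b64chars[v & 63];
    }
  idx_t rest = inlen - i;
  if (rest > 0)
    {
      uint32_t v = (uint32_t) s[i] << 16;
      if (rest == 2)
        v |= (uint32_t) s[i + 1] << 8;
      *p++ = b64chars[v >> 18 & 63];
      *p++ = b64chars[v >> 12 & 63];
      *p++ = rest == 2 ? b64chars[v >> 6 & 63] : '=';
      *p++ = '=';
    }
  *p = '\0';
  return p - *out;
}

int
main (void)
{
  char *out;
  idx_t n = b64_encode_alloc_demo ("Man", 3, &out);   /* constructed input */
  printf ("%td chars: %s\n", n, out);
  free (out);
  /* A size_t length that was legal before the API change but is negative
     now; passing it would hit the abort () above.  */
  printf ("SIZE_MAX - 1 arrives negative: %s\n",
          size_t_len_turns_negative (SIZE_MAX - 1) ? "yes" : "no");
  return 0;
}
```

The helper makes the message's range concrete: SIZE_MAX/2 itself still converts to a non-negative idx_t, but SIZE_MAX/2 + 1 through SIZE_MAX - 1 all arrive negative, which is exactly the set of old callers the abort() catches and an assume() would silently hand to the optimizer.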

