bug-gnulib

Re: [PATCH] base32, base64: prefer signed to unsigned integers


From: Paul Eggert
Subject: Re: [PATCH] base32, base64: prefer signed to unsigned integers
Date: Sun, 29 Aug 2021 00:57:03 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0

On 8/28/21 7:12 AM, Bruno Haible wrote:
> Or maybe the cause is the line
>
>    assume (0 <= inlen);
>
> At the entry point of a public function, it is better to use 'assert' than
> 'assume', IMO. 'assume' means "feel free to crash or press the red button
> if there is an invalid argument".

'assume' was the intent. A negative idx_t arg is an error as serious as an out-of-range index in an array, and so should be undefined behavior. We shouldn't sprinkle 'assert's all over the place for this: it should be something built into the compiler and/or runtime system when one enables runtime checking.

I put in the 'assume' only to help GCC generate better code (to let it choose unsigned or signed division, whichever it thinks is faster). That's overkill here and the 'assume's are evidently dust magnets so I removed the 'assume's in the patch I recently installed.
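The 'assume' versus 'assert' distinction discussed above, as an added illustration that is not gnulib's or the poster's code: the assume macro is a simplified stand-in for the one in gnulib's verify.h, and the two functions apply the same precondition to a signed base64 input length.

```c
/* Added example: a plain assert() next to a stand-in for gnulib's assume(),
   both guarding the same precondition on a signed input length. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for gnulib's assume() (assumption: simplified from verify.h).
   When the condition is false the compiler may treat the rest of the
   function as unreachable, i.e. undefined behavior; no check is emitted. */
#if defined __GNUC__ || defined __clang__
# define assume(R) ((R) ? (void) 0 : __builtin_unreachable ())
#else
# define assume(R) ((void) 0)
#endif

/* Base64 output bytes (without NUL) for INLEN input bytes: 4 for every
   3 input bytes, rounded up.  The precondition is checked at run time,
   so a negative length aborts unless NDEBUG is defined.  Caller keeps
   INLEN small enough that INLEN + 2 and the result do not overflow. */
ptrdiff_t
base64_encoded_len_assert (ptrdiff_t inlen)
{
  assert (0 <= inlen);
  return (inlen + 2) / 3 * 4;
}

/* Same computation with the precondition only assumed.  Since the
   compiler may take 0 <= inlen as given, it is free to compile the
   division by 3 as if INLEN were unsigned; a negative argument is
   undefined behavior rather than a diagnosed error. */
ptrdiff_t
base64_encoded_len_assume (ptrdiff_t inlen)
{
  assume (0 <= inlen);
  return (inlen + 2) / 3 * 4;
}

int
main (void)
{
  for (ptrdiff_t n = 0; n <= 7; n++)
    printf ("inlen %td -> %td output bytes\n", n,
            base64_encoded_len_assert (n));
  return 0;
}
```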
