I agree with Alex. Underflow is just as bad as overflow. —Myles
> On Jan 26, 2023, at 8:12 PM, Alex Christensen <achristen...@apple.com> wrote:
>
> If you are subtracting things that have not been verified to produce a positive value, then you hopefully aren’t dealing with values that can’t be negative, so this wouldn’t apply then. Forgetting to verify things is a bug in many places. I also think that a buffer offset of -1 is just about as bad as a buffer offset of 4294967295.
>
>> On Jan 26, 2023, at 6:44 PM, Simon Fraser via webkit-dev <webkit-dev@lists.webkit.org> wrote:
>>
>> Late to the party but….
>>
>> Avoiding unsigned is usually recommended to avoid inadvertent underflow:
>>
>>     unsigned big = 200;
>>     unsigned small = 100;
>>     auto result = small - big; // underflow
>>
>> This is particularly bad when doing math on buffer offsets and sizes, and can result in OOB bugs. I believe Apple’s media frameworks code has a “no unsigned usage” rule because of that. I’m surprised that no-one has raised it in this discussion.
>>
>> Simon
>>
>>> On Jan 24, 2023, at 2:00 AM, Myles Maxfield via webkit-dev <webkit-dev@lists.webkit.org> wrote:
>>>
>>> Hello!
>>>
>>> I recently learned that the C++ core guidelines recommend against using unsigned to avoid negative values. Section 4.4 on page 73 of The C++ Programming Language says unsigned types should be used for bitfields and not in an attempt to ensure values are positive. Some talks by people on the C++ standards committee (e.g., Herb Sutter) recommend against using unsigned types simply because the value is expected to be positive.
>>>
>>> Should we be avoiding unsigneds for these purposes? WebKit uses unsigneds all over the place, and I’m assuming a fair many of them are there to indicate that negative values are avoided. The C++ recommendation goes against my intuition that the type is there for clarity, to indicate expectations about the meaning and behavior of its value. But if it’s standard practice to just use int instead, perhaps we should update the style guide?
>>>
>>> What do you think?
>>>
>>> —Myles
>>> _______________________________________________
>>> webkit-dev mailing list
>>> webkit-dev@lists.webkit.org
>>> https://lists.webkit.org/mailman/listinfo/webkit-dev
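The buffer-offset case the thread is arguing about, as an added example (not code from the thread or from WebKit): the naive unsigned check wraps when offset > length, the naive signed variant waves through an offset of -1, and only a version that validates its inputs rejects both. The `fits*` function names, the buffer lengths and the use of the GCC/Clang `__builtin_sub_overflow` builtin are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Question every function below answers for a constructed buffer of
// `length` bytes: does a read of `needed` bytes starting at `offset` fit?

// Unsigned, as in Simon's snippet: when offset > length the subtraction
// wraps to a huge value, the comparison passes, and the caller reads OOB.
bool fitsUnsignedNaive(uint32_t length, uint32_t offset, uint32_t needed)
{
    return length - offset >= needed;
}

// Switching to signed does not fix the missing check: offset == -1 makes
// "length - offset" one byte larger than the buffer, so this passes too.
// This is Alex's point that -1 is about as bad as 4294967295.
bool fitsSignedNaive(int32_t length, int32_t offset, int32_t needed)
{
    return length - offset >= needed;
}

// Hardened: the subtraction is done with an overflow-checked builtin, so a
// wrapped result is reported as failure instead of silently compared. An
// int offset of -1 converted to uint32_t becomes 4294967295 and is rejected
// by the same path; no separate "is it negative?" branch is needed.
bool fitsChecked(uint32_t length, uint32_t offset, uint32_t needed)
{
    uint32_t remaining;
    if (__builtin_sub_overflow(length, offset, &remaining))
        return false; // offset lies beyond the end of the buffer
    return remaining >= needed;
}

int main()
{
    const uint32_t length = 100;
    printf("naive unsigned, offset 200: %d\n", fitsUnsignedNaive(length, 200, 1));
    printf("naive signed,   offset -1:  %d\n", fitsSignedNaive(length, -1, 101));
    printf("checked,        offset 200: %d\n", fitsChecked(length, 200, 1));
    printf("checked,        offset 40:  %d\n", fitsChecked(length, 40, 60));
    return 0;
}
```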