Re: af_alg: Comment and style improvements
From: Bruno Haible
Subject: Re: af_alg: Comment and style improvements
Date: Mon, 25 Jun 2018 21:20:51 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-128-generic; KDE/5.18.0; x86_64; ; )
Paul Eggert wrote:
> > - /* Avoid calling both strcpy and strlen. */
> > - for (int i = 0; (salg.salg_name[i] = alg[i]); i++)
> > + /* Copy alg into salg.salg_name, without calling strcpy nor strlen. */
> > + for (size_t i = 0; (salg.salg_name[i] = alg[i]) != '\0'; i++)
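Review bot: The replaced loop still has no bound on i against the size of salg.salg_name: it terminates only when it copies alg's NUL, so changing the index from int to size_t fixes the index type but leaves the copy relying on the caller to guarantee that alg fits in the fixed-size field. If that guarantee is not established before this point, bound the loop (for example `i < sizeof salg.salg_name`) and fail when the terminator has not been seen, rather than writing past the field. The new comment also states what the loop does ("without calling strcpy nor strlen") but drops the original's "Avoid calling both" rationale; keeping a one-line reason for not using strcpy here would help the next reader.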
> If you don't like int due to concerns about too-large sizes (of course
> theoretical in this case, but here we are...)
Yes, this was my point. When I see an 'int' type, a bell rings in my head:
"32 bit! too small!".
When someone is unlucky enough to pass a string that is larger than 2 GiB
in length, they should get correct behaviour nevertheless.
> I prefer to use signed integer types when possible, as it allows better
> runtime checking (for integer overflow). This is a style encouraged
> within Emacs and I'd like to encourage it elsewhere too.
>
> If you don't like int due to concerns about too-large sizes (of course
> theoretical in this case, but here we are...), then how about ptrdiff_t
> instead?
We talked through it already. I have nothing against ptrdiff_t as a type
in principle, but I want a typedef that clearly indicates (to the reader,
to a compiler that is able to emit diagnostics, and to possible static
analysis / program verification tools that will be added in the future)
that the variable is supposed to hold values >= 0 only. [1]
Bruno
[1] https://lists.gnu.org/archive/html/bug-gnulib/2017-06/msg00024.html
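The loop discussed in this thread, written out as an added example that is not code from the gnulib af_alg patch or from either author: the index is a size_t, so it cannot go negative or wrap the way an int would on a string longer than 2 GiB, and the bound against the destination field is made explicit instead of relying on the caller. `copy_alg_name`, `set_alg_name`, `struct fake_salg` and `ALG_NAME_MAX` are this example's own names; the 64-byte size is assumed to mirror the kernel's `salg_name` field, but the struct here is a local stand-in, not `struct sockaddr_alg`, so the example builds without Linux headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the salg_name field of struct sockaddr_alg
   (64 bytes in linux/if_alg.h as I understand it); defined locally so
   this example compiles anywhere.  */
#define ALG_NAME_MAX 64

struct fake_salg {
    char salg_name[ALG_NAME_MAX];
};

/* Copy the NUL-terminated string ALG into DST (capacity DSTSIZE bytes)
   without calling strcpy or strlen.  The index is size_t: it holds only
   values >= 0 and cannot overflow at INT_MAX on a very long ALG.
   Returns 0 on success.  Returns -1 if ALG plus its terminator does not
   fit; in that case DST holds a truncated, NUL-terminated copy and no
   byte past DST[DSTSIZE - 1] is written.  */
int copy_alg_name(char *dst, size_t dstsize, const char *alg)
{
    if (dstsize == 0)
        return -1;

    for (size_t i = 0; i < dstsize; i++) {
        if ((dst[i] = alg[i]) == '\0')
            return 0;           /* terminator copied within the bound */
    }

    /* Ran out of room before seeing ALG's terminator.  */
    dst[dstsize - 1] = '\0';
    return -1;
}

/* Fill SALG's name field from ALG, zeroing the field first so that the
   unused tail does not carry stack garbage into a later bind().  */
int set_alg_name(struct fake_salg *salg, const char *alg)
{
    memset(salg->salg_name, 0, sizeof salg->salg_name);
    return copy_alg_name(salg->salg_name, sizeof salg->salg_name, alg);
}

int main(void)
{
    struct fake_salg salg;

    /* Constructed inputs: a normal name and one that is too long.  */
    if (set_alg_name(&salg, "sha256") == 0)
        printf("ok: %s\n", salg.salg_name);

    char toolong[ALG_NAME_MAX + 8];
    memset(toolong, 'a', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';
    if (set_alg_name(&salg, toolong) != 0)
        printf("rejected: name longer than %d bytes\n", ALG_NAME_MAX - 1);

    return 0;
}
```

The bound check is the part the quoted loop leaves to its caller; with it in place, an over-long algorithm name is reported as an error rather than written past the field.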