Integer undefined behaviors in crypto libs
November 16, 2013

Found on Reddit: http://blog.regehr.org/archives/1054/

Some quotations from the article and its comments:

>I proposed making signed left-shift work just like unsigned left-shift. In contrast, in C99, C11, and C++11, it is illegal to shift a 1 bit into, out of, or through the sign bit. Many developers are unaware of this restriction. This seemed to me like a pretty safe proposal since it isn’t clear that any existing compiler implements anything other than two’s complement semantics for signed left shifts in the first place.<

>Reasoning about function preconditions is hard even for experienced developers. In my opinion, some of these libraries could have used a lot more assertions to go along with their (generally perfectly adequate) test suites.<

D contract programming helps.

From the comments:

>My personal preference would be for the standards committee to mandate 2s-complement arithmetic, which would knock out a lot of these random “language doesn’t behave the way most programmers think it does” UB bugs.<

Bye,
bearophile
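An added example (not from the post or the linked article) that makes the quoted shift rule concrete in C: a precondition check that says whether a 32-bit signed left shift is defined under C11 6.5.7, next to the two's-complement shift computed through unsigned arithmetic that the quoted proposal describes. The function names are my own.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* True when `x << n` is defined by C11 6.5.7 for a 32-bit signed int:
 * the count is below the width, x is nonnegative, and x * 2^n is
 * representable, i.e. no 1 bit is shifted into or past the sign bit. */
static bool shl_is_defined(int32_t x, unsigned n)
{
    if (n >= 32)                 /* count >= width: undefined for any x */
        return false;
    if (x < 0)                   /* negative left operand: undefined */
        return false;
    /* x * 2^n <= INT32_MAX, rewritten as x <= INT32_MAX >> n so the
       check itself never overflows. */
    return x <= (INT32_MAX >> n);
}

/* Two's-complement left shift, the semantics the quoted proposal wants.
 * Done in uint32_t, where wrap-around is defined by the standard. */
static int32_t shl_twos_complement(int32_t x, unsigned n)
{
    assert(n < 32);                    /* the precondition, stated as an assertion */
    uint32_t u = (uint32_t)x << n;     /* defined for every x */
    /* Converting an out-of-range unsigned value back to int32_t is
       implementation-defined (not UB); every mainstream compiler wraps. */
    return (int32_t)u;
}

int main(void)
{
    /* 1 << 31 shifts a 1 bit into the sign bit: UB as a signed shift,
       INT32_MIN under two's-complement semantics. */
    printf("1 << 31 defined as signed shift? %s\n",
           shl_is_defined(1, 31) ? "yes" : "no");
    printf("two's-complement 1 << 31 = %d\n", shl_twos_complement(1, 31));
    printf("two's-complement -1 << 1 = %d\n", shl_twos_complement(-1, 1));
    return 0;
}
```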