www.digitalmars.com         C & C++   DMDScript  

digitalmars.D - Integer undefined behaviors in crypto libs

Found on Reddit:

Some quotations from the article and its comments:

I proposed making signed left-shift work just like unsigned 
left-shift. In contrast, in C99, C11, and C++11, it is illegal 
to shift a 1 bit into, out of, or through the sign bit. Many 
developers are unaware of this restriction. This seemed to me 
like a pretty safe proposal since it isn’t clear that any 
existing compiler implements anything other than two’s 
complement semantics for signed left shifts in the first place<
Reasoning about function preconditions is hard even for 
experienced developers. In my opinion, some of these libraries 
could have used a lot more assertions to go along with their 
(generally perfectly adequate) test suites.<
D contract programming helps. From the comments:
My personal preference would be for the standards committee to 
mandate 2s-complement arithmetic, which would knock out a lot of 
these random “language doesn’t behave the way most programmers 
think it does” UB bugs.<
Bye, bearophile
Nov 16 2013