Well, we did talk about two reasons to change it earlier in the thread; did you read that part?
This Tweet was deleted by the Tweet author. Learn more
Conversation
This Tweet was deleted by the Tweet author. Learn more
From my perspective, regardless of how people want to handle unintended overflow, explicit intended overflow for new languages and new code in older languages can reach consensus. For signed in C it's barely even a discussion since you can't rely on it while being portable.
1
1
If you want portable signed overflow, you *already* have to define functions for it, which can use __builtin_mul_overflow when available (add/sub is trivial anyway) and otherwise implement it by hand. GCC -fwrapv is also notably not complete and not a good idea to rely on too.
2
This is probably not a viable solution to using wrapping types just due to the amount of noise it adds to your code
1
It's noisy, but C doesn't support custom arithmetic types like Rust. Swift has wrapping operators. Wrapping is only commonly used for unsigned integers though. It's rarely ever wanted for signed integers, and is mostly a quirk of hardware rather than something actually used.
1
2
This Tweet was deleted by the Tweet author. Learn more
Integer overflows are a serious security issue. In C, a small portion of vulnerabilities are solely caused due to integer overflow (rather than int overflow -> memory corruption), but only because memory corruption is such a huge issue. It's a major bug class with that resolved.
1
Also a serious robustness / safety issue aside from security. It's rare for overflow (wrapping) to be intended. The vast majority of integer overflows are unintentional bugs. Addressing pervasive bug classes like this and others is a big part of making more robust software.
"It's rare for overflow to be intended" is a bold statement - I suspect it's just false, and you pulled it out of thin air.
2
I hardly pulled that out of thin air. It's clearly proven by the adoption of UBSan by many projects and the issues that had to be fixed as part of it that intended signed overflow is near non-existent. Android has also heavily adopted unsigned overflow checking.
1
1
Show replies