The UB follows from that mistake. It's easy to make though, once the type is hidden behind a typedef, or some API chooses to use negative values for error codes.
-
Right, but I don't believe this is something that is a surprise to most engineers and auditors. Sure, the actual issues resulting from it might be, but checking that the types are appropriate (e.g. size_t/ssize_t for sizes and counts) is an important and well-known step.
-
The argument is not that it is impossible to write correct code. Just that it takes effort and skilled people. It's still hard to get right, and easy to get wrong.
-
The only undefined behaviour that I've seen catch someone out (although it didn't cause any actual issues in practice, with any optimization level) was the left-shift casting to a 32-bit signed integer (e.g. (0x80 << 24) is an int, rather than an unsigned int).
-
Now, my point is that this undefined behaviour that you're talking about generally does not catch out engineers (especially with warnings emitted by modern compilers). I understand what you're trying to say but I don't find your examples compelling.
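The two pitfalls the thread argues over, shown side by side as an added example (this is not code from either participant): the `0x80 << 24` shift into the sign bit of an `int`, with a defined unsigned form and a checked signed form beside it, and a negative error code from a `read(2)`-style API silently becoming `SIZE_MAX` when stored in a `size_t`. `fake_read`, `SRC` and the `read_len_*` helpers are constructed for the illustration and stand in for no real API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t (POSIX) */

/* --- 1. Left shifts on int operands -------------------------------------
 * 0x80 << 24 moves a bit into the sign position of a 32-bit int, which the
 * C standard leaves undefined. Shifting an unsigned 32-bit operand instead
 * is defined for every byte value. */
uint32_t pack_top_byte(uint8_t b) {
    return (uint32_t)b << 24;       /* 0x80 -> 0x80000000, no UB */
}

/* Checked form for code that really must produce a signed 32-bit int:
 * returns false instead of shifting into or past the sign bit. */
bool shl_int32_checked(int32_t v, unsigned shift, int32_t *out) {
    if (shift > 31 || v < 0) return false;          /* bad count or sign */
    if (v > (INT32_MAX >> shift)) return false;     /* result would overflow */
    *out = (int32_t)(v << shift);                   /* now provably in range */
    return true;
}

/* --- 2. Negative error codes meeting size_t -----------------------------
 * Constructed stand-in for a read(2)-style API: fills `out` from a fixed
 * in-memory source and returns the byte count, or -1 once it is exhausted. */
static const char SRC[] = "constructed sample payload";   /* constructed input */
static const size_t SRC_LEN = sizeof SRC - 1;

static ssize_t fake_read(size_t *pos, char *out, size_t want) {
    if (*pos >= SRC_LEN) return -1;
    size_t n = SRC_LEN - *pos;
    if (n > want) n = want;
    memcpy(out, SRC + *pos, n);
    *pos += n;
    return (ssize_t)n;
}

/* Wrong: the ssize_t result lands in a size_t, so -1 converts to SIZE_MAX
 * (well-defined, but not what the author meant). The "got something" test
 * then passes and the error code is handed on as a length, i.e. the value
 * a caller would feed to memcpy or use as an index. */
size_t read_len_wrong(size_t *pos, char *out, size_t want) {
    size_t n = fake_read(pos, out, want);    /* implicit sign conversion */
    if (n > 0) return n;                     /* SIZE_MAX passes this check */
    return 0;
}

/* Right: keep the signed type until the error has been checked. */
size_t read_len_right(size_t *pos, char *out, size_t want) {
    ssize_t n = fake_read(pos, out, want);
    if (n < 0) return 0;                     /* report or propagate the error */
    return (size_t)n;
}
```

Building with `-Wall -Wextra -Wconversion -Wsign-compare` makes gcc and clang flag the implicit conversion in `read_len_wrong`, and `-fsanitize=undefined` traps the `int` shift at run time; neither catches the mistake once the value has been laundered through a `size_t` without a warning-enabled build, which is the thread's point about typedefs hiding signedness.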
Besides, having bugs isn't the issue. Resolving, reducing, and remaining well architected is the point.