Integer undefined behaviors in crypto libs
bearophile
bearophileHUGS at lycos.com
Sat Nov 16 05:39:16 PST 2013
Found on Reddit:
http://blog.regehr.org/archives/1054/
Some quotations from the article and its comments:
>I proposed making signed left-shift work just like unsigned
>left-shift. In contrast, in C99, C11, and C++11, it is illegal
>to shift a 1 bit into, out of, or through the sign bit. Many
>developers are unaware of this restriction. This seemed to me
>like a pretty safe proposal since it isn’t clear that any
>existing compiler implements anything other than two’s
>complement semantics for signed left shifts in the first place<
>Reasoning about function preconditions is hard even for
>experienced developers. In my opinion, some of these libraries
>could have used a lot more assertions to go along with their
>(generally perfectly adequate) test suites.<
D contract programming helps.
From the comments:
>My personal preference would be for the standards committee to
>mandate 2s-complement arithmetic, which would knock out a lot of
>these random “language doesn’t behave the way most programmers
>think it does” UB bugs.<
Bye,
bearophile
More information about the Digitalmars-d
mailing list