Date: Tue, 10 Dec 2024 11:28:42 -0600
(I accidentally replied off-list, re-sending on list)
Hi Tiago,
> While indexing very high values is dubiously wrong, indexing negative
> values is unquestionably wrong.
Out of bounds access is just wrong, no matter which side. I don’t think it
makes sense to make a distinction here.
Indexes are often pointed to as an example where unsigned is natural since
negatives don’t make sense but the problem is unsigned doesn’t really
provide any safety. I think this cppcon lightning talk explained it better
than I can:
https://youtu.be/wvtFGa6XJDU?si=iv5F5-SI9xQn-x4X. Additionally Bjarne’s
paper offers a thoughtful argument as to why indexes and sizes should just
be signed:
https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1428r0.pdf
> Plus, if you make indexing signed you would need to perform double side
> bounds checking of indexes, while with unsigned you just need to do a one
> side bounds check since unsigned values can not be smaller than 0.
Fortunately this can actually codegen the same as a traditional unsigned
comparison so I don’t think it should be a concern:
https://godbolt.org/z/P7xTbxWhW
Cheers,
Jeremy
On Tue, Dec 10, 2024 at 00:32 Tiago Freire <tmiguelf_at_[hidden]> wrote:
> I agree with making things uniform, but I completely disagree with making
> "signed" the default interface for indexing.
>
> While indexing very high values is dubiously wrong, indexing negative
> values is unquestionably wrong.
> There's no such thing as negatively indexing into an array, that is always
> wrong (even if it achieves the exact same effect as a too high number),
> there's also no such thing as a container with a negative amount of slots.
> Plus, if you make indexing signed you would need to perform double side
> bounds checking of indexes, while with unsigned you just need to do a one
> side bounds check since unsigned values can not be smaller than 0.
> Signed integers are weird.
> Unsigned integers should be the default, not the exception.
>
>
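The single-comparison bounds check Jeremy refers to, shown as an added example that is not code from this thread, from the Godbolt link, or from any proposal; the function names and the sample vector are constructed for illustration. It writes the two-sided signed check next to the cast-and-compare form, confirms on edge-case indices (including the most negative ptrdiff_t) that both reject exactly the same values, and shows that an unsigned subtraction that wraps is caught by the same `i < n` test, so neither representation makes an out-of-bounds index less wrong, it only changes what the bad value looks like.

```cpp
// Added example: signed index, one-sided bounds check (not code from the thread).
#include <cstddef>
#include <cstdio>
#include <limits>
#include <vector>

// The obvious two-sided check for a signed index.
bool in_bounds_two_sided(std::ptrdiff_t i, std::size_t n) {
    return i >= 0 && static_cast<std::size_t>(i) < n;
}

// Same predicate as a single unsigned comparison. Converting a negative
// ptrdiff_t to size_t is well-defined modular arithmetic, so every negative
// index lands at or above 2^(bits-1), which is never < n for any n a real
// container can have (n <= PTRDIFF_MAX). Compilers fold the two-sided form
// above into this same compare.
bool in_bounds_one_sided(std::ptrdiff_t i, std::size_t n) {
    return static_cast<std::size_t>(i) < n;
}

// The unsigned-index check Tiago describes: one comparison, no sign to test.
bool unsigned_index_in_bounds(std::size_t i, std::size_t n) {
    return i < n;
}

// Unsigned subtraction does not go negative; it wraps to a huge value.
std::size_t unsigned_difference(std::size_t a, std::size_t b) {
    return a - b;
}

// Checked access with a signed index; returns `fallback` when out of range.
int checked_at_or(const std::vector<int>& v, std::ptrdiff_t i, int fallback) {
    if (!in_bounds_one_sided(i, v.size())) return fallback;
    return v[static_cast<std::size_t>(i)];
}

// Constructed sample container for the demonstration.
std::vector<int> sample() { return {10, 20, 30}; }

// Confirm both signed forms agree on the interesting boundary indices for size n.
bool forms_agree(std::size_t n) {
    const std::ptrdiff_t sn = static_cast<std::ptrdiff_t>(n);
    const std::ptrdiff_t probes[] = {
        std::numeric_limits<std::ptrdiff_t>::min(), -1, 0, 1,
        sn - 1, sn, sn + 1, std::numeric_limits<std::ptrdiff_t>::max()};
    for (std::ptrdiff_t i : probes)
        if (in_bounds_two_sided(i, n) != in_bounds_one_sided(i, n)) return false;
    return true;
}

int main() {
    const std::vector<int> v = sample();
    for (std::ptrdiff_t i : {-1, 0, 2, 3})
        std::printf("index %td -> %d\n", i, checked_at_or(v, i, -1));
    // 2 - 3 on unsigned wraps to SIZE_MAX; the plain `< n` check still rejects it.
    std::size_t wrapped = unsigned_difference(2, 3);
    std::printf("wrapped index in bounds: %s\n",
                unsigned_index_in_bounds(wrapped, v.size()) ? "yes" : "no");
    std::printf("signed forms agree: %s\n", forms_agree(v.size()) ? "yes" : "no");
    return 0;
}
```

The equivalence holds because container sizes never exceed PTRDIFF_MAX, which is exactly the assumption the one-sided form relies on; the two-sided form spells out the same condition and, on a modern optimiser, costs nothing extra.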
Received on 2024-12-10 17:28:55