Hi Paul,

Possibly dumb questions, but:
> over time I am 
> becoming more inclined to like the Emacs model, where object counts are 
> typically kept as nonnegative but signed integers. This approach makes C 
> code a bit more reliable, as compiling with -fsanitize=undefined is more 
> likely to catch integer overflow errors in index calculations (a real 
> problem nowadays).

Are you saying that -fsanitize=undefined or -fsanitize=signed-integer-overflow
(or -ftrapv, when using an older GCC) can detect integer overflow for signed
integers, whereas no such option exists and won't exist for unsigned integers
(because there are so many pieces of code that intentionally do a mod-2^32
or mod-2^64 computation on unsigned integers)?

And what about the gnulib 'xsize' module for checked size_t computations?

Bruno
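The signed/unsigned distinction under discussion, as an added illustration that is not code from this thread or from gnulib: an intentional mod-2^64 hash that a sanitizer must not flag, next to a saturating size_t helper written in the spirit of the xsize module (my own sketch, not gnulib's implementation; the names sat_add, sat_mul and buffer_size are invented, and __builtin_*_overflow assumes GCC >= 5 or Clang).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Saturating add: returns SIZE_MAX on overflow, so a whole chain of
   size computations can be checked once at the end (the xsize idea;
   this is an illustrative re-implementation, not gnulib's code). */
static size_t sat_add(size_t a, size_t b)
{
    size_t r;
    return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Saturating multiply with the same SIZE_MAX convention. */
static size_t sat_mul(size_t a, size_t b)
{
    size_t r;
    return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Bytes needed for n elements of elt bytes plus a header; any overflow
   in the chain saturates to SIZE_MAX, which the caller must test for
   before allocating. Unsigned wraparound is defined, so without this
   explicit check -fsanitize=undefined would stay silent. */
static size_t buffer_size(size_t n, size_t elt, size_t header)
{
    return sat_add(sat_mul(n, elt), header);
}

/* FNV-1a style hash: the multiplication is MEANT to wrap mod 2^64.
   Code like this is why a blanket unsigned-overflow trap is not an
   option, unlike signed overflow, which is undefined and thus
   reportable by -fsanitize=signed-integer-overflow. */
static uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 14695981039346656037ULL; /* offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;            /* wraps intentionally */
    }
    return h;
}

int main(void)
{
    size_t ok = buffer_size(10, 8, 16);          /* 96 */
    size_t bad = buffer_size(SIZE_MAX / 2 + 1, 2, 0); /* saturates */
    printf("ok=%zu overflow=%s\n", ok, bad == SIZE_MAX ? "yes" : "no");
    printf("fnv1a64(\"\")=%llx\n", (unsigned long long)fnv1a64((const unsigned char *)"", 0));
    return 0;
}
```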
