On Fri, 1 May 2020 at 11:09, Bruno Haible <br...@clisp.org> wrote:
>
> Paul Eggert wrote:
> > I realize we have dueling conventions here, but would prefer that
> > saturated size_t arithmetic have a longer prefix or suffix than just "x".
>
> I'm open to this. What prefix would you propose instead of 'x'?
Whatever prefix instead, it should be as short as 'x'. As the functions
exported by xsize are to be used in place of the usual arithmetic
operators, their names should be short.

> Generally, 'xsize' has not caught on as I had expected. It is still a
> simple solution to the task of avoiding inadvertent overflow, especially
> in complex expressions, but
> - many people continued to prefer ad-hoc code, especially for simple
>   expressions,

I'd rather use the xsize code than ad-hoc code because it expresses the
programmer's intent much better.

> - the 'xsize' module is written for size_t, therefore overflow checking
>   for 'unsigned int' or 'unsigned long' still has to be done the
>   manual way,

I think that size_t calculations are still the most important ones.

Thanks,

Marc

> - on glibc systems, the problem has been mitigated since malloc()
>   now refuses arguments > SIZE_MAX/2, thus in a loop that grows an
>   array malloc() will typically fail before the size overflows.
>
> Thoughts?
>
> Bruno
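To make the trade-off in the thread concrete, here is an added example (not part of the mailing-list exchange and not gnulib's xsize module) that reimplements the saturating size_t idiom and places it beside the ad-hoc alternative. The names xsum, xtimes and size_overflow_p mirror gnulib's xsize API, but the bodies are written here for illustration; buffer_size_xsize and buffer_size_adhoc are hypothetical helpers, and the inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Saturating addition: a + b, or SIZE_MAX if the true sum does not fit.
   SIZE_MAX is sticky: once any intermediate result saturates, every
   further xsum/xtimes on it also yields SIZE_MAX, so a single test at the
   end of a long expression catches an overflow anywhere inside it. */
static size_t xsum(size_t a, size_t b)
{
    size_t r = a + b;          /* unsigned wraparound is well defined */
    return r >= a ? r : SIZE_MAX;
}

/* Saturating multiplication: a * b, or SIZE_MAX if it does not fit. */
static size_t xtimes(size_t a, size_t b)
{
    if (a == 0 || b == 0)
        return 0;
    return a <= SIZE_MAX / b ? a * b : SIZE_MAX;
}

/* True if a saturated computation overflowed somewhere along the way. */
static int size_overflow_p(size_t n)
{
    return n == SIZE_MAX;
}

/* Size of a buffer holding a header, `count` elements of `elem_size`
   bytes and one terminating byte: header + count * elem_size + 1.
   Returns 0 (never a valid result here) on overflow.  Hypothetical helper. */
static size_t buffer_size_xsize(size_t header, size_t count, size_t elem_size)
{
    size_t n = xsum(xsum(header, xtimes(count, elem_size)), 1);
    return size_overflow_p(n) ? 0 : n;
}

/* The same computation written the ad-hoc way: every operator needs its
   own pre-check, which is what the saturating form lets callers avoid. */
static size_t buffer_size_adhoc(size_t header, size_t count, size_t elem_size)
{
    size_t prod, sum;
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    prod = count * elem_size;
    if (header > SIZE_MAX - prod)
        return 0;
    sum = header + prod;
    if (sum > SIZE_MAX - 1)
        return 0;
    return sum + 1;
}

int main(void)
{
    /* Constructed inputs: a sane request and one whose product wraps. */
    size_t sane = buffer_size_xsize(16, 10, 8);
    size_t huge = buffer_size_xsize(16, SIZE_MAX / 2 + 1, 2);
    printf("16 + 10*8 + 1           -> %zu\n", sane);            /* 97 */
    printf("16 + (MAX/2+1)*2 + 1    -> %zu (0 = overflow)\n", huge);
    /* Unchecked, the product wraps to 0 and the naive total is 17 bytes,
       a size no malloc() limit on huge arguments would ever reject. */
    printf("naive wrapped total     -> %zu\n",
           (size_t)(16 + (SIZE_MAX / 2 + 1) * 2 + 1));
    return 0;
}
```

Two design points follow from the idiom. SIZE_MAX doubles as the error marker, so a genuine result of exactly SIZE_MAX is reported as overflow; that is harmless, since no allocation of SIZE_MAX bytes can succeed anyway. And the glibc mitigation mentioned in the thread helps the grow-a-little-each-iteration loop, where the size crosses SIZE_MAX/2 before it wraps, but not a single multiplication whose wrapped value lands on something small, which is the case the saturating check still has to cover.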