SafeInt Compiles on gcc!

[update 12-1-08] I now have it completely compiling on gcc, with a test harness that exercises every method of the class for every combination of types (all 15 of them). Version 3.0.12p is now moved to release status.  Once I got SafeInt posted on CodePlex, Niels Dekker grabbed a copy and started figuring out what…


Ptrdiff_t is evil

Well, not really, but here’s a code problem that confounded some really smart devs – and it looks so simple! void IncPtr( unsigned int cElements ) {     if( m_pMax – m_pCurrent > cElements )         m_pCurrent += cElements;     else         throw; } OK, so here’s the question – if an error has happened, and m_pCurrent is > m_pMax,…


More on Checking Allocations

Seems my last post met with some objections – somewhat rightfully so, as I mischaracterized one of Tom’s points – he never advocated just not checking for allocations, but instead to use an allocator that has a non-returning error handler – though it seems some of his commentors were advocating that (I think they should…


Checking Allocations & Potential for Int Mayhem

Must be synchronicity. I started out the day with a really interesting mail from Chris Wysopal talking about how allocations can go wrong, fun with signed int math, and the new[] operator. Once I got done responding to Chris, I then notice Robert Hensing’s blog pointing me to Thomas Ptacek’s comments about Mark Dowd’s new…


More Checking for Pointer Math

Someone pointed out that it isn’t sufficient to check for whether the pointer math wrapped, but that we also need to check that the resulting pointer is in our buffer. They then came to the possibly erroneous conclusion that really all you had to do was to check whether the resulting index was in range….


Evil Compiler Tricks, and Checking for Pointer Math

My favorite programming geek hobby being integer overflows, this caught my eye – “gcc silently discards some wraparound checks” Basically, what it says is that code which looks like this: ============ snip ==============         char *buf;        int len;gcc will assume that buf+len >= buf.As a result, code that…


MulDiv Mayhem

Here’s another episode in my ongoing quest to stamp out integer overflows. MulDiv is a Windows API that was around before we had 64-bit integers as native types. MulDiv is defined like so: int MulDiv(int a, int b, int c) Ironically, the problem it’s trying to get around is integer overflows. If you’ve done any…


Unsafe String Handling with strncpy

I recently ran into a piece of code that looked like this:     int len = cchIn;     strncpy(dest, src, len – 1); This is bad, because strncpy is defined as so: char *strncpy( char *strDest, const char *strSource, size_t count ); The original complaint was that we were passing a signed int into a function that…


Templatized Min/Max Solved!

I had some time to think about the overall problem, and had originally thought of a functional approach, like so: template <typename R, typename T, typename U> R Max(T t, U u); This has all the information we need to check for truncation on return, but it requires that the programmer know what the return…


Templatized Min/Max is a bad idea!

Ah, back to nice geeky C++ programming topics, which is much more fun than angry customer topics… Some well-meaning soul wrote this: template<typename T, typename U> T TMax(T t, U u){ return t > u ? t : u; } Let me count the bugs – first of all, it still runs afoul of the…