From af1005e5e53f4ac9cf9c6f0301663b49173c7a6c Mon Sep 17 00:00:00 2001 From: "Kartik K. Agaram" Date: Sun, 17 May 2015 18:41:10 -0700 Subject: 1396 --- 001help.cc | 56 ++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 16 deletions(-) diff --git a/001help.cc b/001help.cc index 88c78d70..3e2a5944 100644 --- a/001help.cc +++ b/001help.cc @@ -32,32 +32,56 @@ bool is_equal(char* s, const char* lit) { // I'll throw some style conventions here for want of a better place for them. // As a rule I hate style guides. Do what you want, that's my motto. But since // we're dealing with C/C++, the one big thing we want to avoid is undefined -// behavior. So, conventions: - -// 0. Initialize all primitive variables in methods and constructors. - -// 1. Avoid 'new' and 'delete' as far as possible. Rely on STL to perform -// memory management to avoid use-after-free issues (and memory leaks). - -// 2. Avoid arrays to avoid out-of-bounds access. Never use operator[] except -// with map. Use at() with STL vectors and so on. - +// behavior. If a compiler ever encounters undefined behavior it can make +// your program do anything it wants. +// +// For reference, my checklist of undefined behaviors to watch out for: +// out-of-bounds access +// uninitialized variables +// use after free +// dereferencing invalid pointers: null, a new of size 0, others +// +// casting a large number to a type too small to hold it +// +// integer overflow +// division by zero and other undefined expressions +// left-shift by negative count +// shifting values by more than or equal to the number of bits they contain +// bitwise operations on signed numbers +// +// Converting pointers to types of different alignment requirements +// T* -> void* -> T*: defined +// T* -> U* -> T*: defined if non-function pointers and alignment requirements are same +// function pointers may be cast to other function pointers +// +// Casting a numeric value into a value that can't be represented by the target type (either directly or via static_cast) +// +// To guard against these, some conventions: +// +// 0. Initialize all primitive variables in functions and constructors. +// +// 1. Minimize use of pointers and pointer arithmetic. Avoid 'new' and +// 'delete' as far as possible. Rely on STL to perform memory management to +// avoid use-after-free issues (and memory leaks). +// +// 2. Avoid naked arrays to avoid out-of-bounds access. Never use operator[] +// except with map. Use at() with STL vectors and so on. +// // 3. Valgrind all the things. - +// // 4. Avoid unsigned numbers. Not strictly an undefined-behavior issue, but // the extra range doesn't matter, and it's one less confusing category of // interaction gotchas to worry about. // -// We're screwed on overflow (undefined behavior). Use a decent compiler. But -// we're more likely to try to subtract unsigned 2 from 1 than we are to -// create integers that don't fit in 64 bits. -// // Corollary: don't use the size() method on containers, since it returns an // unsigned and that'll cause warnings about mixing signed and unsigned, // yadda-yadda. Instead use this macro below to perform an unsafe cast to // signed. We'll just give up immediately if a container's every too large. :(before "End Includes") -#define SIZE(X) (assert(X.size() < 1LL<<62), static_cast(X.size())) +#define SIZE(X) (assert(X.size() < (1LL<<62)), static_cast(X.size())) +// +// 5. Integer overflow is still impossible to guard against. Maybe after +// reading http://www.cs.utah.edu/~regehr/papers/overflow12.pdf :(before "End Includes") #include -- cgit 1.4.1-2-gfad0