C++Talk.NET Forum Index -> C++ language (comp.lang.c++)

time to get rid of unsigned?
Page 1 of 7
John Harrison
Posted: Tue Feb 17, 2004 9:10 pm    Subject: time to get rid of unsigned?

I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

john


Ron Natalie
Posted: Tue Feb 17, 2004 9:20 pm    Subject: Re: time to get rid of unsigned?

"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote

Quote:
I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

Actually it looks like just the opposite problem. If the calculation was
all unsigned, it wouldn't be a problem.

Claudio Puviani
Posted: Tue Feb 17, 2004 9:25 pm    Subject: Re: time to get rid of unsigned?

"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote
Quote:
I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

You don't deprecate features because some people are too incompetent to use them
correctly. If you did, you'd also remove pointers, references, side-effects and
aliasing, etc. and end up with a completely different language that would
probably look a lot like ML. C++ is a power tool and needs to be used with the
appropriate caution and training. Any programming error is the fault of the
programmer, not the language.

Claudio Puviani



John Harrison
Posted: Tue Feb 17, 2004 9:58 pm    Subject: Re: time to get rid of unsigned?

"Ron Natalie" <ron (AT) sensor (DOT) com> wrote

Quote:
"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote

I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

Actually it looks like just the opposite problem. If the calculation was
all unsigned, it wouldn't be a problem.

If it was all int it wouldn't be an issue either, the problem is the mix of
the two and the overflows that can result. Since I don't guess anyone is
proposing to remove signed integers, I'm proposing that we should drop
unsigned. Except maybe for character types.

john



John Harrison
Posted: Tue Feb 17, 2004 10:04 pm    Subject: Re: time to get rid of unsigned?

"Claudio Puviani" <puviani (AT) hotmail (DOT) com> wrote

Quote:
"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote

I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

You don't deprecate features because some people are too incompetent to use
them correctly. If you did, you'd also remove pointers, references,
side-effects and aliasing, etc. and end up with a completely different
language that would probably look a lot like ML. C++ is a power tool and
needs to be used with the appropriate caution and training. Any programming
error is the fault of the programmer, not the language.

Claudio Puviani


It's fair comment of course, but my point is that unsigned integers seem to
add so little to the language (unlike the other features you mention). I
would do without them completely myself, but when I try to interface with
the standard library or third party libraries and I start to get warnings
about signed/unsigned conflicts etc. so I weaken in my resolve and start to
use them a little.

john



Jeff Schwab
Posted: Tue Feb 17, 2004 10:14 pm    Subject: Re: time to get rid of unsigned?

John Harrison wrote:
Quote:
"Claudio Puviani" <puviani (AT) hotmail (DOT) com> wrote in message
news:REvYb.87101$cE3.31206245 (AT) news4 (DOT) srv.hcvlny.cv.net...

"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote

I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

You don't deprecate features because some people are too incompetent to use
them correctly. If you did, you'd also remove pointers, references,
side-effects and aliasing, etc. and end up with a completely different
language that would probably look a lot like ML. C++ is a power tool and
needs to be used with the appropriate caution and training. Any programming
error is the fault of the programmer, not the language.

Claudio Puviani

It's fair comment of course, but my point is that unsigned integers seem to
add so little to the language (unlike the other features you mention). I
would do without them completely myself, but when I try to interface with
the standard library or third party libraries and I start to get warnings
about signed/unsigned conflicts etc. so I weaken in my resolve and start to
use them a little.

Why would you do without them? There is nothing wrong with using
unsigned integers. Programmers don't use them to get "one measly extra
bit." It's not an extra bit; an unsigned integer typically has the same
number of bits as its signed counterpart. The difference is just how
the bits are interpreted. To use a signed type in a context where
negative numbers are not meaningful is an odd design decision, to say
the least. To blame unsigned integers for overflow-related security
holes is just silly.


Pete Becker
Posted: Tue Feb 17, 2004 10:26 pm    Subject: Re: time to get rid of unsigned?

John Harrison wrote:
Quote:

It's fair comment of course, but my point is that unsigned integers seem to
add so little to the language (unlike the other features you mention). I
would do without them completely myself, but when I try to interface with
the standard library or third party libraries and I start to get warnings
about signed/unsigned conflicts etc. so I weaken in my resolve and start to
use them a little.


I wrote a multiple-precision math package in Java, using its signed
integral types. Quite an exercise, having to mask the result of every
operation to avoid sign extensions. It would have been much easier with
unsigned types.

--

Pete Becker
Dinkumware, Ltd. (http://www.dinkumware.com)

John Harrison
Posted: Tue Feb 17, 2004 10:31 pm    Subject: Re: time to get rid of unsigned?

"Jeff Schwab" <jeffplus (AT) comcast (DOT) net> wrote

Quote:
John Harrison wrote:
"Claudio Puviani" <puviani (AT) hotmail (DOT) com> wrote in message
news:REvYb.87101$cE3.31206245 (AT) news4 (DOT) srv.hcvlny.cv.net...

"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote

I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

You don't deprecate features because some people are too incompetent to use
them correctly. If you did, you'd also remove pointers, references,
side-effects and aliasing, etc. and end up with a completely different
language that would probably look a lot like ML. C++ is a power tool and
needs to be used with the appropriate caution and training. Any programming
error is the fault of the programmer, not the language.

Claudio Puviani

It's fair comment of course, but my point is that unsigned integers seem to
add so little to the language (unlike the other features you mention). I
would do without them completely myself, but when I try to interface with
the standard library or third party libraries and I start to get warnings
about signed/unsigned conflicts etc. so I weaken in my resolve and start to
use them a little.

Why would you do without them? There is nothing wrong with using
unsigned integers. Programmers don't use them to get "one measly extra
bit."

What I mean is that if we were forced to use signed integers, then the range
of representable positive integers would halve, i.e. we'd lose one bit.

Quote:
It's not an extra bit; an unsigned integer typically has the same
number of bits as its signed counterpart.

I realise that.

Quote:
The difference is just how
the bits are interpreted.

I realise that too.

Quote:
To use a signed type in a context where
negative numbers are not meaningful is an odd design decision, to say
the least.

Many languages get along perfectly well without unsigned integers.
Programmers in these languages are not forced to make odd design decisions
because of the lack of unsigned integers.

Quote:
To blame unsigned integers for overflow-related security
holes is just silly.

That particular overflow could not have happened but for the existence of
unsigned integers. Had the negative number passed to the Read function not
been silently converted to a large positive number the problem wouldn't
exist. It seems quite reasonable to blame the existence of unsigned integers
for that bug. The programmer takes some blame too of course.

john



Jeff Schwab
Posted: Tue Feb 17, 2004 10:36 pm    Subject: Re: time to get rid of unsigned?

<snip> Discussion about whether unsigned int's are inherently unsafe. </>

Quote:
Why would you do without them? There is nothing wrong with using
unsigned integers. Programmers don't use them to get "one measly extra
bit."

What I mean is that if we were forced to use signed integers, then the range
of representable positive integers would halve, i.e. we'd lose one bit.

No, it wouldn't, and no, we wouldn't. N bits can represent exactly 2^N
discrete values. Whether you call them -pow(2,N-1) through pow(2,
N-1)-1, as you do when you use a signed integer, or 0 through
pow(2,N)-1, as you do when you use an unsigned integer, does not affect
the number of values you can represent.

Quote:
It's not an extra bit; an unsigned integer typically has the same
number of bits as its signed counterpart.

I realise that.

The difference is just how the bits are interpreted.

I realise that too.

To use a signed type in a context where
negative numbers are not meaningful is an odd design decision, to say
the least.

Many languages get along perfectly well without unsigned integers.
Programmers in these languages are not forced to make odd design decisions
because of the lack of unsigned integers.

Those languages aren't C++.

Quote:
To blame unsigned integers for overflow-related security
holes is just silly.

That particular overflow could not have happened but for the existence of
unsigned integers. Had the negative number passed to the Read function not
been silently converted to a large positive number the problem wouldn't
exist. It seems quite reasonable

to you

Quote:
to blame the existence of unsigned integers
for that bug. The programmer takes some blame too of course.

Well, it doesn't seem reasonable to me. It seems absurd. Anyway, if a
language problem did contribute to this flaw, it's the set of silent
conversion rules common to C and C++. The fact that a signed int can be
converted quietly to an unsigned int with a different numeric value is a
bit of a wart, IMHO. It's not new, though, and one might (naively)
think programmers would have learned to avoid its pitfalls by now <sigh/>.


Ron Natalie
Posted: Tue Feb 17, 2004 10:40 pm    Subject: Re: time to get rid of unsigned?

"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote

Quote:

That particular overflow could not have happened but for the existence of
unsigned integers. Had the negative number passed to the Read function not
been silently converted to a large positive number the problem wouldn't
exist. It seems quite reasonable to blame the existence of unsigned integers
for that bug. The programmer takes some blame too of course.

That's not how I read the code. What happened is that a large unsigned number
was converted to signed negative, allowing the test to be bypassed. The same thing
would have happened if the code was written with signed values that had a larger range
than the read routine was prepared to accept.

Overflow pure and simple.


Jeff Schwab
Posted: Tue Feb 17, 2004 10:41 pm    Subject: Re: time to get rid of unsigned?

Jeff Schwab wrote:
Quote:
<snip> Discussion about whether unsigned int's are inherently unsafe. </>
Why would you do without them? There is nothing wrong with using
unsigned integers. Programmers don't use them to get "one measly extra
bit."

What I mean is that if we were forced to use signed integers, then the range
of representable positive integers would halve, i.e. we'd lose one bit.

No, it wouldn't, and no, we wouldn't. N bits can represent exactly 2^N
discrete values. Whether you call them -pow(2,N-1) through pow(2,N-1)-1,
as you do when you use a signed integer, or 0 through pow(2,N)-1, as you
do when you use an unsigned integer, does not affect the number of values
you can represent.

Sorry, I need to correct myself before someone else does so less kindly.
:) You are correct that the range of representable, *positive* integers
would be halved. Perhaps you should be even more upset about the
existence of integer types with different numbers of bits; for example,
do you realize that a short int often holds only 1/65536 as many values
as a long int???


Andre Kostur
Posted: Tue Feb 17, 2004 10:49 pm    Subject: Re: time to get rid of unsigned?

"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote in
news:c0u4oo$1bngq1$1 (AT) ID-196037 (DOT) news.uni-berlin.de:

Quote:
To use a signed type in a context where
negative numbers are not meaningful is an odd design decision, to say
the least.

Many languages get along perfectly well without unsigned integers.
Programmers in these languages are not forced to make odd design
decisions because of the lack of unsigned integers.

Arguably they do make odd design decisions. Or more accurately, they are
prohibited from making the "correct" design decision, and make do with
what the language provides. An unsigned variable is self-documenting in
a way. It tells other programmers that negative values are
completely invalid. Like the size of an array. If that size were
represented as a signed integer, then it implicitly states that an array
may have a negative size.

Quote:
To blame unsigned integers for overflow-related security
holes is just silly.

That particular overflow could not have happened but for the existence
of unsigned integers. Had the negative number passed to the Read
function not been silently converted to a large positive number the
problem wouldn't exist. It seems quite reasonable to blame the
existence of unsigned integers for that bug. The programmer takes some
blame too of course.

That particular overflow could not have happened but for the existence of
signed integers. It seems quite reasonable to blame the programmer for
ignoring compiler warnings. Around here (where I work), the mandate is
that you crank the compiler warnings as high as you can bear (when the
compiler starts complaining about its own header files... time to stop
cranking the warnings....), and your compile must have no warnings.

John Harrison
Posted: Tue Feb 17, 2004 11:23 pm    Subject: Re: time to get rid of unsigned?

"Ron Natalie" <ron (AT) sensor (DOT) com> wrote

Quote:
"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote

That particular overflow could not have happened but for the existence of
unsigned integers. Had the negative number passed to the Read function not
been silently converted to a large positive number the problem wouldn't
exist. It seems quite reasonable to blame the existence of unsigned integers
for that bug. The programmer takes some blame too of course.

That's not how I read the code. What happened is that a large unsigned number
was converted to signed negative, allowing the test to be bypassed. The same
thing would have happened if the code was written with signed values that had
a larger range than the read routine was prepared to accept.

Overflow pure and simple.


_bmfh.bfOffBits is an unsigned type. The bug lies in the different treatment
of cbRead here

while (_bmfh.bfOffBits > (unsigned)cbRead)

and here

cbSkip = _bmfh.bfOffBits - cbRead;

Superficially the condition in the while loop prevents cbSkip going
negative. But because of the mix of signed and unsigned types it does no
such thing. If nothing else, removing unsigned types would mean that the
meaning of arithmetical expressions would be closer to people's intuitions.

john
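The two lines John quotes are enough to reproduce the effect in a few lines of C++. What follows is an added example written for this page, not the original source and not code from anyone in the thread: the `FileHeader` struct, the function names, the constructed offsets and the `fileSize` parameter are all assumptions; only the shape of the `bfOffBits > (unsigned)cbRead` guard and the `bfOffBits - cbRead` subtraction comes from the post above. It places the as-written arithmetic next to a form that keeps the offset, the bytes already read and the skip count in one unsigned type and validates the offset before subtracting, and it isolates the conversion rule Jeff and Ron point at (a negative `int` silently becoming a huge `unsigned` in a mixed comparison).

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-in for the bitmap file header named in the thread. Only the
// field under discussion is modelled; the struct and all names are assumptions
// of this added example, not the original code.
struct FileHeader {
    uint32_t bfOffBits;   // offset to the pixel data; unsigned, as in the thread
};

// Models the two lines quoted in the thread. The guard casts the signed byte
// count to unsigned, the subtraction promotes it to unsigned again, and the
// result is narrowed back into a signed skip count. Returns what would be
// handed on as "bytes to skip". int32_t is used for the skip count so the
// narrowing has the same width everywhere; on two's-complement targets an
// out-of-range unsigned value wraps modulo 2^32 and so comes out negative.
int32_t skip_count_as_written(const FileHeader& h, int cbRead) {
    int32_t cbSkip = 0;
    if (h.bfOffBits > (unsigned)cbRead) {   // the original is a while-loop guard; it looks like it keeps cbSkip > 0
        cbSkip = h.bfOffBits - cbRead;       // unsigned arithmetic, then narrowed to signed
    }
    return cbSkip;
}

// Hardened form: every quantity stays in the same unsigned type and the header
// offset is checked against the bytes already consumed and the file length
// before any arithmetic. Returns false (leaving *cbSkip untouched) when the
// header is inconsistent, so the caller rejects the file instead of skipping a
// negative or out-of-bounds number of bytes. fileSize is an assumed input.
bool skip_count_checked(const FileHeader& h, uint32_t cbRead, uint32_t fileSize,
                        uint32_t* cbSkip) {
    if (h.bfOffBits > fileSize) return false;   // pixel data cannot start past end of file
    if (h.bfOffBits < cbRead)   return false;   // pixel data cannot start inside what was already read
    *cbSkip = h.bfOffBits - cbRead;             // cannot wrap: same type and bfOffBits >= cbRead
    return true;
}

// The conversion rule behind the bug, in isolation: in a mixed comparison the
// int is converted to unsigned first, so a negative value becomes huge.
bool mixed_less(int s, unsigned u) {
    return s < u;                               // mixed_less(-1, 1u) is false
}

// Sign-aware comparison that does not depend on C++20's std::cmp_less.
bool safe_less(int s, unsigned u) {
    return s < 0 || static_cast<unsigned>(s) < u;
}

int main() {
    const int headerBytes = 14;                 // constructed: bytes consumed before the check
    const FileHeader sane{54};                  // constructed: a plausible offset
    const FileHeader hostile{0xFFFFFFF0u};      // constructed: offset near UINT32_MAX

    std::printf("as written, sane header:    skip = %d\n",
                skip_count_as_written(sane, headerBytes));      // 40
    std::printf("as written, hostile header: skip = %d\n",
                skip_count_as_written(hostile, headerBytes));   // -30, yet the guard was passed

    uint32_t n = 0;
    bool ok = skip_count_checked(sane, headerBytes, 1000u, &n);
    std::printf("checked, sane header:    ok = %d, skip = %u\n", ok, n);   // ok = 1, skip = 40
    ok = skip_count_checked(hostile, headerBytes, 1000u, &n);
    std::printf("checked, hostile header: ok = %d\n", ok);                 // ok = 0, file rejected

    std::printf("-1 < 1u: mixed = %d, sign-aware = %d\n",
                mixed_less(-1, 1u), safe_less(-1, 1u));                    // 0 then 1
    return 0;
}
```

Built with the usual warning flags, the compiler reports both `s < u` in `mixed_less` and the subtraction in `skip_count_as_written` as signed/unsigned mixes, which is exactly the class of warning Andre describes treating as a build failure; the checked variant compiles clean because nothing in it changes signedness.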



John Harrison
Posted: Tue Feb 17, 2004 11:24 pm    Subject: Re: time to get rid of unsigned?

"Pete Becker" <petebecker (AT) acm (DOT) org> wrote

Quote:
John Harrison wrote:

It's fair comment of course, but my point is that unsigned integers seem to
add so little to the language (unlike the other features you mention). I
would do without them completely myself, but when I try to interface with
the standard library or third party libraries and I start to get warnings
about signed/unsigned conflicts etc. so I weaken in my resolve and start to
use them a little.

I wrote a multiple-precision math package in Java, using its signed
integral types. Quite an exercise, having to mask the result of every
operation to avoid sign extensions. It would have been much easier with
unsigned types.


I'll grant you that, but it's not something that many people have to do.

john



P.J. Plauger
Posted: Tue Feb 17, 2004 11:28 pm    Subject: Re: time to get rid of unsigned?

"John Harrison" <john_andronicus (AT) hotmail (DOT) com> wrote


Quote:
I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here http://www.securitytracker.com/alerts/2004/Feb/1009067.html).
All for one measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

I knew that assignments were the cause of most storage alterations, some
of which can be erroneous and result in a security risk. So has the time
come for C++ to deprecate assignments?

P.J. Plauger
Dinkumware, Ltd.
http://www.dinkumware.com


