time to get rid of unsigned?

[John Harrison]

<snip> Contortion of Ron's post by Outlook Express </>
<!-- JH basically doesn't like unsigned integers. -->

Please get a news-reader that won't butcher other folks' posts.

<snip> Buggy bit of recently leaked Windows source. </>
intuitions.

By "people intuitions," what exactly do you mean? Unsigned arithmetic
predates signed arithmetic by thousands of years. I don't know about
you, but I certainly learned to count long before I heard of negative
numbers.

I said this a few times already but its the MIX that causes the problems.

If we only had signed integer arithmetic things would be simpler. And you
are right, if we only had unsigned integer arithmetic then things would be
simpler still. But while I would be prepared to program in a language that
only had signed integers, I'd find one that only had unsigned rather
difficult.

Anyway, I think you should post your concerns in comp.std.c++.
Floats, unions, and C-style casts have survived this long, but I'm
sure the whole ISO C++ committee would agree that unsigned integers are
just more trouble than they're worth.

Well I'm not being entirely serious, but this issue is a particular bugbear
of mine, and I thought the Windows source was a good example to back it up.
I don't expect to get much agreement. (But one person agreeing with me would
be nice). At least I haven't been accused of being a troll yet.

john

 

[John Harrison]

That's a common argument: I don't have to do it, so it's not important.

I didn't say I don't have to do it, in fact writing a large integer library
is one thing I have done (and yes I did use unsigned integers). I said its
not something *many* people have to do.

john

 

[Pete Becker]

I didn't say I don't have to do it, in fact writing a large integer library
is one thing I have done (and yes I did use unsigned integers). I said its
not something *many* people have to do.

For some unspecified value of *many*. Still nonsense.

 

[John Harrison]

For some unspecified value of *many*. Still nonsense.

Huh? I don't understand. Are you saying that most programmers write large
integer libraries?

What I was trying to say that you raised a perfectly good example of when
unsigned integers are useful. I agree with you, but I still think that
example is not enough to change my mind because it doesn't figure in the
work that most programmers do most of the time. Does that make sense? I
don't think it's nonsense.

john

 

[Pete Becker]

Huh? I don't understand. Are you saying that most programmers write large
integer libraries?

Nope. I'm saying the language shouldn't be designed around what *you*
think is important.

 

[Cy Edmunds]

I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here
http://www.securitytracker.com/alerts/2004/Feb/1009067.html). All for one
measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

john

I would judge that it's too late to take unsigned integer types out of C or
C++, but I understand and appreciate your point more than many of the other
respondents seem to have done. When I use a language which lacks this
feature I never seem to miss it.

 

[lilburne]

I said this a few times already but its the MIX that causes the problems.

The last time I used Modula2 you couldn't mix Integer and
Cardinal. But that was 12 years ago so it might have changed.

Of course in C++ you don't have to use unsigned, and off
hand I can't recall doing so myself in the last 10 years.
Well perhaps once or twice for nefarious bit twiddling. I'm
certain that none of our libraries use unsigned in any of
the APIs.

 

[Bret Pehrson]

unsigned integers are commonly used to declare 'count' or 'index' or 'size'*
type variables that will never contain negative values.

signed integers should be used for ingeger math*.

Shouldn't mix the types w/ the purpose, however it does happen. When writing
self-documenting code, you should use the type that applies.

Deprecating unsigned is essentially saying that the former reason has no
perceived value in the language.

(*other reasons exist, that are not delineated here.)

 

[Jack Klein]

I knew that unsigned integral data types were the cause of scads of mostly
spurious warning messages, but I didn't realise that they were a security
risk too (see here
http://www.securitytracker.com/alerts/2004/Feb/1009067.html). All for one
measly extra bit.

So has the time come for C++ to deprecate unsigned integral types?

john

Perhaps you do not have much use for unsigned integer types, but there
are most certainly others who do.

Most of the buffer exploits around have been based on poor
programming, not on the data types used. This one is no different.

 

[Andre Kostur]

But a similar example would be the size of a block of memory. For
instance memcpy takes an unsigned type for its third parameter
presumably since you cannot copy a negative number of bytes of memory.
But this loses the chance to do some error checking.

This is a good thing:
1) The function signature correctly documents that negative numbers are
not valid
2) The called function does not have to waste time performing a
comparison for invalid data. The invalid data cannot be represented in
the parameters.

Or, you may have a strange memcpy which allows you to designate the _end_
of the block in interest, and a negative size indicates you want to copy
the X number of bytes _before_ the pointer....

For instance I might write some code like this

size_t off = p - q; // p >= q
memcpy(a, p, off);

And then I promptly beat you to a pulp (hypothetically) (OK, I promptly
explain to you...) for not range checking the relative values of p and q.
(See pretty much any of the STL algorithms which take two iterators...
the algorithms don't check to see if they are correctly ordered, that's
the programmer's responsibility. Same sort of idea).

In this code p and q are pointers to some location with the char array
a. I am assuming the off is a positive or zero quantity. But suppose
because of bugged code that is wrong, memcpy cannot refuse to copy the
very large positive number of bytes that will result, because it is
designed to copy any unsigned quantity. But if memcpy took a signed
type as its third parameter, it could then quite reasonably refuse to
copy a meaningless negative number of bytes, thus reducing the chance
of a buffer overflow.

Then you would be wasting the great majority of your calls to memcpy
checking for a condition which _might_ happen only during debugging.
Probably more effective to link against a debug version of the C runtime
which would exception on calls to memcpy of blocks larger that
0x7FFFFFFFUL (assuming 32-bit architecture...). Once you've determined
with sufficient certainty that your program is bug-free (HA! ), you
link against the release-mode memcpy which doesn't waste time checking
for a condition that will never (famous last words....) happen.

It could not have happened but for the mix. Surely you're not
proposing to ban signed integers. Now that really would be ridiculous!

No more ridiculous than banning unsigned integers...

I think if you look at the code the programmer did not ignore compiler
warnings. I'm guessing of course but I think he did add a cast to the
while loop condition because of a compiler warning, but did not to the
subtraction because that particular compiler does not produce a
warning for that.

Actually, that's worse. The compiler dutifully warned the programmer
that there might be a problem here, and the programmer willfully ignored
the warning and forced the compiler to shut up.

Of course a better reaction would have been to change the type of
cbRead to unsigned.


If only everywhere was so enlightened. But what to you do about bogus
warnings? I've known compiler to warn me about this

if (x == 0 && y <10 || y > 10)

telling me that I really should put brackets around y <10 || y > 10.
Arguably I should but it's a style issue not something a compiler
should warn me about.

Personally I'd prefer to stick in a whole bunch of extra parens in there
anyway... (I like the style.. thus: if ((x == 0) && (y != 10)) )

 

[John Harrison]

Nope. I'm saying the language shouldn't be designed around what *you*
think is important.

OK I understand, and I also agree.

john

 

[John Harrison]

I would judge that it's too late to take unsigned integer types out of C or
C++, but I understand and appreciate your point more than many of the other
respondents seem to have done. When I use a language which lacks this
feature I never seem to miss it.

Well I wasn't really being serious, instead just making the point that
unsigned types cause more problems than they solve. I too would very rarely
miss them.

I glad at least one person sees my POV.

john

 

[Claudio Puviani]

I said this a few times already but its the MIX that causes the problems.

So don't mix them!

If you write 'double v = 1/3;' v is set to 0.0 because you're mixing integer and
double arithmetic. OMG! Does this mean we should eliminate integers altogether
and only have floating point???

See how ridiculous that logic is? C++ isn't a language that's designed for the
left half of the bell curve. Unsigned ints have many uses and they should not be
removed just to protect people who can't or won't bother to learn the rules of
the language. There are languages that suit those people.

Claudio Puviani

 

[Ron Natalie]

If we only had signed integer arithmetic things would be simpler.

Just barely. The problem would have occurred with a larger signed value
as well.

 

[Gavin Deane]

By "people intuitions," what exactly do you mean? Unsigned arithmetic
predates signed arithmetic by thousands of years.

Excuse me?

Ancient Babylonian mathematicians (or whoever it was) believed that 2
- 3 == 4294967295 ??? I don't think so. But that's what my C++
implementation believes. By the time anyone writes their first C++
program, they will be absolutely certain that 2 - 3 == -1.

People understand that the result of subtracting two positive numbers
is not necessarily another positive number. The behaviour of unsigned
does *not* match this intuition. Which is why using unsigned to model
positive numbers is not necessarily helpful.

Often, values for which < 0 makes no sense have upper limits too -
when you want to know what time it is, the value of a 'minutes'
variable has to be between 0 and 59. Would you use unsigned for that?
It prevents you storing -1 minutes past the hour, but 61 minutes past
is still possible. If it's that important not to exceed the limits,
you're best off writing a class to guarantee it. In which case you
lose nothing by using a signed type inside the class.

Apart from interfacing with 3rd party APIs (including the standard
library) I only have a need for unsigned types when I'm bit-twiddling.

 

[Thomas Matthews]

If it was all int it wouldn't be an issue either, the problem is the mix of
the two and the overflows that can result. Since I don't guess anyone is
proposing to remove signed integers, I'm proposing that we should drop
unsigned. Except maybe for character types.

john

I propose we keep the unsigned types. Many embbeded applications use
all the bits of an integer type and don't consider them as signed.
A signed integer has one less bit to use, which may make a difference
in some embedded applications.

--
Thomas Matthews

C++ newsgroup welcome message:
http://www.slack.net/~shiva/welcome.txt
C++ Faq: http://www.parashift.com/c++-faq-lite
C Faq: http://www.eskimo.com/~scs/c-faq/top.html
alt.comp.lang.learn.c-c++ faq:
http://www.raos.demon.uk/acllc-c++/faq.html
Other sites:
http://www.josuttis.com -- C++ STL Library book

 

[lilburne]

A signed integer has one less bit to use, which may make a difference
in some embedded applications.

If that means there would be less mobile phones going off around me,
then I vote "kill the unsigned now".

 

[Karl Heinz Buchegger]

Excuse me?

Ancient Babylonian mathematicians (or whoever it was) believed that 2
- 3 == 4294967295 ??? I don't think so.

They didn't believe this. They didn't calculate it!
For them it was simply silly to take away more then there is.
They were practical people: "You have 2 sheep. If you take away
3 sheep, with how many sheep are you left. Stupid! You can't
calculate that, because if you take away 2 sheep, there is
nothing left to take away! Sit down, F"

 

[Thomas Matthews]

If that means there would be less mobile phones going off around me,
then I vote "kill the unsigned now".

Remember that the following are also embedded system:
Pacemakers
{Lung} Ventilators
MRI
CAT
X-RAY
Cruise Control for cars
Airplane guidance systems

We wouldn't want them having problems now, would we?

--
Thomas Matthews

C++ newsgroup welcome message:
http://www.slack.net/~shiva/welcome.txt
C++ Faq: http://www.parashift.com/c++-faq-lite
C Faq: http://www.eskimo.com/~scs/c-faq/top.html
alt.comp.lang.learn.c-c++ faq:
http://www.raos.demon.uk/acllc-c++/faq.html
Other sites:
http://www.josuttis.com -- C++ STL Library book

 

[Thomas Matthews]

Perhaps you do not have much use for unsigned integer types, but there
are most certainly others who do.

Most of the buffer exploits around have been based on poor
programming, not on the data types used. This one is no different.

To add to your response:

Using unsiqned integers to represent quantities (and distances)
allows the compiler to perform type-checking and reduce the
run-time errors. The caveat to this is that there are conversions
between the two that allow one to use a signed integer to denote
a quantity, such as an array or buffer size.

I vote to keep both. I believe that much of the problems are
due to a lack of discipline with the programmer. C and C++
are powerful languages. With out proper discipline, both
of them become unreadable and unmanageable; yet we still
keep them.

--
Thomas Matthews

C++ newsgroup welcome message:
http://www.slack.net/~shiva/welcome.txt
C++ Faq: http://www.parashift.com/c++-faq-lite
C Faq: http://www.eskimo.com/~scs/c-faq/top.html
alt.comp.lang.learn.c-c++ faq:
http://www.raos.demon.uk/acllc-c++/faq.html
Other sites:
http://www.josuttis.com -- C++ STL Library book