On 08.10.2024 at 01:46, Patrice Dumas wrote:
> However, there is a risk to go through 0 if there is an incorrect
> subtraction.
The existence of that risk is not really affected by a switch of
signedness. If the code incorrectly takes a detour through negative
values, but returns back to correct, nonnegative values before the index
is actually used, the result is most likely the same anyway. It'll just
work, even though it's quite wrong.
So the primary things likely to change are the consequences of that risk
ever becoming a reality. A switch of signedness would then make the
difference between a modest-sized buffer underflow and a huge overflow.
An argument could be made that the probable segfault resulting from a
huge overflow is the more helpful failure mode, as it reduces the
possibility that the bug goes unnoticed until it turns into a deeply
buried root cause for something else.
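An added example, not from the thread, that makes the point concrete in C with constructed values: the same detour through a negative intermediate is harmless when the index recovers before it is used, but if the intermediate is used, the signed version yields a small negative offset that a naive `i < len` check lets through, while the unsigned version wraps to a huge value that the same check rejects (and that, unchecked, would very likely segfault rather than silently read a few bytes before the buffer).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed scenario (hypothetical, for illustration): an index is
   computed as base - back, and only later corrected by adding back.
   The intermediate value is where the two signedness choices differ. */

long signed_detour(long base, long back) {
    return base - back;            /* e.g. 2 - 5 == -3: small underflow */
}

size_t unsigned_detour(size_t base, size_t back) {
    return base - back;            /* e.g. 2 - 5 wraps to SIZE_MAX - 2 */
}

/* The common buggy bounds check: with a signed index and signed length,
   a negative index compares less than len and is accepted. */
int naive_check_signed(long idx, long len) {
    return idx < len;
}

/* The correct signed check needs the lower bound as well. */
int full_check_signed(long idx, long len) {
    return idx >= 0 && idx < len;
}

/* With an unsigned index a single comparison covers both bounds,
   because a wrapped value is necessarily huge. */
int check_unsigned(size_t idx, size_t len) {
    return idx < len;
}

int main(void) {
    long   len  = 16;                         /* constructed buffer size */
    long   si   = signed_detour(2, 5);        /* -3 */
    size_t ui   = unsigned_detour(2, 5);      /* SIZE_MAX - 2 */

    /* Detour that recovers before use: both end at index 2, "just works". */
    printf("recovered: signed %ld, unsigned %zu\n", si + 5, ui + 5);

    /* Intermediate used as-is: signed slips past the naive check,
       unsigned is caught (or, unchecked, faults far outside the buffer). */
    printf("signed  -3 passes naive check: %d, passes full check: %d\n",
           naive_check_signed(si, len), full_check_signed(si, len));
    printf("unsigned wrapped passes check: %d\n",
           check_unsigned(ui, (size_t)len));
    return 0;
}
```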