Thread: size_t and negative values

I have a problem with validating the values of a size_t. How do I prevent negative values assigned to a size_t variable..

Here's the code that's causing the problems:

Code:

#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_ARRAY_SIZE 2

void check_allocation(void * ptr, const char * func) {
  if (!ptr) {
    fprintf(stderr, "Allocation failed for %s\n", func);
    //exit(EXIT_FAILURE);
  }
}

unsigned int* create_array(size_t length) {//This fails if length is < 0
  size_t _length = length <= 0 ? DEFAULT_ARRAY_SIZE : length;
  fprintf(stdout, "create_array _length: %ld\n", _length);
  unsigned int* ans = calloc(_length, sizeof(*ans));
  check_allocation(ans, "create_array");
  return ans;
}

unsigned int* create_array_2(signed int length) {//This does not fail if length is < 0
  size_t _length = length <= 0 ? DEFAULT_ARRAY_SIZE : length;
  fprintf(stdout, "create_array_2 _length: %ld\n", _length);  
  unsigned int* ans = calloc(_length, sizeof(*ans));
  check_allocation(ans, "create_array_2");
  return ans;
}

int main(int argc, char ** argv) {
  unsigned int * arr = create_array(-12);
  unsigned int * arr_2 = create_array_2(-12);

  fprintf(stdout, "%p %p\n", (void*)arr, (void*)arr_2);//just to block warnings about unused vars
  return 0;
}

The problem is in create_array function. If I pass a negative value to this function it fails in unpredictable ways(well unpredictable me).
If I use the function create_array_2 then I can check for a negative values and take corrective actions.

Is create_array_2 the correct way to valid the values used for something that will eventually be a size_t value?

The standard specifies that size_t is an "unsigned integer type." If you declare a parameter of type size_t and try to pass a negative value as an argument in a call to the function, the compiler should be emitting a warning about type conversion.

In addition, if you are comparing the parameter for less-than-zero, you should be getting another "wasting the CPU's time" warning message.

Finally, if you "hide" or "shadow" a parameter with a local variable, you should probably get another warning about that.

So recommendation 1 is going to be: "Compile with ALL the warnings turned on."

@Salem... That did it. Its funny that -Wall doesn't include -Wconversion.

Originally Posted by Salem

Like many warnings that are not enabled by default, they can be more annoying than useful in many cases.

Even with a warning, you might want to do this anyway.

Code:

// if length is bigger than this, maybe it's an errant negative
#define NEGATIVE_LENGTH_TRAP 10000000
// if overall size is bigger than this, bail out
#define MAX_ALLOC_SIZE 1000000000

unsigned int* create_array(size_t length) {
  if ( length >= NEGATIVE_LENGTH_TRAP ) return NULL;

  fprintf(stdout, "create_array length: %zd\n", length);
  unsigned int* ans = NULL;

  // trap for arithmetic overflow in computing length * sizeof(*ans) later on in calloc
  if ( MAX_ALLOC_SIZE / sizeof(*ans) < length ) return NULL; 

  ans = calloc(length, sizeof(*ans));
  check_allocation(ans, "create_array");
  return ans;
}

Now that encourages me to ask... Can you define the sizes on the compile line? I know you can interact with defined entities to some extent on the compile line but can you actually modify the values of defined entities from the compile line.

I'd think that would be handy. You could compile the code to certain constraints.