On 6/13/24 05:32, Zack Weinberg wrote:
> there is still a need for
> caution around conversions that change signedness.

Yes, just as there is need for caution around any use of unsigned types.
Unfortunately in my experience Clang's (and even GCC's) warnings about
signedness conversion are more likely to cause harm than good, with this
thread being an example of the harm.
Part of the issue here is that GCC and Clang often do a better job of
warning when constants are signed, not unsigned. For example, suppose a
program mistakenly packages termios flags along with three other bits
into an 'unsigned long', with code like this:

    #include <termios.h>   /* for PENDIN */

    /* Mistakenly packs PENDIN together with a 3-bit tag; PENDIN is shifted
       as an 'int' (or 'unsigned int') before the widening to 'unsigned long'. */
    unsigned long
    tagged_pendin (unsigned tag)
    {
      return (PENDIN << 3) | tag;
    }

Since PENDIN is 0x20000000, Clang and GCC by default warn about the
mistake, as the signed integer overflow has undefined behavior. But if
PENDIN were changed to 0x20000000U the behavior would be well-defined,
there would be no warning even with -Wall -Wextra -Wsign-conversion, and
the code would silently behave as if PENDIN were zero, which is not
intended.
This is another reason why appending "U" to PENDIN's value would have
drawbacks as well as advantages.
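The silent truncation described in the message, as an added example that is not part of the thread. It defines a local PENDIN_U of 0x20000000U (the value stated above; the real <termios.h> value varies by system) and assumes a 32-bit 'unsigned int'; the shift_fits_uint helper, the _Static_assert, and the widened variant are additions showing the check a compiler will not perform for unsigned operands.

```c
/* Added example, not from the original message.  PENDIN_U is a constructed
   constant matching the value discussed; assumes 32-bit 'unsigned int'. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

#define PENDIN_U 0x20000000U   /* the "U"-suffixed variant under discussion */
#define TAG_BITS 3

/* The buggy packing with the unsigned constant: no undefined behavior and
   no warning, but the flag bit falls off the top of 'unsigned int' before
   the result is widened to 'unsigned long', so the result is just 'tag'. */
unsigned long
tagged_pendin_silent (unsigned tag)
{
  return (PENDIN_U << TAG_BITS) | tag;
}

/* Runtime form of the check the compiler skips for unsigned operands:
   does (value << shift) fit in an 'unsigned int' without losing bits? */
bool
shift_fits_uint (unsigned value, int shift)
{
  return shift >= 0
         && shift < (int) (sizeof value * CHAR_BIT)
         && value <= (UINT_MAX >> shift);
}

/* Widen to a fixed 64-bit type before shifting so the flag bit survives
   regardless of the width of 'unsigned long'.  The static assertion turns
   a silently-truncated constant into a build failure. */
_Static_assert ((uint64_t) PENDIN_U <= UINT64_MAX >> TAG_BITS,
                "PENDIN_U << TAG_BITS overflows uint64_t");

uint64_t
tagged_pendin_widened (unsigned tag)
{
  return ((uint64_t) PENDIN_U << TAG_BITS) | tag;
}
```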