For instance:
$ cat main.c
#include
#include
void func(size_t param)
{
printf("done %zu\n", param);
}
int main()
{
int param = -1;
func(param);
return 0;
}
$ gcc -o main -Wall -Wextra main.c
$ gcc -o main -Wall -Wextra -Wconversion main.c
main.c: In function 'main':
main.c:12: warning: passing argument 1 of 'func' with different width due to prototype
As we see even with -Wall -Wextra compilation parameters, there will be no compilation warning. The warning will appear only if we explicitly request -Wconversion option.
Signed param will be passed to func with implict cast to unsigned type. This in certain circumstances may cause serious security flaw. In code above we will get 18446744073709551615 (on X64) as a result instead of -1. (not very insecure but I'm sure that you get the base).
More destructive effect of this rule can be presented by following code:
void func(size_t param)
{
if(param < 5)
printf("param less then 5\n");
else
printf("param grater then 5\n");
}
In we run this code we will see "param greater then 5", which is not what we expect, since we pass -1 as function param. This can happen if we don't make enough attention for the variable types before passing it to function. In this particular case if we want to remain the original param value to be signed, we have to make additional value checking code (assert) before we call the func.
It is worth to mention that with compiler flags -Wall -Wextra we will warn about signed/unsigned compare operation, while it will not warn about implicit type casting for function params. Like in below code, we will get warning for line with "if" while we will not get a warning for line with func(-1, 5).
void func(size_t param, size_t limit)
{
if( param > limit )
printf("greater\n");
}
int main()
{
int param = -1;
unsigned int limit = 5;
if( param > limit )
printf("greater\n");
func(-1, 5);
return 0;
}
Brak komentarzy:
Prześlij komentarz