In the program, the program often uses the size comparison between the integers, but potential dangers are often ignored. For example, a memory copy function:
Void memcpy (void * pto, void * pfrom, size_t size) {assert (pto! = null && pfrom! = null);
While (--size> = 0) {* pto = * pfrom ;}} Is this function correct? If you think it is never possible to jump out of the dead loop. SIZE_T is an unsigned integer type (VC6.0: typedef unsigned int size_t, vc7.1: type_t), so the results obtained by --Size are also the same type, and such a type of value is never less than 0 ! Then let's try to improve it:
Void memcpy (void * pto, void * pfrom, size_t size) {assert (pto! = null && pfrom! = null);
While (size-> 0) {* PTO = * PFROM ;}} Changes the loop condition in this release so that the cycle ends when Size is equal to 0. Is it dangerous? Well, eliminating most, but there is still a unpleasant place. If there is an int type variable len, use it to do size to call Memcpy, but also assume that the value of the LEN is less than 0, then what results will occur? The size has received a negative value, but because it itself is unsigned, it will explain this negative value that is unsigned, it is inevitably a positive value, so that it is imaginable. This is a typical symbolic / unsigned non-match error. Look at the code:
Unsigned long a = 0; long b = 0; long c = 1; if ((a - c) IF ((a - 1)
