mirror of
https://github.com/isocpp/CppCoreGuidelines.git
synced 2024-03-22 13:30:58 +08:00
commit
4359ca5ae5
@ -853,7 +853,7 @@ We could check earlier and improve the code:
|
||||
// ...
|
||||
}
|
||||
|
||||
Now, `m<=n` can be checked at the point of call (early) rather than later.
|
||||
Now, `m <= n` can be checked at the point of call (early) rather than later.
|
||||
If all we had was a typo so that we meant to use `n` as the bound, the code could be further simplified (eliminating the possibility of an error):
|
||||
|
||||
void use3(int m)
|
||||
@ -1874,7 +1874,7 @@ Note: `length()` is, of course, `std::strlen()` in disguise.
|
||||
|
||||
Consider:
|
||||
|
||||
void copy_n(const T* p, T* q, int n); // copy from [p:p+n) to [q:q+n)
|
||||
void copy_n(const T* p, T* q, int n); // copy from [p:p + n) to [q:q + n)
|
||||
|
||||
What if there are fewer than `n` elements in the array pointed to by `q`? Then, we overwrite some probably unrelated memory.
|
||||
What if there are fewer than `n` elements in the array pointed to by `p`? Then, we read some probably unrelated memory.
|
||||
@ -1964,13 +1964,14 @@ Having many arguments opens opportunities for confusion. Passing lots of argumen
|
||||
|
||||
The two most common reasons why functions have too many parameters are:
|
||||
|
||||
1. *Missing an abstraction.* There is an abstraction missing, so that a compound value is being
|
||||
passed as individual elements instead of as a single object that enforces an invariant.
|
||||
This not only expands the parameter list, but it leads to errors because the component values
|
||||
are no longer protected by an enforced invariant.
|
||||
1. *Missing an abstraction.*
|
||||
There is an abstraction missing, so that a compound value is being
|
||||
passed as individual elements instead of as a single object that enforces an invariant.
|
||||
This not only expands the parameter list, but it leads to errors because the component values
|
||||
are no longer protected by an enforced invariant.
|
||||
|
||||
2. *Violating "one function, one responsibility."* The function is trying to do more than one
|
||||
job and should probably be refactored.
|
||||
2. *Violating "one function, one responsibility."*
|
||||
The function is trying to do more than one job and should probably be refactored.
|
||||
|
||||
##### Example
|
||||
|
||||
@ -2040,13 +2041,13 @@ Adjacent arguments of the same type are easily swapped by mistake.
|
||||
|
||||
Consider:
|
||||
|
||||
void copy_n(T* p, T* q, int n); // copy from [p:p+n) to [q:q+n)
|
||||
void copy_n(T* p, T* q, int n); // copy from [p:p + n) to [q:q + n)
|
||||
|
||||
This is a nasty variant of a K&R C-style interface. It is easy to reverse the "to" and "from" arguments.
|
||||
|
||||
Use `const` for the "from" argument:
|
||||
|
||||
void copy_n(const T* p, T* q, int n); // copy from [p:p+n) to [q:q+n)
|
||||
void copy_n(const T* p, T* q, int n); // copy from [p:p + n) to [q:q + n)
|
||||
|
||||
##### Exception
|
||||
|
||||
@ -2389,8 +2390,8 @@ Functions with complex control structures are more likely to be long and more li
|
||||
|
||||
Consider:
|
||||
|
||||
double simpleFunc(double val, int flag1, int flag2)
|
||||
// simpleFunc: takes a value and calculates the expected ASIC output,
|
||||
double simple_func(double val, int flag1, int flag2)
|
||||
// simple_func: takes a value and calculates the expected ASIC output,
|
||||
// given the two mode flags.
|
||||
{
|
||||
double intermediate;
|
||||
@ -2433,8 +2434,8 @@ We can refactor:
|
||||
// ???
|
||||
}
|
||||
|
||||
double simpleFunc(double val, int flag1, int flag2)
|
||||
// simpleFunc: takes a value and calculates the expected ASIC output,
|
||||
double simple_func(double val, int flag1, int flag2)
|
||||
// simple_func: takes a value and calculates the expected ASIC output,
|
||||
// given the two mode flags.
|
||||
{
|
||||
if (flag1 > 0)
|
||||
@ -3191,7 +3192,7 @@ Informal/non-explicit ranges are a source of errors.
|
||||
##### Note
|
||||
|
||||
Ranges are extremely common in C++ code. Typically, they are implicit and their correct use is very hard to ensure.
|
||||
In particular, given a pair of arguments `(p, n)` designating an array \[`p`:`p+n`),
|
||||
In particular, given a pair of arguments `(p, n)` designating an array \[`p`:`p + n`),
|
||||
it is in general impossible to know if there really are `n` elements to access following `*p`.
|
||||
`span<T>` and `span_p<T>` are simple helper classes designating a \[`p`:`q`) range and a range starting with `p` and ending with the first element for which a predicate is true, respectively.
|
||||
|
||||
@ -4186,7 +4187,7 @@ For example, a derived class might be allowed to skip a run-time check because i
|
||||
int mem(int x, int y)
|
||||
{
|
||||
/* ... do something ... */
|
||||
return do_bar(x+y); // OK: derived class can bypass check
|
||||
return do_bar(x + y); // OK: derived class can bypass check
|
||||
}
|
||||
}
|
||||
|
||||
@ -6969,15 +6970,15 @@ This kind of "vector" isn't meant to be used as a base class at all.
|
||||
|
||||
##### Example, bad
|
||||
|
||||
class Shape {
|
||||
public:
|
||||
class Shape {
|
||||
public:
|
||||
// ... interface functions ...
|
||||
protected:
|
||||
protected:
|
||||
// data for use in derived classes:
|
||||
Color fill_color;
|
||||
Color edge_color;
|
||||
Style st;
|
||||
};
|
||||
};
|
||||
|
||||
Now it is up to every derived `Shape` to manipulate the protected data correctly.
|
||||
This has been popular, but also a major source of maintenance problems.
|
||||
@ -7167,7 +7168,7 @@ Without a using declaration, member functions in the derived class hide the enti
|
||||
};
|
||||
class D: public B {
|
||||
public:
|
||||
int f(int i) override { std::cout << "f(int): "; return i+1; }
|
||||
int f(int i) override { std::cout << "f(int): "; return i + 1; }
|
||||
};
|
||||
int main()
|
||||
{
|
||||
@ -7180,7 +7181,7 @@ Without a using declaration, member functions in the derived class hide the enti
|
||||
|
||||
class D: public B {
|
||||
public:
|
||||
int f(int i) override { std::cout << "f(int): "; return i+1; }
|
||||
int f(int i) override { std::cout << "f(int): "; return i + 1; }
|
||||
using B::f; // exposes f(double)
|
||||
};
|
||||
|
||||
@ -10384,17 +10385,17 @@ Readability and safety.
|
||||
|
||||
As an optimization, you may want to reuse a buffer as a scratch pad, but even then prefer to limit the variable's scope as much as possible and be careful not to cause bugs from data left in a recycled buffer as this is a common source of security bugs.
|
||||
|
||||
{
|
||||
void write_to_file() {
|
||||
std::string buffer; // to avoid reallocations on every loop iteration
|
||||
for (auto& o : objects)
|
||||
{
|
||||
// First part of the work.
|
||||
generateFirstString(buffer, o);
|
||||
writeToFile(buffer);
|
||||
generate_first_String(buffer, o);
|
||||
write_to_file(buffer);
|
||||
|
||||
// Second part of the work.
|
||||
generateSecondString(buffer, o);
|
||||
writeToFile(buffer);
|
||||
generate_second_string(buffer, o);
|
||||
write_to_file(buffer);
|
||||
|
||||
// etc...
|
||||
}
|
||||
@ -11060,11 +11061,11 @@ There are exceedingly clever used of this "idiom", but they are far rarer than t
|
||||
|
||||
##### Note
|
||||
|
||||
Unnamed function arguments are fine.
|
||||
Unnamed function arguments are fine.
|
||||
|
||||
##### Enforcement
|
||||
|
||||
Flag statements that are just a temporary
|
||||
Flag statements that are just a temporary
|
||||
|
||||
### <a name="Res-empty"></a>ES.85: Make empty statements visible
|
||||
|
||||
@ -11240,22 +11241,22 @@ Access into an array with known bounds using a constant as a subscript can be va
|
||||
{
|
||||
if (count < 2) return;
|
||||
|
||||
int* q = p + 1; // BAD
|
||||
int* q = p + 1; // BAD
|
||||
|
||||
ptrdiff_t d;
|
||||
int n;
|
||||
d = (p - &n); // OK
|
||||
d = (q - p); // OK
|
||||
d = (p - &n); // OK
|
||||
d = (q - p); // OK
|
||||
|
||||
int n = *p++; // BAD
|
||||
int n = *p++; // BAD
|
||||
|
||||
if (count < 6) return;
|
||||
|
||||
p[4] = 1; // BAD
|
||||
p[4] = 1; // BAD
|
||||
|
||||
p[count - 1] = 2; // BAD
|
||||
p[count - 1] = 2; // BAD
|
||||
|
||||
use(&p[0], 3); // BAD
|
||||
use(&p[0], 3); // BAD
|
||||
}
|
||||
|
||||
##### Example, good
|
||||
@ -11264,17 +11265,17 @@ Access into an array with known bounds using a constant as a subscript can be va
|
||||
{
|
||||
if (a.length() < 2) return;
|
||||
|
||||
int n = a[0]; // OK
|
||||
int n = a[0]; // OK
|
||||
|
||||
span<int> q = a.subspan(1); // OK
|
||||
|
||||
if (a.length() < 6) return;
|
||||
|
||||
a[4] = 1; // OK
|
||||
a[4] = 1; // OK
|
||||
|
||||
a[count - 1] = 2; // OK
|
||||
a[count - 1] = 2; // OK
|
||||
|
||||
use(a.data(), 3); // OK
|
||||
use(a.data(), 3); // OK
|
||||
}
|
||||
|
||||
##### Note
|
||||
@ -12260,7 +12261,7 @@ can be surprising for many programmers.
|
||||
##### Reason
|
||||
|
||||
Because most arithmetic is assumed to be signed;
|
||||
`x-y` yields a negative number when `y>x` except in the rare cases where you really want modulo arithmetic.
|
||||
`x - y` yields a negative number when `y > x` except in the rare cases where you really want modulo arithmetic.
|
||||
|
||||
##### Example
|
||||
|
||||
@ -12270,23 +12271,23 @@ This is even more true for mixed signed and unsigned arithmetic.
|
||||
template<typename T, typename T2>
|
||||
T subtract(T x, T2 y)
|
||||
{
|
||||
return x-y;
|
||||
return x - y;
|
||||
}
|
||||
|
||||
void test()
|
||||
{
|
||||
int s = 5;
|
||||
unsigned int us = 5;
|
||||
cout << subtract(s, 7) << '\n'; // -2
|
||||
cout << subtract(us, 7u) << '\n'; // 4294967294
|
||||
cout << subtract(s, 7u) << '\n'; // -2
|
||||
cout << subtract(us, 7) << '\n'; // 4294967294
|
||||
cout << subtract(s, us+2) << '\n'; // -2
|
||||
cout << subtract(us, s+2) << '\n'; // 4294967294
|
||||
cout << subtract(s, 7) << '\n'; // -2
|
||||
cout << subtract(us, 7u) << '\n'; // 4294967294
|
||||
cout << subtract(s, 7u) << '\n'; // -2
|
||||
cout << subtract(us, 7) << '\n'; // 4294967294
|
||||
cout << subtract(s, us + 2) << '\n'; // -2
|
||||
cout << subtract(us, s + 2) << '\n'; // 4294967294
|
||||
}
|
||||
|
||||
Here we have been very explicit about what's happening,
|
||||
but if you had seen `us-(s+2)` or `s+=2; ... us-s`, would you reliably have suspected that the result would print as `4294967294`?
|
||||
but if you had seen `us - (s + 2)` or `s += 2; ...; us - s`, would you reliably have suspected that the result would print as `4294967294`?
|
||||
|
||||
##### Exception
|
||||
|
||||
@ -12301,10 +12302,10 @@ The build-in array uses signed types for subscripts.
|
||||
This makes surprises (and bugs) inevitable.
|
||||
|
||||
int a[10];
|
||||
for (int i=0; i < 10; ++i) a[i]=i;
|
||||
for (int i = 0; i < 10; ++i) a[i] = i;
|
||||
vector<int> v(10);
|
||||
// compares signed to unsigned; some compilers warn
|
||||
for (int i=0; v.size() < 10; ++i) v[i]=i;
|
||||
for (int i = 0; v.size() < 10; ++i) v[i] = i;
|
||||
|
||||
int a2[-2]; // error: negative size
|
||||
|
||||
@ -12491,13 +12492,13 @@ To enable better error detection.
|
||||
|
||||
vector<int> vec {1, 2, 3, 4, 5};
|
||||
|
||||
for (int i=0; i < vec.size(); i+=2) // mix int and unsigned
|
||||
for (int i = 0; i < vec.size(); i += 2) // mix int and unsigned
|
||||
cout << vec[i] << '\n';
|
||||
for (unsigned i=0; i < vec.size(); i+=2) // risk wraparound
|
||||
for (unsigned i = 0; i < vec.size(); i += 2) // risk wraparound
|
||||
cout << vec[i] << '\n';
|
||||
for (vector<int>::size_type i=0; i < vec.size(); i+=2) // verbose
|
||||
for (vector<int>::size_type i = 0; i < vec.size(); i += 2) // verbose
|
||||
cout << vec[i] << '\n';
|
||||
for (auto i=0; i < vec.size(); i+=2) // mix int and unsigned
|
||||
for (auto i = 0; i < vec.size(); i += 2) // mix int and unsigned
|
||||
cout << vec[i] << '\n';
|
||||
|
||||
##### Note
|
||||
@ -15249,7 +15250,7 @@ Exception specifications make error handling brittle, impose a run-time cost, an
|
||||
// ...
|
||||
}
|
||||
|
||||
if `f()` throws an exception different from `X` and `Y` the unexpected handler is invoked, which by default terminates.
|
||||
If `f()` throws an exception different from `X` and `Y` the unexpected handler is invoked, which by default terminates.
|
||||
That's OK, but say that we have checked that this cannot happen and `f` is changed to throw a new exception `Z`,
|
||||
we now have a crash on our hands unless we change `use()` (and re-test everything).
|
||||
The snag is that `f()` may be in a library we do not control and the new exception is not anything that `use()` can do
|
||||
@ -17939,11 +17940,11 @@ The argument-type error for `bar` cannot be caught until link time because of th
|
||||
|
||||
##### Example
|
||||
|
||||
#include<string>
|
||||
#include<vector>
|
||||
#include<iostream>
|
||||
#include<memory>
|
||||
#include<algorithm>
|
||||
#include <string>
|
||||
#include <vector>
|
||||
#include <iostream>
|
||||
#include <memory>
|
||||
#include <algorithm>
|
||||
|
||||
using namespace std;
|
||||
|
||||
@ -17956,7 +17957,7 @@ could be distracting.
|
||||
|
||||
The use of `using namespace std;` leaves the programmer open to a name clash with a name from the standard library
|
||||
|
||||
#include<cmath>
|
||||
#include <cmath>
|
||||
using namespace std;
|
||||
|
||||
int g(int x)
|
||||
@ -18093,7 +18094,7 @@ but it is not required to do so by transitively including the entire `<string>`
|
||||
resulting in the popular beginner question "why doesn't `getline(cin,s);` work?"
|
||||
or even an occasional "`string`s cannot be compared with `==`).
|
||||
|
||||
The solution is to explicitly `#include<string>`:
|
||||
The solution is to explicitly `#include <string>`:
|
||||
|
||||
#include <iostream>
|
||||
#include <string>
|
||||
@ -18480,11 +18481,11 @@ Don't use C-style strings for operations that require non-trivial memory managem
|
||||
{
|
||||
int l1 = strlen(s1);
|
||||
int l2 = strlen(s2);
|
||||
char* p = (char*)malloc(l1+l2+2);
|
||||
char* p = (char*) malloc(l1 + l2 + 2);
|
||||
strcpy(p, s1, l1);
|
||||
p[l1] = '.';
|
||||
strcpy(p+l1+1, s2, l2);
|
||||
p[l1+l2+1] = 0;
|
||||
strcpy(p + l1 + 1, s2, l2);
|
||||
p[l1 + l2 + 1] = 0;
|
||||
return res;
|
||||
}
|
||||
|
||||
@ -19375,7 +19376,7 @@ Enabling a profile is implementation defined; typically, it is set in the analys
|
||||
|
||||
To suppress enforcement of a profile check, place a `suppress` annotation on a language contract. For example:
|
||||
|
||||
[[suppress(bounds)]] char* raw_find(char* p, int n, char x) // find x in p[0]..p[n-1]
|
||||
[[suppress(bounds)]] char* raw_find(char* p, int n, char x) // find x in p[0]..p[n - 1]
|
||||
{
|
||||
// ...
|
||||
}
|
||||
@ -19630,7 +19631,7 @@ These types allow the user to distinguish between owning and non-owning pointers
|
||||
|
||||
These "views" are never owners.
|
||||
|
||||
References are never owners. Note: References have many opportunities to outlive the objects they refer to (returning a local variable by reference, holding a reference to an element of a vector and doing `push_back`, binding to `std::max(x,y+1)`, etc. The Lifetime safety profile aims to address those things, but even so `owner<T&>` does not make sense and is discouraged.
|
||||
References are never owners. Note: References have many opportunities to outlive the objects they refer to (returning a local variable by reference, holding a reference to an element of a vector and doing `push_back`, binding to `std::max(x, y + 1)`, etc. The Lifetime safety profile aims to address those things, but even so `owner<T&>` does not make sense and is discouraged.
|
||||
|
||||
The names are mostly ISO standard-library style (lower case and underscore):
|
||||
|
||||
@ -19658,7 +19659,7 @@ If something is not supposed to be `nullptr`, say so:
|
||||
* `not_null<T>` // `T` is usually a pointer type (e.g., `not_null<int*>` and `not_null<owner<Foo*>>`) that may not be `nullptr`.
|
||||
`T` can be any type for which `==nullptr` is meaningful.
|
||||
|
||||
* `span<T>` // `[`p`:`p+n`)`, constructor from `{p, q}` and `{p, n}`; `T` is the pointer type
|
||||
* `span<T>` // `[`p`:`p + n`)`, constructor from `{p, q}` and `{p, n}`; `T` is the pointer type
|
||||
* `span_p<T>` // `{p, predicate}` \[`p`:`q`) where `q` is the first element for which `predicate(*p)` is true
|
||||
* `string_span` // `span<char>`
|
||||
* `cstring_span` // `span<const char>`
|
||||
@ -19695,7 +19696,7 @@ Use `not_null<zstring>` for C-style strings that cannot be `nullptr`. ??? Do we
|
||||
These assertions are currently macros (yuck!) and must appear in function definitions (only)
|
||||
pending standard committee decisions on contracts and assertion syntax.
|
||||
See [the contract proposal](http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0380r1.pdf); using the attribute syntax,
|
||||
for example, `Expects(p!=nullptr)` will become `[[expects: p!=nullptr]]`.
|
||||
for example, `Expects(p != nullptr)` will become `[[expects: p != nullptr]]`.
|
||||
|
||||
## <a name="SS-utilities"></a>GSL.util: Utilities
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user