Hi Theo, On 12/31/22 16:13, Alejandro Colomar wrote: > Hi Theo, > > On 12/31/22 15:56, Alejandro Colomar wrote: >>> >>> I do not like your proposal at all.  A function like arc4random_range() >>> is even more likely to be used wrong by passing backwards points >>> and you seem to have a lot of hubris to add a range check to it. > > I didn't understand the entire sentence, since I'm not a native English speaker. >  Sorry for that.  About adding a range check, I'm not against it.  But what to > do in that case?  abort()?  I don't see anything significantly better?  In the > Linux kernel, the used something BUILD_BUG, but I don't know those macros very > much. > > I'm really open to discussion about what would the the best behavior when max < > min. Since there's no obvious thing to do when the bounds are reversed (some may want to abort(); others may prefer to set errno?; others may just want to ignore the possibility... I tried to understand what it does with the obvious implementation: > Alejandro Colomar wrote: >> uint32_t >> arc4random_range(uint32_t min, uint32_t max) >> { >> return arc4random_uniform(max - min + 1) + min; >> } Well, let's substitute with some actual values: arc4random_range(7, 4); This will result in: arc4random_uniform(4 - 7 + 1) + 7; which evaluates to: arc4random_uniform(-2) + 7; and is equivalent to: arc4random_uniform(UINT32_MAX - 1) + 7; Let's first ignore the +7. The arc4random_uniform(UINT32_MAX - 1) call can generate 2^32 - 2 random numbers. By offsetting to 7, the 2 value that are excluded are 6 and 5. So it seems that a reversed call to arc4random_range(min, max) has an interesting property: it generates random numbers outside of the non-inclusive range (min, max), that is the compementary set of numbers that arc4random(max, min) would produce. If properly documented, it's not a bad behavior. So, I'd rather not check bounds, and instead document the behavior when the ranges are reversed. Then, anyone is free to add their own wrapper that adds checks and performs their favourite action on reversed input, which might differ from one programmer to another. Cheers, Alex > > Cheers, > > Alex > >> >> Oh, I just checked hubris in the dictionary and it seems you did mention ego. >> I'll try to rebate you with something useful. >> >> If you run `grep -rn 'arc4random_uniform('` in the OpenBSD tree, there will be >> many cases where you'd really benefit from this.  I'll just pick a few: >> >> >> sys/net/pf_lb.c:224: >>              cut = arc4random_uniform(1 + high - low) + low; >> better as: >>              cut = arc4random_range(low, high); >> >> >> sys/kern/kern_fork.c:648: >>          pid = 2 + arc4random_uniform(PID_MAX - 1); >> better as: >>          pid = arc4random_range(2, PID_MAX); >> >> >> usr.bin/nc/netcat.c:1501: >>                  cp = arc4random_uniform(x + 1); >> better as: >>                  cp = arc4random_range(0, x); >> >> --