<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Issue 4109: Instantiating templates in &sect;[rand] with int8_t/uint8_t is undefined behavior</title>
<meta property="og:title" content="Issue 4109: Instantiating templates in &sect;[rand] with int8_t/uint8_t is undefined behavior">
<meta property="og:description" content="C++ library issue. Status: New">
<meta property="og:url" content="https://cplusplus.github.io/LWG/issue4109.html">
<meta property="og:type" content="website">
<meta property="og:image" content="http://cplusplus.github.io/LWG/images/cpp_logo.png">
<meta property="og:image:alt" content="C++ logo">
<style>
  p {text-align:justify}
  li {text-align:justify}
  pre code.backtick::before { content: "`" }
  pre code.backtick::after { content: "`" }
  blockquote.note
  {
    background-color:#E0E0E0;
    padding-left: 15px;
    padding-right: 15px;
    padding-top: 1px;
    padding-bottom: 1px;
  }
  ins {background-color:#A0FFA0}
  del {background-color:#FFA0A0}
  table.issues-index { border: 1px solid; border-collapse: collapse; }
  table.issues-index th { text-align: center; padding: 4px; border: 1px solid; }
  table.issues-index td { padding: 4px; border: 1px solid; }
  table.issues-index td:nth-child(1) { text-align: right; }
  table.issues-index td:nth-child(2) { text-align: left; }
  table.issues-index td:nth-child(3) { text-align: left; }
  table.issues-index td:nth-child(4) { text-align: left; }
  table.issues-index td:nth-child(5) { text-align: center; }
  table.issues-index td:nth-child(6) { text-align: center; }
  table.issues-index td:nth-child(7) { text-align: left; }
  table.issues-index td:nth-child(5) span.no-pr { color: red; }
  @media (prefers-color-scheme: dark) {
     html {
        color: #ddd;
        background-color: black;
     }
     ins {
        background-color: #225522
     }
     del {
        background-color: #662222
     }
     a {
        color: #6af
     }
     a:visited {
        color: #6af
     }
     blockquote.note
     {
        background-color: rgba(255, 255, 255, .10)
     }
  }
</style>
</head>
<body>
<hr>
<p><em>This page is a snapshot from the LWG issues list, see the <a href="lwg-active.html">Library Active Issues List</a> for more information and the meaning of <a href="lwg-active.html#New">New</a> status.</em></p>
<h3 id="4109"><a href="lwg-active.html#4109">4109</a>. Instantiating templates in &sect;[rand] with <code>int8_t</code>/<code>uint8_t</code> is undefined behavior</h3>
<p><b>Section:</b> 29.5.3.1 <a href="https://wg21.link/rand.req.genl">[rand.req.genl]</a> <b>Status:</b> <a href="lwg-active.html#New">New</a>
 <b>Submitter:</b> Peter Dimov <b>Opened:</b> 2024-05-25 <b>Last modified:</b> 2024-05-26</p>
<p><b>Priority: </b>Not Prioritized
</p>
<p><b>View all other</b> <a href="lwg-index.html#rand.req.genl">issues</a> in [rand.req.genl].</p>
<p><b>View all issues with</b> <a href="lwg-status.html#New">New</a> status.</p>
<p><b>Discussion:</b></p>
<p>
As pointed out in LWG issue <a href="lwg-closed.html#2326" title="uniform_int_distribution&lt;unsigned char&gt; should be permitted (Status: NAD)">2326</a><sup><a href="https://cplusplus.github.io/LWG/issue2326" title="Latest snapshot">(i)</a></sup> (closed as NAD) and 
<a href="https://www.reddit.com/r/cpp/comments/1czwa5h/is_instantiating_stduniform_int_distributionuint8/">on reddit</a>, 
instantiating e.g. <code>uniform_int_distribution&lt;uint8_t&gt;</code> is undefined behavior 
because of the requirement 29.5.3.1 <a href="https://wg21.link/rand.req.genl">[rand.req.genl]</a> bullet (1.5):
</p>
<blockquote style="border-left: 3px solid #ccc;padding-left: 15px;">
<p>
-1- Throughout this subclause 29.5 <a href="https://wg21.link/rand">[rand]</a>, the effect of instantiating a template:
</p>
<ol style="list-style-type:none">
<li><p>[&hellip;]</p></li>
<li><p>(1.4) &mdash; that has a template type parameter named <code>RealType</code> is undefined 
unless the corresponding template argument is cv-unqualified and is one of <code>float</code>, 
<code>double</code>, or <code>long double</code>.</p></li>
<li><p>(1.5) &mdash; that has a template type parameter named <code>IntType</code> is undefined unless 
the corresponding template argument is cv-unqualified and is one of <code>short</code>, <code>int</code>, 
<code>long</code>, <code>long long</code>, <code>unsigned short</code>, <code>unsigned int</code>, <code>unsigned long</code>, 
or <code>unsigned long long</code>.</p></li>
<li><p>(1.6) &mdash; that has a template type parameter named <code>UIntType</code> is undefined unless 
the corresponding template argument is cv-unqualified and is one of <code>unsigned short</code>, 
<code>unsigned int</code>, <code>unsigned long</code>, or <code>unsigned long long</code>.</p></li>
</ol>
</blockquote>
<p>
This is, in my opinion, a defect; such uses should either be rejected
at compile time (made ill-formed), or permitted (as 2326 proposes.)
<p/>
UB here has undesirable safety implications, because it's possible to
write code that produces a random, or a seemingly random, sequence
of <code>uint8_t</code> numbers on platform A, but an arbitrarily non-random
sequence on platform B (e.g. all zeroes.)
<p/>
If that sequence is then used in e.g. a cryptographic algorithm, bad
things will happen on platform B, and the tests on platform A won't
catch the issue.
</p>

<p><i>[2024-05-26; Daniel comments]</i></p>

<p>
I think that all violations of the bullets 29.5.3.1 <a href="https://wg21.link/rand.req.genl">[rand.req.genl]</a> (1.4), (1.5), and (1.6)
are missed opportunities of <i>Mandates</i> (That is: Make the program ill-formed), because
they can all be checked (easily) at compile-time, regardless of whether we agree on
the question to support <code>int8_t</code>/<code>uint8_t</code> (Violations of (1.1), (1.2), and (1.3)
still have to remain undefined because of additional runtime requirements imposed).
<p/>
Given that, I also think that we should consider either normatively extending all of (1.4), (1.5), 
and (1.6) to corresponding <i>extended floating point</i> types and <i>extended (unsigned) integer types</i>, 
or at the minimum making these extended types conditionally-supported with implementation-defined 
semantics (A word of power that is used at several places).
</p>


<p id="res-4109"><b>Proposed resolution:</b></p>
<p>
This wording is relative to <a href="https://wg21.link/N4981" title=" Working Draft, Programming Languages — C++">N4981</a>.
</p>

<blockquote class="note">
<p>
[<i>Drafting Note:</i> Two mutually exclusive options are prepared, depicted below by <b>Option A</b> and 
<b>Option B</b>, respectively.] 
</p>
</blockquote>

<p>
<b>Option A:</b> As suggested in issue LWG <a href="lwg-closed.html#2326" title="uniform_int_distribution&lt;unsigned char&gt; should be permitted (Status: NAD)">2326</a><sup><a href="https://cplusplus.github.io/LWG/issue2326" title="Latest snapshot">(i)</a></sup>
</p>

<ol>

<li><p>Modify 29.5.3.1 <a href="https://wg21.link/rand.req.genl">[rand.req.genl]</a> as indicated:</p>

<blockquote>
<p>
-1- Throughout this subclause 29.5 <a href="https://wg21.link/rand">[rand]</a>, the effect of instantiating a template:
</p>
<ol style="list-style-type:none">
<li><p>[&hellip;]</p></li>
<li><p>(1.4) &mdash; that has a template type parameter named <code>RealType</code> is undefined 
unless the corresponding template argument is cv-unqualified and is one of <code>float</code>, 
<code>double</code>, or <code>long double</code>.</p></li>
<li><p>(1.5) &mdash; that has a template type parameter named <code>IntType</code> is undefined unless 
the corresponding template argument is cv-unqualified and is <ins>a standard integer type 
(6.9.2 <a href="https://wg21.link/basic.fundamental">[basic.fundamental]</a>)</ins><del>one of <code>short</code>, <code>int</code>, 
<code>long</code>, <code>long long</code>, <code>unsigned short</code>, <code>unsigned int</code>, <code>unsigned long</code>, 
or <code>unsigned long long</code></del>.</p></li>
<li><p>(1.6) &mdash; that has a template type parameter named <code>UIntType</code> is undefined unless 
the corresponding template argument is cv-unqualified and is <ins>a standard unsigned integer type 
(6.9.2 <a href="https://wg21.link/basic.fundamental">[basic.fundamental]</a>)</ins><del>one of <code>unsigned short</code>, 
<code>unsigned int</code>, <code>unsigned long</code>, or <code>unsigned long long</code></del>.</p></li>
</ol>
</blockquote>

</li>

</ol>

<p>
<b>Option B:</b> Make ill-formed.
</p>

<ol>

<li><p>Modify 29.5.3.1 <a href="https://wg21.link/rand.req.genl">[rand.req.genl]</a> as indicated:</p>

<blockquote>
<p>
-1- Throughout this subclause 29.5 <a href="https://wg21.link/rand">[rand]</a>, the effect of instantiating a template:
</p>
<ol style="list-style-type:none">
<li><p>[&hellip;]</p></li>
<li><p>(1.4) &mdash; that has a template type parameter named <code>RealType</code> is undefined 
unless the corresponding template argument is cv-unqualified and is one of <code>float</code>, 
<code>double</code>, or <code>long double</code>.</p></li>
<li><p>(1.5) &mdash; that has a template type parameter named <code>IntType</code> <ins>renders the 
program ill-formed</ins><del>is undefined</del> unless the corresponding template argument is 
cv-unqualified and is one of <code>short</code>, <code>int</code>, <code>long</code>, <code>long long</code>, 
<code>unsigned short</code>, <code>unsigned int</code>, <code>unsigned long</code>, or 
<code>unsigned long long</code>.</p></li>
<li><p>(1.6) &mdash; that has a template type parameter named <code>UIntType</code> <ins>renders the 
program ill-formed</ins><del>is undefined</del> unless the corresponding template argument is 
cv-unqualified and is one of <code>unsigned short</code>, <code>unsigned int</code>, <code>unsigned long</code>, 
or <code>unsigned long long</code>.</p></li>
</ol>
</blockquote>

</li>

</ol>
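<p>
Until either option is adopted, user code can enforce the type list of bullet (1.5) itself. The following is an added example, not part of the issue text or of any standard library: the names <code>is_rand_int_type</code>, <code>checked_uniform_int</code>, <code>random_byte</code> and <code>distinct_bytes</code> are hypothetical. It rejects <code>uint8_t</code> at compile time and obtains bytes by drawing from a permitted type over [0, 255].
</p>

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <set>
#include <type_traits>

// Added example: trait mirroring the type list in [rand.req.genl] (1.5).
// is_same is exact, so cv-qualified types and character types are rejected.
template <class T>
struct is_rand_int_type : std::integral_constant<bool,
    std::is_same<T, short>::value || std::is_same<T, int>::value ||
    std::is_same<T, long>::value || std::is_same<T, long long>::value ||
    std::is_same<T, unsigned short>::value ||
    std::is_same<T, unsigned int>::value ||
    std::is_same<T, unsigned long>::value ||
    std::is_same<T, unsigned long long>::value> {};

// Hypothetical alias: naming checked_uniform_int<uint8_t> fails to compile
// instead of instantiating the distribution with undefined effect.
template <class IntType>
struct checked_uniform_int_impl {
    static_assert(is_rand_int_type<IntType>::value,
                  "IntType is not permitted by [rand.req.genl] (1.5)");
    using type = std::uniform_int_distribution<IntType>;
};
template <class IntType>
using checked_uniform_int = typename checked_uniform_int_impl<IntType>::type;

// Well-defined way to get a uint8_t: draw from a permitted type over
// [0, 255], then narrow. The cast cannot lose information.
template <class Engine>
std::uint8_t random_byte(Engine& eng) {
    checked_uniform_int<unsigned int> dist(0u, 255u);
    return static_cast<std::uint8_t>(dist(eng));
}

// Counts distinct byte values over n draws. mt19937 with a fixed seed is
// used only for repeatability; it is not a cryptographic generator.
std::size_t distinct_bytes(unsigned seed, int n) {
    std::mt19937 eng(seed);
    std::set<std::uint8_t> seen;
    for (int i = 0; i < n; ++i) seen.insert(random_byte(eng));
    return seen.size();
}

int main() {
    // checked_uniform_int<std::uint8_t> d;  // would not compile
    return distinct_bytes(42u, 4096) > 1 ? 0 : 1;
}
```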





</body>
</html>
