diff --git a/doc/developer-notes.md b/doc/developer-notes.md index 21fc360bbf..65671c6b6e 100644 --- a/doc/developer-notes.md +++ b/doc/developer-notes.md @@ -407,6 +407,13 @@ class A - *Rationale*: Easier to understand what is happening, thus easier to spot mistakes, even for those that are not language lawyers + - Prefer signed ints and do not mix signed and unsigned integers. If an unsigned int is used, it should have a good + reason. The fact a value will never be negative is not a good reason. The most common reason will be that mod two + arithmetic is needed, such as in cryptographic primitives. If you need to make sure that some value is always + a non-negative one, use an assertion or exception instead. + - *Rationale*: When signed ints are mixed with unsigned ints, the signed int is converted to a unsigned + int. If the signed int is some negative `N`, it'll become `INT_MAX - N` which might cause unexpected consequences. + Strings and formatting ------------------------
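Review bot: the conversion example in the rationale (last two added lines of the hunk) is wrong: converting a negative signed value `N` to unsigned yields `N` reduced modulo 2^n, i.e. `UINT_MAX + 1 + N` (so `-1` becomes `UINT_MAX`), not `INT_MAX - N`. Suggest: `If the signed int is some negative N, it becomes UINT_MAX + 1 + N (e.g. -1 becomes UINT_MAX), which might cause unexpected consequences, such as -1 < 1u evaluating to false.` In the same hunk, "mod two arithmetic" should read "modular (wrap-around, mod 2^n) arithmetic", since unsigned types wrap at 2^n, not at 2; also "a unsigned int" should be "an unsigned int" and "The fact a value" should be "The fact that a value".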