[svantana]

I'm a heavy std::clamp user, but I'm considering replacing it with min+max because of the uncertainty about what will happen when lo > hi. On windows it triggers an assertion, while other platforms just do a min+max in one or the other order. Of course, this should never happen but can be difficult to guarantee when the limits are derived from user inputs.

[lpapez]

> Of course, this should never happen but can be difficult to guarantee when the limits are derived from user inputs.

Sounds to me like you are missing a validation step before calling your logic. When it comes to parsing, trusting user input is a recipe for disaster in the form of buffer overruns and potential exploits.

As they used to say in the Soviet Union: "trust, but verify".

[iknowstuff]

The answer is of course

    clamp(min(a,b), max(a,b))

classic c++

[PaulDavisThe1st]

That was what Reagan said about the Soviet Union, not what was said in the Soviet Union.

Correct me if I'm wrong.

[plucas]

https://en.wikipedia.org/wiki/Trust,_but_verify

> Trust, but verify (Russian: доверяй, но проверяй, tr. doveryay, no proveryay, IPA: [dəvʲɪˈrʲæj no prəvʲɪˈrʲæj]) is a Russian proverb, which is rhyming in Russian. The phrase became internationally known in English after Suzanne Massie, a scholar of Russian history, taught it to Ronald Reagan, then president of the United States, the latter of whom used it on several occasions in the context of nuclear disarmament discussions with the Soviet Union.

Memorably referenced in "Chernobyl": https://youtu.be/9Ebah_QdBnI?t=79

[fl0ki]

Also referenced in the Metro Exodus "Sam's Story" DLC because of the backstory of the two characters speaking, and nuclear weapons once again being part of the scenario.

[dekhn]

When I hear the phrase, I rewrite it to "don't trust, verify."

[PaulDavisThe1st]

Thanks for the clarification/explanation!

[protomolecule]

Russian here. We use that expression from time to time: https://ya.ru/search/?text="доверяй%2C+но+проверяй"

[usefulcat]

According to wikipedia you're right (about Reagan) but it's also a Russion proverb.

[lifthrasiir]

Pretty sure that their behaviors on NaN arguments will also differ.

[wegfawefgawefg]

I hope they fix it. Thats quite a basic functional unit for it to be a footgun all on its own.

[camblomquist]

Don't get your hopes up, the behavior when lo > hi is explicitly undefined.

[dahart]

Will min+max help you? What do you expect the answer to be when lo > hi? What certainty should std::clamp have? Using min+max on a number that’s between lo+hi when lo>hi will always return either lo or hi, and never your input value.

[svantana]

Sure, that was the point - min(max()) forces you to give explicit preference to lo or hi, whereas with clamp it's up to the std library. I trust my users to bend my software to their will, but I don't want different behavior on mac and windows (for example).

[dahart]

Yeah, seems reasonable. I think the outer call wins, so min(max()) will always return lo for empty intervals, right? I didn’t know std::clamp() was undefined for empty intervals. It does seem like a good idea to try to guarantee the interval is valid instead of worrying about clamp… even with a guarantee, the answer might still surprise someone, since technically the problem is mathematically undefined and the guaranteed answer is wrong.