Parsing Integers in C
Key topics
The article discusses the challenges of parsing integers in C and presents a custom implementation, sparking a discussion on the trade-offs between strictness and leniency in parsing, as well as the performance and correctness of different approaches.
Snapshot generated from the HN discussion
Key moments
- Story posted: Nov 13, 2025 at 3:25 PM EST
- First comment: Nov 13, 2025 at 3:55 PM EST (30m after posting)
- Peak activity: 3 comments in 1-2h
- Latest activity: Nov 14, 2025 at 7:55 AM EST
Found this explicit rejection of the Robustness principle[1] fascinating. It comes after decades of cURL operating in the environment that was an ostensible poster child for the benefits of the principle--i.e., HTML over HTTP.
[1] https://en.wikipedia.org/wiki/Robustness_principle
An argument can be made that it was instrumental in bootstrapping the early Internet, but it's not really necessary these days. People should know what they're doing 35+ years on.
It is usually better to just state fully formally up front what is acceptable and reject anything else out of hand. Of course some stuff does need dynamic checks, e.g. ACLs and such, but that's fine... rejecting "iffy" input before we get to that stage doesn't interfere with that.
Well yes, that's because people have been misapplying and misunderstanding it. The original idea was predicated on the concept of "assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect"
But then the Fail Fast, Fail Often stupidity started spreading like wildfire and companies realized that the consequence for data breaches or other security failures was an acceptable cost of doing business (even if not always true) vs the cost of actually paying devs and sec teams to implement things properly and people kinda lost the plot on it. They just focused on the "be liberal in what you accept" part, went "Wow! That makes things easy" and maybe only checked for the most common potential abuses/failure/exploit modes, if they bothered at all and only patched things retroactively as issues and exploits popped up in the wild.
Doing it correctly, like building anything robust and/or secure, is a non-trivial task.
Be attentive to the classes of bugs you (and your team) produce, and act accordingly to correct those.
Better advice is to not do something unexpected -- even if that unexpected result is clearly documented, but someone did not read it.
Also, the wording of the standard suggests that using strtol()/strtoll() to parse the string representation of LONG_MIN/LLONG_MIN is UB, since it kinda has to go through un-negated LONG_MAX+1/LLONG_MAX+1 which can't be represented in the return type?
Words no longer have meaning.
https://mobiarch.wordpress.com/2022/12/12/string-to-number-c...
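
The two themes of the thread, rejecting anything outside a formally stated grammar and the question of parsing LONG_MIN, can be shown in one small parser. This is an added example, not code from the article, from cURL, or from any commenter; `parse_long_strict`, `status_of` and `roundtrips` are hypothetical names. It accumulates in the negative range, so the magnitude LONG_MAX+1 is never formed as a positive value.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical strict parser (added example). Grammar: ['-'] digit+ and
 * nothing else. Returns 0 on success, -1 on malformed input, -2 when the
 * value does not fit in a long. */
int parse_long_strict(const char *s, long *out)
{
    int neg = 0;
    long acc = 0;                    /* kept non-positive throughout */

    if (s == NULL || out == NULL)
        return -1;
    if (*s == '-') {
        neg = 1;
        s++;
    }
    if (*s < '0' || *s > '9')        /* rejects "", "-", "+1", " 1" */
        return -1;
    for (; *s >= '0' && *s <= '9'; s++) {
        int d = *s - '0';
        /* Check before computing: acc * 10 - d must stay >= LONG_MIN. */
        if (acc < (LONG_MIN + d) / 10)
            return -2;
        acc = acc * 10 - d;
    }
    if (*s != '\0')                  /* trailing bytes: "12abc", "0x10", "12 " */
        return -1;
    if (!neg) {
        if (acc < -LONG_MAX)         /* LONG_MAX + 1 only fits when negative */
            return -2;
        acc = -acc;
    }
    *out = acc;
    return 0;
}

/* Demo helpers: status code only, and a format-then-parse round trip. */
int status_of(const char *s) { long v; return parse_long_strict(s, &v); }

int roundtrips(long v)
{
    char buf[32];
    long got;
    snprintf(buf, sizeof buf, "%ld", v);
    return parse_long_strict(buf, &got) == 0 && got == v;
}
```
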