...
Integer values must not be allowed to wrap if they are used in any of the following ways:
- As an array index
- In any pointer arithmetic
- As a length or size of an object
- As the bound of an array (for example, a loop counter)
- As an argument to a memory allocation function
- In security-critical code
...
This compliant solution performs a postcondition test to ensure that the result of the unsigned addition operation to `i` is not less than the operand `ui1`:
...
```c
#include <stdatomic.h>

atomic_uint i;      /* unsigned, so the wrapped value is well defined and the test below is valid */
unsigned int ui1;

/* Initialize ui1, i */

atomic_fetch_add(&i, ui1);
/* Postcondition test: an unsigned sum that wrapped is smaller than either operand.
 * This assumes no other thread modifies i between the add and the load. */
if (atomic_load(&i) < ui1) {
  /* handle error condition */
}
```
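As an added example (not code from the CERT page), the postcondition test packaged as a reusable helper, alongside an atomic variant that validates the sum on a private snapshot with a compare-exchange loop so that a wrapped value is never published; the function names and the sample values in `main` are this example's own:

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Postcondition test for unsigned addition: because unsigned arithmetic
 * wraps modulo UINT_MAX + 1, the sum is smaller than either operand if
 * and only if wraparound occurred. On wraparound *sum is left untouched. */
bool checked_uadd(unsigned int a, unsigned int b, unsigned int *sum) {
    unsigned int r = a + b;
    if (r < a) {            /* the page's test; r < b is equivalent */
        return false;
    }
    *sum = r;
    return true;
}

/* Atomic variant. Checking atomic_load() after atomic_fetch_add() has two
 * weaknesses: the wrapped value is already visible to other threads, and
 * another thread may modify the object between the add and the load.
 * A compare-exchange loop checks the sum on a private snapshot and only
 * stores it when no wraparound would occur. */
bool checked_atomic_uadd(atomic_uint *obj, unsigned int b) {
    unsigned int old = atomic_load(obj);
    do {
        if (UINT_MAX - old < b) {   /* old + b would wrap */
            return false;
        }
        /* On failure, old is refreshed with the current value and we retry. */
    } while (!atomic_compare_exchange_weak(obj, &old, old + b));
    return true;
}

int main(void) {
    unsigned int s = 0;
    printf("1 + 2 ok: %d (s=%u)\n", checked_uadd(1u, 2u, &s), s);
    printf("UINT_MAX + 1 ok: %d\n", checked_uadd(UINT_MAX, 1u, &s));

    atomic_uint counter = UINT_MAX - 1u;   /* constructed sample value */
    printf("atomic +1 ok: %d\n", checked_atomic_uadd(&counter, 1u));
    printf("atomic +1 again ok: %d, counter=%u\n",
           checked_atomic_uadd(&counter, 1u), atomic_load(&counter));
    return 0;
}
```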
Exceptions
...
INT30-EX2. Checks for wraparound can be omitted when it can be determined at compile time that wraparound will not occur. As such, the following operations on unsigned integers require no validation:
- Operations on two compile-time constants
- Operations on a variable and 0 (except division by 0, of course)
- Subtracting any variable from its type's maximum. For instance, any `unsigned int` may safely be subtracted from `UINT_MAX`
- Multiplying any variable by 1
- Division, as long as the divisor is nonzero
- Right-shifting any type maximum by any number smaller than the type size. For instance, `UINT_MAX >> x` is valid as long as `0 <= x < 32` (assuming that the size of `unsigned int` is 32 bits)
- Left-shifting 1 by any number smaller than the type size
...