...
Integer overflow is undefined behavior, so a compiled program can do anything, including going off to play the Game of Life. Furthermore, a compiler may perform optimizations that assume an overflow will never occur, which can easily yield unexpected results. Compilers can optimize away if statements that check whether an overflow occurred. See recommendation MSC15-C. Do not depend on undefined behavior for an example.
Wiki Markup
A program that detects an integer overflow to be imminent may do one of two things: (1) signal some sort of error condition or (2) produce an integer result that is within the range of representable integers on that system. Some situations can be handled by an error condition, where an overflow causes a change in control flow (such as the system complaining about bad input and requesting alternative input from the user). Others are better handled by the latter option because it allows the computation to proceed and generate an integer result, thereby avoiding a denial-of-service attack. However, when continuing to produce an integer result in the face of overflow, the question of what integer result to return to the user must be considered.
...
range of mathematical result | result returned |
|---|---|
| |
| |
| |
Modwrap Semantics
...
In modwrap semantics (also called _modulo_ arithmetic), integer values "wrap round." That is, adding one to {{MAX}} produces {{MIN}}. This is the defined behavior for unsigned integers in the C Standard \ [[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\], Section 6.2.5, "Types," paragraph 9. This is frequently the behavior of signed integers, as well. However, it is more sensible in many applications to use saturation semantics instead of modwrap semantics. For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow rather than suddenly becoming a very small value.
Restricted Range Usage
...
Another tool for avoiding integer overflow is to use only half the range of signed integers. For example, when using an {{int}}, use only the range \ [{{INT_MIN}}/2, {{INT_MAX}}/2\]. This has been a trick of the trade in Fortran for some time, and now that optimizing C compilers are becoming more sophisticated, it can be valuable in C.
Wiki Markup a - b}} where both a and b are in the range {{\[INT_MIN/2, INT_MAX/2\]}}, then the result will be in the range {{(INT_MIN, INT_MAX]}} for a typical two's complement machine.
Wiki Markup a < b}}, there is often an implicit subtraction happening. On a machine without condition codes, the compiler may simply issue a subtract instruction and check whether the result is negative. This is allowed because the compiler is allowed to assume there is no overflow. If all explicitly user-generated values are kept in the range {{\[INT_MIN/2, INT_MAX/2\]}}, then comparisons will always work even if the compiler performs this optimization on such hardware.
Noncompliant Code Example
...
Tool | Version | Checker | Description | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
| ||||||||||||
|
|
|
|
...
ISO/IEC TR 24772 "FLC Numeric Conversion Errors"
Bibliography
...
\[[Lions 1996|AA. Bibliography#Lions 96]\]
...