...
| Operator | Wrap | Operator | Wrap | Operator | Wrap | Operator | Wrap |
|---|---|---|---|---|---|---|---|
| `+` | yes | `-=` | yes | `<<` | yes | `<` | no |
| `-` | yes | `*=` | yes | `>>` | no | `>` | no |
| `*` | yes | `/=` | no | `&` | no | `>=` | no |
| `/` | no | `%=` | no | `\|` | no | `<=` | no |
| `%` | no | `<<=` | yes | `^` | no | `==` | no |
| `++` | yes | `>>=` | no | `~` | no | `!=` | no |
| `--` | yes | `&=` | no | `!` | no | `&&` | no |
| `=` | no | `\|=` | no | `un +` | no | `\|\|` | no |
| `+=` | yes | `^=` | no | `un -` | yes | `?:` | no |
...
```c
unsigned int ui1, ui2, usum;
/* Initialize ui1 and ui2 */
usum = ui1 + ui2;
```
...
```c
#include <limits.h>  /* UINT_MAX */

unsigned int ui1, ui2, usum;
/* Initialize ui1 and ui2 */
if (UINT_MAX - ui1 < ui2) {
  /* handle error condition */
}
else {
  usum = ui1 + ui2;
}
```
...
```c
unsigned int ui1, ui2, usum;
/* Initialize ui1 and ui2 */
usum = ui1 + ui2;
if (usum < ui1) {
  /* handle error condition */
}
```
...
```c
unsigned int ui1, ui2, udiff;
/* Initialize ui1 and ui2 */
udiff = ui1 - ui2;
```
...
```c
unsigned int ui1, ui2, udiff;
/* Initialize ui1 and ui2 */
if (ui1 < ui2) {
  /* handle error condition */
}
else {
  udiff = ui1 - ui2;
}
```
...
```c
unsigned int ui1, ui2, udiff;
/* Initialize ui1 and ui2 */
udiff = ui1 - ui2;
if (udiff > ui1) {
  /* handle error condition */
}
```
...
```c
pen->num_vertices = _cairo_pen_vertices_needed(
  gstate->tolerance, radius, &gstate->ctm
);
pen->vertices = malloc(
  pen->num_vertices * sizeof(cairo_pen_vertex_t)
);
```
...
```c
#include <stdint.h>  /* SIZE_MAX */

pen->num_vertices = _cairo_pen_vertices_needed(
  gstate->tolerance, radius, &gstate->ctm
);
if (pen->num_vertices > SIZE_MAX/sizeof(cairo_pen_vertex_t)) {
  /* handle error condition */
}
pen->vertices = malloc(
  pen->num_vertices * sizeof(cairo_pen_vertex_t)
);
```
Atomic Integers
The C Standard [ISO/IEC 9899:2011] defines arithmetic on atomic integer types as read-modify-write operations, with the same representation as non-atomic integer types. As a result, wrapping of atomic unsigned integers is identical to non-atomic unsigned integers and should also be prevented or detected.
This section only includes an example for the addition of atomic integer types. For other operations, you can use tests similar to the precondition tests for two’s complement integers used for non-atomic integer types.
Noncompliant Code Example
This noncompliant code example using atomic integers can result in unsigned integer overflow wrapping.
```c
#include <stdatomic.h>

atomic_uint i;
unsigned int ui1;
/* Initialize i, ui1 */
atomic_fetch_add(&i, ui1);
```
Compliant Solution
This compliant solution performs a post-condition test to ensure that the result of the unsigned addition operation to `i` is not less than the operand `ui1`.
```c
#include <stdatomic.h>

atomic_uint i;
unsigned int ui1;
/* Initialize ui1, i */
atomic_fetch_add(&i, ui1);
if (atomic_load(&i) < ui1) {
  /* handle error condition */
}
```
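The same precondition tests applied to atomic addition and subtraction, as an added example that is not part of the original page: a compare-exchange loop evaluates the test against the value the update actually replaces, so another thread cannot modify the object between the check and the write. The helper names `atomic_add_checked` and `atomic_sub_checked` and the sample values are assumptions made for this illustration.

```c
/* Added example; atomic_add_checked / atomic_sub_checked are hypothetical names. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Adds ui1 to *obj only if the sum fits in unsigned int. On a failed
 * compare-exchange, old is reloaded and the precondition is tested again. */
bool atomic_add_checked(atomic_uint *obj, unsigned int ui1) {
  unsigned int old = atomic_load(obj);
  do {
    if (UINT_MAX - old < ui1) {
      return false;  /* would wrap: *obj is left unchanged */
    }
  } while (!atomic_compare_exchange_weak(obj, &old, old + ui1));
  return true;
}

/* Subtracts ui1 from *obj only if the difference does not wrap below zero. */
bool atomic_sub_checked(atomic_uint *obj, unsigned int ui1) {
  unsigned int old = atomic_load(obj);
  do {
    if (old < ui1) {
      return false;  /* would wrap: *obj is left unchanged */
    }
  } while (!atomic_compare_exchange_weak(obj, &old, old - ui1));
  return true;
}

/* Constructed sample values: one accepted add, one rejected add,
 * one rejected subtract. Returns the final counter value. */
unsigned int demo(bool *add_ok, bool *add_wrap, bool *sub_wrap) {
  atomic_uint i;
  atomic_init(&i, UINT_MAX - 5u);
  *add_ok = atomic_add_checked(&i, 5u);    /* reaches UINT_MAX exactly */
  *add_wrap = atomic_add_checked(&i, 1u);  /* rejected */
  atomic_store(&i, 3u);
  *sub_wrap = atomic_sub_checked(&i, 4u);  /* rejected */
  return atomic_load(&i);
}

int main(void) {
  bool a, b, c;
  unsigned int v = demo(&a, &b, &c);
  printf("add_ok=%d add_wrap=%d sub_wrap=%d value=%u\n", a, b, c, v);
  return 0;
}
```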
Exceptions
INT30-EX1. Unsigned integers can exhibit modulo behavior (wrapping) only when this behavior is necessary for the proper execution of the program. It is recommended that the variable declaration be clearly commented as supporting modulo behavior and that each operation on that integer also be clearly commented as supporting modulo behavior.
...