Integer operations must result in an integer value within the range of the integer type (that is, the resulting value is the same as the result produced by unlimited-range integers). Frequently the range is more restrictive based on the use of the integer value, for example, as an index. Integer values can be verified by code review or by static analysis.
Integer overflow is undefined behavior, so a compiled program can do anything, including going off to play the Game of Life. Furthermore, a compiler may perform optimizations that assume an overflow will never occur, which could easily yield unexpected results. Compilers can optimize away if statements that check if an overflow occured. See MSC15-A. Do not depend on undefined behavior for an example.
| Wiki Markup |
|---|
Verifiably in range operations are often preferable to treating out of range values as an error condition because the handling of these errors has been repeatedly shown to cause denial-of-service problems in actual applications. The quintessential example of this is the failure of the Ariane 5 launcher, which occurred due to an improperly handled conversion error that resulted in the processor being shut down \[[Lions 96|AA. C References#Lions 96]\]. |
Faced with A program that detects an integer overflow , the underlying computer system to be imminent may do one of two things: (1) signal some sort of error condition, or (2) produce an integer result that is within the range of representable integers on that system. The latter semantics may be preferable in some situations Some situations can be handled by an error condition, where an overflow causes a change in control flow (such as the system complaining about bad input and requesting alternate input from the user). Others are better handled by the latter option, in that it allows the computation to proceed and generate an integer result, thus avoiding a denial-of-service attack. However, it raises when continuing to produce an integer result in the face of overflow, one must consider the question of what integer result to return to the user.
The saturation and modwrap algorithms, and the technique of restricted range usage, defined in the following subsections, produce integer results that are always within a defined range. This range is between the integer values MIN and MAX (inclusive), where MIN and MAX are two representable integers with MIN < MAX.
...
| Wiki Markup |
|---|
Another tool for avoiding integer overflow is to use only half the range of signed integers. For example, when using an {{int}}, use only the range \[{{INT_MIN}}/2, {{INT_MAX}}/2\]. This has been a trick of the trade in Fortran for some time, and now that optimizing C compilers are becoming more sophisticated, it can be valuable in C. |
Consider subtraction. If the user types the expression a - b where both a and b are in the range INT_MIN/2, INT_MAX/2, then the answer will be in the range (INT_MIN, INT_MAX] for a typical two's complement machine.
Now, if the user types a < b there is often an implicit subtraction happening. On a machine without condition codes, the compiler may simply issue a subtract instruction and check whether the result is negative. This is allowed, since the compiler is allowed to assume there is no overflow. If all explicitly user-generated values are kept in the range [INT_MIN/2, INT_MAX/2, then comparisons will always work even if the compiler performs this optimization on such hardware.
Non-Compliant Code Example
...