You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 167 Next »

Java silently wraps, providing no indication of overflow conditions. This can result in incorrect computations and unanticipated outcomes.

According to the Java Language Specification (JLS), §4.2.2, "Integer Operations"

The built-in integer operators do not indicate overflow or underflow in any way. Integer operators can throw a NullPointerException if unboxing conversion of a null reference is required. Other than that, the only integer operators that can throw an exception are the integer divide operator / and the integer remainder operator %, which throw an ArithmeticException if the right-hand operand is zero, and the increment and decrement operators ++ and -- which can throw an OutOfMemoryError if boxing conversion is required and there is not sufficient memory available to perform the conversion.

The integral types in Java are byte, short, int, and long, whose values are 8-bit, 16-bit, 32-bit and 64-bit signed two's-complement integers, respectively, and char, whose values are 16-bit unsigned integers representing UTF-16 code units.

According to the JLS, §4.2.1, "Integral Types and Values," the values of the integral types are integers in the inclusive ranges, shown in the following table:

Type

Inclusive Range

byte

-128 to 127

short

-32,768 to 32,767

int

-2,147,483,648 to 2,147,483,647

long

-9,223,372,036,854,775,808 to 9,223,372,036,854,775,807

char

\u0000 to \uffff (0 to 65,535)

The table below shows the integer overflow behavior of the integral operators.

Operator

Overflow

 

Operator

Overflow

 

Operator

Overflow

 

Operator

Overflow

+

yes

 

-=

yes

 

<<

no

 

<

no

-

yes

 

*=

yes

 

>>

no

 

>

no

*

yes

 

/=

yes

 

&

no

 

>=

no

/

yes

 

%=

no

 

\

no

 

<=

no

%

no

 

<<=

no

 

^

no

 

==

no

++

yes

 

>>=

no

 

~

no

 

!=

no

--

yes

 

&=

no

 

!

no

 

=

no

 

|=

no

 

unary +

no

 

+=

yes

 

^=

no

 

unary -

yes

 

Because the ranges of Java types are not symmetrical (the negation of minimum value is one more than each maximum value), even operations like unary negation can overflow, if applied to a mimimum value. Because the java.lang.math.abs() function returns the absolute value on any number, it can also overflow if given the minimum int or long as an argument.

Failure to account for integer overflow has resulted in failures of real systems, for example, when implementing the compareTo() method. The meaning of the return value of the compareTo() method is defined only in terms of its sign and whether it is zero; the magnitude of the return value is irrelevant. Consequently, an apparent but incorrect optimization would be to subtract the operands and return the result. For operands of opposite signs, this can result in integer overflow, consequently violating the compareTo() contract [[Bloch 2008, Item 12]].

Comparison of Compliant Techniques

The three main techniques for detecting unintended integer overflow are

  • Pre-condition testing. Check the inputs to each arithmetic operator to ensure that overflow cannot occur. Throw an ArithmeticException when the operation would overflow if it were performed; otherwise, perform the operation.
  • Upcasting. Cast the inputs to the next larger primitive integer type and perform the arithmetic in the larger size. Check each intermediate result for overflow of the original smaller type and throw an ArithmeticException if the range check fails. Note that the range check must be performed after each arithmetic operation; larger expressions without per-operation bounds checking can overflow the larger type. Downcast the final result to the original smaller type before assigning to the result variable. This approach cannot be used for type long because long is already the largest primitive integer type.
  • BigInteger. Convert the inputs into objects of type BigInteger and perform all arithmetic using BigInteger methods. Type BigInteger is the standard arbitrary-precision integer type provided by the Java standard libraries. The arithmetic operations implemented as methods of this type cannot overflow; instead, they produce the numerically correct result. As a consequence, compliant code only performs a single range check just before converting the final result to the original smaller type and throwing an ArithmeticException if the final result is outside the range of the original smaller type.

The pre-condition testing technique requires different pre-condition tests for each arithmetic operation. This can be somewhat more difficult to understand than either of the other two approaches.

The upcast technique is the preferred approach for the cases to which it applies. The checks it requires are simpler than those of the previous technique; it is substantially more efficient than using BigInteger.

The BigInteger technique is conceptually the simplest of the three techniques. However, it requires the use of method calls for each operation in place of primitive arithmetic operators; this can obscure the intended meaning of the code. Operations on objects of type BigInteger can also be significantly less efficient than operations on the original primitive integer type.

Pre-Condition Testing

The following code example shows the necessary pre-condition checks required for each arithmetic operation on arguments of type int. The checks for the other integral types are analogous. In this example, we choose to throw an exception when integer overflow would occur; any other error handling is also acceptable.

static final int safeAdd(int left, int right) throws ArithmeticException {
   if (right > 0 ? left > Integer.MAX_VALUE - right : left < Integer.MIN_VALUE - right) {
    throw new ArithmeticException("Integer overflow");
  }
  return left + right;
}

static final int safeSubtract(int left, int right) throws ArithmeticException {
  if (right > 0 ? left < Integer.MIN_VALUE + right : left > Integer.MAX_VALUE + right) {
    throw new ArithmeticException("Integer overflow");
  }
  return left - right;
}

static final int safeMultiply(int left, int right) throws ArithmeticException {
  if (right > 0 ? left > Integer.MAX_VALUE/right || left < Integer.MIN_VALUE/right :
       (right < -1 ? left > Integer.MIN_VALUE/right || left < Integer.MAX_VALUE/right :
         right == -1 && left == Integer.MIN_VALUE) ) {
    throw new ArithmeticException("Integer overflow");
  }
  return left * right;
}

static final int safeDivide(int left, int right) throws ArithmeticException {
  if ((left == Integer.MIN_VALUE) && (right == -1)) {
    throw new ArithmeticException("Integer overflow");
  }
  return left / right;
}

static final int safeNegate(int a) throws ArithmeticException {
  if (a == Integer.MIN_VALUE) {
    throw new ArithmeticException("Integer overflow");
  }
  return -a;
}

static final int safeAbs(int a) throws ArithmeticException {
  if (a == Integer.MIN_VALUE) {
    throw new ArithmeticException("Integer overflow");
  }
  return Math.abs(a);
}

These method calls are likely to be inlined by most JITs.

These checks can be simplified when the original type is char. Because the range of type char includes only positive values, all comparisons with negative values may be omitted.

Noncompliant Code Example

Either operation in this noncompliant code example could produce a result that overflows the range of int. When overflow occurs, the result will be incorrect.

public static int multAccum(int oldAcc, int newVal, int scale) {
  // May result in overflow
  return oldAcc + (newVal * scale);
}

Compliant Solution (Pre-Condition Testing)

This compliant solution uses the safeAdd() and safeMultiply() methods defined in the Pre-condition testing section to perform secure integral operations or throw ArithmeticException on overflow.

public static int multAccum(int oldAcc, int newVal, int scale) throws ArithmeticException {
  return safeAdd(oldAcc, safeMultiply(newVal, scale));
}

Compliant Solution (Upcasting)

This compliant solution shows the implementation of a method for checking whether a long value falls within the representable range of an int using the upcasting technique. The implementations of range checks for the smaller primitive integer types are similar.

public static long intRangeCheck(long value) throws ArithmeticOverflow {
  if ((value < Integer.MIN_VALUE) || (value > Integer.MAX_VALUE)) {
    throw new ArithmeticException("Integer overflow");
  }
  return value;
}

public static int multAccum(int oldAcc, int newVal, int scale) throws ArithmeticException {
  final long res =
    intRangeCheck(((long) oldAcc) + intRangeCheck((long) newVal * (long) scale));
  return (int) res; // safe down-cast
}

Note that this approach cannot be applied for type long because long is the largest primitive integral type. When the original variables are of type long, use the BigInteger technique instead.

Compliant Solution (BigInteger)

This compliant solution uses the BigInteger technique to detect overflow.

private static final BigInteger bigMaxInt = BigInteger.valueOf(Int.MAX_VALUE);
private static final BigInteger bigMinInt = BigInteger.valueOf(Int.MIN_VALUE);

public static BigInteger intRangeCheck(BigInteger val) throws ArithmeticException {
  if (val.compareTo(bigMaxInt) == 1 ||
      val.compareTo(bigMinInt) == -1) {
    throw new ArithmeticException("Integer overflow");
  }
  return val;
}

public static int multAccum(int oldAcc, int newVal, int scale) throws ArithmeticException {
  BigInteger product =
    BigInteger.valueOf(newVal).multiply(BigInteger.valueOf(scale));
  BigInteger res = intRangeCheck(BigInteger.valueOf(oldAcc).add(product));
  return res.intValue(); // safe conversion
}

Noncompliant Code Example AtomicInteger

Operations on objects of type AtomicInteger suffer from the same overflow issues as other integer types. The solutions are generally similar to those shown above; however, concurrency issues add additional complications. First, potential issues with time-of-check-time-of-use must be avoided. (See guideline "VNA02-J. Ensure that compound operations on shared variables are atomic" for more information). Secondly, use of an AtomicInteger creates happens-before relationships between the various threads that access it. Consequently, changes to the number or order of accesses can alter the execution of the overall program. In such cases, you must either choose to accept the altered execution or carefully craft the implementation of your compliant technique to preserve the exact number and order of accesses to the AtomicInteger.

This noncompliant code example uses an AtomicInteger, which is part of the concurrency utilities. The concurrency utilities lack integer overflow checks.

class InventoryManager {
  private final AtomicInteger itemsInInventory = new AtomicInteger(100);

  //...
  public final void nextItem() {
    itemsInInventory++;
  }
}

Consequently, itemsInInventory can wrap around to Integer.MIN_VALUE after the increment operation.

Compliant Solution (AtomicInteger)

This compliant solution uses the get() and compareAndSet() methods provided by AtomicInteger to guarantee successful manipulation of the shared value of itemsInInventory. This solution has the following characteristics:

  • The number and order of accesses to itemsInInventory remains unchanged from the noncompliant code example.
  • All operations on the value of itemsInInventory are performed on a temporary local copy of its value.
  • The overflow check in this example is performed in inline code, rather than encapsulated in a method call. This is an acceptable alternative implementation. The choice of method call versus inline code should be made according to your organization's standards and needs.
class InventoryManager {
  private final AtomicInteger itemsInInventory = new AtomicInteger(100);

  public final void nextItem() {
    while (true) {
      int old = itemsInInventory.get();
      if (old == Integer.MAX_VALUE) {
        throw new ArithmeticException("Integer overflow");
      }
      int next = old + 1; // Increment
      if (itemsInInventory.compareAndSet(old, next)) {
        break;
      }
    } // end while
  } // end nextItem()
}

The arguments to the compareAndSet() method are the expected value of the variable when the method is invoked and the intended new value. The variable's value is updated if, and only if, the current value and the expected value are equal. (See [[API 2006]] class AtomicInteger.) Refer to guideline "VNA02-J. Ensure that compound operations on shared variables are atomic" for more details.

Exceptions

NUM00-EX1: Depending on circumstances, integer overflow could be benign. For instance, the Object.hashcode() method could return all representable values of type int. Furthermore, many algorithms for computing hashcodes intentionally allow overflow to occur.

NUM00-EX2: The added complexity and cost of programmer-written overflow checks could exceed their value for all but the most critical code. In such cases, consider the alternative of treating integral values as though they are tainted data, using appropriate range checks as the sanitizing code. These range checks should ensure that incoming values cannot cause integer overflow. Note that sound determination of allowable ranges could require deep understanding of the details of the code protected by the range checks; correct determination of the allowable ranges could be extremely difficult.

Risk Assessment

Failure to perform appropriate range checking can lead to integer overflows, which can cause unexpected program control flow or unanticipated program behavior.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

NUM00-J

medium

unlikely

medium

P4

L3

Automated Detection

Automated detection of integer operations that can potentially overflow is straightforward. Automatic determination of which potential overflows are true errors and which are intended by the programmer is infeasible. Heuristic warnings could be helpful.

Related Guidelines

C Secure Coding Standard: "INT32-C. Ensure that operations on signed integers do not result in overflow"

C++ Secure Coding Standard: "INT32-CPP. Ensure that operations on signed integers do not result in overflow"

MITRE CWE: CWE-682 "Incorrect Calculation," CWE-190 "Integer Overflow or Wraparound," and CWE-191 "Integer Underflow (Wrap or Wraparound)"

Bibliography

[[API 2006]] class AtomicInteger
[[Bloch 2005]] Puzzle 27: Shifty i's
[[SCG 2007]] Introduction
[[JLS 2005]] §4.2.2 "Integer Operations," §15.22 "Bitwise and Logical Operators"
[[Seacord 2005]] Chapter 5. Integers
[[Tutorials 2008]] Primitive Data Types


03. Numeric Types and Operations (NUM)      03. Numeric Types and Operations (NUM)      NUM01-J. Do not assume that the remainder operator always returns a non-negative result for integral operands

  • No labels