I was reading the C Standard the other day, and noticed that unlike signed integer overflow (which is undefined), unsigned integer overflow is well defined. I've seen it used in a lot of code for maximums, etc. but given the voodoos about overflow, is this considered good programming practice? Is it in anyway insecure? I know that a lot of modern languages like Python do not support it- instead they continue to extend the size of large numbers.
+2
A:
One way where I could think of unsigned integer overflow causing a problem is when subtracting from a small unsigned value, resulting in it wrapping to a large positive value.
Practical advice for integer overflows:
http://www.gnu.org/software/hello/manual/autoconf/Integer-Overflow-Basics.html#Integer-Overflow-Basics
Suvesh Pratapa
2009-06-12 19:31:20
I'm asking about unsigned overflow
2009-06-12 19:33:31
This is unsigned. Using unsigned arithmetic, subtract 200 from 100. You'll get a large value (how large depends on the range of values). Unsigned arithmetic in C is defined as modular, or you could say wrap-around.
David Thornley
2009-06-12 19:56:11
+1
A:
I wouldn't rely on it just for readability reasons. You're going to be debugging your code for hours before you figure out where you're resetting that variable to 0.
Kai
2009-06-12 19:31:48
Not really, as long as the behavior is documented and commented upon. Besides, there are legitimate reasons for (un)signed integer overflow, for example in fixed-width timestamps, where precision is more important and overflow can be reasonably detected.
Eduard - Gabriel Munteanu
2009-06-12 19:46:56
+7
A:
Unsigned integer overflow (in the shape of wrap-around) is routinely taken advantage of in hashing functions, and has been since the year dot.
anon
2009-06-12 19:33:25
As the origins of computing are in cryptography, I suspect it is sometime in the 1940s.
anon
2009-06-12 19:51:55
Though I don't actually get why insist on *signed* integer overflow. Using an unsigned integer is just as good and can be worked around to detect overflow.
Eduard - Gabriel Munteanu
2009-06-12 19:54:04
@Martin: On UNIX. But MS has been doing it in Excel since 1900 on Windows, and 1904 on Mac.
Steve Jessop
2009-06-12 19:54:52
@eduard We are talking about UNSIGNED OVERFLOW. No one is insisting on using signed overflow - quite the reverse!
anon
2009-06-12 19:58:13
@Neil: Sorry, "signed" got stuck in my head after reading other answers/comments.
Eduard - Gabriel Munteanu
2009-06-12 22:53:10
A:
Since signed numbers on CPUs can be represented in different ways, 99.999% of all current CPUs use twos-complement notation. Since this is the majority of machines out there, it is difficult to find a different behaviour although the compiler might check it (fat chance). The C specs however must account for 100% of the compilers so have not defined its behaviour.
So it would make things more confusion, which is a good reason to avoid it. However, if you have a really good reason (say, performance boost of factor of 3 for critical part of code), then document it well and use it.
Rutger Nijlunsing
2009-06-12 19:35:24
You are referring to signed integers. The C standard documents the behavior of unsigned integers, and that's what the question is about.
David Thornley
2009-06-12 19:53:14
+2
A:
I use it all the time to tell if it is time to do something.
UInt32 now = GetCurrentTime()
if( now - then > 100 )
{
// do something
}
As long as you check the value before 'now' laps 'then', you are fine for all values of 'now' and 'then'.
EDIT: I guess this is really an underflow.
Robert
2009-06-12 19:44:37
+1
A:
Another place where unsigned overflow can be usefully used is when you have to iterate backwards from a given unsigned type:
void DownFrom( unsigned n )
{
unsigned m;
for( m = n; m != (unsigned)-1; --m )
{
DoSomething( m );
}
}
Other alternatives are not as neat. Trying to do m >= 0 doesn't work unless you change m to signed, but then you might be truncating the value of n - or worse - converting it to a negative number on initialisation.
Otherwise you have to do !=0 or >0 and then manually do the 0 case after the loop.
Charles Bailey
2009-06-12 19:45:54
Or "do {DoSomething(n);} while (n-- != 0);". With "if (n != (unsigned)-1)" at the start, if it's actually desirable that -1 is a magic input value meaning "do nothing", as it is in the above code.
Steve Jessop
2009-06-12 20:07:06
@Niki: doesn't work, your loop does nothing since m < n fails on the first time of asking.
Steve Jessop
2009-06-12 20:09:39
Yes, often (unsigned)-1 - i.e. the largest possible unsigned is a special value but it doesn't have to be.
Charles Bailey
2009-06-12 20:16:03
I think I'd want to make it explicit in the code if it is intended to be a valid input treated specially, to make sure those reading the code notice. But a comment would do that just as well as my "if", without emitting the extra comparison.
Steve Jessop
2009-06-12 20:29:39
+2
A:
To put it shortly:
It is perfectly legal/OK/safe to use unsigned integer overflow as you see fit as long as you pay attention and adhere to the definition (for whatever purpose - optimization, super clever algorithms, etc.)
Subtwo
2009-06-12 19:51:24
A:
It's fine to rely on overflow as long as you know WHEN it will occur ...
I, for example, had troubles with C implementation of MD5 when migrating to a more recent compiler... The code did expect overflow but it also expected 32 bits ints.
With 64 bits the results were wrong !
Fortunately that's what automated tests are for : I caught the problem early but this could have been a real horror story if gone unnoticed.
You could argue "but this happens rarely" : yes but that's what makes it even more dangerous ! When there is a bug, everybody is suspicious of code written in the last few days. No one is suspicious f code that "just worked for years" and usually no one still knows how it works...
siukurnin
2009-06-12 19:52:48
This is a case where a compile-time assertion to check the assumption that sizeof(int)==4 was valid would be a good thing. That would have thrown an error even before the tests were run.
RBerteig
2009-06-12 21:53:21
+1
A:
Just because you know the minutiae of the standard doesn't mean the person maintaining your code does. That person may have to waste time worrying about this while debugging later, or have to go look up the standard to verify this behavior later.
Sure, we expect proficiency with the reasonable features of a language in a working programmer -- and different companies / groups have a different expectation about where that reasonable proficiency is. But for most groups this seems to be a bit much to expect the next person to know off the top of his/her head and not have to think about it.
If that weren't enough, you're more likely to run into compiler bugs when you're working around the edges of the standard. Or worse, the person porting this code to a new platform may run into them.
In short, I vote don't do it!
Mike Kale
2009-06-12 20:00:33
A:
If you use it wisely (well commented and readable), you can benefit from it by having smaller and faster code.
codymanix
2009-06-15 15:09:28
A:
siukurnin makes a good point, that you need to know when overflows will occur. The easiest way to avoid the portability issue he described is to use the fixed-width integer types from stdint.h. uint32_t is an unsigned 32-bit integer on all platforms and OSes, and won't behave differently when compiled for a different system.
Neil
2009-06-21 17:26:07