There's (1):
// assume x,y are non-negative
if(x > max - y) error;
And (2):
// assume x,y are non-negative
int sum = x + y;
if(sum < x || sum < y) error;
Whichs is preferred or is there a better way.
3 Answers
Integer overflow is the canonical example of "undefined behaviour" in C (noting that operations on unsigned integers never overflow, they are defined to wrap-around instead). This means that once you've executed x + y, if it overflowed, you're already hosed. It's too late to do any checking - your program could have crashed already. Think of it like checking for division by zero - if you wait until after the division has been executed to check, it's already too late.
So this implies that method (1) is the only correct way to do it. For max, you can use INT_MAX from <limits.h>.
If x and/or y can be negative, then things are harder - you need to do the test in such a way that the test itself can't cause overflow.
if ((y > 0 && x > INT_MAX - y) ||
(y < 0 && x < INT_MIN - y))
{
/* Oh no, overflow */
}
else
{
sum = x + y;
}
8 Comments
Pacerier
Btw, can you comment on the performance of this solution compared to other alternative solutions?
caf
It makes little sense to compare the performance against an incorrect solution. What other correct solution did you have in mind?
Pacerier
the other usual way seem to be casting to a wider type. I'm not sure of a third alternative but there are surely more.
martinkunev
@Pacerier Casting to a wider type is not possible if you're already working with the largest type on the platform.
ilstam
@Tuntable: What every single compiler does is optimizations which can lead to horror: blog.llvm.org/2011/05/…
|
You can really only check for overflow with unsigned integers and arithmatic:
unsigned a,b,c;
a = b + c;
if (a < b) {
/* overflow */
}
The behavior of overflow with signed integers is undefined in C, but on most machines you can use
int a,b,c;
a = b + c;
if (c < 0 ? a > b : a < b) {
/* overflow */
}
This may require compile-time flags to get the compiler to enforce wrapping semantics, and won't work on machines that use any kind of saturating or trapping arithmetic
3 Comments
strcat
Checking for overflow after the fact with signed integers isn't correct. It's undefined behaviour, so compilers will happily optimize out the checks without passing a switch like
-fwrapv to enable signed wrapping as a language extension. It's not just a portability issue across architectures.
sbhatla
Overflow for signed integers can also be checked. See securecoding.cert.org/confluence/display/c/…
Peter Cordes
Nope, modern gcc breaks your signed
int example. Signed integer not overflowing on ARM64?.You only have to check one of them. If x + y overflows, it will be less than both x and y. Hence:
int sum = x + y;
if (sum < x) error;
should be sufficient.
The following site has a bunch of stuff about integer overflow:
If you want to handle negative numbers, it can be expanded:
int sum = x + y;
if (y >= 0) {
if (sum < x) error;
} else {
if (sum > x) error;
}
4 Comments
clahey
The original poster specified non-negative integers, but I've added code to handle negative numbers.
caf
This isn't correct - once
x + y has overflowed, the program has undefined behaviour. You have to check before you actually execute the overflowing operation - just as you do for integer division by zero.
Antti Haapala
If anything is more wrong than this answer, then possibly the page it links to.
Millie Smith
This is correct for unsigned though, and I think it's really good for that case.
unsignedthat have well-defined wraparound semantics, whereas overflowing a signed integer is undefined behaviour in C.sum < xandsum < y.unsignedwhere wrapping is well-defined behaviour. signedintis harder because you can't just add and then check if it overflowed, that would already be UB and thus compilers can assume there was no overflow!