Safe numerics #125
Open
Safe numerics #125
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
...in the <flux/core/numeric.hpp> header
This PR does a whole lot of things. Firstly, we define some concepts for integers. Specifically, the `flux::num::integral` concept is satisfied by any `std::integral` type *except* `bool`, `char`, `wchar_t` and the various `charN_t`s. We also have corresponding `signed_integral` and `unsigned_integral` concepts. Next, we define some functions which perform *unchecked* integer operations, namely: * `unchecked_add` * `unchecked_sub` * `unchecked_mul` * `unchecked_div` * `unchecked_mod` These work call the built-in operators (and so can cause UB for signed types), but require both arguments to be the same type, and cast the result back to their argument type -- that is, there is no promotion, so `unchecked_add(short, short)` returns a `short`, not an `int`. The intention is that these can be used in places where signed UB can allow extra optimisations, and explicitly acknowledge that you're doing something dangerous. Next is a set of wrapping functions: * `wrapping_add` * `wrapping_sub` * `wrapping_mul` These work by casting their arguments to an unsigned type, performing the operation, and casting back to the starting type. They never cause UB, and can be used to specifically document that you want wrapping semantics. Next is a set of functions which check whether overflow occurred: * `overflowing_add` * `overflowing_sub` * `overflowing_mul` These return a `(T, bool)` pair which safely performs the operation (as if by wrapping) and reports whether overflow occurred. They use compiler builtins in GCC and Clang. These work for unsigned types as well as signed types, so you can test whether your size_t overflowed. Then we have a set of checked arithmetic functions: * `checked_add` * `checked_sub` * `checked_mul` * `checked_div` * `checked_mod` These raise a `flux::runtime_error` if overflow occurs (or division by zero for the last two functions), regardless of the compiled checking policy. Finally, we have * `add` * `sub` * `mul` * `div` * `mod` These perform overflow/divide-by-zero checks according to the configured policies. By default, they trap on overflow in debug mode or wrap in release mode. Phew!
Codecov ReportPatch coverage is
📢 Thoughts on this report? Let us know!. |
This adds * num::unchecked_shl * num::unchecked_shr * num::checked_shl * num::checked_shr * num::shl * num::shr Which perform left and right bitshift operations either explicitly without undefined behaviour checking, or which check whether the shift amount is out of bounds
I got them the wrong way round
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR does a whole lot of things.
Firstly, we define some concepts for integers. Specifically, the
flux::num::integralconcept is satisfied by anystd::integraltype exceptbool,char,wchar_tand the variouscharN_ts. We also have correspondingsigned_integralandunsigned_integralconcepts.Next, we define some functions which perform unchecked integer operations, namely:
unchecked_addunchecked_subunchecked_mulunchecked_divunchecked_modThese work call the built-in operators (and so can cause UB for signed types), but require both arguments to be the same type, and cast the result back to their argument type -- that is, there is no promotion, so
unchecked_add(short, short)returns ashort, not anint. The intention is that these can be used in places where signed UB can allow extra optimisations, and explicitly acknowledge that you're doing something dangerous.Next is a set of wrapping functions:
wrapping_addwrapping_subwrapping_mulThese work by casting their arguments to an unsigned type, performing the operation, and casting back to the starting type. They never cause UB, and can be used to specifically document that you want wrapping semantics.
Next is a set of functions which check whether overflow occurred:
overflowing_addoverflowing_suboverflowing_mulThese return a
(T, bool)pair which safely performs the operation (as if by wrapping) and reports whether overflow occurred. They use compiler builtins in GCC and Clang. These work for unsigned types as well as signed types, so you can test whether your size_t overflowed.Then we have a set of checked arithmetic functions:
checked_addchecked_subchecked_mulchecked_divchecked_modThese raise a
flux::runtime_errorif overflow occurs (or division by zero for the last two functions), regardless of the compiled checking policy.Finally, we have
addsubmuldivmodThese perform overflow/divide-by-zero checks according to the configured policies. By default, they trap on overflow in debug mode or wrap in release mode.
Phew!