| Hard-coded Japanese era start date (`cpp/japanese-era/exact-era-date`) | reliability, japanese-era | This query is a combination of two old queries that were identical in purpose but separate as an implementation detail. This new query replaces Hard-coded Japanese era start date in call (`cpp/japanese-era/constructor-or-method-with-exact-era-date`) and Hard-coded Japanese era start date in struct (`cpp/japanese-era/struct-with-exact-era-date`). |
12
-
| Signed overflow check (`cpp/signed-overflow-check`) | correctness, reliability | Finds overflow checks that rely on signed integer addition to overflow, which is undefined behavior. Example: `a + b < a`. |
12
+
| Signed overflow check (`cpp/signed-overflow-check`) | correctness, reliability | Finds overflow checks that rely on signed integer addition to overflow, which has undefined behavior. Example: `a + b < a`. |
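Review bot: the reworded description still does not say why the `a + b < a` idiom is a problem in practice; since the signed addition has undefined behavior, a compiler is entitled to assume it never wraps and may drop the comparison entirely, so the check silently stops working at higher optimization levels. Consider extending the description to e.g. "which has undefined behavior and may be optimized away by the compiler", so readers of the change note understand the impact rather than only the standards point.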
<td><tt>i + delta</tt>does not actually overflow due to <tt>int</tt> promotion</td>
51
+
</tr>
52
+
<tr>
53
+
<td> </td>
54
+
<td><tt><table>
55
+
<tr>
56
+
<td>unsigned short i, delta;</td>
57
+
</tr><tr>
58
+
<td>i > USHORT_MAX - delta</td>
59
+
</tr>
60
+
</table></tt></td>
61
+
<td>Must include <tt>limits.h</tt> or <tt>climits</tt></td>
62
+
</tr>
63
+
<tr>
64
+
<td><tt><table>
65
+
<tr>
66
+
<td>int i, delta;</td>
67
+
</tr><tr>
68
+
<td>i + delta < i</td>
69
+
</tr>
70
+
</table></tt></td>
71
+
<td><tt><table>
72
+
<tr>
73
+
<td>int i, delta;</td>
74
+
</tr><tr>
75
+
<td>i > INT_MAX - delta</td>
76
+
</tr>
77
+
</table></tt></td>
78
+
<td>Must include <tt>limits.h</tt> or <tt>climits</tt></td>
79
+
</tr>
80
+
<tr>
81
+
<td> </td>
82
+
<td><tt><table>
83
+
<tr>
84
+
<td>int i, delta;</td>
85
+
</tr><tr>
86
+
<td>(unsigned)i + delta < i</td>
87
+
</tr>
88
+
</table></tt></td>
89
+
<td>Change in program semantics</td>
90
+
</tr>
91
+
<tr>
92
+
<td> </td>
93
+
<td><tt><table>
94
+
<tr>
95
+
<td>unsigned int i, delta;</td>
96
+
</tr><tr>
97
+
<td>i + delta < i</td>
98
+
</tr>
99
+
</table></tt></td>
100
+
<td>Change in program semantics</td>
101
+
</tr>
102
+
</table>
24
103
</recommendation>
25
104
<example>
26
105
<p>
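Review bot: the `unsigned short` row in the recommendation table uses `USHORT_MAX` (`i > USHORT_MAX - delta`), which is not a macro defined by `limits.h`/`climits`; the standard name is `USHRT_MAX`, so the suggested fix would not compile as written even with the header the adjacent cell tells the reader to include. The `int i, delta; i > INT_MAX - delta` row has a logic gap: when `delta` is negative, `INT_MAX - delta` is itself a signed overflow, so the replacement is only safe under a `delta >= 0` precondition; either state that precondition in the notes column or show the two-sided form (`delta > 0 ? i > INT_MAX - delta : i < INT_MIN - delta`). Minor: the first cell, `<tt>i + delta</tt>does not actually overflow`, is missing a space after the closing `</tt>`.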
@@ -34,6 +113,17 @@ result.
34
113
</p>
35
114
<samplesrc="SignedOverflowCheck-bad1.cpp" />
36
115
<p>
116
+
The following example builds upon the previous one. Instead of
117
+
performing an addition (which could overflow), we have re-framed the
118
+
solution so that a subtraction is used instead. Since <code>delta</code>
119
+
is promoted to a <code>signed int</code> and <code>INT_MAX</code> denotes
120
+
the largest possible positive value for an <code>signed int</code>,
121
+
the expression <code>INT_MAX - delta</code> can never be less than zero
122
+
or more than <code>INT_MAX</code>. Hence, any overflow and underflow
123
+
are avoided.
124
+
</p>
125
+
<samplesrc="SignedOverflowCheck-good1.cpp" />
126
+
<p>
37
127
In the following example, even though both <code>n</code> and <code>delta</code>
38
128
have been declared <code>unsigned short</code>, both are promoted to
39
129
<code>signed int</code> prior to addition. Because we started out with the
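Review bot: the sentence "the expression INT_MAX - delta can never be less than zero or more than INT_MAX" is only true for non-negative `delta`; for a negative `delta` the subtraction overflows (`INT_MAX - (-1)` is `INT_MAX + 1`), so the paragraph should state that precondition or explain the symmetric `INT_MIN - delta` check. Two smaller points in the same paragraph: "promoted to a signed int" is misleading if `delta` is already declared `int` (no promotion takes place; only a narrower type would be promoted), so align the wording with the actual declarations in the sample, and "for an signed int" should read "for a signed int". Also please confirm that `SignedOverflowCheck-good1.cpp` now contains the subtraction-based fix, since the removed text further down referenced the same file for the `unsigned short` cast example.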
@@ -45,26 +135,18 @@ hold true, which likely is not what the programmer intended. (see also the
45
135
</p>
46
136
<samplesrc="SignedOverflowCheck-bad2.cpp" />
47
137
<p>
48
-
The following example builds upon the previous one. Again, we have two
49
-
<code>unsigned short</code> values getting promoted to a wider type, resulting
50
-
in a comparison that always succeeds (since there is no overflow). To
51
-
test whether we have an <code>unsigned short</code> overflow, we cast the
52
-
left-hand side to it, causing the right-hand side to remain an <code>unsigned
53
-
short</code> as well.
54
-
</p>
55
-
<samplesrc="SignedOverflowCheck-good1.cpp" />
56
-
<p>
57
-
In the next example, we have two <code>signed int</code> values that we
58
-
wish to add together. Adding them "as-is" opens the possibility of
59
-
a signed integer overflow, the results of which are undefined.
60
-
By casting one of the operands to <code>unsigned</code>, the entire
61
-
expression is evaluated using <code>unsigned</code>
62
-
values, which is defined behavior per the C/C++ standard.
138
+
The next example provides a solution to the previous one. Even though
139
+
<code>i + delta</code> does not overflow, casting it to an
140
+
<code>unsigned short</code> truncates the addition modulo 2^16,
141
+
so that <code>unsigned short</code> "wrap around" may now be observed.
142
+
Furthermore, since the left-hand side is now of type <code>unsigned short</code>,
143
+
the right-hand side does not need to be promoted to a <code>signed int</code>.
63
144
</p>
64
145
<samplesrc="SignedOverflowCheck-good2.cpp" />
65
146
</example>
66
147
<references>
67
148
<li><ahref="http://c-faq.com/expr/preservingrules.html">comp.lang.c FAQ list · Question 3.19 (Preserving rules)</a></li>
68
149
<li><ahref="https://wiki.sei.cmu.edu/confluence/display/c/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data">INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data</a></li>
150
+
<li>W. Dietz,∗ P. Li, J. Regehr, V. Adve. <ahref="http://www.cs.utah.edu/~regehr/papers/overflow12.pdf">Understanding Integer Overflow in C/C++</a></li>
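Review bot: the new explanation ends with an incorrect claim: "since the left-hand side is now of type unsigned short, the right-hand side does not need to be promoted to a signed int". In `(unsigned short)(i + delta) < i` both operands are `unsigned short` and the usual arithmetic conversions still promote each of them to `int` before the comparison; the fix works because the left-hand side has already been truncated modulo 2^16, not because promotion is skipped. Suggest rewording to something like "both sides are still promoted to int for the comparison, but the left-hand side has already been reduced modulo 2^16, so a wrapped result compares less than i as intended". In the added reference, the "∗" after "W. Dietz," is a footnote marker carried over from the paper's author line and should be dropped.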