primitive value overflow

Marco Leise Marco.Leise at gmx.de
Thu May 16 15:23:20 PDT 2013


Am Thu, 16 May 2013 22:39:16 +0200
schrieb luka8088 <luka8088 at owave.net>:

> On 16.5.2013. 22:29, Andrej Mitrovic wrote:
> > On Thursday, 16 May 2013 at 20:24:31 UTC, luka8088 wrote:
> >> Hello everyone.
> >>
> >> Today I ran into an interesting issue. I wrote
> >>
> >> auto offset = text1.length - text2.length;
> >
> > Yeah, I don't like these bugs either. In the meantime you can swap auto
> > with 'sizediff_t' or 'ptrdiff_t', and then you can check if it's
> > non-negative.
> 
> Yes, thanks for the advice, I did something similar. =)

Now that doesn't work if you deal with some text2 that is over
2 GiB longer than text1.
My approach is to see the close relation between any offset
from beginning or length to the machine memory model. So any
byte or char array in memory naturally has an unsigned length
typed by the architecture's word size (e.g. 32 or 64 bit).
With that in mind I _only_ ever subtract two values if I know
the difference will be positive. That is the case for
file_size - valid_offset for example.
I don't know the context for your line of code, but if text1
and text2 are passed in as parameters to a function, a
contract should verify that text1 is longer than (or equal
to) text2.
Now feel free to tell me I'm wrong, but with the two lengths
being natural numbers or "countable", I claim that a negative
value for your offset variable would not have been usable
anyway. It is a result that makes no sense. So on the next line
you probably check "if (offset >= 0)" which is the same as
putting "if (text1.length >= text2.length)" one line earlier
to avoid running into the situation where you can end up with
an over- or underflow because the result range of size_t -
size_t fits neither size_t nor sizediff_t.

Say text1 is 0 bytes long and text2 is 3_000_000_000 bytes
long. Then -3_000_000_000 would be the result that cannot be
stored in any 32-bit type. And thus it is important to think
about possible input to your integer calculations and place
if-else-branches there (or in-contracts), especially when the
language accepts overflows silently.
But I'd really like to see the context of your code if it is
not a secret. :)

-- 
Marco
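The 32-bit case from the message, worked through in C as an added example (not code from the original post or from the D runtime): `uint32_t` and `int32_t` stand in for a 32-bit `size_t` and `sizediff_t`, so the result is the same on any host. It shows that the "swap auto for sizediff_t and test for >= 0" workaround passes for a 3 GB text2, because the wrapped difference lands in the positive half of the signed range, while comparing the lengths before subtracting rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-width stand-ins for a 32-bit size_t / sizediff_t (assumed names,
 * chosen so the demonstration does not depend on the host word size). */
typedef uint32_t len32_t;
typedef int32_t  diff32_t;

/* The naive `auto offset = text1.length - text2.length;` as the machine
 * computes it: unsigned subtraction wraps modulo 2^32 instead of going
 * negative. */
len32_t naive_offset(len32_t len1, len32_t len2) {
    return len1 - len2;
}

/* The suggested workaround: store the difference in a signed type and
 * test for non-negative. The conversion wraps on every mainstream
 * compiler, so this is only sound while the true difference lies in
 * [-2^31, 2^31); a 3 GB gap wraps back into the positive range. */
bool signed_check_passes(len32_t len1, len32_t len2) {
    diff32_t offset = (diff32_t)(len1 - len2);
    return offset >= 0;
}

/* The approach argued for in the message: decide on the lengths before
 * subtracting (the same test an in-contract would make). The result is
 * then a natural number, or the caller is told no offset exists. */
bool checked_offset(len32_t len1, len32_t len2, len32_t *offset) {
    if (len1 < len2) {
        return false;          /* a negative offset is not usable anyway */
    }
    *offset = len1 - len2;     /* cannot wrap, because len1 >= len2 */
    return true;
}

int main(void) {
    len32_t out;
    printf("naive 0 - 3000000000 = %u\n", naive_offset(0, 3000000000u));
    printf("signed >= 0 check passes: %d\n", signed_check_passes(0, 3000000000u));
    printf("checked_offset accepts:   %d\n", checked_offset(0, 3000000000u, &out));
    return 0;
}
```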


