SecureIntegerOperations


Rationale

C and C++ do not guarantee mathematically correct semantics for integer arithmetic. This badly affects both languages, because many developers write incorrect code without realizing it.

Proposed solution

Integer operations are very frequent. The library should be very handy even for a complex expression like

    size = prefix_len + n * sizeof(X) + 2 * suffix_len;

One approach is to wrap a Boost lambda expression into an object that controls every operation. For example, the earlier expression would become

    bool const ok = is_mathematically_correct(_1 = _2 + _3 * sizeof(T) + 2 * _4)(size, prefix_len, n, suffix_len);

The function is_mathematically_correct returns a lambda expression which is immediately evaluated; it returns true if the passed expression is mathematically correct, or false otherwise.

Note: although "overflow" is the more common term, it is not strictly correct here, because unsigned types never overflow in C and C++ (their arithmetic wraps around); the result is simply not mathematically correct.
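The proposal's example expression, evaluated with a check on every intermediate operation, as an added illustration (this is not code from the page or from Boost). It uses plain range checks instead of the lambda wrapper sketched above, and the struct X is a hypothetical payload type whose only relevant property is its size. The unchecked version shows the silent wrap-around the note above refers to.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Hypothetical payload type; only sizeof(X) (24 bytes) matters here.
struct X { char bytes[24]; };

// Outcome of a checked evaluation: 'value' is meaningful only when 'ok' is true.
struct SizeResult { bool ok; std::size_t value; };

// Checked add/mul on size_t: return false when the true mathematical result
// does not fit, i.e. when C++'s modulo-2^N wrap-around would silently occur.
static bool checked_add(std::size_t a, std::size_t b, std::size_t& out) {
    if (a > std::numeric_limits<std::size_t>::max() - b) return false;
    out = a + b;
    return true;
}

static bool checked_mul(std::size_t a, std::size_t b, std::size_t& out) {
    if (b != 0 && a > std::numeric_limits<std::size_t>::max() / b) return false;
    out = a * b;
    return true;
}

// size = prefix_len + n * sizeof(X) + 2 * suffix_len, evaluated step by step;
// ok is true only if every intermediate result was mathematically correct.
SizeResult compute_size(std::size_t prefix_len, std::size_t n, std::size_t suffix_len) {
    std::size_t body = 0, tail = 0, sum = 0, size = 0;
    bool ok = checked_mul(n, sizeof(X), body)
           && checked_mul(2, suffix_len, tail)
           && checked_add(prefix_len, body, sum)
           && checked_add(sum, tail, size);
    return SizeResult{ok, ok ? size : 0};
}

// What the plain C++ expression actually yields: unsigned arithmetic wraps,
// so an absurdly large n produces a small, plausible-looking size.
std::size_t compute_size_unchecked(std::size_t prefix_len, std::size_t n, std::size_t suffix_len) {
    return prefix_len + n * sizeof(X) + 2 * suffix_len;
}
```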

The library should check the following

References

http://www.cert.org/secure-coding/IntegerLib.zip


Last edited September 11, 2006 12:11 am (diff)