26

We know CPython promotes integers to long integers (which allow arbitrary-precision arithmetic) silently when the number gets bigger.

How can we detect overflow of int and long long in pure C?

miken32
  • 42,008
  • 16
  • 111
  • 154
Dean
  • 427
  • 1
  • 4
  • 8
  • 4
    It's very tricky since you just can't add two numbers and check if the value is above some threshold (because signed integer arithmetic overflow and such). A simple solution might be to check if `x` (the value you want to check) is above a specific threshold, or if adding one goes above a threshold. If it does and the other number you want to add is larger than one, then you have an overflow situation. – Some programmer dude Apr 02 '19 at 07:11
  • 2
    Nitpick, but, it was CPython 2.7 that did this. CPython 3 doesn't "promote" anything, even internally there is just one type. – Antti Haapala -- Слава Україні Apr 02 '19 at 12:49
  • 1
    there are a lot of duplicates depending on what you want to do with the values (add/sub/mul/div/...?) [How to check if A+B exceed long long? (both A and B is long long)](https://stackoverflow.com/q/15920639/995714), [Detecting signed overflow in C/C++](https://stackoverflow.com/q/3944505/995714), [Test for overflow in integer addition](https://stackoverflow.com/q/3422709/995714) – phuclv Apr 02 '19 at 14:00
  • and add 1 more https://codereview.stackexchange.com/questions/37177/simpler-method-to-detect-int-overflow – NoChance Apr 02 '19 at 14:36

3 Answers3

32

You cannot detect signed int overflow. You have to write your code to avoid it.

Signed int overflow is Undefined Behaviour and if it is present in your program, the program is invalid and the compiler is not required to generate any specific behaviour.

Jesper Juhl
  • 30,449
  • 3
  • 47
  • 70
  • 5
    You can check you input values before doing a calculation to prevent overflow. – A.R.C. Apr 02 '19 at 07:12
  • 7
    I think, it would be nice and informative to explain why signed int overflow undefined, whereas unsigned apperantly isn't.. – hetepeperfan Apr 02 '19 at 07:17
  • 8
    @hetepeperfan It's because that's what the language standard says. – Sneftel Apr 02 '19 at 08:40
  • 6
    @sneftel thats an authoritative argument lacking an authoritative source, despise it is probably correct. On top of that, standards make more sense to people, once they start to understand the language, which is perhaps a reason they visit stackoverflow in the first place. – hetepeperfan Apr 02 '19 at 09:07
  • 2
    @hetepeperfan there surely is already a Q&A on Stackoverflow regarding the reason behind this choice. So there’s no reason to discuss it here, where the OP never asked about it. – Holger Apr 02 '19 at 09:24
  • 5
    @hetepeperfan the *reason* for why the standard is written as it is, is for the most part outside the scope of Stack Overflow. – Antti Haapala -- Слава Україні Apr 02 '19 at 12:51
  • @hetepeperfan Making it well defined has a cost on some implementations and leaving it undefined enables various compiler optimizations. – Jesper Juhl Apr 02 '19 at 13:10
  • @JesperJuhl This I understand, when your out of bits, your out. Probably C only gets more complicated when int32_t get promoted to int64_t, depending on whether the operation overflows or not. I just felt, that pointing to standards doesn't make the answer clear to a large audience. even when reading C11 N1570 6.5.3 semantic 2 says "The result of the binary*operator is the product of the operands", I've been looking, but unable to tell where in standard I can find that a overflow is undefined, although I do reasonably understand. – hetepeperfan Apr 02 '19 at 13:32
30

You can predict signed int overflow but attempting to detect it after the summation is too late. You have to test for possible overflow before you do a signed addition.

It's not possible to avoid undefined behaviour by testing for it after the summation. If the addition overflows then there is already undefined behaviour.

If it were me, I'd do something like this:

#include <limits.h>

int safe_add(int a, int b) 
{
    if (a >= 0) {
        if (b > (INT_MAX - a)) {
            /* handle overflow */
        }
    } else {
        if (b < (INT_MIN - a)) {
            /* handle underflow */
        }
    }
    return a + b;
}

Refer this paper for more information. You can also find why unsigned integer overflow is not undefined behaviour and what could be portability issues in the same paper.

EDIT:

GCC and other compilers have some provisions to detect the overflow. For example, GCC has following built-in functions allow performing simple arithmetic operations together with checking whether the operations overflowed.

bool __builtin_add_overflow (type1 a, type2 b, type3 *res)
bool __builtin_sadd_overflow (int a, int b, int *res)
bool __builtin_saddl_overflow (long int a, long int b, long int *res)
bool __builtin_saddll_overflow (long long int a, long long int b, long long int *res)
bool __builtin_uadd_overflow (unsigned int a, unsigned int b, unsigned int *res)
bool __builtin_uaddl_overflow (unsigned long int a, unsigned long int b, unsigned long int *res)
bool __builtin_uaddll_overflow (unsigned long long int a, unsigned long long int b, unsigned long long int *res)

Visit this link.

EDIT:

Regarding the question asked by someone

I think, it would be nice and informative to explain why signed int overflow undefined, whereas unsigned apperantly isn't..

The answer depends upon the implementation of the compiler. Most C implementations (compilers) just used whatever overflow behaviour was easiest to implement with the integer representation it used.

In practice, the representations for signed values may differ (according to the implementation): one's complement, two's complement, sign-magnitude. For an unsigned type there is no reason for the standard to allow variation because there is only one obvious binary representation (the standard only allows binary representation).

abhiarora
  • 9,743
  • 5
  • 32
  • 57
  • Why extra parentheses? Also you could save one test on average with `if (a >= 0) { test overflow } else { test underflow } return a + b;` – chqrlie Apr 02 '19 at 07:28
  • @chqrlie that is not sufficient because there is no possibility of overflow when `a == 0`. – Antti Haapala -- Слава Україні Apr 02 '19 at 07:30
  • It is not *necessary* to test overflow if `a == 0` but testing `a` just once saves one comparison if `a < 0`, which is half the cases. – chqrlie Apr 02 '19 at 07:32
  • 9
    Also, both are technically called overflow. Underflow means that the value is too small in *magnitude* to be representable in a floating point variable. – Antti Haapala -- Слава Україні Apr 02 '19 at 07:32
  • @chqrlie but your change was incorrect because it *ignores* the test `a == 0` which was implicit there, i.e. nothing was saved. – Antti Haapala -- Слава Україні Apr 02 '19 at 07:33
  • Here is what I mean: `if (a >= 0) { if (b > INT_MAX - a) { /* handle overflow */ }} else { if (b < INT_MIN - a) { /* handle overflow */ }} return a + b;`. 2 comparisons in all cases as opposed to 2.5 for the current answer code. – chqrlie Apr 02 '19 at 07:34
  • 3
    @AnttiHaapala it does not *ignore* the case `a == 0` where there is no possible overflow, it just handles it differently. – chqrlie Apr 02 '19 at 07:37
  • @abhiarora: you did not copy my coding suggestion proposal correctly. I took the liberty to correct the tests. – chqrlie Apr 02 '19 at 13:25
  • I carefully read documentation and I see nothing that guarantees that `INT_MIN - a` or `INT_MAX - a` itself cannot overflow. The fact that on all current architectures it seems to be true means nothing regarding to standard. – hamilyon Jun 10 '21 at 12:39
  • What if you cast the signed ints to unsigned ints? Though the overflow result is undefined, overflow of unsigned ints *is* defined. So to test if a+b is overflow, test if (uint)a + (uint)b < (uint)a. Casting the int to uint is well-defined and so is all the rest. The compiler will probably be able to cast the numbers with 0 instructions. – Eyal Aug 11 '21 at 05:45
  • @hamilyon Notice that `INT_MIN - a` is only run if `a` is less than `0`, which means that the result will be `INT_MIN` plus number number that is, at most, `INT_MAX`. So the result will be between `INT_MIN` and `0`, so no overflow. – Eyal Aug 11 '21 at 06:02
11

Signed operands must be tested before the addition is performed. Here is a safe addition function with 2 comparisons in all cases:

#include <limits.h>

int safe_add(int a, int b) {
    if (a >= 0) {
        if (b > INT_MAX - a) {
            /* handle overflow */
        } else {
            return a + b;
        }
    } else {
        if (b < INT_MIN - a) {
            /* handle negative overflow */
        } else {
            return a + b;
        }
    }
}

If the type long long is known to have a larger range than type int, you could use this approach, which might prove faster:

#include <limits.h>

int safe_add(int a, int b) {
    long long res = (long long)a + b;
    if (res > INT_MAX || res < INT_MIN) {
        /* handle overflow */
    } else {
        return (int)res;
    }
}
chqrlie
  • 131,814
  • 10
  • 121
  • 189