Rationale and FAQ

1. Is this really necessary? If I'm writing the program with the requisite care and competence, problems noted in the introduction will never arise. Should they arise, they should be fixed "at the source" and not with a "band aid" to cover up bad practice.
2. Can safe types be used as drop-in replacement for built-in types?
3. Why is Boost.Convert not used?
4. Why is the library named "safe ..." rather than something like "checked ..." ?
5. Given that the library is called "numerics" why is floating point arithmetic not addressed?
6. Isn't putting a defensive check just before any potential undefined behavior is often considered a bad practice?
7. It looks like the implementation presumes two's complement arithmetic at the hardware level. So this library is not portable - correct? What about other hardware architectures?
8. Why do you specialize numeric_limits for "safe" types? Do you need it?
9. According to C/C++ standards, unsigned integers cannot overflow - they are modular integers which "wrap around". Yet the safe numerics library detects and traps this behavior as errors. Why is that?
10. Why does the library require C++14?
11. This is a C++ library - yet you refer to C/C++. Which is it?

1.	Is this really necessary? If I'm writing the program with the requisite care and competence, problems noted in the introduction will never arise. Should they arise, they should be fixed "at the source" and not with a "band aid" to cover up bad practice.
	This surprised me when it was first raised. But some of the feedback I've received makes me thing that it's a widely held view. The best answer is to consider the examples in the Tutorials and Motivating Examples section of the library documentation.
2.	Can safe types be used as drop-in replacement for built-in types?
	Almost. Replacing all built-in types with their safe counterparts should result in a program that will compile and run as expected. In some cases compile time errors will occur and adjustments to the source code will be required. Typically these will result in code which is more correct.
3.	Why is Boost.Convert not used?
	I couldn't figure out how to use it from the documentation.
4.	Why is the library named "safe ..." rather than something like "checked ..." ?
	I used "safe" in large part this is what has been used by other similar libraries. Maybe a better word might have been "correct" but that would raise similar concerns. I'm not inclined to change this. I've tried to make it clear in the documentation what the problem that the library addressed is.
5.	Given that the library is called "numerics" why is floating point arithmetic not addressed?
	Actually, I believe that this can/should be applied to any type T which satisfies the type requirement "Numeric" type as defined in the documentation. So there should be specializations `safe<float>` and related types as well as new types like `safe<fixed_decimal>` etc. But the current version of the library only addresses integer types. Hopefully the library will evolve to match the promise implied by its name.
6.	Isn't putting a defensive check just before any potential undefined behavior is often considered a bad practice?
	By whom? Is leaving code which can produce incorrect results better? Note that the documentation contains references to various sources which recommend exactly this approach to mitigate the problems created by this C/C++ behavior. See [Seacord]
7.	It looks like the implementation presumes two's complement arithmetic at the hardware level. So this library is not portable - correct? What about other hardware architectures?
	As far as is known as of this writing, the library does not presume that the underlying hardware is two's compliment. However, this has yet to be verified in a rigorous way.
8.	Why do you specialize `numeric_limits` for "safe" types? Do you need it?
	`safe<T>` behaves like a "number" just as int does. It has max, min, etc Any code which uses numeric limits to test a type `T` should works with `safe<T>`. `safe<T>` is a drop-in replacement for `T` so it has to implement all the operations.
9.	According to C/C++ standards, unsigned integers cannot overflow - they are modular integers which "wrap around". Yet the safe numerics library detects and traps this behavior as errors. Why is that?
	The guiding purpose of the library is to trap incorrect arithmetic behavior - not just undefined behavior. Although a savvy user may understand and keep present in his mind that an unsigned integer is really a modular type, the plain reading of an arithmetic expression conveys the idea that all operands are integers. Also in many cases, unsigned integers are used in cases where modular arithmetic is not intended, such as array indexes. Finally, the modulus for such an integer would vary depending upon the machine architecture. For these reasons, in the context of this library, an unsigned integer is considered to a representation of a subset of integers. Note that this decision is consistent with [INT30-C], “Ensure that unsigned integer operations do not wrap” in the CERT C Secure Coding Standard [Seacord].
10.	Why does the library require C++14?
	The original version of the library used C++11. Feedback from CPPCon, Boost Library Incubator and Boost developer's mailing list convinced me that I had to address the issue of run-time penalty much more seriously. I resolved to eliminate or minimize it. This led to more elaborate meta-programming. But this wasn't enough. It became apparent that the only way to really minimize run-time penalty was to implement compile-time integer range arithmetic - a pretty elaborate sub library. By doing range arithmetic at compiler-time, I could skip runtime checking on many/most integer operations. C++11 constexpr wasn't quite enough to do the job. C++14 constexpr can do the job. The library currently relies very heavily on C++14 constexpr. I think that those who delve into the library will be very surprised at the extent that minor changes in user code can produce guaranteed correct integer code with zero run-time penalty.
11.	This is a C++ library - yet you refer to C/C++. Which is it?
	C++ has evolved way beyond the original C language. But C++ it's still (mostly) compatible with C. So most C programs can be compiled with a C++ compiler. The problems of incorrect arithmetic afflict both C and C++. Suppose we have a legacy C program designed for some embedded system. Replace all `int` declarations with `int16_t` and all `long` declarations with `int32_t`. Create a file containing something like the following and include it at the beginning of every source file. #ifdef TEST // using C++ on test platform #include <cstdint> #include <safe_integer.hpp> #include <cpp.hpp> using pic16_promotion = boost::numeric::cpp< 8, // char 8, // short 8, // int 16, // long 32 // long long >; // define safe types used desktop version of the program. template <typename T> // T is char, int, etc data type using safe_t = boost::numeric::safe< T, pic16_promotion, boost::numeric::throw_exception // use for compiling and running tests >; typedef safe_t<std::int16_t> int16_t; typedef safe_t<std::int32_t> int32_t; #else /* using C on embedded platform */ typedef int int16_t; typedef long int32_t; #endif Compile tests on the desktop with a C++14 compiler and with the macro TEST defined. Run the tests and change code to address any thrown exceptions. This example illustrates how this library, implemented with C++14 can be useful in the development of correct code for programs written in C.

Safe Numerics

Rationale and FAQ