boost/safe_numerics
2
0
Fork 0
mirror of https://github.com/boostorg/safe_numerics.git synced 2026-02-22 15:42:30 +00:00
Code Issues Projects Releases Wiki Activity
Files
0e08284fa79ab64be20d6e8616f50e2db6f42663
safe_numerics/doc/html/introduction.html
Robert Ramey d0ca1634fc documentation updates inspired by ACCU Overload
2017-02-03 14:24:05 -08:00

242 lines
18 KiB
HTML
Raw Blame History

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<title>Introduction</title>
<link rel="stylesheet" href="boostbook.css" type="text/css">
<meta name="generator" content="DocBook XSL Stylesheets V1.79.1">
<link rel="home" href="index.html" title="Safe Numerics">
<link rel="up" href="index.html" title="Safe Numerics">
<link rel="prev" href="index.html" title="Safe Numerics">
<link rel="next" href="tutorial.html" title="Tutorial and Motivating Examples">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table cellpadding="2" width="100%"><tr>
<td valign="top"><img href="index.html" height="164px" src="pre-boost.jpg" alt="Library Documentation Index"></td>
<td><h2>Safe Numerics</h2></td>
</tr></table>
<div class="spirit-nav">
<a accesskey="p" href="index.html"><img src="images/prev.png" alt="Prev"></a><a accesskey="u" href="index.html"><img src="images/up.png" alt="Up"></a><a accesskey="h" href="index.html"><img src="images/home.png" alt="Home"></a><a accesskey="n" href="tutorial.html"><img src="images/next.png" alt="Next"></a>
</div>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="safe_numerics.introduction"></a>Introduction</h2></div></div></div>
<div class="toc"><dl class="toc">
<dt><span class="section"><a href="introduction.html#safe_numerics.introduction.problem">Problem</a></span></dt>
<dt><span class="section"><a href="introduction.html#safe_numerics.introduction.solution">Solution</a></span></dt>
<dt><span class="section"><a href="introduction.html#safe_numerics.introduction.implementation">How It Works</a></span></dt>
<dt><span class="section"><a href="introduction.html#safe_numerics.introduction.additional_features">Additional Features</a></span></dt>
<dt><span class="section"><a href="introduction.html#safe_numerics.introduction.requirements">Requirements</a></span></dt>
<dt><span class="section"><a href="introduction.html#safe_numerics.introduction.scope">Scope</a></span></dt>
</dl></div>
<p>This library is intended as a drop-in replacement for all built-in
integer types in any program which must:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>be demonstrably and verifiably correct.</p></li>
<li class="listitem"><p>detect every user error such as input, assignment, etc.</p></li>
<li class="listitem"><p>be efficient as possible subject to the constraints above.</p></li>
</ul></div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="safe_numerics.introduction.problem"></a>Problem</h3></div></div></div>
<p>Arithmetic operations in C/C++ are NOT guaranteed to yield a correct
mathematical result. This feature is inherited from the early days of C.
The behavior of <code class="computeroutput">int</code>, <code class="computeroutput">unsigned int</code> and others
were designed to map closely to the underlying hardware. Computer hardware
implements these types as a fixed number of bits. When the result of
arithmetic operations exceeds this number of bits, the result will not be
arithmetically correct. The following example illustrates just one example
where this causes problems.</p>
<pre class="programlisting"><span class="keyword">int</span> <span class="identifier">f</span><span class="special">(</span><span class="keyword">int</span> <span class="identifier">x</span><span class="special">,</span> <span class="keyword">int</span> <span class="identifier">y</span><span class="special">)</span><span class="special">{</span>
<span class="comment">// this returns an invalid result for some legal values of x and y !</span>
<span class="keyword">return</span> <span class="identifier">x</span> <span class="special">+</span> <span class="identifier">y</span><span class="special">;</span>
<span class="special">}</span>
</pre>
<p>It is incumbent upon the C/C++ programmer to guarantee that this
behavior does not result in incorrect or unexpected operation of the
program. There are no language facilities which implement such a
guarantee. A programmer needs to examine each expression individually to
know that his program will not return an invalid result. There are a
number of ways to do this. In the above instance,
[<a class="citation" href="bibliography.html#seacord3"><span class="citation">INT32-C</span></a>] seems to recommend the following
approach:</p>
<pre class="programlisting"><span class="keyword">int</span> <span class="identifier">f</span><span class="special">(</span><span class="keyword">int</span> <span class="identifier">x</span><span class="special">,</span> <span class="keyword">int</span> <span class="identifier">y</span><span class="special">)</span><span class="special">{</span>
<span class="keyword">if</span> <span class="special">(</span><span class="special">(</span><span class="special">(</span><span class="identifier">y</span> <span class="special">&gt;</span> <span class="number">0</span><span class="special">)</span> <span class="special">&amp;&amp;</span> <span class="special">(</span><span class="identifier">x</span> <span class="special">&gt;</span> <span class="special">(</span><span class="identifier">INT_MAX</span> <span class="special">-</span> <span class="identifier">y</span><span class="special">)</span><span class="special">)</span><span class="special">)</span>
<span class="special">||</span> <span class="special">(</span><span class="special">(</span><span class="identifier">y</span> <span class="special">&lt;</span> <span class="number">0</span><span class="special">)</span> <span class="special">&amp;&amp;</span> <span class="special">(</span><span class="identifier">x</span> <span class="special">&lt;</span> <span class="special">(</span><span class="identifier">INT_MIN</span> <span class="special">-</span> <span class="identifier">y</span><span class="special">)</span><span class="special">)</span><span class="special">)</span><span class="special">)</span> <span class="special">{</span>
<span class="comment">/* Handle error */</span>
<span class="special">}</span>
<span class="keyword">return</span> <span class="identifier">x</span> <span class="special">+</span> <span class="identifier">y</span><span class="special">;</span>
<span class="special">}</span>
</pre>
<p>This will indeed trap the error. However, it would be tedious and
laborious for a programmer to alter his code to do so. Altering code in
this way for all arithmetic operations would likely render the code
unreadable and add another source of potential programming errors. This
approach is clearly not functional when the expression is even a little
more complex as is shown in the following example.</p>
<pre class="programlisting"><span class="keyword">int</span> <span class="identifier">f</span><span class="special">(</span><span class="keyword">int</span> <span class="identifier">x</span><span class="special">,</span> <span class="keyword">int</span> <span class="identifier">y</span><span class="special">,</span> <span class="keyword">int</span> <span class="identifier">z</span><span class="special">)</span><span class="special">{</span>
<span class="comment">// this returns an invalid result for some legal values of x and y !</span>
<span class="keyword">return</span> <span class="identifier">x</span> <span class="special">+</span> <span class="identifier">y</span> <span class="special">*</span> <span class="identifier">z</span><span class="special">;</span>
<span class="special">}</span>
</pre>
<p>This example addresses only the problem of undefined/erroneous
behavior related to overflow of the addition operation as applied to the
type <code class="computeroutput">int</code>. Similar problems occur with other built-in integer
types such as <code class="computeroutput">unsigned</code>, <code class="computeroutput">long</code>, etc. And it also
applies to other operations such as subtraction, multiplication etc. .
C/C++ often automatically and silently converts some integer types to
others in the course of implementing binary operations and similar
problems occur in this case as well. Since the problems and their solution
are similar, We'll confine the current discussion to just this one
example.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="safe_numerics.introduction.solution"></a>Solution</h3></div></div></div>
<p>This library implements special versions of <code class="computeroutput">int</code>,
<code class="computeroutput">unsigned</code>, etc. which behave exactly like the original ones
<span class="bold"><strong>except</strong></span> that the results of these
operations are guaranteed to be either arithmetically correct or invoke an
error. Using this library, the above example would be rendered as:</p>
<pre class="programlisting"><span class="preprocessor">#include</span> <span class="special">&lt;</span><span class="identifier">boost</span><span class="special">/</span><span class="identifier">safe_numeric</span><span class="special">/</span><span class="identifier">safe_integer</span><span class="special">.</span><span class="identifier">hpp</span><span class="special">&gt;</span>
<span class="keyword">using</span> <span class="keyword">namespace</span> <span class="identifier">boost</span><span class="special">::</span><span class="identifier">numeric</span><span class="special">;</span>
<span class="identifier">safe</span><span class="special">&lt;</span><span class="keyword">int</span><span class="special">&gt;</span> <span class="identifier">f</span><span class="special">(</span><span class="identifier">safe</span><span class="special">&lt;</span><span class="keyword">int</span><span class="special">&gt;</span> <span class="identifier">x</span><span class="special">,</span> <span class="identifier">safe</span><span class="special">&lt;</span><span class="keyword">int</span><span class="special">&gt;</span> <span class="identifier">y</span><span class="special">)</span><span class="special">{</span>
<span class="keyword">return</span> <span class="identifier">x</span> <span class="special">+</span> <span class="identifier">y</span><span class="special">;</span> <span class="comment">// throw exception if correct result cannot be returned</span>
<span class="special">}</span>
</pre>
<div class="note"><table border="0" summary="Note">
<tr>
<td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="images/note.png"></td>
<th align="left">Note</th>
</tr>
<tr><td align="left" valign="top"><p>Library code in this document resides in the name space
<code class="computeroutput">boost::numeric</code>. This name space has generally been
eliminated from text, code and examples in order to improve
readability of the text.</p></td></tr>
</table></div>
<p>The addition expression is checked at runtime or (if possible) at
compile time to trap any possible errors resulting in incorrect arithmetic
behavior. This will permit one to write arithmetic expressions that cannot
produce an erroneous result. Instead, one and only one of the following is
guaranteed to occur.</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>the expression will yield the correct mathematical
result</p></li>
<li class="listitem"><p>the expression will emit a compilation error.</p></li>
<li class="listitem"><p>the expression will invoke a runtime exception.</p></li>
</ul></div>
<p>In other words, the <span class="bold"><strong>library absolutely
guarantees that no arithmetic expression will yield incorrect
results</strong></span>.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="safe_numerics.introduction.implementation"></a>How It Works</h3></div></div></div>
<p>The library implements special versions of <code class="computeroutput">int</code>,
<code class="computeroutput">unsigned</code>, etc. named <code class="computeroutput">safe&lt;int&gt;</code>,
<code class="computeroutput">safe&lt;unsigned int&gt;</code> etc. These behave exactly like the
underlying types <span class="bold"><strong>except</strong></span> that expressions
using these types fulfill the above guarantee. These types are meant to be
"drop-in" replacements for the built-in types they are meant to replace.
So things which are legal - such as assignment of a <code class="computeroutput">signed</code> to
<code class="computeroutput">unsigned</code> value - are not trapped at compile time as they are
legal C/C++ code. Instead, they are checked at runtime to trap the case
where this (legal) operation would lead to an arithmetically incorrect
result.</p>
<p>Note that the library addresses arithmetical errors generated by
straightforward C/C++ expressions. Some of these arithmetic errors are
defined as conforming to the C/C++ standards while others are not. So
characterizing this library as addressing undefined behavior of C/C++
numeric expressions would be misleading.</p>
<p>Facilities particular to C++14 are employed to minimize any runtime
overhead. In many cases there is no runtime overhead at all. In other
cases, a program using the library can be slightly altered to achieve the
above guarantee without any runtime overhead.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="safe_numerics.introduction.additional_features"></a>Additional Features</h3></div></div></div>
<p>Operation of safe types is determined by template parameters which
specify a pair of <a class="link" href="promotion_policies.html" title="Promotion Policies">policy
classes</a> which specify the behavior for type promotion and error
handling. In addition to the usage serving as a drop-in replacement for
standard integer types, users of the library can:</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p>Select or define an exception policy class to specify handling
of exceptions.</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>throw exception on runtime, trap at compile time.</p></li>
<li class="listitem"><p>trap at compiler time all operations which might fail at
runtime.</p></li>
<li class="listitem"><p>specify custom functions which should be called at
runtime</p></li>
</ul></div>
</li>
<li class="listitem">
<p>Select or define a promotion policy class to alter the C/C++
type promotion rules. This can be used to </p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; ">
<li class="listitem"><p>use C/C++ native type promotion rules so that, except
for throwing/trapping of exceptions on operations resulting in
incorrect arithmetic behavior, programs will operate
identically when using/not using safe types.</p></li>
<li class="listitem"><p>replace C/C++ native promotion rules with ones which are
arithmetically equivalent but minimize the need for runtime
checking of arithmetic results.</p></li>
<li class="listitem"><p>replace C/C++ native promotion rules with ones which
emulate other machine architectures. This is designed to
permit the testing of C/C++ code destined to be run on another
machine on one's development platform. Such a situation often
occurs while developing code for embedded systems.</p></li>
</ul></div>
</li>
<li class="listitem"><p>Enforce of other program requirements using ranged integer
types. The library includes the types <code class="computeroutput">safe_range(Min,
Max)</code> and <code class="computeroutput">safe_literal(N)</code>. These types can be
used to improve program correctness and performance.</p></li>
</ul></div>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="safe_numerics.introduction.requirements"></a>Requirements</h3></div></div></div>
<p>This library is composed entirely of C++ Headers. It requires a
compiler compatible with the C++14 standard.</p>
<p>The following Boost Libraries must be installed in order to use this
library</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p>MPL</p></li>
<li class="listitem"><p>Integer</p></li>
<li class="listitem"><p>Config</p></li>
<li class="listitem"><p>Concept Checking</p></li>
<li class="listitem"><p>Tribool</p></li>
<li class="listitem"><p>Enable_if</p></li>
</ul></div>
<p>The Safe Numerics library is delivered with an exhaustive
suite of test programs. Users who choose to run this test suite will also
need to install the Boost.Preprocessor library.</p>
</div>
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="safe_numerics.introduction.scope"></a>Scope</h3></div></div></div>
<p>This library currently applies only to built-in integer types.
Analogous issues arise for floating point types but they are not currently
addressed by this version of the library. User or library defined types
such as arbitrary precision integers can also have this problem. Extension
of this library to these other types is not currently under development
but may be addressed in the future. This is one reason why the library
name is "safe numeric" rather than "safe integer" library.</p>
</div>
</div>
<table xmlns:rev="http://www.cs.rpi.edu/~gregod/boost/tools/doc/revision" width="100%"><tr>
<td align="left"></td>
<td align="right"><div class="copyright-footer">Copyright &#169; 2012 Robert Ramey<p><a href="http://www.boost.org/LICENSE_1_0.txt" target="_top">Subject to Boost
Software License</a></p>
</div></td>
</tr></table>
<hr>
<div class="spirit-nav">
<a accesskey="p" href="index.html"><img src="images/prev.png" alt="Prev"></a><a accesskey="u" href="index.html"><img src="images/up.png" alt="Up"></a><a accesskey="h" href="index.html"><img src="images/home.png" alt="Home"></a><a accesskey="n" href="tutorial.html"><img src="images/next.png" alt="Next"></a>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink