Both signed and unsigned integer operations are required to either wrap or give
undefined results in C. To my mind this is a horrible problem which gets
kicked down the road by the expansion of the size of variable size every few
years, presumably accompanies by the sacrificing of farmyard animals to some
deity or other.. But I'm pleased(!) to see it's now being exploited as an
attack vector and there's a proposal in C23 to formalise a checked integer
macro (though just for addition, subtraction, and multiplication, apparently on
the basis that Java omits checking for division so the C standards people won't
do it either?).
The implementation I've seen so far actually depends on the implementation
behaving in a sensible fashion and wrapping/truncating rather giving a totally
unpredictable result, so we'll have to see what happens with the vote on this.
This is actually what's driving this exploration. I can, I think, better
implement checked arithmetic in 32 and 64 bit modes using functions akin to the
proposed C23 standard, but using the hardware to do the checking, eg:
bool ckd_add_u32(__uint32_t *result, __uint32_t u32a, __uint32_t u32b, bool
abort) {
__uint32_t ccpm;
const __uint32_t carrybit = 0x20000000;
__uint32_t sum = u32a;
asm("alr %[r1],%[r2] \n\t"
"ipm %[r3]"
: [r1] "+r" (sum), // output
[r3] "=r" (ccpm)
: [r2] "r" (u32b) // input
: // clobbers
);
bool overflow = (ccpm & carrybit) != 0; // check if carry bit set
char msgbuf[100];
sprintf( msgbuf, "a: %11u, b: %11u, sum: %11u ccpm: 0x%08x, overflow: %s",
u32a, u32b, sum, ccpm, overflow ? "true" : "false" );
wtopc_text( msgbuf );
if (abort && overflow) {
serrc_op( (enum t_serrc)(SERRC_EXIT), 0xDEAD00, "INTEGER OVERFLOW
OCCURRED", NULL );
}
*result = sum;
return overflow;
}
which I think is relatively efficient, at least if inlined.
16, and 8, bit operations are, I think, a bit more tricky to do like this and
might have to use post-operation checks. I need to have a think about that.
Best wishes / Mejores deseos / Meilleurs vœux
Ian ...
On Thursday, April 14, 2022, 06:25:11 PM GMT+2, Paul Gilmartin
<00000014e0e4a59b-dmarc-requ...@listserv.uga.edu> wrote:
On Apr 14, 2022, at 09:21:28, Robin Vowels wrote:
>
> On 2022-04-15 00:31, Seymour J Metz wrote:
>> The S/360 architecture uses two's complement arithmetic, and that
>> remains the case through z. Accordingly, signed and unsigned
>> arithmetic are the same except for the condition code, except when
>> sign extension is an issue, e.g., adding a word to a grande register..
>
> If the relevant overflow mask bit is set,
> integer overflow causes an interrupt.
>
A couple C implementations (other than XL C/C++ which I haven't
checked) require integer overflow interrupts disabled at runtime.
ANSI C requires unsigned operations to be performed with modulo
arithmetic. For integer overflow either (I don't recall which)
the behavior is unpredictable, allowing an interrupt, or the
value or the result is unpredictable, not allowing interrupt.
Pre-ANSI C specified unsigned-preserving, so:
-1 > (unsigned) 0. /* Ugh! */
ANSI C specified value-preserving, so:
-1 < (unsigned) 0
--
gil
