問題描述

乍一看，這個問題似乎是 How檢測整數溢出?，但實際上有很大不同.

At first glance, this question may seem like a duplicate of How to detect integer overflow?, however it is actually significantly different.

我發(fā)現雖然檢測無符號整數溢出非常簡單，但檢測 C/C++ 中的有符號溢出實際上比大多數人想象的要困難.

I've found that while detecting an unsigned integer overflow is pretty trivial, detecting a signed overflow in C/C++ is actually more difficult than most people think.

最明顯但最幼稚的方法是:

The most obvious, yet naive, way to do it would be something like:

int add(int lhs, int rhs)
{
 int sum = lhs + rhs;
 if ((lhs >= 0 && sum < rhs) || (lhs < 0 && sum > rhs)) {
  /* an overflow has occurred */
  abort();
 }
 return sum; 
}

這樣做的問題是，根據 C 標準，有符號整數溢出是未定義的行為. 換句話說，根據標準，一旦您甚至導致有符號溢出，您的程序就像取消引用空指針一樣無效.所以你不能導致未定義的行為，然后在事后嘗試檢測溢出，如上面的后置條件檢查示例.

The problem with this is that according to the C standard, signed integer overflow is undefined behavior. In other words, according to the standard, as soon as you even cause a signed overflow, your program is just as invalid as if you dereferenced a null pointer. So you can't cause undefined behavior, and then try to detect the overflow after the fact, as in the above post-condition check example.

盡管上述檢查可能適用于許多編譯器，但您不能指望它.事實上，因為 C 標準說有符號整數溢出是未定義的，一些編譯器(比如 GCC)會優(yōu)化掉上面的在設置優(yōu)化標志時檢查，因為編譯器假定不可能發(fā)生有符號溢出.這完全打破了檢查溢出的嘗試.

Even though the above check is likely to work on many compilers, you can't count on it. In fact, because the C standard says signed integer overflow is undefined, some compilers (like GCC) will optimize away the above check when optimization flags are set, because the compiler assumes a signed overflow is impossible. This totally breaks the attempt to check for overflow.

因此，檢查溢出的另一種可能方法是:

So, another possible way to check for overflow would be:

int add(int lhs, int rhs)
{
 if (lhs >= 0 && rhs >= 0) {
  if (INT_MAX - lhs <= rhs) {
   /* overflow has occurred */
   abort();
  }
 }
 else if (lhs < 0 && rhs < 0) {
  if (lhs <= INT_MIN - rhs) {
   /* overflow has occurred */
   abort();
  }
 }

 return lhs + rhs;
}

這看起來更有希望，因為我們實際上不會將兩個整數相加，直到我們提前確保執(zhí)行這樣的相加不會導致溢出.因此，我們不會導致任何未定義的行為.

This seems more promising, since we don't actually add the two integers together until we make sure in advance that performing such an add will not result in overflow. Thus, we don't cause any undefined behavior.

然而，不幸的是，此解決方案的效率遠低于初始解決方案，因為您必須執(zhí)行減法運算才能測試加法運算是否有效.即使你不關心這個(小的)性能損失，我仍然不完全相信這個解決方案是足夠的.表達式 lhs <= INT_MIN - rhs 似乎與編譯器可能優(yōu)化掉的那種表達式完全一樣，認為有符號溢出是不可能的.

However, this solution is unfortunately a lot less efficient than the initial solution, since you have to perform a subtract operation just to test if your addition operation will work. And even if you don't care about this (small) performance hit, I'm still not entirely convinced this solution is adequate. The expression lhs <= INT_MIN - rhs seems exactly like the sort of expression the compiler might optimize away, thinking that signed overflow is impossible.

那么這里有更好的解決方案嗎?保證 1) 不會導致未定義行為，以及 2) 不會為編譯器提供優(yōu)化溢出檢查的機會?我在想可能有某種方法可以通過將兩個操作數強制轉換為無符號，并通過滾動您自己的二進制補碼算法來執(zhí)行檢查，但我不確定如何做到這一點.

So is there a better solution here? Something that is guaranteed to 1) not cause undefined behavior, and 2) not provide the compiler with an opportunity to optimize away overflow checks? I was thinking there might be some way to do it by casting both operands to unsigned, and performing checks by rolling your own two's-complement arithmetic, but I'm not really sure how to do that.

推薦答案

您的減法方法是正確且明確的.編譯器無法優(yōu)化它.

Your approach with subtraction is correct and well-defined. A compiler cannot optimize it away.

另一種正確的方法，如果您有更大的整數類型可用，則在較大的類型中執(zhí)行算術，然后在將其轉換回來時檢查結果是否適合較小的類型

Another correct approach, if you have a larger integer type available, is to perform the arithmetic in the larger type and then check that the result fits in the smaller type when converting it back

int sum(int a, int b)
{
    long long c;
    assert(LLONG_MAX>INT_MAX);
    c = (long long)a + b;
    if (c < INT_MIN || c > INT_MAX) abort();
    return c;
}

好的編譯器應該將整個加法和 if 語句轉換為 int 大小的加法和單個條件跳轉溢出，并且永遠不會實際執(zhí)行更大的加法.

A good compiler should convert the entire addition and if statement into an int-sized addition and a single conditional jump-on-overflow and never actually perform the larger addition.

正如斯蒂芬指出的那樣，我在使用(不太好的)編譯器 gcc 來生成正常的 asm 時遇到了麻煩.它生成的代碼并不是很慢，但肯定不是最理想的.如果有人知道此代碼的變體可以讓 gcc 做正確的事情，我很樂意看到它們.

As Stephen pointed out, I'm having trouble getting a (not-so-good) compiler, gcc, to generate the sane asm. The code it generates is not terribly slow, but certainly suboptimal. If anyone knows variants on this code that will get gcc to do the right thing, I'd love to see them.

這篇關于檢測 C/C++ 中的有符號溢出的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！