Please visit the C++Now website.

Removing undefined behavior from integer operations: the bounded::integer library
#### Log in to save this to your schedule, view media, leave feedback and see who's attending!

**Speakers**
## David Stone

## Attendees
(0)

Integer arithmetic in C-derived languages is notoriously dangerous. Signed overflow is undefined behavior; unsigned overflow silently wraps around; comparing a signed and unsigned integer implicitly promotes to unsigned, causing a signed -1 to be greater than an unsigned 12; even the guaranteed size of "int" is less than most people expect and require. Most attempts to remedy the situation add in run-time overhead to all integer operations, making them non-starters for many projects.

This talk presents the bounded::integer library (__https://bitbucket.org/davidstone/bounded_integer__). bounded::integer is a C++14 library that has the following goals:

1. Never perform a run-time check when a compile-time check would work instead.

2. Never allow a conversion that is definitely wrong.

3. Allow conversions that might be wrong (such as assigning a value between 1 and 10 to a value between 5 and 20), but

only when explicitly requested.

4. Allow implicit conversions to larger types.

5. Have no space or time overhead, assuming basic compiler optimizations like inlining, so that bounded::integer can be used on very large data sets or systems with hard real-time requirements.

bounded::integer provides these guarantees by requiring static bounds on the integer types. A typical declaration might look something like `bounded::integer<1, 10> x(5)` to create a type that is always between 1 and 10. Arithmetic expressions automatically adjust the bounds to keep the result in range. In other words, the result of `x + x` is given the type `bounded::integer<2, 20>`. Thanks to type deduction with auto and templates, the user can specify only the types that they care about and be guaranteed (at compile time) that all intermediate calculations will be correct. Even better, because the compiler knows exact bounds of all integers, the library allows space and time optimizations that actually allow code to run faster than the default "use int everywhere to avoid surprises" strategy.

This talk will include proposed idioms for using the library; prior work, such as boost::constrained_value, integer types in Ada, and the As-if Infinitely Ranged integer model; and limitations / design trade offs of the library.

This talk presents the bounded::integer library (

1. Never perform a run-time check when a compile-time check would work instead.

2. Never allow a conversion that is definitely wrong.

3. Allow conversions that might be wrong (such as assigning a value between 1 and 10 to a value between 5 and 20), but

only when explicitly requested.

4. Allow implicit conversions to larger types.

5. Have no space or time overhead, assuming basic compiler optimizations like inlining, so that bounded::integer can be used on very large data sets or systems with hard real-time requirements.

bounded::integer provides these guarantees by requiring static bounds on the integer types. A typical declaration might look something like `bounded::integer<1, 10> x(5)` to create a type that is always between 1 and 10. Arithmetic expressions automatically adjust the bounds to keep the result in range. In other words, the result of `x + x` is given the type `bounded::integer<2, 20>`. Thanks to type deduction with auto and templates, the user can specify only the types that they care about and be guaranteed (at compile time) that all intermediate calculations will be correct. Even better, because the compiler knows exact bounds of all integers, the library allows space and time optimizations that actually allow code to run faster than the default "use int everywhere to avoid surprises" strategy.

This talk will include proposed idioms for using the library; prior work, such as boost::constrained_value, integer types in Ada, and the As-if Infinitely Ranged integer model; and limitations / design trade offs of the library.

Vice President, Markit

David Stone has spoken at C++Now and Meeting C++. He is the author of the bounded::integer library: http://doublewise.net/c++/bounded/ and has a special interest in compile-time code generation and error checking, as well as machine learning. He works at Markit integrating real-time... Read More →

Tuesday May 13, 2014 4:30pm - 5:30pm MDT

Hudson

Hudson