Safe numerics #125
Merged
Safe numerics #125
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
...in the <flux/core/numeric.hpp> header
This PR does a whole lot of things. Firstly, we define some concepts for integers. Specifically, the `flux::num::integral` concept is satisfied by any `std::integral` type *except* `bool`, `char`, `wchar_t` and the various `charN_t`s. We also have corresponding `signed_integral` and `unsigned_integral` concepts. Next, we define some functions which perform *unchecked* integer operations, namely: * `unchecked_add` * `unchecked_sub` * `unchecked_mul` * `unchecked_div` * `unchecked_mod` These work call the built-in operators (and so can cause UB for signed types), but require both arguments to be the same type, and cast the result back to their argument type -- that is, there is no promotion, so `unchecked_add(short, short)` returns a `short`, not an `int`. The intention is that these can be used in places where signed UB can allow extra optimisations, and explicitly acknowledge that you're doing something dangerous. Next is a set of wrapping functions: * `wrapping_add` * `wrapping_sub` * `wrapping_mul` These work by casting their arguments to an unsigned type, performing the operation, and casting back to the starting type. They never cause UB, and can be used to specifically document that you want wrapping semantics. Next is a set of functions which check whether overflow occurred: * `overflowing_add` * `overflowing_sub` * `overflowing_mul` These return a `(T, bool)` pair which safely performs the operation (as if by wrapping) and reports whether overflow occurred. They use compiler builtins in GCC and Clang. These work for unsigned types as well as signed types, so you can test whether your size_t overflowed. Then we have a set of checked arithmetic functions: * `checked_add` * `checked_sub` * `checked_mul` * `checked_div` * `checked_mod` These raise a `flux::runtime_error` if overflow occurs (or division by zero for the last two functions), regardless of the compiled checking policy. Finally, we have * `add` * `sub` * `mul` * `div` * `mod` These perform overflow/divide-by-zero checks according to the configured policies. By default, they trap on overflow in debug mode or wrap in release mode. Phew!
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #125 +/- ##
==========================================
+ Coverage 98.30% 98.81% +0.50%
==========================================
Files 71 71
Lines 2485 2534 +49
==========================================
+ Hits 2443 2504 +61
+ Misses 42 30 -12 ☔ View full report in Codecov by Sentry. |
This adds * num::unchecked_shl * num::unchecked_shr * num::checked_shl * num::checked_shr * num::shl * num::shr Which perform left and right bitshift operations either explicitly without undefined behaviour checking, or which check whether the shift amount is out of bounds
I got them the wrong way round
Results seem to be too inconsistent on CI
...where it's used. One day we might make this public again, but for now let's just have it as an implementation detail.
Originally the idea was that I wanted to allow user-defined types, e.g `enum class my_int : int {}` to be declared as "extended integers", and be used with the Flux numeric functions.
But YAGNI (at least for now) so let's keep things simple
Use the new C++20 std::in_range(), which seems to generate better code with GCC (and exactly the same with Clang)
tcbrindle
force-pushed
the
pr/safe_numerics
branch
4 times, most recently
from
4a5fbbd
to
28dba23
Compare
This function either calls `num::checked_cast` or `num::unchecked_cast` depending on the currently configured integer cast policy. In checked mode, lossy casts -- that is, those that result in a change in value -- will raise a runtime error, whereas in unchecked mode these will silently use the incorrect value.
...rather than checked_cast.
...in function arguments, because I don't think flux::chunk(seq, 'a') is something we should allow.
tcbrindle
force-pushed
the
pr/safe_numerics
branch
from
2d330a6
to
5d2dce5
Compare
...at least when using integral types.
It seems like std::invoke() in libc++18 (but not previous versions) doesn't like default function parameters in certain contexts. Reported as llvm/llvm-project#106428
Specifically, * num::unchecked_neg * num::wrapping_neg * num::overflowing_neg * num::checked_neg * num::neg Each call to `xxx_neg(val)` is semantically the same as `xxx_sub(0, val)`, but is shorter to spell and may generate better code.
It seems like MSVC doesn't consider -INT_MIN to overflow even in constexpr mode. This version generates better code with Clang and GCC anyway, so that's good.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR does a whole lot of things.
Firstly, we define some concepts for integers. Specifically, the
flux::num::integralconcept is satisfied by anystd::integraltype exceptbool,char,wchar_tand the variouscharN_ts. We also have correspondingsigned_integralandunsigned_integralconcepts.Next, we define some functions which perform unchecked integer operations, namely:
unchecked_addunchecked_subunchecked_mulunchecked_divunchecked_modThese work call the built-in operators (and so can cause UB for signed types), but require both arguments to be the same type, and cast the result back to their argument type -- that is, there is no promotion, so
unchecked_add(short, short)returns ashort, not anint. The intention is that these can be used in places where signed UB can allow extra optimisations, and explicitly acknowledge that you're doing something dangerous.Next is a set of wrapping functions:
wrapping_addwrapping_subwrapping_mulThese work by casting their arguments to an unsigned type, performing the operation, and casting back to the starting type. They never cause UB, and can be used to specifically document that you want wrapping semantics.
Next is a set of functions which check whether overflow occurred:
overflowing_addoverflowing_suboverflowing_mulThese return a
(T, bool)pair which safely performs the operation (as if by wrapping) and reports whether overflow occurred. They use compiler builtins in GCC and Clang. These work for unsigned types as well as signed types, so you can test whether your size_t overflowed.Then we have a set of checked arithmetic functions:
checked_addchecked_subchecked_mulchecked_divchecked_modThese raise a
flux::runtime_errorif overflow occurs (or division by zero for the last two functions), regardless of the compiled checking policy.Finally, we have
addsubmuldivmodThese perform overflow/divide-by-zero checks according to the configured policies. By default, they trap on overflow in debug mode or wrap in release mode.
Phew!