SafeInt Wiki & Documentation Rss Feed

Updated Wiki: Home

dcleblanc — Fri, 23 Sep 2011 07:08:16 GMT

SafeInt is a C++ header containing the SafeInt class, non-throwing functions to check common operations, and the associated internal mechanisms.

SafeInt is currently used extensively throughout Microsoft, with substantial adoption within Office and Windows. If you are compiling for the Microsoft compiler only, a very similar version is now available with Visual Studio 2010.

It can be used with any compiler that has good template support, and is known to work on Visual Studio 7.1 or later.

Thanks to help from Jeffrey Walton of the OWASP project, we now have a very complete runtime test harness. There's still a couple of files to get posted, but the files we have on the download section contain most of the new work. To avoid confusion, the test harness is now a different release than the main header.

Also thanks to Jeffrey, we have extended the list of compilers that are supported to:

Microsoft Visual Studio, version 7.1 through the latest.
Reasonably new versions of gcc, including the latest version that will compile for Apple platforms.
The Intel compiler, with some caveats - it doesn't support some of the friend overloads, but does work properly with the runtime checks.
Clang is also now supported.

The most recent version is 3.0.17. The main change between minor versions 15 and 16 is that the Intel compiler will quite vigorously optimize away some of the signed addition overflow checks. Changes have been made such that intermediate calculations are done with unsigned numbers, and unsigned overflow is defined by the standard, which means the Intel compiler won't optimize them away. There have been instances of the gcc compiler doing the same thing, but this hasn't been demonstrated in SafeInt. As of this version, there won't be a possibility of the compiler actually removing checks.

Thanks to John Regehr of the University of Utah for noticing that the compiler may also become aggressive about removing things when you attempt to perform a unary negation on a signed number, and that signed number is a compile-time constant with a value of MIN_INT. I personally have a low opinion of compilers doing this sort of thing - seems like there's an awful lot of code out there with some extremely subtle bugs when compiled with these compilers. Compiler warnings are your friend, and it seems like the more compilers you have, the better your coverage. As it turns out, Clang will warn about when this might happen, which enabled a more comprehensive scrub of the code than we were able to do in 3.0.16.

The fix for this particular issue is to go ahead and code in a dependency on 2's complement representation of negative numbers - the compiler may remove -x, but it won't remove ~(unsigned)x + 1, which emits the same bit pattern (and the same assembly code).

Important note - the runtime test harness does catch it when the compiler optimizes away tests. You should compile and run the runtime checks to verify that everything is working properly with your compiler. Note - as of 3.0.17, we have some work to do to update the runtime tests to account for compile-time constants. We'll get this updated as soon as practical.

In addition, SafeInt now compiles warning-free with all warnings enabled on both latest gcc and the Microsoft compiler. It will still emit a few warnings with the Intel compiler.

Known outstanding work - I have yet to do the work to correctly annotate the class with throw() in the case of an error handler that does something other than C++ exceptions (structured exceptions, terminate the app, etc).

Updated Wiki: Home

dcleblanc — Mon, 08 Aug 2011 17:40:52 GMT

Updated Wiki: Home

dcleblanc — Tue, 26 Jul 2011 05:13:06 GMT

Updated Wiki: Home

dcleblanc — Mon, 25 Jul 2011 00:21:15 GMT

Updated Wiki: Home

dcleblanc — Tue, 22 Mar 2011 18:23:23 GMT

Updated Wiki: Home

dcleblanc — Fri, 12 Feb 2010 23:55:59 GMT

SafeInt is a C header containing the SafeInt class, non-throwing functions to check common operations, and the associated internal mechanisms.

SafeInt is currently used extensively throughout Microsoft, with substantial adoption within Office and Windows. If you are compiling for the Microsoft compiler only, a very similar version is now available with Visual Studio 2010.

It can be used with any compiler that has good template support, and is known to work on Visual Studio 7.1 or later.

A release with 32 and 64-bit gcc support is now up as 3.0.13. See the release notes for details.

The start of a runtime test harness has been created, starting with 64-bit multiplication support.

Updated Wiki: Home

dcleblanc — Thu, 04 Feb 2010 06:08:53 GMT

SafeInt is a C header containing the SafeInt class, non-throwing functions to check common operations, and the associated internal mechanisms.

SafeInt is currently used extensively throughout Microsoft, with substantial adoption within Office and Windows.

It can be used with any compiler that has good template support, and is known to work on Visual Studio 7.1 or later.

An update - thanks to Niels Dekker, I'm going to be able to add gcc support.

A release with gcc support is now up as 3.0.12p.

Note - there is now a 3.0.13p under Planned releases which corrects a problem with x64 gcc support, and adds using intrinsics on x64 Microsoft compiler. Please read the release notes for details.

Updated Wiki: Home

dcleblanc — Sun, 30 Nov 2008 21:48:28 GMT

Updated Wiki: Home

dcleblanc — Sat, 29 Nov 2008 21:58:08 GMT

Updated Wiki: Home

dcleblanc — Sun, 23 Nov 2008 22:13:43 GMT

SafeInt is a C++ header containing the SafeInt class, non-throwing functions to check common operations, and the associated internal mechanisms.

It can be used with any compiler that has good template support, and is known to work on Visual Studio 7.1 or later.

An update - thanks to Niels Dekker, I'm going to be able to add gcc support.

A proposed release with gcc support is now up as 3.0.12p.

Updated Wiki: Home

dcleblanc — Fri, 21 Nov 2008 19:44:19 GMT

SafeInt is a C++ header containing the SafeInt class, non-throwing functions to check common operations, and the associated internal mechanisms.

It can be used with any compiler that has good template support, and is known to work on Visual Studio 7.1 or later.

An update - thanks to Niels Dekker, I'm going to be able to add gcc support. Niels has given me some bug reports that I'm addressing.