Dear Robert

boost 1_72_0 Another issue with compiling, compiler is IAR for ARM (https://www.iar.com/iar-embedded-workbench/) in file safe_compare.hpp

constexpr less_than(const T & lhs, const U & rhs) { return safe_compare_detail::less_than< std::is_signed<T>::value, std::is_signed<U>::value >::template invoke(lhs, rhs);

keyword template make here compiler error. I have commercial support, guys from support point me paragraph in c++17 standard: 17.2.5: "A name prefixed by the keyword template shall be a template-id or the name shall refer to a class template or an alias template", the same in C++14. removing "template" keyword: compile without errors, also on gcc 9.2.

/Grzegorz

setup: (1) MSVC, toolset 14.2, language C++17, boost 1.73.0 (2) gcc, C++17, but older boost 1.71.0

in (1) fails to note that 7 is out of range boost::safe_numerics::safe_unsigned_range<1910, 2099> test0 = 7 however all is ok for a signed range boost::safe_numerics::safe_signed_range<1910, 2099> test1 = 7; or for unsigned but other MIN/MAX: boost::safe_numerics::safe_unsigned_range<0, 2> test2 = 7;

I wonder how the behavior can possibly depend on the values of the bounds?

in (2) fails to throw in all 3 cases. Code:

#include <iostream>
#include <boost/safe_numerics/safe_integer_range.hpp>
int main(int argc, char* argv[])
{
    try 
    {
	boost::safe_numerics::safe_unsigned_range<1910, 2099> test0 = 7; // bug? no exception here
	std::cout << "  min: " << std::numeric_limits<decltype(test0)>::min() 
			<< "  max: " << std::numeric_limits<decltype(test0)>::max() << "\n";
	std::cout << "  test0: " << test0 << "\n";
	boost::safe_numerics::safe_signed_range<1910, 2099> test1 = 7; // ok, msvc throws
	std::cout << "  test1: " << test1 << "\n";
	boost::safe_numerics::safe_unsigned_range<0, 2> test2 = 7; // ok, msvc throws	
	std::cout << "  test2: " << test2 << "\n";
    }
    catch (const std::exception& e) 
    {
	std::cout << " exception ---  " << e.what();
    }
    return 0;
}

output (1) MSVC:

min: 1910  max: 2099
test0: 7
exception ---  converted signed value too large: positive overflow error

output (2) gcc

min: 1910  max: 2099
test0: 7
test1: 7
test2: 7

But also, the error message seams to be confusing. operator~ is well defined for signed integers. Is it just your choice to exclude it from safe<signed int>?

Dear Robert

I hope you are well in these difficult times. Am I understand correctly that for safe_numeric types, <type_traits> templates has to been overwritten?

for example: with gcc 9.2.0 and boost 1.72

this compile: static_assert(std::is_unsigned<safe>::value == false); static_assert(std::is_signed<safe>::value == false);

/Greg

As per a thread in comp.lang.c++.moderated when I naively attempted to crib code from this library to safely convert from long to double, I got unexpected results. Someone pointed out to me that this library only announced supports for integral types and I was using a floating-point type. D'oh!

So I'd like to request a feature extension, or perhaps a similar library, that supports safe conversions back and forth between integral types and floating-point types. Thanks :)

I have been experimenting with ranges using the trap policies. I have hit the following issue:

safe_unsigned_range<0, Max> x;
safe_unsigned_range<0, Max> y;
auto z = (x + y) / 2; // type is safe_unsigned_range<0, Max>
auto k = x + (y - x)/2; // type is safe_signed_range<-Max/2, 3*Max/2>

In my mind the two expressions should mostly behave the same way. Unfortunately due to the type deductions the second expression is much harder to work with especially when using the trap policy.

The problem boils down to the type system not identifying the same variables being reused in a single expression:

safe_unsigned_range<0, Max> x;
safe_unsigned_range<0, Max> y;
safe_unsigned_range<0, Max> z;
auto k = x + (y - x)/2; //this is inherently more constrained than the following expression.
auto l = z + (y - x)/2; // this has independent variables, deduced type is correct.

In my mind this requirement starts approximating symbolic manipulation and constraints. If we want to stay zero-cost it would require compile-time identifiable (eg can drive overloading) proxy objects per variable:

// []{} here is used to produce a unique type, can't think of a better solution.
auto x_p = x.get_proxy([]{}); 
auto y_p = y.get_proxy([]{});
auto z = x_p + (y_p - x_p) / 2;

It should be possible to appropriately constraint the final expression with this information. A "simple" approach would be to use some metaprogramming to take advantage of the unique proxy-objects and simplify the expression so that it only contains independent variables, then we can fall back to the current deduction algorithm.

Of course the machinary for this would be very complicated compared to the current deduction. I am also not convinced on the proper creation of such proxy objects. On the other hand if implemented, this allows to introduce arbitrary constraint solving, allowing for stricter compile-time analysis of ranges.

Any thoughts?

Dear Robert

I think something may improve significantly library, consider scenario:

 using range_0_100 =  safe_unsigned_range<0, 100>;
 void fun(range_0_100 var) {
   auto var2 = var; //EXCEPT EXCEPTION 2

   if (var2 > 100) { //EXCEPT EXCEPTION 3
     std::cout << "contract broken.." << var << "\n";
   }
 }

   range_0_100 test1 = 7;
   uint8_t &ref = reinterpret_cast<uint8_t &>(test1);
   ref = 200; 
     /* 2 lines above simulate: 
                                             1. buffer overflow
                                             2. EMI effect
                                             3. any issue with CPU or memory
                                             4. stack overflow (possible on uC)
                                             5. ugly casting as above
                                             6. intentional security attack using hardware technique
                                             7. more.. */ 
 
     fun(test1); //EXCEPT EXCEPTION 1

When I use gcc 9.2.0 (mingw, windows) I do not have exception. since I would like to expect 1 to 3 possible points of exception. Contract in function fun() is broken, unfortunately assertions is still necessary...

Such situation is obviously outside of abstraction (C++ or programming) but it really "real" in my work. If that doesn't convince you I may write a little bit more about possibly cause of failure that test1 will be not in range. Consider just power glitch on even good RAM memory.

What you think? Is i possible test range not only during "write to" but also "read from" variable?

Dear

I have issue with "drop replacement" of integers in boost::units. I think issue is connected rather with boost::units than safe, however if you may look into it we will be sure, it is ready to use example to compile. It is problem with implicitly cast one scaled unit to another scaling.

//************************************************** #include "boost/safe_numerics/safe_integer.hpp" #include "boost/units/make_scaled_unit.hpp" #include "boost/units/quantity.hpp" #include "boost/units/systems/si/power.hpp" #include "cassert" #include "iostream"

using namespace boost::units; using namespace boost::units::si; using namespace std;

using int_t = int; //using int_t = boost::safe_numerics::safe < int >; //<- this will not work

typedef make_scaled_unit<si::power, scale<10, static_rational<-3>>>::type TagMilliWat;

int main() { quantity<power, int_t> wat_1{1 * watt}; quantity<TagMilliWat, int_t> milli_wat{wat_1};

assert(wat_1.value() == 1); assert(milli_wat.value() == 1000);

cout << "success\n"; return 0; } //**************************************************

when using: using int_t = boost::safe_numerics::safe;
than compilation fails due some problem with casting, I think units try to cast by (double) even thou integers are used.

This link from the Wiki https://github.com/boostorg/safe_numerics/wiki does not work on my machine: http://htmlpreview.github.com/?https://rawgit.com/boostorg/safe_numerics/master/doc/html/index.html

#include <boost/safe_numerics/safe_integer.hpp>
struct X {};
using I = boost::safe_numerics::safe<int64_t>;
void operator>>(X, I);
void f(X x, I i) { x >> i; } // causes error deep inside SafeNumerics headers

https://godbolt.org/z/eozM1PqW8

This example in the docs (Checking of Input Values Can Be Easily Overlooked) builds an expectation that the library would signal a problem (throw an exception) in the following example:

#include <iostream>
#include <sstream>
#include <boost/safe_numerics/safe_integer.hpp>

int main() 
try {
  boost::safe_numerics::safe<unsigned> u;
  std::istringstream is{"-1"};
  is >> u;
  std::cout << u << std::endl;
}
catch (std::exception const& e)
{
  std::cerr << "ERR: " << e.what() << std::endl;
}

But instead, this program outputs a huge positive value.

It is either a bug in the implementation, or an expected result in the programming model adapted by this library. If it is the latter, I expect that the library indicates it explicitly in the docs.

The modulo interval arithmetic produces incorrect results. The resulting interval can be smaller than the possible values that could arise at runtime. I have an example on GitHub that produces this incorrect behavior in boost 1.80.

https://godbolt.org/z/36M3za3Px

    safe_signed_range<0, 100, native, loose_trap_policy> a{const_safe_t<50>{}};
    safe_signed_range<1, 100, native, loose_trap_policy> b{const_safe_t<100>{}};

    auto c = a % b;

c ends up with an interval of 0 to 0 inclusive, even though it contains the value 50.

Since https://github.com/boostorg/safe_numerics/commit/937928693d40564a72fd48f63039040908098132, building

#include <boost/safe_numerics/safe_integer.hpp>
#include <fmt/format.h>
#include <fmt/ostream.h>

template<typename Stored,
         Stored Min,
         Stored Max,
         typename P,
         typename E>
struct fmt::formatter<
    boost::safe_numerics::safe_base<
        Stored, Min, Max, P, E
    >
> : fmt::ostream_formatter
{
};

void la()
{
    fmt::print("{}", boost::safe_numerics::safe<int>{ 4 });
}

with gcc 8.2-10.4 with -std=gnu++17 -Os -Wall fails. https://godbolt.org/z/Goc3er7vc

It's clearly a gcc bug, so it would be fair game to ignore it. But it affects Ubuntu 20.04.

While working on a sample for #129 I tried the following code (godbolt.org):

using delta_safe_t = boost::safe_numerics::safe_signed_range<
  -1,
  1,
  boost::safe_numerics::native,
  boost::safe_numerics::loose_trap_policy
>;

template<int I>
using const_safe_t = boost::safe_numerics::safe_signed_literal<
  I,
  boost::safe_numerics::native,
  boost::safe_numerics::loose_trap_policy
>;

int main() {
  constexpr auto x = const_safe_t<8>{};
  std::cout << "x = " << safe_format(x) << '\n';
  constexpr auto y = delta_safe_t{1};
  std::cout << "y = " << safe_format(y) << '\n';
  constexpr auto z = y * x;
  std::cout << "z = " << safe_format(z) << '\n';
}

but it keeps failing with a lengthy error:

In file included from /opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base.hpp:17,
                 from /opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_integer.hpp:15,
                 from /opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_integer_range.hpp:13,
                 from <source>:3:
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/exception_policies.hpp: In instantiation of 'static constexpr void boost::safe_numerics::exception_policy<AE, IDB, UB, UV>::on_arithmetic_error(const boost::safe_numerics::safe_numerics_error&, const char*) [with AE = boost::safe_numerics::trap_exception; IDB = boost::safe_numerics::ignore_exception; UB = boost::safe_numerics::ignore_exception; UV = boost::safe_numerics::ignore_exception]':
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:60:36:   required from 'static constexpr boost::safe_numerics::checked_result<R> boost::safe_numerics::heterogeneous_checked_operation<R, Min, Max, T, F, typename std::enable_if<(std::is_integral<_Tp>::value && std::is_integral<T>::value)>::type>::cast_impl_detail::cast_impl(const T&, std::true_type, std::true_type) [with R = signed char; R Min = -1; R Max = 1; T = int; F = boost::safe_numerics::dispatch_and_return<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, signed char>; std::true_type = std::integral_constant<bool, true>]'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/checked_integer.hpp:148:40:   required from here
<source>:71:36:   in 'constexpr' expansion of 'boost::safe_numerics::safe_base<signed char, -1, 1, boost::safe_numerics::native, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >(1)'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:195:23:   in 'constexpr' expansion of '((boost::safe_numerics::safe_base<signed char, -1, 1, boost::safe_numerics::native, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >*)this)->boost::safe_numerics::safe_base<signed char, -1, 1, boost::safe_numerics::native, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >::validated_cast<int>((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:154:59:   in 'constexpr' expansion of 'boost::safe_numerics::validate_detail<signed char, -1, 1, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >::return_value<int>((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:146:30:   in 'constexpr' expansion of 'boost::safe_numerics::validate_detail<signed char, -1, 1, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >::exception_possible::return_value<int>((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:116:20:   in 'constexpr' expansion of 'boost::safe_numerics::heterogeneous_checked_operation<signed char, -1, 1, int, boost::safe_numerics::dispatch_and_return<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, signed char>, void>::cast((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/checked_integer.hpp:68:81:   in 'constexpr' expansion of 'boost::safe_numerics::dispatch_and_return<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, signed char>::invoke<boost::safe_numerics::safe_numerics_error::positive_overflow_error>(((const char*)"converted signed value too large"))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:92:24:   in 'constexpr' expansion of 'boost::safe_numerics::dispatch<exception_policy<trap_exception, ignore_exception, ignore_exception, ignore_exception>, boost::safe_numerics::safe_numerics_error::positive_overflow_error>(((const char*)msg))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:82:50:   in 'constexpr' expansion of 'boost::safe_numerics::dispatch_switch::dispatch_case<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, boost::safe_numerics::safe_numerics_actions::arithmetic_error>::invoke(boost::safe_numerics::safe_numerics_error::positive_overflow_error, msg)'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/exception_policies.hpp:28:13: error: no match for call to '(boost::safe_numerics::trap_exception) (const boost::safe_numerics::safe_numerics_error&, const char*&)'
   28 |         AE()(e, msg);
      |         ~~~~^~~~~~~~
ASM generation compiler returned: 1
In file included from /opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base.hpp:17,
                 from /opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_integer.hpp:15,
                 from /opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_integer_range.hpp:13,
                 from <source>:3:
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/exception_policies.hpp: In instantiation of 'static constexpr void boost::safe_numerics::exception_policy<AE, IDB, UB, UV>::on_arithmetic_error(const boost::safe_numerics::safe_numerics_error&, const char*) [with AE = boost::safe_numerics::trap_exception; IDB = boost::safe_numerics::ignore_exception; UB = boost::safe_numerics::ignore_exception; UV = boost::safe_numerics::ignore_exception]':
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:60:36:   required from 'static constexpr boost::safe_numerics::checked_result<R> boost::safe_numerics::heterogeneous_checked_operation<R, Min, Max, T, F, typename std::enable_if<(std::is_integral<_Tp>::value && std::is_integral<T>::value)>::type>::cast_impl_detail::cast_impl(const T&, std::true_type, std::true_type) [with R = signed char; R Min = -1; R Max = 1; T = int; F = boost::safe_numerics::dispatch_and_return<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, signed char>; std::true_type = std::integral_constant<bool, true>]'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/checked_integer.hpp:148:40:   required from here
<source>:71:36:   in 'constexpr' expansion of 'boost::safe_numerics::safe_base<signed char, -1, 1, boost::safe_numerics::native, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >(1)'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:195:23:   in 'constexpr' expansion of '((boost::safe_numerics::safe_base<signed char, -1, 1, boost::safe_numerics::native, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >*)this)->boost::safe_numerics::safe_base<signed char, -1, 1, boost::safe_numerics::native, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >::validated_cast<int>((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:154:59:   in 'constexpr' expansion of 'boost::safe_numerics::validate_detail<signed char, -1, 1, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >::return_value<int>((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:146:30:   in 'constexpr' expansion of 'boost::safe_numerics::validate_detail<signed char, -1, 1, boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception> >::exception_possible::return_value<int>((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:116:20:   in 'constexpr' expansion of 'boost::safe_numerics::heterogeneous_checked_operation<signed char, -1, 1, int, boost::safe_numerics::dispatch_and_return<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, signed char>, void>::cast((* & t))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/checked_integer.hpp:68:81:   in 'constexpr' expansion of 'boost::safe_numerics::dispatch_and_return<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, signed char>::invoke<boost::safe_numerics::safe_numerics_error::positive_overflow_error>(((const char*)"converted signed value too large"))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:92:24:   in 'constexpr' expansion of 'boost::safe_numerics::dispatch<exception_policy<trap_exception, ignore_exception, ignore_exception, ignore_exception>, boost::safe_numerics::safe_numerics_error::positive_overflow_error>(((const char*)msg))'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/safe_base_operations.hpp:82:50:   in 'constexpr' expansion of 'boost::safe_numerics::dispatch_switch::dispatch_case<boost::safe_numerics::exception_policy<boost::safe_numerics::trap_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception, boost::safe_numerics::ignore_exception>, boost::safe_numerics::safe_numerics_actions::arithmetic_error>::invoke(boost::safe_numerics::safe_numerics_error::positive_overflow_error, msg)'
/opt/compiler-explorer/libs/boost_1_80_0/boost/safe_numerics/exception_policies.hpp:28:13: error: no match for call to '(boost::safe_numerics::trap_exception) (const boost::safe_numerics::safe_numerics_error&, const char*&)'
   28 |         AE()(e, msg);
      |         ~~~~^~~~~~~~

What is wrong with my code?

Is it possible to somehow include non-continuous ranges? For example. in computation, I'm using an enum (converted to its underlying type). The enum has a few possible values but the values do not form a continuous range. Of course, I could take the least range covering all possible values. But this would include more values than are truly possible and I'm afraid in some cases of complex computations it could impact the resulting range.

When using safe_numerics in embedded system (kernel mode code), where exceptions are disabled, uncessary dependency on std::string is created (std::exception and friends, as well). Currently I have patched this out locally via #ifdef BOOST_NO_EXCEPTIONS, however maybe there might be better solution ?

https://github.com/boostorg/safe_numerics/blob/13ca3d6dd36db1aac2d6b5caca2c281d15c881ad/include/boost/safe_numerics/exception.hpp#L118 https://github.com/boostorg/safe_numerics/blob/13ca3d6dd36db1aac2d6b5caca2c281d15c881ad/include/boost/safe_numerics/exception.hpp#L190

There should be void operator() instead of trap_exception()

https://github.com/boostorg/safe_numerics/blob/13ca3d6dd36db1aac2d6b5caca2c281d15c881ad/include/boost/safe_numerics/exception_policies.hpp#L80