Safe Numerics
Sponsor this Library!
Reviews There are 2 reviews
There are 22 comments
Having spent some time playing with the library, I still cannot determine what its goal or scope is. I have as my input:
Library name.
Documentation.
The code.
Responses and clarifications from the author.
But they do not give me a clear, unambiguous picture of what the library is meant to be. In fact, my reception is that the different input appears to contradict one another.
I can think of the following answers to my question:
A drop-in replacement for type int: a small integer that has object int as its resource, and reports resource exhaustion via an exception.
A library that solves any problem you ever had with type int (overflows, conversions): it offers a set of otherwise unrelated tools (like safe_compare).
A library that solves any problem you ever had with types int or float (and their friends).
Honestly, I am not doing this for arguing’s sake. I cannot determine the main goal of the library. And for this reason, I cannot review it properly: I cannot compare it against its goal.
This is an issue that is especially important to me, as I have written a library that also has the goal of making integer arithmetic safe: the bounded::integer library: http://doublewise.net/c++/bounded/ . I presented this library at C++Now 2014 this year. It has a different philosophy from the Safe Numerics library. It instead has compile-time min and max bounds on each integer type, and the goal is to replace all uses of built-in integer types. The result of the arithmetic operators is a new type that is able to hold any result of the operation (so bounded::integer + bounded::integer == bounded::integer).
Hi,
I was going through the Safe Numerics library in Boost Library Incubator (my goal was to make a review), and I realized I disagree with the basic idea it is built on. I wanted to rise my concerns here.
If I were to summarize in one sentence what this library is, I would say: a drop-in replacement for type int that checks for overflow in run-time and throws an exception if it finds one. Did I get it right? The remainder of this post is based on this interpretation.
If so, I am not sure if this idea is a good one and worth promoting in Boost. BTW this is one of my criteria for letting a library into Boost: whether it promotes worthy ideas. I agree with the statement that a program should be UB-free. But I do not think that the approach of letting the programmer do what he did before, having the library or some run-time tool check for potential UB, and throwing an exception instead makes the program any better (or safer). It is just hiding the symptoms but not curing the disease. The programmer should not plant the UB in the first place – I agree. But this is different than first doing the mess and then having the run-time clean it up for you. I know it works for many people, in a number of languages, and it may even be considered a practical solution, but (by inclusion into Boost) I wouldn’t like to be sending the message “this is how you are suppose to code”.
I try to recall how I use type int. I do not think I ever use it for anything that would be close to “numeric” as I know the term from math.
Use Case 1 (an index):
for (size_t i = 0, I = v.size(); i != I; ++i) { if (i != 0) str += ","; str += v[i]; }
There doesn’t appear to be a good reason to wrap it into safe<int> here, even though the incrementation could possibly overflow. Plus, it would kill my performance.
Use Case 2 (using reasonably small range):
I used an int to represent a square on a chessboard. There is only 64 squares, so I couldn’t possibly overflow, on whatever platform. And even if there exists a platform where 64 doesn’t fit into an int, I would not use safe<int> there. I would rather go for something like double_int.
If I were to use some numeric computations on integers and I perceived any risk that I may overflow, I would not be satisfied with having the computations stop because of an exception. I would rather use a bigger type (BigInt?). I do not think int is even meant to be used in numerical computations. I believe it is supposed to be a building block for building more useful types like BigInt.
One good usage example I can think of is this. After a while of trying to chase a bug I comae up with a hypothesis that my int could be overflowing. I temporarily replace it with safe<int> and put a break point in function overflow() to trap it and support my hypothesis. I would probably use a configurable typedef then:
#ifndef NDEBUG typedef safe int_t; #else typedef int int_t; #endif
But is this the intent?
But perhaps it is just my narrow perspective. Can you give me a real-life example where substituting safe<int> for int has merit and is not controversial? I do not mean the code, just a story.
Regards,
&rzej
Just to let you know that the documentation form under the link is not browsable. I can get to index page, but when I try to click “Introduction -> Problem”, I get an error.
Unable to Display Statistics if I’m not logged 🙁
Comment on This Page
You must be logged in to post a comment.