On May 30, 2005, at 02:57, Victor STINNER wrote:
I'm using gcc "long long" type for my calculator. I have to check integer overflow. I'm using sign compare to check overflow, but it doesn't work for 10^16 * 10^4 : 10000000000000000 * 10000
I see your question went unanswered, however I do think it is relevant to the development of (not with) GCC. The ongoing discussion regarding "Ada front-end depends on signed overflow" focuses on Ada, but the same issues are true for C and C++ as well. I think this may be an other case where GCC's increased reasoning from the notion that signed integer overflow invokes undefined behavior is harmful. True, your program invokes undefined behavior according to the C standard, and as a result the behavior of the code in presence of overflow is conforming to the C standard. However, this case also shows how much 2s-complement arithmetic is ingrained in our brains. Your real-world example, highlights the fact that allowing GCC to reason from absence of overflows breaks useful code, in effect removing the overflow detection code, just like it removes Ada range checks. Defaulting to -fwrapv for all compilations in order to get the expected wraparound behavior significantly increases the quality of the compiler in my opinion. Propagating the assumption that overflow cannot occur, and removing checks based on that, unnecessarily breaks code that otherwise, with wraparound semantics, would be well-defined and correct. -Geert
