Home/ Questions/Q 6028677
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T04:46:32+00:00

I found a snippet similar to this in some (C++) code I’m preparing for

  • 0

I found a snippet similar to this in some (C++) code I’m preparing for a 64-bit port.

int n;
size_t pos, npos;

/* ... initialization ... */

while((pos = find(ch, start)) != npos)
{
    /* ... advance start position ... */

    n++; // this will overflow if the loop iterates too many times
}

While I seriously doubt this would actually cause a problem in even memory-intensive applications, it’s worth looking at from a theoretical standpoint because similar errors could surface that will cause problems. (Change n to a short in the above example and even small files could overflow the counter.)

Static analysis tools are useful, but they can’t detect this kind of error directly. (Not yet, anyway.) The counter n doesn’t participate in the while expression at all, so this isn’t as simple as other loops (where typecasting errors give the error away). Any tool would need to determine that the loop would execute more than 231 times, but that means it needs to be able to estimate how many times the expression (pos = find(ch, start)) != npos will evaluate as true—no small feat! Even if a tool could determine that the loop could execute more than 231 times (say, because it recognizes the find function is working on a string), how could it know that the loop won’t execute more than 264 times, overflowing a size_t value, too?

It seems clear that to conclusively identify and fix this kind of error requires a human eye, but are there patterns that give away this kind of error so it can be manually inspected? What similar errors exist that I should be watchful for?

EDIT 1: Since short, int and long types are inherently problematic, this kind of error could be found by examining every instance of those types. However, given their ubiquity in legacy C++ code, I’m not sure this is practical for a large piece of software. What else gives away this error? Is each while loop likely to exhibit some kind of error like this? (for loops certainly aren’t immune to it!) How bad is this kind of error if we’re not dealing with 16-bit types like short?

EDIT 2: Here’s another example, showing how this error appears in a for loop.

int i = 0;
for (iter = c.begin(); iter != c.end(); iter++, i++)
{
    /* ... */
}

It’s fundamentally the same problem: loops are counting on some variable that never directly interacts with a wider type. The variable can still overflow, but no compiler or tool detects a casting error. (Strictly speaking, there is none.)

EDIT 3: The code I’m working with is very large. (10-15 million lines of code for C++ alone.) It’s infeasible to inspect all of it, so I’m specifically interested in ways to identify this sort of problem (even if it results in a high false-positive rate) automatically.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Code reviews. Get a bunch of smart people looking at the code.

    Use of short, int, or long is a warning sign, because the range of these types isn’t defined in the standard. Most usage should be changed to the new int_fastN_t types in <stdint.h>, usage dealing with serialization to intN_t. Well, actually these <stdint.h> types should be used to typedef new application-specific types.

    This example really ought to be:

    typedef int_fast32_t linecount_appt;
linecount_appt n;

    This expresses a design assumption that linecount fits in 32 bits, and also makes it easy to fix the code if the design requirements change.

    • 0