10

Often one makes assumptions about a particular platform one is coding on, for example that signed integers use two's complement storage, or that (0xFFFFFFFF == -1), or things of that nature.

Does a tool exist which can check a codebase for the most common violations of these kinds of things (for those of us who want portable code but don't have strange non-two's-complement machines)?

(My examples above are specific to signed integers, but I'm interested in other errors (such as alignment or byte order) as well)

Billy ONeal
  • 97,781
  • 45
  • 291
  • 525
  • 1
    Just a point of terminology: the things you are talking about are implementation defined, not undefined. Alignment, byte order, signed integer representation...all of these things are defined by the implementation and specified as such within the standard. – Edward Strange Nov 29 '10 at 17:20
  • @up, true. However the OP mentions `unspecified` not `undefined`, which apparently is different. Not sure which is applicable here. - http://stackoverflow.com/questions/2397984/undefined-unspecified-and-implementation-defined-behavior – Kos Nov 29 '10 at 17:26
  • @Noah Roberts: See `1.3.25`: **unspecified behavior** behavior, for a well-formed program construct and correct data, that depends on the implementation (at least according to the C++0x FCD) – Billy ONeal Nov 29 '10 at 17:52
  • That's not the full definition. Unspecified behavior applies when the implementation is not required to document the behavior. I believe these things are implementation defined but I was only able to verify such wrt bit fields. – Edward Strange Nov 29 '10 at 18:43

4 Answers4

4

There are various levels of compiler warnings that you may wish to have switched on, and you can treat warnings as errors.

If there are other assumptions you know you make at various points in the code you can assert them. If you can do that with static asserts you will get failure at compile time.

CashCow
  • 29,087
  • 4
  • 53
  • 86
  • 1
    Well, this is of course true. Maybe there's a GCC switch I'm missing but it doesn't warn about these kinds of things. (MSVC doesn't either) – Billy ONeal Nov 29 '10 at 16:27
4

I know that CLang is very actively developing a static analyzer (as a library).

The goal is to catch errors at analysis time, however the exact extent of the errors caught is not that clear to me yet. The library is called "Checker" and T. Kremenek is the responsible for it, you can ask about it on clang-dev mailing list.

I don't have the impression that there is any kind of reference about the checks being performed, and I don't think it's mature enough yet for production tool (given the rate of changes going on) but it may be worth a look.

Matthieu M.
  • 251,718
  • 39
  • 369
  • 642
3

Maybe a static code analysis tool? I used one a few years ago and it reported errors like this. It was not perfect and still limited but maybe the tools are better now?

update: Maybe one of these: What open source C++ static analysis tools are available?

update2: I tried FlexeLint on your example (you can try it online using the Do-It-Yourself Example on http://www.gimpel-online.com/OnlineTesting.html) and it complains about it but perhaps not in a way you are looking for:

5    int i = -1;
6    if (i == 0xffffffff)
diy64.cpp  6  Warning 650:  Constant '4294967295' out of range for operator '=='
diy64.cpp  6  Info 737:  Loss of sign in promotion from int to unsigned int
diy64.cpp  6  Info 774:  Boolean within 'if' always evaluates to False [Reference: file diy64.cpp: lines 5, 6]
Community
  • 1
  • 1
rve
  • 5,374
  • 3
  • 34
  • 62
  • Yes... examples... Actually I do not remember how it was called, I think it was Coverity. All I know it was a commercial tool and costs a lot.. – rve Nov 29 '10 at 18:06
  • might be coverity then :p Actually the output from FlexeLint is quite interesting, `Loss of sign` is a red herring. – Matthieu M. Nov 29 '10 at 19:58
2

Very interesting question. I think it would be quite a challenge to write a tool to flag these usefully, because so much depends on the programmer's intent/assumptions

For example, it would be easy to recognize a construct like:

x &= -2; // round down to an even number

as being dependent on twos-complement representation, but what if the mask is a variable instead of a constant "-2"?

Yes, you could take it a step further and warn of any use of a signed int with bitwise &, any assignment of a negative constant to an unsigned int, and any assignment of a signed int to an unsigned int, etc., but I think that would lead to an awful lot of false positives.

[ sorry, not really an answer, but too long for a comment ]

David Gelhar
  • 27,533
  • 3
  • 65
  • 81
  • Well, of course no such tool could be perfect, but I think the vast majority of such things would be more simply recognisable. (Side note: Files away round down to even number algorithm.. never seen that one beforE) – Billy ONeal Nov 29 '10 at 17:49