

The Safe Math Library

The Safe C Library implements a subset of the functions defined in the ISO TR24731 specification, which provides alternative functions for the C Library (as defined in ISO/IEC 9899:1999) that promote safer, more secure programming in C.

To recap: The Safe C Library (available for download here) provides bounds-checking memory and string functions per ISO/IEC TR24731. These functions are alternatives to the existing Standard C Library functions.

A complement to the Safe C Library (defined by the ISO TR24731 specification) is the Safe Math Library, designed to catch arithmetic overflows. These are the subtle errors that occur when converting from one data size to another, or when converting from signed to unsigned and from unsigned to signed. The library provides a set of functions for addition, subtraction, multiplication, division, increment, decrement, modulo, negation, and absolute value.

While there is no standard for such functions, the Safe Math Library is modeled after the ISO TR24731 specification. It is intended to complement the Safe C Library, providing one more layer of security.

The Safe Math Library supports the data types in Table 1.

Table 1

As you can see in Table 1, taking the absolute value of the minimum signed value of a data type overflows. For example, there is no corresponding value for the absolute value of -128 in the signed int8_t data type. The addition of two like unsigned data types will overflow when the sum exceeds the maximum value of that unsigned data type. For example, the sum of two uint16_t values, 65535 and 1, will overflow. Casting an unsigned data type to a like signed data type can also produce unexpected results. For example, casting an unsigned short with a value of 32768 to a signed short overflows the maximum signed short value of 32767.

When used properly, the Safe Math functions mitigate the dangers associated with arithmetic errors and the exposure to attacks that exploit them. Source code may remain vulnerable due to other bugs and security issues. The highest level of security is achieved by building in layers of security utilizing multiple strategies.

The rationale for the Safe Math Library is similar to that of TR24731 and is itemized below:

  • Complement the Safe C Library
  • Guard against arithmetic overflows
  • Provide a library useful to existing code
  • Only require local edits to programs
  • Library-based solution, no tool chain upgrades required
  • Support compile-time checking
  • Make failures obvious through a constraint handler
  • Runtime-constraint handler mechanism
  • Support re-entrant code
  • Consistent naming scheme
  • Have a uniform pattern for the function parameters and return type
  • Deference to existing technology

Similar to TR24731, the Safe Math Library verifies that the calling program does not violate the function's runtime-constraints. If a runtime-constraint is violated, the library calls the currently registered runtime-constraint handler to record the violation. The runtime-constraint handler might not return. If the handler does return, the Safe Math Library functions whose runtime-constraint was violated do not attempt to mathematically correct the result, nor do they provide a return code indicating the error. Corrective action will require scanning the logs and fixing the mathematical errors in the code.
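The three overflow cases from the Table 1 discussion (absolute value of the minimum signed value, unsigned addition past the type's maximum, and an unsigned-to-signed cast that exceeds the signed maximum) and the runtime-constraint handler mechanism described above, as an added illustration written for this page. It is not the Safe Math Library's own code: the function names (`add_u16`, `abs_s8`, `cast_u16_to_s16`, `set_math_constraint_handler`) and the handler signature are this example's assumptions, modeled loosely on TR24731's `constraint_handler_t`. As the article describes, the checking functions report the violation through the handler rather than correcting the result or returning an error code; the handler keeps a count so a caller can see that something was logged.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Handler signature assumed for this example, modeled on TR24731's
 * constraint_handler_t: a message, an optional pointer, and an error code. */
typedef void (*math_constraint_handler_t)(const char *msg, void *ptr, int error);

/* Number of violations the default handler has recorded. */
static int violations_recorded = 0;

/* Default handler: log the violation and return, so the caller continues. */
static void log_handler(const char *msg, void *ptr, int error) {
    (void)ptr;
    violations_recorded++;
    fprintf(stderr, "runtime-constraint violation: %s (code %d)\n", msg, error);
}

/* Alternative handler showing that a handler need not return. */
static void abort_handler(const char *msg, void *ptr, int error) {
    (void)ptr;
    fprintf(stderr, "runtime-constraint violation: %s (code %d), aborting\n", msg, error);
    abort();
}

static math_constraint_handler_t current_handler = log_handler;

/* Register a handler and return the previous one (NULL restores the default). */
math_constraint_handler_t set_math_constraint_handler(math_constraint_handler_t h) {
    math_constraint_handler_t prev = current_handler;
    current_handler = h ? h : log_handler;
    return prev;
}

int violations_so_far(void) { return violations_recorded; }

/* uint16_t + uint16_t: computed exactly in 32 bits so the overflow is visible
 * before the result is narrowed. The returned value wraps modulo 2^16, as C
 * defines for unsigned conversion; the violation is only reported. */
uint16_t add_u16(uint16_t a, uint16_t b) {
    uint32_t wide = (uint32_t)a + (uint32_t)b;
    if (wide > UINT16_MAX) {
        current_handler("add_u16: sum exceeds UINT16_MAX", NULL, 1);
    }
    return (uint16_t)wide;
}

/* Absolute value of int8_t: INT8_MIN (-128) has no positive counterpart. */
int8_t abs_s8(int8_t v) {
    if (v == INT8_MIN) {
        current_handler("abs_s8: INT8_MIN has no representable absolute value", NULL, 2);
        return v;                       /* result left uncorrected, per the text */
    }
    return (int8_t)(v < 0 ? -v : v);    /* -v is evaluated in int, so no UB */
}

/* uint16_t -> int16_t: anything above INT16_MAX (32767) does not fit.
 * The conversion itself is implementation-defined in C; on two's complement
 * platforms 32768 becomes -32768. */
int16_t cast_u16_to_s16(uint16_t v) {
    if (v > INT16_MAX) {
        current_handler("cast_u16_to_s16: value exceeds INT16_MAX", NULL, 3);
    }
    return (int16_t)v;
}

int main(void) {
    printf("65534 + 1     = %u\n", (unsigned)add_u16(65534, 1));   /* fine */
    printf("65535 + 1     = %u\n", (unsigned)add_u16(65535, 1));   /* violation */
    printf("abs(-127)     = %d\n", abs_s8(-127));                   /* fine */
    printf("abs(-128)     = %d\n", abs_s8(INT8_MIN));               /* violation */
    printf("(s16)32767    = %d\n", cast_u16_to_s16(32767));         /* fine */
    printf("(s16)32768    = %d\n", cast_u16_to_s16(32768));         /* violation */
    printf("violations recorded: %d\n", violations_so_far());
    /* Swapping in abort_handler would stop the program at the first violation:
     * set_math_constraint_handler(abort_handler); */
    return 0;
}
```

Each checking function performs the comparison in a representation wide enough to hold the exact result, which is the general pattern behind the library's per-type functions: widen, compare against the destination type's limits, and report through the handler before narrowing.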

To appreciate the risk of overflows see:
