Skip to content

Avoid signed integer overflow in example sketch#5

Open
edgar-bonet wants to merge 1 commit intooymotion:masterfrom
edgar-bonet:no-ovf
Open

Avoid signed integer overflow in example sketch#5
edgar-bonet wants to merge 1 commit intooymotion:masterfrom
edgar-bonet:no-ovf

Conversation

@edgar-bonet
Copy link

@edgar-bonet edgar-bonet commented Apr 15, 2022

Running the example sketch SimpleEMGFilters.ino on an Arduino Uno, I got the output:

Squared Data: 1600
Squared Data: 20164
Squared Data: 4294951489

The last line is suspicious: not only is it too large to be plausible, it is even way larger than INT_MAX, which should not be possible for an int.

Further investigation revealed the source of the problem to be an integer overflow in the computation of the square of dataAfterFilter. Signed integer overflow is undefined behavior in C++. Undefined behavior means that anything can happen, including “impossible” results like above.

Computing the square as a long solves the issue.

@edgar-bonet
Avoid signed integer overflow in example sketch
82c49e8 
The `int' type is only 16-bits long in some Arduinos. On those devices,
the square of an analog reading, filtered or not, may not fit in an
`int'. Use `long' instead, in order to avoid signed integer overflow,
which in C++ is undefined behavior.
@edgar-bonet
Copy link
Author

edgar-bonet commented Apr 15, 2022

According to the letter of the C++ standard, anything (really anything!) can happen in the presence of undefined behavior. Accordingly, it may seem futile to try to second-guess what the compiler may be thinking. In this case, however, the compiler behavior turns out to be understandable. Taking a look at what it did can give some insight on the kind of surprises that undefined behavior can produce.

In this case, the filter returned 223. Then the line

int envelope = sq(dataAfterFilter);

computed the square of 223, which is 49729 (larger than INT_MAX), and overflowed modulo 216 to −15807. This value was given to Serial.println(). Within Print::print(int n, int base), the number is casted to long and passed to Print::print(long n, int base). Within this method, we have the following code path specific to base 10:

if (n < 0) {
  int t = print('-');
  n = -n;
  return printNumber(n, 10) + t;
}
return printNumber(n, 10);

And here is where things break apart: n is −15807. However, the compiler knows (through link-time optimization) that this number is a square, and it also knows that signed overflows should never happen (it's the programmer's responsibility to avoid them). It can thus legitimately assume that the number is non-negative. Thus, as an optimization, it completely omits the code handling the case n < 0, and calls printNumber(n, 10) with a negative n. Since this argument is of type unsigned long, it wraps modulo 232 to 4294951489, hence the observed behavior.

@QuinIMG
Copy link

QuinIMG commented Jun 26, 2023
edited
Loading

Hehe, I ran into this issue a few months ago after I yoinked the example code for a project I'm working on. Wish I had read this pull request back then instead of going down the rabbit hole of debugging it myself 😅.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@edgar-bonet @QuinIMG