Jump to content

Integer overflow

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Fredsmith2 (talk | contribs) at 03:15, 10 July 2017 (fixing all the bad i.e.'s with the correct e.g.'s). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Odometer rollover, a mechanical form of integer overflow. All digits are set to the maximum 9 and the next increment of the white digit causes a cascade of carry-over additions setting all digits to 0, but there is no higher digit to change to a 1, so the counter resets to zero. This is wrapping in contrast to saturating.

In computer programming, an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of bits – either larger than the maximum or lower than the minimum representable value.

The most common result of an overflow is that the least significant representable bits of the result are stored; the result is said to wrap around the maximum (e.g. modulo power of two).

An overflow condition gives incorrect results and, particularly if the possibility has not been anticipated, can compromise a program's reliability and security.

On some processors like graphics processing units (GPUs) and digital signal processors (DSPs) which support saturation arithmetic, overflown results would be "clamped", e.g. set to the minimum or the maximum value in the representable range, rather that wrapped around.

Origin

The register width of a processor determines the range of values that can be represented. Typical binary register widths for unsigned integers include:

  • 8 bits: maximum representable value 28 − 1 = 255
  • 16 bits: maximum representable value 216 − 1 = 65,535
  • 32 bits: maximum representable value 232 − 1 = 4,294,967,295 (the most common width for personal computers as of 2005),
  • 64 bits: maximum representable value 264 − 1 = 18,446,744,073,709,551,615 (the most common width for personal computer CPUs, as of 2017),
  • 128 bits: maximum representable value 2128 − 1 = 340,282,366,920,938,463,463,374,607,431,768,211,455

When an arithmetic operation produces a result larger than the maximum above for a N-bit integer, an overflow reduces the result to modulo N-th power of 2, retaining only the least significant bits of the result and effectively causing a wrap around.

In particular, multiplying or adding two integers may result in a value that is unexpectedly small, and subtracting from a small integer may cause a wrap to a large positive value (for example, 8-bit integer addition 255 + 2 results in 1, which is 257 mod 28, and similarly subtraction 0 − 1 results in 255, a two's complement representation of −1).

Such wrap around may cause security problems – if an overflown value is used as the number of bytes to allocate for a buffer, the buffer will be allocated unexpectedly small, leading to a potential buffer overflow and arbitrary code execution.

If the variable has a signed integer type, a program may make the assumption that a variable always contains a positive value. An integer overflow can cause the value to wrap and become negative, which violates the program's assumption and may lead to unexpected behavior (for example, 8-bit integer addition of 127 + 1 results in −128, a two's complement of 128).

Flags

Most computers have two dedicated processor flags to check for overflow conditions.

The carry flag is set when the result of an addition or subtraction, considering the operands and result as unsigned numbers, does not fit in the given number of bits. This indicates an overflow with a carry/borrow from the most significant bit. An immediately following add with carry or subtract with borrow operation would use the contents of this flag to modify a register or a memory location that contains the higher part of a multi-word value.

The overflow flag is set when the result of an operation on signed numbers does not have the sign that one would predict from the signs of the operands, e.g. a negative result when adding two positive numbers. This indicates that an overflow has occurred and the signed result represented in two's complement form would not fit in the given number of bits.

Methods to mitigate integer overflow problems

Main article: AddressSanitizer
Integer overflow handling in various programming languages
Language Unsigned integer Signed integer
Ada modulo the type's modulus raise Constraint_Error
C/C++ modulo power of two undefined behavior
C# modulo power of 2 in unchecked context; System.OverflowException is raised in checked context[1]
Java N/A modulo power of two
JavaScript all numbers are double-precision floating-point
Python 2 N/A convert to long type (bigint)
Seed7 N/A raise OVERFLOW_ERROR[2]
Scheme N/A convert to bigNum
Smalltalk N/A convert to LargeInteger
Swift Causes error unless using special overflow operators.[3]

There are several methods of handling overflow:

  1. Avoidance: by carefully ordering operations, checking operands in advance and selecting the correct data type, it is possible to ensure that the result will never be larger than can be stored.
  2. Handling: If it is anticipated that overflow may occur and when it happens detected and other processing done. Example: it is possible to add two numbers each two bytes wide using just a byte addition in steps: first add the low bytes then add the high bytes, but if it is necessary to carry out of the low bytes this is arithmetic overflow of the byte addition and it necessary to detect and increment the sum of the high bytes. CPUs generally have a way of detecting this to support addition of numbers larger than their register size, typically using a status bit.
  3. Propagation: if a value is too large to be stored it can be assigned a special value indicating that overflow has occurred and then have all successive operation return this flag value. This is useful so that the problem can be checked for once at the end of a long calculation rather than after each step. This is often supported in Floating Point Hardware called FPUs.

Programming languages implement various mitigation methods against an accidental overflow: Ada, Seed7 (and certain variants of functional languages), trigger an exception condition on overflow, while Python (since 2.4) seamlessly converts internal representation of the number to match its growth, eventually representing it as long – whose ability is only limited by the available memory.[4]

Run-time overflow detection implementation AddressSanitizer is also available for C compilers.

In languages with native support for Arbitrary-precision arithmetic and type safety (such as Python or Common Lisp), numbers are promoted to a larger size automatically when overflows occur, or exceptions thrown (conditions signaled) when a range constraint exists. Using such languages may thus be helpful to mitigate this issue. However, in some such languages, situations are still possible where an integer overflow can occur. An example is explicit optimization of a code path which is considered a bottleneck by the profiler. In the case of Common Lisp, this is possible by using an explicit declaration to type-annotate a variable to a machine-size word (fixnum)[5] and lower the type safety level to zero[6] for a particular code block.[7][8][9][10]

In Java 8, there are overloaded methods, for example like Math.addExact(int, int), which will throw ArithmeticException in case of overflow.

Computer emergency response team (CERT) developed the As-if Infinitely Ranged (AIR) integer model, a largely automated mechanism to eliminate integer overflow and truncation in C/C++ using run-time error handling.[11]

In computer graphics or signal processing, it is typical to work on data that ranges from 0 to 1 or from −1 to 1. An example of this is a grayscale image where 0 represents black, 1 represents white, and values in-between represent varying shades of gray. One operation that one may want to support is brightening the image by multiplying every pixel by a constant. Saturated arithmetic allows one to just blindly multiply every pixel by that constant without worrying about overflow by just sticking to a reasonable outcome that all these pixels larger than 1 (e.g. "brighter than white") just become white and all values "darker than black" just become black.

Examples

Unanticipated arithmetic overflow is a fairly common cause of program errors. Such overflow bugs may be hard to discover and diagnose because they may manifest themselves only for very large input data sets, which are less likely to be used in validation tests.

Taking the arithmetic mean of two numbers by adding them and dividing by two, as done in many search algorithms, causes error if the sum (although not the resulting mean) is too large to be represented, and hence overflows.[12]

An unhandled arithmetic overflow in the engine steering software was the primary cause of the crash of the 1996 maiden flight of the Ariane 5 rocket.[13] The software had been considered bug-free since it had been used in many previous flights, but those used smaller rockets which generated lower acceleration than Ariane 5.

On 30 April 2015, the Federal Aviation Authority announced it will order Boeing 787 operators to reset its electrical system periodically, to avoid an integer overflow which could lead to loss of electrical power and ram air turbine deployment, and Boeing deployed a software update in the fourth quarter.[14] The European Aviation Safety Agency followed on 4 May 2015.[15] The error happens after 2³¹ centiseconds (248.55134814815 days), indicating a 32-bit signed integer.

Overflow bugs are evident in computer games. In the arcade game Donkey Kong, it is impossible to advance past level 22 due to an integer overflow in its time/bonus. The game takes the level number a user is on, multiplies it by 10 and adds 40. When they reach level 22, the time/bonus number is 260, which is too large for its 8-bit 256 value register, so it resets itself to 0 and gives the remaining 4 as the time/bonus – too short to finish the level. In Donkey Kong Jr. Math, when trying to calculate a number over 10000, it shows only the first 4 digits. Overflow is the cause of the famous Split Screen in Pac-Man[16] and the Nuclear Gandhi in Civilization series. It also caused the Far Lands in Minecraft which existed from the Infdev development period to Beta 1.7.3, however it was later fixed in Beta 1.8 but still exist in the Pocket Edition and Windows 10 Edition versions of Minecraft.[17]

An integer signedness bug in the stack setup code emitted by the Pascal compiler prevented Microsoft / IBM MACRO Assembler Version 1.00 (MASM), a DOS program from 1981, and many other programs compiled with the same compiler, to run under some configurations with more than 512 KB of memory.

Microsoft / IBM MACRO Assembler (MASM) Version 1.00, and likely all other programs build by the same Pascal compiler, had an integer overflow and signedness error in the stack setup code, which prevented them from running on newer DOS machines or emulators under some common configurations with more than 512 KB of memory. The program either hangs or displays an error message and exits to DOS.[18]

In August 2016, a Casino machine at Resorts World Casino printed a prize ticket of $42,949,672.76 as a result of an overflow bug. The Casino refused to pay this amount calling it a malfunction, using in their defense that the machine clearly stated that the maximum payout was $10,000, so any prize higher than that had to be the result of a programming bug. The Iowa Supreme Court ruled in favor of the Casino.[19]

See also

References

  1. ^ http://msdn.microsoft.com/en-us/library/khy08726.aspx
  2. ^ Seed7 manual, section 15.2.3 OVERFLOW_ERROR.
  3. ^ The Swift Programming Language. Swift 2.1 Edition. October 21, 2015.
  4. ^ Python documentation, section 5.1 Arithmetic conversions.
  5. ^ "Declaration TYPE". Common Lisp HyperSpec.
  6. ^ "Declaration OPTIMIZE". Common Lisp HyperSpec.
  7. ^ Reddy, Abhishek (2008-08-22). "Features of Common Lisp".
  8. ^ Pierce, Benjamin C. (2002). Types and Programming Languages. MIT Press. ISBN 0-262-16209-1.
  9. ^ Wright, Andrew K.; Matthias Felleisen (1994). "A Syntactic Approach to Type Soundness". Information and Computation. 115 (1): 38–94. doi:10.1006/inco.1994.1093.
  10. ^ Macrakis, Stavros (April 1982). "Safety and power" (requires subscription). ACM SIGSOFT Software Engineering Notes. 7 (2): 25–26. doi:10.1145/1005937.1005941.
  11. ^ As-if Infinitely Ranged Integer Model
  12. ^ Google Research blog: Nearly All Binary Searches and Mergesorts are Broken, Joshua Bloch, 2 June 2006
  13. ^ Gleick, James (1 December 1996). "A Bug and A Crash". New York Times Magazine. Retrieved 9 December 2013.
  14. ^ Mouawad, Jad (30 April 2015). "F.A.A. Orders Fix for Possible Power Loss in Boeing 787". New York Times.
  15. ^ "US-2015-09-07 : Electrical Power – Deactivation". Airworthiness Directives. European Aviation Safety Agency. 4 May 2015.
  16. ^ Pittman, Jamey. "The Pac-Man Dossier".
  17. ^ Minecraft Gamepedia. "Minecraft Gamepedia Page".
  18. ^ Lenclud, Christophe. "Debugging IBM MACRO Assembler Version 1.00".
  19. ^ Kravets, David (June 15, 2017). "Sorry ma'am you didn't win $43M – there was a slot machine 'malfunction'". Ars Technica.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Integer_overflow&oldid=789863173"