Content deleted Content added
merge from arithmetic overflow |
|||
Line 5:
In [[computer programming]], an '''integer overflow''' occurs when an [[arithmetic]] operation attempts to create a numeric value that is outside of the range that can be represented with a given number of bits - either larger than the maximum or lower than the minimum representable value.
The most common result of an overflow is that the least significant representable bits of the result are stored
An overflow condition gives incorrect results and, particularly if the possibility has not been anticipated, can compromise a program's reliability and [[software security|security]]. On some processors like [[graphics processing unit]]s (GPUs) and [[digital signal processor]]s (DSPs), the result [[saturation arithmetic|saturates]]; that is, once the maximum value is reached, any attempt to increase it always returns the maximum integer value. == Origin ==
Line 24 ⟶ 28:
If the variable has a [[Signed number representations|signed integer]] type, a program may make the assumption that a variable always contains a positive value. An integer overflow can cause the value to wrap and become negative, which violates the program's assumption and may lead to unexpected behavior (for example, 8-bit integer addition of 127 + 1 results in -128, a two's complement of 128).
==Overflow flags==
Most computers distinguish between two kinds of overflow conditions.
A [[carry (arithmetic)|''carry'']] occurs when the result of an addition or subtraction, considering the operands and result as unsigned numbers, does not fit in the result. Therefore, it is useful to check the [[carry flag]] after adding or subtracting numbers that are interpreted as unsigned values.
An ''overflow'' proper occurs when the result does not have the sign that one would predict from the signs of the operands (e.g. a negative result when adding two positive numbers). Therefore, it is useful to check the [[overflow flag]] after adding or subtracting numbers that are represented in [[two's complement]] form (i.e. they are considered signed numbers).
==Methods to mitigate integer overflow problems==
Line 53 ⟶ 65:
|-
|}
There are several methods of handling overflow:
# Avoidance: by carefully ordering operations, checking operands in advance and selecting the correct data type, it is possible to ensure that the result will never be larger than can be stored.
# Handling: If it is anticipated that overflow may occur and when it happens detected and other processing done. Example: it is possible to add two numbers each two bytes wide using just a byte addition in steps: first add the low bytes then add the high bytes, but if it is necessary to carry out of the low bytes this is arithmetic overflow of the byte addition and it necessary to detect and increment the sum of the high bytes. [[Central processing unit|CPUs]] generally have a way of detecting this to support addition of numbers larger than their register size, typically using a status bit.
# Propagation: if a value is too large to be stored it can be assigned a special value indicating that overflow has occurred and then have all successive operation return this flag value. This is useful so that the problem can be checked for once at the end of a long calculation rather than after each step. This is often supported in Floating Point Hardware called [[floating point unit|FPU]]s.
Programming languages implement various mitigation methods against an accidental overflow: [[Ada (programming language)|Ada]], [[Seed7]] (and certain variants of functional languages), trigger an exception condition on overflow, while [[Python (programming language)|Python]] (since 2.4) seamlessly converts internal representation of the number to match its growth, eventually representing it as <code>long</code>—whose ability is only limited by the available memory.<ref>[https://docs.python.org/2/reference/expressions.html Python documentation], section 5.1 Arithmetic conversions.</ref>
Run-time overflow detection implementation <code>AddressSanitizer</code> is also available for [[C compiler]]s.
* The effects of integer-based attacks for C/C++ and how to defend against them by using subtyping in Efficient and Accurate Detection of Integer-based Attacks<ref>[http://web.archive.org/web/20121010025025/http://www.cs.cmu.edu/~dbrumley/pubs/integer-ndss-07.pdf Efficient and Accurate Detection of Integer-based Attacks]</ref>▼
* [[Computer emergency response team]] (CERT) As-if Infinitely Ranged (AIR) integer model - a largely automated mechanism to eliminate integer overflow and truncation<ref>[http://www.cert.org/archive/pdf/09tn023.pdf As-if Infinitely Ranged Integer Model]</ref>▼
In languages with native support for [[Arbitrary-precision arithmetic]] and [[type safety]] (such as [[Python (programming language)|Python]] or [[Common Lisp]]), numbers are promoted to a larger size automatically when overflows occur, or exceptions thrown (conditions signaled) when a range constraint exists. Using such languages may thus be helpful to mitigate this issue. However, in some such languages, situations are still possible where an integer overflow can occur. An example is explicit optimization of a code path which is considered a bottleneck by the profiler. In the case of Common Lisp, this is possible by using an explicit declaration to type-annotate a variable to a machine-size word (fixnum) [http://www.lispworks.com/documentation/HyperSpec/Body/d_type.htm] and lower the type safety level to zero [http://www.lispworks.com/documentation/HyperSpec/Body/d_optimi.htm] for a particular code block.<ref name="reddy">{{cite web
Line 71 ⟶ 83:
In Java 8, there are overloaded methods, for example like Math#addExact(),<ref>[https://docs.oracle.com/javase/8/docs/api/java/lang/Math.html#addExact-int-int- Math#addExact()]</ref> which will throw ArithmeticException in case of overflow.
▲
In [[computer graphics]] or [[signal processing]], it is typical to work on data that ranges from 0 to 1 or from −1 to 1. An example of this is a [[grayscale]] image where 0 represents black, 1 represents white, and values in-between represent varying shades of gray. One operation that one may want to support is brightening the image by multiplying every pixel by a constant. [[Saturated arithmetic]] allows one to just blindly multiply every [[pixel]] by that constant without worrying about overflow by just sticking to a reasonable outcome that all these pixels larger than 1 (i.e. [[high dynamic range imaging|"brighter than white"]]) just become white and all values "darker than black" just become black.
== Examples ==
On 30 April 2015, the [[Federal Aviation Authority]] announced it will order [[Boeing 787]] operators to reset its electrical system periodically, to avoid an integer overflow which could lead to loss of electrical power and [[ram air turbine]] deployment, and Boeing is going to deploy a [[software update]] in the fourth quarter.<ref>{{cite news |title= F.A.A. Orders Fix for Possible Power Loss in Boeing 787 |work= [[New York Times]] |date= 30 April 2015 |url= http://www.nytimes.com/2015/05/01/business/faa-orders-fix-for-possible-power-loss-in-boeing-787.html?_r=0}}</ref> The [[European Aviation Safety Agency]] followed on 4 May 2015.<ref>{{cite web |url= http://ad.easa.europa.eu/ad/US-2015-09-07 |work= Airworthiness Directives |title= US-2015-09-07 : Electrical Power - Deactivation |date= {{date|2015-05-04}} |publisher= [[European Aviation Safety Agency]]}}</ref> The error happens after 2³¹ centiseconds ({{#expr:2^31/100/3600/24}} days), indicating a 32-bit [[Signed number representations|signed]] [[Integer (computer science)|integer]].▼
Unanticipated arithmetic overflow is a fairly common cause of [[software bug|program errors]]. Such overflow bugs may be hard to discover and diagnose because they may manifest themselves only for very large input data sets, which are less likely to be used in validation tests.
Taking the arithmetic mean of two numbers by adding them and dividing by two, as done in many [[search algorithm]]s, causes error if the sum (although not the resulting mean) is too large to be represented, and hence overflows.<ref>[http://googleresearch.blogspot.co.uk/2006/06/extra-extra-read-all-about-it-nearly.html Google Research blog: Nearly All Binary Searches and Mergesorts are Broken, Joshua Bloch, 2 June 2006]</ref>
An unhandled arithmetic overflow in the engine steering software was the primary cause of the crash of the 1996 maiden flight of the [[Ariane 5 Flight 501|Ariane 5]] rocket.<ref>{{cite web|last=Gleick|first=James|title=A Bug and A Crash|url=http://www.around.com/ariane.html|work=New York Times Magazine|accessdate=9 December 2013|date=1 December 1996}}</ref> The software had been considered bug-free since it had been used in many previous flights, but those used smaller rockets which generated lower acceleration than Ariane 5.
In the arcade game ''[[Donkey Kong]]'', [[Kill screen|it is impossible to advance past level 22]] due to an integer overflow in its time/bonus. The game takes the level number a user is on, multiplies it by 10 and adds 40. When they reach level 22, the time/bonus number is 260, which is too large for its 8-bit 256 value register, so it resets itself to 0 and gives the remaining 4 as the time/bonus - too short to finish the level. In ''[[Donkey Kong Jr. Math]]'', when trying to calculate a number over 10000, it shows only the first 4 digits. Overflaw is the cause of the famous ''[[kill screen|Split Screen]]'' in Pac-Man <ref>{{cite web|url=http://home.comcast.net/~jpittman2/pacman/pacmandossier.html|title=The Pac-Man Dossier|author=Pittman, Jamey}}</ref> and the ''Nuclear Gandhi'' in [[Civilization series]].▼
▲On 30 April 2015, the [[Federal Aviation Authority]] announced it will order [[Boeing 787]] operators to reset its electrical system periodically, to avoid an integer overflow which could lead to loss of electrical power and [[ram air turbine]] deployment, and Boeing is going to deploy a [[software update]] in the fourth quarter.<ref>{{cite news |title= F.A.A. Orders Fix for Possible Power Loss in Boeing 787 |work= [[New York Times]] |date= 30 April 2015 |url= http://www.nytimes.com/2015/05/01/business/faa-orders-fix-for-possible-power-loss-in-boeing-787.html?_r=0}}</ref> The [[European Aviation Safety Agency]] followed on 4 May 2015.<ref>{{cite web |url= http://ad.easa.europa.eu/ad/US-2015-09-07 |work= Airworthiness Directives |title= US-2015-09-07 : Electrical Power - Deactivation |date= {{date|2015-05-04}} |publisher= [[European Aviation Safety Agency]]}}</ref> The error happens after 2³¹ centiseconds ({{#expr:2^31/100/3600/24}} days), indicating a 32-bit [[Signed number representations|signed]] [[Integer (computer science)|integer]].
▲Overflow bugs are evident in computer games. In the arcade game ''[[Donkey Kong]]'', [[Kill screen|it is impossible to advance past level 22]] due to an integer overflow in its time/bonus. The game takes the level number a user is on, multiplies it by 10 and adds 40. When they reach level 22, the time/bonus number is 260, which is too large for its 8-bit 256 value register, so it resets itself to 0 and gives the remaining 4 as the time/bonus - too short to finish the level. In ''[[Donkey Kong Jr. Math]]'', when trying to calculate a number over 10000, it shows only the first 4 digits. Overflaw is the cause of the famous ''[[kill screen|Split Screen]]'' in Pac-Man <ref>{{cite web|url=http://home.comcast.net/~jpittman2/pacman/pacmandossier.html|title=The Pac-Man Dossier|author=Pittman, Jamey}}</ref> and the ''Nuclear Gandhi'' in [[Civilization series]].
==See also==
*[[Buffer overflow]]
*[[Heap overflow]]
Line 99 ⟶ 116:
*[http://www.phrack.org/issues.html?issue=60&id=9#article Phrack #60, Big Loop Integer Protection]
*[http://thetaeng.com/TimerWrap.htm How to implement efficiently in C]
▲*
*[http://projects.webappsec.org/Integer-Overflows WASC Threat Classification - Integer Overflows]
*[http://www.cs.utah.edu/~regehr/papers/overflow12.pdf Understanding Integer Overflow in C/C++]
Line 104 ⟶ 122:
[[Category:Software bugs]]
[[Category:Computer security exploits]]
[[Category:Computer arithmetic]]
| |||