bit wise operators have issues both in concept and implementation which
I'm in the process of addressing.
I've been as how to address bit wise operations on signed integers. I've
been thinking that they are an error which should be trapped at compile
time. First of all I don't seen a use case for them and second they
have portability problems. the results are arithmetically different
depending on the size of the int. I can do it either way, it's really a
question about what the library is meant to do - insist on arithmetical
consistence and correctness - or ... what? For now I've trapped attempts
to use bit wise operations on signed integers and permitted them on
unsigned integers. But as you can see, i'm conflicted here. I wish we
had static_warning in C++ but we don't.
my implementation of this is sort of an afterthought and needs
attention. It's similar to the case as above. It's not clear what I
want to do - even to me.

int i = 1.0

I wonder what we're really doing here. In C++/C i get it. But when I
write in C++ the value 1.0 I'm mean a value which in some sense
approximates 1.0. I think it's mistake.

int j = 1.5

This is pretty clear to me. The fundamental premise of the library
would be stated.

"All expressions which change the arithmetic value are considered errors"

On the other hand, I might be OK with

int k = floor(1.5);

I'm still sorting out how I feel about going back and forth between
floats and integers.
I would expect this work and be a constexpr. But I get the same result
on clang. I looked into this a little bit.

constexpr boost::numeric::safe<int> j = 0; isn't constexpr either
because the "constexprness" is lost with literal values. For this reason
I created safe_signed_literal<0>

void f1(){
using namespace boost::numeric;
constexpr safe<int> j = 0;
constexpr safe<int> k = 3;
constexpr safe<int> l = j + k; // compile error
}

J + k can exceed the range of int and this can only be detected at
runtime. So l = j + k is not a constexpr expression.

For this I created safe_signed_literal<0> to be used in

constexpr boost::numeric::safe<int> j = safe_signed_literal<0>;

But this doesn't quite do it because in assignment to j = the
safe_signed_literal (with a range of [0,0]) get's transformed to a
variable with range of [0,65535].

then j + l has to include code
I don't think it's so much a matter of missing the tests but forgetting
the limitations of constexpr.
safe<short> = j returns at value with a compile time range of [0,65353].
So the range of 2 * j won't fit in a short any more and things will have
to be checked at runtime.

But if I use
safe_signed_literal<0> j;

it will be rendered as a std::int8_t with a range of [0,0]. Then the
range of j * j result in a safe_signed_range<0, 0, ...> which is known
at compile time to never overflow so run time checking is not necessary.

using expressions that start out with safe...literal will mean
expressions which are calculated using the smallest types possible -
faster code (usually) with no error checking required.

It's unfortunate that when safe<int> is constructed with literal values,
the result is not constexpr - the "constexpr" ness isn't transmitted to
literal function arguments. BUT we do have safe_literal which does
retain this information. The following examples should show how this works

// your example - doesn't work
void f1(){
using namespace boost::numeric;
constexpr safe<int> j = 0;
constexpr safe<int> k = 3;
constexpr safe<int> l = j + k; // compile error
}

// damn! - still doesn't work. intermediate values lose range
void f2(){
using namespace boost::numeric;
constexpr safe<int> j = boost::numeric::safe_signed_literal<0>();
constexpr safe<int> k = boost::numeric::safe_signed_literal<3>();
constexpr safe<int> l = j + k; // compile error
}

// damn! - safe literals by default have void policies so the
// binary operations require one operand to have one non-void
// policy of each type.

void f3(){
using namespace boost::numeric;
safe_signed_literal<0> j;
safe_signed_literal<3> k;
constexpr auto l = safe_signed_literal<3>();
constexpr const safe<int> l2 = j + k; // fails because no policies
}

// joy - smooth as silk - no interrupts and constexpr expression.
void f3(){
using namespace boost::numeric;
safe_signed_literal<0, native, trap_exception> j;
safe_signed_literal<3> k;
constexpr auto l = safe_signed_literal<3>();
constexpr const safe<int> l2 = j + k;
}

// auto can come in handy also!
void f4(){
using namespace boost::numeric;
constexpr auto j = safe_signed_literal<0, native, trap_exception>();
constexpr auto k = safe_signed_literal<3>();
constexpr auto l = j + k;
}
need more context to find this.
I used to have a lot of these. I boiled it down to a few that I
actually use in "utility.hpp" I think that there's a case for as small
boost library if type utilities but I don't think this is the place for it.
it's an implementation detail. Stephen has suggested that I use a
different name for this and I'm inclined to use bit_count.
Sounds too good to be true. Are you sure you tested it correctly - it
says type unsigned for the second test - I expect to see safe<unsigned>.
similar for the last test. I'm not sure what cpp_int means - is the
promotion policy?

If you had nothing else to do you could tweak the code a little to use
safe_..._range and/or safe_literal - maybe even automatic and constexpr
where possible. I would expect/hope this would yield a measurably
faster program. I have no idea how much effort this would consume.

BTY the "trap" exception policy is fun to experiment with - Really.
I do have an is_safe which is important but used only internally
base_type<T>::type does the job - used but not documented.
it is optimal. But you might not always know what the underlying type
is. See safe_..._range<MIN, MAX> which uses the smallest type that will
hold the range. Before you say anything about this - I considered using
the fastest but for no good reason I chose the smallest.
there is also
template<
class T,
T Min,
T Max,
class P,
class E
constexpr T base_value(
const safe_base<T, Min, Max, P, E> & st
) {
return static_cast<T>(st);
}

used internally but not documented. So you could easily say

safe<int> i = 42;
auto x = base_value(i); // returns integer 42
These are used extensively internally. I've specialized numeric_limits
for this purpose.

auto max = std::numeric_limits<safe<int>>::max(); // works as advertised.

so the following is very useful

auto max = std::numeric_limits<safe_signed_range<0,42>>::max();
max = 42
base_type<safe_signed_range<0,42>>::type returns uint8_t

I guess it would be interesting to make these official
I'll have a look
_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

The idea, I believe, is that if you have

safe_signed_range<0, 100> x;

and then you do

auto y = x * safe_signed_literal<2>();

you get safe_signed_range<0, 200> as the type of y. This could probably be
made less elaborate with a user-defined literal, for example

auto y = x * 2_sf;

or something like that.

Since x is not constexpr, it's not possible (I think) to achieve this result
without using a separate literal type to hold the compile-time constant 2.


_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

John,

I'm going through all the issues raised in the review of the safe
numerics library. I have to say I thought I was prepared but it turns
out that there have been many more problems than I realized. I actually
wonder how it got accepted. I presume its' because no one really
understands it. Anyway there are a couple of points which are
interesting to expand upon a little. I'm sending this via private email
since I don't know that it's that interesting for the list
The whole issue of bit wise operators has had to be rethought and
reimplemented. I think it's better now
I'm still not decided what behavior I want. There is tons of code like
float f = 1 and int j = 1.5f which I personally don't like and would
like to inhibit. I'm still going back and forth on this.
constexpr IS fully supported.
Hmmm - not understanding this.
constexpr safe<int8_t> x = 120; // includes runtime check that 120 < 127
Right.

But there are differences:
a) safe_unsigned_literal<n> is more like a safe_unsigned_range<n, n>.
It keeps the range around at compile time. So if you make an expression
like uint8_t x = 42 + safe_unsigned literal<42>
no checking code need be emitted because it can be known at compile time
that no overflow can ever occur.
but
constexpr uint8_t x = 242 + safe_unsigned literal<42>
should fail at compile time.

It's been suggested that safe_literal be replaces with just integral
constant. But

b) some traits like base_type and base_value are specialized for
safe_..._literal. Specializing these traits for integral_constants
might have some unanticipated and surprising consequences

c) making integral constants a "safe" type would also have unforseen
consequences.
right - fixed the whole exception functionality which solved a lot of
problems. It was ill conceived in the first place.
Hmmm - are you referring to the functions in utility.hpp ? I conjured
up/stole/borrowed from multiple places which In now don't recall. I
added them "as needed" I can't see anyone needed these in order to use
the safe numerics library. But I'm not sure that's what you need.
Boost has a bunch of this stuff sprinkled all over the place. It would
be nice to consolidate this in one coherent "library". I don't know if
you're suggesting this.
Hmmm - the boost version
file:///Users/robertramey/WorkingProjects/modular-boost/libs/integer/doc/html/boost_integer/log2.html
is called static_log2. But I'm not wedded to the name. I like my
version as it's a lot faster to compile
// the above this sort of unbelievable to me. I notice that the title
of the second test doesn't include the word "safe" so maybe there is
mistake. - I'm still investigating
// this also looks a little too good to be true - it also doesn't say safe.
I agree - the whole thing is sort of suspcious. Here are my times on my
apple machine -
Mac mini (Late 2012)
2.3 GHz Intel Core i7

Testing type unsigned:
time = 16.775
count = 1857858
Testing type safe<unsigned>:
time = 36.6576
count = 1857858
Testing type 32-bit cpp_int:
time = 41.4232
count = 1857858
Program ended with exit code: 0

These time seem to fall in between yours. It's sort of amazing that the
unsigned versions all report the almost exact same time
This is base_type<T>::type. It's described in the SafeNumeric concept
part of the manual
casting to the underlying type is a zero cost operation. it just
returns a reference to the value
there also exists base_value(s) which returns the value. Also described
in SafeNumeric Concept.
I addressed this by using numeric_limits. In the safe library, I don't
use std::is_signed. I use std::numeric_limits<?>::is_signed. This
works for safe types because I specialize numeric_limits for all safe types.

In the "backend" which handles the primitive operations "checked_result"
(outcome if you will). I use only the std::is_signed::value since the
back end only handles the primitive operations and not the safe ones.

I'm not convinced of the utility of make_signed in this context. In
safe numerics, any time we want to change the type of something, we have
to be sure we don't change it's arithmetic value. We'll get either a
runtime or compile time error if we do. So for this
static_cast<unsigned int>(x) where x is signed will work and be checked
at compile time if possible, runtime other wise. Note that casting is
constexpr so it can be done a compile time and still work.
I need more help understanding this.

safe<int> will be implicitly converted to any other integer type. This
of course is blessing and curse. I've gone back and forth on this. Now
I've figured out what I want to do. I'm going to leave the implicit
conversion in, but permit the error policy to trap it a compile time.
So I'll be creating an "explicit_static_cast<T>(t)" for those what want
to trap the implicit ones while permitting the explicit ones. The
situation I'm addressing is where one unintentionally looses the "safe"
attribute when passing as a safe value to an unsafe integer type. You'll