Hi Everyone,
This is to inform you that safe_numerics library by Robert Ramey is
*CONDITIONALLY
ACCEPTED* to Boost. The list of conditions can be found down below.
I would like to congratulate Robert for getting the library into Boost, and
thank him for the effort to develop a useful library for the community. I
also would like to thank everyone who participated in the review and shared
their useful feedback.
I recorded five reviews with a yes/no vote:
- Paul A. Bristow (yes with conditions)
- Steven Watanabe (yes with conditions)
- John Maddock (yes with conditions)
- Antony Polukhin (yes)
- Barrett Adair (yes)
And three without a vote:
- Vicente J. Botet Escriba
- John McFarlane
- Peter Dimov
We also got some feedback from an individual nicknamed "scatters" at Reddit
(https://www.reddit.com/r/cpp/comments/5x1z67/boostsafe_
numerics_formal_review_starts_today/deew1kq/), and from Tomasz Kaminski in
private conversation.
There was a general consensus that the problem of surprises with C++ ints
deserves a solution. Some people observed that there are other ways to
approach the same problem, but it was agreed that the approach taken by
safe_numerics is sound.
The acceptance conditions mostly revolve around documenting micro-decisions
made by the library, and fixing bugs. They apply to the reviewed GIT commit
3bcfabe1cafb8ef6edf08d3bd8730a1555b1c45d, but I know Robert is already
working on fixing them, and has most of them fixed locally.
*Acceptance conditions:*
- Comply with Boost formal requirements:
1. index.html in root directory that redirects to doc/.
2. all headers in folder include/boost/numeric/.
3. Macro safe_literal: either remove it or let it follow Boost macro
naming conventions: BOOST_NUMERIC_SAFE_LITERAL().
- Automatic promotion policy: either just remove it, or fix it so that:
- it can see the range of safe_base in order to allow for slower
increase in sizeof(),
- it is clear from documentation how the promotion mechanism works.
- in particular, what type gets selected for bit-wise operators &, |
- The division bug (see below) is fixed.
- Decide and document up front how the library addresses each of the
following different situations:
- overflow upon arithmetical operation,
- unexpected promotion to unsigned when comparing signed with
unsigned number,
- arithmetic operation on unsigned int with negative value versus a
signed value (-1 + 1u).
- bit-wise operation on negative signed integers (unless they are
removed), or that would produce one as the result.
- division by zero,
- operations upon default-constructed int type with indeterminate
value,
- conversion from float to int, when float contains non-integral
value.
- conversion from float to int, when float contains an integral value
that would overflow upon native conversion
- operator% where one operand is negative (for native ints it is
implementaiton-defined)
- leftshift by 32 bits (on 32-bit int)
- Decide and document what safe's default constructor does.
- Document upon which operations safe<> throws exceptions (or, signals
arithmetic error at run-time). IOW, document in which cases safe<> never
throws exceptions (signals run-time failure) because it is able to say that
the operation will always succeed.
- Document what happens when you invoke an operation on two instances of
safe<> with different policies.
- Resolve name conflict with interval, which already exists in namespace
boost::numeric::interval. Either use a different namespace or a different
name.
- Remove anonymous namespaces from the header files. Use namespace
detail and inline functions instead.
- Improve test cases, so that they also check if numeric values of
computations are correct (not only whether an operation throws or not).
- Use enable_if (or similar) tricks to constrain the overload resolution
for your arithmetical operations, so that they only work for numeric types
rather than "any type T".
- Fix the division bug:
safe