Clang and GCC both implement it for both signed and unsigned integer overflow. It's not a hard sell to them. It's impractical to use it for unsigned overflow largely because it's well-defined and there are lots of intended overflows that are not actually bugs in the software.
The standard permitting trapping on signed overflow for portable C code is useful regardless of what compilers do by default. A safer language would not only have memory / type safety but would consider integer overflow to be a bug unless marked as intended (Swift and Rust).
Considering it to be a bug doesn't mean that it actually MUST trap in production, but that it CAN trap. It should always trap in debug builds, and trapping in production is an option based on performance and availability vs. correctness decisions. It's a better approach.
In Rust, both signed and unsigned integer overflow is always considered a bug. Intended overflows need to be marked and it supports wrapping for both signed and unsigned via the appropriate APIs. It traps for unintended overflows in debug builds by default and can in production.
What's your disagreement with Rust's overflow behavior?
It gives you the option when that's what you want. Why would you want that to be the default?
But that's just rephrasing the question. Why would you define int math that way? Is it due to concern about unexpected traps escalating a system failure, like the one that destroyed the first Ariane 5?
Rust gives you a choice about how you handle these bugs in production though. You aren't forced to trap, and code can be written to handle panics within processes if it's built with unwinding support. It just draws a clear line between intended and unintended overflows.
It has full support for wrapping on overflow. It just has to be done with the appropriate methods. Intended overflow is rare, so those are rarely used in practice. On the other hand, the checked overflow methods are fairly widely used, for handling the overflow failure easily.
Essentially all it does is force clear marking of intended overflows, which is great. It also has full support for wrapping signed integers, unlike C. If you want, you can define your own types that wrap with the default operators for syntactic sugar if you need a lot of it.
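The distinction the replies above draw between unintended overflow (handled with the checked methods), intended modular arithmetic (the wrapping methods), and a wrapper type that gives `+` wrapping semantics, shown as an added Rust example. This is not code from any participant in the thread; the function names `total_len`, `hash_step`, `signed_wrap` and the `WrapI32` newtype are illustrative names chosen here.

```rust
use std::ops::Add;

/// Unintended overflow treated as an error: a length computation on
/// untrusted input uses `checked_add`, so an overflow becomes a handled
/// `Err` instead of a silently wrapped (too small) buffer size.
fn total_len(payload_len: u32, header_len: u32) -> Result<u32, String> {
    payload_len
        .checked_add(header_len)
        .ok_or_else(|| format!("length overflow: {} + {}", payload_len, header_len))
}

/// Intended overflow, marked at the call site: a toy hash step that is
/// meant to be modular arithmetic, so `wrapping_*` is the right tool.
fn hash_step(state: u32, byte: u8) -> u32 {
    state.wrapping_mul(31).wrapping_add(byte as u32)
}

/// Signed wrap-around is well defined in Rust (unlike C's undefined
/// behaviour); `overflowing_add` returns the wrapped value and a flag.
fn signed_wrap(a: i32, b: i32) -> (i32, bool) {
    a.overflowing_add(b)
}

/// A newtype (hypothetical name) that gives the plain `+` operator
/// wrapping semantics, for code that does a lot of intended wrapping.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct WrapI32(i32);

impl Add for WrapI32 {
    type Output = WrapI32;
    fn add(self, rhs: WrapI32) -> WrapI32 {
        WrapI32(self.0.wrapping_add(rhs.0))
    }
}

fn main() {
    // Constructed inputs: a header size that pushes the total past u32::MAX.
    match total_len(u32::MAX, 1) {
        Ok(n) => println!("total length {}", n),
        Err(e) => println!("rejected: {}", e),
    }
    println!("hash_step(u32::MAX, 0x20) = {}", hash_step(u32::MAX, 0x20));
    println!("signed_wrap(i32::MAX, 1) = {:?}", signed_wrap(i32::MAX, 1));
    println!("WrapI32(i32::MAX) + WrapI32(1) = {:?}", WrapI32(i32::MAX) + WrapI32(1));
}
```

Plain `a + b` on the built-in integer types is the unmarked case: it panics on overflow in debug builds and, unless overflow checks are enabled for release, wraps there, which is why `total_len` does not rely on it. The standard library already ships `std::num::Wrapping<T>` for the newtype pattern above, so a hand-written wrapper is only needed when you want different behaviour or extra methods.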