Comparing two numbers should be easy right? Maybe it should, yet it’s not the case in C++ even if we constrain the comparison to the domain of integral numbers.
If you try to compare a signed with an unsigned integer there are several possible outcomes. It might actually work and you will never know what you risked. Maybe it will not work as you expected and you’ll spend quite some time scratching your head about what just happened. It’s also possible that it will not work according to your expectation but it will go unnoticed.
Another option is that you get a compiler warning either by specifically turning on -Wsign-compare or -Wextra. If it’s combined with -Werror, the compilation will even break and you must fix it. In this and the coming two articles, we are going to talk about integer comparisons.
Let’s start by checking a bit deeper what can go wrong and then we walk through in detail the C++20 solution.
The problem of comparing a signed with an unsigned
What are integral types in C++?
There are quite a few of them: bool, char, char8_t, char16_t, char32_t, short, int, long, long long, and the unsigned versions of them. Let’s put aside that we can also cv qualify them and that there are a big bunch of implementation-defined types such as uint32_t et al.
Even though these are all integrals, bool and char types are not meant to store numbers. We are limiting our focus to short, int, long, long long and their unsigned versions.
If you take the signed and unsigned versions of the same type, they are going to occupy the same size in memory. For example, both a short and an unsigned short will need 2 bytes. 2 bytes give us 2**16 possibilities, 2**16 different values to store. Therefore the range of a short is from -2**8 to 2**8-1, while the range of an unsigned short is from 0 to 2**16-1.
The bitwise representations of -1 and 4294967295 are the same, but depending on how those two bytes are flagged, their interpretation will be different. Unsigned integers can only carry non-negative numbers, therefore there is no need to reserve a bit for the sign. The least significant bit represents 2^0, the next one 2^1, then 2^2 and so on.
On the other hand, a signed integer can hold both negative and positive numbers. To be able to represent all of them, it uses the two’s complement form.
- The most significant bit represents the sign (0 for positive, 1 for negative numbers)
- To convert a positive value to its negative counterpart, you invert all the bits and then add 1
But what does this mean in practice?
If you try to interpret -1 as an unsigned int - assuming a 4-byte size - the result will be something big, in this case 4294967295. -1 is represented as 111111111’111111111’111111111’111111111 in memory. The first byte shows that we deal with a negative value, then we have to negate everything bitwise and subtract -1 to get the value it stores. By negating bitwise we get 0 and if we subtract -1 we are at -1.
But if 111111111'111111111'111111111'111111111 is treated as an unsigned number we simply get the biggest possible positive number that can be represented on 32 bits.
This also means that big enough unsigned numbers cannot be represented in 2’s complement form given that the size of the variable stays the same. It’s straightforward given that there is one bit reserved to store the sign of the stored number.
This difference in representation makes it potentially unsafe to compare signed and unsigned numbers to each other.
To put in code the above, unless you use -Werror the below will compile. If you don’t use -Wextra or -Wsign-compare you won’t even get a warning.
1
2
3
4
5
6
7
8
9
int main() {
static_assert(static_cast<unsigned int>(-1) > 42);
constexpr int n = -1;
constexpr size_t m = 42;
static_assert(n > m);
return 0;
}
The modern solution
C++20 introduced the so-called “intcmp” functions in the <utility> header to provide a safe way to compare signed and unsigned integers and at the same time get mathematically reasonable results. In other words, they will treat -1 smaller than any non-negative number.
First, let’s see what are the available functions and what are their meaning:
| Function | Meaning |
|---|---|
| std::cmp_equal(n, m) | n == m |
| std::cmp_not_equal(n, m) | n != m |
| std::cmp_less(n, m) | n < m |
| std::cmp_greater(n, m) | n > m |
| std::cmp_less_equal(n, m) | n <= m |
| std::cmp_greater_equal(n, m) | n >= m |
This means that when reading out the function name the relation such as “less” is always compared to the first first parameter. The first parameter is less than or greater than the second.
While these functions are only available since C++20, they are easy to backport as they require no new language features (C++17 suffices) and the reference implementation on C++ Reference is good enough.
Let me first put here the code and then let’s go through it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
/*
Template parameters T and U should be numbers that we can ensure both with concepts or with static assertions
*/
template<class T, class U>
constexpr bool cmp_equal(T t, U u) noexcept
{
if constexpr (std::is_signed_v<T> == std::is_signed_v<U>)
return t == u;
else if constexpr (std::is_signed_v<T>)
return t >= 0 && std::make_unsigned_t<T>(t) == u;
else
return u >= 0 && std::make_unsigned_t<U>(u) == t;
}
template<class T, class U>
constexpr bool cmp_not_equal(T t, U u) noexcept
{
return !cmp_equal(t, u);
}
template<class T, class U>
constexpr bool cmp_less(T t, U u) noexcept
{
if constexpr (std::is_signed_v<T> == std::is_signed_v<U>)
return t < u;
else if constexpr (std::is_signed_v<T>)
return t < 0 || std::make_unsigned_t<T>(t) < u;
else
return u >= 0 && t < std::make_unsigned_t<U>(u);
}
template<class T, class U>
constexpr bool cmp_greater(T t, U u) noexcept
{
return cmp_less(u, t);
}
template<class T, class U>
constexpr bool cmp_less_equal(T t, U u) noexcept
{
return !cmp_less(u, t);
}
template<class T, class U>
constexpr bool cmp_greater_equal(T t, U u) noexcept
{
return !cmp_less(t, u);
}
We only have to understand cmp_equal and cmp_less as the rest is implemented with the help of these two.
cmp_equal
Let’s repeat the reference implementation of cmp_equal:
1
2
3
4
5
6
7
8
9
10
template<class T, class U>
constexpr bool cmp_equal(T t, U u) noexcept
{
if constexpr (std::is_signed_v<T> == std::is_signed_v<U>)
return t == u;
else if constexpr (std::is_signed_v<T>)
return t >= 0 && std::make_unsigned_t<T>(t) == u;
else
return u >= 0 && std::make_unsigned_t<U>(u) == t;
}
What we first see when we look at the function is that we use type traits to decide how to perform a comparison:
- if both numbers are signed or both are unsigned, then we simply check if they are equal or not
- if only the first parameter is a signed number then we check if it’s non-negative and by casting it to an unsigned type does that equal to the second value
- if only the second parameter is a signed number, we do the same thing as in the previous case, just by replacing the role of the two parameters.
Let’s play with these a bit, what do they mean in practice?
Let’s ignore the case when we pass two numbers with the same signedness.
If we compare int{-5} and unsigned int{5}, we go to the second branch and we fail on the first condition as t is a negative number.
What happens if we pass int{5} and unsigned int {5}. We go to the second branch and the first condition evaluates to true. If we cast int{5} to unsigned int, it will keep its value and we can safely check if they are equal.
If we swap the two parameters, we could observe the same set of events.
Let’s go to cmp_less, it’s probably more interesting.
cmp_less
Let’s put here the reference implementation as a reminder:
1
2
3
4
5
6
7
8
9
10
template<class T, class U>
constexpr bool cmp_less(T t, U u) noexcept
{
if constexpr (std::is_signed_v<T> == std::is_signed_v<U>)
return t < u;
else if constexpr (std::is_signed_v<T>)
return t < 0 || std::make_unsigned_t<T>(t) < u;
else
return u >= 0 && t < std::make_unsigned_t<U>(u);
}
Again, at first glance, we can see that we have three compile-time if branches based on the signedness of the two parameters.
- If both are signed or if both are unsigned, we do a simple comparison
- If only the first one is signed, we check whether it’s a negative number or(!) if we cast it to the unsigned version, is it smaller than
u - If only the second parameter is signed, then we check whether it’s positive and if it is, then we cast it to unsigned and check if it’s bigger than
t
This implementation is interesting because the second and third branches follow a different logic.
Let’s go through them step by step.
If we compare int{-5} and unsigned int{5}, we go to the second branch. t’s type is signed and its value is negative, so we know that it must be smaller than any u as it’s an unsigned value, it cannot be negative. We can stop there, we know that t < u.
If we compare int{5} and unsigned int {5}, we still go to the second branch, but as t is non-negative, we can safely cast to its unsigned type and compare it to u.
If we compare unsigned int{5} to int{-5}, we go to the third branch. We check if u is non-negative, but it’s not, so we can stop there because we know that t which is unsigned in that case, must be greater.
If we compare unsigned int{5} and int {5}, we go again to the second branch. As u is positive, we can safely cast it to its unsigned type and compare it to t.
This implementation is safe, smart and correct. And if you go it through and take the time to understand it, it’s also straightforward. But it also shows that probably if you try to do this every time on your own, there is a fair chance that you’ll make some mistakes so it’s better to use the standard version now that we have one.
Conclusion
In this article, we saw why it’s error-prone to compare two integral numbers with differently signed types and how the same bitwise representations can be interpreted as two completely different numbers. Then we saw that C++20’s intcmp utilities solve this issue and we also had a deep dive into the implementation of these new utility functions.
Comparing integers with different signs is not simply error-prone, but depending on your compilation settings it might also emit warnings or even errors. In the next two articles, I’ll share with you what are the most common and most horrendous violations I’ve seen so far while I was trying to remove such warnings over the last few years.
Stay tuned.
Connect deeper
If you liked this article, please
- hit on the like button,
- subscribe to my newsletter
- and let’s connect on Twitter!
