While I wasn't looking, [C23 has standardized checked integer arithmetic functions](https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3096.pdf#page=330), replacing the old "`__builtin_mul_overflow()`" compiler intrinsics that shipped with [GCC](https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html) and [Clang](https://clang.llvm.org/docs/LanguageExtensions.html#checked-arithmetic-builtins).

```
#include <stdckdint.h>
bool ckd_add(type1 *result, type2 a, type3 b);
bool ckd_sub(type1 *result, type2 a, type3 b);
bool ckd_mul(type1 *result, type2 a, type3 b);
```

The operations are performed equivalently to doing them in the mathematically reasonable way (as normal [integers in ℤ](https://en.wikipedia.org/wiki/Integer), not modulo-something), and then truncating them to fit into the `*result` integer.
The function returns `true` if the resulting value could not be represented in `*result`'s integer type.

To check for overflow of two integers `a` and `b`, define a variable for the calculation result and do:


```good
int result;
if (ckd_mul(&result, a, b)) {
  errx(1, "a * b overflow or wraparound");
}
```

These semantics remove having to worry of the unintuitive difference between (undefined) integer overflow and (well-defined) unsigned integer wraparound.
(The "arithmetic" ways for checking overflow/wraparound differ substantially for signed and unsigned integers, otherwise.)

The feature is available in:
[GCC 14+](https://gcc.gnu.org/projects/c-status.html#c23),
[Clang 18+](https://clang.llvm.org/c_status.html#c2x),
both released in Q2 2024.

## Further references

The [Integer section](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152052) of the SEI C Coding Standard wiki has some excellent guidance for correct overflow and wraparound checks, also for older compilers.
Specifically, these sections are:

 * [INT30-C. Ensure that unsigned integer operations do not wrap](https://wiki.sei.cmu.edu/confluence/display/c/INT30-C.+Ensure+that+unsigned+integer+operations+do+not+wrap)
 * [INT32-C. Ensure that operations on signed integers do not result in overflow](https://wiki.sei.cmu.edu/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow)

[David Svoboda](https://www.sei.cmu.edu/authors/david-svoboda/),
who is involved here,
is the same person who [proposed the extension to the C23
standard](https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2683.pdf).

[Jens Gustedt's
Blog](https://gustedt.wordpress.com/2022/12/18/checked-integer-arithmetic-in-the-prospect-of-c23/)
has a longer post on the topic as well with more practical examples
and a discussion of how to emulate the new interface based on the
older macros that GCC and LLVM offered before C23.

The `__builtin_mul_overflow()` macro and friends were introduced in
[GCC 5 (2015)](https://gcc.gnu.org/gcc-5/changes.html)
and [Clang 3.4 (2014)](https://releases.llvm.org/3.4/tools/clang/docs/ReleaseNotes.html#c-language-changes-in-clang).