# Ordering Numbers, How Hard Can It Be?

Suppose that you are a programmer, and that you have two numbers. You want to know which number, if any, is larger. Now, if both numbers have the same type, the solution is trivial in almost any programming language. Usually there is even a dedicated operator, <=, for this operation. For example, in Python:

>>> "120" <= "1132"
False


Oh. Well technically those are strings, not numbers, which typically are lexicographically sorted. Then again, they are numbers, just represented using strings. This may seem silly but it’s actually a common problem in user interfaces, e.g. a list of files. This is why you want to zero-pad your numeric filenames (frame-00001.png), or use lexicographically order-preserving representations, such as ISO 8601 for dates.

But I digress, let’s assume our numbers really are represented using numeric types. Then indeed it is easy, and <= just works:

>>> 120 <= 1132
True


Or does it?

## Mixed-type integer comparisons

What if the two numbers you are comparing do not have the same type? Your first approach might be to just use <= anyway, for example in C++:

std::cout << ((-1) <= 1u) << "\n";  // Outputs 0.


Oh. C++ automatically promoted -1 to an unsigned int which caused it to wrap around to the maximum value (which is obviously bigger than 1). Well at least a modern compiler will warn you by default, right?

$g++ -std=c++20 main.cpp && ./a.out 0  Great. Yet another reason you should not forget to turn on warnings (-Wall -pedantic). Let’s try Rust: let x: i32 = -1; let y: u32 = 1; println!("{:?}", x <= y);  error[E0308]: mismatched types --> src/main.rs:4:22 | 4 | println!("{:?}", x <= y); | ^ expected i32, found u32 | help: you can convert a u32 to an i32 and panic if the converted value doesn't fit  Well at least it doesn’t silently miscompile… The suggested solution is horrible though. There’s no reason to panic at all. The most efficient solution here is to promote both values to a type that is a superset of both. For example: println!("{:?}", (x as i64) <= (y as i64)); // Outputs true.  But what if there’s no type that’s a superset of both? At least for integer types this is not a problem. For example there is no type in Rust that is a superset of i128 and u128. But we do know that an i128 fits in an u128 if it is non-negative, and if it is negative, it is always smaller: fn less_eq(x: i128, y: u128) -> bool { if x <= 0 { true } else { x as u128 <= y } }  All of this is quite error prone, and frankly annoying. Cross-integer type comparisons are always cheap, so I don’t see a good reason why the compiler doesn’t automatically generate the above code. For example on Apple ARM the above for i64 <= u64 compiles to three instructions: example::less_eq: cmp x0, #1 ccmp x0, x1, #0, ge cset w0, ls ret  We really should automatically be doing the right thing here, instead of pushing people to hand-written conversions that may or may not be correct, or worse, silently generating wrong code. C++20 at least introduced new integer comparison functions for cross-type integer comparisons, but the regular comparison operators are still just as dangerous. ## Floating point numbers are exact Before we dive into mixed-type floating point comparisons, we have to do a quick refresher on what floating point is. When I say floating-point, I mean the binary floating point numbers defined in the IEEE 754 standard, in particular binary32 (also known as f32 or float), and binary64 (also known as f64 or double). The latest version of the standard has DOI 10.1109/IEEESTD.2019.8766229. ### IEEE 754 refresher This floating point format has various warts, but the reality is that the machine you’re reading this on almost surely uses it as its native floating point implementation. In this format a number consists of one sign bit,$w$exponent bits and$t$trailing mantissa bits. For f32 we have$w = 8$and$t = 23$, for f64 we have$w = 11, t = 52$. There is also an exponent bias$b$, which is$127$for f32 and$1023$for f64, which is used to get negative exponents. To decode a floating point number (ignoring NaNs and infinities), we first look at our$1 + w + t$bits and decode three unsigned binary integers$s$,$e$and$m$: Then, if$e = 0$the value of our number is \begin{equation}f = {(-1)}^s \times 2^{e - b + 1} \times (0 + m / 2^t),\end{equation} otherwise it is \begin{equation}f = {(-1)}^s \times 2^{e - b} \times (1 + m / 2^t).\end{equation} This is why they’re called trailing mantissa bits: the first digit of the mantissa is determined by the exponent. When the exponent field is zero (before applying the bias), the mantissa starts with a$0$, otherwise it starts with a$1$. When the mantissa starts with a$0$we call it a subnormal number. They are important because they close the otherwise relatively large gap between zero and the first floating point number. A nice way to get a feeling for all this is by playing around with the Float Toy app. ### Imprecision Now that we know all of the above, I want to explicitly state the following: IEEE 754 floating point types define a set of exact numbers. There is no ambiguity (except two representations for zero,$+0$and$-0$), nor is there a loss of precision, fuzziness, interval representations, etc. For example,$1.0$is represented exactly by the f32 with value 0x3f800000, and the next bigger f32 is 0x3f800001 with value $${(-1)}^0 \times 2^0 \times (1 + 1 / 2^{23}) = 1.00000011920928955078125.$$ For example in Rust: println!("{}", f32::from_bits(0x3f800001)); 1.0000001  Oh. Did I lie? No, it is Rust who lies: let full = format!("{:.1000}", f32::from_bits(0x3f800001)); println!("{}", full.trim_end_matches('0')); 1.00000011920928955078125  This is not a bug or an accident. Rust—and most programming languages in fact—only try to print as few digits as possible to guarantee the round-trip is correct. And indeed: println!("0x{:x}", "1.0000001".parse::<f32>().unwrap().to_bits()); 0x3f800001  However, this has some nasty implications, if you then parse the number as a more precise type: "1.0000001".parse::<f64>().unwrap() == 1.00000011920928955078125 false  Mind you that$1.00000011920928955078125$is exactly representable as both a f32 and f64 (because f32 is a strict subset of f64), yet you lose precision by printing as an f32 and parsing as an f64. The reason is that while 1.0000001 is the shortest decimal number that rounds to$1.00000011920928955078125$in the f32 floating point format, it rounds to $$1.0000001000000000583867176828789524734020233154296875$$ instead in the f64 format. Ironically, in this case it is more accurate to parse as an f32 and then convert to f64, because Rust guarantees the round-trip correctness: "1.0000001".parse::<f32>().unwrap() as f64 == 1.00000011920928955078125 true  So f32 -> f64 is lossless, as is f32 -> String -> f32 -> f64. But f32 -> String -> f64 loses precision. It is vital to understand the above, to be able to investigate and debug floating point problems. Programming languages will silently round a floating point number to the nearest representable number when you write a number in your source code, silently round it when parsing, and silently round it when printing. The way these languages round differs, and it can even differ depending on the type in question. At every step of the way you are potentially being lied to. Given how much silent rounding occurs, I do not blame you if you got the impression that floating point is ‘fuzzy’. It provides the illusion of having a ‘real number’ type. But in reality the underlying numbers are an exact, finite set of numbers. ## Mixed-type floating point comparisons Why do I place so much emphasis on the exactness of the IEEE 754 floating point numbers? Because it means that (aside from NaNs), the comparison of integers and floats is also unambiguously well-defined. They are both, after, all, exact numbers placed on the real number line. Before reading on, I challenge you: try to write a correct implementation of the following function: /// x <= y fn is_less_eq(x: i64, y: f64) -> bool { todo!() }  If you want to try in Rust, I wrote a (non-exhaustive) set of tests on the Rust playground you can plug your implementation into, which might show you an input that fails. If you want to try it in a different language, remember that the programming language might lie to you by default! For example: let x: i64 = 1 << 58; let y: f64 = x as f64; // 2^58, exactly representable. println!("{x} <= {y}: {}", x as f64 <= y); 288230376151711744 <= 288230376151711740: true  This may look like a bad comparison or conversion from i64 to f64, but it isn’t. The problem lies entirely in the rounding during formatting. The main difficulty lies in the fact that for many type combinations (e.g. i64 and f64) there does not exist a native type in the programming language that is a superset of both. For example,$2^{1000}$is exactly representable as an f64 but not i64. And$2^{53} + 1$is exactly representable in i64 but not f64. So we can’t simply convert one to the other and be done with, yet that is what many people do. In fact, it’s so common ChatGPT has learned to do so: Our above test framework shows that x as f64 <= y fails because we find that 9007199254740993 as f64 <= 9007199254740992.0  which is obviously wrong. The problem is that 9007199254740993 (which is$2^{53}+1$) is not representable as f64, and gets rounded to$2^{53}$, after which the comparison succeeds. ### The correct implementation for i64 <= f64 The trick for implementing$i \leq f$correctly is to perform the operation in the integer domain after rounding the floating point number down to the nearest integer, as for integer$i$we have $$i \leq f \iff i \leq \lfloor f \rfloor.$$ We need not worry that rounding a float up or down to the nearest integer goes wrong and skips an integer, because for IEEE 754 the floor / ceil functions are exact. This is because in the part of the number line where IEEE 754 floats are fractional it is also dense in the integers. We still have to worry about our floating point value not fitting in our integer type. Luckily when that happens our comparison is trivial. Unluckily, our integer types have a different range in the negative and positive domains, so we still have to be a bit careful, especially because we can not compare with$2^{63} - 1$(the maximum i64 value) in the float domain. fn is_less_eq(x: i64, y: f64) -> bool { if y.is_nan() { return false; } if y >= 9223372036854775808.0 { // 2^63 true // y is always bigger. } else if y >= -9223372036854775808.0 { // -2^63 x <= y.floor() as i64 // y is in [-2^63, 2^63) } else { false // y is always smaller. } }  You might think you can get away without the floor as we convert to integer immediately after. Alas, as i64 rounds towards zero, but we need to round towards negative infinity or else we will end up claiming -1 <= -1.5. ### Generalizing Ok, we can compare$i \leq f$. What about$i \geq f$? We can’t re-use the same implementation by swapping the order of the arguments because their types are different. We can however make a new implementation from scratch applying the same principle, but we must use ceil instead of floor: $$i \geq f \iff i \geq \lceil f \rceil.$$ fn is_greater_eq(x: i64, y: f64) -> bool { if y.is_nan() { return false; } if y >= 9223372036854775808.0 { // 2^63 false // y is always bigger. } else if y >= -9223372036854775808.0 { // -2^63 x >= y.ceil() as i64 // y is in [-2^63, 2^63) } else { true // y is always smaller. } }  What if we want strict inequality? Now our floor/ceil trick introduces problems surrounding equality. One way to solve this is with a separate check for equality in the integer domain followed by inequality in the float domain: fn is_less(x: i64, y: f64) -> bool { if y.is_nan() { return false; } if y >= 9223372036854775808.0 { // 2^63 true } else if y >= -9223372036854775808.0 { // -2^63 let yf = y.floor(); // y is in [-2^63, 2^63) let yfi = yf as i64; x < yfi || x == yfi && yf < y } else { false } }  You get the point. There might be a more clever and/or efficient way to do this, but at least this works. Update on 2023-02-07: Pavel Mayorov contacted me with a suggestion for a more efficient version of inequality. It works on the observation that for integer$i$we have $$i < f \iff i < \lceil f \rceil.$$ That is, instead of flooring for$\leq$we use ceiling for$<\$.

fn is_less(x: i64, y: f64) -> bool {
if y.is_nan() { return false; }
if y >= 9223372036854775808.0 { // 2^63
true
} else if y >= -9223372036854775808.0 { // -2^63
x < y.ceil() as i64 // y is in [-2^63, 2^63)
} else {
false
}
}


## Conclusion

So, ordering numbers, how hard can it be? Pretty damn hard I would say, if your language does not support it natively. From challenging a variety of people to write a correct implementation of is_less_eq, no one gets it right on their first try. And that’s after already explicitly being told that the challenge is to do it correctly for all inputs. I quote the Python standard library: “comparison is pretty much a nightmare.”

Of all the languages I looked at that have distinct integer and floating point types, Python, Julia, Ruby and Go get this right. Good job! Some warn you or disallow cross-type comparisons by default, but Kotlin for example will straight up tell you that 9007199254740993 <= 9007199254740992.0 is true.

For Rust I’ve made the num-ord crate for now that allows you to compare any two built-in numeric types correctly. But I would love to see it (and others) adopt an approach where this is done right natively. Because if it isn’t people have to do it correctly themselves, which they won’t.