base/safe_numerics.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef BASE_SAFE_NUMERICS_H_
   6 #define BASE_SAFE_NUMERICS_H_
   7
   8 #include <limits>
   9
  10 #include "base/logging.h"
  11
  12 namespace base {
  13 namespace internal {
  14
  15 template <bool SameSize, bool DestLarger,
  16           bool DestIsSigned, bool SourceIsSigned>
  17 struct IsValidNumericCastImpl;
  18
  19 #define BASE_NUMERIC_CAST_CASE_SPECIALIZATION(A, B, C, D, Code) \
  20 template <> struct IsValidNumericCastImpl<A, B, C, D> { \
  21   template <class Source, class DestBounds> static inline bool Test( \
  22       Source source, DestBounds min, DestBounds max) { \
  23     return Code; \
  24   } \
  25 }
  26
  27 #define BASE_NUMERIC_CAST_CASE_SAME_SIZE(DestSigned, SourceSigned, Code) \
  28   BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
  29       true, true, DestSigned, SourceSigned, Code); \
  30   BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
  31       true, false, DestSigned, SourceSigned, Code)
  32
  33 #define BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(DestSigned, SourceSigned, Code) \
  34   BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
  35       false, false, DestSigned, SourceSigned, Code); \
  36
  37 #define BASE_NUMERIC_CAST_CASE_DEST_LARGER(DestSigned, SourceSigned, Code) \
  38   BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
  39       false, true, DestSigned, SourceSigned, Code); \
  40
  41 // The three top level cases are:
  42 // - Same size
  43 // - Source larger
  44 // - Dest larger
  45 // And for each of those three cases, we handle the 4 different possibilities
  46 // of signed and unsigned. This gives 12 cases to handle, which we enumerate
  47 // below.
  48 //
  49 // The last argument in each of the macros is the actual comparison code. It
  50 // has three arguments available, source (the value), and min/max which are
  51 // the ranges of the destination.
  52
  53
  54 // These are the cases where both types have the same size.
  55
  56 // Both signed.
  57 BASE_NUMERIC_CAST_CASE_SAME_SIZE(true, true, true);
  58 // Both unsigned.
  59 BASE_NUMERIC_CAST_CASE_SAME_SIZE(false, false, true);
  60 // Dest unsigned, Source signed.
  61 BASE_NUMERIC_CAST_CASE_SAME_SIZE(false, true, source >= 0);
  62 // Dest signed, Source unsigned.
  63 // This cast is OK because Dest's max must be less than Source's.
  64 BASE_NUMERIC_CAST_CASE_SAME_SIZE(true, false,
  65                                  source <= static_cast<Source>(max));
  66
  67
  68 // These are the cases where Source is larger.
  69
  70 // Both unsigned.
  71 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(false, false, source <= max);
  72 // Both signed.
  73 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(true, true,
  74                                      source >= min && source <= max);
  75 // Dest is unsigned, Source is signed.
  76 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(false, true,
  77                                      source >= 0 && source <= max);
  78 // Dest is signed, Source is unsigned.
  79 // This cast is OK because Dest's max must be less than Source's.
  80 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(true, false,
  81                                      source <= static_cast<Source>(max));
  82
  83
  84 // These are the cases where Dest is larger.
  85
  86 // Both unsigned.
  87 BASE_NUMERIC_CAST_CASE_DEST_LARGER(false, false, true);
  88 // Both signed.
  89 BASE_NUMERIC_CAST_CASE_DEST_LARGER(true, true, true);
  90 // Dest is unsigned, Source is signed.
  91 BASE_NUMERIC_CAST_CASE_DEST_LARGER(false, true, source >= 0);
  92 // Dest is signed, Source is unsigned.
  93 BASE_NUMERIC_CAST_CASE_DEST_LARGER(true, false, true);
  94
  95 #undef BASE_NUMERIC_CAST_CASE_SPECIALIZATION
  96 #undef BASE_NUMERIC_CAST_CASE_SAME_SIZE
  97 #undef BASE_NUMERIC_CAST_CASE_SOURCE_LARGER
  98 #undef BASE_NUMERIC_CAST_CASE_DEST_LARGER
  99
 100
 101 // The main test for whether the conversion will under or overflow.
 102 template <class Dest, class Source>
 103 inline bool IsValidNumericCast(Source source) {
 104   typedef std::numeric_limits<Source> SourceLimits;
 105   typedef std::numeric_limits<Dest> DestLimits;
 106   COMPILE_ASSERT(SourceLimits::is_specialized, argument_must_be_numeric);
 107   COMPILE_ASSERT(SourceLimits::is_integer, argument_must_be_integral);
 108   COMPILE_ASSERT(DestLimits::is_specialized, result_must_be_numeric);
 109   COMPILE_ASSERT(DestLimits::is_integer, result_must_be_integral);
 110
 111   return IsValidNumericCastImpl<
 112       sizeof(Dest) == sizeof(Source),
 113       (sizeof(Dest) > sizeof(Source)),
 114       DestLimits::is_signed,
 115       SourceLimits::is_signed>::Test(
 116           source,
 117           DestLimits::min(),
 118           DestLimits::max());
 119 }
 120
 121 }  // namespace internal
 122
 123 // checked_numeric_cast<> is analogous to static_cast<> for numeric types,
 124 // except that it CHECKs that the specified numeric conversion will not
 125 // overflow or underflow. Floating point arguments are not currently allowed
 126 // (this is COMPILE_ASSERTd), though this could be supported if necessary.
 127 template <class Dest, class Source>
 128 inline Dest checked_numeric_cast(Source source) {
 129   CHECK(internal::IsValidNumericCast<Dest>(source));
 130   return static_cast<Dest>(source);
 131 }
 132
 133 }  // namespace base
 134
 135 #endif  // BASE_SAFE_NUMERICS_H_