| blob | 050cef8ed8e4e7c74425fc5ad2f97e7c244704a3 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Provides checked integers, detecting integer overflow and divide-by-0. */
9 #ifndef mozilla_CheckedInt_h
10 #define mozilla_CheckedInt_h
12 // Enable relying of Mozilla's MFBT for possibly-available C++11 features
13 #define MOZ_CHECKEDINT_USE_MFBT
15 #include <stdint.h>
17 #ifdef MOZ_CHECKEDINT_USE_MFBT
19 #else
20 # include <cassert>
21 # define MOZ_ASSERT(cond, reason) assert((cond) && reason)
22 # define MOZ_DELETE
23 #endif
25 #include <climits>
26 #include <cstddef>
34 /*
35 * Step 1: manually record supported types
36 *
37 * What's nontrivial here is that there are different families of integer
38 * types: basic integer types and stdint types. It is merrily undefined which
39 * types from one family may be just typedefs for a type from another family.
40 *
41 * For example, on GCC 4.6, aside from the basic integer types, the only other
42 * type that isn't just a typedef for some of them, is int8_t.
43 */
48 struct IsSupportedPass2
49 {
51 };
54 struct IsSupported
55 {
57 };
136 /*
137 * Step 2: some integer-traits kind of stuff.
138 */
141 struct StdintTypeForSizeAndSignedness
142 {};
177 struct UnsignedType
178 {
181 };
184 struct IsSigned
185 {
187 };
190 struct TwiceBiggerType
191 {
196 };
200 {
202 };
205 struct PositionOfSignBit
206 {
208 };
211 struct MinValue
212 {
218 // Bitwise ops may return a larger type, that's why we cast explicitly.
219 // In C++, left bit shifts on signed values is undefined by the standard
220 // unless the shifted value is representable.
221 // Notice that signed-to-unsigned conversions are always well-defined in
222 // the standard as the value congruent to 2**n, as expected. By contrast,
223 // unsigned-to-signed is only well-defined if the value is representable.
228 };
231 struct MaxValue
232 {
233 // Tricksy, but covered by the unit test.
234 // Relies heavily on the type of MinValue<IntegerType>::value
235 // being IntegerType.
237 };
239 /*
240 * Step 3: Implement the actual validity checks.
241 *
242 * Ideas taken from IntegerLib, code different.
243 */
248 {
249 // In C++, right bit shifts on negative values is undefined by the standard.
250 // Notice that signed-to-unsigned conversions are always well-defined in the
251 // standard, as the value congruent modulo 2**n as expected. By contrast,
252 // unsigned-to-signed is only well-defined if the value is representable.
255 }
257 // Bitwise ops may return a larger type, so it's good to use this inline
258 // helper guaranteeing that the result is really of type T.
260 inline T
262 {
264 }
267 typename U,
270 struct DoesRangeContainRange
271 {
272 };
276 {
278 };
282 {
284 };
288 {
290 };
293 typename U,
301 {
303 {
305 }
306 };
310 {
312 {
314 }
315 };
319 {
321 {
323 }
324 };
328 {
330 {
332 }
333 };
337 {
339 {
343 }
344 };
349 {
351 }
356 {
357 // Addition is valid if the sign of x+y is equal to either that of x or that
358 // of y. Since the value of x+y is undefined if we have a signed type, we
359 // compute it using the unsigned type of the same size.
360 // Beware! These bitwise operations can return a larger integer type,
361 // if T was a small type like int8_t, so we explicitly cast to T.
369 }
374 {
375 // Subtraction is valid if either x and y have same sign, or x-y and x have
376 // same sign. Since the value of x-y is undefined if we have a signed type,
377 // we compute it using the unsigned type of the same size.
385 }
395 {
397 {
401 }
402 };
406 {
408 {
419 }
421 // If we reach this point, we know that x < 0.
425 }
426 };
430 {
432 {
434 }
435 };
440 {
442 }
447 {
448 // Keep in mind that in the signed case, min/-1 is invalid because abs(min)>max.
451 }
459 {
461 }
463 /*
464 * Mod is pretty simple.
465 * For now, let's just use the ANSI C definition:
466 * If x or y are negative, the results are implementation defined.
467 * Consider these invalid.
468 * Undefined for y=0.
469 * The result will never exceed either x or y.
470 *
471 * Checking that x>=0 is a warning when T is unsigned.
472 */
478 }
479 };
488 }
489 };
496 {
498 {
499 // Handle negation separately for signed/unsigned, for simpler code and to
500 // avoid an MSVC warning negating an unsigned value.
502 }
503 };
507 {
509 {
510 // Watch out for the min-value, which (with twos-complement) can't be
511 // negated as -min-value is then (max-value + 1).
515 }
516 };
521 /*
522 * Step 4: Now define the CheckedInt class.
523 */
525 /**
526 * @class CheckedInt
527 * @brief Integer wrapper class checking for integer overflow and other errors
528 * @param T the integer type to wrap. Can be any type among the following:
529 * - any basic integer type such as |int|
530 * - any stdint type such as |int8_t|
531 *
532 * This class implements guarded integer arithmetic. Do a computation, check
533 * that isValid() returns true, you then have a guarantee that no problem, such
534 * as integer overflow, happened during this computation, and you can call
535 * value() to get the plain integer value.
536 *
537 * The arithmetic operators in this class are guaranteed not to raise a signal
538 * (e.g. in case of a division by zero).
539 *
540 * For example, suppose that you want to implement a function that computes
541 * (x+y)/z, that doesn't crash if z==0, and that reports on error (divide by
542 * zero or integer overflow). You could code it as follows:
543 @code
544 bool computeXPlusYOverZ(int x, int y, int z, int *result)
545 {
546 CheckedInt<int> checkedResult = (CheckedInt<int>(x) + y) / z;
547 if (checkedResult.isValid()) {
548 *result = checkedResult.value();
549 return true;
550 } else {
551 return false;
552 }
553 }
554 @endcode
555 *
556 * Implicit conversion from plain integers to checked integers is allowed. The
557 * plain integer is checked to be in range before being casted to the
558 * destination type. This means that the following lines all compile, and the
559 * resulting CheckedInts are correctly detected as valid or invalid:
560 * @code
561 // 1 is of type int, is found to be in range for uint8_t, x is valid
562 CheckedInt<uint8_t> x(1);
563 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
564 CheckedInt<uint8_t> x(-1);
565 // -1 is of type int, is found to be in range for int8_t, x is valid
566 CheckedInt<int8_t> x(-1);
567 // 1000 is of type int16_t, is found not to be in range for int8_t,
568 // x is invalid
569 CheckedInt<int8_t> x(int16_t(1000));
570 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
571 // x is invalid
572 CheckedInt<int32_t> x(uint32_t(3123456789));
573 * @endcode
574 * Implicit conversion from
575 * checked integers to plain integers is not allowed. As shown in the
576 * above example, to get the value of a checked integer as a normal integer,
577 * call value().
578 *
579 * Arithmetic operations between checked and plain integers is allowed; the
580 * result type is the type of the checked integer.
581 *
582 * Checked integers of different types cannot be used in the same arithmetic
583 * expression.
584 *
585 * There are convenience typedefs for all stdint types, of the following form
586 * (these are just 2 examples):
587 @code
588 typedef CheckedInt<int32_t> CheckedInt32;
589 typedef CheckedInt<uint16_t> CheckedUint16;
590 @endcode
591 */
593 class CheckedInt
594 {
596 T mValue;
601 {
605 }
610 /**
611 * Constructs a checked integer with given @a value. The checked integer is
612 * initialized as valid or invalid depending on whether the @a value
613 * is in range.
614 *
615 * This constructor is not explicit. Instead, the type of its argument is a
616 * separate template parameter, ensuring that no conversion is performed
617 * before this constructor is actually called. As explained in the above
618 * documentation for class CheckedInt, this constructor checks that its
619 * argument is valid.
620 */
625 {
629 }
636 {
640 }
642 /** Constructs a valid checked integer with initial value 0 */
644 {
647 }
649 /** @returns the actual value */
651 {
654 }
656 /**
657 * @returns true if the checked integer is valid, i.e. is not the result
658 * of an invalid operation or of an operation involving an invalid checked
659 * integer
660 */
662 {
664 }
697 {
699 }
701 /**
702 * @returns true if the left and right hand sides are valid
703 * and have the same value.
704 *
705 * Note that these semantics are the reason why we don't offer
706 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
707 * but that would mean that whenever a or b is invalid, a!=b
708 * is always true, which would be very confusing.
709 *
710 * For similar reasons, operators <, >, <=, >= would be very tricky to
711 * specify, so we just avoid offering them.
712 *
713 * Notice that these == semantics are made more reasonable by these facts:
714 * 1. a==b implies equality at the raw data level
715 * (the converse is false, as a==b is never true among invalids)
716 * 2. This is similar to the behavior of IEEE floats, where a==b
717 * means that a and b have the same value *and* neither is NaN.
718 */
720 {
722 }
724 /** prefix ++ */
726 {
729 }
731 /** postfix ++ */
733 {
737 }
739 /** prefix -- */
741 {
744 }
746 /** postfix -- */
748 {
752 }
755 /**
756 * The !=, <, <=, >, >= operators are disabled:
757 * see the comment on operator==.
758 */
769 };
771 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
772 template<typename T> \
773 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, \
774 const CheckedInt<T> &rhs) \
775 { \
776 if (!detail::Is##NAME##Valid(lhs.mValue, rhs.mValue)) \
777 return CheckedInt<T>(0, false); \
778 \
779 return CheckedInt<T>(lhs.mValue OP rhs.mValue, \
780 lhs.mIsValid && rhs.mIsValid); \
781 }
789 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
791 // Implement castToCheckedInt<T>(x), making sure that
792 // - it allows x to be either a CheckedInt<T> or any integer type
793 // that can be casted to T
794 // - if x is already a CheckedInt<T>, we just return a reference to it,
795 // instead of copying it (optimization)
800 struct CastToCheckedIntImpl
801 {
804 };
808 {
811 };
818 {
823 }
825 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
826 template<typename T> \
827 template<typename U> \
828 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U rhs) \
829 { \
830 *this = *this OP castToCheckedInt<T>(rhs); \
831 return *this; \
832 } \
833 template<typename T, typename U> \
834 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, U rhs) \
835 { \
836 return lhs OP castToCheckedInt<T>(rhs); \
837 } \
838 template<typename T, typename U> \
839 inline CheckedInt<T> operator OP(U lhs, const CheckedInt<T> &rhs) \
840 { \
841 return castToCheckedInt<T>(lhs) OP rhs; \
842 }
850 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
855 {
857 }
862 {
864 }
866 // Convenience typedefs.