| blob | f78b1504e992de7aee67ce8d3073f4b641e5543e |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Provides checked integers, detecting integer overflow and divide-by-0. */
9 #ifndef mozilla_CheckedInt_h
10 #define mozilla_CheckedInt_h
12 #include <stdint.h>
17 // Probe for builtin math overflow support. Disabled for 32-bit builds for now
18 // since "gcc -m32" claims to support these but its implementation is buggy.
19 // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82274
20 #if defined(HAVE_64BIT_BUILD)
21 #if defined(__has_builtin)
22 #define MOZ_HAS_BUILTIN_OP_OVERFLOW (__has_builtin(__builtin_add_overflow))
23 #elif defined(__GNUC__)
24 // (clang also defines __GNUC__ but it supports __has_builtin since at least
25 // v3.1 (released in 2012) so it won't get here.)
26 #define MOZ_HAS_BUILTIN_OP_OVERFLOW (__GNUC__ >= 5)
27 #else
28 #define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
29 #endif
30 #else
31 #define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
32 #endif
40 /*
41 * Step 1: manually record supported types
42 *
43 * What's nontrivial here is that there are different families of integer
44 * types: basic integer types and stdint types. It is merrily undefined which
45 * types from one family may be just typedefs for a type from another family.
46 *
47 * For example, on GCC 4.6, aside from the basic integer types, the only other
48 * type that isn't just a typedef for some of them, is int8_t.
49 */
54 struct IsSupportedPass2
55 {
57 };
60 struct IsSupported
61 {
63 };
142 /*
143 * Step 2: Implement the actual validity checks.
144 *
145 * Ideas taken from IntegerLib, code different.
146 */
149 struct TwiceBiggerType
150 {
155 };
159 {
161 };
166 {
167 // In C++, right bit shifts on negative values is undefined by the standard.
168 // Notice that signed-to-unsigned conversions are always well-defined in the
169 // standard, as the value congruent modulo 2**n as expected. By contrast,
170 // unsigned-to-signed is only well-defined if the value is representable.
173 }
175 // Bitwise ops may return a larger type, so it's good to use this inline
176 // helper guaranteeing that the result is really of type T.
178 inline T
180 {
182 }
185 typename U,
188 struct DoesRangeContainRange
189 {
190 };
194 {
196 };
200 {
202 };
206 {
208 };
211 typename U,
219 {
221 {
223 }
224 };
228 {
230 {
232 }
233 };
237 {
239 {
241 }
242 };
246 {
248 {
250 }
251 };
255 {
257 {
261 }
262 };
267 {
269 }
274 {
275 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
276 T dummy;
278 #else
279 // Addition is valid if the sign of aX+aY is equal to either that of aX or
280 // that of aY. Since the value of aX+aY is undefined if we have a signed
281 // type, we compute it using the unsigned type of the same size. Beware!
282 // These bitwise operations can return a larger integer type, if T was a
283 // small type like int8_t, so we explicitly cast to T.
291 #endif
292 }
297 {
298 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
299 T dummy;
301 #else
302 // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX
303 // have same sign. Since the value of aX-aY is undefined if we have a signed
304 // type, we compute it using the unsigned type of the same size.
312 #endif
313 }
323 {
325 {
329 }
330 };
334 {
336 {
342 }
347 }
349 // If we reach this point, we know that aX < 0.
353 }
354 };
358 {
360 {
362 }
363 };
368 {
369 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
370 T dummy;
372 #else
374 #endif
375 }
380 {
381 // Keep in mind that in the signed case, min/-1 is invalid because
382 // abs(min)>max.
385 }
393 {
395 }
397 /*
398 * Mod is pretty simple.
399 * For now, let's just use the ANSI C definition:
400 * If aX or aY are negative, the results are implementation defined.
401 * Consider these invalid.
402 * Undefined for aY=0.
403 * The result will never exceed either aX or aY.
404 *
405 * Checking that aX>=0 is a warning when T is unsigned.
406 */
410 {
412 {
414 }
415 };
419 {
421 {
424 }
426 }
427 };
434 {
436 {
437 // Handle negation separately for signed/unsigned, for simpler code and to
438 // avoid an MSVC warning negating an unsigned value.
440 }
441 };
445 {
447 {
448 // Watch out for the min-value, which (with twos-complement) can't be
449 // negated as -min-value is then (max-value + 1).
452 }
454 }
455 };
460 /*
461 * Step 3: Now define the CheckedInt class.
462 */
464 /**
465 * @class CheckedInt
466 * @brief Integer wrapper class checking for integer overflow and other errors
467 * @param T the integer type to wrap. Can be any type among the following:
468 * - any basic integer type such as |int|
469 * - any stdint type such as |int8_t|
470 *
471 * This class implements guarded integer arithmetic. Do a computation, check
472 * that isValid() returns true, you then have a guarantee that no problem, such
473 * as integer overflow, happened during this computation, and you can call
474 * value() to get the plain integer value.
475 *
476 * The arithmetic operators in this class are guaranteed not to raise a signal
477 * (e.g. in case of a division by zero).
478 *
479 * For example, suppose that you want to implement a function that computes
480 * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by
481 * zero or integer overflow). You could code it as follows:
482 @code
483 bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult)
484 {
485 CheckedInt<int> checkedResult = (CheckedInt<int>(aX) + aY) / aZ;
486 if (checkedResult.isValid()) {
487 *aResult = checkedResult.value();
488 return true;
489 } else {
490 return false;
491 }
492 }
493 @endcode
494 *
495 * Implicit conversion from plain integers to checked integers is allowed. The
496 * plain integer is checked to be in range before being casted to the
497 * destination type. This means that the following lines all compile, and the
498 * resulting CheckedInts are correctly detected as valid or invalid:
499 * @code
500 // 1 is of type int, is found to be in range for uint8_t, x is valid
501 CheckedInt<uint8_t> x(1);
502 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
503 CheckedInt<uint8_t> x(-1);
504 // -1 is of type int, is found to be in range for int8_t, x is valid
505 CheckedInt<int8_t> x(-1);
506 // 1000 is of type int16_t, is found not to be in range for int8_t,
507 // x is invalid
508 CheckedInt<int8_t> x(int16_t(1000));
509 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
510 // x is invalid
511 CheckedInt<int32_t> x(uint32_t(3123456789));
512 * @endcode
513 * Implicit conversion from
514 * checked integers to plain integers is not allowed. As shown in the
515 * above example, to get the value of a checked integer as a normal integer,
516 * call value().
517 *
518 * Arithmetic operations between checked and plain integers is allowed; the
519 * result type is the type of the checked integer.
520 *
521 * Checked integers of different types cannot be used in the same arithmetic
522 * expression.
523 *
524 * There are convenience typedefs for all stdint types, of the following form
525 * (these are just 2 examples):
526 @code
527 typedef CheckedInt<int32_t> CheckedInt32;
528 typedef CheckedInt<uint16_t> CheckedUint16;
529 @endcode
530 */
532 class CheckedInt
533 {
535 T mValue;
540 {
544 }
549 /**
550 * Constructs a checked integer with given @a value. The checked integer is
551 * initialized as valid or invalid depending on whether the @a value
552 * is in range.
553 *
554 * This constructor is not explicit. Instead, the type of its argument is a
555 * separate template parameter, ensuring that no conversion is performed
556 * before this constructor is actually called. As explained in the above
557 * documentation for class CheckedInt, this constructor checks that its
558 * argument is valid.
559 */
564 {
568 }
575 {
579 }
581 /** Constructs a valid checked integer with initial value 0 */
583 {
586 }
588 /** @returns the actual value */
590 {
593 }
595 /**
596 * @returns true if the checked integer is valid, i.e. is not the result
597 * of an invalid operation or of an operation involving an invalid checked
598 * integer
599 */
601 {
603 }
641 {
643 }
645 /**
646 * @returns true if the left and right hand sides are valid
647 * and have the same value.
648 *
649 * Note that these semantics are the reason why we don't offer
650 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
651 * but that would mean that whenever a or b is invalid, a!=b
652 * is always true, which would be very confusing.
653 *
654 * For similar reasons, operators <, >, <=, >= would be very tricky to
655 * specify, so we just avoid offering them.
656 *
657 * Notice that these == semantics are made more reasonable by these facts:
658 * 1. a==b implies equality at the raw data level
659 * (the converse is false, as a==b is never true among invalids)
660 * 2. This is similar to the behavior of IEEE floats, where a==b
661 * means that a and b have the same value *and* neither is NaN.
662 */
664 {
666 }
668 /** prefix ++ */
670 {
673 }
675 /** postfix ++ */
677 {
681 }
683 /** prefix -- */
685 {
688 }
690 /** postfix -- */
692 {
696 }
699 /**
700 * The !=, <, <=, >, >= operators are disabled:
701 * see the comment on operator==.
702 */
708 };
710 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
711 template<typename T> \
712 inline CheckedInt<T> \
713 operator OP(const CheckedInt<T>& aLhs, const CheckedInt<T>& aRhs) \
714 { \
715 if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \
716 return CheckedInt<T>(0, false); \
717 } \
718 return CheckedInt<T>(aLhs.mValue OP aRhs.mValue, \
719 aLhs.mIsValid && aRhs.mIsValid); \
720 }
722 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
723 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(NAME, OP, FUN) \
724 template<typename T> \
725 inline CheckedInt<T> \
726 operator OP(const CheckedInt<T>& aLhs, const CheckedInt<T>& aRhs) \
727 { \
728 T result; \
729 if (FUN(aLhs.mValue, aRhs.mValue, &result)) { \
730 return CheckedInt<T>(0, false); \
731 } \
732 return CheckedInt<T>(result, aLhs.mIsValid && aRhs.mIsValid); \
733 }
737 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2
738 #else
742 #endif
746 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
748 // Implement castToCheckedInt<T>(x), making sure that
749 // - it allows x to be either a CheckedInt<T> or any integer type
750 // that can be casted to T
751 // - if x is already a CheckedInt<T>, we just return a reference to it,
752 // instead of copying it (optimization)
757 struct CastToCheckedIntImpl
758 {
761 };
765 {
768 };
775 {
780 }
782 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
783 template<typename T> \
784 template<typename U> \
785 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U aRhs) \
786 { \
787 *this = *this OP castToCheckedInt<T>(aRhs); \
788 return *this; \
789 } \
790 template<typename T> \
791 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(const CheckedInt<T>& aRhs) \
792 { \
793 *this = *this OP aRhs; \
794 return *this; \
795 } \
796 template<typename T, typename U> \
797 inline CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, U aRhs) \
798 { \
799 return aLhs OP castToCheckedInt<T>(aRhs); \
800 } \
801 template<typename T, typename U> \
802 inline CheckedInt<T> operator OP(U aLhs, const CheckedInt<T>& aRhs) \
803 { \
804 return castToCheckedInt<T>(aLhs) OP aRhs; \
805 }
813 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
818 {
820 }
825 {
827 }
829 // Convenience typedefs.