| blob | 8e1be4b4b3e7e764fa1a2673b6c016d7a2dec8ba |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Provides checked integers, detecting integer overflow and divide-by-0. */
9 #ifndef mozilla_CheckedInt_h
10 #define mozilla_CheckedInt_h
12 #include <stdint.h>
23 /*
24 * Step 1: manually record supported types
25 *
26 * What's nontrivial here is that there are different families of integer
27 * types: basic integer types and stdint types. It is merrily undefined which
28 * types from one family may be just typedefs for a type from another family.
29 *
30 * For example, on GCC 4.6, aside from the basic integer types, the only other
31 * type that isn't just a typedef for some of them, is int8_t.
32 */
37 struct IsSupportedPass2
38 {
40 };
43 struct IsSupported
44 {
46 };
125 /*
126 * Step 2: Implement the actual validity checks.
127 *
128 * Ideas taken from IntegerLib, code different.
129 */
132 struct TwiceBiggerType
133 {
138 };
142 {
144 };
149 {
150 // In C++, right bit shifts on negative values is undefined by the standard.
151 // Notice that signed-to-unsigned conversions are always well-defined in the
152 // standard, as the value congruent modulo 2**n as expected. By contrast,
153 // unsigned-to-signed is only well-defined if the value is representable.
156 }
158 // Bitwise ops may return a larger type, so it's good to use this inline
159 // helper guaranteeing that the result is really of type T.
161 inline T
163 {
165 }
168 typename U,
171 struct DoesRangeContainRange
172 {
173 };
177 {
179 };
183 {
185 };
189 {
191 };
194 typename U,
202 {
204 {
206 }
207 };
211 {
213 {
215 }
216 };
220 {
222 {
224 }
225 };
229 {
231 {
233 }
234 };
238 {
240 {
244 }
245 };
250 {
252 }
257 {
258 // Addition is valid if the sign of aX+aY is equal to either that of aX or
259 // that of aY. Since the value of aX+aY is undefined if we have a signed
260 // type, we compute it using the unsigned type of the same size. Beware!
261 // These bitwise operations can return a larger integer type, if T was a
262 // small type like int8_t, so we explicitly cast to T.
270 }
275 {
276 // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX
277 // have same sign. Since the value of aX-aY is undefined if we have a signed
278 // type, we compute it using the unsigned type of the same size.
286 }
296 {
298 {
302 }
303 };
307 {
309 {
315 }
320 }
322 // If we reach this point, we know that aX < 0.
326 }
327 };
331 {
333 {
335 }
336 };
341 {
343 }
348 {
349 // Keep in mind that in the signed case, min/-1 is invalid because
350 // abs(min)>max.
353 }
361 {
363 }
365 /*
366 * Mod is pretty simple.
367 * For now, let's just use the ANSI C definition:
368 * If aX or aY are negative, the results are implementation defined.
369 * Consider these invalid.
370 * Undefined for aY=0.
371 * The result will never exceed either aX or aY.
372 *
373 * Checking that aX>=0 is a warning when T is unsigned.
374 */
378 {
380 {
382 }
383 };
387 {
389 {
392 }
394 }
395 };
402 {
404 {
405 // Handle negation separately for signed/unsigned, for simpler code and to
406 // avoid an MSVC warning negating an unsigned value.
408 }
409 };
413 {
415 {
416 // Watch out for the min-value, which (with twos-complement) can't be
417 // negated as -min-value is then (max-value + 1).
420 }
422 }
423 };
428 /*
429 * Step 3: Now define the CheckedInt class.
430 */
432 /**
433 * @class CheckedInt
434 * @brief Integer wrapper class checking for integer overflow and other errors
435 * @param T the integer type to wrap. Can be any type among the following:
436 * - any basic integer type such as |int|
437 * - any stdint type such as |int8_t|
438 *
439 * This class implements guarded integer arithmetic. Do a computation, check
440 * that isValid() returns true, you then have a guarantee that no problem, such
441 * as integer overflow, happened during this computation, and you can call
442 * value() to get the plain integer value.
443 *
444 * The arithmetic operators in this class are guaranteed not to raise a signal
445 * (e.g. in case of a division by zero).
446 *
447 * For example, suppose that you want to implement a function that computes
448 * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by
449 * zero or integer overflow). You could code it as follows:
450 @code
451 bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult)
452 {
453 CheckedInt<int> checkedResult = (CheckedInt<int>(aX) + aY) / aZ;
454 if (checkedResult.isValid()) {
455 *aResult = checkedResult.value();
456 return true;
457 } else {
458 return false;
459 }
460 }
461 @endcode
462 *
463 * Implicit conversion from plain integers to checked integers is allowed. The
464 * plain integer is checked to be in range before being casted to the
465 * destination type. This means that the following lines all compile, and the
466 * resulting CheckedInts are correctly detected as valid or invalid:
467 * @code
468 // 1 is of type int, is found to be in range for uint8_t, x is valid
469 CheckedInt<uint8_t> x(1);
470 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
471 CheckedInt<uint8_t> x(-1);
472 // -1 is of type int, is found to be in range for int8_t, x is valid
473 CheckedInt<int8_t> x(-1);
474 // 1000 is of type int16_t, is found not to be in range for int8_t,
475 // x is invalid
476 CheckedInt<int8_t> x(int16_t(1000));
477 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
478 // x is invalid
479 CheckedInt<int32_t> x(uint32_t(3123456789));
480 * @endcode
481 * Implicit conversion from
482 * checked integers to plain integers is not allowed. As shown in the
483 * above example, to get the value of a checked integer as a normal integer,
484 * call value().
485 *
486 * Arithmetic operations between checked and plain integers is allowed; the
487 * result type is the type of the checked integer.
488 *
489 * Checked integers of different types cannot be used in the same arithmetic
490 * expression.
491 *
492 * There are convenience typedefs for all stdint types, of the following form
493 * (these are just 2 examples):
494 @code
495 typedef CheckedInt<int32_t> CheckedInt32;
496 typedef CheckedInt<uint16_t> CheckedUint16;
497 @endcode
498 */
500 class CheckedInt
501 {
503 T mValue;
508 {
512 }
517 /**
518 * Constructs a checked integer with given @a value. The checked integer is
519 * initialized as valid or invalid depending on whether the @a value
520 * is in range.
521 *
522 * This constructor is not explicit. Instead, the type of its argument is a
523 * separate template parameter, ensuring that no conversion is performed
524 * before this constructor is actually called. As explained in the above
525 * documentation for class CheckedInt, this constructor checks that its
526 * argument is valid.
527 */
532 {
536 }
543 {
547 }
549 /** Constructs a valid checked integer with initial value 0 */
551 {
554 }
556 /** @returns the actual value */
558 {
561 }
563 /**
564 * @returns true if the checked integer is valid, i.e. is not the result
565 * of an invalid operation or of an operation involving an invalid checked
566 * integer
567 */
569 {
571 }
609 {
611 }
613 /**
614 * @returns true if the left and right hand sides are valid
615 * and have the same value.
616 *
617 * Note that these semantics are the reason why we don't offer
618 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
619 * but that would mean that whenever a or b is invalid, a!=b
620 * is always true, which would be very confusing.
621 *
622 * For similar reasons, operators <, >, <=, >= would be very tricky to
623 * specify, so we just avoid offering them.
624 *
625 * Notice that these == semantics are made more reasonable by these facts:
626 * 1. a==b implies equality at the raw data level
627 * (the converse is false, as a==b is never true among invalids)
628 * 2. This is similar to the behavior of IEEE floats, where a==b
629 * means that a and b have the same value *and* neither is NaN.
630 */
632 {
634 }
636 /** prefix ++ */
638 {
641 }
643 /** postfix ++ */
645 {
649 }
651 /** prefix -- */
653 {
656 }
658 /** postfix -- */
660 {
664 }
667 /**
668 * The !=, <, <=, >, >= operators are disabled:
669 * see the comment on operator==.
670 */
676 };
678 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
679 template<typename T> \
680 inline CheckedInt<T> \
681 operator OP(const CheckedInt<T>& aLhs, const CheckedInt<T>& aRhs) \
682 { \
683 if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \
684 return CheckedInt<T>(0, false); \
685 } \
686 return CheckedInt<T>(aLhs.mValue OP aRhs.mValue, \
687 aLhs.mIsValid && aRhs.mIsValid); \
688 }
696 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
698 // Implement castToCheckedInt<T>(x), making sure that
699 // - it allows x to be either a CheckedInt<T> or any integer type
700 // that can be casted to T
701 // - if x is already a CheckedInt<T>, we just return a reference to it,
702 // instead of copying it (optimization)
707 struct CastToCheckedIntImpl
708 {
711 };
715 {
718 };
725 {
730 }
732 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
733 template<typename T> \
734 template<typename U> \
735 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U aRhs) \
736 { \
737 *this = *this OP castToCheckedInt<T>(aRhs); \
738 return *this; \
739 } \
740 template<typename T> \
741 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(const CheckedInt<T>& aRhs) \
742 { \
743 *this = *this OP aRhs; \
744 return *this; \
745 } \
746 template<typename T, typename U> \
747 inline CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, U aRhs) \
748 { \
749 return aLhs OP castToCheckedInt<T>(aRhs); \
750 } \
751 template<typename T, typename U> \
752 inline CheckedInt<T> operator OP(U aLhs, const CheckedInt<T>& aRhs) \
753 { \
754 return castToCheckedInt<T>(aLhs) OP aRhs; \
755 }
763 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
768 {
770 }
775 {
777 }
779 // Convenience typedefs.