| blob | b56ac42b19c0ff8b80aa3cabeba8de3b4e42900e |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
4 * You can obtain one at http://mozilla.org/MPL/2.0/. */
6 /* Provides checked integers, detecting integer overflow and divide-by-0. */
8 #ifndef mozilla_CheckedInt_h_
9 #define mozilla_CheckedInt_h_
11 /*
12 * Build options. Comment out these #defines to disable the corresponding
13 * optional feature. Disabling features may be useful for code using
14 * CheckedInt outside of Mozilla (e.g. WebKit)
15 */
17 // Enable usage of MOZ_STATIC_ASSERT to check for unsupported types.
18 // If disabled, static asserts are replaced by regular assert().
19 #define MOZ_CHECKEDINT_ENABLE_MOZ_ASSERTS
21 /*
22 * End of build options
23 */
26 #ifdef MOZ_CHECKEDINT_ENABLE_MOZ_ASSERTS
28 #else
29 # ifndef MOZ_STATIC_ASSERT
30 # include <cassert>
31 # define MOZ_STATIC_ASSERT(cond, reason) assert((cond) && reason)
32 # define MOZ_ASSERT(cond, reason) assert((cond) && reason)
33 # endif
34 #endif
38 #include <climits>
39 #include <cstddef>
45 /*
46 * Step 1: manually record supported types
47 *
48 * What's nontrivial here is that there are different families of integer
49 * types: basic integer types and stdint types. It is merrily undefined which
50 * types from one family may be just typedefs for a type from another family.
51 *
52 * For example, on GCC 4.6, aside from the basic integer types, the only other
53 * type that isn't just a typedef for some of them, is int8_t.
54 */
59 struct IsSupportedPass2
60 {
62 };
65 struct IsSupported
66 {
68 };
136 /*
137 * Step 2: some integer-traits kind of stuff.
138 */
141 struct StdintTypeForSizeAndSignedness
142 {};
177 struct UnsignedType
178 {
181 };
184 struct IsSigned
185 {
187 };
190 struct TwiceBiggerType
191 {
196 };
200 {
202 };
205 struct PositionOfSignBit
206 {
208 };
211 struct MinValue
212 {
218 // Bitwise ops may return a larger type, that's why we cast explicitly.
219 // In C++, left bit shifts on signed values is undefined by the standard
220 // unless the shifted value is representable.
221 // Notice that signed-to-unsigned conversions are always well-defined in
222 // the standard as the value congruent to 2**n, as expected. By contrast,
223 // unsigned-to-signed is only well-defined if the value is representable.
228 };
231 struct MaxValue
232 {
233 // Tricksy, but covered by the unit test.
234 // Relies heavily on the type of MinValue<IntegerType>::value
235 // being IntegerType.
237 };
239 /*
240 * Step 3: Implement the actual validity checks.
241 *
242 * Ideas taken from IntegerLib, code different.
243 */
248 {
249 // In C++, right bit shifts on negative values is undefined by the standard.
250 // Notice that signed-to-unsigned conversions are always well-defined in the
251 // standard, as the value congruent modulo 2**n as expected. By contrast,
252 // unsigned-to-signed is only well-defined if the value is representable.
255 }
257 // Bitwise ops may return a larger type, so it's good to use this inline
258 // helper guaranteeing that the result is really of type T.
260 inline T
262 {
264 }
267 typename U,
270 struct DoesRangeContainRange
271 {
272 };
276 {
278 };
282 {
284 };
288 {
290 };
293 typename U,
301 {
303 {
305 }
306 };
310 {
312 {
314 }
315 };
319 {
321 {
323 }
324 };
328 {
330 {
332 }
333 };
337 {
339 {
343 }
344 };
349 {
351 }
356 {
357 // Addition is valid if the sign of x+y is equal to either that of x or that
358 // of y. Since the value of x+y is undefined if we have a signed type, we
359 // compute it using the unsigned type of the same size.
360 // Beware! These bitwise operations can return a larger integer type,
361 // if T was a small type like int8_t, so we explicitly cast to T.
369 }
374 {
375 // Subtraction is valid if either x and y have same sign, or x-y and x have
376 // same sign. Since the value of x-y is undefined if we have a signed type,
377 // we compute it using the unsigned type of the same size.
385 }
395 {
397 {
401 }
402 };
406 {
408 {
419 }
421 // If we reach this point, we know that x < 0.
425 }
426 };
430 {
432 {
434 }
435 };
440 {
442 }
447 {
448 // Keep in mind that in the signed case, min/-1 is invalid because abs(min)>max.
451 }
453 // This is just to shut up msvc warnings about negating unsigned ints.
455 struct OppositeIfSignedImpl
456 {
458 };
461 {
463 };
465 inline T
467 {
469 }
474 /*
475 * Step 4: Now define the CheckedInt class.
476 */
478 /**
479 * @class CheckedInt
480 * @brief Integer wrapper class checking for integer overflow and other errors
481 * @param T the integer type to wrap. Can be any type among the following:
482 * - any basic integer type such as |int|
483 * - any stdint type such as |int8_t|
484 *
485 * This class implements guarded integer arithmetic. Do a computation, check
486 * that isValid() returns true, you then have a guarantee that no problem, such
487 * as integer overflow, happened during this computation, and you can call
488 * value() to get the plain integer value.
489 *
490 * The arithmetic operators in this class are guaranteed not to raise a signal
491 * (e.g. in case of a division by zero).
492 *
493 * For example, suppose that you want to implement a function that computes
494 * (x+y)/z, that doesn't crash if z==0, and that reports on error (divide by
495 * zero or integer overflow). You could code it as follows:
496 @code
497 bool computeXPlusYOverZ(int x, int y, int z, int *result)
498 {
499 CheckedInt<int> checkedResult = (CheckedInt<int>(x) + y) / z;
500 if (checkedResult.isValid()) {
501 *result = checkedResult.value();
502 return true;
503 } else {
504 return false;
505 }
506 }
507 @endcode
508 *
509 * Implicit conversion from plain integers to checked integers is allowed. The
510 * plain integer is checked to be in range before being casted to the
511 * destination type. This means that the following lines all compile, and the
512 * resulting CheckedInts are correctly detected as valid or invalid:
513 * @code
514 // 1 is of type int, is found to be in range for uint8_t, x is valid
515 CheckedInt<uint8_t> x(1);
516 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
517 CheckedInt<uint8_t> x(-1);
518 // -1 is of type int, is found to be in range for int8_t, x is valid
519 CheckedInt<int8_t> x(-1);
520 // 1000 is of type int16_t, is found not to be in range for int8_t,
521 // x is invalid
522 CheckedInt<int8_t> x(int16_t(1000));
523 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
524 // x is invalid
525 CheckedInt<int32_t> x(uint32_t(3123456789));
526 * @endcode
527 * Implicit conversion from
528 * checked integers to plain integers is not allowed. As shown in the
529 * above example, to get the value of a checked integer as a normal integer,
530 * call value().
531 *
532 * Arithmetic operations between checked and plain integers is allowed; the
533 * result type is the type of the checked integer.
534 *
535 * Checked integers of different types cannot be used in the same arithmetic
536 * expression.
537 *
538 * There are convenience typedefs for all stdint types, of the following form
539 * (these are just 2 examples):
540 @code
541 typedef CheckedInt<int32_t> CheckedInt32;
542 typedef CheckedInt<uint16_t> CheckedUint16;
543 @endcode
544 */
546 class CheckedInt
547 {
549 T mValue;
554 {
557 }
560 /**
561 * Constructs a checked integer with given @a value. The checked integer is
562 * initialized as valid or invalid depending on whether the @a value
563 * is in range.
564 *
565 * This constructor is not explicit. Instead, the type of its argument is a
566 * separate template parameter, ensuring that no conversion is performed
567 * before this constructor is actually called. As explained in the above
568 * documentation for class CheckedInt, this constructor checks that its
569 * argument is valid.
570 */
575 {
578 }
580 /** Constructs a valid checked integer with initial value 0 */
582 {
585 }
587 /** @returns the actual value */
589 {
592 }
594 /**
595 * @returns true if the checked integer is valid, i.e. is not the result
596 * of an invalid operation or of an operation involving an invalid checked
597 * integer
598 */
600 {
602 }
626 {
627 // Circumvent msvc warning about - applied to unsigned int.
628 // if we're unsigned, the only valid case anyway is 0
629 // in which case - is a no-op.
631 /* Help the compiler perform RVO (return value optimization). */
634 mValue));
635 }
637 /**
638 * @returns true if the left and right hand sides are valid
639 * and have the same value.
640 *
641 * Note that these semantics are the reason why we don't offer
642 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
643 * but that would mean that whenever a or b is invalid, a!=b
644 * is always true, which would be very confusing.
645 *
646 * For similar reasons, operators <, >, <=, >= would be very tricky to
647 * specify, so we just avoid offering them.
648 *
649 * Notice that these == semantics are made more reasonable by these facts:
650 * 1. a==b implies equality at the raw data level
651 * (the converse is false, as a==b is never true among invalids)
652 * 2. This is similar to the behavior of IEEE floats, where a==b
653 * means that a and b have the same value *and* neither is NaN.
654 */
656 {
658 }
660 /** prefix ++ */
662 {
665 }
667 /** postfix ++ */
669 {
673 }
675 /** prefix -- */
677 {
680 }
682 /** postfix -- */
684 {
688 }
691 /**
692 * The !=, <, <=, >, >= operators are disabled:
693 * see the comment on operator==.
694 */
705 };
707 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
708 template<typename T> \
709 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, \
710 const CheckedInt<T> &rhs) \
711 { \
712 if (!detail::Is##NAME##Valid(lhs.mValue, rhs.mValue)) \
713 return CheckedInt<T>(0, false); \
714 \
715 return CheckedInt<T>(lhs.mValue OP rhs.mValue, \
716 lhs.mIsValid && rhs.mIsValid); \
717 }
724 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
726 // Implement castToCheckedInt<T>(x), making sure that
727 // - it allows x to be either a CheckedInt<T> or any integer type
728 // that can be casted to T
729 // - if x is already a CheckedInt<T>, we just return a reference to it,
730 // instead of copying it (optimization)
735 struct CastToCheckedIntImpl
736 {
739 };
743 {
746 };
753 {
755 }
757 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
758 template<typename T> \
759 template<typename U> \
760 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U rhs) \
761 { \
762 *this = *this OP castToCheckedInt<T>(rhs); \
763 return *this; \
764 } \
765 template<typename T, typename U> \
766 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, U rhs) \
767 { \
768 return lhs OP castToCheckedInt<T>(rhs); \
769 } \
770 template<typename T, typename U> \
771 inline CheckedInt<T> operator OP(U lhs, const CheckedInt<T> &rhs) \
772 { \
773 return castToCheckedInt<T>(lhs) OP rhs; \
774 }
781 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
786 {
788 }
793 {
795 }
797 // Convenience typedefs.