| blob | 4e8f13a41e34d59ae5e03185ef918662e674c3a4 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Provides checked integers, detecting integer overflow and divide-by-0. */
9 #ifndef mozilla_CheckedInt_h
10 #define mozilla_CheckedInt_h
12 #include <stdint.h>
16 #include <limits>
18 #define MOZILLA_CHECKEDINT_COMPARABLE_VERSION(major, minor, patch) \
19 (major << 16 | minor << 8 | patch)
21 // Probe for builtin math overflow support. Disabled for 32-bit builds for now
22 // since "gcc -m32" claims to support these but its implementation is buggy.
23 // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82274
24 // Also disabled for clang before version 7 (resp. Xcode clang 10.0.1): while
25 // clang 5 and 6 have a working __builtin_add_overflow, it is not constexpr.
26 #if defined(HAVE_64BIT_BUILD)
27 # if defined(__has_builtin) && \
28 (!defined(__clang_major__) || \
29 (!defined(__apple_build_version__) && __clang_major__ >= 7) || \
30 (defined(__apple_build_version__) && \
31 MOZILLA_CHECKEDINT_COMPARABLE_VERSION( \
32 __clang_major__, __clang_minor__, __clang_patchlevel__) >= \
33 MOZILLA_CHECKEDINT_COMPARABLE_VERSION(10, 0, 1)))
34 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__has_builtin(__builtin_add_overflow))
35 # elif defined(__GNUC__)
36 // (clang also defines __GNUC__ but it supports __has_builtin since at least
37 // v3.1 (released in 2012) so it won't get here.)
38 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__GNUC__ >= 5)
39 # else
40 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
41 # endif
42 #else
43 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
44 #endif
46 #undef MOZILLA_CHECKEDINT_COMPARABLE_VERSION
55 /*
56 * Step 1: manually record supported types
57 *
58 * What's nontrivial here is that there are different families of integer
59 * types: basic integer types and stdint types. It is merrily undefined which
60 * types from one family may be just typedefs for a type from another family.
61 *
62 * For example, on GCC 4.6, aside from the basic integer types, the only other
63 * type that isn't just a typedef for some of them, is int8_t.
64 */
71 };
76 };
81 };
86 };
91 };
96 };
101 };
106 };
111 };
116 };
121 };
126 };
131 };
136 };
141 };
146 };
151 };
156 };
161 };
166 };
171 };
173 /*
174 * Step 2: Implement the actual validity checks.
175 *
176 * Ideas taken from IntegerLib, code different.
177 */
183 };
188 };
192 // In C++, right bit shifts on negative values is undefined by the standard.
193 // Notice that signed-to-unsigned conversions are always well-defined in the
194 // standard, as the value congruent modulo 2**n as expected. By contrast,
195 // unsigned-to-signed is only well-defined if the value is representable.
198 }
200 // Bitwise ops may return a larger type, so it's good to use this inline
201 // helper guaranteeing that the result is really of type T.
205 }
214 };
219 };
224 };
234 };
241 }
242 };
248 }
249 };
255 }
256 };
264 }
265 };
270 }
274 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
275 T dummy;
277 #else
278 // Addition is valid if the sign of aX+aY is equal to either that of aX or
279 // that of aY. Since the value of aX+aY is undefined if we have a signed
280 // type, we compute it using the unsigned type of the same size. Beware!
281 // These bitwise operations can return a larger integer type, if T was a
282 // small type like int8_t, so we explicitly cast to T.
290 #endif
291 }
295 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
296 T dummy;
298 #else
299 // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX
300 // have same sign. Since the value of aX-aY is undefined if we have a signed
301 // type, we compute it using the unsigned type of the same size.
309 #endif
310 }
323 }
324 };
334 }
337 }
339 // If we reach this point, we know that aX < 0.
341 }
342 };
348 }
349 };
353 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
354 T dummy;
356 #else
358 #endif
359 }
363 // Keep in mind that in the signed case, min/-1 is invalid because
364 // abs(min)>max.
367 }
375 }
377 /*
378 * Mod is pretty simple.
379 * For now, let's just use the ANSI C definition:
380 * If aX or aY are negative, the results are implementation defined.
381 * Consider these invalid.
382 * Undefined for aY=0.
383 * The result will never exceed either aX or aY.
384 *
385 * Checking that aX>=0 is a warning when T is unsigned.
386 */
391 };
398 }
400 }
401 };
409 // Handle negation separately for signed/unsigned, for simpler code and to
410 // avoid an MSVC warning negating an unsigned value.
412 }
413 };
418 // Watch out for the min-value, which (with twos-complement) can't be
419 // negated as -min-value is then (max-value + 1).
422 }
424 }
425 };
429 /*
430 * Step 3: Now define the CheckedInt class.
431 */
433 /**
434 * @class CheckedInt
435 * @brief Integer wrapper class checking for integer overflow and other errors
436 * @param T the integer type to wrap. Can be any type among the following:
437 * - any basic integer type such as |int|
438 * - any stdint type such as |int8_t|
439 *
440 * This class implements guarded integer arithmetic. Do a computation, check
441 * that isValid() returns true, you then have a guarantee that no problem, such
442 * as integer overflow, happened during this computation, and you can call
443 * value() to get the plain integer value.
444 *
445 * The arithmetic operators in this class are guaranteed not to raise a signal
446 * (e.g. in case of a division by zero).
447 *
448 * For example, suppose that you want to implement a function that computes
449 * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by
450 * zero or integer overflow). You could code it as follows:
451 @code
452 bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult)
453 {
454 CheckedInt<int> checkedResult = (CheckedInt<int>(aX) + aY) / aZ;
455 if (checkedResult.isValid()) {
456 *aResult = checkedResult.value();
457 return true;
458 } else {
459 return false;
460 }
461 }
462 @endcode
463 *
464 * Implicit conversion from plain integers to checked integers is allowed. The
465 * plain integer is checked to be in range before being casted to the
466 * destination type. This means that the following lines all compile, and the
467 * resulting CheckedInts are correctly detected as valid or invalid:
468 * @code
469 // 1 is of type int, is found to be in range for uint8_t, x is valid
470 CheckedInt<uint8_t> x(1);
471 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
472 CheckedInt<uint8_t> x(-1);
473 // -1 is of type int, is found to be in range for int8_t, x is valid
474 CheckedInt<int8_t> x(-1);
475 // 1000 is of type int16_t, is found not to be in range for int8_t,
476 // x is invalid
477 CheckedInt<int8_t> x(int16_t(1000));
478 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
479 // x is invalid
480 CheckedInt<int32_t> x(uint32_t(3123456789));
481 * @endcode
482 * Implicit conversion from
483 * checked integers to plain integers is not allowed. As shown in the
484 * above example, to get the value of a checked integer as a normal integer,
485 * call value().
486 *
487 * Arithmetic operations between checked and plain integers is allowed; the
488 * result type is the type of the checked integer.
489 *
490 * Checked integers of different types cannot be used in the same arithmetic
491 * expression.
492 *
493 * There are convenience typedefs for all stdint types, of the following form
494 * (these are just 2 examples):
495 @code
496 typedef CheckedInt<int32_t> CheckedInt32;
497 typedef CheckedInt<uint16_t> CheckedUint16;
498 @endcode
499 */
503 T mValue;
512 }
517 /**
518 * Constructs a checked integer with given @a value. The checked integer is
519 * initialized as valid or invalid depending on whether the @a value
520 * is in range.
521 *
522 * This constructor is not explicit. Instead, the type of its argument is a
523 * separate template parameter, ensuring that no conversion is performed
524 * before this constructor is actually called. As explained in the above
525 * documentation for class CheckedInt, this constructor checks that its
526 * argument is valid.
527 */
534 }
544 }
546 /** Constructs a valid checked integer with initial value 0 */
550 }
552 /** @returns the actual value */
555 mIsValid,
558 }
560 /**
561 * @returns true if the checked integer is valid, i.e. is not the result
562 * of an invalid operation or of an operation involving an invalid checked
563 * integer
564 */
604 }
606 /**
607 * @returns true if the left and right hand sides are valid
608 * and have the same value.
609 *
610 * Note that these semantics are the reason why we don't offer
611 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
612 * but that would mean that whenever a or b is invalid, a!=b
613 * is always true, which would be very confusing.
614 *
615 * For similar reasons, operators <, >, <=, >= would be very tricky to
616 * specify, so we just avoid offering them.
617 *
618 * Notice that these == semantics are made more reasonable by these facts:
619 * 1. a==b implies equality at the raw data level
620 * (the converse is false, as a==b is never true among invalids)
621 * 2. This is similar to the behavior of IEEE floats, where a==b
622 * means that a and b have the same value *and* neither is NaN.
623 */
626 }
628 /** prefix ++ */
632 }
634 /** postfix ++ */
639 }
641 /** prefix -- */
645 }
647 /** postfix -- */
652 }
655 /**
656 * The !=, <, <=, >, >= operators are disabled:
657 * see the comment on operator==.
658 */
669 };
671 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
672 template <typename T> \
673 constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \
674 const CheckedInt<T>& aRhs) { \
675 if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \
676 return CheckedInt<T>(0, false); \
677 } \
678 return CheckedInt<T>(aLhs.mValue OP aRhs.mValue, \
679 aLhs.mIsValid && aRhs.mIsValid); \
680 }
682 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
683 # define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(NAME, OP, FUN) \
684 template <typename T> \
685 constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \
686 const CheckedInt<T>& aRhs) { \
687 auto result = T{}; \
688 if (FUN(aLhs.mValue, aRhs.mValue, &result)) { \
689 return CheckedInt<T>(0, false); \
690 } \
691 return CheckedInt<T>(result, aLhs.mIsValid && aRhs.mIsValid); \
692 }
696 # undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2
697 #else
701 #endif
705 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
707 // Implement castToCheckedInt<T>(x), making sure that
708 // - it allows x to be either a CheckedInt<T> or any integer type
709 // that can be casted to T
710 // - if x is already a CheckedInt<T>, we just return a reference to it,
711 // instead of copying it (optimization)
719 };
726 }
727 };
737 }
739 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
740 template <typename T> \
741 template <typename U> \
742 constexpr CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U aRhs) { \
743 *this = *this OP castToCheckedInt<T>(aRhs); \
744 return *this; \
745 } \
746 template <typename T> \
747 constexpr CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP( \
748 const CheckedInt<T>& aRhs) { \
749 *this = *this OP aRhs; \
750 return *this; \
751 } \
752 template <typename T, typename U> \
753 constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, U aRhs) { \
754 return aLhs OP castToCheckedInt<T>(aRhs); \
755 } \
756 template <typename T, typename U> \
757 constexpr CheckedInt<T> operator OP(U aLhs, const CheckedInt<T>& aRhs) { \
758 return castToCheckedInt<T>(aLhs) OP aRhs; \
759 }
767 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
772 }
777 }
779 // Convenience typedefs.