| blob | 945e83e2b1ceeb0b800833f113e78a00d1fcb394 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Provides checked integers, detecting integer overflow and divide-by-0. */
9 #ifndef mozilla_CheckedInt_h
10 #define mozilla_CheckedInt_h
12 #include <stdint.h>
17 // Probe for builtin math overflow support. Disabled for 32-bit builds for now
18 // since "gcc -m32" claims to support these but its implementation is buggy.
19 // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82274
20 #if defined(HAVE_64BIT_BUILD)
21 # if defined(__has_builtin)
22 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__has_builtin(__builtin_add_overflow))
23 # elif defined(__GNUC__)
24 // (clang also defines __GNUC__ but it supports __has_builtin since at least
25 // v3.1 (released in 2012) so it won't get here.)
26 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__GNUC__ >= 5)
27 # else
28 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
29 # endif
30 #else
31 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
32 #endif
41 /*
42 * Step 1: manually record supported types
43 *
44 * What's nontrivial here is that there are different families of integer
45 * types: basic integer types and stdint types. It is merrily undefined which
46 * types from one family may be just typedefs for a type from another family.
47 *
48 * For example, on GCC 4.6, aside from the basic integer types, the only other
49 * type that isn't just a typedef for some of them, is int8_t.
50 */
57 };
62 };
67 };
72 };
77 };
82 };
87 };
92 };
97 };
102 };
107 };
112 };
117 };
122 };
127 };
132 };
137 };
142 };
147 };
152 };
157 };
159 /*
160 * Step 2: Implement the actual validity checks.
161 *
162 * Ideas taken from IntegerLib, code different.
163 */
169 };
174 };
178 // In C++, right bit shifts on negative values is undefined by the standard.
179 // Notice that signed-to-unsigned conversions are always well-defined in the
180 // standard, as the value congruent modulo 2**n as expected. By contrast,
181 // unsigned-to-signed is only well-defined if the value is representable.
184 }
186 // Bitwise ops may return a larger type, so it's good to use this inline
187 // helper guaranteeing that the result is really of type T.
191 }
200 };
205 };
210 };
220 };
226 }
227 };
232 };
238 }
239 };
246 }
247 };
252 }
256 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
257 T dummy;
259 #else
260 // Addition is valid if the sign of aX+aY is equal to either that of aX or
261 // that of aY. Since the value of aX+aY is undefined if we have a signed
262 // type, we compute it using the unsigned type of the same size. Beware!
263 // These bitwise operations can return a larger integer type, if T was a
264 // small type like int8_t, so we explicitly cast to T.
272 #endif
273 }
277 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
278 T dummy;
280 #else
281 // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX
282 // have same sign. Since the value of aX-aY is undefined if we have a signed
283 // type, we compute it using the unsigned type of the same size.
291 #endif
292 }
305 }
306 };
316 }
319 }
321 // If we reach this point, we know that aX < 0.
323 }
324 };
330 }
331 };
335 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
336 T dummy;
338 #else
340 #endif
341 }
345 // Keep in mind that in the signed case, min/-1 is invalid because
346 // abs(min)>max.
349 }
357 }
359 /*
360 * Mod is pretty simple.
361 * For now, let's just use the ANSI C definition:
362 * If aX or aY are negative, the results are implementation defined.
363 * Consider these invalid.
364 * Undefined for aY=0.
365 * The result will never exceed either aX or aY.
366 *
367 * Checking that aX>=0 is a warning when T is unsigned.
368 */
373 };
380 }
382 }
383 };
391 // Handle negation separately for signed/unsigned, for simpler code and to
392 // avoid an MSVC warning negating an unsigned value.
394 }
395 };
400 // Watch out for the min-value, which (with twos-complement) can't be
401 // negated as -min-value is then (max-value + 1).
404 }
406 }
407 };
411 /*
412 * Step 3: Now define the CheckedInt class.
413 */
415 /**
416 * @class CheckedInt
417 * @brief Integer wrapper class checking for integer overflow and other errors
418 * @param T the integer type to wrap. Can be any type among the following:
419 * - any basic integer type such as |int|
420 * - any stdint type such as |int8_t|
421 *
422 * This class implements guarded integer arithmetic. Do a computation, check
423 * that isValid() returns true, you then have a guarantee that no problem, such
424 * as integer overflow, happened during this computation, and you can call
425 * value() to get the plain integer value.
426 *
427 * The arithmetic operators in this class are guaranteed not to raise a signal
428 * (e.g. in case of a division by zero).
429 *
430 * For example, suppose that you want to implement a function that computes
431 * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by
432 * zero or integer overflow). You could code it as follows:
433 @code
434 bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult)
435 {
436 CheckedInt<int> checkedResult = (CheckedInt<int>(aX) + aY) / aZ;
437 if (checkedResult.isValid()) {
438 *aResult = checkedResult.value();
439 return true;
440 } else {
441 return false;
442 }
443 }
444 @endcode
445 *
446 * Implicit conversion from plain integers to checked integers is allowed. The
447 * plain integer is checked to be in range before being casted to the
448 * destination type. This means that the following lines all compile, and the
449 * resulting CheckedInts are correctly detected as valid or invalid:
450 * @code
451 // 1 is of type int, is found to be in range for uint8_t, x is valid
452 CheckedInt<uint8_t> x(1);
453 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
454 CheckedInt<uint8_t> x(-1);
455 // -1 is of type int, is found to be in range for int8_t, x is valid
456 CheckedInt<int8_t> x(-1);
457 // 1000 is of type int16_t, is found not to be in range for int8_t,
458 // x is invalid
459 CheckedInt<int8_t> x(int16_t(1000));
460 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
461 // x is invalid
462 CheckedInt<int32_t> x(uint32_t(3123456789));
463 * @endcode
464 * Implicit conversion from
465 * checked integers to plain integers is not allowed. As shown in the
466 * above example, to get the value of a checked integer as a normal integer,
467 * call value().
468 *
469 * Arithmetic operations between checked and plain integers is allowed; the
470 * result type is the type of the checked integer.
471 *
472 * Checked integers of different types cannot be used in the same arithmetic
473 * expression.
474 *
475 * There are convenience typedefs for all stdint types, of the following form
476 * (these are just 2 examples):
477 @code
478 typedef CheckedInt<int32_t> CheckedInt32;
479 typedef CheckedInt<uint16_t> CheckedUint16;
480 @endcode
481 */
485 T mValue;
493 }
498 /**
499 * Constructs a checked integer with given @a value. The checked integer is
500 * initialized as valid or invalid depending on whether the @a value
501 * is in range.
502 *
503 * This constructor is not explicit. Instead, the type of its argument is a
504 * separate template parameter, ensuring that no conversion is performed
505 * before this constructor is actually called. As explained in the above
506 * documentation for class CheckedInt, this constructor checks that its
507 * argument is valid.
508 */
515 }
525 }
527 /** Constructs a valid checked integer with initial value 0 */
531 }
533 /** @returns the actual value */
536 mIsValid,
539 }
541 /**
542 * @returns true if the checked integer is valid, i.e. is not the result
543 * of an invalid operation or of an operation involving an invalid checked
544 * integer
545 */
585 /**
586 * @returns true if the left and right hand sides are valid
587 * and have the same value.
588 *
589 * Note that these semantics are the reason why we don't offer
590 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
591 * but that would mean that whenever a or b is invalid, a!=b
592 * is always true, which would be very confusing.
593 *
594 * For similar reasons, operators <, >, <=, >= would be very tricky to
595 * specify, so we just avoid offering them.
596 *
597 * Notice that these == semantics are made more reasonable by these facts:
598 * 1. a==b implies equality at the raw data level
599 * (the converse is false, as a==b is never true among invalids)
600 * 2. This is similar to the behavior of IEEE floats, where a==b
601 * means that a and b have the same value *and* neither is NaN.
602 */
605 }
607 /** prefix ++ */
611 }
613 /** postfix ++ */
618 }
620 /** prefix -- */
624 }
626 /** postfix -- */
631 }
634 /**
635 * The !=, <, <=, >, >= operators are disabled:
636 * see the comment on operator==.
637 */
648 };
650 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
651 template <typename T> \
652 inline CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \
653 const CheckedInt<T>& aRhs) { \
654 if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \
655 return CheckedInt<T>(0, false); \
656 } \
657 return CheckedInt<T>(aLhs.mValue OP aRhs.mValue, \
658 aLhs.mIsValid && aRhs.mIsValid); \
659 }
661 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
662 # define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(NAME, OP, FUN) \
663 template <typename T> \
664 inline CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \
665 const CheckedInt<T>& aRhs) { \
666 T result; \
667 if (FUN(aLhs.mValue, aRhs.mValue, &result)) { \
668 return CheckedInt<T>(0, false); \
669 } \
670 return CheckedInt<T>(result, aLhs.mIsValid && aRhs.mIsValid); \
671 }
675 # undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2
676 #else
680 #endif
684 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
686 // Implement castToCheckedInt<T>(x), making sure that
687 // - it allows x to be either a CheckedInt<T> or any integer type
688 // that can be casted to T
689 // - if x is already a CheckedInt<T>, we just return a reference to it,
690 // instead of copying it (optimization)
698 };
704 };
710 U aU) {
714 }
716 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
717 template <typename T> \
718 template <typename U> \
719 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U aRhs) { \
720 *this = *this OP castToCheckedInt<T>(aRhs); \
721 return *this; \
722 } \
723 template <typename T> \
724 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP( \
725 const CheckedInt<T>& aRhs) { \
726 *this = *this OP aRhs; \
727 return *this; \
728 } \
729 template <typename T, typename U> \
730 inline CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, U aRhs) { \
731 return aLhs OP castToCheckedInt<T>(aRhs); \
732 } \
733 template <typename T, typename U> \
734 inline CheckedInt<T> operator OP(U aLhs, const CheckedInt<T>& aRhs) { \
735 return castToCheckedInt<T>(aLhs) OP aRhs; \
736 }
744 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
749 }
754 }
756 // Convenience typedefs.