| blob | 8b3f6352acc35084074a81a08e6e58cff86a0529 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Provides checked integers, detecting integer overflow and divide-by-0. */
9 #ifndef mozilla_CheckedInt_h
10 #define mozilla_CheckedInt_h
12 #include <stdint.h>
17 #define MOZILLA_CHECKEDINT_COMPARABLE_VERSION(major, minor, patch) \
18 (major << 16 | minor << 8 | patch)
20 // Probe for builtin math overflow support. Disabled for 32-bit builds for now
21 // since "gcc -m32" claims to support these but its implementation is buggy.
22 // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82274
23 // Also disabled for clang before version 7 (resp. Xcode clang 10.0.1): while
24 // clang 5 and 6 have a working __builtin_add_overflow, it is not constexpr.
25 #if defined(HAVE_64BIT_BUILD)
26 # if defined(__has_builtin) && \
27 (!defined(__clang_major__) || \
28 (!defined(__apple_build_version__) && __clang_major__ >= 7) || \
29 (defined(__apple_build_version__) && \
30 MOZILLA_CHECKEDINT_COMPARABLE_VERSION( \
31 __clang_major__, __clang_minor__, __clang_patchlevel__) >= \
32 MOZILLA_CHECKEDINT_COMPARABLE_VERSION(10, 0, 1)))
33 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__has_builtin(__builtin_add_overflow))
34 # elif defined(__GNUC__)
35 // (clang also defines __GNUC__ but it supports __has_builtin since at least
36 // v3.1 (released in 2012) so it won't get here.)
37 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__GNUC__ >= 5)
38 # else
39 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
40 # endif
41 #else
42 # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0)
43 #endif
45 #undef MOZILLA_CHECKEDINT_COMPARABLE_VERSION
54 /*
55 * Step 1: manually record supported types
56 *
57 * What's nontrivial here is that there are different families of integer
58 * types: basic integer types and stdint types. It is merrily undefined which
59 * types from one family may be just typedefs for a type from another family.
60 *
61 * For example, on GCC 4.6, aside from the basic integer types, the only other
62 * type that isn't just a typedef for some of them, is int8_t.
63 */
70 };
75 };
80 };
85 };
90 };
95 };
100 };
105 };
110 };
115 };
120 };
125 };
130 };
135 };
140 };
145 };
150 };
155 };
160 };
165 };
170 };
172 /*
173 * Step 2: Implement the actual validity checks.
174 *
175 * Ideas taken from IntegerLib, code different.
176 */
182 };
187 };
191 // In C++, right bit shifts on negative values is undefined by the standard.
192 // Notice that signed-to-unsigned conversions are always well-defined in the
193 // standard, as the value congruent modulo 2**n as expected. By contrast,
194 // unsigned-to-signed is only well-defined if the value is representable.
197 }
199 // Bitwise ops may return a larger type, so it's good to use this inline
200 // helper guaranteeing that the result is really of type T.
204 }
213 };
218 };
223 };
233 };
239 }
240 };
245 };
251 }
252 };
259 }
260 };
265 }
269 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
270 T dummy;
272 #else
273 // Addition is valid if the sign of aX+aY is equal to either that of aX or
274 // that of aY. Since the value of aX+aY is undefined if we have a signed
275 // type, we compute it using the unsigned type of the same size. Beware!
276 // These bitwise operations can return a larger integer type, if T was a
277 // small type like int8_t, so we explicitly cast to T.
285 #endif
286 }
290 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
291 T dummy;
293 #else
294 // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX
295 // have same sign. Since the value of aX-aY is undefined if we have a signed
296 // type, we compute it using the unsigned type of the same size.
304 #endif
305 }
318 }
319 };
329 }
332 }
334 // If we reach this point, we know that aX < 0.
336 }
337 };
343 }
344 };
348 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
349 T dummy;
351 #else
353 #endif
354 }
358 // Keep in mind that in the signed case, min/-1 is invalid because
359 // abs(min)>max.
362 }
370 }
372 /*
373 * Mod is pretty simple.
374 * For now, let's just use the ANSI C definition:
375 * If aX or aY are negative, the results are implementation defined.
376 * Consider these invalid.
377 * Undefined for aY=0.
378 * The result will never exceed either aX or aY.
379 *
380 * Checking that aX>=0 is a warning when T is unsigned.
381 */
386 };
393 }
395 }
396 };
404 // Handle negation separately for signed/unsigned, for simpler code and to
405 // avoid an MSVC warning negating an unsigned value.
407 }
408 };
413 // Watch out for the min-value, which (with twos-complement) can't be
414 // negated as -min-value is then (max-value + 1).
417 }
419 }
420 };
424 /*
425 * Step 3: Now define the CheckedInt class.
426 */
428 /**
429 * @class CheckedInt
430 * @brief Integer wrapper class checking for integer overflow and other errors
431 * @param T the integer type to wrap. Can be any type among the following:
432 * - any basic integer type such as |int|
433 * - any stdint type such as |int8_t|
434 *
435 * This class implements guarded integer arithmetic. Do a computation, check
436 * that isValid() returns true, you then have a guarantee that no problem, such
437 * as integer overflow, happened during this computation, and you can call
438 * value() to get the plain integer value.
439 *
440 * The arithmetic operators in this class are guaranteed not to raise a signal
441 * (e.g. in case of a division by zero).
442 *
443 * For example, suppose that you want to implement a function that computes
444 * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by
445 * zero or integer overflow). You could code it as follows:
446 @code
447 bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult)
448 {
449 CheckedInt<int> checkedResult = (CheckedInt<int>(aX) + aY) / aZ;
450 if (checkedResult.isValid()) {
451 *aResult = checkedResult.value();
452 return true;
453 } else {
454 return false;
455 }
456 }
457 @endcode
458 *
459 * Implicit conversion from plain integers to checked integers is allowed. The
460 * plain integer is checked to be in range before being casted to the
461 * destination type. This means that the following lines all compile, and the
462 * resulting CheckedInts are correctly detected as valid or invalid:
463 * @code
464 // 1 is of type int, is found to be in range for uint8_t, x is valid
465 CheckedInt<uint8_t> x(1);
466 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
467 CheckedInt<uint8_t> x(-1);
468 // -1 is of type int, is found to be in range for int8_t, x is valid
469 CheckedInt<int8_t> x(-1);
470 // 1000 is of type int16_t, is found not to be in range for int8_t,
471 // x is invalid
472 CheckedInt<int8_t> x(int16_t(1000));
473 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
474 // x is invalid
475 CheckedInt<int32_t> x(uint32_t(3123456789));
476 * @endcode
477 * Implicit conversion from
478 * checked integers to plain integers is not allowed. As shown in the
479 * above example, to get the value of a checked integer as a normal integer,
480 * call value().
481 *
482 * Arithmetic operations between checked and plain integers is allowed; the
483 * result type is the type of the checked integer.
484 *
485 * Checked integers of different types cannot be used in the same arithmetic
486 * expression.
487 *
488 * There are convenience typedefs for all stdint types, of the following form
489 * (these are just 2 examples):
490 @code
491 typedef CheckedInt<int32_t> CheckedInt32;
492 typedef CheckedInt<uint16_t> CheckedUint16;
493 @endcode
494 */
498 T mValue;
507 }
512 /**
513 * Constructs a checked integer with given @a value. The checked integer is
514 * initialized as valid or invalid depending on whether the @a value
515 * is in range.
516 *
517 * This constructor is not explicit. Instead, the type of its argument is a
518 * separate template parameter, ensuring that no conversion is performed
519 * before this constructor is actually called. As explained in the above
520 * documentation for class CheckedInt, this constructor checks that its
521 * argument is valid.
522 */
529 }
539 }
541 /** Constructs a valid checked integer with initial value 0 */
545 }
547 /** @returns the actual value */
550 mIsValid,
553 }
555 /**
556 * @returns true if the checked integer is valid, i.e. is not the result
557 * of an invalid operation or of an operation involving an invalid checked
558 * integer
559 */
599 }
601 /**
602 * @returns true if the left and right hand sides are valid
603 * and have the same value.
604 *
605 * Note that these semantics are the reason why we don't offer
606 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
607 * but that would mean that whenever a or b is invalid, a!=b
608 * is always true, which would be very confusing.
609 *
610 * For similar reasons, operators <, >, <=, >= would be very tricky to
611 * specify, so we just avoid offering them.
612 *
613 * Notice that these == semantics are made more reasonable by these facts:
614 * 1. a==b implies equality at the raw data level
615 * (the converse is false, as a==b is never true among invalids)
616 * 2. This is similar to the behavior of IEEE floats, where a==b
617 * means that a and b have the same value *and* neither is NaN.
618 */
621 }
623 /** prefix ++ */
627 }
629 /** postfix ++ */
634 }
636 /** prefix -- */
640 }
642 /** postfix -- */
647 }
650 /**
651 * The !=, <, <=, >, >= operators are disabled:
652 * see the comment on operator==.
653 */
664 };
666 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
667 template <typename T> \
668 constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \
669 const CheckedInt<T>& aRhs) { \
670 if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \
671 return CheckedInt<T>(0, false); \
672 } \
673 return CheckedInt<T>(aLhs.mValue OP aRhs.mValue, \
674 aLhs.mIsValid && aRhs.mIsValid); \
675 }
677 #if MOZ_HAS_BUILTIN_OP_OVERFLOW
678 # define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(NAME, OP, FUN) \
679 template <typename T> \
680 constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \
681 const CheckedInt<T>& aRhs) { \
682 auto result = T{}; \
683 if (FUN(aLhs.mValue, aRhs.mValue, &result)) { \
684 return CheckedInt<T>(0, false); \
685 } \
686 return CheckedInt<T>(result, aLhs.mIsValid && aRhs.mIsValid); \
687 }
691 # undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2
692 #else
696 #endif
700 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
702 // Implement castToCheckedInt<T>(x), making sure that
703 // - it allows x to be either a CheckedInt<T> or any integer type
704 // that can be casted to T
705 // - if x is already a CheckedInt<T>, we just return a reference to it,
706 // instead of copying it (optimization)
714 };
721 }
722 };
732 }
734 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
735 template <typename T> \
736 template <typename U> \
737 constexpr CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U aRhs) { \
738 *this = *this OP castToCheckedInt<T>(aRhs); \
739 return *this; \
740 } \
741 template <typename T> \
742 constexpr CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP( \
743 const CheckedInt<T>& aRhs) { \
744 *this = *this OP aRhs; \
745 return *this; \
746 } \
747 template <typename T, typename U> \
748 constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, U aRhs) { \
749 return aLhs OP castToCheckedInt<T>(aRhs); \
750 } \
751 template <typename T, typename U> \
752 constexpr CheckedInt<T> operator OP(U aLhs, const CheckedInt<T>& aRhs) { \
753 return castToCheckedInt<T>(aLhs) OP aRhs; \
754 }
762 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
767 }
772 }
774 // Convenience typedefs.