| blob | 714e8a57ab492a849666d6531936cb15cde4f0b7 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Provides checked integers, detecting integer overflow and divide-by-0. */
9 #ifndef mozilla_CheckedInt_h
10 #define mozilla_CheckedInt_h
12 #include <stdint.h>
22 /*
23 * Step 1: manually record supported types
24 *
25 * What's nontrivial here is that there are different families of integer
26 * types: basic integer types and stdint types. It is merrily undefined which
27 * types from one family may be just typedefs for a type from another family.
28 *
29 * For example, on GCC 4.6, aside from the basic integer types, the only other
30 * type that isn't just a typedef for some of them, is int8_t.
31 */
36 struct IsSupportedPass2
37 {
39 };
42 struct IsSupported
43 {
45 };
124 /*
125 * Step 2: Implement the actual validity checks.
126 *
127 * Ideas taken from IntegerLib, code different.
128 */
131 struct TwiceBiggerType
132 {
137 };
141 {
143 };
148 {
149 // In C++, right bit shifts on negative values is undefined by the standard.
150 // Notice that signed-to-unsigned conversions are always well-defined in the
151 // standard, as the value congruent modulo 2**n as expected. By contrast,
152 // unsigned-to-signed is only well-defined if the value is representable.
155 }
157 // Bitwise ops may return a larger type, so it's good to use this inline
158 // helper guaranteeing that the result is really of type T.
160 inline T
162 {
164 }
167 typename U,
170 struct DoesRangeContainRange
171 {
172 };
176 {
178 };
182 {
184 };
188 {
190 };
193 typename U,
201 {
203 {
205 }
206 };
210 {
212 {
214 }
215 };
219 {
221 {
223 }
224 };
228 {
230 {
232 }
233 };
237 {
239 {
243 }
244 };
249 {
251 }
256 {
257 // Addition is valid if the sign of aX+aY is equal to either that of aX or
258 // that of aY. Since the value of aX+aY is undefined if we have a signed
259 // type, we compute it using the unsigned type of the same size. Beware!
260 // These bitwise operations can return a larger integer type, if T was a
261 // small type like int8_t, so we explicitly cast to T.
269 }
274 {
275 // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX
276 // have same sign. Since the value of aX-aY is undefined if we have a signed
277 // type, we compute it using the unsigned type of the same size.
285 }
295 {
297 {
301 }
302 };
306 {
308 {
314 }
319 }
321 // If we reach this point, we know that aX < 0.
325 }
326 };
330 {
332 {
334 }
335 };
340 {
342 }
347 {
348 // Keep in mind that in the signed case, min/-1 is invalid because
349 // abs(min)>max.
352 }
360 {
362 }
364 /*
365 * Mod is pretty simple.
366 * For now, let's just use the ANSI C definition:
367 * If aX or aY are negative, the results are implementation defined.
368 * Consider these invalid.
369 * Undefined for aY=0.
370 * The result will never exceed either aX or aY.
371 *
372 * Checking that aX>=0 is a warning when T is unsigned.
373 */
377 {
379 {
381 }
382 };
386 {
388 {
391 }
393 }
394 };
401 {
403 {
404 // Handle negation separately for signed/unsigned, for simpler code and to
405 // avoid an MSVC warning negating an unsigned value.
407 }
408 };
412 {
414 {
415 // Watch out for the min-value, which (with twos-complement) can't be
416 // negated as -min-value is then (max-value + 1).
419 }
421 }
422 };
427 /*
428 * Step 3: Now define the CheckedInt class.
429 */
431 /**
432 * @class CheckedInt
433 * @brief Integer wrapper class checking for integer overflow and other errors
434 * @param T the integer type to wrap. Can be any type among the following:
435 * - any basic integer type such as |int|
436 * - any stdint type such as |int8_t|
437 *
438 * This class implements guarded integer arithmetic. Do a computation, check
439 * that isValid() returns true, you then have a guarantee that no problem, such
440 * as integer overflow, happened during this computation, and you can call
441 * value() to get the plain integer value.
442 *
443 * The arithmetic operators in this class are guaranteed not to raise a signal
444 * (e.g. in case of a division by zero).
445 *
446 * For example, suppose that you want to implement a function that computes
447 * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by
448 * zero or integer overflow). You could code it as follows:
449 @code
450 bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult)
451 {
452 CheckedInt<int> checkedResult = (CheckedInt<int>(aX) + aY) / aZ;
453 if (checkedResult.isValid()) {
454 *aResult = checkedResult.value();
455 return true;
456 } else {
457 return false;
458 }
459 }
460 @endcode
461 *
462 * Implicit conversion from plain integers to checked integers is allowed. The
463 * plain integer is checked to be in range before being casted to the
464 * destination type. This means that the following lines all compile, and the
465 * resulting CheckedInts are correctly detected as valid or invalid:
466 * @code
467 // 1 is of type int, is found to be in range for uint8_t, x is valid
468 CheckedInt<uint8_t> x(1);
469 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
470 CheckedInt<uint8_t> x(-1);
471 // -1 is of type int, is found to be in range for int8_t, x is valid
472 CheckedInt<int8_t> x(-1);
473 // 1000 is of type int16_t, is found not to be in range for int8_t,
474 // x is invalid
475 CheckedInt<int8_t> x(int16_t(1000));
476 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
477 // x is invalid
478 CheckedInt<int32_t> x(uint32_t(3123456789));
479 * @endcode
480 * Implicit conversion from
481 * checked integers to plain integers is not allowed. As shown in the
482 * above example, to get the value of a checked integer as a normal integer,
483 * call value().
484 *
485 * Arithmetic operations between checked and plain integers is allowed; the
486 * result type is the type of the checked integer.
487 *
488 * Checked integers of different types cannot be used in the same arithmetic
489 * expression.
490 *
491 * There are convenience typedefs for all stdint types, of the following form
492 * (these are just 2 examples):
493 @code
494 typedef CheckedInt<int32_t> CheckedInt32;
495 typedef CheckedInt<uint16_t> CheckedUint16;
496 @endcode
497 */
499 class CheckedInt
500 {
502 T mValue;
507 {
511 }
516 /**
517 * Constructs a checked integer with given @a value. The checked integer is
518 * initialized as valid or invalid depending on whether the @a value
519 * is in range.
520 *
521 * This constructor is not explicit. Instead, the type of its argument is a
522 * separate template parameter, ensuring that no conversion is performed
523 * before this constructor is actually called. As explained in the above
524 * documentation for class CheckedInt, this constructor checks that its
525 * argument is valid.
526 */
531 {
535 }
542 {
546 }
548 /** Constructs a valid checked integer with initial value 0 */
550 {
553 }
555 /** @returns the actual value */
557 {
560 }
562 /**
563 * @returns true if the checked integer is valid, i.e. is not the result
564 * of an invalid operation or of an operation involving an invalid checked
565 * integer
566 */
568 {
570 }
603 {
605 }
607 /**
608 * @returns true if the left and right hand sides are valid
609 * and have the same value.
610 *
611 * Note that these semantics are the reason why we don't offer
612 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
613 * but that would mean that whenever a or b is invalid, a!=b
614 * is always true, which would be very confusing.
615 *
616 * For similar reasons, operators <, >, <=, >= would be very tricky to
617 * specify, so we just avoid offering them.
618 *
619 * Notice that these == semantics are made more reasonable by these facts:
620 * 1. a==b implies equality at the raw data level
621 * (the converse is false, as a==b is never true among invalids)
622 * 2. This is similar to the behavior of IEEE floats, where a==b
623 * means that a and b have the same value *and* neither is NaN.
624 */
626 {
628 }
630 /** prefix ++ */
632 {
635 }
637 /** postfix ++ */
639 {
643 }
645 /** prefix -- */
647 {
650 }
652 /** postfix -- */
654 {
658 }
661 /**
662 * The !=, <, <=, >, >= operators are disabled:
663 * see the comment on operator==.
664 */
670 };
672 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
673 template<typename T> \
674 inline CheckedInt<T> \
675 operator OP(const CheckedInt<T>& aLhs, const CheckedInt<T>& aRhs) \
676 { \
677 if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \
678 return CheckedInt<T>(0, false); \
679 } \
680 return CheckedInt<T>(aLhs.mValue OP aRhs.mValue, \
681 aLhs.mIsValid && aRhs.mIsValid); \
682 }
690 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
692 // Implement castToCheckedInt<T>(x), making sure that
693 // - it allows x to be either a CheckedInt<T> or any integer type
694 // that can be casted to T
695 // - if x is already a CheckedInt<T>, we just return a reference to it,
696 // instead of copying it (optimization)
701 struct CastToCheckedIntImpl
702 {
705 };
709 {
712 };
719 {
724 }
726 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
727 template<typename T> \
728 template<typename U> \
729 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U aRhs) \
730 { \
731 *this = *this OP castToCheckedInt<T>(aRhs); \
732 return *this; \
733 } \
734 template<typename T, typename U> \
735 inline CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, U aRhs) \
736 { \
737 return aLhs OP castToCheckedInt<T>(aRhs); \
738 } \
739 template<typename T, typename U> \
740 inline CheckedInt<T> operator OP(U aLhs, const CheckedInt<T>& aRhs) \
741 { \
742 return castToCheckedInt<T>(aLhs) OP aRhs; \
743 }
751 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
756 {
758 }
763 {
765 }
767 // Convenience typedefs.