| blob | 7988cf9fe3b85a45e85f8815d60d7f7356cf0c5b |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim:set ts=2 sw=2 sts=2 et cindent: */
3 /* ***** BEGIN LICENSE BLOCK *****
4 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 *
6 * The contents of this file are subject to the Mozilla Public License Version
7 * 1.1 (the "License"); you may not use this file except in compliance with
8 * the License. You may obtain a copy of the License at
9 * http://www.mozilla.org/MPL/
10 *
11 * Software distributed under the License is distributed on an "AS IS" basis,
12 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13 * for the specific language governing rights and limitations under the
14 * License.
15 *
16 * The Original Code is Mozilla code.
17 *
18 * The Initial Developer of the Original Code is the Mozilla Corporation.
19 * Portions created by the Initial Developer are Copyright (C) 2009
20 * the Initial Developer. All Rights Reserved.
21 *
22 * Contributor(s):
23 * Benoit Jacob <bjacob@mozilla.com>
24 * Jeff Muizelaar <jmuizelaar@mozilla.com>
25 *
26 * Alternatively, the contents of this file may be used under the terms of
27 * either the GNU General Public License Version 2 or later (the "GPL"), or
28 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
29 * in which case the provisions of the GPL or the LGPL are applicable instead
30 * of those above. If you wish to allow use of your version of this file only
31 * under the terms of either the GPL or the LGPL, and not to allow others to
32 * use your version of this file under the terms of the MPL, indicate your
33 * decision by deleting the provisions above and replace them with the notice
34 * and other provisions required by the GPL or the LGPL. If you do not delete
35 * the provisions above, a recipient may use your version of this file under
36 * the terms of any one of the MPL, the GPL or the LGPL.
37 *
38 * ***** END LICENSE BLOCK ***** */
40 #ifndef mozilla_CheckedInt_h
41 #define mozilla_CheckedInt_h
45 #include <climits>
51 /* we don't want to use std::numeric_limits here because PRInt... types may not support it,
52 * depending on the platform, e.g. on certain platforms they use nonstandard built-in types
53 */
55 /*** Step 1: manually record information for all the types that we want to support
56 ***/
61 {
65 };
68 #define CHECKEDINT_REGISTER_SUPPORTED_TYPE(T,_twice_bigger_type,_unsigned_type) \
69 template<> struct integer_type_manually_recorded_info<T> \
70 { \
71 enum { is_supported = 1 }; \
72 typedef _twice_bigger_type twice_bigger_type; \
73 typedef _unsigned_type unsigned_type; \
74 static void TYPE_NOT_SUPPORTED_BY_CheckedInt() {} \
75 };
77 // Type Twice Bigger Type Unsigned Type
88 /*** Step 2: record some info about a given integer type,
89 *** including whether it is supported, whether a twice bigger integer type
90 *** is supported, what that twice bigger type is, and some stuff as found
91 *** in std::numeric_limits (which we don't use because PRInt.. types may
92 *** not support it, if they are defined directly from compiler built-in types).
93 *** We use function names min_value() and max_value() instead of min() and max()
94 *** because of stupid min/max macros in Windows headers.
95 ***/
101 {
107 twice_bigger_type_is_supported
114 };
117 {
118 // bitwise ops may return a larger type, that's why we cast explicitly to T
119 // in C++, left bit shifts on signed values is undefined by the standard unless the shifted value is representable.
120 // notice that signed-to-unsigned conversions are always well-defined in the standard,
121 // as the value congruent to 2^n as expected. By contrast, unsigned-to-signed is only well-defined if the value is
122 // representable.
124 }
127 {
129 }
130 };
132 /*** Step 3: Implement the actual validity checks --- ideas taken from IntegerLib, code different.
133 ***/
135 // bitwise ops may return a larger type, so it's good to use these inline helpers guaranteeing that
136 // the result is really of type T
139 {
140 // in C++, right bit shifts on negative values is undefined by the standard.
141 // notice that signed-to-unsigned conversions are always well-defined in the standard,
142 // as the value congruent modulo 2^n as expected. By contrast, unsigned-to-signed is only well-defined if the value is
143 // representable. Here the unsigned-to-signed conversion is OK because the value (the result of the shift) is 0 or 1.
146 }
149 {
151 }
160 {
162 {
165 }
166 };
170 {
172 {
174 }
175 };
179 {
181 {
184 else
186 }
187 };
191 {
193 {
196 else
198 }
199 };
202 {
204 }
207 {
209 // addition is valid if the sign of x+y is equal to either that of x or that of y.
210 // Beware! These bitwise operations can return a larger integer type, if T was a
211 // small type like int8, so we explicitly cast to T.
213 :
215 }
218 {
220 // substraction is valid if either x and y have same sign, or x-y and x have same sign
222 :
224 }
233 {
235 {
239 }
240 };
244 {
246 {
255 else
260 else
262 }
263 }
264 };
268 {
270 {
274 }
275 };
278 {
280 }
283 {
285 // keep in mind that min/-1 is invalid because abs(min)>max
287 :
289 }
291 // this is just to shut up msvc warnings about negating unsigned ints.
293 struct opposite_if_signed_impl
294 {
296 };
299 {
301 };
310 /*** Step 4: Now define the CheckedInt class.
311 ***/
313 /** \class CheckedInt
314 * \brief Integer wrapper class checking for integer overflow and other errors
315 * \param T the integer type to wrap. Can be any of PRInt8, PRUint8, PRInt16, PRUint16,
316 * PRInt32, PRUint32, PRInt64, PRUint64.
317 *
318 * This class implements guarded integer arithmetic. Do a computation, check that
319 * valid() returns true, you then have a guarantee that no problem, such as integer overflow,
320 * happened during this computation.
321 *
322 * The arithmetic operators in this class are guaranteed not to crash your app
323 * in case of a division by zero.
324 *
325 * For example, suppose that you want to implement a function that computes (x+y)/z,
326 * that doesn't crash if z==0, and that reports on error (divide by zero or integer overflow).
327 * You could code it as follows:
328 \code
329 PRBool compute_x_plus_y_over_z(PRInt32 x, PRInt32 y, PRInt32 z, PRInt32 *result)
330 {
331 CheckedInt<PRInt32> checked_result = (CheckedInt<PRInt32>(x) + y) / z;
332 *result = checked_result.value();
333 return checked_result.valid();
334 }
335 \endcode
336 *
337 * Implicit conversion from plain integers to checked integers is allowed. The plain integer
338 * is checked to be in range before being casted to the destination type. This means that the following
339 * lines all compile, and the resulting CheckedInts are correctly detected as valid or invalid:
340 * \code
341 CheckedInt<PRUint8> x(1); // 1 is of type int, is found to be in range for PRUint8, x is valid
342 CheckedInt<PRUint8> x(-1); // -1 is of type int, is found not to be in range for PRUint8, x is invalid
343 CheckedInt<PRInt8> x(-1); // -1 is of type int, is found to be in range for PRInt8, x is valid
344 CheckedInt<PRInt8> x(PRInt16(1000)); // 1000 is of type PRInt16, is found not to be in range for PRInt8, x is invalid
345 CheckedInt<PRInt32> x(PRUint32(3123456789)); // 3123456789 is of type PRUint32, is found not to be in range
346 // for PRInt32, x is invalid
347 * \endcode
348 * Implicit conversion from
349 * checked integers to plain integers is not allowed. As shown in the
350 * above example, to get the value of a checked integer as a normal integer, call value().
351 *
352 * Arithmetic operations between checked and plain integers is allowed; the result type
353 * is the type of the checked integer.
354 *
355 * Checked integers of different types cannot be used in the same arithmetic expression.
356 *
357 * There are convenience typedefs for all PR integer types, of the following form (these are just 2 examples):
358 \code
359 typedef CheckedInt<PRInt32> CheckedInt32;
360 typedef CheckedInt<PRUint16> CheckedUint16;
361 \endcode
362 */
364 class CheckedInt
365 {
367 T mValue;
369 // evaluating nested arithmetic expressions.
373 {
376 }
379 /** Constructs a checked integer with given \a value. The checked integer is initialized as valid or invalid
380 * depending on whether the \a value is in range.
381 *
382 * This constructor is not explicit. Instead, the type of its argument is a separate template parameter,
383 * ensuring that no conversion is performed before this constructor is actually called.
384 * As explained in the above documentation for class CheckedInt, this constructor checks that its argument is
385 * valid.
386 */
391 {
394 }
396 /** Constructs a valid checked integer with initial value 0 */
398 {
401 }
403 /** \returns the actual value */
406 /** \returns PR_TRUE if the checked integer is valid, i.e. is not the result
407 * of an invalid operation or of an operation involving an invalid checked integer
408 */
410 {
412 }
414 /** \returns the sum. Checks for overflow. */
415 template<typename U> friend CheckedInt<U> operator +(const CheckedInt<U>& lhs, const CheckedInt<U>& rhs);
416 /** Adds. Checks for overflow. \returns self reference */
418 /** \returns the difference. Checks for overflow. */
419 template<typename U> friend CheckedInt<U> operator -(const CheckedInt<U>& lhs, const CheckedInt<U> &rhs);
420 /** Substracts. Checks for overflow. \returns self reference */
422 /** \returns the product. Checks for overflow. */
423 template<typename U> friend CheckedInt<U> operator *(const CheckedInt<U>& lhs, const CheckedInt<U> &rhs);
424 /** Multiplies. Checks for overflow. \returns self reference */
426 /** \returns the quotient. Checks for overflow and for divide-by-zero. */
427 template<typename U> friend CheckedInt<U> operator /(const CheckedInt<U>& lhs, const CheckedInt<U> &rhs);
428 /** Divides. Checks for overflow and for divide-by-zero. \returns self reference */
431 /** \returns the opposite value. Checks for overflow. */
433 {
434 // circumvent msvc warning about - applied to unsigned int.
435 // if we're unsigned, the only valid case anyway is 0 in which case - is a no-op.
437 /* give the compiler a good chance to perform RVO */
440 }
442 /** \returns true if the left and right hand sides are valid and have the same value. */
444 {
446 }
448 /** prefix ++ */
450 {
453 }
455 /** postfix ++ */
457 {
461 }
463 /** prefix -- */
465 {
468 }
470 /** postfix -- */
472 {
476 }
479 /** operator!= is disabled. Indeed, (a!=b) should be the same as !(a==b) but that
480 * would mean that if a or b is invalid, (a!=b) is always true, which is very tricky.
481 */
484 };
486 #define CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
487 template<typename T> \
488 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, const CheckedInt<T> &rhs) \
489 { \
490 T x = lhs.mValue; \
491 T y = rhs.mValue; \
492 T result = x OP y; \
493 T is_op_valid \
494 = CheckedInt_internal::is_##NAME##_valid(x, y, result); \
496 return CheckedInt<T>(result, \
497 lhs.mIsValid & rhs.mIsValid & is_op_valid); \
498 }
504 // division can't be implemented by CHECKEDINT_BASIC_BINARY_OPERATOR
505 // because if rhs == 0, we are not allowed to even try to compute the quotient.
508 {
513 /* give the compiler a good chance to perform RVO */
516 }
518 // implement cast_to_CheckedInt<T>(x), making sure that
519 // - it allows x to be either a CheckedInt<T> or any integer type that can be casted to T
520 // - if x is already a CheckedInt<T>, we just return a reference to it, instead of copying it (optimization)
523 struct cast_to_CheckedInt_impl
524 {
527 };
531 {
534 };
539 {
541 }
543 #define CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
544 template<typename T> \
545 template<typename U> \
546 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U rhs) \
547 { \
548 *this = *this OP cast_to_CheckedInt<T>(rhs); \
549 return *this; \
550 } \
551 template<typename T, typename U> \
552 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, U rhs) \
553 { \
554 return lhs OP cast_to_CheckedInt<T>(rhs); \
555 } \
556 template<typename T, typename U> \
557 inline CheckedInt<T> operator OP(U lhs, const CheckedInt<T> &rhs) \
558 { \
559 return cast_to_CheckedInt<T>(lhs) OP rhs; \
560 }
569 {
571 }
575 {
577 }
579 // convenience typedefs.
580 // the use of a macro here helps make sure that we don't let a typo slip into some of these.
581 #define CHECKEDINT_MAKE_TYPEDEF(Type) \
582 typedef CheckedInt<PR##Type> Checked##Type;