| blob | a8b65c80dfb0c160d9b5617424015162a21c2d0f |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim:set ts=2 sw=2 sts=2 et cindent: */
3 /* ***** BEGIN LICENSE BLOCK *****
4 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 *
6 * The contents of this file are subject to the Mozilla Public License Version
7 * 1.1 (the "License"); you may not use this file except in compliance with
8 * the License. You may obtain a copy of the License at
9 * http://www.mozilla.org/MPL/
10 *
11 * Software distributed under the License is distributed on an "AS IS" basis,
12 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13 * for the specific language governing rights and limitations under the
14 * License.
15 *
16 * The Original Code is Mozilla code.
17 *
18 * The Initial Developer of the Original Code is the Mozilla Corporation.
19 * Portions created by the Initial Developer are Copyright (C) 2009
20 * the Initial Developer. All Rights Reserved.
21 *
22 * Contributor(s):
23 * Benoit Jacob <bjacob@mozilla.com>
24 * Jeff Muizelaar <jmuizelaar@mozilla.com>
25 *
26 * Alternatively, the contents of this file may be used under the terms of
27 * either the GNU General Public License Version 2 or later (the "GPL"), or
28 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
29 * in which case the provisions of the GPL or the LGPL are applicable instead
30 * of those above. If you wish to allow use of your version of this file only
31 * under the terms of either the GPL or the LGPL, and not to allow others to
32 * use your version of this file under the terms of the MPL, indicate your
33 * decision by deleting the provisions above and replace them with the notice
34 * and other provisions required by the GPL or the LGPL. If you do not delete
35 * the provisions above, a recipient may use your version of this file under
36 * the terms of any one of the MPL, the GPL or the LGPL.
37 *
38 * ***** END LICENSE BLOCK ***** */
40 #ifndef mozilla_CheckedInt_h
41 #define mozilla_CheckedInt_h
45 #include <climits>
51 /* we don't want to use std::numeric_limits here because PRInt... types may not support it,
52 * depending on the platform, e.g. on certain platforms they use nonstandard built-in types
53 */
55 /*** Step 1: manually record information for all the types that we want to support
56 ***/
61 {
65 };
68 #define CHECKEDINT_REGISTER_SUPPORTED_TYPE(T,_twice_bigger_type,_unsigned_type) \
69 template<> struct integer_type_manually_recorded_info<T> \
70 { \
71 enum { is_supported = 1 }; \
72 typedef _twice_bigger_type twice_bigger_type; \
73 typedef _unsigned_type unsigned_type; \
74 static void TYPE_NOT_SUPPORTED_BY_CheckedInt() {} \
75 };
77 // Type Twice Bigger Type Unsigned Type
88 /*** Step 2: record some info about a given integer type,
89 *** including whether it is supported, whether a twice bigger integer type
90 *** is supported, what that twice bigger type is, and some stuff as found
91 *** in std::numeric_limits (which we don't use because PRInt.. types may
92 *** not support it, if they are defined directly from compiler built-in types).
93 *** We use function names min_value() and max_value() instead of min() and max()
94 *** because of stupid min/max macros in Windows headers.
95 ***/
101 {
107 twice_bigger_type_is_supported
114 };
117 {
118 // bitwise ops may return a larger type, that's why we cast explicitly to T
119 // in C++, left bit shifts on signed values is undefined by the standard unless the shifted value is representable.
120 // notice that signed-to-unsigned conversions are always well-defined in the standard,
121 // as the value congruent to 2^n as expected. By contrast, unsigned-to-signed is only well-defined if the value is
122 // representable.
124 }
127 {
129 }
130 };
132 /*** Step 3: Implement the actual validity checks --- ideas taken from IntegerLib, code different.
133 ***/
135 // bitwise ops may return a larger type, so it's good to use these inline helpers guaranteeing that
136 // the result is really of type T
139 {
140 // in C++, right bit shifts on negative values is undefined by the standard.
141 // notice that signed-to-unsigned conversions are always well-defined in the standard,
142 // as the value congruent modulo 2^n as expected. By contrast, unsigned-to-signed is only well-defined if the value is
143 // representable. Here the unsigned-to-signed conversion is OK because the value (the result of the shift) is 0 or 1.
146 }
149 {
151 }
160 {
162 {
165 }
166 };
170 {
172 {
174 }
175 };
179 {
181 {
184 else
186 }
187 };
191 {
193 {
196 else
198 }
199 };
202 {
204 }
207 {
209 // addition is valid if the sign of x+y is equal to either that of x or that of y.
210 // Beware! These bitwise operations can return a larger integer type, if T was a
211 // small type like int8, so we explicitly cast to T.
213 :
215 }
218 {
220 // substraction is valid if either x and y have same sign, or x-y and x have same sign
222 :
224 }
233 {
235 {
239 }
240 };
244 {
246 {
255 else
260 else
262 }
263 }
264 };
268 {
270 {
274 }
275 };
278 {
280 }
283 {
285 // keep in mind that min/-1 is invalid because abs(min)>max
287 :
289 }
294 /*** Step 4: Now define the CheckedInt class.
295 ***/
297 /** \class CheckedInt
298 * \brief Integer wrapper class checking for integer overflow and other errors
299 * \param T the integer type to wrap. Can be any of PRInt8, PRUint8, PRInt16, PRUint16,
300 * PRInt32, PRUint32, PRInt64, PRUint64.
301 *
302 * This class implements guarded integer arithmetic. Do a computation, check that
303 * valid() returns true, you then have a guarantee that no problem, such as integer overflow,
304 * happened during this computation.
305 *
306 * The arithmetic operators in this class are guaranteed not to crash your app
307 * in case of a division by zero.
308 *
309 * For example, suppose that you want to implement a function that computes (x+y)/z,
310 * that doesn't crash if z==0, and that reports on error (divide by zero or integer overflow).
311 * You could code it as follows:
312 \code
313 PRBool compute_x_plus_y_over_z(PRInt32 x, PRInt32 y, PRInt32 z, PRInt32 *result)
314 {
315 CheckedInt<PRInt32> checked_result = (CheckedInt<PRInt32>(x) + y) / z;
316 *result = checked_result.value();
317 return checked_result.valid();
318 }
319 \endcode
320 *
321 * Implicit conversion from plain integers to checked integers is allowed. The plain integer
322 * is checked to be in range before being casted to the destination type. This means that the following
323 * lines all compile, and the resulting CheckedInts are correctly detected as valid or invalid:
324 * \code
325 CheckedInt<PRUint8> x(1); // 1 is of type int, is found to be in range for PRUint8, x is valid
326 CheckedInt<PRUint8> x(-1); // -1 is of type int, is found not to be in range for PRUint8, x is invalid
327 CheckedInt<PRInt8> x(-1); // -1 is of type int, is found to be in range for PRInt8, x is valid
328 CheckedInt<PRInt8> x(PRInt16(1000)); // 1000 is of type PRInt16, is found not to be in range for PRInt8, x is invalid
329 CheckedInt<PRInt32> x(PRUint32(3123456789)); // 3123456789 is of type PRUint32, is found not to be in range
330 // for PRInt32, x is invalid
331 * \endcode
332 * Implicit conversion from
333 * checked integers to plain integers is not allowed. As shown in the
334 * above example, to get the value of a checked integer as a normal integer, call value().
335 *
336 * Arithmetic operations between checked and plain integers is allowed; the result type
337 * is the type of the checked integer.
338 *
339 * Checked integers of different types cannot be used in the same arithmetic expression.
340 *
341 * There are convenience typedefs for all PR integer types, of the following form (these are just 2 examples):
342 \code
343 typedef CheckedInt<PRInt32> CheckedInt32;
344 typedef CheckedInt<PRUint16> CheckedUint16;
345 \endcode
346 */
348 class CheckedInt
349 {
351 T mValue;
353 // evaluating nested arithmetic expressions.
357 {
360 }
363 /** Constructs a checked integer with given \a value. The checked integer is initialized as valid or invalid
364 * depending on whether the \a value is in range.
365 *
366 * This constructor is not explicit. Instead, the type of its argument is a separate template parameter,
367 * ensuring that no conversion is performed before this constructor is actually called.
368 * As explained in the above documentation for class CheckedInt, this constructor checks that its argument is
369 * valid.
370 */
375 {
378 }
380 /** Constructs a valid checked integer with uninitialized value */
382 {
385 }
387 /** \returns the actual value */
390 /** \returns PR_TRUE if the checked integer is valid, i.e. is not the result
391 * of an invalid operation or of an operation involving an invalid checked integer
392 */
394 {
396 }
398 /** \returns the sum. Checks for overflow. */
399 template<typename U> friend CheckedInt<U> operator +(const CheckedInt<U>& lhs, const CheckedInt<U>& rhs);
400 /** Adds. Checks for overflow. \returns self reference */
402 /** \returns the difference. Checks for overflow. */
403 template<typename U> friend CheckedInt<U> operator -(const CheckedInt<U>& lhs, const CheckedInt<U> &rhs);
404 /** Substracts. Checks for overflow. \returns self reference */
406 /** \returns the product. Checks for overflow. */
407 template<typename U> friend CheckedInt<U> operator *(const CheckedInt<U>& lhs, const CheckedInt<U> &rhs);
408 /** Multiplies. Checks for overflow. \returns self reference */
410 /** \returns the quotient. Checks for overflow and for divide-by-zero. */
411 template<typename U> friend CheckedInt<U> operator /(const CheckedInt<U>& lhs, const CheckedInt<U> &rhs);
412 /** Divides. Checks for overflow and for divide-by-zero. \returns self reference */
415 /** \returns the opposite value. Checks for overflow. */
417 {
419 /* give the compiler a good chance to perform RVO */
422 }
424 /** \returns true if the left and right hand sides are valid and have the same value. */
426 {
428 }
430 /** prefix ++ */
432 {
435 }
437 /** postfix ++ */
439 {
443 }
445 /** prefix -- */
447 {
450 }
452 /** postfix -- */
454 {
458 }
461 /** operator!= is disabled. Indeed, (a!=b) should be the same as !(a==b) but that
462 * would mean that if a or b is invalid, (a!=b) is always true, which is very tricky.
463 */
466 };
468 #define CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
469 template<typename T> \
470 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, const CheckedInt<T> &rhs) \
471 { \
472 T x = lhs.value(); \
473 T y = rhs.value(); \
474 T result = x OP y; \
475 T is_op_valid \
476 = CheckedInt_internal::is_##NAME##_valid(x, y, result); \
478 return CheckedInt<T>(result, \
479 lhs.mIsValid & rhs.mIsValid & is_op_valid); \
480 }
486 // division can't be implemented by CHECKEDINT_BASIC_BINARY_OPERATOR
487 // because if rhs == 0, we are not allowed to even try to compute the quotient.
490 {
495 /* give the compiler a good chance to perform RVO */
498 }
500 // implement cast_to_CheckedInt<T>(x), making sure that
501 // - it allows x to be either a CheckedInt<T> or any integer type that can be casted to T
502 // - if x is already a CheckedInt<T>, we just return a reference to it, instead of copying it (optimization)
505 struct cast_to_CheckedInt_impl
506 {
509 };
513 {
516 };
521 {
523 }
525 #define CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
526 template<typename T> \
527 template<typename U> \
528 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(const U &rhs) \
529 { \
530 *this = *this OP cast_to_CheckedInt<T>(rhs); \
531 return *this; \
532 } \
533 template<typename T, typename U> \
534 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, const U &rhs) \
535 { \
536 return lhs OP cast_to_CheckedInt<T>(rhs); \
537 } \
538 template<typename T, typename U> \
539 inline CheckedInt<T> operator OP(const U & lhs, const CheckedInt<T> &rhs) \
540 { \
541 return cast_to_CheckedInt<T>(lhs) OP rhs; \
542 }
551 {
553 }
557 {
559 }
561 // convenience typedefs.
562 // the use of a macro here helps make sure that we don't let a typo slip into some of these.
563 #define CHECKEDINT_MAKE_TYPEDEF(Type) \
564 typedef CheckedInt<PR##Type> Checked##Type;