| blob | 940399302faa2e67ba2fc0031df6100bc25e80c7 |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
4 * You can obtain one at http://mozilla.org/MPL/2.0/. */
6 /* Provides checked integers, detecting integer overflow and divide-by-0. */
8 // Necessary modifications are made to the original CheckedInt.h file when
9 // incorporating it into WebKit:
10 // 1) Comment out #define MOZ_CHECKEDINT_ENABLE_MOZ_ASSERTS
11 // 2) Comment out #include "mozilla/StandardInteger.h"
12 // 3) Define MOZ_DELETE
13 // 4) Change namespace mozilla to namespace blink
15 #ifndef mozilla_CheckedInt_h_
16 #define mozilla_CheckedInt_h_
18 /*
19 * Build options. Comment out these #defines to disable the corresponding
20 * optional feature. Disabling features may be useful for code using
21 * CheckedInt outside of Mozilla (e.g. WebKit)
22 */
24 // Enable usage of MOZ_STATIC_ASSERT to check for unsupported types.
25 // If disabled, static asserts are replaced by regular assert().
26 // #define MOZ_CHECKEDINT_ENABLE_MOZ_ASSERTS
28 /*
29 * End of build options
30 */
32 #ifdef MOZ_CHECKEDINT_ENABLE_MOZ_ASSERTS
34 #else
35 # ifndef MOZ_STATIC_ASSERT
36 # include <cassert>
37 # define MOZ_STATIC_ASSERT(cond, reason) assert((cond) && reason)
38 # define MOZ_ASSERT(cond, reason) assert((cond) && reason)
39 # endif
40 #endif
42 // #include "mozilla/StandardInteger.h"
44 #ifndef MOZ_DELETE
45 #define MOZ_DELETE
46 #endif
48 #include <climits>
54 /*
55 * Step 1: manually record supported types
56 *
57 * What's nontrivial here is that there are different families of integer
58 * types: basic integer types and stdint types. It is merrily undefined which
59 * types from one family may be just typedefs for a type from another family.
60 *
61 * For example, on GCC 4.6, aside from the basic integer types, the only other
62 * type that isn't just a typedef for some of them, is int8_t.
63 */
68 struct IsSupportedPass2
69 {
71 };
74 struct IsSupported
75 {
77 };
145 /*
146 * Step 2: some integer-traits kind of stuff.
147 */
150 struct StdintTypeForSizeAndSignedness
151 {};
186 struct UnsignedType
187 {
190 };
193 struct IsSigned
194 {
196 };
199 struct TwiceBiggerType
200 {
205 };
209 {
211 };
214 struct PositionOfSignBit
215 {
217 };
220 struct MinValue
221 {
227 // Bitwise ops may return a larger type, that's why we cast explicitly.
228 // In C++, left bit shifts on signed values is undefined by the standard
229 // unless the shifted value is representable.
230 // Notice that signed-to-unsigned conversions are always well-defined in
231 // the standard as the value congruent to 2**n, as expected. By contrast,
232 // unsigned-to-signed is only well-defined if the value is representable.
237 };
240 struct MaxValue
241 {
242 // Tricksy, but covered by the unit test.
243 // Relies heavily on the type of MinValue<IntegerType>::value
244 // being IntegerType.
246 };
248 /*
249 * Step 3: Implement the actual validity checks.
250 *
251 * Ideas taken from IntegerLib, code different.
252 */
257 {
258 // In C++, right bit shifts on negative values is undefined by the standard.
259 // Notice that signed-to-unsigned conversions are always well-defined in the
260 // standard, as the value congruent modulo 2**n as expected. By contrast,
261 // unsigned-to-signed is only well-defined if the value is representable.
264 }
266 // Bitwise ops may return a larger type, so it's good to use this inline
267 // helper guaranteeing that the result is really of type T.
269 inline T
271 {
273 }
276 typename U,
279 struct DoesRangeContainRange
280 {
281 };
285 {
287 };
291 {
293 };
297 {
299 };
302 typename U,
310 {
312 {
314 }
315 };
319 {
321 {
323 }
324 };
328 {
330 {
332 }
333 };
337 {
339 {
341 }
342 };
346 {
348 {
352 }
353 };
358 {
360 }
365 {
366 // Addition is valid if the sign of x+y is equal to either that of x or that
367 // of y. Since the value of x+y is undefined if we have a signed type, we
368 // compute it using the unsigned type of the same size.
369 // Beware! These bitwise operations can return a larger integer type,
370 // if T was a small type like int8_t, so we explicitly cast to T.
378 }
383 {
384 // Subtraction is valid if either x and y have same sign, or x-y and x have
385 // same sign. Since the value of x-y is undefined if we have a signed type,
386 // we compute it using the unsigned type of the same size.
394 }
404 {
406 {
410 }
411 };
415 {
417 {
428 }
430 // If we reach this point, we know that x < 0.
434 }
435 };
439 {
441 {
443 }
444 };
449 {
451 }
456 {
457 // Keep in mind that in the signed case, min/-1 is invalid because abs(min)>max.
460 }
462 // This is just to shut up msvc warnings about negating unsigned ints.
464 struct OppositeIfSignedImpl
465 {
467 };
470 {
472 };
474 inline T
476 {
478 }
483 /*
484 * Step 4: Now define the CheckedInt class.
485 */
487 /**
488 * @class CheckedInt
489 * @brief Integer wrapper class checking for integer overflow and other errors
490 * @param T the integer type to wrap. Can be any type among the following:
491 * - any basic integer type such as |int|
492 * - any stdint type such as |int8_t|
493 *
494 * This class implements guarded integer arithmetic. Do a computation, check
495 * that isValid() returns true, you then have a guarantee that no problem, such
496 * as integer overflow, happened during this computation, and you can call
497 * value() to get the plain integer value.
498 *
499 * The arithmetic operators in this class are guaranteed not to raise a signal
500 * (e.g. in case of a division by zero).
501 *
502 * For example, suppose that you want to implement a function that computes
503 * (x+y)/z, that doesn't crash if z==0, and that reports on error (divide by
504 * zero or integer overflow). You could code it as follows:
505 @code
506 bool computeXPlusYOverZ(int x, int y, int z, int *result)
507 {
508 CheckedInt<int> checkedResult = (CheckedInt<int>(x) + y) / z;
509 if (checkedResult.isValid()) {
510 *result = checkedResult.value();
511 return true;
512 } else {
513 return false;
514 }
515 }
516 @endcode
517 *
518 * Implicit conversion from plain integers to checked integers is allowed. The
519 * plain integer is checked to be in range before being casted to the
520 * destination type. This means that the following lines all compile, and the
521 * resulting CheckedInts are correctly detected as valid or invalid:
522 * @code
523 // 1 is of type int, is found to be in range for uint8_t, x is valid
524 CheckedInt<uint8_t> x(1);
525 // -1 is of type int, is found not to be in range for uint8_t, x is invalid
526 CheckedInt<uint8_t> x(-1);
527 // -1 is of type int, is found to be in range for int8_t, x is valid
528 CheckedInt<int8_t> x(-1);
529 // 1000 is of type int16_t, is found not to be in range for int8_t,
530 // x is invalid
531 CheckedInt<int8_t> x(int16_t(1000));
532 // 3123456789 is of type uint32_t, is found not to be in range for int32_t,
533 // x is invalid
534 CheckedInt<int32_t> x(uint32_t(3123456789));
535 * @endcode
536 * Implicit conversion from
537 * checked integers to plain integers is not allowed. As shown in the
538 * above example, to get the value of a checked integer as a normal integer,
539 * call value().
540 *
541 * Arithmetic operations between checked and plain integers is allowed; the
542 * result type is the type of the checked integer.
543 *
544 * Checked integers of different types cannot be used in the same arithmetic
545 * expression.
546 *
547 * There are convenience typedefs for all stdint types, of the following form
548 * (these are just 2 examples):
549 @code
550 typedef CheckedInt<int32_t> CheckedInt32;
551 typedef CheckedInt<uint16_t> CheckedUint16;
552 @endcode
553 */
555 class CheckedInt
556 {
558 T mValue;
563 {
566 }
569 /**
570 * Constructs a checked integer with given @a value. The checked integer is
571 * initialized as valid or invalid depending on whether the @a value
572 * is in range.
573 *
574 * This constructor is not explicit. Instead, the type of its argument is a
575 * separate template parameter, ensuring that no conversion is performed
576 * before this constructor is actually called. As explained in the above
577 * documentation for class CheckedInt, this constructor checks that its
578 * argument is valid.
579 */
584 {
587 }
589 /** Constructs a valid checked integer with initial value 0 */
591 {
594 }
596 /** @returns the actual value */
598 {
601 }
603 /**
604 * @returns true if the checked integer is valid, i.e. is not the result
605 * of an invalid operation or of an operation involving an invalid checked
606 * integer
607 */
609 {
611 }
635 {
636 // Circumvent msvc warning about - applied to unsigned int.
637 // if we're unsigned, the only valid case anyway is 0
638 // in which case - is a no-op.
640 /* Help the compiler perform RVO (return value optimization). */
643 mValue));
644 }
646 /**
647 * @returns true if the left and right hand sides are valid
648 * and have the same value.
649 *
650 * Note that these semantics are the reason why we don't offer
651 * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b)
652 * but that would mean that whenever a or b is invalid, a!=b
653 * is always true, which would be very confusing.
654 *
655 * For similar reasons, operators <, >, <=, >= would be very tricky to
656 * specify, so we just avoid offering them.
657 *
658 * Notice that these == semantics are made more reasonable by these facts:
659 * 1. a==b implies equality at the raw data level
660 * (the converse is false, as a==b is never true among invalids)
661 * 2. This is similar to the behavior of IEEE floats, where a==b
662 * means that a and b have the same value *and* neither is NaN.
663 */
665 {
667 }
669 /** prefix ++ */
671 {
674 }
676 /** postfix ++ */
678 {
682 }
684 /** prefix -- */
686 {
689 }
691 /** postfix -- */
693 {
697 }
700 /**
701 * The !=, <, <=, >, >= operators are disabled:
702 * see the comment on operator==.
703 */
714 };
716 #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \
717 template<typename T> \
718 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, \
719 const CheckedInt<T> &rhs) \
720 { \
721 if (!detail::Is##NAME##Valid(lhs.mValue, rhs.mValue)) \
722 return CheckedInt<T>(0, false); \
723 \
724 return CheckedInt<T>(lhs.mValue OP rhs.mValue, \
725 lhs.mIsValid && rhs.mIsValid); \
726 }
733 #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR
735 // Implement castToCheckedInt<T>(x), making sure that
736 // - it allows x to be either a CheckedInt<T> or any integer type
737 // that can be casted to T
738 // - if x is already a CheckedInt<T>, we just return a reference to it,
739 // instead of copying it (optimization)
744 struct CastToCheckedIntImpl
745 {
748 };
752 {
755 };
762 {
764 }
766 #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \
767 template<typename T> \
768 template<typename U> \
769 CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U rhs) \
770 { \
771 *this = *this OP castToCheckedInt<T>(rhs); \
772 return *this; \
773 } \
774 template<typename T, typename U> \
775 inline CheckedInt<T> operator OP(const CheckedInt<T> &lhs, U rhs) \
776 { \
777 return lhs OP castToCheckedInt<T>(rhs); \
778 } \
779 template<typename T, typename U> \
780 inline CheckedInt<T> operator OP(U lhs, const CheckedInt<T> &rhs) \
781 { \
782 return castToCheckedInt<T>(lhs) OP rhs; \
783 }
790 #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS
795 {
797 }
802 {
804 }
806 // Convenience typedefs.