/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* Provides checked integers, detecting integer overflow and divide-by-0. */ #ifndef mozilla_CheckedInt_h #define mozilla_CheckedInt_h #include #include "mozilla/Assertions.h" #include "mozilla/Attributes.h" #include "mozilla/IntegerTypeTraits.h" #include #include #define MOZILLA_CHECKEDINT_COMPARABLE_VERSION(major, minor, patch) \ (major << 16 | minor << 8 | patch) // Probe for builtin math overflow support. Disabled for 32-bit builds for now // since "gcc -m32" claims to support these but its implementation is buggy. // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82274 // Also disabled for clang before version 7 (resp. Xcode clang 10.0.1): while // clang 5 and 6 have a working __builtin_add_overflow, it is not constexpr. #if defined(HAVE_64BIT_BUILD) # if defined(__has_builtin) && \ (!defined(__clang_major__) || \ (!defined(__apple_build_version__) && __clang_major__ >= 7) || \ (defined(__apple_build_version__) && \ MOZILLA_CHECKEDINT_COMPARABLE_VERSION( \ __clang_major__, __clang_minor__, __clang_patchlevel__) >= \ MOZILLA_CHECKEDINT_COMPARABLE_VERSION(10, 0, 1))) # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__has_builtin(__builtin_add_overflow)) # elif defined(__GNUC__) // (clang also defines __GNUC__ but it supports __has_builtin since at least // v3.1 (released in 2012) so it won't get here.) # define MOZ_HAS_BUILTIN_OP_OVERFLOW (__GNUC__ >= 5) # else # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0) # endif #else # define MOZ_HAS_BUILTIN_OP_OVERFLOW (0) #endif #undef MOZILLA_CHECKEDINT_COMPARABLE_VERSION namespace mozilla { template class CheckedInt; namespace detail { /* * Step 1: manually record supported types * * What's nontrivial here is that there are different families of integer * types: basic integer types and stdint types. It is merrily undefined which * types from one family may be just typedefs for a type from another family. * * For example, on GCC 4.6, aside from the basic integer types, the only other * type that isn't just a typedef for some of them, is int8_t. */ struct UnsupportedType {}; template struct IsSupportedPass2 { static const bool value = false; }; template struct IsSupported { static const bool value = IsSupportedPass2::value; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupported { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; template <> struct IsSupportedPass2 { static const bool value = true; }; /* * Step 2: Implement the actual validity checks. * * Ideas taken from IntegerLib, code different. */ template struct TwiceBiggerType { typedef typename detail::StdintTypeForSizeAndSignedness< sizeof(IntegerType) * 2, std::is_signed_v>::Type Type; }; template struct TwiceBiggerType { typedef UnsupportedType Type; }; template constexpr bool HasSignBit(T aX) { // In C++, right bit shifts on negative values is undefined by the standard. // Notice that signed-to-unsigned conversions are always well-defined in the // standard, as the value congruent modulo 2**n as expected. By contrast, // unsigned-to-signed is only well-defined if the value is representable. return bool(std::make_unsigned_t(aX) >> PositionOfSignBit::value); } // Bitwise ops may return a larger type, so it's good to use this inline // helper guaranteeing that the result is really of type T. template constexpr T BinaryComplement(T aX) { return ~aX; } template , bool IsUSigned = std::is_signed_v> struct DoesRangeContainRange {}; template struct DoesRangeContainRange { static const bool value = sizeof(T) >= sizeof(U); }; template struct DoesRangeContainRange { static const bool value = sizeof(T) > sizeof(U); }; template struct DoesRangeContainRange { static const bool value = false; }; template , bool IsUSigned = std::is_signed_v, bool DoesTRangeContainURange = DoesRangeContainRange::value> struct IsInRangeImpl {}; template struct IsInRangeImpl { static constexpr bool run(U) { return true; } }; template struct IsInRangeImpl { static constexpr bool run(U aX) { return aX <= std::numeric_limits::max() && aX >= std::numeric_limits::min(); } }; template struct IsInRangeImpl { static constexpr bool run(U aX) { return aX <= std::numeric_limits::max(); } }; template struct IsInRangeImpl { static constexpr bool run(U aX) { return sizeof(T) > sizeof(U) || aX <= U(std::numeric_limits::max()); } }; template struct IsInRangeImpl { static constexpr bool run(U aX) { return sizeof(T) >= sizeof(U) ? aX >= 0 : aX >= 0 && aX <= U(std::numeric_limits::max()); } }; template constexpr bool IsInRange(U aX) { return IsInRangeImpl::run(aX); } template constexpr bool IsAddValid(T aX, T aY) { #if MOZ_HAS_BUILTIN_OP_OVERFLOW T dummy; return !__builtin_add_overflow(aX, aY, &dummy); #else // Addition is valid if the sign of aX+aY is equal to either that of aX or // that of aY. Since the value of aX+aY is undefined if we have a signed // type, we compute it using the unsigned type of the same size. Beware! // These bitwise operations can return a larger integer type, if T was a // small type like int8_t, so we explicitly cast to T. std::make_unsigned_t ux = aX; std::make_unsigned_t uy = aY; std::make_unsigned_t result = ux + uy; return std::is_signed_v ? HasSignBit(BinaryComplement(T((result ^ aX) & (result ^ aY)))) : BinaryComplement(aX) >= aY; #endif } template constexpr bool IsSubValid(T aX, T aY) { #if MOZ_HAS_BUILTIN_OP_OVERFLOW T dummy; return !__builtin_sub_overflow(aX, aY, &dummy); #else // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX // have same sign. Since the value of aX-aY is undefined if we have a signed // type, we compute it using the unsigned type of the same size. std::make_unsigned_t ux = aX; std::make_unsigned_t uy = aY; std::make_unsigned_t result = ux - uy; return std::is_signed_v ? HasSignBit(BinaryComplement(T((result ^ aX) & (aX ^ aY)))) : aX >= aY; #endif } template , bool TwiceBiggerTypeIsSupported = IsSupported::Type>::value> struct IsMulValidImpl {}; template struct IsMulValidImpl { static constexpr bool run(T aX, T aY) { typedef typename TwiceBiggerType::Type TwiceBiggerType; TwiceBiggerType product = TwiceBiggerType(aX) * TwiceBiggerType(aY); return IsInRange(product); } }; template struct IsMulValidImpl { static constexpr bool run(T aX, T aY) { const T max = std::numeric_limits::max(); const T min = std::numeric_limits::min(); if (aX == 0 || aY == 0) { return true; } if (aX > 0) { return aY > 0 ? aX <= max / aY : aY >= min / aX; } // If we reach this point, we know that aX < 0. return aY > 0 ? aX >= min / aY : aY >= max / aX; } }; template struct IsMulValidImpl { static constexpr bool run(T aX, T aY) { return aY == 0 || aX <= std::numeric_limits::max() / aY; } }; template constexpr bool IsMulValid(T aX, T aY) { #if MOZ_HAS_BUILTIN_OP_OVERFLOW T dummy; return !__builtin_mul_overflow(aX, aY, &dummy); #else return IsMulValidImpl::run(aX, aY); #endif } template constexpr bool IsDivValid(T aX, T aY) { // Keep in mind that in the signed case, min/-1 is invalid because // abs(min)>max. return aY != 0 && !(std::is_signed_v && aX == std::numeric_limits::min() && aY == T(-1)); } template > struct IsModValidImpl; template constexpr bool IsModValid(T aX, T aY) { return IsModValidImpl::run(aX, aY); } /* * Mod is pretty simple. * For now, let's just use the ANSI C definition: * If aX or aY are negative, the results are implementation defined. * Consider these invalid. * Undefined for aY=0. * The result will never exceed either aX or aY. * * Checking that aX>=0 is a warning when T is unsigned. */ template struct IsModValidImpl { static constexpr bool run(T aX, T aY) { return aY >= 1; } }; template struct IsModValidImpl { static constexpr bool run(T aX, T aY) { if (aX < 0) { return false; } return aY >= 1; } }; template > struct NegateImpl; template struct NegateImpl { static constexpr CheckedInt negate(const CheckedInt& aVal) { // Handle negation separately for signed/unsigned, for simpler code and to // avoid an MSVC warning negating an unsigned value. static_assert(detail::IsInRange(0), "Integer type can't represent 0"); return CheckedInt(T(0), aVal.isValid() && aVal.mValue == 0); } }; template struct NegateImpl { static constexpr CheckedInt negate(const CheckedInt& aVal) { // Watch out for the min-value, which (with twos-complement) can't be // negated as -min-value is then (max-value + 1). if (!aVal.isValid() || aVal.mValue == std::numeric_limits::min()) { return CheckedInt(aVal.mValue, false); } /* For some T, arithmetic ops automatically promote to a wider type, so * explitly do the narrowing cast here. The narrowing cast is valid because * we did the check for min value above. */ return CheckedInt(T(-aVal.mValue), true); } }; } // namespace detail /* * Step 3: Now define the CheckedInt class. */ /** * @class CheckedInt * @brief Integer wrapper class checking for integer overflow and other errors * @param T the integer type to wrap. Can be any type among the following: * - any basic integer type such as |int| * - any stdint type such as |int8_t| * * This class implements guarded integer arithmetic. Do a computation, check * that isValid() returns true, you then have a guarantee that no problem, such * as integer overflow, happened during this computation, and you can call * value() to get the plain integer value. * * The arithmetic operators in this class are guaranteed not to raise a signal * (e.g. in case of a division by zero). * * For example, suppose that you want to implement a function that computes * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by * zero or integer overflow). You could code it as follows: @code bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult) { CheckedInt checkedResult = (CheckedInt(aX) + aY) / aZ; if (checkedResult.isValid()) { *aResult = checkedResult.value(); return true; } else { return false; } } @endcode * * Implicit conversion from plain integers to checked integers is allowed. The * plain integer is checked to be in range before being casted to the * destination type. This means that the following lines all compile, and the * resulting CheckedInts are correctly detected as valid or invalid: * @code // 1 is of type int, is found to be in range for uint8_t, x is valid CheckedInt x(1); // -1 is of type int, is found not to be in range for uint8_t, x is invalid CheckedInt x(-1); // -1 is of type int, is found to be in range for int8_t, x is valid CheckedInt x(-1); // 1000 is of type int16_t, is found not to be in range for int8_t, // x is invalid CheckedInt x(int16_t(1000)); // 3123456789 is of type uint32_t, is found not to be in range for int32_t, // x is invalid CheckedInt x(uint32_t(3123456789)); * @endcode * Implicit conversion from * checked integers to plain integers is not allowed. As shown in the * above example, to get the value of a checked integer as a normal integer, * call value(). * * Arithmetic operations between checked and plain integers is allowed; the * result type is the type of the checked integer. * * Checked integers of different types cannot be used in the same arithmetic * expression. * * There are convenience typedefs for all stdint types, of the following form * (these are just 2 examples): @code typedef CheckedInt CheckedInt32; typedef CheckedInt CheckedUint16; @endcode */ template class CheckedInt { protected: T mValue; bool mIsValid; template constexpr CheckedInt(U aValue, bool aIsValid) : mValue(aValue), mIsValid(aIsValid) { static_assert(std::is_same_v, "this constructor must accept only T values"); static_assert(detail::IsSupported::value, "This type is not supported by CheckedInt"); } friend struct detail::NegateImpl; public: /** * Constructs a checked integer with given @a value. The checked integer is * initialized as valid or invalid depending on whether the @a value * is in range. * * This constructor is not explicit. Instead, the type of its argument is a * separate template parameter, ensuring that no conversion is performed * before this constructor is actually called. As explained in the above * documentation for class CheckedInt, this constructor checks that its * argument is valid. */ template MOZ_IMPLICIT MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT constexpr CheckedInt(U aValue) : mValue(T(aValue)), mIsValid(detail::IsInRange(aValue)) { static_assert( detail::IsSupported::value && detail::IsSupported::value, "This type is not supported by CheckedInt"); } template friend class CheckedInt; template constexpr CheckedInt toChecked() const { CheckedInt ret(mValue); ret.mIsValid = ret.mIsValid && mIsValid; return ret; } /** Constructs a valid checked integer with initial value 0 */ constexpr CheckedInt() : mValue(T(0)), mIsValid(true) { static_assert(detail::IsSupported::value, "This type is not supported by CheckedInt"); static_assert(detail::IsInRange(0), "Integer type can't represent 0"); } /** @returns the actual value */ constexpr T value() const { MOZ_DIAGNOSTIC_ASSERT( mIsValid, "Invalid checked integer (division by zero or integer overflow)"); return mValue; } /** * @returns true if the checked integer is valid, i.e. is not the result * of an invalid operation or of an operation involving an invalid checked * integer */ constexpr bool isValid() const { return mIsValid; } template friend constexpr CheckedInt operator+(const CheckedInt& aLhs, const CheckedInt& aRhs); template constexpr CheckedInt& operator+=(U aRhs); constexpr CheckedInt& operator+=(const CheckedInt& aRhs); template friend constexpr CheckedInt operator-(const CheckedInt& aLhs, const CheckedInt& aRhs); template constexpr CheckedInt& operator-=(U aRhs); constexpr CheckedInt& operator-=(const CheckedInt& aRhs); template friend constexpr CheckedInt operator*(const CheckedInt& aLhs, const CheckedInt& aRhs); template constexpr CheckedInt& operator*=(U aRhs); constexpr CheckedInt& operator*=(const CheckedInt& aRhs); template friend constexpr CheckedInt operator/(const CheckedInt& aLhs, const CheckedInt& aRhs); template constexpr CheckedInt& operator/=(U aRhs); constexpr CheckedInt& operator/=(const CheckedInt& aRhs); template friend constexpr CheckedInt operator%(const CheckedInt& aLhs, const CheckedInt& aRhs); template constexpr CheckedInt& operator%=(U aRhs); constexpr CheckedInt& operator%=(const CheckedInt& aRhs); constexpr CheckedInt operator-() const { return detail::NegateImpl::negate(*this); } /** * @returns true if the left and right hand sides are valid * and have the same value. * * Note that these semantics are the reason why we don't offer * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b) * but that would mean that whenever a or b is invalid, a!=b * is always true, which would be very confusing. * * For similar reasons, operators <, >, <=, >= would be very tricky to * specify, so we just avoid offering them. * * Notice that these == semantics are made more reasonable by these facts: * 1. a==b implies equality at the raw data level * (the converse is false, as a==b is never true among invalids) * 2. This is similar to the behavior of IEEE floats, where a==b * means that a and b have the same value *and* neither is NaN. */ constexpr bool operator==(const CheckedInt& aOther) const { return mIsValid && aOther.mIsValid && mValue == aOther.mValue; } /** prefix ++ */ constexpr CheckedInt& operator++() { *this += 1; return *this; } /** postfix ++ */ constexpr CheckedInt operator++(int) { CheckedInt tmp = *this; *this += 1; return tmp; } /** prefix -- */ constexpr CheckedInt& operator--() { *this -= 1; return *this; } /** postfix -- */ constexpr CheckedInt operator--(int) { CheckedInt tmp = *this; *this -= 1; return tmp; } private: /** * The !=, <, <=, >, >= operators are disabled: * see the comment on operator==. */ template bool operator!=(U aOther) const = delete; template bool operator<(U aOther) const = delete; template bool operator<=(U aOther) const = delete; template bool operator>(U aOther) const = delete; template bool operator>=(U aOther) const = delete; }; #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \ template \ constexpr CheckedInt operator OP(const CheckedInt& aLhs, \ const CheckedInt& aRhs) { \ if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \ static_assert(detail::IsInRange(0), \ "Integer type can't represent 0"); \ return CheckedInt(T(0), false); \ } \ /* For some T, arithmetic ops automatically promote to a wider type, so \ * explitly do the narrowing cast here. The narrowing cast is valid \ * because we did the "Is##NAME##Valid" check above. */ \ return CheckedInt(T(aLhs.mValue OP aRhs.mValue), \ aLhs.mIsValid && aRhs.mIsValid); \ } #if MOZ_HAS_BUILTIN_OP_OVERFLOW # define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(NAME, OP, FUN) \ template \ constexpr CheckedInt operator OP(const CheckedInt& aLhs, \ const CheckedInt& aRhs) { \ auto result = T{}; \ if (FUN(aLhs.mValue, aRhs.mValue, &result)) { \ static_assert(detail::IsInRange(0), \ "Integer type can't represent 0"); \ return CheckedInt(T(0), false); \ } \ return CheckedInt(result, aLhs.mIsValid && aRhs.mIsValid); \ } MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(Add, +, __builtin_add_overflow) MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(Sub, -, __builtin_sub_overflow) MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(Mul, *, __builtin_mul_overflow) # undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2 #else MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Add, +) MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Sub, -) MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Mul, *) #endif MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Div, /) MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Mod, %) #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR // Implement castToCheckedInt(x), making sure that // - it allows x to be either a CheckedInt or any integer type // that can be casted to T // - if x is already a CheckedInt, we just return a reference to it, // instead of copying it (optimization) namespace detail { template struct CastToCheckedIntImpl { typedef CheckedInt ReturnType; static constexpr CheckedInt run(U aU) { return aU; } }; template struct CastToCheckedIntImpl> { typedef const CheckedInt& ReturnType; static constexpr const CheckedInt& run(const CheckedInt& aU) { return aU; } }; } // namespace detail template constexpr typename detail::CastToCheckedIntImpl::ReturnType castToCheckedInt(U aU) { static_assert(detail::IsSupported::value && detail::IsSupported::value, "This type is not supported by CheckedInt"); return detail::CastToCheckedIntImpl::run(aU); } #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \ template \ template \ constexpr CheckedInt& CheckedInt::operator COMPOUND_OP(U aRhs) { \ *this = *this OP castToCheckedInt(aRhs); \ return *this; \ } \ template \ constexpr CheckedInt& CheckedInt::operator COMPOUND_OP( \ const CheckedInt& aRhs) { \ *this = *this OP aRhs; \ return *this; \ } \ template \ constexpr CheckedInt operator OP(const CheckedInt& aLhs, U aRhs) { \ return aLhs OP castToCheckedInt(aRhs); \ } \ template \ constexpr CheckedInt operator OP(U aLhs, const CheckedInt& aRhs) { \ return castToCheckedInt(aLhs) OP aRhs; \ } MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(+, +=) MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(*, *=) MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(-, -=) MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(/, /=) MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(%, %=) #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS template constexpr bool operator==(const CheckedInt& aLhs, U aRhs) { return aLhs == castToCheckedInt(aRhs); } template constexpr bool operator==(U aLhs, const CheckedInt& aRhs) { return castToCheckedInt(aLhs) == aRhs; } // Convenience typedefs. typedef CheckedInt CheckedInt8; typedef CheckedInt CheckedUint8; typedef CheckedInt CheckedInt16; typedef CheckedInt CheckedUint16; typedef CheckedInt CheckedInt32; typedef CheckedInt CheckedUint32; typedef CheckedInt CheckedInt64; typedef CheckedInt CheckedUint64; } // namespace mozilla #endif /* mozilla_CheckedInt_h */