diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /mfbt/CheckedInt.h | |
parent | Initial commit. (diff) | |
download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'mfbt/CheckedInt.h')
-rw-r--r-- | mfbt/CheckedInt.h | 804 |
1 files changed, 804 insertions, 0 deletions
diff --git a/mfbt/CheckedInt.h b/mfbt/CheckedInt.h new file mode 100644 index 0000000000..d784376d8c --- /dev/null +++ b/mfbt/CheckedInt.h @@ -0,0 +1,804 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* Provides checked integers, detecting integer overflow and divide-by-0. */ + +#ifndef mozilla_CheckedInt_h +#define mozilla_CheckedInt_h + +#include <stdint.h> +#include "mozilla/Assertions.h" +#include "mozilla/Attributes.h" +#include "mozilla/IntegerTypeTraits.h" +#include <limits> +#include <type_traits> + +#define MOZILLA_CHECKEDINT_COMPARABLE_VERSION(major, minor, patch) \ + (major << 16 | minor << 8 | patch) + +// Probe for builtin math overflow support. Disabled for 32-bit builds for now +// since "gcc -m32" claims to support these but its implementation is buggy. +// https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82274 +// Also disabled for clang before version 7 (resp. Xcode clang 10.0.1): while +// clang 5 and 6 have a working __builtin_add_overflow, it is not constexpr. +#if defined(HAVE_64BIT_BUILD) +# if defined(__has_builtin) && \ + (!defined(__clang_major__) || \ + (!defined(__apple_build_version__) && __clang_major__ >= 7) || \ + (defined(__apple_build_version__) && \ + MOZILLA_CHECKEDINT_COMPARABLE_VERSION( \ + __clang_major__, __clang_minor__, __clang_patchlevel__) >= \ + MOZILLA_CHECKEDINT_COMPARABLE_VERSION(10, 0, 1))) +# define MOZ_HAS_BUILTIN_OP_OVERFLOW (__has_builtin(__builtin_add_overflow)) +# elif defined(__GNUC__) +// (clang also defines __GNUC__ but it supports __has_builtin since at least +// v3.1 (released in 2012) so it won't get here.) +# define MOZ_HAS_BUILTIN_OP_OVERFLOW (__GNUC__ >= 5) +# else +# define MOZ_HAS_BUILTIN_OP_OVERFLOW (0) +# endif +#else +# define MOZ_HAS_BUILTIN_OP_OVERFLOW (0) +#endif + +#undef MOZILLA_CHECKEDINT_COMPARABLE_VERSION + +namespace mozilla { + +template <typename T> +class CheckedInt; + +namespace detail { + +/* + * Step 1: manually record supported types + * + * What's nontrivial here is that there are different families of integer + * types: basic integer types and stdint types. It is merrily undefined which + * types from one family may be just typedefs for a type from another family. + * + * For example, on GCC 4.6, aside from the basic integer types, the only other + * type that isn't just a typedef for some of them, is int8_t. + */ + +struct UnsupportedType {}; + +template <typename IntegerType> +struct IsSupportedPass2 { + static const bool value = false; +}; + +template <typename IntegerType> +struct IsSupported { + static const bool value = IsSupportedPass2<IntegerType>::value; +}; + +template <> +struct IsSupported<int8_t> { + static const bool value = true; +}; + +template <> +struct IsSupported<uint8_t> { + static const bool value = true; +}; + +template <> +struct IsSupported<int16_t> { + static const bool value = true; +}; + +template <> +struct IsSupported<uint16_t> { + static const bool value = true; +}; + +template <> +struct IsSupported<int32_t> { + static const bool value = true; +}; + +template <> +struct IsSupported<uint32_t> { + static const bool value = true; +}; + +template <> +struct IsSupported<int64_t> { + static const bool value = true; +}; + +template <> +struct IsSupported<uint64_t> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<char> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<signed char> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<unsigned char> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<short> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<unsigned short> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<int> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<unsigned int> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<long> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<unsigned long> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<long long> { + static const bool value = true; +}; + +template <> +struct IsSupportedPass2<unsigned long long> { + static const bool value = true; +}; + +/* + * Step 2: Implement the actual validity checks. + * + * Ideas taken from IntegerLib, code different. + */ + +template <typename IntegerType, size_t Size = sizeof(IntegerType)> +struct TwiceBiggerType { + typedef typename detail::StdintTypeForSizeAndSignedness< + sizeof(IntegerType) * 2, std::is_signed_v<IntegerType>>::Type Type; +}; + +template <typename IntegerType> +struct TwiceBiggerType<IntegerType, 8> { + typedef UnsupportedType Type; +}; + +template <typename T> +constexpr bool HasSignBit(T aX) { + // In C++, right bit shifts on negative values is undefined by the standard. + // Notice that signed-to-unsigned conversions are always well-defined in the + // standard, as the value congruent modulo 2**n as expected. By contrast, + // unsigned-to-signed is only well-defined if the value is representable. + return bool(std::make_unsigned_t<T>(aX) >> PositionOfSignBit<T>::value); +} + +// Bitwise ops may return a larger type, so it's good to use this inline +// helper guaranteeing that the result is really of type T. +template <typename T> +constexpr T BinaryComplement(T aX) { + return ~aX; +} + +template <typename T, typename U, bool IsTSigned = std::is_signed_v<T>, + bool IsUSigned = std::is_signed_v<U>> +struct DoesRangeContainRange {}; + +template <typename T, typename U, bool Signedness> +struct DoesRangeContainRange<T, U, Signedness, Signedness> { + static const bool value = sizeof(T) >= sizeof(U); +}; + +template <typename T, typename U> +struct DoesRangeContainRange<T, U, true, false> { + static const bool value = sizeof(T) > sizeof(U); +}; + +template <typename T, typename U> +struct DoesRangeContainRange<T, U, false, true> { + static const bool value = false; +}; + +template <typename T, typename U, bool IsTSigned = std::is_signed_v<T>, + bool IsUSigned = std::is_signed_v<U>, + bool DoesTRangeContainURange = DoesRangeContainRange<T, U>::value> +struct IsInRangeImpl {}; + +template <typename T, typename U, bool IsTSigned, bool IsUSigned> +struct IsInRangeImpl<T, U, IsTSigned, IsUSigned, true> { + static constexpr bool run(U) { return true; } +}; + +template <typename T, typename U> +struct IsInRangeImpl<T, U, true, true, false> { + static constexpr bool run(U aX) { + return aX <= std::numeric_limits<T>::max() && + aX >= std::numeric_limits<T>::min(); + } +}; + +template <typename T, typename U> +struct IsInRangeImpl<T, U, false, false, false> { + static constexpr bool run(U aX) { + return aX <= std::numeric_limits<T>::max(); + } +}; + +template <typename T, typename U> +struct IsInRangeImpl<T, U, true, false, false> { + static constexpr bool run(U aX) { + return sizeof(T) > sizeof(U) || aX <= U(std::numeric_limits<T>::max()); + } +}; + +template <typename T, typename U> +struct IsInRangeImpl<T, U, false, true, false> { + static constexpr bool run(U aX) { + return sizeof(T) >= sizeof(U) + ? aX >= 0 + : aX >= 0 && aX <= U(std::numeric_limits<T>::max()); + } +}; + +template <typename T, typename U> +constexpr bool IsInRange(U aX) { + return IsInRangeImpl<T, U>::run(aX); +} + +template <typename T> +constexpr bool IsAddValid(T aX, T aY) { +#if MOZ_HAS_BUILTIN_OP_OVERFLOW + T dummy; + return !__builtin_add_overflow(aX, aY, &dummy); +#else + // Addition is valid if the sign of aX+aY is equal to either that of aX or + // that of aY. Since the value of aX+aY is undefined if we have a signed + // type, we compute it using the unsigned type of the same size. Beware! + // These bitwise operations can return a larger integer type, if T was a + // small type like int8_t, so we explicitly cast to T. + + std::make_unsigned_t<T> ux = aX; + std::make_unsigned_t<T> uy = aY; + std::make_unsigned_t<T> result = ux + uy; + return std::is_signed_v<T> + ? HasSignBit(BinaryComplement(T((result ^ aX) & (result ^ aY)))) + : BinaryComplement(aX) >= aY; +#endif +} + +template <typename T> +constexpr bool IsSubValid(T aX, T aY) { +#if MOZ_HAS_BUILTIN_OP_OVERFLOW + T dummy; + return !__builtin_sub_overflow(aX, aY, &dummy); +#else + // Subtraction is valid if either aX and aY have same sign, or aX-aY and aX + // have same sign. Since the value of aX-aY is undefined if we have a signed + // type, we compute it using the unsigned type of the same size. + std::make_unsigned_t<T> ux = aX; + std::make_unsigned_t<T> uy = aY; + std::make_unsigned_t<T> result = ux - uy; + + return std::is_signed_v<T> + ? HasSignBit(BinaryComplement(T((result ^ aX) & (aX ^ aY)))) + : aX >= aY; +#endif +} + +template <typename T, bool IsTSigned = std::is_signed_v<T>, + bool TwiceBiggerTypeIsSupported = + IsSupported<typename TwiceBiggerType<T>::Type>::value> +struct IsMulValidImpl {}; + +template <typename T, bool IsTSigned> +struct IsMulValidImpl<T, IsTSigned, true> { + static constexpr bool run(T aX, T aY) { + typedef typename TwiceBiggerType<T>::Type TwiceBiggerType; + TwiceBiggerType product = TwiceBiggerType(aX) * TwiceBiggerType(aY); + return IsInRange<T>(product); + } +}; + +template <typename T> +struct IsMulValidImpl<T, true, false> { + static constexpr bool run(T aX, T aY) { + const T max = std::numeric_limits<T>::max(); + const T min = std::numeric_limits<T>::min(); + + if (aX == 0 || aY == 0) { + return true; + } + if (aX > 0) { + return aY > 0 ? aX <= max / aY : aY >= min / aX; + } + + // If we reach this point, we know that aX < 0. + return aY > 0 ? aX >= min / aY : aY >= max / aX; + } +}; + +template <typename T> +struct IsMulValidImpl<T, false, false> { + static constexpr bool run(T aX, T aY) { + return aY == 0 || aX <= std::numeric_limits<T>::max() / aY; + } +}; + +template <typename T> +constexpr bool IsMulValid(T aX, T aY) { +#if MOZ_HAS_BUILTIN_OP_OVERFLOW + T dummy; + return !__builtin_mul_overflow(aX, aY, &dummy); +#else + return IsMulValidImpl<T>::run(aX, aY); +#endif +} + +template <typename T> +constexpr bool IsDivValid(T aX, T aY) { + // Keep in mind that in the signed case, min/-1 is invalid because + // abs(min)>max. + return aY != 0 && !(std::is_signed_v<T> && + aX == std::numeric_limits<T>::min() && aY == T(-1)); +} + +template <typename T, bool IsTSigned = std::is_signed_v<T>> +struct IsModValidImpl; + +template <typename T> +constexpr bool IsModValid(T aX, T aY) { + return IsModValidImpl<T>::run(aX, aY); +} + +/* + * Mod is pretty simple. + * For now, let's just use the ANSI C definition: + * If aX or aY are negative, the results are implementation defined. + * Consider these invalid. + * Undefined for aY=0. + * The result will never exceed either aX or aY. + * + * Checking that aX>=0 is a warning when T is unsigned. + */ + +template <typename T> +struct IsModValidImpl<T, false> { + static constexpr bool run(T aX, T aY) { return aY >= 1; } +}; + +template <typename T> +struct IsModValidImpl<T, true> { + static constexpr bool run(T aX, T aY) { + if (aX < 0) { + return false; + } + return aY >= 1; + } +}; + +template <typename T, bool IsSigned = std::is_signed_v<T>> +struct NegateImpl; + +template <typename T> +struct NegateImpl<T, false> { + static constexpr CheckedInt<T> negate(const CheckedInt<T>& aVal) { + // Handle negation separately for signed/unsigned, for simpler code and to + // avoid an MSVC warning negating an unsigned value. + static_assert(detail::IsInRange<T>(0), "Integer type can't represent 0"); + return CheckedInt<T>(T(0), aVal.isValid() && aVal.mValue == 0); + } +}; + +template <typename T> +struct NegateImpl<T, true> { + static constexpr CheckedInt<T> negate(const CheckedInt<T>& aVal) { + // Watch out for the min-value, which (with twos-complement) can't be + // negated as -min-value is then (max-value + 1). + if (!aVal.isValid() || aVal.mValue == std::numeric_limits<T>::min()) { + return CheckedInt<T>(aVal.mValue, false); + } + /* For some T, arithmetic ops automatically promote to a wider type, so + * explitly do the narrowing cast here. The narrowing cast is valid because + * we did the check for min value above. */ + return CheckedInt<T>(T(-aVal.mValue), true); + } +}; + +} // namespace detail + +/* + * Step 3: Now define the CheckedInt class. + */ + +/** + * @class CheckedInt + * @brief Integer wrapper class checking for integer overflow and other errors + * @param T the integer type to wrap. Can be any type among the following: + * - any basic integer type such as |int| + * - any stdint type such as |int8_t| + * + * This class implements guarded integer arithmetic. Do a computation, check + * that isValid() returns true, you then have a guarantee that no problem, such + * as integer overflow, happened during this computation, and you can call + * value() to get the plain integer value. + * + * The arithmetic operators in this class are guaranteed not to raise a signal + * (e.g. in case of a division by zero). + * + * For example, suppose that you want to implement a function that computes + * (aX+aY)/aZ, that doesn't crash if aZ==0, and that reports on error (divide by + * zero or integer overflow). You could code it as follows: + @code + bool computeXPlusYOverZ(int aX, int aY, int aZ, int* aResult) + { + CheckedInt<int> checkedResult = (CheckedInt<int>(aX) + aY) / aZ; + if (checkedResult.isValid()) { + *aResult = checkedResult.value(); + return true; + } else { + return false; + } + } + @endcode + * + * Implicit conversion from plain integers to checked integers is allowed. The + * plain integer is checked to be in range before being casted to the + * destination type. This means that the following lines all compile, and the + * resulting CheckedInts are correctly detected as valid or invalid: + * @code + // 1 is of type int, is found to be in range for uint8_t, x is valid + CheckedInt<uint8_t> x(1); + // -1 is of type int, is found not to be in range for uint8_t, x is invalid + CheckedInt<uint8_t> x(-1); + // -1 is of type int, is found to be in range for int8_t, x is valid + CheckedInt<int8_t> x(-1); + // 1000 is of type int16_t, is found not to be in range for int8_t, + // x is invalid + CheckedInt<int8_t> x(int16_t(1000)); + // 3123456789 is of type uint32_t, is found not to be in range for int32_t, + // x is invalid + CheckedInt<int32_t> x(uint32_t(3123456789)); + * @endcode + * Implicit conversion from + * checked integers to plain integers is not allowed. As shown in the + * above example, to get the value of a checked integer as a normal integer, + * call value(). + * + * Arithmetic operations between checked and plain integers is allowed; the + * result type is the type of the checked integer. + * + * Checked integers of different types cannot be used in the same arithmetic + * expression. + * + * There are convenience typedefs for all stdint types, of the following form + * (these are just 2 examples): + @code + typedef CheckedInt<int32_t> CheckedInt32; + typedef CheckedInt<uint16_t> CheckedUint16; + @endcode + */ +template <typename T> +class CheckedInt { + protected: + T mValue; + bool mIsValid; + + template <typename U> + constexpr CheckedInt(U aValue, bool aIsValid) + : mValue(aValue), mIsValid(aIsValid) { + static_assert(std::is_same_v<T, U>, + "this constructor must accept only T values"); + static_assert(detail::IsSupported<T>::value, + "This type is not supported by CheckedInt"); + } + + friend struct detail::NegateImpl<T>; + + public: + /** + * Constructs a checked integer with given @a value. The checked integer is + * initialized as valid or invalid depending on whether the @a value + * is in range. + * + * This constructor is not explicit. Instead, the type of its argument is a + * separate template parameter, ensuring that no conversion is performed + * before this constructor is actually called. As explained in the above + * documentation for class CheckedInt, this constructor checks that its + * argument is valid. + */ + template <typename U> + MOZ_IMPLICIT MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT constexpr CheckedInt(U aValue) + : mValue(T(aValue)), mIsValid(detail::IsInRange<T>(aValue)) { + static_assert( + detail::IsSupported<T>::value && detail::IsSupported<U>::value, + "This type is not supported by CheckedInt"); + } + + template <typename U> + friend class CheckedInt; + + template <typename U> + constexpr CheckedInt<U> toChecked() const { + CheckedInt<U> ret(mValue); + ret.mIsValid = ret.mIsValid && mIsValid; + return ret; + } + + /** Constructs a valid checked integer with initial value 0 */ + constexpr CheckedInt() : mValue(T(0)), mIsValid(true) { + static_assert(detail::IsSupported<T>::value, + "This type is not supported by CheckedInt"); + static_assert(detail::IsInRange<T>(0), "Integer type can't represent 0"); + } + + /** @returns the actual value */ + constexpr T value() const { + MOZ_DIAGNOSTIC_ASSERT( + mIsValid, + "Invalid checked integer (division by zero or integer overflow)"); + return mValue; + } + + /** + * @returns true if the checked integer is valid, i.e. is not the result + * of an invalid operation or of an operation involving an invalid checked + * integer + */ + constexpr bool isValid() const { return mIsValid; } + + template <typename U> + friend constexpr CheckedInt<U> operator+(const CheckedInt<U>& aLhs, + const CheckedInt<U>& aRhs); + template <typename U> + constexpr CheckedInt& operator+=(U aRhs); + constexpr CheckedInt& operator+=(const CheckedInt<T>& aRhs); + + template <typename U> + friend constexpr CheckedInt<U> operator-(const CheckedInt<U>& aLhs, + const CheckedInt<U>& aRhs); + template <typename U> + constexpr CheckedInt& operator-=(U aRhs); + constexpr CheckedInt& operator-=(const CheckedInt<T>& aRhs); + + template <typename U> + friend constexpr CheckedInt<U> operator*(const CheckedInt<U>& aLhs, + const CheckedInt<U>& aRhs); + template <typename U> + constexpr CheckedInt& operator*=(U aRhs); + constexpr CheckedInt& operator*=(const CheckedInt<T>& aRhs); + + template <typename U> + friend constexpr CheckedInt<U> operator/(const CheckedInt<U>& aLhs, + const CheckedInt<U>& aRhs); + template <typename U> + constexpr CheckedInt& operator/=(U aRhs); + constexpr CheckedInt& operator/=(const CheckedInt<T>& aRhs); + + template <typename U> + friend constexpr CheckedInt<U> operator%(const CheckedInt<U>& aLhs, + const CheckedInt<U>& aRhs); + template <typename U> + constexpr CheckedInt& operator%=(U aRhs); + constexpr CheckedInt& operator%=(const CheckedInt<T>& aRhs); + + constexpr CheckedInt operator-() const { + return detail::NegateImpl<T>::negate(*this); + } + + /** + * @returns true if the left and right hand sides are valid + * and have the same value. + * + * Note that these semantics are the reason why we don't offer + * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b) + * but that would mean that whenever a or b is invalid, a!=b + * is always true, which would be very confusing. + * + * For similar reasons, operators <, >, <=, >= would be very tricky to + * specify, so we just avoid offering them. + * + * Notice that these == semantics are made more reasonable by these facts: + * 1. a==b implies equality at the raw data level + * (the converse is false, as a==b is never true among invalids) + * 2. This is similar to the behavior of IEEE floats, where a==b + * means that a and b have the same value *and* neither is NaN. + */ + constexpr bool operator==(const CheckedInt& aOther) const { + return mIsValid && aOther.mIsValid && mValue == aOther.mValue; + } + + /** prefix ++ */ + constexpr CheckedInt& operator++() { + *this += 1; + return *this; + } + + /** postfix ++ */ + constexpr CheckedInt operator++(int) { + CheckedInt tmp = *this; + *this += 1; + return tmp; + } + + /** prefix -- */ + constexpr CheckedInt& operator--() { + *this -= 1; + return *this; + } + + /** postfix -- */ + constexpr CheckedInt operator--(int) { + CheckedInt tmp = *this; + *this -= 1; + return tmp; + } + + private: + /** + * The !=, <, <=, >, >= operators are disabled: + * see the comment on operator==. + */ + template <typename U> + bool operator!=(U aOther) const = delete; + template <typename U> + bool operator<(U aOther) const = delete; + template <typename U> + bool operator<=(U aOther) const = delete; + template <typename U> + bool operator>(U aOther) const = delete; + template <typename U> + bool operator>=(U aOther) const = delete; +}; + +#define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \ + template <typename T> \ + constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \ + const CheckedInt<T>& aRhs) { \ + if (!detail::Is##NAME##Valid(aLhs.mValue, aRhs.mValue)) { \ + static_assert(detail::IsInRange<T>(0), \ + "Integer type can't represent 0"); \ + return CheckedInt<T>(T(0), false); \ + } \ + /* For some T, arithmetic ops automatically promote to a wider type, so \ + * explitly do the narrowing cast here. The narrowing cast is valid \ + * because we did the "Is##NAME##Valid" check above. */ \ + return CheckedInt<T>(T(aLhs.mValue OP aRhs.mValue), \ + aLhs.mIsValid && aRhs.mIsValid); \ + } + +#if MOZ_HAS_BUILTIN_OP_OVERFLOW +# define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(NAME, OP, FUN) \ + template <typename T> \ + constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, \ + const CheckedInt<T>& aRhs) { \ + auto result = T{}; \ + if (FUN(aLhs.mValue, aRhs.mValue, &result)) { \ + static_assert(detail::IsInRange<T>(0), \ + "Integer type can't represent 0"); \ + return CheckedInt<T>(T(0), false); \ + } \ + return CheckedInt<T>(result, aLhs.mIsValid && aRhs.mIsValid); \ + } +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(Add, +, __builtin_add_overflow) +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(Sub, -, __builtin_sub_overflow) +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2(Mul, *, __builtin_mul_overflow) +# undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR2 +#else +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Add, +) +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Sub, -) +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Mul, *) +#endif + +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Div, /) +MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Mod, %) +#undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR + +// Implement castToCheckedInt<T>(x), making sure that +// - it allows x to be either a CheckedInt<T> or any integer type +// that can be casted to T +// - if x is already a CheckedInt<T>, we just return a reference to it, +// instead of copying it (optimization) + +namespace detail { + +template <typename T, typename U> +struct CastToCheckedIntImpl { + typedef CheckedInt<T> ReturnType; + static constexpr CheckedInt<T> run(U aU) { return aU; } +}; + +template <typename T> +struct CastToCheckedIntImpl<T, CheckedInt<T>> { + typedef const CheckedInt<T>& ReturnType; + static constexpr const CheckedInt<T>& run(const CheckedInt<T>& aU) { + return aU; + } +}; + +} // namespace detail + +template <typename T, typename U> +constexpr typename detail::CastToCheckedIntImpl<T, U>::ReturnType +castToCheckedInt(U aU) { + static_assert(detail::IsSupported<T>::value && detail::IsSupported<U>::value, + "This type is not supported by CheckedInt"); + return detail::CastToCheckedIntImpl<T, U>::run(aU); +} + +#define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \ + template <typename T> \ + template <typename U> \ + constexpr CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP(U aRhs) { \ + *this = *this OP castToCheckedInt<T>(aRhs); \ + return *this; \ + } \ + template <typename T> \ + constexpr CheckedInt<T>& CheckedInt<T>::operator COMPOUND_OP( \ + const CheckedInt<T>& aRhs) { \ + *this = *this OP aRhs; \ + return *this; \ + } \ + template <typename T, typename U> \ + constexpr CheckedInt<T> operator OP(const CheckedInt<T>& aLhs, U aRhs) { \ + return aLhs OP castToCheckedInt<T>(aRhs); \ + } \ + template <typename T, typename U> \ + constexpr CheckedInt<T> operator OP(U aLhs, const CheckedInt<T>& aRhs) { \ + return castToCheckedInt<T>(aLhs) OP aRhs; \ + } + +MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(+, +=) +MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(*, *=) +MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(-, -=) +MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(/, /=) +MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(%, %=) + +#undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS + +template <typename T, typename U> +constexpr bool operator==(const CheckedInt<T>& aLhs, U aRhs) { + return aLhs == castToCheckedInt<T>(aRhs); +} + +template <typename T, typename U> +constexpr bool operator==(U aLhs, const CheckedInt<T>& aRhs) { + return castToCheckedInt<T>(aLhs) == aRhs; +} + +// Convenience typedefs. +typedef CheckedInt<int8_t> CheckedInt8; +typedef CheckedInt<uint8_t> CheckedUint8; +typedef CheckedInt<int16_t> CheckedInt16; +typedef CheckedInt<uint16_t> CheckedUint16; +typedef CheckedInt<int32_t> CheckedInt32; +typedef CheckedInt<uint32_t> CheckedUint32; +typedef CheckedInt<int64_t> CheckedInt64; +typedef CheckedInt<uint64_t> CheckedUint64; + +} // namespace mozilla + +#endif /* mozilla_CheckedInt_h */ |