1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Cast operations to supplement the built-in casting operations. */
#ifndef mozilla_Casting_h
#define mozilla_Casting_h
#include "mozilla/Assertions.h"
#include <cstring>
#include <limits.h>
#include <type_traits>
namespace mozilla {
/**
* Sets the outparam value of type |To| with the same underlying bit pattern of
* |aFrom|.
*
* |To| and |From| must be types of the same size; be careful of cross-platform
* size differences, or this might fail to compile on some but not all
* platforms.
*
* There is also a variant that returns the value directly. In most cases, the
* two variants should be identical. However, in the specific case of x86
* chips, the behavior differs: returning floating-point values directly is done
* through the x87 stack, and x87 loads and stores turn signaling NaNs into
* quiet NaNs... silently. Returning floating-point values via outparam,
* however, is done entirely within the SSE registers when SSE2 floating-point
* is enabled in the compiler, which has semantics-preserving behavior you would
* expect.
*
* If preserving the distinction between signaling NaNs and quiet NaNs is
* important to you, you should use the outparam version. In all other cases,
* you should use the direct return version.
*/
template <typename To, typename From>
inline void BitwiseCast(const From aFrom, To* aResult) {
static_assert(sizeof(From) == sizeof(To),
"To and From must have the same size");
// We could maybe downgrade these to std::is_trivially_copyable, but the
// various STLs we use don't all provide it.
static_assert(std::is_trivial<From>::value,
"shouldn't bitwise-copy a type having non-trivial "
"initialization");
static_assert(std::is_trivial<To>::value,
"shouldn't bitwise-copy a type having non-trivial "
"initialization");
std::memcpy(static_cast<void*>(aResult), static_cast<const void*>(&aFrom),
sizeof(From));
}
template <typename To, typename From>
inline To BitwiseCast(const From aFrom) {
To temp;
BitwiseCast<To, From>(aFrom, &temp);
return temp;
}
namespace detail {
enum ToSignedness { ToIsSigned, ToIsUnsigned };
enum FromSignedness { FromIsSigned, FromIsUnsigned };
template <typename From, typename To,
FromSignedness =
std::is_signed_v<From> ? FromIsSigned : FromIsUnsigned,
ToSignedness = std::is_signed_v<To> ? ToIsSigned : ToIsUnsigned>
struct BoundsCheckImpl;
// Implicit conversions on operands to binary operations make this all a bit
// hard to verify. Attempt to ease the pain below by *only* comparing values
// that are obviously the same type (and will undergo no further conversions),
// even when it's not strictly necessary, for explicitness.
enum UUComparison { FromIsBigger, FromIsNotBigger };
// Unsigned-to-unsigned range check
template <typename From, typename To,
UUComparison =
(sizeof(From) > sizeof(To)) ? FromIsBigger : FromIsNotBigger>
struct UnsignedUnsignedCheck;
template <typename From, typename To>
struct UnsignedUnsignedCheck<From, To, FromIsBigger> {
public:
static bool checkBounds(const From aFrom) { return aFrom <= From(To(-1)); }
};
template <typename From, typename To>
struct UnsignedUnsignedCheck<From, To, FromIsNotBigger> {
public:
static bool checkBounds(const From aFrom) { return true; }
};
template <typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsUnsigned, ToIsUnsigned> {
public:
static bool checkBounds(const From aFrom) {
return UnsignedUnsignedCheck<From, To>::checkBounds(aFrom);
}
};
// Signed-to-unsigned range check
template <typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsSigned, ToIsUnsigned> {
public:
static bool checkBounds(const From aFrom) {
if (aFrom < 0) {
return false;
}
if (sizeof(To) >= sizeof(From)) {
return true;
}
return aFrom <= From(To(-1));
}
};
// Unsigned-to-signed range check
enum USComparison { FromIsSmaller, FromIsNotSmaller };
template <typename From, typename To,
USComparison =
(sizeof(From) < sizeof(To)) ? FromIsSmaller : FromIsNotSmaller>
struct UnsignedSignedCheck;
template <typename From, typename To>
struct UnsignedSignedCheck<From, To, FromIsSmaller> {
public:
static bool checkBounds(const From aFrom) { return true; }
};
template <typename From, typename To>
struct UnsignedSignedCheck<From, To, FromIsNotSmaller> {
public:
static bool checkBounds(const From aFrom) {
const To MaxValue = To((1ULL << (CHAR_BIT * sizeof(To) - 1)) - 1);
return aFrom <= From(MaxValue);
}
};
template <typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsUnsigned, ToIsSigned> {
public:
static bool checkBounds(const From aFrom) {
return UnsignedSignedCheck<From, To>::checkBounds(aFrom);
}
};
// Signed-to-signed range check
template <typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsSigned, ToIsSigned> {
public:
static bool checkBounds(const From aFrom) {
if (sizeof(From) <= sizeof(To)) {
return true;
}
const To MaxValue = To((1ULL << (CHAR_BIT * sizeof(To) - 1)) - 1);
const To MinValue = -MaxValue - To(1);
return From(MinValue) <= aFrom && From(aFrom) <= From(MaxValue);
}
};
template <typename From, typename To,
bool TypesAreIntegral =
std::is_integral_v<From>&& std::is_integral_v<To>>
class BoundsChecker;
template <typename From>
class BoundsChecker<From, From, true> {
public:
static bool checkBounds(const From aFrom) { return true; }
};
template <typename From, typename To>
class BoundsChecker<From, To, true> {
public:
static bool checkBounds(const From aFrom) {
return BoundsCheckImpl<From, To>::checkBounds(aFrom);
}
};
template <typename From, typename To>
inline bool IsInBounds(const From aFrom) {
return BoundsChecker<From, To>::checkBounds(aFrom);
}
} // namespace detail
/**
* Cast a value of integral type |From| to a value of integral type |To|,
* asserting that the cast will be a safe cast per C++ (that is, that |to| is in
* the range of values permitted for the type |From|).
*/
template <typename To, typename From>
inline To AssertedCast(const From aFrom) {
MOZ_ASSERT((detail::IsInBounds<From, To>(aFrom)));
return static_cast<To>(aFrom);
}
/**
* Cast a value of integral type |From| to a value of integral type |To|,
* release asserting that the cast will be a safe cast per C++ (that is, that
* |to| is in the range of values permitted for the type |From|).
*/
template <typename To, typename From>
inline To ReleaseAssertedCast(const From aFrom) {
MOZ_RELEASE_ASSERT((detail::IsInBounds<From, To>(aFrom)));
return static_cast<To>(aFrom);
}
} // namespace mozilla
#endif /* mozilla_Casting_h */
|