/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ /* Provides checked integers, detecting integer overflow and divide-by-0. */ #ifndef mozilla_CheckedInt_h_ #define mozilla_CheckedInt_h_ /* * Build options. Comment out these #defines to disable the corresponding * optional feature. Disabling features may be useful for code using * CheckedInt outside of Mozilla (e.g. WebKit) */ // Enable usage of MOZ_STATIC_ASSERT to check for unsupported types. // If disabled, static asserts are replaced by regular assert(). #define MOZ_CHECKEDINT_ENABLE_MOZ_ASSERTS /* * End of build options */ #ifdef MOZ_CHECKEDINT_ENABLE_MOZ_ASSERTS # include "mozilla/Assertions.h" #else # ifndef MOZ_STATIC_ASSERT # include # define MOZ_STATIC_ASSERT(cond, reason) assert((cond) && reason) # define MOZ_ASSERT(cond, reason) assert((cond) && reason) # endif #endif #include "mozilla/StandardInteger.h" #include #include namespace mozilla { namespace detail { /* * Step 1: manually record supported types * * What's nontrivial here is that there are different families of integer * types: basic integer types and stdint types. It is merrily undefined which * types from one family may be just typedefs for a type from another family. * * For example, on GCC 4.6, aside from the basic integer types, the only other * type that isn't just a typedef for some of them, is int8_t. */ struct UnsupportedType {}; template struct IsSupportedPass2 { static const bool value = false; }; template struct IsSupported { static const bool value = IsSupportedPass2::value; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupported { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; template<> struct IsSupportedPass2 { static const bool value = true; }; /* * Step 2: some integer-traits kind of stuff. */ template struct StdintTypeForSizeAndSignedness {}; template<> struct StdintTypeForSizeAndSignedness<1, true> { typedef int8_t Type; }; template<> struct StdintTypeForSizeAndSignedness<1, false> { typedef uint8_t Type; }; template<> struct StdintTypeForSizeAndSignedness<2, true> { typedef int16_t Type; }; template<> struct StdintTypeForSizeAndSignedness<2, false> { typedef uint16_t Type; }; template<> struct StdintTypeForSizeAndSignedness<4, true> { typedef int32_t Type; }; template<> struct StdintTypeForSizeAndSignedness<4, false> { typedef uint32_t Type; }; template<> struct StdintTypeForSizeAndSignedness<8, true> { typedef int64_t Type; }; template<> struct StdintTypeForSizeAndSignedness<8, false> { typedef uint64_t Type; }; template struct UnsignedType { typedef typename StdintTypeForSizeAndSignedness::Type Type; }; template struct IsSigned { static const bool value = IntegerType(-1) <= IntegerType(0); }; template struct TwiceBiggerType { typedef typename StdintTypeForSizeAndSignedness< sizeof(IntegerType) * 2, IsSigned::value >::Type Type; }; template struct TwiceBiggerType { typedef UnsupportedType Type; }; template struct PositionOfSignBit { static const size_t value = CHAR_BIT * sizeof(IntegerType) - 1; }; template struct MinValue { private: typedef typename UnsignedType::Type UnsignedIntegerType; static const size_t PosOfSignBit = PositionOfSignBit::value; public: // Bitwise ops may return a larger type, that's why we cast explicitly. // In C++, left bit shifts on signed values is undefined by the standard // unless the shifted value is representable. // Notice that signed-to-unsigned conversions are always well-defined in // the standard as the value congruent to 2**n, as expected. By contrast, // unsigned-to-signed is only well-defined if the value is representable. static const IntegerType value = IsSigned::value ? IntegerType(UnsignedIntegerType(1) << PosOfSignBit) : IntegerType(0); }; template struct MaxValue { // Tricksy, but covered by the unit test. // Relies heavily on the type of MinValue::value // being IntegerType. static const IntegerType value = ~MinValue::value; }; /* * Step 3: Implement the actual validity checks. * * Ideas taken from IntegerLib, code different. */ // Bitwise ops may return a larger type, so it's good to use these inline // helpers guaranteeing that the result is really of type T. template inline T HasSignBit(T x) { // In C++, right bit shifts on negative values is undefined by the standard. // Notice that signed-to-unsigned conversions are always well-defined in the // standard, as the value congruent modulo 2**n as expected. By contrast, // unsigned-to-signed is only well-defined if the value is representable. // Here the unsigned-to-signed conversion is OK because the value // (the result of the shift) is 0 or 1. return T(typename UnsignedType::Type(x) >> PositionOfSignBit::value); } template inline T BinaryComplement(T x) { return ~x; } template::value, bool IsUSigned = IsSigned::value> struct IsInRangeImpl {}; template struct IsInRangeImpl { static bool run(U x) { return x <= MaxValue::value && x >= MinValue::value; } }; template struct IsInRangeImpl { static bool run(U x) { return x <= MaxValue::value; } }; template struct IsInRangeImpl { static bool run(U x) { return sizeof(T) > sizeof(U) || x <= U(MaxValue::value); } }; template struct IsInRangeImpl { static bool run(U x) { return sizeof(T) >= sizeof(U) ? x >= 0 : x >= 0 && x <= U(MaxValue::value); } }; template inline bool IsInRange(U x) { return IsInRangeImpl::run(x); } template inline bool IsAddValid(T x, T y) { // Addition is valid if the sign of x+y is equal to either that of x or that // of y. Since the value of x+y is undefined if we have a signed type, we // compute it using the unsigned type of the same size. // Beware! These bitwise operations can return a larger integer type, // if T was a small type like int8_t, so we explicitly cast to T. typename UnsignedType::Type ux = x; typename UnsignedType::Type uy = y; typename UnsignedType::Type result = ux + uy; return IsSigned::value ? HasSignBit(BinaryComplement(T((result ^ x) & (result ^ y)))) : BinaryComplement(x) >= y; } template inline bool IsSubValid(T x, T y) { // Subtraction is valid if either x and y have same sign, or x-y and x have // same sign. Since the value of x-y is undefined if we have a signed type, // we compute it using the unsigned type of the same size. typename UnsignedType::Type ux = x; typename UnsignedType::Type uy = y; typename UnsignedType::Type result = ux - uy; return IsSigned::value ? HasSignBit(BinaryComplement(T((result ^ x) & (x ^ y)))) : x >= y; } template::value, bool TwiceBiggerTypeIsSupported = IsSupported::Type>::value> struct IsMulValidImpl {}; template struct IsMulValidImpl { static bool run(T x, T y) { typedef typename TwiceBiggerType::Type TwiceBiggerType; TwiceBiggerType product = TwiceBiggerType(x) * TwiceBiggerType(y); return IsInRange(product); } }; template struct IsMulValidImpl { static bool run(T x, T y) { const T max = MaxValue::value; const T min = MinValue::value; if (x == 0 || y == 0) return true; if (x > 0) { return y > 0 ? x <= max / y : y >= min / x; } // If we reach this point, we know that x < 0. return y > 0 ? x >= min / y : y >= max / x; } }; template struct IsMulValidImpl { static bool run(T x, T y) { return y == 0 || x <= MaxValue::value / y; } }; template inline bool IsMulValid(T x, T y) { return IsMulValidImpl::run(x, y); } template inline bool IsDivValid(T x, T y) { // Keep in mind that in the signed case, min/-1 is invalid because abs(min)>max. return y != 0 && !(IsSigned::value && x == MinValue::value && y == T(-1)); } // This is just to shut up msvc warnings about negating unsigned ints. template::value> struct OppositeIfSignedImpl { static T run(T x) { return -x; } }; template struct OppositeIfSignedImpl { static T run(T x) { return x; } }; template inline T OppositeIfSigned(T x) { return OppositeIfSignedImpl::run(x); } } // namespace detail /* * Step 4: Now define the CheckedInt class. */ /** * @class CheckedInt * @brief Integer wrapper class checking for integer overflow and other errors * @param T the integer type to wrap. Can be any type among the following: * - any basic integer type such as |int| * - any stdint type such as |int8_t| * * This class implements guarded integer arithmetic. Do a computation, check * that isValid() returns true, you then have a guarantee that no problem, such * as integer overflow, happened during this computation, and you can call * value() to get the plain integer value. * * The arithmetic operators in this class are guaranteed not to raise a signal * (e.g. in case of a division by zero). * * For example, suppose that you want to implement a function that computes * (x+y)/z, that doesn't crash if z==0, and that reports on error (divide by * zero or integer overflow). You could code it as follows: @code bool computeXPlusYOverZ(int x, int y, int z, int *result) { CheckedInt checkedResult = (CheckedInt(x) + y) / z; if (checkedResult.isValid()) { *result = checkedResult.value(); return true; } else { return false; } } @endcode * * Implicit conversion from plain integers to checked integers is allowed. The * plain integer is checked to be in range before being casted to the * destination type. This means that the following lines all compile, and the * resulting CheckedInts are correctly detected as valid or invalid: * @code // 1 is of type int, is found to be in range for uint8_t, x is valid CheckedInt x(1); // -1 is of type int, is found not to be in range for uint8_t, x is invalid CheckedInt x(-1); // -1 is of type int, is found to be in range for int8_t, x is valid CheckedInt x(-1); // 1000 is of type int16_t, is found not to be in range for int8_t, // x is invalid CheckedInt x(int16_t(1000)); // 3123456789 is of type uint32_t, is found not to be in range for int32_t, // x is invalid CheckedInt x(uint32_t(3123456789)); * @endcode * Implicit conversion from * checked integers to plain integers is not allowed. As shown in the * above example, to get the value of a checked integer as a normal integer, * call value(). * * Arithmetic operations between checked and plain integers is allowed; the * result type is the type of the checked integer. * * Checked integers of different types cannot be used in the same arithmetic * expression. * * There are convenience typedefs for all stdint types, of the following form * (these are just 2 examples): @code typedef CheckedInt CheckedInt32; typedef CheckedInt CheckedUint16; @endcode */ template class CheckedInt { protected: T mValue; bool mIsValid; template CheckedInt(U value, bool isValid) : mValue(value), mIsValid(isValid) { MOZ_STATIC_ASSERT(detail::IsSupported::value, "This type is not supported by CheckedInt"); } public: /** * Constructs a checked integer with given @a value. The checked integer is * initialized as valid or invalid depending on whether the @a value * is in range. * * This constructor is not explicit. Instead, the type of its argument is a * separate template parameter, ensuring that no conversion is performed * before this constructor is actually called. As explained in the above * documentation for class CheckedInt, this constructor checks that its * argument is valid. */ template CheckedInt(U value) : mValue(T(value)), mIsValid(detail::IsInRange(value)) { MOZ_STATIC_ASSERT(detail::IsSupported::value, "This type is not supported by CheckedInt"); } /** Constructs a valid checked integer with initial value 0 */ CheckedInt() : mValue(0), mIsValid(true) { MOZ_STATIC_ASSERT(detail::IsSupported::value, "This type is not supported by CheckedInt"); } /** @returns the actual value */ T value() const { MOZ_ASSERT(mIsValid, "Invalid checked integer (division by zero or integer overflow)"); return mValue; } /** * @returns true if the checked integer is valid, i.e. is not the result * of an invalid operation or of an operation involving an invalid checked * integer */ bool isValid() const { return mIsValid; } template friend CheckedInt operator +(const CheckedInt& lhs, const CheckedInt& rhs); template CheckedInt& operator +=(U rhs); template friend CheckedInt operator -(const CheckedInt& lhs, const CheckedInt &rhs); template CheckedInt& operator -=(U rhs); template friend CheckedInt operator *(const CheckedInt& lhs, const CheckedInt &rhs); template CheckedInt& operator *=(U rhs); template friend CheckedInt operator /(const CheckedInt& lhs, const CheckedInt &rhs); template CheckedInt& operator /=(U rhs); CheckedInt operator -() const { // Circumvent msvc warning about - applied to unsigned int. // if we're unsigned, the only valid case anyway is 0 // in which case - is a no-op. T result = detail::OppositeIfSigned(mValue); /* Help the compiler perform RVO (return value optimization). */ return CheckedInt(result, mIsValid && detail::IsSubValid(T(0), mValue)); } /** * @returns true if the left and right hand sides are valid * and have the same value. * * Note that these semantics are the reason why we don't offer * a operator!=. Indeed, we'd want to have a!=b be equivalent to !(a==b) * but that would mean that whenever a or b is invalid, a!=b * is always true, which would be very confusing. * * For similar reasons, operators <, >, <=, >= would be very tricky to * specify, so we just avoid offering them. * * Notice that these == semantics are made more reasonable by these facts: * 1. a==b implies equality at the raw data level * (the converse is false, as a==b is never true among invalids) * 2. This is similar to the behavior of IEEE floats, where a==b * means that a and b have the same value *and* neither is NaN. */ bool operator ==(const CheckedInt& other) const { return mIsValid && other.mIsValid && mValue == other.mValue; } /** prefix ++ */ CheckedInt& operator++() { *this += 1; return *this; } /** postfix ++ */ CheckedInt operator++(int) { CheckedInt tmp = *this; *this += 1; return tmp; } /** prefix -- */ CheckedInt& operator--() { *this -= 1; return *this; } /** postfix -- */ CheckedInt operator--(int) { CheckedInt tmp = *this; *this -= 1; return tmp; } private: /** * The !=, <, <=, >, >= operators are disabled: * see the comment on operator==. */ template bool operator !=(U other) const MOZ_DELETE; template bool operator <(U other) const MOZ_DELETE; template bool operator <=(U other) const MOZ_DELETE; template bool operator >(U other) const MOZ_DELETE; template bool operator >=(U other) const MOZ_DELETE; }; #define MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(NAME, OP) \ template \ inline CheckedInt operator OP(const CheckedInt &lhs, \ const CheckedInt &rhs) \ { \ T x = lhs.mValue; \ T y = rhs.mValue; \ T result = x OP y; \ T isOpValid = detail::Is##NAME##Valid(x, y); \ /* Help the compiler perform RVO (return value optimization). */ \ return CheckedInt(result, \ lhs.mIsValid && rhs.mIsValid && isOpValid); \ } MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Add, +) MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Sub, -) MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR(Mul, *) #undef MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR // Division can't be implemented by MOZ_CHECKEDINT_BASIC_BINARY_OPERATOR // because if rhs == 0, we are not allowed to even try to compute the quotient. template inline CheckedInt operator /(const CheckedInt &lhs, const CheckedInt &rhs) { T x = lhs.mValue; T y = rhs.mValue; bool isOpValid = detail::IsDivValid(x, y); T result = isOpValid ? (x / y) : 0; /* give the compiler a good chance to perform RVO */ return CheckedInt(result, lhs.mIsValid && rhs.mIsValid && isOpValid); } // Implement castToCheckedInt(x), making sure that // - it allows x to be either a CheckedInt or any integer type // that can be casted to T // - if x is already a CheckedInt, we just return a reference to it, // instead of copying it (optimization) namespace detail { template struct CastToCheckedIntImpl { typedef CheckedInt ReturnType; static CheckedInt run(U u) { return u; } }; template struct CastToCheckedIntImpl > { typedef const CheckedInt& ReturnType; static const CheckedInt& run(const CheckedInt& u) { return u; } }; } // namespace detail template inline typename detail::CastToCheckedIntImpl::ReturnType castToCheckedInt(U u) { return detail::CastToCheckedIntImpl::run(u); } #define MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(OP, COMPOUND_OP) \ template \ template \ CheckedInt& CheckedInt::operator COMPOUND_OP(U rhs) \ { \ *this = *this OP castToCheckedInt(rhs); \ return *this; \ } \ template \ inline CheckedInt operator OP(const CheckedInt &lhs, U rhs) \ { \ return lhs OP castToCheckedInt(rhs); \ } \ template \ inline CheckedInt operator OP(U lhs, const CheckedInt &rhs) \ { \ return castToCheckedInt(lhs) OP rhs; \ } MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(+, +=) MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(*, *=) MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(-, -=) MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS(/, /=) #undef MOZ_CHECKEDINT_CONVENIENCE_BINARY_OPERATORS template inline bool operator ==(const CheckedInt &lhs, U rhs) { return lhs == castToCheckedInt(rhs); } template inline bool operator ==(U lhs, const CheckedInt &rhs) { return castToCheckedInt(lhs) == rhs; } // Convenience typedefs. typedef CheckedInt CheckedInt8; typedef CheckedInt CheckedUint8; typedef CheckedInt CheckedInt16; typedef CheckedInt CheckedUint16; typedef CheckedInt CheckedInt32; typedef CheckedInt CheckedUint32; typedef CheckedInt CheckedInt64; typedef CheckedInt CheckedUint64; } // namespace mozilla #endif /* mozilla_CheckedInt_h_ */