// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef BASE_NUMERICS_SAFE_MATH_H_ #define BASE_NUMERICS_SAFE_MATH_H_ #include #include "base/numerics/safe_math_impl.h" namespace base { namespace internal { // CheckedNumeric implements all the logic and operators for detecting integer // boundary conditions such as overflow, underflow, and invalid conversions. // The CheckedNumeric type implicitly converts from floating point and integer // data types, and contains overloads for basic arithmetic operations (i.e.: +, // -, *, /, %). // // The following methods convert from CheckedNumeric to standard numeric values: // IsValid() - Returns true if the underlying numeric value is valid (i.e. has // has not wrapped and is not the result of an invalid conversion). // ValueOrDie() - Returns the underlying value. If the state is not valid this // call will crash on a CHECK. // ValueOrDefault() - Returns the current value, or the supplied default if the // state is not valid. // ValueFloating() - Returns the underlying floating point value (valid only // only for floating point CheckedNumeric types). // // Bitwise operations are explicitly not supported, because correct // handling of some cases (e.g. sign manipulation) is ambiguous. Comparison // operations are explicitly not supported because they could result in a crash // on a CHECK condition. You should use patterns like the following for these // operations: // Bitwise operation: // CheckedNumeric checked_int = untrusted_input_value; // int x = checked_int.ValueOrDefault(0) | kFlagValues; // Comparison: // CheckedNumeric checked_size = untrusted_input_value; // checked_size += HEADER LENGTH; // if (checked_size.IsValid() && checked_size.ValueOrDie() < buffer_size) // Do stuff... template class CheckedNumeric { public: typedef T type; CheckedNumeric() {} // Copy constructor. template CheckedNumeric(const CheckedNumeric& rhs) : state_(rhs.ValueUnsafe(), rhs.validity()) {} template CheckedNumeric(Src value, RangeConstraint validity) : state_(value, validity) {} // This is not an explicit constructor because we implicitly upgrade regular // numerics to CheckedNumerics to make them easier to use. template CheckedNumeric(Src value) : state_(value) { static_assert(std::numeric_limits::is_specialized, "Argument must be numeric."); } // This is not an explicit constructor because we want a seamless conversion // from StrictNumeric types. template CheckedNumeric(StrictNumeric value) : state_(static_cast(value)) { } // IsValid() is the public API to test if a CheckedNumeric is currently valid. bool IsValid() const { return validity() == RANGE_VALID; } // ValueOrDie() The primary accessor for the underlying value. If the current // state is not valid it will CHECK and crash. T ValueOrDie() const { CHECK(IsValid()); return state_.value(); } // ValueOrDefault(T default_value) A convenience method that returns the // current value if the state is valid, and the supplied default_value for // any other state. T ValueOrDefault(T default_value) const { return IsValid() ? state_.value() : default_value; } // ValueFloating() - Since floating point values include their validity state, // we provide an easy method for extracting them directly, without a risk of // crashing on a CHECK. T ValueFloating() const { static_assert(std::numeric_limits::is_iec559, "Argument must be float."); return CheckedNumeric::cast(*this).ValueUnsafe(); } // validity() - DO NOT USE THIS IN EXTERNAL CODE - It is public right now for // tests and to avoid a big matrix of friend operator overloads. But the // values it returns are likely to change in the future. // Returns: current validity state (i.e. valid, overflow, underflow, nan). // TODO(jschuh): crbug.com/332611 Figure out and implement semantics for // saturation/wrapping so we can expose this state consistently and implement // saturated arithmetic. RangeConstraint validity() const { return state_.validity(); } // ValueUnsafe() - DO NOT USE THIS IN EXTERNAL CODE - It is public right now // for tests and to avoid a big matrix of friend operator overloads. But the // values it returns are likely to change in the future. // Returns: the raw numeric value, regardless of the current state. // TODO(jschuh): crbug.com/332611 Figure out and implement semantics for // saturation/wrapping so we can expose this state consistently and implement // saturated arithmetic. T ValueUnsafe() const { return state_.value(); } // Prototypes for the supported arithmetic operator overloads. template CheckedNumeric& operator+=(Src rhs); template CheckedNumeric& operator-=(Src rhs); template CheckedNumeric& operator*=(Src rhs); template CheckedNumeric& operator/=(Src rhs); template CheckedNumeric& operator%=(Src rhs); CheckedNumeric operator-() const { RangeConstraint validity; T value = CheckedNeg(state_.value(), &validity); // Negation is always valid for floating point. if (std::numeric_limits::is_iec559) return CheckedNumeric(value); validity = GetRangeConstraint(state_.validity() | validity); return CheckedNumeric(value, validity); } CheckedNumeric Abs() const { RangeConstraint validity; T value = CheckedAbs(state_.value(), &validity); // Absolute value is always valid for floating point. if (std::numeric_limits::is_iec559) return CheckedNumeric(value); validity = GetRangeConstraint(state_.validity() | validity); return CheckedNumeric(value, validity); } // This function is available only for integral types. It returns an unsigned // integer of the same width as the source type, containing the absolute value // of the source, and properly handling signed min. CheckedNumeric::type> UnsignedAbs() const { return CheckedNumeric::type>( CheckedUnsignedAbs(state_.value()), state_.validity()); } CheckedNumeric& operator++() { *this += 1; return *this; } CheckedNumeric operator++(int) { CheckedNumeric value = *this; *this += 1; return value; } CheckedNumeric& operator--() { *this -= 1; return *this; } CheckedNumeric operator--(int) { CheckedNumeric value = *this; *this -= 1; return value; } // These static methods behave like a convenience cast operator targeting // the desired CheckedNumeric type. As an optimization, a reference is // returned when Src is the same type as T. template static CheckedNumeric cast( Src u, typename std::enable_if::is_specialized, int>::type = 0) { return u; } template static CheckedNumeric cast( const CheckedNumeric& u, typename std::enable_if::value, int>::type = 0) { return u; } static const CheckedNumeric& cast(const CheckedNumeric& u) { return u; } private: template struct UnderlyingType { using type = NumericType; }; template struct UnderlyingType> { using type = NumericType; }; CheckedNumericState state_; }; // This is the boilerplate for the standard arithmetic operator overloads. A // macro isn't the prettiest solution, but it beats rewriting these five times. // Some details worth noting are: // * We apply the standard arithmetic promotions. // * We skip range checks for floating points. // * We skip range checks for destination integers with sufficient range. // TODO(jschuh): extract these out into templates. #define BASE_NUMERIC_ARITHMETIC_OPERATORS(NAME, OP, COMPOUND_OP) \ /* Binary arithmetic operator for CheckedNumerics of the same type. */ \ template \ CheckedNumeric::type> operator OP( \ const CheckedNumeric& lhs, const CheckedNumeric& rhs) { \ typedef typename ArithmeticPromotion::type Promotion; \ /* Floating point always takes the fast path */ \ if (std::numeric_limits::is_iec559) \ return CheckedNumeric(lhs.ValueUnsafe() OP rhs.ValueUnsafe()); \ if (IsIntegerArithmeticSafe::value) \ return CheckedNumeric( \ lhs.ValueUnsafe() OP rhs.ValueUnsafe(), \ GetRangeConstraint(rhs.validity() | lhs.validity())); \ RangeConstraint validity = RANGE_VALID; \ T result = static_cast(Checked##NAME( \ static_cast(lhs.ValueUnsafe()), \ static_cast(rhs.ValueUnsafe()), \ &validity)); \ return CheckedNumeric( \ result, \ GetRangeConstraint(validity | lhs.validity() | rhs.validity())); \ } \ /* Assignment arithmetic operator implementation from CheckedNumeric. */ \ template \ template \ CheckedNumeric& CheckedNumeric::operator COMPOUND_OP(Src rhs) { \ *this = CheckedNumeric::cast(*this) \ OP CheckedNumeric::type>::cast(rhs); \ return *this; \ } \ /* Binary arithmetic operator for CheckedNumeric of different type. */ \ template \ CheckedNumeric::type> operator OP( \ const CheckedNumeric& lhs, const CheckedNumeric& rhs) { \ typedef typename ArithmeticPromotion::type Promotion; \ if (IsIntegerArithmeticSafe::value) \ return CheckedNumeric( \ lhs.ValueUnsafe() OP rhs.ValueUnsafe(), \ GetRangeConstraint(rhs.validity() | lhs.validity())); \ return CheckedNumeric::cast(lhs) \ OP CheckedNumeric::cast(rhs); \ } \ /* Binary arithmetic operator for left CheckedNumeric and right numeric. */ \ template \ CheckedNumeric::type> operator OP( \ const CheckedNumeric& lhs, Src rhs) { \ typedef typename ArithmeticPromotion::type Promotion; \ if (IsIntegerArithmeticSafe::value) \ return CheckedNumeric(lhs.ValueUnsafe() OP rhs, \ lhs.validity()); \ return CheckedNumeric::cast(lhs) \ OP CheckedNumeric::cast(rhs); \ } \ /* Binary arithmetic operator for right numeric and left CheckedNumeric. */ \ template \ CheckedNumeric::type> operator OP( \ Src lhs, const CheckedNumeric& rhs) { \ typedef typename ArithmeticPromotion::type Promotion; \ if (IsIntegerArithmeticSafe::value) \ return CheckedNumeric(lhs OP rhs.ValueUnsafe(), \ rhs.validity()); \ return CheckedNumeric::cast(lhs) \ OP CheckedNumeric::cast(rhs); \ } BASE_NUMERIC_ARITHMETIC_OPERATORS(Add, +, += ) BASE_NUMERIC_ARITHMETIC_OPERATORS(Sub, -, -= ) BASE_NUMERIC_ARITHMETIC_OPERATORS(Mul, *, *= ) BASE_NUMERIC_ARITHMETIC_OPERATORS(Div, /, /= ) BASE_NUMERIC_ARITHMETIC_OPERATORS(Mod, %, %= ) #undef BASE_NUMERIC_ARITHMETIC_OPERATORS } // namespace internal using internal::CheckedNumeric; } // namespace base #endif // BASE_NUMERICS_SAFE_MATH_H_