blob: ed36cfa89d40c487967a0c9b8e5b96e218ffc34d [file] [log] [blame]
/*
* Copyright (C) 2011-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#pragma once
#include <wtf/Assertions.h>
#include <limits>
#include <stdint.h>
#include <type_traits>
/* On Linux with clang, libgcc is usually used instead of compiler-rt, and it does
* not provide the __mulodi4 symbol used by clang for __builtin_mul_overflow
*/
#if COMPILER(GCC) || (COMPILER(CLANG) && !(CPU(ARM) && OS(LINUX)))
#define USE_MUL_OVERFLOW 1
#endif
/* Checked<T>
*
* This class provides a mechanism to perform overflow-safe integer arithmetic
* without having to manually ensure that you have all the required bounds checks
* directly in your code.
*
* There are two modes of operation:
* - The default is Checked<T, CrashOnOverflow>, and crashes at the point
* and overflow has occurred.
* - The alternative is Checked<T, RecordOverflow>, which uses an additional
* byte of storage to track whether an overflow has occurred, subsequent
* unchecked operations will crash if an overflow has occured
*
* It is possible to provide a custom overflow handler, in which case you need
* to support these functions:
* - void overflowed();
* This function is called when an operation has produced an overflow.
* - bool hasOverflowed();
* This function must return true if overflowed() has been called on an
* instance and false if it has not.
* - void clearOverflow();
* Used to reset overflow tracking when a value is being overwritten with
* a new value.
*
* Checked<T> works for all integer types, with the following caveats:
* - Mixing signedness of operands is only supported for types narrower than
* 64bits.
* - It does have a performance impact, so tight loops may want to be careful
* when using it.
*
*/
namespace WTF {
enum class CheckedState {
DidOverflow,
DidNotOverflow
};
class AssertNoOverflow {
public:
static NO_RETURN_DUE_TO_ASSERT void overflowed()
{
ASSERT_NOT_REACHED();
}
void clearOverflow() { }
static NO_RETURN_DUE_TO_CRASH void crash()
{
CRASH();
}
public:
constexpr bool hasOverflowed() const { return false; }
};
class CrashOnOverflow {
public:
static NO_RETURN_DUE_TO_CRASH void overflowed()
{
crash();
}
void clearOverflow() { }
static NO_RETURN_DUE_TO_CRASH void crash()
{
CRASH();
}
public:
bool hasOverflowed() const { return false; }
};
class RecordOverflow {
protected:
RecordOverflow()
: m_overflowed(false)
{
}
void clearOverflow()
{
m_overflowed = false;
}
static NO_RETURN_DUE_TO_CRASH void crash()
{
CRASH();
}
public:
bool hasOverflowed() const { return m_overflowed; }
void overflowed() { m_overflowed = true; }
private:
unsigned char m_overflowed;
};
template <typename T, class OverflowHandler = CrashOnOverflow> class Checked;
template <typename T> struct RemoveChecked;
template <typename T> struct RemoveChecked<Checked<T>>;
template <typename Target, typename Source, bool isTargetBigger = sizeof(Target) >= sizeof(Source), bool targetSigned = std::numeric_limits<Target>::is_signed, bool sourceSigned = std::numeric_limits<Source>::is_signed> struct BoundsChecker;
template <typename Target, typename Source> struct BoundsChecker<Target, Source, false, false, false> {
static bool constexpr inBounds(Source value)
{
// Same signedness so implicit type conversion will always increase precision to widest type.
return value <= std::numeric_limits<Target>::max();
}
};
template <typename Target, typename Source> struct BoundsChecker<Target, Source, false, true, true> {
static bool constexpr inBounds(Source value)
{
// Same signedness so implicit type conversion will always increase precision to widest type.
return std::numeric_limits<Target>::min() <= value && value <= std::numeric_limits<Target>::max();
}
};
template <typename Target, typename Source> struct BoundsChecker<Target, Source, false, false, true> {
static bool constexpr inBounds(Source value)
{
// When converting value to unsigned Source, value will become a big value if value is negative.
// Casted value will become bigger than Target::max as Source is bigger than Target.
return static_cast<std::make_unsigned_t<Source>>(value) <= std::numeric_limits<Target>::max();
}
};
template <typename Target, typename Source> struct BoundsChecker<Target, Source, false, true, false> {
static bool constexpr inBounds(Source value)
{
// The unsigned Source type has greater precision than the target so max(Target) -> Source will widen.
return value <= static_cast<Source>(std::numeric_limits<Target>::max());
}
};
template <typename Target, typename Source> struct BoundsChecker<Target, Source, true, false, false> {
static bool constexpr inBounds(Source)
{
// Same sign, greater or same precision.
return true;
}
};
template <typename Target, typename Source> struct BoundsChecker<Target, Source, true, true, true> {
static bool constexpr inBounds(Source)
{
// Same sign, greater or same precision.
return true;
}
};
template <typename Target, typename Source> struct BoundsChecker<Target, Source, true, true, false> {
static bool constexpr inBounds(Source value)
{
// Target is signed with greater or same precision. If strictly greater, it is always safe.
if (sizeof(Target) > sizeof(Source))
return true;
return value <= static_cast<Source>(std::numeric_limits<Target>::max());
}
};
template <typename Target, typename Source> struct BoundsChecker<Target, Source, true, false, true> {
static bool constexpr inBounds(Source value)
{
// Target is unsigned with greater precision.
return value >= 0;
}
};
template <typename Target, typename Source> static inline constexpr bool isInBounds(Source value)
{
return BoundsChecker<Target, Source>::inBounds(value);
}
template <typename Target, typename Source> static inline constexpr bool convertSafely(Source input, Target& output)
{
if (!isInBounds<Target>(input))
return false;
output = static_cast<Target>(input);
return true;
}
template <typename T> struct RemoveChecked {
typedef T CleanType;
static constexpr CleanType DefaultValue = 0;
};
template <typename T> struct RemoveChecked<Checked<T, CrashOnOverflow>> {
typedef typename RemoveChecked<T>::CleanType CleanType;
static constexpr CleanType DefaultValue = 0;
};
template <typename T> struct RemoveChecked<Checked<T, RecordOverflow>> {
typedef typename RemoveChecked<T>::CleanType CleanType;
static constexpr CleanType DefaultValue = 0;
};
// The ResultBase and SignednessSelector are used to workaround typeof not being
// available in MSVC
template <typename U, typename V, bool uIsBigger = (sizeof(U) > sizeof(V)), bool sameSize = (sizeof(U) == sizeof(V))> struct ResultBase;
template <typename U, typename V> struct ResultBase<U, V, true, false> {
typedef U ResultType;
};
template <typename U, typename V> struct ResultBase<U, V, false, false> {
typedef V ResultType;
};
template <typename U> struct ResultBase<U, U, false, true> {
typedef U ResultType;
};
template <typename U, typename V, bool uIsSigned = std::numeric_limits<U>::is_signed, bool vIsSigned = std::numeric_limits<V>::is_signed> struct SignednessSelector;
template <typename U, typename V> struct SignednessSelector<U, V, true, true> {
typedef U ResultType;
};
template <typename U, typename V> struct SignednessSelector<U, V, false, false> {
typedef U ResultType;
};
template <typename U, typename V> struct SignednessSelector<U, V, true, false> {
typedef V ResultType;
};
template <typename U, typename V> struct SignednessSelector<U, V, false, true> {
typedef U ResultType;
};
template <typename U, typename V> struct ResultBase<U, V, false, true> {
typedef typename SignednessSelector<U, V>::ResultType ResultType;
};
template <typename U, typename V> struct Result : ResultBase<typename RemoveChecked<U>::CleanType, typename RemoveChecked<V>::CleanType> {
};
template <typename LHS, typename RHS, typename ResultType = typename Result<LHS, RHS>::ResultType,
bool lhsSigned = std::numeric_limits<LHS>::is_signed, bool rhsSigned = std::numeric_limits<RHS>::is_signed> struct ArithmeticOperations;
template <typename LHS, typename RHS, typename ResultType> struct ArithmeticOperations<LHS, RHS, ResultType, true, true> {
// LHS and RHS are signed types
// Helper function
static inline bool signsMatch(LHS lhs, RHS rhs)
{
return (lhs ^ rhs) >= 0;
}
static inline bool add(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
#if COMPILER(GCC_COMPATIBLE)
#if !HAVE(INT128_T)
if constexpr (sizeof(LHS) <= sizeof(uint64_t) || sizeof(RHS) <= sizeof(uint64_t)) {
#endif
ResultType temp;
if (__builtin_add_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#if !HAVE(INT128_T)
}
#endif
#endif
if (signsMatch(lhs, rhs)) {
if (lhs >= 0) {
if ((std::numeric_limits<ResultType>::max() - rhs) < lhs)
return false;
} else {
ResultType temp = lhs - std::numeric_limits<ResultType>::min();
if (rhs < -temp)
return false;
}
} // if the signs do not match this operation can't overflow
result = lhs + rhs;
return true;
}
static inline bool sub(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
#if COMPILER(GCC_COMPATIBLE)
#if !HAVE(INT128_T)
if constexpr (sizeof(LHS) <= sizeof(uint64_t) || sizeof(RHS) <= sizeof(uint64_t)) {
#endif
ResultType temp;
if (__builtin_sub_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#if !HAVE(INT128_T)
}
#endif
#endif
if (!signsMatch(lhs, rhs)) {
if (lhs >= 0) {
if (lhs > std::numeric_limits<ResultType>::max() + rhs)
return false;
} else {
if (lhs < std::numeric_limits<ResultType>::min() + rhs)
return false;
}
} // if the signs match this operation can't overflow
result = lhs - rhs;
return true;
}
static inline bool multiply(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
#if USE(MUL_OVERFLOW)
// Don't use the builtin if the int128 type is WTF::[U]Int128Impl.
// Also don't use the builtin for __[u]int128_t on Clang/Linux.
// See https://bugs.llvm.org/show_bug.cgi?id=16404
#if !HAVE(INT128_T) || (COMPILER(CLANG) && OS(LINUX))
if constexpr (sizeof(LHS) <= sizeof(uint64_t) || sizeof(RHS) <= sizeof(uint64_t)) {
#endif
ResultType temp;
if (__builtin_mul_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#if !HAVE(INT128_T) || (COMPILER(CLANG) && OS(LINUX))
}
#endif
#endif
if (signsMatch(lhs, rhs)) {
if (lhs >= 0) {
if (lhs && (std::numeric_limits<ResultType>::max() / lhs) < rhs)
return false;
} else {
if (static_cast<ResultType>(lhs) == std::numeric_limits<ResultType>::min() || static_cast<ResultType>(rhs) == std::numeric_limits<ResultType>::min())
return false;
if ((std::numeric_limits<ResultType>::max() / -lhs) < -rhs)
return false;
}
} else {
if (lhs < 0) {
if (rhs && lhs < (std::numeric_limits<ResultType>::min() / rhs))
return false;
} else {
if (lhs && rhs < (std::numeric_limits<ResultType>::min() / lhs))
return false;
}
}
result = lhs * rhs;
return true;
}
static inline bool divide(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
if (!rhs)
return false;
result = lhs / rhs;
return true;
}
static inline bool equals(LHS lhs, RHS rhs) { return lhs == rhs; }
};
template <typename LHS, typename RHS, typename ResultType> struct ArithmeticOperations<LHS, RHS, ResultType, false, false> {
// LHS and RHS are unsigned types so bounds checks are nice and easy
static inline bool add(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
ResultType temp;
#if COMPILER(GCC_COMPATIBLE)
#if !HAVE(INT128_T)
if constexpr (sizeof(LHS) <= sizeof(uint64_t) || sizeof(RHS) <= sizeof(uint64_t)) {
#endif
if (__builtin_add_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#if !HAVE(INT128_T)
}
#endif
#endif
temp = lhs + rhs;
if (temp < lhs)
return false;
result = temp;
return true;
}
static inline bool sub(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
ResultType temp;
#if COMPILER(GCC_COMPATIBLE)
#if !HAVE(INT128_T)
if constexpr (sizeof(LHS) <= sizeof(uint64_t) || sizeof(RHS) <= sizeof(uint64_t)) {
#endif
if (__builtin_sub_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#if !HAVE(INT128_T)
}
#endif
#endif
temp = lhs - rhs;
if (temp > lhs)
return false;
result = temp;
return true;
}
static inline bool multiply(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
#if USE(MUL_OVERFLOW)
// Don't use the builtin if the int128 type is WTF::Int128Impl.
// Also don't use the builtin for __int128_t on Clang/Linux.
// See https://bugs.llvm.org/show_bug.cgi?id=16404
#if !HAVE(INT128_T) || (COMPILER(CLANG) && OS(LINUX))
if constexpr (sizeof(LHS) <= sizeof(uint64_t) || sizeof(RHS) <= sizeof(uint64_t)) {
#endif
ResultType temp;
if (__builtin_mul_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#if !HAVE(INT128_T) || (COMPILER(CLANG) && OS(LINUX))
}
#endif
#endif
if (!lhs || !rhs) {
result = 0;
return true;
}
if (std::numeric_limits<ResultType>::max() / lhs < rhs)
return false;
result = lhs * rhs;
return true;
}
static inline bool divide(LHS lhs, RHS rhs, ResultType& result) WARN_UNUSED_RETURN
{
if (!rhs)
return false;
result = lhs / rhs;
return true;
}
static inline bool equals(LHS lhs, RHS rhs) { return lhs == rhs; }
};
template <typename ResultType> struct ArithmeticOperations<int, unsigned, ResultType, true, false> {
static inline bool add(int64_t lhs, int64_t rhs, ResultType& result)
{
#if COMPILER(GCC_COMPATIBLE)
ResultType temp;
if (__builtin_add_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#else
int64_t temp = lhs + rhs;
if (temp < std::numeric_limits<ResultType>::min())
return false;
if (temp > std::numeric_limits<ResultType>::max())
return false;
result = static_cast<ResultType>(temp);
return true;
#endif
}
static inline bool sub(int64_t lhs, int64_t rhs, ResultType& result)
{
#if COMPILER(GCC_COMPATIBLE)
ResultType temp;
if (__builtin_sub_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#else
int64_t temp = lhs - rhs;
if (temp < std::numeric_limits<ResultType>::min())
return false;
if (temp > std::numeric_limits<ResultType>::max())
return false;
result = static_cast<ResultType>(temp);
return true;
#endif
}
static inline bool multiply(int64_t lhs, int64_t rhs, ResultType& result)
{
#if USE(MUL_OVERFLOW)
ResultType temp;
if (__builtin_mul_overflow(lhs, rhs, &temp))
return false;
result = temp;
return true;
#else
int64_t temp = lhs * rhs;
if (temp < std::numeric_limits<ResultType>::min())
return false;
if (temp > std::numeric_limits<ResultType>::max())
return false;
result = static_cast<ResultType>(temp);
return true;
#endif
}
static inline bool divide(int64_t lhs, int64_t rhs, ResultType& result)
{
if (!rhs)
return false;
int64_t temp = lhs / rhs;
result = static_cast<ResultType>(temp);
return true;
}
static inline bool equals(int lhs, unsigned rhs)
{
return static_cast<int64_t>(lhs) == static_cast<int64_t>(rhs);
}
};
template <typename ResultType> struct ArithmeticOperations<unsigned, int, ResultType, false, true> {
static inline bool add(int64_t lhs, int64_t rhs, ResultType& result)
{
return ArithmeticOperations<int, unsigned, ResultType>::add(rhs, lhs, result);
}
static inline bool sub(int64_t lhs, int64_t rhs, ResultType& result)
{
return ArithmeticOperations<int, unsigned, ResultType>::sub(lhs, rhs, result);
}
static inline bool multiply(int64_t lhs, int64_t rhs, ResultType& result)
{
return ArithmeticOperations<int, unsigned, ResultType>::multiply(lhs, rhs, result);
}
static inline bool divide(int64_t lhs, int64_t rhs, ResultType& result)
{
return ArithmeticOperations<int, unsigned, ResultType>::divide(lhs, rhs, result);
}
static inline bool equals(unsigned lhs, int rhs)
{
return ArithmeticOperations<int, unsigned, ResultType>::equals(rhs, lhs);
}
};
template <class OverflowHandler, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
inline constexpr bool observesOverflow() { return true; }
template <>
inline constexpr bool observesOverflow<AssertNoOverflow>() { return ASSERT_ENABLED; }
template <typename U, typename V, typename R> static inline bool safeAdd(U lhs, V rhs, R& result)
{
return ArithmeticOperations<U, V, R>::add(lhs, rhs, result);
return true;
}
template <class OverflowHandler, typename U, typename V, typename R, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
static inline bool safeAdd(U lhs, V rhs, R& result)
{
if (observesOverflow<OverflowHandler>())
return safeAdd(lhs, rhs, result);
result = lhs + rhs;
return true;
}
template <typename U, typename V, typename R> static inline bool safeSub(U lhs, V rhs, R& result)
{
return ArithmeticOperations<U, V, R>::sub(lhs, rhs, result);
}
template <class OverflowHandler, typename U, typename V, typename R, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
static inline bool safeSub(U lhs, V rhs, R& result)
{
if (observesOverflow<OverflowHandler>())
return safeSub(lhs, rhs, result);
result = lhs - rhs;
return true;
}
template <typename U, typename V, typename R> static inline bool safeMultiply(U lhs, V rhs, R& result)
{
return ArithmeticOperations<U, V, R>::multiply(lhs, rhs, result);
}
template <typename U, typename V, typename R> static inline bool safeDivide(U lhs, V rhs, R& result)
{
return ArithmeticOperations<U, V, R>::divide(lhs, rhs, result);
}
template <class OverflowHandler, typename U, typename V, typename R, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
static inline bool safeMultiply(U lhs, V rhs, R& result)
{
if (observesOverflow<OverflowHandler>())
return safeMultiply(lhs, rhs, result);
result = lhs * rhs;
return true;
}
template <class OverflowHandler, typename U, typename V, typename R, typename = std::enable_if_t<!std::is_scalar<OverflowHandler>::value>>
static inline bool safeDivide(U lhs, V rhs, R& result)
{
if (observesOverflow<OverflowHandler>())
return safeDivide(lhs, rhs, result);
result = lhs / rhs;
return true;
}
template <typename U, typename V> static inline bool safeEquals(U lhs, V rhs)
{
return ArithmeticOperations<U, V>::equals(lhs, rhs);
}
enum ResultOverflowedTag { ResultOverflowed };
template <typename T, class OverflowHandler> class Checked : public OverflowHandler {
public:
template <typename _T, class _OverflowHandler> friend class Checked;
Checked()
: m_value(0)
{
}
Checked(ResultOverflowedTag)
: m_value(0)
{
this->overflowed();
}
Checked(const Checked& value)
{
if (value.hasOverflowed())
this->overflowed();
m_value = static_cast<T>(value.m_value);
}
template <typename U> Checked(U value)
{
if (!isInBounds<T>(value))
this->overflowed();
m_value = static_cast<T>(value);
}
template <typename V> Checked(const Checked<T, V>& rhs)
: m_value(rhs.m_value)
{
if (rhs.hasOverflowed())
this->overflowed();
}
template <typename U> Checked(const Checked<U, OverflowHandler>& rhs)
: OverflowHandler(rhs)
{
if (!isInBounds<T>(rhs.m_value))
this->overflowed();
m_value = static_cast<T>(rhs.m_value);
}
template <typename U, typename V> Checked(const Checked<U, V>& rhs)
{
if (rhs.hasOverflowed())
this->overflowed();
if (!isInBounds<T>(rhs.m_value))
this->overflowed();
m_value = static_cast<T>(rhs.m_value);
}
Checked& operator=(Checked rhs)
{
this->clearOverflow();
if (rhs.hasOverflowed())
this->overflowed();
m_value = static_cast<T>(rhs.m_value);
return *this;
}
template <typename U> Checked& operator=(U value)
{
return *this = Checked(value);
}
template <typename U, typename V> Checked& operator=(const Checked<U, V>& rhs)
{
return *this = Checked(rhs);
}
// prefix
Checked& operator++()
{
if (m_value == std::numeric_limits<T>::max())
this->overflowed();
m_value++;
return *this;
}
Checked& operator--()
{
if (m_value == std::numeric_limits<T>::min())
this->overflowed();
m_value--;
return *this;
}
// postfix operators
Checked operator++(int)
{
if (m_value == std::numeric_limits<T>::max())
this->overflowed();
return Checked(m_value++);
}
Checked operator--(int)
{
if (m_value == std::numeric_limits<T>::min())
this->overflowed();
return Checked(m_value--);
}
// Boolean operators
bool operator!() const
{
if (UNLIKELY(this->hasOverflowed()))
this->crash();
return !m_value;
}
explicit operator bool() const
{
if (UNLIKELY(this->hasOverflowed()))
this->crash();
return m_value;
}
operator T() const
{
if (UNLIKELY(this->hasOverflowed()))
this->crash();
return m_value;
}
// Value accessors. value() will crash if there's been an overflow.
template<typename U = T>
U value() const
{
if (UNLIKELY(this->hasOverflowed()))
this->crash();
return static_cast<U>(m_value);
}
// Mutating assignment
template <typename U> Checked& operator+=(U rhs)
{
if (!safeAdd<OverflowHandler>(m_value, rhs, m_value))
this->overflowed();
return *this;
}
template <typename U> Checked& operator-=(U rhs)
{
if (!safeSub<OverflowHandler>(m_value, rhs, m_value))
this->overflowed();
return *this;
}
template <typename U> Checked& operator*=(U rhs)
{
if (!safeMultiply<OverflowHandler>(m_value, rhs, m_value))
this->overflowed();
return *this;
}
template <typename U> Checked& operator/=(U rhs)
{
if (!safeDivide<OverflowHandler>(m_value, rhs, m_value))
this->overflowed();
return *this;
}
template <typename U, typename V> Checked& operator+=(Checked<U, V> rhs)
{
if (rhs.hasOverflowed())
this->overflowed();
return *this += rhs.m_value;
}
template <typename U, typename V> Checked& operator-=(Checked<U, V> rhs)
{
if (rhs.hasOverflowed())
this->overflowed();
return *this -= rhs.m_value;
}
template <typename U, typename V> Checked& operator*=(Checked<U, V> rhs)
{
if (rhs.hasOverflowed())
this->overflowed();
return *this *= rhs.m_value;
}
// Equality comparisons
template <typename V> bool operator==(Checked<T, V> rhs)
{
return value() == rhs.value();
}
template <typename U> bool operator==(U rhs)
{
if (this->hasOverflowed())
this->crash();
return safeEquals(m_value, rhs);
}
template <typename U, typename V> bool operator==(Checked<U, V> rhs)
{
return value() == Checked(rhs.value());
}
template <typename U> bool operator!=(U rhs)
{
return !(*this == rhs);
}
// Other comparisons
template <typename V> bool operator<(Checked<T, V> rhs) const
{
return value() < rhs.value();
}
template <typename V> bool operator<=(Checked<T, V> rhs) const
{
return value() <= rhs.value();
}
template <typename V> bool operator>(Checked<T, V> rhs) const
{
return value() > rhs.value();
}
template <typename V> bool operator>=(Checked<T, V> rhs) const
{
return value() >= rhs.value();
}
private:
// Disallow implicit conversion of floating point to integer types
Checked(float);
Checked(double);
void operator=(float);
void operator=(double);
void operator+=(float);
void operator+=(double);
void operator-=(float);
void operator-=(double);
T m_value;
};
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator+(Checked<U, OverflowHandler> lhs, Checked<V, OverflowHandler> rhs)
{
if (UNLIKELY(lhs.hasOverflowed() || rhs.hasOverflowed()))
return ResultOverflowed;
typename Result<U, V>::ResultType result = 0;
if (UNLIKELY(!safeAdd<OverflowHandler>(lhs.value(), rhs.value(), result)))
return ResultOverflowed;
return result;
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator-(Checked<U, OverflowHandler> lhs, Checked<V, OverflowHandler> rhs)
{
if (UNLIKELY(lhs.hasOverflowed() || rhs.hasOverflowed()))
return ResultOverflowed;
typename Result<U, V>::ResultType result = 0;
if (UNLIKELY(!safeSub<OverflowHandler>(lhs.value(), rhs.value(), result)))
return ResultOverflowed;
return result;
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator*(Checked<U, OverflowHandler> lhs, Checked<V, OverflowHandler> rhs)
{
if (UNLIKELY(lhs.hasOverflowed() || rhs.hasOverflowed()))
return ResultOverflowed;
typename Result<U, V>::ResultType result = 0;
if (UNLIKELY(!safeMultiply<OverflowHandler>(lhs.value(), rhs.value(), result)))
return ResultOverflowed;
return result;
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator/(Checked<U, OverflowHandler> lhs, Checked<V, OverflowHandler> rhs)
{
if (UNLIKELY(lhs.hasOverflowed() || rhs.hasOverflowed()))
return ResultOverflowed;
typename Result<U, V>::ResultType result = 0;
if (UNLIKELY(!safeDivide<OverflowHandler>(lhs.value(), rhs.value(), result)))
return ResultOverflowed;
return result;
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator+(Checked<U, OverflowHandler> lhs, V rhs)
{
return lhs + Checked<V, OverflowHandler>(rhs);
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator-(Checked<U, OverflowHandler> lhs, V rhs)
{
return lhs - Checked<V, OverflowHandler>(rhs);
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator*(Checked<U, OverflowHandler> lhs, V rhs)
{
return lhs * Checked<V, OverflowHandler>(rhs);
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator/(Checked<U, OverflowHandler> lhs, V rhs)
{
return lhs / Checked<V, OverflowHandler>(rhs);
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator+(U lhs, Checked<V, OverflowHandler> rhs)
{
return Checked<U, OverflowHandler>(lhs) + rhs;
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator-(U lhs, Checked<V, OverflowHandler> rhs)
{
return Checked<U, OverflowHandler>(lhs) - rhs;
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator*(U lhs, Checked<V, OverflowHandler> rhs)
{
return Checked<U, OverflowHandler>(lhs) * rhs;
}
template <typename U, typename V, typename OverflowHandler> static inline Checked<typename Result<U, V>::ResultType, OverflowHandler> operator/(U lhs, Checked<V, OverflowHandler> rhs)
{
return Checked<U, OverflowHandler>(lhs) / rhs;
}
// Convenience typedefs.
typedef Checked<int8_t, RecordOverflow> CheckedInt8;
typedef Checked<uint8_t, RecordOverflow> CheckedUint8;
typedef Checked<int16_t, RecordOverflow> CheckedInt16;
typedef Checked<uint16_t, RecordOverflow> CheckedUint16;
typedef Checked<int32_t, RecordOverflow> CheckedInt32;
typedef Checked<uint32_t, RecordOverflow> CheckedUint32;
typedef Checked<int64_t, RecordOverflow> CheckedInt64;
typedef Checked<uint64_t, RecordOverflow> CheckedUint64;
typedef Checked<size_t, RecordOverflow> CheckedSize;
template<typename T, typename U>
Checked<T, RecordOverflow> checkedSum(U value)
{
return Checked<T, RecordOverflow>(value);
}
template<typename T, typename U, typename... Args>
Checked<T, RecordOverflow> checkedSum(U value, Args... args)
{
return Checked<T, RecordOverflow>(value) + checkedSum<T>(args...);
}
template<typename T, typename U, typename V>
Checked<T, RecordOverflow> checkedDifference(U left, V right)
{
return Checked<T, RecordOverflow>(left) - Checked<T, RecordOverflow>(right);
}
// Sometimes, you just want to check if some math would overflow - the code to do the math is
// already in place, and you want to guard it.
template<typename T, typename... Args> bool sumOverflows(Args... args)
{
return checkedSum<T>(args...).hasOverflowed();
}
template<typename T, typename U> bool differenceOverflows(U left, U right)
{
return checkedDifference<T>(left, right).hasOverflowed();
}
template<typename T, typename U>
Checked<T, RecordOverflow> checkedProduct(U value)
{
return Checked<T, RecordOverflow>(value);
}
template<typename T, typename U, typename... Args>
Checked<T, RecordOverflow> checkedProduct(U value, Args... args)
{
return Checked<T, RecordOverflow>(value) * checkedProduct<T>(args...);
}
// Sometimes, you just want to check if some math would overflow - the code to do the math is
// already in place, and you want to guard it.
template<typename T, typename... Args> bool productOverflows(Args... args)
{
return checkedProduct<T>(args...).hasOverflowed();
}
template<typename T> bool isSumSmallerThanOrEqual(T a, T b, T bound)
{
Checked<T, RecordOverflow> sum = a;
sum += b;
return !sum.hasOverflowed() && sum.value() <= bound;
}
}
using WTF::AssertNoOverflow;
using WTF::Checked;
using WTF::CheckedState;
using WTF::CheckedInt8;
using WTF::CheckedUint8;
using WTF::CheckedInt16;
using WTF::CheckedUint16;
using WTF::CheckedInt32;
using WTF::CheckedUint32;
using WTF::CheckedInt64;
using WTF::CheckedUint64;
using WTF::CheckedSize;
using WTF::CrashOnOverflow;
using WTF::RecordOverflow;
using WTF::checkedSum;
using WTF::checkedDifference;
using WTF::checkedProduct;
using WTF::differenceOverflows;
using WTF::isInBounds;
using WTF::productOverflows;
using WTF::sumOverflows;
using WTF::isSumSmallerThanOrEqual;