// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef PDFIUM_THIRD_PARTY_BASE_NUMERICS_SAFE_MATH_IMPL_H_ #define PDFIUM_THIRD_PARTY_BASE_NUMERICS_SAFE_MATH_IMPL_H_ #include #include #include #include #include #include #include #include "third_party/base/numerics/safe_conversions.h" namespace pdfium { namespace base { namespace internal { // Everything from here up to the floating point operations is portable C++, // but it may not be fast. This code could be split based on // platform/architecture and replaced with potentially faster implementations. // This is used for UnsignedAbs, where we need to support floating-point // template instantiations even though we don't actually support the operations. // However, there is no corresponding implementation of e.g. SafeUnsignedAbs, // so the float versions will not compile. template ::value, bool IsFloat = std::is_floating_point::value> struct UnsignedOrFloatForSize; template struct UnsignedOrFloatForSize { using type = typename std::make_unsigned::type; }; template struct UnsignedOrFloatForSize { using type = Numeric; }; // Probe for builtin math overflow support on Clang and version check on GCC. #if defined(__has_builtin) #define USE_OVERFLOW_BUILTINS (__has_builtin(__builtin_add_overflow)) #elif defined(__GNUC__) #define USE_OVERFLOW_BUILTINS (__GNUC__ >= 5) #else #define USE_OVERFLOW_BUILTINS (0) #endif template bool CheckedAddImpl(T x, T y, T* result) { static_assert(std::is_integral::value, "Type must be integral"); // Since the value of x+y is undefined if we have a signed type, we compute // it using the unsigned type of the same size. using UnsignedDst = typename std::make_unsigned::type; using SignedDst = typename std::make_signed::type; UnsignedDst ux = static_cast(x); UnsignedDst uy = static_cast(y); UnsignedDst uresult = static_cast(ux + uy); *result = static_cast(uresult); // Addition is valid if the sign of (x + y) is equal to either that of x or // that of y. return (std::is_signed::value) ? static_cast((uresult ^ ux) & (uresult ^ uy)) >= 0 : uresult >= uy; // Unsigned is either valid or underflow. } template struct CheckedAddOp {}; template struct CheckedAddOp::value && std::is_integral::value>::type> { using result_type = typename MaxExponentPromotion::type; template static bool Do(T x, U y, V* result) { #if USE_OVERFLOW_BUILTINS return !__builtin_add_overflow(x, y, result); #else using Promotion = typename BigEnoughPromotion::type; Promotion presult; // Fail if either operand is out of range for the promoted type. // TODO(jschuh): This could be made to work for a broader range of values. bool is_valid = IsValueInRangeForNumericType(x) && IsValueInRangeForNumericType(y); if (IsIntegerArithmeticSafe::value) { presult = static_cast(x) + static_cast(y); } else { is_valid &= CheckedAddImpl(static_cast(x), static_cast(y), &presult); } *result = static_cast(presult); return is_valid && IsValueInRangeForNumericType(presult); #endif } }; template bool CheckedSubImpl(T x, T y, T* result) { static_assert(std::is_integral::value, "Type must be integral"); // Since the value of x+y is undefined if we have a signed type, we compute // it using the unsigned type of the same size. using UnsignedDst = typename std::make_unsigned::type; using SignedDst = typename std::make_signed::type; UnsignedDst ux = static_cast(x); UnsignedDst uy = static_cast(y); UnsignedDst uresult = static_cast(ux - uy); *result = static_cast(uresult); // Subtraction is valid if either x and y have same sign, or (x-y) and x have // the same sign. return (std::is_signed::value) ? static_cast((uresult ^ ux) & (ux ^ uy)) >= 0 : x >= y; } template struct CheckedSubOp {}; template struct CheckedSubOp::value && std::is_integral::value>::type> { using result_type = typename MaxExponentPromotion::type; template static bool Do(T x, U y, V* result) { #if USE_OVERFLOW_BUILTINS return !__builtin_sub_overflow(x, y, result); #else using Promotion = typename BigEnoughPromotion::type; Promotion presult; // Fail if either operand is out of range for the promoted type. // TODO(jschuh): This could be made to work for a broader range of values. bool is_valid = IsValueInRangeForNumericType(x) && IsValueInRangeForNumericType(y); if (IsIntegerArithmeticSafe::value) { presult = static_cast(x) - static_cast(y); } else { is_valid &= CheckedSubImpl(static_cast(x), static_cast(y), &presult); } *result = static_cast(presult); return is_valid && IsValueInRangeForNumericType(presult); #endif } }; template bool CheckedMulImpl(T x, T y, T* result) { static_assert(std::is_integral::value, "Type must be integral"); // Since the value of x*y is potentially undefined if we have a signed type, // we compute it using the unsigned type of the same size. using UnsignedDst = typename std::make_unsigned::type; using SignedDst = typename std::make_signed::type; const UnsignedDst ux = SafeUnsignedAbs(x); const UnsignedDst uy = SafeUnsignedAbs(y); UnsignedDst uresult = static_cast(ux * uy); const bool is_negative = std::is_signed::value && static_cast(x ^ y) < 0; *result = is_negative ? 0 - uresult : uresult; // We have a fast out for unsigned identity or zero on the second operand. // After that it's an unsigned overflow check on the absolute value, with // a +1 bound for a negative result. return uy <= UnsignedDst(!std::is_signed::value || is_negative) || ux <= (std::numeric_limits::max() + UnsignedDst(is_negative)) / uy; } template struct CheckedMulOp {}; template struct CheckedMulOp::value && std::is_integral::value>::type> { using result_type = typename MaxExponentPromotion::type; template static bool Do(T x, U y, V* result) { #if USE_OVERFLOW_BUILTINS #if defined(__clang__) // TODO(jschuh): Get the Clang runtime library issues sorted out so we can // support full-width, mixed-sign multiply builtins. // https://crbug.com/613003 static const bool kUseMaxInt = // Narrower type than uintptr_t is always safe. std::numeric_limits<__typeof__(x * y)>::digits < std::numeric_limits::digits || // Safe for intptr_t and uintptr_t if the sign matches. (IntegerBitsPlusSign<__typeof__(x * y)>::value == IntegerBitsPlusSign::value && std::is_signed::value == std::is_signed::value); #else static const bool kUseMaxInt = true; #endif if (kUseMaxInt) return !__builtin_mul_overflow(x, y, result); #endif using Promotion = typename FastIntegerArithmeticPromotion::type; Promotion presult; // Fail if either operand is out of range for the promoted type. // TODO(jschuh): This could be made to work for a broader range of values. bool is_valid = IsValueInRangeForNumericType(x) && IsValueInRangeForNumericType(y); if (IsIntegerArithmeticSafe::value) { presult = static_cast(x) * static_cast(y); } else { is_valid &= CheckedMulImpl(static_cast(x), static_cast(y), &presult); } *result = static_cast(presult); return is_valid && IsValueInRangeForNumericType(presult); } }; // Avoid poluting the namespace once we're done with the macro. #undef USE_OVERFLOW_BUILTINS // Division just requires a check for a zero denominator or an invalid negation // on signed min/-1. template bool CheckedDivImpl(T x, T y, T* result) { static_assert(std::is_integral::value, "Type must be integral"); if (y && (!std::is_signed::value || x != std::numeric_limits::lowest() || y != static_cast(-1))) { *result = x / y; return true; } return false; } template struct CheckedDivOp {}; template struct CheckedDivOp::value && std::is_integral::value>::type> { using result_type = typename MaxExponentPromotion::type; template static bool Do(T x, U y, V* result) { using Promotion = typename BigEnoughPromotion::type; Promotion presult; // Fail if either operand is out of range for the promoted type. // TODO(jschuh): This could be made to work for a broader range of values. bool is_valid = IsValueInRangeForNumericType(x) && IsValueInRangeForNumericType(y); is_valid &= CheckedDivImpl(static_cast(x), static_cast(y), &presult); *result = static_cast(presult); return is_valid && IsValueInRangeForNumericType(presult); } }; template bool CheckedModImpl(T x, T y, T* result) { static_assert(std::is_integral::value, "Type must be integral"); if (y > 0) { *result = static_cast(x % y); return true; } return false; } template struct CheckedModOp {}; template struct CheckedModOp::value && std::is_integral::value>::type> { using result_type = typename MaxExponentPromotion::type; template static bool Do(T x, U y, V* result) { using Promotion = typename BigEnoughPromotion::type; Promotion presult; bool is_valid = CheckedModImpl(static_cast(x), static_cast(y), &presult); *result = static_cast(presult); return is_valid && IsValueInRangeForNumericType(presult); } }; template struct CheckedLshOp {}; // Left shift. Shifts less than 0 or greater than or equal to the number // of bits in the promoted type are undefined. Shifts of negative values // are undefined. Otherwise it is defined when the result fits. template struct CheckedLshOp::value && std::is_integral::value>::type> { using result_type = T; template static bool Do(T x, U shift, V* result) { using ShiftType = typename std::make_unsigned::type; static const ShiftType kBitWidth = IntegerBitsPlusSign::value; const ShiftType real_shift = static_cast(shift); // Signed shift is not legal on negative values. if (!IsValueNegative(x) && real_shift < kBitWidth) { // Just use a multiplication because it's easy. // TODO(jschuh): This could probably be made more efficient. if (!std::is_signed::value || real_shift != kBitWidth - 1) return CheckedMulOp::Do(x, static_cast(1) << shift, result); return !x; // Special case zero for a full width signed shift. } return false; } }; template struct CheckedRshOp {}; // Right shift. Shifts less than 0 or greater than or equal to the number // of bits in the promoted type are undefined. Otherwise, it is always defined, // but a right shift of a negative value is implementation-dependent. template struct CheckedRshOp::value && std::is_integral::value>::type> { using result_type = T; template static bool Do(T x, U shift, V* result) { // Use the type conversion push negative values out of range. using ShiftType = typename std::make_unsigned::type; if (static_cast(shift) < IntegerBitsPlusSign::value) { T tmp = x >> shift; *result = static_cast(tmp); return IsValueInRangeForNumericType(tmp); } return false; } }; template struct CheckedAndOp {}; // For simplicity we support only unsigned integer results. template struct CheckedAndOp::value && std::is_integral::value>::type> { using result_type = typename std::make_unsigned< typename MaxExponentPromotion::type>::type; template static bool Do(T x, U y, V* result) { result_type tmp = static_cast(x) & static_cast(y); *result = static_cast(tmp); return IsValueInRangeForNumericType(tmp); } }; template struct CheckedOrOp {}; // For simplicity we support only unsigned integers. template struct CheckedOrOp::value && std::is_integral::value>::type> { using result_type = typename std::make_unsigned< typename MaxExponentPromotion::type>::type; template static bool Do(T x, U y, V* result) { result_type tmp = static_cast(x) | static_cast(y); *result = static_cast(tmp); return IsValueInRangeForNumericType(tmp); } }; template struct CheckedXorOp {}; // For simplicity we support only unsigned integers. template struct CheckedXorOp::value && std::is_integral::value>::type> { using result_type = typename std::make_unsigned< typename MaxExponentPromotion::type>::type; template static bool Do(T x, U y, V* result) { result_type tmp = static_cast(x) ^ static_cast(y); *result = static_cast(tmp); return IsValueInRangeForNumericType(tmp); } }; // Max doesn't really need to be implemented this way because it can't fail, // but it makes the code much cleaner to use the MathOp wrappers. template struct CheckedMaxOp {}; template struct CheckedMaxOp< T, U, typename std::enable_if::value && std::is_arithmetic::value>::type> { using result_type = typename MaxExponentPromotion::type; template static bool Do(T x, U y, V* result) { *result = IsGreater::Test(x, y) ? static_cast(x) : static_cast(y); return true; } }; // Min doesn't really need to be implemented this way because it can't fail, // but it makes the code much cleaner to use the MathOp wrappers. template struct CheckedMinOp {}; template struct CheckedMinOp< T, U, typename std::enable_if::value && std::is_arithmetic::value>::type> { using result_type = typename LowestValuePromotion::type; template static bool Do(T x, U y, V* result) { *result = IsLess::Test(x, y) ? static_cast(x) : static_cast(y); return true; } }; // This is just boilerplate that wraps the standard floating point arithmetic. // A macro isn't the nicest solution, but it beats rewriting these repeatedly. #define BASE_FLOAT_ARITHMETIC_OPS(NAME, OP) \ template \ struct Checked##NAME##Op< \ T, U, typename std::enable_if::value || \ std::is_floating_point::value>::type> { \ using result_type = typename MaxExponentPromotion::type; \ template \ static bool Do(T x, U y, V* result) { \ using Promotion = typename MaxExponentPromotion::type; \ Promotion presult = x OP y; \ *result = static_cast(presult); \ return IsValueInRangeForNumericType(presult); \ } \ }; BASE_FLOAT_ARITHMETIC_OPS(Add, +) BASE_FLOAT_ARITHMETIC_OPS(Sub, -) BASE_FLOAT_ARITHMETIC_OPS(Mul, *) BASE_FLOAT_ARITHMETIC_OPS(Div, /) #undef BASE_FLOAT_ARITHMETIC_OPS // Wrap the unary operations to allow SFINAE when instantiating integrals versus // floating points. These don't perform any overflow checking. Rather, they // exhibit well-defined overflow semantics and rely on the caller to detect // if an overflow occured. template ::value>::type* = nullptr> constexpr T NegateWrapper(T value) { using UnsignedT = typename std::make_unsigned::type; // This will compile to a NEG on Intel, and is normal negation on ARM. return static_cast(UnsignedT(0) - static_cast(value)); } template < typename T, typename std::enable_if::value>::type* = nullptr> constexpr T NegateWrapper(T value) { return -value; } template ::value>::type* = nullptr> constexpr typename std::make_unsigned::type InvertWrapper(T value) { return ~value; } template ::value>::type* = nullptr> constexpr T AbsWrapper(T value) { return static_cast(SafeUnsignedAbs(value)); } template < typename T, typename std::enable_if::value>::type* = nullptr> constexpr T AbsWrapper(T value) { return value < 0 ? -value : value; } // Floats carry around their validity state with them, but integers do not. So, // we wrap the underlying value in a specialization in order to hide that detail // and expose an interface via accessors. enum NumericRepresentation { NUMERIC_INTEGER, NUMERIC_FLOATING, NUMERIC_UNKNOWN }; template struct GetNumericRepresentation { static const NumericRepresentation value = std::is_integral::value ? NUMERIC_INTEGER : (std::is_floating_point::value ? NUMERIC_FLOATING : NUMERIC_UNKNOWN); }; template ::value> class CheckedNumericState {}; // Integrals require quite a bit of additional housekeeping to manage state. template class CheckedNumericState { private: // is_valid_ precedes value_ because member intializers in the constructors // are evaluated in field order, and is_valid_ must be read when initializing // value_. bool is_valid_; T value_; // Ensures that a type conversion does not trigger undefined behavior. template static constexpr T WellDefinedConversionOrZero(const Src value, const bool is_valid) { using SrcType = typename internal::UnderlyingType::type; return (std::is_integral::value || is_valid) ? static_cast(value) : static_cast(0); } public: template friend class CheckedNumericState; constexpr CheckedNumericState() : is_valid_(true), value_(0) {} template constexpr CheckedNumericState(Src value, bool is_valid) : is_valid_(is_valid && IsValueInRangeForNumericType(value)), value_(WellDefinedConversionOrZero(value, is_valid_)) { static_assert(std::is_arithmetic::value, "Argument must be numeric."); } // Copy constructor. template constexpr CheckedNumericState(const CheckedNumericState& rhs) : is_valid_(rhs.IsValid()), value_(WellDefinedConversionOrZero(rhs.value(), is_valid_)) {} template constexpr explicit CheckedNumericState(Src value) : is_valid_(IsValueInRangeForNumericType(value)), value_(WellDefinedConversionOrZero(value, is_valid_)) {} constexpr bool is_valid() const { return is_valid_; } constexpr T value() const { return value_; } }; // Floating points maintain their own validity, but need translation wrappers. template class CheckedNumericState { private: T value_; // Ensures that a type conversion does not trigger undefined behavior. template static constexpr T WellDefinedConversionOrNaN(const Src value, const bool is_valid) { using SrcType = typename internal::UnderlyingType::type; return (StaticDstRangeRelationToSrcRange::value == NUMERIC_RANGE_CONTAINED || is_valid) ? static_cast(value) : std::numeric_limits::quiet_NaN(); } public: template friend class CheckedNumericState; constexpr CheckedNumericState() : value_(0.0) {} template constexpr CheckedNumericState(Src value, bool is_valid) : value_(WellDefinedConversionOrNaN(value, is_valid)) {} template constexpr explicit CheckedNumericState(Src value) : value_(WellDefinedConversionOrNaN( value, IsValueInRangeForNumericType(value))) {} // Copy constructor. template constexpr CheckedNumericState(const CheckedNumericState& rhs) : value_(WellDefinedConversionOrNaN( rhs.value(), rhs.is_valid() && IsValueInRangeForNumericType(rhs.value()))) {} constexpr bool is_valid() const { // Written this way because std::isfinite is not reliably constexpr. // TODO(jschuh): Fix this if the libraries ever get fixed. return value_ <= std::numeric_limits::max() && value_ >= std::numeric_limits::lowest(); } constexpr T value() const { return value_; } }; template