1 /* 2 * 3 * Copyright (C) 2015 The Android Open Source Project 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 */ 17 18 // Functions for safe arithmetic (guarded against overflow) on integer types. 19 20 #ifndef __dng_safe_arithmetic__ 21 #define __dng_safe_arithmetic__ 22 23 #include <cstddef> 24 #include <cstdint> 25 #include <limits> 26 27 #include "dng_exceptions.h" 28 29 #ifndef __has_builtin 30 #define __has_builtin(x) 0 // Compatibility with non-Clang compilers. 31 #endif 32 33 #if !defined(DNG_HAS_INT128) && defined(__SIZEOF_INT128__) 34 #define DNG_HAS_INT128 35 #endif 36 37 // If the result of adding arg1 and arg2 will fit in an int32_t (without 38 // under-/overflow), stores this result in *result and returns true. Otherwise, 39 // returns false and leaves *result unchanged. 40 bool SafeInt32Add(std::int32_t arg1, std::int32_t arg2, std::int32_t *result); 41 42 // Returns the result of adding arg1 and arg2 if it will fit in the result type 43 // (without under-/overflow). Otherwise, throws a dng_exception with error code 44 // dng_error_unknown. 45 std::int32_t SafeInt32Add(std::int32_t arg1, std::int32_t arg2); 46 std::int64_t SafeInt64Add(std::int64_t arg1, std::int64_t arg2); 47 48 // If the result of adding arg1 and arg2 will fit in a uint32_t (without 49 // wraparound), stores this result in *result and returns true. Otherwise, 50 // returns false and leaves *result unchanged. 51 bool SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2, 52 std::uint32_t *result); 53 54 // Returns the result of adding arg1 and arg2 if it will fit in the result type 55 // (without wraparound). Otherwise, throws a dng_exception with error code 56 // dng_error_unknown. 57 std::uint32_t SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2); 58 std::uint64_t SafeUint64Add(std::uint64_t arg1, std::uint64_t arg2); 59 60 // If the subtraction of arg2 from arg1 will not result in an int32_t under- or 61 // overflow, stores this result in *result and returns true. Otherwise, 62 // returns false and leaves *result unchanged. 63 bool SafeInt32Sub(std::int32_t arg1, std::int32_t arg2, std::int32_t *result); 64 65 // Returns the result of subtracting arg2 from arg1 if this operation will not 66 // result in an int32_t under- or overflow. Otherwise, throws a dng_exception 67 // with error code dng_error_unknown. 68 std::int32_t SafeInt32Sub(std::int32_t arg1, std::int32_t arg2); 69 70 // Returns the result of subtracting arg2 from arg1 if this operation will not 71 // result in wraparound. Otherwise, throws a dng_exception with error code 72 // dng_error_unknown. 73 std::uint32_t SafeUint32Sub(std::uint32_t arg1, std::uint32_t arg2); 74 75 // Returns the result of multiplying arg1 and arg2 if it will fit in a int32_t 76 // (without overflow). Otherwise, throws a dng_exception with error code 77 // dng_error_unknown. 78 std::int32_t SafeInt32Mult(std::int32_t arg1, std::int32_t arg2); 79 80 // If the result of multiplying arg1, ..., argn will fit in a uint32_t (without 81 // wraparound), stores this result in *result and returns true. Otherwise, 82 // returns false and leaves *result unchanged. 83 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, 84 std::uint32_t *result); 85 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3, 86 std::uint32_t *result); 87 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3, 88 std::uint32_t arg4, std::uint32_t *result); 89 90 // Returns the result of multiplying arg1, ..., argn if it will fit in a 91 // uint32_t (without wraparound). Otherwise, throws a dng_exception with error 92 // code dng_error_unknown. 93 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2); 94 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, 95 std::uint32_t arg3); 96 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, 97 std::uint32_t arg3, std::uint32_t arg4); 98 99 // Returns the result of multiplying arg1 and arg2 if it will fit in a size_t 100 // (without overflow). Otherwise, throws a dng_exception with error code 101 // dng_error_unknown. 102 std::size_t SafeSizetMult(std::size_t arg1, std::size_t arg2); 103 104 namespace dng_internal { 105 106 // Internal function used as fallback for SafeInt64Mult() if other optimized 107 // computation is not supported. Don't call this function directly. 108 std::int64_t SafeInt64MultSlow(std::int64_t arg1, std::int64_t arg2); 109 110 // Internal function used as optimization for SafeInt64Mult() if Clang 111 // __builtin_smull_overflow is supported. Don't call this function directly. 112 #if __has_builtin(__builtin_smull_overflow) 113 inline std::int64_t SafeInt64MultByClang(std::int64_t arg1, std::int64_t arg2) { 114 std::int64_t result; 115 #if (__WORDSIZE == 64) && !defined(__APPLE__) 116 if (__builtin_smull_overflow(arg1, arg2, &result)) { 117 #else 118 if (__builtin_smulll_overflow(arg1, arg2, &result)) { 119 #endif 120 ThrowProgramError("Arithmetic overflow"); 121 abort(); // Never reached. 122 } 123 return result; 124 } 125 #endif 126 127 // Internal function used as optimization for SafeInt64Mult() if __int128 type 128 // is supported. Don't call this function directly. 129 #ifdef DNG_HAS_INT128 130 inline std::int64_t SafeInt64MultByInt128(std::int64_t arg1, 131 std::int64_t arg2) { 132 const __int128 kInt64Max = 133 static_cast<__int128>(std::numeric_limits<std::int64_t>::max()); 134 const __int128 kInt64Min = 135 static_cast<__int128>(std::numeric_limits<std::int64_t>::min()); 136 __int128 result = static_cast<__int128>(arg1) * static_cast<__int128>(arg2); 137 if (result > kInt64Max || result < kInt64Min) { 138 ThrowProgramError("Arithmetic overflow"); 139 } 140 return static_cast<std::int64_t>(result); 141 } 142 #endif 143 144 } // namespace dng_internal 145 146 // Returns the result of multiplying arg1 and arg2 if it will fit in an int64_t 147 // (without overflow). Otherwise, throws a dng_exception with error code 148 // dng_error_unknown. 149 inline std::int64_t SafeInt64Mult(std::int64_t arg1, std::int64_t arg2) { 150 #if __has_builtin(__builtin_smull_overflow) 151 return dng_internal::SafeInt64MultByClang(arg1, arg2); 152 #elif defined(DNG_HAS_INT128) 153 return dng_internal::SafeInt64MultByInt128(arg1, arg2); 154 #else 155 return dng_internal::SafeInt64MultSlow(arg1, arg2); 156 #endif 157 } 158 159 // Returns the result of dividing arg1 by arg2; if the result is not an integer, 160 // rounds up to the next integer. If arg2 is zero, throws a dng_exception with 161 // error code dng_error_unknown. 162 // The function is safe against wraparound and will return the correct result 163 // for all combinations of arg1 and arg2. 164 std::uint32_t SafeUint32DivideUp(std::uint32_t arg1, std::uint32_t arg2); 165 166 // Finds the smallest integer multiple of 'multiple_of' that is greater than or 167 // equal to 'val'. If this value will fit in a uint32_t, stores it in *result 168 // and returns true. Otherwise, or if 'multiple_of' is zero, returns false and 169 // leaves *result unchanged. 170 bool RoundUpUint32ToMultiple(std::uint32_t val, std::uint32_t multiple_of, 171 std::uint32_t *result); 172 173 // Returns the smallest integer multiple of 'multiple_of' that is greater than 174 // or equal to 'val'. If the result will not fit in a std::uint32_t or if 175 // 'multiple_of' is zero, throws a dng_exception with error code 176 // dng_error_unknown. 177 std::uint32_t RoundUpUint32ToMultiple(std::uint32_t val, 178 std::uint32_t multiple_of); 179 180 // If the uint32_t value val will fit in a int32_t, converts it to a int32_t and 181 // stores it in *result. Otherwise, returns false and leaves *result unchanged. 182 bool ConvertUint32ToInt32(std::uint32_t val, std::int32_t *result); 183 184 // Returns the result of converting val to an int32_t if it can be converted 185 // without overflow. Otherwise, throws a dng_exception with error code 186 // dng_error_unknown. 187 std::int32_t ConvertUint32ToInt32(std::uint32_t val); 188 189 // Converts a value of the unsigned integer type TSrc to the unsigned integer 190 // type TDest. If the value in 'src' cannot be converted to the type TDest 191 // without truncation, throws a dng_exception with error code dng_error_unknown. 192 // 193 // Note: Though this function is typically used where TDest is a narrower type 194 // than TSrc, it is designed to work also if TDest is wider than from TSrc or 195 // identical to TSrc. This is useful in situations where the width of the types 196 // involved can change depending on the architecture -- for example, the 197 // conversion from size_t to uint32_t may either be narrowing, identical or even 198 // widening (though the latter admittedly happens only on architectures that 199 // aren't relevant to us). 200 template <class TSrc, class TDest> 201 static void ConvertUnsigned(TSrc src, TDest *dest) { 202 static_assert(std::numeric_limits<TSrc>::is_integer && 203 !std::numeric_limits<TSrc>::is_signed && 204 std::numeric_limits<TDest>::is_integer && 205 !std::numeric_limits<TDest>::is_signed, 206 "TSrc and TDest must be unsigned integer types"); 207 208 const TDest converted = static_cast<TDest>(src); 209 210 // Convert back to TSrc to check whether truncation occurred in the 211 // conversion to TDest. 212 if (static_cast<TSrc>(converted) != src) { 213 ThrowProgramError("Overflow in unsigned integer conversion"); 214 } 215 216 *dest = converted; 217 } 218 219 // Returns the result of converting val to the result type using truncation if 220 // val is in range of the result type values. Otherwise, throws a dng_exception 221 // with error code dng_error_unknown. 222 std::int32_t ConvertDoubleToInt32(double val); 223 std::uint32_t ConvertDoubleToUint32(double val); 224 225 // Returns the result of converting val to float. If val is outside of 226 // [-FLT_MAX, FLT_MAX], -infinity and infinity is returned respectively. NaN is 227 // returned as NaN. 228 float ConvertDoubleToFloat(double val); 229 230 #endif // __dng_safe_arithmetic__ 231