Home | History | Annotate | Download | only in source 
      1 /*
      2  *
      3  * Copyright (C) 2015 The Android Open Source Project
      4  *
      5  * Licensed under the Apache License, Version 2.0 (the "License");
      6  * you may not use this file except in compliance with the License.
      7  * You may obtain a copy of the License at
      8  *
      9  *      http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  * Unless required by applicable law or agreed to in writing, software
     12  * distributed under the License is distributed on an "AS IS" BASIS,
     13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  * See the License for the specific language governing permissions and
     15  * limitations under the License.
     16  */
     17 
     18 // Functions for safe arithmetic (guarded against overflow) on integer types.
     19 
     20 #ifndef __dng_safe_arithmetic__
     21 #define __dng_safe_arithmetic__
     22 
     23 #include <cstddef>
     24 #include <cstdint>
     25 #include <limits>
     26 
     27 #include "dng_exceptions.h"
     28 
     29 #ifndef __has_builtin
     30 #define __has_builtin(x) 0  // Compatibility with non-Clang compilers.
     31 #endif
     32 
     33 #if !defined(DNG_HAS_INT128) && defined(__SIZEOF_INT128__)
     34 #define DNG_HAS_INT128
     35 #endif
     36 
     37 // If the result of adding arg1 and arg2 will fit in an int32_t (without
     38 // under-/overflow), stores this result in *result and returns true. Otherwise,
     39 // returns false and leaves *result unchanged.
     40 bool SafeInt32Add(std::int32_t arg1, std::int32_t arg2, std::int32_t *result);
     41 
     42 // Returns the result of adding arg1 and arg2 if it will fit in the result type
     43 // (without under-/overflow). Otherwise, throws a dng_exception with error code
     44 // dng_error_unknown.
     45 std::int32_t SafeInt32Add(std::int32_t arg1, std::int32_t arg2);
     46 std::int64_t SafeInt64Add(std::int64_t arg1, std::int64_t arg2);
     47 
     48 // If the result of adding arg1 and arg2 will fit in a uint32_t (without
     49 // wraparound), stores this result in *result and returns true. Otherwise,
     50 // returns false and leaves *result unchanged.
     51 bool SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2,
     52                    std::uint32_t *result);
     53 
     54 // Returns the result of adding arg1 and arg2 if it will fit in the result type
     55 // (without wraparound). Otherwise, throws a dng_exception with error code
     56 // dng_error_unknown.
     57 std::uint32_t SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2);
     58 std::uint64_t SafeUint64Add(std::uint64_t arg1, std::uint64_t arg2);
     59 
     60 // If the subtraction of arg2 from arg1 will not result in an int32_t under- or
     61 // overflow, stores this result in *result and returns true. Otherwise,
     62 // returns false and leaves *result unchanged.
     63 bool SafeInt32Sub(std::int32_t arg1, std::int32_t arg2, std::int32_t *result);
     64 
     65 // Returns the result of subtracting arg2 from arg1 if this operation will not
     66 // result in an int32_t under- or overflow. Otherwise, throws a dng_exception
     67 // with error code dng_error_unknown.
     68 std::int32_t SafeInt32Sub(std::int32_t arg1, std::int32_t arg2);
     69 
     70 // Returns the result of subtracting arg2 from arg1 if this operation will not
     71 // result in wraparound. Otherwise, throws a dng_exception with error code
     72 // dng_error_unknown.
     73 std::uint32_t SafeUint32Sub(std::uint32_t arg1, std::uint32_t arg2);
     74 
     75 // Returns the result of multiplying arg1 and arg2 if it will fit in a int32_t
     76 // (without overflow). Otherwise, throws a dng_exception with error code
     77 // dng_error_unknown.
     78 std::int32_t SafeInt32Mult(std::int32_t arg1, std::int32_t arg2);
     79 
     80 // If the result of multiplying arg1, ..., argn will fit in a uint32_t (without
     81 // wraparound), stores this result in *result and returns true. Otherwise,
     82 // returns false and leaves *result unchanged.
     83 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
     84                     std::uint32_t *result);
     85 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3,
     86                     std::uint32_t *result);
     87 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3,
     88                     std::uint32_t arg4, std::uint32_t *result);
     89 
     90 // Returns the result of multiplying arg1, ..., argn if it will fit in a
     91 // uint32_t (without wraparound). Otherwise, throws a dng_exception with error
     92 // code dng_error_unknown.
     93 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2);
     94 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
     95                              std::uint32_t arg3);
     96 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
     97                              std::uint32_t arg3, std::uint32_t arg4);
     98 
     99 // Returns the result of multiplying arg1 and arg2 if it will fit in a size_t
    100 // (without overflow). Otherwise, throws a dng_exception with error code
    101 // dng_error_unknown.
    102 std::size_t SafeSizetMult(std::size_t arg1, std::size_t arg2);
    103 
    104 namespace dng_internal {
    105 
    106 // Internal function used as fallback for SafeInt64Mult() if other optimized
    107 // computation is not supported. Don't call this function directly.
    108 std::int64_t SafeInt64MultSlow(std::int64_t arg1, std::int64_t arg2);
    109 
    110 // Internal function used as optimization for SafeInt64Mult() if Clang
    111 // __builtin_smull_overflow is supported. Don't call this function directly.
    112 #if __has_builtin(__builtin_smull_overflow)
    113 inline std::int64_t SafeInt64MultByClang(std::int64_t arg1, std::int64_t arg2) {
    114   std::int64_t result;
    115 #if (__WORDSIZE == 64) && !defined(__APPLE__)
    116   if (__builtin_smull_overflow(arg1, arg2, &result)) {
    117 #else
    118   if (__builtin_smulll_overflow(arg1, arg2, &result)) {
    119 #endif
    120     ThrowProgramError("Arithmetic overflow");
    121     abort();  // Never reached.
    122   }
    123   return result;
    124 }
    125 #endif
    126 
    127 // Internal function used as optimization for SafeInt64Mult() if __int128 type
    128 // is supported. Don't call this function directly.
    129 #ifdef DNG_HAS_INT128
    130 inline std::int64_t SafeInt64MultByInt128(std::int64_t arg1,
    131                                           std::int64_t arg2) {
    132   const __int128 kInt64Max =
    133       static_cast<__int128>(std::numeric_limits<std::int64_t>::max());
    134   const __int128 kInt64Min =
    135       static_cast<__int128>(std::numeric_limits<std::int64_t>::min());
    136   __int128 result = static_cast<__int128>(arg1) * static_cast<__int128>(arg2);
    137   if (result > kInt64Max || result < kInt64Min) {
    138     ThrowProgramError("Arithmetic overflow");
    139   }
    140   return static_cast<std::int64_t>(result);
    141 }
    142 #endif
    143 
    144 }  // namespace dng_internal
    145 
    146 // Returns the result of multiplying arg1 and arg2 if it will fit in an int64_t
    147 // (without overflow). Otherwise, throws a dng_exception with error code
    148 // dng_error_unknown.
    149 inline std::int64_t SafeInt64Mult(std::int64_t arg1, std::int64_t arg2) {
    150 #if __has_builtin(__builtin_smull_overflow)
    151   return dng_internal::SafeInt64MultByClang(arg1, arg2);
    152 #elif defined(DNG_HAS_INT128)
    153   return dng_internal::SafeInt64MultByInt128(arg1, arg2);
    154 #else
    155   return dng_internal::SafeInt64MultSlow(arg1, arg2);
    156 #endif
    157 }
    158 
    159 // Returns the result of dividing arg1 by arg2; if the result is not an integer,
    160 // rounds up to the next integer. If arg2 is zero, throws a dng_exception with
    161 // error code dng_error_unknown.
    162 // The function is safe against wraparound and will return the correct result
    163 // for all combinations of arg1 and arg2.
    164 std::uint32_t SafeUint32DivideUp(std::uint32_t arg1, std::uint32_t arg2);
    165 
    166 // Finds the smallest integer multiple of 'multiple_of' that is greater than or
    167 // equal to 'val'. If this value will fit in a uint32_t, stores it in *result
    168 // and returns true. Otherwise, or if 'multiple_of' is zero, returns false and
    169 // leaves *result unchanged.
    170 bool RoundUpUint32ToMultiple(std::uint32_t val, std::uint32_t multiple_of,
    171                              std::uint32_t *result);
    172 
    173 // Returns the smallest integer multiple of 'multiple_of' that is greater than
    174 // or equal to 'val'. If the result will not fit in a std::uint32_t or if
    175 // 'multiple_of' is zero, throws a dng_exception with error code
    176 // dng_error_unknown.
    177 std::uint32_t RoundUpUint32ToMultiple(std::uint32_t val,
    178                                       std::uint32_t multiple_of);
    179 
    180 // If the uint32_t value val will fit in a int32_t, converts it to a int32_t and
    181 // stores it in *result. Otherwise, returns false and leaves *result unchanged.
    182 bool ConvertUint32ToInt32(std::uint32_t val, std::int32_t *result);
    183 
    184 // Returns the result of converting val to an int32_t if it can be converted
    185 // without overflow. Otherwise, throws a dng_exception with error code
    186 // dng_error_unknown.
    187 std::int32_t ConvertUint32ToInt32(std::uint32_t val);
    188 
    189 // Converts a value of the unsigned integer type TSrc to the unsigned integer
    190 // type TDest. If the value in 'src' cannot be converted to the type TDest
    191 // without truncation, throws a dng_exception with error code dng_error_unknown.
    192 //
    193 // Note: Though this function is typically used where TDest is a narrower type
    194 // than TSrc, it is designed to work also if TDest is wider than from TSrc or
    195 // identical to TSrc. This is useful in situations where the width of the types
    196 // involved can change depending on the architecture -- for example, the
    197 // conversion from size_t to uint32_t may either be narrowing, identical or even
    198 // widening (though the latter admittedly happens only on architectures that
    199 // aren't relevant to us).
    200 template <class TSrc, class TDest>
    201 static void ConvertUnsigned(TSrc src, TDest *dest) {
    202   static_assert(std::numeric_limits<TSrc>::is_integer &&
    203                     !std::numeric_limits<TSrc>::is_signed &&
    204                     std::numeric_limits<TDest>::is_integer &&
    205                     !std::numeric_limits<TDest>::is_signed,
    206                 "TSrc and TDest must be unsigned integer types");
    207 
    208   const TDest converted = static_cast<TDest>(src);
    209 
    210   // Convert back to TSrc to check whether truncation occurred in the
    211   // conversion to TDest.
    212   if (static_cast<TSrc>(converted) != src) {
    213     ThrowProgramError("Overflow in unsigned integer conversion");
    214   }
    215 
    216   *dest = converted;
    217 }
    218 
    219 // Returns the result of converting val to the result type using truncation if
    220 // val is in range of the result type values. Otherwise, throws a dng_exception
    221 // with error code dng_error_unknown.
    222 std::int32_t ConvertDoubleToInt32(double val);
    223 std::uint32_t ConvertDoubleToUint32(double val);
    224 
    225 // Returns the result of converting val to float. If val is outside of
    226 // [-FLT_MAX, FLT_MAX], -infinity and infinity is returned respectively. NaN is
    227 // returned as NaN.
    228 float ConvertDoubleToFloat(double val);
    229 
    230 #endif  // __dng_safe_arithmetic__
    231