1 /*
2 *
3 * Copyright (C) 2015 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 // Functions for safe arithmetic (guarded against overflow) on integer types.
19
20 #ifndef __dng_safe_arithmetic__
21 #define __dng_safe_arithmetic__
22
23 #include <cstddef>
24 #include <cstdint>
25 #include <limits>
26
27 #include "dng_exceptions.h"
28
29 #ifndef __has_builtin
30 #define __has_builtin(x) 0 // Compatibility with non-Clang compilers.
31 #endif
32
33 #if !defined(DNG_HAS_INT128) && defined(__SIZEOF_INT128__)
34 #define DNG_HAS_INT128
35 #endif
36
// ---------------------------------------------------------------------------
// Checked addition.
//
// Each operation comes in two flavours: a bool-returning overload that reports
// overflow to the caller through its return value (so the caller can reject bad
// input without an exception), and a value-returning overload that throws.
// ---------------------------------------------------------------------------

// If the result of adding arg1 and arg2 will fit in an int32_t (without
// under-/overflow), stores this result in *result and returns true. Otherwise,
// returns false and leaves *result unchanged.
bool SafeInt32Add(std::int32_t arg1, std::int32_t arg2, std::int32_t *result);

// Returns the result of adding arg1 and arg2 if it will fit in the result type
// (without under-/overflow). Otherwise, throws a dng_exception with error code
// dng_error_unknown.
std::int32_t SafeInt32Add(std::int32_t arg1, std::int32_t arg2);
std::int64_t SafeInt64Add(std::int64_t arg1, std::int64_t arg2);

// If the result of adding arg1 and arg2 will fit in a uint32_t (without
// wraparound), stores this result in *result and returns true. Otherwise,
// returns false and leaves *result unchanged.
bool SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2,
                   std::uint32_t *result);

// Returns the result of adding arg1 and arg2 if it will fit in the result type
// (without wraparound). Otherwise, throws a dng_exception with error code
// dng_error_unknown.
std::uint32_t SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2);
std::uint64_t SafeUint64Add(std::uint64_t arg1, std::uint64_t arg2);
59
// ---------------------------------------------------------------------------
// Checked subtraction and signed 32-bit multiplication.
// ---------------------------------------------------------------------------

// If the subtraction of arg2 from arg1 will not result in an int32_t under- or
// overflow, stores this result in *result and returns true. Otherwise,
// returns false and leaves *result unchanged.
bool SafeInt32Sub(std::int32_t arg1, std::int32_t arg2, std::int32_t *result);

// Returns the result of subtracting arg2 from arg1 if this operation will not
// result in an int32_t under- or overflow. Otherwise, throws a dng_exception
// with error code dng_error_unknown.
std::int32_t SafeInt32Sub(std::int32_t arg1, std::int32_t arg2);

// Returns the result of subtracting arg2 from arg1 if this operation will not
// result in wraparound (i.e. arg1 >= arg2). Otherwise, throws a dng_exception
// with error code dng_error_unknown.
//
// Note: no bool-returning overload is declared for this operation; a caller
// that needs to recover from a failed subtraction must catch the exception.
std::uint32_t SafeUint32Sub(std::uint32_t arg1, std::uint32_t arg2);

// Returns the result of multiplying arg1 and arg2 if it will fit in a int32_t
// (without overflow). Otherwise, throws a dng_exception with error code
// dng_error_unknown.
//
// Note: as for SafeUint32Sub, only the throwing form is declared here.
std::int32_t SafeInt32Mult(std::int32_t arg1, std::int32_t arg2);
79
// ---------------------------------------------------------------------------
// Checked unsigned multiplication (two, three or four factors) and size_t
// multiplication.  These are the primitives intended for computing buffer
// sizes (width * height * planes * bytes-per-sample) from untrusted file
// fields, so that an overflowed size can never reach an allocation.
// ---------------------------------------------------------------------------

// If the result of multiplying arg1, ..., argn will fit in a uint32_t (without
// wraparound), stores this result in *result and returns true. Otherwise,
// returns false and leaves *result unchanged.
bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
                    std::uint32_t *result);
bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3,
                    std::uint32_t *result);
bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3,
                    std::uint32_t arg4, std::uint32_t *result);

// Returns the result of multiplying arg1, ..., argn if it will fit in a
// uint32_t (without wraparound). Otherwise, throws a dng_exception with error
// code dng_error_unknown.
std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2);
std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
                             std::uint32_t arg3);
std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
                             std::uint32_t arg3, std::uint32_t arg4);

// Returns the result of multiplying arg1 and arg2 if it will fit in a size_t
// (without overflow). Otherwise, throws a dng_exception with error code
// dng_error_unknown.
std::size_t SafeSizetMult(std::size_t arg1, std::size_t arg2);
103
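namespace dng_internal {

// Internal function used as fallback for SafeInt64Mult() if other optimized
// computation is not supported. Don't call this function directly.
std::int64_t SafeInt64MultSlow(std::int64_t arg1, std::int64_t arg2);

// Internal function used as optimization for SafeInt64Mult() if the
// __builtin_smull_overflow family of builtins is supported. Don't call this
// function directly.
//
// Returns arg1 * arg2 if the product fits in an int64_t. Otherwise calls
// ThrowProgramError("Arithmetic overflow"), which throws (see
// dng_exceptions.h) and therefore does not return here.
#if __has_builtin(__builtin_smull_overflow)
inline std::int64_t SafeInt64MultByClang(std::int64_t arg1, std::int64_t arg2) {
  // The builtin writes its result through a pointer of a fixed type ('long'
  // for __builtin_smull_overflow, 'long long' for __builtin_smulll_overflow).
  // Compute into a local of exactly that type rather than reinterpret_cast-ing
  // &result: both branches select a 64-bit type, so the final static_cast is
  // value-preserving, and no aliasing assumption is needed.
#if (__WORDSIZE == 64) && !defined(__APPLE__)
  long product = 0;
  const bool overflowed = __builtin_smull_overflow(arg1, arg2, &product);
#else
  long long product = 0;
  const bool overflowed = __builtin_smulll_overflow(arg1, arg2, &product);
#endif
  if (overflowed) {
    ThrowProgramError("Arithmetic overflow");
  }
  // Only reached when the product fit; the earlier "abort(); // Never reached."
  // after the throw relied on <cstdlib>, which this header does not include.
  return static_cast<std::int64_t>(product);
}
#endif

// Internal function used as optimization for SafeInt64Mult() if __int128 type
// is supported. Don't call this function directly.
//
// Returns arg1 * arg2 if the product fits in an int64_t. Otherwise calls
// ThrowProgramError("Arithmetic overflow").
#ifdef DNG_HAS_INT128
inline std::int64_t SafeInt64MultByInt128(std::int64_t arg1,
                                          std::int64_t arg2) {
  using Wide = __int128;
  // The product of two 64-bit values always fits in 128 bits, so the
  // multiplication itself cannot overflow; only the narrowing back to int64_t
  // has to be range-checked.
  const Wide product = static_cast<Wide>(arg1) * static_cast<Wide>(arg2);
  const bool fits =
      product >= static_cast<Wide>(std::numeric_limits<std::int64_t>::min()) &&
      product <= static_cast<Wide>(std::numeric_limits<std::int64_t>::max());
  if (!fits) {
    ThrowProgramError("Arithmetic overflow");
  }
  return static_cast<std::int64_t>(product);
}
#endif

}  // namespace dng_internal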
145
146 // Returns the result of multiplying arg1 and arg2 if it will fit in an int64_t
147 // (without overflow). Otherwise, throws a dng_exception with error code
148 // dng_error_unknown.
inline std::int64_t SafeInt64Mult(std::int64_t arg1, std::int64_t arg2) {
  // Pick the fastest overflow-checked multiply the toolchain offers; every
  // branch has the same contract (product, or a dng_exception on overflow).
#if __has_builtin(__builtin_smull_overflow)
  const std::int64_t product = dng_internal::SafeInt64MultByClang(arg1, arg2);
#elif defined(DNG_HAS_INT128)
  const std::int64_t product = dng_internal::SafeInt64MultByInt128(arg1, arg2);
#else
  // Portable fallback, implemented out of line.
  const std::int64_t product = dng_internal::SafeInt64MultSlow(arg1, arg2);
#endif
  return product;
}
158
// ---------------------------------------------------------------------------
// Rounding division, rounding up to a multiple, and unsigned -> signed
// conversion.
// ---------------------------------------------------------------------------

// Returns the result of dividing arg1 by arg2; if the result is not an integer,
// rounds up to the next integer. If arg2 is zero, throws a dng_exception with
// error code dng_error_unknown.
// The function is safe against wraparound and will return the correct result
// for all combinations of arg1 and arg2 (the naive (arg1 + arg2 - 1) / arg2
// can wrap for large arg1).
std::uint32_t SafeUint32DivideUp(std::uint32_t arg1, std::uint32_t arg2);

// Finds the smallest integer multiple of 'multiple_of' that is greater than or
// equal to 'val'. If this value will fit in a uint32_t, stores it in *result
// and returns true. Otherwise, or if 'multiple_of' is zero, returns false and
// leaves *result unchanged.
bool RoundUpUint32ToMultiple(std::uint32_t val, std::uint32_t multiple_of,
                             std::uint32_t *result);

// Returns the smallest integer multiple of 'multiple_of' that is greater than
// or equal to 'val'. If the result will not fit in a std::uint32_t or if
// 'multiple_of' is zero, throws a dng_exception with error code
// dng_error_unknown.
std::uint32_t RoundUpUint32ToMultiple(std::uint32_t val,
                                      std::uint32_t multiple_of);

// If the uint32_t value val will fit in an int32_t, converts it to an int32_t,
// stores it in *result and returns true. Otherwise, returns false and leaves
// *result unchanged.
bool ConvertUint32ToInt32(std::uint32_t val, std::int32_t *result);

// Returns the result of converting val to an int32_t if it can be converted
// without overflow. Otherwise, throws a dng_exception with error code
// dng_error_unknown.
std::int32_t ConvertUint32ToInt32(std::uint32_t val);
188
189 // Converts a value of the unsigned integer type TSrc to the unsigned integer
190 // type TDest. If the value in 'src' cannot be converted to the type TDest
191 // without truncation, throws a dng_exception with error code dng_error_unknown.
192 //
193 // Note: Though this function is typically used where TDest is a narrower type
194 // than TSrc, it is designed to work also if TDest is wider than from TSrc or
195 // identical to TSrc. This is useful in situations where the width of the types
196 // involved can change depending on the architecture -- for example, the
197 // conversion from size_t to uint32_t may either be narrowing, identical or even
198 // widening (though the latter admittedly happens only on architectures that
199 // aren't relevant to us).
template <class TSrc, class TDest>
static void ConvertUnsigned(TSrc src, TDest *dest) {
  using SrcLimits = std::numeric_limits<TSrc>;
  using DestLimits = std::numeric_limits<TDest>;
  static_assert(SrcLimits::is_integer && !SrcLimits::is_signed &&
                    DestLimits::is_integer && !DestLimits::is_signed,
                "TSrc and TDest must be unsigned integer types");

  // Unsigned -> unsigned conversion is well defined (modular), so the cast
  // itself can never trap; a lossy conversion shows up as a value that does not
  // survive the round trip back to TSrc.
  const TDest narrowed = static_cast<TDest>(src);
  const bool round_trips = (static_cast<TSrc>(narrowed) == src);
  if (!round_trips) {
    ThrowProgramError("Overflow in unsigned integer conversion");
  }

  // Only written once the value is known to be representable.
  *dest = narrowed;
}
218
// ---------------------------------------------------------------------------
// Floating-point -> integer / float conversions.
// ---------------------------------------------------------------------------

// Returns the result of converting val to the result type using truncation
// (the fractional part is discarded) if val is in range of the result type
// values. Otherwise, throws a dng_exception with error code dng_error_unknown.
// NOTE(review): the behaviour for NaN input is not stated here -- confirm
// against the implementation before relying on it.
std::int32_t ConvertDoubleToInt32(double val);
std::uint32_t ConvertDoubleToUint32(double val);

// Returns the result of converting val to float. If val is outside of
// [-FLT_MAX, FLT_MAX], -infinity and infinity is returned respectively. NaN is
// returned as NaN. Unlike the integer conversions above, this never throws.
float ConvertDoubleToFloat(double val);
229
230 #endif // __dng_safe_arithmetic__
231