1 // Protocol Buffers - Google's data interchange format
2 // Copyright 2008 Google Inc.  All rights reserved.
3 //
4 // Use of this source code is governed by a BSD-style
5 // license that can be found in the LICENSE file or at
6 // https://developers.google.com/open-source/licenses/bsd
7 
8 #ifndef GOOGLE_PROTOBUF_PYTHON_CPP_SAFE_NUMERICS_H__
9 #define GOOGLE_PROTOBUF_PYTHON_CPP_SAFE_NUMERICS_H__
10 // Copied from chromium with only changes to the namespace.
11 
12 #include <limits>
13 
14 #include "absl/log/absl_check.h"
15 
16 namespace google {
17 namespace protobuf {
18 namespace python {
19 
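// Range-check policy used by IsValidNumericCast. The primary template is only
// declared; the explicit specializations generated below cover all sixteen
// combinations of the four flags, which IsValidNumericCast computes as:
//   SameSize       - sizeof(Dest) == sizeof(Source)
//   DestLarger     - sizeof(Dest) >  sizeof(Source)
//   DestIsSigned   - std::numeric_limits<Dest>::is_signed
//   SourceIsSigned - std::numeric_limits<Source>::is_signed
template <bool SameSize, bool DestLarger,
          bool DestIsSigned, bool SourceIsSigned>
struct IsValidNumericCastImpl;

// Emits one explicit specialization whose Test() evaluates `Code`. The
// expression may refer to `source` (the value being converted) and to
// `min`/`max` (the bounds of the destination type).
#define BASE_NUMERIC_CAST_CASE_SPECIALIZATION(A, B, C, D, Code) \
template <> struct IsValidNumericCastImpl<A, B, C, D> { \
  template <class Source, class DestBounds> static inline bool Test( \
      Source source, DestBounds min, DestBounds max) { \
    return Code; \
  } \
}

// Same-size case. Both values of DestLarger are specialized so that the
// SameSize flag alone selects the rule.
#define BASE_NUMERIC_CAST_CASE_SAME_SIZE(DestSigned, SourceSigned, Code) \
  BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
      true, true, DestSigned, SourceSigned, Code); \
  BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
      true, false, DestSigned, SourceSigned, Code)

// The two macros below deliberately end without a semicolon or a trailing
// line continuation: each use site supplies its own ';', and a dangling '\'
// would splice whatever line follows the definition into the macro body.
#define BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(DestSigned, SourceSigned, Code) \
  BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
      false, false, DestSigned, SourceSigned, Code)

#define BASE_NUMERIC_CAST_CASE_DEST_LARGER(DestSigned, SourceSigned, Code) \
  BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \
      false, true, DestSigned, SourceSigned, Code)

// The three top level cases are:
// - Same size
// - Source larger
// - Dest larger
// And for each of those three cases, we handle the 4 different possibilities
// of signed and unsigned. This gives 12 cases to handle, which we enumerate
// below.
//
// The last argument in each of the macros is the actual comparison code. It
// has three arguments available: source (the value), and min/max, which are
// the bounds of the destination type.


// These are the cases where both types have the same size.

// Both signed: every value is representable.
BASE_NUMERIC_CAST_CASE_SAME_SIZE(true, true, true);
// Both unsigned: every value is representable.
BASE_NUMERIC_CAST_CASE_SAME_SIZE(false, false, true);
// Dest unsigned, Source signed: only negative values are rejected.
BASE_NUMERIC_CAST_CASE_SAME_SIZE(false, true, source >= 0);
// Dest signed, Source unsigned.
// Casting max to Source is OK because Dest's max must be less than Source's.
BASE_NUMERIC_CAST_CASE_SAME_SIZE(true, false,
                                 source <= static_cast<Source>(max));


// These are the cases where Source is larger.

// Both unsigned.
BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(false, false, source <= max);
// Both signed.
BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(true, true,
                                     source >= min && source <= max);
// Dest is unsigned, Source is signed. The sign test comes first, so the
// comparison against max is only evaluated for non-negative values.
BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(false, true,
                                     source >= 0 && source <= max);
// Dest is signed, Source is unsigned.
// Casting max to Source is OK because Dest's max must be less than Source's.
BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(true, false,
                                     source <= static_cast<Source>(max));


// These are the cases where Dest is larger.

// Both unsigned.
BASE_NUMERIC_CAST_CASE_DEST_LARGER(false, false, true);
// Both signed.
BASE_NUMERIC_CAST_CASE_DEST_LARGER(true, true, true);
// Dest is unsigned, Source is signed: only negative values are rejected.
BASE_NUMERIC_CAST_CASE_DEST_LARGER(false, true, source >= 0);
// Dest is signed, Source is unsigned.
BASE_NUMERIC_CAST_CASE_DEST_LARGER(true, false, true);

#undef BASE_NUMERIC_CAST_CASE_SPECIALIZATION
#undef BASE_NUMERIC_CAST_CASE_SAME_SIZE
#undef BASE_NUMERIC_CAST_CASE_SOURCE_LARGER
#undef BASE_NUMERIC_CAST_CASE_DEST_LARGER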
104 
105 
// The main test for whether the conversion will under or overflow.
//
// Returns the verdict of the IsValidNumericCastImpl specialization selected
// by the relative sizes and the signedness of Dest and Source, evaluated on
// `source` and on the minimum and maximum of Dest. Both types must be
// integral; anything else is rejected at compile time by the static_asserts.
template <typename Dest, typename Source>
inline bool IsValidNumericCast(Source source) {
  using SourceTraits = std::numeric_limits<Source>;
  using DestTraits = std::numeric_limits<Dest>;
  static_assert(SourceTraits::is_specialized, "argument must be numeric");
  static_assert(SourceTraits::is_integer, "argument must be integral");
  static_assert(DestTraits::is_specialized, "result must be numeric");
  static_assert(DestTraits::is_integer, "result must be integral");

  // The size relationship and the two signedness flags pick the rule.
  constexpr bool kSameSize = sizeof(Dest) == sizeof(Source);
  constexpr bool kDestLarger = sizeof(Dest) > sizeof(Source);
  using RangeCheck =
      IsValidNumericCastImpl<kSameSize, kDestLarger, DestTraits::is_signed,
                             SourceTraits::is_signed>;

  return RangeCheck::Test(source, DestTraits::min(), DestTraits::max());
}
125 
// checked_numeric_cast<> is analogous to static_cast<> for numeric types,
// except that it CHECKs that the specified numeric conversion will not
// overflow or underflow. Floating point arguments are not currently allowed
// (this is static_asserted), though this could be supported if necessary.
//
// The check is ABSL_CHECK, which stays enabled in every build mode and
// terminates the process on failure, so an out-of-range value is never
// silently truncated or sign-converted.
// NOTE(review): because a failed check is fatal, call sites whose operand can
// be influenced by untrusted input (sizes, lengths, indices) may prefer to
// call IsValidNumericCast<Dest>() themselves and report an error instead.
template <typename Dest, typename Source>
inline Dest checked_numeric_cast(Source source) {
  // Validate first; the cast below is only reached for representable values.
  ABSL_CHECK(IsValidNumericCast<Dest>(source));
  return static_cast<Dest>(source);
}
135 
136 }  // namespace python
137 }  // namespace protobuf
138 }  // namespace google
139 
140 #endif  // GOOGLE_PROTOBUF_PYTHON_CPP_SAFE_NUMERICS_H__
141