1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef PDFIUM_THIRD_PARTY_BASE_NUMERICS_SAFE_CONVERSIONS_IMPL_H_
6 #define PDFIUM_THIRD_PARTY_BASE_NUMERICS_SAFE_CONVERSIONS_IMPL_H_
7
8 #include <stdint.h>
9
10 #include <limits>
11 #include <type_traits>
12
13 namespace pdfium {
14 namespace base {
15 namespace internal {
16
17 // The std library doesn't provide a binary max_exponent for integers, however
18 // we can compute an analog using std::numeric_limits<>::digits.
19 template <typename NumericType>
20 struct MaxExponent {
21 static const int value = std::is_floating_point<NumericType>::value
22 ? std::numeric_limits<NumericType>::max_exponent
23 : std::numeric_limits<NumericType>::digits + 1;
24 };
25
26 // The number of bits (including the sign) in an integer. Eliminates sizeof
27 // hacks.
28 template <typename NumericType>
29 struct IntegerBitsPlusSign {
30 static const int value = std::numeric_limits<NumericType>::digits +
31 std::is_signed<NumericType>::value;
32 };
33
34 // Helper templates for integer manipulations.
35
36 template <typename Integer>
37 struct PositionOfSignBit {
38 static const size_t value = IntegerBitsPlusSign<Integer>::value - 1;
39 };
40
41 // Determines if a numeric value is negative without throwing compiler
42 // warnings on: unsigned(value) < 0.
43 template <typename T,
44 typename std::enable_if<std::is_signed<T>::value>::type* = nullptr>
IsValueNegative(T value)45 constexpr bool IsValueNegative(T value) {
46 static_assert(std::is_arithmetic<T>::value, "Argument must be numeric.");
47 return value < 0;
48 }
49
50 template <typename T,
51 typename std::enable_if<!std::is_signed<T>::value>::type* = nullptr>
IsValueNegative(T)52 constexpr bool IsValueNegative(T) {
53 static_assert(std::is_arithmetic<T>::value, "Argument must be numeric.");
54 return false;
55 }
56
57 // This performs a fast negation, returning a signed value. It works on unsigned
58 // arguments, but probably doesn't do what you want for any unsigned value
59 // larger than max / 2 + 1 (i.e. signed min cast to unsigned).
60 template <typename T>
ConditionalNegate(T x,bool is_negative)61 constexpr typename std::make_signed<T>::type ConditionalNegate(
62 T x,
63 bool is_negative) {
64 static_assert(std::is_integral<T>::value, "Type must be integral");
65 using SignedT = typename std::make_signed<T>::type;
66 using UnsignedT = typename std::make_unsigned<T>::type;
67 return static_cast<SignedT>(
68 (static_cast<UnsignedT>(x) ^ -SignedT(is_negative)) + is_negative);
69 }
70
71 // This performs a safe, absolute value via unsigned overflow.
72 template <typename T>
SafeUnsignedAbs(T value)73 constexpr typename std::make_unsigned<T>::type SafeUnsignedAbs(T value) {
74 static_assert(std::is_integral<T>::value, "Type must be integral");
75 using UnsignedT = typename std::make_unsigned<T>::type;
76 return IsValueNegative(value) ? 0 - static_cast<UnsignedT>(value)
77 : static_cast<UnsignedT>(value);
78 }
79
80 enum IntegerRepresentation {
81 INTEGER_REPRESENTATION_UNSIGNED,
82 INTEGER_REPRESENTATION_SIGNED
83 };
84
85 // A range for a given nunmeric Src type is contained for a given numeric Dst
86 // type if both numeric_limits<Src>::max() <= numeric_limits<Dst>::max() and
87 // numeric_limits<Src>::lowest() >= numeric_limits<Dst>::lowest() are true.
88 // We implement this as template specializations rather than simple static
89 // comparisons to ensure type correctness in our comparisons.
90 enum NumericRangeRepresentation {
91 NUMERIC_RANGE_NOT_CONTAINED,
92 NUMERIC_RANGE_CONTAINED
93 };
94
95 // Helper templates to statically determine if our destination type can contain
96 // maximum and minimum values represented by the source type.
97
98 template <typename Dst,
99 typename Src,
100 IntegerRepresentation DstSign = std::is_signed<Dst>::value
101 ? INTEGER_REPRESENTATION_SIGNED
102 : INTEGER_REPRESENTATION_UNSIGNED,
103 IntegerRepresentation SrcSign = std::is_signed<Src>::value
104 ? INTEGER_REPRESENTATION_SIGNED
105 : INTEGER_REPRESENTATION_UNSIGNED>
106 struct StaticDstRangeRelationToSrcRange;
107
108 // Same sign: Dst is guaranteed to contain Src only if its range is equal or
109 // larger.
110 template <typename Dst, typename Src, IntegerRepresentation Sign>
111 struct StaticDstRangeRelationToSrcRange<Dst, Src, Sign, Sign> {
112 static const NumericRangeRepresentation value =
113 MaxExponent<Dst>::value >= MaxExponent<Src>::value
114 ? NUMERIC_RANGE_CONTAINED
115 : NUMERIC_RANGE_NOT_CONTAINED;
116 };
117
118 // Unsigned to signed: Dst is guaranteed to contain source only if its range is
119 // larger.
120 template <typename Dst, typename Src>
121 struct StaticDstRangeRelationToSrcRange<Dst,
122 Src,
123 INTEGER_REPRESENTATION_SIGNED,
124 INTEGER_REPRESENTATION_UNSIGNED> {
125 static const NumericRangeRepresentation value =
126 MaxExponent<Dst>::value > MaxExponent<Src>::value
127 ? NUMERIC_RANGE_CONTAINED
128 : NUMERIC_RANGE_NOT_CONTAINED;
129 };
130
131 // Signed to unsigned: Dst cannot be statically determined to contain Src.
132 template <typename Dst, typename Src>
133 struct StaticDstRangeRelationToSrcRange<Dst,
134 Src,
135 INTEGER_REPRESENTATION_UNSIGNED,
136 INTEGER_REPRESENTATION_SIGNED> {
137 static const NumericRangeRepresentation value = NUMERIC_RANGE_NOT_CONTAINED;
138 };
139
140 // This class wraps the range constraints as separate booleans so the compiler
141 // can identify constants and eliminate unused code paths.
142 class RangeCheck {
143 public:
144 constexpr RangeCheck(bool is_in_lower_bound, bool is_in_upper_bound)
145 : is_underflow_(!is_in_lower_bound), is_overflow_(!is_in_upper_bound) {}
146 constexpr RangeCheck() : is_underflow_(false), is_overflow_(false) {}
147 constexpr bool IsValid() const { return !is_overflow_ && !is_underflow_; }
148 constexpr bool IsInvalid() const { return is_overflow_ && is_underflow_; }
149 constexpr bool IsOverflow() const { return is_overflow_ && !is_underflow_; }
150 constexpr bool IsUnderflow() const { return !is_overflow_ && is_underflow_; }
151 constexpr bool IsOverflowFlagSet() const { return is_overflow_; }
152 constexpr bool IsUnderflowFlagSet() const { return is_underflow_; }
153 constexpr bool operator==(const RangeCheck rhs) const {
154 return is_underflow_ == rhs.is_underflow_ &&
155 is_overflow_ == rhs.is_overflow_;
156 }
157 constexpr bool operator!=(const RangeCheck rhs) const {
158 return !(*this == rhs);
159 }
160
161 private:
162 // Do not change the order of these member variables. The integral conversion
163 // optimization depends on this exact order.
164 const bool is_underflow_;
165 const bool is_overflow_;
166 };
167
168 // The following helper template addresses a corner case in range checks for
169 // conversion from a floating-point type to an integral type of smaller range
170 // but larger precision (e.g. float -> unsigned). The problem is as follows:
171 // 1. Integral maximum is always one less than a power of two, so it must be
172 // truncated to fit the mantissa of the floating point. The direction of
173 // rounding is implementation defined, but by default it's always IEEE
174 // floats, which round to nearest and thus result in a value of larger
175 // magnitude than the integral value.
176 // Example: float f = UINT_MAX; // f is 4294967296f but UINT_MAX
177 // // is 4294967295u.
178 // 2. If the floating point value is equal to the promoted integral maximum
179 // value, a range check will erroneously pass.
180 // Example: (4294967296f <= 4294967295u) // This is true due to a precision
181 // // loss in rounding up to float.
182 // 3. When the floating point value is then converted to an integral, the
183 // resulting value is out of range for the target integral type and
184 // thus is implementation defined.
185 // Example: unsigned u = (float)INT_MAX; // u will typically overflow to 0.
186 // To fix this bug we manually truncate the maximum value when the destination
187 // type is an integral of larger precision than the source floating-point type,
188 // such that the resulting maximum is represented exactly as a floating point.
189 template <typename Dst, typename Src, template <typename> class Bounds>
190 struct NarrowingRange {
191 using SrcLimits = std::numeric_limits<Src>;
192 using DstLimits = typename std::numeric_limits<Dst>;
193
194 // Computes the mask required to make an accurate comparison between types.
195 static const int kShift =
196 (MaxExponent<Src>::value > MaxExponent<Dst>::value &&
197 SrcLimits::digits < DstLimits::digits)
198 ? (DstLimits::digits - SrcLimits::digits)
199 : 0;
200 template <
201 typename T,
202 typename std::enable_if<std::is_integral<T>::value>::type* = nullptr>
203
204 // Masks out the integer bits that are beyond the precision of the
205 // intermediate type used for comparison.
206 static constexpr T Adjust(T value) {
207 static_assert(std::is_same<T, Dst>::value, "");
208 static_assert(kShift < DstLimits::digits, "");
209 return static_cast<T>(
210 ConditionalNegate(SafeUnsignedAbs(value) & ~((T(1) << kShift) - T(1)),
211 IsValueNegative(value)));
212 }
213
214 template <typename T,
215 typename std::enable_if<std::is_floating_point<T>::value>::type* =
216 nullptr>
217 static constexpr T Adjust(T value) {
218 static_assert(std::is_same<T, Dst>::value, "");
219 static_assert(kShift == 0, "");
220 return value;
221 }
222
223 static constexpr Dst max() { return Adjust(Bounds<Dst>::max()); }
224 static constexpr Dst lowest() { return Adjust(Bounds<Dst>::lowest()); }
225 };
226
227 template <typename Dst,
228 typename Src,
229 template <typename> class Bounds,
230 IntegerRepresentation DstSign = std::is_signed<Dst>::value
231 ? INTEGER_REPRESENTATION_SIGNED
232 : INTEGER_REPRESENTATION_UNSIGNED,
233 IntegerRepresentation SrcSign = std::is_signed<Src>::value
234 ? INTEGER_REPRESENTATION_SIGNED
235 : INTEGER_REPRESENTATION_UNSIGNED,
236 NumericRangeRepresentation DstRange =
237 StaticDstRangeRelationToSrcRange<Dst, Src>::value>
238 struct DstRangeRelationToSrcRangeImpl;
239
240 // The following templates are for ranges that must be verified at runtime. We
241 // split it into checks based on signedness to avoid confusing casts and
242 // compiler warnings on signed an unsigned comparisons.
243
244 // Same sign narrowing: The range is contained for normal limits.
245 template <typename Dst,
246 typename Src,
247 template <typename> class Bounds,
248 IntegerRepresentation DstSign,
249 IntegerRepresentation SrcSign>
250 struct DstRangeRelationToSrcRangeImpl<Dst,
251 Src,
252 Bounds,
253 DstSign,
254 SrcSign,
255 NUMERIC_RANGE_CONTAINED> {
256 static constexpr RangeCheck Check(Src value) {
257 using SrcLimits = std::numeric_limits<Src>;
258 using DstLimits = NarrowingRange<Dst, Src, Bounds>;
259 return RangeCheck(
260 static_cast<Dst>(SrcLimits::lowest()) >= DstLimits::lowest() ||
261 static_cast<Dst>(value) >= DstLimits::lowest(),
262 static_cast<Dst>(SrcLimits::max()) <= DstLimits::max() ||
263 static_cast<Dst>(value) <= DstLimits::max());
264 }
265 };
266
267 // Signed to signed narrowing: Both the upper and lower boundaries may be
268 // exceeded for standard limits.
269 template <typename Dst, typename Src, template <typename> class Bounds>
270 struct DstRangeRelationToSrcRangeImpl<Dst,
271 Src,
272 Bounds,
273 INTEGER_REPRESENTATION_SIGNED,
274 INTEGER_REPRESENTATION_SIGNED,
275 NUMERIC_RANGE_NOT_CONTAINED> {
276 static constexpr RangeCheck Check(Src value) {
277 using DstLimits = NarrowingRange<Dst, Src, Bounds>;
278 return RangeCheck(value >= DstLimits::lowest(), value <= DstLimits::max());
279 }
280 };
281
282 // Unsigned to unsigned narrowing: Only the upper bound can be exceeded for
283 // standard limits.
284 template <typename Dst, typename Src, template <typename> class Bounds>
285 struct DstRangeRelationToSrcRangeImpl<Dst,
286 Src,
287 Bounds,
288 INTEGER_REPRESENTATION_UNSIGNED,
289 INTEGER_REPRESENTATION_UNSIGNED,
290 NUMERIC_RANGE_NOT_CONTAINED> {
291 static constexpr RangeCheck Check(Src value) {
292 using DstLimits = NarrowingRange<Dst, Src, Bounds>;
293 return RangeCheck(
294 DstLimits::lowest() == Dst(0) || value >= DstLimits::lowest(),
295 value <= DstLimits::max());
296 }
297 };
298
299 // Unsigned to signed: Only the upper bound can be exceeded for standard limits.
300 template <typename Dst, typename Src, template <typename> class Bounds>
301 struct DstRangeRelationToSrcRangeImpl<Dst,
302 Src,
303 Bounds,
304 INTEGER_REPRESENTATION_SIGNED,
305 INTEGER_REPRESENTATION_UNSIGNED,
306 NUMERIC_RANGE_NOT_CONTAINED> {
307 static constexpr RangeCheck Check(Src value) {
308 using DstLimits = NarrowingRange<Dst, Src, Bounds>;
309 using Promotion = decltype(Src() + Dst());
310 return RangeCheck(DstLimits::lowest() <= Dst(0) ||
311 static_cast<Promotion>(value) >=
312 static_cast<Promotion>(DstLimits::lowest()),
313 static_cast<Promotion>(value) <=
314 static_cast<Promotion>(DstLimits::max()));
315 }
316 };
317
318 // Signed to unsigned: The upper boundary may be exceeded for a narrower Dst,
319 // and any negative value exceeds the lower boundary for standard limits.
320 template <typename Dst, typename Src, template <typename> class Bounds>
321 struct DstRangeRelationToSrcRangeImpl<Dst,
322 Src,
323 Bounds,
324 INTEGER_REPRESENTATION_UNSIGNED,
325 INTEGER_REPRESENTATION_SIGNED,
326 NUMERIC_RANGE_NOT_CONTAINED> {
327 static constexpr RangeCheck Check(Src value) {
328 using SrcLimits = std::numeric_limits<Src>;
329 using DstLimits = NarrowingRange<Dst, Src, Bounds>;
330 using Promotion = decltype(Src() + Dst());
331 return RangeCheck(
332 value >= Src(0) && (DstLimits::lowest() == 0 ||
333 static_cast<Dst>(value) >= DstLimits::lowest()),
334 static_cast<Promotion>(SrcLimits::max()) <=
335 static_cast<Promotion>(DstLimits::max()) ||
336 static_cast<Promotion>(value) <=
337 static_cast<Promotion>(DstLimits::max()));
338 }
339 };
340
341 template <typename Dst,
342 template <typename> class Bounds = std::numeric_limits,
343 typename Src>
344 constexpr RangeCheck DstRangeRelationToSrcRange(Src value) {
345 static_assert(std::is_arithmetic<Src>::value, "Argument must be numeric.");
346 static_assert(std::is_arithmetic<Dst>::value, "Result must be numeric.");
347 static_assert(Bounds<Dst>::lowest() < Bounds<Dst>::max(), "");
348 return DstRangeRelationToSrcRangeImpl<Dst, Src, Bounds>::Check(value);
349 }
350
351 // Integer promotion templates used by the portable checked integer arithmetic.
352 template <size_t Size, bool IsSigned>
353 struct IntegerForDigitsAndSign;
354
355 #define INTEGER_FOR_DIGITS_AND_SIGN(I) \
356 template <> \
357 struct IntegerForDigitsAndSign<IntegerBitsPlusSign<I>::value, \
358 std::is_signed<I>::value> { \
359 using type = I; \
360 }
361
362 INTEGER_FOR_DIGITS_AND_SIGN(int8_t);
363 INTEGER_FOR_DIGITS_AND_SIGN(uint8_t);
364 INTEGER_FOR_DIGITS_AND_SIGN(int16_t);
365 INTEGER_FOR_DIGITS_AND_SIGN(uint16_t);
366 INTEGER_FOR_DIGITS_AND_SIGN(int32_t);
367 INTEGER_FOR_DIGITS_AND_SIGN(uint32_t);
368 INTEGER_FOR_DIGITS_AND_SIGN(int64_t);
369 INTEGER_FOR_DIGITS_AND_SIGN(uint64_t);
370 #undef INTEGER_FOR_DIGITS_AND_SIGN
371
372 // WARNING: We have no IntegerForSizeAndSign<16, *>. If we ever add one to
373 // support 128-bit math, then the ArithmeticPromotion template below will need
374 // to be updated (or more likely replaced with a decltype expression).
375 static_assert(IntegerBitsPlusSign<intmax_t>::value == 64,
376 "Max integer size not supported for this toolchain.");
377
378 template <typename Integer, bool IsSigned = std::is_signed<Integer>::value>
379 struct TwiceWiderInteger {
380 using type =
381 typename IntegerForDigitsAndSign<IntegerBitsPlusSign<Integer>::value * 2,
382 IsSigned>::type;
383 };
384
385 enum ArithmeticPromotionCategory {
386 LEFT_PROMOTION, // Use the type of the left-hand argument.
387 RIGHT_PROMOTION // Use the type of the right-hand argument.
388 };
389
390 // Determines the type that can represent the largest positive value.
391 template <typename Lhs,
392 typename Rhs,
393 ArithmeticPromotionCategory Promotion =
394 (MaxExponent<Lhs>::value > MaxExponent<Rhs>::value)
395 ? LEFT_PROMOTION
396 : RIGHT_PROMOTION>
397 struct MaxExponentPromotion;
398
399 template <typename Lhs, typename Rhs>
400 struct MaxExponentPromotion<Lhs, Rhs, LEFT_PROMOTION> {
401 using type = Lhs;
402 };
403
404 template <typename Lhs, typename Rhs>
405 struct MaxExponentPromotion<Lhs, Rhs, RIGHT_PROMOTION> {
406 using type = Rhs;
407 };
408
409 // Determines the type that can represent the lowest arithmetic value.
410 template <typename Lhs,
411 typename Rhs,
412 ArithmeticPromotionCategory Promotion =
413 std::is_signed<Lhs>::value
414 ? (std::is_signed<Rhs>::value
415 ? (MaxExponent<Lhs>::value > MaxExponent<Rhs>::value
416 ? LEFT_PROMOTION
417 : RIGHT_PROMOTION)
418 : LEFT_PROMOTION)
419 : (std::is_signed<Rhs>::value
420 ? RIGHT_PROMOTION
421 : (MaxExponent<Lhs>::value < MaxExponent<Rhs>::value
422 ? LEFT_PROMOTION
423 : RIGHT_PROMOTION))>
424 struct LowestValuePromotion;
425
426 template <typename Lhs, typename Rhs>
427 struct LowestValuePromotion<Lhs, Rhs, LEFT_PROMOTION> {
428 using type = Lhs;
429 };
430
431 template <typename Lhs, typename Rhs>
432 struct LowestValuePromotion<Lhs, Rhs, RIGHT_PROMOTION> {
433 using type = Rhs;
434 };
435
436 // Determines the type that is best able to represent an arithmetic result.
437 template <
438 typename Lhs,
439 typename Rhs = Lhs,
440 bool is_intmax_type =
441 std::is_integral<typename MaxExponentPromotion<Lhs, Rhs>::type>::value&&
442 IntegerBitsPlusSign<typename MaxExponentPromotion<Lhs, Rhs>::type>::
443 value == IntegerBitsPlusSign<intmax_t>::value,
444 bool is_max_exponent =
445 StaticDstRangeRelationToSrcRange<
446 typename MaxExponentPromotion<Lhs, Rhs>::type,
447 Lhs>::value ==
448 NUMERIC_RANGE_CONTAINED&& StaticDstRangeRelationToSrcRange<
449 typename MaxExponentPromotion<Lhs, Rhs>::type,
450 Rhs>::value == NUMERIC_RANGE_CONTAINED>
451 struct BigEnoughPromotion;
452
453 // The side with the max exponent is big enough.
454 template <typename Lhs, typename Rhs, bool is_intmax_type>
455 struct BigEnoughPromotion<Lhs, Rhs, is_intmax_type, true> {
456 using type = typename MaxExponentPromotion<Lhs, Rhs>::type;
457 static const bool is_contained = true;
458 };
459
460 // We can use a twice wider type to fit.
461 template <typename Lhs, typename Rhs>
462 struct BigEnoughPromotion<Lhs, Rhs, false, false> {
463 using type =
464 typename TwiceWiderInteger<typename MaxExponentPromotion<Lhs, Rhs>::type,
465 std::is_signed<Lhs>::value ||
466 std::is_signed<Rhs>::value>::type;
467 static const bool is_contained = true;
468 };
469
470 // No type is large enough.
471 template <typename Lhs, typename Rhs>
472 struct BigEnoughPromotion<Lhs, Rhs, true, false> {
473 using type = typename MaxExponentPromotion<Lhs, Rhs>::type;
474 static const bool is_contained = false;
475 };
476
477 // We can statically check if operations on the provided types can wrap, so we
478 // can skip the checked operations if they're not needed. So, for an integer we
479 // care if the destination type preserves the sign and is twice the width of
480 // the source.
481 template <typename T, typename Lhs, typename Rhs = Lhs>
482 struct IsIntegerArithmeticSafe {
483 static const bool value =
484 !std::is_floating_point<T>::value &&
485 !std::is_floating_point<Lhs>::value &&
486 !std::is_floating_point<Rhs>::value &&
487 std::is_signed<T>::value >= std::is_signed<Lhs>::value &&
488 IntegerBitsPlusSign<T>::value >= (2 * IntegerBitsPlusSign<Lhs>::value) &&
489 std::is_signed<T>::value >= std::is_signed<Rhs>::value &&
490 IntegerBitsPlusSign<T>::value >= (2 * IntegerBitsPlusSign<Rhs>::value);
491 };
492
493 // Promotes to a type that can represent any possible result of a binary
494 // arithmetic operation with the source types.
495 template <typename Lhs,
496 typename Rhs,
497 bool is_promotion_possible = IsIntegerArithmeticSafe<
498 typename std::conditional<std::is_signed<Lhs>::value ||
499 std::is_signed<Rhs>::value,
500 intmax_t,
501 uintmax_t>::type,
502 typename MaxExponentPromotion<Lhs, Rhs>::type>::value>
503 struct FastIntegerArithmeticPromotion;
504
505 template <typename Lhs, typename Rhs>
506 struct FastIntegerArithmeticPromotion<Lhs, Rhs, true> {
507 using type =
508 typename TwiceWiderInteger<typename MaxExponentPromotion<Lhs, Rhs>::type,
509 std::is_signed<Lhs>::value ||
510 std::is_signed<Rhs>::value>::type;
511 static_assert(IsIntegerArithmeticSafe<type, Lhs, Rhs>::value, "");
512 static const bool is_contained = true;
513 };
514
515 template <typename Lhs, typename Rhs>
516 struct FastIntegerArithmeticPromotion<Lhs, Rhs, false> {
517 using type = typename BigEnoughPromotion<Lhs, Rhs>::type;
518 static const bool is_contained = false;
519 };
520
521 // This hacks around libstdc++ 4.6 missing stuff in type_traits.
522 #if defined(__GLIBCXX__)
523 #define PRIV_GLIBCXX_4_7_0 20120322
524 #define PRIV_GLIBCXX_4_5_4 20120702
525 #define PRIV_GLIBCXX_4_6_4 20121127
526 #if (__GLIBCXX__ < PRIV_GLIBCXX_4_7_0 || __GLIBCXX__ == PRIV_GLIBCXX_4_5_4 || \
527 __GLIBCXX__ == PRIV_GLIBCXX_4_6_4)
528 #define PRIV_USE_FALLBACKS_FOR_OLD_GLIBCXX
529 #undef PRIV_GLIBCXX_4_7_0
530 #undef PRIV_GLIBCXX_4_5_4
531 #undef PRIV_GLIBCXX_4_6_4
532 #endif
533 #endif
534
535 // Extracts the underlying type from an enum.
536 template <typename T, bool is_enum = std::is_enum<T>::value>
537 struct ArithmeticOrUnderlyingEnum;
538
539 template <typename T>
540 struct ArithmeticOrUnderlyingEnum<T, true> {
541 #if defined(PRIV_USE_FALLBACKS_FOR_OLD_GLIBCXX)
542 using type = __underlying_type(T);
543 #else
544 using type = typename std::underlying_type<T>::type;
545 #endif
546 static const bool value = std::is_arithmetic<type>::value;
547 };
548
549 #if defined(PRIV_USE_FALLBACKS_FOR_OLD_GLIBCXX)
550 #undef PRIV_USE_FALLBACKS_FOR_OLD_GLIBCXX
551 #endif
552
553 template <typename T>
554 struct ArithmeticOrUnderlyingEnum<T, false> {
555 using type = T;
556 static const bool value = std::is_arithmetic<type>::value;
557 };
558
559 // The following are helper templates used in the CheckedNumeric class.
560 template <typename T>
561 class CheckedNumeric;
562
563 template <typename T>
564 class StrictNumeric;
565
566 // Used to treat CheckedNumeric and arithmetic underlying types the same.
567 template <typename T>
568 struct UnderlyingType {
569 using type = typename ArithmeticOrUnderlyingEnum<T>::type;
570 static const bool is_numeric = std::is_arithmetic<type>::value;
571 static const bool is_checked = false;
572 static const bool is_strict = false;
573 };
574
575 template <typename T>
576 struct UnderlyingType<CheckedNumeric<T>> {
577 using type = T;
578 static const bool is_numeric = true;
579 static const bool is_checked = true;
580 static const bool is_strict = false;
581 };
582
583 template <typename T>
584 struct UnderlyingType<StrictNumeric<T>> {
585 using type = T;
586 static const bool is_numeric = true;
587 static const bool is_checked = false;
588 static const bool is_strict = true;
589 };
590
591 template <typename L, typename R>
592 struct IsCheckedOp {
593 static const bool value =
594 UnderlyingType<L>::is_numeric && UnderlyingType<R>::is_numeric &&
595 (UnderlyingType<L>::is_checked || UnderlyingType<R>::is_checked);
596 };
597
598 template <typename L, typename R>
599 struct IsStrictOp {
600 static const bool value =
601 UnderlyingType<L>::is_numeric && UnderlyingType<R>::is_numeric &&
602 (UnderlyingType<L>::is_strict || UnderlyingType<R>::is_strict);
603 };
604
605 template <typename L, typename R>
606 constexpr bool IsLessImpl(const L lhs,
607 const R rhs,
608 const RangeCheck l_range,
609 const RangeCheck r_range) {
610 return l_range.IsUnderflow() || r_range.IsOverflow() ||
611 (l_range == r_range &&
612 static_cast<decltype(lhs + rhs)>(lhs) <
613 static_cast<decltype(lhs + rhs)>(rhs));
614 }
615
616 template <typename L, typename R>
617 struct IsLess {
618 static_assert(std::is_arithmetic<L>::value && std::is_arithmetic<R>::value,
619 "Types must be numeric.");
620 static constexpr bool Test(const L lhs, const R rhs) {
621 return IsLessImpl(lhs, rhs, DstRangeRelationToSrcRange<R>(lhs),
622 DstRangeRelationToSrcRange<L>(rhs));
623 }
624 };
625
626 template <typename L, typename R>
627 constexpr bool IsLessOrEqualImpl(const L lhs,
628 const R rhs,
629 const RangeCheck l_range,
630 const RangeCheck r_range) {
631 return l_range.IsUnderflow() || r_range.IsOverflow() ||
632 (l_range == r_range &&
633 static_cast<decltype(lhs + rhs)>(lhs) <=
634 static_cast<decltype(lhs + rhs)>(rhs));
635 }
636
637 template <typename L, typename R>
638 struct IsLessOrEqual {
639 static_assert(std::is_arithmetic<L>::value && std::is_arithmetic<R>::value,
640 "Types must be numeric.");
641 static constexpr bool Test(const L lhs, const R rhs) {
642 return IsLessOrEqualImpl(lhs, rhs, DstRangeRelationToSrcRange<R>(lhs),
643 DstRangeRelationToSrcRange<L>(rhs));
644 }
645 };
646
647 template <typename L, typename R>
648 constexpr bool IsGreaterImpl(const L lhs,
649 const R rhs,
650 const RangeCheck l_range,
651 const RangeCheck r_range) {
652 return l_range.IsOverflow() || r_range.IsUnderflow() ||
653 (l_range == r_range &&
654 static_cast<decltype(lhs + rhs)>(lhs) >
655 static_cast<decltype(lhs + rhs)>(rhs));
656 }
657
658 template <typename L, typename R>
659 struct IsGreater {
660 static_assert(std::is_arithmetic<L>::value && std::is_arithmetic<R>::value,
661 "Types must be numeric.");
662 static constexpr bool Test(const L lhs, const R rhs) {
663 return IsGreaterImpl(lhs, rhs, DstRangeRelationToSrcRange<R>(lhs),
664 DstRangeRelationToSrcRange<L>(rhs));
665 }
666 };
667
668 template <typename L, typename R>
669 constexpr bool IsGreaterOrEqualImpl(const L lhs,
670 const R rhs,
671 const RangeCheck l_range,
672 const RangeCheck r_range) {
673 return l_range.IsOverflow() || r_range.IsUnderflow() ||
674 (l_range == r_range &&
675 static_cast<decltype(lhs + rhs)>(lhs) >=
676 static_cast<decltype(lhs + rhs)>(rhs));
677 }
678
679 template <typename L, typename R>
680 struct IsGreaterOrEqual {
681 static_assert(std::is_arithmetic<L>::value && std::is_arithmetic<R>::value,
682 "Types must be numeric.");
683 static constexpr bool Test(const L lhs, const R rhs) {
684 return IsGreaterOrEqualImpl(lhs, rhs, DstRangeRelationToSrcRange<R>(lhs),
685 DstRangeRelationToSrcRange<L>(rhs));
686 }
687 };
688
689 template <typename L, typename R>
690 struct IsEqual {
691 static_assert(std::is_arithmetic<L>::value && std::is_arithmetic<R>::value,
692 "Types must be numeric.");
693 static constexpr bool Test(const L lhs, const R rhs) {
694 return DstRangeRelationToSrcRange<R>(lhs) ==
695 DstRangeRelationToSrcRange<L>(rhs) &&
696 static_cast<decltype(lhs + rhs)>(lhs) ==
697 static_cast<decltype(lhs + rhs)>(rhs);
698 }
699 };
700
701 template <typename L, typename R>
702 struct IsNotEqual {
703 static_assert(std::is_arithmetic<L>::value && std::is_arithmetic<R>::value,
704 "Types must be numeric.");
705 static constexpr bool Test(const L lhs, const R rhs) {
706 return DstRangeRelationToSrcRange<R>(lhs) !=
707 DstRangeRelationToSrcRange<L>(rhs) ||
708 static_cast<decltype(lhs + rhs)>(lhs) !=
709 static_cast<decltype(lhs + rhs)>(rhs);
710 }
711 };
712
713 // These perform the actual math operations on the CheckedNumerics.
714 // Binary arithmetic operations.
715 template <template <typename, typename> class C, typename L, typename R>
716 constexpr bool SafeCompare(const L lhs, const R rhs) {
717 static_assert(std::is_arithmetic<L>::value && std::is_arithmetic<R>::value,
718 "Types must be numeric.");
719 using Promotion = BigEnoughPromotion<L, R>;
720 using BigType = typename Promotion::type;
721 return Promotion::is_contained
722 // Force to a larger type for speed if both are contained.
723 ? C<BigType, BigType>::Test(
724 static_cast<BigType>(static_cast<L>(lhs)),
725 static_cast<BigType>(static_cast<R>(rhs)))
726 // Let the template functions figure it out for mixed types.
727 : C<L, R>::Test(lhs, rhs);
728 }
729
730 } // namespace internal
731 } // namespace base
732 } // namespace pdfium
733
734 #endif // PDFIUM_THIRD_PARTY_BASE_NUMERICS_SAFE_CONVERSIONS_IMPL_H_
735