1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef BASE_NUMERICS_SAFE_MATH_IMPL_H_ 6 #define BASE_NUMERICS_SAFE_MATH_IMPL_H_ 7 8 #include <stddef.h> 9 #include <stdint.h> 10 11 #include <climits> 12 #include <cmath> 13 #include <cstdlib> 14 #include <limits> 15 #include <type_traits> 16 17 #include "base/numerics/safe_conversions.h" 18 19 namespace base { 20 namespace internal { 21 22 // Everything from here up to the floating point operations is portable C++, 23 // but it may not be fast. This code could be split based on 24 // platform/architecture and replaced with potentially faster implementations. 25 26 // This is used for UnsignedAbs, where we need to support floating-point 27 // template instantiations even though we don't actually support the operations. 28 // However, there is no corresponding implementation of e.g. SafeUnsignedAbs, 29 // so the float versions will not compile. 30 template <typename Numeric, 31 bool IsInteger = std::is_integral<Numeric>::value, 32 bool IsFloat = std::is_floating_point<Numeric>::value> 33 struct UnsignedOrFloatForSize; 34 35 template <typename Numeric> 36 struct UnsignedOrFloatForSize<Numeric, true, false> { 37 using type = typename std::make_unsigned<Numeric>::type; 38 }; 39 40 template <typename Numeric> 41 struct UnsignedOrFloatForSize<Numeric, false, true> { 42 using type = Numeric; 43 }; 44 45 // Probe for builtin math overflow support on Clang and version check on GCC. 46 #if defined(__has_builtin) 47 #define USE_OVERFLOW_BUILTINS (__has_builtin(__builtin_add_overflow)) 48 #elif defined(__GNUC__) 49 #define USE_OVERFLOW_BUILTINS (__GNUC__ >= 5) 50 #else 51 #define USE_OVERFLOW_BUILTINS (0) 52 #endif 53 54 template <typename T> 55 bool CheckedAddImpl(T x, T y, T* result) { 56 static_assert(std::is_integral<T>::value, "Type must be integral"); 57 // Since the value of x+y is undefined if we have a signed type, we compute 58 // it using the unsigned type of the same size. 59 using UnsignedDst = typename std::make_unsigned<T>::type; 60 using SignedDst = typename std::make_signed<T>::type; 61 UnsignedDst ux = static_cast<UnsignedDst>(x); 62 UnsignedDst uy = static_cast<UnsignedDst>(y); 63 UnsignedDst uresult = static_cast<UnsignedDst>(ux + uy); 64 *result = static_cast<T>(uresult); 65 // Addition is valid if the sign of (x + y) is equal to either that of x or 66 // that of y. 67 return (std::is_signed<T>::value) 68 ? static_cast<SignedDst>((uresult ^ ux) & (uresult ^ uy)) >= 0 69 : uresult >= uy; // Unsigned is either valid or underflow. 70 } 71 72 template <typename T, typename U, class Enable = void> 73 struct CheckedAddOp {}; 74 75 template <typename T, typename U> 76 struct CheckedAddOp<T, 77 U, 78 typename std::enable_if<std::is_integral<T>::value && 79 std::is_integral<U>::value>::type> { 80 using result_type = typename MaxExponentPromotion<T, U>::type; 81 template <typename V> 82 static bool Do(T x, U y, V* result) { 83 #if USE_OVERFLOW_BUILTINS 84 return !__builtin_add_overflow(x, y, result); 85 #else 86 using Promotion = typename BigEnoughPromotion<T, U>::type; 87 Promotion presult; 88 // Fail if either operand is out of range for the promoted type. 89 // TODO(jschuh): This could be made to work for a broader range of values. 90 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && 91 IsValueInRangeForNumericType<Promotion>(y); 92 93 if (IsIntegerArithmeticSafe<Promotion, T, U>::value) { 94 presult = static_cast<Promotion>(x) + static_cast<Promotion>(y); 95 } else { 96 is_valid &= CheckedAddImpl(static_cast<Promotion>(x), 97 static_cast<Promotion>(y), &presult); 98 } 99 *result = static_cast<V>(presult); 100 return is_valid && IsValueInRangeForNumericType<V>(presult); 101 #endif 102 } 103 }; 104 105 template <typename T> 106 bool CheckedSubImpl(T x, T y, T* result) { 107 static_assert(std::is_integral<T>::value, "Type must be integral"); 108 // Since the value of x+y is undefined if we have a signed type, we compute 109 // it using the unsigned type of the same size. 110 using UnsignedDst = typename std::make_unsigned<T>::type; 111 using SignedDst = typename std::make_signed<T>::type; 112 UnsignedDst ux = static_cast<UnsignedDst>(x); 113 UnsignedDst uy = static_cast<UnsignedDst>(y); 114 UnsignedDst uresult = static_cast<UnsignedDst>(ux - uy); 115 *result = static_cast<T>(uresult); 116 // Subtraction is valid if either x and y have same sign, or (x-y) and x have 117 // the same sign. 118 return (std::is_signed<T>::value) 119 ? static_cast<SignedDst>((uresult ^ ux) & (ux ^ uy)) >= 0 120 : x >= y; 121 } 122 123 template <typename T, typename U, class Enable = void> 124 struct CheckedSubOp {}; 125 126 template <typename T, typename U> 127 struct CheckedSubOp<T, 128 U, 129 typename std::enable_if<std::is_integral<T>::value && 130 std::is_integral<U>::value>::type> { 131 using result_type = typename MaxExponentPromotion<T, U>::type; 132 template <typename V> 133 static bool Do(T x, U y, V* result) { 134 #if USE_OVERFLOW_BUILTINS 135 return !__builtin_sub_overflow(x, y, result); 136 #else 137 using Promotion = typename BigEnoughPromotion<T, U>::type; 138 Promotion presult; 139 // Fail if either operand is out of range for the promoted type. 140 // TODO(jschuh): This could be made to work for a broader range of values. 141 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && 142 IsValueInRangeForNumericType<Promotion>(y); 143 144 if (IsIntegerArithmeticSafe<Promotion, T, U>::value) { 145 presult = static_cast<Promotion>(x) - static_cast<Promotion>(y); 146 } else { 147 is_valid &= CheckedSubImpl(static_cast<Promotion>(x), 148 static_cast<Promotion>(y), &presult); 149 } 150 *result = static_cast<V>(presult); 151 return is_valid && IsValueInRangeForNumericType<V>(presult); 152 #endif 153 } 154 }; 155 156 template <typename T> 157 bool CheckedMulImpl(T x, T y, T* result) { 158 static_assert(std::is_integral<T>::value, "Type must be integral"); 159 // Since the value of x*y is potentially undefined if we have a signed type, 160 // we compute it using the unsigned type of the same size. 161 using UnsignedDst = typename std::make_unsigned<T>::type; 162 using SignedDst = typename std::make_signed<T>::type; 163 const UnsignedDst ux = SafeUnsignedAbs(x); 164 const UnsignedDst uy = SafeUnsignedAbs(y); 165 UnsignedDst uresult = static_cast<UnsignedDst>(ux * uy); 166 const bool is_negative = 167 std::is_signed<T>::value && static_cast<SignedDst>(x ^ y) < 0; 168 *result = is_negative ? 0 - uresult : uresult; 169 // We have a fast out for unsigned identity or zero on the second operand. 170 // After that it's an unsigned overflow check on the absolute value, with 171 // a +1 bound for a negative result. 172 return uy <= UnsignedDst(!std::is_signed<T>::value || is_negative) || 173 ux <= (std::numeric_limits<T>::max() + UnsignedDst(is_negative)) / uy; 174 } 175 176 template <typename T, typename U, class Enable = void> 177 struct CheckedMulOp {}; 178 179 template <typename T, typename U> 180 struct CheckedMulOp<T, 181 U, 182 typename std::enable_if<std::is_integral<T>::value && 183 std::is_integral<U>::value>::type> { 184 using result_type = typename MaxExponentPromotion<T, U>::type; 185 template <typename V> 186 static bool Do(T x, U y, V* result) { 187 #if USE_OVERFLOW_BUILTINS 188 #if defined(__clang__) 189 // TODO(jschuh): Get the Clang runtime library issues sorted out so we can 190 // support full-width, mixed-sign multiply builtins. 191 // https://crbug.com/613003 192 static const bool kUseMaxInt = 193 // Narrower type than uintptr_t is always safe. 194 std::numeric_limits<__typeof__(x * y)>::digits < 195 std::numeric_limits<intptr_t>::digits || 196 // Safe for intptr_t and uintptr_t if the sign matches. 197 (IntegerBitsPlusSign<__typeof__(x * y)>::value == 198 IntegerBitsPlusSign<intptr_t>::value && 199 std::is_signed<T>::value == std::is_signed<U>::value); 200 #else 201 static const bool kUseMaxInt = true; 202 #endif 203 if (kUseMaxInt) 204 return !__builtin_mul_overflow(x, y, result); 205 #endif 206 using Promotion = typename FastIntegerArithmeticPromotion<T, U>::type; 207 Promotion presult; 208 // Fail if either operand is out of range for the promoted type. 209 // TODO(jschuh): This could be made to work for a broader range of values. 210 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && 211 IsValueInRangeForNumericType<Promotion>(y); 212 213 if (IsIntegerArithmeticSafe<Promotion, T, U>::value) { 214 presult = static_cast<Promotion>(x) * static_cast<Promotion>(y); 215 } else { 216 is_valid &= CheckedMulImpl(static_cast<Promotion>(x), 217 static_cast<Promotion>(y), &presult); 218 } 219 *result = static_cast<V>(presult); 220 return is_valid && IsValueInRangeForNumericType<V>(presult); 221 } 222 }; 223 224 // Avoid poluting the namespace once we're done with the macro. 225 #undef USE_OVERFLOW_BUILTINS 226 227 // Division just requires a check for a zero denominator or an invalid negation 228 // on signed min/-1. 229 template <typename T> 230 bool CheckedDivImpl(T x, T y, T* result) { 231 static_assert(std::is_integral<T>::value, "Type must be integral"); 232 if (y && (!std::is_signed<T>::value || 233 x != std::numeric_limits<T>::lowest() || y != static_cast<T>(-1))) { 234 *result = x / y; 235 return true; 236 } 237 return false; 238 } 239 240 template <typename T, typename U, class Enable = void> 241 struct CheckedDivOp {}; 242 243 template <typename T, typename U> 244 struct CheckedDivOp<T, 245 U, 246 typename std::enable_if<std::is_integral<T>::value && 247 std::is_integral<U>::value>::type> { 248 using result_type = typename MaxExponentPromotion<T, U>::type; 249 template <typename V> 250 static bool Do(T x, U y, V* result) { 251 using Promotion = typename BigEnoughPromotion<T, U>::type; 252 Promotion presult; 253 // Fail if either operand is out of range for the promoted type. 254 // TODO(jschuh): This could be made to work for a broader range of values. 255 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && 256 IsValueInRangeForNumericType<Promotion>(y); 257 is_valid &= CheckedDivImpl(static_cast<Promotion>(x), 258 static_cast<Promotion>(y), &presult); 259 *result = static_cast<V>(presult); 260 return is_valid && IsValueInRangeForNumericType<V>(presult); 261 } 262 }; 263 264 template <typename T> 265 bool CheckedModImpl(T x, T y, T* result) { 266 static_assert(std::is_integral<T>::value, "Type must be integral"); 267 if (y > 0) { 268 *result = static_cast<T>(x % y); 269 return true; 270 } 271 return false; 272 } 273 274 template <typename T, typename U, class Enable = void> 275 struct CheckedModOp {}; 276 277 template <typename T, typename U> 278 struct CheckedModOp<T, 279 U, 280 typename std::enable_if<std::is_integral<T>::value && 281 std::is_integral<U>::value>::type> { 282 using result_type = typename MaxExponentPromotion<T, U>::type; 283 template <typename V> 284 static bool Do(T x, U y, V* result) { 285 using Promotion = typename BigEnoughPromotion<T, U>::type; 286 Promotion presult; 287 bool is_valid = CheckedModImpl(static_cast<Promotion>(x), 288 static_cast<Promotion>(y), &presult); 289 *result = static_cast<V>(presult); 290 return is_valid && IsValueInRangeForNumericType<V>(presult); 291 } 292 }; 293 294 template <typename T, typename U, class Enable = void> 295 struct CheckedLshOp {}; 296 297 // Left shift. Shifts less than 0 or greater than or equal to the number 298 // of bits in the promoted type are undefined. Shifts of negative values 299 // are undefined. Otherwise it is defined when the result fits. 300 template <typename T, typename U> 301 struct CheckedLshOp<T, 302 U, 303 typename std::enable_if<std::is_integral<T>::value && 304 std::is_integral<U>::value>::type> { 305 using result_type = T; 306 template <typename V> 307 static bool Do(T x, U shift, V* result) { 308 using ShiftType = typename std::make_unsigned<T>::type; 309 static const ShiftType kBitWidth = IntegerBitsPlusSign<T>::value; 310 const ShiftType real_shift = static_cast<ShiftType>(shift); 311 // Signed shift is not legal on negative values. 312 if (!IsValueNegative(x) && real_shift < kBitWidth) { 313 // Just use a multiplication because it's easy. 314 // TODO(jschuh): This could probably be made more efficient. 315 if (!std::is_signed<T>::value || real_shift != kBitWidth - 1) 316 return CheckedMulOp<T, T>::Do(x, static_cast<T>(1) << shift, result); 317 return !x; // Special case zero for a full width signed shift. 318 } 319 return false; 320 } 321 }; 322 323 template <typename T, typename U, class Enable = void> 324 struct CheckedRshOp {}; 325 326 // Right shift. Shifts less than 0 or greater than or equal to the number 327 // of bits in the promoted type are undefined. Otherwise, it is always defined, 328 // but a right shift of a negative value is implementation-dependent. 329 template <typename T, typename U> 330 struct CheckedRshOp<T, 331 U, 332 typename std::enable_if<std::is_integral<T>::value && 333 std::is_integral<U>::value>::type> { 334 using result_type = T; 335 template <typename V = result_type> 336 static bool Do(T x, U shift, V* result) { 337 // Use the type conversion push negative values out of range. 338 using ShiftType = typename std::make_unsigned<T>::type; 339 if (static_cast<ShiftType>(shift) < IntegerBitsPlusSign<T>::value) { 340 T tmp = x >> shift; 341 *result = static_cast<V>(tmp); 342 return IsValueInRangeForNumericType<V>(tmp); 343 } 344 return false; 345 } 346 }; 347 348 template <typename T, typename U, class Enable = void> 349 struct CheckedAndOp {}; 350 351 // For simplicity we support only unsigned integer results. 352 template <typename T, typename U> 353 struct CheckedAndOp<T, 354 U, 355 typename std::enable_if<std::is_integral<T>::value && 356 std::is_integral<U>::value>::type> { 357 using result_type = typename std::make_unsigned< 358 typename MaxExponentPromotion<T, U>::type>::type; 359 template <typename V = result_type> 360 static bool Do(T x, U y, V* result) { 361 result_type tmp = static_cast<result_type>(x) & static_cast<result_type>(y); 362 *result = static_cast<V>(tmp); 363 return IsValueInRangeForNumericType<V>(tmp); 364 } 365 }; 366 367 template <typename T, typename U, class Enable = void> 368 struct CheckedOrOp {}; 369 370 // For simplicity we support only unsigned integers. 371 template <typename T, typename U> 372 struct CheckedOrOp<T, 373 U, 374 typename std::enable_if<std::is_integral<T>::value && 375 std::is_integral<U>::value>::type> { 376 using result_type = typename std::make_unsigned< 377 typename MaxExponentPromotion<T, U>::type>::type; 378 template <typename V = result_type> 379 static bool Do(T x, U y, V* result) { 380 result_type tmp = static_cast<result_type>(x) | static_cast<result_type>(y); 381 *result = static_cast<V>(tmp); 382 return IsValueInRangeForNumericType<V>(tmp); 383 } 384 }; 385 386 template <typename T, typename U, class Enable = void> 387 struct CheckedXorOp {}; 388 389 // For simplicity we support only unsigned integers. 390 template <typename T, typename U> 391 struct CheckedXorOp<T, 392 U, 393 typename std::enable_if<std::is_integral<T>::value && 394 std::is_integral<U>::value>::type> { 395 using result_type = typename std::make_unsigned< 396 typename MaxExponentPromotion<T, U>::type>::type; 397 template <typename V = result_type> 398 static bool Do(T x, U y, V* result) { 399 result_type tmp = static_cast<result_type>(x) ^ static_cast<result_type>(y); 400 *result = static_cast<V>(tmp); 401 return IsValueInRangeForNumericType<V>(tmp); 402 } 403 }; 404 405 // Max doesn't really need to be implemented this way because it can't fail, 406 // but it makes the code much cleaner to use the MathOp wrappers. 407 template <typename T, typename U, class Enable = void> 408 struct CheckedMaxOp {}; 409 410 template <typename T, typename U> 411 struct CheckedMaxOp< 412 T, 413 U, 414 typename std::enable_if<std::is_arithmetic<T>::value && 415 std::is_arithmetic<U>::value>::type> { 416 using result_type = typename MaxExponentPromotion<T, U>::type; 417 template <typename V = result_type> 418 static bool Do(T x, U y, V* result) { 419 *result = IsGreater<T, U>::Test(x, y) ? static_cast<result_type>(x) 420 : static_cast<result_type>(y); 421 return true; 422 } 423 }; 424 425 // Min doesn't really need to be implemented this way because it can't fail, 426 // but it makes the code much cleaner to use the MathOp wrappers. 427 template <typename T, typename U, class Enable = void> 428 struct CheckedMinOp {}; 429 430 template <typename T, typename U> 431 struct CheckedMinOp< 432 T, 433 U, 434 typename std::enable_if<std::is_arithmetic<T>::value && 435 std::is_arithmetic<U>::value>::type> { 436 using result_type = typename LowestValuePromotion<T, U>::type; 437 template <typename V = result_type> 438 static bool Do(T x, U y, V* result) { 439 *result = IsLess<T, U>::Test(x, y) ? static_cast<result_type>(x) 440 : static_cast<result_type>(y); 441 return true; 442 } 443 }; 444 445 // This is just boilerplate that wraps the standard floating point arithmetic. 446 // A macro isn't the nicest solution, but it beats rewriting these repeatedly. 447 #define BASE_FLOAT_ARITHMETIC_OPS(NAME, OP) \ 448 template <typename T, typename U> \ 449 struct Checked##NAME##Op< \ 450 T, U, typename std::enable_if<std::is_floating_point<T>::value || \ 451 std::is_floating_point<U>::value>::type> { \ 452 using result_type = typename MaxExponentPromotion<T, U>::type; \ 453 template <typename V> \ 454 static bool Do(T x, U y, V* result) { \ 455 using Promotion = typename MaxExponentPromotion<T, U>::type; \ 456 Promotion presult = x OP y; \ 457 *result = static_cast<V>(presult); \ 458 return IsValueInRangeForNumericType<V>(presult); \ 459 } \ 460 }; 461 462 BASE_FLOAT_ARITHMETIC_OPS(Add, +) 463 BASE_FLOAT_ARITHMETIC_OPS(Sub, -) 464 BASE_FLOAT_ARITHMETIC_OPS(Mul, *) 465 BASE_FLOAT_ARITHMETIC_OPS(Div, /) 466 467 #undef BASE_FLOAT_ARITHMETIC_OPS 468 469 // Wrap the unary operations to allow SFINAE when instantiating integrals versus 470 // floating points. These don't perform any overflow checking. Rather, they 471 // exhibit well-defined overflow semantics and rely on the caller to detect 472 // if an overflow occured. 473 474 template <typename T, 475 typename std::enable_if<std::is_integral<T>::value>::type* = nullptr> 476 constexpr T NegateWrapper(T value) { 477 using UnsignedT = typename std::make_unsigned<T>::type; 478 // This will compile to a NEG on Intel, and is normal negation on ARM. 479 return static_cast<T>(UnsignedT(0) - static_cast<UnsignedT>(value)); 480 } 481 482 template < 483 typename T, 484 typename std::enable_if<std::is_floating_point<T>::value>::type* = nullptr> 485 constexpr T NegateWrapper(T value) { 486 return -value; 487 } 488 489 template <typename T, 490 typename std::enable_if<std::is_integral<T>::value>::type* = nullptr> 491 constexpr typename std::make_unsigned<T>::type InvertWrapper(T value) { 492 return ~value; 493 } 494 495 template <typename T, 496 typename std::enable_if<std::is_integral<T>::value>::type* = nullptr> 497 constexpr T AbsWrapper(T value) { 498 return static_cast<T>(SafeUnsignedAbs(value)); 499 } 500 501 template < 502 typename T, 503 typename std::enable_if<std::is_floating_point<T>::value>::type* = nullptr> 504 constexpr T AbsWrapper(T value) { 505 return value < 0 ? -value : value; 506 } 507 508 // Floats carry around their validity state with them, but integers do not. So, 509 // we wrap the underlying value in a specialization in order to hide that detail 510 // and expose an interface via accessors. 511 enum NumericRepresentation { 512 NUMERIC_INTEGER, 513 NUMERIC_FLOATING, 514 NUMERIC_UNKNOWN 515 }; 516 517 template <typename NumericType> 518 struct GetNumericRepresentation { 519 static const NumericRepresentation value = 520 std::is_integral<NumericType>::value 521 ? NUMERIC_INTEGER 522 : (std::is_floating_point<NumericType>::value ? NUMERIC_FLOATING 523 : NUMERIC_UNKNOWN); 524 }; 525 526 template <typename T, NumericRepresentation type = 527 GetNumericRepresentation<T>::value> 528 class CheckedNumericState {}; 529 530 // Integrals require quite a bit of additional housekeeping to manage state. 531 template <typename T> 532 class CheckedNumericState<T, NUMERIC_INTEGER> { 533 private: 534 // is_valid_ precedes value_ because member intializers in the constructors 535 // are evaluated in field order, and is_valid_ must be read when initializing 536 // value_. 537 bool is_valid_; 538 T value_; 539 540 // Ensures that a type conversion does not trigger undefined behavior. 541 template <typename Src> 542 static constexpr T WellDefinedConversionOrZero(const Src value, 543 const bool is_valid) { 544 using SrcType = typename internal::UnderlyingType<Src>::type; 545 return (std::is_integral<SrcType>::value || is_valid) 546 ? static_cast<T>(value) 547 : static_cast<T>(0); 548 } 549 550 public: 551 template <typename Src, NumericRepresentation type> 552 friend class CheckedNumericState; 553 554 constexpr CheckedNumericState() : is_valid_(true), value_(0) {} 555 556 template <typename Src> 557 constexpr CheckedNumericState(Src value, bool is_valid) 558 : is_valid_(is_valid && IsValueInRangeForNumericType<T>(value)), 559 value_(WellDefinedConversionOrZero(value, is_valid_)) { 560 static_assert(std::is_arithmetic<Src>::value, "Argument must be numeric."); 561 } 562 563 // Copy constructor. 564 template <typename Src> 565 constexpr CheckedNumericState(const CheckedNumericState<Src>& rhs) 566 : is_valid_(rhs.IsValid()), 567 value_(WellDefinedConversionOrZero(rhs.value(), is_valid_)) {} 568 569 template <typename Src> 570 constexpr explicit CheckedNumericState(Src value) 571 : is_valid_(IsValueInRangeForNumericType<T>(value)), 572 value_(WellDefinedConversionOrZero(value, is_valid_)) {} 573 574 constexpr bool is_valid() const { return is_valid_; } 575 constexpr T value() const { return value_; } 576 }; 577 578 // Floating points maintain their own validity, but need translation wrappers. 579 template <typename T> 580 class CheckedNumericState<T, NUMERIC_FLOATING> { 581 private: 582 T value_; 583 584 // Ensures that a type conversion does not trigger undefined behavior. 585 template <typename Src> 586 static constexpr T WellDefinedConversionOrNaN(const Src value, 587 const bool is_valid) { 588 using SrcType = typename internal::UnderlyingType<Src>::type; 589 return (StaticDstRangeRelationToSrcRange<T, SrcType>::value == 590 NUMERIC_RANGE_CONTAINED || 591 is_valid) 592 ? static_cast<T>(value) 593 : std::numeric_limits<T>::quiet_NaN(); 594 } 595 596 public: 597 template <typename Src, NumericRepresentation type> 598 friend class CheckedNumericState; 599 600 constexpr CheckedNumericState() : value_(0.0) {} 601 602 template <typename Src> 603 constexpr CheckedNumericState(Src value, bool is_valid) 604 : value_(WellDefinedConversionOrNaN(value, is_valid)) {} 605 606 template <typename Src> 607 constexpr explicit CheckedNumericState(Src value) 608 : value_(WellDefinedConversionOrNaN( 609 value, 610 IsValueInRangeForNumericType<T>(value))) {} 611 612 // Copy constructor. 613 template <typename Src> 614 constexpr CheckedNumericState(const CheckedNumericState<Src>& rhs) 615 : value_(WellDefinedConversionOrNaN( 616 rhs.value(), 617 rhs.is_valid() && IsValueInRangeForNumericType<T>(rhs.value()))) {} 618 619 constexpr bool is_valid() const { 620 // Written this way because std::isfinite is not reliably constexpr. 621 // TODO(jschuh): Fix this if the libraries ever get fixed. 622 return value_ <= std::numeric_limits<T>::max() && 623 value_ >= std::numeric_limits<T>::lowest(); 624 } 625 constexpr T value() const { return value_; } 626 }; 627 628 template <template <typename, typename, typename> class M, 629 typename L, 630 typename R> 631 struct MathWrapper { 632 using math = M<typename UnderlyingType<L>::type, 633 typename UnderlyingType<R>::type, 634 void>; 635 using type = typename math::result_type; 636 }; 637 638 } // namespace internal 639 } // namespace base 640 641 #endif // BASE_NUMERICS_SAFE_MATH_IMPL_H_ 642