Chromium Code Reviews Chromium Code Reviews
Issue 11886037:
Add numeric_cast for checked integral narrowing casts (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef BASE_SAFE_NUMERICS_H_ | |
| 6 #define BASE_SAFE_NUMERICS_H_ | |
| 7 | |
| 8 #include <limits> | |
| 9 | |
| 10 #include "base/logging.h" | |
| 11 | |
| 12 namespace base { | |
| 13 namespace internal { | |
| 14 | |
| 15 template <bool SameSize, bool DestLarger, | |
| 16 bool DestIsSigned, bool SourceIsSigned> | |
| 17 struct IsValidNumericCastImpl; | |
| 18 | |
| 19 #define BASE_NUMERIC_CAST_CASE_SPECIALIZATION(A, B, C, D, Code) \ | |
| 20 template <> struct IsValidNumericCastImpl<A, B, C, D> { \ | |
| 21 template <class Source, class DestBounds> static inline bool Test( \ | |
| 22 Source source, DestBounds min, DestBounds max) { \ | |
| 23 return Code; \ | |
| 24 } \ | |
| 25 } | |
| 26 | |
| 27 #define BASE_NUMERIC_CAST_CASE_SAME_SIZE(DestSigned, SourceSigned, Code) \ | |
| 28 BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \ | |
| 29 true, true, DestSigned, SourceSigned, Code); \ | |
| 30 BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \ | |
| 31 true, false, DestSigned, SourceSigned, Code) | |
| 32 | |
| 33 #define BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(DestSigned, SourceSigned, Code) \ | |
| 34 BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \ | |
| 35 false, false, DestSigned, SourceSigned, Code); \ | |
| 36 | |
| 37 #define BASE_NUMERIC_CAST_CASE_DEST_LARGER(DestSigned, SourceSigned, Code) \ | |
| 38 BASE_NUMERIC_CAST_CASE_SPECIALIZATION( \ | |
| 39 false, true, DestSigned, SourceSigned, Code); \ | |
| 40 | |
| 41 // The three top level cases are: | |
| 42 // - Same size | |
| 43 // - Source larger | |
| 44 // - Dest larger | |
| 45 // And for each of those three cases, we handle the 4 different possibilities | |
| 46 // of signed and unsigned. This gives 12 cases to handle, which we enumerate | |
| 47 // below. | |
| 48 // | |
| 49 // The last argument in each of the macros is the actual comparison code. It | |
| 50 // has three arguments available, source (the value), and min/max which are | |
| 51 // the ranges of the destination. | |
| 52 | |
| 53 | |
| 54 // These are the cases where both types have the same size. | |
| 55 | |
| 56 // Both signed. | |
| 57 BASE_NUMERIC_CAST_CASE_SAME_SIZE(true, true, true); | |
| 58 // Both unsigned. | |
| 59 BASE_NUMERIC_CAST_CASE_SAME_SIZE(false, false, true); | |
| 60 // Dest unsigned, Source signed. | |
| 61 BASE_NUMERIC_CAST_CASE_SAME_SIZE(false, true, source >= 0); | |
| 62 // Dest signed, Source unsigned. | |
| 63 // This cast is OK because Dest's max must be less than Source's. | |
| 64 BASE_NUMERIC_CAST_CASE_SAME_SIZE(true, false, | |
| 65 source <= static_cast<Source>(max)); | |
| 66 | |
| 67 | |
| 68 // These are the cases where Source is larger. | |
| 69 | |
| 70 // Both unsigned. | |
| 71 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(false, false, source <= max); | |
| 72 // Both signed. | |
| 73 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(true, true, | |
| 74 source >= min && source <= max); | |
| 75 // Dest is unsigned, Source is signed. | |
| 76 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(false, true, | |
| 77 source >= 0 && source <= max); | |
| 78 // Dest is signed, Source is unsigned. | |
| 79 // This cast is OK because Dest's max must be less than Source's. | |
| 80 BASE_NUMERIC_CAST_CASE_SOURCE_LARGER(true, false, | |
| 81 source <= static_cast<Source>(max)); | |
| 82 | |
| 83 | |
| 84 // These are the cases where Dest is larger. | |
| 85 | |
| 86 // Both unsigned. | |
| 87 BASE_NUMERIC_CAST_CASE_DEST_LARGER(false, false, true); | |
| 88 // Both signed. | |
| 89 BASE_NUMERIC_CAST_CASE_DEST_LARGER(true, true, true); | |
| 90 // Dest is unsigned, Source is signed. | |
| 91 BASE_NUMERIC_CAST_CASE_DEST_LARGER(false, true, source >= 0); | |
| 92 // Dest is signed, Source is unsigned. | |
| 93 BASE_NUMERIC_CAST_CASE_DEST_LARGER(true, false, true); | |
| 94 | |
| 95 #undef BASE_NUMERIC_CAST_CASE_SPECIALIZATION | |
| 96 #undef BASE_NUMERIC_CAST_CASE_SAME_SIZE | |
| 97 #undef BASE_NUMERIC_CAST_CASE_SOURCE_LARGER | |
| 98 #undef BASE_NUMERIC_CAST_CASE_DEST_LARGER | |
| 99 | |
| 100 | |
| 101 // The main test for whether the conversion will under or overflow. | |
| 102 template <class Dest, class Source> | |
| 103 inline bool IsValidNumericCast(Source source) { | |
| 104 typedef std::numeric_limits<Source> SourceLimits; | |
| 105 typedef std::numeric_limits<Dest> DestLimits; | |
| 106 COMPILE_ASSERT(SourceLimits::is_specialized, argument_must_be_numeric); | |
| 107 COMPILE_ASSERT(SourceLimits::is_integer, argument_must_be_integral); | |
| 108 COMPILE_ASSERT(DestLimits::is_specialized, result_must_be_numeric); | |
| 109 COMPILE_ASSERT(DestLimits::is_integer, result_must_be_integral); | |
| 110 | |
| 111 return IsValidNumericCastImpl< | |
| 112 sizeof(Dest) == sizeof(Source), | |
| 113 (sizeof(Dest) > sizeof(Source)), | |
| 114 DestLimits::is_signed, | |
| 115 SourceLimits::is_signed>::Test( | |
| 116 source, | |
| 117 DestLimits::min(), | |
| 118 DestLimits::max()); | |
| 119 } | |
| 120 | |
| 121 } // namespace internal | |
| 122 | |
| 123 // numeric_cast<> is analogous to static_cast<> for numeric types, except that | |
|
wtc
2013/01/25 15:40:59
The cast is checked_numeric_cast not numeric_cast,
| |
| 124 // it CHECKs that the specified numeric conversion will not overflow or | |
| 125 // underflow. Floating point arguments are not currently allowed (this is | |
| 126 // COMPILE_ASSERTd), though this could be supported if necessary. | |
| 127 template <class Dest, class Source> | |
| 128 inline Dest checked_numeric_cast(Source source) { | |
| 129 CHECK(internal::IsValidNumericCast<Dest>(source)); | |
| 130 return static_cast<Dest>(source); | |
| 131 } | |
| 132 | |
| 133 } // namespace base | |
| 134 | |
| 135 #endif // BASE_SAFE_NUMERICS_H_ | |
| OLD | NEW |
