Expand support in safe_numeric.h

base/safe_numerics_impl.h

Index: base/safe_numerics_impl.h
===================================================================
--- base/safe_numerics_impl.h	(revision 0)
+++ base/safe_numerics_impl.h	(revision 0)
@@ -0,0 +1,174 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_SAFE_NUMERICS_IMPL_H_
+#define BASE_SAFE_NUMERICS_IMPL_H_
+
+#include <limits>
+
+#include "base/macros.h"
+
+namespace base {
+namespace internal {
+
+enum DstSign {
+  DST_UNSIGNED,
+  DST_SIGNED
+};
+
+enum SrcSign {
+  SRC_UNSIGNED,
+  SRC_SIGNED
+};
+
+enum DstRange {
+  OVERLAPS_RANGE,
+  CONTAINS_RANGE
+};
+
+// Helper templates to statically determine if our destination type can contain
+// all values represented by the source type.
+
+template <typename Dst, typename Src,
+          DstSign IsDstSigned = std::numeric_limits<Dst>::is_signed ?
+                                DST_SIGNED : DST_UNSIGNED,
+          SrcSign IsSrcSigned = std::numeric_limits<Src>::is_signed ?
+                                SRC_SIGNED : SRC_UNSIGNED>
+struct StaticRangeCheck {};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_SIGNED, SRC_SIGNED> {
+  // Pad floating point value sizes so they're treated as larger than integral.
+  static const size_t DstEffectiveSize = sizeof(Dst) <<

[akalin, 2014/01/16 00:21:55]

I'm a bit confused by this padding. From your comment above, I would expect
floating-point type sizes to be *reduced* to account for the reduced number of
mantissa bits (e.g., a 32-bit float cannot hold all 32-bit numbers without
losing precision).

I'm guessing you're just checking that the interval [dst_min, dst_max] contains
[src_min, src_max] without worrying about precision? If so, perhaps add a
comment clarifying that.

I guess the padding value of 4 is just to make sure the check passes for a
32-bit float dst and a {32,64,128}-bit signed int? Would it be clearer to use
max_exponent instead? Although it's annoying that it's defined only for
floating-point types -- you'd have to then use sizeof() * 8 - 1 for integers.

[jschuh, 2014/01/16 01:26:31]

Good point. I'll use max_exponent and add a clarifying comment.

+      (std::numeric_limits<Dst>::is_iec559 * 2);
+  static const size_t SrcEffectiveSize = sizeof(Src) <<
+      (std::numeric_limits<Src>::is_iec559 * 2);
+  static const DstRange value = DstEffectiveSize >= SrcEffectiveSize ?
+                                CONTAINS_RANGE : OVERLAPS_RANGE;
+};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_UNSIGNED, SRC_UNSIGNED> {
+  static const DstRange value = sizeof(Dst) >= sizeof(Src) ?
+                                CONTAINS_RANGE : OVERLAPS_RANGE;
+};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_SIGNED, SRC_UNSIGNED> {
+  // Pad floating point value sizes so they're treated as larger than integral.
+  static const size_t DstEffectiveSize = sizeof(Dst) <<
+      (std::numeric_limits<Dst>::is_iec559 * 2);
+  static const size_t SrcEffectiveSize = sizeof(Src) <<

[akalin, 2014/01/16 00:21:55]

src is unsigned, so it can't be iec559, right? (I don't think this is explicitly
stated in the library docs, but you seem to make this assumption for
DST_UNSIGNED, SRC_UNSIGNED) So can't you just use sizeof(Src)?

[jschuh, 2014/01/16 01:26:31]

Done.

+      (std::numeric_limits<Src>::is_iec559 * 2);
+  static const DstRange value = DstEffectiveSize > SrcEffectiveSize ?
+                                CONTAINS_RANGE : OVERLAPS_RANGE;
+};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_UNSIGNED, SRC_SIGNED> {
+  static const DstRange value = OVERLAPS_RANGE;
+};
+
+
+enum RangeCheckResult {
+  TYPE_VALID = 0,      // Value can be represented by the destination type.
+  TYPE_UNDERFLOW = 1,  // Value would overflow.
+  TYPE_OVERFLOW = 2,   // Value would underflow.
+  TYPE_INVALID = 3     // Source value is invalid (i.e. NaN).
+};
+
+// This macro creates a RangeCheckResult from an upper and lower bound
+// check by taking advantage of the fact that only NaN can be out of range in
+// both directions at once.
+#define BASE_NUMERIC_RANGE_CHECK_RESULT(is_in_upper_bound, is_in_lower_bound) \
+    RangeCheckResult(((is_in_upper_bound) ? 0 : TYPE_OVERFLOW) | \
+                            ((is_in_lower_bound) ? 0 : TYPE_UNDERFLOW))
+
+template <typename Dst,
+          typename Src,
+          DstSign IsDstSigned = std::numeric_limits<Dst>::is_signed ?
+                                DST_SIGNED : DST_UNSIGNED,
+          SrcSign IsSrcSigned = std::numeric_limits<Src>::is_signed ?
+                                SRC_SIGNED : SRC_UNSIGNED,
+          DstRange IsSrcRangeContained = StaticRangeCheck<Dst, Src>::value>
+struct RangeCheckImpl {};
+
+// The following templates are for ranges that must be verified at runtime. We
+// split it into checks based on signedness to avoid confusing casts and
+// compiler warnings on signed an unsigned comparisons.
+
+// Dst range always contains the result: nothing to check.
+template <typename Dst, typename Src, DstSign IsDstSigned, SrcSign IsSrcSigned>
+struct RangeCheckImpl<Dst, Src, IsDstSigned, IsSrcSigned,
+                             CONTAINS_RANGE> {

[akalin, 2014/01/16 00:21:55]

append to prev line?

[jschuh, 2014/01/16 01:26:31]

Done.

+  static RangeCheckResult Check(Src value) {
+    return BASE_NUMERIC_RANGE_CHECK_RESULT(true, true);

[akalin, 2014/01/16 00:21:55]

probably clearer to return TYPE_VALID directly

[jschuh, 2014/01/16 01:26:31]

Done.

+  }
+};
+
+// Signed to signed narrowing.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_SIGNED, SRC_SIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Dst> DstLimits;
+    return DstLimits::is_iec559 ?
+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()),
+               value >= static_cast<Src>(DstLimits::max() * -1)) :
+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()),
+               value >= static_cast<Src>(DstLimits::min()));
+  }
+};
+
+// Unsigned to unsigned narrowing.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_UNSIGNED, SRC_UNSIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Dst> DstLimits;
+    return BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()), true);
+  }
+};
+
+// Unsigned to signed.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_SIGNED, SRC_UNSIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Dst> DstLimits;
+    return sizeof(Dst) > sizeof(Src) ?
+           BASE_NUMERIC_RANGE_CHECK_RESULT(true, true) :

[akalin, 2014/01/16 00:21:55]

TYPE_VALID?

[jschuh, 2014/01/16 01:26:31]

Done.

+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()), true);
+  }
+};
+
+// Signed to unsigned.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_UNSIGNED, SRC_SIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Src> SrcLimits;
+    typedef std::numeric_limits<Dst> DstLimits;
+    return (SrcLimits::is_integer && sizeof(Dst) >= sizeof(Src)) ?

[akalin, 2014/01/16 00:21:55]

you can probably relax this check if Dst is a floating-point, right? i.e. use
DstEffectiveSize as above (so it'll pass if Dst is 32-bit float and Src is
{32,64,128}-bit float. Up to you if it's worth doing.

[jschuh, 2014/01/16 01:26:31]

But Dst is unsigned here, so it can't be a float. However, good point about
using max_exponent here as well.

+           BASE_NUMERIC_RANGE_CHECK_RESULT(true, value >= static_cast<Src>(0)) :
+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()),
+               value >= static_cast<Src>(0));
+  }
+};
+
+template <typename Dst, typename Src>
+inline RangeCheckResult RangeCheck(Src value) {
+  COMPILE_ASSERT(std::numeric_limits<Src>::is_specialized,
+                 argument_must_be_numeric);
+  COMPILE_ASSERT(std::numeric_limits<Dst>::is_specialized,
+                 result_must_be_numeric);
+  return RangeCheckImpl<Dst, Src>::Check(value);
+}
+
+}  // namespace internal
+}  // namespace base
+
+#endif  // BASE_SAFE_NUMERICS_IMPL_H_
+
Property changes on: base\safe_numerics_impl.h
___________________________________________________________________
Added: svn:eol-style
   + LF