Add variadic helper functions for CheckedNumeric math operations

base/numerics/safe_math.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef BASE_NUMERICS_SAFE_MATH_H_
 #define BASE_NUMERICS_SAFE_MATH_H_
 
 #include <stddef.h>
 
 #include <limits>
 #include <type_traits>
 
 #include "base/numerics/safe_math_impl.h"
 
 namespace base {
-
 namespace internal {
 
 // CheckedNumeric implements all the logic and operators for detecting integer
 // boundary conditions such as overflow, underflow, and invalid conversions.
 // The CheckedNumeric type implicitly converts from floating point and integer
 // data types, and contains overloads for basic arithmetic operations (i.e.: +,
 // -, *, /, %).
 //
 // The following methods convert from CheckedNumeric to standard numeric values:
 // IsValid() - Returns true if the underlying numeric value is valid (i.e. has
 //             has not wrapped and is not the result of an invalid conversion).
 // ValueOrDie() - Returns the underlying value. If the state is not valid this
 //                call will crash on a CHECK.
 // ValueOrDefault() - Returns the current value, or the supplied default if the
-//                    state is not valid.
+//                    state is not valid (will not trigger a CHECK).
 // ValueFloating() - Returns the underlying floating point value (valid only
-//                   only for floating point CheckedNumeric types).
+//                   only for floating point CheckedNumeric types; will not
+//                   trigger a CHECK).
+//
+// You may also use one of the variadic convenience functions, which accept
+// standard arithmetic or CheckedNumeric types, perform arithmetic operations,
+// and return a CheckedNumeric result. The supported functions are:
+//   * CheckedAdd() - addition

[Tom Sepez, 2016/11/23 16:54:58]

Can I explicitly specialize these, for instance if I need an int32_t and I'm
adding a bunch of random crap, eg.

int32_t x = CheckedAdd<int32_t>(....) with int64 types as args?

[jschuh, 2016/11/23 19:18:00]

That's a good idea. I can add it.

[Tom Sepez, 2016/11/23 19:47:08]

I guess I worry about something getting silently promoted to 64-bits, and then
passing that to a smaller function argument.

void frob(int32_t x) {}
int32_t h, w;
...
frob(CheckMul(h, w).ValueOrDefault(0));

Does that give a compilation error? Or is the result type int32_t?  

[Tom Sepez, 2016/11/23 19:47:08]

Yeah, I kinda worry about something getting silently promoted to int64, and then
passing that to an int32 function argument.

[jschuh, 2016/11/23 21:49:22]

Okay, we might have a miscommunication here. I have another CL in progress with
a proxy class to try to catch the scenario you're referring to. However, we've
had that problem the whole time, so this adds no new risk on that front. Also, I
want to honor the natural arithmetic promotions, so I don't want to require an
explicit return type. And it turns out there's no nice way to make it optional
with a function template, so I just added a Cast<T> method to CheckedNumeric,
which serves the same purposes.

+//   * CheckedSub() - subtraction
+//   * CheckedMul() - multiplication
+//   * CheckedDiv() - division
+//   * CheckedMod() - modulous (integer only)
+//   * CheckedLsh() - left integer shift (integer only)
+//   * CheckedRsh() - right integer shift (integer only)
 //
 // Bitwise operations are explicitly not supported, because correct
 // handling of some cases (e.g. sign manipulation) is ambiguous. Comparison
 // operations are explicitly not supported because they could result in a crash
 // on a CHECK condition. You should use patterns like the following for these
 // operations:
 // Bitwise operation:
 //     CheckedNumeric<int> checked_int = untrusted_input_value;
 //     int x = checked_int.ValueOrDefault(0) | kFlagValues;
 // Comparison:
 //   CheckedNumeric<size_t> checked_size = untrusted_input_value;
 //   checked_size += HEADER LENGTH;
 //   if (checked_size.IsValid() && checked_size.ValueOrDie() < buffer_size)
 //     Do stuff...
 
 template <typename T>
-class CheckedNumeric;
-
-// Used to treat CheckedNumeric and arithmetic underlying types the same.
-template <typename T>
-struct UnderlyingType {
-  using type = T;
-  static const bool is_numeric = std::is_arithmetic<T>::value;
-  static const bool is_checked = false;
-};
-
-template <typename T>
-struct UnderlyingType<CheckedNumeric<T>> {
-  using type = T;
-  static const bool is_numeric = true;
-  static const bool is_checked = true;
-};
-
-template <typename T>
 class CheckedNumeric {
   static_assert(std::is_arithmetic<T>::value,
                 "CheckedNumeric<T>: T must be a numeric type.");
 
  public:
   typedef T type;
 
   constexpr CheckedNumeric() {}
 
   // Copy constructor.
@@ skipping 112 matching lines @@
     *this -= 1;
     return value;
   }
 
   // These perform the actual math operations on the CheckedNumerics.
   // Binary arithmetic operations.
   template <template <typename, typename, typename> class M,
             typename L,
             typename R>
   static CheckedNumeric MathOp(const L& lhs, const R& rhs) {
-    using Math = M<typename UnderlyingType<L>::type,
-                   typename UnderlyingType<R>::type, void>;
+    using Math = typename MathWrapper<M, L, R>::math;
     T result = 0;
     bool is_valid =
         Wrapper<L>::is_valid(lhs) && Wrapper<R>::is_valid(rhs) &&
-        Math::Op(Wrapper<L>::value(lhs), Wrapper<R>::value(rhs), &result);
+        Math::Do(Wrapper<L>::value(lhs), Wrapper<R>::value(rhs), &result);
     return CheckedNumeric<T>(result, is_valid);
   };
 
   // Assignment arithmetic operations.
   template <template <typename, typename, typename> class M, typename R>
   CheckedNumeric& MathOp(const R& rhs) {
-    using Math = M<T, typename UnderlyingType<R>::type, void>;
+    using Math = typename MathWrapper<M, T, R>::math;
     T result = 0;  // Using T as the destination saves a range check.
     bool is_valid = state_.is_valid() && Wrapper<R>::is_valid(rhs) &&
-                    Math::Op(state_.value(), Wrapper<R>::value(rhs), &result);
+                    Math::Do(state_.value(), Wrapper<R>::value(rhs), &result);
     *this = CheckedNumeric<T>(result, is_valid);
     return *this;
   };
 
  private:
   CheckedNumericState<T> state_;
 
   template <typename Src>
   constexpr CheckedNumeric(Src value, bool is_valid)
       : state_(value, is_valid) {}
@@ skipping 10 matching lines @@
   struct Wrapper<CheckedNumeric<Src>> {
     static constexpr bool is_valid(const CheckedNumeric<Src>& v) {
       return v.IsValid();
     }
     static constexpr Src value(const CheckedNumeric<Src>& v) {
       return v.state_.value();
     }
   };
 };
 
+// These variadic templates work out the return types.
+// TODO(jschuh): Rip all this out once we have C++14 non-trailing auto support.
+template <template <typename, typename, typename> class M,
+          typename L,
+          typename R,
+          typename... Args>
+struct ResultType;
+
+template <template <typename, typename, typename> class M,
+          typename L,
+          typename R>
+struct ResultType<M, L, R> {
+  using type = typename MathWrapper<M, L, R>::type;
+};
+
+template <template <typename, typename, typename> class M,
+          typename L,
+          typename R,
+          typename... Args>
+struct ResultType {
+  // The typedef was required here because MSVC fails to compile with "using".

[Tom Sepez, 2016/11/23 16:52:06]

Let's get Bruce to weigh in on this one - at least push the issue upwards.

[jschuh, 2016/11/23 19:18:00]

I've learned that any complex type resolution with using is kinda broken in
MSVS. I've hit it in a few different places this week, and I was planning on
following up with Bruce about it when I got back.

+  typedef
+      typename ResultType<M, typename ResultType<M, L, R>::type, Args...>::type
+          type;
+};
+
+// These implement the variadic wrapper for the math operations.
+template <template <typename, typename, typename> class M,
+          typename L,
+          typename R>
+CheckedNumeric<typename MathWrapper<M, L, R>::type> ChkMathOp(const L lhs,
+                                                              const R rhs) {
+  using Math = typename MathWrapper<M, L, R>::math;
+  return CheckedNumeric<typename Math::result_type>::template MathOp<M>(lhs,
+                                                                        rhs);
+};
+
+template <template <typename, typename, typename> class M,
+          typename L,
+          typename R,
+          typename... Args>
+CheckedNumeric<typename ResultType<M, L, R, Args...>::type>
+ChkMathOp(const L lhs, const R rhs, const Args... args) {
+  auto tmp = ChkMathOp<M>(lhs, rhs);
+  return tmp.IsValid() ? ChkMathOp<M>(tmp, args...)
+                       : decltype(ChkMathOp<M>(tmp, args...))(tmp);
+};
+
 // This is just boilerplate for the standard arithmetic operator overloads.
 // A macro isn't the nicest solution, but it beats rewriting these repeatedly.
-#define BASE_NUMERIC_ARITHMETIC_OPERATORS(NAME, OP, COMPOUND_OP)              \
-  /* Binary arithmetic operator for all CheckedNumeric operations. */         \
-  template <typename L, typename R,                                           \
-            typename std::enable_if<UnderlyingType<L>::is_numeric &&          \
-                                    UnderlyingType<R>::is_numeric &&          \
-                                    (UnderlyingType<L>::is_checked ||         \
-                                     UnderlyingType<R>::is_checked)>::type* = \
-                nullptr>                                                      \
-  CheckedNumeric<                                                             \
-      typename Checked##NAME<typename UnderlyingType<L>::type,                \
-                             typename UnderlyingType<R>::type>::result_type>  \
-  operator OP(const L lhs, const R rhs) {                                     \
-    return decltype(lhs OP rhs)::template MathOp<Checked##NAME>(lhs, rhs);    \
-  }                                                                           \
-  /* Assignment arithmetic operator implementation from CheckedNumeric. */    \
-  template <typename L>                                                       \
-  template <typename R>                                                       \
-  CheckedNumeric<L>& CheckedNumeric<L>::operator COMPOUND_OP(const R rhs) {   \
-    return MathOp<Checked##NAME>(rhs);                                        \
+#define BASE_NUMERIC_ARITHMETIC_OPERATORS(NAME, OP, COMPOUND_OP)               \
+  /* Binary arithmetic operator for all CheckedNumeric operations. */          \
+  template <typename L, typename R,                                            \
+            typename std::enable_if<IsCheckedOp<L, R>::value>::type* =         \
+                nullptr>                                                       \
+  CheckedNumeric<typename MathWrapper<Checked##NAME##Op, L, R>::type>          \
+  operator OP(const L lhs, const R rhs) {                                      \
+    return decltype(lhs OP rhs)::template MathOp<Checked##NAME##Op>(lhs, rhs); \
+  }                                                                            \
+  /* Assignment arithmetic operator implementation from CheckedNumeric. */     \
+  template <typename L>                                                        \
+  template <typename R>                                                        \
+  CheckedNumeric<L>& CheckedNumeric<L>::operator COMPOUND_OP(const R rhs) {    \
+    return MathOp<Checked##NAME##Op>(rhs);                                     \
+  }                                                                            \
+  /* Variadic arithmetic functions that return CheckedNumeric. */              \
+  template <typename L, typename R, typename... Args>                          \
+  CheckedNumeric<typename ResultType<Checked##NAME##Op, L, R, Args...>::type>  \
+      Checked##NAME(const L lhs, const R rhs, const Args... args) {            \
+    return ChkMathOp<Checked##NAME##Op, L, R, Args...>(lhs, rhs, args...);     \
   }
 
 BASE_NUMERIC_ARITHMETIC_OPERATORS(Add, +, +=)
 BASE_NUMERIC_ARITHMETIC_OPERATORS(Sub, -, -=)
 BASE_NUMERIC_ARITHMETIC_OPERATORS(Mul, *, *=)
 BASE_NUMERIC_ARITHMETIC_OPERATORS(Div, /, /=)
 BASE_NUMERIC_ARITHMETIC_OPERATORS(Mod, %, %=)
-BASE_NUMERIC_ARITHMETIC_OPERATORS(LeftShift, <<, <<=)
-BASE_NUMERIC_ARITHMETIC_OPERATORS(RightShift, >>, >>=)
+BASE_NUMERIC_ARITHMETIC_OPERATORS(Lsh, <<, <<=)
+BASE_NUMERIC_ARITHMETIC_OPERATORS(Rsh, >>, >>=)
 
 #undef BASE_NUMERIC_ARITHMETIC_OPERATORS
 
 }  // namespace internal
 
 using internal::CheckedNumeric;
+using internal::CheckedAdd;
+using internal::CheckedSub;
+using internal::CheckedMul;
+using internal::CheckedDiv;
+using internal::CheckedMod;
+using internal::CheckedLsh;
+using internal::CheckedRsh;
 
 }  // namespace base
 
 #endif  // BASE_NUMERICS_SAFE_MATH_H_