Fix silent truncations when extracting values from CheckedNumeric

base/numerics/safe_conversions.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef BASE_NUMERICS_SAFE_CONVERSIONS_H_
 #define BASE_NUMERICS_SAFE_CONVERSIONS_H_
 
 #include <stddef.h>
+#include <stdlib.h>
 
 #include <cassert>
 #include <limits>
+#include <ostream>
 #include <type_traits>
 
 #include "base/numerics/safe_conversions_impl.h"
 
 namespace base {
 
 // Convenience function that returns true if the supplied value is in range
 // for the destination type.
 template <typename Dst, typename Src>
 constexpr bool IsValueInRangeForNumericType(Src value) {
@@ skipping 62 matching lines @@
 constexpr Dst saturated_cast_impl(const Src value,
                                   const RangeConstraint constraint) {
   return constraint == RANGE_VALID
              ? static_cast<Dst>(value)
              : (constraint == RANGE_UNDERFLOW
                     ? std::numeric_limits<Dst>::min()
                     : (constraint == RANGE_OVERFLOW
                            ? std::numeric_limits<Dst>::max()
                            : NaNHandler::template HandleFailure<Dst>()));
 }
-}  // namespace internal
 
 // saturated_cast<> is analogous to static_cast<> for numeric types, except
 // that the specified numeric conversion will saturate rather than overflow or
 // underflow. NaN assignment to an integral will defer the behavior to a
 // specified class. By default, it will return 0.
 template <typename Dst,
           class NaNHandler = SaturatedCastNaNBehaviorReturnZero,
           typename Src>
 constexpr Dst saturated_cast(Src value) {
   return std::numeric_limits<Dst>::is_iec559
              ? static_cast<Dst>(value)  // Floating point optimization.
              : internal::saturated_cast_impl<Dst, NaNHandler>(
                    value, internal::DstRangeRelationToSrcRange<Dst>(value));
 }
 
+// The following macro attempts to determine if the passed expression is a
+// compile-time constant. GCC and clang have a compiler intrinsic for this,
+// but MSVS needs to use a hack where compile-time expression evaluation will
+// generate a zero constant that will trigger a different function overload
+// than a compile-time variable would.
+#if defined(__GNUC__) || defined(__clang__)
+#define IS_COMPILE_TIME_CONSTANT(V) __builtin_constant_p(V)
+#else
+struct ConstTest {
+  struct PlaceHolder {
+    PlaceHolder(int64_t x) {}
+  };
+  static int8_t Test(void*) { return int8_t(); }
+  static int64_t Test(PlaceHolder) { return int64_t(); }
+};
+
+#define IS_COMPILE_TIME_CONSTANT(V) \
+  (std::is_same<int8_t, decltype(internal::ConstTest::Test((V) - (V)))>::value)
+#endif
+
+// The test goes here because we undef the macro when we're done with it.
+inline void TestCompileTimeConstantSupport() {
+  const int kCompileTimeConstant = 10;
+  int compile_time_variable = rand();
+  static_assert(IS_COMPILE_TIME_CONSTANT(std::numeric_limits<int>::is_signed),
+                "");
+  static_assert(IS_COMPILE_TIME_CONSTANT(kCompileTimeConstant), "");
+  static_assert(!IS_COMPILE_TIME_CONSTANT(compile_time_variable), "");
+  (void)compile_time_variable;
+}
+
 // strict_cast<> is analogous to static_cast<> for numeric types, except that
 // it will cause a compile failure if the destination type is not large enough
 // to contain any value in the source type. It performs no runtime checking.
 template <typename Dst, typename Src>
 constexpr Dst strict_cast(Src value) {
   static_assert(std::numeric_limits<Src>::is_specialized,
                 "Argument must be numeric.");
   static_assert(std::numeric_limits<Dst>::is_specialized,
                 "Result must be numeric.");
-  static_assert((internal::StaticDstRangeRelationToSrcRange<Dst, Src>::value ==
-                 internal::NUMERIC_RANGE_CONTAINED),
-                "The numeric conversion is out of range for this type. You "
-                "should probably use one of the following conversion "
-                "mechanisms on the value you want to pass:\n"
-                "- base::checked_cast\n"
-                "- base::saturated_cast\n"
-                "- base::CheckedNumeric");
+
+  // We try to make compile-time constants just work regardless of type.
+  static_assert(
+      IS_COMPILE_TIME_CONSTANT(value)
+          ? IsValueInRangeForNumericType<Dst>(value)
+          : internal::StaticDstRangeRelationToSrcRange<Dst, Src>::value ==
+                internal::NUMERIC_RANGE_CONTAINED,
+      "The source type is out of range for the destination type");
 
   return static_cast<Dst>(value);
 }
 
+#undef IS_COMPILE_TIME_CONSTANT
+
 // StrictNumeric implements compile time range checking between numeric types by
 // wrapping assignment operations in a strict_cast. This class is intended to be
 // used for function arguments and return types, to ensure the destination type
 // can always contain the source type. This is essentially the same as enforcing
 // -Wconversion in gcc and C4302 warnings on MSVC, but it can be applied
 // incrementally at API boundaries, making it easier to convert code so that it
 // compiles cleanly with truncation warnings enabled.
 // This template should introduce no runtime overhead, but it also provides no
 // runtime checking of any of the associated mathematical operations. Use
 // CheckedNumeric for runtime range checks of the actual value being assigned.
 template <typename T>
 class StrictNumeric {
  public:
   typedef T type;
 
   constexpr StrictNumeric() : value_(0) {}
 
   // Copy constructor.
   template <typename Src>
   constexpr StrictNumeric(const StrictNumeric<Src>& rhs)
       : value_(strict_cast<T>(rhs.value_)) {}
 
   // This is not an explicit constructor because we implicitly upgrade regular
   // numerics to StrictNumerics to make them easier to use.
   template <typename Src>
   constexpr StrictNumeric(Src value)
       : value_(strict_cast<T>(value)) {}
 
   // The numeric cast operator basically handles all the magic.
-  template <typename Dst>
+  template <typename Dst,
+            typename std::enable_if<
+                ArithmeticOrUnderlyingEnum<Dst>::value>::type* = nullptr>
   constexpr operator Dst() const {
-    return strict_cast<Dst>(value_);
+    return strict_cast<typename ArithmeticOrUnderlyingEnum<Dst>::type>(value_);
   }
 
  private:
   const T value_;
 };
 
+template <typename T>
+std::ostream& operator<<(std::ostream& os, const StrictNumeric<T>& value) {
+  os << static_cast<T>(value);
+  return os;
+}
+
+// We allow simple pointer arithmetic.

[Tom Sepez, 2016/11/29 20:06:26]

For extra credit: Can we make this blow up if R is larger than SIZE_T max?

[jschuh, 2016/11/29 21:04:47]

It would be very easy to just call the corresponding checked math operation
here, if that's what you mean. But I'll have to think about whether or not it's
ok to trigger a crash here.

[jschuh, 2016/11/30 23:38:52]

Okay, I decided that wrapping here is always unsafe. So, I moved this after the
CheckedNumeric declaration and use it to compute the offset and crash on a wrap.

+template <typename L, typename R>
+constexpr L* operator+(L* lhs, const StrictNumeric<R>& rhs) {
+  return lhs + static_cast<R>(rhs);
+}
+
+template <typename L, typename R>
+constexpr L* operator-(L* lhs, const StrictNumeric<R>& rhs) {
+  return lhs - static_cast<R>(rhs);
+}
+
+#define STRICT_COMPARISON_OP(NAME, OP)                               \
+  template <typename L, typename R,                                  \
+            typename std::enable_if<                                 \
+                internal::IsStrictOp<L, R>::value>::type* = nullptr> \
+  constexpr bool operator OP(const L lhs, const R rhs) {             \
+    return SafeCompare<NAME, typename UnderlyingType<L>::type,       \
+                       typename UnderlyingType<R>::type>(lhs, rhs);  \
+  }
+
+STRICT_COMPARISON_OP(IsLess, <);
+STRICT_COMPARISON_OP(IsLessOrEqual, <=);
+STRICT_COMPARISON_OP(IsGreater, >);
+STRICT_COMPARISON_OP(IsGreaterOrEqual, >=);
+STRICT_COMPARISON_OP(IsEqual, ==);
+STRICT_COMPARISON_OP(IsNotEqual, !=);
+
+#undef STRICT_COMPARISON_OP
+};
+
+using internal::strict_cast;
+using internal::saturated_cast;
+using internal::StrictNumeric;
+
 // Explicitly make a shorter size_t typedef for convenience.
 typedef StrictNumeric<size_t> SizeT;
 
 }  // namespace base
 
 #endif  // BASE_NUMERICS_SAFE_CONVERSIONS_H_