Fix silent truncations when extracting values from CheckedNumeric

base/numerics/safe_conversions.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef BASE_NUMERICS_SAFE_CONVERSIONS_H_
 #define BASE_NUMERICS_SAFE_CONVERSIONS_H_
 
 #include <stddef.h>
 
 #include <cassert>
 #include <limits>
+#include <ostream>
 #include <type_traits>
 
 #include "base/numerics/safe_conversions_impl.h"
 
 namespace base {
 
+// The following are helper constexpr template functions and classes for safely
+// performing a range of conversions, assignments, and tests:
+//
+//  checked_cast<> - Analogous to static_cast<> for numeric types, except
+//      that it CHECKs that the specified numeric conversion will not overflow
+//      or underflow. NaN source will always trigger a CHECK.
+//      The default CHECK triggers a crash, but the handler can be overriden.
+//  saturated_cast<> - Analogous to static_cast<> for numeric types, except
+//      that it returns a saturated result when the specified numeric conversion
+//      would otherwise overflow or underflow. An NaN source returns 0 by
+//      default, but can be overridden to return a different result.
+//      The default CHECK triggers a crash, but the handler can be overriden.

[Tom Sepez, 2016/11/30 23:58:27]

Nit: can saturated_cast cause a CHECK?  

[jschuh, 2016/12/01 00:58:55]

Nope. Good catch.

+//  strict_cast<> - Analogous to static_cast<> for numeric types, except that
+//      it will cause a compile failure if the destination type is not large
+//      enough to contain any value in the source type. It performs no runtime
+//      checking and thus introduces no runtime overhead.
+//  IsValueInRangeForNumericType<>() - A convenience function that returns true
+//      if the type supplied to the template parameter can represent in the

[Tom Sepez, 2016/11/30 23:58:27]

nit: s/represent in/represent/

[jschuh, 2016/12/01 00:58:55]

Done.

+//      value passed as an argument to the function.
+//  IsValueNegative<>() - A convenience function that will accept any arithmetic
+//      type as an argument and will return whether the value is less than zero.
+//      Unsigned types always return false.
+//  StrictNumeric<> - A wrapper type that performs assignments and copies via
+//      the strict_cast<> template, and can perform valid arithmetic comparisons
+//      across any range of arithmetic types. StrictNumeric is the return type
+//      for values extracted from a CheckedNumeric class instance. The raw
+//      arithmetic value is extracted via static_cast to the underlying type.
+
 // Convenience function that returns true if the supplied value is in range
 // for the destination type.
 template <typename Dst, typename Src>
 constexpr bool IsValueInRangeForNumericType(Src value) {
   return internal::DstRangeRelationToSrcRange<Dst>(value) ==
          internal::RANGE_VALID;
 }
 
 // Convenience function for determining if a numeric value is negative without
 // throwing compiler warnings on: unsigned(value) < 0.
@@ skipping 56 matching lines @@
 constexpr Dst saturated_cast_impl(const Src value,
                                   const RangeConstraint constraint) {
   return constraint == RANGE_VALID
              ? static_cast<Dst>(value)
              : (constraint == RANGE_UNDERFLOW
                     ? std::numeric_limits<Dst>::min()
                     : (constraint == RANGE_OVERFLOW
                            ? std::numeric_limits<Dst>::max()
                            : NaNHandler::template HandleFailure<Dst>()));
 }
-}  // namespace internal
 
 // saturated_cast<> is analogous to static_cast<> for numeric types, except
 // that the specified numeric conversion will saturate rather than overflow or
 // underflow. NaN assignment to an integral will defer the behavior to a
 // specified class. By default, it will return 0.
 template <typename Dst,
           class NaNHandler = SaturatedCastNaNBehaviorReturnZero,
           typename Src>
 constexpr Dst saturated_cast(Src value) {
   return std::numeric_limits<Dst>::is_iec559
              ? static_cast<Dst>(value)  // Floating point optimization.
              : internal::saturated_cast_impl<Dst, NaNHandler>(
                    value, internal::DstRangeRelationToSrcRange<Dst>(value));
 }
 
 // strict_cast<> is analogous to static_cast<> for numeric types, except that
 // it will cause a compile failure if the destination type is not large enough
 // to contain any value in the source type. It performs no runtime checking.
 template <typename Dst, typename Src>
 constexpr Dst strict_cast(Src value) {
   static_assert(std::numeric_limits<Src>::is_specialized,
                 "Argument must be numeric.");
   static_assert(std::numeric_limits<Dst>::is_specialized,
                 "Result must be numeric.");
-  static_assert((internal::StaticDstRangeRelationToSrcRange<Dst, Src>::value ==
-                 internal::NUMERIC_RANGE_CONTAINED),
-                "The numeric conversion is out of range for this type. You "
-                "should probably use one of the following conversion "
-                "mechanisms on the value you want to pass:\n"
-                "- base::checked_cast\n"
-                "- base::saturated_cast\n"
-                "- base::CheckedNumeric");
+
+  // If you got here from a compiler error, it's because you tried to assign
+  // from a source type a destination type that has insufficient range.

[Tom Sepez, 2016/11/30 23:58:27]

nit: to a destination type.

[jschuh, 2016/12/01 00:58:55]

Done.

+  // The solution may simply be to change the destination type you're assigning

[Tom Sepez, 2016/11/30 23:58:27]

nit: s/simply//

[jschuh, 2016/12/01 00:58:55]

Done.

+  // to, and use one large enough to represent the source.
+  // If you're assigning from a CheckedNumeric<> class, you can use the
+  // AssignIfValid() member function, specify a narrower destination type to the
+  // member value functions (e.g. val.template ValueOrDie<Dst>()), or use one of
+  // the value helper functions (e.g. ValueOrDieForType<Dst>(val)).
+  // Alternatively, you may be better served with the checked_cast<> or
+  // saturated_cast<> template functions for your particular use case.
+  static_assert(internal::StaticDstRangeRelationToSrcRange<Dst, Src>::value ==
+                    internal::NUMERIC_RANGE_CONTAINED,
+                "The source type is out of range for the destination type. "
+                "Please see strict_cast<> comments for more information.");
 
   return static_cast<Dst>(value);
 }
 
 // StrictNumeric implements compile time range checking between numeric types by
 // wrapping assignment operations in a strict_cast. This class is intended to be
 // used for function arguments and return types, to ensure the destination type
 // can always contain the source type. This is essentially the same as enforcing
 // -Wconversion in gcc and C4302 warnings on MSVC, but it can be applied
 // incrementally at API boundaries, making it easier to convert code so that it
@@ skipping 13 matching lines @@
   constexpr StrictNumeric(const StrictNumeric<Src>& rhs)
       : value_(strict_cast<T>(rhs.value_)) {}
 
   // This is not an explicit constructor because we implicitly upgrade regular
   // numerics to StrictNumerics to make them easier to use.
   template <typename Src>
   constexpr StrictNumeric(Src value)
       : value_(strict_cast<T>(value)) {}
 
   // The numeric cast operator basically handles all the magic.
-  template <typename Dst>
+  template <typename Dst,
+            typename std::enable_if<
+                ArithmeticOrUnderlyingEnum<Dst>::value>::type* = nullptr>
   constexpr operator Dst() const {
-    return strict_cast<Dst>(value_);
+    return strict_cast<typename ArithmeticOrUnderlyingEnum<Dst>::type>(value_);
   }
 
  private:
   const T value_;
 };
 
+// Overload the ostream output operator to make logging work nicely.
+template <typename T>
+std::ostream& operator<<(std::ostream& os, const StrictNumeric<T>& value) {
+  os << static_cast<T>(value);
+  return os;
+}
+
+#define STRICT_COMPARISON_OP(NAME, OP)                               \
+  template <typename L, typename R,                                  \
+            typename std::enable_if<                                 \
+                internal::IsStrictOp<L, R>::value>::type* = nullptr> \
+  constexpr bool operator OP(const L lhs, const R rhs) {             \
+    return SafeCompare<NAME, typename UnderlyingType<L>::type,       \
+                       typename UnderlyingType<R>::type>(lhs, rhs);  \
+  }
+
+STRICT_COMPARISON_OP(IsLess, <);
+STRICT_COMPARISON_OP(IsLessOrEqual, <=);
+STRICT_COMPARISON_OP(IsGreater, >);
+STRICT_COMPARISON_OP(IsGreaterOrEqual, >=);
+STRICT_COMPARISON_OP(IsEqual, ==);
+STRICT_COMPARISON_OP(IsNotEqual, !=);
+
+#undef STRICT_COMPARISON_OP
+};
+
+using internal::strict_cast;
+using internal::saturated_cast;
+using internal::StrictNumeric;
+
 // Explicitly make a shorter size_t typedef for convenience.
 typedef StrictNumeric<size_t> SizeT;
 
 }  // namespace base
 
 #endif  // BASE_NUMERICS_SAFE_CONVERSIONS_H_