Fix silent truncations when extracting values from CheckedNumeric

base/numerics/safe_numerics_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <limits>
 #include <type_traits>
 
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/numerics/safe_math.h"
 #include "base/test/gtest_util.h"
 #include "build/build_config.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(COMPILER_MSVC) && defined(ARCH_CPU_32_BITS)
 #include <mmintrin.h>
 #endif
 
 using std::numeric_limits;
 using base::CheckedNumeric;
+using base::IsValidForType;
+using base::ValueOrDieForType;
+using base::ValueOrDefaultForType;
 using base::CheckNum;
 using base::CheckAdd;
 using base::CheckSub;
 using base::CheckMul;
 using base::CheckDiv;
 using base::CheckMod;
 using base::CheckLsh;
 using base::CheckRsh;
 using base::checked_cast;
 using base::IsValueInRangeForNumericType;
 using base::IsValueNegative;
 using base::SizeT;
 using base::StrictNumeric;
 using base::saturated_cast;
 using base::strict_cast;
+using base::StrictNumeric;
 using base::internal::MaxExponent;
 using base::internal::RANGE_VALID;
 using base::internal::RANGE_INVALID;
 using base::internal::RANGE_OVERFLOW;
 using base::internal::RANGE_UNDERFLOW;
 using base::internal::SignedIntegerForSize;
 
 // These tests deliberately cause arithmetic boundary errors. If the compiler is
 // aggressive enough, it can const detect these errors, so we disable warnings.
 #if defined(OS_WIN)
@@ skipping 51 matching lines @@
 #define TEST_EXPECTED_FAILURE(actual) TEST_EXPECTED_VALIDITY(false, actual)
 
 #define TEST_EXPECTED_VALUE(expected, actual)                              \
   EXPECT_EQ(static_cast<Dst>(expected),                                    \
             ((actual)                                                      \
                  .template Cast<Dst>()                                     \
                  .template ValueOrDie<Dst, LogOnFailure>()))               \
       << "Result test: Value " << GetNumericValueForTest(actual) << " as " \
       << dst << " on line " << line
 
+// Test the simple pointer arithmetic overrides.
+template <typename Dst>
+void TestStrictPointerMath() {
+  Dst dummy_value = 0;
+  Dst* dummy_ptr = &dummy_value;
+  static const Dst kDummyOffset = 2;  // Don't want to go too far.
+  EXPECT_EQ(dummy_ptr + kDummyOffset,
+            dummy_ptr + StrictNumeric<Dst>(kDummyOffset));
+  EXPECT_EQ(dummy_ptr - kDummyOffset,
+            dummy_ptr - StrictNumeric<Dst>(kDummyOffset));
+  EXPECT_NE(dummy_ptr, dummy_ptr + StrictNumeric<Dst>(kDummyOffset));
+  EXPECT_NE(dummy_ptr, dummy_ptr - StrictNumeric<Dst>(kDummyOffset));
+}

[Tom Sepez, 2016/11/30 23:58:27]

Can we have a test that adding numeric_limits<uinptr_t> ::max() overflows?

[jschuh, 2016/12/01 00:58:55]

Unfortunately, no, because I don't have have a way to pass an alternate check
handler here. I'm toying with how to make that possible, but they all involve
significant refactors.

[danakj, 2016/12/01 01:00:25]

Death tests are a possibility if I'm understanding right.

+
 // Signed integer arithmetic.
 template <typename Dst>
 static void TestSpecializedArithmetic(
     const char* dst,
     int line,
     typename std::enable_if<numeric_limits<Dst>::is_integer &&
                                 numeric_limits<Dst>::is_signed,
                             int>::type = 0) {
   typedef numeric_limits<Dst> DstLimits;
   TEST_EXPECTED_FAILURE(-CheckedNumeric<Dst>(DstLimits::min()));
@@ skipping 42 matching lines @@
   TEST_EXPECTED_VALUE(static_cast<Dst>(1) << (sizeof(Dst) * CHAR_BIT - 2),
                       CheckedNumeric<Dst>(1) << (sizeof(Dst) * CHAR_BIT - 2));
   TEST_EXPECTED_VALUE(0, CheckedNumeric<Dst>(0)
                              << (sizeof(Dst) * CHAR_BIT - 1));
   TEST_EXPECTED_VALUE(1, CheckedNumeric<Dst>(1) << 0);
   TEST_EXPECTED_VALUE(2, CheckedNumeric<Dst>(1) << 1);
   TEST_EXPECTED_FAILURE(CheckedNumeric<Dst>(1) >> (sizeof(Dst) * CHAR_BIT));
   TEST_EXPECTED_VALUE(0,
                       CheckedNumeric<Dst>(1) >> (sizeof(Dst) * CHAR_BIT - 1));
   TEST_EXPECTED_FAILURE(CheckedNumeric<Dst>(1) >> negative_one);
+
+  TestStrictPointerMath<Dst>();
 }
 
 // Unsigned integer arithmetic.
 template <typename Dst>
 static void TestSpecializedArithmetic(
     const char* dst,
     int line,
     typename std::enable_if<numeric_limits<Dst>::is_integer &&
                                 !numeric_limits<Dst>::is_signed,
                             int>::type = 0) {
@@ skipping 51 matching lines @@
   TEST_EXPECTED_VALUE(0, CheckedNumeric<Dst>(0) | 0);
   TEST_EXPECTED_VALUE(std::numeric_limits<Dst>::max(),
                       CheckedNumeric<Dst>(0) | static_cast<Dst>(-1));
   TEST_EXPECTED_VALUE(0, CheckedNumeric<Dst>(1) ^ 1);
   TEST_EXPECTED_VALUE(1, CheckedNumeric<Dst>(1) ^ 0);
   TEST_EXPECTED_VALUE(1, CheckedNumeric<Dst>(0) ^ 1);
   TEST_EXPECTED_VALUE(0, CheckedNumeric<Dst>(0) ^ 0);
   TEST_EXPECTED_VALUE(std::numeric_limits<Dst>::max(),
                       CheckedNumeric<Dst>(0) ^ static_cast<Dst>(-1));
   TEST_EXPECTED_VALUE(DstLimits::max(), ~CheckedNumeric<Dst>(0));
+
+  TestStrictPointerMath<Dst>();
 }
 
 // Floating point arithmetic.
 template <typename Dst>
 void TestSpecializedArithmetic(
     const char* dst,
     int line,
     typename std::enable_if<numeric_limits<Dst>::is_iec559, int>::type = 0) {
   typedef numeric_limits<Dst> DstLimits;
   TEST_EXPECTED_SUCCESS(-CheckedNumeric<Dst>(DstLimits::min()));
 
   TEST_EXPECTED_SUCCESS(CheckedNumeric<Dst>(DstLimits::min()).Abs());
   TEST_EXPECTED_VALUE(1, CheckedNumeric<Dst>(-1).Abs());
 
   TEST_EXPECTED_SUCCESS(CheckedNumeric<Dst>(DstLimits::min()) + -1);
   TEST_EXPECTED_SUCCESS(CheckedNumeric<Dst>(DstLimits::max()) + 1);
   TEST_EXPECTED_FAILURE(CheckedNumeric<Dst>(-DstLimits::max()) +
                         -DstLimits::max());
 
   TEST_EXPECTED_FAILURE(CheckedNumeric<Dst>(DstLimits::max()) -
                         -DstLimits::max());
   TEST_EXPECTED_FAILURE(CheckedNumeric<Dst>(-DstLimits::max()) -
                         DstLimits::max());
 
   TEST_EXPECTED_SUCCESS(CheckedNumeric<Dst>(DstLimits::min()) * 2);
 
   TEST_EXPECTED_VALUE(-0.5, CheckedNumeric<Dst>(-1.0) / 2);
-  EXPECT_EQ(static_cast<Dst>(1.0), CheckedNumeric<Dst>(1.0).ValueFloating());
 }
 
 // Generic arithmetic tests.
 template <typename Dst>
 static void TestArithmetic(const char* dst, int line) {
   typedef numeric_limits<Dst> DstLimits;
 
   EXPECT_EQ(true, CheckedNumeric<Dst>().IsValid());
   EXPECT_EQ(false,
             CheckedNumeric<Dst>(CheckedNumeric<Dst>(DstLimits::max()) *
@@ skipping 122 matching lines @@
 template <typename Dst, typename Src, NumericConversionType conversion>
 struct TestNumericConversion {};
 
 // EXPECT_EQ wrappers providing specific detail on test failures.
 #define TEST_EXPECTED_RANGE(expected, actual)                                  \
   EXPECT_EQ(expected, base::internal::DstRangeRelationToSrcRange<Dst>(actual)) \
       << "Conversion test: " << src << " value " << actual << " to " << dst    \
       << " on line " << line
 
 template <typename Dst, typename Src>
+void TestStrictComparison() {
+  typedef numeric_limits<Dst> DstLimits;
+  typedef numeric_limits<Src> SrcLimits;
+  static_assert(StrictNumeric<Src>(SrcLimits::min()) < DstLimits::max(), "");
+  static_assert(StrictNumeric<Src>(SrcLimits::min()) < SrcLimits::max(), "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::min()) >= DstLimits::max()),
+                "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::min()) >= SrcLimits::max()),
+                "");
+  static_assert(StrictNumeric<Src>(SrcLimits::min()) <= DstLimits::max(), "");
+  static_assert(StrictNumeric<Src>(SrcLimits::min()) <= SrcLimits::max(), "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::min()) > DstLimits::max()), "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::min()) > SrcLimits::max()), "");
+  static_assert(StrictNumeric<Src>(SrcLimits::max()) > DstLimits::min(), "");
+  static_assert(StrictNumeric<Src>(SrcLimits::max()) > SrcLimits::min(), "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::max()) <= DstLimits::min()),
+                "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::max()) <= SrcLimits::min()),
+                "");
+  static_assert(StrictNumeric<Src>(SrcLimits::max()) >= DstLimits::min(), "");
+  static_assert(StrictNumeric<Src>(SrcLimits::max()) >= SrcLimits::min(), "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::max()) < DstLimits::min()), "");
+  static_assert(!(StrictNumeric<Src>(SrcLimits::max()) < SrcLimits::min()), "");
+  static_assert(StrictNumeric<Src>(static_cast<Src>(1)) == static_cast<Dst>(1),
+                "");
+  static_assert(StrictNumeric<Src>(static_cast<Src>(1)) != static_cast<Dst>(0),
+                "");
+  static_assert(StrictNumeric<Src>(SrcLimits::max()) != static_cast<Dst>(0),
+                "");
+  static_assert(StrictNumeric<Src>(SrcLimits::max()) != DstLimits::min(), "");
+  static_assert(
+      !(StrictNumeric<Src>(static_cast<Src>(1)) != static_cast<Dst>(1)), "");
+  static_assert(
+      !(StrictNumeric<Src>(static_cast<Src>(1)) == static_cast<Dst>(0)), "");
+}
+
+template <typename Dst, typename Src>
 struct TestNumericConversion<Dst, Src, SIGN_PRESERVING_VALUE_PRESERVING> {
   static void Test(const char *dst, const char *src, int line) {
     typedef numeric_limits<Src> SrcLimits;
     typedef numeric_limits<Dst> DstLimits;
                    // Integral to floating.
     static_assert((DstLimits::is_iec559 && SrcLimits::is_integer) ||
                   // Not floating to integral and...
                   (!(DstLimits::is_integer && SrcLimits::is_iec559) &&
                    // Same sign, same numeric, source is narrower or same.
                    ((SrcLimits::is_signed == DstLimits::is_signed &&
                     sizeof(Dst) >= sizeof(Src)) ||
                    // Or signed destination and source is smaller
                     (DstLimits::is_signed && sizeof(Dst) > sizeof(Src)))),
                   "Comparison must be sign preserving and value preserving");
 
+    TestStrictComparison<Dst, Src>();
+
     const CheckedNumeric<Dst> checked_dst = SrcLimits::max();
     TEST_EXPECTED_SUCCESS(checked_dst);
     if (MaxExponent<Dst>::value > MaxExponent<Src>::value) {
       if (MaxExponent<Dst>::value >= MaxExponent<Src>::value * 2 - 1) {
         // At least twice larger type.
         TEST_EXPECTED_SUCCESS(SrcLimits::max() * checked_dst);
 
       } else {  // Larger, but not at least twice as large.
         TEST_EXPECTED_FAILURE(SrcLimits::max() * checked_dst);
         TEST_EXPECTED_SUCCESS(checked_dst + 1);
@@ skipping 20 matching lines @@
 struct TestNumericConversion<Dst, Src, SIGN_PRESERVING_NARROW> {
   static void Test(const char *dst, const char *src, int line) {
     typedef numeric_limits<Src> SrcLimits;
     typedef numeric_limits<Dst> DstLimits;
     static_assert(SrcLimits::is_signed == DstLimits::is_signed,
                   "Destination and source sign must be the same");
     static_assert(sizeof(Dst) < sizeof(Src) ||
                    (DstLimits::is_integer && SrcLimits::is_iec559),
                   "Destination must be narrower than source");
 
+    TestStrictComparison<Dst, Src>();
+
     const CheckedNumeric<Dst> checked_dst;
     TEST_EXPECTED_FAILURE(checked_dst + SrcLimits::max());
     TEST_EXPECTED_VALUE(1, checked_dst + static_cast<Src>(1));
     TEST_EXPECTED_FAILURE(checked_dst - SrcLimits::max());
 
     TEST_EXPECTED_RANGE(RANGE_OVERFLOW, SrcLimits::max());
     TEST_EXPECTED_RANGE(RANGE_VALID, static_cast<Src>(1));
     if (SrcLimits::is_iec559) {
       TEST_EXPECTED_RANGE(RANGE_UNDERFLOW, SrcLimits::max() * -1);
       TEST_EXPECTED_RANGE(RANGE_VALID, static_cast<Src>(-1));
@@ skipping 26 matching lines @@
 template <typename Dst, typename Src>
 struct TestNumericConversion<Dst, Src, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL> {
   static void Test(const char *dst, const char *src, int line) {
     typedef numeric_limits<Src> SrcLimits;
     typedef numeric_limits<Dst> DstLimits;
     static_assert(sizeof(Dst) >= sizeof(Src),
                   "Destination must be equal or wider than source.");
     static_assert(SrcLimits::is_signed, "Source must be signed");
     static_assert(!DstLimits::is_signed, "Destination must be unsigned");
 
+    TestStrictComparison<Dst, Src>();
+
     const CheckedNumeric<Dst> checked_dst;
     TEST_EXPECTED_VALUE(SrcLimits::max(), checked_dst + SrcLimits::max());
     TEST_EXPECTED_FAILURE(checked_dst + static_cast<Src>(-1));
     TEST_EXPECTED_FAILURE(checked_dst + -SrcLimits::max());
 
     TEST_EXPECTED_RANGE(RANGE_UNDERFLOW, SrcLimits::min());
     TEST_EXPECTED_RANGE(RANGE_VALID, SrcLimits::max());
     TEST_EXPECTED_RANGE(RANGE_VALID, static_cast<Src>(1));
     TEST_EXPECTED_RANGE(RANGE_UNDERFLOW, static_cast<Src>(-1));
   }
 };
 
 template <typename Dst, typename Src>
 struct TestNumericConversion<Dst, Src, SIGN_TO_UNSIGN_NARROW> {
   static void Test(const char *dst, const char *src, int line) {
     typedef numeric_limits<Src> SrcLimits;
     typedef numeric_limits<Dst> DstLimits;
     static_assert((DstLimits::is_integer && SrcLimits::is_iec559) ||
                    (sizeof(Dst) < sizeof(Src)),
                   "Destination must be narrower than source.");
     static_assert(SrcLimits::is_signed, "Source must be signed.");
     static_assert(!DstLimits::is_signed, "Destination must be unsigned.");
 
+    TestStrictComparison<Dst, Src>();
+
     const CheckedNumeric<Dst> checked_dst;
     TEST_EXPECTED_VALUE(1, checked_dst + static_cast<Src>(1));
     TEST_EXPECTED_FAILURE(checked_dst + SrcLimits::max());
     TEST_EXPECTED_FAILURE(checked_dst + static_cast<Src>(-1));
     TEST_EXPECTED_FAILURE(checked_dst + -SrcLimits::max());
 
     TEST_EXPECTED_RANGE(RANGE_OVERFLOW, SrcLimits::max());
     TEST_EXPECTED_RANGE(RANGE_VALID, static_cast<Src>(1));
     TEST_EXPECTED_RANGE(RANGE_UNDERFLOW, static_cast<Src>(-1));
     if (SrcLimits::is_iec559) {
@@ skipping 22 matching lines @@
 template <typename Dst, typename Src>
 struct TestNumericConversion<Dst, Src, UNSIGN_TO_SIGN_NARROW_OR_EQUAL> {
   static void Test(const char *dst, const char *src, int line) {
     typedef numeric_limits<Src> SrcLimits;
     typedef numeric_limits<Dst> DstLimits;
     static_assert(sizeof(Dst) <= sizeof(Src),
                   "Destination must be narrower or equal to source.");
     static_assert(!SrcLimits::is_signed, "Source must be unsigned.");
     static_assert(DstLimits::is_signed, "Destination must be signed.");
 
+    TestStrictComparison<Dst, Src>();
+
     const CheckedNumeric<Dst> checked_dst;
     TEST_EXPECTED_VALUE(1, checked_dst + static_cast<Src>(1));
     TEST_EXPECTED_FAILURE(checked_dst + SrcLimits::max());
     TEST_EXPECTED_VALUE(SrcLimits::min(), checked_dst + SrcLimits::min());
 
     TEST_EXPECTED_RANGE(RANGE_VALID, SrcLimits::min());
     TEST_EXPECTED_RANGE(RANGE_OVERFLOW, SrcLimits::max());
     TEST_EXPECTED_RANGE(RANGE_VALID, static_cast<Src>(1));
   }
 };
@@ skipping 157 matching lines @@
   float not_a_number = std::numeric_limits<float>::infinity() -
                        std::numeric_limits<float>::infinity();
   EXPECT_TRUE(std::isnan(not_a_number));
   EXPECT_EQ(0, saturated_cast<int>(not_a_number));
 
   // Test the CheckedNumeric value extractions functions.
   auto int8_min = CheckNum(numeric_limits<int8_t>::min());
   auto int8_max = CheckNum(numeric_limits<int8_t>::max());
   auto double_max = CheckNum(numeric_limits<double>::max());
   static_assert(
-      std::is_same<int16_t, decltype(int8_min.ValueOrDie<int16_t>())>::value,
+      std::is_same<int16_t,
+                   decltype(int8_min.ValueOrDie<int16_t>())::type>::value,
       "ValueOrDie returning incorrect type.");
   static_assert(
       std::is_same<int16_t,
-                   decltype(int8_min.ValueOrDefault<int16_t>(0))>::value,
+                   decltype(int8_min.ValueOrDefault<int16_t>(0))::type>::value,
       "ValueOrDefault returning incorrect type.");
-  static_assert(
-      std::is_same<float, decltype(double_max.ValueFloating<float>())>::value,
-      "ValueFloating returning incorrect type.");
-  EXPECT_FALSE(int8_min.template IsValid<uint8_t>());
-  EXPECT_TRUE(int8_max.template IsValid<uint8_t>());
+  EXPECT_FALSE(IsValidForType<uint8_t>(int8_min));
+  EXPECT_TRUE(IsValidForType<uint8_t>(int8_max));
   EXPECT_EQ(static_cast<int>(numeric_limits<int8_t>::min()),
-            int8_min.template ValueOrDie<int>());
-  EXPECT_TRUE(int8_max.template IsValid<uint32_t>());
+            ValueOrDieForType<int>(int8_min));
+  EXPECT_TRUE(IsValidForType<uint32_t>(int8_max));
   EXPECT_EQ(static_cast<int>(numeric_limits<int8_t>::max()),
-            int8_max.template ValueOrDie<int>());
+            ValueOrDieForType<int>(int8_max));
+  EXPECT_EQ(0, ValueOrDefaultForType<int>(double_max, 0));
   uint8_t uint8_dest = 0;
   int16_t int16_dest = 0;
   double double_dest = 0;
   EXPECT_TRUE(int8_max.AssignIfValid(&uint8_dest));
   EXPECT_EQ(static_cast<uint8_t>(numeric_limits<int8_t>::max()), uint8_dest);
   EXPECT_FALSE(int8_min.AssignIfValid(&uint8_dest));
   EXPECT_TRUE(int8_max.AssignIfValid(&int16_dest));
   EXPECT_EQ(static_cast<int16_t>(numeric_limits<int8_t>::max()), int16_dest);
   EXPECT_TRUE(int8_min.AssignIfValid(&int16_dest));
   EXPECT_EQ(static_cast<int16_t>(numeric_limits<int8_t>::min()), int16_dest);
@@ skipping 106 matching lines @@
   too_large += d;
   EXPECT_FALSE(too_large.IsValid());
   too_large -= d;
   EXPECT_FALSE(too_large.IsValid());
   too_large /= d;
   EXPECT_FALSE(too_large.IsValid());
 }
 
 TEST(SafeNumerics, VariadicNumericOperations) {
   auto a = CheckAdd(1, 2UL, CheckNum(3LL), 4).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(a)>(10), a);
+  EXPECT_EQ(static_cast<decltype(a)::type>(10), a);
   auto b = CheckSub(CheckNum(20.0), 2UL, 4).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(b)>(14.0), b);
+  EXPECT_EQ(static_cast<decltype(b)::type>(14.0), b);
   auto c = CheckMul(20.0, CheckNum(1), 5, 3UL).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(c)>(300.0), c);
+  EXPECT_EQ(static_cast<decltype(c)::type>(300.0), c);
   auto d = CheckDiv(20.0, 2.0, CheckNum(5LL), -4).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(d)>(-.5), d);
+  EXPECT_EQ(static_cast<decltype(d)::type>(-.5), d);
   auto e = CheckMod(CheckNum(20), 3).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(e)>(2), e);
+  EXPECT_EQ(static_cast<decltype(e)::type>(2), e);
   auto f = CheckLsh(1, CheckNum(2)).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(f)>(4), f);
+  EXPECT_EQ(static_cast<decltype(f)::type>(4), f);
   auto g = CheckRsh(4, CheckNum(2)).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(g)>(1), g);
+  EXPECT_EQ(static_cast<decltype(g)::type>(1), g);
   auto h = CheckRsh(CheckAdd(1, 1, 1, 1), CheckSub(4, 2)).ValueOrDie();
-  EXPECT_EQ(static_cast<decltype(h)>(1), h);
+  EXPECT_EQ(static_cast<decltype(h)::type>(1), h);
 }