| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef BASE_NUMERICS_SAFE_MATH_IMPL_H_ | |
| 6 #define BASE_NUMERICS_SAFE_MATH_IMPL_H_ | |
| 7 | |
| 8 #include <stddef.h> | |
| 9 #include <stdint.h> | |
| 10 | |
| 11 #include <climits> | |
| 12 #include <cmath> | |
| 13 #include <cstdlib> | |
| 14 #include <limits> | |
| 15 #include <type_traits> | |
| 16 | |
| 17 #include "base/numerics/safe_conversions.h" | |
| 18 | |
| 19 namespace base { | |
| 20 namespace internal { | |
| 21 | |
| 22 // Everything from here up to the floating point operations is portable C++, | |
| 23 // but it may not be fast. This code could be split based on | |
| 24 // platform/architecture and replaced with potentially faster implementations. | |
| 25 | |
| 26 // This is used for UnsignedAbs, where we need to support floating-point | |
| 27 // template instantiations even though we don't actually support the operations. | |
| 28 // However, there is no corresponding implementation of e.g. SafeUnsignedAbs, | |
| 29 // so the float versions will not compile. | |
| 30 template <typename Numeric, | |
| 31 bool IsInteger = std::is_integral<Numeric>::value, | |
| 32 bool IsFloat = std::is_floating_point<Numeric>::value> | |
| 33 struct UnsignedOrFloatForSize; | |
| 34 | |
| 35 template <typename Numeric> | |
| 36 struct UnsignedOrFloatForSize<Numeric, true, false> { | |
| 37 using type = typename std::make_unsigned<Numeric>::type; | |
| 38 }; | |
| 39 | |
| 40 template <typename Numeric> | |
| 41 struct UnsignedOrFloatForSize<Numeric, false, true> { | |
| 42 using type = Numeric; | |
| 43 }; | |
| 44 | |
| 45 // Probe for builtin math overflow support on Clang and version check on GCC. | |
| 46 #if defined(__has_builtin) | |
| 47 #define USE_OVERFLOW_BUILTINS (__has_builtin(__builtin_add_overflow)) | |
| 48 #elif defined(__GNUC__) | |
| 49 #define USE_OVERFLOW_BUILTINS (__GNUC__ >= 5) | |
| 50 #else | |
| 51 #define USE_OVERFLOW_BUILTINS (0) | |
| 52 #endif | |
| 53 | |
| 54 template <typename T> | |
| 55 bool CheckedAddImpl(T x, T y, T* result) { | |
| 56 static_assert(std::is_integral<T>::value, "Type must be integral"); | |
| 57 // Since the value of x+y is undefined if we have a signed type, we compute | |
| 58 // it using the unsigned type of the same size. | |
| 59 using UnsignedDst = typename std::make_unsigned<T>::type; | |
| 60 using SignedDst = typename std::make_signed<T>::type; | |
| 61 UnsignedDst ux = static_cast<UnsignedDst>(x); | |
| 62 UnsignedDst uy = static_cast<UnsignedDst>(y); | |
| 63 UnsignedDst uresult = static_cast<UnsignedDst>(ux + uy); | |
| 64 *result = static_cast<T>(uresult); | |
| 65 // Addition is valid if the sign of (x + y) is equal to either that of x or | |
| 66 // that of y. | |
| 67 return (std::is_signed<T>::value) | |
| 68 ? static_cast<SignedDst>((uresult ^ ux) & (uresult ^ uy)) >= 0 | |
| 69 : uresult >= uy; // Unsigned is either valid or underflow. | |
| 70 } | |
| 71 | |
| 72 template <typename T, typename U, class Enable = void> | |
| 73 struct CheckedAddOp {}; | |
| 74 | |
| 75 template <typename T, typename U> | |
| 76 struct CheckedAddOp<T, | |
| 77 U, | |
| 78 typename std::enable_if<std::is_integral<T>::value && | |
| 79 std::is_integral<U>::value>::type> { | |
| 80 using result_type = typename MaxExponentPromotion<T, U>::type; | |
| 81 template <typename V> | |
| 82 static bool Do(T x, U y, V* result) { | |
| 83 #if USE_OVERFLOW_BUILTINS | |
| 84 return !__builtin_add_overflow(x, y, result); | |
| 85 #else | |
| 86 using Promotion = typename BigEnoughPromotion<T, U>::type; | |
| 87 Promotion presult; | |
| 88 // Fail if either operand is out of range for the promoted type. | |
| 89 // TODO(jschuh): This could be made to work for a broader range of values. | |
| 90 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && | |
| 91 IsValueInRangeForNumericType<Promotion>(y); | |
| 92 | |
| 93 if (IsIntegerArithmeticSafe<Promotion, T, U>::value) { | |
| 94 presult = static_cast<Promotion>(x) + static_cast<Promotion>(y); | |
| 95 } else { | |
| 96 is_valid &= CheckedAddImpl(static_cast<Promotion>(x), | |
| 97 static_cast<Promotion>(y), &presult); | |
| 98 } | |
| 99 *result = static_cast<V>(presult); | |
| 100 return is_valid && IsValueInRangeForNumericType<V>(presult); | |
| 101 #endif | |
| 102 } | |
| 103 }; | |
| 104 | |
| 105 template <typename T> | |
| 106 bool CheckedSubImpl(T x, T y, T* result) { | |
| 107 static_assert(std::is_integral<T>::value, "Type must be integral"); | |
| 108 // Since the value of x+y is undefined if we have a signed type, we compute | |
| 109 // it using the unsigned type of the same size. | |
| 110 using UnsignedDst = typename std::make_unsigned<T>::type; | |
| 111 using SignedDst = typename std::make_signed<T>::type; | |
| 112 UnsignedDst ux = static_cast<UnsignedDst>(x); | |
| 113 UnsignedDst uy = static_cast<UnsignedDst>(y); | |
| 114 UnsignedDst uresult = static_cast<UnsignedDst>(ux - uy); | |
| 115 *result = static_cast<T>(uresult); | |
| 116 // Subtraction is valid if either x and y have same sign, or (x-y) and x have | |
| 117 // the same sign. | |
| 118 return (std::is_signed<T>::value) | |
| 119 ? static_cast<SignedDst>((uresult ^ ux) & (ux ^ uy)) >= 0 | |
| 120 : x >= y; | |
| 121 } | |
| 122 | |
| 123 template <typename T, typename U, class Enable = void> | |
| 124 struct CheckedSubOp {}; | |
| 125 | |
| 126 template <typename T, typename U> | |
| 127 struct CheckedSubOp<T, | |
| 128 U, | |
| 129 typename std::enable_if<std::is_integral<T>::value && | |
| 130 std::is_integral<U>::value>::type> { | |
| 131 using result_type = typename MaxExponentPromotion<T, U>::type; | |
| 132 template <typename V> | |
| 133 static bool Do(T x, U y, V* result) { | |
| 134 #if USE_OVERFLOW_BUILTINS | |
| 135 return !__builtin_sub_overflow(x, y, result); | |
| 136 #else | |
| 137 using Promotion = typename BigEnoughPromotion<T, U>::type; | |
| 138 Promotion presult; | |
| 139 // Fail if either operand is out of range for the promoted type. | |
| 140 // TODO(jschuh): This could be made to work for a broader range of values. | |
| 141 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && | |
| 142 IsValueInRangeForNumericType<Promotion>(y); | |
| 143 | |
| 144 if (IsIntegerArithmeticSafe<Promotion, T, U>::value) { | |
| 145 presult = static_cast<Promotion>(x) - static_cast<Promotion>(y); | |
| 146 } else { | |
| 147 is_valid &= CheckedSubImpl(static_cast<Promotion>(x), | |
| 148 static_cast<Promotion>(y), &presult); | |
| 149 } | |
| 150 *result = static_cast<V>(presult); | |
| 151 return is_valid && IsValueInRangeForNumericType<V>(presult); | |
| 152 #endif | |
| 153 } | |
| 154 }; | |
| 155 | |
| 156 template <typename T> | |
| 157 bool CheckedMulImpl(T x, T y, T* result) { | |
| 158 static_assert(std::is_integral<T>::value, "Type must be integral"); | |
| 159 // Since the value of x*y is potentially undefined if we have a signed type, | |
| 160 // we compute it using the unsigned type of the same size. | |
| 161 using UnsignedDst = typename std::make_unsigned<T>::type; | |
| 162 using SignedDst = typename std::make_signed<T>::type; | |
| 163 const UnsignedDst ux = SafeUnsignedAbs(x); | |
| 164 const UnsignedDst uy = SafeUnsignedAbs(y); | |
| 165 UnsignedDst uresult = static_cast<UnsignedDst>(ux * uy); | |
| 166 const bool is_negative = | |
| 167 std::is_signed<T>::value && static_cast<SignedDst>(x ^ y) < 0; | |
| 168 *result = is_negative ? 0 - uresult : uresult; | |
| 169 // We have a fast out for unsigned identity or zero on the second operand. | |
| 170 // After that it's an unsigned overflow check on the absolute value, with | |
| 171 // a +1 bound for a negative result. | |
| 172 return uy <= UnsignedDst(!std::is_signed<T>::value || is_negative) || | |
| 173 ux <= (std::numeric_limits<T>::max() + UnsignedDst(is_negative)) / uy; | |
| 174 } | |
| 175 | |
| 176 template <typename T, typename U, class Enable = void> | |
| 177 struct CheckedMulOp {}; | |
| 178 | |
| 179 template <typename T, typename U> | |
| 180 struct CheckedMulOp<T, | |
| 181 U, | |
| 182 typename std::enable_if<std::is_integral<T>::value && | |
| 183 std::is_integral<U>::value>::type> { | |
| 184 using result_type = typename MaxExponentPromotion<T, U>::type; | |
| 185 template <typename V> | |
| 186 static bool Do(T x, U y, V* result) { | |
| 187 #if USE_OVERFLOW_BUILTINS | |
| 188 #if defined(__clang__) | |
| 189 // TODO(jschuh): Get the Clang runtime library issues sorted out so we can | |
| 190 // support full-width, mixed-sign multiply builtins. | |
| 191 // https://crbug.com/613003 | |
| 192 static const bool kUseMaxInt = | |
| 193 // Narrower type than uintptr_t is always safe. | |
| 194 std::numeric_limits<__typeof__(x * y)>::digits < | |
| 195 std::numeric_limits<intptr_t>::digits || | |
| 196 // Safe for intptr_t and uintptr_t if the sign matches. | |
| 197 (IntegerBitsPlusSign<__typeof__(x * y)>::value == | |
| 198 IntegerBitsPlusSign<intptr_t>::value && | |
| 199 std::is_signed<T>::value == std::is_signed<U>::value); | |
| 200 #else | |
| 201 static const bool kUseMaxInt = true; | |
| 202 #endif | |
| 203 if (kUseMaxInt) | |
| 204 return !__builtin_mul_overflow(x, y, result); | |
| 205 #endif | |
| 206 using Promotion = typename FastIntegerArithmeticPromotion<T, U>::type; | |
| 207 Promotion presult; | |
| 208 // Fail if either operand is out of range for the promoted type. | |
| 209 // TODO(jschuh): This could be made to work for a broader range of values. | |
| 210 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && | |
| 211 IsValueInRangeForNumericType<Promotion>(y); | |
| 212 | |
| 213 if (IsIntegerArithmeticSafe<Promotion, T, U>::value) { | |
| 214 presult = static_cast<Promotion>(x) * static_cast<Promotion>(y); | |
| 215 } else { | |
| 216 is_valid &= CheckedMulImpl(static_cast<Promotion>(x), | |
| 217 static_cast<Promotion>(y), &presult); | |
| 218 } | |
| 219 *result = static_cast<V>(presult); | |
| 220 return is_valid && IsValueInRangeForNumericType<V>(presult); | |
| 221 } | |
| 222 }; | |
| 223 | |
| 224 // Avoid poluting the namespace once we're done with the macro. | |
| 225 #undef USE_OVERFLOW_BUILTINS | |
| 226 | |
| 227 // Division just requires a check for a zero denominator or an invalid negation | |
| 228 // on signed min/-1. | |
| 229 template <typename T> | |
| 230 bool CheckedDivImpl(T x, T y, T* result) { | |
| 231 static_assert(std::is_integral<T>::value, "Type must be integral"); | |
| 232 if (y && (!std::is_signed<T>::value || | |
| 233 x != std::numeric_limits<T>::lowest() || y != static_cast<T>(-1))) { | |
| 234 *result = x / y; | |
| 235 return true; | |
| 236 } | |
| 237 return false; | |
| 238 } | |
| 239 | |
| 240 template <typename T, typename U, class Enable = void> | |
| 241 struct CheckedDivOp {}; | |
| 242 | |
| 243 template <typename T, typename U> | |
| 244 struct CheckedDivOp<T, | |
| 245 U, | |
| 246 typename std::enable_if<std::is_integral<T>::value && | |
| 247 std::is_integral<U>::value>::type> { | |
| 248 using result_type = typename MaxExponentPromotion<T, U>::type; | |
| 249 template <typename V> | |
| 250 static bool Do(T x, U y, V* result) { | |
| 251 using Promotion = typename BigEnoughPromotion<T, U>::type; | |
| 252 Promotion presult; | |
| 253 // Fail if either operand is out of range for the promoted type. | |
| 254 // TODO(jschuh): This could be made to work for a broader range of values. | |
| 255 bool is_valid = IsValueInRangeForNumericType<Promotion>(x) && | |
| 256 IsValueInRangeForNumericType<Promotion>(y); | |
| 257 is_valid &= CheckedDivImpl(static_cast<Promotion>(x), | |
| 258 static_cast<Promotion>(y), &presult); | |
| 259 *result = static_cast<V>(presult); | |
| 260 return is_valid && IsValueInRangeForNumericType<V>(presult); | |
| 261 } | |
| 262 }; | |
| 263 | |
| 264 template <typename T> | |
| 265 bool CheckedModImpl(T x, T y, T* result) { | |
| 266 static_assert(std::is_integral<T>::value, "Type must be integral"); | |
| 267 if (y > 0) { | |
| 268 *result = static_cast<T>(x % y); | |
| 269 return true; | |
| 270 } | |
| 271 return false; | |
| 272 } | |
| 273 | |
| 274 template <typename T, typename U, class Enable = void> | |
| 275 struct CheckedModOp {}; | |
| 276 | |
| 277 template <typename T, typename U> | |
| 278 struct CheckedModOp<T, | |
| 279 U, | |
| 280 typename std::enable_if<std::is_integral<T>::value && | |
| 281 std::is_integral<U>::value>::type> { | |
| 282 using result_type = typename MaxExponentPromotion<T, U>::type; | |
| 283 template <typename V> | |
| 284 static bool Do(T x, U y, V* result) { | |
| 285 using Promotion = typename BigEnoughPromotion<T, U>::type; | |
| 286 Promotion presult; | |
| 287 bool is_valid = CheckedModImpl(static_cast<Promotion>(x), | |
| 288 static_cast<Promotion>(y), &presult); | |
| 289 *result = static_cast<V>(presult); | |
| 290 return is_valid && IsValueInRangeForNumericType<V>(presult); | |
| 291 } | |
| 292 }; | |
| 293 | |
| 294 template <typename T, typename U, class Enable = void> | |
| 295 struct CheckedLshOp {}; | |
| 296 | |
| 297 // Left shift. Shifts less than 0 or greater than or equal to the number | |
| 298 // of bits in the promoted type are undefined. Shifts of negative values | |
| 299 // are undefined. Otherwise it is defined when the result fits. | |
| 300 template <typename T, typename U> | |
| 301 struct CheckedLshOp<T, | |
| 302 U, | |
| 303 typename std::enable_if<std::is_integral<T>::value && | |
| 304 std::is_integral<U>::value>::type> { | |
| 305 using result_type = T; | |
| 306 template <typename V> | |
| 307 static bool Do(T x, U shift, V* result) { | |
| 308 using ShiftType = typename std::make_unsigned<T>::type; | |
| 309 static const ShiftType kBitWidth = IntegerBitsPlusSign<T>::value; | |
| 310 const ShiftType real_shift = static_cast<ShiftType>(shift); | |
| 311 // Signed shift is not legal on negative values. | |
| 312 if (!IsValueNegative(x) && real_shift < kBitWidth) { | |
| 313 // Just use a multiplication because it's easy. | |
| 314 // TODO(jschuh): This could probably be made more efficient. | |
| 315 if (!std::is_signed<T>::value || real_shift != kBitWidth - 1) | |
| 316 return CheckedMulOp<T, T>::Do(x, static_cast<T>(1) << shift, result); | |
| 317 return !x; // Special case zero for a full width signed shift. | |
| 318 } | |
| 319 return false; | |
| 320 } | |
| 321 }; | |
| 322 | |
| 323 template <typename T, typename U, class Enable = void> | |
| 324 struct CheckedRshOp {}; | |
| 325 | |
| 326 // Right shift. Shifts less than 0 or greater than or equal to the number | |
| 327 // of bits in the promoted type are undefined. Otherwise, it is always defined, | |
| 328 // but a right shift of a negative value is implementation-dependent. | |
| 329 template <typename T, typename U> | |
| 330 struct CheckedRshOp<T, | |
| 331 U, | |
| 332 typename std::enable_if<std::is_integral<T>::value && | |
| 333 std::is_integral<U>::value>::type> { | |
| 334 using result_type = T; | |
| 335 template <typename V = result_type> | |
| 336 static bool Do(T x, U shift, V* result) { | |
| 337 // Use the type conversion push negative values out of range. | |
| 338 using ShiftType = typename std::make_unsigned<T>::type; | |
| 339 if (static_cast<ShiftType>(shift) < IntegerBitsPlusSign<T>::value) { | |
| 340 T tmp = x >> shift; | |
| 341 *result = static_cast<V>(tmp); | |
| 342 return IsValueInRangeForNumericType<V>(tmp); | |
| 343 } | |
| 344 return false; | |
| 345 } | |
| 346 }; | |
| 347 | |
| 348 template <typename T, typename U, class Enable = void> | |
| 349 struct CheckedAndOp {}; | |
| 350 | |
| 351 // For simplicity we support only unsigned integer results. | |
| 352 template <typename T, typename U> | |
| 353 struct CheckedAndOp<T, | |
| 354 U, | |
| 355 typename std::enable_if<std::is_integral<T>::value && | |
| 356 std::is_integral<U>::value>::type> { | |
| 357 using result_type = typename std::make_unsigned< | |
| 358 typename MaxExponentPromotion<T, U>::type>::type; | |
| 359 template <typename V = result_type> | |
| 360 static bool Do(T x, U y, V* result) { | |
| 361 result_type tmp = static_cast<result_type>(x) & static_cast<result_type>(y); | |
| 362 *result = static_cast<V>(tmp); | |
| 363 return IsValueInRangeForNumericType<V>(tmp); | |
| 364 } | |
| 365 }; | |
| 366 | |
| 367 template <typename T, typename U, class Enable = void> | |
| 368 struct CheckedOrOp {}; | |
| 369 | |
| 370 // For simplicity we support only unsigned integers. | |
| 371 template <typename T, typename U> | |
| 372 struct CheckedOrOp<T, | |
| 373 U, | |
| 374 typename std::enable_if<std::is_integral<T>::value && | |
| 375 std::is_integral<U>::value>::type> { | |
| 376 using result_type = typename std::make_unsigned< | |
| 377 typename MaxExponentPromotion<T, U>::type>::type; | |
| 378 template <typename V = result_type> | |
| 379 static bool Do(T x, U y, V* result) { | |
| 380 result_type tmp = static_cast<result_type>(x) | static_cast<result_type>(y); | |
| 381 *result = static_cast<V>(tmp); | |
| 382 return IsValueInRangeForNumericType<V>(tmp); | |
| 383 } | |
| 384 }; | |
| 385 | |
| 386 template <typename T, typename U, class Enable = void> | |
| 387 struct CheckedXorOp {}; | |
| 388 | |
| 389 // For simplicity we support only unsigned integers. | |
| 390 template <typename T, typename U> | |
| 391 struct CheckedXorOp<T, | |
| 392 U, | |
| 393 typename std::enable_if<std::is_integral<T>::value && | |
| 394 std::is_integral<U>::value>::type> { | |
| 395 using result_type = typename std::make_unsigned< | |
| 396 typename MaxExponentPromotion<T, U>::type>::type; | |
| 397 template <typename V = result_type> | |
| 398 static bool Do(T x, U y, V* result) { | |
| 399 result_type tmp = static_cast<result_type>(x) ^ static_cast<result_type>(y); | |
| 400 *result = static_cast<V>(tmp); | |
| 401 return IsValueInRangeForNumericType<V>(tmp); | |
| 402 } | |
| 403 }; | |
| 404 | |
| 405 // Max doesn't really need to be implemented this way because it can't fail, | |
| 406 // but it makes the code much cleaner to use the MathOp wrappers. | |
| 407 template <typename T, typename U, class Enable = void> | |
| 408 struct CheckedMaxOp {}; | |
| 409 | |
| 410 template <typename T, typename U> | |
| 411 struct CheckedMaxOp< | |
| 412 T, | |
| 413 U, | |
| 414 typename std::enable_if<std::is_arithmetic<T>::value && | |
| 415 std::is_arithmetic<U>::value>::type> { | |
| 416 using result_type = typename MaxExponentPromotion<T, U>::type; | |
| 417 template <typename V = result_type> | |
| 418 static bool Do(T x, U y, V* result) { | |
| 419 *result = IsGreater<T, U>::Test(x, y) ? static_cast<result_type>(x) | |
| 420 : static_cast<result_type>(y); | |
| 421 return true; | |
| 422 } | |
| 423 }; | |
| 424 | |
| 425 // Min doesn't really need to be implemented this way because it can't fail, | |
| 426 // but it makes the code much cleaner to use the MathOp wrappers. | |
| 427 template <typename T, typename U, class Enable = void> | |
| 428 struct CheckedMinOp {}; | |
| 429 | |
| 430 template <typename T, typename U> | |
| 431 struct CheckedMinOp< | |
| 432 T, | |
| 433 U, | |
| 434 typename std::enable_if<std::is_arithmetic<T>::value && | |
| 435 std::is_arithmetic<U>::value>::type> { | |
| 436 using result_type = typename LowestValuePromotion<T, U>::type; | |
| 437 template <typename V = result_type> | |
| 438 static bool Do(T x, U y, V* result) { | |
| 439 *result = IsLess<T, U>::Test(x, y) ? static_cast<result_type>(x) | |
| 440 : static_cast<result_type>(y); | |
| 441 return true; | |
| 442 } | |
| 443 }; | |
| 444 | |
| 445 // This is just boilerplate that wraps the standard floating point arithmetic. | |
| 446 // A macro isn't the nicest solution, but it beats rewriting these repeatedly. | |
| 447 #define BASE_FLOAT_ARITHMETIC_OPS(NAME, OP) \ | |
| 448 template <typename T, typename U> \ | |
| 449 struct Checked##NAME##Op< \ | |
| 450 T, U, typename std::enable_if<std::is_floating_point<T>::value || \ | |
| 451 std::is_floating_point<U>::value>::type> { \ | |
| 452 using result_type = typename MaxExponentPromotion<T, U>::type; \ | |
| 453 template <typename V> \ | |
| 454 static bool Do(T x, U y, V* result) { \ | |
| 455 using Promotion = typename MaxExponentPromotion<T, U>::type; \ | |
| 456 Promotion presult = x OP y; \ | |
| 457 *result = static_cast<V>(presult); \ | |
| 458 return IsValueInRangeForNumericType<V>(presult); \ | |
| 459 } \ | |
| 460 }; | |
| 461 | |
| 462 BASE_FLOAT_ARITHMETIC_OPS(Add, +) | |
| 463 BASE_FLOAT_ARITHMETIC_OPS(Sub, -) | |
| 464 BASE_FLOAT_ARITHMETIC_OPS(Mul, *) | |
| 465 BASE_FLOAT_ARITHMETIC_OPS(Div, /) | |
| 466 | |
| 467 #undef BASE_FLOAT_ARITHMETIC_OPS | |
| 468 | |
| 469 // Wrap the unary operations to allow SFINAE when instantiating integrals versus | |
| 470 // floating points. These don't perform any overflow checking. Rather, they | |
| 471 // exhibit well-defined overflow semantics and rely on the caller to detect | |
| 472 // if an overflow occured. | |
| 473 | |
| 474 template <typename T, | |
| 475 typename std::enable_if<std::is_integral<T>::value>::type* = nullptr> | |
| 476 constexpr T NegateWrapper(T value) { | |
| 477 using UnsignedT = typename std::make_unsigned<T>::type; | |
| 478 // This will compile to a NEG on Intel, and is normal negation on ARM. | |
| 479 return static_cast<T>(UnsignedT(0) - static_cast<UnsignedT>(value)); | |
| 480 } | |
| 481 | |
| 482 template < | |
| 483 typename T, | |
| 484 typename std::enable_if<std::is_floating_point<T>::value>::type* = nullptr> | |
| 485 constexpr T NegateWrapper(T value) { | |
| 486 return -value; | |
| 487 } | |
| 488 | |
| 489 template <typename T, | |
| 490 typename std::enable_if<std::is_integral<T>::value>::type* = nullptr> | |
| 491 constexpr typename std::make_unsigned<T>::type InvertWrapper(T value) { | |
| 492 return ~value; | |
| 493 } | |
| 494 | |
| 495 template <typename T, | |
| 496 typename std::enable_if<std::is_integral<T>::value>::type* = nullptr> | |
| 497 constexpr T AbsWrapper(T value) { | |
| 498 return static_cast<T>(SafeUnsignedAbs(value)); | |
| 499 } | |
| 500 | |
| 501 template < | |
| 502 typename T, | |
| 503 typename std::enable_if<std::is_floating_point<T>::value>::type* = nullptr> | |
| 504 constexpr T AbsWrapper(T value) { | |
| 505 return value < 0 ? -value : value; | |
| 506 } | |
| 507 | |
| 508 // Floats carry around their validity state with them, but integers do not. So, | |
| 509 // we wrap the underlying value in a specialization in order to hide that detail | |
| 510 // and expose an interface via accessors. | |
| 511 enum NumericRepresentation { | |
| 512 NUMERIC_INTEGER, | |
| 513 NUMERIC_FLOATING, | |
| 514 NUMERIC_UNKNOWN | |
| 515 }; | |
| 516 | |
| 517 template <typename NumericType> | |
| 518 struct GetNumericRepresentation { | |
| 519 static const NumericRepresentation value = | |
| 520 std::is_integral<NumericType>::value | |
| 521 ? NUMERIC_INTEGER | |
| 522 : (std::is_floating_point<NumericType>::value ? NUMERIC_FLOATING | |
| 523 : NUMERIC_UNKNOWN); | |
| 524 }; | |
| 525 | |
| 526 template <typename T, NumericRepresentation type = | |
| 527 GetNumericRepresentation<T>::value> | |
| 528 class CheckedNumericState {}; | |
| 529 | |
| 530 // Integrals require quite a bit of additional housekeeping to manage state. | |
| 531 template <typename T> | |
| 532 class CheckedNumericState<T, NUMERIC_INTEGER> { | |
| 533 private: | |
| 534 // is_valid_ precedes value_ because member intializers in the constructors | |
| 535 // are evaluated in field order, and is_valid_ must be read when initializing | |
| 536 // value_. | |
| 537 bool is_valid_; | |
| 538 T value_; | |
| 539 | |
| 540 // Ensures that a type conversion does not trigger undefined behavior. | |
| 541 template <typename Src> | |
| 542 static constexpr T WellDefinedConversionOrZero(const Src value, | |
| 543 const bool is_valid) { | |
| 544 using SrcType = typename internal::UnderlyingType<Src>::type; | |
| 545 return (std::is_integral<SrcType>::value || is_valid) | |
| 546 ? static_cast<T>(value) | |
| 547 : static_cast<T>(0); | |
| 548 } | |
| 549 | |
| 550 public: | |
| 551 template <typename Src, NumericRepresentation type> | |
| 552 friend class CheckedNumericState; | |
| 553 | |
| 554 constexpr CheckedNumericState() : is_valid_(true), value_(0) {} | |
| 555 | |
| 556 template <typename Src> | |
| 557 constexpr CheckedNumericState(Src value, bool is_valid) | |
| 558 : is_valid_(is_valid && IsValueInRangeForNumericType<T>(value)), | |
| 559 value_(WellDefinedConversionOrZero(value, is_valid_)) { | |
| 560 static_assert(std::is_arithmetic<Src>::value, "Argument must be numeric."); | |
| 561 } | |
| 562 | |
| 563 // Copy constructor. | |
| 564 template <typename Src> | |
| 565 constexpr CheckedNumericState(const CheckedNumericState<Src>& rhs) | |
| 566 : is_valid_(rhs.IsValid()), | |
| 567 value_(WellDefinedConversionOrZero(rhs.value(), is_valid_)) {} | |
| 568 | |
| 569 template <typename Src> | |
| 570 constexpr explicit CheckedNumericState(Src value) | |
| 571 : is_valid_(IsValueInRangeForNumericType<T>(value)), | |
| 572 value_(WellDefinedConversionOrZero(value, is_valid_)) {} | |
| 573 | |
| 574 constexpr bool is_valid() const { return is_valid_; } | |
| 575 constexpr T value() const { return value_; } | |
| 576 }; | |
| 577 | |
| 578 // Floating points maintain their own validity, but need translation wrappers. | |
| 579 template <typename T> | |
| 580 class CheckedNumericState<T, NUMERIC_FLOATING> { | |
| 581 private: | |
| 582 T value_; | |
| 583 | |
| 584 // Ensures that a type conversion does not trigger undefined behavior. | |
| 585 template <typename Src> | |
| 586 static constexpr T WellDefinedConversionOrNaN(const Src value, | |
| 587 const bool is_valid) { | |
| 588 using SrcType = typename internal::UnderlyingType<Src>::type; | |
| 589 return (StaticDstRangeRelationToSrcRange<T, SrcType>::value == | |
| 590 NUMERIC_RANGE_CONTAINED || | |
| 591 is_valid) | |
| 592 ? static_cast<T>(value) | |
| 593 : std::numeric_limits<T>::quiet_NaN(); | |
| 594 } | |
| 595 | |
| 596 public: | |
| 597 template <typename Src, NumericRepresentation type> | |
| 598 friend class CheckedNumericState; | |
| 599 | |
| 600 constexpr CheckedNumericState() : value_(0.0) {} | |
| 601 | |
| 602 template <typename Src> | |
| 603 constexpr CheckedNumericState(Src value, bool is_valid) | |
| 604 : value_(WellDefinedConversionOrNaN(value, is_valid)) {} | |
| 605 | |
| 606 template <typename Src> | |
| 607 constexpr explicit CheckedNumericState(Src value) | |
| 608 : value_(WellDefinedConversionOrNaN( | |
| 609 value, | |
| 610 IsValueInRangeForNumericType<T>(value))) {} | |
| 611 | |
| 612 // Copy constructor. | |
| 613 template <typename Src> | |
| 614 constexpr CheckedNumericState(const CheckedNumericState<Src>& rhs) | |
| 615 : value_(WellDefinedConversionOrNaN( | |
| 616 rhs.value(), | |
| 617 rhs.is_valid() && IsValueInRangeForNumericType<T>(rhs.value()))) {} | |
| 618 | |
| 619 constexpr bool is_valid() const { | |
| 620 // Written this way because std::isfinite is not reliably constexpr. | |
| 621 // TODO(jschuh): Fix this if the libraries ever get fixed. | |
| 622 return value_ <= std::numeric_limits<T>::max() && | |
| 623 value_ >= std::numeric_limits<T>::lowest(); | |
| 624 } | |
| 625 constexpr T value() const { return value_; } | |
| 626 }; | |
| 627 | |
| 628 template <template <typename, typename, typename> class M, | |
| 629 typename L, | |
| 630 typename R> | |
| 631 struct MathWrapper { | |
| 632 using math = M<typename UnderlyingType<L>::type, | |
| 633 typename UnderlyingType<R>::type, | |
| 634 void>; | |
| 635 using type = typename math::result_type; | |
| 636 }; | |
| 637 | |
| 638 } // namespace internal | |
| 639 } // namespace base | |
| 640 | |
| 641 #endif // BASE_NUMERICS_SAFE_MATH_IMPL_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2931323002:
Split out code to be shared between CheckedNumeric and ClampedNumeric (Closed)
