1 /*
2 *
3 * Copyright (C) 2015 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 // Functions for safe arithmetic (guarded against overflow) on integer types.
19
20 #ifndef __dng_safe_arithmetic__
21 #define __dng_safe_arithmetic__
22
23 #include <climits>
24 #include <cstddef>
25 #include <cstdint>
26 #include <limits>
27
28 #include "dng_exceptions.h"
29
30 #ifndef __has_builtin
31 #define __has_builtin(x) 0 // Compatibility with non-Clang compilers.
32 #endif
33
34 #if !defined(DNG_HAS_INT128) && defined(__SIZEOF_INT128__)
35 #define DNG_HAS_INT128
36 #endif
37
38 // If the result of adding arg1 and arg2 will fit in an int32_t (without
39 // under-/overflow), stores this result in *result and returns true. Otherwise,
40 // returns false and leaves *result unchanged.
41 bool SafeInt32Add(std::int32_t arg1, std::int32_t arg2, std::int32_t *result);
42
43 // Returns the result of adding arg1 and arg2 if it will fit in the result type
44 // (without under-/overflow). Otherwise, throws a dng_exception with error code
45 // dng_error_unknown.
46 std::int32_t SafeInt32Add(std::int32_t arg1, std::int32_t arg2);
47 std::int64_t SafeInt64Add(std::int64_t arg1, std::int64_t arg2);
48
49 // If the result of adding arg1 and arg2 will fit in a uint32_t (without
50 // wraparound), stores this result in *result and returns true. Otherwise,
51 // returns false and leaves *result unchanged.
52 bool SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2,
53 std::uint32_t *result);
54
55 // Returns the result of adding arg1 and arg2 if it will fit in the result type
56 // (without wraparound). Otherwise, throws a dng_exception with error code
57 // dng_error_unknown.
58 std::uint32_t SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2);
59 std::uint64_t SafeUint64Add(std::uint64_t arg1, std::uint64_t arg2);
60
61 // If the subtraction of arg2 from arg1 will not result in an int32_t under- or
62 // overflow, stores this result in *result and returns true. Otherwise,
63 // returns false and leaves *result unchanged.
64 bool SafeInt32Sub(std::int32_t arg1, std::int32_t arg2, std::int32_t *result);
65
66 // Returns the result of subtracting arg2 from arg1 if this operation will not
67 // result in an int32_t under- or overflow. Otherwise, throws a dng_exception
68 // with error code dng_error_unknown.
69 std::int32_t SafeInt32Sub(std::int32_t arg1, std::int32_t arg2);
70
71 // Returns the result of subtracting arg2 from arg1 if this operation will not
72 // result in wraparound. Otherwise, throws a dng_exception with error code
73 // dng_error_unknown.
74 std::uint32_t SafeUint32Sub(std::uint32_t arg1, std::uint32_t arg2);
75
76 // Returns the result of multiplying arg1 and arg2 if it will fit in a int32_t
77 // (without overflow). Otherwise, throws a dng_exception with error code
78 // dng_error_unknown.
79 std::int32_t SafeInt32Mult(std::int32_t arg1, std::int32_t arg2);
80
81 // If the result of multiplying arg1, ..., argn will fit in a uint32_t (without
82 // wraparound), stores this result in *result and returns true. Otherwise,
83 // returns false and leaves *result unchanged.
84 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
85 std::uint32_t *result);
86 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3,
87 std::uint32_t *result);
88 bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3,
89 std::uint32_t arg4, std::uint32_t *result);
90
91 // Returns the result of multiplying arg1, ..., argn if it will fit in a
92 // uint32_t (without wraparound). Otherwise, throws a dng_exception with error
93 // code dng_error_unknown.
94 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2);
95 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
96 std::uint32_t arg3);
97 std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2,
98 std::uint32_t arg3, std::uint32_t arg4);
99
100 // Returns the result of multiplying arg1 and arg2 if it will fit in a size_t
101 // (without overflow). Otherwise, throws a dng_exception with error code
102 // dng_error_unknown.
103 std::size_t SafeSizetMult(std::size_t arg1, std::size_t arg2);
104
105 namespace dng_internal {
106
107 // Internal function used as fallback for SafeInt64Mult() if other optimized
108 // computation is not supported. Don't call this function directly.
109 std::int64_t SafeInt64MultSlow(std::int64_t arg1, std::int64_t arg2);
110
111 // Internal function used as optimization for SafeInt64Mult() if Clang
112 // __builtin_smull_overflow is supported. Don't call this function directly.
113 #if __has_builtin(__builtin_smull_overflow)
SafeInt64MultByClang(std::int64_t arg1,std::int64_t arg2)114 inline std::int64_t SafeInt64MultByClang(std::int64_t arg1, std::int64_t arg2) {
115 std::int64_t result;
116 #if (LONG_MAX == INT64_MAX) && !defined(__APPLE__)
117 if (__builtin_smull_overflow(arg1, arg2, &result)) {
118 #else
119 if (__builtin_smulll_overflow(arg1, arg2, &result)) {
120 #endif
121 ThrowProgramError("Arithmetic overflow");
122 abort(); // Never reached.
123 }
124 return result;
125 }
126 #endif
127
128 // Internal function used as optimization for SafeInt64Mult() if __int128 type
129 // is supported. Don't call this function directly.
130 #ifdef DNG_HAS_INT128
131 inline std::int64_t SafeInt64MultByInt128(std::int64_t arg1,
132 std::int64_t arg2) {
133 const __int128 kInt64Max =
134 static_cast<__int128>(std::numeric_limits<std::int64_t>::max());
135 const __int128 kInt64Min =
136 static_cast<__int128>(std::numeric_limits<std::int64_t>::min());
137 __int128 result = static_cast<__int128>(arg1) * static_cast<__int128>(arg2);
138 if (result > kInt64Max || result < kInt64Min) {
139 ThrowProgramError("Arithmetic overflow");
140 }
141 return static_cast<std::int64_t>(result);
142 }
143 #endif
144
145 } // namespace dng_internal
146
147 // Returns the result of multiplying arg1 and arg2 if it will fit in an int64_t
148 // (without overflow). Otherwise, throws a dng_exception with error code
149 // dng_error_unknown.
SafeInt64Mult(std::int64_t arg1,std::int64_t arg2)150 inline std::int64_t SafeInt64Mult(std::int64_t arg1, std::int64_t arg2) {
151 #if __has_builtin(__builtin_smull_overflow)
152 return dng_internal::SafeInt64MultByClang(arg1, arg2);
153 #elif defined(DNG_HAS_INT128)
154 return dng_internal::SafeInt64MultByInt128(arg1, arg2);
155 #else
156 return dng_internal::SafeInt64MultSlow(arg1, arg2);
157 #endif
158 }
159
160 // Returns the result of dividing arg1 by arg2; if the result is not an integer,
161 // rounds up to the next integer. If arg2 is zero, throws a dng_exception with
162 // error code dng_error_unknown.
163 // The function is safe against wraparound and will return the correct result
164 // for all combinations of arg1 and arg2.
165 std::uint32_t SafeUint32DivideUp(std::uint32_t arg1, std::uint32_t arg2);
166
167 // Finds the smallest integer multiple of 'multiple_of' that is greater than or
168 // equal to 'val'. If this value will fit in a uint32_t, stores it in *result
169 // and returns true. Otherwise, or if 'multiple_of' is zero, returns false and
170 // leaves *result unchanged.
171 bool RoundUpUint32ToMultiple(std::uint32_t val, std::uint32_t multiple_of,
172 std::uint32_t *result);
173
174 // Returns the smallest integer multiple of 'multiple_of' that is greater than
175 // or equal to 'val'. If the result will not fit in a std::uint32_t or if
176 // 'multiple_of' is zero, throws a dng_exception with error code
177 // dng_error_unknown.
178 std::uint32_t RoundUpUint32ToMultiple(std::uint32_t val,
179 std::uint32_t multiple_of);
180
181 // If the uint32_t value val will fit in a int32_t, converts it to a int32_t and
182 // stores it in *result. Otherwise, returns false and leaves *result unchanged.
183 bool ConvertUint32ToInt32(std::uint32_t val, std::int32_t *result);
184
185 // Returns the result of converting val to an int32_t if it can be converted
186 // without overflow. Otherwise, throws a dng_exception with error code
187 // dng_error_unknown.
188 std::int32_t ConvertUint32ToInt32(std::uint32_t val);
189
190 // Converts a value of the unsigned integer type TSrc to the unsigned integer
191 // type TDest. If the value in 'src' cannot be converted to the type TDest
192 // without truncation, throws a dng_exception with error code dng_error_unknown.
193 //
194 // Note: Though this function is typically used where TDest is a narrower type
195 // than TSrc, it is designed to work also if TDest is wider than from TSrc or
196 // identical to TSrc. This is useful in situations where the width of the types
197 // involved can change depending on the architecture -- for example, the
198 // conversion from size_t to uint32_t may either be narrowing, identical or even
199 // widening (though the latter admittedly happens only on architectures that
200 // aren't relevant to us).
201 template <class TSrc, class TDest>
ConvertUnsigned(TSrc src,TDest * dest)202 static void ConvertUnsigned(TSrc src, TDest *dest) {
203 static_assert(std::numeric_limits<TSrc>::is_integer &&
204 !std::numeric_limits<TSrc>::is_signed &&
205 std::numeric_limits<TDest>::is_integer &&
206 !std::numeric_limits<TDest>::is_signed,
207 "TSrc and TDest must be unsigned integer types");
208
209 const TDest converted = static_cast<TDest>(src);
210
211 // Convert back to TSrc to check whether truncation occurred in the
212 // conversion to TDest.
213 if (static_cast<TSrc>(converted) != src) {
214 ThrowProgramError("Overflow in unsigned integer conversion");
215 }
216
217 *dest = converted;
218 }
219
220 // Returns the result of converting val to the result type using truncation if
221 // val is in range of the result type values. Otherwise, throws a dng_exception
222 // with error code dng_error_unknown.
223 std::int32_t ConvertDoubleToInt32(double val);
224 std::uint32_t ConvertDoubleToUint32(double val);
225
226 // Returns the result of converting val to float. If val is outside of
227 // [-FLT_MAX, FLT_MAX], -infinity and infinity is returned respectively. NaN is
228 // returned as NaN.
229 float ConvertDoubleToFloat(double val);
230
231 #endif // __dng_safe_arithmetic__
232