| 1 | /* |
|---|---|
| 2 | * |
| 3 | * Copyright (C) 2015 The Android Open Source Project |
| 4 | * |
| 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at |
| 8 | * |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * |
| 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
| 16 | */ |
| 17 | |
| 18 | // Functions for safe arithmetic (guarded against overflow) on integer types. |
| 19 | |
| 20 | #ifndef __dng_safe_arithmetic__ |
| 21 | #define __dng_safe_arithmetic__ |
| 22 | |
| 23 | #include <cstddef> |
| 24 | #include <cstdint> |
| 25 | #include <limits> |
| 26 | |
| 27 | #include "dng_exceptions.h" |
| 28 | |
| 29 | #ifndef __has_builtin |
| 30 | #define __has_builtin(x) 0 // Compatibility with non-Clang compilers. |
| 31 | #endif |
| 32 | |
| 33 | #if !defined(DNG_HAS_INT128) && defined(__SIZEOF_INT128__) |
| 34 | #define DNG_HAS_INT128 |
| 35 | #endif |
| 36 | |
| 37 | // If the result of adding arg1 and arg2 will fit in an int32_t (without |
| 38 | // under-/overflow), stores this result in *result and returns true. Otherwise, |
| 39 | // returns false and leaves *result unchanged. |
| 40 | bool SafeInt32Add(std::int32_t arg1, std::int32_t arg2, std::int32_t *result); |
| 41 | |
| 42 | // Returns the result of adding arg1 and arg2 if it will fit in the result type |
| 43 | // (without under-/overflow). Otherwise, throws a dng_exception with error code |
| 44 | // dng_error_unknown. |
| 45 | std::int32_t SafeInt32Add(std::int32_t arg1, std::int32_t arg2); |
| 46 | std::int64_t SafeInt64Add(std::int64_t arg1, std::int64_t arg2); |
| 47 | |
| 48 | // If the result of adding arg1 and arg2 will fit in a uint32_t (without |
| 49 | // wraparound), stores this result in *result and returns true. Otherwise, |
| 50 | // returns false and leaves *result unchanged. |
| 51 | bool SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2, |
| 52 | std::uint32_t *result); |
| 53 | |
| 54 | // Returns the result of adding arg1 and arg2 if it will fit in the result type |
| 55 | // (without wraparound). Otherwise, throws a dng_exception with error code |
| 56 | // dng_error_unknown. |
| 57 | std::uint32_t SafeUint32Add(std::uint32_t arg1, std::uint32_t arg2); |
| 58 | std::uint64_t SafeUint64Add(std::uint64_t arg1, std::uint64_t arg2); |
| 59 | |
| 60 | // If the subtraction of arg2 from arg1 will not result in an int32_t under- or |
| 61 | // overflow, stores this result in *result and returns true. Otherwise, |
| 62 | // returns false and leaves *result unchanged. |
| 63 | bool SafeInt32Sub(std::int32_t arg1, std::int32_t arg2, std::int32_t *result); |
| 64 | |
| 65 | // Returns the result of subtracting arg2 from arg1 if this operation will not |
| 66 | // result in an int32_t under- or overflow. Otherwise, throws a dng_exception |
| 67 | // with error code dng_error_unknown. |
| 68 | std::int32_t SafeInt32Sub(std::int32_t arg1, std::int32_t arg2); |
| 69 | |
| 70 | // Returns the result of subtracting arg2 from arg1 if this operation will not |
| 71 | // result in wraparound. Otherwise, throws a dng_exception with error code |
| 72 | // dng_error_unknown. |
| 73 | std::uint32_t SafeUint32Sub(std::uint32_t arg1, std::uint32_t arg2); |
| 74 | |
| 75 | // Returns the result of multiplying arg1 and arg2 if it will fit in a int32_t |
| 76 | // (without overflow). Otherwise, throws a dng_exception with error code |
| 77 | // dng_error_unknown. |
| 78 | std::int32_t SafeInt32Mult(std::int32_t arg1, std::int32_t arg2); |
| 79 | |
| 80 | // If the result of multiplying arg1, ..., argn will fit in a uint32_t (without |
| 81 | // wraparound), stores this result in *result and returns true. Otherwise, |
| 82 | // returns false and leaves *result unchanged. |
| 83 | bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, |
| 84 | std::uint32_t *result); |
| 85 | bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3, |
| 86 | std::uint32_t *result); |
| 87 | bool SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, std::uint32_t arg3, |
| 88 | std::uint32_t arg4, std::uint32_t *result); |
| 89 | |
| 90 | // Returns the result of multiplying arg1, ..., argn if it will fit in a |
| 91 | // uint32_t (without wraparound). Otherwise, throws a dng_exception with error |
| 92 | // code dng_error_unknown. |
| 93 | std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2); |
| 94 | std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, |
| 95 | std::uint32_t arg3); |
| 96 | std::uint32_t SafeUint32Mult(std::uint32_t arg1, std::uint32_t arg2, |
| 97 | std::uint32_t arg3, std::uint32_t arg4); |
| 98 | |
| 99 | // Returns the result of multiplying arg1 and arg2 if it will fit in a size_t |
| 100 | // (without overflow). Otherwise, throws a dng_exception with error code |
| 101 | // dng_error_unknown. |
| 102 | std::size_t SafeSizetMult(std::size_t arg1, std::size_t arg2); |
| 103 | |
| 104 | namespace dng_internal { |
| 105 | |
| 106 | // Internal function used as fallback for SafeInt64Mult() if other optimized |
| 107 | // computation is not supported. Don't call this function directly. |
| 108 | std::int64_t SafeInt64MultSlow(std::int64_t arg1, std::int64_t arg2); |
| 109 | |
| 110 | // Internal function used as optimization for SafeInt64Mult() if Clang |
| 111 | // __builtin_smull_overflow is supported. Don't call this function directly. |
| 112 | #if __has_builtin(__builtin_smull_overflow) |
| 113 | inline std::int64_t SafeInt64MultByClang(std::int64_t arg1, std::int64_t arg2) { |
| 114 | std::int64_t result; |
| 115 | #if (__WORDSIZE == 64) && !defined(__APPLE__) |
| 116 | if (__builtin_smull_overflow(arg1, arg2, &result)) { |
| 117 | #else |
| 118 | if (__builtin_smulll_overflow(arg1, arg2, &result)) { |
| 119 | #endif |
| 120 | ThrowProgramError("Arithmetic overflow"); |
| 121 | abort(); // Never reached. |
| 122 | } |
| 123 | return result; |
| 124 | } |
| 125 | #endif |
| 126 | |
| 127 | // Internal function used as optimization for SafeInt64Mult() if __int128 type |
| 128 | // is supported. Don't call this function directly. |
| 129 | #ifdef DNG_HAS_INT128 |
| 130 | inline std::int64_t SafeInt64MultByInt128(std::int64_t arg1, |
| 131 | std::int64_t arg2) { |
| 132 | const __int128 kInt64Max = |
| 133 | static_cast<__int128>(std::numeric_limits<std::int64_t>::max()); |
| 134 | const __int128 kInt64Min = |
| 135 | static_cast<__int128>(std::numeric_limits<std::int64_t>::min()); |
| 136 | __int128 result = static_cast<__int128>(arg1) * static_cast<__int128>(arg2); |
| 137 | if (result > kInt64Max || result < kInt64Min) { |
| 138 | ThrowProgramError("Arithmetic overflow"); |
| 139 | } |
| 140 | return static_cast<std::int64_t>(result); |
| 141 | } |
| 142 | #endif |
| 143 | |
| 144 | } // namespace dng_internal |
| 145 | |
| 146 | // Returns the result of multiplying arg1 and arg2 if it will fit in an int64_t |
| 147 | // (without overflow). Otherwise, throws a dng_exception with error code |
| 148 | // dng_error_unknown. |
| 149 | inline std::int64_t SafeInt64Mult(std::int64_t arg1, std::int64_t arg2) { |
| 150 | #if __has_builtin(__builtin_smull_overflow) |
| 151 | return dng_internal::SafeInt64MultByClang(arg1, arg2); |
| 152 | #elif defined(DNG_HAS_INT128) |
| 153 | return dng_internal::SafeInt64MultByInt128(arg1, arg2); |
| 154 | #else |
| 155 | return dng_internal::SafeInt64MultSlow(arg1, arg2); |
| 156 | #endif |
| 157 | } |
| 158 | |
| 159 | // Returns the result of dividing arg1 by arg2; if the result is not an integer, |
| 160 | // rounds up to the next integer. If arg2 is zero, throws a dng_exception with |
| 161 | // error code dng_error_unknown. |
| 162 | // The function is safe against wraparound and will return the correct result |
| 163 | // for all combinations of arg1 and arg2. |
| 164 | std::uint32_t SafeUint32DivideUp(std::uint32_t arg1, std::uint32_t arg2); |
| 165 | |
| 166 | // Finds the smallest integer multiple of 'multiple_of' that is greater than or |
| 167 | // equal to 'val'. If this value will fit in a uint32_t, stores it in *result |
| 168 | // and returns true. Otherwise, or if 'multiple_of' is zero, returns false and |
| 169 | // leaves *result unchanged. |
| 170 | bool RoundUpUint32ToMultiple(std::uint32_t val, std::uint32_t multiple_of, |
| 171 | std::uint32_t *result); |
| 172 | |
| 173 | // Returns the smallest integer multiple of 'multiple_of' that is greater than |
| 174 | // or equal to 'val'. If the result will not fit in a std::uint32_t or if |
| 175 | // 'multiple_of' is zero, throws a dng_exception with error code |
| 176 | // dng_error_unknown. |
| 177 | std::uint32_t RoundUpUint32ToMultiple(std::uint32_t val, |
| 178 | std::uint32_t multiple_of); |
| 179 | |
| 180 | // If the uint32_t value val will fit in a int32_t, converts it to a int32_t and |
| 181 | // stores it in *result. Otherwise, returns false and leaves *result unchanged. |
| 182 | bool ConvertUint32ToInt32(std::uint32_t val, std::int32_t *result); |
| 183 | |
| 184 | // Returns the result of converting val to an int32_t if it can be converted |
| 185 | // without overflow. Otherwise, throws a dng_exception with error code |
| 186 | // dng_error_unknown. |
| 187 | std::int32_t ConvertUint32ToInt32(std::uint32_t val); |
| 188 | |
| 189 | // Converts a value of the unsigned integer type TSrc to the unsigned integer |
| 190 | // type TDest. If the value in 'src' cannot be converted to the type TDest |
| 191 | // without truncation, throws a dng_exception with error code dng_error_unknown. |
| 192 | // |
| 193 | // Note: Though this function is typically used where TDest is a narrower type |
| 194 | // than TSrc, it is designed to work also if TDest is wider than from TSrc or |
| 195 | // identical to TSrc. This is useful in situations where the width of the types |
| 196 | // involved can change depending on the architecture -- for example, the |
| 197 | // conversion from size_t to uint32_t may either be narrowing, identical or even |
| 198 | // widening (though the latter admittedly happens only on architectures that |
| 199 | // aren't relevant to us). |
| 200 | template <class TSrc, class TDest> |
| 201 | static void ConvertUnsigned(TSrc src, TDest *dest) { |
| 202 | static_assert(std::numeric_limits<TSrc>::is_integer && |
| 203 | !std::numeric_limits<TSrc>::is_signed && |
| 204 | std::numeric_limits<TDest>::is_integer && |
| 205 | !std::numeric_limits<TDest>::is_signed, |
| 206 | "TSrc and TDest must be unsigned integer types"); |
| 207 | |
| 208 | const TDest converted = static_cast<TDest>(src); |
| 209 | |
| 210 | // Convert back to TSrc to check whether truncation occurred in the |
| 211 | // conversion to TDest. |
| 212 | if (static_cast<TSrc>(converted) != src) { |
| 213 | ThrowProgramError("Overflow in unsigned integer conversion"); |
| 214 | } |
| 215 | |
| 216 | *dest = converted; |
| 217 | } |
| 218 | |
| 219 | // Returns the result of converting val to the result type using truncation if |
| 220 | // val is in range of the result type values. Otherwise, throws a dng_exception |
| 221 | // with error code dng_error_unknown. |
| 222 | std::int32_t ConvertDoubleToInt32(double val); |
| 223 | std::uint32_t ConvertDoubleToUint32(double val); |
| 224 | |
| 225 | // Returns the result of converting val to float. If val is outside of |
| 226 | // [-FLT_MAX, FLT_MAX], -infinity and infinity is returned respectively. NaN is |
| 227 | // returned as NaN. |
| 228 | float ConvertDoubleToFloat(double val); |
| 229 | |
| 230 | #endif // __dng_safe_arithmetic__ |
| 231 |
Generated while processing Skia/src/codec/SkRawCodec.cpp
Generated on 2020-Apr-12 from project Skia revision 83.5
Powered by 
Code Browser 2.1
Generator usage only permitted with license.