This is an archive of the discontinued LLVM Phabricator instance.

Differential D65494

[Support] Added overflow checking add, sub and mul.
ClosedPublic

Authored by nand on Jul 30 2019, 5:38 PM.

Details

Reviewers
jfb
Bigcheese
rsmith
Summary

Added AddOverflow, SubOverflow and MulOverflow to compute truncated results and return a flag indicating whether overflow occured.

Diff Detail

Event Timeline

nand created this revision.Jul 30 2019, 5:38 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 30 2019, 5:38 PM
Herald added subscribers: llvm-commits, dexonsmith. · View Herald Transcript
Harbormaster completed remote builds in B35857: Diff 212480.Jul 30 2019, 5:39 PM
jfb added a comment.Jul 30 2019, 8:18 PM

Can you confirm that the tests pass with UBSan enabled?

llvm/include/llvm/Support/MathExtras.h
862

I think you want to have T1 X, T2 Y and enable_if::<is_same<T1, T2>::value since you're trying to avoid promotions entirely.

I'd also rather return a pair or a struct with named values instead of having a reference return value, and make the result nodiscard.

870

We have bit_cast in ADT/bit.h if that's what you meant to use. I think you meant static_cast thought :)

llvm/unittests/Support/MathExtrasTest.cpp
474

You probably want signed char instead of char.

lebedev.ri added a subscriber: lebedev.ri.Jul 31 2019, 4:47 AM
lebedev.ri added inline comments.
llvm/include/llvm/Support/MathExtras.h
783–786

Do you want to also refactor the functions that already used that checking at the same time?

nand marked 4 inline comments as done.Jul 31 2019, 7:00 AM
nand added inline comments.
llvm/include/llvm/Support/MathExtras.h
783–786

Unfortunately, I would like to avoid any refactoring in this diff.

862

I would like to keep these functions simple so at some point we might make them straightforward wrappers over __builtin_add_overflow etc, reason why I would like to keep this signature. Promotions can be handled on the callee's side. For my use case, I always want to explicitly specify the template parameter type.

Regarding struct returns, that sounds like a use case for a class such as CheckedInt/SafeInt etc, which doesn't seem to be required yet. A future implementation might use these methods though.

870

If the sizes match, doesn't static cast simply move the number bit by bit to the result? I have adjusted the comment.

nand updated this revision to Diff 212573.Jul 31 2019, 7:01 AM
nand marked an inline comment as done.

Updated comments about bitcast

Harbormaster completed remote builds in B35889: Diff 212573.Jul 31 2019, 7:01 AM
nand added a comment.Jul 31 2019, 7:40 AM

Just checked: tests pass with UBSan.

nand updated this revision to Diff 212597.Jul 31 2019, 9:17 AM

s/char/signed char/

nand marked 2 inline comments as done.Jul 31 2019, 9:17 AM

replaced char with signed char

jfb added inline comments.Jul 31 2019, 10:03 AM
llvm/include/llvm/Support/MathExtras.h
862

OK seeing this as the base helper SGTM.

You probably still want nodiscard however.

nand marked an inline comment as done.Jul 31 2019, 10:10 AM
nand added inline comments.
llvm/include/llvm/Support/MathExtras.h
862

This method is the only way to compute the result of overflow - if we know overflow happens, we might not want to look at the return flag at all.

jfb accepted this revision.Jul 31 2019, 10:13 AM
jfb added inline comments.
llvm/include/llvm/Support/MathExtras.h
862

That sounds good!

This revision is now accepted and ready to land.Jul 31 2019, 10:13 AM
jfb closed this revision.Jul 31 2019, 12:42 PM

http://llvm.org/r367470

Revision Contents

PathSize
llvm/
include/
llvm/
Support/
77 lines
unittests/
Support/
127 lines

Diff 212597

llvm/include/llvm/Support/MathExtras.h

Context not available.
/// Use this rather than HUGE_VALF; the latter causes warnings on MSVC. /// Use this rather than HUGE_VALF; the latter causes warnings on MSVC.
extern const float huge_valf; extern const float huge_valf;
/// Add two signed integers, computing the two's complement truncated result,
/// returning true if overflow occured.
template <typename T>
typename std::enable_if<std::is_signed<T>::value, T>::type
AddOverflow(T X, T Y, T &Result) {
// Perform the unsigned addition.
using U = typename std::make_unsigned<T>::type;
const U UX = static_cast<U>(X);
const U UY = static_cast<U>(Y);
const U UResult = UX + UY;
jfbUnsubmitted
Done
ReplyInline Actions

I think you want to have T1 X, T2 Y and enable_if::<is_same<T1, T2>::value since you're trying to avoid promotions entirely.

I'd also rather return a pair or a struct with named values instead of having a reference return value, and make the result nodiscard.

jfb: I think you want to have `T1 X, T2 Y` and `enable_if::<is_same<T1, T2>::value` since you're…
nandAuthorUnsubmitted
Done
ReplyInline Actions

I would like to keep these functions simple so at some point we might make them straightforward wrappers over __builtin_add_overflow etc, reason why I would like to keep this signature. Promotions can be handled on the callee's side. For my use case, I always want to explicitly specify the template parameter type.

Regarding struct returns, that sounds like a use case for a class such as CheckedInt/SafeInt etc, which doesn't seem to be required yet. A future implementation might use these methods though.

nand: I would like to keep these functions simple so at some point we might make them straightforward…
jfbUnsubmitted
Not Done
ReplyInline Actions

OK seeing this as the base helper SGTM.

You probably still want nodiscard however.

jfb: OK seeing this as the base helper SGTM. You probably still want `nodiscard` however.
nandAuthorUnsubmitted
Done
ReplyInline Actions

This method is the only way to compute the result of overflow - if we know overflow happens, we might not want to look at the return flag at all.

nand: This method is the only way to compute the result of overflow - if we know overflow happens, we…
jfbUnsubmitted
Not Done
ReplyInline Actions

That sounds good!

jfb: That sounds good!
// Convert to signed.
Result = static_cast<T>(UResult);
// Adding two positive numbers should result in a positive number.
if (X > 0 && Y > 0)
return Result <= 0;
// Adding two negatives should result in a negative number.
jfbUnsubmitted
Done
ReplyInline Actions

We have bit_cast in ADT/bit.h if that's what you meant to use. I think you meant static_cast thought :)

jfb: We have `bit_cast` in `ADT/bit.h` if that's what you meant to use. I think you meant…
nandAuthorUnsubmitted
Done
ReplyInline Actions

If the sizes match, doesn't static cast simply move the number bit by bit to the result? I have adjusted the comment.

nand: If the sizes match, doesn't static cast simply move the number bit by bit to the result? I have…
if (X < 0 && Y < 0)
return Result >= 0;
return false;
}
/// Subtract two signed integers, computing the two's complement truncated
/// result, returning true if an overflow ocurred.
template <typename T>
typename std::enable_if<std::is_signed<T>::value, T>::type
SubOverflow(T X, T Y, T &Result) {
// Perform the unsigned addition.
using U = typename std::make_unsigned<T>::type;
const U UX = static_cast<U>(X);
const U UY = static_cast<U>(Y);
const U UResult = UX - UY;
// Convert to signed.
Result = static_cast<T>(UResult);
// Subtracting a positive number from a negative results in a negative number.
if (X <= 0 && Y > 0)
return Result >= 0;
// Subtracting a negative number from a positive results in a positive number.
if (X >= 0 && Y < 0)
return Result <= 0;
return false;
}
/// Multiply two signed integers, computing the two's complement truncated
/// result, returning true if an overflow ocurred.
template <typename T>
typename std::enable_if<std::is_signed<T>::value, T>::type
MulOverflow(T X, T Y, T &Result) {
// Perform the unsigned multiplication on absolute values.
using U = typename std::make_unsigned<T>::type;
const U UX = X < 0 ? (0 - static_cast<U>(X)) : static_cast<U>(X);
const U UY = Y < 0 ? (0 - static_cast<U>(Y)) : static_cast<U>(Y);
const U UResult = UX * UY;
// Convert to signed.
const bool IsNegative = (X < 0) ^ (Y < 0);
Result = IsNegative ? (0 - UResult) : UResult;
// If any of the args was 0, result is 0 and no overflow occurs.
if (UX == 0 || UY == 0)
return false;
// UX and UY are in [1, 2^n], where n is the number of digits.
// Check how the max allowed absolute value (2^n for negative, 2^(n-1) for
// positive) divided by an argument compares to the other.
if (IsNegative)
return UX > (static_cast<U>(std::numeric_limits<T>::max()) + U(1)) / UY;
else
return UX > (static_cast<U>(std::numeric_limits<T>::max())) / UY;
}
} // End llvm namespace } // End llvm namespace
#endif #endif
Context not available.

llvm/unittests/Support/MathExtrasTest.cpp

Context not available.
EXPECT_FALSE((isShiftedInt<6, 10>(int64_t(1) << 15))); EXPECT_FALSE((isShiftedInt<6, 10>(int64_t(1) << 15)));
} }
template <typename T>
class OverflowTest : public ::testing::Test { };
using OverflowTestTypes = ::testing::Types<signed char, short, int, long,
jfbUnsubmitted
Done
ReplyInline Actions

You probably want signed char instead of char.

jfb: You probably want `signed char` instead of `char`.
long long>;
TYPED_TEST_CASE(OverflowTest, OverflowTestTypes);
TYPED_TEST(OverflowTest, AddNoOverflow) {
TypeParam Result;
EXPECT_FALSE(AddOverflow<TypeParam>(1, 2, Result));
EXPECT_EQ(Result, TypeParam(3));
}
TYPED_TEST(OverflowTest, AddOverflowToNegative) {
TypeParam Result;
auto MaxValue = std::numeric_limits<TypeParam>::max();
EXPECT_TRUE(AddOverflow<TypeParam>(MaxValue, MaxValue, Result));
EXPECT_EQ(Result, TypeParam(-2));
}
TYPED_TEST(OverflowTest, AddOverflowToMin) {
TypeParam Result;
auto MaxValue = std::numeric_limits<TypeParam>::max();
EXPECT_TRUE(AddOverflow<TypeParam>(MaxValue, TypeParam(1), Result));
EXPECT_EQ(Result, std::numeric_limits<TypeParam>::min());
}
TYPED_TEST(OverflowTest, AddOverflowToZero) {
TypeParam Result;
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_TRUE(AddOverflow<TypeParam>(MinValue, MinValue, Result));
EXPECT_EQ(Result, TypeParam(0));
}
TYPED_TEST(OverflowTest, AddOverflowToMax) {
TypeParam Result;
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_TRUE(AddOverflow<TypeParam>(MinValue, TypeParam(-1), Result));
EXPECT_EQ(Result, std::numeric_limits<TypeParam>::max());
}
TYPED_TEST(OverflowTest, SubNoOverflow) {
TypeParam Result;
EXPECT_FALSE(SubOverflow<TypeParam>(1, 2, Result));
EXPECT_EQ(Result, TypeParam(-1));
}
TYPED_TEST(OverflowTest, SubOverflowToMax) {
TypeParam Result;
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_TRUE(SubOverflow<TypeParam>(0, MinValue, Result));
EXPECT_EQ(Result, MinValue);
}
TYPED_TEST(OverflowTest, SubOverflowToMin) {
TypeParam Result;
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_TRUE(SubOverflow<TypeParam>(0, MinValue, Result));
EXPECT_EQ(Result, MinValue);
}
TYPED_TEST(OverflowTest, SubOverflowToNegative) {
TypeParam Result;
auto MaxValue = std::numeric_limits<TypeParam>::max();
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_TRUE(SubOverflow<TypeParam>(MaxValue, MinValue, Result));
EXPECT_EQ(Result, TypeParam(-1));
}
TYPED_TEST(OverflowTest, SubOverflowToPositive) {
TypeParam Result;
auto MaxValue = std::numeric_limits<TypeParam>::max();
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_TRUE(SubOverflow<TypeParam>(MinValue, MaxValue, Result));
EXPECT_EQ(Result, TypeParam(1));
}
TYPED_TEST(OverflowTest, MulNoOverflow) {
TypeParam Result;
EXPECT_FALSE(MulOverflow<TypeParam>(1, 2, Result));
EXPECT_EQ(Result, 2);
EXPECT_FALSE(MulOverflow<TypeParam>(-1, 3, Result));
EXPECT_EQ(Result, -3);
EXPECT_FALSE(MulOverflow<TypeParam>(4, -2, Result));
EXPECT_EQ(Result, -8);
EXPECT_FALSE(MulOverflow<TypeParam>(-6, -5, Result));
EXPECT_EQ(Result, 30);
}
TYPED_TEST(OverflowTest, MulNoOverflowToMax) {
TypeParam Result;
auto MaxValue = std::numeric_limits<TypeParam>::max();
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_FALSE(MulOverflow<TypeParam>(MinValue + 1, -1, Result));
EXPECT_EQ(Result, MaxValue);
}
TYPED_TEST(OverflowTest, MulOverflowToMin) {
TypeParam Result;
auto MinValue = std::numeric_limits<TypeParam>::min();
EXPECT_TRUE(MulOverflow<TypeParam>(MinValue, -1, Result));
EXPECT_EQ(Result, MinValue);
}
TYPED_TEST(OverflowTest, MulOverflowMax) {
TypeParam Result;
auto MinValue = std::numeric_limits<TypeParam>::min();
auto MaxValue = std::numeric_limits<TypeParam>::max();
EXPECT_TRUE(MulOverflow<TypeParam>(MinValue, MinValue, Result));
EXPECT_EQ(Result, 0);
EXPECT_TRUE(MulOverflow<TypeParam>(MaxValue, MaxValue, Result));
EXPECT_EQ(Result, 1);
}
TYPED_TEST(OverflowTest, MulResultZero) {
TypeParam Result;
EXPECT_FALSE(MulOverflow<TypeParam>(4, 0, Result));
EXPECT_EQ(Result, TypeParam(0));
EXPECT_FALSE(MulOverflow<TypeParam>(-5, 0, Result));
EXPECT_EQ(Result, TypeParam(0));
EXPECT_FALSE(MulOverflow<TypeParam>(0, 5, Result));
EXPECT_EQ(Result, TypeParam(0));
EXPECT_FALSE(MulOverflow<TypeParam>(0, -5, Result));
EXPECT_EQ(Result, TypeParam(0));
}
} // namespace } // namespace
Context not available.