[mirror_lxc.git] / src / lxc / compiler.h

/* SPDX-License-Identifier: LGPL-2.1+ */

#ifndef __LXC_COMPILER_H
#define __LXC_COMPILER_H

#include "config.h"

#include <stdbool.h>
#include <linux/types.h>

#ifndef thread_local
#if __STDC_VERSION__ >= 201112L &&    \
    !(defined(__STDC_NO_THREADS__) || \
      (defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
#define thread_local _Thread_local
#else
#define thread_local __thread
#endif
#endif

#if __GNUC__ >= 7
#define __fallthrough __attribute__((__fallthrough__))
#else
#define __fallthrough /* fall through */
#endif

#if defined(__GNUC__) && !defined(__clang__)
	#if GCC_VERSION >= 50100
	#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
	#endif
#endif

#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
#define __must_check __attribute__((__warn_unused_result__))

static inline bool __must_check __must_check_overflow(bool overflow)
{
	return unlikely(overflow);
}

#define is_signed_type(type)       (((type)(-1)) < (type)1)
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
#define type_min(T) ((T)((T)-type_max(T)-(T)1))

/*
 * Avoids triggering -Wtype-limits compilation warning,
 * while using unsigned data types to check a < 0.
 */
#define is_non_negative(a) ((a) > 0 || (a) == 0)
#define is_negative(a) (!(is_non_negative(a)))

#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
/*
 * For simplicity and code hygiene, the fallback code below insists on
 * a, b and *d having the same type (similar to the min() and max()
 * macros), whereas gcc's type-generic overflow checkers accept
 * different types. Hence we don't just make check_add_overflow an
 * alias for __builtin_add_overflow, but add type checks similar to
 * below.
 */
#define check_add_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_add_overflow(__a, __b, __d);	\
}))

#define check_sub_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_sub_overflow(__a, __b, __d);	\
}))

#define check_mul_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_mul_overflow(__a, __b, __d);	\
}))
#else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */

/* Checking for unsigned overflow is relatively easy without causing UB. */
#define __unsigned_add_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = __a + __b;			\
	*__d < __a;				\
})
#define __unsigned_sub_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = __a - __b;			\
	__a < __b;				\
})

/*
 * If one of a or b is a compile-time constant, this avoids a division.
 */
#define __unsigned_mul_overflow(a, b, d) ({		\
	typeof(a) __a = (a);				\
	typeof(b) __b = (b);				\
	typeof(d) __d = (d);				\
	(void) (&__a == &__b);				\
	(void) (&__a == __d);				\
	*__d = __a * __b;				\
	__builtin_constant_p(__b) ?			\
	  __b > 0 && __a > type_max(typeof(__a)) / __b : \
	  __a > 0 && __b > type_max(typeof(__b)) / __a;	 \
})

/*
 * For signed types, detecting overflow is much harder, especially if
 * we want to avoid UB. But the interface of these macros is such that
 * we must provide a result in *d, and in fact we must produce the
 * result promised by gcc's builtins, which is simply the possibly
 * wrapped-around value. Fortunately, we can just formally do the
 * operations in the widest relevant unsigned type (u64) and then
 * truncate the result - gcc is smart enough to generate the same code
 * with and without the (u64) casts.
 */

/*
 * Adding two signed integers can overflow only if they have the same
 * sign, and overflow has happened iff the result has the opposite
 * sign.
 */
#define __signed_add_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = (__u64)__a + (__u64)__b;		\
	(((~(__a ^ __b)) & (*__d ^ __a))	\
		& type_min(typeof(__a))) != 0;	\
})

/*
 * Subtraction is similar, except that overflow can now happen only
 * when the signs are opposite. In this case, overflow has happened if
 * the result has the opposite sign of a.
 */
#define __signed_sub_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = (__u64)__a - (__u64)__b;		\
	((((__a ^ __b)) & (*__d ^ __a))		\
		& type_min(typeof(__a))) != 0;	\
})

/*
 * Signed multiplication is rather hard. gcc always follows C99, so
 * division is truncated towards 0. This means that we can write the
 * overflow check like this:
 *
 * (a > 0 && (b > MAX/a || b < MIN/a)) ||
 * (a < -1 && (b > MIN/a || b < MAX/a) ||
 * (a == -1 && b == MIN)
 *
 * The redundant casts of -1 are to silence an annoying -Wtype-limits
 * (included in -Wextra) warning: When the type is u8 or u16, the
 * __b_c_e in check_mul_overflow obviously selects
 * __unsigned_mul_overflow, but unfortunately gcc still parses this
 * code and warns about the limited range of __b.
 */

#define __signed_mul_overflow(a, b, d) ({				\
	typeof(a) __a = (a);						\
	typeof(b) __b = (b);						\
	typeof(d) __d = (d);						\
	typeof(a) __tmax = type_max(typeof(a));				\
	typeof(a) __tmin = type_min(typeof(a));				\
	(void) (&__a == &__b);						\
	(void) (&__a == __d);						\
	*__d = (__u64)__a * (__u64)__b;					\
	(__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||	\
	(__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
	(__b == (typeof(__b))-1 && __a == __tmin);			\
})


#define check_add_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_add_overflow(a, b, d),			\
			__unsigned_add_overflow(a, b, d)))

#define check_sub_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_sub_overflow(a, b, d),			\
			__unsigned_sub_overflow(a, b, d)))

#define check_mul_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_mul_overflow(a, b, d),			\
			__unsigned_mul_overflow(a, b, d)))

#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */

#ifndef __noreturn
#	if __STDC_VERSION__ >= 201112L
#		if !IS_BIONIC
#			define __noreturn _Noreturn
#		else
#			define __noreturn __attribute__((__noreturn__))
#		endif
#	elif IS_BIONIC
#		define __noreturn __attribute__((__noreturn__))
#	else
#		define __noreturn __attribute__((noreturn))
#	endif
#endif

#ifndef __hot
#	define __hot __attribute__((hot))
#endif

#ifndef __returns_twice
#define __returns_twice __attribute__((returns_twice))
#endif

/* This attribute is required to silence clang warnings */
#if defined(__GNUC__)
#define __lxc_unused __attribute__ ((unused))
#else
#define __lxc_unused
#endif

/* Indicates taking ownership */
#define __owns

#define __cgfsng_ops

/* access attribute */
#define __access_r_nosize(x)
#define __access_r(x, y)
#define __access_w(x, y)
#define __access_rw(x, y)

#ifdef __has_attribute
#if __has_attribute(access)
#undef __access_r
#define __access_r(x, y) __attribute__((access(read_only, x, y)))

#undef __access_r_nosize
#define __access_r_nosize(x) __attribute__((access(read_only, x)))

#undef __access_w
#define __access_w(x, y) __attribute__((access(write_only, x, y)))

#undef __access_rw
#define __access_rw(x, y) __attribute__((access(read_write, x, y)))
#endif
#endif

#ifndef __hidden
#define __hidden __attribute__((visibility("hidden")))
#endif

#ifndef __public
#define __public __attribute__((visibility("default")))
#endif

/* Are two types/vars the same type (ignoring qualifiers)? */
#define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))

#define __compiletime_assert(condition, msg, prefix, suffix) \
	do {                                                 \
	} while (0)

#define _compiletime_assert(condition, msg, prefix, suffix) \
	__compiletime_assert(condition, msg, prefix, suffix)

/**
 * compiletime_assert - break build and emit msg if condition is false
 * @condition: a compile-time constant condition to check
 * @msg:       a message to emit if condition is false
 *
 * In tradition of POSIX assert, this macro will break the build if the
 * supplied condition is *false*, emitting the supplied error message if the
 * compiler has support to do so.
 */
#define compiletime_assert(condition, msg) \
	_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)

/**
 * BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied
 *		      error message.
 * @condition: the condition which the compiler should know is false.
 *
 * See BUILD_BUG_ON for description.
 */
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)

#endif /* __LXC_COMPILER_H */
Commit	Line	Data
cc73685d	1	/* SPDX-License-Identifier: LGPL-2.1+ */
d7f19646 CB	2
	3	#ifndef __LXC_COMPILER_H
	4	#define __LXC_COMPILER_H
	5
1160ce89	6	#include "config.h"
d17947f8	7
4c5479d2 CB	8	#include <stdbool.h>
	9	#include <linux/types.h>
	10
44843972 CB	11	#ifndef thread_local
	12	#if __STDC_VERSION__ >= 201112L && \
	13	!(defined(__STDC_NO_THREADS__) \|\| \
	14	(defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
	15	#define thread_local _Thread_local
d7f19646	16	#else
44843972 CB	17	#define thread_local __thread
44843972 CB	18	#endif
d7f19646 CB	19	#endif
d7f19646 CB	20
fd1cf1b1 CB	21	#if __GNUC__ >= 7
	22	#define __fallthrough __attribute__((__fallthrough__))
	23	#else
c73fbad1	24	#define __fallthrough /* fall through */
cf0fd972 CB	25	#endif
cf0fd972 CB	26
4c5479d2 CB	27	#if defined(__GNUC__) && !defined(__clang__)
	28	#if GCC_VERSION >= 50100
	29	#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
	30	#endif
	31	#endif
	32
	33	#define likely(x) __builtin_expect(!!(x), 1)
	34	#define unlikely(x) __builtin_expect(!!(x), 0)
	35	#define __must_check __attribute__((__warn_unused_result__))
	36
	37	static inline bool __must_check __must_check_overflow(bool overflow)
	38	{
	39	return unlikely(overflow);
	40	}
	41
	42	#define is_signed_type(type) (((type)(-1)) < (type)1)
	43	#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
	44	#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
	45	#define type_min(T) ((T)((T)-type_max(T)-(T)1))
	46
	47	/*
	48	* Avoids triggering -Wtype-limits compilation warning,
	49	* while using unsigned data types to check a < 0.
	50	*/
	51	#define is_non_negative(a) ((a) > 0 \|\| (a) == 0)
	52	#define is_negative(a) (!(is_non_negative(a)))
	53
	54	#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
	55	/*
	56	* For simplicity and code hygiene, the fallback code below insists on
	57	* a, b and *d having the same type (similar to the min() and max()
	58	* macros), whereas gcc's type-generic overflow checkers accept
	59	* different types. Hence we don't just make check_add_overflow an
	60	* alias for __builtin_add_overflow, but add type checks similar to
	61	* below.
	62	*/
	63	#define check_add_overflow(a, b, d) __must_check_overflow(({ \
	64	typeof(a) __a = (a); \
	65	typeof(b) __b = (b); \
	66	typeof(d) __d = (d); \
	67	(void) (&__a == &__b); \
	68	(void) (&__a == __d); \
	69	__builtin_add_overflow(__a, __b, __d); \
	70	}))
	71
	72	#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
	73	typeof(a) __a = (a); \
	74	typeof(b) __b = (b); \
	75	typeof(d) __d = (d); \
	76	(void) (&__a == &__b); \
	77	(void) (&__a == __d); \
	78	__builtin_sub_overflow(__a, __b, __d); \
	79	}))
	80
	81	#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
	82	typeof(a) __a = (a); \
	83	typeof(b) __b = (b); \
	84	typeof(d) __d = (d); \
	85	(void) (&__a == &__b); \
	86	(void) (&__a == __d); \
	87	__builtin_mul_overflow(__a, __b, __d); \
	88	}))
	89	#else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
	90
91	/* Checking for unsigned overflow is relatively easy without causing UB. */
92	#define __unsigned_add_overflow(a, b, d) ({ \
93	typeof(a) __a = (a); \
94	typeof(b) __b = (b); \
95	typeof(d) __d = (d); \
96	(void) (&__a == &__b); \
97	(void) (&__a == __d); \
98	*__d = __a + __b; \
99	*__d < __a; \
100	})
101	#define __unsigned_sub_overflow(a, b, d) ({ \
102	typeof(a) __a = (a); \
103	typeof(b) __b = (b); \
104	typeof(d) __d = (d); \
105	(void) (&__a == &__b); \
106	(void) (&__a == __d); \
107	*__d = __a - __b; \
108	__a < __b; \
109	})
110
111	/*
112	* If one of a or b is a compile-time constant, this avoids a division.
113	*/
114	#define __unsigned_mul_overflow(a, b, d) ({ \
115	typeof(a) __a = (a); \
116	typeof(b) __b = (b); \
117	typeof(d) __d = (d); \
118	(void) (&__a == &__b); \
119	(void) (&__a == __d); \
120	__d = __a __b; \
121	__builtin_constant_p(__b) ? \
122	__b > 0 && __a > type_max(typeof(__a)) / __b : \
123	__a > 0 && __b > type_max(typeof(__b)) / __a; \
124	})
125
126	/*
127	* For signed types, detecting overflow is much harder, especially if
128	* we want to avoid UB. But the interface of these macros is such that
129	* we must provide a result in *d, and in fact we must produce the
130	* result promised by gcc's builtins, which is simply the possibly
131	* wrapped-around value. Fortunately, we can just formally do the
132	* operations in the widest relevant unsigned type (u64) and then
133	* truncate the result - gcc is smart enough to generate the same code
134	* with and without the (u64) casts.
135	*/
136
137	/*
138	* Adding two signed integers can overflow only if they have the same
139	* sign, and overflow has happened iff the result has the opposite
140	* sign.
141	*/
142	#define __signed_add_overflow(a, b, d) ({ \
143	typeof(a) __a = (a); \
144	typeof(b) __b = (b); \
145	typeof(d) __d = (d); \
146	(void) (&__a == &__b); \
147	(void) (&__a == __d); \
148	*__d = (__u64)__a + (__u64)__b; \
149	(((~(__a ^ __b)) & (*__d ^ __a)) \
150	& type_min(typeof(__a))) != 0; \
151	})
152
153	/*
154	* Subtraction is similar, except that overflow can now happen only
155	* when the signs are opposite. In this case, overflow has happened if
156	* the result has the opposite sign of a.
157	*/
158	#define __signed_sub_overflow(a, b, d) ({ \
159	typeof(a) __a = (a); \
160	typeof(b) __b = (b); \
161	typeof(d) __d = (d); \
162	(void) (&__a == &__b); \
163	(void) (&__a == __d); \
164	*__d = (__u64)__a - (__u64)__b; \
165	((((__a ^ __b)) & (*__d ^ __a)) \
166	& type_min(typeof(__a))) != 0; \
167	})
168
169	/*
170	* Signed multiplication is rather hard. gcc always follows C99, so
171	* division is truncated towards 0. This means that we can write the
172	* overflow check like this:
173	*
174	* (a > 0 && (b > MAX/a \|\| b < MIN/a)) \|\|
175	* (a < -1 && (b > MIN/a \|\| b < MAX/a) \|\|
176	* (a == -1 && b == MIN)
177	*
178	* The redundant casts of -1 are to silence an annoying -Wtype-limits
179	* (included in -Wextra) warning: When the type is u8 or u16, the
180	* __b_c_e in check_mul_overflow obviously selects
181	* __unsigned_mul_overflow, but unfortunately gcc still parses this
182	* code and warns about the limited range of __b.
183	*/
184
185	#define __signed_mul_overflow(a, b, d) ({ \
186	typeof(a) __a = (a); \
187	typeof(b) __b = (b); \
188	typeof(d) __d = (d); \
189	typeof(a) __tmax = type_max(typeof(a)); \
190	typeof(a) __tmin = type_min(typeof(a)); \
191	(void) (&__a == &__b); \
192	(void) (&__a == __d); \
193	__d = (__u64)__a (__u64)__b; \
194	(__b > 0 && (__a > __tmax/__b \|\| __a < __tmin/__b)) \|\| \
195	(__b < (typeof(__b))-1 && (__a > __tmin/__b \|\| __a < __tmax/__b)) \|\| \
196	(__b == (typeof(__b))-1 && __a == __tmin); \
197	})
198
199
200	#define check_add_overflow(a, b, d) __must_check_overflow( \
201	__builtin_choose_expr(is_signed_type(typeof(a)), \
202	__signed_add_overflow(a, b, d), \
203	__unsigned_add_overflow(a, b, d)))
204
205	#define check_sub_overflow(a, b, d) __must_check_overflow( \
206	__builtin_choose_expr(is_signed_type(typeof(a)), \
207	__signed_sub_overflow(a, b, d), \
208	__unsigned_sub_overflow(a, b, d)))
209
210	#define check_mul_overflow(a, b, d) __must_check_overflow( \
211	__builtin_choose_expr(is_signed_type(typeof(a)), \
212	__signed_mul_overflow(a, b, d), \
213	__unsigned_mul_overflow(a, b, d)))
214
215	#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
216
d17947f8 CB	217	#ifndef __noreturn
	218	# if __STDC_VERSION__ >= 201112L
	219	# if !IS_BIONIC
	220	# define __noreturn _Noreturn
	221	# else
	222	# define __noreturn __attribute__((__noreturn__))
	223	# endif
	224	# elif IS_BIONIC
	225	# define __noreturn __attribute__((__noreturn__))
	226	# else
	227	# define __noreturn __attribute__((noreturn))
	228	# endif
cf0fd972 CB	229	#endif
cf0fd972 CB	230
afeec9b7 CB	231	#ifndef __hot
	232	# define __hot __attribute__((hot))
	233	#endif
	234
633cb8be CB	235	#ifndef __returns_twice
	236	#define __returns_twice __attribute__((returns_twice))
	237	#endif
	238
1a080cd7 CB	239	/* This attribute is required to silence clang warnings */
1a080cd7 CB	240	#if defined(__GNUC__)
53675a8d	241	#define __lxc_unused __attribute__ ((unused))
1a080cd7	242	#else
53675a8d	243	#define __lxc_unused
1a080cd7 CB	244	#endif
1a080cd7 CB	245
ebbca852 MH	246	/* Indicates taking ownership */
	247	#define __owns
	248
b857f4be CB	249	#define __cgfsng_ops
b857f4be CB	250
674c9692	251	/* access attribute */
3d971319	252	#define __access_r_nosize(x)
674c9692 CB	253	#define __access_r(x, y)
	254	#define __access_w(x, y)
	255	#define __access_rw(x, y)
	256
	257	#ifdef __has_attribute
	258	#if __has_attribute(access)
	259	#undef __access_r
	260	#define __access_r(x, y) __attribute__((access(read_only, x, y)))
	261
3d971319 CB	262	#undef __access_r_nosize
	263	#define __access_r_nosize(x) __attribute__((access(read_only, x)))
	264
674c9692 CB	265	#undef __access_w
	266	#define __access_w(x, y) __attribute__((access(write_only, x, y)))
	267
	268	#undef __access_rw
	269	#define __access_rw(x, y) __attribute__((access(read_write, x, y)))
	270	#endif
	271	#endif
	272
6822ba9b CB	273	#ifndef __hidden
	274	#define __hidden __attribute__((visibility("hidden")))
	275	#endif
	276
a7692df5 CB	277	#ifndef __public
	278	#define __public __attribute__((visibility("default")))
	279	#endif
	280
4780b5e7 CB	281	/* Are two types/vars the same type (ignoring qualifiers)? */
	282	#define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
	283
	284	#define __compiletime_assert(condition, msg, prefix, suffix) \
	285	do { \
	286	} while (0)
	287
	288	#define _compiletime_assert(condition, msg, prefix, suffix) \
	289	__compiletime_assert(condition, msg, prefix, suffix)
	290
	291	/**
	292	* compiletime_assert - break build and emit msg if condition is false
	293	* @condition: a compile-time constant condition to check
	294	* @msg: a message to emit if condition is false
	295	*
	296	* In tradition of POSIX assert, this macro will break the build if the
	297	* supplied condition is false, emitting the supplied error message if the
	298	* compiler has support to do so.
	299	*/
	300	#define compiletime_assert(condition, msg) \
	301	_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
	302
	303	/**
	304	* BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied
	305	* error message.
	306	* @condition: the condition which the compiler should know is false.
	307	*
	308	* See BUILD_BUG_ON for description.
	309	*/
	310	#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
	311
d7f19646	312	#endif /* __LXC_COMPILER_H */