]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
d7f19646 CB |
2 | |
3 | #ifndef __LXC_COMPILER_H | |
4 | #define __LXC_COMPILER_H | |
5 | ||
1160ce89 | 6 | #include "config.h" |
d17947f8 | 7 | |
4c5479d2 CB |
8 | #include <stdbool.h> |
9 | #include <linux/types.h> | |
10 | ||
44843972 CB |
11 | #ifndef thread_local |
12 | #if __STDC_VERSION__ >= 201112L && \ | |
13 | !(defined(__STDC_NO_THREADS__) || \ | |
14 | (defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16)) | |
15 | #define thread_local _Thread_local | |
d7f19646 | 16 | #else |
44843972 CB |
17 | #define thread_local __thread |
18 | #endif | |
d7f19646 CB |
19 | #endif |
20 | ||
fd1cf1b1 CB |
21 | #if __GNUC__ >= 7 |
22 | #define __fallthrough __attribute__((__fallthrough__)) | |
23 | #else | |
c73fbad1 | 24 | #define __fallthrough /* fall through */ |
cf0fd972 CB |
25 | #endif |
26 | ||
4c5479d2 CB |
27 | #if defined(__GNUC__) && !defined(__clang__) |
28 | #if GCC_VERSION >= 50100 | |
29 | #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 | |
30 | #endif | |
31 | #endif | |
32 | ||
33 | #define likely(x) __builtin_expect(!!(x), 1) | |
34 | #define unlikely(x) __builtin_expect(!!(x), 0) | |
35 | #define __must_check __attribute__((__warn_unused_result__)) | |
36 | ||
37 | static inline bool __must_check __must_check_overflow(bool overflow) | |
38 | { | |
39 | return unlikely(overflow); | |
40 | } | |
41 | ||
42 | #define is_signed_type(type) (((type)(-1)) < (type)1) | |
43 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type))) | |
44 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) | |
45 | #define type_min(T) ((T)((T)-type_max(T)-(T)1)) | |
46 | ||
47 | /* | |
48 | * Avoids triggering -Wtype-limits compilation warning, | |
49 | * while using unsigned data types to check a < 0. | |
50 | */ | |
51 | #define is_non_negative(a) ((a) > 0 || (a) == 0) | |
52 | #define is_negative(a) (!(is_non_negative(a))) | |
53 | ||
54 | #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW | |
55 | /* | |
56 | * For simplicity and code hygiene, the fallback code below insists on | |
57 | * a, b and *d having the same type (similar to the min() and max() | |
58 | * macros), whereas gcc's type-generic overflow checkers accept | |
59 | * different types. Hence we don't just make check_add_overflow an | |
60 | * alias for __builtin_add_overflow, but add type checks similar to | |
61 | * below. | |
62 | */ | |
63 | #define check_add_overflow(a, b, d) __must_check_overflow(({ \ | |
64 | typeof(a) __a = (a); \ | |
65 | typeof(b) __b = (b); \ | |
66 | typeof(d) __d = (d); \ | |
67 | (void) (&__a == &__b); \ | |
68 | (void) (&__a == __d); \ | |
69 | __builtin_add_overflow(__a, __b, __d); \ | |
70 | })) | |
71 | ||
72 | #define check_sub_overflow(a, b, d) __must_check_overflow(({ \ | |
73 | typeof(a) __a = (a); \ | |
74 | typeof(b) __b = (b); \ | |
75 | typeof(d) __d = (d); \ | |
76 | (void) (&__a == &__b); \ | |
77 | (void) (&__a == __d); \ | |
78 | __builtin_sub_overflow(__a, __b, __d); \ | |
79 | })) | |
80 | ||
81 | #define check_mul_overflow(a, b, d) __must_check_overflow(({ \ | |
82 | typeof(a) __a = (a); \ | |
83 | typeof(b) __b = (b); \ | |
84 | typeof(d) __d = (d); \ | |
85 | (void) (&__a == &__b); \ | |
86 | (void) (&__a == __d); \ | |
87 | __builtin_mul_overflow(__a, __b, __d); \ | |
88 | })) | |
89 | #else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ | |
90 | ||
91 | /* Checking for unsigned overflow is relatively easy without causing UB. */ | |
92 | #define __unsigned_add_overflow(a, b, d) ({ \ | |
93 | typeof(a) __a = (a); \ | |
94 | typeof(b) __b = (b); \ | |
95 | typeof(d) __d = (d); \ | |
96 | (void) (&__a == &__b); \ | |
97 | (void) (&__a == __d); \ | |
98 | *__d = __a + __b; \ | |
99 | *__d < __a; \ | |
100 | }) | |
101 | #define __unsigned_sub_overflow(a, b, d) ({ \ | |
102 | typeof(a) __a = (a); \ | |
103 | typeof(b) __b = (b); \ | |
104 | typeof(d) __d = (d); \ | |
105 | (void) (&__a == &__b); \ | |
106 | (void) (&__a == __d); \ | |
107 | *__d = __a - __b; \ | |
108 | __a < __b; \ | |
109 | }) | |
110 | ||
111 | /* | |
112 | * If one of a or b is a compile-time constant, this avoids a division. | |
113 | */ | |
114 | #define __unsigned_mul_overflow(a, b, d) ({ \ | |
115 | typeof(a) __a = (a); \ | |
116 | typeof(b) __b = (b); \ | |
117 | typeof(d) __d = (d); \ | |
118 | (void) (&__a == &__b); \ | |
119 | (void) (&__a == __d); \ | |
120 | *__d = __a * __b; \ | |
121 | __builtin_constant_p(__b) ? \ | |
122 | __b > 0 && __a > type_max(typeof(__a)) / __b : \ | |
123 | __a > 0 && __b > type_max(typeof(__b)) / __a; \ | |
124 | }) | |
125 | ||
126 | /* | |
127 | * For signed types, detecting overflow is much harder, especially if | |
128 | * we want to avoid UB. But the interface of these macros is such that | |
129 | * we must provide a result in *d, and in fact we must produce the | |
130 | * result promised by gcc's builtins, which is simply the possibly | |
131 | * wrapped-around value. Fortunately, we can just formally do the | |
132 | * operations in the widest relevant unsigned type (u64) and then | |
133 | * truncate the result - gcc is smart enough to generate the same code | |
134 | * with and without the (u64) casts. | |
135 | */ | |
136 | ||
137 | /* | |
138 | * Adding two signed integers can overflow only if they have the same | |
139 | * sign, and overflow has happened iff the result has the opposite | |
140 | * sign. | |
141 | */ | |
142 | #define __signed_add_overflow(a, b, d) ({ \ | |
143 | typeof(a) __a = (a); \ | |
144 | typeof(b) __b = (b); \ | |
145 | typeof(d) __d = (d); \ | |
146 | (void) (&__a == &__b); \ | |
147 | (void) (&__a == __d); \ | |
148 | *__d = (__u64)__a + (__u64)__b; \ | |
149 | (((~(__a ^ __b)) & (*__d ^ __a)) \ | |
150 | & type_min(typeof(__a))) != 0; \ | |
151 | }) | |
152 | ||
153 | /* | |
154 | * Subtraction is similar, except that overflow can now happen only | |
155 | * when the signs are opposite. In this case, overflow has happened if | |
156 | * the result has the opposite sign of a. | |
157 | */ | |
158 | #define __signed_sub_overflow(a, b, d) ({ \ | |
159 | typeof(a) __a = (a); \ | |
160 | typeof(b) __b = (b); \ | |
161 | typeof(d) __d = (d); \ | |
162 | (void) (&__a == &__b); \ | |
163 | (void) (&__a == __d); \ | |
164 | *__d = (__u64)__a - (__u64)__b; \ | |
165 | ((((__a ^ __b)) & (*__d ^ __a)) \ | |
166 | & type_min(typeof(__a))) != 0; \ | |
167 | }) | |
168 | ||
169 | /* | |
170 | * Signed multiplication is rather hard. gcc always follows C99, so | |
171 | * division is truncated towards 0. This means that we can write the | |
172 | * overflow check like this: | |
173 | * | |
174 | * (a > 0 && (b > MAX/a || b < MIN/a)) || | |
175 | * (a < -1 && (b > MIN/a || b < MAX/a) || | |
176 | * (a == -1 && b == MIN) | |
177 | * | |
178 | * The redundant casts of -1 are to silence an annoying -Wtype-limits | |
179 | * (included in -Wextra) warning: When the type is u8 or u16, the | |
180 | * __b_c_e in check_mul_overflow obviously selects | |
181 | * __unsigned_mul_overflow, but unfortunately gcc still parses this | |
182 | * code and warns about the limited range of __b. | |
183 | */ | |
184 | ||
185 | #define __signed_mul_overflow(a, b, d) ({ \ | |
186 | typeof(a) __a = (a); \ | |
187 | typeof(b) __b = (b); \ | |
188 | typeof(d) __d = (d); \ | |
189 | typeof(a) __tmax = type_max(typeof(a)); \ | |
190 | typeof(a) __tmin = type_min(typeof(a)); \ | |
191 | (void) (&__a == &__b); \ | |
192 | (void) (&__a == __d); \ | |
193 | *__d = (__u64)__a * (__u64)__b; \ | |
194 | (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ | |
195 | (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ | |
196 | (__b == (typeof(__b))-1 && __a == __tmin); \ | |
197 | }) | |
198 | ||
199 | ||
200 | #define check_add_overflow(a, b, d) __must_check_overflow( \ | |
201 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | |
202 | __signed_add_overflow(a, b, d), \ | |
203 | __unsigned_add_overflow(a, b, d))) | |
204 | ||
205 | #define check_sub_overflow(a, b, d) __must_check_overflow( \ | |
206 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | |
207 | __signed_sub_overflow(a, b, d), \ | |
208 | __unsigned_sub_overflow(a, b, d))) | |
209 | ||
210 | #define check_mul_overflow(a, b, d) __must_check_overflow( \ | |
211 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | |
212 | __signed_mul_overflow(a, b, d), \ | |
213 | __unsigned_mul_overflow(a, b, d))) | |
214 | ||
215 | #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ | |
216 | ||
d17947f8 CB |
217 | #ifndef __noreturn |
218 | # if __STDC_VERSION__ >= 201112L | |
219 | # if !IS_BIONIC | |
220 | # define __noreturn _Noreturn | |
221 | # else | |
222 | # define __noreturn __attribute__((__noreturn__)) | |
223 | # endif | |
224 | # elif IS_BIONIC | |
225 | # define __noreturn __attribute__((__noreturn__)) | |
226 | # else | |
227 | # define __noreturn __attribute__((noreturn)) | |
228 | # endif | |
cf0fd972 CB |
229 | #endif |
230 | ||
afeec9b7 CB |
231 | #ifndef __hot |
232 | # define __hot __attribute__((hot)) | |
233 | #endif | |
234 | ||
633cb8be CB |
235 | #ifndef __returns_twice |
236 | #define __returns_twice __attribute__((returns_twice)) | |
237 | #endif | |
238 | ||
1a080cd7 CB |
239 | /* This attribute is required to silence clang warnings */ |
240 | #if defined(__GNUC__) | |
53675a8d | 241 | #define __lxc_unused __attribute__ ((unused)) |
1a080cd7 | 242 | #else |
53675a8d | 243 | #define __lxc_unused |
1a080cd7 CB |
244 | #endif |
245 | ||
ebbca852 MH |
246 | /* Indicates taking ownership */ |
247 | #define __owns | |
248 | ||
b857f4be CB |
249 | #define __cgfsng_ops |
250 | ||
674c9692 | 251 | /* access attribute */ |
3d971319 | 252 | #define __access_r_nosize(x) |
674c9692 CB |
253 | #define __access_r(x, y) |
254 | #define __access_w(x, y) | |
255 | #define __access_rw(x, y) | |
256 | ||
257 | #ifdef __has_attribute | |
258 | #if __has_attribute(access) | |
259 | #undef __access_r | |
260 | #define __access_r(x, y) __attribute__((access(read_only, x, y))) | |
261 | ||
3d971319 CB |
262 | #undef __access_r_nosize |
263 | #define __access_r_nosize(x) __attribute__((access(read_only, x))) | |
264 | ||
674c9692 CB |
265 | #undef __access_w |
266 | #define __access_w(x, y) __attribute__((access(write_only, x, y))) | |
267 | ||
268 | #undef __access_rw | |
269 | #define __access_rw(x, y) __attribute__((access(read_write, x, y))) | |
270 | #endif | |
271 | #endif | |
272 | ||
6822ba9b CB |
273 | #ifndef __hidden |
274 | #define __hidden __attribute__((visibility("hidden"))) | |
275 | #endif | |
276 | ||
a7692df5 CB |
277 | #ifndef __public |
278 | #define __public __attribute__((visibility("default"))) | |
279 | #endif | |
280 | ||
4780b5e7 CB |
281 | /* Are two types/vars the same type (ignoring qualifiers)? */ |
282 | #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) | |
283 | ||
284 | #define __compiletime_assert(condition, msg, prefix, suffix) \ | |
285 | do { \ | |
286 | } while (0) | |
287 | ||
288 | #define _compiletime_assert(condition, msg, prefix, suffix) \ | |
289 | __compiletime_assert(condition, msg, prefix, suffix) | |
290 | ||
291 | /** | |
292 | * compiletime_assert - break build and emit msg if condition is false | |
293 | * @condition: a compile-time constant condition to check | |
294 | * @msg: a message to emit if condition is false | |
295 | * | |
296 | * In tradition of POSIX assert, this macro will break the build if the | |
297 | * supplied condition is *false*, emitting the supplied error message if the | |
298 | * compiler has support to do so. | |
299 | */ | |
300 | #define compiletime_assert(condition, msg) \ | |
301 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | |
302 | ||
303 | /** | |
304 | * BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied | |
305 | * error message. | |
306 | * @condition: the condition which the compiler should know is false. | |
307 | * | |
308 | * See BUILD_BUG_ON for description. | |
309 | */ | |
310 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) | |
311 | ||
d7f19646 | 312 | #endif /* __LXC_COMPILER_H */ |