[mirror_lxc.git] / src / lxc / compiler.h

/* SPDX-License-Identifier: LGPL-2.1+ */

#ifndef __LXC_COMPILER_H
#define __LXC_COMPILER_H

#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif

#include <stdbool.h>
#include <linux/types.h>

#include "config.h"

#ifndef thread_local
#if __STDC_VERSION__ >= 201112L &&    \
    !(defined(__STDC_NO_THREADS__) || \
      (defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
#define thread_local _Thread_local
#else
#define thread_local __thread
#endif
#endif

#if __GNUC__ >= 7
#define __fallthrough __attribute__((__fallthrough__))
#else
#define __fallthrough /* fall through */
#endif

#if defined(__GNUC__) && !defined(__clang__)
	#if GCC_VERSION >= 50100
	#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
	#endif
#endif

#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
#define __must_check __attribute__((__warn_unused_result__))

static inline bool __must_check __must_check_overflow(bool overflow)
{
	return unlikely(overflow);
}

#define is_signed_type(type)       (((type)(-1)) < (type)1)
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
#define type_min(T) ((T)((T)-type_max(T)-(T)1))

/*
 * Avoids triggering -Wtype-limits compilation warning,
 * while using unsigned data types to check a < 0.
 */
#define is_non_negative(a) ((a) > 0 || (a) == 0)
#define is_negative(a) (!(is_non_negative(a)))

#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
/*
 * For simplicity and code hygiene, the fallback code below insists on
 * a, b and *d having the same type (similar to the min() and max()
 * macros), whereas gcc's type-generic overflow checkers accept
 * different types. Hence we don't just make check_add_overflow an
 * alias for __builtin_add_overflow, but add type checks similar to
 * below.
 */
#define check_add_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_add_overflow(__a, __b, __d);	\
}))

#define check_sub_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_sub_overflow(__a, __b, __d);	\
}))

#define check_mul_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_mul_overflow(__a, __b, __d);	\
}))
#else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */

/* Checking for unsigned overflow is relatively easy without causing UB. */
#define __unsigned_add_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = __a + __b;			\
	*__d < __a;				\
})
#define __unsigned_sub_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = __a - __b;			\
	__a < __b;				\
})

/*
 * If one of a or b is a compile-time constant, this avoids a division.
 */
#define __unsigned_mul_overflow(a, b, d) ({		\
	typeof(a) __a = (a);				\
	typeof(b) __b = (b);				\
	typeof(d) __d = (d);				\
	(void) (&__a == &__b);				\
	(void) (&__a == __d);				\
	*__d = __a * __b;				\
	__builtin_constant_p(__b) ?			\
	  __b > 0 && __a > type_max(typeof(__a)) / __b : \
	  __a > 0 && __b > type_max(typeof(__b)) / __a;	 \
})

/*
 * For signed types, detecting overflow is much harder, especially if
 * we want to avoid UB. But the interface of these macros is such that
 * we must provide a result in *d, and in fact we must produce the
 * result promised by gcc's builtins, which is simply the possibly
 * wrapped-around value. Fortunately, we can just formally do the
 * operations in the widest relevant unsigned type (u64) and then
 * truncate the result - gcc is smart enough to generate the same code
 * with and without the (u64) casts.
 */

/*
 * Adding two signed integers can overflow only if they have the same
 * sign, and overflow has happened iff the result has the opposite
 * sign.
 */
#define __signed_add_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = (__u64)__a + (__u64)__b;		\
	(((~(__a ^ __b)) & (*__d ^ __a))	\
		& type_min(typeof(__a))) != 0;	\
})

/*
 * Subtraction is similar, except that overflow can now happen only
 * when the signs are opposite. In this case, overflow has happened if
 * the result has the opposite sign of a.
 */
#define __signed_sub_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = (__u64)__a - (__u64)__b;		\
	((((__a ^ __b)) & (*__d ^ __a))		\
		& type_min(typeof(__a))) != 0;	\
})

/*
 * Signed multiplication is rather hard. gcc always follows C99, so
 * division is truncated towards 0. This means that we can write the
 * overflow check like this:
 *
 * (a > 0 && (b > MAX/a || b < MIN/a)) ||
 * (a < -1 && (b > MIN/a || b < MAX/a) ||
 * (a == -1 && b == MIN)
 *
 * The redundant casts of -1 are to silence an annoying -Wtype-limits
 * (included in -Wextra) warning: When the type is u8 or u16, the
 * __b_c_e in check_mul_overflow obviously selects
 * __unsigned_mul_overflow, but unfortunately gcc still parses this
 * code and warns about the limited range of __b.
 */

#define __signed_mul_overflow(a, b, d) ({				\
	typeof(a) __a = (a);						\
	typeof(b) __b = (b);						\
	typeof(d) __d = (d);						\
	typeof(a) __tmax = type_max(typeof(a));				\
	typeof(a) __tmin = type_min(typeof(a));				\
	(void) (&__a == &__b);						\
	(void) (&__a == __d);						\
	*__d = (__u64)__a * (__u64)__b;					\
	(__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||	\
	(__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
	(__b == (typeof(__b))-1 && __a == __tmin);			\
})


#define check_add_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_add_overflow(a, b, d),			\
			__unsigned_add_overflow(a, b, d)))

#define check_sub_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_sub_overflow(a, b, d),			\
			__unsigned_sub_overflow(a, b, d)))

#define check_mul_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_mul_overflow(a, b, d),			\
			__unsigned_mul_overflow(a, b, d)))

#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */

#ifndef __noreturn
#	if __STDC_VERSION__ >= 201112L
#		if !IS_BIONIC
#			define __noreturn _Noreturn
#		else
#			define __noreturn __attribute__((__noreturn__))
#		endif
#	elif IS_BIONIC
#		define __noreturn __attribute__((__noreturn__))
#	else
#		define __noreturn __attribute__((noreturn))
#	endif
#endif

#ifndef __hot
#	define __hot __attribute__((hot))
#endif

#ifndef __returns_twice
#define __returns_twice __attribute__((returns_twice))
#endif

/* This attribute is required to silence clang warnings */
#if defined(__GNUC__)
#define __lxc_unused __attribute__ ((unused))
#else
#define __lxc_unused
#endif

/* Indicates taking ownership */
#define __owns

#define __cgfsng_ops

/* access attribute */
#define __access_r_nosize(x)
#define __access_r(x, y)
#define __access_w(x, y)
#define __access_rw(x, y)

#ifdef __has_attribute
#if __has_attribute(access)
#undef __access_r
#define __access_r(x, y) __attribute__((access(read_only, x, y)))

#undef __access_r_nosize
#define __access_r_nosize(x) __attribute__((access(read_only, x)))

#undef __access_w
#define __access_w(x, y) __attribute__((access(write_only, x, y)))

#undef __access_rw
#define __access_rw(x, y) __attribute__((access(read_write, x, y)))
#endif
#endif

#ifndef __hidden
#define __hidden __attribute__((visibility("hidden")))
#endif

#ifndef __public
#define __public __attribute__((visibility("default")))
#endif

#endif /* __LXC_COMPILER_H */
Commit	Line	Data
cc73685d	1	/* SPDX-License-Identifier: LGPL-2.1+ */
d7f19646 CB	2
	3	#ifndef __LXC_COMPILER_H
	4	#define __LXC_COMPILER_H
	5
d38dd64a CB	6	#ifndef _GNU_SOURCE
	7	#define _GNU_SOURCE 1
	8	#endif
d17947f8	9
4c5479d2 CB	10	#include <stdbool.h>
	11	#include <linux/types.h>
	12
d7f19646 CB	13	#include "config.h"
	14
	15	#ifndef thread_local
	16	#if __STDC_VERSION__ >= 201112L && \
	17	!(defined(__STDC_NO_THREADS__) \|\| \
	18	(defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
	19	#define thread_local _Thread_local
	20	#else
	21	#define thread_local __thread
	22	#endif
	23	#endif
	24
fd1cf1b1 CB	25	#if __GNUC__ >= 7
	26	#define __fallthrough __attribute__((__fallthrough__))
	27	#else
c73fbad1	28	#define __fallthrough /* fall through */
cf0fd972 CB	29	#endif
cf0fd972 CB	30
4c5479d2 CB	31	#if defined(__GNUC__) && !defined(__clang__)
	32	#if GCC_VERSION >= 50100
	33	#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
	34	#endif
	35	#endif
	36
	37	#define likely(x) __builtin_expect(!!(x), 1)
	38	#define unlikely(x) __builtin_expect(!!(x), 0)
	39	#define __must_check __attribute__((__warn_unused_result__))
	40
	41	static inline bool __must_check __must_check_overflow(bool overflow)
	42	{
	43	return unlikely(overflow);
	44	}
	45
	46	#define is_signed_type(type) (((type)(-1)) < (type)1)
	47	#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
	48	#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
	49	#define type_min(T) ((T)((T)-type_max(T)-(T)1))
	50
	51	/*
	52	* Avoids triggering -Wtype-limits compilation warning,
	53	* while using unsigned data types to check a < 0.
	54	*/
	55	#define is_non_negative(a) ((a) > 0 \|\| (a) == 0)
	56	#define is_negative(a) (!(is_non_negative(a)))
	57
	58	#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
	59	/*
	60	* For simplicity and code hygiene, the fallback code below insists on
	61	* a, b and *d having the same type (similar to the min() and max()
	62	* macros), whereas gcc's type-generic overflow checkers accept
	63	* different types. Hence we don't just make check_add_overflow an
	64	* alias for __builtin_add_overflow, but add type checks similar to
	65	* below.
	66	*/
	67	#define check_add_overflow(a, b, d) __must_check_overflow(({ \
	68	typeof(a) __a = (a); \
	69	typeof(b) __b = (b); \
	70	typeof(d) __d = (d); \
	71	(void) (&__a == &__b); \
	72	(void) (&__a == __d); \
	73	__builtin_add_overflow(__a, __b, __d); \
	74	}))
	75
	76	#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
	77	typeof(a) __a = (a); \
	78	typeof(b) __b = (b); \
	79	typeof(d) __d = (d); \
	80	(void) (&__a == &__b); \
	81	(void) (&__a == __d); \
	82	__builtin_sub_overflow(__a, __b, __d); \
	83	}))
	84
	85	#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
	86	typeof(a) __a = (a); \
	87	typeof(b) __b = (b); \
	88	typeof(d) __d = (d); \
	89	(void) (&__a == &__b); \
	90	(void) (&__a == __d); \
	91	__builtin_mul_overflow(__a, __b, __d); \
	92	}))
	93	#else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
	94
95	/* Checking for unsigned overflow is relatively easy without causing UB. */
96	#define __unsigned_add_overflow(a, b, d) ({ \
97	typeof(a) __a = (a); \
98	typeof(b) __b = (b); \
99	typeof(d) __d = (d); \
100	(void) (&__a == &__b); \
101	(void) (&__a == __d); \
102	*__d = __a + __b; \
103	*__d < __a; \
104	})
105	#define __unsigned_sub_overflow(a, b, d) ({ \
106	typeof(a) __a = (a); \
107	typeof(b) __b = (b); \
108	typeof(d) __d = (d); \
109	(void) (&__a == &__b); \
110	(void) (&__a == __d); \
111	*__d = __a - __b; \
112	__a < __b; \
113	})
114
115	/*
116	* If one of a or b is a compile-time constant, this avoids a division.
117	*/
118	#define __unsigned_mul_overflow(a, b, d) ({ \
119	typeof(a) __a = (a); \
120	typeof(b) __b = (b); \
121	typeof(d) __d = (d); \
122	(void) (&__a == &__b); \
123	(void) (&__a == __d); \
124	__d = __a __b; \
125	__builtin_constant_p(__b) ? \
126	__b > 0 && __a > type_max(typeof(__a)) / __b : \
127	__a > 0 && __b > type_max(typeof(__b)) / __a; \
128	})
129
130	/*
131	* For signed types, detecting overflow is much harder, especially if
132	* we want to avoid UB. But the interface of these macros is such that
133	* we must provide a result in *d, and in fact we must produce the
134	* result promised by gcc's builtins, which is simply the possibly
135	* wrapped-around value. Fortunately, we can just formally do the
136	* operations in the widest relevant unsigned type (u64) and then
137	* truncate the result - gcc is smart enough to generate the same code
138	* with and without the (u64) casts.
139	*/
140
141	/*
142	* Adding two signed integers can overflow only if they have the same
143	* sign, and overflow has happened iff the result has the opposite
144	* sign.
145	*/
146	#define __signed_add_overflow(a, b, d) ({ \
147	typeof(a) __a = (a); \
148	typeof(b) __b = (b); \
149	typeof(d) __d = (d); \
150	(void) (&__a == &__b); \
151	(void) (&__a == __d); \
152	*__d = (__u64)__a + (__u64)__b; \
153	(((~(__a ^ __b)) & (*__d ^ __a)) \
154	& type_min(typeof(__a))) != 0; \
155	})
156
157	/*
158	* Subtraction is similar, except that overflow can now happen only
159	* when the signs are opposite. In this case, overflow has happened if
160	* the result has the opposite sign of a.
161	*/
162	#define __signed_sub_overflow(a, b, d) ({ \
163	typeof(a) __a = (a); \
164	typeof(b) __b = (b); \
165	typeof(d) __d = (d); \
166	(void) (&__a == &__b); \
167	(void) (&__a == __d); \
168	*__d = (__u64)__a - (__u64)__b; \
169	((((__a ^ __b)) & (*__d ^ __a)) \
170	& type_min(typeof(__a))) != 0; \
171	})
172
173	/*
174	* Signed multiplication is rather hard. gcc always follows C99, so
175	* division is truncated towards 0. This means that we can write the
176	* overflow check like this:
177	*
178	* (a > 0 && (b > MAX/a \|\| b < MIN/a)) \|\|
179	* (a < -1 && (b > MIN/a \|\| b < MAX/a) \|\|
180	* (a == -1 && b == MIN)
181	*
182	* The redundant casts of -1 are to silence an annoying -Wtype-limits
183	* (included in -Wextra) warning: When the type is u8 or u16, the
184	* __b_c_e in check_mul_overflow obviously selects
185	* __unsigned_mul_overflow, but unfortunately gcc still parses this
186	* code and warns about the limited range of __b.
187	*/
188
189	#define __signed_mul_overflow(a, b, d) ({ \
190	typeof(a) __a = (a); \
191	typeof(b) __b = (b); \
192	typeof(d) __d = (d); \
193	typeof(a) __tmax = type_max(typeof(a)); \
194	typeof(a) __tmin = type_min(typeof(a)); \
195	(void) (&__a == &__b); \
196	(void) (&__a == __d); \
197	__d = (__u64)__a (__u64)__b; \
198	(__b > 0 && (__a > __tmax/__b \|\| __a < __tmin/__b)) \|\| \
199	(__b < (typeof(__b))-1 && (__a > __tmin/__b \|\| __a < __tmax/__b)) \|\| \
200	(__b == (typeof(__b))-1 && __a == __tmin); \
201	})
202
203
204	#define check_add_overflow(a, b, d) __must_check_overflow( \
205	__builtin_choose_expr(is_signed_type(typeof(a)), \
206	__signed_add_overflow(a, b, d), \
207	__unsigned_add_overflow(a, b, d)))
208
209	#define check_sub_overflow(a, b, d) __must_check_overflow( \
210	__builtin_choose_expr(is_signed_type(typeof(a)), \
211	__signed_sub_overflow(a, b, d), \
212	__unsigned_sub_overflow(a, b, d)))
213
214	#define check_mul_overflow(a, b, d) __must_check_overflow( \
215	__builtin_choose_expr(is_signed_type(typeof(a)), \
216	__signed_mul_overflow(a, b, d), \
217	__unsigned_mul_overflow(a, b, d)))
218
219	#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
220
d17947f8 CB	221	#ifndef __noreturn
	222	# if __STDC_VERSION__ >= 201112L
	223	# if !IS_BIONIC
	224	# define __noreturn _Noreturn
	225	# else
	226	# define __noreturn __attribute__((__noreturn__))
	227	# endif
	228	# elif IS_BIONIC
	229	# define __noreturn __attribute__((__noreturn__))
	230	# else
	231	# define __noreturn __attribute__((noreturn))
	232	# endif
cf0fd972 CB	233	#endif
cf0fd972 CB	234
afeec9b7 CB	235	#ifndef __hot
	236	# define __hot __attribute__((hot))
	237	#endif
	238
633cb8be CB	239	#ifndef __returns_twice
	240	#define __returns_twice __attribute__((returns_twice))
	241	#endif
	242
1a080cd7 CB	243	/* This attribute is required to silence clang warnings */
1a080cd7 CB	244	#if defined(__GNUC__)
53675a8d	245	#define __lxc_unused __attribute__ ((unused))
1a080cd7	246	#else
53675a8d	247	#define __lxc_unused
1a080cd7 CB	248	#endif
1a080cd7 CB	249
ebbca852 MH	250	/* Indicates taking ownership */
	251	#define __owns
	252
b857f4be CB	253	#define __cgfsng_ops
b857f4be CB	254
674c9692	255	/* access attribute */
3d971319	256	#define __access_r_nosize(x)
674c9692 CB	257	#define __access_r(x, y)
	258	#define __access_w(x, y)
	259	#define __access_rw(x, y)
	260
	261	#ifdef __has_attribute
	262	#if __has_attribute(access)
	263	#undef __access_r
	264	#define __access_r(x, y) __attribute__((access(read_only, x, y)))
	265
3d971319 CB	266	#undef __access_r_nosize
	267	#define __access_r_nosize(x) __attribute__((access(read_only, x)))
	268
674c9692 CB	269	#undef __access_w
	270	#define __access_w(x, y) __attribute__((access(write_only, x, y)))
	271
	272	#undef __access_rw
	273	#define __access_rw(x, y) __attribute__((access(read_write, x, y)))
	274	#endif
	275	#endif
	276
6822ba9b CB	277	#ifndef __hidden
	278	#define __hidden __attribute__((visibility("hidden")))
	279	#endif
	280
a7692df5 CB	281	#ifndef __public
	282	#define __public __attribute__((visibility("default")))
	283	#endif
	284
d7f19646	285	#endif /* __LXC_COMPILER_H */