[mirror_lxc.git] / src / lxc / compiler.h

/* SPDX-License-Identifier: LGPL-2.1+ */

#ifndef __LXC_COMPILER_H
#define __LXC_COMPILER_H

#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif

#include <stdbool.h>
#include <linux/types.h>

#include "config.h"

#if defined(HAVE_THREADS_H)
	#include <threads.h>
	#define THREAD_LOCAL_STORAGE_SUPPORTED
#elif defined(thread_local)
	#define THREAD_LOCAL_STORAGE_SUPPORTED
#else
	#if __STDC_VERSION__ >= 201112L &&    \
	    !(defined(__STDC_NO_THREADS__) || \
	      (defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
		#define thread_local _Thread_local

		#define THREAD_LOCAL_STORAGE_SUPPORTED
	#else
		#define thread_local __thread

		#define THREAD_LOCAL_STORAGE_SUPPORTED
	#endif
#endif

#if __GNUC__ >= 7
#define __fallthrough __attribute__((__fallthrough__))
#else
#define __fallthrough /* fall through */
#endif

#if defined(__GNUC__) && !defined(__clang__)
	#if GCC_VERSION >= 50100
	#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
	#endif
#endif

#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)
#define __must_check __attribute__((__warn_unused_result__))

static inline bool __must_check __must_check_overflow(bool overflow)
{
	return unlikely(overflow);
}

#define is_signed_type(type)       (((type)(-1)) < (type)1)
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
#define type_min(T) ((T)((T)-type_max(T)-(T)1))

/*
 * Avoids triggering -Wtype-limits compilation warning,
 * while using unsigned data types to check a < 0.
 */
#define is_non_negative(a) ((a) > 0 || (a) == 0)
#define is_negative(a) (!(is_non_negative(a)))

#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
/*
 * For simplicity and code hygiene, the fallback code below insists on
 * a, b and *d having the same type (similar to the min() and max()
 * macros), whereas gcc's type-generic overflow checkers accept
 * different types. Hence we don't just make check_add_overflow an
 * alias for __builtin_add_overflow, but add type checks similar to
 * below.
 */
#define check_add_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_add_overflow(__a, __b, __d);	\
}))

#define check_sub_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_sub_overflow(__a, __b, __d);	\
}))

#define check_mul_overflow(a, b, d) __must_check_overflow(({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	__builtin_mul_overflow(__a, __b, __d);	\
}))
#else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */

/* Checking for unsigned overflow is relatively easy without causing UB. */
#define __unsigned_add_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = __a + __b;			\
	*__d < __a;				\
})
#define __unsigned_sub_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = __a - __b;			\
	__a < __b;				\
})

/*
 * If one of a or b is a compile-time constant, this avoids a division.
 */
#define __unsigned_mul_overflow(a, b, d) ({		\
	typeof(a) __a = (a);				\
	typeof(b) __b = (b);				\
	typeof(d) __d = (d);				\
	(void) (&__a == &__b);				\
	(void) (&__a == __d);				\
	*__d = __a * __b;				\
	__builtin_constant_p(__b) ?			\
	  __b > 0 && __a > type_max(typeof(__a)) / __b : \
	  __a > 0 && __b > type_max(typeof(__b)) / __a;	 \
})

/*
 * For signed types, detecting overflow is much harder, especially if
 * we want to avoid UB. But the interface of these macros is such that
 * we must provide a result in *d, and in fact we must produce the
 * result promised by gcc's builtins, which is simply the possibly
 * wrapped-around value. Fortunately, we can just formally do the
 * operations in the widest relevant unsigned type (u64) and then
 * truncate the result - gcc is smart enough to generate the same code
 * with and without the (u64) casts.
 */

/*
 * Adding two signed integers can overflow only if they have the same
 * sign, and overflow has happened iff the result has the opposite
 * sign.
 */
#define __signed_add_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = (__u64)__a + (__u64)__b;		\
	(((~(__a ^ __b)) & (*__d ^ __a))	\
		& type_min(typeof(__a))) != 0;	\
})

/*
 * Subtraction is similar, except that overflow can now happen only
 * when the signs are opposite. In this case, overflow has happened if
 * the result has the opposite sign of a.
 */
#define __signed_sub_overflow(a, b, d) ({	\
	typeof(a) __a = (a);			\
	typeof(b) __b = (b);			\
	typeof(d) __d = (d);			\
	(void) (&__a == &__b);			\
	(void) (&__a == __d);			\
	*__d = (__u64)__a - (__u64)__b;		\
	((((__a ^ __b)) & (*__d ^ __a))		\
		& type_min(typeof(__a))) != 0;	\
})

/*
 * Signed multiplication is rather hard. gcc always follows C99, so
 * division is truncated towards 0. This means that we can write the
 * overflow check like this:
 *
 * (a > 0 && (b > MAX/a || b < MIN/a)) ||
 * (a < -1 && (b > MIN/a || b < MAX/a) ||
 * (a == -1 && b == MIN)
 *
 * The redundant casts of -1 are to silence an annoying -Wtype-limits
 * (included in -Wextra) warning: When the type is u8 or u16, the
 * __b_c_e in check_mul_overflow obviously selects
 * __unsigned_mul_overflow, but unfortunately gcc still parses this
 * code and warns about the limited range of __b.
 */

#define __signed_mul_overflow(a, b, d) ({				\
	typeof(a) __a = (a);						\
	typeof(b) __b = (b);						\
	typeof(d) __d = (d);						\
	typeof(a) __tmax = type_max(typeof(a));				\
	typeof(a) __tmin = type_min(typeof(a));				\
	(void) (&__a == &__b);						\
	(void) (&__a == __d);						\
	*__d = (__u64)__a * (__u64)__b;					\
	(__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||	\
	(__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
	(__b == (typeof(__b))-1 && __a == __tmin);			\
})


#define check_add_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_add_overflow(a, b, d),			\
			__unsigned_add_overflow(a, b, d)))

#define check_sub_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_sub_overflow(a, b, d),			\
			__unsigned_sub_overflow(a, b, d)))

#define check_mul_overflow(a, b, d)	__must_check_overflow(		\
	__builtin_choose_expr(is_signed_type(typeof(a)),		\
			__signed_mul_overflow(a, b, d),			\
			__unsigned_mul_overflow(a, b, d)))

#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */

#ifndef __noreturn
#	if __STDC_VERSION__ >= 201112L
#		if !IS_BIONIC
#			define __noreturn _Noreturn
#		else
#			define __noreturn __attribute__((__noreturn__))
#		endif
#	elif IS_BIONIC
#		define __noreturn __attribute__((__noreturn__))
#	else
#		define __noreturn __attribute__((noreturn))
#	endif
#endif

#ifndef __hot
#	define __hot __attribute__((hot))
#endif

#ifndef __returns_twice
#define __returns_twice __attribute__((returns_twice))
#endif

/* This attribute is required to silence clang warnings */
#if defined(__GNUC__)
#define __lxc_unused __attribute__ ((unused))
#else
#define __lxc_unused
#endif

/* Indicates taking ownership */
#define __owns

#define __cgfsng_ops

/* access attribute */
#define __access_r_nosize(x)
#define __access_r(x, y)
#define __access_w(x, y)
#define __access_rw(x, y)

#ifdef __has_attribute
#if __has_attribute(access)
#undef __access_r
#define __access_r(x, y) __attribute__((access(read_only, x, y)))

#undef __access_r_nosize
#define __access_r_nosize(x) __attribute__((access(read_only, x)))

#undef __access_w
#define __access_w(x, y) __attribute__((access(write_only, x, y)))

#undef __access_rw
#define __access_rw(x, y) __attribute__((access(read_write, x, y)))
#endif
#endif

#ifndef __hidden
#define __hidden __attribute__((visibility("hidden")))
#endif

#ifndef __public
#define __public __attribute__((visibility("default")))
#endif

#endif /* __LXC_COMPILER_H */
Commit	Line	Data
cc73685d	1	/* SPDX-License-Identifier: LGPL-2.1+ */
d7f19646 CB	2
	3	#ifndef __LXC_COMPILER_H
	4	#define __LXC_COMPILER_H
	5
d38dd64a CB	6	#ifndef _GNU_SOURCE
	7	#define _GNU_SOURCE 1
	8	#endif
d17947f8	9
4c5479d2 CB	10	#include <stdbool.h>
	11	#include <linux/types.h>
	12
d7f19646 CB	13	#include "config.h"
d7f19646 CB	14
52ce8504 CB	15	#if defined(HAVE_THREADS_H)
	16	#include <threads.h>
	17	#define THREAD_LOCAL_STORAGE_SUPPORTED
	18	#elif defined(thread_local)
	19	#define THREAD_LOCAL_STORAGE_SUPPORTED
d7f19646	20	#else
52ce8504 CB	21	#if __STDC_VERSION__ >= 201112L && \
	22	!(defined(__STDC_NO_THREADS__) \|\| \
	23	(defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
	24	#define thread_local _Thread_local
	25
	26	#define THREAD_LOCAL_STORAGE_SUPPORTED
	27	#else
	28	#define thread_local __thread
	29
	30	#define THREAD_LOCAL_STORAGE_SUPPORTED
	31	#endif
d7f19646 CB	32	#endif
d7f19646 CB	33
fd1cf1b1 CB	34	#if __GNUC__ >= 7
	35	#define __fallthrough __attribute__((__fallthrough__))
	36	#else
c73fbad1	37	#define __fallthrough /* fall through */
cf0fd972 CB	38	#endif
cf0fd972 CB	39
4c5479d2 CB	40	#if defined(__GNUC__) && !defined(__clang__)
	41	#if GCC_VERSION >= 50100
	42	#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
	43	#endif
	44	#endif
	45
	46	#define likely(x) __builtin_expect(!!(x), 1)
	47	#define unlikely(x) __builtin_expect(!!(x), 0)
	48	#define __must_check __attribute__((__warn_unused_result__))
	49
	50	static inline bool __must_check __must_check_overflow(bool overflow)
	51	{
	52	return unlikely(overflow);
	53	}
	54
	55	#define is_signed_type(type) (((type)(-1)) < (type)1)
	56	#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
	57	#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
	58	#define type_min(T) ((T)((T)-type_max(T)-(T)1))
	59
	60	/*
	61	* Avoids triggering -Wtype-limits compilation warning,
	62	* while using unsigned data types to check a < 0.
	63	*/
	64	#define is_non_negative(a) ((a) > 0 \|\| (a) == 0)
	65	#define is_negative(a) (!(is_non_negative(a)))
	66
	67	#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
	68	/*
	69	* For simplicity and code hygiene, the fallback code below insists on
	70	* a, b and *d having the same type (similar to the min() and max()
	71	* macros), whereas gcc's type-generic overflow checkers accept
	72	* different types. Hence we don't just make check_add_overflow an
	73	* alias for __builtin_add_overflow, but add type checks similar to
	74	* below.
	75	*/
	76	#define check_add_overflow(a, b, d) __must_check_overflow(({ \
	77	typeof(a) __a = (a); \
	78	typeof(b) __b = (b); \
	79	typeof(d) __d = (d); \
	80	(void) (&__a == &__b); \
	81	(void) (&__a == __d); \
	82	__builtin_add_overflow(__a, __b, __d); \
	83	}))
	84
	85	#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
	86	typeof(a) __a = (a); \
	87	typeof(b) __b = (b); \
	88	typeof(d) __d = (d); \
	89	(void) (&__a == &__b); \
	90	(void) (&__a == __d); \
	91	__builtin_sub_overflow(__a, __b, __d); \
	92	}))
	93
	94	#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
	95	typeof(a) __a = (a); \
	96	typeof(b) __b = (b); \
	97	typeof(d) __d = (d); \
	98	(void) (&__a == &__b); \
	99	(void) (&__a == __d); \
	100	__builtin_mul_overflow(__a, __b, __d); \
	101	}))
	102	#else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
	103
104	/* Checking for unsigned overflow is relatively easy without causing UB. */
105	#define __unsigned_add_overflow(a, b, d) ({ \
106	typeof(a) __a = (a); \
107	typeof(b) __b = (b); \
108	typeof(d) __d = (d); \
109	(void) (&__a == &__b); \
110	(void) (&__a == __d); \
111	*__d = __a + __b; \
112	*__d < __a; \
113	})
114	#define __unsigned_sub_overflow(a, b, d) ({ \
115	typeof(a) __a = (a); \
116	typeof(b) __b = (b); \
117	typeof(d) __d = (d); \
118	(void) (&__a == &__b); \
119	(void) (&__a == __d); \
120	*__d = __a - __b; \
121	__a < __b; \
122	})
123
124	/*
125	* If one of a or b is a compile-time constant, this avoids a division.
126	*/
127	#define __unsigned_mul_overflow(a, b, d) ({ \
128	typeof(a) __a = (a); \
129	typeof(b) __b = (b); \
130	typeof(d) __d = (d); \
131	(void) (&__a == &__b); \
132	(void) (&__a == __d); \
133	__d = __a __b; \
134	__builtin_constant_p(__b) ? \
135	__b > 0 && __a > type_max(typeof(__a)) / __b : \
136	__a > 0 && __b > type_max(typeof(__b)) / __a; \
137	})
138
139	/*
140	* For signed types, detecting overflow is much harder, especially if
141	* we want to avoid UB. But the interface of these macros is such that
142	* we must provide a result in *d, and in fact we must produce the
143	* result promised by gcc's builtins, which is simply the possibly
144	* wrapped-around value. Fortunately, we can just formally do the
145	* operations in the widest relevant unsigned type (u64) and then
146	* truncate the result - gcc is smart enough to generate the same code
147	* with and without the (u64) casts.
148	*/
149
150	/*
151	* Adding two signed integers can overflow only if they have the same
152	* sign, and overflow has happened iff the result has the opposite
153	* sign.
154	*/
155	#define __signed_add_overflow(a, b, d) ({ \
156	typeof(a) __a = (a); \
157	typeof(b) __b = (b); \
158	typeof(d) __d = (d); \
159	(void) (&__a == &__b); \
160	(void) (&__a == __d); \
161	*__d = (__u64)__a + (__u64)__b; \
162	(((~(__a ^ __b)) & (*__d ^ __a)) \
163	& type_min(typeof(__a))) != 0; \
164	})
165
166	/*
167	* Subtraction is similar, except that overflow can now happen only
168	* when the signs are opposite. In this case, overflow has happened if
169	* the result has the opposite sign of a.
170	*/
171	#define __signed_sub_overflow(a, b, d) ({ \
172	typeof(a) __a = (a); \
173	typeof(b) __b = (b); \
174	typeof(d) __d = (d); \
175	(void) (&__a == &__b); \
176	(void) (&__a == __d); \
177	*__d = (__u64)__a - (__u64)__b; \
178	((((__a ^ __b)) & (*__d ^ __a)) \
179	& type_min(typeof(__a))) != 0; \
180	})
181
182	/*
183	* Signed multiplication is rather hard. gcc always follows C99, so
184	* division is truncated towards 0. This means that we can write the
185	* overflow check like this:
186	*
187	* (a > 0 && (b > MAX/a \|\| b < MIN/a)) \|\|
188	* (a < -1 && (b > MIN/a \|\| b < MAX/a) \|\|
189	* (a == -1 && b == MIN)
190	*
191	* The redundant casts of -1 are to silence an annoying -Wtype-limits
192	* (included in -Wextra) warning: When the type is u8 or u16, the
193	* __b_c_e in check_mul_overflow obviously selects
194	* __unsigned_mul_overflow, but unfortunately gcc still parses this
195	* code and warns about the limited range of __b.
196	*/
197
198	#define __signed_mul_overflow(a, b, d) ({ \
199	typeof(a) __a = (a); \
200	typeof(b) __b = (b); \
201	typeof(d) __d = (d); \
202	typeof(a) __tmax = type_max(typeof(a)); \
203	typeof(a) __tmin = type_min(typeof(a)); \
204	(void) (&__a == &__b); \
205	(void) (&__a == __d); \
206	__d = (__u64)__a (__u64)__b; \
207	(__b > 0 && (__a > __tmax/__b \|\| __a < __tmin/__b)) \|\| \
208	(__b < (typeof(__b))-1 && (__a > __tmin/__b \|\| __a < __tmax/__b)) \|\| \
209	(__b == (typeof(__b))-1 && __a == __tmin); \
210	})
211
212
213	#define check_add_overflow(a, b, d) __must_check_overflow( \
214	__builtin_choose_expr(is_signed_type(typeof(a)), \
215	__signed_add_overflow(a, b, d), \
216	__unsigned_add_overflow(a, b, d)))
217
218	#define check_sub_overflow(a, b, d) __must_check_overflow( \
219	__builtin_choose_expr(is_signed_type(typeof(a)), \
220	__signed_sub_overflow(a, b, d), \
221	__unsigned_sub_overflow(a, b, d)))
222
223	#define check_mul_overflow(a, b, d) __must_check_overflow( \
224	__builtin_choose_expr(is_signed_type(typeof(a)), \
225	__signed_mul_overflow(a, b, d), \
226	__unsigned_mul_overflow(a, b, d)))
227
228	#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
229
d17947f8 CB	230	#ifndef __noreturn
	231	# if __STDC_VERSION__ >= 201112L
	232	# if !IS_BIONIC
	233	# define __noreturn _Noreturn
	234	# else
	235	# define __noreturn __attribute__((__noreturn__))
	236	# endif
	237	# elif IS_BIONIC
	238	# define __noreturn __attribute__((__noreturn__))
	239	# else
	240	# define __noreturn __attribute__((noreturn))
	241	# endif
cf0fd972 CB	242	#endif
cf0fd972 CB	243
afeec9b7 CB	244	#ifndef __hot
	245	# define __hot __attribute__((hot))
	246	#endif
	247
633cb8be CB	248	#ifndef __returns_twice
	249	#define __returns_twice __attribute__((returns_twice))
	250	#endif
	251
1a080cd7 CB	252	/* This attribute is required to silence clang warnings */
1a080cd7 CB	253	#if defined(__GNUC__)
53675a8d	254	#define __lxc_unused __attribute__ ((unused))
1a080cd7	255	#else
53675a8d	256	#define __lxc_unused
1a080cd7 CB	257	#endif
1a080cd7 CB	258
ebbca852 MH	259	/* Indicates taking ownership */
	260	#define __owns
	261
b857f4be CB	262	#define __cgfsng_ops
b857f4be CB	263
674c9692	264	/* access attribute */
3d971319	265	#define __access_r_nosize(x)
674c9692 CB	266	#define __access_r(x, y)
	267	#define __access_w(x, y)
	268	#define __access_rw(x, y)
	269
	270	#ifdef __has_attribute
	271	#if __has_attribute(access)
	272	#undef __access_r
	273	#define __access_r(x, y) __attribute__((access(read_only, x, y)))
	274
3d971319 CB	275	#undef __access_r_nosize
	276	#define __access_r_nosize(x) __attribute__((access(read_only, x)))
	277
674c9692 CB	278	#undef __access_w
	279	#define __access_w(x, y) __attribute__((access(write_only, x, y)))
	280
	281	#undef __access_rw
	282	#define __access_rw(x, y) __attribute__((access(read_write, x, y)))
	283	#endif
	284	#endif
	285
6822ba9b CB	286	#ifndef __hidden
	287	#define __hidden __attribute__((visibility("hidden")))
	288	#endif
	289
a7692df5 CB	290	#ifndef __public
	291	#define __public __attribute__((visibility("default")))
	292	#endif
	293
d7f19646	294	#endif /* __LXC_COMPILER_H */