]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
d7f19646 CB |
2 | |
3 | #ifndef __LXC_COMPILER_H | |
4 | #define __LXC_COMPILER_H | |
5 | ||
d38dd64a CB |
6 | #ifndef _GNU_SOURCE |
7 | #define _GNU_SOURCE 1 | |
8 | #endif | |
d17947f8 | 9 | |
4c5479d2 CB |
10 | #include <stdbool.h> |
11 | #include <linux/types.h> | |
12 | ||
d7f19646 CB |
13 | #include "config.h" |
14 | ||
52ce8504 CB |
15 | #if defined(HAVE_THREADS_H) |
16 | #include <threads.h> | |
17 | #define THREAD_LOCAL_STORAGE_SUPPORTED | |
18 | #elif defined(thread_local) | |
19 | #define THREAD_LOCAL_STORAGE_SUPPORTED | |
d7f19646 | 20 | #else |
52ce8504 CB |
21 | #if __STDC_VERSION__ >= 201112L && \ |
22 | !(defined(__STDC_NO_THREADS__) || \ | |
23 | (defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16)) | |
24 | #define thread_local _Thread_local | |
25 | ||
26 | #define THREAD_LOCAL_STORAGE_SUPPORTED | |
27 | #else | |
28 | #define thread_local __thread | |
29 | ||
30 | #define THREAD_LOCAL_STORAGE_SUPPORTED | |
31 | #endif | |
d7f19646 CB |
32 | #endif |
33 | ||
fd1cf1b1 CB |
34 | #if __GNUC__ >= 7 |
35 | #define __fallthrough __attribute__((__fallthrough__)) | |
36 | #else | |
c73fbad1 | 37 | #define __fallthrough /* fall through */ |
cf0fd972 CB |
38 | #endif |
39 | ||
4c5479d2 CB |
40 | #if defined(__GNUC__) && !defined(__clang__) |
41 | #if GCC_VERSION >= 50100 | |
42 | #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 | |
43 | #endif | |
44 | #endif | |
45 | ||
46 | #define likely(x) __builtin_expect(!!(x), 1) | |
47 | #define unlikely(x) __builtin_expect(!!(x), 0) | |
48 | #define __must_check __attribute__((__warn_unused_result__)) | |
49 | ||
50 | static inline bool __must_check __must_check_overflow(bool overflow) | |
51 | { | |
52 | return unlikely(overflow); | |
53 | } | |
54 | ||
55 | #define is_signed_type(type) (((type)(-1)) < (type)1) | |
56 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type))) | |
57 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) | |
58 | #define type_min(T) ((T)((T)-type_max(T)-(T)1)) | |
59 | ||
60 | /* | |
61 | * Avoids triggering -Wtype-limits compilation warning, | |
62 | * while using unsigned data types to check a < 0. | |
63 | */ | |
64 | #define is_non_negative(a) ((a) > 0 || (a) == 0) | |
65 | #define is_negative(a) (!(is_non_negative(a))) | |
66 | ||
67 | #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW | |
68 | /* | |
69 | * For simplicity and code hygiene, the fallback code below insists on | |
70 | * a, b and *d having the same type (similar to the min() and max() | |
71 | * macros), whereas gcc's type-generic overflow checkers accept | |
72 | * different types. Hence we don't just make check_add_overflow an | |
73 | * alias for __builtin_add_overflow, but add type checks similar to | |
74 | * below. | |
75 | */ | |
76 | #define check_add_overflow(a, b, d) __must_check_overflow(({ \ | |
77 | typeof(a) __a = (a); \ | |
78 | typeof(b) __b = (b); \ | |
79 | typeof(d) __d = (d); \ | |
80 | (void) (&__a == &__b); \ | |
81 | (void) (&__a == __d); \ | |
82 | __builtin_add_overflow(__a, __b, __d); \ | |
83 | })) | |
84 | ||
85 | #define check_sub_overflow(a, b, d) __must_check_overflow(({ \ | |
86 | typeof(a) __a = (a); \ | |
87 | typeof(b) __b = (b); \ | |
88 | typeof(d) __d = (d); \ | |
89 | (void) (&__a == &__b); \ | |
90 | (void) (&__a == __d); \ | |
91 | __builtin_sub_overflow(__a, __b, __d); \ | |
92 | })) | |
93 | ||
94 | #define check_mul_overflow(a, b, d) __must_check_overflow(({ \ | |
95 | typeof(a) __a = (a); \ | |
96 | typeof(b) __b = (b); \ | |
97 | typeof(d) __d = (d); \ | |
98 | (void) (&__a == &__b); \ | |
99 | (void) (&__a == __d); \ | |
100 | __builtin_mul_overflow(__a, __b, __d); \ | |
101 | })) | |
102 | #else /* !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ | |
103 | ||
104 | /* Checking for unsigned overflow is relatively easy without causing UB. */ | |
105 | #define __unsigned_add_overflow(a, b, d) ({ \ | |
106 | typeof(a) __a = (a); \ | |
107 | typeof(b) __b = (b); \ | |
108 | typeof(d) __d = (d); \ | |
109 | (void) (&__a == &__b); \ | |
110 | (void) (&__a == __d); \ | |
111 | *__d = __a + __b; \ | |
112 | *__d < __a; \ | |
113 | }) | |
114 | #define __unsigned_sub_overflow(a, b, d) ({ \ | |
115 | typeof(a) __a = (a); \ | |
116 | typeof(b) __b = (b); \ | |
117 | typeof(d) __d = (d); \ | |
118 | (void) (&__a == &__b); \ | |
119 | (void) (&__a == __d); \ | |
120 | *__d = __a - __b; \ | |
121 | __a < __b; \ | |
122 | }) | |
123 | ||
124 | /* | |
125 | * If one of a or b is a compile-time constant, this avoids a division. | |
126 | */ | |
127 | #define __unsigned_mul_overflow(a, b, d) ({ \ | |
128 | typeof(a) __a = (a); \ | |
129 | typeof(b) __b = (b); \ | |
130 | typeof(d) __d = (d); \ | |
131 | (void) (&__a == &__b); \ | |
132 | (void) (&__a == __d); \ | |
133 | *__d = __a * __b; \ | |
134 | __builtin_constant_p(__b) ? \ | |
135 | __b > 0 && __a > type_max(typeof(__a)) / __b : \ | |
136 | __a > 0 && __b > type_max(typeof(__b)) / __a; \ | |
137 | }) | |
138 | ||
139 | /* | |
140 | * For signed types, detecting overflow is much harder, especially if | |
141 | * we want to avoid UB. But the interface of these macros is such that | |
142 | * we must provide a result in *d, and in fact we must produce the | |
143 | * result promised by gcc's builtins, which is simply the possibly | |
144 | * wrapped-around value. Fortunately, we can just formally do the | |
145 | * operations in the widest relevant unsigned type (u64) and then | |
146 | * truncate the result - gcc is smart enough to generate the same code | |
147 | * with and without the (u64) casts. | |
148 | */ | |
149 | ||
150 | /* | |
151 | * Adding two signed integers can overflow only if they have the same | |
152 | * sign, and overflow has happened iff the result has the opposite | |
153 | * sign. | |
154 | */ | |
155 | #define __signed_add_overflow(a, b, d) ({ \ | |
156 | typeof(a) __a = (a); \ | |
157 | typeof(b) __b = (b); \ | |
158 | typeof(d) __d = (d); \ | |
159 | (void) (&__a == &__b); \ | |
160 | (void) (&__a == __d); \ | |
161 | *__d = (__u64)__a + (__u64)__b; \ | |
162 | (((~(__a ^ __b)) & (*__d ^ __a)) \ | |
163 | & type_min(typeof(__a))) != 0; \ | |
164 | }) | |
165 | ||
166 | /* | |
167 | * Subtraction is similar, except that overflow can now happen only | |
168 | * when the signs are opposite. In this case, overflow has happened if | |
169 | * the result has the opposite sign of a. | |
170 | */ | |
171 | #define __signed_sub_overflow(a, b, d) ({ \ | |
172 | typeof(a) __a = (a); \ | |
173 | typeof(b) __b = (b); \ | |
174 | typeof(d) __d = (d); \ | |
175 | (void) (&__a == &__b); \ | |
176 | (void) (&__a == __d); \ | |
177 | *__d = (__u64)__a - (__u64)__b; \ | |
178 | ((((__a ^ __b)) & (*__d ^ __a)) \ | |
179 | & type_min(typeof(__a))) != 0; \ | |
180 | }) | |
181 | ||
182 | /* | |
183 | * Signed multiplication is rather hard. gcc always follows C99, so | |
184 | * division is truncated towards 0. This means that we can write the | |
185 | * overflow check like this: | |
186 | * | |
187 | * (a > 0 && (b > MAX/a || b < MIN/a)) || | |
188 | * (a < -1 && (b > MIN/a || b < MAX/a) || | |
189 | * (a == -1 && b == MIN) | |
190 | * | |
191 | * The redundant casts of -1 are to silence an annoying -Wtype-limits | |
192 | * (included in -Wextra) warning: When the type is u8 or u16, the | |
193 | * __b_c_e in check_mul_overflow obviously selects | |
194 | * __unsigned_mul_overflow, but unfortunately gcc still parses this | |
195 | * code and warns about the limited range of __b. | |
196 | */ | |
197 | ||
198 | #define __signed_mul_overflow(a, b, d) ({ \ | |
199 | typeof(a) __a = (a); \ | |
200 | typeof(b) __b = (b); \ | |
201 | typeof(d) __d = (d); \ | |
202 | typeof(a) __tmax = type_max(typeof(a)); \ | |
203 | typeof(a) __tmin = type_min(typeof(a)); \ | |
204 | (void) (&__a == &__b); \ | |
205 | (void) (&__a == __d); \ | |
206 | *__d = (__u64)__a * (__u64)__b; \ | |
207 | (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ | |
208 | (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ | |
209 | (__b == (typeof(__b))-1 && __a == __tmin); \ | |
210 | }) | |
211 | ||
212 | ||
213 | #define check_add_overflow(a, b, d) __must_check_overflow( \ | |
214 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | |
215 | __signed_add_overflow(a, b, d), \ | |
216 | __unsigned_add_overflow(a, b, d))) | |
217 | ||
218 | #define check_sub_overflow(a, b, d) __must_check_overflow( \ | |
219 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | |
220 | __signed_sub_overflow(a, b, d), \ | |
221 | __unsigned_sub_overflow(a, b, d))) | |
222 | ||
223 | #define check_mul_overflow(a, b, d) __must_check_overflow( \ | |
224 | __builtin_choose_expr(is_signed_type(typeof(a)), \ | |
225 | __signed_mul_overflow(a, b, d), \ | |
226 | __unsigned_mul_overflow(a, b, d))) | |
227 | ||
228 | #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ | |
229 | ||
d17947f8 CB |
230 | #ifndef __noreturn |
231 | # if __STDC_VERSION__ >= 201112L | |
232 | # if !IS_BIONIC | |
233 | # define __noreturn _Noreturn | |
234 | # else | |
235 | # define __noreturn __attribute__((__noreturn__)) | |
236 | # endif | |
237 | # elif IS_BIONIC | |
238 | # define __noreturn __attribute__((__noreturn__)) | |
239 | # else | |
240 | # define __noreturn __attribute__((noreturn)) | |
241 | # endif | |
cf0fd972 CB |
242 | #endif |
243 | ||
afeec9b7 CB |
244 | #ifndef __hot |
245 | # define __hot __attribute__((hot)) | |
246 | #endif | |
247 | ||
633cb8be CB |
248 | #ifndef __returns_twice |
249 | #define __returns_twice __attribute__((returns_twice)) | |
250 | #endif | |
251 | ||
1a080cd7 CB |
252 | /* This attribute is required to silence clang warnings */ |
253 | #if defined(__GNUC__) | |
53675a8d | 254 | #define __lxc_unused __attribute__ ((unused)) |
1a080cd7 | 255 | #else |
53675a8d | 256 | #define __lxc_unused |
1a080cd7 CB |
257 | #endif |
258 | ||
ebbca852 MH |
259 | /* Indicates taking ownership */ |
260 | #define __owns | |
261 | ||
b857f4be CB |
262 | #define __cgfsng_ops |
263 | ||
674c9692 | 264 | /* access attribute */ |
3d971319 | 265 | #define __access_r_nosize(x) |
674c9692 CB |
266 | #define __access_r(x, y) |
267 | #define __access_w(x, y) | |
268 | #define __access_rw(x, y) | |
269 | ||
270 | #ifdef __has_attribute | |
271 | #if __has_attribute(access) | |
272 | #undef __access_r | |
273 | #define __access_r(x, y) __attribute__((access(read_only, x, y))) | |
274 | ||
3d971319 CB |
275 | #undef __access_r_nosize |
276 | #define __access_r_nosize(x) __attribute__((access(read_only, x))) | |
277 | ||
674c9692 CB |
278 | #undef __access_w |
279 | #define __access_w(x, y) __attribute__((access(write_only, x, y))) | |
280 | ||
281 | #undef __access_rw | |
282 | #define __access_rw(x, y) __attribute__((access(read_write, x, y))) | |
283 | #endif | |
284 | #endif | |
285 | ||
6822ba9b CB |
286 | #ifndef __hidden |
287 | #define __hidden __attribute__((visibility("hidden"))) | |
288 | #endif | |
289 | ||
a7692df5 CB |
290 | #ifndef __public |
291 | #define __public __attribute__((visibility("default"))) | |
292 | #endif | |
293 | ||
d7f19646 | 294 | #endif /* __LXC_COMPILER_H */ |