xref: /aosp_15_r20/external/libbpf/include/linux/overflow.h (revision f7c14bbac8cf49633f2740db462ea43457973ec4) 
1 /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
2 
3 #ifndef __LINUX_OVERFLOW_H
4 #define __LINUX_OVERFLOW_H
5 
6 #define is_signed_type(type)	(((type)(-1)) < (type)1)
7 #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
8 #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
9 #define type_min(T) ((T)((T)-type_max(T)-(T)1))
10 
11 #ifndef unlikely
12 #define unlikely(x)	__builtin_expect(!!(x), 0)
13 #endif
14 
15 #ifdef __GNUC__
16 #define GCC_VERSION (__GNUC__ * 10000           \
17                      + __GNUC_MINOR__ * 100     \
18                      + __GNUC_PATCHLEVEL__)
19 #if GCC_VERSION >= 50100
20 #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
21 #endif
22 #endif
23 
24 #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
25 
26 #define check_mul_overflow(a, b, d) ({		\
27 	typeof(a) __a = (a);			\
28 	typeof(b) __b = (b);			\
29 	typeof(d) __d = (d);			\
30 	(void) (&__a == &__b);			\
31 	(void) (&__a == __d);			\
32 	__builtin_mul_overflow(__a, __b, __d);	\
33 })
34 
35 #else
36 
37 /*
38  * If one of a or b is a compile-time constant, this avoids a division.
39  */
40 #define __unsigned_mul_overflow(a, b, d) ({		\
41 	typeof(a) __a = (a);				\
42 	typeof(b) __b = (b);				\
43 	typeof(d) __d = (d);				\
44 	(void) (&__a == &__b);				\
45 	(void) (&__a == __d);				\
46 	*__d = __a * __b;				\
47 	__builtin_constant_p(__b) ?			\
48 	  __b > 0 && __a > type_max(typeof(__a)) / __b : \
49 	  __a > 0 && __b > type_max(typeof(__b)) / __a;	 \
50 })
51 
52 /*
53  * Signed multiplication is rather hard. gcc always follows C99, so
54  * division is truncated towards 0. This means that we can write the
55  * overflow check like this:
56  *
57  * (a > 0 && (b > MAX/a || b < MIN/a)) ||
58  * (a < -1 && (b > MIN/a || b < MAX/a) ||
59  * (a == -1 && b == MIN)
60  *
61  * The redundant casts of -1 are to silence an annoying -Wtype-limits
62  * (included in -Wextra) warning: When the type is u8 or u16, the
63  * __b_c_e in check_mul_overflow obviously selects
64  * __unsigned_mul_overflow, but unfortunately gcc still parses this
65  * code and warns about the limited range of __b.
66  */
67 
68 #define __signed_mul_overflow(a, b, d) ({				\
69 	typeof(a) __a = (a);						\
70 	typeof(b) __b = (b);						\
71 	typeof(d) __d = (d);						\
72 	typeof(a) __tmax = type_max(typeof(a));				\
73 	typeof(a) __tmin = type_min(typeof(a));				\
74 	(void) (&__a == &__b);						\
75 	(void) (&__a == __d);						\
76 	*__d = (__u64)__a * (__u64)__b;					\
77 	(__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||	\
78 	(__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
79 	(__b == (typeof(__b))-1 && __a == __tmin);			\
80 })
81 
82 #define check_mul_overflow(a, b, d)					\
83 	__builtin_choose_expr(is_signed_type(typeof(a)),		\
84 			__signed_mul_overflow(a, b, d),			\
85 			__unsigned_mul_overflow(a, b, d))
86 
87 
88 #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
89 
90 #endif
91