Merge branch 'gh47926-safe-arith' into exp-csv-fuzz-safe-arith

Author: pitrou

cpp/src/arrow/util/int_util_overflow.h

@@ -25,62 +25,130 @@
 #include "arrow/util/macros.h"
 #include "arrow/util/visibility.h"
 
-// "safe-math.h" includes <intsafe.h> from the Windows headers.
-#include "arrow/vendored/portable-snippets/safe-math.h"
-// clang-format off (avoid include reordering)
-// clang-format on
+#include "arrow/vendored/safeint/safe_math.h"
 
 namespace arrow {
 namespace internal {
 
+// static inline bool check_add_int32_int32(int32_t a, int32_t b, int32_t* ret)
+
 // Define functions AddWithOverflow, SubtractWithOverflow, MultiplyWithOverflow
 // with the signature `bool(T u, T v, T* out)` where T is an integer type.
 // On overflow, these functions return true.  Otherwise, false is returned
 // and `out` is updated with the result of the operation.
 
-#define OP_WITH_OVERFLOW(_func_name, _psnip_op, _type, _psnip_type)           \
-  [[nodiscard]] static inline bool _func_name(_type u, _type v, _type* out) { \
-    return !psnip_safe_##_psnip_type##_##_psnip_op(out, u, v);                \
+#define SAFE_INT_OP_WITH_OVERFLOW(_func_name, _op_name, _c_type, _type)             \
+  [[nodiscard]] static inline bool _func_name(_c_type u, _c_type v, _c_type* out) { \
+    return !check_##_op_name##_##_type##_##_type(u, v, out);                        \
   }
 
-#define OPS_WITH_OVERFLOW(_func_name, _psnip_op)            \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int8_t, int8)     \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int16_t, int16)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int32_t, int32)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int64_t, int64)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint8_t, uint8)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint16_t, uint16) \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint32_t, uint32) \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint64_t, uint64)
+#define SAFE_INT_OPS_WITH_OVERFLOW(_func_name, _psnip_op)            \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _psnip_op, int32_t, int32)   \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _psnip_op, int64_t, int64)   \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _psnip_op, uint32_t, uint32) \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _psnip_op, uint64_t, uint64)
+
+SAFE_INT_OPS_WITH_OVERFLOW(SafeIntAddWithOverflow, add)
+SAFE_INT_OPS_WITH_OVERFLOW(SafeIntSubtractWithOverflow, sub)
+SAFE_INT_OPS_WITH_OVERFLOW(SafeIntMultiplyWithOverflow, mul)
+SAFE_INT_OPS_WITH_OVERFLOW(SafeIntDivideWithOverflow, div)
+
+#undef SAFE_INT_OP_WITH_OVERFLOW
+#undef SAFE_INT_OPS_WITH_OVERFLOW
+
+template <typename Int, typename SignedRet, typename UnsignedRet>
+using transformed_int_t =
+    std::conditional_t<std::is_signed_v<Int>, SignedRet, UnsignedRet>;
+
+template <typename Int>
+using upscaled_int32_t = transformed_int_t<Int, int32_t, uint32_t>;
+
+// TODO use builtins on clang/gcc
+
+template <typename Int>
+[[nodiscard]] bool AddWithOverflowGeneric(Int u, Int v, Int* out) {
+  if constexpr (sizeof(Int) < 4) {
+    auto r =
+        static_cast<upscaled_int32_t<Int>>(u) + static_cast<upscaled_int32_t<Int>>(v);
+    *out = static_cast<Int>(r);
+    return r != *out;
+  } else {
+    return SafeIntAddWithOverflow(u, v, out);
+  }
+}
 
-OPS_WITH_OVERFLOW(AddWithOverflow, add)
-OPS_WITH_OVERFLOW(SubtractWithOverflow, sub)
-OPS_WITH_OVERFLOW(MultiplyWithOverflow, mul)
-OPS_WITH_OVERFLOW(DivideWithOverflow, div)
+template <typename Int>
+[[nodiscard]] bool SubtractWithOverflowGeneric(Int u, Int v, Int* out) {
+  if constexpr (sizeof(Int) < 4) {
+    auto r =
+        static_cast<upscaled_int32_t<Int>>(u) - static_cast<upscaled_int32_t<Int>>(v);
+    *out = static_cast<Int>(r);
+    return r != *out;
+  } else {
+    return SafeIntSubtractWithOverflow(u, v, out);
+  }
+}
 
-#undef OP_WITH_OVERFLOW
-#undef OPS_WITH_OVERFLOW
+template <typename Int>
+[[nodiscard]] bool MultiplyWithOverflowGeneric(Int u, Int v, Int* out) {
+  if constexpr (sizeof(Int) < 4) {
+    auto r =
+        static_cast<upscaled_int32_t<Int>>(u) * static_cast<upscaled_int32_t<Int>>(v);
+    *out = static_cast<Int>(r);
+    return r != *out;
+  } else {
+    return SafeIntMultiplyWithOverflow(u, v, out);
+  }
+}
 
-// Define function NegateWithOverflow with the signature `bool(T u, T* out)`
-// where T is a signed integer type.  On overflow, these functions return true.
-// Otherwise, false is returned and `out` is updated with the result of the
-// operation.
+template <typename Int>
+[[nodiscard]] bool DivideWithOverflowGeneric(Int u, Int v, Int* out) {
+  if constexpr (sizeof(Int) < 4) {
+    using UpscaledInt = upscaled_int32_t<Int>;
+    UpscaledInt r;
+    bool error = SafeIntDivideWithOverflow(UpscaledInt{u}, UpscaledInt{v}, &r);
+    *out = static_cast<Int>(r);
+    return error || r != *out;
+  } else {
+    return SafeIntDivideWithOverflow(u, v, out);
+  }
+}
 
-#define UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, _type, _psnip_type) \
-  [[nodiscard]] static inline bool _func_name(_type u, _type* out) {      \
-    return !psnip_safe_##_psnip_type##_##_psnip_op(out, u);               \
+// Define non-generic versions of the above so as to benefit from automatic
+// integer conversion, to allow for mixed-type calls such as
+// AddWithOverflow(int32_t, int64_t, int64_t*).
+
+#define NON_GENERIC_OP_WITH_OVERFLOW(_func_name, _c_type)                    \
+  [[nodiscard]] inline bool _func_name(_c_type u, _c_type v, _c_type* out) { \
+    return _func_name##Generic(u, v, out);                                   \
   }
 
-#define SIGNED_UNARY_OPS_WITH_OVERFLOW(_func_name, _psnip_op)   \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int8_t, int8)   \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int16_t, int16) \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int32_t, int32) \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int64_t, int64)
+#define NON_GENERIC_OPS_WITH_OVERFLOW(_func_name)    \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int8_t)   \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint8_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int16_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint16_t) \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int32_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint32_t) \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int64_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint64_t)
+
+NON_GENERIC_OPS_WITH_OVERFLOW(AddWithOverflow)
+NON_GENERIC_OPS_WITH_OVERFLOW(SubtractWithOverflow)
+NON_GENERIC_OPS_WITH_OVERFLOW(MultiplyWithOverflow)
+NON_GENERIC_OPS_WITH_OVERFLOW(DivideWithOverflow)
 
-SIGNED_UNARY_OPS_WITH_OVERFLOW(NegateWithOverflow, neg)
+#undef NON_GENERIC_OPS_WITH_OVERFLOW
+#undef NON_GENERIC_OP_WITH_OVERFLOW
 
-#undef UNARY_OP_WITH_OVERFLOW
-#undef SIGNED_UNARY_OPS_WITH_OVERFLOW
+// Define function NegateWithOverflow with the signature `bool(T u, T* out)`
+// where T is a signed integer type.  On overflow, these functions return true.
+// Otherwise, false is returned and `out` is updated with the result of the
+// operation.
+template <typename Int>
+[[nodiscard]] bool NegateWithOverflow(Int v, Int* out) {
+  return SubtractWithOverflow(Int{}, v, out);
+}
 
 /// Signed addition with well-defined behaviour on overflow (as unsigned)
 template <typename SignedInt>