Add SAL annotations to safecast.h helper methods (#620)

dmachaj · web-flow · commit 3ecba603d978 · 2026-02-24T12:13:49.000-08:00
* Add annotations to safecast helper methods

* I swear I ran the formatter before but it didn't change anything
diff --git a/include/wil/safecast.h b/include/wil/safecast.h
@@ -265,7 +265,7 @@ namespace details
 
 // Unsafe conversion where failure results in fail fast.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_no_wchar_v<NewT, OldT>, int> = 0>
-NewT safe_cast_failfast(const OldT var)
+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)
 {
     NewT newVar;
     FAIL_FAST_IF_FAILED((details::intsafe_conversion<OldT, NewT>(var, &newVar)));
@@ -274,7 +274,7 @@ NewT safe_cast_failfast(const OldT var)
 
 // Unsafe conversion where failure results in fail fast.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_from_wchar_v<NewT, OldT>, int> = 0>
-NewT safe_cast_failfast(const OldT var)
+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)
 {
     NewT newVar;
     FAIL_FAST_IF_FAILED((details::intsafe_conversion<unsigned short, NewT>(static_cast<unsigned short>(var), &newVar)));
@@ -283,7 +283,7 @@ NewT safe_cast_failfast(const OldT var)
 
 // Unsafe conversion where failure results in fail fast.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_to_wchar_v<NewT, OldT>, int> = 0>
-NewT safe_cast_failfast(const OldT var)
+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)
 {
     unsigned short newVar;
     FAIL_FAST_IF_FAILED((details::intsafe_conversion<OldT, unsigned short>(var, &newVar)));
@@ -292,15 +292,15 @@ NewT safe_cast_failfast(const OldT var)
 
 // This conversion is always safe, therefore a static_cast is fine.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>
-NewT safe_cast_failfast(const OldT var)
+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)
 {
     return static_cast<NewT>(var);
 }
 
 #ifdef WIL_ENABLE_EXCEPTIONS
 // Unsafe conversion where failure results in a thrown exception.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_no_wchar_v<NewT, OldT>, int> = 0>
-NewT safe_cast(const OldT var)
+_Out_range_(==, var) NewT safe_cast(const OldT var)
 {
     NewT newVar;
     THROW_IF_FAILED((details::intsafe_conversion<OldT, NewT>(var, &newVar)));
@@ -309,7 +309,7 @@ NewT safe_cast(const OldT var)
 
 // Unsafe conversion where failure results in a thrown exception.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_from_wchar_v<NewT, OldT>, int> = 0>
-NewT safe_cast(const OldT var)
+_Out_range_(==, var) NewT safe_cast(const OldT var)
 {
     NewT newVar;
     THROW_IF_FAILED((details::intsafe_conversion<unsigned short, NewT>(static_cast<unsigned short>(var), &newVar)));
@@ -318,7 +318,7 @@ NewT safe_cast(const OldT var)
 
 // Unsafe conversion where failure results in a thrown exception.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_to_wchar_v<NewT, OldT>, int> = 0>
-NewT safe_cast(const OldT var)
+_Out_range_(==, var) NewT safe_cast(const OldT var)
 {
     unsigned short newVar;
     THROW_IF_FAILED((details::intsafe_conversion<OldT, unsigned short>(var, &newVar)));
@@ -327,43 +327,43 @@ NewT safe_cast(const OldT var)
 
 // This conversion is always safe, therefore a static_cast is fine.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>
-NewT safe_cast(const OldT var)
+_Out_range_(==, var) NewT safe_cast(const OldT var)
 {
     return static_cast<NewT>(var);
 }
 #endif
 
 // This conversion is unsafe, therefore the two parameter version of safe_cast_nothrow must be used
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_v<NewT, OldT>, int> = 0>
-NewT safe_cast_nothrow(const OldT /*var*/)
+_Out_range_(==, _Param_(1)) NewT safe_cast_nothrow(const OldT /*var*/)
 {
     static_assert(!wistd::is_same_v<NewT, NewT>, "This cast has the potential to fail, use the two parameter safe_cast_nothrow instead");
 }
 
 // This conversion is always safe, therefore a static_cast is fine.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>
-NewT safe_cast_nothrow(const OldT var)
+_Out_range_(==, var) NewT safe_cast_nothrow(const OldT var)
 {
     return static_cast<NewT>(var);
 }
 
 // Unsafe conversion where an HRESULT is returned. It is up to the callee to check and handle the HRESULT
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_no_wchar_v<NewT, OldT>, int> = 0>
-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
+_At_(*newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
 {
     return details::intsafe_conversion<OldT, NewT>(var, newTResult);
 }
 
 // Unsafe conversion where an HRESULT is returned. It is up to the callee to check and handle the HRESULT
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_from_wchar_v<NewT, OldT>, int> = 0>
-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
+_At_(*newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
 {
     return details::intsafe_conversion<unsigned short, NewT>(static_cast<unsigned short>(var), newTResult);
 }
 
 // Unsafe conversion where an HRESULT is returned. It is up to the callee to check and handle the HRESULT
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_to_wchar_v<NewT, OldT>, int> = 0>
-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
+_At_(*newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
 {
     return details::intsafe_conversion<OldT, unsigned short>(var, reinterpret_cast<unsigned short*>(newTResult));
 }
@@ -372,7 +372,7 @@ HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
 // does not involve a variably sized type, then the compilation will fail and say the single parameter version
 // of safe_cast_nothrow should be used instead.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>
-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
+_At_(*newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
 {
     static_assert(
         details::is_potentially_variably_sized_cast_v<OldT, NewT>,
@@ -389,7 +389,7 @@ HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)
 //      wil::safe_zero_extending_cast<ULONG_PTR>(-1)
 // will return 0x00000000`FFFFFFFF on a 64-bit system.
 template <typename NewT, typename OldT, wistd::enable_if_t<details::is_sign_extending_cast_v<NewT, OldT>, int> = 0>
-NewT safe_zero_extending_cast(const OldT var)
+_Out_range_(==, var) NewT safe_zero_extending_cast(const OldT var)
 {
     // The first cast is to an unsigned type of the same size as the original.  The second cast is to the
     // larger type.  Being an unsigned cast, the upper bits are zeroed out.

Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ namespace details`
`265`	`265`
`266`	`266`	`// Unsafe conversion where failure results in fail fast.`
`267`	`267`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_no_wchar_v<NewT, OldT>, int> = 0>`
`268`		`-NewT safe_cast_failfast(const OldT var)`
	`268`	`+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)`
`269`	`269`	`{`
`270`	`270`	`NewT newVar;`
`271`	`271`	`FAIL_FAST_IF_FAILED((details::intsafe_conversion<OldT, NewT>(var, &newVar)));`
`@@ -274,7 +274,7 @@ NewT safe_cast_failfast(const OldT var)`
`274`	`274`
`275`	`275`	`// Unsafe conversion where failure results in fail fast.`
`276`	`276`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_from_wchar_v<NewT, OldT>, int> = 0>`
`277`		`-NewT safe_cast_failfast(const OldT var)`
	`277`	`+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)`
`278`	`278`	`{`
`279`	`279`	`NewT newVar;`
`280`	`280`	`FAIL_FAST_IF_FAILED((details::intsafe_conversion<unsigned short, NewT>(static_cast<unsigned short>(var), &newVar)));`
`@@ -283,7 +283,7 @@ NewT safe_cast_failfast(const OldT var)`
`283`	`283`
`284`	`284`	`// Unsafe conversion where failure results in fail fast.`
`285`	`285`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_to_wchar_v<NewT, OldT>, int> = 0>`
`286`		`-NewT safe_cast_failfast(const OldT var)`
	`286`	`+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)`
`287`	`287`	`{`
`288`	`288`	`unsigned short newVar;`
`289`	`289`	`FAIL_FAST_IF_FAILED((details::intsafe_conversion<OldT, unsigned short>(var, &newVar)));`
`@@ -292,15 +292,15 @@ NewT safe_cast_failfast(const OldT var)`
`292`	`292`
`293`	`293`	`// This conversion is always safe, therefore a static_cast is fine.`
`294`	`294`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>`
`295`		`-NewT safe_cast_failfast(const OldT var)`
	`295`	`+_Out_range_(==, var) NewT safe_cast_failfast(const OldT var)`
`296`	`296`	`{`
`297`	`297`	`return static_cast<NewT>(var);`
`298`	`298`	`}`
`299`	`299`
`300`	`300`	`#ifdef WIL_ENABLE_EXCEPTIONS`
`301`	`301`	`// Unsafe conversion where failure results in a thrown exception.`
`302`	`302`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_no_wchar_v<NewT, OldT>, int> = 0>`
`303`		`-NewT safe_cast(const OldT var)`
	`303`	`+_Out_range_(==, var) NewT safe_cast(const OldT var)`
`304`	`304`	`{`
`305`	`305`	`NewT newVar;`
`306`	`306`	`THROW_IF_FAILED((details::intsafe_conversion<OldT, NewT>(var, &newVar)));`
`@@ -309,7 +309,7 @@ NewT safe_cast(const OldT var)`
`309`	`309`
`310`	`310`	`// Unsafe conversion where failure results in a thrown exception.`
`311`	`311`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_from_wchar_v<NewT, OldT>, int> = 0>`
`312`		`-NewT safe_cast(const OldT var)`
	`312`	`+_Out_range_(==, var) NewT safe_cast(const OldT var)`
`313`	`313`	`{`
`314`	`314`	`NewT newVar;`
`315`	`315`	`THROW_IF_FAILED((details::intsafe_conversion<unsigned short, NewT>(static_cast<unsigned short>(var), &newVar)));`
`@@ -318,7 +318,7 @@ NewT safe_cast(const OldT var)`
`318`	`318`
`319`	`319`	`// Unsafe conversion where failure results in a thrown exception.`
`320`	`320`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_to_wchar_v<NewT, OldT>, int> = 0>`
`321`		`-NewT safe_cast(const OldT var)`
	`321`	`+_Out_range_(==, var) NewT safe_cast(const OldT var)`
`322`	`322`	`{`
`323`	`323`	`unsigned short newVar;`
`324`	`324`	`THROW_IF_FAILED((details::intsafe_conversion<OldT, unsigned short>(var, &newVar)));`
`@@ -327,43 +327,43 @@ NewT safe_cast(const OldT var)`
`327`	`327`
`328`	`328`	`// This conversion is always safe, therefore a static_cast is fine.`
`329`	`329`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>`
`330`		`-NewT safe_cast(const OldT var)`
	`330`	`+_Out_range_(==, var) NewT safe_cast(const OldT var)`
`331`	`331`	`{`
`332`	`332`	`return static_cast<NewT>(var);`
`333`	`333`	`}`
`334`	`334`	`#endif`
`335`	`335`
`336`	`336`	`// This conversion is unsafe, therefore the two parameter version of safe_cast_nothrow must be used`
`337`	`337`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_v<NewT, OldT>, int> = 0>`
`338`		`-NewT safe_cast_nothrow(const OldT /var/)`
	`338`	`+_Out_range_(==, _Param_(1)) NewT safe_cast_nothrow(const OldT /var/)`
`339`	`339`	`{`
`340`	`340`	`static_assert(!wistd::is_same_v<NewT, NewT>, "This cast has the potential to fail, use the two parameter safe_cast_nothrow instead");`
`341`	`341`	`}`
`342`	`342`
`343`	`343`	`// This conversion is always safe, therefore a static_cast is fine.`
`344`	`344`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>`
`345`		`-NewT safe_cast_nothrow(const OldT var)`
	`345`	`+_Out_range_(==, var) NewT safe_cast_nothrow(const OldT var)`
`346`	`346`	`{`
`347`	`347`	`return static_cast<NewT>(var);`
`348`	`348`	`}`
`349`	`349`
`350`	`350`	`// Unsafe conversion where an HRESULT is returned. It is up to the callee to check and handle the HRESULT`
`351`	`351`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_no_wchar_v<NewT, OldT>, int> = 0>`
`352`		`-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)`
	`352`	`+_At_(newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT newTResult)`
`353`	`353`	`{`
`354`	`354`	`return details::intsafe_conversion<OldT, NewT>(var, newTResult);`
`355`	`355`	`}`
`356`	`356`
`357`	`357`	`// Unsafe conversion where an HRESULT is returned. It is up to the callee to check and handle the HRESULT`
`358`	`358`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_from_wchar_v<NewT, OldT>, int> = 0>`
`359`		`-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)`
	`359`	`+_At_(newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT newTResult)`
`360`	`360`	`{`
`361`	`361`	`return details::intsafe_conversion<unsigned short, NewT>(static_cast<unsigned short>(var), newTResult);`
`362`	`362`	`}`
`363`	`363`
`364`	`364`	`// Unsafe conversion where an HRESULT is returned. It is up to the callee to check and handle the HRESULT`
`365`	`365`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_unsafe_cast_to_wchar_v<NewT, OldT>, int> = 0>`
`366`		`-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)`
	`366`	`+_At_(newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT newTResult)`
`367`	`367`	`{`
`368`	`368`	`return details::intsafe_conversion<OldT, unsigned short>(var, reinterpret_cast<unsigned short*>(newTResult));`
`369`	`369`	`}`
`@@ -372,7 +372,7 @@ HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)`
`372`	`372`	`// does not involve a variably sized type, then the compilation will fail and say the single parameter version`
`373`	`373`	`// of safe_cast_nothrow should be used instead.`
`374`	`374`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_supported_safe_static_cast_v<NewT, OldT>, int> = 0>`
`375`		`-HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)`
	`375`	`+_At_(newTResult, _Out_range_(==, var)) HRESULT safe_cast_nothrow(const OldT var, NewT newTResult)`
`376`	`376`	`{`
`377`	`377`	`static_assert(`
`378`	`378`	`details::is_potentially_variably_sized_cast_v<OldT, NewT>,`
`@@ -389,7 +389,7 @@ HRESULT safe_cast_nothrow(const OldT var, NewT* newTResult)`
`389`	`389`	`// wil::safe_zero_extending_cast<ULONG_PTR>(-1)`
`390`	`390`	// will return 0x00000000`FFFFFFFF on a 64-bit system.
`391`	`391`	`template <typename NewT, typename OldT, wistd::enable_if_t<details::is_sign_extending_cast_v<NewT, OldT>, int> = 0>`
`392`		`-NewT safe_zero_extending_cast(const OldT var)`
	`392`	`+_Out_range_(==, var) NewT safe_zero_extending_cast(const OldT var)`
`393`	`393`	`{`
`394`	`394`	`// The first cast is to an unsigned type of the same size as the original. The second cast is to the`
`395`	`395`	`// larger type. Being an unsigned cast, the upper bits are zeroed out.`