mfbt/Casting.h
author Petru Lingurar <petru.lingurar@softvision.ro>
Fri, 21 Dec 2018 08:56:47 +0000
changeset 501492 65621d0fe1262af0643cec37c23b2d9ec42588ad
parent 478640 9b5279a09e13b33f1e4e29e40e5aa968ef0f8fa6
child 508163 6f3709b3878117466168c40affa7bca0b60cf75b
permissions -rw-r--r--
Bug 1513938 - Enforce a Bundle size limit and drop `privateSession` if exceeds it. r=JanH, a=jcristau The `privateSession` key would normally allow persisting the Private Browsing session across OOMs in Activity's Bundle. We need to do that to avoid storing private, sensible data on disk like we do with the normal browsing session. In some cases `privateSession` would contain a lot of data which, along with other possible concurrent transactions could overflow Binder's buffer which has a limited fixed size, currently 1Mb. To avoid this, we will drop `privateSession` from the Bundle if the resulting size is greater than a _speculative_ size of 300KBs which would mean that in the case of an OOM all Private Browsing state would be lost. Bug 1515592 is filed to investigate for a better solution. Differential Revision: https://phabricator.services.mozilla.com/D15067

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/* Cast operations to supplement the built-in casting operations. */

#ifndef mozilla_Casting_h
#define mozilla_Casting_h

#include "mozilla/Assertions.h"
#include "mozilla/TypeTraits.h"

#include <cstring>
#include <limits.h>
#include <type_traits>

namespace mozilla {

/**
 * Sets the outparam value of type |To| with the same underlying bit pattern of
 * |aFrom|.
 *
 * |To| and |From| must be types of the same size; be careful of cross-platform
 * size differences, or this might fail to compile on some but not all
 * platforms.
 *
 * There is also a variant that returns the value directly.  In most cases, the
 * two variants should be identical.  However, in the specific case of x86
 * chips, the behavior differs: returning floating-point values directly is done
 * through the x87 stack, and x87 loads and stores turn signaling NaNs into
 * quiet NaNs... silently.  Returning floating-point values via outparam,
 * however, is done entirely within the SSE registers when SSE2 floating-point
 * is enabled in the compiler, which has semantics-preserving behavior you would
 * expect.
 *
 * If preserving the distinction between signaling NaNs and quiet NaNs is
 * important to you, you should use the outparam version.  In all other cases,
 * you should use the direct return version.
 */
template<typename To, typename From>
inline void
BitwiseCast(const From aFrom, To* aResult)
{
  static_assert(sizeof(From) == sizeof(To),
                "To and From must have the same size");

  // We could maybe downgrade these to std::is_trivially_copyable, but the
  // various STLs we use don't all provide it.
  static_assert(std::is_trivial<From>::value,
                "shouldn't bitwise-copy a type having non-trivial "
                "initialization");
  static_assert(std::is_trivial<To>::value,
                "shouldn't bitwise-copy a type having non-trivial "
                "initialization");

  std::memcpy(static_cast<void*>(aResult),
              static_cast<const void*>(&aFrom),
              sizeof(From));
}

template<typename To, typename From>
inline To
BitwiseCast(const From aFrom)
{
  To temp;
  BitwiseCast<To, From>(aFrom, &temp);
  return temp;
}

namespace detail {

enum ToSignedness { ToIsSigned, ToIsUnsigned };
enum FromSignedness { FromIsSigned, FromIsUnsigned };

template<typename From,
         typename To,
         FromSignedness = IsSigned<From>::value ? FromIsSigned : FromIsUnsigned,
         ToSignedness = IsSigned<To>::value ? ToIsSigned : ToIsUnsigned>
struct BoundsCheckImpl;

// Implicit conversions on operands to binary operations make this all a bit
// hard to verify.  Attempt to ease the pain below by *only* comparing values
// that are obviously the same type (and will undergo no further conversions),
// even when it's not strictly necessary, for explicitness.

enum UUComparison { FromIsBigger, FromIsNotBigger };

// Unsigned-to-unsigned range check

template<typename From, typename To,
         UUComparison = (sizeof(From) > sizeof(To))
                        ? FromIsBigger
                        : FromIsNotBigger>
struct UnsignedUnsignedCheck;

template<typename From, typename To>
struct UnsignedUnsignedCheck<From, To, FromIsBigger>
{
public:
  static bool checkBounds(const From aFrom)
  {
    return aFrom <= From(To(-1));
  }
};

template<typename From, typename To>
struct UnsignedUnsignedCheck<From, To, FromIsNotBigger>
{
public:
  static bool checkBounds(const From aFrom)
  {
    return true;
  }
};

template<typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsUnsigned, ToIsUnsigned>
{
public:
  static bool checkBounds(const From aFrom)
  {
    return UnsignedUnsignedCheck<From, To>::checkBounds(aFrom);
  }
};

// Signed-to-unsigned range check

template<typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsSigned, ToIsUnsigned>
{
public:
  static bool checkBounds(const From aFrom)
  {
    if (aFrom < 0) {
      return false;
    }
    if (sizeof(To) >= sizeof(From)) {
      return true;
    }
    return aFrom <= From(To(-1));
  }
};

// Unsigned-to-signed range check

enum USComparison { FromIsSmaller, FromIsNotSmaller };

template<typename From, typename To,
         USComparison = (sizeof(From) < sizeof(To))
                        ? FromIsSmaller
                        : FromIsNotSmaller>
struct UnsignedSignedCheck;

template<typename From, typename To>
struct UnsignedSignedCheck<From, To, FromIsSmaller>
{
public:
  static bool checkBounds(const From aFrom)
  {
    return true;
  }
};

template<typename From, typename To>
struct UnsignedSignedCheck<From, To, FromIsNotSmaller>
{
public:
  static bool checkBounds(const From aFrom)
  {
    const To MaxValue = To((1ULL << (CHAR_BIT * sizeof(To) - 1)) - 1);
    return aFrom <= From(MaxValue);
  }
};

template<typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsUnsigned, ToIsSigned>
{
public:
  static bool checkBounds(const From aFrom)
  {
    return UnsignedSignedCheck<From, To>::checkBounds(aFrom);
  }
};

// Signed-to-signed range check

template<typename From, typename To>
struct BoundsCheckImpl<From, To, FromIsSigned, ToIsSigned>
{
public:
  static bool checkBounds(const From aFrom)
  {
    if (sizeof(From) <= sizeof(To)) {
      return true;
    }
    const To MaxValue = To((1ULL << (CHAR_BIT * sizeof(To) - 1)) - 1);
    const To MinValue = -MaxValue - To(1);
    return From(MinValue) <= aFrom &&
           From(aFrom) <= From(MaxValue);
  }
};

template<typename From, typename To,
         bool TypesAreIntegral = IsIntegral<From>::value &&
                                 IsIntegral<To>::value>
class BoundsChecker;

template<typename From>
class BoundsChecker<From, From, true>
{
public:
  static bool checkBounds(const From aFrom) { return true; }
};

template<typename From, typename To>
class BoundsChecker<From, To, true>
{
public:
  static bool checkBounds(const From aFrom)
  {
    return BoundsCheckImpl<From, To>::checkBounds(aFrom);
  }
};

template<typename From, typename To>
inline bool
IsInBounds(const From aFrom)
{
  return BoundsChecker<From, To>::checkBounds(aFrom);
}

} // namespace detail

/**
 * Cast a value of integral type |From| to a value of integral type |To|,
 * asserting that the cast will be a safe cast per C++ (that is, that |to| is in
 * the range of values permitted for the type |From|).
 */
template<typename To, typename From>
inline To
AssertedCast(const From aFrom)
{
  MOZ_ASSERT((detail::IsInBounds<From, To>(aFrom)));
  return static_cast<To>(aFrom);
}

/**
 * Cast a value of integral type |From| to a value of integral type |To|,
 * release asserting that the cast will be a safe cast per C++ (that is, that
 * |to| is in the range of values permitted for the type |From|).
 */
template<typename To, typename From>
inline To
ReleaseAssertedCast(const From aFrom)
{
  MOZ_RELEASE_ASSERT((detail::IsInBounds<From, To>(aFrom)));
  return static_cast<To>(aFrom);
}

} // namespace mozilla

#endif /* mozilla_Casting_h */