[thirdparty/systemd.git] / src / basic / macro.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <assert.h>
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <sys/param.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

#include "constants.h"
#include "macro-fundamental.h"

/* Note: on GCC "no_sanitize_address" is a function attribute only, on llvm it may also be applied to global
 * variables. We define a specific macro which knows this. Note that on GCC we don't need this decorator so much, since
 * our primary use case for this attribute is registration structures placed in named ELF sections which shall not be
 * padded, but GCC doesn't pad those anyway if AddressSanitizer is enabled. */
#if HAS_FEATURE_ADDRESS_SANITIZER && defined(__clang__)
#define _variable_no_sanitize_address_ __attribute__((__no_sanitize_address__))
#else
#define _variable_no_sanitize_address_
#endif

/* Apparently there's no has_feature() call defined to check for ubsan, hence let's define this
 * unconditionally on llvm */
#if defined(__clang__)
#define _function_no_sanitize_float_cast_overflow_ __attribute__((no_sanitize("float-cast-overflow")))
#else
#define _function_no_sanitize_float_cast_overflow_
#endif

#if HAVE_WSTRINGOP_TRUNCATION
#  define DISABLE_WARNING_STRINGOP_TRUNCATION                           \
        _Pragma("GCC diagnostic push");                                 \
        _Pragma("GCC diagnostic ignored \"-Wstringop-truncation\"")
#else
#  define DISABLE_WARNING_STRINGOP_TRUNCATION                           \
        _Pragma("GCC diagnostic push")
#endif

/* test harness */
#define EXIT_TEST_SKIP 77

/* builtins */
#if __SIZEOF_INT__ == 4
#define BUILTIN_FFS_U32(x) __builtin_ffs(x);
#elif __SIZEOF_LONG__ == 4
#define BUILTIN_FFS_U32(x) __builtin_ffsl(x);
#else
#error "neither int nor long are four bytes long?!?"
#endif

static inline uint64_t u64_multiply_safe(uint64_t a, uint64_t b) {
        if (_unlikely_(a != 0 && b > (UINT64_MAX / a)))
                return 0; /* overflow */

        return a * b;
}

/* align to next higher power-of-2 (except for: 0 => 0, overflow => 0) */
static inline unsigned long ALIGN_POWER2(unsigned long u) {

        /* Avoid subtraction overflow */
        if (u == 0)
                return 0;

        /* clz(0) is undefined */
        if (u == 1)
                return 1;

        /* left-shift overflow is undefined */
        if (__builtin_clzl(u - 1UL) < 1)
                return 0;

        return 1UL << (sizeof(u) * 8 - __builtin_clzl(u - 1UL));
}

static inline size_t GREEDY_ALLOC_ROUND_UP(size_t l) {
        size_t m;

        /* Round up allocation sizes a bit to some reasonable, likely larger value. This is supposed to be
         * used for cases which are likely called in an allocation loop of some form, i.e. that repetitively
         * grow stuff, for example strv_extend() and suchlike.
         *
         * Note the difference to GREEDY_REALLOC() here, as this helper operates on a single size value only,
         * and rounds up to next multiple of 2, needing no further counter.
         *
         * Note the benefits of direct ALIGN_POWER2() usage: type-safety for size_t, sane handling for very
         * small (i.e. <= 2) and safe handling for very large (i.e. > SSIZE_MAX) values. */

        if (l <= 2)
                return 2; /* Never allocate less than 2 of something.  */

        m = ALIGN_POWER2(l);
        if (m == 0) /* overflow? */
                return l;

        return m;
}

/*
 * container_of - cast a member of a structure out to the containing structure
 * @ptr: the pointer to the member.
 * @type: the type of the container struct this is embedded in.
 * @member: the name of the member within the struct.
 */
#define container_of(ptr, type, member) __container_of(UNIQ, (ptr), type, member)
#define __container_of(uniq, ptr, type, member)                         \
        ({                                                              \
                const typeof( ((type*)0)->member ) *UNIQ_T(A, uniq) = (ptr); \
                (type*)( (char *)UNIQ_T(A, uniq) - offsetof(type, member) ); \
        })

#ifdef __COVERITY__

/* Use special definitions of assertion macros in order to prevent
 * false positives of ASSERT_SIDE_EFFECT on Coverity static analyzer
 * for uses of assert_se() and assert_return().
 *
 * These definitions make expression go through a (trivial) function
 * call to ensure they are not discarded. Also use ! or !! to ensure
 * the boolean expressions are seen as such.
 *
 * This technique has been described and recommended in:
 * https://community.synopsys.com/s/question/0D534000046Yuzb/suppressing-assertsideeffect-for-functions-that-allow-for-sideeffects
 */

extern void __coverity_panic__(void);

static inline void __coverity_check__(int condition) {
        if (!condition)
                __coverity_panic__();
}

static inline int __coverity_check_and_return__(int condition) {
        return condition;
}

#define assert_message_se(expr, message) __coverity_check__(!!(expr))

#define assert_log(expr, message) __coverity_check_and_return__(!!(expr))

#else  /* ! __COVERITY__ */

#define assert_message_se(expr, message)                                \
        do {                                                            \
                if (_unlikely_(!(expr)))                                \
                        log_assert_failed(message, PROJECT_FILE, __LINE__, __func__); \
        } while (false)

#define assert_log(expr, message) ((_likely_(expr))                     \
        ? (true)                                                        \
        : (log_assert_failed_return(message, PROJECT_FILE, __LINE__, __func__), false))

#endif  /* __COVERITY__ */

#define assert_se(expr) assert_message_se(expr, #expr)

/* We override the glibc assert() here. */
#undef assert
#ifdef NDEBUG
#define assert(expr) ({ if (!(expr)) __builtin_unreachable(); })
#else
#define assert(expr) assert_message_se(expr, #expr)
#endif

#define assert_not_reached()                                            \
        log_assert_failed_unreachable(PROJECT_FILE, __LINE__, __func__)

#define assert_return(expr, r)                                          \
        do {                                                            \
                if (!assert_log(expr, #expr))                           \
                        return (r);                                     \
        } while (false)

#define assert_return_errno(expr, r, err)                               \
        do {                                                            \
                if (!assert_log(expr, #expr)) {                         \
                        errno = err;                                    \
                        return (r);                                     \
                }                                                       \
        } while (false)

#define return_with_errno(r, err)                     \
        do {                                          \
                errno = abs(err);                     \
                return r;                             \
        } while (false)

#define PTR_TO_INT(p) ((int) ((intptr_t) (p)))
#define INT_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_UINT(p) ((unsigned) ((uintptr_t) (p)))
#define UINT_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_LONG(p) ((long) ((intptr_t) (p)))
#define LONG_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_ULONG(p) ((unsigned long) ((uintptr_t) (p)))
#define ULONG_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_UINT8(p) ((uint8_t) ((uintptr_t) (p)))
#define UINT8_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_INT32(p) ((int32_t) ((intptr_t) (p)))
#define INT32_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_UINT32(p) ((uint32_t) ((uintptr_t) (p)))
#define UINT32_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_INT64(p) ((int64_t) ((intptr_t) (p)))
#define INT64_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_UINT64(p) ((uint64_t) ((uintptr_t) (p)))
#define UINT64_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_SIZE(p) ((size_t) ((uintptr_t) (p)))
#define SIZE_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define CHAR_TO_STR(x) ((char[2]) { x, 0 })

#define char_array_0(x) x[sizeof(x)-1] = 0;

#define sizeof_field(struct_type, member) sizeof(((struct_type *) 0)->member)
#define endoffsetof_field(struct_type, member) (offsetof(struct_type, member) + sizeof_field(struct_type, member))

/* Maximum buffer size needed for formatting an unsigned integer type as hex, including space for '0x'
 * prefix and trailing NUL suffix. */
#define HEXADECIMAL_STR_MAX(type) (2 + sizeof(type) * 2 + 1)

/* Returns the number of chars needed to format variables of the specified type as a decimal string. Adds in
 * extra space for a negative '-' prefix for signed types. Includes space for the trailing NUL. */
#define DECIMAL_STR_MAX(type)                                           \
        ((size_t) IS_SIGNED_INTEGER_TYPE(type) + 1U +                   \
            (sizeof(type) <= 1 ? 3U :                                   \
             sizeof(type) <= 2 ? 5U :                                   \
             sizeof(type) <= 4 ? 10U :                                  \
             sizeof(type) <= 8 ? (IS_SIGNED_INTEGER_TYPE(type) ? 19U : 20U) : sizeof(int[-2*(sizeof(type) > 8)])))

/* Returns the number of chars needed to format the specified integer value. It's hence more specific than
 * DECIMAL_STR_MAX() which answers the same question for all possible values of the specified type. Does
 * *not* include space for a trailing NUL. (If you wonder why we special case _x_ == 0 here: it's to trick
 * out gcc's -Wtype-limits, which would complain on comparing an unsigned type with < 0, otherwise. By
 * special-casing == 0 here first, we can use <= 0 instead of < 0 to trick out gcc.) */
#define DECIMAL_STR_WIDTH(x)                                      \
        ({                                                        \
                typeof(x) _x_ = (x);                              \
                size_t ans;                                       \
                if (_x_ == 0)                                     \
                        ans = 1;                                  \
                else {                                            \
                        ans = _x_ <= 0 ? 2 : 1;                   \
                        while ((_x_ /= 10) != 0)                  \
                                ans++;                            \
                }                                                 \
                ans;                                              \
        })

#define SWAP_TWO(x, y) do {                        \
                typeof(x) _t = (x);                \
                (x) = (y);                         \
                (y) = (_t);                        \
        } while (false)

#define STRV_MAKE(...) ((char**) ((const char*[]) { __VA_ARGS__, NULL }))
#define STRV_MAKE_EMPTY ((char*[1]) { NULL })
#define STRV_MAKE_CONST(...) ((const char* const*) ((const char*[]) { __VA_ARGS__, NULL }))

/* Pointers range from NULL to POINTER_MAX */
#define POINTER_MAX ((void*) UINTPTR_MAX)

#define _FOREACH_ARRAY(i, array, num, m, end)                           \
        for (typeof(array[0]) *i = (array), *end = ({                   \
                                typeof(num) m = (num);                  \
                                (i && m > 0) ? i + m : NULL;            \
                        }); end && i < end; i++)

#define FOREACH_ARRAY(i, array, num)                                    \
        _FOREACH_ARRAY(i, array, num, UNIQ_T(m, UNIQ), UNIQ_T(end, UNIQ))

#define FOREACH_ELEMENT(i, array)                                 \
        FOREACH_ARRAY(i, array, ELEMENTSOF(array))

#define _DEFINE_TRIVIAL_REF_FUNC(type, name, scope)             \
        scope type *name##_ref(type *p) {                       \
                if (!p)                                         \
                        return NULL;                            \
                                                                \
                /* For type check. */                           \
                unsigned *q = &p->n_ref;                        \
                assert(*q > 0);                                 \
                assert_se(*q < UINT_MAX);                       \
                                                                \
                (*q)++;                                         \
                return p;                                       \
        }

#define _DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func, scope) \
        scope type *name##_unref(type *p) {                      \
                if (!p)                                          \
                        return NULL;                             \
                                                                 \
                assert(p->n_ref > 0);                            \
                p->n_ref--;                                      \
                if (p->n_ref > 0)                                \
                        return NULL;                             \
                                                                 \
                return free_func(p);                             \
        }

#define DEFINE_TRIVIAL_REF_FUNC(type, name)     \
        _DEFINE_TRIVIAL_REF_FUNC(type, name,)
#define DEFINE_PRIVATE_TRIVIAL_REF_FUNC(type, name)     \
        _DEFINE_TRIVIAL_REF_FUNC(type, name, static)
#define DEFINE_PUBLIC_TRIVIAL_REF_FUNC(type, name)      \
        _DEFINE_TRIVIAL_REF_FUNC(type, name, _public_)

#define DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func)        \
        _DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func,)
#define DEFINE_PRIVATE_TRIVIAL_UNREF_FUNC(type, name, free_func)        \
        _DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func, static)
#define DEFINE_PUBLIC_TRIVIAL_UNREF_FUNC(type, name, free_func)         \
        _DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func, _public_)

#define DEFINE_TRIVIAL_REF_UNREF_FUNC(type, name, free_func)    \
        DEFINE_TRIVIAL_REF_FUNC(type, name);                    \
        DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func);

#define DEFINE_PRIVATE_TRIVIAL_REF_UNREF_FUNC(type, name, free_func)    \
        DEFINE_PRIVATE_TRIVIAL_REF_FUNC(type, name);                    \
        DEFINE_PRIVATE_TRIVIAL_UNREF_FUNC(type, name, free_func);

#define DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(type, name, free_func)    \
        DEFINE_PUBLIC_TRIVIAL_REF_FUNC(type, name);                    \
        DEFINE_PUBLIC_TRIVIAL_UNREF_FUNC(type, name, free_func);

/* A macro to force copying of a variable from memory. This is useful whenever we want to read something from
 * memory and want to make sure the compiler won't optimize away the destination variable for us. It's not
 * supposed to be a full CPU memory barrier, i.e. CPU is still allowed to reorder the reads, but it is not
 * allowed to remove our local copies of the variables. We want this to work for unaligned memory, hence
 * memcpy() is great for our purposes. */
#define READ_NOW(x)                                                     \
        ({                                                              \
                typeof(x) _copy;                                        \
                memcpy(&_copy, &(x), sizeof(_copy));                    \
                asm volatile ("" : : : "memory");                       \
                _copy;                                                  \
        })

#define saturate_add(x, y, limit)                                       \
        ({                                                              \
                typeof(limit) _x = (x);                                 \
                typeof(limit) _y = (y);                                 \
                _x > (limit) || _y >= (limit) - _x ? (limit) : _x + _y; \
        })

static inline size_t size_add(size_t x, size_t y) {
        return saturate_add(x, y, SIZE_MAX);
}

typedef struct {
        int _empty[0];
} dummy_t;

assert_cc(sizeof(dummy_t) == 0);

/* A little helper for subtracting 1 off a pointer in a safe UB-free way. This is intended to be used for
 * loops that count down from a high pointer until some base. A naive loop would implement this like this:
 *
 * for (p = end-1; p >= base; p--) …
 *
 * But this is not safe because p before the base is UB in C. With this macro the loop becomes this instead:
 *
 * for (p = PTR_SUB1(end, base); p; p = PTR_SUB1(p, base)) …
 *
 * And is free from UB! */
#define PTR_SUB1(p, base)                                \
        ({                                               \
                typeof(p) _q = (p);                      \
                _q && _q > (base) ? &_q[-1] : NULL;      \
        })

/* Iterate through each argument passed. All must be the same type as 'entry' or must be implicitly
 * convertible. The iteration variable 'entry' must already be defined. */
#define FOREACH_ARGUMENT(entry, ...)                                     \
        _FOREACH_ARGUMENT(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), UNIQ_T(_va_sentinel_, UNIQ), ##__VA_ARGS__)
#define _FOREACH_ARGUMENT(entry, _entries_, _current_, _va_sentinel_, ...)      \
        for (typeof(entry) _va_sentinel_[1] = {}, _entries_[] = { __VA_ARGS__ __VA_OPT__(,) _va_sentinel_[0] }, *_current_ = _entries_; \
             ((long)(_current_ - _entries_) < (long)(ELEMENTSOF(_entries_) - 1)) && ({ entry = *_current_; true; }); \
             _current_++)

#define DECIMAL_STR_FMT(x) _Generic((x),        \
        char: "%c",                             \
        bool: "%d",                             \
        unsigned char: "%d",                    \
        short: "%hd",                           \
        unsigned short: "%hu",                  \
        int: "%d",                              \
        unsigned: "%u",                         \
        long: "%ld",                            \
        unsigned long: "%lu",                   \
        long long: "%lld",                      \
        unsigned long long: "%llu")

#include "log.h"
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
c2f1db8f	2	#pragma once
60918275	3
7e61bd0f	4	#include <assert.h>
666a84ea	5	#include <errno.h>
c31e1495	6	#include <inttypes.h>
c01ff965	7	#include <stdbool.h>
afc5dbf3	8	#include <sys/param.h>
27d13af7	9	#include <sys/sysmacros.h>
afc5dbf3	10	#include <sys/types.h>
60918275	11
28db6fbf	12	#include "constants.h"
e5bc5f1f YW	13	#include "macro-fundamental.h"
e5bc5f1f YW	14
026c2677 LP	15	/* Note: on GCC "no_sanitize_address" is a function attribute only, on llvm it may also be applied to global
026c2677 LP	16	* variables. We define a specific macro which knows this. Note that on GCC we don't need this decorator so much, since
7227dd81	17	* our primary use case for this attribute is registration structures placed in named ELF sections which shall not be
026c2677 LP	18	* padded, but GCC doesn't pad those anyway if AddressSanitizer is enabled. */
	19	#if HAS_FEATURE_ADDRESS_SANITIZER && defined(__clang__)
	20	#define _variable_no_sanitize_address_ __attribute__((__no_sanitize_address__))
	21	#else
	22	#define _variable_no_sanitize_address_
	23	#endif
	24
8e2fa6e2 LP	25	/* Apparently there's no has_feature() call defined to check for ubsan, hence let's define this
	26	* unconditionally on llvm */
	27	#if defined(__clang__)
	28	#define _function_no_sanitize_float_cast_overflow_ __attribute__((no_sanitize("float-cast-overflow")))
	29	#else
	30	#define _function_no_sanitize_float_cast_overflow_
	31	#endif
	32
6695c200 ZJS	33	#if HAVE_WSTRINGOP_TRUNCATION
	34	# define DISABLE_WARNING_STRINGOP_TRUNCATION \
	35	_Pragma("GCC diagnostic push"); \
	36	_Pragma("GCC diagnostic ignored \"-Wstringop-truncation\"")
	37	#else
	38	# define DISABLE_WARNING_STRINGOP_TRUNCATION \
	39	_Pragma("GCC diagnostic push")
	40	#endif
	41
3be6ab5c	42	/* test harness */
49e5de64 ZJS	43	#define EXIT_TEST_SKIP 77
49e5de64 ZJS	44
13b498f9 TJ	45	/* builtins */
	46	#if __SIZEOF_INT__ == 4
	47	#define BUILTIN_FFS_U32(x) __builtin_ffs(x);
	48	#elif __SIZEOF_LONG__ == 4
	49	#define BUILTIN_FFS_U32(x) __builtin_ffsl(x);
	50	#else
	51	#error "neither int nor long are four bytes long?!?"
	52	#endif
	53
ffee7b97 YW	54	static inline uint64_t u64_multiply_safe(uint64_t a, uint64_t b) {
	55	if (_unlikely_(a != 0 && b > (UINT64_MAX / a)))
	56	return 0; /* overflow */
	57
	58	return a * b;
	59	}
	60
625e870b DH	61	/* align to next higher power-of-2 (except for: 0 => 0, overflow => 0) */
625e870b DH	62	static inline unsigned long ALIGN_POWER2(unsigned long u) {
85c267af LP	63
	64	/* Avoid subtraction overflow */
	65	if (u == 0)
	66	return 0;
	67
625e870b DH	68	/* clz(0) is undefined */
	69	if (u == 1)
	70	return 1;
	71
	72	/* left-shift overflow is undefined */
	73	if (__builtin_clzl(u - 1UL) < 1)
	74	return 0;
	75
	76	return 1UL << (sizeof(u) * 8 - __builtin_clzl(u - 1UL));
	77	}
	78
e49e4c33 LP	79	static inline size_t GREEDY_ALLOC_ROUND_UP(size_t l) {
	80	size_t m;
	81
	82	/* Round up allocation sizes a bit to some reasonable, likely larger value. This is supposed to be
	83	* used for cases which are likely called in an allocation loop of some form, i.e. that repetitively
	84	* grow stuff, for example strv_extend() and suchlike.
	85	*
	86	* Note the difference to GREEDY_REALLOC() here, as this helper operates on a single size value only,
	87	* and rounds up to next multiple of 2, needing no further counter.
	88	*
	89	* Note the benefits of direct ALIGN_POWER2() usage: type-safety for size_t, sane handling for very
	90	* small (i.e. <= 2) and safe handling for very large (i.e. > SSIZE_MAX) values. */
	91
	92	if (l <= 2)
	93	return 2; /* Never allocate less than 2 of something. */
	94
	95	m = ALIGN_POWER2(l);
	96	if (m == 0) /* overflow? */
	97	return l;
	98
	99	return m;
	100	}
	101
bbc98d32 KS	102	/*
	103	* container_of - cast a member of a structure out to the containing structure
	104	* @ptr: the pointer to the member.
	105	* @type: the type of the container struct this is embedded in.
	106	* @member: the name of the member within the struct.
bbc98d32	107	*/
fb835651 DH	108	#define container_of(ptr, type, member) __container_of(UNIQ, (ptr), type, member)
fb835651 DH	109	#define __container_of(uniq, ptr, type, member) \
117efe06	110	({ \
fb835651	111	const typeof( ((type)0)->member ) UNIQ_T(A, uniq) = (ptr); \
117efe06	112	(type)( (char )UNIQ_T(A, uniq) - offsetof(type, member) ); \
fb835651	113	})
bbc98d32	114
d9fb7afb FB	115	#ifdef __COVERITY__
	116
	117	/* Use special definitions of assertion macros in order to prevent
	118	* false positives of ASSERT_SIDE_EFFECT on Coverity static analyzer
	119	* for uses of assert_se() and assert_return().
	120	*
	121	* These definitions make expression go through a (trivial) function
	122	* call to ensure they are not discarded. Also use ! or !! to ensure
	123	* the boolean expressions are seen as such.
	124	*
	125	* This technique has been described and recommended in:
	126	* https://community.synopsys.com/s/question/0D534000046Yuzb/suppressing-assertsideeffect-for-functions-that-allow-for-sideeffects
	127	*/
	128
	129	extern void __coverity_panic__(void);
	130
065a74a7 FS	131	static inline void __coverity_check__(int condition) {
	132	if (!condition)
	133	__coverity_panic__();
	134	}
	135
	136	static inline int __coverity_check_and_return__(int condition) {
d9fb7afb FB	137	return condition;
	138	}
	139
065a74a7	140	#define assert_message_se(expr, message) __coverity_check__(!!(expr))
d9fb7afb	141
065a74a7	142	#define assert_log(expr, message) __coverity_check_and_return__(!!(expr))
d9fb7afb FB	143
	144	#else /* ! __COVERITY__ */
	145
34c38d2a	146	#define assert_message_se(expr, message) \
dd8f71ee	147	do { \
93a46b0b	148	if (_unlikely_(!(expr))) \
5a9b9157	149	log_assert_failed(message, PROJECT_FILE, __LINE__, __func__); \
34c38d2a MS	150	} while (false)
34c38d2a MS	151
d9fb7afb FB	152	#define assert_log(expr, message) ((_likely_(expr)) \
d9fb7afb FB	153	? (true) \
5a9b9157	154	: (log_assert_failed_return(message, PROJECT_FILE, __LINE__, __func__), false))
d9fb7afb FB	155
	156	#endif /* __COVERITY__ */
	157
34c38d2a	158	#define assert_se(expr) assert_message_se(expr, #expr)
dd8f71ee LP	159
	160	/* We override the glibc assert() here. */
	161	#undef assert
	162	#ifdef NDEBUG
be166688	163	#define assert(expr) ({ if (!(expr)) __builtin_unreachable(); })
dd8f71ee	164	#else
34c38d2a	165	#define assert(expr) assert_message_se(expr, #expr)
dd8f71ee	166	#endif
60918275	167
04499a70	168	#define assert_not_reached() \
5a9b9157	169	log_assert_failed_unreachable(PROJECT_FILE, __LINE__, __func__)
60918275	170
80514f9c LP	171	#define assert_return(expr, r) \
80514f9c LP	172	do { \
34c38d2a	173	if (!assert_log(expr, #expr)) \
80514f9c	174	return (r); \
18387b59 LP	175	} while (false)
18387b59 LP	176
aa029628 TG	177	#define assert_return_errno(expr, r, err) \
aa029628 TG	178	do { \
34c38d2a	179	if (!assert_log(expr, #expr)) { \
aa029628 TG	180	errno = err; \
	181	return (r); \
	182	} \
	183	} while (false)
	184
fd05c424 YW	185	#define return_with_errno(r, err) \
	186	do { \
	187	errno = abs(err); \
	188	return r; \
	189	} while (false)
	190
a3dc3547 KS	191	#define PTR_TO_INT(p) ((int) ((intptr_t) (p)))
a3dc3547 KS	192	#define INT_TO_PTR(u) ((void *) ((intptr_t) (u)))
14cb109d	193	#define PTR_TO_UINT(p) ((unsigned) ((uintptr_t) (p)))
a3dc3547	194	#define UINT_TO_PTR(u) ((void *) ((uintptr_t) (u)))
60918275	195
a3dc3547 KS	196	#define PTR_TO_LONG(p) ((long) ((intptr_t) (p)))
a3dc3547 KS	197	#define LONG_TO_PTR(u) ((void *) ((intptr_t) (u)))
c6c18be3	198	#define PTR_TO_ULONG(p) ((unsigned long) ((uintptr_t) (p)))
a3dc3547	199	#define ULONG_TO_PTR(u) ((void *) ((uintptr_t) (u)))
c6c18be3	200
4081756a YW	201	#define PTR_TO_UINT8(p) ((uint8_t) ((uintptr_t) (p)))
	202	#define UINT8_TO_PTR(u) ((void *) ((uintptr_t) (u)))
	203
a3dc3547 KS	204	#define PTR_TO_INT32(p) ((int32_t) ((intptr_t) (p)))
	205	#define INT32_TO_PTR(u) ((void *) ((intptr_t) (u)))
	206	#define PTR_TO_UINT32(p) ((uint32_t) ((uintptr_t) (p)))
	207	#define UINT32_TO_PTR(u) ((void *) ((uintptr_t) (u)))
60918275	208
a3dc3547 KS	209	#define PTR_TO_INT64(p) ((int64_t) ((intptr_t) (p)))
	210	#define INT64_TO_PTR(u) ((void *) ((intptr_t) (u)))
	211	#define PTR_TO_UINT64(p) ((uint64_t) ((uintptr_t) (p)))
	212	#define UINT64_TO_PTR(u) ((void *) ((uintptr_t) (u)))
c6c18be3	213
74b2466e LP	214	#define PTR_TO_SIZE(p) ((size_t) ((uintptr_t) (p)))
	215	#define SIZE_TO_PTR(u) ((void *) ((uintptr_t) (u)))
	216
a9c55a88 LP	217	#define CHAR_TO_STR(x) ((char[2]) { x, 0 })
a9c55a88 LP	218
034c6ed7 LP	219	#define char_array_0(x) x[sizeof(x)-1] = 0;
034c6ed7 LP	220
aaec2d7b	221	#define sizeof_field(struct_type, member) sizeof(((struct_type *) 0)->member)
d6e9e8c7	222	#define endoffsetof_field(struct_type, member) (offsetof(struct_type, member) + sizeof_field(struct_type, member))
aaec2d7b	223
37232d55 LB	224	/* Maximum buffer size needed for formatting an unsigned integer type as hex, including space for '0x'
	225	* prefix and trailing NUL suffix. */
	226	#define HEXADECIMAL_STR_MAX(type) (2 + sizeof(type) * 2 + 1)
	227
56da8d5a LP	228	/* Returns the number of chars needed to format variables of the specified type as a decimal string. Adds in
56da8d5a LP	229	* extra space for a negative '-' prefix for signed types. Includes space for the trailing NUL. */
fa70beaa	230	#define DECIMAL_STR_MAX(type) \
56da8d5a LP	231	((size_t) IS_SIGNED_INTEGER_TYPE(type) + 1U + \
56da8d5a LP	232	(sizeof(type) <= 1 ? 3U : \
d3e40294 ZJS	233	sizeof(type) <= 2 ? 5U : \
d3e40294 ZJS	234	sizeof(type) <= 4 ? 10U : \
56da8d5a	235	sizeof(type) <= 8 ? (IS_SIGNED_INTEGER_TYPE(type) ? 19U : 20U) : sizeof(int[-2*(sizeof(type) > 8)])))
fa70beaa	236
92463840 LP	237	/* Returns the number of chars needed to format the specified integer value. It's hence more specific than
	238	* DECIMAL_STR_MAX() which answers the same question for all possible values of the specified type. Does
	239	* not include space for a trailing NUL. (If you wonder why we special case _x_ == 0 here: it's to trick
	240	* out gcc's -Wtype-limits, which would complain on comparing an unsigned type with < 0, otherwise. By
	241	* special-casing == 0 here first, we can use <= 0 instead of < 0 to trick out gcc.) */
e3dd9ea8 FS	242	#define DECIMAL_STR_WIDTH(x) \
	243	({ \
	244	typeof(x) _x_ = (x); \
92463840 LP	245	size_t ans; \
	246	if (_x_ == 0) \
	247	ans = 1; \
	248	else { \
	249	ans = _x_ <= 0 ? 2 : 1; \
	250	while ((_x_ /= 10) != 0) \
	251	ans++; \
	252	} \
e3dd9ea8	253	ans; \
0d1dbeb3 LP	254	})
0d1dbeb3 LP	255
35aa04e9 LP	256	#define SWAP_TWO(x, y) do { \
	257	typeof(x) _t = (x); \
	258	(x) = (y); \
	259	(y) = (_t); \
	260	} while (false)
	261
46bf625a ZJS	262	#define STRV_MAKE(...) ((char*) ((const char[]) { __VA_ARGS__, NULL }))
46bf625a ZJS	263	#define STRV_MAKE_EMPTY ((char*[1]) { NULL })
8b8024f1	264	#define STRV_MAKE_CONST(...) ((const char* const) ((const char[]) { __VA_ARGS__, NULL }))
46bf625a	265
66032ef4 LP	266	/* Pointers range from NULL to POINTER_MAX */
	267	#define POINTER_MAX ((void*) UINTPTR_MAX)
	268
b9872fe1 YW	269	#define _FOREACH_ARRAY(i, array, num, m, end) \
	270	for (typeof(array[0]) i = (array), end = ({ \
	271	typeof(num) m = (num); \
	272	(i && m > 0) ? i + m : NULL; \
	273	}); end && i < end; i++)
5716c27e YW	274
5716c27e YW	275	#define FOREACH_ARRAY(i, array, num) \
b9872fe1	276	_FOREACH_ARRAY(i, array, num, UNIQ_T(m, UNIQ), UNIQ_T(end, UNIQ))
5716c27e	277
64f7b296 MC	278	#define FOREACH_ELEMENT(i, array) \
	279	FOREACH_ARRAY(i, array, ELEMENTSOF(array))
	280
a6a08596 YW	281	#define _DEFINE_TRIVIAL_REF_FUNC(type, name, scope) \
	282	scope type name##_ref(type p) { \
	283	if (!p) \
	284	return NULL; \
	285	\
c8431e9e YW	286	/* For type check. */ \
	287	unsigned *q = &p->n_ref; \
	288	assert(*q > 0); \
7d3e856e	289	assert_se(*q < UINT_MAX); \
c8431e9e YW	290	\
c8431e9e YW	291	(*q)++; \
a6a08596 YW	292	return p; \
	293	}
	294
	295	#define _DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func, scope) \
	296	scope type name##_unref(type p) { \
	297	if (!p) \
	298	return NULL; \
	299	\
	300	assert(p->n_ref > 0); \
	301	p->n_ref--; \
	302	if (p->n_ref > 0) \
	303	return NULL; \
	304	\
	305	return free_func(p); \
	306	}
	307
	308	#define DEFINE_TRIVIAL_REF_FUNC(type, name) \
	309	_DEFINE_TRIVIAL_REF_FUNC(type, name,)
	310	#define DEFINE_PRIVATE_TRIVIAL_REF_FUNC(type, name) \
	311	_DEFINE_TRIVIAL_REF_FUNC(type, name, static)
	312	#define DEFINE_PUBLIC_TRIVIAL_REF_FUNC(type, name) \
	313	_DEFINE_TRIVIAL_REF_FUNC(type, name, _public_)
	314
	315	#define DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func) \
	316	_DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func,)
	317	#define DEFINE_PRIVATE_TRIVIAL_UNREF_FUNC(type, name, free_func) \
	318	_DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func, static)
	319	#define DEFINE_PUBLIC_TRIVIAL_UNREF_FUNC(type, name, free_func) \
	320	_DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func, _public_)
	321
	322	#define DEFINE_TRIVIAL_REF_UNREF_FUNC(type, name, free_func) \
	323	DEFINE_TRIVIAL_REF_FUNC(type, name); \
	324	DEFINE_TRIVIAL_UNREF_FUNC(type, name, free_func);
	325
	326	#define DEFINE_PRIVATE_TRIVIAL_REF_UNREF_FUNC(type, name, free_func) \
	327	DEFINE_PRIVATE_TRIVIAL_REF_FUNC(type, name); \
	328	DEFINE_PRIVATE_TRIVIAL_UNREF_FUNC(type, name, free_func);
	329
	330	#define DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(type, name, free_func) \
	331	DEFINE_PUBLIC_TRIVIAL_REF_FUNC(type, name); \
	332	DEFINE_PUBLIC_TRIVIAL_UNREF_FUNC(type, name, free_func);
	333
ed50f18c LP	334	/* A macro to force copying of a variable from memory. This is useful whenever we want to read something from
	335	* memory and want to make sure the compiler won't optimize away the destination variable for us. It's not
	336	* supposed to be a full CPU memory barrier, i.e. CPU is still allowed to reorder the reads, but it is not
	337	* allowed to remove our local copies of the variables. We want this to work for unaligned memory, hence
	338	* memcpy() is great for our purposes. */
	339	#define READ_NOW(x) \
	340	({ \
	341	typeof(x) _copy; \
	342	memcpy(&_copy, &(x), sizeof(_copy)); \
	343	asm volatile ("" : : : "memory"); \
	344	_copy; \
	345	})
	346
8b0c4347 ZJS	347	#define saturate_add(x, y, limit) \
	348	({ \
	349	typeof(limit) _x = (x); \
	350	typeof(limit) _y = (y); \
	351	_x > (limit) \|\| _y >= (limit) - _x ? (limit) : _x + _y; \
	352	})
	353
b0e3d799	354	static inline size_t size_add(size_t x, size_t y) {
8b0c4347	355	return saturate_add(x, y, SIZE_MAX);
b0e3d799	356	}
7c502303	357
3cc3dc77 MG	358	typedef struct {
	359	int _empty[0];
	360	} dummy_t;
	361
	362	assert_cc(sizeof(dummy_t) == 0);
	363
30fd9a2d	364	/* A little helper for subtracting 1 off a pointer in a safe UB-free way. This is intended to be used for
50996f04 LP	365	* loops that count down from a high pointer until some base. A naive loop would implement this like this:
	366	*
	367	* for (p = end-1; p >= base; p--) …
	368	*
	369	* But this is not safe because p before the base is UB in C. With this macro the loop becomes this instead:
	370	*
	371	* for (p = PTR_SUB1(end, base); p; p = PTR_SUB1(p, base)) …
	372	*
	373	* And is free from UB! */
	374	#define PTR_SUB1(p, base) \
	375	({ \
	376	typeof(p) _q = (p); \
	377	_q && _q > (base) ? &_q[-1] : NULL; \
	378	})
	379
e9a46668	380	/* Iterate through each argument passed. All must be the same type as 'entry' or must be implicitly
94d82b59	381	* convertible. The iteration variable 'entry' must already be defined. */
e9a46668 MY	382	#define FOREACH_ARGUMENT(entry, ...) \
	383	_FOREACH_ARGUMENT(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), UNIQ_T(_va_sentinel_, UNIQ), ##__VA_ARGS__)
	384	#define _FOREACH_ARGUMENT(entry, _entries_, _current_, _va_sentinel_, ...) \
dc571ccc FS	385	for (typeof(entry) _va_sentinel_[1] = {}, _entries_[] = { __VA_ARGS__ __VA_OPT__(,) _va_sentinel_[0] }, *_current_ = _entries_; \
dc571ccc FS	386	((long)(_current_ - _entries_) < (long)(ELEMENTSOF(_entries_) - 1)) && ({ entry = *_current_; true; }); \
e179f2d8 DS	387	_current_++)
e179f2d8 DS	388
c0cd99ee UU	389	#define DECIMAL_STR_FMT(x) _Generic((x), \
	390	char: "%c", \
	391	bool: "%d", \
	392	unsigned char: "%d", \
	393	short: "%hd", \
	394	unsigned short: "%hu", \
	395	int: "%d", \
	396	unsigned: "%u", \
	397	long: "%ld", \
	398	unsigned long: "%lu", \
	399	long long: "%lld", \
	400	unsigned long long: "%llu")
	401
dd8f71ee	402	#include "log.h"