[thirdparty/systemd.git] / src / basic / macro.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include "macro-fundamental.h" /* IWYU pragma: export */

#if !defined(HAS_FEATURE_MEMORY_SANITIZER)
#  if defined(__has_feature)
#    if __has_feature(memory_sanitizer)
#      define HAS_FEATURE_MEMORY_SANITIZER 1
#    endif
#  endif
#  if !defined(HAS_FEATURE_MEMORY_SANITIZER)
#    define HAS_FEATURE_MEMORY_SANITIZER 0
#  endif
#endif

#if !defined(HAS_FEATURE_ADDRESS_SANITIZER)
#  ifdef __SANITIZE_ADDRESS__
#      define HAS_FEATURE_ADDRESS_SANITIZER 1
#  elif defined(__has_feature)
#    if __has_feature(address_sanitizer)
#      define HAS_FEATURE_ADDRESS_SANITIZER 1
#    endif
#  endif
#  if !defined(HAS_FEATURE_ADDRESS_SANITIZER)
#    define HAS_FEATURE_ADDRESS_SANITIZER 0
#  endif
#endif

/* Note: on GCC "no_sanitize_address" is a function attribute only, on llvm it may also be applied to global
 * variables. We define a specific macro which knows this. Note that on GCC we don't need this decorator so much, since
 * our primary use case for this attribute is registration structures placed in named ELF sections which shall not be
 * padded, but GCC doesn't pad those anyway if AddressSanitizer is enabled. */
#if HAS_FEATURE_ADDRESS_SANITIZER && defined(__clang__)
#define _variable_no_sanitize_address_ __attribute__((__no_sanitize_address__))
#else
#define _variable_no_sanitize_address_
#endif

/* Apparently there's no has_feature() call defined to check for ubsan, hence let's define this
 * unconditionally on llvm */
#if defined(__clang__)
#define _function_no_sanitize_float_cast_overflow_ __attribute__((no_sanitize("float-cast-overflow")))
#else
#define _function_no_sanitize_float_cast_overflow_
#endif

/* test harness */
#define EXIT_TEST_SKIP 77

static inline uint64_t u64_multiply_safe(uint64_t a, uint64_t b) {
        if (_unlikely_(a != 0 && b > (UINT64_MAX / a)))
                return 0; /* overflow */

        return a * b;
}

/* align to next higher power-of-2 (except for: 0 => 0, overflow => 0) */
static inline unsigned long ALIGN_POWER2(unsigned long u) {

        /* Avoid subtraction overflow */
        if (u == 0)
                return 0;

        /* clz(0) is undefined */
        if (u == 1)
                return 1;

        /* left-shift overflow is undefined */
        if (__builtin_clzl(u - 1UL) < 1)
                return 0;

        return 1UL << (sizeof(u) * 8 - __builtin_clzl(u - 1UL));
}

/*
 * container_of - cast a member of a structure out to the containing structure
 * @ptr: the pointer to the member.
 * @type: the type of the container struct this is embedded in.
 * @member: the name of the member within the struct.
 */
#define container_of(ptr, type, member) __container_of(UNIQ, (ptr), type, member)
#define __container_of(uniq, ptr, type, member)                         \
        ({                                                              \
                const typeof( ((type*)0)->member ) *UNIQ_T(A, uniq) = (ptr); \
                (type*)( (char *)UNIQ_T(A, uniq) - offsetof(type, member) ); \
        })

#define PTR_TO_INT(p) ((int) ((intptr_t) (p)))
#define INT_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_UINT(p) ((unsigned) ((uintptr_t) (p)))
#define UINT_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_LONG(p) ((long) ((intptr_t) (p)))
#define LONG_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_ULONG(p) ((unsigned long) ((uintptr_t) (p)))
#define ULONG_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_UINT8(p) ((uint8_t) ((uintptr_t) (p)))
#define UINT8_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_INT32(p) ((int32_t) ((intptr_t) (p)))
#define INT32_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_UINT32(p) ((uint32_t) ((uintptr_t) (p)))
#define UINT32_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define PTR_TO_INT64(p) ((int64_t) ((intptr_t) (p)))
#define INT64_TO_PTR(u) ((void *) ((intptr_t) (u)))
#define PTR_TO_UINT64(p) ((uint64_t) ((uintptr_t) (p)))
#define UINT64_TO_PTR(u) ((void *) ((uintptr_t) (u)))

#define CHAR_TO_STR(x) ((char[2]) { x, 0 })

#define char_array_0(x) x[sizeof(x)-1] = 0;

/* Maximum buffer size needed for formatting an unsigned integer type as hex, including space for '0x'
 * prefix and trailing NUL suffix. */
#define HEXADECIMAL_STR_MAX(type) (2 + sizeof(type) * 2 + 1)

/* Returns the number of chars needed to format variables of the specified type as a decimal string. Adds in
 * extra space for a negative '-' prefix for signed types. Includes space for the trailing NUL. */
#define DECIMAL_STR_MAX(type)                                           \
        ((size_t) IS_SIGNED_INTEGER_TYPE(type) + 1U +                   \
            (sizeof(type) <= 1 ? 3U :                                   \
             sizeof(type) <= 2 ? 5U :                                   \
             sizeof(type) <= 4 ? 10U :                                  \
             sizeof(type) <= 8 ? (IS_SIGNED_INTEGER_TYPE(type) ? 19U : 20U) : sizeof(int[-2*(sizeof(type) > 8)])))

/* Returns the number of chars needed to format the specified integer value. It's hence more specific than
 * DECIMAL_STR_MAX() which answers the same question for all possible values of the specified type. Does
 * *not* include space for a trailing NUL. (If you wonder why we special case _x_ == 0 here: it's to trick
 * out gcc's -Wtype-limits, which would complain on comparing an unsigned type with < 0, otherwise. By
 * special-casing == 0 here first, we can use <= 0 instead of < 0 to trick out gcc.) */
#define DECIMAL_STR_WIDTH(x)                                      \
        ({                                                        \
                typeof(x) _x_ = (x);                              \
                size_t ans;                                       \
                if (_x_ == 0)                                     \
                        ans = 1;                                  \
                else {                                            \
                        ans = _x_ <= 0 ? 2 : 1;                   \
                        while ((_x_ /= 10) != 0)                  \
                                ans++;                            \
                }                                                 \
                ans;                                              \
        })

#define SWAP_TWO(x, y) do {                        \
                typeof(x) _t = (x);                \
                (x) = (y);                         \
                (y) = (_t);                        \
        } while (false)

#define STRV_MAKE(...) ((char**) ((const char*[]) { __VA_ARGS__, NULL }))
#define STRV_MAKE_EMPTY ((char*[1]) { NULL })
#define STRV_MAKE_CONST(...) ((const char* const*) ((const char*[]) { __VA_ARGS__, NULL }))

/* Pointers range from NULL to POINTER_MAX */
#define POINTER_MAX ((void*) UINTPTR_MAX)

/* A macro to force copying of a variable from memory. This is useful whenever we want to read something from
 * memory and want to make sure the compiler won't optimize away the destination variable for us. It's not
 * supposed to be a full CPU memory barrier, i.e. CPU is still allowed to reorder the reads, but it is not
 * allowed to remove our local copies of the variables. We want this to work for unaligned memory, hence
 * memcpy() is great for our purposes. */
#define READ_NOW(x)                                                     \
        ({                                                              \
                typeof(x) _copy;                                        \
                memcpy(&_copy, &(x), sizeof(_copy));                    \
                asm volatile ("" : : : "memory");                       \
                _copy;                                                  \
        })

#define saturate_add(x, y, limit)                                       \
        ({                                                              \
                typeof(limit) _x = (x);                                 \
                typeof(limit) _y = (y);                                 \
                _x > (limit) || _y >= (limit) - _x ? (limit) : _x + _y; \
        })

static inline size_t size_add(size_t x, size_t y) {
        return saturate_add(x, y, SIZE_MAX);
}

/* A little helper for subtracting 1 off a pointer in a safe UB-free way. This is intended to be used for
 * loops that count down from a high pointer until some base. A naive loop would implement this like this:
 *
 * for (p = end-1; p >= base; p--) …
 *
 * But this is not safe because p before the base is UB in C. With this macro the loop becomes this instead:
 *
 * for (p = PTR_SUB1(end, base); p; p = PTR_SUB1(p, base)) …
 *
 * And is free from UB! */
#define PTR_SUB1(p, base)                                \
        ({                                               \
                typeof(p) _q = (p);                      \
                _q && _q > (base) ? &_q[-1] : NULL;      \
        })

/* Iterate through each argument passed. All must be the same type as 'entry' or must be implicitly
 * convertible. The iteration variable 'entry' must already be defined. */
#define FOREACH_ARGUMENT(entry, ...)                                     \
        _FOREACH_ARGUMENT(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), UNIQ_T(_va_sentinel_, UNIQ), ##__VA_ARGS__)
#define _FOREACH_ARGUMENT(entry, _entries_, _current_, _va_sentinel_, ...)      \
        for (typeof(entry) _va_sentinel_[1] = {}, _entries_[] = { __VA_ARGS__ __VA_OPT__(,) _va_sentinel_[0] }, *_current_ = _entries_; \
             ((long)(_current_ - _entries_) < (long)(ELEMENTSOF(_entries_) - 1)) && ({ entry = *_current_; true; }); \
             _current_++)
Commit	Line	Data
	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2	#pragma once
	3
	4	#include "macro-fundamental.h" /* IWYU pragma: export */
	5
	6	#if !defined(HAS_FEATURE_MEMORY_SANITIZER)
	7	# if defined(__has_feature)
	8	# if __has_feature(memory_sanitizer)
	9	# define HAS_FEATURE_MEMORY_SANITIZER 1
	10	# endif
	11	# endif
	12	# if !defined(HAS_FEATURE_MEMORY_SANITIZER)
	13	# define HAS_FEATURE_MEMORY_SANITIZER 0
	14	# endif
	15	#endif
	16
	17	#if !defined(HAS_FEATURE_ADDRESS_SANITIZER)
	18	# ifdef __SANITIZE_ADDRESS__
	19	# define HAS_FEATURE_ADDRESS_SANITIZER 1
	20	# elif defined(__has_feature)
	21	# if __has_feature(address_sanitizer)
	22	# define HAS_FEATURE_ADDRESS_SANITIZER 1
	23	# endif
	24	# endif
	25	# if !defined(HAS_FEATURE_ADDRESS_SANITIZER)
	26	# define HAS_FEATURE_ADDRESS_SANITIZER 0
	27	# endif
	28	#endif
	29
	30	/* Note: on GCC "no_sanitize_address" is a function attribute only, on llvm it may also be applied to global
	31	* variables. We define a specific macro which knows this. Note that on GCC we don't need this decorator so much, since
	32	* our primary use case for this attribute is registration structures placed in named ELF sections which shall not be
	33	* padded, but GCC doesn't pad those anyway if AddressSanitizer is enabled. */
	34	#if HAS_FEATURE_ADDRESS_SANITIZER && defined(__clang__)
	35	#define _variable_no_sanitize_address_ __attribute__((__no_sanitize_address__))
	36	#else
	37	#define _variable_no_sanitize_address_
	38	#endif
	39
	40	/* Apparently there's no has_feature() call defined to check for ubsan, hence let's define this
	41	* unconditionally on llvm */
	42	#if defined(__clang__)
	43	#define _function_no_sanitize_float_cast_overflow_ __attribute__((no_sanitize("float-cast-overflow")))
	44	#else
	45	#define _function_no_sanitize_float_cast_overflow_
	46	#endif
	47
	48	/* test harness */
	49	#define EXIT_TEST_SKIP 77
	50
	51	static inline uint64_t u64_multiply_safe(uint64_t a, uint64_t b) {
	52	if (_unlikely_(a != 0 && b > (UINT64_MAX / a)))
	53	return 0; /* overflow */
	54
	55	return a * b;
	56	}
	57
	58	/* align to next higher power-of-2 (except for: 0 => 0, overflow => 0) */
	59	static inline unsigned long ALIGN_POWER2(unsigned long u) {
	60
	61	/* Avoid subtraction overflow */
	62	if (u == 0)
	63	return 0;
	64
	65	/* clz(0) is undefined */
	66	if (u == 1)
	67	return 1;
	68
	69	/* left-shift overflow is undefined */
	70	if (__builtin_clzl(u - 1UL) < 1)
	71	return 0;
	72
	73	return 1UL << (sizeof(u) * 8 - __builtin_clzl(u - 1UL));
	74	}
	75
	76	/*
	77	* container_of - cast a member of a structure out to the containing structure
	78	* @ptr: the pointer to the member.
	79	* @type: the type of the container struct this is embedded in.
	80	* @member: the name of the member within the struct.
	81	*/
	82	#define container_of(ptr, type, member) __container_of(UNIQ, (ptr), type, member)
	83	#define __container_of(uniq, ptr, type, member) \
	84	({ \
	85	const typeof( ((type)0)->member ) UNIQ_T(A, uniq) = (ptr); \
	86	(type)( (char )UNIQ_T(A, uniq) - offsetof(type, member) ); \
	87	})
	88
	89	#define PTR_TO_INT(p) ((int) ((intptr_t) (p)))
	90	#define INT_TO_PTR(u) ((void *) ((intptr_t) (u)))
	91	#define PTR_TO_UINT(p) ((unsigned) ((uintptr_t) (p)))
	92	#define UINT_TO_PTR(u) ((void *) ((uintptr_t) (u)))
	93
	94	#define PTR_TO_LONG(p) ((long) ((intptr_t) (p)))
	95	#define LONG_TO_PTR(u) ((void *) ((intptr_t) (u)))
	96	#define PTR_TO_ULONG(p) ((unsigned long) ((uintptr_t) (p)))
	97	#define ULONG_TO_PTR(u) ((void *) ((uintptr_t) (u)))
	98
	99	#define PTR_TO_UINT8(p) ((uint8_t) ((uintptr_t) (p)))
	100	#define UINT8_TO_PTR(u) ((void *) ((uintptr_t) (u)))
	101
	102	#define PTR_TO_INT32(p) ((int32_t) ((intptr_t) (p)))
	103	#define INT32_TO_PTR(u) ((void *) ((intptr_t) (u)))
	104	#define PTR_TO_UINT32(p) ((uint32_t) ((uintptr_t) (p)))
	105	#define UINT32_TO_PTR(u) ((void *) ((uintptr_t) (u)))
	106
	107	#define PTR_TO_INT64(p) ((int64_t) ((intptr_t) (p)))
	108	#define INT64_TO_PTR(u) ((void *) ((intptr_t) (u)))
	109	#define PTR_TO_UINT64(p) ((uint64_t) ((uintptr_t) (p)))
	110	#define UINT64_TO_PTR(u) ((void *) ((uintptr_t) (u)))
	111
	112	#define CHAR_TO_STR(x) ((char[2]) { x, 0 })
	113
	114	#define char_array_0(x) x[sizeof(x)-1] = 0;
	115
	116	/* Maximum buffer size needed for formatting an unsigned integer type as hex, including space for '0x'
	117	* prefix and trailing NUL suffix. */
	118	#define HEXADECIMAL_STR_MAX(type) (2 + sizeof(type) * 2 + 1)
	119
	120	/* Returns the number of chars needed to format variables of the specified type as a decimal string. Adds in
	121	* extra space for a negative '-' prefix for signed types. Includes space for the trailing NUL. */
	122	#define DECIMAL_STR_MAX(type) \
	123	((size_t) IS_SIGNED_INTEGER_TYPE(type) + 1U + \
	124	(sizeof(type) <= 1 ? 3U : \
	125	sizeof(type) <= 2 ? 5U : \
	126	sizeof(type) <= 4 ? 10U : \
	127	sizeof(type) <= 8 ? (IS_SIGNED_INTEGER_TYPE(type) ? 19U : 20U) : sizeof(int[-2*(sizeof(type) > 8)])))
	128
	129	/* Returns the number of chars needed to format the specified integer value. It's hence more specific than
	130	* DECIMAL_STR_MAX() which answers the same question for all possible values of the specified type. Does
	131	* not include space for a trailing NUL. (If you wonder why we special case _x_ == 0 here: it's to trick
	132	* out gcc's -Wtype-limits, which would complain on comparing an unsigned type with < 0, otherwise. By
	133	* special-casing == 0 here first, we can use <= 0 instead of < 0 to trick out gcc.) */
	134	#define DECIMAL_STR_WIDTH(x) \
	135	({ \
	136	typeof(x) _x_ = (x); \
	137	size_t ans; \
	138	if (_x_ == 0) \
	139	ans = 1; \
	140	else { \
	141	ans = _x_ <= 0 ? 2 : 1; \
	142	while ((_x_ /= 10) != 0) \
	143	ans++; \
	144	} \
	145	ans; \
	146	})
	147
	148	#define SWAP_TWO(x, y) do { \
	149	typeof(x) _t = (x); \
	150	(x) = (y); \
	151	(y) = (_t); \
	152	} while (false)
	153
	154	#define STRV_MAKE(...) ((char*) ((const char[]) { __VA_ARGS__, NULL }))
	155	#define STRV_MAKE_EMPTY ((char*[1]) { NULL })
	156	#define STRV_MAKE_CONST(...) ((const char* const) ((const char[]) { __VA_ARGS__, NULL }))
	157
	158	/* Pointers range from NULL to POINTER_MAX */
	159	#define POINTER_MAX ((void*) UINTPTR_MAX)
	160
	161	/* A macro to force copying of a variable from memory. This is useful whenever we want to read something from
	162	* memory and want to make sure the compiler won't optimize away the destination variable for us. It's not
	163	* supposed to be a full CPU memory barrier, i.e. CPU is still allowed to reorder the reads, but it is not
	164	* allowed to remove our local copies of the variables. We want this to work for unaligned memory, hence
	165	* memcpy() is great for our purposes. */
	166	#define READ_NOW(x) \
	167	({ \
	168	typeof(x) _copy; \
	169	memcpy(&_copy, &(x), sizeof(_copy)); \
	170	asm volatile ("" : : : "memory"); \
	171	_copy; \
	172	})
	173
	174	#define saturate_add(x, y, limit) \
	175	({ \
	176	typeof(limit) _x = (x); \
	177	typeof(limit) _y = (y); \
	178	_x > (limit) \|\| _y >= (limit) - _x ? (limit) : _x + _y; \
	179	})
	180
	181	static inline size_t size_add(size_t x, size_t y) {
	182	return saturate_add(x, y, SIZE_MAX);
	183	}
	184
	185	/* A little helper for subtracting 1 off a pointer in a safe UB-free way. This is intended to be used for
	186	* loops that count down from a high pointer until some base. A naive loop would implement this like this:
	187	*
	188	* for (p = end-1; p >= base; p--) …
	189	*
	190	* But this is not safe because p before the base is UB in C. With this macro the loop becomes this instead:
	191	*
	192	* for (p = PTR_SUB1(end, base); p; p = PTR_SUB1(p, base)) …
	193	*
	194	* And is free from UB! */
	195	#define PTR_SUB1(p, base) \
	196	({ \
	197	typeof(p) _q = (p); \
	198	_q && _q > (base) ? &_q[-1] : NULL; \
	199	})
	200
	201	/* Iterate through each argument passed. All must be the same type as 'entry' or must be implicitly
	202	* convertible. The iteration variable 'entry' must already be defined. */
	203	#define FOREACH_ARGUMENT(entry, ...) \
	204	_FOREACH_ARGUMENT(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), UNIQ_T(_va_sentinel_, UNIQ), ##__VA_ARGS__)
	205	#define _FOREACH_ARGUMENT(entry, _entries_, _current_, _va_sentinel_, ...) \
	206	for (typeof(entry) _va_sentinel_[1] = {}, _entries_[] = { __VA_ARGS__ __VA_OPT__(,) _va_sentinel_[0] }, *_current_ = _entries_; \
	207	((long)(_current_ - _entries_) < (long)(ELEMENTSOF(_entries_) - 1)) && ({ entry = *_current_; true; }); \
	208	_current_++)