unsafe_libyaml/ops.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111
pub(crate) trait ForceAdd: Sized {
fn force_add(self, rhs: Self) -> Self;
}
impl ForceAdd for u8 {
fn force_add(self, rhs: Self) -> Self {
self.checked_add(rhs).unwrap_or_else(die)
}
}
impl ForceAdd for i32 {
fn force_add(self, rhs: Self) -> Self {
self.checked_add(rhs).unwrap_or_else(die)
}
}
impl ForceAdd for u32 {
fn force_add(self, rhs: Self) -> Self {
self.checked_add(rhs).unwrap_or_else(die)
}
}
impl ForceAdd for u64 {
fn force_add(self, rhs: Self) -> Self {
self.checked_add(rhs).unwrap_or_else(die)
}
}
impl ForceAdd for usize {
fn force_add(self, rhs: Self) -> Self {
self.checked_add(rhs).unwrap_or_else(die)
}
}
pub(crate) trait ForceMul: Sized {
fn force_mul(self, rhs: Self) -> Self;
}
impl ForceMul for i32 {
fn force_mul(self, rhs: Self) -> Self {
self.checked_mul(rhs).unwrap_or_else(die)
}
}
impl ForceMul for i64 {
fn force_mul(self, rhs: Self) -> Self {
self.checked_mul(rhs).unwrap_or_else(die)
}
}
impl ForceMul for u64 {
fn force_mul(self, rhs: Self) -> Self {
self.checked_mul(rhs).unwrap_or_else(die)
}
}
pub(crate) trait ForceInto {
fn force_into<U>(self) -> U
where
Self: TryInto<U>;
}
impl<T> ForceInto for T {
fn force_into<U>(self) -> U
where
Self: TryInto<U>,
{
<Self as TryInto<U>>::try_into(self)
.ok()
.unwrap_or_else(die)
}
}
// Deterministically abort on arithmetic overflow, instead of wrapping and
// continuing with invalid behavior.
//
// This is impossible or nearly impossible to hit as the arithmetic computations
// in libyaml are all related to either:
//
// - small integer processing (ascii, hex digits)
// - allocation sizing
//
// and the only allocations in libyaml are for fixed-sized objects and
// geometrically growing buffers with a growth factor of 2. So in order for an
// allocation computation to overflow usize, the previous allocation for that
// container must have been filled to a size of usize::MAX/2, which is an
// allocation that would have failed in the allocator. But we check for this to
// be pedantic and to find out if it ever does happen.
//
// No-std abort is implemented using a double panic. On most platforms the
// current mechanism for this is for core::intrinsics::abort to invoke an
// invalid instruction. On Unix, the process will probably terminate with a
// signal like SIGABRT, SIGILL, SIGTRAP, SIGSEGV or SIGBUS. The precise
// behaviour is not guaranteed and not stable, but is safe.
#[cold]
pub(crate) fn die<T>() -> T {
struct PanicAgain;
impl Drop for PanicAgain {
fn drop(&mut self) {
panic!("arithmetic overflow");
}
}
fn do_die() -> ! {
let _panic_again = PanicAgain;
panic!("arithmetic overflow");
}
do_die();
}