mirror of
https://github.com/bitcoin/bitcoin.git
synced 2026-03-16 16:32:47 +00:00
b62abc7eec
02d047fd5b93d96f159db2b8e95fc39450505159 refactor: add overflow-safe `CeilDiv` helper (Lőrinc)
Pull request description:
### Problem
The codebase has many open-coded ceiling-division expressions (for example `(x+y-1)/y`) scattered across files.
These are less readable, duplicate logic, and can be overflow-prone in edge cases.
### Fix
Introduce a small overflow-safe integer helper, `CeilDiv()`, and use it in existing **unsigned** callsites where the conversion is straightforward and noise-free.
### What this PR does
* Adds `CeilDiv()` to `src/util/overflow.h` for unsigned integral inputs.
* Keeps the precondition check `assert(divisor > 0)`.
* Replaces selected unsigned ceiling-division expressions with `CeilDiv(...)`.
* Adds focused unit tests in `src/test/util_tests.cpp` for the migrated patterns.
---
This is a pure refactor with no intended behavioral change.
Signed arithmetic callsites are intentionally left unchanged in this PR.
This PR changed a few more things originally but based on feedback reverted to the simplest cases only.
ACKs for top commit:
rustaceanrob:
ACK 02d047fd5b93d96f159db2b8e95fc39450505159
hodlinator:
ACK 02d047fd5b93d96f159db2b8e95fc39450505159
sedited:
ACK 02d047fd5b93d96f159db2b8e95fc39450505159
Tree-SHA512: b09336031f487e6ce289822e0ffeb8cfc8cfe8a2f4f3f49470748dfbd0a6cbab97498674cb8686dd2bd4ab6dd0b79cfdf2da00041fee12d109892e1bc5dde0ff
111 lines
3.6 KiB
C++
111 lines
3.6 KiB
C++
// Copyright (c) 2021-present The Bitcoin Core developers
|
|
// Distributed under the MIT software license, see the accompanying
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
|
|
#ifndef BITCOIN_UTIL_OVERFLOW_H
|
|
#define BITCOIN_UTIL_OVERFLOW_H
|
|
|
|
#include <cassert>
|
|
#include <climits>
|
|
#include <concepts>
|
|
#include <limits>
|
|
#include <optional>
|
|
#include <type_traits>
|
|
|
|
template <class T>
|
|
[[nodiscard]] bool AdditionOverflow(const T i, const T j) noexcept
|
|
{
|
|
static_assert(std::is_integral_v<T>, "Integral required.");
|
|
if constexpr (std::numeric_limits<T>::is_signed) {
|
|
return (i > 0 && j > std::numeric_limits<T>::max() - i) ||
|
|
(i < 0 && j < std::numeric_limits<T>::min() - i);
|
|
}
|
|
return std::numeric_limits<T>::max() - i < j;
|
|
}
|
|
|
|
template <class T>
|
|
[[nodiscard]] std::optional<T> CheckedAdd(const T i, const T j) noexcept
|
|
{
|
|
if (AdditionOverflow(i, j)) {
|
|
return std::nullopt;
|
|
}
|
|
return i + j;
|
|
}
|
|
|
|
template <std::unsigned_integral T, std::unsigned_integral U>
|
|
[[nodiscard]] constexpr bool TrySub(T& i, const U j) noexcept
|
|
{
|
|
if (i < T{j}) return false;
|
|
i -= T{j};
|
|
return true;
|
|
}
|
|
|
|
template <class T>
|
|
[[nodiscard]] T SaturatingAdd(const T i, const T j) noexcept
|
|
{
|
|
if constexpr (std::numeric_limits<T>::is_signed) {
|
|
if (i > 0 && j > std::numeric_limits<T>::max() - i) {
|
|
return std::numeric_limits<T>::max();
|
|
}
|
|
if (i < 0 && j < std::numeric_limits<T>::min() - i) {
|
|
return std::numeric_limits<T>::min();
|
|
}
|
|
} else {
|
|
if (std::numeric_limits<T>::max() - i < j) {
|
|
return std::numeric_limits<T>::max();
|
|
}
|
|
}
|
|
return i + j;
|
|
}
|
|
|
|
/**
|
|
* @brief Integer ceiling division (for unsigned values).
|
|
*
|
|
* Computes the smallest integer q such that q * divisor >= dividend.
|
|
* Both dividend and divisor must be unsigned, and divisor must be non-zero.
|
|
*
|
|
* The implementation avoids overflow that can occur with `(dividend + divisor - 1) / divisor`.
|
|
*/
|
|
template <std::unsigned_integral Dividend, std::unsigned_integral Divisor>
|
|
[[nodiscard]] constexpr auto CeilDiv(const Dividend dividend, const Divisor divisor)
|
|
{
|
|
assert(divisor > 0);
|
|
return dividend / divisor + (dividend % divisor != 0);
|
|
}
|
|
|
|
/**
|
|
* @brief Left bit shift with overflow checking.
|
|
* @param input The input value to be left shifted.
|
|
* @param shift The number of bits to left shift.
|
|
* @return (input * 2^shift) or nullopt if it would not fit in the return type.
|
|
*/
|
|
template <std::integral T>
|
|
constexpr std::optional<T> CheckedLeftShift(T input, unsigned shift) noexcept
|
|
{
|
|
if (shift == 0 || input == 0) return input;
|
|
// Avoid undefined c++ behaviour if shift is >= number of bits in T.
|
|
if (shift >= sizeof(T) * CHAR_BIT) return std::nullopt;
|
|
// If input << shift is too big to fit in T, return nullopt.
|
|
if (input > (std::numeric_limits<T>::max() >> shift)) return std::nullopt;
|
|
if (input < (std::numeric_limits<T>::min() >> shift)) return std::nullopt;
|
|
return input << shift;
|
|
}
|
|
|
|
/**
|
|
* @brief Left bit shift with safe minimum and maximum values.
|
|
* @param input The input value to be left shifted.
|
|
* @param shift The number of bits to left shift.
|
|
* @return (input * 2^shift) clamped to fit between the lowest and highest
|
|
* representable values of the type T.
|
|
*/
|
|
template <std::integral T>
|
|
constexpr T SaturatingLeftShift(T input, unsigned shift) noexcept
|
|
{
|
|
if (auto result{CheckedLeftShift(input, shift)}) return *result;
|
|
// If input << shift is too big to fit in T, return biggest positive or negative
|
|
// number that fits.
|
|
return input < 0 ? std::numeric_limits<T>::min() : std::numeric_limits<T>::max();
|
|
}
|
|
|
|
#endif // BITCOIN_UTIL_OVERFLOW_H
|