[stdlib] add overflow checks for some pointer arithmetic

glessard · glessard · commit 45b81f6456ac · 2022-08-22T09:51:10.000-06:00
- Overflow checks added for recent additions to pointer arithmetic (rounding and property pointers).
- The basic `advanced(by:)` functions will need to be dealt with separately.
diff --git a/stdlib/public/core/UnsafePointer.swift b/stdlib/public/core/UnsafePointer.swift
@@ -371,6 +371,11 @@ public struct UnsafePointer<Pointee>: _Pointer {
     to property: KeyPath<Pointee, Property>
   ) -> UnsafePointer<Property>? {
     guard let o = property._storedInlineOffset else { return nil }
+    _internalInvariant(o >= 0)
+    _debugPrecondition(
+      o == 0 || UnsafeRawPointer(self) < UnsafeRawPointer(bitPattern: 0 &- o)!,
+      "Overflow in pointer arithmetic"
+    )
     return .init(Builtin.gepRaw_Word(_rawValue, o._builtinWordValue))
   }
 
@@ -1088,6 +1093,11 @@ public struct UnsafeMutablePointer<Pointee>: _Pointer {
     to property: KeyPath<Pointee, Property>
   ) -> UnsafePointer<Property>? {
     guard let o = property._storedInlineOffset else { return nil }
+    _internalInvariant(o >= 0)
+    _debugPrecondition(
+      o == 0 || UnsafeRawPointer(self) < UnsafeRawPointer(bitPattern: 0 &- o)!,
+      "Overflow in pointer arithmetic"
+    )
     return .init(Builtin.gepRaw_Word(_rawValue, o._builtinWordValue))
   }
 
@@ -1105,6 +1115,11 @@ public struct UnsafeMutablePointer<Pointee>: _Pointer {
     to property: WritableKeyPath<Pointee, Property>
   ) -> UnsafeMutablePointer<Property>? {
     guard let o = property._storedInlineOffset else { return nil }
+    _internalInvariant(o >= 0)
+    _debugPrecondition(
+      o == 0 || UnsafeRawPointer(self) < UnsafeRawPointer(bitPattern: 0 &- o)!,
+      "Overflow in pointer arithmetic"
+    )
     return .init(Builtin.gepRaw_Word(_rawValue, o._builtinWordValue))
   }
 
diff --git a/stdlib/public/core/UnsafeRawPointer.swift b/stdlib/public/core/UnsafeRawPointer.swift
@@ -499,6 +499,7 @@ extension UnsafeRawPointer {
   public func alignedUp<T>(for type: T.Type) -> Self {
     let mask = UInt(Builtin.alignof(T.self)) &- 1
     let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 
@@ -515,6 +516,7 @@ extension UnsafeRawPointer {
   public func alignedDown<T>(for type: T.Type) -> Self {
     let mask = UInt(Builtin.alignof(T.self)) &- 1
     let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 
@@ -536,6 +538,7 @@ extension UnsafeRawPointer {
       "alignment must be a whole power of 2."
     )
     let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 
@@ -557,6 +560,7 @@ extension UnsafeRawPointer {
       "alignment must be a whole power of 2."
     )
     let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 }
@@ -1351,6 +1355,7 @@ extension UnsafeMutableRawPointer {
   public func alignedUp<T>(for type: T.Type) -> Self {
     let mask = UInt(Builtin.alignof(T.self)) &- 1
     let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 
@@ -1367,6 +1372,7 @@ extension UnsafeMutableRawPointer {
   public func alignedDown<T>(for type: T.Type) -> Self {
     let mask = UInt(Builtin.alignof(T.self)) &- 1
     let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 
@@ -1388,6 +1394,7 @@ extension UnsafeMutableRawPointer {
       "alignment must be a whole power of 2."
     )
     let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 
@@ -1409,6 +1416,7 @@ extension UnsafeMutableRawPointer {
       "alignment must be a whole power of 2."
     )
     let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask
+    _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")
     return .init(Builtin.inttoptr_Word(bits._builtinWordValue))
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -499,6 +499,7 @@ extension UnsafeRawPointer {`
`499`	`499`	`public func alignedUp<T>(for type: T.Type) -> Self {`
`500`	`500`	`let mask = UInt(Builtin.alignof(T.self)) &- 1`
`501`	`501`	`let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask`
	`502`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`502`	`503`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`503`	`504`	`}`
`504`	`505`
`@@ -515,6 +516,7 @@ extension UnsafeRawPointer {`
`515`	`516`	`public func alignedDown<T>(for type: T.Type) -> Self {`
`516`	`517`	`let mask = UInt(Builtin.alignof(T.self)) &- 1`
`517`	`518`	`let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask`
	`519`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`518`	`520`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`519`	`521`	`}`
`520`	`522`
`@@ -536,6 +538,7 @@ extension UnsafeRawPointer {`
`536`	`538`	`"alignment must be a whole power of 2."`
`537`	`539`	`)`
`538`	`540`	`let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask`
	`541`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`539`	`542`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`540`	`543`	`}`
`541`	`544`
`@@ -557,6 +560,7 @@ extension UnsafeRawPointer {`
`557`	`560`	`"alignment must be a whole power of 2."`
`558`	`561`	`)`
`559`	`562`	`let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask`
	`563`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`560`	`564`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`561`	`565`	`}`
`562`	`566`	`}`
`@@ -1351,6 +1355,7 @@ extension UnsafeMutableRawPointer {`
`1351`	`1355`	`public func alignedUp<T>(for type: T.Type) -> Self {`
`1352`	`1356`	`let mask = UInt(Builtin.alignof(T.self)) &- 1`
`1353`	`1357`	`let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask`
	`1358`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`1354`	`1359`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`1355`	`1360`	`}`
`1356`	`1361`
`@@ -1367,6 +1372,7 @@ extension UnsafeMutableRawPointer {`
`1367`	`1372`	`public func alignedDown<T>(for type: T.Type) -> Self {`
`1368`	`1373`	`let mask = UInt(Builtin.alignof(T.self)) &- 1`
`1369`	`1374`	`let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask`
	`1375`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`1370`	`1376`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`1371`	`1377`	`}`
`1372`	`1378`
`@@ -1388,6 +1394,7 @@ extension UnsafeMutableRawPointer {`
`1388`	`1394`	`"alignment must be a whole power of 2."`
`1389`	`1395`	`)`
`1390`	`1396`	`let bits = (UInt(Builtin.ptrtoint_Word(_rawValue)) &+ mask) & ~mask`
	`1397`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`1391`	`1398`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`1392`	`1399`	`}`
`1393`	`1400`
`@@ -1409,6 +1416,7 @@ extension UnsafeMutableRawPointer {`
`1409`	`1416`	`"alignment must be a whole power of 2."`
`1410`	`1417`	`)`
`1411`	`1418`	`let bits = UInt(Builtin.ptrtoint_Word(_rawValue)) & ~mask`
	`1419`	`+ _debugPrecondition(bits != 0, "Overflow in pointer arithmetic")`
`1412`	`1420`	`return .init(Builtin.inttoptr_Word(bits._builtinWordValue))`
`1413`	`1421`	`}`
`1414`	`1422`	`}`