/* * Copyright (c) 2018 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. The rights granted to you under the License * may not be used to create, or enable the creation or redistribution of, * unlawful or unlicensed copies of an Apple operating system, or to * circumvent, violate, or enable the circumvention or violation of, any * terms of an Apple operating system software license agreement. * * Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ #ifndef _OS_CXX_SAFE_BUFFERS_H #define _OS_CXX_SAFE_BUFFERS_H #ifdef KERNEL_PRIVATE #include #endif #if (defined(__has_include) && __has_include() && __has_include() && __has_include()) #include #include #include namespace os { #pragma clang unsafe_buffer_usage begin /* The `unsafe_forge_span` functions are for suppressing false * positive `-Wunsafe-buffer-usage-in-container` warnings on * uses of the two-parameter `std::span` constructors. * * For a `std::span(ptr, size)` call that raises a false alarm, one * can suppress the warning by changing the call to * `unsafe_forge_span(ptr, size)`. * * Please consider the C++ Safe Buffers Programming Model and * Adoption Tooling Guide as a reference to identify false positives * and do not use the functions in non-applicable cases. */ template std::span > > unsafe_forge_span(It data, typename std::span > >::size_type size) { return std::span > >{data, size}; } template End> std::span > > unsafe_forge_span(It begin, End end) { return std::span > >{begin, end}; } template std::span unsafe_forge_span(T *data) { return std::span{data, N}; } template< typename Dst, typename Src, std::size_t Count #ifdef KERNEL_PRIVATE , typename = std::enable_if_t #endif > std::span reinterpret_span_cast( std::span src ) { if constexpr (std::is_same_v) { return std::as_writable_bytes(src); } else { if constexpr (std::is_same_v) { return std::as_bytes(src); } } if constexpr (Count == std::dynamic_extent) { if constexpr ((sizeof(Src) < sizeof(Dst)) || (sizeof(Src) % sizeof(Dst) != 0)) { if (__builtin_expect(((src.size() * sizeof(Src)) % sizeof(Dst) != 0), 0)) { #ifdef KERNEL_PRIVATE ml_fatal_trap(0x0800); #else __builtin_verbose_trap("safe-buffers", "reinterpret_span_cast: Conversion between incompatible span sizes"); #endif } } } else { static_assert((Count * sizeof(Src)) % sizeof(Dst) == 0, "reinterpret_span_cast: Conversion between incompatible span sizes" ); } using ReturnType = std::span; return ReturnType { reinterpret_cast(src.data()), (src.size() * sizeof(Src)) / sizeof(Dst) }; } // We keep old function names below for better transitions in Safe // Buffer adoption. These names will exist in the header for a while // before being marked as "deprecated". namespace span { template std::span > > __unsafe_forge_span(It data, typename std::span > >::size_type size) { return std::span > >{data, size}; } template End> std::span > > __unsafe_forge_span(It begin, End end) { return std::span > >{begin, end}; } } // namespace span #pragma clang unsafe_buffer_usage end } // namespace os #endif /* (defined(__has_include) && __has_include() && __has_include()) */ #endif /* _OS_CXX_SAFE_BUFFERS_H */