Refactor base/safe_numerics.h

* Move into base/numerics subdirectory.
* Rename files for clarity.
* Add owners.
* Rename checked_numeric_cast to checked_cast.
* Fixup callsites and include paths.

BUG=332611
R=brettw@chromium.org, jam@chromium.org

Review URL: https://codereview.chromium.org/141113003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@245418 0039d316-1c4b-4281-b951-d872f2087c98

4 files changed, 529 insertions, 0 deletions

diff --git a/base/numerics/OWNERS b/base/numerics/OWNERS
new file mode 100644
index 0000000..41f35fc
--- /dev/null
+++ b/base/numerics/OWNERS
@@ -0,0 +1,3 @@
+jschuh@chromium.org
+tsepez@chromium.org
+
diff --git a/base/numerics/safe_conversions.h b/base/numerics/safe_conversions.h
new file mode 100644
index 0000000..03ef96d
--- /dev/null
+++ b/base/numerics/safe_conversions.h
@@ -0,0 +1,63 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_SAFE_CONVERSIONS_H_
+#define BASE_SAFE_CONVERSIONS_H_
+
+#include <limits>
+
+#include "base/logging.h"
+#include "base/numerics/safe_conversions_impl.h"
+
+namespace base {
+
+// Convenience function that returns true if the supplied value is in range
+// for the destination type.
+template <typename Dst, typename Src>
+inline bool IsValueInRangeForNumericType(Src value) {
+  return internal::RangeCheck<Dst>(value) == internal::TYPE_VALID;
+}
+
+// checked_cast<> is analogous to static_cast<> for numeric types,
+// except that it CHECKs that the specified numeric conversion will not
+// overflow or underflow. NaN source will always trigger a CHECK.
+template <typename Dst, typename Src>
+inline Dst checked_cast(Src value) {
+  CHECK(IsValueInRangeForNumericType<Dst>(value));
+  return static_cast<Dst>(value);
+}
+
+// saturated_cast<> is analogous to static_cast<> for numeric types, except
+// that the specified numeric conversion will saturate rather than overflow or
+// underflow. NaN assignment to an integral will trigger a CHECK condition.
+template <typename Dst, typename Src>
+inline Dst saturated_cast(Src value) {
+  // Optimization for floating point values, which already saturate.
+  if (std::numeric_limits<Dst>::is_iec559)
+    return static_cast<Dst>(value);
+
+  switch (internal::RangeCheck<Dst>(value)) {
+    case internal::TYPE_VALID:
+      return static_cast<Dst>(value);
+
+    case internal::TYPE_UNDERFLOW:
+      return std::numeric_limits<Dst>::min();
+
+    case internal::TYPE_OVERFLOW:
+      return std::numeric_limits<Dst>::max();
+
+    // Should fail only on attempting to assign NaN to a saturated integer.
+    case internal::TYPE_INVALID:
+      CHECK(false);
+      return std::numeric_limits<Dst>::max();
+  }
+
+  NOTREACHED();
+  return static_cast<Dst>(value);
+}
+
+}  // namespace base
+
+#endif  // BASE_SAFE_CONVERSIONS_H_
+
diff --git a/base/numerics/safe_conversions_impl.h b/base/numerics/safe_conversions_impl.h
new file mode 100644
index 0000000..8bc3021
--- /dev/null
+++ b/base/numerics/safe_conversions_impl.h
@@ -0,0 +1,183 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_SAFE_CONVERSIONS_IMPL_H_
+#define BASE_SAFE_CONVERSIONS_IMPL_H_
+
+#include <limits>
+
+#include "base/macros.h"
+
+namespace base {
+namespace internal {
+
+enum DstSign {
+  DST_UNSIGNED,
+  DST_SIGNED
+};
+
+enum SrcSign {
+  SRC_UNSIGNED,
+  SRC_SIGNED
+};
+
+enum DstRange {
+  OVERLAPS_RANGE,
+  CONTAINS_RANGE
+};
+
+// Helper templates to statically determine if our destination type can contain
+// all values represented by the source type.
+
+template <typename Dst, typename Src,
+          DstSign IsDstSigned = std::numeric_limits<Dst>::is_signed ?
+                                DST_SIGNED : DST_UNSIGNED,
+          SrcSign IsSrcSigned = std::numeric_limits<Src>::is_signed ?
+                                SRC_SIGNED : SRC_UNSIGNED>
+struct StaticRangeCheck {};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_SIGNED, SRC_SIGNED> {
+  typedef std::numeric_limits<Dst> DstLimits;
+  typedef std::numeric_limits<Src> SrcLimits;
+  // Compare based on max_exponent, which we must compute for integrals.
+  static const size_t kDstMaxExponent = DstLimits::is_iec559 ?
+                                        DstLimits::max_exponent :
+                                        (sizeof(Dst) * 8 - 1);
+  static const size_t kSrcMaxExponent = SrcLimits::is_iec559 ?
+                                        SrcLimits::max_exponent :
+                                        (sizeof(Src) * 8 - 1);
+  static const DstRange value = kDstMaxExponent >= kSrcMaxExponent ?
+                                CONTAINS_RANGE : OVERLAPS_RANGE;
+};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_UNSIGNED, SRC_UNSIGNED> {
+  static const DstRange value = sizeof(Dst) >= sizeof(Src) ?
+                                CONTAINS_RANGE : OVERLAPS_RANGE;
+};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_SIGNED, SRC_UNSIGNED> {
+  typedef std::numeric_limits<Dst> DstLimits;
+  typedef std::numeric_limits<Src> SrcLimits;
+  // Compare based on max_exponent, which we must compute for integrals.
+  static const size_t kDstMaxExponent = DstLimits::is_iec559 ?
+                                        DstLimits::max_exponent :
+                                        (sizeof(Dst) * 8 - 1);
+  static const size_t kSrcMaxExponent = sizeof(Src) * 8;
+  static const DstRange value = kDstMaxExponent >= kSrcMaxExponent ?
+                                CONTAINS_RANGE : OVERLAPS_RANGE;
+};
+
+template <typename Dst, typename Src>
+struct StaticRangeCheck<Dst, Src, DST_UNSIGNED, SRC_SIGNED> {
+  static const DstRange value = OVERLAPS_RANGE;
+};
+
+
+enum RangeCheckResult {
+  TYPE_VALID = 0,      // Value can be represented by the destination type.
+  TYPE_UNDERFLOW = 1,  // Value would overflow.
+  TYPE_OVERFLOW = 2,   // Value would underflow.
+  TYPE_INVALID = 3     // Source value is invalid (i.e. NaN).
+};
+
+// This macro creates a RangeCheckResult from an upper and lower bound
+// check by taking advantage of the fact that only NaN can be out of range in
+// both directions at once.
+#define BASE_NUMERIC_RANGE_CHECK_RESULT(is_in_upper_bound, is_in_lower_bound) \
+    RangeCheckResult(((is_in_upper_bound) ? 0 : TYPE_OVERFLOW) | \
+                            ((is_in_lower_bound) ? 0 : TYPE_UNDERFLOW))
+
+template <typename Dst,
+          typename Src,
+          DstSign IsDstSigned = std::numeric_limits<Dst>::is_signed ?
+                                DST_SIGNED : DST_UNSIGNED,
+          SrcSign IsSrcSigned = std::numeric_limits<Src>::is_signed ?
+                                SRC_SIGNED : SRC_UNSIGNED,
+          DstRange IsSrcRangeContained = StaticRangeCheck<Dst, Src>::value>
+struct RangeCheckImpl {};
+
+// The following templates are for ranges that must be verified at runtime. We
+// split it into checks based on signedness to avoid confusing casts and
+// compiler warnings on signed an unsigned comparisons.
+
+// Dst range always contains the result: nothing to check.
+template <typename Dst, typename Src, DstSign IsDstSigned, SrcSign IsSrcSigned>
+struct RangeCheckImpl<Dst, Src, IsDstSigned, IsSrcSigned, CONTAINS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    return TYPE_VALID;
+  }
+};
+
+// Signed to signed narrowing.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_SIGNED, SRC_SIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Dst> DstLimits;
+    return DstLimits::is_iec559 ?
+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()),
+               value >= static_cast<Src>(DstLimits::max() * -1)) :
+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()),
+               value >= static_cast<Src>(DstLimits::min()));
+  }
+};
+
+// Unsigned to unsigned narrowing.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_UNSIGNED, SRC_UNSIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Dst> DstLimits;
+    return BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()), true);
+  }
+};
+
+// Unsigned to signed.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_SIGNED, SRC_UNSIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Dst> DstLimits;
+    return sizeof(Dst) > sizeof(Src) ? TYPE_VALID :
+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()), true);
+  }
+};
+
+// Signed to unsigned.
+template <typename Dst, typename Src>
+struct RangeCheckImpl<Dst, Src, DST_UNSIGNED, SRC_SIGNED, OVERLAPS_RANGE> {
+  static RangeCheckResult Check(Src value) {
+    typedef std::numeric_limits<Dst> DstLimits;
+    typedef std::numeric_limits<Src> SrcLimits;
+    // Compare based on max_exponent, which we must compute for integrals.
+    static const size_t kDstMaxExponent = sizeof(Dst) * 8;
+    static const size_t kSrcMaxExponent = SrcLimits::is_iec559 ?
+                                          SrcLimits::max_exponent :
+                                          (sizeof(Src) * 8 - 1);
+    return (kDstMaxExponent >= kSrcMaxExponent) ?
+           BASE_NUMERIC_RANGE_CHECK_RESULT(true, value >= static_cast<Src>(0)) :
+           BASE_NUMERIC_RANGE_CHECK_RESULT(
+               value <= static_cast<Src>(DstLimits::max()),
+               value >= static_cast<Src>(0));
+  }
+};
+
+template <typename Dst, typename Src>
+inline RangeCheckResult RangeCheck(Src value) {
+  COMPILE_ASSERT(std::numeric_limits<Src>::is_specialized,
+                 argument_must_be_numeric);
+  COMPILE_ASSERT(std::numeric_limits<Dst>::is_specialized,
+                 result_must_be_numeric);
+  return RangeCheckImpl<Dst, Src>::Check(value);
+}
+
+}  // namespace internal
+}  // namespace base
+
+#endif  // BASE_SAFE_CONVERSIONS_IMPL_H_
+
diff --git a/base/numerics/safe_numerics_unittest.cc b/base/numerics/safe_numerics_unittest.cc
new file mode 100644
index 0000000..39eee0a
--- /dev/null
+++ b/base/numerics/safe_numerics_unittest.cc
@@ -0,0 +1,280 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/numerics/safe_conversions.h"
+
+#include <stdint.h>
+
+#include <limits>
+
+#include "base/compiler_specific.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace base {
+namespace internal {
+
+// Enumerates the five different conversions types we need to test.
+enum NumericConversionType {
+  SIGN_PRESERVING_VALUE_PRESERVING,
+  SIGN_PRESERVING_NARROW,
+  SIGN_TO_UNSIGN_WIDEN_OR_EQUAL,
+  SIGN_TO_UNSIGN_NARROW,
+  UNSIGN_TO_SIGN_NARROW_OR_EQUAL,
+};
+
+// Template covering the different conversion tests.
+template <typename Dst, typename Src, NumericConversionType conversion>
+struct TestNumericConversion {};
+
+// EXPECT_EQ wrapper providing specific detail on test failures.
+#define TEST_EXPECTED_RANGE(expected, actual) \
+  EXPECT_EQ(expected, RangeCheck<Dst>(actual)) << \
+  "Conversion test: " << src << " value " << actual << \
+  " to " << dst << " on line " << line;
+
+template <typename Dst, typename Src>
+struct TestNumericConversion<Dst, Src, SIGN_PRESERVING_VALUE_PRESERVING> {
+  static void Test(const char *dst, const char *src, int line) {
+    typedef std::numeric_limits<Src> SrcLimits;
+    typedef std::numeric_limits<Dst> DstLimits;
+                   // Integral to floating.
+    COMPILE_ASSERT((DstLimits::is_iec559 && SrcLimits::is_integer) ||
+                   // Not floating to integral and...
+                   (!(DstLimits::is_integer && SrcLimits::is_iec559) &&
+                    // Same sign, same numeric, source is narrower or same.
+                    ((SrcLimits::is_signed == DstLimits::is_signed &&
+                     sizeof(Dst) >= sizeof(Src)) ||
+                    // Or signed destination and source is smaller
+                     (DstLimits::is_signed && sizeof(Dst) > sizeof(Src)))),
+                   comparison_must_be_sign_preserving_and_value_preserving);
+
+    TEST_EXPECTED_RANGE(TYPE_VALID, SrcLimits::max());
+    TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(1));
+    if (SrcLimits::is_iec559) {
+      TEST_EXPECTED_RANGE(TYPE_VALID, SrcLimits::max() * static_cast<Src>(-1));
+      TEST_EXPECTED_RANGE(TYPE_OVERFLOW, SrcLimits::infinity());
+      TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::infinity() * -1);
+      TEST_EXPECTED_RANGE(TYPE_INVALID, SrcLimits::quiet_NaN());
+    } else if (std::numeric_limits<Src>::is_signed) {
+      TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(-1));
+      TEST_EXPECTED_RANGE(TYPE_VALID, SrcLimits::min());
+    }
+  }
+};
+
+template <typename Dst, typename Src>
+struct TestNumericConversion<Dst, Src, SIGN_PRESERVING_NARROW> {
+  static void Test(const char *dst, const char *src, int line) {
+    typedef std::numeric_limits<Src> SrcLimits;
+    typedef std::numeric_limits<Dst> DstLimits;
+    COMPILE_ASSERT(SrcLimits::is_signed == DstLimits::is_signed,
+                   destination_and_source_sign_must_be_the_same);
+    COMPILE_ASSERT(sizeof(Dst) < sizeof(Src) ||
+                   (DstLimits::is_integer && SrcLimits::is_iec559),
+                   destination_must_be_narrower_than_source);
+
+    TEST_EXPECTED_RANGE(TYPE_OVERFLOW, SrcLimits::max());
+    TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(1));
+    if (SrcLimits::is_iec559) {
+      TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::max() * -1);
+      TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(-1));
+      TEST_EXPECTED_RANGE(TYPE_OVERFLOW, SrcLimits::infinity());
+      TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::infinity() * -1);
+      TEST_EXPECTED_RANGE(TYPE_INVALID, SrcLimits::quiet_NaN());
+    } else if (SrcLimits::is_signed) {
+      TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::min());
+      TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(-1));
+    } else {
+      TEST_EXPECTED_RANGE(TYPE_VALID, SrcLimits::min());
+    }
+  }
+};
+
+template <typename Dst, typename Src>
+struct TestNumericConversion<Dst, Src, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL> {
+  static void Test(const char *dst, const char *src, int line) {
+    typedef std::numeric_limits<Src> SrcLimits;
+    typedef std::numeric_limits<Dst> DstLimits;
+    COMPILE_ASSERT(sizeof(Dst) >= sizeof(Src),
+                   destination_must_be_equal_or_wider_than_source);
+    COMPILE_ASSERT(SrcLimits::is_signed, source_must_be_signed);
+    COMPILE_ASSERT(!DstLimits::is_signed, destination_must_be_unsigned);
+
+    TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::min());
+    TEST_EXPECTED_RANGE(TYPE_VALID, SrcLimits::max());
+    TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(1));
+    TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, static_cast<Src>(-1));
+  }
+};
+
+template <typename Dst, typename Src>
+struct TestNumericConversion<Dst, Src, SIGN_TO_UNSIGN_NARROW> {
+  static void Test(const char *dst, const char *src, int line) {
+    typedef std::numeric_limits<Src> SrcLimits;
+    typedef std::numeric_limits<Dst> DstLimits;
+    COMPILE_ASSERT((DstLimits::is_integer && SrcLimits::is_iec559) ||
+                   (sizeof(Dst) < sizeof(Src)),
+      destination_must_be_narrower_than_source);
+    COMPILE_ASSERT(SrcLimits::is_signed, source_must_be_signed);
+    COMPILE_ASSERT(!DstLimits::is_signed, destination_must_be_unsigned);
+
+    TEST_EXPECTED_RANGE(TYPE_OVERFLOW, SrcLimits::max());
+    TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(1));
+    TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, static_cast<Src>(-1));
+    if (SrcLimits::is_iec559) {
+      TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::max() * -1);
+      TEST_EXPECTED_RANGE(TYPE_OVERFLOW, SrcLimits::infinity());
+      TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::infinity() * -1);
+      TEST_EXPECTED_RANGE(TYPE_INVALID, SrcLimits::quiet_NaN());
+    } else {
+      TEST_EXPECTED_RANGE(TYPE_UNDERFLOW, SrcLimits::min());
+    }
+  }
+};
+
+template <typename Dst, typename Src>
+struct TestNumericConversion<Dst, Src, UNSIGN_TO_SIGN_NARROW_OR_EQUAL> {
+  static void Test(const char *dst, const char *src, int line) {
+    typedef std::numeric_limits<Src> SrcLimits;
+    typedef std::numeric_limits<Dst> DstLimits;
+    COMPILE_ASSERT(sizeof(Dst) <= sizeof(Src),
+                   destination_must_be_narrower_or_equal_to_source);
+    COMPILE_ASSERT(!SrcLimits::is_signed, source_must_be_unsigned);
+    COMPILE_ASSERT(DstLimits::is_signed, destination_must_be_signed);
+
+    TEST_EXPECTED_RANGE(TYPE_VALID, SrcLimits::min());
+    TEST_EXPECTED_RANGE(TYPE_OVERFLOW, SrcLimits::max());
+    TEST_EXPECTED_RANGE(TYPE_VALID, static_cast<Src>(1));
+  }
+};
+
+// Helper macro to wrap displaying the conversion types and line numbers
+#define TEST_NUMERIC_CONVERSION(d, s, t) \
+  TestNumericConversion<d, s, t>::Test(#d, #s, __LINE__)
+
+TEST(SafeNumerics, IntMinConversions) {
+  TEST_NUMERIC_CONVERSION(int8_t, int8_t, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(uint8_t, uint8_t, SIGN_PRESERVING_VALUE_PRESERVING);
+
+  TEST_NUMERIC_CONVERSION(int8_t, int, SIGN_PRESERVING_NARROW);
+  TEST_NUMERIC_CONVERSION(uint8_t, unsigned int, SIGN_PRESERVING_NARROW);
+  TEST_NUMERIC_CONVERSION(int8_t, float, SIGN_PRESERVING_NARROW);
+
+  TEST_NUMERIC_CONVERSION(uint8_t, int8_t, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL);
+
+  TEST_NUMERIC_CONVERSION(uint8_t, int, SIGN_TO_UNSIGN_NARROW);
+  TEST_NUMERIC_CONVERSION(uint8_t, intmax_t, SIGN_TO_UNSIGN_NARROW);
+  TEST_NUMERIC_CONVERSION(uint8_t, float, SIGN_TO_UNSIGN_NARROW);
+
+  TEST_NUMERIC_CONVERSION(int8_t, unsigned int, UNSIGN_TO_SIGN_NARROW_OR_EQUAL);
+  TEST_NUMERIC_CONVERSION(int8_t, uintmax_t, UNSIGN_TO_SIGN_NARROW_OR_EQUAL);
+}
+
+TEST(SafeNumerics, IntConversions) {
+  TEST_NUMERIC_CONVERSION(int, int, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(unsigned int, unsigned int,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(int, int8_t, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(unsigned int, uint8_t,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(int, uint8_t, SIGN_PRESERVING_VALUE_PRESERVING);
+
+  TEST_NUMERIC_CONVERSION(int, intmax_t, SIGN_PRESERVING_NARROW);
+  TEST_NUMERIC_CONVERSION(unsigned int, uintmax_t, SIGN_PRESERVING_NARROW);
+  TEST_NUMERIC_CONVERSION(int, float, SIGN_PRESERVING_NARROW);
+  TEST_NUMERIC_CONVERSION(int, double, SIGN_PRESERVING_NARROW);
+
+  TEST_NUMERIC_CONVERSION(unsigned int, int, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL);
+  TEST_NUMERIC_CONVERSION(unsigned int, int8_t, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL);
+
+  TEST_NUMERIC_CONVERSION(unsigned int, intmax_t, SIGN_TO_UNSIGN_NARROW);
+  TEST_NUMERIC_CONVERSION(unsigned int, float, SIGN_TO_UNSIGN_NARROW);
+  TEST_NUMERIC_CONVERSION(unsigned int, double, SIGN_TO_UNSIGN_NARROW);
+
+  TEST_NUMERIC_CONVERSION(int, unsigned int, UNSIGN_TO_SIGN_NARROW_OR_EQUAL);
+  TEST_NUMERIC_CONVERSION(int, uintmax_t, UNSIGN_TO_SIGN_NARROW_OR_EQUAL);
+}
+
+TEST(SafeNumerics, IntMaxConversions) {
+  TEST_NUMERIC_CONVERSION(intmax_t, intmax_t, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(uintmax_t, uintmax_t,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(intmax_t, int, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(uintmax_t, unsigned int,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(intmax_t, unsigned int,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(intmax_t, uint8_t, SIGN_PRESERVING_VALUE_PRESERVING);
+
+  TEST_NUMERIC_CONVERSION(intmax_t, float, SIGN_PRESERVING_NARROW);
+  TEST_NUMERIC_CONVERSION(intmax_t, double, SIGN_PRESERVING_NARROW);
+
+  TEST_NUMERIC_CONVERSION(uintmax_t, int, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL);
+  TEST_NUMERIC_CONVERSION(uintmax_t, int8_t, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL);
+
+  TEST_NUMERIC_CONVERSION(uintmax_t, float, SIGN_TO_UNSIGN_NARROW);
+  TEST_NUMERIC_CONVERSION(uintmax_t, double, SIGN_TO_UNSIGN_NARROW);
+
+  TEST_NUMERIC_CONVERSION(intmax_t, uintmax_t, UNSIGN_TO_SIGN_NARROW_OR_EQUAL);
+}
+
+TEST(SafeNumerics, FloatConversions) {
+  TEST_NUMERIC_CONVERSION(float, intmax_t, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(float, uintmax_t,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(float, int, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(float, unsigned int,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+
+  TEST_NUMERIC_CONVERSION(float, double, SIGN_PRESERVING_NARROW);
+}
+
+TEST(SafeNumerics, DoubleConversions) {
+  TEST_NUMERIC_CONVERSION(double, intmax_t, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(double, uintmax_t,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(double, int, SIGN_PRESERVING_VALUE_PRESERVING);
+  TEST_NUMERIC_CONVERSION(double, unsigned int,
+                          SIGN_PRESERVING_VALUE_PRESERVING);
+}
+
+TEST(SafeNumerics, SizeTConversions) {
+  TEST_NUMERIC_CONVERSION(size_t, int, SIGN_TO_UNSIGN_WIDEN_OR_EQUAL);
+  TEST_NUMERIC_CONVERSION(int, size_t, UNSIGN_TO_SIGN_NARROW_OR_EQUAL);
+}
+
+TEST(SafeNumerics, CastTests) {
+// MSVC catches and warns that we're forcing saturation in these tests.
+// Since that's intentional, we need to shut this warning off.
+#if defined(COMPILER_MSVC)
+#pragma warning(disable : 4756)
+#endif
+
+  int small_positive = 1;
+  int small_negative = -1;
+  double double_small = 1.0;
+  double double_large = std::numeric_limits<double>::max();
+  double double_infinity = std::numeric_limits<float>::infinity();
+
+  // Just test that the cast compiles, since the other tests cover logic.
+  EXPECT_EQ(0, base::checked_cast<int>(static_cast<size_t>(0)));
+
+  // Test various saturation corner cases.
+  EXPECT_EQ(saturated_cast<int>(small_negative),
+            static_cast<int>(small_negative));
+  EXPECT_EQ(saturated_cast<int>(small_positive),
+            static_cast<int>(small_positive));
+  EXPECT_EQ(saturated_cast<unsigned>(small_negative),
+            static_cast<unsigned>(0));
+  EXPECT_EQ(saturated_cast<int>(double_small),
+            static_cast<int>(double_small));
+  EXPECT_EQ(saturated_cast<int>(double_large),
+            std::numeric_limits<int>::max());
+  EXPECT_EQ(saturated_cast<float>(double_large), double_infinity);
+  EXPECT_EQ(saturated_cast<float>(-double_large), -double_infinity);
+}
+
+}  // namespace internal
+}  // namespace base
+