xref: /linux/include/linux/minmax.h (revision 21b136cc63d2a9ddd60d4699552b69c214b32964)
1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _LINUX_MINMAX_H
3 #define _LINUX_MINMAX_H
4 
5 #include <linux/build_bug.h>
6 #include <linux/compiler.h>
7 #include <linux/const.h>
8 #include <linux/types.h>
9 
10 /*
11  * min()/max()/clamp() macros must accomplish three things:
12  *
13  * - Avoid multiple evaluations of the arguments (so side-effects like
14  *   "x++" happen only once) when non-constant.
15  * - Retain result as a constant expressions when called with only
16  *   constant expressions (to avoid tripping VLA warnings in stack
17  *   allocation usage).
18  * - Perform signed v unsigned type-checking (to generate compile
19  *   errors instead of nasty runtime surprises).
20  * - Unsigned char/short are always promoted to signed int and can be
21  *   compared against signed or unsigned arguments.
22  * - Unsigned arguments can be compared against non-negative signed constants.
23  * - Comparison of a signed argument against an unsigned constant fails
24  *   even if the constant is below __INT_MAX__ and could be cast to int.
25  */
26 #define __typecheck(x, y) \
27 	(!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
28 
29 /*
30  * __sign_use for integer expressions:
31  *   bit #0 set if ok for unsigned comparisons
32  *   bit #1 set if ok for signed comparisons
33  *
34  * In particular, statically non-negative signed integer
35  * expressions are ok for both.
36  *
37  * NOTE! Unsigned types smaller than 'int' are implicitly
38  * converted to 'int' in expressions, and are accepted for
39  * signed conversions for now. This is debatable.
40  *
41  * Note that 'x' is the original expression, and 'ux' is
42  * the unique variable that contains the value.
43  *
44  * We use 'ux' for pure type checking, and 'x' for when
45  * we need to look at the value (but without evaluating
46  * it for side effects! Careful to only ever evaluate it
47  * with sizeof() or __builtin_constant_p() etc).
48  *
49  * Pointers end up being checked by the normal C type
50  * rules at the actual comparison, and these expressions
51  * only need to be careful to not cause warnings for
52  * pointer use.
53  */
54 #define __signed_type_use(x,ux) (2+__is_nonneg(x,ux))
55 #define __unsigned_type_use(x,ux) (1+2*(sizeof(ux)<4))
56 #define __sign_use(x,ux) (is_signed_type(typeof(ux))? \
57 	__signed_type_use(x,ux):__unsigned_type_use(x,ux))
58 
59 /*
60  * To avoid warnings about casting pointers to integers
61  * of different sizes, we need that special sign type.
62  *
63  * On 64-bit we can just always use 'long', since any
64  * integer or pointer type can just be cast to that.
65  *
66  * This does not work for 128-bit signed integers since
67  * the cast would truncate them, but we do not use s128
68  * types in the kernel (we do use 'u128', but they will
69  * be handled by the !is_signed_type() case).
70  *
71  * NOTE! The cast is there only to avoid any warnings
72  * from when values that aren't signed integer types.
73  */
74 #ifdef CONFIG_64BIT
75   #define __signed_type(ux) long
76 #else
77   #define __signed_type(ux) typeof(__builtin_choose_expr(sizeof(ux)>4,1LL,1L))
78 #endif
79 #define __is_nonneg(x,ux) statically_true((__signed_type(ux))(x)>=0)
80 
81 #define __types_ok(x,y,ux,uy) \
82 	(__sign_use(x,ux) & __sign_use(y,uy))
83 
84 #define __types_ok3(x,y,z,ux,uy,uz) \
85 	(__sign_use(x,ux) & __sign_use(y,uy) & __sign_use(z,uz))
86 
87 #define __cmp_op_min <
88 #define __cmp_op_max >
89 
90 #define __cmp(op, x, y)	((x) __cmp_op_##op (y) ? (x) : (y))
91 
92 #define __cmp_once_unique(op, type, x, y, ux, uy) \
93 	({ type ux = (x); type uy = (y); __cmp(op, ux, uy); })
94 
95 #define __cmp_once(op, type, x, y) \
96 	__cmp_once_unique(op, type, x, y, __UNIQUE_ID(x_), __UNIQUE_ID(y_))
97 
98 #define __careful_cmp_once(op, x, y, ux, uy) ({		\
99 	__auto_type ux = (x); __auto_type uy = (y);	\
100 	BUILD_BUG_ON_MSG(!__types_ok(x,y,ux,uy),	\
101 		#op"("#x", "#y") signedness error");	\
102 	__cmp(op, ux, uy); })
103 
104 #define __careful_cmp(op, x, y) \
105 	__careful_cmp_once(op, x, y, __UNIQUE_ID(x_), __UNIQUE_ID(y_))
106 
107 #define __clamp(val, lo, hi)	\
108 	((val) >= (hi) ? (hi) : ((val) <= (lo) ? (lo) : (val)))
109 
110 #define __clamp_once(val, lo, hi, uval, ulo, uhi) ({				\
111 	__auto_type uval = (val);						\
112 	__auto_type ulo = (lo);							\
113 	__auto_type uhi = (hi);							\
114 	static_assert(__builtin_choose_expr(__is_constexpr((lo) > (hi)), 	\
115 			(lo) <= (hi), true),					\
116 		"clamp() low limit " #lo " greater than high limit " #hi);	\
117 	BUILD_BUG_ON_MSG(!__types_ok3(val,lo,hi,uval,ulo,uhi),			\
118 		"clamp("#val", "#lo", "#hi") signedness error");		\
119 	__clamp(uval, ulo, uhi); })
120 
121 #define __careful_clamp(val, lo, hi) \
122 	__clamp_once(val, lo, hi, __UNIQUE_ID(v_), __UNIQUE_ID(l_), __UNIQUE_ID(h_))
123 
124 /**
125  * min - return minimum of two values of the same or compatible types
126  * @x: first value
127  * @y: second value
128  */
129 #define min(x, y)	__careful_cmp(min, x, y)
130 
131 /**
132  * max - return maximum of two values of the same or compatible types
133  * @x: first value
134  * @y: second value
135  */
136 #define max(x, y)	__careful_cmp(max, x, y)
137 
138 /**
139  * umin - return minimum of two non-negative values
140  *   Signed types are zero extended to match a larger unsigned type.
141  * @x: first value
142  * @y: second value
143  */
144 #define umin(x, y)	\
145 	__careful_cmp(min, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull)
146 
147 /**
148  * umax - return maximum of two non-negative values
149  * @x: first value
150  * @y: second value
151  */
152 #define umax(x, y)	\
153 	__careful_cmp(max, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull)
154 
155 #define __careful_op3(op, x, y, z, ux, uy, uz) ({			\
156 	__auto_type ux = (x); __auto_type uy = (y);__auto_type uz = (z);\
157 	BUILD_BUG_ON_MSG(!__types_ok3(x,y,z,ux,uy,uz),			\
158 		#op"3("#x", "#y", "#z") signedness error");		\
159 	__cmp(op, ux, __cmp(op, uy, uz)); })
160 
161 /**
162  * min3 - return minimum of three values
163  * @x: first value
164  * @y: second value
165  * @z: third value
166  */
167 #define min3(x, y, z) \
168 	__careful_op3(min, x, y, z, __UNIQUE_ID(x_), __UNIQUE_ID(y_), __UNIQUE_ID(z_))
169 
170 /**
171  * max3 - return maximum of three values
172  * @x: first value
173  * @y: second value
174  * @z: third value
175  */
176 #define max3(x, y, z) \
177 	__careful_op3(max, x, y, z, __UNIQUE_ID(x_), __UNIQUE_ID(y_), __UNIQUE_ID(z_))
178 
179 /**
180  * min_not_zero - return the minimum that is _not_ zero, unless both are zero
181  * @x: value1
182  * @y: value2
183  */
184 #define min_not_zero(x, y) ({			\
185 	typeof(x) __x = (x);			\
186 	typeof(y) __y = (y);			\
187 	__x == 0 ? __y : ((__y == 0) ? __x : min(__x, __y)); })
188 
189 /**
190  * clamp - return a value clamped to a given range with strict typechecking
191  * @val: current value
192  * @lo: lowest allowable value
193  * @hi: highest allowable value
194  *
195  * This macro does strict typechecking of @lo/@hi to make sure they are of the
196  * same type as @val.  See the unnecessary pointer comparisons.
197  */
198 #define clamp(val, lo, hi) __careful_clamp(val, lo, hi)
199 
200 /*
201  * ..and if you can't take the strict
202  * types, you can specify one yourself.
203  *
204  * Or not use min/max/clamp at all, of course.
205  */
206 
207 /**
208  * min_t - return minimum of two values, using the specified type
209  * @type: data type to use
210  * @x: first value
211  * @y: second value
212  */
213 #define min_t(type, x, y) __cmp_once(min, type, x, y)
214 
215 /**
216  * max_t - return maximum of two values, using the specified type
217  * @type: data type to use
218  * @x: first value
219  * @y: second value
220  */
221 #define max_t(type, x, y) __cmp_once(max, type, x, y)
222 
223 /*
224  * Do not check the array parameter using __must_be_array().
225  * In the following legit use-case where the "array" passed is a simple pointer,
226  * __must_be_array() will return a failure.
227  * --- 8< ---
228  * int *buff
229  * ...
230  * min = min_array(buff, nb_items);
231  * --- 8< ---
232  *
233  * The first typeof(&(array)[0]) is needed in order to support arrays of both
234  * 'int *buff' and 'int buff[N]' types.
235  *
236  * The array can be an array of const items.
237  * typeof() keeps the const qualifier. Use __unqual_scalar_typeof() in order
238  * to discard the const qualifier for the __element variable.
239  */
240 #define __minmax_array(op, array, len) ({				\
241 	typeof(&(array)[0]) __array = (array);				\
242 	typeof(len) __len = (len);					\
243 	__unqual_scalar_typeof(__array[0]) __element = __array[--__len];\
244 	while (__len--)							\
245 		__element = op(__element, __array[__len]);		\
246 	__element; })
247 
248 /**
249  * min_array - return minimum of values present in an array
250  * @array: array
251  * @len: array length
252  *
253  * Note that @len must not be zero (empty array).
254  */
255 #define min_array(array, len) __minmax_array(min, array, len)
256 
257 /**
258  * max_array - return maximum of values present in an array
259  * @array: array
260  * @len: array length
261  *
262  * Note that @len must not be zero (empty array).
263  */
264 #define max_array(array, len) __minmax_array(max, array, len)
265 
266 /**
267  * clamp_t - return a value clamped to a given range using a given type
268  * @type: the type of variable to use
269  * @val: current value
270  * @lo: minimum allowable value
271  * @hi: maximum allowable value
272  *
273  * This macro does no typechecking and uses temporary variables of type
274  * @type to make all the comparisons.
275  */
276 #define clamp_t(type, val, lo, hi) __careful_clamp((type)(val), (type)(lo), (type)(hi))
277 
278 /**
279  * clamp_val - return a value clamped to a given range using val's type
280  * @val: current value
281  * @lo: minimum allowable value
282  * @hi: maximum allowable value
283  *
284  * This macro does no typechecking and uses temporary variables of whatever
285  * type the input argument @val is.  This is useful when @val is an unsigned
286  * type and @lo and @hi are literals that will otherwise be assigned a signed
287  * integer type.
288  */
289 #define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
290 
in_range64(u64 val,u64 start,u64 len)291 static inline bool in_range64(u64 val, u64 start, u64 len)
292 {
293 	return (val - start) < len;
294 }
295 
in_range32(u32 val,u32 start,u32 len)296 static inline bool in_range32(u32 val, u32 start, u32 len)
297 {
298 	return (val - start) < len;
299 }
300 
301 /**
302  * in_range - Determine if a value lies within a range.
303  * @val: Value to test.
304  * @start: First value in range.
305  * @len: Number of values in range.
306  *
307  * This is more efficient than "if (start <= val && val < (start + len))".
308  * It also gives a different answer if @start + @len overflows the size of
309  * the type by a sufficient amount to encompass @val.  Decide for yourself
310  * which behaviour you want, or prove that start + len never overflow.
311  * Do not blindly replace one form with the other.
312  */
313 #define in_range(val, start, len)					\
314 	((sizeof(start) | sizeof(len) | sizeof(val)) <= sizeof(u32) ?	\
315 		in_range32(val, start, len) : in_range64(val, start, len))
316 
317 /**
318  * swap - swap values of @a and @b
319  * @a: first value
320  * @b: second value
321  */
322 #define swap(a, b) \
323 	do { typeof(a) __tmp = (a); (a) = (b); (b) = __tmp; } while (0)
324 
325 /*
326  * Use these carefully: no type checking, and uses the arguments
327  * multiple times. Use for obvious constants only.
328  */
329 #define MIN(a,b) __cmp(min,a,b)
330 #define MAX(a,b) __cmp(max,a,b)
331 #define MIN_T(type,a,b) __cmp(min,(type)(a),(type)(b))
332 #define MAX_T(type,a,b) __cmp(max,(type)(a),(type)(b))
333 
334 #endif	/* _LINUX_MINMAX_H */
335