[TOC]
These handy tips apply in any memory management situation and in any kind of IPC situation (classic Chromium IPC, Mojo, Windows/POSIX IPC, Mach IPC, files, sockets, parsing binary formats, ...).
Basically, don't believe the lie that 'computers are good at arithmetic'. In general, unless you explicitly check an arithmetic operation, it's safest to assume the operation went wrong. The least painful way to systematically check arithmetic is Chromium's base/numerics templates and helper functions.
First read about the scary security implications of integer arithmetic in C/C++. Adhere to these best practices:
- Use the integer templates and cast templates in base/numerics to avoid overflows, especially when calculating the size or offset of memory allocations.
- Use unsigned types for values that shouldn't be negative or where defined overflow behavior is required. (Overflow is undefined behavior for signed types!)
- Across any process boundary, use explicitly sized integer types, such as
int32_t,int64_t, oruint32_t, since caller and callee could potentially use different interpretations of implicitly-sized types likeintorlong. (For example, a 64-bit browser process and a 32-bit plug-in process might interpretlongdifferently.)
When writing code for Chromium on Android, you will often need to marshall
arrays, and their sizes and indices, across the language barrier (and possibly
also across the IPC barrier). The trouble here is that the Java integer types
are well-defined, but the C++ integer types are whimsical. A Java int is a
signed 32-bit integer with well-defined overflow semantics, and a Java long is
a signed 64-bit integer with well-defined overflow semantics. in C++, only the
explicitly-sized types (e.g. int32_t) have guaranteed exact sizes, and only
unsigned integers (of any size) have defined overflow semantics.
Essentially, Java integers actually are what people often (incorrectly)
assume C++ integers are. Furthermore, Java Arrays are indexed with Java
ints, whereas C++ arrays are indexed with size_t (often implicitly cast, of
course). Note that this also implies a 2^31 limit on the number of elements in
an array that is coming from or going to Java. That Should Be Enough For
Anybody, but it's good to keep in mind.
You need to make sure that every integer value survives its journey across
languages intact. That generally means explicit casts with range checks; the
easiest way to do this is with the base::checked_cast or (much less likely)
base::saturated_cast templates in base/numerics. Depending on how the integer
object is going to be used, and in which direction the value is flowing, it may
make sense to cast the value to jint (an ID or regular integer), jlong (a
regular long integer), size_t (a size or index), or one of the other more
exotic C/C++ integer types like off_t.
Here is some good reading on integers in JavaScript. TL;DR:
- Normal JavaScript
Numbers have a 'safe' integer range of 53 bits (signed). SeeNumber.isSafeInteger,Number.MIN_SAFE_INTEGER, andNumber.MAX_SAFE_INTEGER. - Array indices are unsigned 32-bit values.
- Character codes (
fromCharCode,charCodeAt) are unsigned 16-bit values.