David Benjamin (Gerrit)

unread,

Nov 12, 2025, 3:38:05 PM (2 days ago) Nov 12

to Daniel Cheng, Tom Sepez, Chromium LUCI CQ, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org

Attention needed from Daniel Cheng

David Benjamin added 2 comments

File base/numerics/checked_math.h

Line 59, Patchset 4 (Latest): // `predicate`'s single parameter.

David Benjamin . unresolved

Not a strong feeling either way, just an idle thought: the conversion case seems like this is really two values in one: `Cast<OtherType>()` and `IsValidAnd`.

Would it make sense to make this specifically take the underlying type, and then explicitly call `Cast<uint16_t>().IsValidAnd(...)` if folks want the other type?

File base/safe_numerics_unittest.cc

Line 1683, Patchset 3:

    EXPECT_FALSE(invalid.IsValidAnd(IntGreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(IntLessThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int64GreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int64LessThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int16GreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int16LessThanZero));

Tom Sepez . unresolved

given that I have faith that lambda captures work correctly, do we need to test all these named functions? Alternatively, do we just test the named functions?

David Benjamin

There also aren't any lambda captures involved anyway. 😊

Open in Gerrit

Related details

Attention is currently required from:

Daniel Cheng

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Daniel Cheng (Gerrit)

unread,

Nov 12, 2025, 8:17:17 PM (2 days ago) Nov 12

to Daniel Cheng, Tom Sepez, David Benjamin, Chromium LUCI CQ, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org

Attention needed from David Benjamin and Tom Sepez

Daniel Cheng added 3 comments

File base/numerics/checked_math.h

Line 59, Patchset 4: // `predicate`'s single parameter.

David Benjamin . unresolved

Not a strong feeling either way, just an idle thought: the conversion case seems like this is really two values in one: `Cast<OtherType>()` and `IsValidAnd`.
Would it make sense to make this specifically take the underlying type, and then explicitly call `Cast<uint16_t>().IsValidAnd(...)` if folks want the other type?

Daniel Cheng

I don't love making people write out types twice, even if they're relatively short in this case. The problem (to me) is it's not always clear what the result of `base::CheckAdd(...)` will be, especially if the two arms differ in types.

Other possibilities are to allow this API to work without an explicit argument if the types match exactly and requirement an explicit type argument otherwise. Always requiring an exact match would be a bit cumbersome IMO. But... it's a bit clunky either way.

I settled with this, but it is definitely a little magical. I'll link this out to see if there are other general opinions.

File base/safe_numerics_unittest.cc

Line 1655, Patchset 3:

static bool IntGreaterThanZero(int value) {
  return value > 0;
}

static bool IntLessThanZero(int value) {
  return value < 0;
}

static bool Int64GreaterThanZero(int64_t value) {
  return value > 0;
}

static bool Int64LessThanZero(int64_t value) {
  return value < 0;
}

static bool Int16GreaterThanZero(int16_t value) {
  return value > 0;
}

static bool Int16LessThanZero(int16_t value) {
  return value < 0;
}

Tom Sepez . resolved

Maybe these should have side-effects, so we can check if they were short-circuited. Or gmock matchers.

Daniel Cheng

Done

Line 1683, Patchset 3:

    EXPECT_FALSE(invalid.IsValidAnd(IntGreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(IntLessThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int64GreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int64LessThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int16GreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int16LessThanZero));

Tom Sepez . unresolved

given that I have faith that lambda captures work correctly, do we need to test all these named functions? Alternatively, do we just test the named functions?

David Benjamin

There also aren't any lambda captures involved anyway. 😊

Daniel Cheng

Well, now there are 😊

It's mostly to test the traits work, but then it looks kind of weird if we only have some of the cases IMO. I will concede it looks very verbose.

Open in Gerrit

Related details

Attention is currently required from:

David Benjamin
Tom Sepez

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Tom Sepez (Gerrit)

unread,

Nov 13, 2025, 1:04:07 PM (yesterday) Nov 13

to Daniel Cheng, David Benjamin, Chromium LUCI CQ, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org

Attention needed from Daniel Cheng and David Benjamin

Tom Sepez added 1 comment

File base/safe_numerics_unittest.cc

Line 1655, Patchset 5 (Latest):static bool* did_call_predicate = nullptr;

Tom Sepez . unresolved

bleh on mutable global storage. Maybe only check the short-circuiting via lambda capture by referecne of a local variable.

Open in Gerrit

Related details

Attention is currently required from:

Daniel Cheng
David Benjamin

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

David Benjamin (Gerrit)

unread,

Nov 13, 2025, 4:17:24 PM (yesterday) Nov 13

to Daniel Cheng, Tom Sepez, Chromium LUCI CQ, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org

Attention needed from Daniel Cheng

David Benjamin added 1 comment

File base/numerics/checked_math.h

Line 59, Patchset 4: // `predicate`'s single parameter.

David Benjamin . unresolved

Not a strong feeling either way, just an idle thought: the conversion case seems like this is really two values in one: `Cast<OtherType>()` and `IsValidAnd`.
Would it make sense to make this specifically take the underlying type, and then explicitly call `Cast<uint16_t>().IsValidAnd(...)` if folks want the other type?

Daniel Cheng

I don't love making people write out types twice, even if they're relatively short in this case. The problem (to me) is it's not always clear what the result of `base::CheckAdd(...)` will be, especially if the two arms differ in types.
Other possibilities are to allow this API to work without an explicit argument if the types match exactly and requirement an explicit type argument otherwise. Always requiring an exact match would be a bit cumbersome IMO. But... it's a bit clunky either way.
I settled with this, but it is definitely a little magical. I'll link this out to see if there are other general opinions.

David Benjamin

Fair enough. (I don't have strong feelings here. Just an idle thought.)

Open in Gerrit

Related details

Attention is currently required from:

Daniel Cheng

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Tom Sepez (Gerrit)

unread,

6:39 PM (4 hours ago) 6:39 PM

to Daniel Cheng, David Benjamin, Chromium LUCI CQ, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org

Attention needed from Daniel Cheng

Tom Sepez voted Code-Review+1

Code-Review

+1

Open in Gerrit

Related details

Attention is currently required from:

Daniel Cheng

Submit Requirements:

Code-Coverage
Code-Owners

Code-Review

No-Unresolved-Comments

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Daniel Cheng (Gerrit)

unread,

8:19 PM (3 hours ago) 8:19 PM

to Daniel Cheng, Tom Sepez, David Benjamin, Chromium LUCI CQ, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org

Attention needed from David Benjamin

Daniel Cheng voted and added 3 comments

Votes added by Daniel Cheng

Commit-Queue

+2

3 comments

File base/numerics/checked_math.h

Line 59, Patchset 4: // `predicate`'s single parameter.

David Benjamin . resolved

Not a strong feeling either way, just an idle thought: the conversion case seems like this is really two values in one: `Cast<OtherType>()` and `IsValidAnd`.
Would it make sense to make this specifically take the underlying type, and then explicitly call `Cast<uint16_t>().IsValidAnd(...)` if folks want the other type?

Daniel Cheng

I don't love making people write out types twice, even if they're relatively short in this case. The problem (to me) is it's not always clear what the result of `base::CheckAdd(...)` will be, especially if the two arms differ in types.
Other possibilities are to allow this API to work without an explicit argument if the types match exactly and requirement an explicit type argument otherwise. Always requiring an exact match would be a bit cumbersome IMO. But... it's a bit clunky either way.
I settled with this, but it is definitely a little magical. I'll link this out to see if there are other general opinions.

David Benjamin

Fair enough. (I don't have strong feelings here. Just an idle thought.)

Daniel Cheng

Acknowledged

File base/safe_numerics_unittest.cc

Line 1655, Patchset 5 (Latest):static bool* did_call_predicate = nullptr;

Tom Sepez . resolved

bleh on mutable global storage. Maybe only check the short-circuiting via lambda capture by referecne of a local variable.

Daniel Cheng

As discussed offline, landing as-is (but for the record, I agree that globals aren't great)

Line 1683, Patchset 3:

    EXPECT_FALSE(invalid.IsValidAnd(IntGreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(IntLessThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int64GreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int64LessThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int16GreaterThanZero));
    EXPECT_FALSE(invalid.IsValidAnd(Int16LessThanZero));

Tom Sepez . resolved

given that I have faith that lambda captures work correctly, do we need to test all these named functions? Alternatively, do we just test the named functions?

David Benjamin

There also aren't any lambda captures involved anyway. 😊

Daniel Cheng

Well, now there are 😊
It's mostly to test the traits work, but then it looks kind of weird if we only have some of the cases IMO. I will concede it looks very verbose.

Daniel Cheng

Acknowledged

Open in Gerrit

Related details

Attention is currently required from:

David Benjamin

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Chromium LUCI CQ (Gerrit)

unread,

9:17 PM (2 hours ago) 9:17 PM

to Daniel Cheng, Tom Sepez, David Benjamin, chromium...@chromium.org, blink-re...@chromium.org, blink-...@chromium.org, kinuko...@chromium.org

Chromium LUCI CQ submitted the change

Change information

Commit message:

Add IsValidAnd() and IsInvalidOr() helpers to CheckedNumeric

Bug: 459848847

Change-Id: Ib09e4c5d3631c3ba18bc33a915cb74729a1a69d5

Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7144738

Reviewed-by: Tom Sepez <tse...@chromium.org>

Commit-Queue: Daniel Cheng <dch...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#1545375}

Files:

M base/numerics/checked_math.h
M base/numerics/checked_math_impl.h
M base/safe_numerics_nocompile.nc
M base/safe_numerics_unittest.cc

Change size: L

Delta: 4 files changed, 516 insertions(+), 0 deletions(-)

Branch: refs/heads/main

Submit Requirements:

Code-Review: +1 by Tom Sepez

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

Add IsValidAnd() and IsInvalidOr() helpers to CheckedNumeric [chromium/src : main]

David Benjamin (Gerrit)

David Benjamin added 2 comments

Related details

Daniel Cheng (Gerrit)

Daniel Cheng added 3 comments

Related details

Tom Sepez (Gerrit)

Tom Sepez added 1 comment

Related details

David Benjamin (Gerrit)

David Benjamin added 1 comment

Related details

Tom Sepez (Gerrit)

Tom Sepez voted Code-Review+1

Related details

Daniel Cheng (Gerrit)

Daniel Cheng voted and added 3 comments

Votes added by Daniel Cheng

3 comments

Related details

Chromium LUCI CQ (Gerrit)

Chromium LUCI CQ submitted the change

Change information