GH-47926: [C++] Adopt alternative safe arithmetic library (#47958)

### Rationale for this change

Our safe math arithmetic currently use the [portable-snippets library](https://github.com/nemequ/portable-snippets/blob/master/safe-math/safe-math.h). Besides being unmaintained, this library includes Windows headers, which has unfortunate effects such as defining multiple unwanted macros (`GetObject`, etc.).

### What changes are included in this PR?

Replace usage of the portable snippets safe-math header with the [SafeInt](https://github.com/dcleblanc/SafeInt) library, and gcc/clang builtins.

### Are these changes tested?

Yes, by existing CI tests.

### Are there any user-facing changes?

No.

* GitHub Issue: #47926

Authored-by: Antoine Pitrou <[email protected]>
Signed-off-by: Antoine Pitrou <[email protected]>

Author: pitrou

cpp/src/arrow/compute/kernels/scalar_arithmetic_test.cc

@@ -241,7 +241,10 @@ class TestUnaryArithmetic : public TestBaseUnaryArithmetic<T, ArithmeticOptions>
  protected:
   using Base = TestBaseUnaryArithmetic<T, ArithmeticOptions>;
   using Base::options_;
-  void SetOverflowCheck(bool value) { options_.check_overflow = value; }
+  void SetOverflowCheck(bool value) {
+    ARROW_SCOPED_TRACE("check_overflow = ", value);
+    options_.check_overflow = value;
+  }
 };
 
 template <typename T>
@@ -421,7 +424,10 @@ class TestBinaryArithmetic : public TestBaseArithmetic<T> {
     AssertArraysApproxEqual(*expected, *actual, /*verbose=*/true, equal_options_);
   }
 
-  void SetOverflowCheck(bool value = true) { options_.check_overflow = value; }
+  void SetOverflowCheck(bool value) {
+    ARROW_SCOPED_TRACE("check_overflow = ", value);
+    options_.check_overflow = value;
+  }
 
   void SetNansEqual(bool value = true) {
     this->equal_options_ = equal_options_.nans_equal(value);

cpp/src/arrow/util/int_util_overflow.h

@@ -25,10 +25,7 @@
 #include "arrow/util/macros.h"
 #include "arrow/util/visibility.h"
 
-// "safe-math.h" includes <intsafe.h> from the Windows headers.
-#include "arrow/vendored/portable-snippets/safe-math.h"
-// clang-format off (avoid include reordering)
-// clang-format on
+#include "arrow/vendored/safeint/safe_math.h"
 
 namespace arrow {
 namespace internal {
@@ -38,49 +35,141 @@ namespace internal {
 // On overflow, these functions return true.  Otherwise, false is returned
 // and `out` is updated with the result of the operation.
 
-#define OP_WITH_OVERFLOW(_func_name, _psnip_op, _type, _psnip_type)           \
-  [[nodiscard]] static inline bool _func_name(_type u, _type v, _type* out) { \
-    return !psnip_safe_##_psnip_type##_##_psnip_op(out, u, v);                \
+#define SAFE_INT_OP_WITH_OVERFLOW(_func_name, _op_name, _c_type, _type)             \
+  [[nodiscard]] static inline bool _func_name(_c_type u, _c_type v, _c_type* out) { \
+    return !check_##_op_name##_##_type##_##_type(u, v, out);                        \
   }
 
-#define OPS_WITH_OVERFLOW(_func_name, _psnip_op)            \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int8_t, int8)     \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int16_t, int16)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int32_t, int32)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, int64_t, int64)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint8_t, uint8)   \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint16_t, uint16) \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint32_t, uint32) \
-  OP_WITH_OVERFLOW(_func_name, _psnip_op, uint64_t, uint64)
+#define SAFE_INT_OPS_WITH_OVERFLOW(_func_name, _op_name)            \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _op_name, int32_t, int32)   \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _op_name, int64_t, int64)   \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _op_name, uint32_t, uint32) \
+  SAFE_INT_OP_WITH_OVERFLOW(_func_name, _op_name, uint64_t, uint64)
+
+SAFE_INT_OPS_WITH_OVERFLOW(SafeIntAddWithOverflow, add)
+SAFE_INT_OPS_WITH_OVERFLOW(SafeIntSubtractWithOverflow, sub)
+SAFE_INT_OPS_WITH_OVERFLOW(SafeIntMultiplyWithOverflow, mul)
+
+#undef SAFE_INT_OP_WITH_OVERFLOW
+#undef SAFE_INT_OPS_WITH_OVERFLOW
+
+template <typename Int, typename SignedRet, typename UnsignedRet>
+using transformed_int_t =
+    std::conditional_t<std::is_signed_v<Int>, SignedRet, UnsignedRet>;
+
+template <typename Int>
+using upscaled_int32_t = transformed_int_t<Int, int32_t, uint32_t>;
+
+// Use GCC/CLang builtins for checked arithmetic, promising better performance
+// than SafeInt's hand-written implementations.
+#if defined __has_builtin
+#  if __has_builtin(__builtin_object_size)
+#    define USE_CHECKED_ARITHMETIC_BUILTINS 1
+#  else
+#    define USE_CHECKED_ARITHMETIC_BUILTINS 0
+#  endif
+#endif
+
+template <typename Int>
+[[nodiscard]] bool AddWithOverflowGeneric(Int u, Int v, Int* out) {
+#if USE_CHECKED_ARITHMETIC_BUILTINS
+  return __builtin_add_overflow(u, v, out);
+#else
+  if constexpr (sizeof(Int) < 4) {
+    using UpscaledInt = upscaled_int32_t<Int>;
+    auto r = static_cast<UpscaledInt>(u) + static_cast<UpscaledInt>(v);
+    *out = static_cast<Int>(r);
+    return r != *out;
+  } else {
+    return SafeIntAddWithOverflow(u, v, out);
+  }
+#endif
+}
 
-OPS_WITH_OVERFLOW(AddWithOverflow, add)
-OPS_WITH_OVERFLOW(SubtractWithOverflow, sub)
-OPS_WITH_OVERFLOW(MultiplyWithOverflow, mul)
-OPS_WITH_OVERFLOW(DivideWithOverflow, div)
+template <typename Int>
+[[nodiscard]] bool SubtractWithOverflowGeneric(Int u, Int v, Int* out) {
+#if USE_CHECKED_ARITHMETIC_BUILTINS
+  return __builtin_sub_overflow(u, v, out);
+#else
+  if constexpr (sizeof(Int) < 4) {
+    using UpscaledInt = upscaled_int32_t<Int>;
+    auto r = static_cast<UpscaledInt>(u) - static_cast<UpscaledInt>(v);
+    *out = static_cast<Int>(r);
+    return r != *out;
+  } else {
+    return SafeIntSubtractWithOverflow(u, v, out);
+  }
+#endif
+}
 
-#undef OP_WITH_OVERFLOW
-#undef OPS_WITH_OVERFLOW
+template <typename Int>
+[[nodiscard]] bool MultiplyWithOverflowGeneric(Int u, Int v, Int* out) {
+#if USE_CHECKED_ARITHMETIC_BUILTINS
+  return __builtin_mul_overflow(u, v, out);
+#else
+  if constexpr (sizeof(Int) < 4) {
+    using UpscaledInt = upscaled_int32_t<Int>;
+    auto r = static_cast<UpscaledInt>(u) * static_cast<UpscaledInt>(v);
+    *out = static_cast<Int>(r);
+    return r != *out;
+  } else {
+    return SafeIntMultiplyWithOverflow(u, v, out);
+  }
+#endif
+}
 
-// Define function NegateWithOverflow with the signature `bool(T u, T* out)`
-// where T is a signed integer type.  On overflow, these functions return true.
-// Otherwise, false is returned and `out` is updated with the result of the
-// operation.
+template <typename Int>
+[[nodiscard]] bool DivideWithOverflowGeneric(Int u, Int v, Int* out) {
+  if (v == 0) {
+    *out = Int{};
+    return true;
+  }
+  if constexpr (std::is_signed_v<Int>) {
+    constexpr auto kMin = std::numeric_limits<Int>::min();
+    if (u == kMin && v == -1) {
+      *out = kMin;
+      return true;
+    }
+  }
+  *out = u / v;
+  return false;
+}
 
-#define UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, _type, _psnip_type) \
-  [[nodiscard]] static inline bool _func_name(_type u, _type* out) {      \
-    return !psnip_safe_##_psnip_type##_##_psnip_op(out, u);               \
+// Define non-generic versions of the above so as to benefit from automatic
+// integer conversion, to allow for mixed-type calls such as
+// AddWithOverflow(int32_t, int64_t, int64_t*).
+
+#define NON_GENERIC_OP_WITH_OVERFLOW(_func_name, _c_type)                    \
+  [[nodiscard]] inline bool _func_name(_c_type u, _c_type v, _c_type* out) { \
+    return ARROW_PREDICT_FALSE(_func_name##Generic(u, v, out));              \
   }
 
-#define SIGNED_UNARY_OPS_WITH_OVERFLOW(_func_name, _psnip_op)   \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int8_t, int8)   \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int16_t, int16) \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int32_t, int32) \
-  UNARY_OP_WITH_OVERFLOW(_func_name, _psnip_op, int64_t, int64)
+#define NON_GENERIC_OPS_WITH_OVERFLOW(_func_name)    \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int8_t)   \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint8_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int16_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint16_t) \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int32_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint32_t) \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, int64_t)  \
+  NON_GENERIC_OP_WITH_OVERFLOW(_func_name, uint64_t)
+
+NON_GENERIC_OPS_WITH_OVERFLOW(AddWithOverflow)
+NON_GENERIC_OPS_WITH_OVERFLOW(SubtractWithOverflow)
+NON_GENERIC_OPS_WITH_OVERFLOW(MultiplyWithOverflow)
+NON_GENERIC_OPS_WITH_OVERFLOW(DivideWithOverflow)
 
-SIGNED_UNARY_OPS_WITH_OVERFLOW(NegateWithOverflow, neg)
+#undef NON_GENERIC_OPS_WITH_OVERFLOW
+#undef NON_GENERIC_OP_WITH_OVERFLOW
 
-#undef UNARY_OP_WITH_OVERFLOW
-#undef SIGNED_UNARY_OPS_WITH_OVERFLOW
+// Define function NegateWithOverflow with the signature `bool(T u, T* out)`
+// where T is a signed integer type.  On overflow, these functions return true.
+// Otherwise, false is returned and `out` is updated with the result of the
+// operation.
+template <typename Int>
+[[nodiscard]] bool NegateWithOverflow(Int v, Int* out) {
+  return SubtractWithOverflow(Int{}, v, out);
+}
 
 /// Signed addition with well-defined behaviour on overflow (as unsigned)
 template <typename SignedInt>

cpp/src/arrow/vendored/CMakeLists.txt

@@ -21,4 +21,5 @@ add_subdirectory(datetime)
 add_subdirectory(double-conversion)
 add_subdirectory(pcg)
 add_subdirectory(portable-snippets)
+add_subdirectory(safeint)
 add_subdirectory(xxhash)