// Copyright 2011 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "base/rand_util.h"

#include <limits.h>
#include <math.h>
#include <stdint.h>

#include <algorithm>
#include <atomic>
#include <limits>

#include "base/check.h"
#include "base/check_op.h"
#include "base/containers/span.h"
#include "base/time/time.h"

namespace base {

namespace {

// A MetricSubsampler instance is not thread-safe. However, the global
// sampling state may be read concurrently with writing it via testing
// scopers, hence the need to use atomics. All operations use
// memory_order_relaxed because there are no dependent memory accesses.
std::atomic<bool> g_subsampling_always_sample = false;
std::atomic<bool> g_subsampling_never_sample = false;

MetricsSubSampler* GetSharedSubsampler() {
  static thread_local MetricsSubSampler g_shared_subsampler;
  return &g_shared_subsampler;
}

}  // namespace

uint64_t RandUint64() {
  uint64_t number;
  RandBytes(base::byte_span_from_ref(number));
  return number;
}

int RandInt(int min, int max) {
  DCHECK_LE(min, max);

  uint64_t range = static_cast<uint64_t>(max) - static_cast<uint64_t>(min) + 1;
  // |range| is at most UINT_MAX + 1, so the result of RandGenerator(range)
  // is at most UINT_MAX.  Hence it's safe to cast it from uint64_t to int64_t.
  int result =
      static_cast<int>(min + static_cast<int64_t>(base::RandGenerator(range)));
  DCHECK_GE(result, min);
  DCHECK_LE(result, max);
  return result;
}

double RandDouble() {
  return BitsToOpenEndedUnitInterval(base::RandUint64());
}

float RandFloat() {
  return BitsToOpenEndedUnitIntervalF(base::RandUint64());
}

bool RandBool() {
  uint8_t number;
  RandBytes(span_from_ref(number));
  return number & 1;
}

TimeDelta RandTimeDelta(TimeDelta start, TimeDelta limit) {
  // We must have a finite, non-empty, non-reversed interval.
  CHECK_LT(start, limit);
  CHECK(!start.is_min());
  CHECK(!limit.is_max());

  const int64_t range = (limit - start).InMicroseconds();
  // Because of the `CHECK_LT()` above, range > 0, so this cast is safe.
  const uint64_t delta_us = base::RandGenerator(static_cast<uint64_t>(range));
  // ...and because `range` fit in an `int64_t`, so will `delta_us`.
  return start + Microseconds(static_cast<int64_t>(delta_us));
}

TimeDelta RandTimeDeltaUpTo(TimeDelta limit) {
  return RandTimeDelta(TimeDelta(), limit);
}

double BitsToOpenEndedUnitInterval(uint64_t bits) {
  // We try to get maximum precision by masking out as many bits as will fit
  // in the target type's mantissa, and raising it to an appropriate power to
  // produce output in the range [0, 1).  For IEEE 754 doubles, the mantissa
  // is expected to accommodate 53 bits (including the implied bit).
  static_assert(std::numeric_limits<double>::radix == 2,
                "otherwise use scalbn");
  constexpr int kBits = std::numeric_limits<double>::digits;
  return ldexp(bits & ((UINT64_C(1) << kBits) - 1u), -kBits);
}

float BitsToOpenEndedUnitIntervalF(uint64_t bits) {
  // We try to get maximum precision by masking out as many bits as will fit
  // in the target type's mantissa, and raising it to an appropriate power to
  // produce output in the range [0, 1).  For IEEE 754 floats, the mantissa is
  // expected to accommodate 12 bits (including the implied bit).
  static_assert(std::numeric_limits<float>::radix == 2, "otherwise use scalbn");
  constexpr int kBits = std::numeric_limits<float>::digits;
  return ldexpf(bits & ((UINT64_C(1) << kBits) - 1u), -kBits);
}

uint64_t RandGenerator(uint64_t range) {
  DCHECK_GT(range, 0u);
  // We must discard random results above this number, as they would
  // make the random generator non-uniform (consider e.g. if
  // MAX_UINT64 was 7 and |range| was 5, then a result of 1 would be twice
  // as likely as a result of 3 or 4).
  uint64_t max_acceptable_value =
      (std::numeric_limits<uint64_t>::max() / range) * range - 1;

  uint64_t value;
  do {
    value = base::RandUint64();
  } while (value > max_acceptable_value);

  return value % range;
}

std::string RandBytesAsString(size_t length) {
  std::string result(length, '\0');
  RandBytes(as_writable_byte_span(result));
  return result;
}

std::vector<uint8_t> RandBytesAsVector(size_t length) {
  std::vector<uint8_t> result(length);
  RandBytes(result);
  return result;
}

InsecureRandomGenerator::InsecureRandomGenerator() {
  a_ = base::RandUint64();
  b_ = base::RandUint64();
}

void InsecureRandomGenerator::ReseedForTesting(uint64_t seed) {
  a_ = seed;
  b_ = seed;
}

uint64_t InsecureRandomGenerator::RandUint64() const {
  // Using XorShift128+, which is simple and widely used. See
  // https://en.wikipedia.org/wiki/Xorshift#xorshift+ for details.
  uint64_t t = a_;
  const uint64_t s = b_;

  a_ = s;
  t ^= t << 23;
  t ^= t >> 17;
  t ^= s ^ (s >> 26);
  b_ = t;

  return t + s;
}

uint32_t InsecureRandomGenerator::RandUint32() const {
  // The generator usually returns an uint64_t, truncate it.
  //
  // It is noted in this paper (https://arxiv.org/abs/1810.05313) that the
  // lowest 32 bits fail some statistical tests from the Big Crush
  // suite. Use the higher ones instead.
  return this->RandUint64() >> 32;
}

double InsecureRandomGenerator::RandDouble() const {
  uint64_t x = RandUint64();
  // From https://vigna.di.unimi.it/xorshift/.
  // 53 bits of mantissa, hence the "hexadecimal exponent" 1p-53.
  return (x >> 11) * 0x1.0p-53;
}

MetricsSubSampler::MetricsSubSampler() = default;
bool MetricsSubSampler::ShouldSample(double probability) const {
  if (g_subsampling_always_sample.load(std::memory_order_relaxed)) {
    return true;
  }
  if (g_subsampling_never_sample.load(std::memory_order_relaxed)) {
    return false;
  }

  DCHECK(probability >= 0 && probability <= 1);
  return generator_.RandDouble() < probability;
}

void MetricsSubSampler::Reseed() {
  generator_ = InsecureRandomGenerator();
}

MetricsSubSampler::ScopedAlwaysSampleForTesting::
    ScopedAlwaysSampleForTesting() {
  DCHECK(!g_subsampling_always_sample.load(std::memory_order_relaxed));
  DCHECK(!g_subsampling_never_sample.load(std::memory_order_relaxed));
  g_subsampling_always_sample.store(true, std::memory_order_relaxed);
}

MetricsSubSampler::ScopedAlwaysSampleForTesting::
    ~ScopedAlwaysSampleForTesting() {
  DCHECK(g_subsampling_always_sample.load(std::memory_order_relaxed));
  DCHECK(!g_subsampling_never_sample.load(std::memory_order_relaxed));
  g_subsampling_always_sample.store(false, std::memory_order_relaxed);
}

MetricsSubSampler::ScopedNeverSampleForTesting::ScopedNeverSampleForTesting() {
  DCHECK(!g_subsampling_always_sample.load(std::memory_order_relaxed));
  DCHECK(!g_subsampling_never_sample.load(std::memory_order_relaxed));
  g_subsampling_never_sample.store(true, std::memory_order_relaxed);
}

MetricsSubSampler::ScopedNeverSampleForTesting::~ScopedNeverSampleForTesting() {
  DCHECK(!g_subsampling_always_sample);
  DCHECK(g_subsampling_never_sample);
  g_subsampling_never_sample.store(false, std::memory_order_relaxed);
}

bool ShouldRecordSubsampledMetric(double probability) {
  return GetSharedSubsampler()->ShouldSample(probability);
}

void ReseedSharedMetricsSubsampler() {
  GetSharedSubsampler()->Reseed();
}

}  // namespace base