| blob | f680d1497db8e8fb79c158badd70d189c2058854 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Implementations of various class and method modifier attributes. */
9 #ifndef mozilla_Attributes_h
10 #define mozilla_Attributes_h
14 /*
15 * MOZ_ALWAYS_INLINE is a macro which expands to tell the compiler that the
16 * method decorated with it must be inlined, even if the compiler thinks
17 * otherwise. This is only a (much) stronger version of the inline hint:
18 * compilers are not guaranteed to respect it (although they're much more likely
19 * to do so).
20 *
21 * The MOZ_ALWAYS_INLINE_EVEN_DEBUG macro is yet stronger. It tells the
22 * compiler to inline even in DEBUG builds. It should be used very rarely.
23 */
24 #if defined(_MSC_VER)
25 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG __forceinline
26 #elif defined(__GNUC__)
27 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG __attribute__((always_inline)) inline
28 #else
29 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG inline
30 #endif
32 #if !defined(DEBUG)
33 # define MOZ_ALWAYS_INLINE MOZ_ALWAYS_INLINE_EVEN_DEBUG
34 #elif defined(_MSC_VER) && !defined(__cplusplus)
35 # define MOZ_ALWAYS_INLINE __inline
36 #else
37 # define MOZ_ALWAYS_INLINE inline
38 #endif
40 #if defined(_MSC_VER)
41 /*
42 * g++ requires -std=c++0x or -std=gnu++0x to support C++11 functionality
43 * without warnings (functionality used by the macros below). These modes are
44 * detectable by checking whether __GXX_EXPERIMENTAL_CXX0X__ is defined or, more
45 * standardly, by checking whether __cplusplus has a C++11 or greater value.
46 * Current versions of g++ do not correctly set __cplusplus, so we check both
47 * for forward compatibility.
48 */
49 # define MOZ_HAVE_NEVER_INLINE __declspec(noinline)
50 # define MOZ_HAVE_NORETURN __declspec(noreturn)
51 #elif defined(__clang__)
52 /*
53 * Per Clang documentation, "Note that marketing version numbers should not
54 * be used to check for language features, as different vendors use different
55 * numbering schemes. Instead, use the feature checking macros."
56 */
57 # ifndef __has_extension
59 # endif
60 # if __has_attribute(noinline)
61 # define MOZ_HAVE_NEVER_INLINE __attribute__((noinline))
62 # endif
63 # if __has_attribute(noreturn)
64 # define MOZ_HAVE_NORETURN __attribute__((noreturn))
65 # endif
66 #elif defined(__GNUC__)
67 # define MOZ_HAVE_NEVER_INLINE __attribute__((noinline))
68 # define MOZ_HAVE_NORETURN __attribute__((noreturn))
69 # define MOZ_HAVE_NORETURN_PTR __attribute__((noreturn))
70 #endif
72 /*
73 * When built with clang analyzer (a.k.a scan-build), define MOZ_HAVE_NORETURN
74 * to mark some false positives
75 */
76 #ifdef __clang_analyzer__
77 # if __has_extension(attribute_analyzer_noreturn)
78 # define MOZ_HAVE_ANALYZER_NORETURN __attribute__((analyzer_noreturn))
79 # endif
80 #endif
82 /*
83 * MOZ_NEVER_INLINE is a macro which expands to tell the compiler that the
84 * method decorated with it must never be inlined, even if the compiler would
85 * otherwise choose to inline the method. Compilers aren't absolutely
86 * guaranteed to support this, but most do.
87 */
88 #if defined(MOZ_HAVE_NEVER_INLINE)
89 # define MOZ_NEVER_INLINE MOZ_HAVE_NEVER_INLINE
90 #else
92 #endif
94 /*
95 * MOZ_NORETURN, specified at the start of a function declaration, indicates
96 * that the given function does not return. (The function definition does not
97 * need to be annotated.)
98 *
99 * MOZ_NORETURN void abort(const char* msg);
100 *
101 * This modifier permits the compiler to optimize code assuming a call to such a
102 * function will never return. It also enables the compiler to avoid spurious
103 * warnings about not initializing variables, or about any other seemingly-dodgy
104 * operations performed after the function returns.
105 *
106 * There are two variants. The GCC version of NORETURN may be applied to a
107 * function pointer, while for MSVC it may not.
108 *
109 * This modifier does not affect the corresponding function's linking behavior.
110 */
111 #if defined(MOZ_HAVE_NORETURN)
112 # define MOZ_NORETURN MOZ_HAVE_NORETURN
113 #else
115 #endif
116 #if defined(MOZ_HAVE_NORETURN_PTR)
117 # define MOZ_NORETURN_PTR MOZ_HAVE_NORETURN_PTR
118 #else
120 #endif
122 /**
123 * MOZ_COLD tells the compiler that a function is "cold", meaning infrequently
124 * executed. This may lead it to optimize for size more aggressively than speed,
125 * or to allocate the body of the function in a distant part of the text segment
126 * to help keep it from taking up unnecessary icache when it isn't in use.
127 *
128 * Place this attribute at the very beginning of a function definition. For
129 * example, write
130 *
131 * MOZ_COLD int foo();
132 *
133 * or
134 *
135 * MOZ_COLD int foo() { return 42; }
136 */
137 #if defined(__GNUC__) || defined(__clang__)
138 # define MOZ_COLD __attribute__ ((cold))
139 #else
140 # define MOZ_COLD
141 #endif
143 /**
144 * MOZ_NONNULL tells the compiler that some of the arguments to a function are
145 * known to be non-null. The arguments are a list of 1-based argument indexes
146 * identifying arguments which are known to be non-null.
147 *
148 * Place this attribute at the very beginning of a function definition. For
149 * example, write
150 *
151 * MOZ_NONNULL(1, 2) int foo(char *p, char *q);
152 */
153 #if defined(__GNUC__) || defined(__clang__)
154 # define MOZ_NONNULL(...) __attribute__ ((nonnull(__VA_ARGS__)))
155 #else
156 # define MOZ_NONNULL(...)
157 #endif
159 /**
160 * MOZ_NONNULL_RETURN tells the compiler that the function's return value is
161 * guaranteed to be a non-null pointer, which may enable the compiler to
162 * optimize better at call sites.
163 *
164 * Place this attribute at the end of a function declaration. For example,
165 *
166 * char* foo(char *p, char *q) MOZ_NONNULL_RETURN;
167 */
168 #if defined(__GNUC__) || defined(__clang__)
169 # define MOZ_NONNULL_RETURN __attribute__ ((returns_nonnull))
170 #else
171 # define MOZ_NONNULL_RETURN
172 #endif
174 /*
175 * MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS, specified at the end of a function
176 * declaration, indicates that for the purposes of static analysis, this
177 * function does not return. (The function definition does not need to be
178 * annotated.)
179 *
180 * MOZ_ReportCrash(const char* s, const char* file, int ln)
181 * MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS
182 *
183 * Some static analyzers, like scan-build from clang, can use this information
184 * to eliminate false positives. From the upstream documentation of scan-build:
185 * "This attribute is useful for annotating assertion handlers that actually
186 * can return, but for the purpose of using the analyzer we want to pretend
187 * that such functions do not return."
188 *
189 */
190 #if defined(MOZ_HAVE_ANALYZER_NORETURN)
191 # define MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS MOZ_HAVE_ANALYZER_NORETURN
192 #else
194 #endif
196 /*
197 * MOZ_ASAN_BLACKLIST is a macro to tell AddressSanitizer (a compile-time
198 * instrumentation shipped with Clang and GCC) to not instrument the annotated
199 * function. Furthermore, it will prevent the compiler from inlining the
200 * function because inlining currently breaks the blacklisting mechanism of
201 * AddressSanitizer.
202 */
203 #if defined(__has_feature)
204 # if __has_feature(address_sanitizer)
205 # define MOZ_HAVE_ASAN_BLACKLIST
206 # endif
207 #elif defined(__GNUC__)
208 # if defined(__SANITIZE_ADDRESS__)
209 # define MOZ_HAVE_ASAN_BLACKLIST
210 # endif
211 #endif
213 #if defined(MOZ_HAVE_ASAN_BLACKLIST)
214 # define MOZ_ASAN_BLACKLIST MOZ_NEVER_INLINE __attribute__((no_sanitize_address))
215 #else
217 #endif
219 /*
220 * MOZ_TSAN_BLACKLIST is a macro to tell ThreadSanitizer (a compile-time
221 * instrumentation shipped with Clang) to not instrument the annotated function.
222 * Furthermore, it will prevent the compiler from inlining the function because
223 * inlining currently breaks the blacklisting mechanism of ThreadSanitizer.
224 */
225 #if defined(__has_feature)
226 # if __has_feature(thread_sanitizer)
227 # define MOZ_TSAN_BLACKLIST MOZ_NEVER_INLINE __attribute__((no_sanitize_thread))
228 # else
230 # endif
231 #else
233 #endif
235 #if defined(__has_attribute)
236 # if __has_attribute(no_sanitize)
237 # define MOZ_HAVE_NO_SANITIZE_ATTR
238 # endif
239 #endif
241 #ifdef __clang__
242 # ifdef MOZ_HAVE_NO_SANITIZE_ATTR
243 # define MOZ_HAVE_UNSIGNED_OVERFLOW_SANITIZE_ATTR
244 # define MOZ_HAVE_SIGNED_OVERFLOW_SANITIZE_ATTR
245 # endif
246 #endif
248 /*
249 * MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW disables *un*signed integer overflow
250 * checking on the function it annotates, in builds configured to perform it.
251 * (Currently this is only Clang using -fsanitize=unsigned-integer-overflow, or
252 * via --enable-unsigned-overflow-sanitizer in Mozilla's build system.) It has
253 * no effect in other builds.
254 *
255 * Place this attribute at the very beginning of a function declaration.
256 *
257 * Unsigned integer overflow isn't *necessarily* a bug. It's well-defined in
258 * C/C++, and code may reasonably depend upon it. For example,
259 *
260 * MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW inline bool
261 * IsDecimal(char aChar)
262 * {
263 * // For chars less than '0', unsigned integer underflow occurs, to a value
264 * // much greater than 10, so the overall test is false.
265 * // For chars greater than '0', no overflow occurs, and only '0' to '9'
266 * // pass the overall test.
267 * return static_cast<unsigned int>(aChar) - '0' < 10;
268 * }
269 *
270 * But even well-defined unsigned overflow often causes bugs when it occurs, so
271 * it should be restricted to functions annotated with this attribute.
272 *
273 * The compiler instrumentation to detect unsigned integer overflow has costs
274 * both at compile time and at runtime. Functions that are repeatedly inlined
275 * at compile time will also implicitly inline the necessary instrumentation,
276 * increasing compile time. Similarly, frequently-executed functions that
277 * require large amounts of instrumentation will also notice significant runtime
278 * slowdown to execute that instrumentation. Use this attribute to eliminate
279 * those costs -- but only after carefully verifying that no overflow can occur.
280 */
281 #ifdef MOZ_HAVE_UNSIGNED_OVERFLOW_SANITIZE_ATTR
282 # define MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW __attribute__((no_sanitize("unsigned-integer-overflow")))
283 #else
285 #endif
287 /*
288 * MOZ_NO_SANITIZE_SIGNED_OVERFLOW disables *signed* integer overflow checking
289 * on the function it annotates, in builds configured to perform it. (Currently
290 * this is only Clang using -fsanitize=signed-integer-overflow, or via
291 * --enable-signed-overflow-sanitizer in Mozilla's build system. GCC support
292 * will probably be added in the future.) It has no effect in other builds.
293 *
294 * Place this attribute at the very beginning of a function declaration.
295 *
296 * Signed integer overflow is undefined behavior in C/C++: *anything* can happen
297 * when it occurs. *Maybe* wraparound behavior will occur, but maybe also the
298 * compiler will assume no overflow happens and will adversely optimize the rest
299 * of your code. Code that contains signed integer overflow needs to be fixed.
300 *
301 * The compiler instrumentation to detect signed integer overflow has costs both
302 * at compile time and at runtime. Functions that are repeatedly inlined at
303 * compile time will also implicitly inline the necessary instrumentation,
304 * increasing compile time. Similarly, frequently-executed functions that
305 * require large amounts of instrumentation will also notice significant runtime
306 * slowdown to execute that instrumentation. Use this attribute to eliminate
307 * those costs -- but only after carefully verifying that no overflow can occur.
308 */
309 #ifdef MOZ_HAVE_SIGNED_OVERFLOW_SANITIZE_ATTR
310 # define MOZ_NO_SANITIZE_SIGNED_OVERFLOW __attribute__((no_sanitize("signed-integer-overflow")))
311 #else
313 #endif
315 #undef MOZ_HAVE_NO_SANITIZE_ATTR
318 /**
319 * MOZ_ALLOCATOR tells the compiler that the function it marks returns either a
320 * "fresh", "pointer-free" block of memory, or nullptr. "Fresh" means that the
321 * block is not pointed to by any other reachable pointer in the program.
322 * "Pointer-free" means that the block contains no pointers to any valid object
323 * in the program. It may be initialized with other (non-pointer) values.
324 *
325 * Placing this attribute on appropriate functions helps GCC analyze pointer
326 * aliasing more accurately in their callers.
327 *
328 * GCC warns if a caller ignores the value returned by a function marked with
329 * MOZ_ALLOCATOR: it is hard to imagine cases where dropping the value returned
330 * by a function that meets the criteria above would be intentional.
331 *
332 * Place this attribute after the argument list and 'this' qualifiers of a
333 * function definition. For example, write
334 *
335 * void *my_allocator(size_t) MOZ_ALLOCATOR;
336 *
337 * or
338 *
339 * void *my_allocator(size_t bytes) MOZ_ALLOCATOR { ... }
340 */
341 #if defined(__GNUC__) || defined(__clang__)
342 # define MOZ_ALLOCATOR __attribute__ ((malloc, warn_unused_result))
343 #else
344 # define MOZ_ALLOCATOR
345 #endif
347 /**
348 * MOZ_MUST_USE tells the compiler to emit a warning if a function's
349 * return value is not used by the caller.
350 *
351 * Place this attribute at the very beginning of a function declaration. For
352 * example, write
353 *
354 * MOZ_MUST_USE int foo();
355 * or
356 * MOZ_MUST_USE int foo() { return 42; }
357 *
358 * MOZ_MUST_USE is most appropriate for functions where the return value is
359 * some kind of success/failure indicator -- often |nsresult|, |bool| or |int|
360 * -- because these functions are most commonly the ones that have missing
361 * checks. There are three cases of note.
362 *
363 * - Fallible functions whose return values should always be checked. For
364 * example, a function that opens a file should always be checked because any
365 * subsequent operations on the file will fail if opening it fails. Such
366 * functions should be given a MOZ_MUST_USE annotation.
367 *
368 * - Fallible functions whose return value need not always be checked. For
369 * example, a function that closes a file might not be checked because it's
370 * common that no further operations would be performed on the file. Such
371 * functions do not need a MOZ_MUST_USE annotation.
372 *
373 * - Infallible functions, i.e. ones that always return a value indicating
374 * success. These do not need a MOZ_MUST_USE annotation. Ideally, they would
375 * be converted to not return a success/failure indicator, though sometimes
376 * interface constraints prevent this.
377 */
378 #if defined(__GNUC__) || defined(__clang__)
379 # define MOZ_MUST_USE __attribute__ ((warn_unused_result))
380 #else
381 # define MOZ_MUST_USE
382 #endif
384 /**
385 * MOZ_MAYBE_UNUSED suppresses compiler warnings about functions that are
386 * never called (in this build configuration, at least).
387 *
388 * Place this attribute at the very beginning of a function declaration. For
389 * example, write
390 *
391 * MOZ_MAYBE_UNUSED int foo();
392 *
393 * or
394 *
395 * MOZ_MAYBE_UNUSED int foo() { return 42; }
396 */
397 #if defined(__GNUC__) || defined(__clang__)
398 # define MOZ_MAYBE_UNUSED __attribute__ ((__unused__))
399 #elif defined(_MSC_VER)
400 # define MOZ_MAYBE_UNUSED __pragma(warning(suppress:4505))
401 #else
402 # define MOZ_MAYBE_UNUSED
403 #endif
405 #ifdef __cplusplus
407 /**
408 * MOZ_FALLTHROUGH is an annotation to suppress compiler warnings about switch
409 * cases that fall through without a break or return statement. MOZ_FALLTHROUGH
410 * is only needed on cases that have code.
411 *
412 * MOZ_FALLTHROUGH_ASSERT is an annotation to suppress compiler warnings about
413 * switch cases that MOZ_ASSERT(false) (or its alias MOZ_ASSERT_UNREACHABLE) in
414 * debug builds, but intentionally fall through in release builds. See comment
415 * in Assertions.h for more details.
416 *
417 * switch (foo) {
418 * case 1: // These cases have no code. No fallthrough annotations are needed.
419 * case 2:
420 * case 3: // This case has code, so a fallthrough annotation is needed!
421 * foo++;
422 * MOZ_FALLTHROUGH;
423 * case 4:
424 * return foo;
425 *
426 * default:
427 * // This case asserts in debug builds, falls through in release.
428 * MOZ_FALLTHROUGH_ASSERT("Unexpected foo value?!");
429 * case 5:
430 * return 5;
431 * }
432 */
433 #ifndef __has_cpp_attribute
434 # define __has_cpp_attribute(x) 0
435 #endif
437 #if __has_cpp_attribute(clang::fallthrough)
438 # define MOZ_FALLTHROUGH [[clang::fallthrough]]
439 #elif __has_cpp_attribute(gnu::fallthrough)
440 # define MOZ_FALLTHROUGH [[gnu::fallthrough]]
441 #elif defined(_MSC_VER)
442 /*
443 * MSVC's __fallthrough annotations are checked by /analyze (Code Analysis):
444 * https://msdn.microsoft.com/en-us/library/ms235402%28VS.80%29.aspx
445 */
446 # include <sal.h>
447 # define MOZ_FALLTHROUGH __fallthrough
448 #else
450 #endif
452 /*
453 * The following macros are attributes that support the static analysis plugin
454 * included with Mozilla, and will be implemented (when such support is enabled)
455 * as C++11 attributes. Since such attributes are legal pretty much everywhere
456 * and have subtly different semantics depending on their placement, the
457 * following is a guide on where to place the attributes.
458 *
459 * Attributes that apply to a struct or class precede the name of the class:
460 * (Note that this is different from the placement of final for classes!)
461 *
462 * class MOZ_CLASS_ATTRIBUTE SomeClass {};
463 *
464 * Attributes that apply to functions follow the parentheses and const
465 * qualifiers but precede final, override and the function body:
466 *
467 * void DeclaredFunction() MOZ_FUNCTION_ATTRIBUTE;
468 * void SomeFunction() MOZ_FUNCTION_ATTRIBUTE {}
469 * void PureFunction() const MOZ_FUNCTION_ATTRIBUTE = 0;
470 * void OverriddenFunction() MOZ_FUNCTION_ATTIRBUTE override;
471 *
472 * Attributes that apply to variables or parameters follow the variable's name:
473 *
474 * int variable MOZ_VARIABLE_ATTRIBUTE;
475 *
476 * Attributes that apply to types follow the type name:
477 *
478 * typedef int MOZ_TYPE_ATTRIBUTE MagicInt;
479 * int MOZ_TYPE_ATTRIBUTE someVariable;
480 * int* MOZ_TYPE_ATTRIBUTE magicPtrInt;
481 * int MOZ_TYPE_ATTRIBUTE* ptrToMagicInt;
482 *
483 * Attributes that apply to statements precede the statement:
484 *
485 * MOZ_IF_ATTRIBUTE if (x == 0)
486 * MOZ_DO_ATTRIBUTE do { } while (0);
487 *
488 * Attributes that apply to labels precede the label:
489 *
490 * MOZ_LABEL_ATTRIBUTE target:
491 * goto target;
492 * MOZ_CASE_ATTRIBUTE case 5:
493 * MOZ_DEFAULT_ATTRIBUTE default:
494 *
495 * The static analyses that are performed by the plugin are as follows:
496 *
497 * MOZ_CAN_RUN_SCRIPT: Applies to functions which can run script. Callers of
498 * this function must also be marked as MOZ_CAN_RUN_SCRIPT, and all refcounted
499 * arguments must be strongly held in the caller.
500 * MOZ_CAN_RUN_SCRIPT_BOUNDARY: Applies to functions which need to call
501 * MOZ_CAN_RUN_SCRIPT functions, but should not themselves be considered
502 * MOZ_CAN_RUN_SCRIPT. This is important for some bindings and low level code
503 * which need to opt out of the safety checks performed by MOZ_CAN_RUN_SCRIPT.
504 * MOZ_MUST_OVERRIDE: Applies to all C++ member functions. All immediate
505 * subclasses must provide an exact override of this method; if a subclass
506 * does not override this method, the compiler will emit an error. This
507 * attribute is not limited to virtual methods, so if it is applied to a
508 * nonvirtual method and the subclass does not provide an equivalent
509 * definition, the compiler will emit an error.
510 * MOZ_STATIC_CLASS: Applies to all classes. Any class with this annotation is
511 * expected to live in static memory, so it is a compile-time error to use
512 * it, or an array of such objects, as the type of a variable declaration, or
513 * as a temporary object, or as the type of a new expression (unless
514 * placement new is being used). If a member of another class uses this
515 * class, or if another class inherits from this class, then it is considered
516 * to be a static class as well, although this attribute need not be provided
517 * in such cases.
518 * MOZ_STACK_CLASS: Applies to all classes. Any class with this annotation is
519 * expected to live on the stack, so it is a compile-time error to use it, or
520 * an array of such objects, as a global or static variable, or as the type of
521 * a new expression (unless placement new is being used). If a member of
522 * another class uses this class, or if another class inherits from this
523 * class, then it is considered to be a stack class as well, although this
524 * attribute need not be provided in such cases.
525 * MOZ_NONHEAP_CLASS: Applies to all classes. Any class with this annotation is
526 * expected to live on the stack or in static storage, so it is a compile-time
527 * error to use it, or an array of such objects, as the type of a new
528 * expression. If a member of another class uses this class, or if another
529 * class inherits from this class, then it is considered to be a non-heap class
530 * as well, although this attribute need not be provided in such cases.
531 * MOZ_HEAP_CLASS: Applies to all classes. Any class with this annotation is
532 * expected to live on the heap, so it is a compile-time error to use it, or
533 * an array of such objects, as the type of a variable declaration, or as a
534 * temporary object. If a member of another class uses this class, or if
535 * another class inherits from this class, then it is considered to be a heap
536 * class as well, although this attribute need not be provided in such cases.
537 * MOZ_NON_TEMPORARY_CLASS: Applies to all classes. Any class with this
538 * annotation is expected not to live in a temporary. If a member of another
539 * class uses this class or if another class inherits from this class, then it
540 * is considered to be a non-temporary class as well, although this attribute
541 * need not be provided in such cases.
542 * MOZ_TEMPORARY_CLASS: Applies to all classes. Any class with this annotation
543 * is expected to only live in a temporary. If another class inherits from
544 * this class, then it is considered to be a non-temporary class as well,
545 * although this attribute need not be provided in such cases.
546 * MOZ_RAII: Applies to all classes. Any class with this annotation is assumed
547 * to be a RAII guard, which is expected to live on the stack in an automatic
548 * allocation. It is prohibited from being allocated in a temporary, static
549 * storage, or on the heap. This is a combination of MOZ_STACK_CLASS and
550 * MOZ_NON_TEMPORARY_CLASS.
551 * MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS: Applies to all classes that are
552 * intended to prevent introducing static initializers. This attribute
553 * currently makes it a compile-time error to instantiate these classes
554 * anywhere other than at the global scope, or as a static member of a class.
555 * In non-debug mode, it also prohibits non-trivial constructors and
556 * destructors.
557 * MOZ_TRIVIAL_CTOR_DTOR: Applies to all classes that must have both a trivial
558 * or constexpr constructor and a trivial destructor. Setting this attribute
559 * on a class makes it a compile-time error for that class to get a
560 * non-trivial constructor or destructor for any reason.
561 * MOZ_HEAP_ALLOCATOR: Applies to any function. This indicates that the return
562 * value is allocated on the heap, and will as a result check such allocations
563 * during MOZ_STACK_CLASS and MOZ_NONHEAP_CLASS annotation checking.
564 * MOZ_IMPLICIT: Applies to constructors. Implicit conversion constructors
565 * are disallowed by default unless they are marked as MOZ_IMPLICIT. This
566 * attribute must be used for constructors which intend to provide implicit
567 * conversions.
568 * MOZ_IS_REFPTR: Applies to class declarations of ref pointer to mark them as
569 * such for use with static-analysis.
570 * A ref pointer is an object wrapping a pointer and automatically taking care
571 * of its refcounting upon construction/destruction/transfer of ownership.
572 * This annotation implies MOZ_IS_SMARTPTR_TO_REFCOUNTED.
573 * MOZ_IS_SMARTPTR_TO_REFCOUNTED: Applies to class declarations of smart
574 * pointers to ref counted classes to mark them as such for use with
575 * static-analysis.
576 * MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT: Applies to functions. Makes it a compile
577 * time error to pass arithmetic expressions on variables to the function.
578 * MOZ_OWNING_REF: Applies to declarations of pointers to reference counted
579 * types. This attribute tells the compiler that the raw pointer is a strong
580 * reference, where ownership through methods such as AddRef and Release is
581 * managed manually. This can make the compiler ignore these pointers when
582 * validating the usage of pointers otherwise.
583 *
584 * Example uses include owned pointers inside of unions, and pointers stored
585 * in POD types where a using a smart pointer class would make the object
586 * non-POD.
587 * MOZ_NON_OWNING_REF: Applies to declarations of pointers to reference counted
588 * types. This attribute tells the compiler that the raw pointer is a weak
589 * reference, which is ensured to be valid by a guarantee that the reference
590 * will be nulled before the pointer becomes invalid. This can make the compiler
591 * ignore these pointers when validating the usage of pointers otherwise.
592 *
593 * Examples include an mOwner pointer, which is nulled by the owning class's
594 * destructor, and is null-checked before dereferencing.
595 * MOZ_UNSAFE_REF: Applies to declarations of pointers to reference counted types.
596 * Occasionally there are non-owning references which are valid, but do not take
597 * the form of a MOZ_NON_OWNING_REF. Their safety may be dependent on the behaviour
598 * of API consumers. The string argument passed to this macro documents the safety
599 * conditions. This can make the compiler ignore these pointers when validating
600 * the usage of pointers elsewhere.
601 *
602 * Examples include an nsAtom* member which is known at compile time to point to a
603 * static atom which is valid throughout the lifetime of the program, or an API which
604 * stores a pointer, but doesn't take ownership over it, instead requiring the API
605 * consumer to correctly null the value before it becomes invalid.
606 *
607 * Use of this annotation is discouraged when a strong reference or one of the above
608 * two annotations can be used instead.
609 * MOZ_NO_ADDREF_RELEASE_ON_RETURN: Applies to function declarations. Makes it
610 * a compile time error to call AddRef or Release on the return value of a
611 * function. This is intended to be used with operator->() of our smart
612 * pointer classes to ensure that the refcount of an object wrapped in a
613 * smart pointer is not manipulated directly.
614 * MOZ_MUST_USE_TYPE: Applies to type declarations. Makes it a compile time
615 * error to not use the return value of a function which has this type. This
616 * is intended to be used with types which it is an error to not use.
617 * MOZ_NEEDS_NO_VTABLE_TYPE: Applies to template class declarations. Makes it
618 * a compile time error to instantiate this template with a type parameter which
619 * has a VTable.
620 * MOZ_NON_MEMMOVABLE: Applies to class declarations for types that are not safe
621 * to be moved in memory using memmove().
622 * MOZ_NEEDS_MEMMOVABLE_TYPE: Applies to template class declarations where the
623 * template arguments are required to be safe to move in memory using
624 * memmove(). Passing MOZ_NON_MEMMOVABLE types to these templates is a
625 * compile time error.
626 * MOZ_NEEDS_MEMMOVABLE_MEMBERS: Applies to class declarations where each member
627 * must be safe to move in memory using memmove(). MOZ_NON_MEMMOVABLE types
628 * used in members of these classes are compile time errors.
629 * MOZ_NO_DANGLING_ON_TEMPORARIES: Applies to method declarations which return
630 * a pointer that is freed when the destructor of the class is called. This
631 * prevents these methods from being called on temporaries of the class,
632 * reducing risks of use-after-free.
633 * This attribute cannot be applied to && methods.
634 * In some cases, adding a deleted &&-qualified overload is too restrictive as
635 * this method should still be callable as a non-escaping argument to another
636 * function. This annotation can be used in those cases.
637 * MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS: Applies to template class
638 * declarations where an instance of the template should be considered, for
639 * static analysis purposes, to inherit any type annotations (such as
640 * MOZ_MUST_USE_TYPE and MOZ_STACK_CLASS) from its template arguments.
641 * MOZ_INIT_OUTSIDE_CTOR: Applies to class member declarations. Occasionally
642 * there are class members that are not initialized in the constructor,
643 * but logic elsewhere in the class ensures they are initialized prior to use.
644 * Using this attribute on a member disables the check that this member must be
645 * initialized in constructors via list-initialization, in the constructor body,
646 * or via functions called from the constructor body.
647 * MOZ_IS_CLASS_INIT: Applies to class method declarations. Occasionally the
648 * constructor doesn't initialize all of the member variables and another function
649 * is used to initialize the rest. This marker is used to make the static analysis
650 * tool aware that the marked function is part of the initialization process
651 * and to include the marked function in the scan mechanism that determines witch
652 * member variables still remain uninitialized.
653 * MOZ_NON_PARAM: Applies to types. Makes it compile time error to use the type
654 * in parameter without pointer or reference.
655 * MOZ_NON_AUTOABLE: Applies to class declarations. Makes it a compile time error to
656 * use `auto` in place of this type in variable declarations. This is intended to
657 * be used with types which are intended to be implicitly constructed into other
658 * other types before being assigned to variables.
659 * MOZ_REQUIRED_BASE_METHOD: Applies to virtual class method declarations.
660 * Sometimes derived classes override methods that need to be called by their
661 * overridden counterparts. This marker indicates that the marked method must
662 * be called by the method that it overrides.
663 * MOZ_MUST_RETURN_FROM_CALLER: Applies to function or method declarations.
664 * Callers of the annotated function/method must return from that function
665 * within the calling block using an explicit `return` statement.
666 * Only calls to Constructors, references to local and member variables,
667 * and calls to functions or methods marked as MOZ_MAY_CALL_AFTER_MUST_RETURN
668 * may be made after the MUST_RETURN_FROM_CALLER call.
669 * MOZ_MAY_CALL_AFTER_MUST_RETURN: Applies to function or method declarations.
670 * Calls to these methods may be made in functions after calls a
671 * MOZ_MUST_RETURN_FROM_CALLER function or method.
672 */
673 #ifdef MOZ_CLANG_PLUGIN
684 # ifdef DEBUG
685 /* in debug builds, these classes do have non-trivial constructors. */
686 # define MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS __attribute__((annotate("moz_global_class")))
687 # else
688 # define MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS __attribute__((annotate("moz_global_class"))) \
689 MOZ_TRIVIAL_CTOR_DTOR
690 # endif
692 # define MOZ_IS_SMARTPTR_TO_REFCOUNTED __attribute__((annotate("moz_is_smartptr_to_refcounted")))
694 MOZ_IS_SMARTPTR_TO_REFCOUNTED
695 # define MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT __attribute__((annotate("moz_no_arith_expr_in_arg")))
699 # define MOZ_NO_ADDREF_RELEASE_ON_RETURN __attribute__((annotate("moz_no_addref_release_on_return")))
705 # define MOZ_NO_DANGLING_ON_TEMPORARIES __attribute__((annotate("moz_no_dangling_on_temporaries")))
706 # define MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS \
709 # define MOZ_INIT_OUTSIDE_CTOR \
711 # define MOZ_IS_CLASS_INIT \
713 # define MOZ_NON_PARAM \
715 # define MOZ_REQUIRED_BASE_METHOD \
717 # define MOZ_MUST_RETURN_FROM_CALLER \
719 # define MOZ_MAY_CALL_AFTER_MUST_RETURN \
721 /*
722 * It turns out that clang doesn't like void func() __attribute__ {} without a
723 * warning, so use pragmas to disable the warning. This code won't work on GCC
724 * anyways, so the warning is safe to ignore.
725 */
726 # define MOZ_HEAP_ALLOCATOR \
731 #else
768 #define MOZ_RAII MOZ_NON_TEMPORARY_CLASS MOZ_STACK_CLASS
772 /**
773 * Printf style formats. MOZ_FORMAT_PRINTF can be used to annotate a
774 * function or method that is "printf-like"; this will let (some)
775 * compilers check that the arguments match the template string.
776 *
777 * This macro takes two arguments. The first argument is the argument
778 * number of the template string. The second argument is the argument
779 * number of the '...' argument holding the arguments.
780 *
781 * Argument numbers start at 1. Note that the implicit "this"
782 * argument of a non-static member function counts as an argument.
783 *
784 * So, for a simple case like:
785 * void print_something (int whatever, const char *fmt, ...);
786 * The corresponding annotation would be
787 * MOZ_FORMAT_PRINTF(2, 3)
788 * However, if "print_something" were a non-static member function,
789 * then the annotation would be:
790 * MOZ_FORMAT_PRINTF(3, 4)
791 *
792 * The second argument should be 0 for vprintf-like functions; that
793 * is, those taking a va_list argument.
794 *
795 * Note that the checking is limited to standards-conforming
796 * printf-likes, and in particular this should not be used for
797 * PR_snprintf and friends, which are "printf-like" but which assign
798 * different meanings to the various formats.
799 *
800 * MinGW requires special handling due to different format specifiers
801 * on different platforms. The macro __MINGW_PRINTF_FORMAT maps to
802 * either gnu_printf or ms_printf depending on where we are compiling
803 * to avoid warnings on format specifiers that are legal.
804 */
805 #ifdef __MINGW32__
806 #define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck) \
807 __attribute__ ((format (__MINGW_PRINTF_FORMAT, stringIndex, firstToCheck)))
808 #elif __GNUC__
809 #define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck) \
810 __attribute__ ((format (printf, stringIndex, firstToCheck)))
811 #else
812 #define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck)
813 #endif
815 /**
816 * To manually declare an XPCOM ABI-compatible virtual function, the following
817 * macros can be used to handle the non-standard ABI used on Windows for COM
818 * compatibility. E.g.:
819 *
820 * virtual ReturnType MOZ_XPCOM_ABI foo();
821 */
822 #if defined(XP_WIN)
823 # define MOZ_XPCOM_ABI __stdcall
824 #else
825 # define MOZ_XPCOM_ABI
826 #endif