1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Implementations of various class and method modifier attributes. */
9 #ifndef mozilla_Attributes_h
10 #define mozilla_Attributes_h
12 #include "mozilla/Compiler.h"
15 * MOZ_ALWAYS_INLINE is a macro which expands to tell the compiler that the
16 * method decorated with it must be inlined, even if the compiler thinks
17 * otherwise. This is only a (much) stronger version of the inline hint:
18 * compilers are not guaranteed to respect it (although they're much more likely
21 * The MOZ_ALWAYS_INLINE_EVEN_DEBUG macro is yet stronger. It tells the
22 * compiler to inline even in DEBUG builds. It should be used very rarely.
25 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG __forceinline
26 #elif defined(__GNUC__)
27 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG __attribute__((always_inline)) inline
29 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG inline
33 # define MOZ_ALWAYS_INLINE MOZ_ALWAYS_INLINE_EVEN_DEBUG
34 #elif defined(_MSC_VER) && !defined(__cplusplus)
35 # define MOZ_ALWAYS_INLINE __inline
37 # define MOZ_ALWAYS_INLINE inline
42 * g++ requires -std=c++0x or -std=gnu++0x to support C++11 functionality
43 * without warnings (functionality used by the macros below). These modes are
44 * detectable by checking whether __GXX_EXPERIMENTAL_CXX0X__ is defined or, more
45 * standardly, by checking whether __cplusplus has a C++11 or greater value.
46 * Current versions of g++ do not correctly set __cplusplus, so we check both
47 * for forward compatibility.
49 # define MOZ_HAVE_NEVER_INLINE __declspec(noinline)
50 # define MOZ_HAVE_NORETURN __declspec(noreturn)
51 #elif defined(__clang__)
53 * Per Clang documentation, "Note that marketing version numbers should not
54 * be used to check for language features, as different vendors use different
55 * numbering schemes. Instead, use the feature checking macros."
57 # ifndef __has_extension
58 # define __has_extension \
59 __has_feature /* compatibility, for older versions of clang */
61 # if __has_attribute(noinline)
62 # define MOZ_HAVE_NEVER_INLINE __attribute__((noinline))
64 # if __has_attribute(noreturn)
65 # define MOZ_HAVE_NORETURN __attribute__((noreturn))
67 #elif defined(__GNUC__)
68 # define MOZ_HAVE_NEVER_INLINE __attribute__((noinline))
69 # define MOZ_HAVE_NORETURN __attribute__((noreturn))
70 # define MOZ_HAVE_NORETURN_PTR __attribute__((noreturn))
74 * When built with clang analyzer (a.k.a. scan-build), define
75 * MOZ_HAVE_ANALYZER_NORETURN to mark some false positives.
77 #ifdef __clang_analyzer__
78 # if __has_extension(attribute_analyzer_noreturn)
79 # define MOZ_HAVE_ANALYZER_NORETURN __attribute__((analyzer_noreturn))
84 * MOZ_NEVER_INLINE is a macro which expands to tell the compiler that the
85 * method decorated with it must never be inlined, even if the compiler would
86 * otherwise choose to inline the method. Compilers aren't absolutely
87 * guaranteed to support this, but most do.
89 #if defined(MOZ_HAVE_NEVER_INLINE)
90 # define MOZ_NEVER_INLINE MOZ_HAVE_NEVER_INLINE
92 # define MOZ_NEVER_INLINE /* no support */
96 * MOZ_NEVER_INLINE_DEBUG is a macro which expands to MOZ_NEVER_INLINE
97 * in debug builds, and nothing in opt builds.
100 # define MOZ_NEVER_INLINE_DEBUG MOZ_NEVER_INLINE
102 # define MOZ_NEVER_INLINE_DEBUG /* don't inline in opt builds */
105 * MOZ_NORETURN, specified at the start of a function declaration, indicates
106 * that the given function does not return. (The function definition does not
107 * need to be annotated.)
109 * MOZ_NORETURN void abort(const char* msg);
111 * This modifier permits the compiler to optimize code assuming a call to such a
112 * function will never return. It also enables the compiler to avoid spurious
113 * warnings about not initializing variables, or about any other seemingly-dodgy
114 * operations performed after the function returns.
116 * There are two variants. The GCC version of NORETURN may be applied to a
117 * function pointer, while for MSVC it may not.
119 * This modifier does not affect the corresponding function's linking behavior.
121 #if defined(MOZ_HAVE_NORETURN)
122 # define MOZ_NORETURN MOZ_HAVE_NORETURN
124 # define MOZ_NORETURN /* no support */
126 #if defined(MOZ_HAVE_NORETURN_PTR)
127 # define MOZ_NORETURN_PTR MOZ_HAVE_NORETURN_PTR
129 # define MOZ_NORETURN_PTR /* no support */
133 * MOZ_COLD tells the compiler that a function is "cold", meaning infrequently
134 * executed. This may lead it to optimize for size more aggressively than speed,
135 * or to allocate the body of the function in a distant part of the text segment
136 * to help keep it from taking up unnecessary icache when it isn't in use.
138 * Place this attribute at the very beginning of a function definition. For
141 * MOZ_COLD int foo();
145 * MOZ_COLD int foo() { return 42; }
147 #if defined(__GNUC__) || defined(__clang__)
148 # define MOZ_COLD __attribute__((cold))
154 * MOZ_NONNULL tells the compiler that some of the arguments to a function are
155 * known to be non-null. The arguments are a list of 1-based argument indexes
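156 * identifying arguments which are known to be non-null. The compiler may rely on this and optimize away null checks on those arguments inside the function, so the annotation is only safe when no caller can pass null.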
158 * Place this attribute at the very beginning of a function definition. For
161 * MOZ_NONNULL(1, 2) int foo(char *p, char *q);
163 #if defined(__GNUC__) || defined(__clang__)
164 # define MOZ_NONNULL(...) __attribute__((nonnull(__VA_ARGS__)))
166 # define MOZ_NONNULL(...)
170 * MOZ_NONNULL_RETURN tells the compiler that the function's return value is
171 * guaranteed to be a non-null pointer, which may enable the compiler to
172 * optimize better at call sites.
174 * Place this attribute at the end of a function declaration. For example,
176 * char* foo(char *p, char *q) MOZ_NONNULL_RETURN;
178 #if defined(__GNUC__) || defined(__clang__)
179 # define MOZ_NONNULL_RETURN __attribute__((returns_nonnull))
181 # define MOZ_NONNULL_RETURN
185 * MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS, specified at the end of a function
186 * declaration, indicates that for the purposes of static analysis, this
187 * function does not return. (The function definition does not need to be
190 * MOZ_ReportCrash(const char* s, const char* file, int ln)
191 * MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS
193 * Some static analyzers, like scan-build from clang, can use this information
194 * to eliminate false positives. From the upstream documentation of scan-build:
195 * "This attribute is useful for annotating assertion handlers that actually
196 * can return, but for the purpose of using the analyzer we want to pretend
197 * that such functions do not return."
200 #if defined(MOZ_HAVE_ANALYZER_NORETURN)
201 # define MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS MOZ_HAVE_ANALYZER_NORETURN
203 # define MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS /* no support */
207 * MOZ_ASAN_BLACKLIST is a macro to tell AddressSanitizer (a compile-time
208 * instrumentation shipped with Clang and GCC) to not instrument the annotated
209 * function. Furthermore, it will prevent the compiler from inlining the
210 * function because inlining currently breaks the blacklisting mechanism of
213 #if defined(__has_feature)
214 # if __has_feature(address_sanitizer)
215 # define MOZ_HAVE_ASAN_BLACKLIST
217 #elif defined(__GNUC__)
218 # if defined(__SANITIZE_ADDRESS__)
219 # define MOZ_HAVE_ASAN_BLACKLIST
223 #if defined(MOZ_HAVE_ASAN_BLACKLIST)
224 # define MOZ_ASAN_BLACKLIST \
225 MOZ_NEVER_INLINE __attribute__((no_sanitize_address))
227 # define MOZ_ASAN_BLACKLIST /* nothing */
231 * MOZ_TSAN_BLACKLIST is a macro to tell ThreadSanitizer (a compile-time
232 * instrumentation shipped with Clang) to not instrument the annotated function.
233 * Furthermore, it will prevent the compiler from inlining the function because
234 * inlining currently breaks the blacklisting mechanism of ThreadSanitizer.
236 #if defined(__has_feature)
237 # if __has_feature(thread_sanitizer)
238 # define MOZ_TSAN_BLACKLIST \
239 MOZ_NEVER_INLINE __attribute__((no_sanitize_thread))
241 # define MOZ_TSAN_BLACKLIST /* nothing */
244 # define MOZ_TSAN_BLACKLIST /* nothing */
247 #if defined(__has_attribute)
248 # if __has_attribute(no_sanitize)
249 # define MOZ_HAVE_NO_SANITIZE_ATTR
254 # ifdef MOZ_HAVE_NO_SANITIZE_ATTR
255 # define MOZ_HAVE_UNSIGNED_OVERFLOW_SANITIZE_ATTR
256 # define MOZ_HAVE_SIGNED_OVERFLOW_SANITIZE_ATTR
261 * MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW disables *un*signed integer overflow
262 * checking on the function it annotates, in builds configured to perform it.
263 * (Currently this is only Clang using -fsanitize=unsigned-integer-overflow, or
264 * via --enable-unsigned-overflow-sanitizer in Mozilla's build system.) It has
265 * no effect in other builds.
267 * Place this attribute at the very beginning of a function declaration.
269 * Unsigned integer overflow isn't *necessarily* a bug. It's well-defined in
270 * C/C++, and code may reasonably depend upon it. For example,
272 * MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW inline bool
273 * IsDecimal(char aChar)
275 * // For chars less than '0', unsigned integer underflow occurs, to a value
276 * // much greater than 10, so the overall test is false.
277 * // For chars greater than '0', no overflow occurs, and only '0' to '9'
278 * // pass the overall test.
279 * return static_cast<unsigned int>(aChar) - '0' < 10;
282 * But even well-defined unsigned overflow often causes bugs when it occurs, so
283 * it should be restricted to functions annotated with this attribute.
285 * The compiler instrumentation to detect unsigned integer overflow has costs
286 * both at compile time and at runtime. Functions that are repeatedly inlined
287 * at compile time will also implicitly inline the necessary instrumentation,
288 * increasing compile time. Similarly, frequently-executed functions that
289 * require large amounts of instrumentation will also notice significant runtime
290 * slowdown to execute that instrumentation. Use this attribute to eliminate
291 * those costs -- but only after carefully verifying that no overflow can occur.
293 #ifdef MOZ_HAVE_UNSIGNED_OVERFLOW_SANITIZE_ATTR
294 # define MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW \
295 __attribute__((no_sanitize("unsigned-integer-overflow")))
297 # define MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW /* nothing */
301 * MOZ_NO_SANITIZE_SIGNED_OVERFLOW disables *signed* integer overflow checking
302 * on the function it annotates, in builds configured to perform it. (Currently
303 * this is only Clang using -fsanitize=signed-integer-overflow, or via
304 * --enable-signed-overflow-sanitizer in Mozilla's build system. GCC support
305 * will probably be added in the future.) It has no effect in other builds.
307 * Place this attribute at the very beginning of a function declaration.
309 * Signed integer overflow is undefined behavior in C/C++: *anything* can happen
310 * when it occurs. *Maybe* wraparound behavior will occur, but maybe also the
311 * compiler will assume no overflow happens and will adversely optimize the rest
312 * of your code. Code that contains signed integer overflow needs to be fixed.
314 * The compiler instrumentation to detect signed integer overflow has costs both
315 * at compile time and at runtime. Functions that are repeatedly inlined at
316 * compile time will also implicitly inline the necessary instrumentation,
317 * increasing compile time. Similarly, frequently-executed functions that
318 * require large amounts of instrumentation will also notice significant runtime
319 * slowdown to execute that instrumentation. Use this attribute to eliminate
320 * those costs -- but only after carefully verifying that no overflow can occur.
322 #ifdef MOZ_HAVE_SIGNED_OVERFLOW_SANITIZE_ATTR
323 # define MOZ_NO_SANITIZE_SIGNED_OVERFLOW \
324 __attribute__((no_sanitize("signed-integer-overflow")))
326 # define MOZ_NO_SANITIZE_SIGNED_OVERFLOW /* nothing */
329 #undef MOZ_HAVE_NO_SANITIZE_ATTR
332 * MOZ_ALLOCATOR tells the compiler that the function it marks returns either a
333 * "fresh", "pointer-free" block of memory, or nullptr. "Fresh" means that the
334 * block is not pointed to by any other reachable pointer in the program.
335 * "Pointer-free" means that the block contains no pointers to any valid object
336 * in the program. It may be initialized with other (non-pointer) values.
338 * Placing this attribute on appropriate functions helps GCC analyze pointer
339 * aliasing more accurately in their callers.
341 * GCC warns if a caller ignores the value returned by a function marked with
342 * MOZ_ALLOCATOR: it is hard to imagine cases where dropping the value returned
343 * by a function that meets the criteria above would be intentional.
345 * Place this attribute after the argument list and 'this' qualifiers of a
346 * function definition. For example, write
348 * void *my_allocator(size_t) MOZ_ALLOCATOR;
352 * void *my_allocator(size_t bytes) MOZ_ALLOCATOR { ... }
354 #if defined(__GNUC__) || defined(__clang__)
355 # define MOZ_ALLOCATOR __attribute__((malloc, warn_unused_result))
356 # define MOZ_INFALLIBLE_ALLOCATOR \
357 __attribute__((malloc, warn_unused_result, returns_nonnull))
359 # define MOZ_ALLOCATOR
360 # define MOZ_INFALLIBLE_ALLOCATOR
364 * MOZ_MUST_USE tells the compiler to emit a warning if a function's
365 * return value is not used by the caller.
367 * Place this attribute at the very beginning of a function declaration. For
370 * MOZ_MUST_USE int foo();
372 * MOZ_MUST_USE int foo() { return 42; }
374 * MOZ_MUST_USE is most appropriate for functions where the return value is
375 * some kind of success/failure indicator -- often |nsresult|, |bool| or |int|
376 * -- because these functions are most commonly the ones that have missing
377 * checks. There are three cases of note.
379 * - Fallible functions whose return values should always be checked. For
380 * example, a function that opens a file should always be checked because any
381 * subsequent operations on the file will fail if opening it fails. Such
382 * functions should be given a MOZ_MUST_USE annotation.
384 * - Fallible functions whose return value need not always be checked. For
385 * example, a function that closes a file might not be checked because it's
386 * common that no further operations would be performed on the file. Such
387 * functions do not need a MOZ_MUST_USE annotation.
389 * - Infallible functions, i.e. ones that always return a value indicating
390 * success. These do not need a MOZ_MUST_USE annotation. Ideally, they would
391 * be converted to not return a success/failure indicator, though sometimes
392 * interface constraints prevent this.
394 #if defined(__GNUC__) || defined(__clang__)
395 # define MOZ_MUST_USE __attribute__((warn_unused_result))
397 # define MOZ_MUST_USE
401 * MOZ_MAYBE_UNUSED suppresses compiler warnings about functions that are
402 * never called (in this build configuration, at least).
404 * Place this attribute at the very beginning of a function declaration. For
407 * MOZ_MAYBE_UNUSED int foo();
411 * MOZ_MAYBE_UNUSED int foo() { return 42; }
413 #if defined(__GNUC__) || defined(__clang__)
414 # define MOZ_MAYBE_UNUSED __attribute__((__unused__))
415 #elif defined(_MSC_VER)
416 # define MOZ_MAYBE_UNUSED __pragma(warning(suppress : 4505))
418 # define MOZ_MAYBE_UNUSED
424 * C++11 lets unions contain members that have non-trivial special member
425 * functions (default/copy/move constructor, copy/move assignment operator,
426 * destructor) if the user defines the corresponding functions on the union.
427 * (Such user-defined functions must rely on external knowledge about which arm
428 * is active to be safe. Be extra-careful defining these functions!)
430 * MSVC unfortunately warns/errors for this bog-standard C++11 pattern. Use
431 * these macro-guards around such member functions to disable the warnings:
438 * MOZ_PUSH_DISABLE_NONTRIVIAL_UNION_WARNINGS
440 * // |U| must have a user-defined default constructor because |std::string|
441 * // has a non-trivial default constructor.
444 * // |U| must have a user-defined destructor because |std::string| has a
445 * // non-trivial destructor.
448 * MOZ_POP_DISABLE_NONTRIVIAL_UNION_WARNINGS
451 # if defined(_MSC_VER)
452 # define MOZ_PUSH_DISABLE_NONTRIVIAL_UNION_WARNINGS \
453 __pragma(warning(push)) __pragma(warning(disable : 4582)) \
454 __pragma(warning(disable : 4583))
455 # define MOZ_POP_DISABLE_NONTRIVIAL_UNION_WARNINGS __pragma(warning(pop))
457 # define MOZ_PUSH_DISABLE_NONTRIVIAL_UNION_WARNINGS /* nothing */
458 # define MOZ_POP_DISABLE_NONTRIVIAL_UNION_WARNINGS /* nothing */
462 * The following macros are attributes that support the static analysis plugin
463 * included with Mozilla, and will be implemented (when such support is enabled)
464 * as C++11 attributes. Since such attributes are legal pretty much everywhere
465 * and have subtly different semantics depending on their placement, the
466 * following is a guide on where to place the attributes.
468 * Attributes that apply to a struct or class precede the name of the class:
469 * (Note that this is different from the placement of final for classes!)
471 * class MOZ_CLASS_ATTRIBUTE SomeClass {};
473 * Attributes that apply to functions follow the parentheses and const
474 * qualifiers but precede final, override and the function body:
476 * void DeclaredFunction() MOZ_FUNCTION_ATTRIBUTE;
477 * void SomeFunction() MOZ_FUNCTION_ATTRIBUTE {}
478 * void PureFunction() const MOZ_FUNCTION_ATTRIBUTE = 0;
479 * void OverriddenFunction() MOZ_FUNCTION_ATTRIBUTE override;
481 * Attributes that apply to variables or parameters follow the variable's name:
483 * int variable MOZ_VARIABLE_ATTRIBUTE;
485 * Attributes that apply to types follow the type name:
487 * typedef int MOZ_TYPE_ATTRIBUTE MagicInt;
488 * int MOZ_TYPE_ATTRIBUTE someVariable;
489 * int* MOZ_TYPE_ATTRIBUTE magicPtrInt;
490 * int MOZ_TYPE_ATTRIBUTE* ptrToMagicInt;
492 * Attributes that apply to statements precede the statement:
494 * MOZ_IF_ATTRIBUTE if (x == 0)
495 * MOZ_DO_ATTRIBUTE do { } while (0);
497 * Attributes that apply to labels precede the label:
499 * MOZ_LABEL_ATTRIBUTE target:
501 * MOZ_CASE_ATTRIBUTE case 5:
502 * MOZ_DEFAULT_ATTRIBUTE default:
504 * The static analyses that are performed by the plugin are as follows:
506 * MOZ_CAN_RUN_SCRIPT: Applies to functions which can run script. Callers of
507 * this function must also be marked as MOZ_CAN_RUN_SCRIPT, and all refcounted
508 * arguments must be strongly held in the caller. Note that MOZ_CAN_RUN_SCRIPT
509 * should only be applied to function declarations, not definitions. If you
510 * need to apply it to a definition (eg because both are generated by a macro)
511 * use MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION.
513 * MOZ_CAN_RUN_SCRIPT can be applied to XPIDL-generated declarations by
514 * annotating the method or attribute as [can_run_script] in the .idl file.
516 * MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION: Same as MOZ_CAN_RUN_SCRIPT, but usable on
517 * a definition. If the declaration is in a header file, users of that header
518 * file may not see the annotation.
519 * MOZ_CAN_RUN_SCRIPT_BOUNDARY: Applies to functions which need to call
520 * MOZ_CAN_RUN_SCRIPT functions, but should not themselves be considered
521 * MOZ_CAN_RUN_SCRIPT. This should generally be avoided but can be used in
523 * 1) As a temporary measure to limit the scope of changes when adding
524 * MOZ_CAN_RUN_SCRIPT. Such a use must be accompanied by a follow-up bug
525 * to replace the MOZ_CAN_RUN_SCRIPT_BOUNDARY with MOZ_CAN_RUN_SCRIPT and
526 * a comment linking to that bug.
527 * 2) If we can reason that the MOZ_CAN_RUN_SCRIPT callees of the function
528 * do not in fact run script (for example, because their behavior depends
529 * on arguments and we pass the arguments that don't allow script
530 * execution). Such a use must be accompanied by a comment that explains
531 * why it's OK to have the MOZ_CAN_RUN_SCRIPT_BOUNDARY, as well as
532 * comments in the callee pointing out that if its behavior changes the
533 * caller might need adjusting. And perhaps also a followup bug to
534 * refactor things so the "script" and "no script" codepaths do not share
536 * Importantly, any use MUST be accompanied by a comment explaining why it's
537 * there, and should ideally have an action plan for getting rid of the
538 * MOZ_CAN_RUN_SCRIPT_BOUNDARY annotation.
539 * MOZ_MUST_OVERRIDE: Applies to all C++ member functions. All immediate
540 * subclasses must provide an exact override of this method; if a subclass
541 * does not override this method, the compiler will emit an error. This
542 * attribute is not limited to virtual methods, so if it is applied to a
543 * nonvirtual method and the subclass does not provide an equivalent
544 * definition, the compiler will emit an error.
545 * MOZ_STATIC_CLASS: Applies to all classes. Any class with this annotation is
546 * expected to live in static memory, so it is a compile-time error to use
547 * it, or an array of such objects, as the type of a variable declaration, or
548 * as a temporary object, or as the type of a new expression (unless
549 * placement new is being used). If a member of another class uses this
550 * class, or if another class inherits from this class, then it is considered
551 * to be a static class as well, although this attribute need not be provided
553 * MOZ_STATIC_LOCAL_CLASS: Applies to all classes. Any class with this
554 * annotation is expected to be a static local variable, so it is
555 * a compile-time error to use it, or an array of such objects, or as a
556 * temporary object, or as the type of a new expression. If another class
557 * inherits from this class then it is considered to be a static local
558 * class as well, although this attribute need not be provided in such cases.
559 * It is also a compile-time error for any class with this annotation to have
560 * a non-trivial destructor.
561 * MOZ_STACK_CLASS: Applies to all classes. Any class with this annotation is
562 * expected to live on the stack, so it is a compile-time error to use it, or
563 * an array of such objects, as a global or static variable, or as the type of
564 * a new expression (unless placement new is being used). If a member of
565 * another class uses this class, or if another class inherits from this
566 * class, then it is considered to be a stack class as well, although this
567 * attribute need not be provided in such cases.
568 * MOZ_NONHEAP_CLASS: Applies to all classes. Any class with this annotation is
569 * expected to live on the stack or in static storage, so it is a compile-time
570 * error to use it, or an array of such objects, as the type of a new
571 * expression. If a member of another class uses this class, or if another
572 * class inherits from this class, then it is considered to be a non-heap
573 * class as well, although this attribute need not be provided in such cases.
574 * MOZ_HEAP_CLASS: Applies to all classes. Any class with this annotation is
575 * expected to live on the heap, so it is a compile-time error to use it, or
576 * an array of such objects, as the type of a variable declaration, or as a
577 * temporary object. If a member of another class uses this class, or if
578 * another class inherits from this class, then it is considered to be a heap
579 * class as well, although this attribute need not be provided in such cases.
580 * MOZ_NON_TEMPORARY_CLASS: Applies to all classes. Any class with this
581 * annotation is expected not to live in a temporary. If a member of another
582 * class uses this class or if another class inherits from this class, then it
583 * is considered to be a non-temporary class as well, although this attribute
584 * need not be provided in such cases.
585 * MOZ_TEMPORARY_CLASS: Applies to all classes. Any class with this annotation
586 * is expected to only live in a temporary. If another class inherits from
587 * this class, then it is considered to be a temporary class as well,
588 * although this attribute need not be provided in such cases.
589 * MOZ_RAII: Applies to all classes. Any class with this annotation is assumed
590 * to be a RAII guard, which is expected to live on the stack in an automatic
591 * allocation. It is prohibited from being allocated in a temporary, static
592 * storage, or on the heap. This is a combination of MOZ_STACK_CLASS and
593 * MOZ_NON_TEMPORARY_CLASS.
594 * MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS: Applies to all classes that are
595 * intended to prevent introducing static initializers. This attribute
596 * currently makes it a compile-time error to instantiate these classes
597 * anywhere other than at the global scope, or as a static member of a class.
598 * In non-debug mode, it also prohibits non-trivial constructors and
600 * MOZ_TRIVIAL_CTOR_DTOR: Applies to all classes that must have both a trivial
601 * or constexpr constructor and a trivial destructor. Setting this attribute
602 * on a class makes it a compile-time error for that class to get a
603 * non-trivial constructor or destructor for any reason.
604 * MOZ_ALLOW_TEMPORARY: Applies to constructors. This indicates that using the
605 * constructor is allowed in temporary expressions, if it would have otherwise
606 * been forbidden by the type being a MOZ_NON_TEMPORARY_CLASS. Useful for
607 * constructors like Maybe(Nothing).
608 * MOZ_HEAP_ALLOCATOR: Applies to any function. This indicates that the return
609 * value is allocated on the heap, and will as a result check such allocations
610 * during MOZ_STACK_CLASS and MOZ_NONHEAP_CLASS annotation checking.
611 * MOZ_IMPLICIT: Applies to constructors. Implicit conversion constructors
612 * are disallowed by default unless they are marked as MOZ_IMPLICIT. This
613 * attribute must be used for constructors which intend to provide implicit
615 * MOZ_IS_REFPTR: Applies to class declarations of ref pointer to mark them as
616 * such for use with static-analysis.
617 * A ref pointer is an object wrapping a pointer and automatically taking care
618 * of its refcounting upon construction/destruction/transfer of ownership.
619 * This annotation implies MOZ_IS_SMARTPTR_TO_REFCOUNTED.
620 * MOZ_IS_SMARTPTR_TO_REFCOUNTED: Applies to class declarations of smart
621 * pointers to ref counted classes to mark them as such for use with
623 * MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT: Applies to functions. Makes it a compile
624 * time error to pass arithmetic expressions on variables to the function.
625 * MOZ_OWNING_REF: Applies to declarations of pointers to reference counted
626 * types. This attribute tells the compiler that the raw pointer is a strong
627 * reference, where ownership through methods such as AddRef and Release is
628 * managed manually. This can make the compiler ignore these pointers when
629 * validating the usage of pointers otherwise.
631 * Example uses include owned pointers inside of unions, and pointers stored
632 * in POD types where using a smart pointer class would make the object
634 * MOZ_NON_OWNING_REF: Applies to declarations of pointers to reference counted
635 * types. This attribute tells the compiler that the raw pointer is a weak
636 * reference, which is ensured to be valid by a guarantee that the reference
637 * will be nulled before the pointer becomes invalid. This can make the
638 * compiler ignore these pointers when validating the usage of pointers
641 * Examples include an mOwner pointer, which is nulled by the owning class's
642 * destructor, and is null-checked before dereferencing.
643 * MOZ_UNSAFE_REF: Applies to declarations of pointers to reference counted
644 * types. Occasionally there are non-owning references which are valid, but
645 * do not take the form of a MOZ_NON_OWNING_REF. Their safety may be
646 * dependent on the behaviour of API consumers. The string argument passed
647 * to this macro documents the safety conditions. This can make the compiler
648 * ignore these pointers when validating the usage of pointers elsewhere.
650 * Examples include an nsAtom* member which is known at compile time to point
651 * to a static atom which is valid throughout the lifetime of the program, or
652 * an API which stores a pointer, but doesn't take ownership over it, instead
653 * requiring the API consumer to correctly null the value before it becomes
656 * Use of this annotation is discouraged when a strong reference or one of
657 * the above two annotations can be used instead.
658 * MOZ_NO_ADDREF_RELEASE_ON_RETURN: Applies to function declarations. Makes it
659 * a compile time error to call AddRef or Release on the return value of a
660 * function. This is intended to be used with operator->() of our smart
661 * pointer classes to ensure that the refcount of an object wrapped in a
662 * smart pointer is not manipulated directly.
663 * MOZ_MUST_USE_TYPE: Applies to type declarations. Makes it a compile time
664 * error to not use the return value of a function which has this type. This
665 * is intended to be used with types which it is an error to not use.
666 * MOZ_NEEDS_NO_VTABLE_TYPE: Applies to template class declarations. Makes it
667 * a compile time error to instantiate this template with a type parameter
668 * which has a VTable.
669 * MOZ_NON_MEMMOVABLE: Applies to class declarations for types that are not safe
670 * to be moved in memory using memmove().
671 * MOZ_NEEDS_MEMMOVABLE_TYPE: Applies to template class declarations where the
672 * template arguments are required to be safe to move in memory using
673 * memmove(). Passing MOZ_NON_MEMMOVABLE types to these templates is a
674 * compile time error.
675 * MOZ_NEEDS_MEMMOVABLE_MEMBERS: Applies to class declarations where each member
676 * must be safe to move in memory using memmove(). MOZ_NON_MEMMOVABLE types
677 * used in members of these classes are compile time errors.
678 * MOZ_NO_DANGLING_ON_TEMPORARIES: Applies to method declarations which return
679 * a pointer that is freed when the destructor of the class is called. This
680 * prevents these methods from being called on temporaries of the class,
681 * reducing risks of use-after-free.
682 * This attribute cannot be applied to && methods.
683 * In some cases, adding a deleted &&-qualified overload is too restrictive as
684 * this method should still be callable as a non-escaping argument to another
685 * function. This annotation can be used in those cases.
686 * MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS: Applies to template class
687 * declarations where an instance of the template should be considered, for
688 * static analysis purposes, to inherit any type annotations (such as
689 * MOZ_MUST_USE_TYPE and MOZ_STACK_CLASS) from its template arguments.
690 * MOZ_INIT_OUTSIDE_CTOR: Applies to class member declarations. Occasionally
691 * there are class members that are not initialized in the constructor,
692 * but logic elsewhere in the class ensures they are initialized prior to use.
693 * Using this attribute on a member disables the check that this member must
694 * be initialized in constructors via list-initialization, in the constructor
695 * body, or via functions called from the constructor body.
696 * MOZ_IS_CLASS_INIT: Applies to class method declarations. Occasionally the
697 * constructor doesn't initialize all of the member variables and another
698 * function is used to initialize the rest. This marker is used to make the
699 * static analysis tool aware that the marked function is part of the
700 * initialization process and to include the marked function in the scan
701 * mechanism that determines which member variables still remain
703 * MOZ_NON_PARAM: Applies to types. Makes it a compile time error to use the
704 * type as a parameter without a pointer or reference.
705 * MOZ_NON_AUTOABLE: Applies to class declarations. Makes it a compile time
706 * error to use `auto` in place of this type in variable declarations. This
707 * is intended to be used with types which are intended to be implicitly
708 * constructed into other types before being assigned to variables.
709 * MOZ_REQUIRED_BASE_METHOD: Applies to virtual class method declarations.
710 * Sometimes derived classes override methods that need to be called by their
711 * overridden counterparts. This marker indicates that the marked method must
712 * be called by the method that it overrides.
713 * MOZ_MUST_RETURN_FROM_CALLER_IF_THIS_IS_ARG: Applies to method declarations.
714 * Callers of the annotated method must return from that function within the
715 * calling block using an explicit `return` statement if the "this" value for
716 * the call is a parameter of the caller. Only calls to Constructors,
717 * references to local and member variables, and calls to functions or methods
718 * marked as MOZ_MAY_CALL_AFTER_MUST_RETURN may be made after the
719 * MOZ_MUST_RETURN_FROM_CALLER_IF_THIS_IS_ARG call.
720 * MOZ_MAY_CALL_AFTER_MUST_RETURN: Applies to function or method declarations.
721 * Calls to these methods may be made in functions after calls to a
722 * MOZ_MUST_RETURN_FROM_CALLER_IF_THIS_IS_ARG method.
723 * MOZ_LIFETIME_BOUND: Applies to method declarations.
724 * The result of calling these functions on temporaries may not be returned as
725 * a reference or bound to a reference variable.
728 // gcc emits a nuisance warning -Wignored-attributes because attributes do not
729 // affect mangled names, and therefore template arguments do not propagate
730 // their attributes. It is rare that this would affect anything in practice,
731 // and most compilers are silent about it. Similarly, -Wattributes complains
732 // about attributes being ignored during template instantiation.
734 // Be conservative and only suppress the warning when running in a
735 // configuration where it would be emitted, namely when compiling with the
736 // XGILL_PLUGIN for the rooting hazard analysis (which runs under gcc.) If we
737 // end up wanting these attributes in general GCC builds, change this to
740 // #if defined(__GNUC__) && ! defined(__clang__)
/* Silences the two GCC attribute warnings discussed in the comment above.
 * NOTE(review): no "diagnostic push"/"diagnostic pop" pair is visible around
 * these pragmas in this listing, so the suppression presumably stays in effect
 * for every file that includes this header afterwards -- confirm that this
 * scope is intended. */
743 # pragma GCC diagnostic ignored "-Wignored-attributes"
744 # pragma GCC diagnostic ignored "-Wattributes"
/* Static-analysis configuration (MOZ_CLANG_PLUGIN or XGILL_PLUGIN defined):
 * each macro below expands to an annotate attribute carrying a string tag.
 * The attribute itself checks nothing; the restrictions documented above are
 * presumably enforced by the analysis plugin that reads these tags. */
747 # if defined(MOZ_CLANG_PLUGIN) || defined(XGILL_PLUGIN)
748 # define MOZ_CAN_RUN_SCRIPT __attribute__((annotate("moz_can_run_script")))
/* Carries the same tag as MOZ_CAN_RUN_SCRIPT. */
749 # define MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION \
750 __attribute__((annotate("moz_can_run_script")))
751 # define MOZ_CAN_RUN_SCRIPT_BOUNDARY \
752 __attribute__((annotate("moz_can_run_script_boundary")))
753 # define MOZ_MUST_OVERRIDE __attribute__((annotate("moz_must_override")))
/* Note the tag: MOZ_STATIC_CLASS is spelled "moz_global_class". */
754 # define MOZ_STATIC_CLASS __attribute__((annotate("moz_global_class")))
/* Applies two tags at once: static-local class and trivial destructor. */
755 # define MOZ_STATIC_LOCAL_CLASS \
756 __attribute__((annotate("moz_static_local_class"))) \
757 __attribute__((annotate("moz_trivial_dtor")))
758 # define MOZ_STACK_CLASS __attribute__((annotate("moz_stack_class")))
759 # define MOZ_NONHEAP_CLASS __attribute__((annotate("moz_nonheap_class")))
760 # define MOZ_HEAP_CLASS __attribute__((annotate("moz_heap_class")))
761 # define MOZ_NON_TEMPORARY_CLASS \
762 __attribute__((annotate("moz_non_temporary_class")))
763 # define MOZ_TEMPORARY_CLASS __attribute__((annotate("moz_temporary_class")))
764 # define MOZ_TRIVIAL_CTOR_DTOR \
765 __attribute__((annotate("moz_trivial_ctor_dtor")))
766 # define MOZ_ALLOW_TEMPORARY __attribute__((annotate("moz_allow_temporary")))
768 /* in debug builds, these classes do have non-trivial constructors. */
/* NOTE(review): two alternative definitions of the same macro follow; the
 * conditional that selects between them is not visible in this listing.
 * Going by the comment above, the first one (which omits
 * MOZ_TRIVIAL_CTOR_DTOR) is presumably the debug-build variant -- confirm. */
769 # define MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS \
770 __attribute__((annotate("moz_global_class")))
772 # define MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS \
773 __attribute__((annotate("moz_global_class"))) MOZ_TRIVIAL_CTOR_DTOR
775 # define MOZ_IMPLICIT __attribute__((annotate("moz_implicit")))
776 # define MOZ_IS_SMARTPTR_TO_REFCOUNTED \
777 __attribute__((annotate("moz_is_smartptr_to_refcounted")))
/* Alias: MOZ_IS_REFPTR expands to MOZ_IS_SMARTPTR_TO_REFCOUNTED. */
778 # define MOZ_IS_REFPTR MOZ_IS_SMARTPTR_TO_REFCOUNTED
779 # define MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT \
780 __attribute__((annotate("moz_no_arith_expr_in_arg")))
781 # define MOZ_OWNING_REF __attribute__((annotate("moz_owning_ref")))
782 # define MOZ_NON_OWNING_REF __attribute__((annotate("moz_non_owning_ref")))
/* The `reason` argument does not appear in the expansion: it documents the
 * call site for human readers only and is never seen by the analysis. */
783 # define MOZ_UNSAFE_REF(reason) __attribute__((annotate("moz_unsafe_ref")))
784 # define MOZ_NO_ADDREF_RELEASE_ON_RETURN \
785 __attribute__((annotate("moz_no_addref_release_on_return")))
786 # define MOZ_MUST_USE_TYPE __attribute__((annotate("moz_must_use_type")))
787 # define MOZ_NEEDS_NO_VTABLE_TYPE \
788 __attribute__((annotate("moz_needs_no_vtable_type")))
789 # define MOZ_NON_MEMMOVABLE __attribute__((annotate("moz_non_memmovable")))
790 # define MOZ_NEEDS_MEMMOVABLE_TYPE \
791 __attribute__((annotate("moz_needs_memmovable_type")))
792 # define MOZ_NEEDS_MEMMOVABLE_MEMBERS \
793 __attribute__((annotate("moz_needs_memmovable_members")))
794 # define MOZ_NO_DANGLING_ON_TEMPORARIES \
795 __attribute__((annotate("moz_no_dangling_on_temporaries")))
/* NOTE(review): the parentheses in the next definition do not balance as
 * shown; a continuation line between the two lines below appears to be
 * missing from this listing. */
796 # define MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS \
798 (annotate("moz_inherit_type_annotations_from_template_args")))
799 # define MOZ_NON_AUTOABLE __attribute__((annotate("moz_non_autoable")))
/* These two expand to nothing even in this configuration, so no tag from
 * them reaches the analysis through the attribute mechanism used above. */
800 # define MOZ_INIT_OUTSIDE_CTOR
801 # define MOZ_IS_CLASS_INIT
802 # define MOZ_NON_PARAM __attribute__((annotate("moz_non_param")))
803 # define MOZ_REQUIRED_BASE_METHOD \
804 __attribute__((annotate("moz_required_base_method")))
805 # define MOZ_MUST_RETURN_FROM_CALLER_IF_THIS_IS_ARG \
806 __attribute__((annotate("moz_must_return_from_caller_if_this_is_arg")))
807 # define MOZ_MAY_CALL_AFTER_MUST_RETURN \
808 __attribute__((annotate("moz_may_call_after_must_return")))
809 # define MOZ_LIFETIME_BOUND __attribute__((annotate("moz_lifetime_bound")))
812 * It turns out that clang doesn't like void func() __attribute__ {} without a
813 * warning, so use pragmas to disable the warning.
/* Variant with pragmas: the annotation is bracketed by a clang diagnostic
 * push/pop pair, so -Wgcc-compat is ignored for this one attribute only and
 * the previous diagnostic state is restored afterwards. */
816 # define MOZ_HEAP_ALLOCATOR \
817 _Pragma("clang diagnostic push") \
818 _Pragma("clang diagnostic ignored \"-Wgcc-compat\"") \
819 __attribute__((annotate("moz_heap_allocator"))) \
820 _Pragma("clang diagnostic pop")
/* Variant without pragmas: the bare annotation.
 * NOTE(review): the conditional choosing between the two definitions is not
 * visible in this listing. */
822 # define MOZ_HEAP_ALLOCATOR __attribute__((annotate("moz_heap_allocator")))
/* Fallback definitions: every annotation expands to nothing. In a build that
 * takes this branch the restrictions documented above (for example
 * MOZ_NO_DANGLING_ON_TEMPORARIES, described as reducing use-after-free risk,
 * or MOZ_MUST_USE_TYPE) produce no diagnostics from these macros; an ordinary
 * compile succeeding therefore says nothing about whether they hold.
 * NOTE(review): presumably this is the branch taken when neither
 * MOZ_CLANG_PLUGIN nor XGILL_PLUGIN is defined -- the separating directive is
 * not visible in this listing. */
825 # define MOZ_CAN_RUN_SCRIPT /* nothing */
826 # define MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION /* nothing */
827 # define MOZ_CAN_RUN_SCRIPT_BOUNDARY /* nothing */
828 # define MOZ_MUST_OVERRIDE /* nothing */
829 # define MOZ_STATIC_CLASS /* nothing */
830 # define MOZ_STATIC_LOCAL_CLASS /* nothing */
831 # define MOZ_STACK_CLASS /* nothing */
832 # define MOZ_NONHEAP_CLASS /* nothing */
833 # define MOZ_HEAP_CLASS /* nothing */
834 # define MOZ_NON_TEMPORARY_CLASS /* nothing */
835 # define MOZ_TEMPORARY_CLASS /* nothing */
836 # define MOZ_TRIVIAL_CTOR_DTOR /* nothing */
837 # define MOZ_ALLOW_TEMPORARY /* nothing */
838 # define MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS /* nothing */
839 # define MOZ_IMPLICIT /* nothing */
840 # define MOZ_IS_SMARTPTR_TO_REFCOUNTED /* nothing */
841 # define MOZ_IS_REFPTR /* nothing */
842 # define MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT /* nothing */
843 # define MOZ_HEAP_ALLOCATOR /* nothing */
844 # define MOZ_OWNING_REF /* nothing */
845 # define MOZ_NON_OWNING_REF /* nothing */
/* Keeps the one-argument form so call sites are written the same way in
 * either configuration; the argument is discarded. */
846 # define MOZ_UNSAFE_REF(reason) /* nothing */
847 # define MOZ_NO_ADDREF_RELEASE_ON_RETURN /* nothing */
848 # define MOZ_MUST_USE_TYPE /* nothing */
849 # define MOZ_NEEDS_NO_VTABLE_TYPE /* nothing */
850 # define MOZ_NON_MEMMOVABLE /* nothing */
851 # define MOZ_NEEDS_MEMMOVABLE_TYPE /* nothing */
852 # define MOZ_NEEDS_MEMMOVABLE_MEMBERS /* nothing */
853 # define MOZ_NO_DANGLING_ON_TEMPORARIES /* nothing */
854 # define MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS /* nothing */
855 # define MOZ_INIT_OUTSIDE_CTOR /* nothing */
856 # define MOZ_IS_CLASS_INIT /* nothing */
857 # define MOZ_NON_PARAM /* nothing */
858 # define MOZ_NON_AUTOABLE /* nothing */
859 # define MOZ_REQUIRED_BASE_METHOD /* nothing */
860 # define MOZ_MUST_RETURN_FROM_CALLER_IF_THIS_IS_ARG /* nothing */
861 # define MOZ_MAY_CALL_AFTER_MUST_RETURN /* nothing */
862 # define MOZ_LIFETIME_BOUND /* nothing */
863 # endif /* defined(MOZ_CLANG_PLUGIN) || defined(XGILL_PLUGIN) */
/* MOZ_RAII is shorthand for the pair MOZ_NON_TEMPORARY_CLASS MOZ_STACK_CLASS.
 * Where those two are defined as nothing, MOZ_RAII expands to nothing too. */
865 # define MOZ_RAII MOZ_NON_TEMPORARY_CLASS MOZ_STACK_CLASS
867 // gcc has different rules governing attribute placement. Since none of these
868 // attributes are actually used by the gcc-based static analysis, just
869 // eliminate them rather than updating all of the code.
/* Overrides the earlier definitions: from here on both macros expand to
 * nothing.
 * NOTE(review): the condition guarding this override is not visible in this
 * listing; the preceding comment indicates it targets the gcc-based
 * analysis -- confirm against the full file. */
872 # undef MOZ_MUST_OVERRIDE
873 # define MOZ_MUST_OVERRIDE /* nothing */
874 # undef MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION
875 # define MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION /* nothing */
878 #endif /* __cplusplus */
881 * Printf style formats. MOZ_FORMAT_PRINTF can be used to annotate a
882 * function or method that is "printf-like"; this will let (some)
883 * compilers check that the arguments match the template string.
885 * This macro takes two arguments. The first argument is the argument
886 * number of the template string. The second argument is the argument
887 * number of the '...' argument holding the arguments.
889 * Argument numbers start at 1. Note that the implicit "this"
890 * argument of a non-static member function counts as an argument.
892 * So, for a simple case like:
893 * void print_something (int whatever, const char *fmt, ...);
894 * The corresponding annotation would be
895 * MOZ_FORMAT_PRINTF(2, 3)
896 * However, if "print_something" were a non-static member function,
897 * then the annotation would be:
898 * MOZ_FORMAT_PRINTF(3, 4)
900 * The second argument should be 0 for vprintf-like functions; that
901 * is, those taking a va_list argument.
903 * Note that the checking is limited to standards-conforming
904 * printf-likes, and in particular this should not be used for
905 * PR_snprintf and friends, which are "printf-like" but which assign
906 * different meanings to the various formats.
908 * MinGW requires special handling due to different format specifiers
909 * on different platforms. The macro __MINGW_PRINTF_FORMAT maps to
910 * either gnu_printf or ms_printf depending on where we are compiling
911 * to avoid warnings on format specifiers that are legal.
/* First variant: format archetype taken from __MINGW_PRINTF_FORMAT. */
914 # define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck) \
915 __attribute__((format(__MINGW_PRINTF_FORMAT, stringIndex, firstToCheck)))
/* Second variant: the plain printf archetype. */
917 # define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck) \
918 __attribute__((format(printf, stringIndex, firstToCheck)))
/* Third variant: expands to nothing, so in that configuration a printf-like
 * function annotated with this macro gets no compile-time check of its
 * format string against its arguments.
 * NOTE(review): the conditionals selecting among the three variants are not
 * visible in this listing. */
920 # define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck)
924 * To manually declare an XPCOM ABI-compatible virtual function, the following
925 * macros can be used to handle the non-standard ABI used on Windows for COM
926 * compatibility. E.g.:
928 * virtual ReturnType MOZ_XPCOM_ABI foo();
/* Variant that requests the __stdcall calling convention. */
931 # define MOZ_XPCOM_ABI __stdcall
/* Variant that expands to nothing, leaving the default calling convention.
 * NOTE(review): the conditional choosing between the two is not visible in
 * this listing; the comment above ties __stdcall to Windows COM
 * compatibility. */
933 # define MOZ_XPCOM_ABI
936 #endif /* mozilla_Attributes_h */