| blob | 5744918ae2831998ac2b22c8bff2bb2f27b8bca0 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /* Implementations of various class and method modifier attributes. */
9 #ifndef mozilla_Attributes_h
10 #define mozilla_Attributes_h
14 /*
15 * MOZ_ALWAYS_INLINE is a macro which expands to tell the compiler that the
16 * method decorated with it must be inlined, even if the compiler thinks
17 * otherwise. This is only a (much) stronger version of the inline hint:
18 * compilers are not guaranteed to respect it (although they're much more likely
19 * to do so).
20 *
21 * The MOZ_ALWAYS_INLINE_EVEN_DEBUG macro is yet stronger. It tells the
22 * compiler to inline even in DEBUG builds. It should be used very rarely.
23 */
24 #if defined(_MSC_VER)
25 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG __forceinline
26 #elif defined(__GNUC__)
27 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG __attribute__((always_inline)) inline
28 #else
29 # define MOZ_ALWAYS_INLINE_EVEN_DEBUG inline
30 #endif
32 #if !defined(DEBUG)
33 # define MOZ_ALWAYS_INLINE MOZ_ALWAYS_INLINE_EVEN_DEBUG
34 #elif defined(_MSC_VER) && !defined(__cplusplus)
35 # define MOZ_ALWAYS_INLINE __inline
36 #else
37 # define MOZ_ALWAYS_INLINE inline
38 #endif
40 #if defined(_MSC_VER)
41 /*
42 * g++ requires -std=c++0x or -std=gnu++0x to support C++11 functionality
43 * without warnings (functionality used by the macros below). These modes are
44 * detectable by checking whether __GXX_EXPERIMENTAL_CXX0X__ is defined or, more
45 * standardly, by checking whether __cplusplus has a C++11 or greater value.
46 * Current versions of g++ do not correctly set __cplusplus, so we check both
47 * for forward compatibility.
48 */
49 # define MOZ_HAVE_NEVER_INLINE __declspec(noinline)
50 # define MOZ_HAVE_NORETURN __declspec(noreturn)
51 #elif defined(__clang__)
52 /*
53 * Per Clang documentation, "Note that marketing version numbers should not
54 * be used to check for language features, as different vendors use different
55 * numbering schemes. Instead, use the feature checking macros."
56 */
57 # ifndef __has_extension
58 # define __has_extension \
60 # endif
61 # if __has_attribute(noinline)
62 # define MOZ_HAVE_NEVER_INLINE __attribute__((noinline))
63 # endif
64 # if __has_attribute(noreturn)
65 # define MOZ_HAVE_NORETURN __attribute__((noreturn))
66 # endif
67 #elif defined(__GNUC__)
68 # define MOZ_HAVE_NEVER_INLINE __attribute__((noinline))
69 # define MOZ_HAVE_NORETURN __attribute__((noreturn))
70 # define MOZ_HAVE_NORETURN_PTR __attribute__((noreturn))
71 #endif
73 /*
74 * When built with clang analyzer (a.k.a scan-build), define MOZ_HAVE_NORETURN
75 * to mark some false positives
76 */
77 #ifdef __clang_analyzer__
78 # if __has_extension(attribute_analyzer_noreturn)
79 # define MOZ_HAVE_ANALYZER_NORETURN __attribute__((analyzer_noreturn))
80 # endif
81 #endif
83 /*
84 * MOZ_NEVER_INLINE is a macro which expands to tell the compiler that the
85 * method decorated with it must never be inlined, even if the compiler would
86 * otherwise choose to inline the method. Compilers aren't absolutely
87 * guaranteed to support this, but most do.
88 */
89 #if defined(MOZ_HAVE_NEVER_INLINE)
90 # define MOZ_NEVER_INLINE MOZ_HAVE_NEVER_INLINE
91 #else
93 #endif
95 /*
96 * MOZ_NORETURN, specified at the start of a function declaration, indicates
97 * that the given function does not return. (The function definition does not
98 * need to be annotated.)
99 *
100 * MOZ_NORETURN void abort(const char* msg);
101 *
102 * This modifier permits the compiler to optimize code assuming a call to such a
103 * function will never return. It also enables the compiler to avoid spurious
104 * warnings about not initializing variables, or about any other seemingly-dodgy
105 * operations performed after the function returns.
106 *
107 * There are two variants. The GCC version of NORETURN may be applied to a
108 * function pointer, while for MSVC it may not.
109 *
110 * This modifier does not affect the corresponding function's linking behavior.
111 */
112 #if defined(MOZ_HAVE_NORETURN)
113 # define MOZ_NORETURN MOZ_HAVE_NORETURN
114 #else
116 #endif
117 #if defined(MOZ_HAVE_NORETURN_PTR)
118 # define MOZ_NORETURN_PTR MOZ_HAVE_NORETURN_PTR
119 #else
121 #endif
123 /**
124 * MOZ_COLD tells the compiler that a function is "cold", meaning infrequently
125 * executed. This may lead it to optimize for size more aggressively than speed,
126 * or to allocate the body of the function in a distant part of the text segment
127 * to help keep it from taking up unnecessary icache when it isn't in use.
128 *
129 * Place this attribute at the very beginning of a function definition. For
130 * example, write
131 *
132 * MOZ_COLD int foo();
133 *
134 * or
135 *
136 * MOZ_COLD int foo() { return 42; }
137 */
138 #if defined(__GNUC__) || defined(__clang__)
139 # define MOZ_COLD __attribute__((cold))
140 #else
141 # define MOZ_COLD
142 #endif
144 /**
145 * MOZ_NONNULL tells the compiler that some of the arguments to a function are
146 * known to be non-null. The arguments are a list of 1-based argument indexes
147 * identifying arguments which are known to be non-null.
148 *
149 * Place this attribute at the very beginning of a function definition. For
150 * example, write
151 *
152 * MOZ_NONNULL(1, 2) int foo(char *p, char *q);
153 */
154 #if defined(__GNUC__) || defined(__clang__)
155 # define MOZ_NONNULL(...) __attribute__((nonnull(__VA_ARGS__)))
156 #else
157 # define MOZ_NONNULL(...)
158 #endif
160 /**
161 * MOZ_NONNULL_RETURN tells the compiler that the function's return value is
162 * guaranteed to be a non-null pointer, which may enable the compiler to
163 * optimize better at call sites.
164 *
165 * Place this attribute at the end of a function declaration. For example,
166 *
167 * char* foo(char *p, char *q) MOZ_NONNULL_RETURN;
168 */
169 #if defined(__GNUC__) || defined(__clang__)
170 # define MOZ_NONNULL_RETURN __attribute__((returns_nonnull))
171 #else
172 # define MOZ_NONNULL_RETURN
173 #endif
175 /*
176 * MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS, specified at the end of a function
177 * declaration, indicates that for the purposes of static analysis, this
178 * function does not return. (The function definition does not need to be
179 * annotated.)
180 *
181 * MOZ_ReportCrash(const char* s, const char* file, int ln)
182 * MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS
183 *
184 * Some static analyzers, like scan-build from clang, can use this information
185 * to eliminate false positives. From the upstream documentation of scan-build:
186 * "This attribute is useful for annotating assertion handlers that actually
187 * can return, but for the purpose of using the analyzer we want to pretend
188 * that such functions do not return."
189 *
190 */
191 #if defined(MOZ_HAVE_ANALYZER_NORETURN)
192 # define MOZ_PRETEND_NORETURN_FOR_STATIC_ANALYSIS MOZ_HAVE_ANALYZER_NORETURN
193 #else
195 #endif
197 /*
198 * MOZ_ASAN_BLACKLIST is a macro to tell AddressSanitizer (a compile-time
199 * instrumentation shipped with Clang and GCC) to not instrument the annotated
200 * function. Furthermore, it will prevent the compiler from inlining the
201 * function because inlining currently breaks the blacklisting mechanism of
202 * AddressSanitizer.
203 */
204 #if defined(__has_feature)
205 # if __has_feature(address_sanitizer)
206 # define MOZ_HAVE_ASAN_BLACKLIST
207 # endif
208 #elif defined(__GNUC__)
209 # if defined(__SANITIZE_ADDRESS__)
210 # define MOZ_HAVE_ASAN_BLACKLIST
211 # endif
212 #endif
214 #if defined(MOZ_HAVE_ASAN_BLACKLIST)
215 # define MOZ_ASAN_BLACKLIST \
216 MOZ_NEVER_INLINE __attribute__((no_sanitize_address))
217 #else
219 #endif
221 /*
222 * MOZ_TSAN_BLACKLIST is a macro to tell ThreadSanitizer (a compile-time
223 * instrumentation shipped with Clang) to not instrument the annotated function.
224 * Furthermore, it will prevent the compiler from inlining the function because
225 * inlining currently breaks the blacklisting mechanism of ThreadSanitizer.
226 */
227 #if defined(__has_feature)
228 # if __has_feature(thread_sanitizer)
229 # define MOZ_TSAN_BLACKLIST \
230 MOZ_NEVER_INLINE __attribute__((no_sanitize_thread))
231 # else
233 # endif
234 #else
236 #endif
238 #if defined(__has_attribute)
239 # if __has_attribute(no_sanitize)
240 # define MOZ_HAVE_NO_SANITIZE_ATTR
241 # endif
242 #endif
244 #ifdef __clang__
245 # ifdef MOZ_HAVE_NO_SANITIZE_ATTR
246 # define MOZ_HAVE_UNSIGNED_OVERFLOW_SANITIZE_ATTR
247 # define MOZ_HAVE_SIGNED_OVERFLOW_SANITIZE_ATTR
248 # endif
249 #endif
251 /*
252 * MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW disables *un*signed integer overflow
253 * checking on the function it annotates, in builds configured to perform it.
254 * (Currently this is only Clang using -fsanitize=unsigned-integer-overflow, or
255 * via --enable-unsigned-overflow-sanitizer in Mozilla's build system.) It has
256 * no effect in other builds.
257 *
258 * Place this attribute at the very beginning of a function declaration.
259 *
260 * Unsigned integer overflow isn't *necessarily* a bug. It's well-defined in
261 * C/C++, and code may reasonably depend upon it. For example,
262 *
263 * MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW inline bool
264 * IsDecimal(char aChar)
265 * {
266 * // For chars less than '0', unsigned integer underflow occurs, to a value
267 * // much greater than 10, so the overall test is false.
268 * // For chars greater than '0', no overflow occurs, and only '0' to '9'
269 * // pass the overall test.
270 * return static_cast<unsigned int>(aChar) - '0' < 10;
271 * }
272 *
273 * But even well-defined unsigned overflow often causes bugs when it occurs, so
274 * it should be restricted to functions annotated with this attribute.
275 *
276 * The compiler instrumentation to detect unsigned integer overflow has costs
277 * both at compile time and at runtime. Functions that are repeatedly inlined
278 * at compile time will also implicitly inline the necessary instrumentation,
279 * increasing compile time. Similarly, frequently-executed functions that
280 * require large amounts of instrumentation will also notice significant runtime
281 * slowdown to execute that instrumentation. Use this attribute to eliminate
282 * those costs -- but only after carefully verifying that no overflow can occur.
283 */
284 #ifdef MOZ_HAVE_UNSIGNED_OVERFLOW_SANITIZE_ATTR
285 # define MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW \
287 #else
289 #endif
291 /*
292 * MOZ_NO_SANITIZE_SIGNED_OVERFLOW disables *signed* integer overflow checking
293 * on the function it annotates, in builds configured to perform it. (Currently
294 * this is only Clang using -fsanitize=signed-integer-overflow, or via
295 * --enable-signed-overflow-sanitizer in Mozilla's build system. GCC support
296 * will probably be added in the future.) It has no effect in other builds.
297 *
298 * Place this attribute at the very beginning of a function declaration.
299 *
300 * Signed integer overflow is undefined behavior in C/C++: *anything* can happen
301 * when it occurs. *Maybe* wraparound behavior will occur, but maybe also the
302 * compiler will assume no overflow happens and will adversely optimize the rest
303 * of your code. Code that contains signed integer overflow needs to be fixed.
304 *
305 * The compiler instrumentation to detect signed integer overflow has costs both
306 * at compile time and at runtime. Functions that are repeatedly inlined at
307 * compile time will also implicitly inline the necessary instrumentation,
308 * increasing compile time. Similarly, frequently-executed functions that
309 * require large amounts of instrumentation will also notice significant runtime
310 * slowdown to execute that instrumentation. Use this attribute to eliminate
311 * those costs -- but only after carefully verifying that no overflow can occur.
312 */
313 #ifdef MOZ_HAVE_SIGNED_OVERFLOW_SANITIZE_ATTR
314 # define MOZ_NO_SANITIZE_SIGNED_OVERFLOW \
316 #else
318 #endif
320 #undef MOZ_HAVE_NO_SANITIZE_ATTR
322 /**
323 * MOZ_ALLOCATOR tells the compiler that the function it marks returns either a
324 * "fresh", "pointer-free" block of memory, or nullptr. "Fresh" means that the
325 * block is not pointed to by any other reachable pointer in the program.
326 * "Pointer-free" means that the block contains no pointers to any valid object
327 * in the program. It may be initialized with other (non-pointer) values.
328 *
329 * Placing this attribute on appropriate functions helps GCC analyze pointer
330 * aliasing more accurately in their callers.
331 *
332 * GCC warns if a caller ignores the value returned by a function marked with
333 * MOZ_ALLOCATOR: it is hard to imagine cases where dropping the value returned
334 * by a function that meets the criteria above would be intentional.
335 *
336 * Place this attribute after the argument list and 'this' qualifiers of a
337 * function definition. For example, write
338 *
339 * void *my_allocator(size_t) MOZ_ALLOCATOR;
340 *
341 * or
342 *
343 * void *my_allocator(size_t bytes) MOZ_ALLOCATOR { ... }
344 */
345 #if defined(__GNUC__) || defined(__clang__)
346 # define MOZ_ALLOCATOR __attribute__((malloc, warn_unused_result))
347 #else
348 # define MOZ_ALLOCATOR
349 #endif
351 /**
352 * MOZ_MUST_USE tells the compiler to emit a warning if a function's
353 * return value is not used by the caller.
354 *
355 * Place this attribute at the very beginning of a function declaration. For
356 * example, write
357 *
358 * MOZ_MUST_USE int foo();
359 * or
360 * MOZ_MUST_USE int foo() { return 42; }
361 *
362 * MOZ_MUST_USE is most appropriate for functions where the return value is
363 * some kind of success/failure indicator -- often |nsresult|, |bool| or |int|
364 * -- because these functions are most commonly the ones that have missing
365 * checks. There are three cases of note.
366 *
367 * - Fallible functions whose return values should always be checked. For
368 * example, a function that opens a file should always be checked because any
369 * subsequent operations on the file will fail if opening it fails. Such
370 * functions should be given a MOZ_MUST_USE annotation.
371 *
372 * - Fallible functions whose return value need not always be checked. For
373 * example, a function that closes a file might not be checked because it's
374 * common that no further operations would be performed on the file. Such
375 * functions do not need a MOZ_MUST_USE annotation.
376 *
377 * - Infallible functions, i.e. ones that always return a value indicating
378 * success. These do not need a MOZ_MUST_USE annotation. Ideally, they would
379 * be converted to not return a success/failure indicator, though sometimes
380 * interface constraints prevent this.
381 */
382 #if defined(__GNUC__) || defined(__clang__)
383 # define MOZ_MUST_USE __attribute__((warn_unused_result))
384 #else
385 # define MOZ_MUST_USE
386 #endif
388 /**
389 * MOZ_MAYBE_UNUSED suppresses compiler warnings about functions that are
390 * never called (in this build configuration, at least).
391 *
392 * Place this attribute at the very beginning of a function declaration. For
393 * example, write
394 *
395 * MOZ_MAYBE_UNUSED int foo();
396 *
397 * or
398 *
399 * MOZ_MAYBE_UNUSED int foo() { return 42; }
400 */
401 #if defined(__GNUC__) || defined(__clang__)
402 # define MOZ_MAYBE_UNUSED __attribute__((__unused__))
403 #elif defined(_MSC_VER)
404 # define MOZ_MAYBE_UNUSED __pragma(warning(suppress : 4505))
405 #else
406 # define MOZ_MAYBE_UNUSED
407 #endif
409 #ifdef __cplusplus
411 /**
412 * MOZ_FALLTHROUGH is an annotation to suppress compiler warnings about switch
413 * cases that fall through without a break or return statement. MOZ_FALLTHROUGH
414 * is only needed on cases that have code.
415 *
416 * MOZ_FALLTHROUGH_ASSERT is an annotation to suppress compiler warnings about
417 * switch cases that MOZ_ASSERT(false) (or its alias MOZ_ASSERT_UNREACHABLE) in
418 * debug builds, but intentionally fall through in release builds. See comment
419 * in Assertions.h for more details.
420 *
421 * switch (foo) {
422 * case 1: // These cases have no code. No fallthrough annotations are needed.
423 * case 2:
424 * case 3: // This case has code, so a fallthrough annotation is needed!
425 * foo++;
426 * MOZ_FALLTHROUGH;
427 * case 4:
428 * return foo;
429 *
430 * default:
431 * // This case asserts in debug builds, falls through in release.
432 * MOZ_FALLTHROUGH_ASSERT("Unexpected foo value?!");
433 * case 5:
434 * return 5;
435 * }
436 */
437 # ifndef __has_cpp_attribute
438 # define __has_cpp_attribute(x) 0
439 # endif
441 # if __has_cpp_attribute(clang::fallthrough)
442 # define MOZ_FALLTHROUGH [[clang::fallthrough]]
443 # elif __has_cpp_attribute(gnu::fallthrough)
444 # define MOZ_FALLTHROUGH [[gnu::fallthrough]]
445 # elif defined(_MSC_VER)
446 /*
447 * MSVC's __fallthrough annotations are checked by /analyze (Code Analysis):
448 * https://msdn.microsoft.com/en-us/library/ms235402%28VS.80%29.aspx
449 */
450 # include <sal.h>
451 # define MOZ_FALLTHROUGH __fallthrough
452 # else
454 # endif
456 /**
457 * C++11 lets unions contain members that have non-trivial special member
458 * functions (default/copy/move constructor, copy/move assignment operator,
459 * destructor) if the user defines the corresponding functions on the union.
460 * (Such user-defined functions must rely on external knowledge about which arm
461 * is active to be safe. Be extra-careful defining these functions!)
462 *
463 * MSVC unfortunately warns/errors for this bog-standard C++11 pattern. Use
464 * these macro-guards around such member functions to disable the warnings:
465 *
466 * union U
467 * {
468 * std::string s;
469 * int x;
470 *
471 * MOZ_PUSH_DISABLE_NONTRIVIAL_UNION_WARNINGS
472 *
473 * // |U| must have a user-defined default constructor because |std::string|
474 * // has a non-trivial default constructor.
475 * U() ... { ... }
476 *
477 * // |U| must have a user-defined destructor because |std::string| has a
478 * // non-trivial destructor.
479 * ~U() { ... }
480 *
481 * MOZ_POP_DISABLE_NONTRIVIAL_UNION_WARNINGS
482 * };
483 */
484 # if defined(_MSC_VER)
485 # define MOZ_PUSH_DISABLE_NONTRIVIAL_UNION_WARNINGS \
486 __pragma(warning(push)) __pragma(warning(disable : 4582)) \
487 __pragma(warning(disable : 4583))
488 # define MOZ_POP_DISABLE_NONTRIVIAL_UNION_WARNINGS __pragma(warning(pop))
489 # else
492 # endif
494 /*
495 * The following macros are attributes that support the static analysis plugin
496 * included with Mozilla, and will be implemented (when such support is enabled)
497 * as C++11 attributes. Since such attributes are legal pretty much everywhere
498 * and have subtly different semantics depending on their placement, the
499 * following is a guide on where to place the attributes.
500 *
501 * Attributes that apply to a struct or class precede the name of the class:
502 * (Note that this is different from the placement of final for classes!)
503 *
504 * class MOZ_CLASS_ATTRIBUTE SomeClass {};
505 *
506 * Attributes that apply to functions follow the parentheses and const
507 * qualifiers but precede final, override and the function body:
508 *
509 * void DeclaredFunction() MOZ_FUNCTION_ATTRIBUTE;
510 * void SomeFunction() MOZ_FUNCTION_ATTRIBUTE {}
511 * void PureFunction() const MOZ_FUNCTION_ATTRIBUTE = 0;
512 * void OverriddenFunction() MOZ_FUNCTION_ATTIRBUTE override;
513 *
514 * Attributes that apply to variables or parameters follow the variable's name:
515 *
516 * int variable MOZ_VARIABLE_ATTRIBUTE;
517 *
518 * Attributes that apply to types follow the type name:
519 *
520 * typedef int MOZ_TYPE_ATTRIBUTE MagicInt;
521 * int MOZ_TYPE_ATTRIBUTE someVariable;
522 * int* MOZ_TYPE_ATTRIBUTE magicPtrInt;
523 * int MOZ_TYPE_ATTRIBUTE* ptrToMagicInt;
524 *
525 * Attributes that apply to statements precede the statement:
526 *
527 * MOZ_IF_ATTRIBUTE if (x == 0)
528 * MOZ_DO_ATTRIBUTE do { } while (0);
529 *
530 * Attributes that apply to labels precede the label:
531 *
532 * MOZ_LABEL_ATTRIBUTE target:
533 * goto target;
534 * MOZ_CASE_ATTRIBUTE case 5:
535 * MOZ_DEFAULT_ATTRIBUTE default:
536 *
537 * The static analyses that are performed by the plugin are as follows:
538 *
539 * MOZ_CAN_RUN_SCRIPT: Applies to functions which can run script. Callers of
540 * this function must also be marked as MOZ_CAN_RUN_SCRIPT, and all refcounted
541 * arguments must be strongly held in the caller. Note that MOZ_CAN_RUN_SCRIPT
542 * should only be applied to function declarations, not definitions. If you
543 * need to apply it to a definition (eg because both are generated by a macro)
544 * use MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION.
545 *
546 * MOZ_CAN_RUN_SCRIPT can be applied to XPIDL-generated declarations by
547 * annotating the method or attribute as [can_run_script] in the .idl file.
548 *
549 * MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION: Same as MOZ_CAN_RUN_SCRIPT, but usable on
550 * a definition. If the declaration is in a header file, users of that header
551 * file may not see the annotation.
552 * MOZ_CAN_RUN_SCRIPT_BOUNDARY: Applies to functions which need to call
553 * MOZ_CAN_RUN_SCRIPT functions, but should not themselves be considered
554 * MOZ_CAN_RUN_SCRIPT. This is important for some bindings and low level code
555 * which need to opt out of the safety checks performed by MOZ_CAN_RUN_SCRIPT.
556 * MOZ_MUST_OVERRIDE: Applies to all C++ member functions. All immediate
557 * subclasses must provide an exact override of this method; if a subclass
558 * does not override this method, the compiler will emit an error. This
559 * attribute is not limited to virtual methods, so if it is applied to a
560 * nonvirtual method and the subclass does not provide an equivalent
561 * definition, the compiler will emit an error.
562 * MOZ_STATIC_CLASS: Applies to all classes. Any class with this annotation is
563 * expected to live in static memory, so it is a compile-time error to use
564 * it, or an array of such objects, as the type of a variable declaration, or
565 * as a temporary object, or as the type of a new expression (unless
566 * placement new is being used). If a member of another class uses this
567 * class, or if another class inherits from this class, then it is considered
568 * to be a static class as well, although this attribute need not be provided
569 * in such cases.
570 * MOZ_STACK_CLASS: Applies to all classes. Any class with this annotation is
571 * expected to live on the stack, so it is a compile-time error to use it, or
572 * an array of such objects, as a global or static variable, or as the type of
573 * a new expression (unless placement new is being used). If a member of
574 * another class uses this class, or if another class inherits from this
575 * class, then it is considered to be a stack class as well, although this
576 * attribute need not be provided in such cases.
577 * MOZ_NONHEAP_CLASS: Applies to all classes. Any class with this annotation is
578 * expected to live on the stack or in static storage, so it is a compile-time
579 * error to use it, or an array of such objects, as the type of a new
580 * expression. If a member of another class uses this class, or if another
581 * class inherits from this class, then it is considered to be a non-heap
582 * class as well, although this attribute need not be provided in such cases.
583 * MOZ_HEAP_CLASS: Applies to all classes. Any class with this annotation is
584 * expected to live on the heap, so it is a compile-time error to use it, or
585 * an array of such objects, as the type of a variable declaration, or as a
586 * temporary object. If a member of another class uses this class, or if
587 * another class inherits from this class, then it is considered to be a heap
588 * class as well, although this attribute need not be provided in such cases.
589 * MOZ_NON_TEMPORARY_CLASS: Applies to all classes. Any class with this
590 * annotation is expected not to live in a temporary. If a member of another
591 * class uses this class or if another class inherits from this class, then it
592 * is considered to be a non-temporary class as well, although this attribute
593 * need not be provided in such cases.
594 * MOZ_TEMPORARY_CLASS: Applies to all classes. Any class with this annotation
595 * is expected to only live in a temporary. If another class inherits from
596 * this class, then it is considered to be a non-temporary class as well,
597 * although this attribute need not be provided in such cases.
598 * MOZ_RAII: Applies to all classes. Any class with this annotation is assumed
599 * to be a RAII guard, which is expected to live on the stack in an automatic
600 * allocation. It is prohibited from being allocated in a temporary, static
601 * storage, or on the heap. This is a combination of MOZ_STACK_CLASS and
602 * MOZ_NON_TEMPORARY_CLASS.
603 * MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS: Applies to all classes that are
604 * intended to prevent introducing static initializers. This attribute
605 * currently makes it a compile-time error to instantiate these classes
606 * anywhere other than at the global scope, or as a static member of a class.
607 * In non-debug mode, it also prohibits non-trivial constructors and
608 * destructors.
609 * MOZ_TRIVIAL_CTOR_DTOR: Applies to all classes that must have both a trivial
610 * or constexpr constructor and a trivial destructor. Setting this attribute
611 * on a class makes it a compile-time error for that class to get a
612 * non-trivial constructor or destructor for any reason.
613 * MOZ_ALLOW_TEMPORARY: Applies to constructors. This indicates that using the
614 * constructor is allowed in temporary expressions, if it would have otherwise
615 * been forbidden by the type being a MOZ_NON_TEMPORARY_CLASS. Useful for
616 * constructors like Maybe(Nothing).
617 * MOZ_HEAP_ALLOCATOR: Applies to any function. This indicates that the return
618 * value is allocated on the heap, and will as a result check such allocations
619 * during MOZ_STACK_CLASS and MOZ_NONHEAP_CLASS annotation checking.
620 * MOZ_IMPLICIT: Applies to constructors. Implicit conversion constructors
621 * are disallowed by default unless they are marked as MOZ_IMPLICIT. This
622 * attribute must be used for constructors which intend to provide implicit
623 * conversions.
624 * MOZ_IS_REFPTR: Applies to class declarations of ref pointer to mark them as
625 * such for use with static-analysis.
626 * A ref pointer is an object wrapping a pointer and automatically taking care
627 * of its refcounting upon construction/destruction/transfer of ownership.
628 * This annotation implies MOZ_IS_SMARTPTR_TO_REFCOUNTED.
629 * MOZ_IS_SMARTPTR_TO_REFCOUNTED: Applies to class declarations of smart
630 * pointers to ref counted classes to mark them as such for use with
631 * static-analysis.
632 * MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT: Applies to functions. Makes it a compile
633 * time error to pass arithmetic expressions on variables to the function.
634 * MOZ_OWNING_REF: Applies to declarations of pointers to reference counted
635 * types. This attribute tells the compiler that the raw pointer is a strong
636 * reference, where ownership through methods such as AddRef and Release is
637 * managed manually. This can make the compiler ignore these pointers when
638 * validating the usage of pointers otherwise.
639 *
640 * Example uses include owned pointers inside of unions, and pointers stored
641 * in POD types where a using a smart pointer class would make the object
642 * non-POD.
643 * MOZ_NON_OWNING_REF: Applies to declarations of pointers to reference counted
644 * types. This attribute tells the compiler that the raw pointer is a weak
645 * reference, which is ensured to be valid by a guarantee that the reference
646 * will be nulled before the pointer becomes invalid. This can make the
647 * compiler ignore these pointers when validating the usage of pointers
648 * otherwise.
649 *
650 * Examples include an mOwner pointer, which is nulled by the owning class's
651 * destructor, and is null-checked before dereferencing.
652 * MOZ_UNSAFE_REF: Applies to declarations of pointers to reference counted
653 * types. Occasionally there are non-owning references which are valid, but
654 * do not take the form of a MOZ_NON_OWNING_REF. Their safety may be
655 * dependent on the behaviour of API consumers. The string argument passed
656 * to this macro documents the safety conditions. This can make the compiler
657 * ignore these pointers when validating the usage of pointers elsewhere.
658 *
659 * Examples include an nsAtom* member which is known at compile time to point
660 * to a static atom which is valid throughout the lifetime of the program, or
661 * an API which stores a pointer, but doesn't take ownership over it, instead
662 * requiring the API consumer to correctly null the value before it becomes
663 * invalid.
664 *
665 * Use of this annotation is discouraged when a strong reference or one of
666 * the above two annotations can be used instead.
667 * MOZ_NO_ADDREF_RELEASE_ON_RETURN: Applies to function declarations. Makes it
668 * a compile time error to call AddRef or Release on the return value of a
669 * function. This is intended to be used with operator->() of our smart
670 * pointer classes to ensure that the refcount of an object wrapped in a
671 * smart pointer is not manipulated directly.
672 * MOZ_MUST_USE_TYPE: Applies to type declarations. Makes it a compile time
673 * error to not use the return value of a function which has this type. This
674 * is intended to be used with types which it is an error to not use.
675 * MOZ_NEEDS_NO_VTABLE_TYPE: Applies to template class declarations. Makes it
676 * a compile time error to instantiate this template with a type parameter
677 * which has a VTable.
678 * MOZ_NON_MEMMOVABLE: Applies to class declarations for types that are not safe
679 * to be moved in memory using memmove().
680 * MOZ_NEEDS_MEMMOVABLE_TYPE: Applies to template class declarations where the
681 * template arguments are required to be safe to move in memory using
682 * memmove(). Passing MOZ_NON_MEMMOVABLE types to these templates is a
683 * compile time error.
684 * MOZ_NEEDS_MEMMOVABLE_MEMBERS: Applies to class declarations where each member
685 * must be safe to move in memory using memmove(). MOZ_NON_MEMMOVABLE types
686 * used in members of these classes are compile time errors.
687 * MOZ_NO_DANGLING_ON_TEMPORARIES: Applies to method declarations which return
688 * a pointer that is freed when the destructor of the class is called. This
689 * prevents these methods from being called on temporaries of the class,
690 * reducing risks of use-after-free.
691 * This attribute cannot be applied to && methods.
692 * In some cases, adding a deleted &&-qualified overload is too restrictive as
693 * this method should still be callable as a non-escaping argument to another
694 * function. This annotation can be used in those cases.
695 * MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS: Applies to template class
696 * declarations where an instance of the template should be considered, for
697 * static analysis purposes, to inherit any type annotations (such as
698 * MOZ_MUST_USE_TYPE and MOZ_STACK_CLASS) from its template arguments.
699 * MOZ_INIT_OUTSIDE_CTOR: Applies to class member declarations. Occasionally
700 * there are class members that are not initialized in the constructor,
701 * but logic elsewhere in the class ensures they are initialized prior to use.
702 * Using this attribute on a member disables the check that this member must
703 * be initialized in constructors via list-initialization, in the constructor
704 * body, or via functions called from the constructor body.
705 * MOZ_IS_CLASS_INIT: Applies to class method declarations. Occasionally the
706 * constructor doesn't initialize all of the member variables and another
707 * function is used to initialize the rest. This marker is used to make the
708 * static analysis tool aware that the marked function is part of the
709 * initialization process and to include the marked function in the scan
710 * mechanism that determines which member variables still remain
711 * uninitialized.
712 * MOZ_NON_PARAM: Applies to types. Makes it compile time error to use the type
713 * in parameter without pointer or reference.
714 * MOZ_NON_AUTOABLE: Applies to class declarations. Makes it a compile time
715 * error to use `auto` in place of this type in variable declarations. This
716 * is intended to be used with types which are intended to be implicitly
717 * constructed into other other types before being assigned to variables.
718 * MOZ_REQUIRED_BASE_METHOD: Applies to virtual class method declarations.
719 * Sometimes derived classes override methods that need to be called by their
720 * overridden counterparts. This marker indicates that the marked method must
721 * be called by the method that it overrides.
722 * MOZ_MUST_RETURN_FROM_CALLER: Applies to function or method declarations.
723 * Callers of the annotated function/method must return from that function
724 * within the calling block using an explicit `return` statement.
725 * Only calls to Constructors, references to local and member variables,
726 * and calls to functions or methods marked as MOZ_MAY_CALL_AFTER_MUST_RETURN
727 * may be made after the MUST_RETURN_FROM_CALLER call.
728 * MOZ_MAY_CALL_AFTER_MUST_RETURN: Applies to function or method declarations.
729 * Calls to these methods may be made in functions after calls a
730 * MOZ_MUST_RETURN_FROM_CALLER function or method.
731 */
733 // gcc emits a nuisance warning -Wignored-attributes because attributes do not
734 // affect mangled names, and therefore template arguments do not propagate
735 // their attributes. It is rare that this would affect anything in practice,
736 // and most compilers are silent about it. Similarly, -Wattributes complains
737 // about attributes being ignored during template instantiation.
738 //
739 // Be conservative and only suppress the warning when running in a
740 // configuration where it would be emitted, namely when compiling with the
741 // XGILL_PLUGIN for the rooting hazard analysis (which runs under gcc.) If we
742 // end up wanting these attributes in general GCC builds, change this to
743 // something like
744 //
745 // #if defined(__GNUC__) && ! defined(__clang__)
746 //
747 # ifdef XGILL_PLUGIN
750 # endif
752 # if defined(MOZ_CLANG_PLUGIN) || defined(XGILL_PLUGIN)
754 # define MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION \
756 # define MOZ_CAN_RUN_SCRIPT_BOUNDARY \
763 # define MOZ_NON_TEMPORARY_CLASS \
766 # define MOZ_TRIVIAL_CTOR_DTOR \
769 # ifdef DEBUG
770 /* in debug builds, these classes do have non-trivial constructors. */
771 # define MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS \
773 # else
774 # define MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS \
776 # endif
778 # define MOZ_IS_SMARTPTR_TO_REFCOUNTED \
780 # define MOZ_IS_REFPTR MOZ_IS_SMARTPTR_TO_REFCOUNTED
781 # define MOZ_NO_ARITHMETIC_EXPR_IN_ARGUMENT \
783 # define MOZ_OWNING_REF
784 # define MOZ_NON_OWNING_REF
785 # define MOZ_UNSAFE_REF(reason)
786 # define MOZ_NO_ADDREF_RELEASE_ON_RETURN \
789 # define MOZ_NEEDS_NO_VTABLE_TYPE \
792 # define MOZ_NEEDS_MEMMOVABLE_TYPE \
794 # define MOZ_NEEDS_MEMMOVABLE_MEMBERS \
796 # define MOZ_NO_DANGLING_ON_TEMPORARIES \
798 # define MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS \
799 __attribute__( \
802 # define MOZ_INIT_OUTSIDE_CTOR
803 # define MOZ_IS_CLASS_INIT
805 # define MOZ_REQUIRED_BASE_METHOD \
807 # define MOZ_MUST_RETURN_FROM_CALLER \
809 # define MOZ_MAY_CALL_AFTER_MUST_RETURN \
811 /*
812 * It turns out that clang doesn't like void func() __attribute__ {} without a
813 * warning, so use pragmas to disable the warning.
814 */
815 # ifdef __clang__
816 # define MOZ_HEAP_ALLOCATOR \
821 # else
823 # endif
824 # else
863 # define MOZ_RAII MOZ_NON_TEMPORARY_CLASS MOZ_STACK_CLASS
865 // gcc has different rules governing attribute placement. Since none of these
866 // attributes are actually used by the gcc-based static analysis, just
867 // eliminate them rather than updating all of the code.
869 # ifdef XGILL_PLUGIN
870 # undef MOZ_MUST_OVERRIDE
872 # undef MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION
874 # endif
878 /**
879 * Printf style formats. MOZ_FORMAT_PRINTF can be used to annotate a
880 * function or method that is "printf-like"; this will let (some)
881 * compilers check that the arguments match the template string.
882 *
883 * This macro takes two arguments. The first argument is the argument
884 * number of the template string. The second argument is the argument
885 * number of the '...' argument holding the arguments.
886 *
887 * Argument numbers start at 1. Note that the implicit "this"
888 * argument of a non-static member function counts as an argument.
889 *
890 * So, for a simple case like:
891 * void print_something (int whatever, const char *fmt, ...);
892 * The corresponding annotation would be
893 * MOZ_FORMAT_PRINTF(2, 3)
894 * However, if "print_something" were a non-static member function,
895 * then the annotation would be:
896 * MOZ_FORMAT_PRINTF(3, 4)
897 *
898 * The second argument should be 0 for vprintf-like functions; that
899 * is, those taking a va_list argument.
900 *
901 * Note that the checking is limited to standards-conforming
902 * printf-likes, and in particular this should not be used for
903 * PR_snprintf and friends, which are "printf-like" but which assign
904 * different meanings to the various formats.
905 *
906 * MinGW requires special handling due to different format specifiers
907 * on different platforms. The macro __MINGW_PRINTF_FORMAT maps to
908 * either gnu_printf or ms_printf depending on where we are compiling
909 * to avoid warnings on format specifiers that are legal.
910 */
911 #ifdef __MINGW32__
912 # define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck) \
913 __attribute__((format(__MINGW_PRINTF_FORMAT, stringIndex, firstToCheck)))
914 #elif __GNUC__
915 # define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck) \
916 __attribute__((format(printf, stringIndex, firstToCheck)))
917 #else
918 # define MOZ_FORMAT_PRINTF(stringIndex, firstToCheck)
919 #endif
921 /**
922 * To manually declare an XPCOM ABI-compatible virtual function, the following
923 * macros can be used to handle the non-standard ABI used on Windows for COM
924 * compatibility. E.g.:
925 *
926 * virtual ReturnType MOZ_XPCOM_ABI foo();
927 */
928 #if defined(XP_WIN)
929 # define MOZ_XPCOM_ABI __stdcall
930 #else
931 # define MOZ_XPCOM_ABI
932 #endif