cronet/base/compiler_specific.h

*6777b538SAndroid Build Coastguard Worker// Copyright 2012 The Chromium Authors
*6777b538SAndroid Build Coastguard Worker// Use of this source code is governed by a BSD-style license that can be
*6777b538SAndroid Build Coastguard Worker// found in the LICENSE file.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#ifndef BASE_COMPILER_SPECIFIC_H_
*6777b538SAndroid Build Coastguard Worker#define BASE_COMPILER_SPECIFIC_H_
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#include "build/build_config.h"
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_MSVC) && !defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#error "Only clang-cl is supported on Windows, see https://crbug.com/988071"
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// This is a wrapper around `__has_cpp_attribute`, which can be used to test for
*6777b538SAndroid Build Coastguard Worker// the presence of an attribute. In case the compiler does not support this
*6777b538SAndroid Build Coastguard Worker// macro it will simply evaluate to 0.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// References:
*6777b538SAndroid Build Coastguard Worker// https://wg21.link/sd6#testing-for-the-presence-of-an-attribute-__has_cpp_attribute
*6777b538SAndroid Build Coastguard Worker// https://wg21.link/cpp.cond#:__has_cpp_attribute
*6777b538SAndroid Build Coastguard Worker#if defined(__has_cpp_attribute)
*6777b538SAndroid Build Coastguard Worker#define HAS_CPP_ATTRIBUTE(x) __has_cpp_attribute(x)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define HAS_CPP_ATTRIBUTE(x) 0
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// A wrapper around `__has_attribute`, similar to HAS_CPP_ATTRIBUTE.
*6777b538SAndroid Build Coastguard Worker#if defined(__has_attribute)
*6777b538SAndroid Build Coastguard Worker#define HAS_ATTRIBUTE(x) __has_attribute(x)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define HAS_ATTRIBUTE(x) 0
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// A wrapper around `__has_builtin`, similar to HAS_CPP_ATTRIBUTE.
*6777b538SAndroid Build Coastguard Worker#if defined(__has_builtin)
*6777b538SAndroid Build Coastguard Worker#define HAS_BUILTIN(x) __has_builtin(x)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define HAS_BUILTIN(x) 0
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Annotate a function indicating it should not be inlined.
*6777b538SAndroid Build Coastguard Worker// Use like:
*6777b538SAndroid Build Coastguard Worker//   NOINLINE void DoStuff() { ... }
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(noinline)
*6777b538SAndroid Build Coastguard Worker#define NOINLINE [[clang::noinline]]
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_GCC) && HAS_ATTRIBUTE(noinline)
*6777b538SAndroid Build Coastguard Worker#define NOINLINE __attribute__((noinline))
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_MSVC)
*6777b538SAndroid Build Coastguard Worker#define NOINLINE __declspec(noinline)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define NOINLINE
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Annotate a function indicating it should not be optimized.
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(optnone)
*6777b538SAndroid Build Coastguard Worker#define NOOPT [[clang::optnone]]
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_GCC) && HAS_ATTRIBUTE(optimize)
*6777b538SAndroid Build Coastguard Worker#define NOOPT __attribute__((optimize(0)))
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define NOOPT
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && defined(NDEBUG) && HAS_ATTRIBUTE(always_inline)
*6777b538SAndroid Build Coastguard Worker#define ALWAYS_INLINE [[clang::always_inline]] inline
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_GCC) && defined(NDEBUG) && HAS_ATTRIBUTE(always_inline)
*6777b538SAndroid Build Coastguard Worker#define ALWAYS_INLINE inline __attribute__((__always_inline__))
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_MSVC) && defined(NDEBUG)
*6777b538SAndroid Build Coastguard Worker#define ALWAYS_INLINE __forceinline
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define ALWAYS_INLINE inline
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Annotate a function indicating it should never be tail called. Useful to make
*6777b538SAndroid Build Coastguard Worker// sure callers of the annotated function are never omitted from call-stacks.
*6777b538SAndroid Build Coastguard Worker// To provide the complementary behavior (prevent the annotated function from
*6777b538SAndroid Build Coastguard Worker// being omitted) look at NOINLINE. Also note that this doesn't prevent code
*6777b538SAndroid Build Coastguard Worker// folding of multiple identical caller functions into a single signature. To
*6777b538SAndroid Build Coastguard Worker// prevent code folding, see NO_CODE_FOLDING() in base/debug/alias.h.
*6777b538SAndroid Build Coastguard Worker// Use like:
*6777b538SAndroid Build Coastguard Worker//   NOT_TAIL_CALLED void FooBar();
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(not_tail_called)
*6777b538SAndroid Build Coastguard Worker#define NOT_TAIL_CALLED [[clang::not_tail_called]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define NOT_TAIL_CALLED
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Specify memory alignment for structs, classes, etc.
*6777b538SAndroid Build Coastguard Worker// Use like:
*6777b538SAndroid Build Coastguard Worker//   class ALIGNAS(16) MyClass { ... }
*6777b538SAndroid Build Coastguard Worker//   ALIGNAS(16) int array[4];
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// In most places you can use the C++11 keyword "alignas", which is preferred.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Historically, compilers had trouble mixing __attribute__((...)) syntax with
*6777b538SAndroid Build Coastguard Worker// alignas(...) syntax. However, at least Clang is very accepting nowadays. It
*6777b538SAndroid Build Coastguard Worker// may be that this macro can be removed entirely.
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define ALIGNAS(byte_alignment) alignas(byte_alignment)
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_MSVC)
*6777b538SAndroid Build Coastguard Worker#define ALIGNAS(byte_alignment) __declspec(align(byte_alignment))
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_GCC) && HAS_ATTRIBUTE(aligned)
*6777b538SAndroid Build Coastguard Worker#define ALIGNAS(byte_alignment) __attribute__((aligned(byte_alignment)))
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// In case the compiler supports it NO_UNIQUE_ADDRESS evaluates to the C++20
*6777b538SAndroid Build Coastguard Worker// attribute [[no_unique_address]]. This allows annotating data members so that
*6777b538SAndroid Build Coastguard Worker// they need not have an address distinct from all other non-static data members
*6777b538SAndroid Build Coastguard Worker// of its class.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// References:
*6777b538SAndroid Build Coastguard Worker// * https://en.cppreference.com/w/cpp/language/attributes/no_unique_address
*6777b538SAndroid Build Coastguard Worker// * https://wg21.link/dcl.attr.nouniqueaddr
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_MSVC) && HAS_CPP_ATTRIBUTE(msvc::no_unique_address)
*6777b538SAndroid Build Coastguard Worker// Unfortunately MSVC ignores [[no_unique_address]] (see
*6777b538SAndroid Build Coastguard Worker// https://devblogs.microsoft.com/cppblog/msvc-cpp20-and-the-std-cpp20-switch/#msvc-extensions-and-abi),
*6777b538SAndroid Build Coastguard Worker// and clang-cl matches it for ABI compatibility reasons. We need to prefer
*6777b538SAndroid Build Coastguard Worker// [[msvc::no_unique_address]] when available if we actually want any effect.
*6777b538SAndroid Build Coastguard Worker#define NO_UNIQUE_ADDRESS [[msvc::no_unique_address]]
*6777b538SAndroid Build Coastguard Worker#elif HAS_CPP_ATTRIBUTE(no_unique_address)
*6777b538SAndroid Build Coastguard Worker#define NO_UNIQUE_ADDRESS [[no_unique_address]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define NO_UNIQUE_ADDRESS
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Tells the compiler a function is using a printf-style format string.
*6777b538SAndroid Build Coastguard Worker// |format_param| is the one-based index of the format string parameter;
*6777b538SAndroid Build Coastguard Worker// |dots_param| is the one-based index of the "..." parameter.
*6777b538SAndroid Build Coastguard Worker// For v*printf functions (which take a va_list), pass 0 for dots_param.
*6777b538SAndroid Build Coastguard Worker// (This is undocumented but matches what the system C headers do.)
*6777b538SAndroid Build Coastguard Worker// For member functions, the implicit this parameter counts as index 1.
*6777b538SAndroid Build Coastguard Worker#if (defined(COMPILER_GCC) || defined(__clang__)) && HAS_ATTRIBUTE(format)
*6777b538SAndroid Build Coastguard Worker#define PRINTF_FORMAT(format_param, dots_param) \
*6777b538SAndroid Build Coastguard Worker  __attribute__((format(printf, format_param, dots_param)))
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define PRINTF_FORMAT(format_param, dots_param)
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// WPRINTF_FORMAT is the same, but for wide format strings.
*6777b538SAndroid Build Coastguard Worker// This doesn't appear to yet be implemented in any compiler.
*6777b538SAndroid Build Coastguard Worker// See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38308 .
*6777b538SAndroid Build Coastguard Worker#define WPRINTF_FORMAT(format_param, dots_param)
*6777b538SAndroid Build Coastguard Worker// If available, it would look like:
*6777b538SAndroid Build Coastguard Worker//   __attribute__((format(wprintf, format_param, dots_param)))
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Sanitizers annotations.
*6777b538SAndroid Build Coastguard Worker#if HAS_ATTRIBUTE(no_sanitize)
*6777b538SAndroid Build Coastguard Worker#define NO_SANITIZE(what) __attribute__((no_sanitize(what)))
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#if !defined(NO_SANITIZE)
*6777b538SAndroid Build Coastguard Worker#define NO_SANITIZE(what)
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// MemorySanitizer annotations.
*6777b538SAndroid Build Coastguard Worker#if defined(MEMORY_SANITIZER) && !BUILDFLAG(IS_NACL)
*6777b538SAndroid Build Coastguard Worker#include <sanitizer/msan_interface.h>
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Mark a memory region fully initialized.
*6777b538SAndroid Build Coastguard Worker// Use this to annotate code that deliberately reads uninitialized data, for
*6777b538SAndroid Build Coastguard Worker// example a GC scavenging root set pointers from the stack.
*6777b538SAndroid Build Coastguard Worker#define MSAN_UNPOISON(p, size) __msan_unpoison(p, size)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Check a memory region for initializedness, as if it was being used here.
*6777b538SAndroid Build Coastguard Worker// If any bits are uninitialized, crash with an MSan report.
*6777b538SAndroid Build Coastguard Worker// Use this to sanitize data which MSan won't be able to track, e.g. before
*6777b538SAndroid Build Coastguard Worker// passing data to another process via shared memory.
*6777b538SAndroid Build Coastguard Worker#define MSAN_CHECK_MEM_IS_INITIALIZED(p, size) \
*6777b538SAndroid Build Coastguard Worker  __msan_check_mem_is_initialized(p, size)
*6777b538SAndroid Build Coastguard Worker#else  // MEMORY_SANITIZER
*6777b538SAndroid Build Coastguard Worker#define MSAN_UNPOISON(p, size)
*6777b538SAndroid Build Coastguard Worker#define MSAN_CHECK_MEM_IS_INITIALIZED(p, size)
*6777b538SAndroid Build Coastguard Worker#endif  // MEMORY_SANITIZER
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// DISABLE_CFI_PERF -- Disable Control Flow Integrity for perf reasons.
*6777b538SAndroid Build Coastguard Worker#if !defined(DISABLE_CFI_PERF)
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && defined(OFFICIAL_BUILD)
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_PERF NO_SANITIZE("cfi")
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_PERF
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// DISABLE_CFI_ICALL -- Disable Control Flow Integrity indirect call checks.
*6777b538SAndroid Build Coastguard Worker// Security Note: if you just need to allow calling of dlsym functions use
*6777b538SAndroid Build Coastguard Worker// DISABLE_CFI_DLSYM.
*6777b538SAndroid Build Coastguard Worker#if !defined(DISABLE_CFI_ICALL)
*6777b538SAndroid Build Coastguard Worker#if BUILDFLAG(IS_WIN)
*6777b538SAndroid Build Coastguard Worker// Windows also needs __declspec(guard(nocf)).
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_ICALL NO_SANITIZE("cfi-icall") __declspec(guard(nocf))
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_ICALL NO_SANITIZE("cfi-icall")
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#if !defined(DISABLE_CFI_ICALL)
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_ICALL
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// DISABLE_CFI_DLSYM -- applies DISABLE_CFI_ICALL on platforms where dlsym
*6777b538SAndroid Build Coastguard Worker// functions must be called. Retains CFI checks on platforms where loaded
*6777b538SAndroid Build Coastguard Worker// modules participate in CFI (e.g. Windows).
*6777b538SAndroid Build Coastguard Worker#if !defined(DISABLE_CFI_DLSYM)
*6777b538SAndroid Build Coastguard Worker#if BUILDFLAG(IS_WIN)
*6777b538SAndroid Build Coastguard Worker// Windows modules register functions when loaded so can be checked by CFG.
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_DLSYM
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_DLSYM DISABLE_CFI_ICALL
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#if !defined(DISABLE_CFI_DLSYM)
*6777b538SAndroid Build Coastguard Worker#define DISABLE_CFI_DLSYM
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Macro useful for writing cross-platform function pointers.
*6777b538SAndroid Build Coastguard Worker#if !defined(CDECL)
*6777b538SAndroid Build Coastguard Worker#if BUILDFLAG(IS_WIN)
*6777b538SAndroid Build Coastguard Worker#define CDECL __cdecl
*6777b538SAndroid Build Coastguard Worker#else  // BUILDFLAG(IS_WIN)
*6777b538SAndroid Build Coastguard Worker#define CDECL
*6777b538SAndroid Build Coastguard Worker#endif  // BUILDFLAG(IS_WIN)
*6777b538SAndroid Build Coastguard Worker#endif  // !defined(CDECL)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Macro for hinting that an expression is likely to be false.
*6777b538SAndroid Build Coastguard Worker#if !defined(UNLIKELY)
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_GCC) || defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define UNLIKELY(x) __builtin_expect(!!(x), 0)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define UNLIKELY(x) (x)
*6777b538SAndroid Build Coastguard Worker#endif  // defined(COMPILER_GCC)
*6777b538SAndroid Build Coastguard Worker#endif  // !defined(UNLIKELY)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if !defined(LIKELY)
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_GCC) || defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define LIKELY(x) __builtin_expect(!!(x), 1)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define LIKELY(x) (x)
*6777b538SAndroid Build Coastguard Worker#endif  // defined(COMPILER_GCC)
*6777b538SAndroid Build Coastguard Worker#endif  // !defined(LIKELY)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Compiler feature-detection.
*6777b538SAndroid Build Coastguard Worker// clang.llvm.org/docs/LanguageExtensions.html#has-feature-and-has-extension
*6777b538SAndroid Build Coastguard Worker#if defined(__has_feature)
*6777b538SAndroid Build Coastguard Worker#define HAS_FEATURE(FEATURE) __has_feature(FEATURE)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define HAS_FEATURE(FEATURE) 0
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_GCC)
*6777b538SAndroid Build Coastguard Worker#define PRETTY_FUNCTION __PRETTY_FUNCTION__
*6777b538SAndroid Build Coastguard Worker#elif defined(COMPILER_MSVC)
*6777b538SAndroid Build Coastguard Worker#define PRETTY_FUNCTION __FUNCSIG__
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker// See https://en.cppreference.com/w/c/language/function_definition#func
*6777b538SAndroid Build Coastguard Worker#define PRETTY_FUNCTION __func__
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if !defined(CPU_ARM_NEON)
*6777b538SAndroid Build Coastguard Worker#if defined(__arm__)
*6777b538SAndroid Build Coastguard Worker#if !defined(__ARMEB__) && !defined(__ARM_EABI__) && !defined(__EABI__) && \
*6777b538SAndroid Build Coastguard Worker    !defined(__VFP_FP__) && !defined(_WIN32_WCE) && !defined(ANDROID)
*6777b538SAndroid Build Coastguard Worker#error Chromium does not support middle endian architecture
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#if defined(__ARM_NEON__)
*6777b538SAndroid Build Coastguard Worker#define CPU_ARM_NEON 1
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#endif  // defined(__arm__)
*6777b538SAndroid Build Coastguard Worker#endif  // !defined(CPU_ARM_NEON)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if !defined(HAVE_MIPS_MSA_INTRINSICS)
*6777b538SAndroid Build Coastguard Worker#if defined(__mips_msa) && defined(__mips_isa_rev) && (__mips_isa_rev >= 5)
*6777b538SAndroid Build Coastguard Worker#define HAVE_MIPS_MSA_INTRINSICS 1
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(uninitialized)
*6777b538SAndroid Build Coastguard Worker// Attribute "uninitialized" disables -ftrivial-auto-var-init=pattern for
*6777b538SAndroid Build Coastguard Worker// the specified variable.
*6777b538SAndroid Build Coastguard Worker// Library-wide alternative is
*6777b538SAndroid Build Coastguard Worker// 'configs -= [ "//build/config/compiler:default_init_stack_vars" ]' in .gn
*6777b538SAndroid Build Coastguard Worker// file.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// See "init_stack_vars" in build/config/compiler/BUILD.gn and
*6777b538SAndroid Build Coastguard Worker// http://crbug.com/977230
*6777b538SAndroid Build Coastguard Worker// "init_stack_vars" is enabled for non-official builds and we hope to enable it
*6777b538SAndroid Build Coastguard Worker// in official build in 2020 as well. The flag writes fixed pattern into
*6777b538SAndroid Build Coastguard Worker// uninitialized parts of all local variables. In rare cases such initialization
*6777b538SAndroid Build Coastguard Worker// is undesirable and attribute can be used:
*6777b538SAndroid Build Coastguard Worker//   1. Degraded performance
*6777b538SAndroid Build Coastguard Worker// In most cases compiler is able to remove additional stores. E.g. if memory is
*6777b538SAndroid Build Coastguard Worker// never accessed or properly initialized later. Preserved stores mostly will
*6777b538SAndroid Build Coastguard Worker// not affect program performance. However if compiler failed on some
*6777b538SAndroid Build Coastguard Worker// performance critical code we can get a visible regression in a benchmark.
*6777b538SAndroid Build Coastguard Worker//   2. memset, memcpy calls
*6777b538SAndroid Build Coastguard Worker// Compiler may replaces some memory writes with memset or memcpy calls. This is
*6777b538SAndroid Build Coastguard Worker// not -ftrivial-auto-var-init specific, but it can happen more likely with the
*6777b538SAndroid Build Coastguard Worker// flag. It can be a problem if code is not linked with C run-time library.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Note: The flag is security risk mitigation feature. So in future the
*6777b538SAndroid Build Coastguard Worker// attribute uses should be avoided when possible. However to enable this
*6777b538SAndroid Build Coastguard Worker// mitigation on the most of the code we need to be less strict now and minimize
*6777b538SAndroid Build Coastguard Worker// number of exceptions later. So if in doubt feel free to use attribute, but
*6777b538SAndroid Build Coastguard Worker// please document the problem for someone who is going to cleanup it later.
*6777b538SAndroid Build Coastguard Worker// E.g. platform, bot, benchmark or test name in patch description or next to
*6777b538SAndroid Build Coastguard Worker// the attribute.
*6777b538SAndroid Build Coastguard Worker#define STACK_UNINITIALIZED [[clang::uninitialized]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define STACK_UNINITIALIZED
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Attribute "no_stack_protector" disables -fstack-protector for the specified
*6777b538SAndroid Build Coastguard Worker// function.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// "stack_protector" is enabled on most POSIX builds. The flag adds a canary
*6777b538SAndroid Build Coastguard Worker// to each stack frame, which on function return is checked against a reference
*6777b538SAndroid Build Coastguard Worker// canary. If the canaries do not match, it's likely that a stack buffer
*6777b538SAndroid Build Coastguard Worker// overflow has occurred, so immediately crashing will prevent exploitation in
*6777b538SAndroid Build Coastguard Worker// many cases.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// In some cases it's desirable to remove this, e.g. on hot functions, or if
*6777b538SAndroid Build Coastguard Worker// we have purposely changed the reference canary.
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_GCC) || defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#if HAS_ATTRIBUTE(__no_stack_protector__)
*6777b538SAndroid Build Coastguard Worker#define NO_STACK_PROTECTOR __attribute__((__no_stack_protector__))
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define NO_STACK_PROTECTOR __attribute__((__optimize__("-fno-stack-protector")))
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define NO_STACK_PROTECTOR
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// The ANALYZER_ASSUME_TRUE(bool arg) macro adds compiler-specific hints
*6777b538SAndroid Build Coastguard Worker// to Clang which control what code paths are statically analyzed,
*6777b538SAndroid Build Coastguard Worker// and is meant to be used in conjunction with assert & assert-like functions.
*6777b538SAndroid Build Coastguard Worker// The expression is passed straight through if analysis isn't enabled.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// ANALYZER_SKIP_THIS_PATH() suppresses static analysis for the current
*6777b538SAndroid Build Coastguard Worker// codepath and any other branching codepaths that might follow.
*6777b538SAndroid Build Coastguard Worker#if defined(__clang_analyzer__)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workerinline constexpr bool AnalyzerNoReturn() __attribute__((analyzer_noreturn)) {
*6777b538SAndroid Build Coastguard Worker  return false;
*6777b538SAndroid Build Coastguard Worker}
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workerinline constexpr bool AnalyzerAssumeTrue(bool arg) {
*6777b538SAndroid Build Coastguard Worker  // AnalyzerNoReturn() is invoked and analysis is terminated if |arg| is
*6777b538SAndroid Build Coastguard Worker  // false.
*6777b538SAndroid Build Coastguard Worker  return arg || AnalyzerNoReturn();
*6777b538SAndroid Build Coastguard Worker}
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#define ANALYZER_ASSUME_TRUE(arg) ::AnalyzerAssumeTrue(!!(arg))
*6777b538SAndroid Build Coastguard Worker#define ANALYZER_SKIP_THIS_PATH() static_cast<void>(::AnalyzerNoReturn())
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#else  // !defined(__clang_analyzer__)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#define ANALYZER_ASSUME_TRUE(arg) (arg)
*6777b538SAndroid Build Coastguard Worker#define ANALYZER_SKIP_THIS_PATH()
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#endif  // defined(__clang_analyzer__)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Use nomerge attribute to disable optimization of merging multiple same calls.
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(nomerge)
*6777b538SAndroid Build Coastguard Worker#define NOMERGE [[clang::nomerge]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define NOMERGE
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Marks a type as being eligible for the "trivial" ABI despite having a
*6777b538SAndroid Build Coastguard Worker// non-trivial destructor or copy/move constructor. Such types can be relocated
*6777b538SAndroid Build Coastguard Worker// after construction by simply copying their memory, which makes them eligible
*6777b538SAndroid Build Coastguard Worker// to be passed in registers. The canonical example is std::unique_ptr.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Use with caution; this has some subtle effects on constructor/destructor
*6777b538SAndroid Build Coastguard Worker// ordering and will be very incorrect if the type relies on its address
*6777b538SAndroid Build Coastguard Worker// remaining constant. When used as a function argument (by value), the value
*6777b538SAndroid Build Coastguard Worker// may be constructed in the caller's stack frame, passed in a register, and
*6777b538SAndroid Build Coastguard Worker// then used and destructed in the callee's stack frame. A similar thing can
*6777b538SAndroid Build Coastguard Worker// occur when values are returned.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// TRIVIAL_ABI is not needed for types which have a trivial destructor and
*6777b538SAndroid Build Coastguard Worker// copy/move constructors, such as base::TimeTicks and other POD.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// It is also not likely to be effective on types too large to be passed in one
*6777b538SAndroid Build Coastguard Worker// or two registers on typical target ABIs.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// See also:
*6777b538SAndroid Build Coastguard Worker//   https://clang.llvm.org/docs/AttributeReference.html#trivial-abi
*6777b538SAndroid Build Coastguard Worker//   https://libcxx.llvm.org/docs/DesignDocs/UniquePtrTrivialAbi.html
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(trivial_abi)
*6777b538SAndroid Build Coastguard Worker#define TRIVIAL_ABI [[clang::trivial_abi]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define TRIVIAL_ABI
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Detect whether a type is trivially relocatable, ie. a move-and-destroy
*6777b538SAndroid Build Coastguard Worker// sequence can replaced with memmove(). This can be used to optimise the
*6777b538SAndroid Build Coastguard Worker// implementation of containers. This is automatically true for types that were
*6777b538SAndroid Build Coastguard Worker// defined with TRIVIAL_ABI such as scoped_refptr.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// See also:
*6777b538SAndroid Build Coastguard Worker//   https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p1144r8.html
*6777b538SAndroid Build Coastguard Worker//   https://clang.llvm.org/docs/LanguageExtensions.html#:~:text=__is_trivially_relocatable
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_BUILTIN(__is_trivially_relocatable)
*6777b538SAndroid Build Coastguard Worker#define IS_TRIVIALLY_RELOCATABLE(t) __is_trivially_relocatable(t)
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define IS_TRIVIALLY_RELOCATABLE(t) false
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Marks a member function as reinitializing a moved-from variable.
*6777b538SAndroid Build Coastguard Worker// See also
*6777b538SAndroid Build Coastguard Worker// https://clang.llvm.org/extra/clang-tidy/checks/bugprone/use-after-move.html#reinitialization
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(reinitializes)
*6777b538SAndroid Build Coastguard Worker#define REINITIALIZES_AFTER_MOVE [[clang::reinitializes]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define REINITIALIZES_AFTER_MOVE
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define GSL_OWNER [[gsl::Owner]]
*6777b538SAndroid Build Coastguard Worker#define GSL_POINTER [[gsl::Pointer]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define GSL_OWNER
*6777b538SAndroid Build Coastguard Worker#define GSL_POINTER
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Adds the "logically_const" tag to a symbol's mangled name. The "Mutable
*6777b538SAndroid Build Coastguard Worker// Constants" check [1] detects instances of constants that aren't in .rodata,
*6777b538SAndroid Build Coastguard Worker// e.g. due to a missing `const`. Using this tag suppresses the check for this
*6777b538SAndroid Build Coastguard Worker// symbol, allowing it to live outside .rodata without a warning.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// [1]:
*6777b538SAndroid Build Coastguard Worker// https://crsrc.org/c/docs/speed/binary_size/android_binary_size_trybot.md#Mutable-Constants
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_GCC) || defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define LOGICALLY_CONST [[gnu::abi_tag("logically_const")]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define LOGICALLY_CONST
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// preserve_most clang's calling convention. Reduces register pressure for the
*6777b538SAndroid Build Coastguard Worker// caller and as such can be used for cold calls. Support for the
*6777b538SAndroid Build Coastguard Worker// "preserve_most" attribute is limited:
*6777b538SAndroid Build Coastguard Worker// - 32-bit platforms do not implement it,
*6777b538SAndroid Build Coastguard Worker// - component builds fail because _dl_runtime_resolve() clobbers registers,
*6777b538SAndroid Build Coastguard Worker// - there are crashes on arm64 on Windows (https://crbug.com/v8/14065), which
*6777b538SAndroid Build Coastguard Worker//   can hopefully be fixed in the future.
*6777b538SAndroid Build Coastguard Worker// Additionally, the initial implementation in clang <= 16 overwrote the return
*6777b538SAndroid Build Coastguard Worker// register(s) in the epilogue of a preserve_most function, so we only use
*6777b538SAndroid Build Coastguard Worker// preserve_most in clang >= 17 (see https://reviews.llvm.org/D143425).
*6777b538SAndroid Build Coastguard Worker// Clang only supports preserve_most on X86-64 and AArch64 for now.
*6777b538SAndroid Build Coastguard Worker// See https://clang.llvm.org/docs/AttributeReference.html#preserve-most for
*6777b538SAndroid Build Coastguard Worker// more details.
*6777b538SAndroid Build Coastguard Worker#if (defined(ARCH_CPU_ARM64) || defined(ARCH_CPU_X86_64)) && \
*6777b538SAndroid Build Coastguard Worker    !(BUILDFLAG(IS_WIN) && defined(ARCH_CPU_ARM64)) &&       \
*6777b538SAndroid Build Coastguard Worker    !defined(COMPONENT_BUILD) && defined(__clang__) &&       \
*6777b538SAndroid Build Coastguard Worker    __clang_major__ >= 17 && HAS_ATTRIBUTE(preserve_most)
*6777b538SAndroid Build Coastguard Worker#define PRESERVE_MOST __attribute__((preserve_most))
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define PRESERVE_MOST
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Mark parameters or return types as having a lifetime attached to the class.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// When used to mark a method's pointer/reference parameter, the compiler is
*6777b538SAndroid Build Coastguard Worker// made aware that it will be stored internally in the class and the pointee
*6777b538SAndroid Build Coastguard Worker// must outlive the class. Typically used on constructor arguments. It should
*6777b538SAndroid Build Coastguard Worker// appear to the right of the parameter's variable name.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Example:
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker// struct S {
*6777b538SAndroid Build Coastguard Worker//    S(int* p LIFETIME_BOUND) : ptr_(p) {}
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker//    int* ptr_;
*6777b538SAndroid Build Coastguard Worker// };
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// When used on a method with a return value, the compiler is made aware that
*6777b538SAndroid Build Coastguard Worker// the returned type is/has a pointer to the internals of the class, and must
*6777b538SAndroid Build Coastguard Worker// not outlive the class object. It should appear after any method qualifiers.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Example:
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker// struct S {
*6777b538SAndroid Build Coastguard Worker//   int* GetPtr() const LIFETIME_BOUND { return i_; };
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker//   int i_;
*6777b538SAndroid Build Coastguard Worker// };
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// This allows the compiler to warn in (a limited set of) cases where the
*6777b538SAndroid Build Coastguard Worker// pointer would otherwise be left dangling, especially in cases where the
*6777b538SAndroid Build Coastguard Worker// pointee would be a destroyed temporary.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Docs: https://clang.llvm.org/docs/AttributeReference.html#lifetimebound
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define LIFETIME_BOUND [[clang::lifetimebound]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define LIFETIME_BOUND
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Mark a function as pure, meaning that it does not have side effects, meaning
*6777b538SAndroid Build Coastguard Worker// that it does not write anything external to the function's local variables
*6777b538SAndroid Build Coastguard Worker// and return value.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// WARNING: If this attribute is mis-used it will result in UB and
*6777b538SAndroid Build Coastguard Worker// miscompilation, as the optimizator may fold multiple calls into one and
*6777b538SAndroid Build Coastguard Worker// reorder them inappropriately. This shouldn't appear outside of key vocabulary
*6777b538SAndroid Build Coastguard Worker// types. It allows callers to work with the vocab type directly, and call its
*6777b538SAndroid Build Coastguard Worker// methods without having to worry about caching things into local variables in
*6777b538SAndroid Build Coastguard Worker// hot code.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// This attribute must not appear on functions that make use of function
*6777b538SAndroid Build Coastguard Worker// pointers, virtual methods, or methods of templates (including operators like
*6777b538SAndroid Build Coastguard Worker// comparison), as the "pure" function can not know what those functions do and
*6777b538SAndroid Build Coastguard Worker// can not guarantee there will never be sideeffects.
*6777b538SAndroid Build Coastguard Worker#if defined(COMPILER_GCC) || defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define PURE_FUNCTION [[gnu::pure]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define PURE_FUNCTION
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Functions should be marked with UNSAFE_BUFFER_USAGE when they lead to
*6777b538SAndroid Build Coastguard Worker// out-of-bounds bugs when called with incorrect inputs.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Ideally such functions should be paired with a safer version that works with
*6777b538SAndroid Build Coastguard Worker// safe primitives like `base::span`. Otherwise, another safer coding pattern
*6777b538SAndroid Build Coastguard Worker// should be documented along side the use of `UNSAFE_BUFFER_USAGE`.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// All functions marked with UNSAFE_BUFFER_USAGE should come with a safety
*6777b538SAndroid Build Coastguard Worker// comment that explains the requirements of the function to prevent an
*6777b538SAndroid Build Coastguard Worker// out-of-bounds bug. For example:
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker// // Function to do things between `input` and `end`.
*6777b538SAndroid Build Coastguard Worker// //
*6777b538SAndroid Build Coastguard Worker// // # Safety
*6777b538SAndroid Build Coastguard Worker// // The `input` must point to an array with size at least 5. The `end` must
*6777b538SAndroid Build Coastguard Worker// // point within the same allocation of `input` and not come before `input`.
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// The requirements described in the safety comment must be sufficient to
*6777b538SAndroid Build Coastguard Worker// guarantee that the function never goes out of bounds. Annotating a function
*6777b538SAndroid Build Coastguard Worker// in this way means that all callers will be required to wrap the call in an
*6777b538SAndroid Build Coastguard Worker// `UNSAFE_BUFFERS()` macro (see below), with a comment justifying how it meets
*6777b538SAndroid Build Coastguard Worker// the requirements.
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__) && HAS_ATTRIBUTE(unsafe_buffer_usage)
*6777b538SAndroid Build Coastguard Worker#define UNSAFE_BUFFER_USAGE [[clang::unsafe_buffer_usage]]
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define UNSAFE_BUFFER_USAGE
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// UNSAFE_BUFFERS() wraps code that violates the -Wunsafe-buffer-usage warning,
*6777b538SAndroid Build Coastguard Worker// such as:
*6777b538SAndroid Build Coastguard Worker// - pointer arithmetic,
*6777b538SAndroid Build Coastguard Worker// - pointer subscripting, and
*6777b538SAndroid Build Coastguard Worker// - calls to functions annotated with UNSAFE_BUFFER_USAGE.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// This indicates code whose bounds correctness cannot be ensured
*6777b538SAndroid Build Coastguard Worker// systematically, and thus requires manual review.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// ** USE OF THIS MACRO SHOULD BE VERY RARE.** This should only be used when
*6777b538SAndroid Build Coastguard Worker// strictly necessary. Prefer to use `base::span` instead of pointers, or other
*6777b538SAndroid Build Coastguard Worker// safer coding patterns (like std containers) that avoid the opportunity for
*6777b538SAndroid Build Coastguard Worker// out-of-bounds bugs to creep into the code. Any use of UNSAFE_BUFFERS() can
*6777b538SAndroid Build Coastguard Worker// lead to a critical security bug if any assumptions are wrong, or ever become
*6777b538SAndroid Build Coastguard Worker// wrong in the future.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// The macro should be used to wrap the minimum necessary code, to make it clear
*6777b538SAndroid Build Coastguard Worker// what is unsafe, and prevent accidentally opting extra things out of the
*6777b538SAndroid Build Coastguard Worker// warning.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// All usage of UNSAFE_BUFFERS() should come with a `// SAFETY: ...` comment
*6777b538SAndroid Build Coastguard Worker// that explains how we have guaranteed that the pointer usage can never go
*6777b538SAndroid Build Coastguard Worker// out-of-bounds, or that the requirements of the UNSAFE_BUFFER_USAGE function
*6777b538SAndroid Build Coastguard Worker// are met. The safety comment should allow a reader to check that all
*6777b538SAndroid Build Coastguard Worker// requirements have been met, using only local invariants. Examples of local
*6777b538SAndroid Build Coastguard Worker// invariants include:
*6777b538SAndroid Build Coastguard Worker// - Runtime conditions or CHECKs near the UNSAFE_BUFFERS macros
*6777b538SAndroid Build Coastguard Worker// - Invariants guaranteed by types in the surrounding code
*6777b538SAndroid Build Coastguard Worker// - Invariants guaranteed by function calls in the surrounding code
*6777b538SAndroid Build Coastguard Worker// - Caller requirements, if the containing function is itself marked with
*6777b538SAndroid Build Coastguard Worker//   UNSAFE_BUFFER_USAGE
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// The last case should be an option of last resort. It is less safe and will
*6777b538SAndroid Build Coastguard Worker// require the caller also use the UNSAFE_BUFFERS() macro. Prefer directly
*6777b538SAndroid Build Coastguard Worker// capturing such invariants in types like `base::span`.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Safety explanations may not rely on invariants that are not fully
*6777b538SAndroid Build Coastguard Worker// encapsulated close to the UNSAFE_BUFFERS() usage. Instead, use safer coding
*6777b538SAndroid Build Coastguard Worker// patterns or stronger invariants.
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__)
*6777b538SAndroid Build Coastguard Worker// clang-format off
*6777b538SAndroid Build Coastguard Worker// Formatting is off so that we can put each _Pragma on its own line, as
*6777b538SAndroid Build Coastguard Worker// recommended by the gcc docs.
*6777b538SAndroid Build Coastguard Worker#define UNSAFE_BUFFERS(...)                  \
*6777b538SAndroid Build Coastguard Worker  _Pragma("clang unsafe_buffer_usage begin") \
*6777b538SAndroid Build Coastguard Worker  __VA_ARGS__                                \
*6777b538SAndroid Build Coastguard Worker  _Pragma("clang unsafe_buffer_usage end")
*6777b538SAndroid Build Coastguard Worker// clang-format on
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define UNSAFE_BUFFERS(...) __VA_ARGS__
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Defines a condition for a function to be checked at compile time if the
*6777b538SAndroid Build Coastguard Worker// parameter's value is known at compile time. If the condition is failed, the
*6777b538SAndroid Build Coastguard Worker// function is omitted from the overload set resolution, much like `requires`.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// If the parameter is a runtime value, then the condition is unable to be
*6777b538SAndroid Build Coastguard Worker// checked and the function will be omitted from the overload set resolution.
*6777b538SAndroid Build Coastguard Worker// This ensures the function can only be called with values known at compile
*6777b538SAndroid Build Coastguard Worker// time. This is a clang extension.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// Example:
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker// void f(int a) ENABLE_IF_ATTR(a > 0) {}
*6777b538SAndroid Build Coastguard Worker// f(1);  // Ok.
*6777b538SAndroid Build Coastguard Worker// f(0);  // Error: no valid f() found.
*6777b538SAndroid Build Coastguard Worker// ```
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// The `ENABLE_IF_ATTR` annotation is preferred over `consteval` with a check
*6777b538SAndroid Build Coastguard Worker// that breaks compile because metaprogramming does not observe such checks. So
*6777b538SAndroid Build Coastguard Worker// with `consteval`, the function looks callable to concepts/type_traits but is
*6777b538SAndroid Build Coastguard Worker// not and will fail to compile even though it reports it's usable. Whereas
*6777b538SAndroid Build Coastguard Worker// `ENABLE_IF_ATTR` interacts correctly with metaprogramming. This is especially
*6777b538SAndroid Build Coastguard Worker// painful for constructors. See also
*6777b538SAndroid Build Coastguard Worker// https://github.com/chromium/subspace/issues/266.
*6777b538SAndroid Build Coastguard Worker#if defined(__clang__)
*6777b538SAndroid Build Coastguard Worker#define ENABLE_IF_ATTR(cond, msg) __attribute__((enable_if(cond, msg)))
*6777b538SAndroid Build Coastguard Worker#else
*6777b538SAndroid Build Coastguard Worker#define ENABLE_IF_ATTR(cond, msg)
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#endif  // BASE_COMPILER_SPECIFIC_H_