// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef BASE_COMPILER_SPECIFIC_H_ #define BASE_COMPILER_SPECIFIC_H_ #include "build/build_config.h" #if defined(COMPILER_MSVC) && !defined(__clang__) #error "Only clang-cl is supported on Windows, see https://crbug.com/988071" #endif // This is a wrapper around `__has_cpp_attribute`, which can be used to test for // the presence of an attribute. In case the compiler does not support this // macro it will simply evaluate to 0. // // References: // https://wg21.link/sd6#testing-for-the-presence-of-an-attribute-__has_cpp_attribute // https://wg21.link/cpp.cond#:__has_cpp_attribute #if defined(__has_cpp_attribute) #define HAS_CPP_ATTRIBUTE(x) … #else #define HAS_CPP_ATTRIBUTE … #endif // A wrapper around `__has_attribute`, similar to HAS_CPP_ATTRIBUTE. #if defined(__has_attribute) #define HAS_ATTRIBUTE(x) … #else #define HAS_ATTRIBUTE … #endif // A wrapper around `__has_builtin`, similar to HAS_CPP_ATTRIBUTE. #if defined(__has_builtin) #define HAS_BUILTIN(x) … #else #define HAS_BUILTIN … #endif // Annotate a function indicating it should not be inlined. // Use like: // NOINLINE void DoStuff() { ... } #if defined(__clang__) && HAS_ATTRIBUTE(noinline) #define NOINLINE … #elif defined(COMPILER_GCC) && HAS_ATTRIBUTE(noinline) #define NOINLINE … #elif defined(COMPILER_MSVC) #define NOINLINE … #else #define NOINLINE #endif // Annotate a function indicating it should not be optimized. #if defined(__clang__) && HAS_ATTRIBUTE(optnone) #define NOOPT … #elif defined(COMPILER_GCC) && HAS_ATTRIBUTE(optimize) #define NOOPT … #else #define NOOPT #endif #if defined(__clang__) && defined(NDEBUG) && HAS_ATTRIBUTE(always_inline) #define ALWAYS_INLINE … #elif defined(COMPILER_GCC) && defined(NDEBUG) && HAS_ATTRIBUTE(always_inline) #define ALWAYS_INLINE … #elif defined(COMPILER_MSVC) && defined(NDEBUG) #define ALWAYS_INLINE … #else #define ALWAYS_INLINE … #endif // Annotate a function indicating it should never be tail called. Useful to make // sure callers of the annotated function are never omitted from call-stacks. // To provide the complementary behavior (prevent the annotated function from // being omitted) look at NOINLINE. Also note that this doesn't prevent code // folding of multiple identical caller functions into a single signature. To // prevent code folding, see NO_CODE_FOLDING() in base/debug/alias.h. // Use like: // NOT_TAIL_CALLED void FooBar(); #if defined(__clang__) && HAS_ATTRIBUTE(not_tail_called) #define NOT_TAIL_CALLED … #else #define NOT_TAIL_CALLED #endif // Annotate a function indicating it must be tail called. // Can be used only on return statements, even for functions returning void. // Caller and callee must have the same number of arguments and its types must // be "similar". #if defined(__clang__) && HAS_ATTRIBUTE(musttail) #define MUSTTAIL … #else #define MUSTTAIL #endif // In case the compiler supports it NO_UNIQUE_ADDRESS evaluates to the C++20 // attribute [[no_unique_address]]. This allows annotating data members so that // they need not have an address distinct from all other non-static data members // of its class. // // References: // * https://en.cppreference.com/w/cpp/language/attributes/no_unique_address // * https://wg21.link/dcl.attr.nouniqueaddr #if defined(COMPILER_MSVC) && HAS_CPP_ATTRIBUTE(msvc::no_unique_address) // Unfortunately MSVC ignores [[no_unique_address]] (see // https://devblogs.microsoft.com/cppblog/msvc-cpp20-and-the-std-cpp20-switch/#msvc-extensions-and-abi), // and clang-cl matches it for ABI compatibility reasons. We need to prefer // [[msvc::no_unique_address]] when available if we actually want any effect. #define NO_UNIQUE_ADDRESS … #elif HAS_CPP_ATTRIBUTE(no_unique_address) #define NO_UNIQUE_ADDRESS … #else #define NO_UNIQUE_ADDRESS #endif // Tells the compiler a function is using a printf-style format string. // |format_param| is the one-based index of the format string parameter; // |dots_param| is the one-based index of the "..." parameter. // For v*printf functions (which take a va_list), pass 0 for dots_param. // (This is undocumented but matches what the system C headers do.) // For member functions, the implicit this parameter counts as index 1. #if (defined(COMPILER_GCC) || defined(__clang__)) && HAS_ATTRIBUTE(format) #define PRINTF_FORMAT(format_param, dots_param) … #else #define PRINTF_FORMAT … #endif // Sanitizers annotations. #if HAS_ATTRIBUTE(no_sanitize) #define NO_SANITIZE(what) … #endif #if !defined(NO_SANITIZE) #define NO_SANITIZE … #endif // MemorySanitizer annotations. #if defined(MEMORY_SANITIZER) && !BUILDFLAG(IS_NACL) #include <sanitizer/msan_interface.h> // Mark a memory region fully initialized. // Use this to annotate code that deliberately reads uninitialized data, for // example a GC scavenging root set pointers from the stack. #define MSAN_UNPOISON … // Check a memory region for initializedness, as if it was being used here. // If any bits are uninitialized, crash with an MSan report. // Use this to sanitize data which MSan won't be able to track, e.g. before // passing data to another process via shared memory. #define MSAN_CHECK_MEM_IS_INITIALIZED … #else // MEMORY_SANITIZER #define MSAN_UNPOISON(p, size) … #define MSAN_CHECK_MEM_IS_INITIALIZED(p, size) … #endif // MEMORY_SANITIZER // DISABLE_CFI_PERF -- Disable Control Flow Integrity for perf reasons. #if !defined(DISABLE_CFI_PERF) #if defined(__clang__) && defined(OFFICIAL_BUILD) #define DISABLE_CFI_PERF … #else #define DISABLE_CFI_PERF #endif #endif // DISABLE_CFI_ICALL -- Disable Control Flow Integrity indirect call checks. // Security Note: if you just need to allow calling of dlsym functions use // DISABLE_CFI_DLSYM. #if !defined(DISABLE_CFI_ICALL) #if BUILDFLAG(IS_WIN) // Windows also needs __declspec(guard(nocf)). #define DISABLE_CFI_ICALL … #else #define DISABLE_CFI_ICALL … #endif #endif #if !defined(DISABLE_CFI_ICALL) #define DISABLE_CFI_ICALL #endif // DISABLE_CFI_DLSYM -- applies DISABLE_CFI_ICALL on platforms where dlsym // functions must be called. Retains CFI checks on platforms where loaded // modules participate in CFI (e.g. Windows). #if !defined(DISABLE_CFI_DLSYM) #if BUILDFLAG(IS_WIN) // Windows modules register functions when loaded so can be checked by CFG. #define DISABLE_CFI_DLSYM #else #define DISABLE_CFI_DLSYM … #endif #endif #if !defined(DISABLE_CFI_DLSYM) #define DISABLE_CFI_DLSYM #endif // Compiler feature-detection. // clang.llvm.org/docs/LanguageExtensions.html#has-feature-and-has-extension #if defined(__has_feature) #define HAS_FEATURE(FEATURE) … #else #define HAS_FEATURE … #endif #if defined(COMPILER_GCC) #define PRETTY_FUNCTION … #elif defined(COMPILER_MSVC) #define PRETTY_FUNCTION … #else // See https://en.cppreference.com/w/c/language/function_definition#func #define PRETTY_FUNCTION … #endif #if defined(__clang__) && HAS_ATTRIBUTE(uninitialized) // Attribute "uninitialized" disables -ftrivial-auto-var-init=pattern for // the specified variable. // Library-wide alternative is // 'configs -= [ "//build/config/compiler:default_init_stack_vars" ]' in .gn // file. // // See "init_stack_vars" in build/config/compiler/BUILD.gn and // http://crbug.com/977230 // "init_stack_vars" is enabled for non-official builds and we hope to enable it // in official build in 2020 as well. The flag writes fixed pattern into // uninitialized parts of all local variables. In rare cases such initialization // is undesirable and attribute can be used: // 1. Degraded performance // In most cases compiler is able to remove additional stores. E.g. if memory is // never accessed or properly initialized later. Preserved stores mostly will // not affect program performance. However if compiler failed on some // performance critical code we can get a visible regression in a benchmark. // 2. memset, memcpy calls // Compiler may replaces some memory writes with memset or memcpy calls. This is // not -ftrivial-auto-var-init specific, but it can happen more likely with the // flag. It can be a problem if code is not linked with C run-time library. // // Note: The flag is security risk mitigation feature. So in future the // attribute uses should be avoided when possible. However to enable this // mitigation on the most of the code we need to be less strict now and minimize // number of exceptions later. So if in doubt feel free to use attribute, but // please document the problem for someone who is going to cleanup it later. // E.g. platform, bot, benchmark or test name in patch description or next to // the attribute. #define STACK_UNINITIALIZED … #else #define STACK_UNINITIALIZED #endif // Attribute "no_stack_protector" disables -fstack-protector for the specified // function. // // "stack_protector" is enabled on most POSIX builds. The flag adds a canary // to each stack frame, which on function return is checked against a reference // canary. If the canaries do not match, it's likely that a stack buffer // overflow has occurred, so immediately crashing will prevent exploitation in // many cases. // // In some cases it's desirable to remove this, e.g. on hot functions, or if // we have purposely changed the reference canary. #if defined(COMPILER_GCC) || defined(__clang__) #if HAS_ATTRIBUTE(__no_stack_protector__) #define NO_STACK_PROTECTOR … #else #define NO_STACK_PROTECTOR … #endif #else #define NO_STACK_PROTECTOR #endif // The ANALYZER_ASSUME_TRUE(bool arg) macro adds compiler-specific hints // to Clang which control what code paths are statically analyzed, // and is meant to be used in conjunction with assert & assert-like functions. // The expression is passed straight through if analysis isn't enabled. // // ANALYZER_SKIP_THIS_PATH() suppresses static analysis for the current // codepath and any other branching codepaths that might follow. #if defined(__clang_analyzer__) inline constexpr bool AnalyzerNoReturn() __attribute__((analyzer_noreturn)) { return false; } inline constexpr bool AnalyzerAssumeTrue(bool arg) { // AnalyzerNoReturn() is invoked and analysis is terminated if |arg| is // false. return arg || AnalyzerNoReturn(); } #define ANALYZER_ASSUME_TRUE … #define ANALYZER_SKIP_THIS_PATH … #else // !defined(__clang_analyzer__) #define ANALYZER_ASSUME_TRUE(arg) … #define ANALYZER_SKIP_THIS_PATH() … #endif // defined(__clang_analyzer__) // Use nomerge attribute to disable optimization of merging multiple same calls. #if defined(__clang__) && HAS_ATTRIBUTE(nomerge) #define NOMERGE … #else #define NOMERGE #endif // Marks a type as being eligible for the "trivial" ABI despite having a // non-trivial destructor or copy/move constructor. Such types can be relocated // after construction by simply copying their memory, which makes them eligible // to be passed in registers. The canonical example is std::unique_ptr. // // Use with caution; this has some subtle effects on constructor/destructor // ordering and will be very incorrect if the type relies on its address // remaining constant. When used as a function argument (by value), the value // may be constructed in the caller's stack frame, passed in a register, and // then used and destructed in the callee's stack frame. A similar thing can // occur when values are returned. // // TRIVIAL_ABI is not needed for types which have a trivial destructor and // copy/move constructors, such as base::TimeTicks and other POD. // // It is also not likely to be effective on types too large to be passed in one // or two registers on typical target ABIs. // // See also: // https://clang.llvm.org/docs/AttributeReference.html#trivial-abi // https://libcxx.llvm.org/docs/DesignDocs/UniquePtrTrivialAbi.html #if defined(__clang__) && HAS_ATTRIBUTE(trivial_abi) #define TRIVIAL_ABI … #else #define TRIVIAL_ABI #endif // Detect whether a type is trivially relocatable, ie. a move-and-destroy // sequence can replaced with memmove(). This can be used to optimise the // implementation of containers. This is automatically true for types that were // defined with TRIVIAL_ABI such as scoped_refptr. // // See also: // https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p1144r8.html // https://clang.llvm.org/docs/LanguageExtensions.html#:~:text=__is_trivially_relocatable #if defined(__clang__) && HAS_BUILTIN(__is_trivially_relocatable) #define IS_TRIVIALLY_RELOCATABLE(t) … #else #define IS_TRIVIALLY_RELOCATABLE … #endif // Marks a member function as reinitializing a moved-from variable. // See also // https://clang.llvm.org/extra/clang-tidy/checks/bugprone/use-after-move.html#reinitialization #if defined(__clang__) && HAS_ATTRIBUTE(reinitializes) #define REINITIALIZES_AFTER_MOVE … #else #define REINITIALIZES_AFTER_MOVE #endif #if defined(__clang__) #define GSL_OWNER … #define GSL_POINTER … #else #define GSL_OWNER #define GSL_POINTER #endif // Adds the "logically_const" tag to a symbol's mangled name. The "Mutable // Constants" check [1] detects instances of constants that aren't in .rodata, // e.g. due to a missing `const`. Using this tag suppresses the check for this // symbol, allowing it to live outside .rodata without a warning. // // [1]: // https://crsrc.org/c/docs/speed/binary_size/android_binary_size_trybot.md#Mutable-Constants #if defined(COMPILER_GCC) || defined(__clang__) #define LOGICALLY_CONST … #else #define LOGICALLY_CONST #endif // preserve_most clang's calling convention. Reduces register pressure for the // caller and as such can be used for cold calls. Support for the // "preserve_most" attribute is limited: // - 32-bit platforms do not implement it, // - component builds fail because _dl_runtime_resolve() clobbers registers, // - there are crashes on arm64 on Windows (https://crbug.com/v8/14065), which // can hopefully be fixed in the future. // Additionally, the initial implementation in clang <= 16 overwrote the return // register(s) in the epilogue of a preserve_most function, so we only use // preserve_most in clang >= 17 (see https://reviews.llvm.org/D143425). // Clang only supports preserve_most on X86-64 and AArch64 for now. // See https://clang.llvm.org/docs/AttributeReference.html#preserve-most for // more details. #if (defined(ARCH_CPU_ARM64) || defined(ARCH_CPU_X86_64)) && \ !(BUILDFLAG(IS_WIN) && defined(ARCH_CPU_ARM64)) && \ !defined(COMPONENT_BUILD) && defined(__clang__) && \ __clang_major__ >= 17 && HAS_ATTRIBUTE(preserve_most) #define PRESERVE_MOST … #else #define PRESERVE_MOST #endif // Mark parameters or return types as having a lifetime attached to the class. // // When used to mark a method's pointer/reference parameter, the compiler is // made aware that it will be stored internally in the class and the pointee // must outlive the class. Typically used on constructor arguments. It should // appear to the right of the parameter's variable name. // // Example: // ``` // struct S { // S(int* p LIFETIME_BOUND) : ptr_(p) {} // // int* ptr_; // }; // ``` // // When used on a method with a return value, the compiler is made aware that // the returned type is/has a pointer to the internals of the class, and must // not outlive the class object. It should appear after any method qualifiers. // // Example: // ``` // struct S { // int* GetPtr() const LIFETIME_BOUND { return i_; }; // // int i_; // }; // ``` // // This allows the compiler to warn in (a limited set of) cases where the // pointer would otherwise be left dangling, especially in cases where the // pointee would be a destroyed temporary. // // Docs: https://clang.llvm.org/docs/AttributeReference.html#lifetimebound #if defined(__clang__) #define LIFETIME_BOUND … #else #define LIFETIME_BOUND #endif // Mark a function as pure, meaning that it does not have side effects, meaning // that it does not write anything external to the function's local variables // and return value. // // WARNING: If this attribute is mis-used it will result in UB and // miscompilation, as the optimizator may fold multiple calls into one and // reorder them inappropriately. This shouldn't appear outside of key vocabulary // types. It allows callers to work with the vocab type directly, and call its // methods without having to worry about caching things into local variables in // hot code. // // This attribute must not appear on functions that make use of function // pointers, virtual methods, or methods of templates (including operators like // comparison), as the "pure" function can not know what those functions do and // can not guarantee there will never be sideeffects. #if defined(COMPILER_GCC) || defined(__clang__) #define PURE_FUNCTION … #else #define PURE_FUNCTION #endif // Functions should be marked with UNSAFE_BUFFER_USAGE when they lead to // out-of-bounds bugs when called with incorrect inputs. // // Ideally such functions should be paired with a safer version that works with // safe primitives like `base::span`. Otherwise, another safer coding pattern // should be documented along side the use of `UNSAFE_BUFFER_USAGE`. // // All functions marked with UNSAFE_BUFFER_USAGE should come with a safety // comment that explains the requirements of the function to prevent an // out-of-bounds bug. For example: // ``` // // Function to do things between `input` and `end`. // // // // # Safety // // The `input` must point to an array with size at least 5. The `end` must // // point within the same allocation of `input` and not come before `input`. // ``` // // The requirements described in the safety comment must be sufficient to // guarantee that the function never goes out of bounds. Annotating a function // in this way means that all callers will be required to wrap the call in an // `UNSAFE_BUFFERS()` macro (see below), with a comment justifying how it meets // the requirements. #if defined(__clang__) && HAS_ATTRIBUTE(unsafe_buffer_usage) #define UNSAFE_BUFFER_USAGE … #else #define UNSAFE_BUFFER_USAGE #endif // UNSAFE_BUFFERS() wraps code that violates the -Wunsafe-buffer-usage warning, // such as: // - pointer arithmetic, // - pointer subscripting, and // - calls to functions annotated with UNSAFE_BUFFER_USAGE. // // This indicates code whose bounds correctness cannot be ensured // systematically, and thus requires manual review. // // ** USE OF THIS MACRO SHOULD BE VERY RARE.** This should only be used when // strictly necessary. Prefer to use `base::span` instead of pointers, or other // safer coding patterns (like std containers) that avoid the opportunity for // out-of-bounds bugs to creep into the code. Any use of UNSAFE_BUFFERS() can // lead to a critical security bug if any assumptions are wrong, or ever become // wrong in the future. // // The macro should be used to wrap the minimum necessary code, to make it clear // what is unsafe, and prevent accidentally opting extra things out of the // warning. // // All usage of UNSAFE_BUFFERS() *must* come with a `// SAFETY: ...` comment // that explains how we have guaranteed that the pointer usage can never go // out-of-bounds, or that the requirements of the UNSAFE_BUFFER_USAGE function // are met. The safety comment should allow the chrome security team to check // that all requirements have been met, using only local invariants. Contact // [email protected] to schedule such a review. // // Examples of local invariants include: // - Runtime conditions or CHECKs near the UNSAFE_BUFFERS macros // - Invariants guaranteed by types in the surrounding code // - Invariants guaranteed by function calls in the surrounding code // - Caller requirements, if the containing function is itself marked with // UNSAFE_BUFFER_USAGE // // The last case should be an option of last resort. It is less safe and will // require the caller also use the UNSAFE_BUFFERS() macro. Prefer directly // capturing such invariants in types like `base::span`. // // Safety explanations may not rely on invariants that are not fully // encapsulated close to the UNSAFE_BUFFERS() usage. Instead, use safer coding // patterns or stronger invariants. #if defined(__clang__) // clang-format off // Formatting is off so that we can put each _Pragma on its own line, as // recommended by the gcc docs. #define UNSAFE_BUFFERS(...) … // clang-format on #else #define UNSAFE_BUFFERS … #endif // Line-level suppression of unsafe buffers warnings. This gives finer-grained // control over opting out portions of code from buffer safety checks than the // file-level pragma. It is used to indicate code that should be re-written for // safety and makes such sections easy-to-find (contrast this with the // UNSAFE_BUFFERS macro that indicates code that is expected to remain present // and has been manually evaluated for safety). Use of this macro can increase // the number of non-exempt files, and hence prevent new unsafe code from // being written in them. #define UNSAFE_TODO(...) … // Defines a condition for a function to be checked at compile time if the // parameter's value is known at compile time. If the condition is failed, the // function is omitted from the overload set resolution, much like `requires`. // // If the parameter is a runtime value, then the condition is unable to be // checked and the function will be omitted from the overload set resolution. // This ensures the function can only be called with values known at compile // time. This is a clang extension. // // Example: // ``` // void f(int a) ENABLE_IF_ATTR(a > 0) {} // f(1); // Ok. // f(0); // Error: no valid f() found. // ``` // // The `ENABLE_IF_ATTR` annotation is preferred over `consteval` with a check // that breaks compile because metaprogramming does not observe such checks. So // with `consteval`, the function looks callable to concepts/type_traits but is // not and will fail to compile even though it reports it's usable. Whereas // `ENABLE_IF_ATTR` interacts correctly with metaprogramming. This is especially // painful for constructors. See also // https://github.com/chromium/subspace/issues/266. #if defined(__clang__) #define ENABLE_IF_ATTR(cond, msg) … #else #define ENABLE_IF_ATTR … #endif #endif // BASE_COMPILER_SPECIFIC_H_