gecko/mfbt/GuardObjects.h
Eric Rahm 6b37859755 Bug 1145056 - Assert that the guard notifier has been initialized. r=froydnj
In order to both verify that guard object notifiers are being properly used
and to silence a coverity warning about an explicit null dereference we
switch over to using a poison value rather than nullptr. An assertion is added
to make sure that the guard object notifier is properly initialized as well.
2015-04-21 16:47:52 -07:00

168 lines
5.8 KiB
C++

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Implementation of macros to ensure correct use of RAII Auto* objects. */
#ifndef mozilla_GuardObjects_h
#define mozilla_GuardObjects_h
#include "mozilla/Assertions.h"
#include "mozilla/Move.h"
#include "mozilla/Types.h"
#ifdef __cplusplus
#ifdef DEBUG
/**
* A custom define is used rather than |mozPoisonValue()| due to cascading
* build failures relating to how mfbt is linked on different operating
* systems. See bug 1160253.
*/
#define MOZ_POISON uintptr_t(-1)
namespace mozilla {
namespace detail {
/*
* The following classes are designed to cause assertions to detect
* inadvertent use of guard objects as temporaries. In other words,
* when we have a guard object whose only purpose is its constructor and
* destructor (and is never otherwise referenced), the intended use
* might be:
*
* AutoRestore savePainting(mIsPainting);
*
* but is is easy to accidentally write:
*
* AutoRestore(mIsPainting);
*
* which compiles just fine, but runs the destructor well before the
* intended time.
*
* They work by adding (#ifdef DEBUG) an additional parameter to the
* guard object's constructor, with a default value, so that users of
* the guard object's API do not need to do anything. The default value
* of this parameter is a temporary object. C++ (ISO/IEC 14882:1998),
* section 12.2 [class.temporary], clauses 4 and 5 seem to assume a
* guarantee that temporaries are destroyed in the reverse of their
* construction order, but I actually can't find a statement that that
* is true in the general case (beyond the two specific cases mentioned
* there). However, it seems to be true.
*
* These classes are intended to be used only via the macros immediately
* below them:
*
* MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER declares (ifdef DEBUG) a member
* variable, and should be put where a declaration of a private
* member variable would be placed.
* MOZ_GUARD_OBJECT_NOTIFIER_PARAM should be placed at the end of the
* parameters to each constructor of the guard object; it declares
* (ifdef DEBUG) an additional parameter. (But use the *_ONLY_PARAM
* variant for constructors that take no other parameters.)
* MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL should likewise be used in
* the implementation of such constructors when they are not inline.
* MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT should be used in
* the implementation of such constructors to pass the parameter to
* a base class that also uses these macros
* MOZ_GUARD_OBJECT_NOTIFIER_INIT is a statement that belongs in each
* constructor. It uses the parameter declared by
* MOZ_GUARD_OBJECT_NOTIFIER_PARAM.
*
* For more details, and examples of using these macros, see
* https://developer.mozilla.org/en/Using_RAII_classes_in_Mozilla
*/
class GuardObjectNotifier
{
private:
bool* mStatementDone;
public:
GuardObjectNotifier()
: mStatementDone(reinterpret_cast<bool*>(MOZ_POISON))
{
}
~GuardObjectNotifier()
{
// Assert that the GuardObjectNotifier has been properly initialized by
// using the |MOZ_GUARD_OBJECT_NOTIFIER_INIT| macro. A poison value is
// used rather than a null check to appease static analyzers that were
// (incorrectly) detecting null pointer dereferences.
MOZ_ASSERT(mStatementDone != reinterpret_cast<bool*>(MOZ_POISON));
*mStatementDone = true;
}
void setStatementDone(bool* aStatementIsDone)
{
mStatementDone = aStatementIsDone;
}
};
class GuardObjectNotificationReceiver
{
private:
bool mStatementDone;
public:
GuardObjectNotificationReceiver() : mStatementDone(false) { }
~GuardObjectNotificationReceiver() {
/*
* Assert that the guard object was not used as a temporary. (Note that
* this assert might also fire if init is not called because the guard
* object's implementation is not using the above macros correctly.)
*/
MOZ_ASSERT(mStatementDone);
}
void init(GuardObjectNotifier& aNotifier)
{
aNotifier.setStatementDone(&mStatementDone);
}
};
} /* namespace detail */
} /* namespace mozilla */
#undef MOZ_POISON
#endif /* DEBUG */
#ifdef DEBUG
# define MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER \
mozilla::detail::GuardObjectNotificationReceiver _mCheckNotUsedAsTemporary;
# define MOZ_GUARD_OBJECT_NOTIFIER_PARAM \
, mozilla::detail::GuardObjectNotifier&& _notifier = \
mozilla::detail::GuardObjectNotifier()
# define MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM \
mozilla::detail::GuardObjectNotifier&& _notifier = \
mozilla::detail::GuardObjectNotifier()
# define MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL \
, mozilla::detail::GuardObjectNotifier&& _notifier
# define MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_IN_IMPL \
mozilla::detail::GuardObjectNotifier&& _notifier
# define MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT \
, mozilla::Move(_notifier)
# define MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_TO_PARENT \
mozilla::Move(_notifier)
# define MOZ_GUARD_OBJECT_NOTIFIER_INIT \
do { _mCheckNotUsedAsTemporary.init(_notifier); } while (0)
#else
# define MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
# define MOZ_GUARD_OBJECT_NOTIFIER_PARAM
# define MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM
# define MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL
# define MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_IN_IMPL
# define MOZ_GUARD_OBJECT_NOTIFIER_ONLY_PARAM_TO_PARENT
# define MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT
# define MOZ_GUARD_OBJECT_NOTIFIER_INIT do { } while (0)
#endif
#endif /* __cplusplus */
#endif /* mozilla_GuardObjects_h */