1 /* Compile-time assert-like macros. 2 3 Copyright (C) 2005-2006, 2009-2019 Free Software Foundation, Inc. 4 5 This program is free software: you can redistribute it and/or modify 6 it under the terms of the GNU General Public License as published by 7 the Free Software Foundation; either version 3 of the License, or 8 (at your option) any later version. 9 10 This program is distributed in the hope that it will be useful, 11 but WITHOUT ANY WARRANTY; without even the implied warranty of 12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 GNU General Public License for more details. 14 15 You should have received a copy of the GNU General Public License 16 along with this program. If not, see <https://www.gnu.org/licenses/>. */ 17 18 /* Written by Paul Eggert, Bruno Haible, and Jim Meyering. */ 19 20 #ifndef _GL_VERIFY_H 21 #define _GL_VERIFY_H 22 23 24 /* Define _GL_HAVE__STATIC_ASSERT to 1 if _Static_assert works as per C11. 25 This is supported by GCC 4.6.0 and later, in C mode, and its use 26 here generates easier-to-read diagnostics when verify (R) fails. 27 28 Define _GL_HAVE_STATIC_ASSERT to 1 if static_assert works as per C++11. 29 This is supported by GCC 6.1.0 and later, in C++ mode. 30 31 Use this only with GCC. If we were willing to slow 'configure' 32 down we could also use it with other compilers, but since this 33 affects only the quality of diagnostics, why bother? */ 34 #if (4 < __GNUC__ + (6 <= __GNUC_MINOR__) \ 35 && (201112L <= __STDC_VERSION__ || !defined __STRICT_ANSI__) \ 36 && !defined __cplusplus) 37 # define _GL_HAVE__STATIC_ASSERT 1 38 #endif 39 #if (6 <= __GNUC__) && defined __cplusplus 40 # define _GL_HAVE_STATIC_ASSERT 1 41 #endif 42 43 /* FreeBSD 9.1 <sys/cdefs.h>, included by <stddef.h> and lots of other 44 system headers, defines a conflicting _Static_assert that is no 45 better than ours; override it. */ 46 #ifndef _GL_HAVE_STATIC_ASSERT 47 # include <stddef.h> 48 # undef _Static_assert 49 #endif 50 51 /* Each of these macros verifies that its argument R is nonzero. To 52 be portable, R should be an integer constant expression. Unlike 53 assert (R), there is no run-time overhead. 54 55 If _Static_assert works, verify (R) uses it directly. Similarly, 56 _GL_VERIFY_TRUE works by packaging a _Static_assert inside a struct 57 that is an operand of sizeof. 58 59 The code below uses several ideas for C++ compilers, and for C 60 compilers that do not support _Static_assert: 61 62 * The first step is ((R) ? 1 : -1). Given an expression R, of 63 integral or boolean or floating-point type, this yields an 64 expression of integral type, whose value is later verified to be 65 constant and nonnegative. 66 67 * Next this expression W is wrapped in a type 68 struct _gl_verify_type { 69 unsigned int _gl_verify_error_if_negative: W; 70 }. 71 If W is negative, this yields a compile-time error. No compiler can 72 deal with a bit-field of negative size. 73 74 One might think that an array size check would have the same 75 effect, that is, that the type struct { unsigned int dummy[W]; } 76 would work as well. However, inside a function, some compilers 77 (such as C++ compilers and GNU C) allow local parameters and 78 variables inside array size expressions. With these compilers, 79 an array size check would not properly diagnose this misuse of 80 the verify macro: 81 82 void function (int n) { verify (n < 0); } 83 84 * For the verify macro, the struct _gl_verify_type will need to 85 somehow be embedded into a declaration. To be portable, this 86 declaration must declare an object, a constant, a function, or a 87 typedef name. If the declared entity uses the type directly, 88 such as in 89 90 struct dummy {...}; 91 typedef struct {...} dummy; 92 extern struct {...} *dummy; 93 extern void dummy (struct {...} *); 94 extern struct {...} *dummy (void); 95 96 two uses of the verify macro would yield colliding declarations 97 if the entity names are not disambiguated. A workaround is to 98 attach the current line number to the entity name: 99 100 #define _GL_CONCAT0(x, y) x##y 101 #define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y) 102 extern struct {...} * _GL_CONCAT (dummy, __LINE__); 103 104 But this has the problem that two invocations of verify from 105 within the same macro would collide, since the __LINE__ value 106 would be the same for both invocations. (The GCC __COUNTER__ 107 macro solves this problem, but is not portable.) 108 109 A solution is to use the sizeof operator. It yields a number, 110 getting rid of the identity of the type. Declarations like 111 112 extern int dummy [sizeof (struct {...})]; 113 extern void dummy (int [sizeof (struct {...})]); 114 extern int (*dummy (void)) [sizeof (struct {...})]; 115 116 can be repeated. 117 118 * Should the implementation use a named struct or an unnamed struct? 119 Which of the following alternatives can be used? 120 121 extern int dummy [sizeof (struct {...})]; 122 extern int dummy [sizeof (struct _gl_verify_type {...})]; 123 extern void dummy (int [sizeof (struct {...})]); 124 extern void dummy (int [sizeof (struct _gl_verify_type {...})]); 125 extern int (*dummy (void)) [sizeof (struct {...})]; 126 extern int (*dummy (void)) [sizeof (struct _gl_verify_type {...})]; 127 128 In the second and sixth case, the struct type is exported to the 129 outer scope; two such declarations therefore collide. GCC warns 130 about the first, third, and fourth cases. So the only remaining 131 possibility is the fifth case: 132 133 extern int (*dummy (void)) [sizeof (struct {...})]; 134 135 * GCC warns about duplicate declarations of the dummy function if 136 -Wredundant-decls is used. GCC 4.3 and later have a builtin 137 __COUNTER__ macro that can let us generate unique identifiers for 138 each dummy function, to suppress this warning. 139 140 * This implementation exploits the fact that older versions of GCC, 141 which do not support _Static_assert, also do not warn about the 142 last declaration mentioned above. 143 144 * GCC warns if -Wnested-externs is enabled and verify() is used 145 within a function body; but inside a function, you can always 146 arrange to use verify_expr() instead. 147 148 * In C++, any struct definition inside sizeof is invalid. 149 Use a template type to work around the problem. */ 150 151 /* Concatenate two preprocessor tokens. */ 152 #define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y) 153 #define _GL_CONCAT0(x, y) x##y 154 155 /* _GL_COUNTER is an integer, preferably one that changes each time we 156 use it. Use __COUNTER__ if it works, falling back on __LINE__ 157 otherwise. __LINE__ isn't perfect, but it's better than a 158 constant. */ 159 #if defined __COUNTER__ && __COUNTER__ != __COUNTER__ 160 # define _GL_COUNTER __COUNTER__ 161 #else 162 # define _GL_COUNTER __LINE__ 163 #endif 164 165 /* Generate a symbol with the given prefix, making it unique if 166 possible. */ 167 #define _GL_GENSYM(prefix) _GL_CONCAT (prefix, _GL_COUNTER) 168 169 /* Verify requirement R at compile-time, as an integer constant expression 170 that returns 1. If R is false, fail at compile-time, preferably 171 with a diagnostic that includes the string-literal DIAGNOSTIC. */ 172 173 #define _GL_VERIFY_TRUE(R, DIAGNOSTIC) \ 174 (!!sizeof (_GL_VERIFY_TYPE (R, DIAGNOSTIC))) 175 176 #ifdef __cplusplus 177 # if !GNULIB_defined_struct__gl_verify_type 178 template <int w> 179 struct _gl_verify_type { 180 unsigned int _gl_verify_error_if_negative: w; 181 }; 182 # define GNULIB_defined_struct__gl_verify_type 1 183 # endif 184 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \ 185 _gl_verify_type<(R) ? 1 : -1> 186 #elif defined _GL_HAVE__STATIC_ASSERT 187 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \ 188 struct { \ 189 _Static_assert (R, DIAGNOSTIC); \ 190 int _gl_dummy; \ 191 } 192 #else 193 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \ 194 struct { unsigned int _gl_verify_error_if_negative: (R) ? 1 : -1; } 195 #endif 196 197 /* Verify requirement R at compile-time, as a declaration without a 198 trailing ';'. If R is false, fail at compile-time, preferably 199 with a diagnostic that includes the string-literal DIAGNOSTIC. 200 201 Unfortunately, unlike C11, this implementation must appear as an 202 ordinary declaration, and cannot appear inside struct { ... }. */ 203 204 #ifdef _GL_HAVE__STATIC_ASSERT 205 # define _GL_VERIFY _Static_assert 206 #else 207 # define _GL_VERIFY(R, DIAGNOSTIC) \ 208 extern int (*_GL_GENSYM (_gl_verify_function) (void)) \ 209 [_GL_VERIFY_TRUE (R, DIAGNOSTIC)] 210 #endif 211 212 /* _GL_STATIC_ASSERT_H is defined if this code is copied into assert.h. */ 213 #ifdef _GL_STATIC_ASSERT_H 214 # if !defined _GL_HAVE__STATIC_ASSERT && !defined _Static_assert 215 # define _Static_assert(R, DIAGNOSTIC) _GL_VERIFY (R, DIAGNOSTIC) 216 # endif 217 # if !defined _GL_HAVE_STATIC_ASSERT && !defined static_assert 218 # define static_assert _Static_assert /* C11 requires this #define. */ 219 # endif 220 #endif 221 222 /* @assert.h omit start@ */ 223 224 /* Each of these macros verifies that its argument R is nonzero. To 225 be portable, R should be an integer constant expression. Unlike 226 assert (R), there is no run-time overhead. 227 228 There are two macros, since no single macro can be used in all 229 contexts in C. verify_true (R) is for scalar contexts, including 230 integer constant expression contexts. verify (R) is for declaration 231 contexts, e.g., the top level. */ 232 233 /* Verify requirement R at compile-time, as an integer constant expression. 234 Return 1. This is equivalent to verify_expr (R, 1). 235 236 verify_true is obsolescent; please use verify_expr instead. */ 237 238 #define verify_true(R) _GL_VERIFY_TRUE (R, "verify_true (" #R ")") 239 240 /* Verify requirement R at compile-time. Return the value of the 241 expression E. */ 242 243 #define verify_expr(R, E) \ 244 (_GL_VERIFY_TRUE (R, "verify_expr (" #R ", " #E ")") ? (E) : (E)) 245 246 /* Verify requirement R at compile-time, as a declaration without a 247 trailing ';'. */ 248 249 #ifdef __GNUC__ 250 # define verify(R) _GL_VERIFY (R, "verify (" #R ")") 251 #else 252 /* PGI barfs if R is long. Play it safe. */ 253 # define verify(R) _GL_VERIFY (R, "verify (...)") 254 #endif 255 256 #ifndef __has_builtin 257 # define __has_builtin(x) 0 258 #endif 259 260 /* Assume that R always holds. This lets the compiler optimize 261 accordingly. R should not have side-effects; it may or may not be 262 evaluated. Behavior is undefined if R is false. */ 263 264 #if (__has_builtin (__builtin_unreachable) \ 265 || 4 < __GNUC__ + (5 <= __GNUC_MINOR__)) 266 # define assume(R) ((R) ? (void) 0 : __builtin_unreachable ()) 267 #elif 1200 <= _MSC_VER 268 # define assume(R) __assume (R) 269 #elif ((defined GCC_LINT || defined lint) \ 270 && (__has_builtin (__builtin_trap) \ 271 || 3 < __GNUC__ + (3 < __GNUC_MINOR__ + (4 <= __GNUC_PATCHLEVEL__)))) 272 /* Doing it this way helps various packages when configured with 273 --enable-gcc-warnings, which compiles with -Dlint. It's nicer 274 when 'assume' silences warnings even with older GCCs. */ 275 # define assume(R) ((R) ? (void) 0 : __builtin_trap ()) 276 #else 277 /* Some tools grok NOTREACHED, e.g., Oracle Studio 12.6. */ 278 # define assume(R) ((R) ? (void) 0 : /*NOTREACHED*/ (void) 0) 279 #endif 280 281 /* @assert.h omit end@ */ 282 283 #endif 284