Newer
Older
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
-----------------
Use ``__attribute__((guarded_by(l)))`` on a variable declaration to specify
that the variable must be accessed while holding lock ``l``.
``pt_guarded_by(l)``
--------------------
Use ``__attribute__((pt_guarded_by(l)))`` on a pointer declaration to specify
that the pointer must be dereferenced while holding lock ``l``.
``acquired_before(...)``
------------------------
Use ``__attribute__((acquired_before(...)))`` on a declaration of a lockable
variable to specify that the lock must be acquired before all attribute
arguments. Arguments must be lockable type, and there must be at least one
argument.
``acquired_after(...)``
-----------------------
Use ``__attribute__((acquired_after(...)))`` on a declaration of a lockable
variable to specify that the lock must be acquired after all attribute
arguments. Arguments must be lockable type, and there must be at least one
argument.
``exclusive_lock_function(...)``
--------------------------------
Use ``__attribute__((exclusive_lock_function(...)))`` on a function declaration
to specify that the function acquires all listed locks exclusively. This
attribute takes zero or more arguments: either of lockable type or integers
indexing into function parameters of lockable type. If no arguments are given,
the acquired lock is implicitly ``this`` of the enclosing object.
``shared_lock_function(...)``
-----------------------------
Use ``__attribute__((shared_lock_function(...)))`` on a function declaration to
specify that the function acquires all listed locks, although the locks may be
shared (e.g. read locks). This attribute takes zero or more arguments: either
of lockable type or integers indexing into function parameters of lockable
type. If no arguments are given, the acquired lock is implicitly ``this`` of
the enclosing object.
``exclusive_trylock_function(...)``
-----------------------------------
Use ``__attribute__((exclusive_lock_function(...)))`` on a function declaration
to specify that the function will try (without blocking) to acquire all listed
locks exclusively. This attribute takes one or more arguments. The first
argument is an integer or boolean value specifying the return value of a
successful lock acquisition. The remaining arugments are either of lockable
type or integers indexing into function parameters of lockable type. If only
one argument is given, the acquired lock is implicitly ``this`` of the
enclosing object.
``shared_trylock_function(...)``
--------------------------------
Use ``__attribute__((shared_lock_function(...)))`` on a function declaration to
specify that the function will try (without blocking) to acquire all listed
locks, although the locks may be shared (e.g. read locks). This attribute
takes one or more arguments. The first argument is an integer or boolean value
specifying the return value of a successful lock acquisition. The remaining
arugments are either of lockable type or integers indexing into function
parameters of lockable type. If only one argument is given, the acquired lock
is implicitly ``this`` of the enclosing object.
``unlock_function(...)``
------------------------
Use ``__attribute__((unlock_function(...)))`` on a function declaration to
specify that the function release all listed locks. This attribute takes zero
or more arguments: either of lockable type or integers indexing into function
parameters of lockable type. If no arguments are given, the acquired lock is
implicitly ``this`` of the enclosing object.
``lock_returned(l)``
--------------------
Use ``__attribute__((lock_returned(l)))`` on a function declaration to specify
that the function returns lock ``l`` (``l`` must be of lockable type). This
annotation is used to aid in resolving lock expressions.
``locks_excluded(...)``
-----------------------
Use ``__attribute__((locks_excluded(...)))`` on a function declaration to
specify that the function must not be called with the listed locks. Arguments
must be lockable type, and there must be at least one argument.
``exclusive_locks_required(...)``
---------------------------------
Use ``__attribute__((exclusive_locks_required(...)))`` on a function
declaration to specify that the function must be called while holding the
listed exclusive locks. Arguments must be lockable type, and there must be at
least one argument.
``shared_locks_required(...)``
------------------------------
Use ``__attribute__((shared_locks_required(...)))`` on a function declaration
to specify that the function must be called while holding the listed shared
locks. Arguments must be lockable type, and there must be at least one
argument.
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
Consumed Annotation Checking
============================
Clang supports additional attributes for checking basic resource management
properties, specifically for unique objects that have a single owning reference.
The following attributes are currently supported, although **the implementation
for these annotations is currently in development and are subject to change.**
``consumes``
------------
Use ``__attribute__((consumes))`` on a method that transitions an object into
the consumed state.
``callable_when_unconsumed``
----------------------------
Use ``__attribute__((callable_when_unconsumed))`` to indicate that a method may
only be called when the object is not in the consumed state.
``tests_unconsumed``
--------------------
Use `__attribute__((tests_unconsumed))`` to indicate that a method returns true
if the object is in the unconsumed state.
Type Safety Checking
====================
Clang supports additional attributes to enable checking type safety properties
that can't be enforced by the C type system. Use cases include:
* MPI library implementations, where these attributes enable checking that
the buffer type matches the passed ``MPI_Datatype``;
* for HDF5 library there is a similar use case to MPI;
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
* checking types of variadic functions' arguments for functions like
``fcntl()`` and ``ioctl()``.
You can detect support for these attributes with ``__has_attribute()``. For
example:
.. code-block:: c++
#if defined(__has_attribute)
# if __has_attribute(argument_with_type_tag) && \
__has_attribute(pointer_with_type_tag) && \
__has_attribute(type_tag_for_datatype)
# define ATTR_MPI_PWT(buffer_idx, type_idx) __attribute__((pointer_with_type_tag(mpi,buffer_idx,type_idx)))
/* ... other macros ... */
# endif
#endif
#if !defined(ATTR_MPI_PWT)
# define ATTR_MPI_PWT(buffer_idx, type_idx)
#endif
int MPI_Send(void *buf, int count, MPI_Datatype datatype /*, other args omitted */)
ATTR_MPI_PWT(1,3);
``argument_with_type_tag(...)``
-------------------------------
Use ``__attribute__((argument_with_type_tag(arg_kind, arg_idx,
type_tag_idx)))`` on a function declaration to specify that the function
accepts a type tag that determines the type of some other argument.
``arg_kind`` is an identifier that should be used when annotating all
applicable type tags.
This attribute is primarily useful for checking arguments of variadic functions
(``pointer_with_type_tag`` can be used in most non-variadic cases).
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
For example:
.. code-block:: c++
int fcntl(int fd, int cmd, ...)
__attribute__(( argument_with_type_tag(fcntl,3,2) ));
``pointer_with_type_tag(...)``
------------------------------
Use ``__attribute__((pointer_with_type_tag(ptr_kind, ptr_idx, type_tag_idx)))``
on a function declaration to specify that the function accepts a type tag that
determines the pointee type of some other pointer argument.
For example:
.. code-block:: c++
int MPI_Send(void *buf, int count, MPI_Datatype datatype /*, other args omitted */)
__attribute__(( pointer_with_type_tag(mpi,1,3) ));
``type_tag_for_datatype(...)``
------------------------------
Clang supports annotating type tags of two forms.
* **Type tag that is an expression containing a reference to some declared
identifier.** Use ``__attribute__((type_tag_for_datatype(kind, type)))`` on a
declaration with that identifier:
.. code-block:: c++
extern struct mpi_datatype mpi_datatype_int
__attribute__(( type_tag_for_datatype(mpi,int) ));
#define MPI_INT ((MPI_Datatype) &mpi_datatype_int)
* **Type tag that is an integral literal.** Introduce a ``static const``
variable with a corresponding initializer value and attach
``__attribute__((type_tag_for_datatype(kind, type)))`` on that declaration,
for example:
.. code-block:: c++
#define MPI_INT ((MPI_Datatype) 42)
static const MPI_Datatype mpi_datatype_int
__attribute__(( type_tag_for_datatype(mpi,int) )) = 42
The attribute also accepts an optional third argument that determines how the
expression is compared to the type tag. There are two supported flags:
* ``layout_compatible`` will cause types to be compared according to
layout-compatibility rules (C++11 [class.mem] p 17, 18). This is
implemented to support annotating types like ``MPI_DOUBLE_INT``.
For example:
.. code-block:: c++
/* In mpi.h */
struct internal_mpi_double_int { double d; int i; };
extern struct mpi_datatype mpi_datatype_double_int
__attribute__(( type_tag_for_datatype(mpi, struct internal_mpi_double_int, layout_compatible) ));
#define MPI_DOUBLE_INT ((MPI_Datatype) &mpi_datatype_double_int)
/* In user code */
struct my_pair { double a; int b; };
struct my_pair *buffer;
MPI_Send(buffer, 1, MPI_DOUBLE_INT /*, ... */); // no warning
struct my_int_pair { int a; int b; }
struct my_int_pair *buffer2;
MPI_Send(buffer2, 1, MPI_DOUBLE_INT /*, ... */); // warning: actual buffer element
// type 'struct my_int_pair'
// doesn't match specified MPI_Datatype
* ``must_be_null`` specifies that the expression should be a null pointer
constant, for example:
.. code-block:: c++
/* In mpi.h */
extern struct mpi_datatype mpi_datatype_null
__attribute__(( type_tag_for_datatype(mpi, void, must_be_null) ));
#define MPI_DATATYPE_NULL ((MPI_Datatype) &mpi_datatype_null)
/* In user code */
MPI_Send(buffer, 1, MPI_DATATYPE_NULL /*, ... */); // warning: MPI_DATATYPE_NULL
// was specified but buffer
// is not a null pointer
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
Format String Checking
======================
Clang supports the ``format`` attribute, which indicates that the function
accepts a ``printf`` or ``scanf``-like format string and corresponding
arguments or a ``va_list`` that contains these arguments.
Please see `GCC documentation about format attribute
<http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html>`_ to find details
about attribute syntax.
Clang implements two kinds of checks with this attribute.
#. Clang checks that the function with the ``format`` attribute is called with
a format string that uses format specifiers that are allowed, and that
arguments match the format string. This is the ``-Wformat`` warning, it is
on by default.
#. Clang checks that the format string argument is a literal string. This is
the ``-Wformat-nonliteral`` warning, it is off by default.
Clang implements this mostly the same way as GCC, but there is a difference
for functions that accept a ``va_list`` argument (for example, ``vprintf``).
GCC does not emit ``-Wformat-nonliteral`` warning for calls to such
fuctions. Clang does not warn if the format string comes from a function
Richard Smith
committed
parameter, where the function is annotated with a compatible attribute,
otherwise it warns. For example:
.. code-block:: c
__attribute__((__format__ (__scanf__, 1, 3)))
void foo(const char* s, char *buf, ...) {
va_list ap;
va_start(ap, buf);
vprintf(s, ap); // warning: format string is not a string literal
}
In this case we warn because ``s`` contains a format string for a
Richard Smith
committed
``scanf``-like function, but it is passed to a ``printf``-like function.
If the attribute is removed, clang still warns, because the format string is
not a string literal.
Richard Smith
committed
Another example:
__attribute__((__format__ (__printf__, 1, 3)))
void foo(const char* s, char *buf, ...) {
va_list ap;
va_start(ap, buf);
vprintf(s, ap); // warning
}
Richard Smith
committed
In this case Clang does not warn because the format string ``s`` and
the corresponding arguments are annotated. If the arguments are
incorrect, the caller of ``foo`` will receive a warning.