1 /* Compile-time assert-like macros. 2 3 Copyright (C) 2005-2006, 2009-2022 Free Software Foundation, Inc. 4 5 This file is free software: you can redistribute it and/or modify 6 it under the terms of the GNU Lesser General Public License as 7 published by the Free Software Foundation; either version 2.1 of the 8 License, or (at your option) any later version. 9 10 This file is distributed in the hope that it will be useful, 11 but WITHOUT ANY WARRANTY; without even the implied warranty of 12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 GNU Lesser General Public License for more details. 14 15 You should have received a copy of the GNU Lesser General Public License 16 along with this program. If not, see <https://www.gnu.org/licenses/>. */ 17 18 /* Written by Paul Eggert, Bruno Haible, and Jim Meyering. */ 19 20 #ifndef _GL_VERIFY_H 21 #define _GL_VERIFY_H 22 23 24 /* Define _GL_HAVE__STATIC_ASSERT to 1 if _Static_assert (R, DIAGNOSTIC) 25 works as per C11. This is supported by GCC 4.6.0+ and by clang 4+. 26 27 Define _GL_HAVE__STATIC_ASSERT1 to 1 if _Static_assert (R) works as 28 per C2x. This is supported by GCC 9.1+. 29 30 Support compilers claiming conformance to the relevant standard, 31 and also support GCC when not pedantic. If we were willing to slow 32 'configure' down we could also use it with other compilers, but 33 since this affects only the quality of diagnostics, why bother? */ 34 #ifndef __cplusplus 35 # if (201112L <= __STDC_VERSION__ \ 36 || (!defined __STRICT_ANSI__ \ 37 && (4 < __GNUC__ + (6 <= __GNUC_MINOR__) || 5 <= __clang_major__))) 38 # define _GL_HAVE__STATIC_ASSERT 1 39 # endif 40 # if (202000L <= __STDC_VERSION__ \ 41 || (!defined __STRICT_ANSI__ && 9 <= __GNUC__)) 42 # define _GL_HAVE__STATIC_ASSERT1 1 43 # endif 44 #endif 45 46 /* FreeBSD 9.1 <sys/cdefs.h>, included by <stddef.h> and lots of other 47 system headers, defines a conflicting _Static_assert that is no 48 better than ours; override it. */ 49 #ifndef _GL_HAVE__STATIC_ASSERT 50 # include <stddef.h> 51 # undef _Static_assert 52 #endif 53 54 /* Each of these macros verifies that its argument R is nonzero. To 55 be portable, R should be an integer constant expression. Unlike 56 assert (R), there is no run-time overhead. 57 58 If _Static_assert works, verify (R) uses it directly. Similarly, 59 _GL_VERIFY_TRUE works by packaging a _Static_assert inside a struct 60 that is an operand of sizeof. 61 62 The code below uses several ideas for C++ compilers, and for C 63 compilers that do not support _Static_assert: 64 65 * The first step is ((R) ? 1 : -1). Given an expression R, of 66 integral or boolean or floating-point type, this yields an 67 expression of integral type, whose value is later verified to be 68 constant and nonnegative. 69 70 * Next this expression W is wrapped in a type 71 struct _gl_verify_type { 72 unsigned int _gl_verify_error_if_negative: W; 73 }. 74 If W is negative, this yields a compile-time error. No compiler can 75 deal with a bit-field of negative size. 76 77 One might think that an array size check would have the same 78 effect, that is, that the type struct { unsigned int dummy[W]; } 79 would work as well. However, inside a function, some compilers 80 (such as C++ compilers and GNU C) allow local parameters and 81 variables inside array size expressions. With these compilers, 82 an array size check would not properly diagnose this misuse of 83 the verify macro: 84 85 void function (int n) { verify (n < 0); } 86 87 * For the verify macro, the struct _gl_verify_type will need to 88 somehow be embedded into a declaration. To be portable, this 89 declaration must declare an object, a constant, a function, or a 90 typedef name. If the declared entity uses the type directly, 91 such as in 92 93 struct dummy {...}; 94 typedef struct {...} dummy; 95 extern struct {...} *dummy; 96 extern void dummy (struct {...} *); 97 extern struct {...} *dummy (void); 98 99 two uses of the verify macro would yield colliding declarations 100 if the entity names are not disambiguated. A workaround is to 101 attach the current line number to the entity name: 102 103 #define _GL_CONCAT0(x, y) x##y 104 #define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y) 105 extern struct {...} * _GL_CONCAT (dummy, __LINE__); 106 107 But this has the problem that two invocations of verify from 108 within the same macro would collide, since the __LINE__ value 109 would be the same for both invocations. (The GCC __COUNTER__ 110 macro solves this problem, but is not portable.) 111 112 A solution is to use the sizeof operator. It yields a number, 113 getting rid of the identity of the type. Declarations like 114 115 extern int dummy [sizeof (struct {...})]; 116 extern void dummy (int [sizeof (struct {...})]); 117 extern int (*dummy (void)) [sizeof (struct {...})]; 118 119 can be repeated. 120 121 * Should the implementation use a named struct or an unnamed struct? 122 Which of the following alternatives can be used? 123 124 extern int dummy [sizeof (struct {...})]; 125 extern int dummy [sizeof (struct _gl_verify_type {...})]; 126 extern void dummy (int [sizeof (struct {...})]); 127 extern void dummy (int [sizeof (struct _gl_verify_type {...})]); 128 extern int (*dummy (void)) [sizeof (struct {...})]; 129 extern int (*dummy (void)) [sizeof (struct _gl_verify_type {...})]; 130 131 In the second and sixth case, the struct type is exported to the 132 outer scope; two such declarations therefore collide. GCC warns 133 about the first, third, and fourth cases. So the only remaining 134 possibility is the fifth case: 135 136 extern int (*dummy (void)) [sizeof (struct {...})]; 137 138 * GCC warns about duplicate declarations of the dummy function if 139 -Wredundant-decls is used. GCC 4.3 and later have a builtin 140 __COUNTER__ macro that can let us generate unique identifiers for 141 each dummy function, to suppress this warning. 142 143 * This implementation exploits the fact that older versions of GCC, 144 which do not support _Static_assert, also do not warn about the 145 last declaration mentioned above. 146 147 * GCC warns if -Wnested-externs is enabled and 'verify' is used 148 within a function body; but inside a function, you can always 149 arrange to use verify_expr instead. 150 151 * In C++, any struct definition inside sizeof is invalid. 152 Use a template type to work around the problem. */ 153 154 /* Concatenate two preprocessor tokens. */ 155 #define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y) 156 #define _GL_CONCAT0(x, y) x##y 157 158 /* _GL_COUNTER is an integer, preferably one that changes each time we 159 use it. Use __COUNTER__ if it works, falling back on __LINE__ 160 otherwise. __LINE__ isn't perfect, but it's better than a 161 constant. */ 162 #if defined __COUNTER__ && __COUNTER__ != __COUNTER__ 163 # define _GL_COUNTER __COUNTER__ 164 #else 165 # define _GL_COUNTER __LINE__ 166 #endif 167 168 /* Generate a symbol with the given prefix, making it unique if 169 possible. */ 170 #define _GL_GENSYM(prefix) _GL_CONCAT (prefix, _GL_COUNTER) 171 172 /* Verify requirement R at compile-time, as an integer constant expression 173 that returns 1. If R is false, fail at compile-time, preferably 174 with a diagnostic that includes the string-literal DIAGNOSTIC. */ 175 176 #define _GL_VERIFY_TRUE(R, DIAGNOSTIC) \ 177 (!!sizeof (_GL_VERIFY_TYPE (R, DIAGNOSTIC))) 178 179 #ifdef __cplusplus 180 # if !GNULIB_defined_struct__gl_verify_type 181 template <int w> 182 struct _gl_verify_type { 183 unsigned int _gl_verify_error_if_negative: w; 184 }; 185 # define GNULIB_defined_struct__gl_verify_type 1 186 # endif 187 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \ 188 _gl_verify_type<(R) ? 1 : -1> 189 #elif defined _GL_HAVE__STATIC_ASSERT 190 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \ 191 struct { \ 192 _Static_assert (R, DIAGNOSTIC); \ 193 int _gl_dummy; \ 194 } 195 #else 196 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \ 197 struct { unsigned int _gl_verify_error_if_negative: (R) ? 1 : -1; } 198 #endif 199 200 /* Verify requirement R at compile-time, as a declaration without a 201 trailing ';'. If R is false, fail at compile-time. 202 203 This macro requires three or more arguments but uses at most the first 204 two, so that the _Static_assert macro optionally defined below supports 205 both the C11 two-argument syntax and the C2x one-argument syntax. 206 207 Unfortunately, unlike C11, this implementation must appear as an 208 ordinary declaration, and cannot appear inside struct { ... }. */ 209 210 #if 200410 <= __cpp_static_assert 211 # define _GL_VERIFY(R, DIAGNOSTIC, ...) static_assert (R, DIAGNOSTIC) 212 #elif defined _GL_HAVE__STATIC_ASSERT 213 # define _GL_VERIFY(R, DIAGNOSTIC, ...) _Static_assert (R, DIAGNOSTIC) 214 #else 215 # define _GL_VERIFY(R, DIAGNOSTIC, ...) \ 216 extern int (*_GL_GENSYM (_gl_verify_function) (void)) \ 217 [_GL_VERIFY_TRUE (R, DIAGNOSTIC)] 218 # if 4 < __GNUC__ + (6 <= __GNUC_MINOR__) 219 # pragma GCC diagnostic ignored "-Wnested-externs" 220 # endif 221 #endif 222 223 /* _GL_STATIC_ASSERT_H is defined if this code is copied into assert.h. */ 224 #ifdef _GL_STATIC_ASSERT_H 225 # if !defined _GL_HAVE__STATIC_ASSERT1 && !defined _Static_assert 226 # define _Static_assert(...) \ 227 _GL_VERIFY (__VA_ARGS__, "static assertion failed", -) 228 # endif 229 # if __cpp_static_assert < 201411 && !defined static_assert 230 # define static_assert _Static_assert /* C11 requires this #define. */ 231 # endif 232 #endif 233 234 /* @assert.h omit start@ */ 235 236 #if 3 < __GNUC__ + (3 < __GNUC_MINOR__ + (4 <= __GNUC_PATCHLEVEL__)) 237 # define _GL_HAS_BUILTIN_TRAP 1 238 #elif defined __has_builtin 239 # define _GL_HAS_BUILTIN_TRAP __has_builtin (__builtin_trap) 240 #else 241 # define _GL_HAS_BUILTIN_TRAP 0 242 #endif 243 244 #if 4 < __GNUC__ + (5 <= __GNUC_MINOR__) 245 # define _GL_HAS_BUILTIN_UNREACHABLE 1 246 #elif defined __has_builtin 247 # define _GL_HAS_BUILTIN_UNREACHABLE __has_builtin (__builtin_unreachable) 248 #else 249 # define _GL_HAS_BUILTIN_UNREACHABLE 0 250 #endif 251 252 /* Each of these macros verifies that its argument R is nonzero. To 253 be portable, R should be an integer constant expression. Unlike 254 assert (R), there is no run-time overhead. 255 256 There are two macros, since no single macro can be used in all 257 contexts in C. verify_expr (R, E) is for scalar contexts, including 258 integer constant expression contexts. verify (R) is for declaration 259 contexts, e.g., the top level. */ 260 261 /* Verify requirement R at compile-time. Return the value of the 262 expression E. */ 263 264 #define verify_expr(R, E) \ 265 (_GL_VERIFY_TRUE (R, "verify_expr (" #R ", " #E ")") ? (E) : (E)) 266 267 /* Verify requirement R at compile-time, as a declaration without a 268 trailing ';'. verify (R) acts like static_assert (R) except that 269 it is portable to C11/C++14 and earlier, it can issue better 270 diagnostics, and its name is shorter and may be more convenient. */ 271 272 #ifdef __PGI 273 /* PGI barfs if R is long. */ 274 # define verify(R) _GL_VERIFY (R, "verify (...)", -) 275 #else 276 # define verify(R) _GL_VERIFY (R, "verify (" #R ")", -) 277 #endif 278 279 /* Assume that R always holds. Behavior is undefined if R is false, 280 fails to evaluate, or has side effects. 281 282 'assume (R)' is a directive from the programmer telling the 283 compiler that R is true so the compiler needn't generate code to 284 test R. This is why 'assume' is in verify.h: it's related to 285 static checking (in this case, static checking done by the 286 programmer), not dynamic checking. 287 288 'assume (R)' can affect compilation of all the code, not just code 289 that happens to be executed after the assume (R) is "executed". 290 For example, if the code mistakenly does 'assert (R); assume (R);' 291 the compiler is entitled to optimize away the 'assert (R)'. 292 293 Although assuming R can help a compiler generate better code or 294 diagnostics, performance can suffer if R uses hard-to-optimize 295 features such as function calls not inlined by the compiler. 296 297 Avoid Clang's __builtin_assume, as it breaks GNU Emacs master 298 as of 2020-08-23T21:09:49Z!eggert (at) cs.ucla.edu; see 299 <https://bugs.gnu.org/43152#71>. It's not known whether this breakage 300 is a Clang bug or an Emacs bug; play it safe for now. */ 301 302 #if _GL_HAS_BUILTIN_UNREACHABLE 303 # define assume(R) ((R) ? (void) 0 : __builtin_unreachable ()) 304 #elif 1200 <= _MSC_VER 305 # define assume(R) __assume (R) 306 #elif (defined GCC_LINT || defined lint) && _GL_HAS_BUILTIN_TRAP 307 /* Doing it this way helps various packages when configured with 308 --enable-gcc-warnings, which compiles with -Dlint. It's nicer 309 when 'assume' silences warnings even with older GCCs. */ 310 # define assume(R) ((R) ? (void) 0 : __builtin_trap ()) 311 #else 312 /* Some tools grok NOTREACHED, e.g., Oracle Studio 12.6. */ 313 # define assume(R) ((R) ? (void) 0 : /*NOTREACHED*/ (void) 0) 314 #endif 315 316 /* @assert.h omit end@ */ 317 318 #endif 319
Indexes created Fri Feb 27 05:31:41 UTC 2026