/* Compile-time assert-like macros.

   Copyright (C) 2005-2006, 2009-2022 Free Software Foundation, Inc.

   This file is free software: you can redistribute it and/or modify
   it under the terms of the GNU Lesser General Public License as
   published by the Free Software Foundation; either version 2.1 of the
   License, or (at your option) any later version.

   This file is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */

/* Written by Paul Eggert, Bruno Haible, and Jim Meyering.  */

#ifndef _GL_VERIFY_H
#define _GL_VERIFY_H


/* Define _GL_HAVE__STATIC_ASSERT to 1 if _Static_assert (R, DIAGNOSTIC)
   works as per C11.  This is supported by GCC 4.6.0+ and by clang 4+.

   Define _GL_HAVE__STATIC_ASSERT1 to 1 if _Static_assert (R) works as
   per C2x.  This is supported by GCC 9.1+.

   Support compilers claiming conformance to the relevant standard,
   and also support GCC when not pedantic.  If we were willing to slow
   'configure' down we could also use it with other compilers, but
   since this affects only the quality of diagnostics, why bother?
   */
#ifndef __cplusplus
# if (201112L <= __STDC_VERSION__ \
      || (!defined __STRICT_ANSI__ \
          && (4 < __GNUC__ + (6 <= __GNUC_MINOR__) || 5 <= __clang_major__)))
#  define _GL_HAVE__STATIC_ASSERT 1
# endif
# if (202000L <= __STDC_VERSION__ \
      || (!defined __STRICT_ANSI__ && 9 <= __GNUC__))
#  define _GL_HAVE__STATIC_ASSERT1 1
# endif
#endif

/* FreeBSD 9.1 <sys/cdefs.h>, included by <stddef.h> and lots of other
   system headers, defines a conflicting _Static_assert that is no
   better than ours; override it.  */
#ifndef _GL_HAVE__STATIC_ASSERT
# include <stddef.h>
# undef _Static_assert
#endif

/* Each of these macros verifies that its argument R is nonzero.  To
   be portable, R should be an integer constant expression.  Unlike
   assert (R), there is no run-time overhead.

   If _Static_assert works, verify (R) uses it directly.  Similarly,
   _GL_VERIFY_TRUE works by packaging a _Static_assert inside a struct
   that is an operand of sizeof.

   The code below uses several ideas for C++ compilers, and for C
   compilers that do not support _Static_assert:

     * The first step is ((R) ? 1 : -1).  Given an expression R, of
       integral or boolean or floating-point type, this yields an
       expression of integral type, whose value is later verified to be
       constant and nonnegative.

     * Next this expression W is wrapped in a type
         struct _gl_verify_type {
           unsigned int _gl_verify_error_if_negative: W;
         }.
       If W is negative, this yields a compile-time error.  No compiler can
       deal with a bit-field of negative size.

       One might think that an array size check would have the same
       effect, that is, that the type struct { unsigned int dummy[W]; }
       would work as well.  However, inside a function, some compilers
       (such as C++ compilers and GNU C) allow local parameters and
       variables inside array size expressions.  With these compilers,
       an array size check would not properly diagnose this misuse of
       the verify macro:

         void function (int n) { verify (n < 0); }

     * For the verify macro, the struct _gl_verify_type will need to
       somehow be embedded into a declaration.  To be portable, this
       declaration must declare an object, a constant, a function, or a
       typedef name.  If the declared entity uses the type directly,
       such as in

         struct dummy {...};
         typedef struct {...} dummy;
         extern struct {...} *dummy;
         extern void dummy (struct {...} *);
         extern struct {...} *dummy (void);

       two uses of the verify macro would yield colliding declarations
       if the entity names are not disambiguated.
       A workaround is to
       attach the current line number to the entity name:

         #define _GL_CONCAT0(x, y) x##y
         #define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y)
         extern struct {...} * _GL_CONCAT (dummy, __LINE__);

       But this has the problem that two invocations of verify from
       within the same macro would collide, since the __LINE__ value
       would be the same for both invocations.  (The GCC __COUNTER__
       macro solves this problem, but is not portable.)

       A solution is to use the sizeof operator.  It yields a number,
       getting rid of the identity of the type.  Declarations like

         extern int dummy [sizeof (struct {...})];
         extern void dummy (int [sizeof (struct {...})]);
         extern int (*dummy (void)) [sizeof (struct {...})];

       can be repeated.

     * Should the implementation use a named struct or an unnamed struct?
       Which of the following alternatives can be used?

         extern int dummy [sizeof (struct {...})];
         extern int dummy [sizeof (struct _gl_verify_type {...})];
         extern void dummy (int [sizeof (struct {...})]);
         extern void dummy (int [sizeof (struct _gl_verify_type {...})]);
         extern int (*dummy (void)) [sizeof (struct {...})];
         extern int (*dummy (void)) [sizeof (struct _gl_verify_type {...})];

       In the second and sixth case, the struct type is exported to the
       outer scope; two such declarations therefore collide.  GCC warns
       about the first, third, and fourth cases.
       So the only remaining
       possibility is the fifth case:

         extern int (*dummy (void)) [sizeof (struct {...})];

     * GCC warns about duplicate declarations of the dummy function if
       -Wredundant-decls is used.  GCC 4.3 and later have a builtin
       __COUNTER__ macro that can let us generate unique identifiers for
       each dummy function, to suppress this warning.

     * This implementation exploits the fact that older versions of GCC,
       which do not support _Static_assert, also do not warn about the
       last declaration mentioned above.

     * GCC warns if -Wnested-externs is enabled and 'verify' is used
       within a function body; but inside a function, you can always
       arrange to use verify_expr instead.

     * In C++, any struct definition inside sizeof is invalid.
       Use a template type to work around the problem.  */

/* Concatenate two preprocessor tokens.  */
#define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y)
#define _GL_CONCAT0(x, y) x##y

/* _GL_COUNTER is an integer, preferably one that changes each time we
   use it.  Use __COUNTER__ if it works, falling back on __LINE__
   otherwise.  __LINE__ isn't perfect, but it's better than a
   constant.  */
#if defined __COUNTER__ && __COUNTER__ != __COUNTER__
# define _GL_COUNTER __COUNTER__
#else
# define _GL_COUNTER __LINE__
#endif

/* Generate a symbol with the given prefix, making it unique if
   possible.
   */
#define _GL_GENSYM(prefix) _GL_CONCAT (prefix, _GL_COUNTER)

/* Verify requirement R at compile-time, as an integer constant expression
   that returns 1.  If R is false, fail at compile-time, preferably
   with a diagnostic that includes the string-literal DIAGNOSTIC.  */

#define _GL_VERIFY_TRUE(R, DIAGNOSTIC) \
   (!!sizeof (_GL_VERIFY_TYPE (R, DIAGNOSTIC)))

#ifdef __cplusplus
# if !GNULIB_defined_struct__gl_verify_type
template <int w>
  struct _gl_verify_type {
    unsigned int _gl_verify_error_if_negative: w;
  };
#  define GNULIB_defined_struct__gl_verify_type 1
# endif
# define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \
    _gl_verify_type<(R) ? 1 : -1>
#elif defined _GL_HAVE__STATIC_ASSERT
# define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \
    struct {                                   \
      _Static_assert (R, DIAGNOSTIC);          \
      int _gl_dummy;                           \
    }
#else
# define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \
    struct { unsigned int _gl_verify_error_if_negative: (R) ? 1 : -1; }
#endif

/* Verify requirement R at compile-time, as a declaration without a
   trailing ';'.  If R is false, fail at compile-time.

   This macro requires three or more arguments but uses at most the first
   two, so that the _Static_assert macro optionally defined below supports
   both the C11 two-argument syntax and the C2x one-argument syntax.

   Unfortunately, unlike C11, this implementation must appear as an
   ordinary declaration, and cannot appear inside struct { ... }.  */

#if 200410 <= __cpp_static_assert
# define _GL_VERIFY(R, DIAGNOSTIC, ...) static_assert (R, DIAGNOSTIC)
#elif defined _GL_HAVE__STATIC_ASSERT
# define _GL_VERIFY(R, DIAGNOSTIC, ...) _Static_assert (R, DIAGNOSTIC)
#else
# define _GL_VERIFY(R, DIAGNOSTIC, ...)                                \
    extern int (*_GL_GENSYM (_gl_verify_function) (void))             \
      [_GL_VERIFY_TRUE (R, DIAGNOSTIC)]
# if 4 < __GNUC__ + (6 <= __GNUC_MINOR__)
#  pragma GCC diagnostic ignored "-Wnested-externs"
# endif
#endif

/* _GL_STATIC_ASSERT_H is defined if this code is copied into assert.h.  */
#ifdef _GL_STATIC_ASSERT_H
# if !defined _GL_HAVE__STATIC_ASSERT1 && !defined _Static_assert
#  define _Static_assert(...) \
     _GL_VERIFY (__VA_ARGS__, "static assertion failed", -)
# endif
# if __cpp_static_assert < 201411 && !defined static_assert
#  define static_assert _Static_assert /* C11 requires this #define.
  */
# endif
#endif

/* @assert.h omit start@ */

#if 3 < __GNUC__ + (3 < __GNUC_MINOR__ + (4 <= __GNUC_PATCHLEVEL__))
# define _GL_HAS_BUILTIN_TRAP 1
#elif defined __has_builtin
# define _GL_HAS_BUILTIN_TRAP __has_builtin (__builtin_trap)
#else
# define _GL_HAS_BUILTIN_TRAP 0
#endif

#if 4 < __GNUC__ + (5 <= __GNUC_MINOR__)
# define _GL_HAS_BUILTIN_UNREACHABLE 1
#elif defined __has_builtin
# define _GL_HAS_BUILTIN_UNREACHABLE __has_builtin (__builtin_unreachable)
#else
# define _GL_HAS_BUILTIN_UNREACHABLE 0
#endif

/* Each of these macros verifies that its argument R is nonzero.  To
   be portable, R should be an integer constant expression.  Unlike
   assert (R), there is no run-time overhead.

   There are two macros, since no single macro can be used in all
   contexts in C.  verify_expr (R, E) is for scalar contexts, including
   integer constant expression contexts.  verify (R) is for declaration
   contexts, e.g., the top level.  */

/* Verify requirement R at compile-time.  Return the value of the
   expression E.  */

#define verify_expr(R, E) \
   (_GL_VERIFY_TRUE (R, "verify_expr (" #R ", " #E ")") ? (E) : (E))

/* Verify requirement R at compile-time, as a declaration without a
   trailing ';'.
   verify (R) acts like static_assert (R) except that
   it is portable to C11/C++14 and earlier, it can issue better
   diagnostics, and its name is shorter and may be more convenient.  */

#ifdef __PGI
/* PGI barfs if R is long.  */
# define verify(R) _GL_VERIFY (R, "verify (...)", -)
#else
# define verify(R) _GL_VERIFY (R, "verify (" #R ")", -)
#endif

/* Assume that R always holds.  Behavior is undefined if R is false,
   fails to evaluate, or has side effects.

   'assume (R)' is a directive from the programmer telling the
   compiler that R is true so the compiler needn't generate code to
   test R.  This is why 'assume' is in verify.h: it's related to
   static checking (in this case, static checking done by the
   programmer), not dynamic checking.

   'assume (R)' can affect compilation of all the code, not just code
   that happens to be executed after the assume (R) is "executed".
   For example, if the code mistakenly does 'assert (R); assume (R);'
   the compiler is entitled to optimize away the 'assert (R)'.

   Although assuming R can help a compiler generate better code or
   diagnostics, performance can suffer if R uses hard-to-optimize
   features such as function calls not inlined by the compiler.

   Avoid Clang's __builtin_assume, as it breaks GNU Emacs master
   as of 2020-08-23T21:09:49Z!eggert@cs.ucla.edu; see
   <https://bugs.gnu.org/43152#71>.  It's not known whether this breakage
   is a Clang bug or an Emacs bug; play it safe for now.
   */

#if _GL_HAS_BUILTIN_UNREACHABLE
# define assume(R) ((R) ? (void) 0 : __builtin_unreachable ())
#elif 1200 <= _MSC_VER
# define assume(R) __assume (R)
#elif (defined GCC_LINT || defined lint) && _GL_HAS_BUILTIN_TRAP
  /* Doing it this way helps various packages when configured with
     --enable-gcc-warnings, which compiles with -Dlint.  It's nicer
     when 'assume' silences warnings even with older GCCs.  */
# define assume(R) ((R) ? (void) 0 : __builtin_trap ())
#else
  /* Some tools grok NOTREACHED, e.g., Oracle Studio 12.6.  */
# define assume(R) ((R) ? (void) 0 : /*NOTREACHED*/ (void) 0)
#endif

/* @assert.h omit end@ */

#endif
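Added example, not part of gnulib's verify.h: a stand-alone re-creation of the pre-C11 fallback path the header's design comment walks through (the negative-width bit-field inside sizeof, the gensym'd function declaration that can be repeated, and the expression form for use inside functions), using an EX_ prefix instead of _GL_. It applies the macros to a constructed 8-byte wire header so that the layout assumptions a parser relies on fail at compile time instead of surfacing as a truncated read at run time. All EX_/ex_ names, the record layout and the sample bytes are assumptions made for this example.

```c
/* Added example: a minimal verify/verify_expr in the pre-C11 style.
   Hypothetical EX_/ex_ names; not gnulib code.  */
#include <stddef.h>
#include <stdint.h>

/* Two-step token pasting so __COUNTER__/__LINE__ expand before pasting.  */
#define EX_CONCAT0(x, y) x##y
#define EX_CONCAT(x, y) EX_CONCAT0 (x, y)

/* Prefer __COUNTER__, which is unique per expansion; fall back on __LINE__.
   "__COUNTER__ != __COUNTER__" is true only if the value really changes.  */
#if defined __COUNTER__ && __COUNTER__ != __COUNTER__
# define EX_COUNTER __COUNTER__
#else
# define EX_COUNTER __LINE__
#endif
#define EX_GENSYM(prefix) EX_CONCAT (prefix, EX_COUNTER)

/* A bit-field of width -1 is a hard error everywhere, so a false R cannot
   compile.  sizeof reduces the anonymous struct to a number; !! makes it 1.  */
#define EX_VERIFY_TRUE(R) \
  (!!sizeof (struct { unsigned int ex_error_if_negative : (R) ? 1 : -1; }))

/* Declaration form: the check lives in a function declaration's return
   type.  The array bound is just a number, so repeats do not collide, and
   EX_GENSYM keeps the name unique.  Add the ';' at the use site.  */
#define EX_VERIFY(R) \
  extern int (*EX_GENSYM (ex_verify_function) (void))[EX_VERIFY_TRUE (R)]

/* Expression form, usable inside a function body.  */
#define EX_VERIFY_EXPR(R, E) (EX_VERIFY_TRUE (R) ? (E) : (E))

/* Constructed 8-byte record header as laid out on the wire.  */
struct ex_record_hdr
{
  uint16_t type;
  uint16_t flags;
  uint32_t payload_len;
};

/* Layout assumptions the parser depends on, checked at file scope.  Two
   adjacent uses (even from one macro) get distinct names.  */
EX_VERIFY (sizeof (struct ex_record_hdr) == 8);
EX_VERIFY (offsetof (struct ex_record_hdr, payload_len) == 4);

#define EX_MAX_PAYLOAD 65535u

/* Parse a little-endian header from BUF[0..LEN).  Returns 0 on success,
   -1 if BUF is too short or the claimed payload does not fit in LEN.  */
int
ex_parse_record_hdr (const unsigned char *buf, size_t len,
                     struct ex_record_hdr *out)
{
  /* Inside a function the expression form is the one to use.  */
  size_t need = EX_VERIFY_EXPR (sizeof *out == 8, sizeof *out);
  if (len < need)
    return -1;
  out->type = (uint16_t) (buf[0] | (buf[1] << 8));
  out->flags = (uint16_t) (buf[2] | (buf[3] << 8));
  out->payload_len = (uint32_t) buf[4] | ((uint32_t) buf[5] << 8)
                     | ((uint32_t) buf[6] << 16) | ((uint32_t) buf[7] << 24);
  if (out->payload_len > EX_MAX_PAYLOAD || out->payload_len > len - need)
    return -1;
  return 0;
}

/* Constructed record: type 1, flags 2, payload_len 16, then 16 payload
   bytes.  Returns the parsed payload length, or -1 on rejection.  */
long
ex_demo_parse (void)
{
  static const unsigned char rec[8 + 16] =
    { 0x01, 0x00, 0x02, 0x00, 0x10, 0x00, 0x00, 0x00 };
  struct ex_record_hdr h;
  if (ex_parse_record_hdr (rec, sizeof rec, &h) != 0)
    return -1;
  return h.type == 1 && h.flags == 2 ? (long) h.payload_len : -1;
}

/* Same header, but only 4 payload bytes follow: must be rejected.  */
int
ex_demo_truncated (void)
{
  static const unsigned char rec[8 + 4] =
    { 0x01, 0x00, 0x02, 0x00, 0x10, 0x00, 0x00, 0x00 };
  struct ex_record_hdr h;
  return ex_parse_record_hdr (rec, sizeof rec, &h);
}
```

Changing a field width in `struct ex_record_hdr` makes the two `EX_VERIFY` lines fail to compile, which is the point: the parser's byte offsets are tied to the struct by a check that costs nothing at run time. The run-time length checks in `ex_parse_record_hdr` remain necessary, since what `verify` can prove is only what is known at compile time.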
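Added example, not from gnulib: the assume fallback chain from the end of the header rebuilt with an ex_ prefix, used the way the header's comment implies it must be, after a real check at the trust boundary and never in place of one. The ex_ names and the lookup table are constructed for this example.

```c
/* Added example: assume() and the validate-then-assume discipline.
   Hypothetical ex_ names; not gnulib code.  */
#include <stddef.h>

/* Same detection order as the header: GCC version test first, then
   __has_builtin where the compiler provides it.  */
#if 4 < __GNUC__ + (5 <= __GNUC_MINOR__)
# define EX_HAS_BUILTIN_UNREACHABLE 1
#elif defined __has_builtin
# define EX_HAS_BUILTIN_UNREACHABLE __has_builtin (__builtin_unreachable)
#else
# define EX_HAS_BUILTIN_UNREACHABLE 0
#endif

/* Behavior is undefined if R is false: the compiler may delete any later
   (or earlier) test of R, so R must already have been established.  */
#if EX_HAS_BUILTIN_UNREACHABLE
# define ex_assume(R) ((R) ? (void) 0 : __builtin_unreachable ())
#elif 1200 <= _MSC_VER
# define ex_assume(R) __assume (R)
#else
# define ex_assume(R) ((R) ? (void) 0 : (void) 0)
#endif

enum { EX_TABLE_SIZE = 8 };
static const int ex_table[EX_TABLE_SIZE] = { 10, 20, 30, 40, 50, 60, 70, 80 };

/* Trust boundary: IDX arrives from outside.  Reject it with a real test.
   An ex_assume (idx < EX_TABLE_SIZE) here would entitle the compiler to
   remove the bounds check, which is exactly the hazard the header
   describes with 'assert (R); assume (R);'.  Returns the entry or -1.  */
int
ex_lookup_checked (size_t idx)
{
  if (idx >= EX_TABLE_SIZE)
    return -1;
  return ex_table[idx];
}

/* Internal helper reached only through ex_sum_checked.  The assume
   records an invariant the caller has already established, so the
   optimizer may drop redundant checks in the loop without changing the
   program's meaning.  */
static int
ex_sum_prefix (size_t n)
{
  int sum = 0;
  size_t i;
  ex_assume (n <= EX_TABLE_SIZE);
  for (i = 0; i < n; i++)
    sum += ex_table[i];
  return sum;
}

/* Public entry point: validate N once, then pass the validated value to
   the assume-annotated helper.  Returns -1 for out-of-range input.  */
int
ex_sum_checked (size_t n)
{
  if (n > EX_TABLE_SIZE)
    return -1;
  return ex_sum_prefix (n);
}
```

The rule the example encodes: a value is validated exactly once, at the boundary where it enters, and `assume` appears only in code that is unreachable without that validation. Putting the assumption before the check, or alongside an `assert` of the same condition, lets the compiler erase the check.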