1 /* Compile-time assert-like macros.
2
3 Copyright (C) 2005-2006, 2009-2019 Free Software Foundation, Inc.
4
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU Lesser General Public License as published by
7 the Free Software Foundation; either version 2.1 of the License, or
8 (at your option) any later version.
9
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public License
16 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17
18 /* Written by Paul Eggert, Bruno Haible, and Jim Meyering. */
19
20 #ifndef _GL_VERIFY_H
21 #define _GL_VERIFY_H
22
23
24 /* Define _GL_HAVE__STATIC_ASSERT to 1 if _Static_assert works as per C11.
25 This is supported by GCC 4.6.0 and later, in C mode, and its use
26 here generates easier-to-read diagnostics when verify (R) fails.
27
28 Define _GL_HAVE_STATIC_ASSERT to 1 if static_assert works as per C++11.
29 This is supported by GCC 6.1.0 and later, in C++ mode.
30
31 Use this only with GCC. If we were willing to slow 'configure'
32 down we could also use it with other compilers, but since this
33 affects only the quality of diagnostics, why bother? */
34 #if (4 < __GNUC__ + (6 <= __GNUC_MINOR__) \
35 && (201112L <= __STDC_VERSION__ || !defined __STRICT_ANSI__) \
36 && !defined __cplusplus)
37 # define _GL_HAVE__STATIC_ASSERT 1
38 #endif
39 #if (6 <= __GNUC__) && defined __cplusplus
40 # define _GL_HAVE_STATIC_ASSERT 1
41 #endif
42
43 /* FreeBSD 9.1 <sys/cdefs.h>, included by <stddef.h> and lots of other
44 system headers, defines a conflicting _Static_assert that is no
45 better than ours; override it. */
46 #ifndef _GL_HAVE_STATIC_ASSERT
47 # include <stddef.h>
48 # undef _Static_assert
49 #endif
50
51 /* Each of these macros verifies that its argument R is nonzero. To
52 be portable, R should be an integer constant expression. Unlike
53 assert (R), there is no run-time overhead.
54
55 If _Static_assert works, verify (R) uses it directly. Similarly,
56 _GL_VERIFY_TRUE works by packaging a _Static_assert inside a struct
57 that is an operand of sizeof.
58
59 The code below uses several ideas for C++ compilers, and for C
60 compilers that do not support _Static_assert:
61
62 * The first step is ((R) ? 1 : -1). Given an expression R, of
63 integral or boolean or floating-point type, this yields an
64 expression of integral type, whose value is later verified to be
65 constant and nonnegative.
66
67 * Next this expression W is wrapped in a type
68 struct _gl_verify_type {
69 unsigned int _gl_verify_error_if_negative: W;
70 }.
71 If W is negative, this yields a compile-time error. No compiler can
72 deal with a bit-field of negative size.
73
74 One might think that an array size check would have the same
75 effect, that is, that the type struct { unsigned int dummy[W]; }
76 would work as well. However, inside a function, some compilers
77 (such as C++ compilers and GNU C) allow local parameters and
78 variables inside array size expressions. With these compilers,
79 an array size check would not properly diagnose this misuse of
80 the verify macro:
81
82 void function (int n) { verify (n < 0); }
83
84 * For the verify macro, the struct _gl_verify_type will need to
85 somehow be embedded into a declaration. To be portable, this
86 declaration must declare an object, a constant, a function, or a
87 typedef name. If the declared entity uses the type directly,
88 such as in
89
90 struct dummy {...};
91 typedef struct {...} dummy;
92 extern struct {...} *dummy;
93 extern void dummy (struct {...} *);
94 extern struct {...} *dummy (void);
95
96 two uses of the verify macro would yield colliding declarations
97 if the entity names are not disambiguated. A workaround is to
98 attach the current line number to the entity name:
99
100 #define _GL_CONCAT0(x, y) x##y
101 #define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y)
102 extern struct {...} * _GL_CONCAT (dummy, __LINE__);
103
104 But this has the problem that two invocations of verify from
105 within the same macro would collide, since the __LINE__ value
106 would be the same for both invocations. (The GCC __COUNTER__
107 macro solves this problem, but is not portable.)
108
109 A solution is to use the sizeof operator. It yields a number,
110 getting rid of the identity of the type. Declarations like
111
112 extern int dummy [sizeof (struct {...})];
113 extern void dummy (int [sizeof (struct {...})]);
114 extern int (*dummy (void)) [sizeof (struct {...})];
115
116 can be repeated.
117
118 * Should the implementation use a named struct or an unnamed struct?
119 Which of the following alternatives can be used?
120
121 extern int dummy [sizeof (struct {...})];
122 extern int dummy [sizeof (struct _gl_verify_type {...})];
123 extern void dummy (int [sizeof (struct {...})]);
124 extern void dummy (int [sizeof (struct _gl_verify_type {...})]);
125 extern int (*dummy (void)) [sizeof (struct {...})];
126 extern int (*dummy (void)) [sizeof (struct _gl_verify_type {...})];
127
128 In the second and sixth case, the struct type is exported to the
129 outer scope; two such declarations therefore collide. GCC warns
130 about the first, third, and fourth cases. So the only remaining
131 possibility is the fifth case:
132
133 extern int (*dummy (void)) [sizeof (struct {...})];
134
135 * GCC warns about duplicate declarations of the dummy function if
136 -Wredundant-decls is used. GCC 4.3 and later have a builtin
137 __COUNTER__ macro that can let us generate unique identifiers for
138 each dummy function, to suppress this warning.
139
140 * This implementation exploits the fact that older versions of GCC,
141 which do not support _Static_assert, also do not warn about the
142 last declaration mentioned above.
143
144 * GCC warns if -Wnested-externs is enabled and verify() is used
145 within a function body; but inside a function, you can always
146 arrange to use verify_expr() instead.
147
148 * In C++, any struct definition inside sizeof is invalid.
149 Use a template type to work around the problem. */
150
151 /* Concatenate two preprocessor tokens. */
152 #define _GL_CONCAT(x, y) _GL_CONCAT0 (x, y)
153 #define _GL_CONCAT0(x, y) x##y
154
155 /* _GL_COUNTER is an integer, preferably one that changes each time we
156 use it. Use __COUNTER__ if it works, falling back on __LINE__
157 otherwise. __LINE__ isn't perfect, but it's better than a
158 constant. */
159 #if defined __COUNTER__ && __COUNTER__ != __COUNTER__
160 # define _GL_COUNTER __COUNTER__
161 #else
162 # define _GL_COUNTER __LINE__
163 #endif
164
165 /* Generate a symbol with the given prefix, making it unique if
166 possible. */
167 #define _GL_GENSYM(prefix) _GL_CONCAT (prefix, _GL_COUNTER)
168
169 /* Verify requirement R at compile-time, as an integer constant expression
170 that returns 1. If R is false, fail at compile-time, preferably
171 with a diagnostic that includes the string-literal DIAGNOSTIC. */
172
173 #define _GL_VERIFY_TRUE(R, DIAGNOSTIC) \
174 (!!sizeof (_GL_VERIFY_TYPE (R, DIAGNOSTIC)))
175
176 #ifdef __cplusplus
177 # if !GNULIB_defined_struct__gl_verify_type
178 template <int w>
179 struct _gl_verify_type {
180 unsigned int _gl_verify_error_if_negative: w;
181 };
182 # define GNULIB_defined_struct__gl_verify_type 1
183 # endif
184 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \
185 _gl_verify_type<(R) ? 1 : -1>
186 #elif defined _GL_HAVE__STATIC_ASSERT
187 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \
188 struct { \
189 _Static_assert (R, DIAGNOSTIC); \
190 int _gl_dummy; \
191 }
192 #else
193 # define _GL_VERIFY_TYPE(R, DIAGNOSTIC) \
194 struct { unsigned int _gl_verify_error_if_negative: (R) ? 1 : -1; }
195 #endif
196
197 /* Verify requirement R at compile-time, as a declaration without a
198 trailing ';'. If R is false, fail at compile-time, preferably
199 with a diagnostic that includes the string-literal DIAGNOSTIC.
200
201 Unfortunately, unlike C11, this implementation must appear as an
202 ordinary declaration, and cannot appear inside struct { ... }. */
203
204 #ifdef _GL_HAVE__STATIC_ASSERT
205 # define _GL_VERIFY _Static_assert
206 #else
207 # define _GL_VERIFY(R, DIAGNOSTIC) \
208 extern int (*_GL_GENSYM (_gl_verify_function) (void)) \
209 [_GL_VERIFY_TRUE (R, DIAGNOSTIC)]
210 #endif
211
212 /* _GL_STATIC_ASSERT_H is defined if this code is copied into assert.h. */
213 #ifdef _GL_STATIC_ASSERT_H
214 # if !defined _GL_HAVE__STATIC_ASSERT && !defined _Static_assert
215 # define _Static_assert(R, DIAGNOSTIC) _GL_VERIFY (R, DIAGNOSTIC)
216 # endif
217 # if !defined _GL_HAVE_STATIC_ASSERT && !defined static_assert
218 # define static_assert _Static_assert /* C11 requires this #define. */
219 # endif
220 #endif
221
222 /* @assert.h omit start@ */
223
224 /* Each of these macros verifies that its argument R is nonzero. To
225 be portable, R should be an integer constant expression. Unlike
226 assert (R), there is no run-time overhead.
227
228 There are two macros, since no single macro can be used in all
229 contexts in C. verify_true (R) is for scalar contexts, including
230 integer constant expression contexts. verify (R) is for declaration
231 contexts, e.g., the top level. */
232
233 /* Verify requirement R at compile-time, as an integer constant expression.
234 Return 1. This is equivalent to verify_expr (R, 1).
235
236 verify_true is obsolescent; please use verify_expr instead. */
237
238 #define verify_true(R) _GL_VERIFY_TRUE (R, "verify_true (" #R ")")
239
240 /* Verify requirement R at compile-time. Return the value of the
241 expression E. */
242
243 #define verify_expr(R, E) \
244 (_GL_VERIFY_TRUE (R, "verify_expr (" #R ", " #E ")") ? (E) : (E))
245
246 /* Verify requirement R at compile-time, as a declaration without a
247 trailing ';'. */
248
249 #ifdef __GNUC__
250 # define verify(R) _GL_VERIFY (R, "verify (" #R ")")
251 #else
252 /* PGI barfs if R is long. Play it safe. */
253 # define verify(R) _GL_VERIFY (R, "verify (...)")
254 #endif
255
256 #ifndef __has_builtin
257 # define __has_builtin(x) 0
258 #endif
259
260 /* Assume that R always holds. This lets the compiler optimize
261 accordingly. R should not have side-effects; it may or may not be
262 evaluated. Behavior is undefined if R is false. */
263
264 #if (__has_builtin (__builtin_unreachable) \
265 || 4 < __GNUC__ + (5 <= __GNUC_MINOR__))
266 # define assume(R) ((R) ? (void) 0 : __builtin_unreachable ())
267 #elif 1200 <= _MSC_VER
268 # define assume(R) __assume (R)
269 #elif ((defined GCC_LINT || defined lint) \
270 && (__has_builtin (__builtin_trap) \
271 || 3 < __GNUC__ + (3 < __GNUC_MINOR__ + (4 <= __GNUC_PATCHLEVEL__))))
272 /* Doing it this way helps various packages when configured with
273 --enable-gcc-warnings, which compiles with -Dlint. It's nicer
274 when 'assume' silences warnings even with older GCCs. */
275 # define assume(R) ((R) ? (void) 0 : __builtin_trap ())
276 #else
277 /* Some tools grok NOTREACHED, e.g., Oracle Studio 12.6. */
278 # define assume(R) ((R) ? (void) 0 : /*NOTREACHED*/ (void) 0)
279 #endif
280
281 /* @assert.h omit end@ */
282
283 #endif