Open Bug 1616926 Opened 4 years ago Updated 2 years ago

A clang static analysis should require member functions of GC'd types to opt-in to allowing the return of pointers or references to members

Categories: Developer Infrastructure :: Source Code Analysis, enhancement, P3
Tracking: Not tracked
People: Reporter: mgaudet, Unassigned

Details

If you have a GC'd type T with member a, it's a hazard in general to allow a pointer or reference to T::a to escape.

While there are situations where this can be done and can be done safely, the general case is not safe, and should be a clang static-analyzer error unless a type opts in:

class T : public gc::Cell {
  A a;
public:
  // UNSAFE: a reference or pointer to the member escapes.
  A& getA() { return a; }
  A* getAptr() { return &a; }
  // Opt in: the (proposed) annotation marks the escape as intentional.
  MOZ_MEMBER_RETURN A& getAIPromiseIWillDoTheRightThingWithThis() { return a; }
};

Should we stick to some function names?

Flags: needinfo?(mgaudet)

I think the important piece is not the name, but any type T that is managed by the GC; in particular if that type is relocatable during compaction.

Given that, any time a reference or pointer to a member of T (or T's parent types) escapes we should require that those functions be annotated.

Flags: needinfo?(mgaudet)

A way to make that promise would be to require an AutoRequireNoGC& parameter (const or not, it doesn't matter) in any accessor that is returning a field of any subtype of js::gc::Cell.
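The following is an added example, not code from this bug or from SpiderMonkey, that shows in miniature why an escaped member reference is a hazard under a compacting GC and how the AutoRequireNoGC-parameter opt-in suggested above scopes that reference. Cell, AutoRequireNoGC, Payload, T, CompactingHeap and kPoison are all assumed stand-ins defined here; the real js::gc::Cell and JS::AutoRequireNoGC are more involved, and the toy heap deliberately keeps moved-from storage alive (poisoned) so the stale read is well-defined in the demo rather than a use-after-free.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-ins (assumed for this example) for the SpiderMonkey
// types named in the bug.
struct Cell {
  virtual ~Cell() = default;
};

// Token type: holding one asserts "no GC can run while this is alive".
// It enforces nothing at runtime; it exists so a static analysis (or a
// reviewer) can see that the returned reference is bounded by its scope.
struct AutoRequireNoGC {};

struct Payload {
  int value;
};

struct T : Cell {
  Payload a;
  explicit T(int v) : a{v} {}
  T(const T&) = default;

  // UNSAFE: the reference can outlive a compaction that moves *this.
  Payload& getA() { return a; }

  // Opt-in: the caller must present a no-GC token to get the reference.
  Payload& getA(const AutoRequireNoGC&) { return a; }
};

// Fill pattern written into moved-from cells (analogous to GC poisoning).
constexpr int kPoison = 0x5A5A5A5A;

// Toy compacting heap: compact() copies every live cell into fresh storage
// and poisons the old copy. The old storage is kept (not freed) so that
// reading through a stale reference is well-defined here and visibly wrong;
// a real GC would free or reuse it, making the stale read a use-after-free.
class CompactingHeap {
 public:
  T* alloc(int v) {
    live_.push_back(std::make_unique<T>(v));
    return live_.back().get();
  }

  void compact() {
    std::vector<std::unique_ptr<T>> moved;
    for (auto& cell : live_) {
      moved.push_back(std::make_unique<T>(*cell));  // relocate the cell
      cell->a.value = kPoison;                      // poison from-space copy
      stale_.push_back(std::move(cell));
    }
    live_ = std::move(moved);
  }

  // A real GC updates roots after moving; here the caller re-reads by index.
  T* cellAt(std::size_t i) { return live_[i].get(); }

 private:
  std::vector<std::unique_ptr<T>> live_;
  std::vector<std::unique_ptr<T>> stale_;
};

// The hazard: a reference to a member escapes across a compaction.
int unsafeRead() {
  CompactingHeap heap;
  T* t = heap.alloc(42);
  Payload& a = t->getA();  // reference into a relocatable cell
  heap.compact();          // cell moved; `a` now refers to poisoned storage
  return a.value;          // kPoison, not 42
}

// The opt-in: the token scopes the reference, which is consumed before any GC.
int safeRead() {
  CompactingHeap heap;
  T* t = heap.alloc(42);
  int v = 0;
  {
    AutoRequireNoGC nogc;
    Payload& a = t->getA(nogc);
    v = a.value;  // read while GC is excluded
  }  // reference is dead here; a GC may run again
  heap.compact();
  return v + heap.cellAt(0)->a.value;  // 42 + 42
}
```

The point of the token parameter is not runtime enforcement but analyzability: an accessor that requires `const AutoRequireNoGC&` cannot be called without a live token in scope, so a checker only has to verify that the returned reference does not outlive that token, which is far simpler than proving that no GC can happen between every call to `getA()` and every use of its result.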

Priority: -- → P3
Product: Firefox Build System → Developer Infrastructure
Severity: normal → S3