A clang static analysis should require member functions of GC'd types to opt-in to allowing the return of pointers or references to members
Categories
(Developer Infrastructure :: Source Code Analysis, enhancement, P3)
Tracking
(Not tracked)
People
(Reporter: mgaudet, Unassigned)
Details
If you have a GC'd type T with member a, it's a hazard in general to allow a pointer or reference to T::a to escape.
While there are situations where this can be done and can be done safely, the general case is not safe, and should be a clang-static analyser error unless a type opts in:

    class T : public gc::Cell {
        A a;
    public:
        // UNSAFE:
        A& getA() { return a; }
        A* getAptr() { return &a; }
        // Opt in.
        MOZ_MEMBER_RETURN A& getAIPromiseIWillDoTheRightThingWithThis() { return a; }
    };
Comment 2 (Reporter) • 5 years ago
I think the important piece is not the name, but any type T that is managed by the GC; in particular if that type is relocatable during compaction. Given that, any time a reference or pointer to a member of T (or T's parent types) escapes we should require that those functions be annotated.
Comment 3 • 5 years ago
A way to make that promise would be to require an AutoRequireNoGC& parameter (const or not, it doesn't matter) in any accessor that is returning a field of any subtype of js::gc::Cell.
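Added example (not code from this bug or from SpiderMonkey): a simulated compacting heap that models the AutoRequireNoGC accessor pattern proposed in comment 3 and the member-escape hazard from the description. SimulatedGC, Cell and memberAddressStable are constructed names; the real js::AutoRequireNoGC is only a compile-time witness, whereas this toy token actually blocks compaction so the effect of an escaped reference can be observed.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>
class SimulatedGC;
// RAII token in the spirit of js::AutoRequireNoGC (constructed semantics): while one is alive, the heap refuses to compact.
class AutoRequireNoGC {
public:
    explicit AutoRequireNoGC(SimulatedGC& gc);
    ~AutoRequireNoGC();
    AutoRequireNoGC(const AutoRequireNoGC&) = delete; AutoRequireNoGC& operator=(const AutoRequireNoGC&) = delete;
private:
    SimulatedGC& gc_;
};
// A GC-managed object whose storage may move during compaction.
struct Cell {
    int a = 0;
    // The accessor demands a live no-GC token, as comment 3 proposes.
    int& getA(const AutoRequireNoGC&) { return a; }
};
class SimulatedGC {
public:
    int liveNoGCTokens = 0;
    Cell& allocate() { heap_.push_back(Cell{}); return heap_.back(); }
    Cell& cell(std::size_t i) { return heap_[i]; }
    // Relocate every cell into fresh storage; refused while a token is live.
    bool compact() {
        if (liveNoGCTokens > 0) return false;
        std::vector<Cell> fresh(heap_.begin(), heap_.end());  // new buffer, old still allocated
        heap_.swap(fresh);  // old buffer is freed when `fresh` dies
        return true;
    }
private:
    std::vector<Cell> heap_;
};
AutoRequireNoGC::AutoRequireNoGC(SimulatedGC& gc) : gc_(gc) { ++gc_.liveNoGCTokens; }
AutoRequireNoGC::~AutoRequireNoGC() { --gc_.liveNoGCTokens; }
// Take a member reference under a token, optionally let it outlive the token, then try to
// compact. Returns whether the escaped address still names the member (compared as integers).
bool memberAddressStable(bool keepTokenAlive) {
    SimulatedGC gc;
    gc.allocate().a = 42;
    auto nogc = std::make_unique<AutoRequireNoGC>(gc);
    auto escaped = reinterpret_cast<std::uintptr_t>(&gc.cell(0).getA(*nogc));
    if (!keepTokenAlive) nogc.reset();  // the hazard: the reference escapes the no-GC region
    gc.compact();
    return escaped == reinterpret_cast<std::uintptr_t>(&gc.cell(0).a);
}
```

With the token held across the compaction attempt the address is stable; once the reference escapes the token's lifetime, compaction relocates the cell and the escaped address is stale.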