Open Bug 1693392 Opened 4 years ago Updated 4 years ago

[meta] Consistent Objective C exception guards

Categories

(Core :: Widget: Cocoa, task)

Product:
Core
Component:
Widget: Cocoa
Platform:
All
macOS
Type:
task

Tracking

()

Tracking Flags:
Tracking Status
firefox87 --- affected

People

(Reporter: mstange, Unassigned)

References

Details

(Keywords: meta)

We want to make sure that Objective C exceptions do not propagate into Gecko C++ code.

We achieve this using exception guard macros from nsObjCExceptions.h, by wrapping code in the appropriate places with these macros.

However, traditionally, we haven't been very disciplined when deciding where to place these guards; we may be missing a number of them. And sometimes we were overeager and placed them into Objective C methods where they are not needed.

I propose the following policy:

Exception guard policy

Classify all functions and methods as either "throwing" or "non-throwing":

  1. All objective C methods are classified as "throwing".
  2. Functions and C++ methods are classified as "throwing" if any of their parameters is an Objective C object.
  3. All other functions and C++ methods are classified as "non-throwing".

Here, "throwing" means "This function/method is allowed to throw or propagate an Objective C exception", and "non-throwing" means "This function/method must not and will definitely never throw an Objective C exception".

We require exception guards in all non-throwing functions/methods which contain a call to a throwing function/method.

Warning: This is a somewhat non-local requirement. Adding a call to a throwing method in the middle of a long non-throwing method suddenly requires the addition of exception guards at the beginning and end of that long non-throwing method. Care will need to be taken. Maybe we can have a static analysis job for this in the future.

Rationale

Under this definition, Gecko C++ code can only call non-throwing functions/methods directly, because C++ code cannot call Objective C methods directly, and because C++ code cannot have a pointer to an Objective C object of the correct type to pass as an argument. So C++ code is protected from exceptions.
This policy also means that no Objective C methods require exception guards in the method implementation. This removes visual noise and unnecessary overhead, and is still safe.
Furthermore, classifying C++ methods and functions as "throwing" if they have Objective C objects as arguments allows those methods/functions to omit exception guards as well, which is fine because they cannot be called by C++ code directly.

This bug tracks converting our code gradually to this policy.

Depends on: 1692647
No longer blocks: 1692375
Depends on: 1692375
You need to log in before you can comment on or make changes to this bug.