diff --git a/libc/src/__support/CPP/algorithm.h b/libc/src/__support/CPP/algorithm.h
index de0c47369d945..1acd1581a942e 100644
--- a/libc/src/__support/CPP/algorithm.h
+++ b/libc/src/__support/CPP/algorithm.h
@@ -24,11 +24,15 @@ template struct bit_and {};
 template struct bit_or {};
 template struct bit_xor {};
-template LIBC_INLINE constexpr const T &max(const T &a, const T &b) {
+template
+LIBC_INLINE constexpr const T &max(LIBC_LIFETIME_BOUND const T &a,
+ LIBC_LIFETIME_BOUND const T &b) {
 return (a < b) ? b : a;
 }
-template LIBC_INLINE constexpr const T &min(const T &a, const T &b) {
+template
+LIBC_INLINE constexpr const T &min(LIBC_LIFETIME_BOUND const T &a,
+ LIBC_LIFETIME_BOUND const T &b) {
 return (a < b) ? a : b;
 }
diff --git a/libc/src/__support/CPP/array.h b/libc/src/__support/CPP/array.h
index db0a986b71205..44c493fd2d50b 100644
--- a/libc/src/__support/CPP/array.h
+++ b/libc/src/__support/CPP/array.h
@@ -31,15 +31,22 @@ template struct array {
 LIBC_INLINE constexpr T *data() { return Data; }
 LIBC_INLINE constexpr const T *data() const { return Data; }
- LIBC_INLINE constexpr T &front() { return Data[0]; }
- LIBC_INLINE constexpr const T &front() const { return Data[0]; }
+ LIBC_INLINE constexpr T &front() LIBC_LIFETIME_BOUND { return Data[0]; }
+ LIBC_INLINE constexpr const T &front() const LIBC_LIFETIME_BOUND {
+ return Data[0];
+ }
- LIBC_INLINE constexpr T &back() { return Data[N - 1]; }
- LIBC_INLINE constexpr const T &back() const { return Data[N - 1]; }
+ LIBC_INLINE constexpr T &back() LIBC_LIFETIME_BOUND { return Data[N - 1]; }
+ LIBC_INLINE constexpr const T &back() const LIBC_LIFETIME_BOUND {
+ return Data[N - 1];
+ }
- LIBC_INLINE constexpr T &operator[](size_t Index) { return Data[Index]; }
+ LIBC_INLINE constexpr T &operator[](size_t Index) LIBC_LIFETIME_BOUND {
+ return Data[Index];
+ }
- LIBC_INLINE constexpr const T &operator[](size_t Index) const {
+ LIBC_INLINE constexpr const T &
+ operator[](size_t Index) const LIBC_LIFETIME_BOUND {
 return Data[Index];
 }
diff --git a/libc/src/__support/CPP/atomic.h b/libc/src/__support/CPP/atomic.h
index 53b583c04ba15..ac60f5e9cda09 100644
--- a/libc/src/__support/CPP/atomic.h
+++ b/libc/src/__support/CPP/atomic.h
@@ -256,7 +256,7 @@ template struct Atomic {
 LIBC_INLINE void set(T rhs) { val = rhs; }
 };
-template struct AtomicRef {
+template struct LIBC_GSL_POINTER AtomicRef {
 static_assert(is_trivially_copyable_v && is_copy_constructible_v && is_move_constructible_v && is_copy_assignable_v && is_move_assignable_v,
diff --git a/libc/src/__support/CPP/mutex.h b/libc/src/__support/CPP/mutex.h
index 8a3102426e2d6..2ad33da34a80d 100644
--- a/libc/src/__support/CPP/mutex.h
+++ b/libc/src/__support/CPP/mutex.h
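Review bot: The pointer-returning accessors are left without the new annotation even though they hand out the same storage as the annotated reference-returning ones — `data()` and `data() const` are visible as context at the top of this hunk and still return a raw `T *` into `Data`, which the lifetime checker will not track. The attributes.h hunk of this same patch uses `const char *data() const LIBC_LIFETIME_BOUND;` as its own usage example, so the intent seems to be to cover these as well; the change is `LIBC_INLINE constexpr T *data() LIBC_LIFETIME_BOUND { return Data; }` and `LIBC_INLINE constexpr const T *data() const LIBC_LIFETIME_BOUND { return Data; }`. The same gap appears in the string.h hunk (`end()`, `c_str()`), the string_view.h hunk (`data()`) and the optional.h hunk (`operator->()`), all visible as unchanged context next to annotated siblings. If any of these is annotated in a part of its file outside the hunk, disregard for that one.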
@@ -9,6 +9,7 @@
 #ifndef LLVM_LIBC_SRC___SUPPORT_CPP_MUTEX_H
 #define LLVM_LIBC_SRC___SUPPORT_CPP_MUTEX_H
+#include "src/__support/macros/attributes.h"
 #include "src/__support/macros/config.h"
 namespace LIBC_NAMESPACE_DECL {
@@ -28,14 +29,17 @@ template class lock_guard {
 public:
 // Calls `m.lock()` upon resource acquisition.
- explicit lock_guard(MutexType &m) : mutex(m) { mutex.lock(); }
+ LIBC_INLINE explicit lock_guard(LIBC_LIFETIME_BOUND MutexType &m) : mutex(m) {
+ mutex.lock();
+ }
 // Acquires ownership of the mutex object `m` without attempting to lock
 // it. The behavior is undefined if the current thread does not hold the
 // lock on `m`. Does not call `m.lock()` upon resource acquisition.
- lock_guard(MutexType &m, adopt_lock_t /* t */) : mutex(m) {}
+ LIBC_INLINE lock_guard(LIBC_LIFETIME_BOUND MutexType &m, adopt_lock_t /* t */)
+ : mutex(m) {}
- ~lock_guard() { mutex.unlock(); }
+ LIBC_INLINE ~lock_guard() { mutex.unlock(); }
 // non-copyable
 lock_guard &operator=(const lock_guard &) = delete;
diff --git a/libc/src/__support/CPP/optional.h b/libc/src/__support/CPP/optional.h
index aed2269db1b11..15f389c89627e 100644
--- a/libc/src/__support/CPP/optional.h
+++ b/libc/src/__support/CPP/optional.h
@@ -108,11 +108,13 @@ template class optional {
 LIBC_INLINE constexpr void reset() { storage.reset(); }
- LIBC_INLINE constexpr const T &value() const & {
+ LIBC_INLINE constexpr const T &value() const &LIBC_LIFETIME_BOUND {
 return storage.stored_value;
 }
- LIBC_INLINE constexpr T &value() & { return storage.stored_value; }
+ LIBC_INLINE constexpr T &value() & LIBC_LIFETIME_BOUND {
+ return storage.stored_value;
+ }
 LIBC_INLINE constexpr explicit operator bool() const {
 return storage.in_use;
@@ -122,10 +124,12 @@ template class optional {
 return &storage.stored_value;
 }
 LIBC_INLINE constexpr T *operator->() { return &storage.stored_value; }
- LIBC_INLINE constexpr const T &operator*() const & {
+ LIBC_INLINE constexpr const T &operator*() const &LIBC_LIFETIME_BOUND {
+ return storage.stored_value;
+ }
+ LIBC_INLINE constexpr T &operator*() & LIBC_LIFETIME_BOUND {
 return storage.stored_value;
 }
- LIBC_INLINE constexpr T &operator*() & { return storage.stored_value; }
 LIBC_INLINE constexpr T &&value() && { return move(storage.stored_value); }
 LIBC_INLINE constexpr T &&operator*() && {
diff --git a/libc/src/__support/CPP/span.h b/libc/src/__support/CPP/span.h
index 9234a26d201cd..58db573ef4761 100644
--- a/libc/src/__support/CPP/span.h
+++ b/libc/src/__support/CPP/span.h
@@ -28,7 +28,7 @@ namespace cpp {
 // - No implicit type conversion (e.g. Span, initialized with As where A
 // inherits from B),
 // - No reverse iterators
-template class span {
+template class LIBC_GSL_POINTER span {
 template LIBC_INLINE_VAR static constexpr bool is_const_view_v = !cpp::is_const_v && cpp::is_const_v &&
@@ -64,11 +64,12 @@ template class span {
 template , bool> = true>
- LIBC_INLINE constexpr span(U (&arr)[N]) : span_data(arr), span_size(N) {}
+ LIBC_INLINE constexpr span(LIBC_LIFETIME_BOUND U (&arr)[N])
+ : span_data(arr), span_size(N) {}
 template , bool> = true>
- LIBC_INLINE constexpr span(array &arr)
+ LIBC_INLINE constexpr span(LIBC_LIFETIME_BOUND array &arr)
 : span_data(arr.data()), span_size(arr.size()) {}
 template , bool> = true>
diff --git a/libc/src/__support/CPP/string.h b/libc/src/__support/CPP/string.h
index 1ac04c7f1f9dc..6a3bf267bc021 100644
--- a/libc/src/__support/CPP/string.h
+++ b/libc/src/__support/CPP/string.h
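Review bot: The rvalue-qualified overloads at the bottom of this hunk, `LIBC_INLINE constexpr T &&value() && { return move(storage.stored_value); }` and `LIBC_INLINE constexpr T &&operator*() && {`, stay unannotated while the `&`-qualified ones gain `LIBC_LIFETIME_BOUND`; yet they are the overloads selected when the optional is a temporary, which is exactly the case where the returned `T &&` can outlive its storage (binding the result of a call on a temporary optional to a reference). Applying the attribute to the implicit object parameter there, the way the new `&` overloads do, lets the checker report that: `LIBC_INLINE constexpr T &&value() && LIBC_LIFETIME_BOUND {` and `LIBC_INLINE constexpr T &&operator*() && LIBC_LIFETIME_BOUND {`. The body of `operator*() &&` continues past the end of the hunk.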
@@ -106,16 +106,23 @@ class string {
 LIBC_INLINE constexpr const char *end() const { return data() + size_; }
 LIBC_INLINE char *end() { return data() + size_; }
- LIBC_INLINE constexpr const char &front() const { return data()[0]; }
- LIBC_INLINE char &front() { return data()[0]; }
+ LIBC_INLINE constexpr const char &front() const LIBC_LIFETIME_BOUND {
+ return data()[0];
+ }
+ LIBC_INLINE char &front() LIBC_LIFETIME_BOUND { return data()[0]; }
- LIBC_INLINE constexpr const char &back() const { return data()[size_ - 1]; }
- LIBC_INLINE char &back() { return data()[size_ - 1]; }
+ LIBC_INLINE constexpr const char &back() const LIBC_LIFETIME_BOUND {
+ return data()[size_ - 1];
+ }
+ LIBC_INLINE char &back() LIBC_LIFETIME_BOUND { return data()[size_ - 1]; }
- LIBC_INLINE constexpr const char &operator[](size_t index) const {
+ LIBC_INLINE constexpr const char &
+ operator[](size_t index) const LIBC_LIFETIME_BOUND {
+ return data()[index];
+ }
+ LIBC_INLINE char &operator[](size_t index) LIBC_LIFETIME_BOUND {
 return data()[index];
 }
- LIBC_INLINE char &operator[](size_t index) { return data()[index]; }
 LIBC_INLINE const char *c_str() const { return data(); }
diff --git a/libc/src/__support/CPP/string_view.h b/libc/src/__support/CPP/string_view.h
index aa15814b2e149..1a1601c0c7ba7 100644
--- a/libc/src/__support/CPP/string_view.h
+++ b/libc/src/__support/CPP/string_view.h
@@ -23,7 +23,7 @@ namespace cpp {
 // do the checks before invoking the methods.
 //
 // This class will be extended as needed in future.
-class string_view {
+class LIBC_GSL_POINTER string_view {
 private:
 const char *Data;
 size_t Len;
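Review bot: `class string` (the hunk's header context; its declaration is outside the hunk) is not marked `LIBC_GSL_OWNER`, although this patch introduces that macro and marks `string_view` and `span` as `LIBC_GSL_POINTER`. As far as I know clang's `-Wdangling-gsl` reports a Pointer-typed object initialised from a temporary only when the temporary's type carries `[[gsl::Owner]]`, and outside namespace std that attribute is never inferred, so a view constructed directly from a temporary `cpp::string` (if such a constructor or conversion exists) would stay undiagnosed; the member-function cases go through `LIBC_LIFETIME_BOUND` instead and are unaffected. The one-line change is `class LIBC_GSL_OWNER string {`; ignore if the owner annotation is applied elsewhere in the file.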
@@ -44,6 +44,15 @@ class string_view {
 return static_cast(End - Str);
 }
+ template
+ LIBC_INLINE static constexpr size_t
+ bounded_length(LIBC_LIFETIME_BOUND const char (&Str)[N]) {
+ for (size_t i = 0; i < N; ++i)
+ if (Str[i] == '\0')
+ return i;
+ return N;
+ }
+
 LIBC_INLINE bool equals(string_view Other) const {
 return (Len == Other.Len && compareMemory(Data, Other.Data, Other.Len) == 0);
@@ -77,6 +86,10 @@ class string_view {
 LIBC_INLINE constexpr string_view(const char *Str, size_t N)
 : Data(Str), Len(N) {}
+ template
+ LIBC_INLINE constexpr string_view(LIBC_LIFETIME_BOUND const char (&Str)[N])
+ : Data(Str), Len(bounded_length(Str)) {}
+
 LIBC_INLINE constexpr const char *data() const { return Data; }
 // Returns the size of the string_view.
diff --git a/libc/src/__support/CPP/stringstream.h b/libc/src/__support/CPP/stringstream.h
index a16084c848688..a0039f2de4858 100644
--- a/libc/src/__support/CPP/stringstream.h
+++ b/libc/src/__support/CPP/stringstream.h
@@ -48,7 +48,9 @@ class StringStream {
 // null terminator was not explicitly written, then the return value
 // will not include one. In order to produce a string_view to a null
 // terminated string, write ENDS explicitly.
- string_view str() const { return string_view(data.data(), write_ptr); }
+ [[nodiscard]] LIBC_INLINE string_view str() const {
+ return string_view(data.data(), write_ptr);
+ }
 // Write the characters from |str| to the stream.
 StringStream &operator<<(string_view str) {
diff --git a/libc/src/__support/CPP/utility/forward.h b/libc/src/__support/CPP/utility/forward.h
index 085b3d16f999b..f367a34dea57f 100644
--- a/libc/src/__support/CPP/utility/forward.h
+++ b/libc/src/__support/CPP/utility/forward.h
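Review bot: The new array constructor `string_view(LIBC_LIFETIME_BOUND const char (&Str)[N])` (second hunk of this file) changes which constructor a string literal selects — the reference-to-array template is an exact match, so literals no longer go through the `const char *` constructor — and it also binds to any `char` array, where `bounded_length` stops at the first `'\0'` or yields `N` when there is none. That is a bounds-safe improvement over a pointer-based length scan, but the truncate-at-NUL / whole-array-otherwise behaviour deserves a comment on the constructor, e.g. `// Length is the index of the first '\0' in the array, or N if there is none; never reads past the array.` `bounded_length` itself (first hunk) returns a `size_t`, so the `LIBC_LIFETIME_BOUND` on its parameter has, as far as I can tell, nothing to bind to and reads as if it carried meaning; dropping it there keeps the attribute's presence a reliable signal that a reference or pointer is being returned.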
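Review bot: `str()` now uses `LIBC_INLINE`, the only use of that macro among the lines visible from stringstream.h, yet unlike the mutex.h hunk this file gets no `#include "src/__support/macros/attributes.h"`. If the header is only reached transitively (through span.h or string_view.h) the dependency is fragile; adding the include directly, as mutex.h does, would make it explicit. `[[nodiscard]]` is a good fit for an accessor returning a view into the stream's buffer.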
@@ -18,12 +18,14 @@ namespace cpp {
 // forward
 template
-LIBC_INLINE constexpr T &&forward(remove_reference_t &value) {
+LIBC_INLINE constexpr T &&
+forward(LIBC_LIFETIME_BOUND remove_reference_t &value) {
 return static_cast(value);
 }
 template
-LIBC_INLINE constexpr T &&forward(remove_reference_t &&value) {
+LIBC_INLINE constexpr T &&
+forward(LIBC_LIFETIME_BOUND remove_reference_t &&value) {
 static_assert(!is_lvalue_reference_v, "cannot forward an rvalue as an lvalue");
 return static_cast(value);
diff --git a/libc/src/__support/CPP/utility/move.h b/libc/src/__support/CPP/utility/move.h
index b61f723e8d4cb..e77d64066270b 100644
--- a/libc/src/__support/CPP/utility/move.h
+++ b/libc/src/__support/CPP/utility/move.h
@@ -17,7 +17,8 @@ namespace cpp {
 // move
 template
-LIBC_INLINE constexpr cpp::remove_reference_t &&move(T &&t) {
+LIBC_INLINE constexpr cpp::remove_reference_t &&
+move(LIBC_LIFETIME_BOUND T &&t) {
 return static_cast &&>(t);
 }
diff --git a/libc/src/__support/macros/attributes.h b/libc/src/__support/macros/attributes.h
index d5ff028634940..a1129df936942 100644
--- a/libc/src/__support/macros/attributes.h
+++ b/libc/src/__support/macros/attributes.h
@@ -91,4 +91,84 @@ LIBC_THREAD_MODE_EXTERNAL.
 #define LIBC_NO_SANITIZE_OOB_ACCESS
 #endif
+// LIBC_LIFETIME_BOUND indicates that a function parameter's lifetime is tied
+// to the return value. This helps compilers detect use-after-free bugs.
+//
+// Example usage:
+// const T &get_value(const Container &c LIBC_LIFETIME_BOUND,
+/// const T &default_val LIBC_LIFETIME_BOUND);
+// // Warns if temporary Container or default_val is bound to the result
+//
+// For member functions, apply after the function signature:
+// const char *data() const LIBC_LIFETIME_BOUND;
+// // The returned pointer should not outlive '*this'
+#if __has_cpp_attribute(clang::lifetimebound)
+#define LIBC_LIFETIME_BOUND [[clang::lifetimebound]]
+#elif __has_cpp_attribute(msvc::lifetimebound)
+#define LIBC_LIFETIME_BOUND [[msvc::lifetimebound]]
+#elif __has_cpp_attribute(lifetimebound)
+#define LIBC_LIFETIME_BOUND [[lifetimebound]]
+#else
+#define LIBC_LIFETIME_BOUND
+#endif
+// LIBC_LIFETIME_CAPTURE_BY(X) indicates that parameter X captures/stores a
+// reference to the annotated parameter. Warns if temporaries are passed.
+//
+// Example usage:
+// void add_to_set(cpp::string_view a LIBC_LIFETIME_CAPTURE_BY(s),
+// cpp::set& s) {
+// s.insert(a); // 's' now holds a reference to 'a'
+// }
+// // Warns: add_to_set(cpp::string(), s); // temporary captured by 's'
+//
+// X can be: another parameter name, 'this', 'global', or 'unknown'
+// Multiple capturing entities: LIBC_LIFETIME_CAPTURE_BY(s1, s2)
+//
+// For member functions capturing 'this', apply after function signature:
+// void capture_self(cpp::set& s) LIBC_LIFETIME_CAPTURE_BY(s);
+#if __has_cpp_attribute(clang::lifetime_capture_by)
+#define LIBC_LIFETIME_CAPTURE_BY(X) [[clang::lifetime_capture_by(X)]]
+#else
+#define LIBC_LIFETIME_CAPTURE_BY(X)
+#endif
+// LIBC_GSL_POINTER marks a class as a "view" type that points to data owned
+// elsewhere. Lifetime analysis treats it as potentially dangling when the
+// owner is destroyed. Use for types like string_view, span, or custom views.
+//
+// Example usage:
+// class LIBC_GSL_POINTER StringView {
+// const char *data_;
+// public:
+// StringView(const String& s); // Points into 's'
+// };
+// // Warns: StringView sv = String(); // sv points to destroyed temporary
+//
+// The attribute takes an optional type parameter (e.g., [[gsl::Pointer(int)]])
+// but it's typically omitted in libc usage.
+#if __has_cpp_attribute(gsl::Pointer)
+#define LIBC_GSL_POINTER [[gsl::Pointer]]
+#else
+#define LIBC_GSL_POINTER
+#endif
+// LIBC_GSL_OWNER marks a class as owning the data it manages. When an Owner
+// is destroyed, any Pointer constructed from it becomes dangling.
+//
+// Example usage:
+// class LIBC_GSL_OWNER String {
+// char *data_;
+// public:
+// ~String() { delete[] data_; }
+// };
+//
+// Relationship: LIBC_GSL_POINTER types "point into" LIBC_GSL_OWNER types.
+// When the owner dies, pointers derived from it are considered dangling.
+#if __has_cpp_attribute(gsl::Owner)
+#define LIBC_GSL_OWNER [[gsl::Owner]]
+#else
+#define LIBC_GSL_OWNER
+#endif
 #endif // LLVM_LIBC_SRC___SUPPORT_MACROS_ATTRIBUTES_H
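Review bot: The usage comment for LIBC_LIFETIME_BOUND disagrees with how the rest of this patch applies the macro: the example places it after the parameter (`const Container &c LIBC_LIFETIME_BOUND,`) while every call site in the patch places it before (`LIBC_LIFETIME_BOUND const T &a`); both positions appertain to the parameter, but the comment should show the convention actually used, or state that either is accepted. The second example line begins with a stray `///` (`/// const T &default_val LIBC_LIFETIME_BOUND);`) where the surrounding lines use `//`. The opening sentence says the attribute helps "detect use-after-free bugs", but what it diagnoses is a returned reference or pointer outliving the argument it was derived from (typically a temporary or a stack object), so `// to the return value, letting the compiler diagnose references that would dangle.` describes it more accurately.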