XPCOMGC/Static Checker

From MozillaWiki

Taras and/or dmandelin will work on an extended GCC which will provide additional static-checking capabilities for the Mozilla codebase. The following is a preliminary set of static checks to perform for the XPCOMGC codebase. Initially many of these checks will fail and should be warnings, not hard errors.

  • If a class inherits from XPCOMGCFinalizedObject, the left-most base other than XPCOMGCFinalizedObject must be MMgc::GCFinalizedBase
  • Certain classes may be allocated only on the stack or on the heap... bsmedberg is happy to annotate these classes. TODO: how to annotate? It's important to catch instances where these classes are members of other classes being heap or stack allocated. And it's important that in both these cases, static allocations are disallowed.
  • For any class which inherits from MMgc::GCFinalizedBase:
    • The destructor must not dereference any member pointer to a GC object
    • The destructor must not call functions which are not annotated "safe for finalizers" TODO: how to annotate?
  • For any class inheriting from XPCOMGCObject or XPCOMGCFinalizedObject:
    • raw members pointing to GC objects are not allowed... they must either be nsCOMPtr or they must be annotated indicating that they are a "safe" raw pointer. TODO: how to annotate?
  • For any class *not* inheriting from XPCOMGCObject or XPCOMGCFinalizedObject:
    • the class must not contain nsCOMPtr member variables
    • the class may not contain member pointers to GC objects, unless those members are annotated "safe for GC marking" TODO: how to annotate?

Annotations are combined to find the most restrictive combination.

Annotation Stack Malloc GCHeap Global Destructor is Finalizer-safe Notes
NS_STACK_CLASS No No No must only be on the stack
NS_MANAGED No No Yes Requires rooting
NS_GC_TYPE No No No May only appear on the GC heap
NS_NOGC_TYPE No Must not appear on the GC heap
NS_GCOK Yes May be GC-allocated.

Inferences

  • Class restrictions are inferred from their bases and members
  • Arrays and typedefs are inferred from their base type.
  • Pointers to managed and GC types are considered managed types, *unless* they are declared with NS_UNMANAGED
  • The destructor of all "managed" classes is inferred to be finalizer-safe. This includes NS_MANAGED, NS_GC_TYPE, and anything derived from MMgc::GCObject, MMgc::GCFinalizedObject, XPCOMGCObject, and XPCOMGCFinalizedObject
  • Any class with a destructor must be finalized unless it is annotated with NS_FINALIZER_NOT_REQUIRED
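
The combination and inference rules above can be modelled as set intersection over allowed allocation locations. The following C++ is an added example, not part of this wiki page or of the GCC-based checker: the allowed sets for NS_STACK_CLASS, NS_GC_TYPE and NS_NOGC_TYPE are an interpretation read from each row's Notes text, NS_MANAGED and NS_GCOK are not modelled, and the class names are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// One bit per allocation location (the table's first four columns).
enum Loc : uint8_t { Stack = 1, Malloc = 2, GCHeap = 4, Global = 8, Anywhere = 15 };

// Allowed locations per annotation, read from each row's Notes text (assumption).
uint8_t allowedBy(const std::string& a) {
    if (a == "NS_STACK_CLASS") return Stack;              // must only be on the stack
    if (a == "NS_GC_TYPE")     return GCHeap;             // may only appear on the GC heap
    if (a == "NS_NOGC_TYPE")   return Anywhere & ~GCHeap; // must not appear on the GC heap
    return Anywhere;                                      // unannotated: no restriction
}

struct ClassInfo {
    std::string annotation;            // "" when unannotated
    std::vector<std::string> bases;
    std::vector<std::string> members;  // types of by-value members
};
using Model = std::map<std::string, ClassInfo>;

// Most restrictive combination: intersect the class's own annotation with what
// is inferred from its bases and members. Assumes the model has no cycles.
uint8_t inferAllowed(const Model& m, const std::string& name) {
    auto it = m.find(name);
    if (it == m.end()) return Anywhere;  // type outside the model: no restriction
    uint8_t allowed = allowedBy(it->second.annotation);
    for (const auto& b : it->second.bases)   allowed &= inferAllowed(m, b);
    for (const auto& f : it->second.members) allowed &= inferAllowed(m, f);
    return allowed;
}

// A class with no permitted location is a contradiction the checker should report.
bool isContradictory(const Model& m, const std::string& name) { return inferAllowed(m, name) == 0; }

// Constructed sample classes (hypothetical names, not from the Mozilla tree).
Model sampleModel() {
    return {{"AutoGuard", {"NS_STACK_CLASS", {}, {}}},
            {"Helper", {"", {}, {"AutoGuard"}}},        // stack-only through its member
            {"Node", {"NS_GC_TYPE", {}, {}}},
            {"BadNode", {"NS_GC_TYPE", {"Node"}, {"Helper"}}}};  // GC-only base, stack-only member
}
int main() {
    for (const char* n : {"AutoGuard", "Helper", "Node", "BadNode"})
        std::printf("%-9s allowed=0x%x\n", n, (unsigned)inferAllowed(sampleModel(), n));
}
```

Here `Helper` carries no annotation of its own but becomes stack-only through its member, and `BadNode` ends up with an empty allowed set, which is the member-of-another-class case the checks above are meant to catch.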