Using user-provided data as a format string is a well known source of
security vulnerabilities. For this reason, it is a good idea to compile
our code with -Wformat-nonliteral, which basically warns if a non-constant
string is used as a format specifier. This is the compiler’s best signal
that a format string call may be insecure.
I audited the code after adding the warning and made sure that the few
places where we used a non-literal string as a format string were not
potential security issues. I either disabled the warning locally for
those instances or fixed the warning by using a literal. The idea is
that after we add the warning to the build, any new use of a non-literal
string in a format string will trigger a diagnostic, and we can either
get rid of it or disable the warning locally, which is a way of
acknowledging that it has been audited.
I also looked into enabling it in the test suite, which would perhaps
allow finding additional instances of it in our headers, however that
is not possible at the moment because Clang doesn't support putting
__attribute__((__format__(...))) on variadic templates, which would
be needed.
rdar://84571685
Differential Revision: https://reviews.llvm.org/D112927
Deduction guides for containers should not participate in overload
resolution when called with certain incorrect types (e.g. when called
with a template argument in place of an `InputIterator` that doesn't
qualify as an input iterator). Similarly, class template argument
deduction should not select `unique_ptr` constructors that take a
a pointer.
The tests try out every possible incorrect parameter (but never more
than one incorrect parameter in the same invocation).
Also add deduction guides to the synopsis for associative and unordered
containers (this was accidentally omitted from [D112510](https://reviews.llvm.org/D112510)).
Differential Revision: https://reviews.llvm.org/D112904
`__vector_base` exists for historical reasons and cannot be eliminated
entirely without breaking the ABI. Member variables are left
untouched -- this patch only does changes that clearly cannot affect the
ABI.
Differential Revision: https://reviews.llvm.org/D112976
However, whether applications rely on the std::bad_function_call vtable
being in the dylib is still controlled by the ABI macro, since changing
that would be an ABI break.
Differential Revision: https://reviews.llvm.org/D92397
Before this patch, `try_acquire` blocks instead of returning false.
This is because `__libcpp_thread_poll_with_backoff` interprets zero
as meaning infinite, causing `try_acquire` to wait indefinitely.
Thanks to Pablo Busse (pabusse) for the patch!
Differential Revision: https://reviews.llvm.org/D98334
These can't be made constexpr-constructible (constinit'able),
so they aren't C++20-conforming. Also, the platform versions are
going to be bigger than the atomic/futex version, so we'd have
the awkward situation that `semaphore<42>` could be bigger than
`semaphore<43>`, and that's just silly.
Differential Revision: https://reviews.llvm.org/D110110
These are not standard methods, neither libstdc++ nor MSVC STL provide
them.
In practice, one of them was untested and the other one was only used in
one single test.
Differential Revision: https://reviews.llvm.org/D113027
I was going to make a change in that area of the code and I noticed that
we basically duplicated the same code 5 times to handle integral types
and floating point types. This commit simply pulls the duplication into
a function.
Differential Revision: https://reviews.llvm.org/D112830
Since we no longer officially support Clang 11 remove the work-arounds
for this version.
Reviewed By: #libc, ldionne
Differential Revision: https://reviews.llvm.org/D112727
Some types that inherit from `view_interface` do not meet the
preconditions. This came up during discussion
in https://reviews.llvm.org/D112631. Currently, the behavior is IFNDR,
but the preconditions can be easily checked, so let's do so.
In particular, we know each public member function calls the
`__derived()` private function, so we can do the check there. We
intentionally do it as a `static_assert` instead of a `requires` clause
to avoid hard erroring in some cases, such as with incomplete types. An
example hard error is:
```
llvm-project/build/include/c++/v1/__ranges/view_interface.h:48:14: note: because 'sizeof(_Tp)' would be invalid: invalid application of 'sizeof' to an incomplete type 'MoveOnlyForwardRange'
requires { sizeof(_Tp); } &&
^
llvm-project/build/include/c++/v1/__ranges/view_interface.h:73:26: error: no matching member function for call to '__derived'
return ranges::begin(__derived()) == ranges::end(__derived());
^~~~~~~~~
llvm-project/libcxx/test/std/ranges/range.utility/view.interface/view.interface.pass.cpp:187:31: note: in instantiation of function template specialization 'std::ranges::view_interface<MoveOnlyForwardRange>::empty<Mov
eOnlyForwardRange>' requested here
assert(!std::move(moveOnly).empty());
```
Reviewed By: Quuxplusone, Mordante, #libc
Differential Revision: https://reviews.llvm.org/D112665
`is_error_condition_enum_v` and `is_error_code_enum_v` are currently of
type `size_t`, but the standard mandates they are of type `bool`.
This is an ABI break technically since the size of these variable
templates has changed. Document it as such in the release notes.
Fixes https://bugs.llvm.org/show_bug.cgi?id=50755
Reviewed By: ldionne, Quuxplusone, #libc, var-const
Differential Revision: https://reviews.llvm.org/D112553
Add deduction guides to `valarray` and `scoped_allocator_adaptor`. This largely
finishes implementation of the paper:
* deduction guides for other classes mentioned in the paper were
implemented previously (see the list below);
* deduction guides for several classes contained in the proposal
(`reference_wrapper`, `lock_guard`, `scoped_lock`, `unique_lock`,
`shared_lock`) were removed by [LWG2981](https://wg21.link/LWG2981).
Also add deduction guides to the synopsis for the few classes (e.g. `pair`)
where they were missing.
The only part of the paper that isn't fully implemented after this patch is
making sure certain deduction guides don't participate in overload resolution
when given incorrect template parameters.
List of significant commits implementing the other parts of P0433 (omitting some
minor fixes):
* [pair](af65856eec)
* [basic_string](6d9f750dec)
* [array](0ca8c0895c)
* [deque](dbb6f8a817)
* [forward_list](e076700b77)
* [list](4a227e582b)
* [vector](df8f754792)
* [queue/stack/priority_queue](5b8b8b5dce)
* [basic_regex](edd5e29cfe)
* [optional](f35b4bc395)
* [map/multimap](edfe8525de)
* [set/multiset](e20865c387)
* [unordered_set/unordered_multiset](296a80102a)
* [unordered_map/unordered_multimap](dfcd4384cb)
* [function](e1eabcdfad)
* [tuple](1308011e1b)
* [shared_ptr/weak_ptr](83564056d4)
Additional notes:
* It was revision 2 of the paper that was voted into the Standard.
P0433R3 is a separate paper that is not part of the Standard.
* The paper also mandates removing several `make_*_searcher` functions
(e.g. `make_boyer_moore_searcher`) which are currently not implemented
(except in `experimental/`).
* The `__cpp_lib_deduction_guides` feature test macro from the paper was
accidentally omitted from the Standard.
Differential Revision: https://reviews.llvm.org/D112510
This is going to be necessary to implement some range adaptors.
As a fly-by fix, rename _LIBCPP_INLINE_VISIBILITY to _LIBCPP_HIDE_FROM_ABI
and remove a redundant inline keyword.
Differential Revision: https://reviews.llvm.org/D112650
Mark LWG2731 as complete. The type alias `mutex_type` is only provided if
`scoped_lock` is given one mutex type and it has been implemented that
way since the beginning of Clang 5 it seems. There already are tests for
verifying existence (and lack thereof) for `mutex_type` type alias
depending on the number of mutex types, so there is nothing to
do for this LWG issue.
Reviewed By: Quuxplusone, Mordante, #libc
Differential Revision: https://reviews.llvm.org/D112462
This patch refactors the shared_ptr methods from being defined out-of-line
to being defined inline in the class, like what we do for all new code in
the library. The benefits of doing that are that code is not as scattered
around and is hence easier to understand, and it avoids a ton of duplication
due to SFINAE checks. Defining the method where it is declared also removes
the possibility for mismatched attributes.
As a fly-by change, this also:
- Adds a few _LIBCPP_HIDE_FROM_ABI attributes
- Uses __enable_if_t instead of enable_if as a function argument, to match
the style that we use everywhere else.
Differential Revision: https://reviews.llvm.org/D112478
Several parts in the `chrono` synopsis for C++20 are not yet
implemented. The current recommendation is that things are added to the
synopsis when implemented -- not beforehand. As such, remove the
not-yet-implemented parts to avoid confusion.
Reviewed By: ldionne, Quuxplusone, #libc
Differential Revision: https://reviews.llvm.org/D111922
Also fix a few places in the `shared_ptr` implementation where
`element_type` was passed to the `__is_compatible` helper. This could
result in `remove_extent` being applied twice to the pointer's template
type (first by the definition of `element_type` and then by the helper),
potentially leading to somewhat less readable error messages for some
incorrect code.
Differential Revision: https://reviews.llvm.org/D112092
Based on the comment of @Quuxplusone in D111961. It seems no tests are
affected, but give it a run on the CI to be sure.
Reviewed By: #libc, ldionne
Differential Revision: https://reviews.llvm.org/D112231
This addresses the usage of `operator&` in `<vector>`.
I now added tests for the current offending cases. I wonder whether it
would be better to add one addressof test per directory and test all
possible violations. Also to guard against possible future errors?
(Note there are still more headers with the same issue.)
Reviewed By: #libc, ldionne
Differential Revision: https://reviews.llvm.org/D111961
According to the standard [vector.capacity]/5, std::vector<T>::reserve
shall throw an exception of type std::length_error when the requested
capacity exceeds max_size().
This behavior is not implemented correctly: the function 'reserve'
simply propagates the exception from allocator<T>::allocate. Before
D110846 that exception used to be of type std::length_error (which is
correct for vector<T>::reserve, but incorrect for
allocator<T>::allocate).
This patch fixes the issue and adds regression tests.
Reviewed By: Quuxplusone, ldionne, #libc
Differential Revision: https://reviews.llvm.org/D112068
std::vector<bool> rebinds the supplied allocator to construct objects
of type '__storage_type' rather than 'bool'. Allocators are allowed to
use explicit conversion constructors, so care must be taken when
performing conversions.
Reviewed By: ldionne, #libc
Differential Revision: https://reviews.llvm.org/D112150
The path functions in this patch are unimplemented (as per the TODO comment from upstream). To avoid running into a linker error (missing symbol), this patch raises a compile error by commenting out the functions, which is more user friendly.
Differential Revision: https://reviews.llvm.org/D111892
`weekday` has a static member function `__weekday_from_days` which is
not part of the mandated public interface of `weeekday` according to the
standard. Since it is only used internally in the constructors of
`weekday`, let's make it private.
Reviewed By: ldionne, Mordante, #libc
Differential Revision: https://reviews.llvm.org/D112072
Currently the member functions std::allocator<T>::allocate,
std::experimental::pmr::polymorphic_allocator::allocate and
std::resource_adaptor<T>::do_allocate throw an exception of type
std::length_error when the requested size exceeds the maximum size.
According to the C++ standard ([allocator.members]/4,
[mem.poly.allocator.mem]/1), std::allocator<T>::allocate and
std::pmr::polymorphic_allocator::allocate must throw a
std::bad_array_new_length exception in this case.
The patch fixes the issue with std::allocator<T>::allocate and changes
the type the exception thrown by
std::experimental::pmr::resource_adaptor<T>::do_allocate to
std::bad_array_new_length as well for consistency.
The patch resolves LWG 3237, LWG 3038 and LWG 3190.
Reviewed By: ldionne, #libc, Quuxplusone
Differential Revision: https://reviews.llvm.org/D110846
Implement LWG3480 which enables `directory_iterator` and
`recursive_directory_iterator` to be both a `borrowed_range` and a
`view`.
Reviewed By: ldionne, #libc
Differential Revision: https://reviews.llvm.org/D111644
Mark LWG3274 as complete. The feature test macro `__cpp_lib_span` was added in
`6d2599e4f776d0cd88438cb82a00c4fc25cc3f67`.
https://wg21.link/p1024 mentions marking `span:::empty()` with
`[[nodiscard]]` which is not done yet. So, do that and add tests.
Reviewed By: ldionne, Quuxplusone, Mordante, #libc
Differential Revision: https://reviews.llvm.org/D111516
Fixes the tests added in D110852 for the debug iterators.
Similar issues with hijacking `operator&` still exist, they will be
addressed separately.
Reviewed By: #libc, ldionne, Quuxplusone
Differential Revision: https://reviews.llvm.org/D111564
While looking at LWG-2988 and P0558 it seems the issues were already
implemented, but the synopsis wasn't updated. Some of the tests didn't
validate the `noexcept` status. A few tests were missing completely:
- `atomic_wait_explicit`
- `atomic_notify_one`
- `atomic_notify_all`
Mark P0558 as complete, didn't investigate which version of libc++ first
includes this. It seems the paper has been retroactively applied. I
couldn't find whether this is correct, but looking at cppreference it
seems intended.
Completes
- LWG-2988 Clause 32 cleanup missed one typename
- P0558 Resolving atomic<T> named base class inconsistencies
Reviewed By: #libc, ldionne
Differential Revision: https://reviews.llvm.org/D103765
Some embedded platforms do not wish to support the C library functionality
for handling wchar_t because they have no use for it. It makes sense for
libc++ to work properly on those platforms, so this commit adds a carve-out
of functionality for wchar_t.
Unfortunately, unlike some other carve-outs (e.g. random device), this
patch touches several parts of the library. However, despite the wide
impact of this patch, I still think it is important to support this
configuration since it makes it much simpler to port libc++ to some
embedded platforms.
Differential Revision: https://reviews.llvm.org/D111265
Implement P2401 which adds a `noexcept` specification to
`std::exchange`. Treated as a defect fix which is the motivation for
applying this change to all standards mode rather than just C++23 or
later as the paper suggests.
Reviewed By: Quuxplusone, Mordante, #libc
Differential Revision: https://reviews.llvm.org/D111481
There is an empty `namespace std` in `type_traits` which was originally
used when `std::byte` was added in
c97d8aa866. At some point, the bitwise operators
on `std::byte` got relocated but this empty namespace was left around.
Remove it.
Reviewed By: Quuxplusone, Mordante, #libc
Differential Revision: https://reviews.llvm.org/D111512
Implement parts of P1614, including three-way comparison for tuples, and expand testing.
Reviewed By: ldionne, Mordante, #libc
Differential Revision: https://reviews.llvm.org/D108250
While looking at the review comments in D103765 there was an oddity in
the tests for the following functions:
- atomic_fetch_add
- atomic_fetch_add_explicit
- atomic_fetch_sub
- atomic_fetch_sub_explicit
Libc++ allows usage of
`atomic_fetch_add<int>(atomic<int*>*, atomic<int*>::difference_type);`
MSVC and GCC reject this code: https://godbolt.org/z/9d8WzohbE
This makes the atomic `fetch(add|sub).*` Standard conforming and removes the non-conforming extensions.
Fixes PR47908
Reviewed By: ldionne, #libc
Differential Revision: https://reviews.llvm.org/D103983
Replace `&__rhs` with `_VSTD::addressof(__rhs)` to guard against ADL hijacking
of `operator&` in `operator=`. Thanks to @CaseyCarter for bringing it to our
attention.
Similar issues with hijacking `operator&` still exist, they will be
addressed separately.
Reviewed By: #libc, Quuxplusone, ldionne
Differential Revision: https://reviews.llvm.org/D110852
Implements the formatter for Boolean types.
[format.formatter.spec]/2.3
For each charT, for each cv-unqualified arithmetic type ArithmeticT other
than char, wchar_t, char8_t, char16_t, or char32_t, a specialization
```
template<> struct formatter<ArithmeticT, charT>;
```
This removes the stub implemented in D96664.
Implements parts of:
- P0645 Text Formatting
- P1652 Printf corner cases in std::format
Completes:
- P1868 width: clarifying units of width and precision in std::format
Reviewed By: #libc, ldionne
Differential Revision: https://reviews.llvm.org/D103670
Implements the formatter for all fundamental integer types.
[format.formatter.spec]/2.1
The specializations
```
template<> struct formatter<char, char>;
template<> struct formatter<char, wchar_t>;
template<> struct formatter<wchar_t, wchar_t>;
```
This removes the stub implemented in D96664.
Implements parts of:
- P0645 Text Formatting
Reviewed By: #libc, ldionne
Differential Revision: https://reviews.llvm.org/D103466
Louis Dionne