[patch/rfc] An opt-in warning for functions whose availability(introduced) is newer than the deployment target

Nico Weber thakis at chromium.org
Fri Mar 20 08:35:24 PDT 2015

On Fri, Mar 20, 2015 at 8:10 AM, Ted Kremenek <kremenek at apple.com> wrote:

> Hi Nico,
> I'm really sorry, but this is the first time I saw this.  When you first
> proposed the patch I was away from work for several weeks and wasn't
> reading email.  I then missed most of this.
> I honestly am very concerned about this approach.  The problem is
> certainly well-motivated, but it feels like a really partial solution to
> the problem that doesn't provide any real safety.  Looking back at the
> thread I see you and Doug discussed using dataflow analysis, which really
> seems like the right approach to me.  Even some basic lexical analysis to
> check if a guard existed before use probably would have provided some
> reasonable checking, and I disagree with Doug that the dataflow approach
> was "a heck of a lot more work".
> The thing I don't like about this approach is that as soon as you provide
> the redeclaration you lose all checking for uses of a method.  Here are my
> concerns:
> (1) You get a warning once for a method that is newer than your minimum
> deployment target regardless of whether or not you are using it safely.
> (2) You silence that warning by adding the redeclaration.  Then all future
> uses of that method that you introduce won't get a warning.
> I don't see how this provides any real checking at all.  Even if the first
> warning was valid in identify and unguarded case, you get no help from the
> compiler if you add the guard and do it incorrectly.
> My concern here is not that this problem isn't important to solve.  It's a
> very big problem.  I am concerned that this approach causes users to
> clutter their code with redeclarations and it provides them no much safety
> checking at all.  I know part of this was motivated by real issues you were
> seeing in Chrome, a large codebase that needs to run on multiple OS
> versions.  Do you think this will be a practical, and useful approach, to
> solving that problem in practice on a codebase of that size?

Hi Ted,

I agree that this is an imperfect solution. However, it's identical to our
current approach of just building against an old SDK (10.6). This is what
we currently do, and having to declare methods before using them does help
in practice. However, the OS suppresses some bug fixes when linking against
an old SDK, so we want to switch to a model where we use the newest SDK.
This warning is supposed to give us the same level of safety as using an
old SDK, without getting the drawbacks of an old SDK.

This isn't Chromium-specific either: I talked to the Firefox folks, and
they currently build against an old SDK for the same reasons we do.

(Also note that this warning is off by default and not in -Wall.)


> I'm very sorry to wade into this so late.
> Ted
> On Mar 19, 2015, at 12:23 PM, Nico Weber <thakis at chromium.org> wrote:
> r232750, thanks!
> On Tue, Mar 17, 2015 at 9:44 AM, Douglas Gregor <dgregor at apple.com> wrote:
>> On Mar 2, 2015, at 2:25 PM, Nico Weber <thakis at chromium.org> wrote:
>> One more tweak: Apparently for `@interface A @end @class A;`, a lookup
>> for A finds the @interface decl, not the @class redecl.
>> Yeah, I think this is a longstanding hack from when we starting tracking
>> redeclaration chains for Objective-C class declarations (and @class started
>> being an ObjCInterfaceDecl). We (ahem, I) didn’t hunt down all of the
>> places where we were expecting name lookup to return the definition.
>> So for ObjCInterfaceDecls, the explicit loop is necessary – this patch
>> adds it back for that case. With this change, I can build most of chrome
>> with this warning enabled (and some declaration tweaks in chrome). (Only
>> "most of" because the build is still running – no known bugs).
>> Okay. Everything else LGTM, I say “go for it!”.
>> - Doug
>> On Sun, Mar 1, 2015 at 7:52 PM, Nico Weber <thakis at chromium.org> wrote:
>>> On Mon, Feb 2, 2015 at 10:26 PM, Douglas Gregor <dgregor at apple.com>
>>> wrote:
>>>> Hi Nico,
>>>> On Jan 8, 2015, at 6:14 PM, Nico Weber <thakis at chromium.org> wrote:
>>>> Hi,
>>>> the Mac OS X and iOS SDKs add new functions in new releases. Apple
>>>> recommends using the newest SDK and setting the deployment target to
>>>> whatever old OS version one wants to support, and only calling new
>>>> functions after checking that they are available at runtime.
>>>> In practice, we (Chromium) get this wrong. Others who support old OS X
>>>> versions get this wrong too. Hence, we (Chromium) use a very old SDK and
>>>> then manually declare new functions when we want to call them – this
>>>> reduces the chance of us forgetting if they are available at runtime
>>>> considerably, in practice. But using an old SDK has its problems –
>>>> sometimes the frameworks check which SDK an app was linked against and only
>>>> then activate bug fixes, and newer Xcodes don't ship include old SDKs.
>>>> That’s an interesting approach to handling the availability problem; I
>>>> hadn’t heard of it before, but I see the logic there.
>>>> Ideally, we could use a new SDK but get a warning when we use a new API
>>>> without a manual redeclaration – this protects us against new APIs the same
>>>> way using an old SDK does without the drawbacks that this brings.
>>>> The attached patch is a sketch how such a warning might work. How
>>>> repulsive is this idea? Are there other approaches to this problem? If the
>>>> basic idea is ok:
>>>> This is a drastically different approach than I’d imagined. Whenever
>>>> I’ve thought about this problem, I’ve always come back to some form of
>>>> dataflow analysis that checks whether uses of “not-yet-introduced” API is
>>>> used in a sane way: is it dominated by some check that implies the
>>>> availability, e.g., a -respondsToSelector: check on a method with at least
>>>> that availability, or checking whether “[NSFoo class]” is non-null when the
>>>> class has availability. I suspect that’s the idea behind Deploymate (
>>>> http://www.deploymateapp.com), although I’ve never used it, and it has
>>>> the benefit that it should make idiomatic code (that does the right
>>>> checking) just work.
>>>> It’s also a heck of a lot more work to implement than the approach
>>>> you’re using.
>>> Right :-)
>>>> Any comments on the implementation?
>>>> The implementation generally looks fine. One minor comment:
>>>> +    case AR_NotYetIntroduced: {
>>>> +      // don't do this for enums, they can't be redeclared.
>>>> +      if (isa<EnumConstantDecl>(D) || isa<EnumDecl>(D))
>>>> +        break;
>>>> +      bool FoundRedecl = false;
>>>> +      for (Decl *Redecl = D->getMostRecentDecl(); Redecl &&
>>>> !FoundRedecl;
>>>> +           Redecl = Redecl->getPreviousDecl()) {
>>>> +        if (Redecl->getAttr<AvailabilityAttr>()->isInherited())
>>>> +          FoundRedecl = true;
>>>> +      }
>>>> +      if (!FoundRedecl)
>>>> +        S.EmitAvailabilityWarning(Sema::AD_Partial, D, Message, Loc,
>>>> +                                  UnknownObjCClass, ObjCPDecl,
>>>> +                                  ObjCPropertyAccess);
>>>> +      break;
>>>> +    }
>>>> Generally speaking, name lookup will always find the most recent
>>>> declaration, so you might be able to skip the D->getMostRecentDecl() bit
>>>> entirely and just check that the availability attribute was inherited.
>>> That worked, done.
>>> I also had to add some explicit code for handling redeclarations in
>>> @interfaces, as these aren't modeled as redeclarations in the AST. I also
>>> added the property note used in the other availability warnings, and I
>>> added lots of tests.
>> <clang-redecl.diff>
> _______________________________________________
> cfe-commits mailing list
> cfe-commits at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20150320/88b7510f/attachment.html>

More information about the cfe-commits mailing list