author J.C. Jones <>
Fri, 14 Dec 2018 19:40:03 +0000
changeset 450794 5dd52dc4e291a4e099f18dc718cb958f99b999eb
parent 448947 6f3709b3878117466168c40affa7bca0b60cf75b
child 454354 5f4630838d46dd81dadb13220a4af0da9e23a619
permissions -rw-r--r--
Bug 1514247 - Upgrade u2f-hid-rs to 0.2.3 r=emilio,keeler This patch moves u2f-hid-rs to 0.2.3 [1], which changes the dependency graph of u2f-hid-rs to not directly rely on the low-level core-foundation-sys library, as core-foundation has all the features u2f-hid-rs needs in 0.6.1+. This patch vendors core-foundation 0.6.3 and core-foundation-sys 0.6.2 as a consequence. [1] [2] Differential Revision:

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at */

/* Implementation of macros to ensure correct use of RAII Auto* objects. */

#ifndef mozilla_GuardObjects_h
#define mozilla_GuardObjects_h

#include "mozilla/Assertions.h"
#include "mozilla/Move.h"
#include "mozilla/Types.h"

#ifdef __cplusplus

#ifdef DEBUG

 * A custom define is used rather than |mozPoisonValue()| due to cascading
 * build failures relating to how mfbt is linked on different operating
 * systems. See bug 1160253.
#define MOZ_POISON uintptr_t(-1)

namespace mozilla {
namespace detail {

 * The following classes are designed to cause assertions to detect
 * inadvertent use of guard objects as temporaries. In other words,
 * when we have a guard object whose only purpose is its constructor and
 * destructor (and is never otherwise referenced), the intended use
 * might be:
 *   AutoRestore savePainting(mIsPainting);
 * but is is easy to accidentally write:
 *   AutoRestore(mIsPainting);
 * which compiles just fine, but runs the destructor well before the
 * intended time.
 * They work by adding (#ifdef DEBUG) an additional parameter to the
 * guard object's constructor, with a default value, so that users of
 * the guard object's API do not need to do anything. The default value
 * of this parameter is a temporary object. C++ (ISO/IEC 14882:1998),
 * section 12.2 [class.temporary], clauses 4 and 5 seem to assume a
 * guarantee that temporaries are destroyed in the reverse of their
 * construction order, but I actually can't find a statement that that
 * is true in the general case (beyond the two specific cases mentioned
 * there). However, it seems to be true.
 * These classes are intended to be used only via the macros immediately
 * below them:
 *   MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER declares (ifdef DEBUG) a member
 *     variable, and should be put where a declaration of a private
 *     member variable would be placed.
 *   MOZ_GUARD_OBJECT_NOTIFIER_PARAM should be placed at the end of the
 *     parameters to each constructor of the guard object; it declares
 *     (ifdef DEBUG) an additional parameter. (But use the *_ONLY_PARAM
 *     variant for constructors that take no other parameters.)
 *   MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL should likewise be used in
 *     the implementation of such constructors when they are not inline.
 *     the implementation of such constructors to pass the parameter to
 *     a base class that also uses these macros
 *   MOZ_GUARD_OBJECT_NOTIFIER_INIT is a statement that belongs in each
 *     constructor. It uses the parameter declared by
 * For more details, and examples of using these macros, see
class GuardObjectNotifier {
  bool* mStatementDone;

  GuardObjectNotifier() : mStatementDone(reinterpret_cast<bool*>(MOZ_POISON)) {}

  ~GuardObjectNotifier() {
    // Assert that the GuardObjectNotifier has been properly initialized by
    // using the |MOZ_GUARD_OBJECT_NOTIFIER_INIT| macro. A poison value is
    // used rather than a null check to appease static analyzers that were
    // (incorrectly) detecting null pointer dereferences.
    MOZ_ASSERT(mStatementDone != reinterpret_cast<bool*>(MOZ_POISON));
    *mStatementDone = true;

  void setStatementDone(bool* aStatementIsDone) {
    mStatementDone = aStatementIsDone;

class GuardObjectNotificationReceiver {
  bool mStatementDone;

  GuardObjectNotificationReceiver() : mStatementDone(false) {}

  ~GuardObjectNotificationReceiver() {
     * Assert that the guard object was not used as a temporary.  (Note that
     * this assert might also fire if init is not called because the guard
     * object's implementation is not using the above macros correctly.)
               "Guard object should not be used as a temporary.");

  void init(GuardObjectNotifier& aNotifier) {

} /* namespace detail */
} /* namespace mozilla */


#endif /* DEBUG */

#ifdef DEBUG
  ::mozilla::detail::GuardObjectNotificationReceiver _mCheckNotUsedAsTemporary;
#define MOZ_GUARD_OBJECT_NOTIFIER_PARAM                  \
  , ::mozilla::detail::GuardObjectNotifier&& _notifier = \
  ::mozilla::detail::GuardObjectNotifier&& _notifier = \
  , ::mozilla::detail::GuardObjectNotifier&& _notifier
  ::mozilla::detail::GuardObjectNotifier&& _notifier
#define MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT , ::std::move(_notifier)
  do {                                         \
    _mCheckNotUsedAsTemporary.init(_notifier); \
  } while (0)
  do {                                 \
  } while (0)

#endif /* __cplusplus */

#endif /* mozilla_GuardObjects_h */