On Aug 21, 2023, at 4:25 PM, Ryosuke Niwa via webkit-dev <webkit-dev@lists.webkit.org> wrote:

Hi all,

It has been a while since I last announced the plan to adopt smart pointers using clang static analyzer:
https://lists.webkit.org/pipermail/webkit-dev/2020-September/031386.html

Here are some updates.

1. We’ve made a progress in implementing all the rules including rules for local variables in clang static analyzer:
https://github.com/WebKit/WebKit/wiki/Smart-Pointer-Usage-Guidelines#rules-for-using-ref-counted-objects

2. We also have a new kind of smart pointers: CheckedRef / CheckedPtr. These behave like Ref and RefPtr in that they increment & decrement a counter in an object but unlike them don’t extend the lifetime of the object. Instead, the destructor of the base object release asserts that there are no live CheckedRef / CheckedPtr left.

I added a new section in the guide describing when to use each smart pointer type:
https://github.com/WebKit/WebKit/wiki/Smart-Pointer-Usage-Guidelines#when-to-use-which-smart-pointer

3. I wanted to describe what applying these smart pointer rules mean. A lot of code changes needed for this work involves creating Ref / RefPtr / CheckedRef / CheckedPtr in stack:
https://commits.webkit.org/267082@main

One subtle thing is that even when a member variable is already Ref / RefPtr / CheckedRef / CheckedPtr, we must create another one in stack as seen here:
https://commits.webkit.org/267108@main

(I asked rniwa to send this mail because this patch surprised me, so I hope now we can chat about it).

The scope of this rule, and the … lack of elegance … at so many callsites worries me a bit. If it’s possible to automate enforcement, that might help with part of the problem, but it’s also just really not very pretty, and I wonder if someone can come up with some clever alternative solution before we go too far down this path (not me!).

Alternatively, it’s possible other people OK with this syntax/requirement and I should just get over it. What do you all think?

This is because these member variables can be cleared during the course of invoking a non-trivial function; or put it another way, it’s not immediately obvious from the code inspection that the object pointed to stays alive over the course of a non-trivial function call.

- R. Niwa

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev