Migrate NOTREACHED() macro to be [[noreturn]] |
|
Issue description
base/logging.h provides a NOTREACHED() macro to annotate code paths which we never expect to reach (e.g. in the bodies of virtual methods that can never be called in a particular implemented).
Today in most Chromium builds NOTREACHED() expands to DCHECK(false), i.e:
- It will log a message in DCHECK-enabled builds, and call-sites can append extra information to the logged message.
- It is a noop in non-DCHECK builds, so call-sites must still be written as though it could be reached, e.g. by adding dummy "returns", or following it with "break" in switch statements, etc.
We would like to instead have NOTREACHED() be [[noreturn]] annotated, so that call-sites need no longer provide unused fallback code. One possible implementation would be:
#define NOTREACHED() { DLOG(FATAL) << "NOTREACHED() hit."; IMMEDIATE_CRASH(); }
i.e. Log a FATAL error message in DCHECK builds, otherwise crash, and be [[noreturn]] in all builds.
Potential issue:
1. ChromeOS non-DCHECK builds treat NOTREACHED() as LOG(ERROR).
- Proposed implementation will crash rather than logging. Shouldn't be an issue, otherwise ChromeOS logs would be filled with NOTREACHED() logging.
2. Many call-sites append information to NOTREACHED().
- Is the additional information actually useful? Should those call-sites be [D]CHECKs or similar instead?
- If we do need ability to append data then we'll need a LogMessage specialization with a [[noreturn]] destructor.
3. Many call-sites follow NOTREACHED() with fallback code, to satisfy the compiler.
- Much of the fallback code (e.g. FALLTHROUGH(); annotations immediately following NOTREACHED() in switch cases), will need removing.
4. Albatross and coverage builds have special non-fatal CHECK/DCHECK configurations.
- NOTREACHED() will be fatal in both Release and Debug, so no change for Albatross config.
- Hopefully not an issue for coverage build, since NOTREACHED() should clearly not be "covered" by tests.
5. Binary size/performance impact.
- NOTREACHED() is currently a noop in Release builds; this change will introduce 5 bytes of crash instruction at each of ~6,000 call-sites, in x86 builds.
- Addition of [[noreturn]]/__builtin_unreachable() annotations to IMMEDIATE_CRASH() and TerminateCurrentProcessImmediately() gave slight size reduction, presumably due to optimizer removing unreachable code.
,
Jun 23 2018
Proposed plan: 1. Define NOTREACHED() as CHECK(false), to flush out sites that are hitting the no-op or LOG-only behaviour in Release builds. 2. Iterate through call-sites removing log parameters. 3. Re-define NOTREACHED() to be IMMEDIATE_CRASH(), with an opt-out via macro definition for targets that need it. 4. Run through the opted-out targets, fixing the FALLTHROUGH sites and removing the macro. 5. Remove the NOTREACHED opt-out macro from base/logging.h. #inf. Happy dance. |
|
►
Sign in to add a comment |
|
Comment 1 by w...@chromium.org
, Jun 8 2018Status: Assigned (was: Untriaged)