New linter (clang-tidy?) proposal
103 views
Skip to first unread message
Greg Thompson
Mar 13, 2025, 8:29:39 AMMar 13
to cxx
Hi folks. I recently landed a CL that de-virtuallized a handful of structs/classes that had some spiritual variant of:
struct Foo final {
...
virtual ~Foo() = default;
};
The reviewer on that CL suggested that it might be good to do a cleanup like this across the codebase. This provoked me into thinking that it could be quite useful to have some kind of linter that rejects (or at least remarks on) CLs with things like:
- a final class/struct with virtual (but not override) methods -- this makes no sense.
- a class/struct with a virtual dtor (or any virtual methods) with nothing derived from it -- this is wasteful.
- a class/struct with virtual methods but missing a virtual dtor (possibly declared in a base class) -- this is unsafe.
Thoughts?
Hans Wennborg
Mar 13, 2025, 9:12:21 AMMar 13
to Greg Thompson, cxx
On Thu, Mar 13, 2025 at 9:29 AM Greg Thompson <g...@chromium.org> wrote:
Hi folks. I recently landed a CL that de-virtuallized a handful of structs/classes that had some spiritual variant of:struct Foo final {...virtual ~Foo() = default;};The reviewer on that CL suggested that it might be good to do a cleanup like this across the codebase. This provoked me into thinking that it could be quite useful to have some kind of linter that rejects (or at least remarks on) CLs with things like:- a final class/struct with virtual (but not override) methods -- this makes no sense.
I like this and it seems straight-forward. Filed as https://github.com/llvm/llvm-project/issues/131108
- a class/struct with a virtual dtor (or any virtual methods) with nothing derived from it -- this is wasteful.
This needs whole-program analysis in general. Also an API may want to allow overriding functions, even if they aren't currently overridden. But for classes in anonymous namespaces it could be done. I've mentioned it in the bug above.
- a class/struct with virtual methods but missing a virtual dtor (possibly declared in a base class) -- this is unsafe.
Clang already has -Wnon-virtual-dtor for this: https://godbolt.org/z/s9f9W837o
--Thoughts?
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAKQnr0RFEX9coFYYoPh%2Bc04k4O4wvNA2Lde5pJPPV3PPa8f_Yw%40mail.gmail.com.
Greg Thompson
Mar 13, 2025, 9:18:42 AMMar 13
to Hans Wennborg, cxx
Thanks, Hans!
Regarding -Wnon-virtual-dtor, is it possible to run it on Chromium to find existing violations? I fixed one such in this recent CL I mentioned. I can imagine there must be more in there somewhere.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAB8jPhfNTTKNrVsmyPOgZp1S3E8HvA3p0FGk%2BYp8AuMHX5aE2w%40mail.gmail.com.
Hans Wennborg
Mar 13, 2025, 9:38:39 AMMar 13
to Greg Thompson, cxx
On Thu, Mar 13, 2025 at 10:18 AM Greg Thompson <g...@chromium.org> wrote:
Thanks, Hans!Regarding -Wnon-virtual-dtor, is it possible to run it on Chromium to find existing violations? I fixed one such in this recent CL I mentioned. I can imagine there must be more in there somewhere.
I think Chromium relies on -Wdelete-non-virtual-dtor which is a bit more pointed (only fires when actually calling delete on such a class, which is the dangerous use case).
I found https://crbug.com/41327406 "Consider turning on -Wnon-virtual-dtor for clang", but I don't know if there would be downsides in pursuing that. Others in this group may know the history and potential issues here better :-)
Mark Mentovai
Mar 13, 2025, 1:03:30 PMMar 13
to Hans Wennborg, Greg Thompson, cxx
Hans Wennborg wrote:
On Thu, Mar 13, 2025 at 10:18 AM Greg Thompson <g...@chromium.org> wrote:Thanks, Hans!Regarding -Wnon-virtual-dtor, is it possible to run it on Chromium to find existing violations? I fixed one such in this recent CL I mentioned. I can imagine there must be more in there somewhere.I think Chromium relies on -Wdelete-non-virtual-dtor which is a bit more pointed (only fires when actually calling delete on such a class, which is the dangerous use case).I found https://crbug.com/41327406 "Consider turning on -Wnon-virtual-dtor for clang", but I don't know if there would be downsides in pursuing that. Others in this group may know the history and potential issues here better :-)
I don’t like -Wnon-virtual-dtor when better alternatives are available, like -Wdelete-non-virtual-dtor.
If a base class’ destructor is protected, it doesn’t really need to be virtual. In that case, an object of that type can only be deleted (by code outside of the class hierarchy) through a derived class pointer’s public destructor, which is safe, particularly if the derived class is final. -Wnon-virtual-dtor forces the base class’ destructor to become virtual, even in this case where it isn’t necessary for correctness.
Peter Kasting
Mar 13, 2025, 2:05:44 PMMar 13
to Hans Wennborg, Greg Thompson, cxx
Within the past two months I have had to fix a bug this warning would have caught, which took me hours to track down (and help from someone else).
While I respect Mark's comment, as long as enabling this doesn't start forcing us to make non-virtual classes virtual just to silence a warning, it seems like there's little downside to having a vtable entry for the destructor, and the existing warning is clearly insufficient to catch real problems. It's also easier to explain and understand "base classes with virtual methods should have a virtual destructor".
PK
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAB8jPhcqBJkn6rKFSGn9MCb_x2jCOb%3Dzwz-W4t9Z1VJdmFq1UQ%40mail.gmail.com.
Joe Mason
Mar 13, 2025, 2:19:43 PMMar 13
to Peter Kasting, Hans Wennborg, Greg Thompson, cxx
Can you give more context on why -Wdelete-non-virtual-dtor didn't catch that bug?
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFC_A68426UbJ9b_ZwLCFTz1Zk39ApXcT0NFUs2HU845Yg%40mail.gmail.com.
Devon Loehr
Mar 13, 2025, 2:21:53 PMMar 13
to cxx, Peter Kasting, Hans Wennborg, Greg Thompson
I'll take a look at this, filed crbug.com/403236787 as a tracking bug for the first two suggestions. Seems like enabling -Wnon-virtual-dtor is a separate discussion that already has several related bugs.
Nico Weber
Mar 13, 2025, 2:27:52 PMMar 13
to Peter Kasting, Hans Wennborg, Greg Thompson, cxx
On Thu, Mar 13, 2025 at 10:05 AM Peter Kasting <pkas...@chromium.org> wrote:
Within the past two months I have had to fix a bug this warning would have caught, which took me hours to track down (and help from someone else).
Do you have a link to that bug?
Back when I looked into this (13 years ago, so I might misremember things), -Wnon-virtual-dtor was very noisy and didn't find any actual bug that Wdelete-non-virtual-dtor didn't also find. That's why crbug.com/41327406 got duped into crbug.com/40576935.
There was one issue where that warning didn't fire under certain circumstances that we fixed (https://github.com/llvm/llvm-project/issues/28834).
It'd be good to understand why it didn't help here; hopefully we can figure it out and make Wdelete-non-virtual-dtor work, instead of looking at Wnon-virtual-dtor.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFC_A68426UbJ9b_ZwLCFTz1Zk39ApXcT0NFUs2HU845Yg%40mail.gmail.com.
Mark Mentovai
Mar 13, 2025, 4:04:20 PMMar 13
to Peter Kasting, Hans Wennborg, Greg Thompson, cxx
Peter Kasting wrote:
Within the past two months I have had to fix a bug this warning would have caught, which took me hours to track down (and help from someone else).While I respect Mark's comment, as long as enabling this doesn't start forcing us to make non-virtual classes virtual just to silence a warning, it seems like there's little downside to having a vtable entry for the destructor,
It’s not just a vtable entry, it’s also having to make destructor calls through that entry.
The indirection can be avoided if the derived class is final, but there’s little hint or indication that final might be a good idea if you’ve already marked the base class’ destructor virtual.
and the existing warning is clearly insufficient to catch real problems.
I’d like to understand more about that, because my experience doesn’t agree. -Wdelete-non-virtual-dtor does catch the problems that matter, while avoiding a substantial body of false positives that come with -Wnon-virtual-dtor.
It's also easier to explain and understand "base classes with virtual methods should have a virtual destructor".
If the warning fires when it needs to, there isn’t that much to explain, but if you do want to explain it, it’s only two more words to say “or protected”.
Interface classes as used for delegates are often a great opportunity to deploy a protected destructor. When nobody deletes through an interface class pointer because the objects aren’t owned in that form, there’s no reason to force vtable indirecton on unrelated deletes of derived objects either.
protected destructors may be a more advanced technique, but they’re a valid technique that I don’t see any reason to discourage. Engineers will probably only write them because they know what they’re doing, and we shouldn’t adopt an overly-broad warning that forbids their use as collateral damage, when better alternatives are available.
If you’re able to dig up the cases where -Wdelete-non-virtual-dtor let you down, we should focus on fixing them, rather than reaching for the over-broad -Wnon-virtual-dtor.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFC_A68426UbJ9b_ZwLCFTz1Zk39ApXcT0NFUs2HU845Yg%40mail.gmail.com.
Peter Kasting
Mar 17, 2025, 7:28:06 PMMar 17
to Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
On Thu, Mar 13, 2025 at 9:04 AM Mark Mentovai <ma...@chromium.org> wrote:
I’d like to understand more about that, because my experience doesn’t agree. -Wdelete-non-virtual-dtor does catch the problems that matter, while avoiding a substantial body of false positives that come with -Wnon-virtual-dtor.
I finally had time to look this back up.
The problem happened in https://chromium-review.googlesource.com/c/chromium/src/+/6166130/3, though I'd avoid trying to read through that as there are a ton of other failures masking this issue and the change is complex. The core of the issue is multiple inheritance + virtual methods on one base class + deleting through a pointer to the _other_ base class, a la:
class NoVirtuals {
static void FuncA();
};
class HasVirtuals {
virtual void FuncB();
};
class Concrete : public NoVirtuals, public HasVirtuals {
Concrete();
~Concrete() override;
};
std::unique_ptr<NoVirtuals> Factory() {
return std::make_unique<Concrete>();
}
auto instance = Factory();
instance.reset(); // Boom
The errors I got from this were very strange, e.g. "attempt to call delete() from inside of free()", but they boiled down to NoVirtuals having an autogenerated non-virtual destructor that was invoked when we tried to destroy instance, which didn't correctly deal with the fact that the actual object was a subclass. This generated no warnings.
I suspect -Wnon-virtual-dtor doesn't save you here either, because NoVirtuals has no virtual methods to tell the compile something is amiss. What we need is to warn in the case of "class with vtable inherits from class without", or at least "...and you delete through a pointer to the class without". Not sure if this falls in the scope of -Wdelete-non-virtual-dtor.
I have not yet tried to reduce this to something in godbolt I can file with LLVM (I will do so this afternoon), but the pattern above, while uncommon, isn't unknown in e.g. UI code.
PK
Mark Mentovai
Mar 17, 2025, 7:57:27 PMMar 17
to Peter Kasting, Hans Wennborg, Greg Thompson, cxx
Peter Kasting wrote:
Neither -Wnon-virtual-dtor nor -Wdelete-non-virtual-dtor can see this problem. Fundamentally, vtables have nothing to do with this, and the presence of a vtable offers no useful signal, other than a hint that a derived class may be used through a base pointer. Here, the code is buggy without typing virtual even a single time. Replace HasVirtuals with AlsoNoVirtuals, and make AlsoNoVirtuals::FuncB non-virtual. You’ll observe the same problem.
It doesn’t take multiple inheritance to write this sort of bug. More generally:
#include <stdio.h>
class Base {
public:
~Base() { printf("Base::~Base\n"); }
};
class Derived : public Base {
public:
~Derived() { printf("Derived::~Derived\n"); }
};
int main(int, char *[]) {
Derived * derived = new Derived();
Base * base = static_cast<Base *>(derived);
delete base;
return 0;
}
class Base {
public:
~Base() { printf("Base::~Base\n"); }
};
class Derived : public Base {
public:
~Derived() { printf("Derived::~Derived\n"); }
};
int main(int, char *[]) {
Derived * derived = new Derived();
Base * base = static_cast<Base *>(derived);
delete base;
return 0;
}
But I don’t think we can feasibly forbid delete on anything non-virtual and non-final, even if only because we haven’t applied final judiciously throughout the codebase.
Peter Kasting
Mar 17, 2025, 8:18:45 PMMar 17
to Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
Yeah, fundamentally this is getting at "if you want polymorphism you need things to be virtual". Agree with all your comments; I suppose with whole program optimization we might be able to warn on cases when we know we're deleting through a pointer to a class with non-virtual destructor that is actually subclassed. But we wouldn't have that info all the time.
I wonder if we could use scripts to mark classes "final" when possible and then do something like the warning you propose. There might be side benefits to codegen too. It could be more hassle than it's worth, but I wouldn't write it off immediately.
PK
Peter Kasting
Mar 17, 2025, 8:51:35 PMMar 17
to Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
More thought: could we warn whenever a class publicly inherits from another class, whose dtor is neither protected nor virtual? I realize this is even _more_ zealous than -Wnon-virtual-dtor and thus people are unlikely to be happy about it -- but it seems more tractably achievable than "all leaf classes must be marked final".
PK
Daniel Cheng
Mar 17, 2025, 9:24:42 PMMar 17
to Peter Kasting, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
I'm almost 100% sure we have instances of this today where the dtors are intentionally public. I feel this warning would be disruptive without providing proportional benefit.
Daniel
On Mon, 17 Mar 2025 at 13:51, Peter Kasting <pkas...@chromium.org> wrote:
More thought: could we warn whenever a class publicly inherits from another class, whose dtor is neither protected nor virtual? I realize this is even _more_ zealous than -Wnon-virtual-dtor and thus people are unlikely to be happy about it -- but it seems more tractably achievable than "all leaf classes must be marked final".PK
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/cxx/CAAHOzFASZXfmVGNCjajzTgWHrQ_67UV6Exu6aC08%2BeMMV--6hw%40mail.gmail.com.
Peter Kasting
Mar 17, 2025, 9:27:43 PMMar 17
to Daniel Cheng, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
On Mon, Mar 17, 2025 at 2:24 PM Daniel Cheng <dch...@chromium.org> wrote:
I'm almost 100% sure we have instances of this today where the dtors are intentionally public. I feel this warning would be disruptive without providing proportional benefit.
Can you sketch that out more? If the dtor is intentionally public-not-protected, we want people to be able to delete through that class. But if it's also non-virtual AND the class is inherited from, we have a land mine. What's a case where both "make virtual" and "make protected" wouldn't be a net improvement to the code here?
PK
Daniel Cheng
Mar 17, 2025, 9:34:25 PMMar 17
to Peter Kasting, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
It's only problematic if someone polymorphically deletes it through a pointer. Such classes can safely live on the stack.
Daniel
PK
Peter Kasting
Mar 17, 2025, 9:42:56 PMMar 17
to Daniel Cheng, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
Sure, but in that case their destructors could have been protected, right? I'm wondering about the "intentionally public" destructor part here.
PK
Daniel Cheng
Mar 17, 2025, 10:52:30 PMMar 17
to Peter Kasting, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
Sure, but in that case their destructors could have been protected, right? I'm wondering about the "intentionally public" destructor part here.\
We do say "prefer composition over inheritance", but the fact remains that we use inheritance a lot. It's not uncommon to see code use inheritance to add a bit of additional functionality to a class that's already used elsewhere, just because it's convenient.
In these cases, one workaround I see appearing is a BaseBase class with all the logic + a protector destructor, and a Base class that does nothing other than inherit BaseBase with a public dtor.
Daniel
PK
Peter Kasting
Mar 17, 2025, 11:00:57 PMMar 17
to Daniel Cheng, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
On Mon, Mar 17, 2025 at 3:52 PM Daniel Cheng <dch...@chromium.org> wrote:
On Mon, 17 Mar 2025 at 14:42, Peter Kasting <pkas...@chromium.org> wrote:Sure, but in that case their destructors could have been protected, right? I'm wondering about the "intentionally public" destructor part here.\We do say "prefer composition over inheritance", but the fact remains that we use inheritance a lot. It's not uncommon to see code use inheritance to add a bit of additional functionality to a class that's already used elsewhere, just because it's convenient.
We do indeed do that a lot, but almost always with a virtual destructor, in which case this would be fine.
When the destructor isn't virtual... I'm kinda not sympathetic to "the base class had no intent to ever be reused, and there's nothing virtual in it today, but I nevertheless want to extend it via inheritance, and I don't think the compiler should ask me to make the destructor virtual in such a case". That's not "safe, sane usage that is a false positive to warn on", that's atypical poor practice with good alternative routes. If we have a lot of that combo of things today, then even if we're only rarely bitten by them in practice, I wouldn't consider a warning that forces us to fix them to be full of "false positives" so much as "not-yet-exploded land mines".
In these cases, one workaround I see appearing is a BaseBase class with all the logic + a protector destructor, and a Base class that does nothing other than inherit BaseBase with a public dtor.
Not sure how to parse this; do you mean "foresee appearing" or "see happening already today", and are you describing this pattern as desirable or undesirable? I'm reading it as "foresee" and "undesirable", but I would be surprised if many people would go to this length over either using composition (like we wanted, but a minority will actually do) or marking the base class' destructor virtual (which is at least less bad than inheritance without doing that).
PK
Daniel Cheng
Mar 17, 2025, 11:09:15 PMMar 17
to Peter Kasting, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
On Mon, 17 Mar 2025 at 16:00, Peter Kasting <pkas...@chromium.org> wrote:
On Mon, Mar 17, 2025 at 3:52 PM Daniel Cheng <dch...@chromium.org> wrote:On Mon, 17 Mar 2025 at 14:42, Peter Kasting <pkas...@chromium.org> wrote:Sure, but in that case their destructors could have been protected, right? I'm wondering about the "intentionally public" destructor part here.\We do say "prefer composition over inheritance", but the fact remains that we use inheritance a lot. It's not uncommon to see code use inheritance to add a bit of additional functionality to a class that's already used elsewhere, just because it's convenient.We do indeed do that a lot, but almost always with a virtual destructor, in which case this would be fine.When the destructor isn't virtual... I'm kinda not sympathetic to "the base class had no intent to ever be reused, and there's nothing virtual in it today, but I nevertheless want to extend it via inheritance, and I don't think the compiler should ask me to make the destructor virtual in such a case". That's not "safe, sane usage that is a false positive to warn on", that's atypical poor practice with good alternative routes. If we have a lot of that combo of things today, then even if we're only rarely bitten by them in practice, I wouldn't consider a warning that forces us to fix them to be full of "false positives" so much as "not-yet-exploded land mines".
Whether or not it's something that's a good idea (e.g. scales well, is maintainable) is different from whether or not it is safe. It is safe *except* when deleted polymorphically. There are plenty of instances in our codebase where we don't need to polymorphically delete, just because it's not owned by a unique_ptr or otherwise heap allocated; those are precisely the instances it's perfectly safe to avoid using virtual at all.
We can say "don't use inheritance at all; use composition", but there can be a *lot* of boilerplate delegation with composition too.
In these cases, one workaround I see appearing is a BaseBase class with all the logic + a protector destructor, and a Base class that does nothing other than inherit BaseBase with a public dtor.Not sure how to parse this; do you mean "foresee appearing" or "see happening already today", and are you describing this pattern as desirable or undesirable? I'm reading it as "foresee" and "undesirable", but I would be surprised if many people would go to this length over either using composition (like we wanted, but a minority will actually do) or marking the base class' destructor virtual (which is at least less bad than inheritance without doing that).
I think there will be at least some group of people who would be motivated to avoid adding vtables where they don't already exist and this is the most straightforward path to that goal. I certainly would consider such a workaround over adding virtual. :)
I am sympathetic to the problem, but my personal feeling is that this is a warning that's more annoying than useful.
PK
Peter Kasting
Mar 17, 2025, 11:28:37 PMMar 17
to Daniel Cheng, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
Whoops, somehow only sent this to Daniel. Trying again...
On Mon, Mar 17, 2025 at 4:09 PM Daniel Cheng <dch...@chromium.org> wrote:
Whether or not it's something that's a good idea (e.g. scales well, is maintainable) is different from whether or not it is safe. It is safe *except* when deleted polymorphically.
The deletion is safe if the subclass is stack-allocated, yes. Inheriting from a no-vtable public-destructor class is still potentially "unsafe" in other ways (e.g. if you hide a nonvirtual method in the base class, that may or may not be safe; the compiler can't tell), and it's certainly a signal that you're using the base class in ways its authors likely didn't anticipate.
We can say "don't use inheritance at all; use composition", but there can be a *lot* of boilerplate delegation with composition too.
There are certainly reasons to use inheritance over composition sometimes, but I'm not convinced any of them justify this particular sort of construction.
In these cases, one workaround I see appearing is a BaseBase class with all the logic + a protector destructor, and a Base class that does nothing other than inherit BaseBase with a public dtor.Not sure how to parse this; do you mean "foresee appearing" or "see happening already today", and are you describing this pattern as desirable or undesirable? I'm reading it as "foresee" and "undesirable", but I would be surprised if many people would go to this length over either using composition (like we wanted, but a minority will actually do) or marking the base class' destructor virtual (which is at least less bad than inheritance without doing that).I think there will be at least some group of people who would be motivated to avoid adding vtables where they don't already exist and this is the most straightforward path to that goal. I certainly would consider such a workaround over adding virtual. :)
OK. I think that would be extremely rare, and I think people doing that, while unfortunate, is _still_ less bad than what we have today.
I am sympathetic to the problem, but my personal feeling is that this is a warning that's more annoying than useful.
It's hard to definitively answer who's correct without actual data. It's hard to collect such data when no such warning exists. Filed https://github.com/llvm/llvm-project/issues/131693 to suggest it.
PK
Adam Rice
Mar 18, 2025, 1:12:02 AMMar 18
to Peter Kasting, Daniel Cheng, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
I support the warning proposed by Peter. It would be nice if we could suppress the warning for classes marked STACK_ALLOCATED() but I don't see how that could be integrated with Clang.
For existing violations, maybe adding a
#define VIRTUAL_DESTRUCTOR_NEEDS_TRIAGE virtual
macro would be useful to get code owners to think about what they actually need?
I worry that there may be third-party code that forces us to use unsafe patterns, but without the warning implemented it's hard to tell.
--
You received this message because you are subscribed to the Google Groups "cxx" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cxx+uns...@chromium.org.
Daniel Cheng
Mar 18, 2025, 5:41:02 AMMar 18
to Adam Rice, Peter Kasting, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
I'm just going to point out that there are 2200+ existing violations using the suggested heuristics: https://docs.google.com/spreadsheets/d/1xmezGru9k5h_H2zf4dV1l8lsE5hYjdnlZOuQtfR8BVs/edit?usp=sharing
The vast majority of these are not problematic. Forcing them to be virtual or jump through other hoops doesn't seem like the best use of a warning.
Daniel
Mark Mentovai
Mar 18, 2025, 11:00:58 AMMar 18
to Daniel Cheng, Adam Rice, Peter Kasting, Hans Wennborg, Greg Thompson, cxx
I agree with you, Daniel.
The proposed warning bends the language to suit a very narrow ideal. There will be collateral damage.
Peter Kasting
Mar 18, 2025, 2:59:58 PMMar 18
to Daniel Cheng, Adam Rice, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
Thanks for collecting that!
That's similar in magnitude to what -Wshadow was before I fixed all those. It's certainly significant, but nowhere near the cost of the unsafe narrowing earnings (which we decided not to do) or the unsafe buffer usage warnings (which we're fixing).
I don't think I'd characterize marking the destructor protected when that's easy as "jumping through hoops". And I wouldn't reach for something like the BaseBase ugliness you suggested. When marking the base destructor protected is impossible, just mark it virtual. The cost of having the destructor call be virtual is negligible in all but very, very narrow circumstances -- namely, object destruction inside a tight loop, which has other problems already.
If we don't want to do this, we don't do it. But the destructor bug I got hit with in January burned hours and would have been more if Jeremy hadn't helped me out, and it wasn't the first such bug I've encountered in chrome. Other folks in Chrome have described hitting such bugs too. Doubtless some of your 2200 are real bugs. If these were all fixed, would the ongoing cost of further compliance be higher than the savings from not having this subtle thing bite us? I don't believe so, no; it's trivial to address this warning when it comes up while you're writing new code.
So I disagree with Mark's characterization of this as imposing "collateral damage" or "twisting" anything. To me that is using hyperbole to try to frame the issue so the desired conclusion is the only reasonable one. I believe reasonable people could make either decision here, and if the llvm folks do decide to add such a warning I would be happy to volunteer my time to look into the effects of enabling it.
PK
Adam Rice
Mar 24, 2025, 9:58:28 AMMar 24
to Peter Kasting, Daniel Cheng, Mark Mentovai, Hans Wennborg, Greg Thompson, cxx
I looked at a handful of the items on the list, and I would not characterise them as "not problematic". All of the ones I saw were doing inheritance of implementation, usually just to save writing a few delegating methods. If anything, they make a compelling argument in favour of enforcing the proposed warning as a means of discouraging abuse of inheritance.
Reply all
Reply to author
Forward
0 new messages