Transcript
[ Background Conversations ]
[ Applause ]
>> Hello. Welcome to What's New
in LLVM.
I'm Devin, an engineer on the
Program Analysis Team.
We've got a lot of great, new
features to tell you about
today.
We'll start by introducing you
to availability checking for
Objective-C.
This will help you safely deploy
your apps back to older OS's.
Then, we'll describe new static
analyzer checks and compiler
warnings to help you find bugs.
We'll dive into some fantastic,
new features for C++ developers,
including a tour of refactoring
support for C++ in Xcode, and
wrap up with an update on
link-time optimization.
Let's start with availability
checking.
Every major OS release comes
with great, new features, and
your customers expect you to
adopt these APIs in your apps.
But you still have to support
your users on older OS's where
those APIs aren't available.
On our platforms, we support
backwards deployment by
separating the Base SDK version
from the deployment target
version.
What this means is that you will
always compile against the
newest SDK, even when deploying
back to older OS's.
So for example, in Xcode 9, you
use the iOS 11 SDK, and if your
app only targets iOS 11, you'll
use that as the deployment
target as well.
But I know a lot of you will
want to support your users on
iOS 10 to give them a chance to
upgrade.
To do that, you can go to your
Build settings and select 10.0
for your deployment target.
This is a promise on the part of
your app that it will support
all versions of iOS 10 and
greater.
Now, this can be tricky because
it's only safe to call APIs that
are actually available on the
running OS.
If you call in newer API on an
older OS, then your app could
crash or have other unexpected
behavior.
In the past, we've recommended
querying the Objective-C runtime
to determine whether an API is
available.
But this was easy to get wrong
or even forget, and it was hard
to test.
Further, it required a different
syntax for checking each of
globals, functions, classes,
instance methods, and class
methods.
Now, those of you using Swift
may be wondering, what's the big
deal here?
Swift has a unified syntax,
#available, for querying API
availability at runtime, and the
compiler can even catch missing
availability checks at compile
time.
For more information on
availability in Swift, you
should check out the Swift in
Practice talk from WWDC 2015.
Today we brought Swift-style
availability checking to
Objective-C.
[ Applause ]
I would love to tell you about
it.
So suppose you have an app that
you're deploying back to iOS 10
and you decide to take advantage
of the fantastic, new face
detection APIs from the Vision
framework in iOS 11.
When you add these APIs to your
app and then build, you will now
get a compiler warning telling
you that these APIs are only
available in iOS 11 or newer.
You can address these warnings
by using the new @available
construct to query for API
availability.
This will return true when iOS
11 APIs are available.
It's safe to call them.
And if they're not, you can
provide a fallback.
Let's take a closer look at the
query.
As I mentioned, on iOS 11 or
greater, this will return true.
The star is required.
It indicates that on all other
platforms, the query always
returns true.
What this means is that if you
decide to port your app to
another platform -- say, macOS
-- then by default it will take
advantage of the new face
detection APIs.
Of course, the compiler will
still warn you if your port to
macOS supports an earlier
deployment target where those
APIs aren't available.
So you'll need to add a check.
Once you've been working with
availability for a while, you
will find that it's really
useful to write entire methods
that will only be called on iOS
11 or greater.
You can annotate these methods
with the new API availability
macro.
Then, inside that method, you
don't need to use @available to
check for availability, but
anyone who calls the method will
need to do so.
Otherwise, they'll get a
warning.
You can similarly apply this to
entire classes.
Then, you don't need to use
@available inside the class, but
anyone who instantiates it will
need to do so.
Now, availability checking is
not just for Objective-C.
We also support C and C++ with
the builtin available query.
This acts exactly like
@available.
It has the same syntax.
It just has a different name
that's compatible with C and
C++.
You can also use the API
availability macro in C, but you
will need to include the os
availability.h header to get
access to it.
And you can even annotate your
C++ class definitions.
All right, so how's this going
to work in practice?
For existing projects, we will
warn starting with APIs
introduced in iOS 11, tvOS 11,
macOS 10.13, and watchOS 4.
APIs from older SDKs will not be
checked at compile time.
This means that you won't need
to change any existing code, but
if you do decide to adopt the
new APIs, you'll need to use
@available to check for them.
We think this is the best and
safest way to check for
availability, and so we highly
encourage you to use it.
For new projects, all APIs will
be checked at compile time.
This means you'll need to use
@available for all APIs
introduced after your deployment
target.
Existing projects can opt in to
this all-API behavior by going
to the Build settings and
selecting Yes (All Versions) for
the Unguarded availability
setting.
This is going to make it a lot
easier to safely deploy your
apps back to older OS's.
So that's availability checking.
You could say it's now
@available for C, C++, and
Objective-C.
[ Applause ]
All right, let's move on to the
static analyzer.
The analyzer is great at
catching hard-to-reproduce
edge-case bugs, and it can even
show you the sequence of
corner-case events that led to
those bugs.
Today I'm going to tell you
about three new checks that
we've added to the analyzer: a
check for suspicious comparison
of NSNumber, a check for use of
dispatch once on instance
variables, and a check for
auto-synthesized copy properties
of NSMutable type.
A particularly pernicious bug is
to mistakenly compare an
NSNumber pointer value to the
scalar zero because this
actually compares to nil and not
the zero NSNumber instance.
Here's an example of how this
can be a problem.
In the hasPhotos method, the
programmer intends to return no
when the photo album is empty,
but because they're comparing
the photo count to nil, this
will actually return yes, even
when photo count holds the zero
NSNumber instance.
And so the analyzer will now
warn about this.
You can fix this error by
instead calling the integerValue
property to compare integers to
integers.
This is safe.
There's a similar problem with
implicit conversions to Booleans
because these also check for nil
and not the zero number.
This method counts the number of
faces in a photo, and since this
is an expensive operation, it
returns early if they've already
been counted.
But someone reading this code
might find it ambiguous.
Did the programmer intend to
return early if face count was
non-nil or non-zero?
The analyzer will now warn about
this kind of ambiguity.
In this case, the programmer
meant non-nil, and so she can
express her intent directly in
the code and silence the
analyzer warning by adding the
comparison explicitly.
You can control the level of
this check in your Build
setting.
If you choose Yes (Aggressive),
then the analyzer will warn when
it's not sure that you've made a
mistake, but it does think your
code is ambiguous.
Let's move on to dispatch once.
Grand Central Dispatch provides
a fantastic API, dispatch once,
that guarantees that a block is
called once and only once.
It is really useful for safely
initializing shared global
state.
In this example, the programmer
uses it to load and initialize a
shared array of photos.
The first argument to dispatch
once is the address of a
variable of a special type,
dispatch once t.
Grand Central Dispatch uses this
to make sure that the block is
only called once.
Now, it's really important that
this variable be either a static
or a global variable.
That's because if it's ever been
the case that the variable held
a non-zero value in the past,
then Grand Central Dispatch
might not be able to make the
once and only once guarantee in
multithreaded code.
What this means is that it's not
safe to use dispatch once t in
instance variables or, indeed,
in any other memory on the heap
that might have been reused.
And so the analyzer will now
warn about this.
To fix this, you can use your
favorite non-recursive lock.
Here I'll use NSLock, but you
could use OSUnfairLock or a
pthread mutex as well.
After acquiring the lock, check
to see whether the data's
initialized, and if not,
initialize it, and then don't
forget to release the lock.
This will guarantee that the
data's initialized once and only
once, exactly like you expect.
Finally, I'm going to tell you
about a check that we've added
for auto-synthesized copy
properties of NSMutable types.
Copy properties call the copy
method in their setter on the
passed-in value to story a copy.
But calling copy on a mutable
array results in an immutable
copy.
Here's how this can be a
problem.
It, this method tries to reset
the photos property by setting
it to an empty mutable array and
then adding in a single photo.
Unfortunately, this will lead to
a really nasty surprise at
runtime because you can't add an
object to an immutable array.
You'll get an exception.
The analyzer will now warn you
about these kinds of properties
to help you prevent this runtime
exception.
The fix here is simple.
All you need to do is write the
setter explicitly to have it
call mutableCopy.
This guarantees that your
property always holds a mutable
array.
So those are just three of the
new checks that we've added to
the analyzer this year.
You should run it on your code.
It will help you find bugs.
To do that, choose Analyze from
Xcode's Product menu.
You could even have Xcode run
the analyzer on every compile by
going to your Build settings and
enabling Analyze During 'Build.'
This will help you catch your
bugs early and often.
If you're interested in other
tools to help you find bugs, I
highly encourage you to check
out finding bugs using Xcode
runtime tools online.
So that's what's new in the
analyzer.
I'm not going to hand it over to
Duncan, who will tell us about
new compiler warnings.
[ Applause ]
>> Thanks, Devin.
Xcode 9 comes with over 100 new
errors and warnings to help find
bugs in your code.
Let's talk about two warnings
that are important for
Objective-C.
Under ARC, most parameters are
safe to capture in blocks.
In this example, the
validateDictionary usingChecker
method takes an NSDictionary and
visits every entry by calling
enumerateKeysAndObjects
UsingBlock.
Block captures the checker
parameter.
This is safe and works really
well.
Notice the checkObject forKey
can fail.
The block sets stop to yes to
abort the enumeration early.
Since this is a validation
method, it should also return
BOOL and create an NS error.
Let's make that change.
OK. Let's walk through the code.
Before enumerating, isValid is
set to yes.
The block runs the checker and
returns on success.
If the checker fails, isValid is
set to no and an NS error is
created.
After enumerating, isValid is
returned, but there's a bug
here.
Out parameters like error are
implicitly autoreleasing.
Assigning to them is not safe in
a block.
enumerateKeysAndObjects
UsingBlock calls the block
inside an autorelease pool.
When it returns, the NS error
will get destroyed as well.
It isn't safe to use.
In Xcode 9, this unsafe capture
will trigger a warning.
The easiest fix is to make the
out parameter a strong
reference.
This will keep the value alive
across any autorelease pools.
This works as long as all
callers of validateDictionary
usingChecker are using ARC.
The other option is to use a
local block variable.
Here strongError is initialized
to nil.
If the enumeration stops early,
strongError safely stores the NS
error.
Then, the out parameter is
updated after the enumeration is
complete.
That's the first warning.
Let's move on to the second.
In this example, the function
foo is declared without any
parameters.
In C and Objective-C, that means
that foo can be called with any
number or type of argument.
A function with an empty
parameter list is called a
non-prototype declaration.
This behavior dates from the
early days of C where parameters
were only listed at function
definitions, but this
declaration is not type safe.
This is never really what you
want.
Calls that don't match the
definition can crash at runtime.
In Xcode 9, the compiler has a
new warning that enforces strict
prototypes.
Usually, the fix is to add void.
This specifies exactly zero
parameters.
Any calls with arguments will
give an error.
Since function pointers and
blocks have a common declaration
syntax with functions, you'll
also see this if you have a
function or method that takes a
block as an argument.
The fix is the same as with
function declarations.
Add void to specify exactly zero
parameters.
Then, you'll get an error if you
pass in a block with the wrong
type.
Xcode's project modernization
will turn these warnings on in
your Build settings, or you can
upgrade later by selecting your
project and choosing Validate
Settings from the Editor menu.
You can also upgrade new
warnings to errors by selecting
Yes (Error) in the Build
settings.
That's it today for new
warnings.
Let's move on to C++.
This year, we've put a lot of
effort into improving the C++
experience in Xcode.
That includes refactoring
support.
We support a lot of operations.
I'd like to give a short tour of
using Xcode to refactor LLVM.
This is a large C++ code base
that shows off the engine.
But even if you're not a C++
developer, you could still get
an idea of how refactoring in
Xcode can improve your work
flow.
I started at a member function
definition from the InstCombiner
class.
This is a utility for combining
instructions.
I never liked the Inst short
form for instruction, so I
Command-clicked in Xcode and
selected Rename.
This worked even though I wasn't
at the class declaration.
InstructionCombiner is more
clear to me.
Xcode updated the name in place.
This saved me a lot of hunting
around.
I double-checked the class
declaration.
It was updated too.
So was its use in the CRTP base
class, InstVisitor.
InstVisitor uses the same short
form, and so does
InstCombineWorklist.
But I had better leave those for
a separate commit.
Since changing a class name from
one of its member functions
worked, I moved on to something
even more complicated.
I went to a template
specialization for simplified
type, a utility we use on smart
pointers and custom iterators.
I think the function
getSimplifiedValue is named
wrong.
It should use STL naming
conventions like its class name.
I selected Rename again.
Tying together template
specializations from across the
project is complicated, but
Xcode can handle it.
The specialization I was looking
at was updated and so was the
main template declaration.
There's another specialization
right below, and it was fixed
too.
Next, I moved to Constants.h,
where we have a class called
ConstantInt for representing
constant integers.
It has nice convenience
functions for getting true and
false values.
I added declarations for a
getMax function to get the
maximum integer value.
Then, I Command-clicked and
generated the missing function
definitions for each of them.
Here they are in Constants.cpp.
What I like about this is where
the functions showed up in the
file.
My new definitions were
generated after the last member
functions defined for the same
class, ConstantInt, but before
the member functions for the
next class.
This is exactly where I want
them.
[ Applause ]
LVM has lots of code for
representing integers.
I had a look at this greatest
common divisor function, and I
noticed a local variable, Pow2,
that is complicated to
calculate.
Its computation really belongs
in its own function.
I selected the code and opened
the contextual menu, where I
clicked on Extract Function.
I was a little sloppy with my
selection, but Xcode is smart
enough that it worked anyway.
That entered me straight into
rename at the bottom of the
screen.
I chose countCommonPowersOf2.
Let's scroll up and look at the
definition.
The key thing here is that the
arguments A and B were
automatically captured by
reference.
That's important because they're
being modified.
Extract Function got it right.
Extracting the function was a
nice opportunity to clean up the
code to use early returns.
That got me bouncing around a
little, and I found this code in
the optimizer for unrolling
loops.
I noticed a call to getLoopFor
and an if statement.
The same function is called with
the same argument again right
below in a while loop.
getLoopFor does a hash table
lookup, which isn't free.
Since the while loop doesn't
change the hash table, I
Command-clicked and selected
Extract Repeated Expression.
This stored the result of the
function call in a local
variable, so it was only called
once, and then I immediately
used Rename.
I chose the name LoopLatch.
That was easy.
Extract and Rename work cleanly
together.
After all that refactoring, I
thought I'd write some new code.
ArrayRef is a generalized
reference to contiguous values,
whether they're in an STL vector
or in one of LVM's custom data
structures.
Notice that ArrayRef is
templated on the value type in
the array.
I thought it might be useful to
compare two ArrayRefs.
Why not implement a string like
comparison?
I need to loop from zero to the
minimum size between left-hand
side and right-hand side.
When I hit the dot after
left-hand side, code completion
kicked in.
Remember, left-hand side is
templated on T here.
That's pretty cool.
Code completion works with
templates, new in Xcode 9.
[ Applause ]
And that's C++ refactoring and
code completion in Xcode.
Let's talk about a few features
from the C++17 standard.
I'll start with STL's tuple, a
useful type from C++11 that
enables multiple return values.
But decomposing it is awkward.
Decomposition requires a tie
around the variables, the types
can't be inferred, and the
variable names need to be
duplicated.
C++17 solves this with
structured binding, which binds
names directly to the returned
tuple elements.
This is a great feature.
Now, it's much easier to work
with tuples.
Structured binding can be used
anywhere get can be used.
It also works out of the box
with plain-old data types like
Point.
The syntax is exactly the same
as with tuples.
That's structured binding.
The next feature is initializers
in if statements.
Here's an example.
The initializer finds the last
slash in a path string.
The slash variable scope is
limited to the if statement.
Then, the condition checks
whether slash was found.
If so, then slash is used to
split the path.
The same feature works for
switch statements.
Minimizing the scope of the
slash variable helps to prevent
bugs.
If this function continues,
we'll get an error if we try to
reuse the slash variable.
This is good because the logic
is unrelated.
Let's move on to a feature for
templated functions.
Advance is a simple template
algorithm for in advancing an
iterator.
It has been in the STL for a
long time, but let's use it as
an example.
For n greater than 0, it moves
the iterator forward, and for n
less than 0, it moves the
iterator backward.
For example, you might want to
look ahead five nodes in a
linked list.
Advance will count forward one
by one.
The same code works for getting
the fifth character in a string.
It's powerful to have the same
interface for advancing in both
data structures.
But this code is really slow for
strings.
For strings in arrays, which
have random access iterators, we
don't need a loop.
Operator + will jump ahead in
concept time.
But adding a simple if statement
won't work because it's just a
runtime check.
Its body is required to compile
for all template instantiations,
but linked list iterators don't
have operator +.
We have a problem.
Advance needs a common interface
that compiles for linked lists
and a fast path for strings and
arrays.
The classic solution is a
technique called compile time
dispatch, where the logic is
split into overloaded helper
functions and advance calls the
right overload based on a
compile time type trait.
And compile time dispatch works.
It's what C++ Library authors
have been doing for decades.
But it's an advanced technique,
and what we're trying to do is
pretty simple.
The original not working code
was easy to understand.
In C++17, constexpr if allows
you to express this logic
naturally.
constexpr if discards the not
taken paths when instantiating
temples, so the linked list code
will still compile, but advance
will use the fast path for
strings and arrays.
constexpr if makes reading and
writing generic code much
simpler.
Let's finish with a new library
facility for strings.
The STL string class has a rich
API, but it's not always the
right tool.
This example might look
familiar.
The function split searches for
the last slash in the path
argument.
If it finds a slash, it splits
the path into directory and
filename.
Without a slash, it returns the
full path as the filename.
Because of string's API, this
code was easy to write, but
there's a performance problem
lurking.
Split is returning copies of the
string.
Heavy use of functions like
split can introduce expensive
allocations.
C++17 has a new facility for
referencing strings.
It's called string view.
A string view encapsulates a raw
const char [inaudible] and a
size.
It has a rich API, just like
string, so it's convenient for
string manipulation.
And as the name suggests, it's
just a view.
It doesn't own any storage, and
so it never makes a copy.
String view is great for
performance, but there is a
caveat: String view isn't always
safe.
Because it doesn't own its
storage, using a string view
after the original string is
destroyed or modified can cause
a use after free.
Referencing a raw string literal
like resources/images is always
safe because raw string literals
have the lifetime of the
program.
Taking a string view as an
argument is safe, but avoid
storing a string view argument
past the function return.
Be careful of return values.
If a string view is derived from
an argument, it will be safe to
use as long as the argument
isn't changed or destroyed.
In this example, directory and
filename are safe to use as long
as path remains constant and
valid.
But if we replace path with a
computed string, then accessing
either directory or filename
will cause a use after free.
The root cause is that split was
passed a temporary.
The temporary is destroyed after
the call to split, and its
references are invalidated.
Accessing the temporary invokes
undefined behavior.
AddressSanitizer can catch this
bug.
Watch Understanding Undefined
Behavior to learn more about
this kind of bug and Finding
Bugs Using Xcode Runtime Tools
to learn about tools to combat
them.
String view is the last C++17
feature I'll show you today.
To try out C++17, set the C++
language dialect in your Build
settings.
C++17 gives you the standardized
language without extensions.
GNU++17 adds the usual
extensions.
Now, I have a quick update on
link-time optimization.
Link-time optimization, or LTO,
optimizes the executable at link
time, blurring the line between
source files and enabling
powerful optimizations.
Incremental LTO, which we
introduced last year, is the
state of the art.
For more information, watch last
year's talk, What's New in LLVM.
In the past, when using LTO on
large C++ programs, we've
recommended changing the Debug
Info Level Build setting to Line
Tables Only.
But in Xcode 9, we took
incremental LTO to the next
level.
Let's look at the time to link
the Apple LLVM compiler itself.
In Xcode 8, a clean link with
full debug info took almost six
minutes.
Line Tables Only was
three-and-a-half minutes faster.
We sped up incremental LTO with
full debug info by 35% in Xcode
9.
Line Tables Only is still
faster, but the overhead is now
only 90 seconds.
That was a clean link.
The true power of incremental
LTO is its fast incremental
builds.
When only one file changes, the
link doesn't repeat
optimizations unnecessarily.
In Xcode 8, an incremental link
of the Apple LLVM compiler
itself took 21 seconds with full
debug info, more than two times
longer than Line Tables Only.
This is why we recommended
changing the debug info level in
the past.
But in Xcode 9, the same
incremental link is
two-and-a-half times faster.
At just over eight seconds, it's
even faster than Line Tables
Only mode was last year.
If you looked at incremental LTO
but didn't want to change your
debug info level, it's time to
look again.
[ Applause ]
We recommend turning on
incremental LTO today, even if
you're using full debug info.
So that's what's new in LLVM.
Use @available to safely use new
APIs when supporting older OS's.
Run the static analyzer while
you build.
Use Xcode to refactor your code.
Try out the new features in
C++17.
And turn on incremental LTO to
upgrade your performance without
sacrificing incremental build
time.
For more information, see the
website.
I recommend you watch the
related sessions.
Thank you.
[ Applause ]