Note I took my range generation code from CGExpr.cpp function getRangeForType(...) I was considering perhaps making the code common, maybe this could be a helper in EnumDecl? Does that makes sense?

Mostly Ok with this. The diagnostic seems a little subtle with the mathematical notation... just looking at the diagnostics I was like, "wait, why is 8 NOT included in the range -8, 8.... oh wait". This will be a little shocking to others perhaps?

Also, misisng any tests for the E3, I'd like to see the range for that too.

In D130058#3682192, @aaron.ballman wrote:

LGTM, with some minor nits. Also, please be sure to add a release note.

@erichkeane -- should we update the cxx_dr_status.html page for this? We currently claim Clang 12 for this DR, but it seems like Clang 16 (or 15 if we cherry-pick this) will be the actual release we finished the DR in.

Yeah, I suspect we should update the dr-status.

Hello, this breaks a bunch of existing code over here (and I imagine elsewhere).

Can we make this a warning that's mapped to an error by default, so that people can turn it off for a while while they fix their code?

In D130058#3687680, @thakis wrote:

Hello, this breaks a bunch of existing code over here (and I imagine elsewhere).

Do you have an idea on how much a bunch is and whether the fixes are particularly involved or not? Did it break a system header?

Can we make this a warning that's mapped to an error by default, so that people can turn it off for a while while they fix their code?

It might be possible to do that, but I'd like to better understand the situation before we make a decision. This was fixing an accepts-invalid bug in Clang and we usually don't turn that into a warning-as-error unless there's a significant amount of code to be fixed in the ecosystem (like implicit int being accepted for a decade+ even when it was "wrong" for compilers to do so). However, Clang is the first compiler to actually get this particular behavior right, so I am sympathetic to turning it into a warning that defaults to an error.

Here's a reduced repro of one case:

% cat test.cc
typedef enum VkResult {
    VK_ERROR_INVALID_OPAQUE_CAPTURE_ADDRESS = -1000257000,
    VK_RESULT_MAX_ENUM = 0x7FFFFFFF
} VkResult;

constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);

% out/gn/bin/clang -c test.cc -std=c++17
test.cc:6:20: error: constexpr variable 'VK_FAKE_DEVICE_OOM_FOR_TESTING' must be initialized by a constant expression
constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);
                   ^                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.cc:6:53: note: integer value 2147483646 is outside the valid range of values [-2147483648, -2147483648) for this enumeration type
constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);
                                                    ^
1 error generated.

Isn't valid range of values [-2147483648, -2147483648) just wrong here?

In D130058#3688049, @thakis wrote:

Here's a reduced repro of one case:

% cat test.cc
typedef enum VkResult {
    VK_ERROR_INVALID_OPAQUE_CAPTURE_ADDRESS = -1000257000,
    VK_RESULT_MAX_ENUM = 0x7FFFFFFF
} VkResult;

constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);

% out/gn/bin/clang -c test.cc -std=c++17
test.cc:6:20: error: constexpr variable 'VK_FAKE_DEVICE_OOM_FOR_TESTING' must be initialized by a constant expression
constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);
                   ^                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.cc:6:53: note: integer value 2147483646 is outside the valid range of values [-2147483648, -2147483648) for this enumeration type
constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);
                                                    ^
1 error generated.

Isn't valid range of values [-2147483648, -2147483648) just wrong here?

That range with the leading negative looks wrong to me, but perhaps that is a diagnostic problem? Either way, this test case SHOULD work, it is within the correct range.

In D130058#3688049, @thakis wrote:

Here's a reduced repro of one case:

% cat test.cc
typedef enum VkResult {
    VK_ERROR_INVALID_OPAQUE_CAPTURE_ADDRESS = -1000257000,
    VK_RESULT_MAX_ENUM = 0x7FFFFFFF
} VkResult;

constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);

% out/gn/bin/clang -c test.cc -std=c++17
test.cc:6:20: error: constexpr variable 'VK_FAKE_DEVICE_OOM_FOR_TESTING' must be initialized by a constant expression
constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);
                   ^                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.cc:6:53: note: integer value 2147483646 is outside the valid range of values [-2147483648, -2147483648) for this enumeration type
constexpr VkResult VK_FAKE_DEVICE_OOM_FOR_TESTING = static_cast<VkResult>(VK_RESULT_MAX_ENUM - 1);
                                                    ^
1 error generated.

Isn't valid range of values [-2147483648, -2147483648) just wrong here?

That is a bug, I am looking at possible fixes right now and if I can't figure out something good in the next day otherwise I will revert.

In D130058#3687868, @aaron.ballman wrote:

In D130058#3687680, @thakis wrote:

Hello, this breaks a bunch of existing code over here (and I imagine elsewhere).

Do you have an idea on how much a bunch is and whether the fixes are particularly involved or not? Did it break a system header?

Sorry for the slow reply, this was fairly involved to count. (Since this is an error, not a warning, I had to do local builds on all our supported platforms, and fix all instances before I could know I found everything.)

With D130811, the most annoying instance is resolved. I'd say it's now few enough instances in few enough repositories that this isn't necessary for Chromium, but based on the numbers below I'd expect that this change will be fairly annoying for people with larger codebases.

For Chromium, this affects:

• 6 different places in v8, all due to due using enums with a spiffy BitField class (reduced example here https://bugs.chromium.org/p/chromium/issues/detail?id=1348574#c7). This BitField class takes a "size" template arg, and clang now happens to complain if that size arg is too large to hold all enum fields: If you have an enum with 8 values but try to store it in a BitField<.., 4> you now happen to get an error, because a BitField<..., 3>. (This is kind of cool!) (https://chromium-review.googlesource.com/c/v8/v8/+/3794708)

• 11 different places in chromium that are related to a macro that takes an enum (summary here: https://bugs.chromium.org/p/chromium/issues/detail?id=1348574#c11) where the workaround is to give those enums a fixed underlying type
• 4 places in unit tests that do something like constexpr auto kImpossibleEnumValue = static_cast<MyEnumType>(-1); (replaced "constexpr" with "const" as workaround)
• 1 place that checked that static_assert()ed that two enumerators from two distinct enum types have the same value, this just needed rewriting the expression slightly

After D130811, we're lucky that no code in difficult-to-change third-party repositories are affected.

It does affect 22 distinct places though, so it seems likely that other projects might be less lucky.

(But since it's no longer a problem for us, I also won't push for a warning more than I did in this comment.)

In D130058#3689053, @thakis wrote:

In D130058#3687868, @aaron.ballman wrote:

In D130058#3687680, @thakis wrote:

Hello, this breaks a bunch of existing code over here (and I imagine elsewhere).

Do you have an idea on how much a bunch is and whether the fixes are particularly involved or not? Did it break a system header?

Sorry for the slow reply, this was fairly involved to count. (Since this is an error, not a warning, I had to do local builds on all our supported platforms, and fix all instances before I could know I found everything.)

Thank you for helping to track those numbers down, I really appreciate it!

With D130811, the most annoying instance is resolved. I'd say it's now few enough instances in few enough repositories that this isn't necessary for Chromium, but based on the numbers below I'd expect that this change will be fairly annoying for people with larger codebases.

For Chromium, this affects:

• 6 different places in v8, all due to due using enums with a spiffy BitField class (reduced example here https://bugs.chromium.org/p/chromium/issues/detail?id=1348574#c7). This BitField class takes a "size" template arg, and clang now happens to complain if that size arg is too large to hold all enum fields: If you have an enum with 8 values but try to store it in a BitField<.., 4> you now happen to get an error, because a BitField<..., 3>. (This is kind of cool!) (https://chromium-review.googlesource.com/c/v8/v8/+/3794708)

That's neat!

• 11 different places in chromium that are related to a macro that takes an enum (summary here: https://bugs.chromium.org/p/chromium/issues/detail?id=1348574#c11) where the workaround is to give those enums a fixed underlying type
• 4 places in unit tests that do something like constexpr auto kImpossibleEnumValue = static_cast<MyEnumType>(-1); (replaced "constexpr" with "const" as workaround)
• 1 place that checked that static_assert()ed that two enumerators from two distinct enum types have the same value, this just needed rewriting the expression slightly

After D130811, we're lucky that no code in difficult-to-change third-party repositories are affected.

Glad to hear that!

It does affect 22 distinct places though, so it seems likely that other projects might be less lucky.

(But since it's no longer a problem for us, I also won't push for a warning more than I did in this comment.)

Thank you for these details! That does seem like a fairly substantial amount of broken code for one project, but it also sounds like everything it caught was a true positive (at least as far as the language standard is concerned) and none of it required major changes to fix the issues. Based on that, I think we're still okay with the functionality as-is, but if we start to find cases where the fix is really involved (or is in a system header) and the code is otherwise reasonable, we may want to reconsider.

Sorry for chiming in a bit late here.

I'm working on getting a large internal codebase to compile after this change. Most of the issues are easy enough to deal with, but there's one Boost error I'd like to highlight: P8289. (We might be using a slightly older Boost version, but upgrading it would be a pretty significant undertaking, unfortunately, and current Boost appears to have similar code: https://github.com/boostorg/mpl/blob/8f10d06b9637a67b23a3a11791de5bd6bcd2e112/include/boost/mpl/aux_/integral_wrapper.hpp#L72-L73.)

There's a couple of things that make this error hard to parse:

• The note about the integer value being out of range for the enumeration doesn't appear until towards the end of the error (line 55 in my paste), even though it's the key to understanding why the argument isn't considered a constant expression
• The note doesn't mention which enumeration type the value is out of the valid range for, and with the mix of macros and templates going on in this error message, that's non-trivial to decipher

After digging through the preprocessor output, it turns out that AUX_WRAPPER_VALUE_TYPE is defined as T here (after being undefined and redefined a bunch of times, which makes this even trickier), and coupled with the types in the templates in the error you can determine that T is boost::numeric::udt_builtin_mixture_enum, but it'd be much easier if the diagnostic gave you the type directly and also appeared much earlier.

Diagnostic quality aside, I'm not really sure what to do about this error. It appears to ultimately originate from here, which will attempt to compute a prior for the first enum value, which is incorrect. I can fix the issue by giving udt_builtin_mixture_enum and int_float_mixture_enum an underlying type of int, but I lack the Boost know-how to understand if that's reasonable.

Given that we have a non-obvious (at least to me) issue in a widely used third-party library, would we consider giving users some way to opt out of this error, at least as a transition tool?

Given that we have a non-obvious (at least to me) issue in a widely used third-party library, would we consider giving users some way to opt out of this error, at least as a transition tool?

Thank your feedback, this is very helpful. I won't have time to dig into this in detail till tomorrow but it does not look like there is a nice fix here. I think we may want to consider turning this into a warning for some transition period.

In D130058#3697949, @smeenai wrote:

Given that we have a non-obvious (at least to me) issue in a widely used third-party library, would we consider giving users some way to opt out of this error, at least as a transition tool?

Thank you for the feedback! I agree that providing information like which enumeration type the value is out of range for would be super helpful. (Changing the note order might be significantly more involved but I can see how it would be helpful here.)

Because the error is happening in boost, I think we have two paths forward: 1) targeted workaround for just boost, 2) downgrade the error to a warning-defaults-to-error. Because this is the second project to have run into some pain, I'm leaning towards downgrading the diagnostic for a release. One thing I would recommend is: add information to the release notes to set expectations about the warning being upgraded (if we downgrade it but don't tell users we're going to upgrade it to an error Real Soon Now, users will come to rely on the crutch).

https://godbolt.org/z/axhbj3MPE is a simpler repro in Godbolt with Boost 1.79 (the latest version).

I agree that it'll be tricky to manage expectations if we downgrade to a warning, but I also suspect that the first time many people will run into this new error is when we start doing the RCs for LLVM 16, and we'll discover lots more breakage then. I'd hope that giving the warning a sufficiently scary name (e.g. suffixing it with -will-be-removed-in-clang-17) and having a release notes entry would help us actually be able to convert this into an error in the future though and not just keep kicking the can down the road. It'd also help if we could compile the fixes for issues with this new error in common libraries (e.g. the Boost error here) somewhere, so that people using those common libraries can reference that to fix their own codebases.

I've filed a bug against Boost MPL, https://github.com/boostorg/mpl/issues/69

In D130058#3698213, @shafik wrote:

Given that we have a non-obvious (at least to me) issue in a widely used third-party library, would we consider giving users some way to opt out of this error, at least as a transition tool?

Thank your feedback, this is very helpful. I won't have time to dig into this in detail till tomorrow but it does not look like there is a nice fix here. I think we may want to consider turning this into a warning for some transition period.

Following up because we have an internal integration blocked on this. Are we planning to turn this into a warning soon, or should I just put in local workarounds in the meantime?

In D130058#3701485, @smeenai wrote:

In D130058#3698213, @shafik wrote:

Given that we have a non-obvious (at least to me) issue in a widely used third-party library, would we consider giving users some way to opt out of this error, at least as a transition tool?

Thank your feedback, this is very helpful. I won't have time to dig into this in detail till tomorrow but it does not look like there is a nice fix here. I think we may want to consider turning this into a warning for some transition period.

Following up because we have an internal integration blocked on this. Are we planning to turn this into a warning soon, or should I just put in local workarounds in the meantime?

I plan on having a PR up tomorrow and hopefully turn around will be quick.

+1 on downgrading to a warning, so that users can have time to do cleanup on their codebase.

We also see internal breakages caused by this change. It breaks some code using the magic_enum library, a simple repro example:

#include <iostream>                                                             
#include "magic_enum.hpp"                                
                                                                                
enum Color { Red, Black };                                                      
int main(int argc, char* argv[]) {                                              
   Color color = Black;                                                          
   switch (color) {                                                              
     case Red:                                                                   
       break;                                                                    
     default:                                                                    
       std::cout << magic_enum::enum_name(color);                                
       break;                                                                    
   }                                                                                                                                                             
   return 0;                                                                     
 }

Errors:

./magic_enum/magic_enum.hpp:436:10: note: in instantiation of function template specialization 'magic_enum::detail::values<Color, false, 0, 0UL, 1UL, 2UL, 3UL, 4UL, 5UL, 6UL, 7UL, 8UL, 9UL, 10UL, 11UL, 12UL, 13UL, 14UL, 15UL, 16UL, 17UL, 18UL, 19UL, 20UL, 21UL, 22UL, 23UL, 24UL, 25UL, 26UL, 27UL, 28UL, 29UL, 30UL, 31UL, 32UL, 33UL, 34UL, 35UL, 36UL, 37UL, 38UL, 39UL, 40UL, 41UL, 42UL, 43UL, 44UL, 45UL, 46UL, 47UL, 48UL, 49UL, 50UL, 51UL, 52UL, 53UL, 54UL, 55UL, 56UL, 57UL, 58UL, 59UL, 60UL, 61UL, 62UL, 63UL, 64UL, 65UL, 66UL, 67UL, 68UL, 69UL, 70UL, 71UL, 72UL, 73UL, 74UL, 75UL, 76UL, 77UL, 78UL, 79UL, 80UL, 81UL, 82UL, 83UL, 84UL, 85UL, 86UL, 87UL, 88UL, 89UL, 90UL, 91UL, 92UL, 93UL, 94UL, 95UL, 96UL, 97UL, 98UL, 99UL, 100UL, 101UL, 102UL, 103UL, 104UL, 105UL, 106UL, 107UL, 108UL, 109UL, 110UL, 111UL, 112UL, 113UL, 114UL, 115UL, 116UL, 117UL, 118UL, 119UL, 120UL, 121UL, 122UL, 123UL, 124UL, 125UL, 126UL, 127UL, 128UL>' requested here
  return values<E, IsFlags, reflected_min_v<E, IsFlags>>(std::make_index_sequence<range_size>{});
         ^
./magic_enum/magic_enum.hpp:440:34: note: in instantiation of function template specialization 'magic_enum::detail::values<Color, false, unsigned int>' requested here
inline constexpr auto values_v = values<E, IsFlags>();
                                 ^
./magic_enum/magic_enum.hpp:446:33: note: in instantiation of variable template specialization 'magic_enum::detail::values_v' requested here
inline constexpr auto count_v = values_v<E, IsFlags>.size();
                                ^
./magic_enum/magic_enum.hpp:567:17: note: in instantiation of variable template specialization 'magic_enum::detail::count_v' requested here
  static_assert(count_v<D, false> > 0, "magic_enum requires enum implementation and valid max and min.");
                ^
./magic_enum/magic_enum.hpp:579:1: note: in instantiation of template class 'magic_enum::detail::enable_if_enum<true, false, Color, std::string_view>' requested here
using enable_if_enum_t = typename enable_if_enum<std::is_enum_v<std::decay_t<T>>, false, T, R>::type;
^
./magic_enum/magic_enum.hpp:690:69: note: in instantiation of template type alias 'enable_if_enum_t' requested here
[[nodiscard]] constexpr auto enum_name(E value) noexcept -> detail::enable_if_enum_t<E, string_view> {
                                                                    ^
main.cc:17:20: note: while substituting deduced template arguments into function template 'enum_name' [with E = Color]
      std::cout << magic_enum::enum_name(color);

+2 turning it in to warning. It's breaking our builds, due to boost. :(

In D130058#3708209, @ayermolo wrote:

+2 turning it in to warning. It's breaking our builds, due to boost. :(

This was done by D131307, which I'm hoping will land soon :)

This catches https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/third_party/rust/glslopt/glsl-optimizer/src/compiler/glsl/ir_reader.cpp#732 but not https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/third_party/rust/glslopt/glsl-optimizer/src/compiler/glsl/ir.cpp#654. Is that expected?

In D130058#3714672, @glandium wrote:

This catches https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/third_party/rust/glslopt/glsl-optimizer/src/compiler/glsl/ir_reader.cpp#732 but not https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/third_party/rust/glslopt/glsl-optimizer/src/compiler/glsl/ir.cpp#654. Is that expected?

Maybe something changed? A couple days ago it was catching https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/gfx/cairo/cairo/src/win32/cairo-dwrite-font.cpp#238 but apparently not anymore.

Also not caught: a cast of 0 when 0 is not a valid value in the enum.

Having looked around in the Firefox codebase for cases that now fail to build because of this, and looking at the clarification in DR2338, I wonder if enums in extern "C" sections should be treated as if they had an explicit type of int as if it were e.g. enum Foo: int { ... }.

In D130058#3714880, @glandium wrote:

In D130058#3714672, @glandium wrote:

This catches https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/third_party/rust/glslopt/glsl-optimizer/src/compiler/glsl/ir_reader.cpp#732 but not https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/third_party/rust/glslopt/glsl-optimizer/src/compiler/glsl/ir.cpp#654. Is that expected?

Maybe something changed? A couple days ago it was catching https://searchfox.org/mozilla-central/rev/c77834ec635c523f2ba0092fcd1728c9b1c3005b/gfx/cairo/cairo/src/win32/cairo-dwrite-font.cpp#238 but apparently not anymore.

Correct, the diagnostic was previously over-eager, but that's been fixed.

In D130058#3714882, @glandium wrote:

Also not caught: a cast of 0 when 0 is not a valid value in the enum.

I don't think that situation will ever be UB. When the underlying type of the enum is not fixed, the range of values it can represent is whatever values fit into a hypothetical bit-field that is large enough to cover the full range of stated values (https://eel.is/c++draft/enum#dcl.enum-8.sentence-2). 0 is something that can always be represented in such a bit-field (there's a special provision for empty enumerations or one that can only store 0).

In D130058#3715183, @glandium wrote:

Having looked around in the Firefox codebase for cases that now fail to build because of this, and looking at the clarification in DR2338, I wonder if enums in extern "C" sections should be treated as if they had an explicit type of int as if it were e.g. enum Foo: int { ... }.

That doesn't match the C++ language rules for constant expression evaluation, so I don't think we should go that route unless WG21 decides they want to.

In D130058#3714882, @glandium wrote:

Also not caught: a cast of 0 when 0 is not a valid value in the enum.

I don't think that situation will ever be UB. When the underlying type of the enum is not fixed, the range of values it can represent is whatever values fit into a hypothetical bit-field that is large enough to cover the full range of stated values (https://eel.is/c++draft/enum#dcl.enum-8.sentence-2). 0 is something that can always be represented in such a bit-field (there's a special provision for empty enumerations or one that can only store 0).

Correct here. A 'valid value' of an enum is NOT just the list of values listed. It is every value that would be represent-able by the smallest-bit-sized bitfield required to represent all of the possible enumerators. Since 0 is represent-able by all 1+ bit integers, zero is always valid.