Removing the quotes here because of a suggested edit later (the diagnostics engine will add the quotes for you).

Why the SC_None case?

You should add an explicit test for _ by itself.

You should have a test like this but within the global namespace (which should diagnose).

+1 to this request.

You should also have some tests for:

template <typename T>
void _Foobar(); // Even though it's not instantiated, it's still reserved.

template <typename _Ty> // Reserved
void whatever();

void func() {
  int array[10];
  for (auto _A : array) // Reserved
    ;
}

class _C { // Reserved
public:
  _C(); // Not reserved
};

unsigned operator "" huttah(unsigned long long); // Reserved (http://eel.is/c++draft/usrlit.suffix#1)

unsigned operator "" _W(unsigned long long); // Reserved
unsigned operator "" _w(unsigned long long); // Reserved

static unsigned operator "" _X(unsigned long long); // Not reserved
static unsigned operator "" _x(unsigned long long); // Not reserved

It happens when no explicit linkage is provided.

I probably missed a lot of declarations, but I've hardened that part to handle template parameters and concepts

Still missing the trailing full stop on the comment.

The usual convention in the project is west const rather than east const, FWIW.

This reference no longer exists. I think you want [lex.name]p3

Actually, I think the real question is: why check the storage class at all? e.g.,

static int _this_is_still_reserved_at_file_scope;

The reservation is for use at file scope (or the global namespace in C++ parlance) -- it would make a good test case to add.

"followed by an uppercase letter or another underscore"

also, the (2.11) is ambiguous.

Another awful test case:

struct _reserved { int a; } func(void) { // Should diagnose
  return (struct _reserved){1};
}

void func(struct _reserved { int a; } r) {} // Should not diagnose

I think @aaron.ballman is right; there was some earlier confusion (that I think I added to, apologies) over the rules for _these since there seems to be some conflicting information online (e.g. the cppreference page for the C rules appears to be wrong), but rereading both C and C++ standards carefully, I believe _these are reserved at file scope / in the global namespace in both languages, whether static or not.

The comment should probably explain why we do this rather than check if the decl context is the translation unit.

One worry I have with this approach is that there are more declaration contexts than what you've got handled here, like ObjCContainers, linkage specifications, etc.

I think "for use in the global namespace" may be a bit of a red herring here. Consider user code like:

namespace my_awesome_stuff {
// Not at global namespace.
unsigned _w() { return 0; }
}

unsigned func() {
  using namespace my_awesome_stuff;
  return _w();
}

If an implementation (or a future version of the standard) adds int _w = 12; to the global namespace, the user's code becomes ambiguous and fails to compile.

Another example of this would be if the implementation adds a macro. e.g.,

// If this gets defined by the implementation...
#define _strdup strdup

// ... it could break this user code due to duplicate symbols.
char *_strdup(const char *str);

@rsmith -- what's your feeling on this?

Can you add a test that we do not warn on an extern declaration? e.g.,

extern char *_strdup(const char *);

This is sometimes used (esp in older C code bases) to avoid having to include an entire header to scrape one declaration out of it, and there are popular libraries (like the MSVC CRT) that have APIs starting with a single underscore and lowercase letter.

The idea here is: if it's an extern declaration, the identifier is "owned" by some other declaration and this is not likely something the user has control over.

I'm on the fence about whether this should have no warning or not. Enumeration constants in C (and sometimes in C++, depending on the enumeration) are in the enclosing scope. e.g.,

enum foo {
  _bar
};

int i = _bar;

So if a user has an enumeration constant named _bar, the implementation is not free to add int _bar(void); as it will cause compile errors. WDYT?

I think some of these tests are still missing. I'm especially worried about the user-defined literal cases being diagnosed, as we'd be warning to not do the exact thing users are expected to do.

This is another case that I'm on the fence about failing to warn on because the name _barbatruc would conflict with a name introduced by the implementation. Another interesting variant of the same problem, for C++:

static union {
  int _field;
};

I wonder if the rule should not be whether the declaration is at file scope or not, but whether the declared identifier can be found at file scope or not?

If you leave it like this, you will receive multiple bug reports per year about how in some contexts the compiler diagnoses _X and _x equally, and in other contexts the compiler diagnoses _X but fails to diagnose _x.

You should make two diagnostics: -Wreserved-extern-identifier and -Wreserved-pp-identifier (or something along those lines), and their messages should be carefully worded to explain why the warning is happening — "identifier %0 is reserved for use at file scope," "identifier %0 is reserved in all contexts," etc.

Btw, the reason some identifiers (like _X) are reserved in all contexts is so that the implementation can define them as macros (e.g. header guards).

Should that logic also apply to a forward declaration like struct _foo;? Should it apply to struct _foo { int i; };? These are also things the user might not have control over. (And they're equally things that the user could pull out into a separate .h file surrounded by disabled-warning pragmas, if they really wanted to.)

I'd say 100% yeah to the forward declaration, but I'm unsure about the actual definition, because there's no way to distinguish it from a user definition.

We could state it that way: would the code still compile if there's a int _bar symbol defined in a system header. here the answer is no, so reserved.

User defined literal tested below and behave as expected.

whether the declared identifier can be found at file scope or not?

100% agree. As

static union {
  int _field;
};
int _field;

is invalid, I considered that one and tested it.

@aaron.ballman, the "not reserved" comment re: _X for the literal operator using the operator string-literal identifier form above seems suspect to me. See _Bq example in [over.literal].

This should get a warning, since it's using an identifier "reserved for any use."
https://stackoverflow.com/questions/228783/what-are-the-rules-about-using-an-underscore-in-a-c-identifier
http://eel.is/c++draft/lex.name#3.1
If the implementation predefines #define _BarbeBleue 42 (which the implementation is permitted to do), then this code won't compile.

Rather than trying to manually decide whether the name will be exposed at the top level, I wonder if we should use Sema::LookupName() to try to find the name in the global scope. That would move this code from AST into Sema to avoid layering issues, so it'd be something more like bool Sema::IsDeclReserved(const NamedDecl *ND) const or bool Sema::IsIdentifierReserved(const IdentifierInfo *II) const.

The idea is to perform the lookup in global scope and if the lookup finds the identifier, then regardless of how it got there (anonymous union field, anonymous namespaces, enumeration constants, etc), we know it may conflict with an external declaration and diagnose.

WDYT?

Thanks, @hubert.reinterpretcast, you're correct -- I forgot just how hard we made the rules for UDLs when we decided to require a leading underscore. :-(

That's an interesting proposal.Let me try that!

I don't understand why name lookup is involved here. Whether an identifier is reserved doesn't depend on whether it's already been declared in the global namespace or not. It's valid to declare _foo in some user-defined namespace regardless of whether there's already a _foo in the global namespace, and it's invalid to declare _foo in the global namespace regardless of whether there's already a _foo in the global namespace.

If you're trying to detect whether the name is being introduced in the global namespace scope, per C++ [lex.name]/3.2, you can't do that like this; you'll need to look at the DeclContext of the declaration instead of just the identifier.

Why does the presence / absence of extern matter here?

Is there somewhere more central you can do this, rather than repeating it once for each kind of declaration? (Eg, PushOnScopeChains)

Why do we not diagnose the other possible TagUseKinds? struct _foo; and struct _foo *p; both use reserved identifiers too.

Sorry @serge-sans-paille for my think-o, Richard is right.

My thinking was "if the declaration can be found at the global namespace, then it's reserved", but.. that's a hypothetical declaration, not an actual one, so of course the name lookup won't find it. Derp.

I guess we really do have to look at the DeclContext.

@rsmith -- just to be clear, from http://eel.is/c++draft/lex.name#3.2, does "for use as a name in the global namespace" imply macros as well? e.g., can an implementation decide to use this reservation to #define _foo 12, which would cause problems with a _foo declared in a user-defined namespace? If so, then we can ignore what the declaration context is because the name could be snatched out from under the user via a macro anyway.

Regarding macros, I think it depends what you mean.

The implementation is permitted to declare additional _foo names in the global namespace, and I think the intent is that these can be either predeclared or declared in headers. The user is permitted to declare _foo names in other (non-reserved) namespaces.

As a result, neither party should define an _foo macro, because doing so would step on the other party's namespace (though it would be OK for user code to do so after all of their standard library includes, I suppose). Specifically, I think it would be non-conforming for the implementation to #define such a macro (because the name is not reserved to the implementation in all contexts), and I think it would be UB via [macro.names]/1 for user code to #define such a macro that actually collided with a name that happened to be declared in the global namespace by a standard library header.

We can probably warn on #define _foo if we want to, but I don't think we can produce a -pedantic-error for that case, because I think it's (sometimes) valid for user code to do that.

If you're trying to detect whether the name is being introduced in the global namespace scope,

That's indeed the goal

you'll need to look at the DeclContext of the declaration instead of just the identifier.

That would be sane. I'll check that.

We have a test case for struct _foo and its correctly diagnosed. I'll double check for pointer / reference too.

I tried PushOnScopeChains, and this does not capture all the required declarations. I failed to find another place :-/

Test case added for pointers, works like a charm.

I think splitting the diagnostic into two groups could be useful, but I'd still like the groups to be under a common grouping so I can enable/disable all reserved identifier warnings at once.

As for adding the extra rationale to the diagnostic message: I think if we want to add extra wording, it should be more about how the user can fix the name and less about why the standard reserves something. e.g., "identifier %0 is reserved because %select{it starts with '__'|it contains '__'|it is the same identifier as a keyword|etc}0". Knowing that something is reserved at file scope is somewhat helpful, but knowing how to change the name to appease the compiler is too.

You may want to run the patch through clang-format.

Unrelated changes?

Can you not call warnOnReservedIdentifier(TheDecl) in this case?

Should that logic also apply to a forward declaration like struct _foo;?

I could see a case for not warning on a forward declaration like that, but I think it's a bit less compelling because I can't seem to find that pattern happening in the wild like I can for extern function declarations.

Should it apply to struct _foo { int i; };?

This is a definition of the type and so I think it should be warned on (unless it's in a system header).

I think we're correct to warn on this. Because the type specifier appears within the parameter list, it has function prototype scope per C2x 6.2.1p4. However, the identifier _preserved is put into the struct name space, which hits the "in the tag name spaces" part of: "All identifiers that begin with an underscore are reserved for use as identifiers with file scope in both the ordinary and tag name spaces".

This is a case I don't think we should warn on. As some examples showing this sort of thing in the wild:

https://codesearch.isocpp.org/actcd19/main/m/mcrl2/mcrl2_201409.0-1/3rd-party/svc/source/lz.cpp
https://codesearch.isocpp.org/actcd19/main/m/mcrl2/mcrl2_201409.0-1/3rd-party/svc/source/svc1.cpp

+1, this really is reserved.

The lexical parent doesn't matter here; what we care about is whether this declaration would conflict with a declaration in the global namespace, which means we should check the semantic parent. So we want getDeclContext()->getRedeclContext()->isTranslationUnit().

For a variable or function, you should also check isExternC(), because extern "C" functions and variables (declared in any scope) conflict with variables and functions with the same name declared in the global namespace scope.

Swap the order of these checks; the "is reserved" check is faster and will usually allow us to short-circuit, whereas we're probably usually not in a system header and that check involves nontrivial work recursively decomposing the given source location.

What cases is it missing? Can we add calls to PushOnScopeChains to those cases (perhaps with a new flag to say "don't actually push it into scope"?) I'm not super happy about adding a new thing that all places that create declarations and add them to scope need to remember to do, to drive this warning. Cases are going to get forgotten that way.

It would be more consistent with the other calls to this function to call this when we create each individual field, not when we finalize the record definition.

Again, it'd be more consistent to do this when we finish creating the declaration and push it into scope, for all kinds of declaration.

It'd be useful to test that we don't diagnose

void foo(unsigned int _not_reserved) { ... }

You don't seem to have a test for TUK_Reference:

struct _Zebulon3 *p;

(Nor for TUK_Friend.)

_preserved is not an identifier with file scope, so I think we shouldn't warn here. Perhaps the problem is that we're doing this check before the struct gets reparented into the function declaration (which only happens after we finish parsing all the parameters and build the function declaration).

We could perhaps check the Scope in addition to checking the DeclContext to detect such cases.

You mean, specifically for _strdup? In general, this looks exactly the like the kind of declaration we'd want to warn on. If we don't want a warning here, we could perhaps recognize _strdup as a builtin lib function. (I think they shouldn't warn, because we'll inject a builtin declaration, so this would be a redeclaration. We should test that!)

Please also test the _not_reserved case here. Parameters are weird, because they're parsed before we have a DeclContext created to correspond with their scope, so they start off with the translation unit as their parent.

This should warn: this declaration would conflict with an int _barbeFleurie(); in a system header.

... although weirdly Clang doesn't diagnose that conflict. Hm. That looks like a bug.

_preserved is not an identifier with file scope, so I think we shouldn't warn here.

Hmm, my thinking was that if the implementation added a conflicting definition of what _preserved is, it'd break the user's code. But you're right, the identifier is in the tag name space but not with file scope, so not warning is correct.

You mean, specifically for _strdup?

Yes, but it's a more general pattern than just _strdup. C code (esp older C code) will sometimes add an external declaration to avoid having to use a #include for just one symbol. Additionally, some popular platforms (like Windows) add a bunch of functions in the implementation namespace like _strdup (and many, many others).

Perhaps an option would be to always warn, and if we find that users run into this situation a lot in practice, we could split the diagnostic so that users can control whether to warn on forward declarations of functions.

Because this is not a scoped enum, should these enumerators get an RIR_ prefix added to them?

Any reason not to return the enumeration as the result? We could add NotReserved = 0 to the enumeration so that calls to D->isReserved() will do the right thing.

(Also, might as well name the LangOptions parameter here.)

Were you planning to use this new diagnostic group?

Might as well address the lint warning.

I used a class enum with a stream operator instead. Not a big fan of prefixed enum ;-)

yeah,that would require checking if the name with trailing underscores is a libc function. I agree we should wait for more user feedback to install such check.

Totally fine by me, thank you!

You may want to add a comment here to alert people to the fact that passing 0 for %1 is not valid but the | exists to make the enum order match the diagnostic. Otherwise it looks like it's possible to get a diagnostic identifier 'whatever' is reserved because .

Still missing a full stop at the end of the comment here.

Richard's comment is still unaddressed as well.

I'm still wondering about this as well.

This check should be reversed as well.

I'll investigate that one more deeply, I do share your concern.

This is hopefully more useful to future readers and also terser. (I like including <ERROR> in the diagnostic in the bad case because if it ever happens we're more likely to get a bug report that way.)

Please reorder the literal operator case after the plain getIdentifier case. I think this'd be more readable if the common and expected case is first, and it doesn't make any functional difference since a literal operator doesn't have a "regular" identifier name.

Would it make sense to move the rest of this function to a member on IdentifierInfo? That is, the rest of this function would become:

ReservedIdentifierStatus Status = II->isReserved(LangOpts);
if (Status == ReservedIdentifierStatus::StartsWithUnderscoreAtGlobalScope &&
    isa<ParmVarDecl>(this) || isTemplateParameter() ||
    !getDeclContext()->getRedeclContext()->isTranslationUnit())
  return ReservedIdentifierStatus::NotReserved;
return Status;

That way, we should be able to reuse the same implementation to detect reserved macros too.

This can be simplified a bit; I suggested edits above. Also, we want the semantic parent here, not the lexical parent, in order to warn on cases like

struct A {
  friend struct _b; // warning, starts with underscore at global scope
  friend void _f(); // warning, starts with underscore at global scope
};
void g() {
  void _h(); // warning, starts with underscore at global scope
  extern int _n; // warning, starts with underscore at global scope
}

I did the II->isReserved(LangOpts) part, but the updated condition !getDeclContext()->getRedeclContext()->isTranslationUnit() fails the validation. I did already spend a lot of time getting one that catches the behavior we wanted, so 'm not super-eager to investigate why this change would not work ;-)

The current lexical context check does not look correct -- the lexical context is not relevant here, because the language rule is constrained by the semantic context. What test cases does the new condition fail?

Please also add something like the testcases from my other comment; I can't find any tests for friends or for local extern declarations in the current set of tests, and that's the kind of corner case that would be affected by this.

Ooh, I like that suggestion, thanks!

It looks like this code still needs to move.

This comment should be updated -- we no longer walk the lexical parents.

I think comments here may help -- we don't know that the identifier is at global scope within this call, so the return value looks a bit strange. This is a case where the enumerator name is a bit awkward in this context but makes a lot of sense in the context of the check.

There's a slight functionality change here in that the code used to allow identifiers that start with a single underscore followed by a lowercase letter and that now early returns. Is that expected (and tested)?

Spurious whitespace change.

Spurious whitespace change.

Doesn't PushOnScopeChains() do this already?

This still needs to be reversed so we check for system headers after checking the reserved status.

Is this handled by PushOnScopeChains()?

This should be declared with the definition of ReservedIdentifierStatus -- or simply removed. We usually include the cast at the diagnostic emission site, which I find makes it locally clear that we're making an assumption about the numerical values of the enumerators.

Some of the uses of this warning are for non-external identifiers. It'd also be nice for the diagnostics in this area to have consistent names. Currently we have: -Wreserved-id-macro, -Wreserved-extern-identifier, -Wreserved-identifier. I'd like to see either consistent use of "identifier" or consistent use of "id' (preferably "identifier") and consistent word order.

Should we instead be asking whether CalleeDecl has a reserved name, now that we can?

Should we be using ND->isReserved here?

I'm surprised we don't warn in user headers. Is that intentional?