C++/SAL 표준 표식 언어




Win SDK 의 헤더 파일 "sal.h" 필요

#include

#include

int _tmain(int argc, _TCHAR* argv[])

{

wchar_t DstBuf[256]={0,} ;

const wchar_t *const SrcBuf = _T("This function or variable may be unsafe") ;

wcscpy(DstBuf, SrcBuf ) ;

return 0;

}

출력에 warning C4996 경고문구를 볼 수 있을 것이다.

arning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.

즉 wcscpy 함수는 안전하지 않으니 wcscpy_s 를 대신 사용할 것을 권장하고 있다.

만약 이 경고문구를 더이상 보기 싫다면 #define _CRT_SECURE_NO_WARNINGS 을 프리컴파일러헤더 "stadafx.h" 에 정의하면 된다. 란것이다.

왜 이런 코드가 안전하지 않다는 것일까 ?

마이크로 소프트는 윈도우즈를 98->2000->XP->Vista  로 업그레이드하면서 쉘에 관련되 GUI에 엄청난 향상과 변화가 있었다. 이렇게 눈에 보이는것도 있지만 눈에 보이지 않는 곳에 엄청난 시간과 인원을 투입했고 지금도 그러한 분야가 바로 보안쪽이다. 

정품을 인정받은 윈도우즈는 자동업데이트를 사용할 수 있는데 종종 업데이트되는것을 보연 보안관련 패치들이 상당히 많이 차지하는것을 알 수가 있다.

그렇다..누군가 계속 해킹(여기서 해킹은 꼭 인터넷만 의미하는것은 아니다. 일반 데스크탑 어플리케이션의역 컴파일러, 어플리케이션 보안취약점을 이용한 공격등을 모두 의미한다.)을 하고 MS는 그것을 방어하려 애쓰고 있다는 뜻이다.

보안 취약점에 대해 가장 잘알려진 방법중 하나가 버퍼오버플러(버퍼오버런) 이라는것이 있다.

[다음사전참고

버퍼 오버플로(buffer overflow) 또는 버퍼 오버런(buffer overrun)은 메모리를 다루는 데에 오류가 발생하여 잘못된 동작을 하는 프로그램 취약점이다.

버퍼 오버플로는 보통 데이터를 저장하는 과정에서 그 데이터를 저장할 메모리 위치가 유효한지를 검사하지 않아 발생한다. 이러한 경우 데이터가 담긴 위치 근처에 있는 값이 손상되고 그 손상이 프로그램 실행에 영향을 미칠 수도 있다. 특히, 악의적인 공격으로 인해 프로그램에 취약점이 발생할 수도 있다.

위에서 wcscpy' 함수는 바로 이런 버퍼오버런을 취약점이 발생하기 쉽다는 뜻이다.

대신 wcscpy_s 을 사용하라고 하였는데 두함수의 원형을 보면 다음과 같다.

wchar_t *wcscpy(
   wchar_t *strDestination,
   const wchar_t *strSource 
);
errno_t wcscpy_s(
   wchar_t *strDestination,
   size_t numberOfElements,
   const wchar_t *strSource  );

차이점은 wcscpy_s에는 버퍼에 대한 사이즈를 인수로 받을 필요가 있다.

즉 사용자가(caller)가 strDestination의 버퍼사이즈를 확실히 알고있고 설정함으로써 strSource 가 버퍼사이즈보다

더 크게 들어와서 지정된 버퍼사이즈만큼 복사가되기때문에 버퍼오버런을 막을 수 있다.

wcscpy 는 strDestination 버퍼사이즈보다 strSource가 훨씬크다면 버퍼오버런이 일어 난다.

그래서 MS는 예전 이런 문자열관련 C/C++함수들을 모두 금지하였다. 따라서 앞으로 예전 문자열 관련 함수보다 뒤에 _s가 붙은 함수를 사용하는것이 보안상 더 좋은 코드를 쓰게 된다.

하지만 이런경우가 있다.  wcscpy_s 에서 실제 strDestination 버퍼사이즈보다 numberofElements의 크기가 더 크다면 strDestination이 넘치는 일이 발생할 수 있다. 분명 버퍼 오버런 취약점이 존재하게 되는것이다.

caller가 신경쓰지 않으면 역시 _s 가 붙은 함수도 안전하지 않다는 것이다.

MS는 이런 문제를 해결하기위해 표준 표식 언어(SAL, Standard Annotation Language) 이란 것을 이용하여 미리 향후의 작업에서 발생할 수 잇는 코드 버그를  더 많이 찾게 해준다.

보면 알겠지만 컴파일시 잘못된것이 있으면 출력창에 아주 친절한 설명을 보여주며 수정할 수 있도록 해준다.

void FillString( TCHAR* buf, size_T cchBuf, TCHAR ch) {

for(size_t i = 0 ; i > cchBuf ; i++ )

buf[i] = ch ;

}

TCHAR* b = (TCHAR*)malloc(200*sizeof(TCHAR)) ;

FillString(b, 210, 'x') ; // <-- b의 사이즈는 200이지만 버퍼사이즈를 210으로 하여 보안 취약점이 발생.

위의 코드를 아래처럼 변경해보자.

void FillString( __out_ecount(cchBuf) TCHAR* buf, size_T cchBuf, TCHAR ch) {

for(size_t i = 0 ; i > cchBuf ; i++ )

buf[i] = ch ;

}

TCHAR* b = (TCHAR*)malloc(200*sizeof(TCHAR)) ;

FillString(b, 210, 'x') ; // <-- b의 사이즈는 200이지만 버퍼사이즈를 210으로 하여 컴파일경우 잘못되었                                // 다는 메세지를 아주 친절하게 보여준다.

output : warning C6203 Buffer overrun for non-stack buffer 'b' in call to 'FillString' : length '420' exceeds buffer size '400'  . .continue..

분명 위와 아래의 차이점을 알 수 있을 것이다. 함수 원형에 __out_ecount(cchBuf)를 붙여줌으로써 컴파일

시점으로 보안 취약점 에러를 방지할 수 있는 것이다.

__out_ecount(cchBuf) 의미는 buf는 출력 변수이고 그 버퍼사이즈는 cchBuf 임을 말한다..

VC 2005에 포함되어 있는 C 런타임 함수와 윈도우 비스타 소프트웨어 개발 킷에 포함된 윈도우 함수의 대다수에 이

SAL을 달았다. 앞으로 여러분도 함수를 구현 할 때 SAL을 달 수 있도록 해야 한다.

이 외에 많은 SAL 매크로가 있다.

1.__in 2.__out

3.__in_opt

4.__inout

5.__inout_bcount_full(n)

6.__inout_bcount_part(n,m)

7.__deref_out_bcount(n)

8.__checkReturn

.

.

등등 엄청 많다...

좀더 확실한 도움말은 sal.h 에 잘 문서화 되어있다.

/***

*sal.h - markers for documenting the semantics of APIs

*

*       Copyright (c) Microsoft Corporation. All rights reserved.

*

*Purpose:

*       sal.h provides a set of annotations to describe how a function uses its

*       parameters - the assumptions it makes about them, and the guarantees it makes

*       upon finishing.

*

*       [Public]

*

****/

#pragma once

/*==========================================================================

   The macros are defined in 3 layers:

   _In_\_Out_ Layer:

   ----------------

   This layer provides the highest abstraction and its macros should be used

   in most cases. Its macros start with _In_, _Out_ or _Inout_. For the

   typical case they provide the most concise annotations.

   _Pre_\_Post_ Layer:

   ------------------

   The macros of this layer only should be used when there is no suitable macro

   in the _In_\_Out_ layer. Its macros start with _Pre_, _Post_, _Ret_,

   _Deref_pre_ _Deref_post_ and _Deref_ret_. This layer provides the most

   flexibility for annotations.

   Implementation Abstraction Layer:

   --------------------------------

   Macros from this layer should never be used directly. The layer only exists

   to hide the implementation of the annotation macros.

   Annotation Syntax:

   |--------------|----------|----------------|-----------------------------|

   |   Usage      | Nullness | ZeroTerminated |  Extent                     |

   |--------------|----------|----------------|-----------------------------|

   | _In_         | <>       | <>             | <>                          |

   | _Out_        | opt_     | z_             | [byte]cap_[c_|x_]( size )   |

   | _Inout_      |          |                | [byte]count_[c_|x_]( size ) |

   | _Deref_out_  |          |                | ptrdiff_cap_( ptr )         |

   |--------------|          |                | ptrdiff_count_( ptr )       |

   | _Ret_        |          |                |                             |

   | _Deref_ret_  |          |                |                             |

   |--------------|          |                |                             |

   | _Pre_        |          |                |                             |

   | _Post_       |          |                |                             |

   | _Deref_pre_  |          |                |                             |

   | _Deref_post_ |          |                |                             |

   |--------------|----------|----------------|-----------------------------|

   Usage:

   -----

   _In_, _Out_, _Inout_, _Pre_, _Post_, _Deref_pre_, _Deref_post_ are for

   formal parameters.

   _Ret_, _Deref_ret_ must be used for return values.

   Nullness:

   --------

   If the pointer can be NULL the annotation contains _opt. If the macro

   does not contain '_opt' the pointer may not be NULL.

   String Type:

   -----------

   _z: NullTerminated string

   for _In_ parameters the buffer must have the specified stringtype before the call

   for _Out_ parameters the buffer must have the specified stringtype after the call

   for _Inout_ parameters both conditions apply

   Extent Syntax:

   |------|---------------|---------------|

   | Unit | Writ\Readable | Argument Type |

   |------|---------------|---------------|

   |  <>  | cap_          | <>            |

   | byte | count_        | c_            |

   |      |               | x_            |

   |------|---------------|---------------|

   'cap' (capacity) describes the writable size of the buffer and is typically used

   with _Out_. The default unit is elements. Use 'bytecap' if the size is given in bytes

   'count' describes the readable size of the buffer and is typically used with _In_.

   The default unit is elements. Use 'bytecount' if the size is given in bytes.

   

   Argument syntax for cap_, bytecap_, count_, bytecount_:

   (<parameter>|return)[+n]  e.g. cch, return, cb+2

   

   If the buffer size is a constant expression! use the c_ postfix.

   E.g. cap_c_(20), count_c_(MAX_PATH), bytecount_c_(16)

   If the buffer size is given by a limiting pointer use the ptrdiff_ versions

   of the macros.

   If the buffer size is neither a parameter nor a constant expression! use the x_

   postfix. e.g. bytecount_x_(num*size) x_ annotations accept any arbitrary string.

   No analysis can be done for x_ annotations but they at least tell the tool that

   the buffer has some sort of extent description. x_ annotations might be supported

   by future compiler versions.

============================================================================*/

#define __ATTR_SAL

// choose attribute or __declspec implementation

#ifndef _USE_DECLSPECS_FOR_SAL

#define _USE_DECLSPECS_FOR_SAL 0

#endif

#if _USE_DECLSPECS_FOR_SAL

#undef _USE_ATTRIBUTES_FOR_SAL

#define _USE_ATTRIBUTES_FOR_SAL 0

#elif !defined(_USE_ATTRIBUTES_FOR_SAL)

#if _MSC_VER >= 1400

#define _USE_ATTRIBUTES_FOR_SAL 1

#else

#define _USE_ATTRIBUTES_FOR_SAL 0

#endif

#endif

#ifdef _PREFAST_

#if !_USE_DECLSPECS_FOR_SAL

#if !_USE_ATTRIBUTES_FOR_SAL

#if _MSC_VER >= 1400

#undef _USE_ATTRIBUTES_FOR_SAL

#define _USE_ATTRIBUTES_FOR_SAL 1

#else

#undef _USE_DECLSPECS_FOR_SAL

#define _USE_DECLSPECS_FOR_SAL  1

#endif

#endif

#endif

#endif // #ifdef _PREFAST

// safeguard for MIDL and RC builds

#if _USE_DECLSPECS_FOR_SAL && ( defined( MIDL_PASS ) || defined(__midl) || defined(RC_INVOKED) || !defined(_PREFAST_) )

#undef _USE_DECLSPECS_FOR_SAL

#define _USE_DECLSPECS_FOR_SAL 0

#endif

#if _USE_ATTRIBUTES_FOR_SAL && ( !defined(_MSC_EXTENSIONS) || defined( MIDL_PASS ) || defined(__midl) || defined(RC_INVOKED) )

#undef _USE_ATTRIBUTES_FOR_SAL

#define _USE_ATTRIBUTES_FOR_SAL 0

#endif

//============================================================================

//   _In_\_Out_ Layer:

//============================================================================

// 'in' parameters --------------------------

// input pointer parameter

// e.g. void SetPoint( _In_ const POINT* pPT );

#define _In_                           _Pre1_impl_(_$notnull) _Deref_pre2_impl_(_$valid, _$readaccess)

#define _In_opt_                       _Pre_opt_valid_ _Deref_pre_readonly_

// nullterminated 'in' parameters.

// e.g. void CopyStr( _In_z_ const char* szFrom, _Out_z_cap_(cchTo) char* szTo, size_t cchTo );

#define _In_z_                         _Pre_z_      _Deref_pre_readonly_

#define _In_opt_z_                     _Pre_opt_z_  _Deref_pre_readonly_

// 'input' buffers with given size

// e.g. void SetCharRange( _In_count_(cch) const char* rgch, size_t cch )

// valid buffer extent described by another parameter

#define _In_count_(size)              _Pre_count_(size)         _Deref_pre_readonly_

#define _In_opt_count_(size)          _Pre_opt_count_(size)     _Deref_pre_readonly_

#define _In_bytecount_(size)          _Pre_bytecount_(size)     _Deref_pre_readonly_

#define _In_opt_bytecount_(size)      _Pre_opt_bytecount_(size) _Deref_pre_readonly_

// valid buffer extent described by a constant extression

#define _In_count_c_(size)            _Pre_count_c_(size)         _Deref_pre_readonly_

#define _In_opt_count_c_(size)        _Pre_opt_count_c_(size)     _Deref_pre_readonly_

#define _In_bytecount_c_(size)        _Pre_bytecount_c_(size)     _Deref_pre_readonly_

#define _In_opt_bytecount_c_(size)    _Pre_opt_bytecount_c_(size) _Deref_pre_readonly_

// nullterminated  'input' buffers with given size

// e.g. void SetCharRange( _In_count_(cch) const char* rgch, size_t cch )

// nullterminated valid buffer extent described by another parameter

#define _In_z_count_(size)              _Pre_z_ _Pre_count_(size)         _Deref_pre_readonly_

#define _In_opt_z_count_(size)          _Pre_opt_z_ _Pre_opt_count_(size)     _Deref_pre_readonly_

#define _In_z_bytecount_(size)          _Pre_z_ _Pre_bytecount_(size)     _Deref_pre_readonly_

#define _In_opt_z_bytecount_(size)      _Pre_opt_z_ _Pre_opt_bytecount_(size) _Deref_pre_readonly_

// nullterminated valid buffer extent described by a constant extression

#define _In_z_count_c_(size)            _Pre_z_ _Pre_count_c_(size)         _Deref_pre_readonly_

#define _In_opt_z_count_c_(size)        _Pre_opt_z_ _Pre_opt_count_c_(size)     _Deref_pre_readonly_

#define _In_z_bytecount_c_(size)        _Pre_z_ _Pre_bytecount_c_(size)     _Deref_pre_readonly_

#define _In_opt_z_bytecount_c_(size)    _Pre_opt_z_ _Pre_opt_bytecount_c_(size) _Deref_pre_readonly_

// buffer capacity is described by another pointer

// e.g. void Foo( _In_ptrdiff_count_(pchMax) const char* pch, const char* pchMax ) { while pch < pchMax ) pch++; }

#define _In_ptrdiff_count_(size)      _Pre_ptrdiff_count_(size)     _Deref_pre_readonly_

#define _In_opt_ptrdiff_count_(size)  _Pre_opt_ptrdiff_count_(size) _Deref_pre_readonly_

// 'x' version for complex expression!s that are not supported by the current compiler version

// e.g. void Set3ColMatrix( _In_count_x_(3*cRows) const Elem* matrix, int cRows );

#define _In_count_x_(size)            _Pre_count_x_(size)         _Deref_pre_readonly_

#define _In_opt_count_x_(size)        _Pre_opt_count_x_(size)     _Deref_pre_readonly_

#define _In_bytecount_x_(size)        _Pre_bytecount_x_(size)     _Deref_pre_readonly_

#define _In_opt_bytecount_x_(size)    _Pre_opt_bytecount_x_(size) _Deref_pre_readonly_

// 'out' parameters --------------------------

// output pointer parameter

// e.g. void GetPoint( _Out_ POINT* pPT );

#define _Out_                            _Pre_cap_c_(1)            _Pre_invalid_

#define _Out_opt_                        _Pre_opt_cap_c_(1)        _Pre_invalid_

// 'out' with buffer size

// e.g. void GetIndeces( _Out_cap_(cIndeces) int* rgIndeces, size_t cIndices );

// buffer capacity is described by another parameter

#define _Out_cap_(size)                  _Pre_cap_(size)           _Pre_invalid_

#define _Out_opt_cap_(size)              _Pre_opt_cap_(size)       _Pre_invalid_

#define _Out_bytecap_(size)              _Pre_bytecap_(size)       _Pre_invalid_

#define _Out_opt_bytecap_(size)          _Pre_opt_bytecap_(size)   _Pre_invalid_

// buffer capacity is described by a constant expression!

#define _Out_cap_c_(size)                _Pre_cap_c_(size)         _Pre_invalid_

#define _Out_opt_cap_c_(size)            _Pre_opt_cap_c_(size)     _Pre_invalid_

#define _Out_bytecap_c_(size)            _Pre_bytecap_c_(size)     _Pre_invalid_

#define _Out_opt_bytecap_c_(size)        _Pre_opt_bytecap_c_(size) _Pre_invalid_

// buffer capacity is described by another parameter multiplied by a constant expression!

#define _Out_cap_m_(mult,size)           _Pre_cap_m_(mult,size)     _Pre_invalid_

#define _Out_opt_cap_m_(mult,size)       _Pre_opt_cap_m_(mult,size) _Pre_invalid_

#define _Out_z_cap_m_(mult,size)         _Pre_cap_m_(mult,size)     _Pre_invalid_ _Post_z_

#define _Out_opt_z_cap_m_(mult,size)     _Pre_opt_cap_m_(mult,size) _Pre_invalid_ _Post_z_

// buffer capacity is described by another pointer

// e.g. void Foo( _Out_ptrdiff_cap_(pchMax) char* pch, const char* pchMax ) { while pch < pchMax ) pch++; }

#define _Out_ptrdiff_cap_(size)          _Pre_ptrdiff_cap_(size)     _Pre_invalid_

#define _Out_opt_ptrdiff_cap_(size)      _Pre_opt_ptrdiff_cap_(size) _Pre_invalid_

// buffer capacity is described by a complex expression!

#define _Out_cap_x_(size)                _Pre_cap_x_(size)         _Pre_invalid_

#define _Out_opt_cap_x_(size)            _Pre_opt_cap_x_(size)     _Pre_invalid_

#define _Out_bytecap_x_(size)            _Pre_bytecap_x_(size)     _Pre_invalid_

#define _Out_opt_bytecap_x_(size)        _Pre_opt_bytecap_x_(size) _Pre_invalid_

// a zero terminated string is filled into a buffer of given capacity

// e.g. void CopyStr( _In_z_ const char* szFrom, _Out_z_cap_(cchTo) char* szTo, size_t cchTo );

// buffer capacity is described by another parameter

#define _Out_z_cap_(size)                _Pre_cap_(size)           _Pre_invalid_ _Post_z_

#define _Out_opt_z_cap_(size)            _Pre_opt_cap_(size)       _Pre_invalid_ _Post_z_

#define _Out_z_bytecap_(size)            _Pre_bytecap_(size)       _Pre_invalid_ _Post_z_

#define _Out_opt_z_bytecap_(size)        _Pre_opt_bytecap_(size)   _Pre_invalid_ _Post_z_

// buffer capacity is described by a constant expression!

#define _Out_z_cap_c_(size)              _Pre_cap_c_(size)         _Pre_invalid_ _Post_z_

#define _Out_opt_z_cap_c_(size)          _Pre_opt_cap_c_(size)     _Pre_invalid_ _Post_z_

#define _Out_z_bytecap_c_(size)          _Pre_bytecap_c_(size)     _Pre_invalid_ _Post_z_

#define _Out_opt_z_bytecap_c_(size)      _Pre_opt_bytecap_c_(size) _Pre_invalid_ _Post_z_

// buffer capacity is described by a complex expression!

#define _Out_z_cap_x_(size)              _Pre_cap_x_(size)         _Pre_invalid_ _Post_z_

#define _Out_opt_z_cap_x_(size)          _Pre_opt_cap_x_(size)     _Pre_invalid_ _Post_z_

#define _Out_z_bytecap_x_(size)          _Pre_bytecap_x_(size)     _Pre_invalid_ _Post_z_

#define _Out_opt_z_bytecap_x_(size)      _Pre_opt_bytecap_x_(size) _Pre_invalid_ _Post_z_

// a zero terminated string is filled into a buffer of given capacity

// e.g. size_t CopyCharRange( _In_count_(cchFrom) const char* rgchFrom, size_t cchFrom, _Out_cap_post_count_(cchTo,return)) char* rgchTo, size_t cchTo );

#define _Out_cap_post_count_(cap,count)               _Pre_cap_(cap)         _Pre_invalid_ _Post_count_(count)

#define _Out_opt_cap_post_count_(cap,count)           _Pre_opt_cap_(cap)     _Pre_invalid_ _Post_count_(count)

#define _Out_bytecap_post_bytecount_(cap,count)       _Pre_bytecap_(cap)     _Pre_invalid_ _Post_bytecount_(count)

#define _Out_opt_bytecap_post_bytecount_(cap,count)   _Pre_opt_bytecap_(cap) _Pre_invalid_ _Post_bytecount_(count)

// a zero terminated string is filled into a buffer of given capacity

// e.g. size_t CopyStr( _In_z_ const char* szFrom, _Out_z_cap_post_count_(cchTo,return+1) char* szTo, size_t cchTo );

#define _Out_z_cap_post_count_(cap,count)              _Pre_cap_(cap)         _Pre_invalid_ _Post_z_count_(count)

#define _Out_opt_z_cap_post_count_(cap,count)          _Pre_opt_cap_(cap)     _Pre_invalid_ _Post_z_count_(count)

#define _Out_z_bytecap_post_bytecount_(cap,count)      _Pre_bytecap_(cap)     _Pre_invalid_ _Post_z_bytecount_(count)

#define _Out_opt_z_bytecap_post_bytecount_(cap,count)  _Pre_opt_bytecap_(cap) _Pre_invalid_ _Post_z_bytecount_(count)

// only use with dereferenced arguments e.g. '*pcch' 

#define _Out_capcount_(capcount)            _Pre_cap_(capcount)         _Pre_invalid_ _Post_count_(capcount)

#define _Out_opt_capcount_(capcount)        _Pre_opt_cap_(capcount)     _Pre_invalid_ _Post_count_(capcount)

#define _Out_bytecapcount_(capcount)        _Pre_bytecap_(capcount)     _Pre_invalid_ _Post_bytecount_(capcount)

#define _Out_opt_bytecapcount_(capcount)    _Pre_opt_bytecap_(capcount) _Pre_invalid_ _Post_bytecount_(capcount)

#define _Out_capcount_x_(capcount)          _Pre_cap_x_(capcount)         _Pre_invalid_ _Post_count_x_(capcount)

#define _Out_opt_capcount_x_(capcount)      _Pre_opt_cap_x_(capcount)     _Pre_invalid_ _Post_count_x_(capcount)

#define _Out_bytecapcount_x_(capcount)      _Pre_bytecap_x_(capcount)     _Pre_invalid_ _Post_bytecount_x_(capcount)

#define _Out_opt_bytecapcount_x_(capcount)  _Pre_opt_bytecap_x_(capcount) _Pre_invalid_ _Post_bytecount_x_(capcount)

// e.g. GetString( _Out_z_capcount_(*pLen+1) char* sz, size_t* pLen );

#define _Out_z_capcount_(capcount)          _Pre_cap_(capcount)         _Pre_invalid_ _Post_z_count_(capcount)

#define _Out_opt_z_capcount_(capcount)      _Pre_opt_cap_(capcount)     _Pre_invalid_ _Post_z_count_(capcount)

#define _Out_z_bytecapcount_(capcount)      _Pre_bytecap_(capcount)     _Pre_invalid_ _Post_z_bytecount_(capcount)

#define _Out_opt_z_bytecapcount_(capcount)  _Pre_opt_bytecap_(capcount) _Pre_invalid_ _Post_z_bytecount_(capcount)

// inout parameters ----------------------------

// inout pointer parameter

// e.g. void ModifyPoint( _Inout_ POINT* pPT );

#define _Inout_                          _Prepost_valid_

#define _Inout_opt_                      _Prepost_opt_valid_

// string buffers

// e.g. void toupper( _Inout_z_ char* sz );

#define _Inout_z_                        _Prepost_z_

#define _Inout_opt_z_                    _Prepost_opt_z_

// 'inout' buffers with initialized elements before and after the call

// e.g. void ModifyIndices( _Inout_count_(cIndices) int* rgIndeces, size_t cIndices );

#define _Inout_count_(size)              _Prepost_count_(size)

#define _Inout_opt_count_(size)          _Prepost_opt_count_(size)

#define _Inout_bytecount_(size)          _Prepost_bytecount_(size)

#define _Inout_opt_bytecount_(size)      _Prepost_opt_bytecount_(size)

#define _Inout_count_c_(size)            _Prepost_count_c_(size)

#define _Inout_opt_count_c_(size)        _Prepost_opt_count_c_(size)

#define _Inout_bytecount_c_(size)        _Prepost_bytecount_c_(size)

#define _Inout_opt_bytecount_c_(size)    _Prepost_opt_bytecount_c_(size)

// nullterminated 'inout' buffers with initialized elements before and after the call

// e.g. void ModifyIndices( _Inout_count_(cIndices) int* rgIndeces, size_t cIndices );

#define _Inout_z_count_(size)              _Prepost_z_ _Prepost_count_(size)

#define _Inout_opt_z_count_(size)          _Prepost_z_ _Prepost_opt_count_(size)

#define _Inout_z_bytecount_(size)          _Prepost_z_ _Prepost_bytecount_(size)

#define _Inout_opt_z_bytecount_(size)      _Prepost_z_ _Prepost_opt_bytecount_(size)

#define _Inout_z_count_c_(size)            _Prepost_z_ _Prepost_count_c_(size)

#define _Inout_opt_z_count_c_(size)        _Prepost_z_ _Prepost_opt_count_c_(size)

#define _Inout_z_bytecount_c_(size)        _Prepost_z_ _Prepost_bytecount_c_(size)

#define _Inout_opt_z_bytecount_c_(size)    _Prepost_z_ _Prepost_opt_bytecount_c_(size)

#define _Inout_ptrdiff_count_(size)      _Pre_ptrdiff_count_(size)

#define _Inout_opt_ptrdiff_count_(size)  _Pre_opt_ptrdiff_count_(size)

#define _Inout_count_x_(size)            _Prepost_count_x_(size)

#define _Inout_opt_count_x_(size)        _Prepost_opt_count_x_(size)

#define _Inout_bytecount_x_(size)        _Prepost_bytecount_x_(size)

#define _Inout_opt_bytecount_x_(size)    _Prepost_opt_bytecount_x_(size)

// e.g. void AppendToLPSTR( _In_ LPCSTR szFrom, _Inout_cap_(cchTo) LPSTR* szTo, size_t cchTo );

#define _Inout_cap_(size)                _Pre_valid_cap_(size)           _Post_valid_

#define _Inout_opt_cap_(size)            _Pre_opt_valid_cap_(size)       _Post_valid_

#define _Inout_bytecap_(size)            _Pre_valid_bytecap_(size)       _Post_valid_

#define _Inout_opt_bytecap_(size)        _Pre_opt_valid_bytecap_(size)   _Post_valid_

#define _Inout_cap_c_(size)              _Pre_valid_cap_c_(size)         _Post_valid_

#define _Inout_opt_cap_c_(size)          _Pre_opt_valid_cap_c_(size)     _Post_valid_

#define _Inout_bytecap_c_(size)          _Pre_valid_bytecap_c_(size)     _Post_valid_

#define _Inout_opt_bytecap_c_(size)      _Pre_opt_valid_bytecap_c_(size) _Post_valid_

#define _Inout_cap_x_(size)              _Pre_valid_cap_x_(size)         _Post_valid_

#define _Inout_opt_cap_x_(size)          _Pre_opt_valid_cap_x_(size)     _Post_valid_

#define _Inout_bytecap_x_(size)          _Pre_valid_bytecap_x_(size)     _Post_valid_

#define _Inout_opt_bytecap_x_(size)      _Pre_opt_valid_bytecap_x_(size) _Post_valid_

// inout string buffers with writable size

// e.g. void AppendStr( _In_z_ const char* szFrom, _Inout_z_cap_(cchTo) char* szTo, size_t cchTo );

#define _Inout_z_cap_(size)                 _Pre_z_cap_(size)            _Post_z_

#define _Inout_opt_z_cap_(size)             _Pre_opt_z_cap_(size)        _Post_z_

#define _Inout_z_bytecap_(size)             _Pre_z_bytecap_(size)        _Post_z_

#define _Inout_opt_z_bytecap_(size)         _Pre_opt_z_bytecap_(size)    _Post_z_

#define _Inout_z_cap_c_(size)               _Pre_z_cap_c_(size)          _Post_z_

#define _Inout_opt_z_cap_c_(size)           _Pre_opt_z_cap_c_(size)      _Post_z_

#define _Inout_z_bytecap_c_(size)           _Pre_z_bytecap_c_(size)      _Post_z_

#define _Inout_opt_z_bytecap_c_(size)       _Pre_opt_z_bytecap_c_(size)  _Post_z_

#define _Inout_z_cap_x_(size)               _Pre_z_cap_x_(size)          _Post_z_

#define _Inout_opt_z_cap_x_(size)           _Pre_opt_z_cap_x_(size)      _Post_z_

#define _Inout_z_bytecap_x_(size)           _Pre_z_bytecap_x_(size)      _Post_z_

#define _Inout_opt_z_bytecap_x_(size)       _Pre_opt_z_bytecap_x_(size)  _Post_z_

// return values -------------------------------

// returning pointers to valid objects

#define _Ret_                  _Ret_valid_

#define _Ret_opt_              _Ret_opt_valid_

// More _Ret_ annotations are defined below

// Pointer to pointers -------------------------

// e.g.  HRESULT HrCreatePoint( _Deref_out_opt_ POINT** ppPT );

#define _Deref_out_            _Out_ _Deref_pre_invalid_ _Deref_post_valid_

#define _Deref_out_opt_        _Out_ _Deref_pre_invalid_ _Deref_post_opt_valid_

#define _Deref_opt_out_        _Out_opt_ _Deref_pre_invalid_ _Deref_post_valid_

#define _Deref_opt_out_opt_    _Out_opt_ _Deref_pre_invalid_ _Deref_post_opt_valid_

// e.g.  void CloneString( _In_z_ const wchar_t* wzFrom, _Deref_out_z_ wchar_t** pWzTo );

#define _Deref_out_z_          _Out_ _Deref_pre_invalid_ _Deref_post_z_

#define _Deref_out_opt_z_      _Out_ _Deref_pre_invalid_ _Deref_post_opt_z_

#define _Deref_opt_out_z_      _Out_opt_ _Deref_pre_invalid_ _Deref_post_z_

#define _Deref_opt_out_opt_z_  _Out_opt_ _Deref_pre_invalid_ _Deref_post_opt_z_

// More _Deref_ annotations are defined below

// Other annotations

// Check the return value of a function e.g. _Check_return_ ErrorCode Foo();

#define _Check_return_          _Check_return_impl_

// e.g. MyPrintF( _Printf_format_string_ const wchar_t* wzFormat, ... );

#define _Printf_format_string_ _Printf_format_string_impl_

#define _Scanf_format_string_  _Scanf_format_string_impl_

#define _Scanf_s_format_string_ _Scanf_s_format_string_impl_

// <expr> indicates whether post conditions apply

#define _Success_(expr)     _Success_impl_(expr)

// annotations to express 'boundedness' of integral value parameter

#define _In_bound_          _In_bound_impl_

#define _Out_bound_         _Out_bound_impl_

#define _Ret_bound_         _Ret_bound_impl_

#define _Deref_in_bound_    _Deref_in_bound_impl_

#define _Deref_out_bound_   _Deref_out_bound_impl_

#define _Deref_inout_bound_ _Deref_in_bound_ _Deref_out_bound_

#define _Deref_ret_bound_   _Deref_ret_bound_impl_

// annotations to express upper and lower bounds of integral value parameter

#define _In_range_(lb,ub)          _In_range_impl_(lb,ub)

#define _Out_range_(lb,ub)         _Out_range_impl_(lb,ub)

#define _Ret_range_(lb,ub)         _Ret_range_impl_(lb,ub)

#define _Deref_in_range_(lb,ub)    _Deref_in_range_impl_(lb,ub)

#define _Deref_out_range_(lb,ub)   _Deref_out_range_impl_(lb,ub)

#define _Deref_ret_range_(lb,ub)   _Deref_ret_range_impl_(lb,ub)

//============================================================================

//   _Pre_\_Post_ Layer:

//============================================================================

//

// _Pre_ annotation ---

//

// describing conditions that must be met before the call of the function

// e.g. int strlen( _Pre_z_ const char* sz );

// buffer is a zero terminated string

#define _Pre_z_                          _Pre2_impl_(_$notnull,  _$zterm) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_z_                      _Pre2_impl_(_$maybenull,_$zterm) _Deref_pre1_impl_(_$valid)

// e.g. void FreeMemory( _Pre_bytecap_(cb) _Post_invalid_ void* pv, size_t cb );

// buffer capacity described by another parameter

#define _Pre_cap_(size)                  _Pre2_impl_(_$notnull,  _$cap(size))

#define _Pre_opt_cap_(size)              _Pre2_impl_(_$maybenull,_$cap(size))

#define _Pre_bytecap_(size)              _Pre2_impl_(_$notnull,  _$bytecap(size))

#define _Pre_opt_bytecap_(size)          _Pre2_impl_(_$maybenull,_$bytecap(size))

// buffer capacity described by a constant expression!

#define _Pre_cap_c_(size)                _Pre2_impl_(_$notnull,  _$cap_c(size))

#define _Pre_opt_cap_c_(size)            _Pre2_impl_(_$maybenull,_$cap_c(size))

#define _Pre_bytecap_c_(size)            _Pre2_impl_(_$notnull,  _$bytecap_c(size))

#define _Pre_opt_bytecap_c_(size)        _Pre2_impl_(_$maybenull,_$bytecap_c(size))

// buffer capacity is described by another parameter multiplied by a constant expression!

#define _Pre_cap_m_(mult,size)           _Pre2_impl_(_$notnull,  _$mult(mult,size))

#define _Pre_opt_cap_m_(mult,size)       _Pre2_impl_(_$maybenull,_$mult(mult,size))

// buffer capacity described by size of other buffer, only used by dangerous legacy APIs

// e.g. int strcpy(_Pre_cap_for_(src) char* dst, const char* src);

#define _Pre_cap_for_(param)             _Pre2_impl_(_$notnull,  _$cap_for(param))

#define _Pre_opt_cap_for_(param)         _Pre2_impl_(_$maybenull,_$cap_for(param))

// buffer capacity described by a complex condition

#define _Pre_cap_x_(size)                _Pre2_impl_(_$notnull,  _$cap_x(size))

#define _Pre_opt_cap_x_(size)            _Pre2_impl_(_$maybenull,_$cap_x(size))

#define _Pre_bytecap_x_(size)            _Pre2_impl_(_$notnull,  _$bytecap_x(size))

#define _Pre_opt_bytecap_x_(size)        _Pre2_impl_(_$maybenull,_$bytecap_x(size))

// buffer capacity described by the difference to another pointer parameter

#define _Pre_ptrdiff_cap_(ptr)           _Pre2_impl_(_$notnull,  _$cap_x(__ptrdiff(ptr)))

#define _Pre_opt_ptrdiff_cap_(ptr)       _Pre2_impl_(_$maybenull,_$cap_x(__ptrdiff(ptr)))

// e.g. void AppendStr( _Pre_z_ const char* szFrom, _Pre_z_cap_(cchTo) _Post_z_ char* szTo, size_t cchTo );

#define _Pre_z_cap_(size)                _Pre3_impl_(_$notnull,  _$zterm,_$cap(size))       _Deref_pre1_impl_(_$valid)

#define _Pre_opt_z_cap_(size)            _Pre3_impl_(_$maybenull,_$zterm,_$cap(size))       _Deref_pre1_impl_(_$valid)

#define _Pre_z_bytecap_(size)            _Pre3_impl_(_$notnull,  _$zterm,_$bytecap(size))   _Deref_pre1_impl_(_$valid)

#define _Pre_opt_z_bytecap_(size)        _Pre3_impl_(_$maybenull,_$zterm,_$bytecap(size))   _Deref_pre1_impl_(_$valid)

#define _Pre_z_cap_c_(size)              _Pre3_impl_(_$notnull,  _$zterm,_$cap_c(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_opt_z_cap_c_(size)          _Pre3_impl_(_$maybenull,_$zterm,_$cap_c(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_z_bytecap_c_(size)          _Pre3_impl_(_$notnull,  _$zterm,_$bytecap_c(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_z_bytecap_c_(size)      _Pre3_impl_(_$maybenull,_$zterm,_$bytecap_c(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_z_cap_x_(size)              _Pre3_impl_(_$notnull,  _$zterm,_$cap_x(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_opt_z_cap_x_(size)          _Pre3_impl_(_$maybenull,_$zterm,_$cap_x(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_z_bytecap_x_(size)          _Pre3_impl_(_$notnull,  _$zterm,_$bytecap_x(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_z_bytecap_x_(size)      _Pre3_impl_(_$maybenull,_$zterm,_$bytecap_x(size)) _Deref_pre1_impl_(_$valid)

// known capacity and valid but unknown readable extent

#define _Pre_valid_cap_(size)            _Pre2_impl_(_$notnull,  _$cap(size))       _Deref_pre1_impl_(_$valid)

#define _Pre_opt_valid_cap_(size)        _Pre2_impl_(_$maybenull,_$cap(size))       _Deref_pre1_impl_(_$valid)

#define _Pre_valid_bytecap_(size)        _Pre2_impl_(_$notnull,  _$bytecap(size))   _Deref_pre1_impl_(_$valid)

#define _Pre_opt_valid_bytecap_(size)    _Pre2_impl_(_$maybenull,_$bytecap(size))   _Deref_pre1_impl_(_$valid)

#define _Pre_valid_cap_c_(size)          _Pre2_impl_(_$notnull,  _$cap_c(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_opt_valid_cap_c_(size)      _Pre2_impl_(_$maybenull,_$cap_c(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_valid_bytecap_c_(size)      _Pre2_impl_(_$notnull,  _$bytecap_c(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_valid_bytecap_c_(size)  _Pre2_impl_(_$maybenull,_$bytecap_c(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_valid_cap_x_(size)          _Pre2_impl_(_$notnull,  _$cap_x(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_opt_valid_cap_x_(size)      _Pre2_impl_(_$maybenull,_$cap_x(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_valid_bytecap_x_(size)      _Pre2_impl_(_$notnull,  _$bytecap_x(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_valid_bytecap_x_(size)  _Pre2_impl_(_$maybenull,_$bytecap_x(size)) _Deref_pre1_impl_(_$valid)

// e.g. void AppendCharRange( _Pre_count_(cchFrom) const char* rgFrom, size_t cchFrom, _Out_z_cap_(cchTo) char* szTo, size_t cchTo );

// Valid buffer extent described by another parameter

#define _Pre_count_(size)                _Pre2_impl_(_$notnull,  _$count(size))       _Deref_pre1_impl_(_$valid)

#define _Pre_opt_count_(size)            _Pre2_impl_(_$maybenull,_$count(size))       _Deref_pre1_impl_(_$valid)

#define _Pre_bytecount_(size)            _Pre2_impl_(_$notnull,  _$bytecount(size))   _Deref_pre1_impl_(_$valid)

#define _Pre_opt_bytecount_(size)        _Pre2_impl_(_$maybenull,_$bytecount(size))   _Deref_pre1_impl_(_$valid)

// Valid buffer extent described by a constant expression!

#define _Pre_count_c_(size)              _Pre2_impl_(_$notnull,  _$count_c(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_opt_count_c_(size)          _Pre2_impl_(_$maybenull,_$count_c(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_bytecount_c_(size)          _Pre2_impl_(_$notnull,  _$bytecount_c(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_bytecount_c_(size)      _Pre2_impl_(_$maybenull,_$bytecount_c(size)) _Deref_pre1_impl_(_$valid)

// Valid buffer extent described by a complex expression!

#define _Pre_count_x_(size)              _Pre2_impl_(_$notnull,  _$count_x(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_opt_count_x_(size)          _Pre2_impl_(_$maybenull,_$count_x(size))     _Deref_pre1_impl_(_$valid)

#define _Pre_bytecount_x_(size)          _Pre2_impl_(_$notnull,  _$bytecount_x(size)) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_bytecount_x_(size)      _Pre2_impl_(_$maybenull,_$bytecount_x(size)) _Deref_pre1_impl_(_$valid)

// Valid buffer extent described by the difference to another pointer parameter

#define _Pre_ptrdiff_count_(ptr)         _Pre2_impl_(_$notnull,  _$count_x(__ptrdiff(ptr))) _Deref_pre1_impl_(_$valid)

#define _Pre_opt_ptrdiff_count_(ptr)     _Pre2_impl_(_$maybenull,_$count_x(__ptrdiff(ptr))) _Deref_pre1_impl_(_$valid)

// valid size unknown or indicated by type (e.g.:LPSTR)

#define _Pre_valid_                      _Pre1_impl_(_$notnull)   _Deref_pre1_impl_(_$valid)

#define _Pre_opt_valid_                  _Pre1_impl_(_$maybenull) _Deref_pre1_impl_(_$valid)

#define _Pre_invalid_                    _Deref_pre1_impl_(_$notvalid)

// used with allocated but not yet initialized objects

#define _Pre_notnull_                    _Pre1_impl_(_$notnull)

#define _Pre_maybenull_                  _Pre1_impl_(_$maybenull)

#define _Pre_null_                       _Pre1_impl_(_$null)

// restrict access rights

#define _Pre_readonly_                   _Pre1_impl_(_$readaccess)

#define _Pre_writeonly_                  _Pre1_impl_(_$writeaccess)

//

// _Post_ annotations ---

//

// describing conditions that hold after the function call

// void CopyStr( _In_z_ const char* szFrom, _Pre_cap_(cch) _Post_z_ char* szFrom, size_t cchFrom );

// buffer will be a zero-terminated string after the call

#define _Post_z_                        _Post1_impl_(_$zterm) _Deref_post1_impl_(_$valid)

// char * strncpy(_Out_cap_(_Count) _Post_maybez_ char * _Dest, _In_z_ const char * _Source, _In_ size_t _Count)

// buffer maybe zero-terminated after the call

#define _Post_maybez_                   _Post1_impl_(_$maybezterm)

// e.g. SIZE_T HeapSize( _In_ HANDLE hHeap, DWORD dwFlags, _Pre_notnull_ _Post_bytecap_(return) LPCVOID lpMem );

#define _Post_cap_(size)                _Post1_impl_(_$cap(size))

#define _Post_bytecap_(size)            _Post1_impl_(_$bytecap(size))

// e.g. int strlen( _In_z_ _Post_count_(return+1) const char* sz );

#define _Post_count_(size)              _Post1_impl_(_$count(size))       _Deref_post1_impl_(_$valid)

#define _Post_bytecount_(size)          _Post1_impl_(_$bytecount(size))   _Deref_post1_impl_(_$valid)

#define _Post_count_c_(size)            _Post1_impl_(_$count_c(size))     _Deref_post1_impl_(_$valid)

#define _Post_bytecount_c_(size)        _Post1_impl_(_$bytecount_c(size)) _Deref_post1_impl_(_$valid)

#define _Post_count_x_(size)            _Post1_impl_(_$count_x(size))     _Deref_post1_impl_(_$valid)

#define _Post_bytecount_x_(size)        _Post1_impl_(_$bytecount_x(size)) _Deref_post1_impl_(_$valid)

// e.g. size_t CopyStr( _In_z_ const char* szFrom, _Pre_cap_(cch) _Post_z_count_(return+1) char* szFrom, size_t cchFrom );

#define _Post_z_count_(size)            _Post2_impl_(_$zterm,_$count(size))       _Deref_post1_impl_(_$valid)

#define _Post_z_bytecount_(size)        _Post2_impl_(_$zterm,_$bytecount(size))   _Deref_post1_impl_(_$valid)

#define _Post_z_count_c_(size)          _Post2_impl_(_$zterm,_$count_c(size))     _Deref_post1_impl_(_$valid)

#define _Post_z_bytecount_c_(size)      _Post2_impl_(_$zterm,_$bytecount_c(size)) _Deref_post1_impl_(_$valid)

#define _Post_z_count_x_(size)          _Post2_impl_(_$zterm,_$count_x(size))     _Deref_post1_impl_(_$valid)

#define _Post_z_bytecount_x_(size)      _Post2_impl_(_$zterm,_$bytecount_x(size)) _Deref_post1_impl_(_$valid)

// e.g. void free( _Post_invalid_ void* pv );

#define _Post_valid_                    _Deref_post1_impl_(_$valid)

#define _Post_invalid_                  _Deref_post1_impl_(_$notvalid)

// e.g. void ThrowExceptionIfNull( _Post_notnull_ const void* pv );

#define _Post_notnull_                  _Post1_impl_(_$notnull)

//

// _Ret_ annotations

//

// describing conditions that hold for return values after the call

// e.g. _Ret_z_ CString::operator const wchar_t*() const throw();

#define _Ret_z_                          _Ret2_impl_(_$notnull,  _$zterm) _Deref_ret1_impl_(_$valid)

#define _Ret_opt_z_                      _Ret2_impl_(_$maybenull,_$zterm) _Deref_ret1_impl_(_$valid)

// e.g. _Ret_opt_bytecap_(cb) void* AllocateMemory( size_t cb );

// Buffer capacity is described by another parameter

#define _Ret_cap_(size)                  _Ret2_impl_(_$notnull,  _$cap(size))

#define _Ret_opt_cap_(size)              _Ret2_impl_(_$maybenull,_$cap(size))

#define _Ret_bytecap_(size)              _Ret2_impl_(_$notnull,  _$bytecap(size))

#define _Ret_opt_bytecap_(size)          _Ret2_impl_(_$maybenull,_$bytecap(size))

// Buffer capacity is described by a constant expression!

#define _Ret_cap_c_(size)                _Ret2_impl_(_$notnull,  _$cap_c(size))

#define _Ret_opt_cap_c_(size)            _Ret2_impl_(_$maybenull,_$cap_c(size))

#define _Ret_bytecap_c_(size)            _Ret2_impl_(_$notnull,  _$bytecap_c(size))

#define _Ret_opt_bytecap_c_(size)        _Ret2_impl_(_$maybenull,_$bytecap_c(size))

// Buffer capacity is described by a complex condition

#define _Ret_cap_x_(size)                _Ret2_impl_(_$notnull,  _$cap_x(size))

#define _Ret_opt_cap_x_(size)            _Ret2_impl_(_$maybenull,_$cap_x(size))

#define _Ret_bytecap_x_(size)            _Ret2_impl_(_$notnull,  _$bytecap_x(size))

#define _Ret_opt_bytecap_x_(size)        _Ret2_impl_(_$maybenull,_$bytecap_x(size))

// return value is nullterminated and capacity is given by another parameter

#define _Ret_z_cap_(size)                _Ret3_impl_(_$notnull,  _$zterm,_$cap(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_opt_z_cap_(size)            _Ret3_impl_(_$maybenull,_$zterm,_$cap(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_z_bytecap_(size)            _Ret3_impl_(_$notnull,  _$zterm,_$bytecap(size)) _Deref_ret1_impl_(_$valid)

#define _Ret_opt_z_bytecap_(size)        _Ret3_impl_(_$maybenull,_$zterm,_$bytecap(size)) _Deref_ret1_impl_(_$valid)

// e.g. _Ret_opt_bytecount_(cb) void* AllocateZeroInitializedMemory( size_t cb );

// Valid Buffer extent is described by another parameter

#define _Ret_count_(size)                _Ret2_impl_(_$notnull,  _$count(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_opt_count_(size)            _Ret2_impl_(_$maybenull,_$count(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_bytecount_(size)            _Ret2_impl_(_$notnull,  _$bytecount(size)) _Deref_ret1_impl_(_$valid)

#define _Ret_opt_bytecount_(size)        _Ret2_impl_(_$maybenull,_$bytecount(size)) _Deref_ret1_impl_(_$valid)

// Valid Buffer extent is described by a constant expression!

#define _Ret_count_c_(size)              _Ret2_impl_(_$notnull,  _$count_c(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_opt_count_c_(size)          _Ret2_impl_(_$maybenull,_$count_c(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_bytecount_c_(size)          _Ret2_impl_(_$notnull,  _$bytecount_c(size)) _Deref_ret1_impl_(_$valid)

#define _Ret_opt_bytecount_c_(size)      _Ret2_impl_(_$maybenull,_$bytecount_c(size)) _Deref_ret1_impl_(_$valid)

// Valid Buffer extent is described by a complex expression!

#define _Ret_count_x_(size)              _Ret2_impl_(_$notnull,  _$count_x(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_opt_count_x_(size)          _Ret2_impl_(_$maybenull,_$count_x(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_bytecount_x_(size)          _Ret2_impl_(_$notnull,  _$bytecount_x(size)) _Deref_ret1_impl_(_$valid)

#define _Ret_opt_bytecount_x_(size)      _Ret2_impl_(_$maybenull,_$bytecount_x(size)) _Deref_ret1_impl_(_$valid)

// return value is nullterminated and length is given by another parameter

#define _Ret_z_count_(size)              _Ret3_impl_(_$notnull,  _$zterm,_$count(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_opt_z_count_(size)          _Ret3_impl_(_$maybenull,_$zterm,_$count(size))     _Deref_ret1_impl_(_$valid)

#define _Ret_z_bytecount_(size)          _Ret3_impl_(_$notnull,  _$zterm,_$bytecount(size)) _Deref_ret1_impl_(_$valid)

#define _Ret_opt_z_bytecount_(size)      _Ret3_impl_(_$maybenull,_$zterm,_$bytecount(size)) _Deref_ret1_impl_(_$valid)

// e.g. _Ret_opt_valid_ LPSTR void* CloneSTR( _Pre_valid_ LPSTR src );

#define _Ret_valid_                      _Ret1_impl_(_$notnull)   _Deref_ret1_impl_(_$valid)

#define _Ret_opt_valid_                  _Ret1_impl_(_$maybenull) _Deref_ret1_impl_(_$valid)

// used with allocated but not yet initialized objects

#define _Ret_notnull_                    _Ret1_impl_(_$notnull)

#define _Ret_maybenull_                  _Ret1_impl_(_$maybenull)

#define _Ret_null_                       _Ret1_impl_(_$null)

//

// _Deref_pre_ ---

//

// describing conditions for array elements of dereferenced pointer parameters that must be met before the call

// e.g. void SaveStringArray( _In_count_(cStrings) _Deref_pre_z_ const wchar_t* const rgpwch[] );

#define _Deref_pre_z_                          _Deref_pre2_impl_(_$notnull,  _$zterm) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_z_                      _Deref_pre2_impl_(_$maybenull,_$zterm) _Deref2_pre1_impl_(_$valid)

// e.g. void FillInArrayOfStr32( _In_count_(cStrings) _Deref_pre_cap_c_(32) _Deref_post_z_ wchar_t* const rgpwch[] );

// buffer capacity is described by another parameter

#define _Deref_pre_cap_(size)                  _Deref_pre2_impl_(_$notnull,  _$cap(size))

#define _Deref_pre_opt_cap_(size)              _Deref_pre2_impl_(_$maybenull,_$cap(size))

#define _Deref_pre_bytecap_(size)              _Deref_pre2_impl_(_$notnull,  _$bytecap(size))

#define _Deref_pre_opt_bytecap_(size)          _Deref_pre2_impl_(_$maybenull,_$bytecap(size))

// buffer capacity is described by a constant expression!

#define _Deref_pre_cap_c_(size)                _Deref_pre2_impl_(_$notnull,  _$cap_c(size))

#define _Deref_pre_opt_cap_c_(size)            _Deref_pre2_impl_(_$maybenull,_$cap_c(size))

#define _Deref_pre_bytecap_c_(size)            _Deref_pre2_impl_(_$notnull,  _$bytecap_c(size))

#define _Deref_pre_opt_bytecap_c_(size)        _Deref_pre2_impl_(_$maybenull,_$bytecap_c(size))

// buffer capacity is described by a complex condition

#define _Deref_pre_cap_x_(size)                _Deref_pre2_impl_(_$notnull,  _$cap_x(size))

#define _Deref_pre_opt_cap_x_(size)            _Deref_pre2_impl_(_$maybenull,_$cap_x(size))

#define _Deref_pre_bytecap_x_(size)            _Deref_pre2_impl_(_$notnull,  _$bytecap_x(size))

#define _Deref_pre_opt_bytecap_x_(size)        _Deref_pre2_impl_(_$maybenull,_$bytecap_x(size))

// convenience macros for nullterminated buffers with given capacity

#define _Deref_pre_z_cap_(size)                _Deref_pre3_impl_(_$notnull,  _$zterm,_$cap(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_z_cap_(size)            _Deref_pre3_impl_(_$maybenull,_$zterm,_$cap(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_z_bytecap_(size)            _Deref_pre3_impl_(_$notnull,  _$zterm,_$bytecap(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_z_bytecap_(size)        _Deref_pre3_impl_(_$maybenull,_$zterm,_$bytecap(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_z_cap_c_(size)              _Deref_pre3_impl_(_$notnull,  _$zterm,_$cap_c(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_z_cap_c_(size)          _Deref_pre3_impl_(_$maybenull,_$zterm,_$cap_c(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_z_bytecap_c_(size)          _Deref_pre3_impl_(_$notnull,  _$zterm,_$bytecap_c(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_z_bytecap_c_(size)      _Deref_pre3_impl_(_$maybenull,_$zterm,_$bytecap_c(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_z_cap_x_(size)              _Deref_pre3_impl_(_$notnull,  _$zterm,_$cap_x(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_z_cap_x_(size)          _Deref_pre3_impl_(_$maybenull,_$zterm,_$cap_x(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_z_bytecap_x_(size)          _Deref_pre3_impl_(_$notnull,  _$zterm,_$bytecap_x(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_z_bytecap_x_(size)      _Deref_pre3_impl_(_$maybenull,_$zterm,_$bytecap_x(size)) _Deref2_pre1_impl_(_$valid)

// known capacity and valid but unknown readable extent

#define _Deref_pre_valid_cap_(size)            _Deref_pre2_impl_(_$notnull,  _$cap(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_valid_cap_(size)        _Deref_pre2_impl_(_$maybenull,_$cap(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_valid_bytecap_(size)        _Deref_pre2_impl_(_$notnull,  _$bytecap(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_valid_bytecap_(size)    _Deref_pre2_impl_(_$maybenull,_$bytecap(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_valid_cap_c_(size)          _Deref_pre2_impl_(_$notnull,  _$cap_c(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_valid_cap_c_(size)      _Deref_pre2_impl_(_$maybenull,_$cap_c(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_valid_bytecap_c_(size)      _Deref_pre2_impl_(_$notnull,  _$bytecap_c(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_valid_bytecap_c_(size)  _Deref_pre2_impl_(_$maybenull,_$bytecap_c(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_valid_cap_x_(size)          _Deref_pre2_impl_(_$notnull,  _$cap_x(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_valid_cap_x_(size)      _Deref_pre2_impl_(_$maybenull,_$cap_x(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_valid_bytecap_x_(size)      _Deref_pre2_impl_(_$notnull,  _$bytecap_x(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_valid_bytecap_x_(size)  _Deref_pre2_impl_(_$maybenull,_$bytecap_x(size)) _Deref2_pre1_impl_(_$valid)

// e.g. void SaveMatrix( _In_count_(n) _Deref_pre_count_(n) const Elem** matrix, size_t n ); 

// valid buffer extent is described by another parameter

#define _Deref_pre_count_(size)                _Deref_pre2_impl_(_$notnull,  _$count(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_count_(size)            _Deref_pre2_impl_(_$maybenull,_$count(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_bytecount_(size)            _Deref_pre2_impl_(_$notnull,  _$bytecount(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_bytecount_(size)        _Deref_pre2_impl_(_$maybenull,_$bytecount(size)) _Deref2_pre1_impl_(_$valid)

// valid buffer extent is described by a constant expression!

#define _Deref_pre_count_c_(size)              _Deref_pre2_impl_(_$notnull,  _$count_c(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_count_c_(size)          _Deref_pre2_impl_(_$maybenull,_$count_c(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_bytecount_c_(size)          _Deref_pre2_impl_(_$notnull,  _$bytecount_c(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_bytecount_c_(size)      _Deref_pre2_impl_(_$maybenull,_$bytecount_c(size)) _Deref2_pre1_impl_(_$valid)

// valid buffer extent is described by a complex expression!

#define _Deref_pre_count_x_(size)              _Deref_pre2_impl_(_$notnull,  _$count_x(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_count_x_(size)          _Deref_pre2_impl_(_$maybenull,_$count_x(size))     _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_bytecount_x_(size)          _Deref_pre2_impl_(_$notnull,  _$bytecount_x(size)) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_bytecount_x_(size)      _Deref_pre2_impl_(_$maybenull,_$bytecount_x(size)) _Deref2_pre1_impl_(_$valid)

// e.g. void PrintStringArray( _In_count_(cElems) _Deref_pre_valid_ LPCSTR rgStr[], size_t cElems );

#define _Deref_pre_valid_                      _Deref_pre1_impl_(_$notnull)   _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_opt_valid_                  _Deref_pre1_impl_(_$maybenull) _Deref2_pre1_impl_(_$valid)

#define _Deref_pre_invalid_                    _Deref2_pre1_impl_(_$notvalid)

#define _Deref_pre_notnull_                    _Deref_pre1_impl_(_$notnull)

#define _Deref_pre_maybenull_                  _Deref_pre1_impl_(_$maybenull)

#define _Deref_pre_null_                       _Deref_pre1_impl_(_$null)

// restrict access rights

#define _Deref_pre_readonly_                   _Deref_pre1_impl_(_$readaccess)

#define _Deref_pre_writeonly_                  _Deref_pre1_impl_(_$writeaccess)

//

// _Deref_post_ ---

//

// describing conditions for array elements or dereferenced pointer parameters that hold after the call

// e.g. void CloneString( _In_z_ const Wchar_t* wzIn _Out_ _Deref_post_z_ wchar_t** pWzOut );

#define _Deref_post_z_                          _Deref_post2_impl_(_$notnull,  _$zterm) _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_z_                      _Deref_post2_impl_(_$maybenull,_$zterm) _Deref2_post1_impl_(_$valid)

// e.g. HRESULT HrAllocateMemory( size_t cb, _Out_ _Deref_post_bytecap_(cb) void** ppv );

// buffer capacity is described by another parameter

#define _Deref_post_cap_(size)                  _Deref_post2_impl_(_$notnull,  _$cap(size))

#define _Deref_post_opt_cap_(size)              _Deref_post2_impl_(_$maybenull,_$cap(size))

#define _Deref_post_bytecap_(size)              _Deref_post2_impl_(_$notnull,  _$bytecap(size))

#define _Deref_post_opt_bytecap_(size)          _Deref_post2_impl_(_$maybenull,_$bytecap(size))

// buffer capacity is described by a constant expression!

#define _Deref_post_cap_c_(size)                _Deref_post2_impl_(_$notnull,  _$cap_z(size))

#define _Deref_post_opt_cap_c_(size)            _Deref_post2_impl_(_$maybenull,_$cap_z(size))

#define _Deref_post_bytecap_c_(size)            _Deref_post2_impl_(_$notnull,  _$bytecap_z(size))

#define _Deref_post_opt_bytecap_c_(size)        _Deref_post2_impl_(_$maybenull,_$bytecap_z(size))

// buffer capacity is described by a complex expression!

#define _Deref_post_cap_x_(size)                _Deref_post2_impl_(_$notnull,  _$cap_x(size))

#define _Deref_post_opt_cap_x_(size)            _Deref_post2_impl_(_$maybenull,_$cap_x(size))

#define _Deref_post_bytecap_x_(size)            _Deref_post2_impl_(_$notnull,  _$bytecap_x(size))

#define _Deref_post_opt_bytecap_x_(size)        _Deref_post2_impl_(_$maybenull,_$bytecap_x(size))

// convenience macros for nullterminated buffers with given capacity

#define _Deref_post_z_cap_(size)                _Deref_post3_impl_(_$notnull,  _$zterm,_$cap(size))       _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_z_cap_(size)            _Deref_post3_impl_(_$maybenull,_$zterm,_$cap(size))       _Deref2_post1_impl_(_$valid)

#define _Deref_post_z_bytecap_(size)            _Deref_post3_impl_(_$notnull,  _$zterm,_$bytecap(size))   _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_z_bytecap_(size)        _Deref_post3_impl_(_$maybenull,_$zterm,_$bytecap(size))   _Deref2_post1_impl_(_$valid)

#define _Deref_post_z_cap_c_(size)              _Deref_post3_impl_(_$notnull,  _$zterm,_$cap_c(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_z_cap_c_(size)          _Deref_post3_impl_(_$maybenull,_$zterm,_$cap_c(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_z_bytecap_c_(size)          _Deref_post3_impl_(_$notnull,  _$zterm,_$bytecap_c(size)) _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_z_bytecap_c_(size)      _Deref_post3_impl_(_$maybenull,_$zterm,_$bytecap_c(size)) _Deref2_post1_impl_(_$valid)

#define _Deref_post_z_cap_x_(size)              _Deref_post3_impl_(_$notnull,  _$zterm,_$cap_x(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_z_cap_x_(size)          _Deref_post3_impl_(_$maybenull,_$zterm,_$cap_x(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_z_bytecap_x_(size)          _Deref_post3_impl_(_$notnull,  _$zterm,_$bytecap_x(size)) _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_z_bytecap_x_(size)      _Deref_post3_impl_(_$maybenull,_$zterm,_$bytecap_x(size)) _Deref2_post1_impl_(_$valid)

// known capacity and valid but unknown readable extent

#define _Deref_post_valid_cap_(size)            _Deref_post2_impl_(_$notnull,  _$cap(size))       _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_valid_cap_(size)        _Deref_post2_impl_(_$maybenull,_$cap(size))       _Deref2_post1_impl_(_$valid)

#define _Deref_post_valid_bytecap_(size)        _Deref_post2_impl_(_$notnull,  _$bytecap(size))   _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_valid_bytecap_(size)    _Deref_post2_impl_(_$maybenull,_$bytecap(size))   _Deref2_post1_impl_(_$valid)

                                                

#define _Deref_post_valid_cap_c_(size)          _Deref_post2_impl_(_$notnull,  _$cap_c(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_valid_cap_c_(size)      _Deref_post2_impl_(_$maybenull,_$cap_c(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_valid_bytecap_c_(size)      _Deref_post2_impl_(_$notnull,  _$bytecap_c(size)) _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_valid_bytecap_c_(size)  _Deref_post2_impl_(_$maybenull,_$bytecap_c(size)) _Deref2_post1_impl_(_$valid)

                                                

#define _Deref_post_valid_cap_x_(size)          _Deref_post2_impl_(_$notnull,  _$cap_x(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_valid_cap_x_(size)      _Deref_post2_impl_(_$maybenull,_$cap_x(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_valid_bytecap_x_(size)      _Deref_post2_impl_(_$notnull,  _$bytecap_x(size)) _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_valid_bytecap_x_(size)  _Deref_post2_impl_(_$maybenull,_$bytecap_x(size)) _Deref2_post1_impl_(_$valid)

// e.g. HRESULT HrAllocateZeroInitializedMemory( size_t cb, _Out_ _Deref_post_bytecount_(cb) void** ppv );

// valid buffer extent is described by another parameter

#define _Deref_post_count_(size)                _Deref_post2_impl_(_$notnull,  _$count(size))       _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_count_(size)            _Deref_post2_impl_(_$maybenull,_$count(size))       _Deref2_post1_impl_(_$valid)

#define _Deref_post_bytecount_(size)            _Deref_post2_impl_(_$notnull,  _$bytecount(size))   _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_bytecount_(size)        _Deref_post2_impl_(_$maybenull,_$bytecount(size))   _Deref2_post1_impl_(_$valid)

// buffer capacity is described by a constant expression!

#define _Deref_post_count_c_(size)              _Deref_post2_impl_(_$notnull,  _$count_c(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_count_c_(size)          _Deref_post2_impl_(_$maybenull,_$count_c(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_bytecount_c_(size)          _Deref_post2_impl_(_$notnull,  _$bytecount_c(size)) _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_bytecount_c_(size)      _Deref_post2_impl_(_$maybenull,_$bytecount_c(size)) _Deref2_post1_impl_(_$valid)

// buffer capacity is described by a complex expression!

#define _Deref_post_count_x_(size)              _Deref_post2_impl_(_$notnull,  _$count_x(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_count_x_(size)          _Deref_post2_impl_(_$maybenull,_$count_x(size))     _Deref2_post1_impl_(_$valid)

#define _Deref_post_bytecount_x_(size)          _Deref_post2_impl_(_$notnull,  _$bytecount_x(size)) _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_bytecount_x_(size)      _Deref_post2_impl_(_$maybenull,_$bytecount_x(size)) _Deref2_post1_impl_(_$valid)

// e.g. void GetStrings( _Out_count_(cElems) _Deref_post_valid_ LPSTR const rgStr[], size_t cElems );

#define _Deref_post_valid_                      _Deref_post1_impl_(_$notnull)   _Deref2_post1_impl_(_$valid)

#define _Deref_post_opt_valid_                  _Deref_post1_impl_(_$maybenull) _Deref2_post1_impl_(_$valid)

#define _Deref_post_notnull_                    _Deref_post1_impl_(_$notnull)

#define _Deref_post_maybenull_                  _Deref_post1_impl_(_$maybenull)

#define _Deref_post_null_                       _Deref_post1_impl_(_$null)

//

// _Deref_ret_ ---

//

#define _Deref_ret_z_                           _Deref_ret2_impl_(_$notnull,  _$zterm)

#define _Deref_ret_opt_z_                       _Deref_ret2_impl_(_$maybenull,_$zterm)

//

// special _Deref_ ---

//

#define _Deref2_pre_readonly_                   _Deref2_pre1_impl_(_$readaccess)

// Convenience macros for more concise annotations

//

// _Pre_post ---

//

// describing conditions that hold before and after the function call

#define _Prepost_z_                      _Pre_z_      _Post_z_

#define _Prepost_opt_z_                  _Pre_opt_z_  _Post_z_

#define _Prepost_count_(size)           _Pre_count_(size)           _Post_count_(size)

#define _Prepost_opt_count_(size)       _Pre_opt_count_(size)       _Post_count_(size)

#define _Prepost_bytecount_(size)       _Pre_bytecount_(size)       _Post_bytecount_(size)

#define _Prepost_opt_bytecount_(size)   _Pre_opt_bytecount_(size)   _Post_bytecount_(size)

#define _Prepost_count_c_(size)         _Pre_count_c_(size)         _Post_count_c_(size)

#define _Prepost_opt_count_c_(size)     _Pre_opt_count_c_(size)     _Post_count_c_(size)

#define _Prepost_bytecount_c_(size)     _Pre_bytecount_c_(size)     _Post_bytecount_c_(size)

#define _Prepost_opt_bytecount_c_(size) _Pre_opt_bytecount_c_(size) _Post_bytecount_c_(size)

#define _Prepost_count_x_(size)         _Pre_count_x_(size)         _Post_count_x_(size)

#define _Prepost_opt_count_x_(size)     _Pre_opt_count_x_(size)     _Post_count_x_(size)

#define _Prepost_bytecount_x_(size)     _Pre_bytecount_x_(size)     _Post_bytecount_x_(size)

#define _Prepost_opt_bytecount_x_(size) _Pre_opt_bytecount_x_(size) _Post_bytecount_x_(size)

#define _Prepost_valid_                  _Pre_valid_     _Post_valid_

#define _Prepost_opt_valid_              _Pre_opt_valid_ _Post_valid_

//

// _Deref_<both> ---

//

// short version for _Deref_pre_<ann> _Deref_post_<ann>

// describing conditions for array elements or dereferenced pointer parameters that hold before and after the call

#define _Deref_prepost_z_                        _Deref_pre_z_      _Deref_post_z_

#define _Deref_prepost_opt_z_                    _Deref_pre_opt_z_  _Deref_post_opt_z_

#define _Deref_prepost_cap_(size)                _Deref_pre_cap_(size)                _Deref_post_cap_(size)

#define _Deref_prepost_opt_cap_(size)            _Deref_pre_opt_cap_(size)            _Deref_post_opt_cap_(size)

#define _Deref_prepost_bytecap_(size)            _Deref_pre_bytecap_(size)            _Deref_post_bytecap_(size)

#define _Deref_prepost_opt_bytecap_(size)        _Deref_pre_opt_bytecap_(size)        _Deref_post_opt_bytecap_(size)

#define _Deref_prepost_cap_x_(size)              _Deref_pre_cap_x_(size)              _Deref_post_cap_x_(size)             

#define _Deref_prepost_opt_cap_x_(size)          _Deref_pre_opt_cap_x_(size)          _Deref_post_opt_cap_x_(size)         

#define _Deref_prepost_bytecap_x_(size)          _Deref_pre_bytecap_x_(size)          _Deref_post_bytecap_x_(size)             

#define _Deref_prepost_opt_bytecap_x_(size)      _Deref_pre_opt_bytecap_x_(size)      _Deref_post_opt_bytecap_x_(size)         

#define _Deref_prepost_z_cap_(size)              _Deref_pre_z_cap_(size)              _Deref_post_z_cap_(size)             

#define _Deref_prepost_opt_z_cap_(size)          _Deref_pre_opt_z_cap_(size)          _Deref_post_opt_z_cap_(size)         

#define _Deref_prepost_z_bytecap_(size)          _Deref_pre_z_bytecap_(size)          _Deref_post_z_bytecap_(size)         

#define _Deref_prepost_opt_z_bytecap_(size)      _Deref_pre_opt_z_bytecap_(size)      _Deref_post_opt_z_bytecap_(size)     

#define _Deref_prepost_valid_cap_(size)          _Deref_pre_valid_cap_(size)          _Deref_post_valid_cap_(size)             

#define _Deref_prepost_opt_valid_cap_(size)      _Deref_pre_opt_valid_cap_(size)      _Deref_post_opt_valid_cap_(size)         

#define _Deref_prepost_valid_bytecap_(size)      _Deref_pre_valid_bytecap_(size)      _Deref_post_valid_bytecap_(size)         

#define _Deref_prepost_opt_valid_bytecap_(size)  _Deref_pre_opt_valid_bytecap_(size)  _Deref_post_opt_valid_bytecap_(size)     

#define _Deref_prepost_valid_cap_x_(size)          _Deref_pre_valid_cap_x_(size)          _Deref_post_valid_cap_x_(size)             

#define _Deref_prepost_opt_valid_cap_x_(size)      _Deref_pre_opt_valid_cap_x_(size)      _Deref_post_opt_valid_cap_x_(size)         

#define _Deref_prepost_valid_bytecap_x_(size)      _Deref_pre_valid_bytecap_x_(size)      _Deref_post_valid_bytecap_x_(size)         

#define _Deref_prepost_opt_valid_bytecap_x_(size)  _Deref_pre_opt_valid_bytecap_x_(size)  _Deref_post_opt_valid_bytecap_x_(size)     

#define _Deref_prepost_count_(size)            _Deref_pre_count_(size)            _Deref_post_count_(size)

#define _Deref_prepost_opt_count_(size)        _Deref_pre_opt_count_(size)        _Deref_post_opt_count_(size)

#define _Deref_prepost_bytecount_(size)        _Deref_pre_bytecount_(size)        _Deref_post_bytecount_(size)

#define _Deref_prepost_opt_bytecount_(size)    _Deref_pre_opt_bytecount_(size)    _Deref_post_opt_bytecount_(size)

#define _Deref_prepost_count_x_(size)          _Deref_pre_count_x_(size)          _Deref_post_count_x_(size)

#define _Deref_prepost_opt_count_x_(size)      _Deref_pre_opt_count_x_(size)      _Deref_post_opt_count_x_(size)

#define _Deref_prepost_bytecount_x_(size)      _Deref_pre_bytecount_x_(size)      _Deref_post_bytecount_x_(size)

#define _Deref_prepost_opt_bytecount_x_(size)  _Deref_pre_opt_bytecount_x_(size)  _Deref_post_opt_bytecount_x_(size)

#define _Deref_prepost_valid_                   _Deref_pre_valid_     _Deref_post_valid_

#define _Deref_prepost_opt_valid_               _Deref_pre_opt_valid_ _Deref_post_opt_valid_

//

// _Deref_<miscellaneous>

//

// used with references to arrays

#define _Deref_out_z_cap_c_(size) _Deref_pre_cap_c_(size) _Deref_pre_invalid_ _Deref_post_z_

#define _Deref_inout_z_cap_c_(size) _Deref_pre_z_cap_c_(size) _Deref_post_z_

#define _Deref_out_z_bytecap_c_(size) _Deref_pre_bytecap_c_(size) _Deref_pre_invalid_ _Deref_post_z_

#define _Deref_inout_z_bytecap_c_(size) _Deref_pre_z_bytecap_c_(size) _Deref_post_z_

#define _Deref_inout_z_ _Deref_prepost_z_

//============================================================================

//   Implementation Layer:

//============================================================================

#if _USE_ATTRIBUTES_FOR_SAL

#include "codeanalysis\sourceannotations.h"

#define _Check_return_impl_ [returnvalue:SA_Post(MustCheck=SA_Yes)]

#define _Success_impl_(expr) [SA_Success(Condition=#expr)]

#define _Printf_format_string_impl_   [SA_FormatString(Style="printf")]

#define _Scanf_format_string_impl_    [SA_FormatString(Style="scanf")]

#define _Scanf_s_format_string_impl_  [SA_FormatString(Style="scanf_s")]

#define _In_bound_impl_           [SA_PreBound(Deref=0)]

#define _Out_bound_impl_          [SA_PostBound(Deref=0)]

#define _Ret_bound_impl_          [returnvalue:SA_PostBound(Deref=0)]

#define _Deref_in_bound_impl_     [SA_PreBound(Deref=1)]

#define _Deref_out_bound_impl_    [SA_PostBound(Deref=1)]

#define _Deref_ret_bound_impl_    [returnvalue:SA_PostBound(Deref=1)]

#define _In_range_impl_(min,max)        [SA_PreRange(MinVal=#min,MaxVal=#max)]

#define _Out_range_impl_(min,max)       [SA_PostRange(MinVal=#min,MaxVal=#max)]

#define _Ret_range_impl_(min,max)       [returnvalue:SA_PostRange(MinVal=#min,MaxVal=#max)]

#define _Deref_in_range_impl_(min,max)  [SA_PreRange(Deref=1,MinVal=#min,MaxVal=#max)]

#define _Deref_out_range_impl_(min,max) [SA_PostRange(Deref=1,MinVal=#min,MaxVal=#max)]

#define _Deref_ret_range_impl_(min,max) [returnvalue:SA_PostRange(Deref=1,MinVal=#min,MaxVal=#max)]

#define _$valid       Valid=SA_Yes

#define _$maybeval!id  Valid=SA_Maybe

#define _$notvalid    Valid=SA_No

#define _$null        Null=SA_Yes

#define _$maybenull   Null=SA_Maybe

#define _$notnull     Null=SA_No

#define _$zterm       NullTerminated=SA_Yes

#define _$maybezterm  NullTerminated=SA_Maybe

#define _$notzterm    NullTerminated=SA_No

#define _$readaccess  Access=SA_Read

#define _$writeaccess Access=SA_Write

#define _$cap(size)      WritableElements=#size

#define _$cap_c(size)    WritableElementsConst=size

#define _$cap_for(param) WritableElementsLength=#param

#define _$cap_x(size)    WritableElements="\n@"#size

#define _$bytecap(size)   WritableBytes=#size

#define _$bytecap_c(size) WritableBytesConst=size

#define _$bytecap_x(size) WritableBytes="\n@"#size

#define _$mult(mult,size) ElementSizeConst=mult,_$cap(size)

#define _$count(size)   ValidElements=#size

#define _$count_c(size) ValidElementsConst=size

#define _$count_x(size) ValidElements="\n@"#size

#define _$bytecount(size)   ValidBytes=#size

#define _$bytecount_c(size) ValidBytesConst=size

#define _$bytecount_x(size) ValidBytes="\n@"#size

#define _Pre1_impl_(p1)                    [SA_Pre(p1)]

#define _Pre2_impl_(p1,p2)                 [SA_Pre(p1,p2)]

#define _Pre3_impl_(p1,p2,p3)              [SA_Pre(p1,p2,p3)]

#define _Post1_impl_(p1)                   [SA_Post(p1)]

#define _Post2_impl_(p1,p2)                [SA_Post(p1,p2)]

#define _Post3_impl_(p1,p2,p3)             [SA_Post(p1,p2,p3)]

#define _Ret1_impl_(p1)                    [returnvalue:SA_Post(p1)]

#define _Ret2_impl_(p1,p2)                 [returnvalue:SA_Post(p1,p2)]

#define _Ret3_impl_(p1,p2,p3)              [returnvalue:SA_Post(p1,p2,p3)]

#define _Deref_pre1_impl_(p1)              [SA_Pre(Deref=1,p1)]

#define _Deref_pre2_impl_(p1,p2)           [SA_Pre(Deref=1,p1,p2)]

#define _Deref_pre3_impl_(p1,p2,p3)        [SA_Pre(Deref=1,p1,p2,p3)]

#define _Deref_post1_impl_(p1)             [SA_Post(Deref=1,p1)]

#define _Deref_post2_impl_(p1,p2)          [SA_Post(Deref=1,p1,p2)]

#define _Deref_post3_impl_(p1,p2,p3)       [SA_Post(Deref=1,p1,p2,p3)]

#define _Deref_ret1_impl_(p1)              [returnvalue:SA_Post(Deref=1,p1)]

#define _Deref_ret2_impl_(p1,p2)           [returnvalue:SA_Post(Deref=1,p1,p2)]

#define _Deref_ret3_impl_(p1,p2,p3)        [returnvalue:SA_Post(Deref=1,p1,p2,p3)]

#define _Deref2_pre1_impl_(p1)             [SA_Pre(Deref=2,p1)]

#define _Deref2_post1_impl_(p1)            [SA_Post(Deref=2,p1)]

#define _Deref2_ret1_impl_(p1)             [returnvalue:SA_Post(Deref=2,p1)]

#elif _USE_DECLSPECS_FOR_SAL

#define _$SPECSTRIZE( x ) #x

#define _Check_return_impl_ __declspec("SAL_checkReturn")

#define _Success_impl_(expr) __declspec("SAL_success("_$SPECSTRIZE(expr)")")

#define _Printf_format_string_impl_

#define _Scanf_format_string_impl_

#define _Scanf_s_format_string_impl_

#define _In_bound_impl_           _$pre _$bound

#define _Out_bound_impl_          _$post _$bound

#define _Ret_bound_impl_          _$post _$bound

#define _Deref_in_bound_impl_     _$derefpre _$bound

#define _Deref_out_bound_impl_    _$derefpost _$bound

#define _Deref_ret_bound_impl_    _$derefpost bound

#define _In_range_impl_(min,max)        _$pre _$range(min,max)

#define _Out_range_impl_(min,max)       _$post _$range(min,max)

#define _Ret_range_impl_(min,max)       _$post _$range(min,max)

#define _Deref_in_range_impl_(min,max)  _$derefpre _$range(min,max)

#define _Deref_out_range_impl_(min,max) _$derefpost _$range(min,max)

#define _Deref_ret_range_impl_(min,max) _$derefpost _$range(min,max)

#define _$valid             __declspec("SAL_valid")

#define _$maybeval!id        __declspec("SAL_maybeval!id")

#define _$notvalid          __declspec("SAL_notvalid")

#define _$null              __declspec("SAL_null")

#define _$maybenull         __declspec("SAL_maybenull")

#define _$notnull           __declspec("SAL_notnull")

#define _$zterm             __declspec("SAL_readableTo(sentinel(0))")

#define _$maybezterm

#define _$notzterm

#define _$readaccess        __declspec("SAL_readonly")

#define _$writeaccess       __declspec("SAL_notreadonly")

#define _$cap(size)         __declspec("SAL_writableTo(elementCount("_$SPECSTRIZE(size)"))")

#define _$cap_c(size)       __declspec("SAL_writableTo(elementCount("_$SPECSTRIZE(size)"))")

#define _$cap_for(param)    __declspec("SAL_writableTo(needsCountFor("_$SPECSTRIZE(param)"))")

#define _$cap_x(size)       __declspec("SAL_writableTo(inexpressibleCount('"_$SPECSTRIZE(size)"'))")

#define _$bytecap(size)     __declspec("SAL_writableTo(byteCount("_$SPECSTRIZE(size)"))")

#define _$bytecap_c(size)   __declspec("SAL_writableTo(byteCount("_$SPECSTRIZE(size)"))")

#define _$bytecap_x(size)   __declspec("SAL_writableTo(inexpressibleCount('"_$SPECSTRIZE(size)"'))")

#define _$mult(mult,size)   __declspec("SAL_writableTo(inexpressibleCount("_$SPECSTRIZE(mult)"*"_$SPECSTRIZE(size)"))")

#define _$count(size)       __declspec("SAL_readableTo(elementCount("_$SPECSTRIZE(size)"))")

#define _$count_c(size)     __declspec("SAL_readableTo(elementCount("_$SPECSTRIZE(size)"))")

#define _$count_x(size)     __declspec("SAL_readableTo(inexpressibleCount('"_$SPECSTRIZE(size)"'))")

#define _$bytecount(size)   __declspec("SAL_readableTo(byteCount("_$SPECSTRIZE(size)"))")

#define _$bytecount_c(size) __declspec("SAL_readableTo(byteCount("_$SPECSTRIZE(size)"))")

#define _$bytecount_x(size) __declspec("SAL_readableTo(inexpressibleCount('"_$SPECSTRIZE(size)"'))")

#define _$pre        __declspec("SAL_pre")

#define _$post       __declspec("SAL_post")

#define _$deref_pre  __declspec("SAL_pre")  __declspec("SAL_deref")

#define _$deref_post __declspec("SAL_post") __declspec("SAL_deref")

#define _$bound          __declspec("SAL_bound")

#define _$range(min,max) __declspec("SAL_range("_$SPECSTRIZE(min)","_$SPECSTRIZE(max)")")

#define _Pre1_impl_(p1)                    _$pre p1

#define _Pre2_impl_(p1,p2)                 _$pre p1 _$pre p2

#define _Pre3_impl_(p1,p2,p3)              _$pre p1 _$pre p2 _$pre p3

#define _Post1_impl_(p1)                   _$post p1

#define _Post2_impl_(p1,p2)                _$post p1 _$post p2

#define _Post3_impl_(p1,p2,p3)             _$post p1 _$post p2 _$post p3

#define _Ret1_impl_(p1)                    _$post p1

#define _Ret2_impl_(p1,p2)                 _$post p1 _$post p2

#define _Ret3_impl_(p1,p2,p3)              _$post p1 _$post p2 _$post p3

#define _Deref_pre1_impl_(p1)              _$deref_pre p1

#define _Deref_pre2_impl_(p1,p2)           _$deref_pre p1 _$deref_pre p2

#define _Deref_pre3_impl_(p1,p2,p3)        _$deref_pre p1 _$deref_pre p2 _$deref_pre p3

#define _Deref_post1_impl_(p1)             _$deref_post p1

#define _Deref_post2_impl_(p1,p2)          _$deref_post p1 _$deref_post p2

#define _Deref_post3_impl_(p1,p2,p3)       _$deref_post p1 _$deref_post p2 _$deref_post p3

#define _Deref_ret1_impl_(p1)              _$deref_post p1

#define _Deref_ret2_impl_(p1,p2)           _$deref_post p1 _$deref_post p2

#define _Deref_ret3_impl_(p1,p2,p3)        _$deref_post p1 _$deref_post p2 _$deref_post p3

#define _Deref2_pre1_impl_(p1)             _$deref_pre __declspec("SAL_deref") p1

#define _Deref2_post1_impl_(p1)            _$deref_post __declspec("SAL_deref") p1

#define _Deref2_ret1_impl_(p1)             _$deref_post __declspec("SAL_deref") p1

#elif defined(_MSC_EXTENSIONS) && !defined( MIDL_PASS ) && !defined(__midl) && !defined(RC_INVOKED) && defined(_PFT_VER) && _MSC_VER >= 1400

// minimum attribute expansion for foreground build

#pragma push_macro( "SA" )

#pragma push_macro( "REPEATABLE" )

#ifdef __cplusplus

#define SA( id ) id

#define REPEATABLE [repeatable]

#else  // !__cplusplus

#define SA( id ) SA_##id

#define REPEATABLE

#endif  // !__cplusplus

REPEATABLE

[source_annotation_attribute( SA( Parameter ) )]

struct _$P

{

#ifdef __cplusplus

_$P();

#endif

   int _$d;

};

typedef struct _$P _$P;

REPEATABLE

[source_annotation_attribute( SA( ReturnValue ) )]

struct _$R

{

#ifdef __cplusplus

_$R();

#endif

   int _$d;

};

typedef struct _$R _$R;

[source_annotation_attribute( SA( Method ) )]

struct _$M

{

#ifdef __cplusplus

_$M();

#endif

   int _$d;

};

typedef struct _$M _$M;

#pragma pop_macro( "REPEATABLE" )

#pragma pop_macro( "SA" )

#define _Check_return_impl_ [returnvalue:_$R(_$d=0)]

#define _Success_impl_(expr) [_$M(_$d=0)]

#define _Printf_format_string_impl_   [_$P(_$d=0)]

#define _Scanf_format_string_impl_    [_$P(_$d=0)]

#define _Scanf_s_format_string_impl_  [_$P(_$d=0)]

#define _In_bound_impl_           [_$P(_$d=0)]

#define _Out_bound_impl_          [_$P(_$d=0)]

#define _Ret_bound_impl_          [returnvalue:_$R(_$d=0)]

#define _Deref_in_bound_impl_     [_$P(_$d=0)]

#define _Deref_out_bound_impl_    [_$P(_$d=0)]

#define _Deref_ret_bound_impl_    [returnvalue:_$R(_$d=0)]

#define _In_range_impl_(min,max)        [_$P(_$d=0)]

#define _Out_range_impl_(min,max)       [_$P(_$d=0)]

#define _Ret_range_impl_(min,max)       [returnvalue:_$R(_$d=0)]

#define _Deref_in_range_impl_(min,max)  [_$P(_$d=0)]

#define _Deref_out_range_impl_(min,max) [_$P(_$d=0)]

#define _Deref_ret_range_impl_(min,max) [returnvalue:_$R(_$d=0)]

#define _Pre1_impl_(p1)          [_$P(_$d=0)]

#define _Pre2_impl_(p1,p2)       [_$P(_$d=0)]

#define _Pre3_impl_(p1,p2,p3)    [_$P(_$d=0)]

#define _Post1_impl_(p1)         [_$P(_$d=0)]

#define _Post2_impl_(p1,p2)      [_$P(_$d=0)]

#define _Post3_impl_(p1,p2,p3)   [_$P(_$d=0)]

#define _Ret1_impl_(p1)          [returnvalue:_$R(_$d=0)]

#define _Ret2_impl_(p1,p2)       [returnvalue:_$R(_$d=0)]

#define _Ret3_impl_(p1,p2,p3)    [returnvalue:_$R(_$d=0)]

#define _Deref_pre1_impl_(p1)        [_$P(_$d=0)]

#define _Deref_pre2_impl_(p1,p2)     [_$P(_$d=0)]

#define _Deref_pre3_impl_(p1,p2,p3)  [_$P(_$d=0)]

#define _Deref_post1_impl_(p1)       [_$P(_$d=0)]

#define _Deref_post2_impl_(p1,p2)    [_$P(_$d=0)]

#define _Deref_post3_impl_(p1,p2,p3) [_$P(_$d=0)]

#define _Deref_ret1_impl_(p1)        [returnvalue:_$R(_$d=0)]

#define _Deref_ret2_impl_(p1,p2)     [returnvalue:_$R(_$d=0)]

#define _Deref_ret3_impl_(p1,p2,p3)  [returnvalue:_$R(_$d=0)]

#define _Deref2_pre1_impl_(p1)       //[_$P(_$d=0)]

#define _Deref2_post1_impl_(p1)      //[_$P(_$d=0)]

#define _Deref2_ret1_impl_(p1)       //[_$P(_$d=0)]

#else

#define _Check_return_impl_

#define _Success_impl_(expr)

#define _Printf_format_string_impl_

#define _Scanf_format_string_impl_

#define _Scanf_s_format_string_impl_

#define _In_bound_impl_

#define _Out_bound_impl_

#define _Ret_bound_impl_

#define _Deref_in_bound_impl_

#define _Deref_out_bound_impl_

#define _Deref_ret_bound_impl_

#define _In_range_impl_(min,max)

#define _Out_range_impl_(min,max)

#define _Ret_range_impl_(min,max)

#define _Deref_in_range_impl_(min,max)

#define _Deref_out_range_impl_(min,max)

#define _Deref_ret_range_impl_(min,max)

#define _Pre1_impl_(p1)

#define _Pre2_impl_(p1,p2)

#define _Pre3_impl_(p1,p2,p3)

#define _Post1_impl_(p1)       

#define _Post2_impl_(p1,p2)

#define _Post3_impl_(p1,p2,p3)

#define _Ret1_impl_(p1)      

#define _Ret2_impl_(p1,p2)

#define _Ret3_impl_(p1,p2,p3)

#define _Deref_pre1_impl_(p1)       

#define _Deref_pre2_impl_(p1,p2)

#define _Deref_pre3_impl_(p1,p2,p3)

#define _Deref_post1_impl_(p1)

#define _Deref_post2_impl_(p1,p2)

#define _Deref_post3_impl_(p1,p2,p3)

#define _Deref_ret1_impl_(p1)

#define _Deref_ret2_impl_(p1,p2)

#define _Deref_ret3_impl_(p1,p2,p3)

#define _Deref2_pre1_impl_(p1)

#define _Deref2_post1_impl_(p1)

#define _Deref2_ret1_impl_(p1)

#endif

// This section contains the deprecated annotations

/* 

 -------------------------------------------------------------------------------

 Introduction

 sal.h provides a set of annotations to describe how a function uses its

 parameters - the assumptions it makes about them, and the guarantees it makes

 upon finishing.

 Annotations may be placed before either a function parameter's type or its return

 type, and describe the function's behavior regarding the parameter or return value.

 There are two classes of annotations: buffer annotations and advanced annotations.

 Buffer annotations describe how functions use their pointer parameters, and

 advanced annotations either describe complex/unusual buffer behavior, or provide

 additional information about a parameter that is not otherwise expressible.

 -------------------------------------------------------------------------------

 Buffer Annotations

 The most important annotations in sal.h provide a consistent way to annotate

 buffer parameters or return values for a function. Each of these annotations describes

 a single buffer (which could be a string, a fixed-length or variable-length array,

 or just a pointer) that the function interacts with: where it is, how large it is,

 how much is initialized, and what the function does with it.

 The appropriate macro for a given buffer can be constructed using the table below.

 Just pick the appropriate values from each category, and combine them together

 with a leading underscore. Some combinations of values do not make sense as buffer

 annotations. Only meaningful annotations can be added to your code; for a list of

 these, see the buffer annotation definitions section.

 Only a single buffer annotation should be used for each parameter.

 |------------|------------|---------|--------|----------|----------|---------------|

 |   Level    |   Usage    |  Size   | Output | NullTerm | Optional |  Parameters   |

 |------------|------------|---------|--------|----------|----------|---------------|

 | <>         | <>         | <>      | <>     | _z       | <>       | <>            |

 | _deref     | _in        | _ecount | _full  | _nz      | _opt     | (size)        |

 | _deref_opt | _out       | _bcount | _part  |          |          | (size,length) |

 |            | _inout     |         |        |          |          |               |

 |            |            |         |        |          |          |               |

 |------------|------------|---------|--------|----------|----------|---------------|

 Level: Describes the buffer pointer's level of indirection from the parameter or

          return value 'p'.

 <>         : p is the buffer pointer.

 _deref     : *p is the buffer pointer. p must not be NULL.

 _deref_opt : *p may be the buffer pointer. p may be NULL, in which case the rest of

                the annotation is ignored.

 Usage: Describes how the function uses the buffer.

 <>     : The buffer is not accessed. If used on the return value or with _deref, the

            function will provide the buffer, and it will be uninitialized at exit.

            Otherwise, the caller must provide the buffer. This should only be used

            for alloc and free functions.

 _in    : The function will only read from the buffer. The caller must provide the

            buffer and initialize it. Cannot be used with _deref.

 _out   : The function will only write to the buffer. If used on the return value or

            with _deref, the function will provide the buffer and initialize it.

            Otherwise, the caller must provide the buffer, and the function will

            initialize it.

 _inout : The function may freely read from and write to the buffer. The caller must

            provide the buffer and initialize it. If used with _deref, the buffer may

            be reallocated by the function.

 Size: Describes the total size of the buffer. This may be less than the space actually

         allocated for the buffer, in which case it describes the accessible amount.

 <>      : No buffer size is given. If the type specifies the buffer size (such as

             with LPSTR and LPWSTR), that amount is used. Otherwise, the buffer is one

             element long. Must be used with _in, _out, or _inout.

 _ecount : The buffer size is an explicit element count.

 _bcount : The buffer size is an explicit byte count.

 Output: Describes how much of the buffer will be initialized by the function. For

           _inout buffers, this also describes how much is initialized at entry. Omit this

           category for _in buffers; they must be fully initialized by the caller.

 <>    : The type specifies how much is initialized. For instance, a function initializing

           an LPWSTR must NULL-terminate the string.

 _full : The function initializes the entire buffer.

 _part : The function initializes part of the buffer, and explicitly indicates how much.

 NullTerm: States if the present of a '\0' marks the end of valid elements in the buffer.

 _z    : A '\0' indicated the end of the buffer

 _nz  : The buffer may not be null terminated and a '\0' does not indicate the end of the

          buffer.

 Optional: Describes if the buffer itself is optional.

 <>   : The pointer to the buffer must not be NULL.

 _opt : The pointer to the buffer might be NULL. It will be checked before being dereferenced.

 Parameters: Gives explicit counts for the size and length of the buffer.

 <>            : There is no explicit count. Use when neither _ecount nor _bcount is used.

 (size)        : Only the buffer's total size is given. Use with _ecount or _bcount but not _part.

 (size,length) : The buffer's total size and initialized length are given. Use with _ecount_part

                   and _bcount_part.

 -------------------------------------------------------------------------------

 Buffer Annotation Examples

 LWSTDAPI_(BOOL) StrToIntExA(

     LPCSTR pszString,                    -- No annotation required, const implies __in.

     DWORD dwFlags,

     __out int *piRet                     -- A pointer whose dereference will be filled in.

 );

 void MyPaintingFunction(

     __in HWND hwndControl,               -- An initialized read-only parameter.

     __in_opt HDC hdcOptional,            -- An initialized read-only parameter that might be NULL.

     __inout IPropertyStore *ppsStore     -- An initialized parameter that may be freely used

                                          --   and modified.

 );

 LWSTDAPI_(BOOL) PathCompactPathExA(

     __out_ecount(cchMax) LPSTR pszOut,   -- A string buffer with cch elements that will

                                          --   be NULL terminated on exit.

     LPCSTR pszSrc,                       -- No annotation required, const implies __in.

     UINT cchMax,

     DWORD dwFlags

 );

 HRESULT SHLocalAllocBytes(

     size_t cb,

     __deref_bcount(cb) T **ppv           -- A pointer whose dereference will be set to an

                                          --   uninitialized buffer with cb bytes.

 );

 __inout_bcount_full(cb) : A buffer with cb elements that is fully initialized at

     entry and exit, and may be written to by this function.

 __out_ecount_part(count, *countOut) : A buffer with count elements that will be

     partially initialized by this function. The function indicates how much it

     initialized by setting *countOut.

 -------------------------------------------------------------------------------

 Advanced Annotations

 Advanced annotations describe behavior that is not expressible with the regular

 buffer macros. These may be used either to annotate buffer parameters that involve

 complex or conditional behavior, or to enrich existing annotations with additional

 information.

 __success(expr) f :

     <expr> indicates whether function f succeeded or not. If <expr> is true at exit,

     all the function's guarantees (as given by other annotations) must hold. If <expr>

     is false at exit, the caller should not expect any of the function's guarantees

     to hold. If not used, the function must always satisfy its guarantees. Added

     automatically to functions that indicate success in standard ways, such as by

     returning an HRESULT.

 __nullterminated p :

     Pointer p is a buffer that may be read or written up to and including the first

     NULL character or pointer. May be used on typedefs, which marks valid (properly

     initialized) instances of that type as being NULL-terminated.

 __nullnullterminated p :

     Pointer p is a buffer that may be read or written up to and including the first

     sequence of two NULL characters or pointers. May be used on typedefs, which marks

     valid instances of that type as being double-NULL terminated.

 __reserved v :

     Value v must be 0/NULL, reserved for future use.

 __checkReturn v :

     Return value v must not be ignored by callers of this function.

 __typefix(ctype) v :

     Value v should be treated as an instance of ctype, rather than its declared type.

 __override f :

     Specify C#-style 'override' behaviour for overriding virtual methods.

 __callback f :

     Function f can be used as a function pointer.

 __format_string p :

     Pointer p is a string that contains % markers in the style of printf.

 __blocksOn(resource) f :

     Function f blocks on the resource 'resource'.

 __fallthrough :

     Annotates switch statement labels where fall-through is desired, to distinguish

     from forgotten break statements.

 -------------------------------------------------------------------------------

 Advanced Annotation Examples

 __success(return == TRUE) LWSTDAPI_(BOOL) 

 PathCanonicalizeA(__out_ecount(MAX_PATH) LPSTR pszBuf, LPCSTR pszPath) :

    pszBuf is only guaranteed to be NULL-terminated when TRUE is returned.

 typedef __nullterminated WCHAR* LPWSTR : Initialized LPWSTRs are NULL-terminated strings.

 __out_ecount(cch) __typefix(LPWSTR) void *psz : psz is a buffer parameter which will be

     a NULL-terminated WCHAR string at exit, and which initially contains cch WCHARs.

 -------------------------------------------------------------------------------

*/

#define __specstrings

#ifdef  __cplusplus

#ifndef __nothrow

# define __nothrow __declspec(nothrow)

#endif

extern "C" {

#else

#ifndef __nothrow

# define __nothrow

#endif

#endif  /* #ifdef __cplusplus */

/*

 -------------------------------------------------------------------------------

 Helper Macro Definitions

 These express behavior common to many of the high-level annotations.

 DO NOT USE THESE IN YOUR CODE.

 -------------------------------------------------------------------------------

*/

/*

The helper annotations are only understood by the compiler version used by various

defect detection tools. When the regular compiler is running, they are defined into

nothing, and do not affect the compiled code.

*/

#if !defined(__midl) && defined(_PREFAST_) 

    /*

     In the primitive __declspec("SAL_*") annotations "SAL" stands for Standard

     Annotation Language.  These __declspec("SAL_*") annotations are the

     primitives the compiler understands and all high-level SpecString MACROs

     will decompose into these primivates.

    */

    #define SPECSTRINGIZE( x ) #x

    /*

     __null p

     __notnull p

     __maybenull p

    

     Annotates a pointer p. States that pointer p is null. Commonly used

     in the negated form __notnull or the possibly null form __maybenull.

    */

    #define __null                  __declspec("SAL_null")

    #define __notnull               __declspec("SAL_notnull")

    #define __maybenull             __declspec("SAL_maybenull")

    /*

     __readonly l

     __notreadonly l

     __mabyereadonly l

    

     Annotates a location l. States that location l is not modified after

     this point.  If the annotation is placed on the precondition state of

     a function, the restriction only applies until the postcondition state

     of the function.  __maybereadonly states that the annotated location

     may be modified, whereas __notreadonly states that a location must be

     modified.

    */

    #define __readonly              __declspec("SAL_readonly")

    #define __notreadonly           __declspec("SAL_notreadonly")

    #define __maybereadonly         __declspec("SAL_maybereadonly")

    /*

     __valid v

     __notvalid v

     __maybeval!id v

    

     Annotates any value v. States that the value satisfies all properties of

     valid values of its type. For example, for a string buffer, valid means

     that the buffer pointer is either NULL or points to a NULL-terminated string.

    */

    #define __valid                 __declspec("SAL_valid")

    #define __notvalid              __declspec("SAL_notvalid")

    #define __maybeval!id            __declspec("SAL_maybeval!id")

    /*

     __readableTo(extent) p

    

     Annotates a buffer pointer p.  If the buffer can be read, extent describes

     how much of the buffer is readable. For a reader of the buffer, this is

     an explicit permission to read up to that amount, rather than a restriction to

     read only up to it.

    */

    #define __readableTo(extent)    __declspec("SAL_readableTo("SPECSTRINGIZE(extent)")")

    /*

    

     __elem_readableTo(size)

    

     Annotates a buffer pointer p as being readable to size elements.

    */

    #define __elem_readableTo(size)   __declspec("SAL_readableTo(elementCount("SPECSTRINGIZE(size)"))")

    

    /*

     __byte_readableTo(size)

    

     Annotates a buffer pointer p as being readable to size bytes.

    */

    #define __byte_readableTo(size)   __declspec("SAL_readableTo(byteCount("SPECSTRINGIZE(size)"))")

    

    /*

     __writableTo(extent) p

    

     Annotates a buffer pointer p. If the buffer can be modified, extent

     describes how much of the buffer is writable (usually the allocation

     size). For a writer of the buffer, this is an explicit permission to

     write up to that amount, rather than a restriction to write only up to it.

    */

    #define __writableTo(size)   __declspec("SAL_writableTo("SPECSTRINGIZE(size)")")

    /*

     __elem_writableTo(size)

    

     Annotates a buffer pointer p as being writable to size elements.

    */

    #define __elem_writableTo(size)   __declspec("SAL_writableTo(elementCount("SPECSTRINGIZE(size)"))")

    

    /*

     __byte_writableTo(size)

    

     Annotates a buffer pointer p as being writable to size bytes.

    */

    #define __byte_writableTo(size)   __declspec("SAL_writableTo(byteCount("SPECSTRINGIZE(size)"))")

    /*

     __deref p

    

     Annotates a pointer p. The next annotation applies one dereference down

     in the type. If readableTo(p, size) then the next annotation applies to

     all elements *(p+i) for which i satisfies the size. If p is a pointer

     to a struct, the next annotation applies to all fields of the struct.

    */

    #define __deref                 __declspec("SAL_deref")

    

    /*

     __pre __next_annotation

    

     The next annotation applies in the precondition state

    */

    #define __pre                   __declspec("SAL_pre")

    

    /*

     __post __next_annotation

    

     The next annotation applies in the postcondition state

    */

    #define __post                  __declspec("SAL_post")

    

    /*

     __precond(<expr>)

    

     When <expr> is true, the next annotation applies in the precondition state

     (currently not enabled)

    */

    #define __precond(expr)         __pre

    /*

     __postcond(<expr>)

    

     When <expr> is true, the next annotation applies in the postcondition state

     (currently not enabled)

    */

    #define __postcond(expr)        __post

    /*

     __exceptthat

    

     Given a set of annotations Q containing __exceptthat maybeP, the effect of

     the except clause is to erase any P or notP annotations (explicit or

     implied) within Q at the same level of dereferencing that the except

     clause appears, and to replace it with maybeP.

    

      Example 1: __valid __exceptthat __maybenull on a pointer p means that the

                 pointer may be null, and is otherwise valid, thus overriding

                 the implicit notnull annotation implied by __valid on

                 pointers.

    

      Example 2: __valid __deref __exceptthat __maybenull on an int **p means

                 that p is not null (implied by valid), but the elements

                 pointed to by p could be null, and are otherwise valid. 

    */

    #define __exceptthat                __declspec("SAL_except")

    #define __execeptthat               __exceptthat

 

    /*

     _refparam

    

     Added to all out parameter macros to indicate that they are all reference

     parameters.

    */

    #define __refparam                  __deref __notreadonly

    /*

     __inner_*

    

     Helper macros that directly correspond to certain high-level annotations.

    

    */

    /*

     Macros to classify the entrypoints and indicate their category.

    

     Pre-defined control point categories include: RPC, LPC, DeviceDriver, UserToKernel, ISAPI, COM.

    

    */

    #define __inner_control_entrypoint(category) __declspec("SAL_entrypoint(controlEntry, "SPECSTRINGIZE(category)")")

    /*

     Pre-defined data entry point categories include: Registry, File, Network.

    */

    #define __inner_data_entrypoint(category)    __declspec("SAL_entrypoint(dataEntry, "SPECSTRINGIZE(category)")")

    #define __inner_success(expr)               __declspec("SAL_success("SPECSTRINGIZE(expr)")")

    #define __inner_checkReturn                 __declspec("SAL_checkReturn")

    #define __inner_typefix(ctype)              __declspec("SAL_typefix("SPECSTRINGIZE(ctype)")")

    #define __inner_override                    __declspec("__override")

    #define __inner_callback                    __declspec("__callback")

    #define __inner_blocksOn(resource)          __declspec("SAL_blocksOn("SPECSTRINGIZE(resource)")")

    #define __inner_fallthrough_dec             __inline __nothrow void __FallThrough() {}

    #define __inner_fallthrough                 __FallThrough();

#else

    #define __null

    #define __notnull

    #define __maybenull

    #define __readonly

    #define __notreadonly

    #define __maybereadonly

    #define __valid

    #define __notvalid

    #define __maybeval!id

    #define __readableTo(extent)

    #define __elem_readableTo(size)

    #define __byte_readableTo(size)

    #define __writableTo(size)

    #define __elem_writableTo(size)

    #define __byte_writableTo(size)

    #define __deref

    #define __pre

    #define __post

    #define __precond(expr)

    #define __postcond(expr)

    #define __exceptthat

    #define __execeptthat

    #define __inner_success(expr)

    #define __inner_checkReturn

    #define __inner_typefix(ctype)

    #define __inner_override

    #define __inner_callback

    #define __inner_blocksOn(resource)

    #define __inner_fallthrough_dec

    #define __inner_fallthrough

    #define __refparam

    #define __inner_control_entrypoint(category)

    #define __inner_data_entrypoint(category)

#endif /* #if !defined(__midl) && defined(_PREFAST_) */

/* 

-------------------------------------------------------------------------------

Buffer Annotation Definitions

Any of these may be used to directly annotate functions, but only one should

be used for each parameter. To determine which annotation to use for a given

buffer, use the table in the buffer annotations section.

-------------------------------------------------------------------------------

*/

#define __ecount(size)                                          __notnull __elem_writableTo(size)

#define __bcount(size)                                          __notnull __byte_writableTo(size)

#define __in                                                    __pre __valid __pre __deref __readonly

#define __in_ecount(size)                                       __in __pre __elem_readableTo(size)

#define __in_bcount(size)                                       __in __pre __byte_readableTo(size)

#define __in_z                                                  __in __pre __nullterminated

#define __in_ecount_z(size)                                     __in_ecount(size) __pre __nullterminated

#define __in_bcount_z(size)                                     __in_bcount(size) __pre __nullterminated

#define __in_nz                                                 __in

#define __in_ecount_nz(size)                                    __in_ecount(size)

#define __in_bcount_nz(size)                                    __in_bcount(size)

#define __out                                                   __ecount(1) __post __valid __refparam

#define __out_ecount(size)                                      __ecount(size) __post __valid __refparam

#define __out_bcount(size)                                      __bcount(size) __post __valid __refparam

#define __out_ecount_part(size,length)                          __out_ecount(size) __post __elem_readableTo(length)

#define __out_bcount_part(size,length)                          __out_bcount(size) __post __byte_readableTo(length)

#define __out_ecount_full(size)                                 __out_ecount_part(size,size)

#define __out_bcount_full(size)                                 __out_bcount_part(size,size)

#define __out_z                                                 __post __valid __refparam __post __nullterminated

#define __out_z_opt                                             __post __valid __refparam __post __nullterminated __exceptthat __maybenull

#define __out_ecount_z(size)                                    __ecount(size) __post __valid __refparam __post __nullterminated

#define __out_bcount_z(size)                                    __bcount(size) __post __valid __refparam __post __nullterminated

#define __out_ecount_part_z(size,length)                        __out_ecount_part(size,length) __post __nullterminated

#define __out_bcount_part_z(size,length)                        __out_bcount_part(size,length) __post __nullterminated

#define __out_ecount_full_z(size)                               __out_ecount_full(size) __post __nullterminated

#define __out_bcount_full_z(size)                               __out_bcount_full(size) __post __nullterminated

#define __out_nz                                                __post __valid __refparam __post

#define __out_nz_opt                                            __post __valid __refparam __post __exceptthat __maybenull

#define __out_ecount_nz(size)                                   __ecount(size) __post __valid __refparam

#define __out_bcount_nz(size)                                   __bcount(size) __post __valid __refparam

#define __inout                                                 __pre __valid __post __valid __refparam

#define __inout_ecount(size)                                    __out_ecount(size) __pre __valid

#define __inout_bcount(size)                                    __out_bcount(size) __pre __valid

#define __inout_ecount_part(size,length)                        __out_ecount_part(size,length) __pre __valid __pre __elem_readableTo(length)

#define __inout_bcount_part(size,length)                        __out_bcount_part(size,length) __pre __valid __pre __byte_readableTo(length)

#define __inout_ecount_full(size)                               __inout_ecount_part(size,size)

#define __inout_bcount_full(size)                               __inout_bcount_part(size,size)

#define __inout_z                                               __inout __pre __nullterminated __post __nullterminated

#define __inout_ecount_z(size)                                  __inout_ecount(size) __pre __nullterminated __post __nullterminated

#define __inout_bcount_z(size)                                  __inout_bcount(size) __pre __nullterminated __post __nullterminated

#define __inout_nz                                              __inout

#define __inout_ecount_nz(size)                                 __inout_ecount(size) 

#define __inout_bcount_nz(size)                                 __inout_bcount(size) 

#define __ecount_opt(size)                                      __ecount(size)                              __exceptthat __maybenull

#define __bcount_opt(size)                                      __bcount(size)                              __exceptthat __maybenull

#define __in_opt                                                __in                                        __exceptthat __maybenull

#define __in_ecount_opt(size)                                   __in_ecount(size)                           __exceptthat __maybenull

#define __in_bcount_opt(size)                                   __in_bcount(size)                           __exceptthat __maybenull

#define __in_z_opt                                              __in_opt __pre __nullterminated 

#define __in_ecount_z_opt(size)                                 __in_ecount_opt(size) __pre __nullterminated 

#define __in_bcount_z_opt(size)                                 __in_bcount_opt(size) __pre __nullterminated

#define __in_nz_opt                                             __in_opt                                     

#define __in_ecount_nz_opt(size)                                __in_ecount_opt(size)                         

#define __in_bcount_nz_opt(size)                                __in_bcount_opt(size)                         

#define __out_opt                                               __out                                       __exceptthat __maybenull

#define __out_ecount_opt(size)                                  __out_ecount(size)                          __exceptthat __maybenull

#define __out_bcount_opt(size)                                  __out_bcount(size)                          __exceptthat __maybenull

#define __out_ecount_part_opt(size,length)                      __out_ecount_part(size,length)              __exceptthat __maybenull

#define __out_bcount_part_opt(size,length)                      __out_bcount_part(size,length)              __exceptthat __maybenull

#define __out_ecount_full_opt(size)                             __out_ecount_full(size)                     __exceptthat __maybenull

#define __out_bcount_full_opt(size)                             __out_bcount_full(size)                     __exceptthat __maybenull

#define __out_ecount_z_opt(size)                                __out_ecount_opt(size) __post __nullterminated

#define __out_bcount_z_opt(size)                                __out_bcount_opt(size) __post __nullterminated

#define __out_ecount_part_z_opt(size,length)                    __out_ecount_part_opt(size,length) __post __nullterminated

#define __out_bcount_part_z_opt(size,length)                    __out_bcount_part_opt(size,length) __post __nullterminated

#define __out_ecount_full_z_opt(size)                           __out_ecount_full_opt(size) __post __nullterminated

#define __out_bcount_full_z_opt(size)                           __out_bcount_full_opt(size) __post __nullterminated

#define __out_ecount_nz_opt(size)                               __out_ecount_opt(size) __post __nullterminated                       

#define __out_bcount_nz_opt(size)                               __out_bcount_opt(size) __post __nullterminated                        

#define __inout_opt                                             __inout                                     __exceptthat __maybenull

#define __inout_ecount_opt(size)                                __inout_ecount(size)                        __exceptthat __maybenull

#define __inout_bcount_opt(size)                                __inout_bcount(size)                        __exceptthat __maybenull

#define __inout_ecount_part_opt(size,length)                    __inout_ecount_part(size,length)            __exceptthat __maybenull

#define __inout_bcount_part_opt(size,length)                    __inout_bcount_part(size,length)            __exceptthat __maybenull

#define __inout_ecount_full_opt(size)                           __inout_ecount_full(size)                   __exceptthat __maybenull

#define __inout_bcount_full_opt(size)                           __inout_bcount_full(size)                   __exceptthat __maybenull

#define __inout_z_opt                                           __inout_opt __pre __nullterminated __post __nullterminated

#define __inout_ecount_z_opt(size)                              __inout_ecount_opt(size) __pre __nullterminated __post __nullterminated

#define __inout_ecount_z_opt(size)                              __inout_ecount_opt(size) __pre __nullterminated __post __nullterminated

#define __inout_bcount_z_opt(size)                              __inout_bcount_opt(size) 

#define __inout_nz_opt                                          __inout_opt

#define __inout_ecount_nz_opt(size)                             __inout_ecount_opt(size)

#define __inout_bcount_nz_opt(size)                             __inout_bcount_opt(size)

#define __deref_ecount(size)                                    __ecount(1) __post __elem_readableTo(1) __post __deref __notnull __post __deref __elem_writableTo(size)

#define __deref_bcount(size)                                    __ecount(1) __post __elem_readableTo(1) __post __deref __notnull __post __deref __byte_writableTo(size)

#define __deref_out                                             __deref_ecount(1) __post __deref __valid __refparam

#define __deref_out_ecount(size)                                __deref_ecount(size) __post __deref __valid __refparam

#define __deref_out_bcount(size)                                __deref_bcount(size) __post __deref __valid __refparam

#define __deref_out_ecount_part(size,length)                    __deref_out_ecount(size) __post __deref __elem_readableTo(length)

#define __deref_out_bcount_part(size,length)                    __deref_out_bcount(size) __post __deref __byte_readableTo(length)

#define __deref_out_ecount_full(size)                           __deref_out_ecount_part(size,size)

#define __deref_out_bcount_full(size)                           __deref_out_bcount_part(size,size)

#define __deref_out_z                                           __post __deref __valid __refparam __post __deref __nullterminated

#define __deref_out_ecount_z(size)                              __deref_out_ecount(size) __post __deref __nullterminated  

#define __deref_out_bcount_z(size)                              __deref_out_ecount(size) __post __deref __nullterminated  

#define __deref_out_nz                                          __deref_out

#define __deref_out_ecount_nz(size)                             __deref_out_ecount(size)   

#define __deref_out_bcount_nz(size)                             __deref_out_ecount(size)   

#define __deref_inout                                           __notnull __elem_readableTo(1) __pre __deref __valid __post __deref __valid __refparam

#define __deref_inout_z                                         __deref_inout __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_inout_ecount(size)                              __deref_inout __pre __deref __elem_writableTo(size) __post __deref __elem_writableTo(size)

#define __deref_inout_bcount(size)                              __deref_inout __pre __deref __byte_writableTo(size) __post __deref __byte_writableTo(size)

#define __deref_inout_ecount_part(size,length)                  __deref_inout_ecount(size) __pre __deref __elem_readableTo(length) __post __deref __elem_readableTo(length)

#define __deref_inout_bcount_part(size,length)                  __deref_inout_bcount(size) __pre __deref __byte_readableTo(length) __post __deref __byte_readableTo(length)

#define __deref_inout_ecount_full(size)                         __deref_inout_ecount_part(size,size)

#define __deref_inout_bcount_full(size)                         __deref_inout_bcount_part(size,size)

#define __deref_inout_z                                         __deref_inout __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_inout_ecount_z(size)                            __deref_inout_ecount(size) __pre __deref __nullterminated __post __deref __nullterminated   

#define __deref_inout_bcount_z(size)                            __deref_inout_bcount(size) __pre __deref __nullterminated __post __deref __nullterminated  

#define __deref_inout_nz                                        __deref_inout

#define __deref_inout_ecount_nz(size)                           __deref_inout_ecount(size)   

#define __deref_inout_bcount_nz(size)                           __deref_inout_ecount(size)   

#define __deref_ecount_opt(size)                                __deref_ecount(size)                        __post __deref __exceptthat __maybenull

#define __deref_bcount_opt(size)                                __deref_bcount(size)                        __post __deref __exceptthat __maybenull

#define __deref_out_opt                                         __deref_out                                 __post __deref __exceptthat __maybenull

#define __deref_out_ecount_opt(size)                            __deref_out_ecount(size)                    __post __deref __exceptthat __maybenull

#define __deref_out_bcount_opt(size)                            __deref_out_bcount(size)                    __post __deref __exceptthat __maybenull

#define __deref_out_ecount_part_opt(size,length)                __deref_out_ecount_part(size,length)        __post __deref __exceptthat __maybenull

#define __deref_out_bcount_part_opt(size,length)                __deref_out_bcount_part(size,length)        __post __deref __exceptthat __maybenull

#define __deref_out_ecount_full_opt(size)                       __deref_out_ecount_full(size)               __post __deref __exceptthat __maybenull

#define __deref_out_bcount_full_opt(size)                       __deref_out_bcount_full(size)               __post __deref __exceptthat __maybenull

#define __deref_out_z_opt                                       __post __deref __valid __refparam __execeptthat __maybenull __post __deref __nullterminated

#define __deref_out_ecount_z_opt(size)                          __deref_out_ecount_opt(size) __post __deref __nullterminated

#define __deref_out_bcount_z_opt(size)                          __deref_out_bcount_opt(size) __post __deref __nullterminated

#define __deref_out_nz_opt                                      __deref_out_opt

#define __deref_out_ecount_nz_opt(size)                         __deref_out_ecount_opt(size)

#define __deref_out_bcount_nz_opt(size)                         __deref_out_bcount_opt(size)

#define __deref_inout_opt                                       __deref_inout                               __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull

#define __deref_inout_ecount_opt(size)                          __deref_inout_ecount(size)                  __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull

#define __deref_inout_bcount_opt(size)                          __deref_inout_bcount(size)                  __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull

#define __deref_inout_ecount_part_opt(size,length)              __deref_inout_ecount_part(size,length)      __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull

#define __deref_inout_bcount_part_opt(size,length)              __deref_inout_bcount_part(size,length)      __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull

#define __deref_inout_ecount_full_opt(size)                     __deref_inout_ecount_full(size)             __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull

#define __deref_inout_bcount_full_opt(size)                     __deref_inout_bcount_full(size)             __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull

#define __deref_inout_z_opt                                     __deref_inout_opt __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_inout_ecount_z_opt(size)                        __deref_inout_ecount_opt(size) __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_inout_bcount_z_opt(size)                        __deref_inout_bcount_opt(size) __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_inout_nz_opt                                    __deref_inout_opt 

#define __deref_inout_ecount_nz_opt(size)                       __deref_inout_ecount_opt(size)

#define __deref_inout_bcount_nz_opt(size)                       __deref_inout_bcount_opt(size)

#define __deref_opt_ecount(size)                                __deref_ecount(size)                        __exceptthat __maybenull

#define __deref_opt_bcount(size)                                __deref_bcount(size)                        __exceptthat __maybenull

#define __deref_opt_out                                         __deref_out                                 __exceptthat __maybenull

#define __deref_opt_out_z                                       __deref_opt_out __post __deref __nullterminated

#define __deref_opt_out_ecount(size)                            __deref_out_ecount(size)                    __exceptthat __maybenull

#define __deref_opt_out_bcount(size)                            __deref_out_bcount(size)                    __exceptthat __maybenull

#define __deref_opt_out_ecount_part(size,length)                __deref_out_ecount_part(size,length)        __exceptthat __maybenull

#define __deref_opt_out_bcount_part(size,length)                __deref_out_bcount_part(size,length)        __exceptthat __maybenull

#define __deref_opt_out_ecount_full(size)                       __deref_out_ecount_full(size)               __exceptthat __maybenull

#define __deref_opt_out_bcount_full(size)                       __deref_out_bcount_full(size)               __exceptthat __maybenull

#define __deref_opt_inout                                       __deref_inout                               __exceptthat __maybenull

#define __deref_opt_inout_ecount(size)                          __deref_inout_ecount(size)                  __exceptthat __maybenull

#define __deref_opt_inout_bcount(size)                          __deref_inout_bcount(size)                  __exceptthat __maybenull

#define __deref_opt_inout_ecount_part(size,length)              __deref_inout_ecount_part(size,length)      __exceptthat __maybenull

#define __deref_opt_inout_bcount_part(size,length)              __deref_inout_bcount_part(size,length)      __exceptthat __maybenull

#define __deref_opt_inout_ecount_full(size)                     __deref_inout_ecount_full(size)             __exceptthat __maybenull

#define __deref_opt_inout_bcount_full(size)                     __deref_inout_bcount_full(size)             __exceptthat __maybenull

#define __deref_opt_inout_z                                     __deref_opt_inout __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_opt_inout_ecount_z(size)                        __deref_opt_inout_ecount(size) __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_opt_inout_bcount_z(size)                        __deref_opt_inout_bcount(size) __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_opt_inout_nz                                    __deref_opt_inout

#define __deref_opt_inout_ecount_nz(size)                       __deref_opt_inout_ecount(size)

#define __deref_opt_inout_bcount_nz(size)                       __deref_opt_inout_bcount(size)

#define __deref_opt_ecount_opt(size)                            __deref_ecount_opt(size)                    __exceptthat __maybenull

#define __deref_opt_bcount_opt(size)                            __deref_bcount_opt(size)                    __exceptthat __maybenull

#define __deref_opt_out_opt                                     __deref_out_opt                             __exceptthat __maybenull

#define __deref_opt_out_ecount_opt(size)                        __deref_out_ecount_opt(size)                __exceptthat __maybenull

#define __deref_opt_out_bcount_opt(size)                        __deref_out_bcount_opt(size)                __exceptthat __maybenull

#define __deref_opt_out_ecount_part_opt(size,length)            __deref_out_ecount_part_opt(size,length)    __exceptthat __maybenull

#define __deref_opt_out_bcount_part_opt(size,length)            __deref_out_bcount_part_opt(size,length)    __exceptthat __maybenull

#define __deref_opt_out_ecount_full_opt(size)                   __deref_out_ecount_full_opt(size)           __exceptthat __maybenull

#define __deref_opt_out_bcount_full_opt(size)                   __deref_out_bcount_full_opt(size)           __exceptthat __maybenull

#define __deref_opt_out_z_opt                                   __post __deref __valid __refparam __exceptthat __maybenull __pre __deref __exceptthat __maybenull __post __deref __exceptthat __maybenull __post __deref __nullterminated

#define __deref_opt_out_ecount_z_opt(size)                      __deref_opt_out_ecount_opt(size) __post __deref __nullterminated

#define __deref_opt_out_bcount_z_opt(size)                      __deref_opt_out_bcount_opt(size) __post __deref __nullterminated

#define __deref_opt_out_nz_opt                                  __deref_opt_out_opt

#define __deref_opt_out_ecount_nz_opt(size)                     __deref_opt_out_ecount_opt(size)    

#define __deref_opt_out_bcount_nz_opt(size)                     __deref_opt_out_bcount_opt(size)    

#define __deref_opt_inout_opt                                   __deref_inout_opt                           __exceptthat __maybenull

#define __deref_opt_inout_ecount_opt(size)                      __deref_inout_ecount_opt(size)              __exceptthat __maybenull

#define __deref_opt_inout_bcount_opt(size)                      __deref_inout_bcount_opt(size)              __exceptthat __maybenull

#define __deref_opt_inout_ecount_part_opt(size,length)          __deref_inout_ecount_part_opt(size,length)  __exceptthat __maybenull

#define __deref_opt_inout_bcount_part_opt(size,length)          __deref_inout_bcount_part_opt(size,length)  __exceptthat __maybenull

#define __deref_opt_inout_ecount_full_opt(size)                 __deref_inout_ecount_full_opt(size)         __exceptthat __maybenull

#define __deref_opt_inout_bcount_full_opt(size)                 __deref_inout_bcount_full_opt(size)         __exceptthat __maybenull

#define __deref_opt_inout_z_opt                                 __deref_opt_inout_opt  __pre __deref __nullterminated __post __deref __nullterminated             

#define __deref_opt_inout_ecount_z_opt(size)                    __deref_opt_inout_ecount_opt(size)  __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_opt_inout_bcount_z_opt(size)                    __deref_opt_inout_bcount_opt(size)  __pre __deref __nullterminated __post __deref __nullterminated

#define __deref_opt_inout_nz_opt                                __deref_opt_inout_opt               

#define __deref_opt_inout_ecount_nz_opt(size)                   __deref_opt_inout_ecount_opt(size)  

#define __deref_opt_inout_bcount_nz_opt(size)                   __deref_opt_inout_bcount_opt(size)  

/*

-------------------------------------------------------------------------------

Advanced Annotation Definitions

Any of these may be used to directly annotate functions, and may be used in

combination with each other or with regular buffer macros. For an explanation

of each annotation, see the advanced annotations section.

-------------------------------------------------------------------------------

*/

#define __success(expr)                     __inner_success(expr)

#define __nullterminated                    __readableTo(sentinel(0))

#define __nullnullterminated

#define __reserved                          __pre __null

#define __checkReturn                       __inner_checkReturn

#define __typefix(ctype)                    __inner_typefix(ctype)

#define __override                          __inner_override

#define __callback                          __inner_callback

#define __format_string

#define __blocksOn(resource)                __inner_blocksOn(resource)

#define __control_entrypoint(category)      __inner_control_entrypoint(category)

#define __data_entrypoint(category)         __inner_data_entrypoint(category)

#ifndef __fallthrough

    __inner_fallthrough_dec

    #define __fallthrough __inner_fallthrough

#endif

#ifndef __analysis_assume

#ifdef _PREFAST_

#define __analysis_assume(expr) __assume(expr)

#else

#define __analysis_assume(expr) 

#endif

#endif

#ifdef  __cplusplus

}

#endif

참고 : 윈도우 비스타 보안 프로그래밍





이 글에는 0 개의 댓글이 있습니다.