public inbox for gcc-bugs@sourceware.org
* [Bug c/46936] New: turn __attribute__ ((nonnull (x))) into assert in debug mode
@ 2010-12-14 12:54 eike@sf-mail.de
  2013-10-23 13:47 ` [Bug c/46936] " neleai at seznam dot cz
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: eike@sf-mail.de @ 2010-12-14 12:54 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=46936

           Summary: turn __attribute__ ((nonnull (x))) into assert in
                    debug mode
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: enhancement
          Priority: P3
         Component: c
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: eike@sf-mail.de


I have this simple function to free a linked list:

void freeips(struct ips *p)
{
    while (p) {
        struct ips *thisip = p;

        p = thisip->next;
        free(thisip);
    }
}

I accidentally annotated this as __attribute__ ((nonnull (1))) and called it
with a NULL argument. This still worked as long as I was building with -g. Once
I built this in release mode it crashed (correctly). I would like to have some
sort of automatic assert once I annotate a function this way. So when I build
this function annotated and pass NULL I get a meaningful crash and I can debug
this. If I need to explicitly switch this on by a command line switch it's
fine for me.



* [Bug c/46936] turn __attribute__ ((nonnull (x))) into assert in debug mode
From: neleai at seznam dot cz @ 2013-10-23 13:47 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=46936

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neleai at seznam dot cz

--- Comment #1 from Ondrej Bilka <neleai at seznam dot cz> ---
I put it here to avoid being marked as duplicate.

I also wanted to propose nonnull checks, but they should be enabled by
FORTIFY_SOURCE.

In glibc we played with the idea of scanning headers for the nonnull attribute
and automatically generating wrappers of these functions. Then, by LD_PRELOADing
these, enable extra checks if attribute is null. We realized that offloading this
functionality to gcc is better as it will cover everybody that annotates
prototypes with nonnull, and checks when the pointer is known nonnull can be
avoided.



* [Bug c/46936] turn __attribute__ ((nonnull (x))) into assert in debug mode
From: brooks at gcc dot gnu.org @ 2013-10-24  4:05 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=46936

Brooks Moses <brooks at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |brooks at gcc dot gnu.org

--- Comment #2 from Brooks Moses <brooks at gcc dot gnu.org> ---
As per http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html, the
annotation on the example function there "causes the compiler to check that, in
calls to my_memcpy, arguments dest and src are non-null."  Is this a
documentation bug, or does the functionality that you're asking for already
exist?

(My guess is that this is a documentation bug.  If so, a patch to fix it may
call some attention to this feature request!)



* [Bug c/46936] turn __attribute__ ((nonnull (x))) into assert in debug mode
From: neleai at seznam dot cz @ 2013-11-05 14:41 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=46936

--- Comment #3 from Ondrej Bilka <neleai at seznam dot cz> ---
> As per http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html, the
> annotation on the example function there "causes the compiler to check that, in
> calls to my_memcpy, arguments dest and src are non-null."  Is this a
> documentation bug, or does the functionality that you're asking for already
> exist?

GCC does not check that. Also, this is not a documentation request but a request
to add checks when _FORTIFY_SOURCE is defined.

This would also mostly solve the following bug:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17308



* [Bug c/46936] turn __attribute__ ((nonnull (x))) into assert in debug mode
From: jakub at gcc dot gnu.org @ 2013-11-05 14:51 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=46936

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
_FORTIFY_SOURCE is not a debug mode you put all kinds of extra checks into.


^ permalink raw reply	[flat|nested] 5+ messages in thread
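
The check requested in this thread, written out by hand as an added example (not code from the thread, GCC or glibc): checking builds drop the attribute, because with it present the compiler may assume the argument is non-null and delete the test, and report the NULL argument explicitly; -DNDEBUG builds keep the attribute and emit no check. The names ARG_NONNULL, NONNULL_OK, nonnull_hook and nonnull_count are hypothetical, and this freeips variant treats a NULL head as a contract violation.

```c
#include <stdio.h>
#include <stdlib.h>

struct ips { struct ips *next; };

/* Default handler: report which argument broke the contract, then abort. */
void nonnull_abort(const char *func, const char *arg)
{
    fprintf(stderr, "%s: argument '%s' must not be NULL\n", func, arg);
    abort();
}

/* Replaceable hook (hypothetical) so a test can count instead of aborting. */
void (*nonnull_hook)(const char *func, const char *arg) = nonnull_abort;
unsigned nonnull_hits;
void nonnull_count(const char *f, const char *a) { (void)f; (void)a; nonnull_hits++; }

#ifdef NDEBUG   /* release: keep the attribute, emit no check */
#define ARG_NONNULL(...) __attribute__((nonnull(__VA_ARGS__)))
#define NONNULL_OK(p) 1
#else           /* checking: drop the attribute so the test cannot be deleted */
#define ARG_NONNULL(...)
#define NONNULL_OK(p) ((p) != NULL || (nonnull_hook(__func__, #p), 0))
#endif

/* Contract: p is a list head, never NULL. Returns the number of nodes freed. */
ARG_NONNULL(1) size_t freeips(struct ips *p)
{
    size_t n = 0;
    if (!NONNULL_OK(p))
        return 0;               /* reached only when the hook returns */
    do {
        struct ips *thisip = p;
        p = thisip->next;
        free(thisip);
        n++;
    } while (p);
    return n;
}

int main(void)
{
    struct ips *tail = calloc(1, sizeof *tail), *head = calloc(1, sizeof *head);
    if (!tail || !head) return 1;
    head->next = tail;          /* constructed two-node list */
    printf("freed %zu nodes\n", freeips(head));
    return 0;
}
```

Built without -DNDEBUG, a call with a NULL head aborts with a message naming the function and argument. Current GCC and Clang also provide -fsanitize=nonnull-attribute, a UBSan check that instruments calls to functions annotated with nonnull.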
