From: Jonny Grant <jg@jguk.org>
To: Gabriel Ravier <gabravier@gmail.com>,
Xi Ruoyao <xry111@xry111.site>,
Jonathan Wakely <jwakely.gcc@gmail.com>
Cc: gcc-help <gcc-help@gcc.gnu.org>
Subject: Re: std::string add nullptr attribute
Date: Mon, 20 Feb 2023 11:38:11 +0000 [thread overview]
Message-ID: <dbcc1690-deac-5e36-73ff-ca61841fd3a2@jguk.org> (raw)
In-Reply-To: <dda07dae-8e7a-1f61-d6fd-aa485d423c57@gmail.com>
On 20/02/2023 11:10, Gabriel Ravier wrote:
> On 2/20/23 11:54, Xi Ruoyao via Gcc-help wrote:
>> On Mon, 2023-02-20 at 10:37 +0000, Jonathan Wakely wrote:
>>> On Mon, 20 Feb 2023 at 10:26, Xi Ruoyao <xry111@xry111.site> wrote:
>>>> On Sun, 2023-02-19 at 21:33 +0000, Jonny Grant wrote:
>>>>
>>>>> I noticed -Wanalyzer-null-dereference reports at build time a
>>>>> dereference. Also works if a function parameter. I wondered why
>>>>> std::string isn't detected by this static analyser option.
>>>> Because the analyzer does not know the C++ standard disallows to use
>>>> NULL here. It just analyzes the code. The code in libstdc++ reads:
>>>>
>>>> basic_string(const _CharT* __s, const _Alloc& __a = _Alloc())
>>>> : _M_dataplus(_M_local_data(), __a)
>>>> {
>>>> // NB: Not required, but considered best practice.
>>>> if (__s == 0)
>>>> std::__throw_logic_error(__N("basic_string: "
>>>> "construction from null is not valid"));
>>>> const _CharT* __end = __s + traits_type::length(__s);
>>>> _M_construct(__s, __end, forward_iterator_tag());
>>>> }
>>>>
>>>> As you can see yourself, though the standard implies using NULL here is
>>>> a UB, libstdc++ does not really code a UB here. So the analyzer will
>>>> consider the code absolutely valid.
>>> Right, it's defined behaviour in libstdc++, as an extension.
>>>
>>>> Note that throwing a C++ exception is not a programming error. It's
>>>> perfectly legal to catch the exception elsewhere. It's also perfectly
>>>> legal not to catch it and treat it as an abort() (calling abort is also
>>>> not a programming error).
>>>>
>>>>
>>>>> It's not pretty, but this wrapper catches NULL passed at compile time:
>>>>>
>>>>> std::string make_std_string(const char * const str)
>>>>> {
>>>>> // This line ensures: warning: dereference of NULL '0' [CWE-476]
>>>>> [-Wanalyzer-null-dereference]
>>>>> char b = *str;
>>>> You are invoking an undefined behavior here if str is NULL, so it's
>>>> essentially same as using a nonnull attribute for make_std_string.
>>> And turned defined behaviour back into UB. The warning isn't reliable
>>> (only if the compiler can see the point is null, which isn't the case
>>> without optimization, or if the pointer comes from some non-inline
>>> function), the exception is. You're trading guaranteed exception for a
>>> not guaranteed warning and unbounded misoptimization due to undefined
>>> behaviour.
>> Well, maybe we should have a warning here with -Wpedantic (or something)
>> as the standard does not allow people to pass NULL and expect a
>> logic_error. But "deliberately making a UB to raise the warning" is not
>> good.
>
> This is the kind of thing that makes me wonder why there isn't some kind of `__builtin_unreachable_do_not_optimize()` builtin that allows one to mark places in code that should never be reached and should thus be warned about if such a thing happens while at the same time never doing any optimization on the basis of the presence of the call.
>
That sounds really useful. So something would give a useful build warning?
<source>:6:8: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
12 | char b = *str;
void f(const char * str)
{
if(NULL == str)
{
__builtin_unreachable_do_not_optimize();
}
__builtin_printf(str);
}
Regards, Jonny
next prev parent reply other threads:[~2023-02-20 11:38 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-09 13:26 Jonny Grant
2023-02-09 14:56 ` Jonathan Wakely
2023-02-09 16:30 ` Xi Ruoyao
2023-02-09 17:52 ` Jonathan Wakely
2023-02-10 21:30 ` Jonny Grant
2023-02-10 22:03 ` Jonathan Wakely
2023-02-10 22:38 ` Jonny Grant
2023-02-11 0:32 ` Jonathan Wakely
2023-02-13 22:02 ` Jonny Grant
2023-02-19 20:43 ` Jonny Grant
2023-02-19 21:33 ` Jonny Grant
2023-02-20 10:26 ` Xi Ruoyao
2023-02-20 10:37 ` Jonathan Wakely
2023-02-20 10:54 ` Xi Ruoyao
2023-02-20 11:10 ` Gabriel Ravier
2023-02-20 11:18 ` Marc Glisse
2023-02-20 11:28 ` Segher Boessenkool
2023-02-20 12:00 ` Jonny Grant
2023-02-20 14:50 ` Gabriel Ravier
2023-02-20 11:44 ` Jonny Grant
2023-02-21 15:02 ` Jonny Grant
2023-02-20 11:38 ` Jonny Grant [this message]
2023-02-20 11:30 ` Jonny Grant
2023-02-20 12:59 ` Xi Ruoyao
2023-02-20 13:44 ` Jonathan Wakely
2023-02-20 19:21 ` Jonny Grant
2023-02-20 19:35 ` Jonathan Wakely
2023-02-20 19:39 ` Jonny Grant
2023-02-22 20:27 ` Jonny Grant
2023-02-21 15:04 ` Jonny Grant
2023-02-21 22:48 ` Jonny Grant
2023-03-04 15:00 ` Jonny Grant
2023-02-20 11:25 ` Jonny Grant
2023-03-12 22:10 ` Jonny Grant
2023-03-13 10:10 ` Jonathan Wakely
2023-03-13 19:55 ` Jonny Grant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dbcc1690-deac-5e36-73ff-ca61841fd3a2@jguk.org \
--to=jg@jguk.org \
--cc=gabravier@gmail.com \
--cc=gcc-help@gcc.gnu.org \
--cc=jwakely.gcc@gmail.com \
--cc=xry111@xry111.site \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).