From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <xry111@mengyan1223.wang>
Received: from mengyan1223.wang (mengyan1223.wang [89.208.246.23])
 by sourceware.org (Postfix) with ESMTPS id 760883857810
 for <gcc-help@gcc.gnu.org>; Fri, 18 Jun 2021 04:16:14 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 760883857810
Received: from [IPv6:240e:35a:1094:5e00:dc73:854d:832e:3] (unknown
 [IPv6:240e:35a:1094:5e00:dc73:854d:832e:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-256) server-signature ECDSA (P-384) server-digest
 SHA384) (Client did not present a certificate)
 (Authenticated sender: xry111@mengyan1223.wang)
 by mengyan1223.wang (Postfix) with ESMTPSA id E66AD65A93;
 Fri, 18 Jun 2021 00:16:07 -0400 (EDT)
Message-ID: <fa05b76faf6eb894d6752d93c7cb24ec4d8f1736.camel@mengyan1223.wang>
Subject: Re: gcc warn when pointers not checked non-null before de-referencing.
From: Xi Ruoyao <xry111@mengyan1223.wang>
To: Jonny Grant <jg@jguk.org>, Segher Boessenkool <segher@kernel.crashing.org>
Cc: gcc-help <gcc-help@gcc.gnu.org>
Date: Fri, 18 Jun 2021 12:16:00 +0800
In-Reply-To: <ffa2f90f-e1c9-4dc7-8f42-fddd1229063b@jguk.org>
References: <0a9ccbb7-135a-b342-e5cb-35b7c6a44a00@jguk.org>
 <97eb7315fd136ff8a818925b1704760a856ffe64.camel@mengyan1223.wang>
 <0770e060-6388-fc27-1178-205b867bfae2@jguk.org>
 <20210616175941.GJ5077@gate.crashing.org>
 <ffa2f90f-e1c9-4dc7-8f42-fddd1229063b@jguk.org>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.40.2 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3031.8 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, JMQ_SPF_NEUTRAL, SPF_HELO_PASS,
 SPF_PASS, TXREP autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: gcc-help@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-help mailing list <gcc-help.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-help>,
 <mailto:gcc-help-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-help/>
List-Post: <mailto:gcc-help@gcc.gnu.org>
List-Help: <mailto:gcc-help-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-help>,
 <mailto:gcc-help-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jun 2021 04:16:16 -0000

On Thu, 2021-06-17 at 21:44 +0100, Jonny Grant wrote:
> 
> 
> On 16/06/2021 18:59, Segher Boessenkool wrote:
> > On Wed, Jun 16, 2021 at 02:01:05PM +0100, Jonny Grant wrote:
> > > I guess a separate static analyser would do it, GCC is more
> > > focused on compilation so I shouldn't ask for it to have so many
> > > features it can't support.
> > 
> > -fsanitize=undefined already catches null pointer dereferences, is
> > that
> > enough for your case?
> > 
> > 
> > Segher
> 
> Hello
> Thank you for the suggestion, yes, I had used that before. I did just
> check, it's runtime checks. I had hoped for something at compile time.
> warning for every function that didn't check pointer for NULL before
> de-referencing.

There is no way to do this.

int foo(struct dev *dev)
{
    int r = sanitize_input(dev);
    if (r)
        return r;

    bar(&dev->id);
    return dev->id->result;
}

While there is no way to know the behavior of `sanitize_input` (it may
be defined in another TU), there is no way to tell if `foo` has done "a
proper non-null check".

And this "warning" does not make any sense.  It's perfectly legal for a
function to assume the input is not null and the caller should guarantee
it.  Adding a non-null check in every function is just paranoid.  This
really looks like a suggestion from some professors who don't program at
all, but unfortunately teach C and tell their own misconcept of
"defensive programming" everywhere.
-- 
Xi Ruoyao <xry111@mengyan1223.wang>
School of Aerospace Science and Technology, Xidian University