Re: [cfe-dev] ISO C3X proposal: nonnull qualifier

["Alejandro Colomar (man-pages)" <alx.manpages@gmail.com>]

Hi Dmitry,

On 11/23/21 12:17, Dmitri Gribenko wrote:
> Hi Alejandro,
> 
> On Tue, Nov 16, 2021 at 1:34 PM Alejandro Colomar (man-pages) via
> cfe-dev <cfe-dev@lists.llvm.org> wrote:
>> First of all,
>> I see unnecessary (probably over-engineered) qualifiers:
>>
>> - _Null_unspecified seems to me the same as nothing.
>> If I didn't specify its nullability,
>> it's by definition unspecified.  Right?
>>
>> - _Nullable seems to me also the same as nothing.
>> The language allows for a pointer to be NULL,
>> so if you don't specify if it can or not be null,
>> you better stay on the safe side and consider it as nullable.
> 
> _Nullable is used in conjunction with the `#pragma clang
> assume_nonnull begin/end` pragma that flips the default:
> 
> ```
> #pragma clang assume_nonnull begin
> int *global_int_ptr; // implicitly _Nonnull
> #pragma clang assume_nonnull end
> ```
> 
> Within these pragma brackets, you need to use _Nullable to get the
> opposite behavior.
> 
> The pragma itself is useful because it reduces the amount of noise the
> annotations introduce. When these annotations were adopted in Apple
> SDKs, it was found that in practice most pointers are non-nullable. So
> if we only had _Nonnull, we would have to annotate most pointers.
> Instead, Apple's SDKs bracket every header contents with this pragma,
> and instead annotate nullable pointers, significantly reducing the
> amount of annotations.

That's interesting.  Most of my functions also tipically are full of 
[[gnu::nonnull]], so the _Nonnull default seems the best thing.

However, would that be viable in old code that relies on standard C?
I think that it would, but maybe you have more experience.  Do you agree 
with the following?

Let's imagine a scenario where C3X specifies that non-qualified pointers 
are nonnull.  And there's only a qualifier, _Nullable, to allow NULL. 
Asigning _Nullable to nonnull would issue a diagnostic.

Old code will stop compiling if it uses NULL, but that can easily be 
fixed by marking the pointers as _Nullable, and maybe while at that, 
programmers will find a few bugs.

Compilers will have to be carefull, because memcpy() will make NULL 
members of structures, so they'll need to know if that can be done or 
not, and many structure members will need to be marked as _Nullable, if 
the structure is expected to be bzero()ed.

Also, do you have any experience in avoiding to diagnose a _Nullable to 
nonnull assignment _after_ explicitly comparing to NULL?  I.e., allow 
the following:

int *_Nullable p;
int *q;

if (!p)
	q = p;

Thanks,
Alex