From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <yair.lenga@gmail.com>
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com
 [IPv6:2607:f8b0:4864:20::112a])
 by sourceware.org (Postfix) with ESMTPS id BD78F3839C55
 for <gcc@gcc.gnu.org>; Sat,  4 Jun 2022 10:26:21 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org BD78F3839C55
Received: by mail-yw1-x112a.google.com with SMTP id
 00721157ae682-30fa61b1a83so98313757b3.0
 for <gcc@gcc.gnu.org>; Sat, 04 Jun 2022 03:26:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to;
 bh=tTj4rz22qmuCRzrpdFWAUeNASQnp790o0QiwBmINiPg=;
 b=QztxF+SJM+8vPUKGqDcFUqO0PLnmoY4i1KFKk+yhi644tm55p7KL+8W4ZyikVqcHkB
 ABtVkM82OuFUPefGalSMPGJgxB3pejqhRJ9gRN7JQjzb5cHA2Kqbz4o1n/D7HodnN7q9
 dRu7jTxWrkm3MHUSNWiCCavHobVXtop6QzobOkTaGu7Sgqvyoy+7vB49f9Z1DY9tvBBx
 1T22jWlYU5aaGSPQk6bAz6cnelU4Q9lUefmxtrHV7r0pIGgMX2HSz2kwSaFwNdJjF78t
 lMCWq48L6+Du8oqc0zykCFwDrbCzmYYarDBZ5xj6c/BE8MuL56DZlz0wt4ab/dDhA4LI
 AfZw==
X-Gm-Message-State: AOAM532EN1NJlEgvm2XLR55s9S0twEWjxro1sO+K4Vn7JC04nN/ZGpaH
 EBQIU6ML2bs35QNtNFn9Y49ioxkJJxTgibf0XF0rQt3c
X-Google-Smtp-Source: ABdhPJxU3whQBOtyLv8lEnjTIO++9hZH+pghDLZrSEsUUL/0v1yIjZj3uI78dDhiDA6xQHMoCn+7hHAyqidMNkPpHqo=
X-Received: by 2002:a0d:cb05:0:b0:30c:c962:6491 with SMTP id
 n5-20020a0dcb05000000b0030cc9626491mr15564129ywd.468.1654338380882; Sat, 04
 Jun 2022 03:26:20 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.2312.1654300374.1672222.gcc@gcc.gnu.org>
In-Reply-To: <mailman.2312.1654300374.1672222.gcc@gcc.gnu.org>
From: Yair Lenga <yair.lenga@gmail.com>
Date: Sat, 4 Jun 2022 06:26:09 -0400
Message-ID: <CAK3_KpO=VFWmB0AdtNOqNrVjv29pU4jxNgfko14qTWHzYBxivw@mail.gmail.com>
Subject: [RFC] Support for nonzero attribute
To: gcc@gcc.gnu.org
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, HTML_MESSAGE,
 RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP,
 T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
X-BeenThere: gcc@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc mailing list <gcc.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc>,
 <mailto:gcc-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc/>
List-Post: <mailto:gcc@gcc.gnu.org>
List-Help: <mailto:gcc-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc>,
 <mailto:gcc-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2022 10:26:23 -0000

Before becoming a "C" programmer, I spent few years building simulations in
Pascal. I still remember (and long for) the ability to define integer with
range constraints:

var foobar: 10..50 ;         // Accept 10, 11, 12, ..., 49, 50

The specific non-zero constraint is a specific implementation of the range
operator (with some exception see below). Wanted to suggest going for
more ambitious goal: add min and max attributes to (integer) types and
variables. This will address the specific case of non-zero, but has a lot
of potential to be built upon: can be used for compile time testing, run
time parameter checking, storage optimization (similar to packed), run time
optimization (e.g. eliminating runtime tests), .... Also expected range
information can have a positive impact on code safety/validation.

typedef int postivieInt __attribute__ (minValue(1), maxValue(INTMAX) ;
typedef int foobar __attribute__ ((minValue(10), maxValue(50)) ;

If this can be implemented, it will provide for much more
flexibility (e.g., ability to specify that any specific parameter must be
non-zero).

int foo (int x __attribute__ (minValue(1)), int y, int z __attribute__
(minValue(1))  ;

int foo (positiveInt x, int y, positiveInt y) ;

Assuming this can be implemented, compile time tests should be automatic,
whenever possible. Run time tests should be enabled with flags (to allow
optimized code to run without expensive run time tests).

Note1:
While for many use cases non-zero (including  forcing ENUM value, and
minValue(1) are the same, the above does not cover the user case where a
signed int does not accept a zero. For this use case, I believe the nonZero
attribute is still needed.

typedef int limitedInt __attribute((minValue(-20)), maxValue(+20), nonZero)

I do recall that few other languages had similar abilities (Ada, Java (via
annotations), ...)

Yair


>
>
>
> ---------- Forwarded message ----------
> From: Miika <nykseli@protonmail.com>
> To: "gcc@gcc.gnu.org" <gcc@gcc.gnu.org>
> Cc:
> Bcc:
> Date: Fri, 03 Jun 2022 16:34:48 +0000
> Subject: [RFC] Support for nonzero attribute
> Hello,
>
> I would like to add support for new attribute: nonzero.
> Nonzero attribute works the same way as nonnull but instead of checking for
> NULL, it checks for integer or enum with value 0.
>
> Nonzero attribute would issue warnings with new compiler flag
> -Wnonzero and -Wnonzero-compare.
>
> Nonzero could be useful when user wants to make sure that for example enum
> with value of 0 is not used or flag argument is not set to 0.
>
>
> For example compiling following code with "gcc -Wnonzero -Wnonzero-compare
> foo.c"
>
> #include <stdio.h>
> enum bar{NONE, SOME};
>
> void foo(int d, enum bar b) __attribute__ ((nonzero (1, 2)));
> void foo(int d, enum bar b) {
>         printf("%d\n", d == 0);
>         printf("%d\n", b == NONE);
> }
>
> int main() {
>         foo(0, NONE);
> }
>
>
> Would give the following error
>
> foo.c: In function 'main':
> foo.c:11:9: warning: zero argument where nonzero required (argument 1)
> [-Wnonzero]
>    11 |         foo(0, NONE);
>       |         ^~~
> ...