Subject: Re: ISO C3X proposal: nonnull qualifier
From: "Alejandro Colomar (man-pages)"
To: JeanHeyd Meneide, gcc@gcc.gnu.org, cfe-dev@lists.llvm.org
Date: Mon, 15 Nov 2021 17:30:24 +0100

Hi,

On 11/15/21 5:01 PM, Alejandro Colomar (man-pages) wrote:
> Hi all,
>
> I'd like to propose the following feature for ISO C (and also ISO C++).
> It is based on a mix of GCC's [[gnu::nonnull]] and Clang's _Nonnull,
> with a pinch of salt of mine.
>
> I'd like to get some feedback from GCC and Clang,
> before sending it as an official proposal.
>
> BTW, since the working group is probably very busy with C2X,
> I may delay sending it more than a year.
> Or I may propose it first to ISO C++,
> and then to ISO C.
>
> I wrote the initial draft in the form of a manual page,
> whose source code can be found here:
>
>
> It has a Makefile to easily transform it into a PDF.
> I also rendered it with cat to inline it in this email.

I just came up with some addition to the initial draft:

$ git diff
diff --git a/nonnull.7 b/nonnull.7
index 1390b2d..75370e1 100644
--- a/nonnull.7
+++ b/nonnull.7
@@ -44,7 +44,10 @@ through the use of an lvalue with .BR \%nonnull -qualified type, -the behavior is undefined. +the behavior is undefined, +except if preceeding code +can prove at compile time that the pointer will not possibly be +.BR NULL . .PP The intended use of the .B \%nonnull 
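Review bot: "preceeding" in the second added line should be "preceding", and the new exception makes definedness depend on what "preceeding code can prove at compile time", that is, on the strength of a particular implementation's flow analysis rather than on the program itself; two conforming compilers, or one compiler at two optimization levels, could then disagree on whether the same program has undefined behavior. Consider stating the rule in terms of the value instead, for example "+the behavior is undefined if the value of the pointer is NULL at the point of the conversion", and leaving whether the compiler can diagnose the conversion as a quality-of-implementation matter. "will not possibly be NULL" also reads awkwardly next to the surrounding text and could simply be "cannot be NULL".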
@@ -212,6 +215,32 @@ since the user isn't properly informed that may cause undefined behavior in the implementation of the function .RI ( dest is dereferenced). +.SS non-nonnull-qualified to nonnull-qualified valid assignment +.EX +int *nonnull foo(int *p) +{ + if (!p) + exit(EXIT_FAILURE); + + return p; +} +.EE +.PP +The code above is guaranteed to behave correctly, +since the check against +.B NULL +guarantees that the +(otherwise causing undefined behaviour) +assignment is only done if +.I p +is not +.BR NULL . +Forcing the user to add casts would be dangerous, +since casts usually disable most compiler diagnostics. +Since this qualifier pretends to improve programs' correctness, +that would be disastrous. +Casts also unnecessarily make code less readable. +Letting the compiler decide if some assignment is valid is safer. .SH AUTHORS Alejandro Colomar .UR alx.manpages@gmail.com

The affected paragraphs now render as:

[
    If an attempt is made to assign NULL to a pointer defined with the
    nonnull qualifier, the behavior is undefined. If an attempt is made
    to refer to a pointer with a non‐nonnull‐qualified type through the
    use of an lvalue with nonnull‐qualified type, the behavior is
    undefined, except if preceeding code can prove at compile time that
    the pointer will not possibly be NULL.
]

[
    non‐nonnull‐qualified to nonnull‐qualified valid assignment

        int *nonnull foo(int *p)
        {
            if (!p)
                exit(EXIT_FAILURE);

            return p;
        }

    The code above is guaranteed to behave correctly, since the check
    against NULL guarantees that the (otherwise causing undefined
    behaviour) assignment is only done if p is not NULL. Forcing the
    user to add casts would be dangerous, since casts usually disable
    most compiler diagnostics. Since this qualifier pretends to improve
    programs' correctness, that would be disastrous. Casts also
    unnecessarily make code less readable. Letting the compiler decide
    if some assignment is valid is safer.
]
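Review bot: the example's guarantee rests on the compiler knowing that exit() does not return, so that "+ return p;" is only reached with a non-null p; the new section should say that this depends on exit() being declared noreturn, and show the "#include <stdlib.h>" that declares it and EXIT_FAILURE, otherwise "guaranteed to behave correctly" promises more than the "can prove at compile time" rule from the previous hunk does. In the added prose, "+(otherwise causing undefined behaviour)" inserted into "+guarantees that the ... +assignment is only done if" is hard to parse, and there is no assignment in the example, only a return; suggest "since the check against NULL ensures that the implicit conversion to the nonnull-qualified return type, which would otherwise be undefined behavior, happens only when p is not NULL". Also "+Since this qualifier pretends to improve programs' correctness" should read "aims to improve" (in English "pretends" means to feign), and "behaviour" here versus "behavior" in the rest of the page should settle on one spelling.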
However, I'm not sure if this imposes too much complexity for compilers,
and maybe it's better to say that it's implementation-defined.

Thanks,

Alex

-- 
Alejandro Colomar
Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/
http://www.alejandro-colomar.es/