Hi Martin! On 2023-08-09 14:03, Martin Uecker wrote: [...] >> GCC could perfectly add a warning for the following case: >> >>     void foo(size_t n, int a[n]); >> >>     int >>     main(void) >>     { >>         int a[7]; >> >>         foo(42, a); >>     } >> >> Nobody in their right mind would specify a size of an array >> in a parameter and expect that passing a smaller array than >> that can produce a valid program. So, why not make that a >> Wall warning? > > But we have this warning! is even activated by  > default without -Wall and already since GCC 11: Ahh, I hadn't realized that was added (relatievly) recently. That's great news! Thanks! > https://godbolt.org/z/sMbTon458 > > But this is for minimum required elements. How do  > we differentiate between null and non-null? > > We have: > > int[] or int* // no bound, nullable > int[N] // at least N, nullable > int[static N] // at least N, nonnull > > The 'static' implies nonnull, so we could  > use 'static' to diffentiate between nonnull  > and nullable. Since static is only for arrays (okay, they're all pointers, but it's only usable with array syntax), and nullability is a thing of pointers, I think static is not the right choice. I oppose using array syntax for pointers, as it can confuse programmers. In any case, [static] is not that different from [_Nonnull], and _Nonnull is more flexible, since you can also use it as *_Nonnull. Regarding the issues you have with _Nonnull being a qualifier, I've been thinking about it for a long time and don't yet have a concrete answer. The more I think about it, the more I'm convinced it is like `restrict`. You can't have null correctness as we can do with `const`. With const, we know it's always bad to store a const object in a non-const pointer. With NULL, it depends on the context: if you've checked for NULL in the lines above, then it's fine to do the conversion. There is a proposal for Clang to add `_Optional`, a qualifier to the pointee, as a more correct version of _Nullable. The following would be equivalent: int *_Nullable i; _Optional int *j; However, I don't believe it's a good choice, because of the above. Instead, I think _Nullable or _Nonnull should be like `restrict` and used only in function prototypes. Let the analyzer do the job. I know `restrict` is hard to grasp, but I couldn't think of anything better. > > What is missing something which implies bounds > also inside the callee. You can use the "access" > attribute or we extend the meaning of int[N] > and int[static N] also imply a maximum bound. Why is the upper bound important? It's usually irrelevant. In the case where one wants to make sure that an array is of an exact size (instead of just "at least"), pointers to arrays can be used. They're just not often used, because you don't need that so often. I don't think we need a new addition to the language, do we? $ cat ap.c #include void foo(size_t n, int (*a)[n]) { for (size_t i = 0; i < n; i++) (*a)[i] = 42; } $ gcc-13 -S -Wall -Wextra ap.c $ In the function above, n is not a lower bound, but an exact bound. GCC should add a warning for the following code: $ cat ap2.c #include void foo(size_t n, int (*a)[n]); void bar(void) { int x[7]; foo(3, &x); foo(9, &x); } $ gcc-13 -S -Wall -Wextra ap2.c $ Neither GCC nor Clang warn about that. Not even with -fanalyzer. Cheers, Alex -- GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5