On 02/15/2011 07:40 AM, Eric Blake wrote:
> # if STATIC_ANALYSIS
> # undef NDEBUG /* Don't let a prior NDEBUG definition cause trouble. */
> # include <assert.h>
> # define sa_assert(expr) assert (expr)
> # else
> # define sa_assert(expr) /* empty */
> # endif
It doesn't feel right that sa_assert uses assert. They should be more independent. One should be able to assert (X) as well as sa_assert (X), or do just the assert, or just the sa_assert.

I think part of the problem here is the naming convention. Ordinary C "assert (X)" means "crash if X is false". But sa_assert (X) means "assume that X is true". These are two very different things. I have some qualms about colliding with a C naming convention that has been used for over three decades, even if the C name is "wrong" from a static analysis point of view.

If we want to do this sort of thing, I suggest using a different name for the static analysis macro, a name that more obviously differs from "assert (X)". How about "assume (X)"?

I also suggest that "assume (X)" not be implemented in terms of "assert (X)", so that the two notions are more clearly independent. It's OK if both are implemented as "if (! (X)) abort ();"; the point is that one should be able to enable or disable runtime checking (by flipping NDEBUG on and off) without worrying whether static analysis will get garbled.
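The following is an added example, not code from the thread or from gnulib, showing the separation the reply argues for: an "assume (X)" macro for the static analyzer that is defined without reference to assert (), so that NDEBUG (runtime checks) and STATIC_ANALYSIS (analyzer assumptions) can be flipped independently. The macro name STATIC_ANALYSIS is taken from the quoted patch; copy_bounded, copy_yields and the two *_enabled helpers are hypothetical names introduced for the example.

```c
/* Added example, not from the gnulib thread.  STATIC_ANALYSIS is the
   macro name used in the quoted patch; everything else is hypothetical.  */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* assume (X): tell a static analyzer it may take X as true.
   Deliberately NOT defined via assert (), so that:
     - NDEBUG controls only runtime assert () checks, and
     - STATIC_ANALYSIS controls only analyzer assumptions.
   Under analysis, abort () on a false X makes the analyzer drop the
   path, which is what "assume" means to it.  Outside analysis the
   macro expands to nothing, so it costs nothing and never interacts
   with NDEBUG.  */
#ifdef STATIC_ANALYSIS
# define assume(expr) ((expr) ? (void) 0 : abort ())
#else
# define assume(expr) ((void) 0)
#endif

/* Copy at most n-1 bytes of src into dst and NUL-terminate.
   Precondition: dst != NULL and n > 0.  The precondition is stated
   twice on purpose: once as an analyzer assumption (assume), once as a
   runtime check (assert).  Either may be compiled out without
   affecting the other.  Returns the number of bytes copied, excluding
   the terminating NUL.  */
size_t
copy_bounded (char *dst, size_t n, const char *src)
{
  assume (dst != NULL);        /* analyzer: only with -DSTATIC_ANALYSIS */
  assume (n > 0);
  assert (dst != NULL);        /* runtime: only without -DNDEBUG */
  assert (n > 0);

  size_t len = strlen (src);
  if (len >= n)
    len = n - 1;               /* truncate, leaving room for the NUL */
  memcpy (dst, src, len);
  dst[len] = '\0';
  return len;
}

/* Self-check helper: copy src into an n-byte buffer and report whether
   the result equals expected.  Buffers larger than 64 bytes are rejected.  */
int
copy_yields (const char *src, size_t n, const char *expected)
{
  char buf[64];
  if (n == 0 || n > sizeof buf)
    return 0;
  copy_bounded (buf, n, src);
  return strcmp (buf, expected) == 0;
}

/* Report how this translation unit was built, so a caller can see that
   the two knobs are independent: all four combinations are valid.  */
int
runtime_checks_enabled (void)
{
#ifdef NDEBUG
  return 0;
#else
  return 1;
#endif
}

int
analysis_assumptions_enabled (void)
{
#ifdef STATIC_ANALYSIS
  return 1;
#else
  return 0;
#endif
}
```

Build with -DSTATIC_ANALYSIS when running the file under the analyzer, with -DNDEBUG for a release build, or with both or neither; none of the four combinations changes what the other macro does, which is the property the reply asks for.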