When a coder writes (erroneously) code such as:

    /* declaration, in the header file */
    char *m_strrtrim(char *s) __attribute__((nonnull(1)));

    /* definition, in the implementation */
    char *m_strrtrim(char *s)
    {
        int len = s ? strlen(s) : 0;

        while (len > 1 && isspace((unsigned char)s[len - 1]))
            len--;
        return s + len;
    }

Then gcc uses the __attribute__((nonnull(1))) — which again is a programming mistake — to optimize the check of s being NULL or not. That is very correct from a compiling point of view, but it generated segfaults in my code that I had a very hard time finding, because of it being in the header file rather than in the implementation where I looked for it (as the backtrace pointed me to that function).

I suppose that gcc does the optimization because it knows that 's' is non-NULL, though it should make a distinction between s being non-NULL because it knows so (e.g. because s is a local buffer) or because it comes from a programmer assertion. When it's the latter, it should warn about any trivial test, like it does when you test if an unsigned int is greater than or equal to 0, for example.

What I mean is that:

    __attribute__((nonnull(1)))
    void foo(char *s)
    {
        if (!s) {
            if (!s) {
                // do sth;
            }
        }
    }

Here, the first test on s SHOULD NOT be optimized silently, because at this point s is marked as being NONNULL thanks to a /programmer/ assertion, not constant folding. I don't know about the second though; maybe it's worth warning, maybe not.

--
Summary: __attribute__((nonull(...))) and silent optimizations
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: enhancement
Priority: P3
Component: c
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: madcoder at debian dot org

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=30043
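
One way to keep a defensive NULL check alive in a function like the one in the report above, shown as an added example that is not code from the report or from GCC: expose the nonnull promise to callers only, and hide it from the translation unit that defines the function. The names M_STR_IMPL, M_NONNULL and m_strrtrim_checked are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical convention: the implementation file defines M_STR_IMPL before
 * including its own header. This single file plays the role of that .c file. */
#define M_STR_IMPL 1

/* ---- what would live in the header ---- */
#ifdef M_STR_IMPL
/* Inside the implementation the attribute expands to nothing, so the compiler
 * has no promise it could use to fold the NULL test away. */
#  define M_NONNULL(...)
#else
/* Callers still see the attribute and get -Wnonnull when they pass a literal
 * NULL. */
#  define M_NONNULL(...) __attribute__((nonnull(__VA_ARGS__)))
#endif

char *m_strrtrim_checked(char *s) M_NONNULL(1);

/* ---- what would live in the implementation ---- */

/* Returns a pointer to the start of the trailing whitespace of s (the
 * terminating NUL if there is none), or NULL when s is NULL. */
char *m_strrtrim_checked(char *s)
{
    size_t len;

    /* If the nonnull attribute were visible here, the compiler could drop
     * this test; GCC 6 and later report such a comparison with
     * -Wnonnull-compare, which -Wall enables. */
    if (s == NULL)
        return NULL;

    len = strlen(s);
    while (len > 0 && isspace((unsigned char)s[len - 1]))
        len--;
    return s + len;
}
```
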