Hi Dmitry,
On 11/23/21 12:17, Dmitri Gribenko wrote:
Hi Alejandro,
On Tue, Nov 16, 2021 at 1:34 PM Alejandro Colomar (man-pages) via
cfe-dev <cfe-...@lists.llvm.org> wrote:
First of all,
I see unnecessary (probably over-engineered) qualifiers:
- _Null_unspecified seems to me the same as nothing.
If I didn't specify its nullability,
it's by definition unspecified. Right?
- _Nullable seems to me also the same as nothing.
The language allows for a pointer to be NULL,
so if you don't specify if it can or not be null,
you better stay on the safe side and consider it as nullable.
_Nullable is used in conjunction with the `#pragma clang
assume_nonnull begin/end` pragma that flips the default:
```
#pragma clang assume_nonnull begin
int *global_int_ptr; // implicitly _Nonnull
#pragma clang assume_nonnull end
```
Within these pragma brackets, you need to use _Nullable to get the
opposite behavior.
The pragma itself is useful because it reduces the amount of noise the
annotations introduce. When these annotations were adopted in Apple
SDKs, it was found that in practice most pointers are non-nullable. So
if we only had _Nonnull, we would have to annotate most pointers.
Instead, Apple's SDKs bracket every header contents with this pragma,
and instead annotate nullable pointers, significantly reducing the
amount of annotations.
That's interesting. Most of my functions also tipically are full of
[[gnu::nonnull]], so the _Nonnull default seems the best thing.
However, would that be viable in old code that relies on standard C?
I think that it would, but maybe you have more experience. Do you agree
with the following?
Let's imagine a scenario where C3X specifies that non-qualified pointers
are nonnull. And there's only a qualifier, _Nullable, to allow NULL.
Asigning _Nullable to nonnull would issue a diagnostic.
Old code will stop compiling if it uses NULL, but that can easily be
fixed by marking the pointers as _Nullable, and maybe while at that,
programmers will find a few bugs.
Compilers will have to be carefull, because memcpy() will make NULL
members of structures, so they'll need to know if that can be done or
not, and many structure members will need to be marked as _Nullable, if
the structure is expected to be bzero()ed.
Also, do you have any experience in avoiding to diagnose a _Nullable to
nonnull assignment _after_ explicitly comparing to NULL? I.e., allow
the following:
int *_Nullable p;
int *q;
if (!p)
q = p;
Thanks,
Alex
