On Wed, Feb 17, 2016 at 05:43:51PM +0100, Petr Spacek wrote:
> Hello,
> 
> I'm facing problems with new behavior in GCC 6.
> 
> Let's assume we have trivial program like this:
> 
> $ cat assert.c
> #include <assert.h>
> #include <stddef.h>
> 
> __attribute__((nonnull))
> int f(char *txt)  {
>         assert(txt != NULL);
> 
>         return 0;
> }
> 
> int main(int argc, char **argv) {
> 
>         return 0;
> }
> 
> 
> And because upstream is paranoid, it is being compiled with:
> $ gcc -Werror -Wall
> 
> 
> This code does not compile anymore on Fedora 24:
> $ gcc -Werror -Wall assert.c
> In file included from assert.c:1:0:
> assert.c: In function ‘f’:
> assert.c:6:13: error: nonnull argument ‘txt’ compared to NULL [-Werror=nonnull]
>   assert(txt != NULL);
>              ^
> 
> Did anyone meet a similar problem? What did you do with it?
> 
> __attribute__((nonnull)) is tremendously useful for static code analysis and
> helped to uncover a lot of (not-yet triggered) issues in the code, so just
> removing the attribute would not make me happy.
> 
> On the other hand, assert(var != NULL) checks are tremendously useful at
> run-time. They detect problems early/near the place where the problem occurred
> and make debugging easier.

Instead of using __attribute__((nonnull)) directly in the code, define a
macro for it. When compiling normal builds with gcc, make the macro
expand to nothing, but when compiling with coverity or other static analysis
tools make it expand normally.

This is what we have done in libvirt for a while, because we long ago hit the
problem that gcc kills your assert()s if it sees the nonnull annotation :-(

[quote $libvirt/src/internal.h]

/* gcc's handling of attribute nonnull is less than stellar - it does
 * NOT improve diagnostics, and merely allows gcc to optimize away
 * null code checks even when the caller manages to pass null in spite
 * of the attribute, leading to weird crashes.  Coverity, on the other
 * hand, knows how to do better static analysis based on knowing
 * whether a parameter is nonnull.  Make this attribute conditional
 * based on whether we are compiling for real or for analysis, while
 * still requiring correct gcc syntax when it is turned off.  See also
 * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17308 */
#  ifndef ATTRIBUTE_NONNULL
#   if __GNUC_PREREQ (3, 3)
#    if STATIC_ANALYSIS
#     define ATTRIBUTE_NONNULL(m) __attribute__((__nonnull__(m)))
#    else
#     define ATTRIBUTE_NONNULL(m) __attribute__(())
#    endif
#   else
#    define ATTRIBUTE_NONNULL(m)
#   endif
#  endif

[/quote]


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
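A self-contained illustration of the conditional-attribute pattern from the reply above. This is an added example, not libvirt's code and not the original poster's program: it uses a simpler `__GNUC__` guard instead of glibc's `__GNUC_PREREQ`, assumes `STATIC_ANALYSIS` is passed as `-DSTATIC_ANALYSIS=1` only for analysis builds (defaulting to 0 otherwise), and replaces the aborting `assert()` with a return-value check so the surviving runtime guard can be observed. Function names (`safe_strlen`, `nonnull_attribute_active`) and the `CHECK_NONNULL_OR_RETURN` macro are this example's own.

```c
/* Added example (not libvirt's or the original poster's code): make the
 * nonnull attribute conditional so the runtime NULL check survives a normal
 * gcc build, while static analysers still see the annotation. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: STATIC_ANALYSIS is defined to 1 on the command line only when
 * compiling for an analyser (e.g. -DSTATIC_ANALYSIS=1); default it to 0. */
#ifndef STATIC_ANALYSIS
#  define STATIC_ANALYSIS 0
#endif

/* Simplified version of the libvirt pattern: expand to the real attribute
 * only for analysis builds, keep valid attribute syntax otherwise. */
#ifndef ATTRIBUTE_NONNULL
#  if defined(__GNUC__)
#    if STATIC_ANALYSIS
#      define ATTRIBUTE_NONNULL(m) __attribute__((__nonnull__(m)))
#    else
#      define ATTRIBUTE_NONNULL(m) __attribute__(())
#    endif
#  else
#    define ATTRIBUTE_NONNULL(m)
#  endif
#endif

/* Runtime guard that returns an error value instead of aborting, so a test
 * can observe that the check is still present in a normal build. */
#define CHECK_NONNULL_OR_RETURN(ptr, rv) \
    do { if ((ptr) == NULL) { return (rv); } } while (0)

/* Hypothetical function: length of txt, or -1 if a NULL slipped through. */
int safe_strlen(const char *txt) ATTRIBUTE_NONNULL(1);

int safe_strlen(const char *txt)
{
    /* In a normal build the attribute is inert, so gcc neither rejects this
     * comparison nor optimizes it away; under -DSTATIC_ANALYSIS=1 the real
     * attribute is active and the analyser sees the contract. */
    CHECK_NONNULL_OR_RETURN(txt, -1);
    return (int)strlen(txt);
}

/* Reports which mode this translation unit was built in. */
int nonnull_attribute_active(void)
{
    return STATIC_ANALYSIS ? 1 : 0;
}

int main(void)
{
    printf("attribute active: %d\n", nonnull_attribute_active());
    printf("safe_strlen(\"abc\") = %d\n", safe_strlen("abc"));
    printf("safe_strlen(NULL)  = %d\n", safe_strlen(NULL));
    return 0;
}
```

Build it as a normal build with `gcc -Wall -Werror example.c` and the NULL path returns -1 at runtime; build it with `-DSTATIC_ANALYSIS=1` and a gcc 6 compiler will, as the original post shows, complain about comparing a nonnull argument to NULL (and about the literal NULL call in main), which is exactly why the real attribute is reserved for analysis-only builds.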
