On Mon, May 18, 2026 at 5:22 PM Dmitry Ilvokhin <[email protected]> wrote: > > Add __nonnull() to unconditional guard constructors so the compiler > verifies at each call site that NULL is never passed:
> This provides automated, compiler-enforced verification that no > unconditional guard constructor receives NULL. I wouldn't say "verify", since the compiler does a best-effort here with the information it has statically. In other words, the attribute does not prevent NULL pointers to be passed. > + * gcc: > https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-nonnull-function-attribute Hmm... It appears GCC has changed the docs in commit 6e3c137f5dbb ("doc: Merge function, variable, type, and statement attribute sections [PR88472]"), dropping the per-kind attribute pages. So the right link would need to be now: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-nonnull I will need to send a patch to fix the other links. > + * clang: https://clang.llvm.org/docs/AttributeReference.html#nonnull I think this link goes to `_Nonnull` -- the GNU one is instead: https://clang.llvm.org/docs/AttributeReference.html#id10 (I don't love the numeric IDs, though, since they break, so I think it is fine either way -- the `_Nonnull` is fairly close to the one we want and I hope that one doesn't break) > + */ > +#define __nonnull(x...) > __attribute__((__nonnull__(x))) This is indeed available for a long time, and we already use it elsewhere in the kernel tree (which would be nice to clean up separately). If you don't mind, please place it before `__nonstring__` (the file is meant to be sorted by the actual attribute name -- there are a few instances where this is not the case anymore, which I will eventually clean up) Thanks! Cheers, Miguel
