<div dir="ltr"><div><span style="font-size:12.8000001907349px">Just to clarify...</span></div><span style="font-size:12.8000001907349px"><div><span style="font-size:12.8000001907349px"><br></span></div>__has_extension(nullability) always returning true is exactly what I would expect from reading the clang documentation. I would also expect that __has_extension(</span><span style="font-size:12.8000001907349px">assume_nonnull) always returns true (which it currently doesn't).</span><br><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">I am hoping someone can explain why GNU mode is required for </span><span style="font-size:12.8000001907349px">__has_feature(</span><span style="font-size:12.8000001907349px">nullability) and __has_feature(</span><span style="font-size:12.8000001907349px">assume_nonnull) to return true.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jun 27, 2015 at 4:54 PM, Aaron Ballman <span dir="ltr"><<a href="mailto:aaron@aaronballman.com" target="_blank">aaron@aaronballman.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sat, Jun 27, 2015 at 10:45 AM, b17 c0de <<a href="mailto:b17c0de@gmail.com">b17c0de@gmail.com</a>> wrote:<br>
> __has_extension(nullability) returns true in non-GNU mode, on the other<br>
> hand, __has_extension(assume_nonnull) returns false in non-GNU mode. Are you<br>
> saying this difference is by design? If so, why?<br>
<br>
</span>I answered a bit too early in the morning. ;-) I forgot that<br>
__has_extension inherits functionality from __has_feature. So<br>
assume_nonnull should be true with either __has_feature or<br>
__has_extension in GNU or ObjC mode, but is currently false in other<br>
modes. You are correct that nullability is a bit different, and I'm<br>
not certain why. __has_feature(nullability) will return true for GNU<br>
and ObjC mode. __has_extension(nullability) will always return true.<br>
<br>
I am not certain whether this is by design or is a bug, but perhaps<br>
Doug can explain. (I'm also a bit curious as to why GNU mode is<br>
required.)<br>
<div class="HOEnZb"><div class="h5"><br>
~Aaron<br>
<br>
><br>
> On Sat, Jun 27, 2015 at 4:35 PM, Aaron Ballman <<a href="mailto:aaron@aaronballman.com">aaron@aaronballman.com</a>> wrote:<br>
>><br>
>> On Sat, Jun 27, 2015 at 8:06 AM, b17 c0de <<a href="mailto:b17c0de@gmail.com">b17c0de@gmail.com</a>> wrote:<br>
>> > I figured out my issue. I was compiling with -std=c++14 and the nullability<br>
>> > and assume_nonnull features are only enabled for ObjC and GNU mode. Why are<br>
>> > these only supported in GNU mode? I thought GNU mode was only for features<br>
>> > that contradict the standard. How does this feature contradict the standard<br>
>> > given that the names are double and single underscore prefixed? I would<br>
>> > rather not have to compile my code in GNU mode just to enable nullability. I<br>
>> > can check with __has_extension() but at least Apple headers seem to only use<br>
>> > __has_feature so the checks there won't be enabled when not compiling in GNU<br>
>> > mode. If the consensus is that __has_feature(nullability) should only be<br>
>> > enabled for GNU mode, would it make sense to have an f-group flag like<br>
>> > -fnullability to enable it for __has_feature when not compiling in GNU mode?<br>
>> ><br>
>> > Also I found a bug in clang. __has_extension(assume_nonnull) doesn't work<br>
>> > properly. It is missing from the StringCase at the end of the HasExtension()<br>
>> > function in lib/Lex/PPMacroExpansion.cpp. I think it should be there.<br>
>><br>
>> __has_feature(assume_nonnull) is the way to test for that feature<br>
>> (which is also GNU and Obj-C only).<br>
>><br>
>> ~Aaron<br>
>><br>
>> ><br>
>> > On Sat, Jun 27, 2015 at 12:44 AM, b17 c0de <<a href="mailto:b17c0de@gmail.com">b17c0de@gmail.com</a>> wrote:<br>
>> >><br>
>> >> Apple please implement __has_feature(nullability) in clang for Xcode 7<br>
>> >> release. :-)<br>
>> >><br>
>> >><br>
>> >> On Sat, Jun 27, 2015 at 12:31 AM, Aaron Ballman <<a href="mailto:aaron@aaronballman.com">aaron@aaronballman.com</a>> wrote:<br>
>> >>><br>
>> >>> On Fri, Jun 26, 2015 at 6:29 PM, b17 c0de <<a href="mailto:b17c0de@gmail.com">b17c0de@gmail.com</a>> wrote:<br>
>> >>> > It also appears that the current versions of Apple clang (even the newest<br>
>> >>> > beta) don't even support __has_feature(nullability). I take it this has<br>
>> >>> > been fixed in trunk?<br>
>> >>><br>
>> >>> Correct, trunk is likely also the only place that has _Nonnull and<br>
>> >>> friends, too. If you're developing on OS X and don't need cross<br>
>> >>> compiler support for your code base, I would stick with __nonnull<br>
>> >>> there and you'll be fine. If you need cross compiler support, you'll<br>
>> >>> likely have to piece it together with macros.<br>
>> >>><br>
>> >>> ~Aaron<br>
>> >>><br>
>> >>> ><br>
>> >>> > On Fri, Jun 26, 2015 at 11:53 PM, Aaron Ballman <<a href="mailto:aaron@aaronballman.com">aaron@aaronballman.com</a>> wrote:<br>
>> >>> >><br>
>> >>> >> On Fri, Jun 26, 2015 at 5:44 PM, b17 c0de <<a href="mailto:b17c0de@gmail.com">b17c0de@gmail.com</a>> wrote:<br>
>> >>> >> > OK. What would be the best way to detect if Apple clang supports<br>
>> >>> >> > _Nonnull or only __nonnull though?<br>
>> >>> >><br>
>> >>> >> I cannot speak for how Apple's Clang works in this regard, but<br>
>> >>> >> perhaps<br>
>> >>> >> Doug can.<br>
>> >>> >><br>
>> >>> >> ~Aaron<br>
>> >>> >><br>
>> >>> >> ><br>
>> >>> >> > On Fri, Jun 26, 2015 at 11:40 PM, Aaron Ballman <<a href="mailto:aaron@aaronballman.com">aaron@aaronballman.com</a>> wrote:<br>
>> >>> >> >><br>
>> >>> >> >> On Fri, Jun 26, 2015 at 5:36 PM, b17 c0de <<a href="mailto:b17c0de@gmail.com">b17c0de@gmail.com</a>> wrote:<br>
>> >>> >> >> > How can one detect if an Apple clang supports the new nullability<br>
>> >>> >> >> > attributes? I tried something like:<br>
>> >>> >> >> ><br>
>> >>> >> >> > #if __has_attribute(_Nonnull)<br>
>> >>> >> >> > #elif __has_attribute(__nonnull)<br>
>> >>> >> >> > #define _Nonnull __nonnull<br>
>> >>> >> >> > #else<br>
>> >>> >> >> > #define _Nonnull<br>
>> >>> >> >> > #endif<br>
>> >>> >> >> ><br>
>> >>> >> >> > But this didn't work. Why doesn't _Nonnull/__nonnull work with<br>
>> >>> >> >> > __has_attribute?<br>
>> >>> >> >><br>
>> >>> >> >> __has_attribute is used to test for GNU-style attribute support<br>
>> >>> >> >> only.<br>
>> >>> >> >> To test for nullability, you should use:<br>
>> >>> >> >> __has_feature(nullability)<br>
>> >>> >> >><br>
>> >>> >> >> ~Aaron<br>
>> >>> >> >><br>
>> >>> >> >> ><br>
>> >>> >> >> > On Wed, Jun 24, 2015 at 10:39 PM, Douglas Gregor <<a href="mailto:dgregor@apple.com">dgregor@apple.com</a>> wrote:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Another addendum: due to the conflict with glibc’s __nonnull, we’ll be<br>
>> >>> >> >> >> renaming the __double_underscored keywords to _Big_underscored keywords,<br>
>> >>> >> >> >> e.g.,<br>
>> >>> >> >> >><br>
>> >>> >> >> >> __nonnull -> _Nonnull<br>
>> >>> >> >> >> __nullable -> _Nullable<br>
>> >>> >> >> >> __null_unspecified -> _Null_unspecified<br>
>> >>> >> >> >><br>
>> >>> >> >> >> On Darwin, we’ll add predefines<br>
>> >>> >> >> >><br>
>> >>> >> >> >> #define __nonnull _Nonnull<br>
>> >>> >> >> >> #define __nullable _Nullable<br>
>> >>> >> >> >> #define __null_unspecified _Null_unspecified<br>
>> >>> >> >> >><br>
>> >>> >> >> >> to keep the existing headers working.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> - Doug<br>
>> >>> >> >> >><br>
>> >>> >> >> >> On Mar 2, 2015, at 1:22 PM, Douglas Gregor <<a href="mailto:dgregor@apple.com">dgregor@apple.com</a>> wrote:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Hello all,<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Null pointers are a significant source of problems in applications. Whether it’s SIGSEGV taking down a process or a foolhardy attempt to recover from NullPointerException breaking invariants everywhere, it’s a problem that’s bad enough for Tony Hoare to call the invention of the null reference his billion dollar mistake [1]. It’s not the ability to create a null pointer that is a problem—having a common sentinel value meaning “no value” is extremely useful—but that it’s very hard to determine whether, for a particular pointer, one is expected to be able to use null. C doesn’t distinguish between “nullable” and “nonnull” pointers, so we turn to documentation and experimentation. Consider strchr from the C standard library:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> char *strchr(const char *s, int c);<br>
>> >>> >> >> >><br>
>> >>> >> >> >> It is “obvious” to a programmer who knows the semantics of strchr that it’s important to check for a returned null, because null is used as the sentinel for “not found”. Of course, your tools don’t know that, so they cannot help when you completely forget to check for the null case. Bugs ensue.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Can I pass a null string to strchr? The standard is unclear [2], and my platform’s implementation happily accepts a null parameter and returns null, so obviously I shouldn’t worry about it… until I port my code, or the underlying implementation changes because my expectations and the library implementor’s expectations differ. Given the age of strchr, I suspect that every implementation out there has an explicit, defensive check for a null string, because it’s easier to add yet more defensive (and generally useless) null checks than it is to ask your clients to fix their code. Scale this up, and code bloat ensues, as well as wasted programmer effort that obscures the places where checking for null really does matter.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> In a recent version of Xcode, Apple introduced an extension to C/C++/Objective-C that expresses the nullability of pointers in the type system via new nullability qualifiers. Nullability qualifiers express nullability as part of the declaration of strchr [2]:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> __nullable char *strchr(__nonnull const char *s, int c);<br>
>> >>> >> >> >><br>
>> >>> >> >> >> With this, programmers and tools alike can better reason about the use of strchr with null pointers.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> We’d like to contribute the implementation (and there is a patch attached at the end [3]), but since this is a nontrivial extension to all of the C family of languages that Clang supports, we believe that it needs to be discussed here first.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Goals<br>
>> >>> >> >> >> We have several specific goals that informed the design of this feature.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Allow the intended nullability to be expressed on all pointers: Pointers are used throughout library interfaces, and the nullability of those pointers is an important part of the API contract with users. It’s too simplistic to only allow function parameters to have nullability, for example, because it’s also important information for data members, pointers-to-pointers (e.g., "a nonnull pointer to a nullable pointer to an integer”), arrays of pointers, etc.<br>
>> >>> >> >> >> Enable better tools support for detecting nullability problems: The nullability annotations should be useful for tools (especially the static analyzer) that can reason about the use of null, to give warnings about both missed null checks (the result of strchr could be null…) as well as for unnecessarily-defensive code.<br>
>> >>> >> >> >> Support workflows where all interfaces provide nullability annotations: In moving from a world where there are no nullability annotations to one where we hope to see many such annotations, we’ve found it helpful to move header-by-header, auditing a complete header to give it nullability qualifiers. Once one has done that, additions to the header need to be held to the same standard, so we need a design that allows us to warn about pointers that don’t provide nullability annotations for some declarations in a header that already has some nullability annotations.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Zero effect on ABI or code generation: There are a huge number of interfaces that could benefit from the use of nullability qualifiers, but we won’t get widespread adoption if introducing the nullability qualifiers means breaking existing code, either in the ABI (say, because nullability qualifiers are mangled into the type) or at execution time (e.g., because a non-null pointer ends up being null along some error path and causes undefined behavior).<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Why not __attribute__((nonnull))?<br>
>> >>> >> >> >> Clang already has an attribute to express nullability, “nonnull”, which we inherited from GCC [4]. The “nonnull” attribute can be placed on functions to indicate which parameters cannot be null: one either specifies the indices of the arguments that cannot be null, e.g.,<br>
>> >>> >> >> >><br>
>> >>> >> >> >> extern void *my_memcpy (void *dest, const void *src, size_t len) __attribute__((nonnull (1, 2)));<br>
>> >>> >> >> >><br>
>> >>> >> >> >> or omits the list of indices to state that all pointer arguments cannot be null, e.g.,<br>
>> >>> >> >> >><br>
>> >>> >> >> >> extern void *my_memcpy (void *dest, const void *src, size_t len) __attribute__((nonnull));<br>
>> >>> >> >> >><br>
>> >>> >> >> >> More recently, “nonnull” has grown the ability to be applied to parameters, and one can use the companion attribute returns_nonnull to state that a function returns a non-null pointer:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> extern void *my_memcpy (__attribute__((nonnull)) void *dest, __attribute__((nonnull)) const void *src, size_t len) __attribute__((returns_nonnull));<br>
>> >>> >> >> >><br>
>> >>> >> >> >> There are a number of problems here. First, there are different attributes to express the same idea at different places in the grammar, and the fact that the use of the “nonnull” attribute on the function actually has an effect on the function parameters can get very, very confusing. Quick, which pointers are nullable vs. non-null in this example?<br>
>> >>> >> >> >><br>
>> >>> >> >> >> __attribute__((nonnull)) void *my_realloc (void *ptr, size_t size);<br>
>> >>> >> >> >><br>
>> >>> >> >> >> According to that declaration, ptr is nonnull and the function returns a nullable pointer… but that’s the opposite of how it reads (and behaves, if this is anything like a realloc that cannot fail). Moreover, because these two attributes are declaration attributes, not type attributes, you cannot express the nullability of the inner pointer in a multi-level pointer or an array of pointers, which makes these attributes verbose, confusing, and not sufficiently general. These attributes fail the first of our goals.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> These attributes aren’t as useful as they could be for tools support (the second and third goals), because they only express the nonnull case, leaving no way to distinguish between the unannotated case (nobody has documented the nullability of some parameter) and the nullable case (we know the pointer can be null). From a tooling perspective, this is a killer: the static analyzer absolutely cannot warn that one has forgotten to check for null for every unannotated pointer, because the false-positive rate would be astronomical.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Finally, we’ve recently started considering violations of the __attribute__((nonnull)) contract to be undefined behavior, which fails the last of our goals. This is something we could debate further if it were the only problem, but these declaration attributes fail all of our criteria, so it’s not worth discussing.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Nullability Qualifiers<br>
>> >>> >> >> >> We propose the addition of a new set of type qualifiers, spelled __nullable, __nonnull, and __null_unspecified, to Clang. These are collectively known as nullability qualifiers and may be written anywhere any other type qualifier may be written (such as const) on any type subject to the following restrictions:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Two nullability qualifiers shall not appear in the same set of qualifiers.<br>
>> >>> >> >> >> A nullability qualifier shall qualify any pointer type, including pointers to objects, pointers to functions, C++ pointers to members, block pointers, and Objective-C object pointers.<br>
>> >>> >> >> >> A nullability qualifier in the declaration-specifiers applies to the innermost pointer type of each declarator (e.g., __nonnull int * is equivalent to int * __nonnull).<br>
>> >>> >> >> >> A nullability qualifier applied to a typedef of a nullability-qualified pointer type shall specify the same nullability as the underlying type of the typedef.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> The meanings of the three nullability qualifiers are as follows:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> __nullable: the pointer may store a null value at runtime (as part of the API contract)<br>
>> >>> >> >> >> __nonnull: the pointer should not store a null value at runtime (as part of the API contract). It is possible that the value can be null, e.g., in erroneous historic uses of an API, and it is up to the library implementor to decide to what degree she will accommodate such clients.<br>
>> >>> >> >> >> __null_unspecified: it is unclear whether the pointer can be null or not. Use of this type qualifier is extremely rare in practice, but it fills a small but important niche when auditing a particular header to add nullability qualifiers: sometimes the nullability contract for a few APIs in the header is unclear even when looking at the implementation for historical reasons, and establishing the contract requires more extensive study. In such cases, it’s often best to mark that pointer as __null_unspecified (which will help silence the warning about unannotated pointers in a header) and move on, coming back to __null_unspecified pointers when the appropriate graybeard has been summoned out of retirement [5].<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Assumes-nonnull Regions<br>
>> >>> >> >> >> We’ve found that it's fairly common for the majority of pointers within a particular header to be __nonnull. Therefore, we’ve introduced assumes-nonnull regions that assume that certain unannotated pointers implicitly get the __nonnull nullability qualifiers. Assumes-nonnull regions are marked by pragmas:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> #pragma clang assume_nonnull begin<br>
>> >>> >> >> >> __nullable char *strchr(const char *s, int c); // s is inferred to be __nonnull<br>
>> >>> >> >> >> void *my_realloc (__nullable void *ptr, size_t size); // my_realloc is inferred to return __nonnull<br>
>> >>> >> >> >> #pragma clang assume_nonnull end<br>
>> >>> >> >> >><br>
>> >>> >> >> >> We infer __nonnull within an assumes_nonnull region when:<br>
>> >>> >> >> >><br>
>> >>> >> >> >> The pointer is a non-typedef declaration, such as a function parameter, variable, or data member, or the result type of a function. It’s very rare for one to want typedefs to specify nullability information; rather, it’s usually the user of the typedef that needs to specify nullability.<br>
>> >>> >> >> >> The pointer is a single-level pointer, e.g., int* but not int**, because we’ve found that programmers can get confused about the nullability of multi-level pointers (is it a __nullable pointer to __nonnull pointers, or the other way around?) and inferring nullability for any of the pointers in a multi-level pointer compounds the situation.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Note that no #include may occur within an assumes_nonnull region, and assumes_nonnull regions cannot cross header boundaries.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Type System Impact<br>
>> >>> >> >> >> Nullability qualifiers are mapped to type attributes within the Clang type system, but a nullability-qualified pointer type is not semantically distinct from its unqualified pointer type. Therefore, one may freely convert between nullability-qualified and non-nullability-qualified pointers, or between nullability-qualified pointers with different nullability qualifiers. One cannot overload on nullability qualifiers, write C++ class template partial specializations that identify nullability qualifiers, or inspect nullability via type traits in any way.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Said more strongly, removing nullability qualifiers from a well-formed program will not change its behavior in any way, nor will the semantics of a program change when any set of (well-formed) nullability qualifiers are added to it. Operationally, this means that nullability qualifiers are not part of the canonical type in Clang’s type system, and that any warnings we produce based on nullability information will necessarily be dependent on Clang’s ability to retain type sugar during semantic analysis.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> While it’s somewhat exceptional for us to introduce new type qualifiers that don’t produce semantically distinct types, we feel that this is the only plausible design and implementation strategy for this feature: pushing nullability qualifiers into the type system semantically would cause significant changes to the language (e.g., overloading, partial specialization) and break ABI (due to name mangling) that would drastically reduce the number of potential users, and we feel that Clang’s support for maintaining type sugar throughout semantic analysis is generally good enough [6] to get the benefits of nullability annotations in our tools.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> Looking forward to our discussion.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> - Doug (with Jordan Rose and Anna Zaks)<br>
>> >>> >> >> >><br>
>> >>> >> >> >> [1] <a href="http://en.wikipedia.org/wiki/Tony_Hoare#Apologies_and_retractions" rel="noreferrer" target="_blank">http://en.wikipedia.org/wiki/Tony_Hoare#Apologies_and_retractions</a><br>
>> >>> >> >> >> [2] The standard description of strchr seems to imply that the parameter cannot be null<br>
>> >>> >> >> >> [3] The patch is complete, but should be reviewed on cfe-commits rather than here. There are also several logic parts to this monolithic patch:<br>
>> >>> >> >> >> (a) __nonnull/__nullable/__null_unspecified type specifiers<br>
>> >>> >> >> >> (b) nonnull/nullable/null_unspecified syntactic sugar for Objective-C<br>
>> >>> >> >> >> (c) Warning about inconsistent application of nullability specifiers within a given header<br>
>> >>> >> >> >> (d) assume_nonnull begin/end pragmas<br>
>> >>> >> >> >> (e) Objective-C null_resettable property attribute<br>
>> >>> >> >> >> [4] <a href="https://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html" rel="noreferrer" target="_blank">https://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html</a> (search for “nonnull”)<br>
>> >>> >> >> >> [5] No graybeards were harmed in the making of this feature.<br>
>> >>> >> >> >> [6] Template instantiation is the notable exception here, because it always canonicalizes types.<br>
>> >>> >> >> >><br>
>> >>> >> >> >> &lt;nullability.patch&gt;<br>
>> >>> >> >> >> _______________________________________________<br>
>> >>> >> >> >> cfe-dev mailing list<br>
>> >>> >> >> >> <a href="mailto:cfe-dev@cs.uiuc.edu">cfe-dev@cs.uiuc.edu</a><br>
>> >>> >> >> >> <a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a><br>
>> >>> >> >> >><br>
>> >>> >> >> >><br>
>> >>> >> >> >><br>
>> >>> >> >> >><br>
>> >>> >> >> ><br>
>> >>> >> >> ><br>
>> >>> >> >> ><br>
>> >>> >> ><br>
>> >>> >> ><br>
>> >>> ><br>
>> >>> ><br>
>> >><br>
>> >><br>
>> ><br>
>> ><br>
>> ><br>
><br>
><br>
</div></div></blockquote></div><br></div>
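Putting the thread's practical advice into one file: detect the feature with __has_feature/__has_extension (consulting both, since at the time __has_feature(nullability) was GNU/ObjC-only while __has_extension(nullability) was always true), fall back to empty macros on other compilers, and use the renamed _Nonnull/_Nullable spellings together with the assume_nonnull pragma. The C below is an added example written for this page; it is not code from the thread, from Apple's headers or from Clang. The macro names HAVE_NULLABILITY, NN, NU and ASSUME_NONNULL_BEGIN/END are this example's own, and the "key=value" parser is a constructed use case rather than an API anyone on the thread proposed.

```c
/* Added example (not from the thread, Apple's headers or Clang): a header-style
 * nullability setup that degrades to plain C on compilers without the feature,
 * plus a small parser written against it. The macro names are this example's own. */
#include <stddef.h>
#include <string.h>

/* Feature detection. In the 2015 Clang discussed above, __has_feature(nullability)
 * was true only in GNU/ObjC modes while __has_extension(nullability) was always
 * true, so both are consulted. The fallbacks keep the checks harmless on
 * compilers (e.g. GCC) that define neither. */
#ifndef __has_feature
#  define __has_feature(x) 0
#endif
#ifndef __has_extension
#  define __has_extension(x) __has_feature(x)
#endif

#if __has_extension(nullability) || __has_feature(nullability)
#  define HAVE_NULLABILITY 1
#  define NN _Nonnull   /* the renamed spellings; __nonnull clashes with glibc */
#  define NU _Nullable
#else
#  define HAVE_NULLABILITY 0
#  define NN
#  define NU
#endif

/* The pragma only exists where the compiler reports it; elsewhere it vanishes. */
#if HAVE_NULLABILITY && __has_feature(assume_nonnull)
#  define ASSUME_NONNULL_BEGIN _Pragma("clang assume_nonnull begin")
#  define ASSUME_NONNULL_END   _Pragma("clang assume_nonnull end")
#else
#  define ASSUME_NONNULL_BEGIN
#  define ASSUME_NONNULL_END
#endif

ASSUME_NONNULL_BEGIN

/* Like strchr: the parameter s is inferred _Nonnull by the region, while the
 * result is spelled _Nullable because NULL is the "not found" sentinel. */
const char *NU find_char(const char *s, int c)
{
    return strchr(s, c);
}

/* Parses "key=value" and copies the value into out (capacity n).
 * Returns the value length, or -1 if there is no '=' or the value does not fit.
 * line and out are inferred _Nonnull; the _Nullable result of find_char is
 * checked before it is used. */
int parse_value(const char *line, char *out, size_t n)
{
    const char *NU eq = find_char(line, '=');
    if (eq == NULL)
        return -1;
    size_t len = strlen(eq + 1);
    if (len + 1 > n)
        return -1;
    memcpy(out, eq + 1, len + 1);
    return (int)len;
}

ASSUME_NONNULL_END

/* Outside a region nothing is inferred, so the contract is written out:
 * callers may pass NULL here. Returns 1 for a non-null, non-empty string. */
int is_present(const char *NU p)
{
    return p != NULL && p[0] != '\0';
}
```

On Clang a call such as parse_value(NULL, buf, n) draws a -Wnonnull diagnostic at the call site, because line is inferred _Nonnull inside the region; the same call compiles silently on GCC, where NN, NU and the pragma expand to nothing. That is the point of the proposal's "zero effect on codegen" goal, and also why the nullable result of find_char is still checked at runtime rather than assumed.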