[PATCH] D11948: Add some macros to abstract marking of parameters as "not null", and use them in <cstring>

Tue Aug 11 10:48:18 PDT 2015

mclow.lists created this revision.
mclow.lists added reviewers: chandlerc, rsmith, EricWF.
mclow.lists added a subscriber: cfe-commits.
Herald added subscribers: danalbert, tberghammer.

The C standard says that calling `memcpy`, etc with null parameters is undefined behavior.
GCC (and clang) have attributes that allow us to mark the parameters of functions as "must not be null".

Define a mechanism to do this, and use it (for the first time) to mark the parameters of `memcpy`, `memmove`, `memcmp` and `strncmp` as "must not be null".

This gives us compile time checking for constant pointers, and hints to the code generator.

Note: This will not be a big win on systems that use glibc, because it marks the global functions `::memcpy`, etc the same way. On Mac OS X, iOS, Android, FreeBSD, etc, this will make a bigger difference.

I will be adding tests as well; this post is to gather consensus that this is the right way to go.


http://reviews.llvm.org/D11948

Files:
  include/__config
  include/cstring

Index: include/cstring
===================================================================

--- include/cstring
+++ include/cstring
@@ -67,15 +67,34 @@
 _LIBCPP_BEGIN_NAMESPACE_STD
 
 using ::size_t;
-using ::memcpy;
-using ::memmove;
+
+// using ::memcpy;
+inline _LIBCPP_INLINE_VISIBILITY _LIBCPP_NON_NULL2(1, 2)
+void* memcpy(void* __s1, const void* __s2, size_t __n) 
+{ return ::memcpy(__s1, __s2, __n); }
+
+// using ::memmove;
+inline _LIBCPP_INLINE_VISIBILITY _LIBCPP_NON_NULL2(1, 2)
+void* memmove(void* __s1, const void* __s2, size_t __n)
+{ return ::memmove(__s1, __s2, __n); }
+
 using ::strcpy;
 using ::strncpy;
 using ::strcat;
 using ::strncat;
-using ::memcmp;
+
+// using ::memcmp;
+inline _LIBCPP_INLINE_VISIBILITY _LIBCPP_NON_NULL2(1, 2)
+int memcmp(const void* __s1, const void* __s2, size_t __n)
+{ return ::memcmp(__s1, __s2, __n); }
+
 using ::strcmp;
-using ::strncmp;
+
+// using ::strncmp;
+inline _LIBCPP_INLINE_VISIBILITY _LIBCPP_NON_NULL2(1, 2)
+int strncmp(const char* __s1, const char* __s2, size_t __n)
+{ return ::memcmp(__s1, __s2, __n); }
+
 using ::strcoll;
 using ::strxfrm;
 
Index: include/__config
===================================================================
--- include/__config
+++ include/__config
@@ -273,6 +273,11 @@
 
 #define _LIBCPP_UNUSED __attribute__((__unused__))
 
+#define	_LIBCPP_NON_NULL			__attribute__((__nonnull__))
+#define	_LIBCPP_NON_NULL1(x)		__attribute__((__nonnull__(x)))
+#define	_LIBCPP_NON_NULL2(x,y)		__attribute__((__nonnull__(x,y)))
+#define	_LIBCPP_NON_NULL3(x,y,z)	__attribute__((__nonnull__(x,y,z)))
+
 #if !(__has_feature(cxx_defaulted_functions))
 #define _LIBCPP_HAS_NO_DEFAULTED_FUNCTIONS
 #endif  // !(__has_feature(cxx_defaulted_functions))
@@ -405,6 +410,11 @@
 
 #define _LIBCPP_UNUSED __attribute__((__unused__))
 
+#define	_LIBCPP_NON_NULL			__attribute__((__nonnull__))
+#define	_LIBCPP_NON_NULL1(x)		__attribute__((__nonnull__(x)))
+#define	_LIBCPP_NON_NULL2(x,y)		__attribute__((__nonnull__(x,y)))
+#define	_LIBCPP_NON_NULL3(x,y,z)	__attribute__((__nonnull__(x,y,z)))
+
 #if _GNUC_VER >= 407
 #define _LIBCPP_UNDERLYING_TYPE(T) __underlying_type(T)
 #define _LIBCPP_IS_LITERAL(T) __is_literal_type(T)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D11948.31829.patch
Type: text/x-patch
Size: 2196 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20150811/b416f856/attachment-0001.bin>
