[PATCH] D76083: [clang-tidy] Expand the list of functions in bugprone-unused-return-value

Sam McCall via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Apr 13 08:02:14 PDT 2020 

sammccall added inline comments.


================
Comment at: clang-tools-extra/clang-tidy/bugprone/UnusedReturnValueCheck.cpp:98
+                                   "::access;"
+                                   "::bind;"
+                                   "::connect;"
----------------
aaron.ballman wrote:
> aaron.ballman wrote:
> > sammccall wrote:
> > > aaron.ballman wrote:
> > > > sammccall wrote:
> > > > > aaron.ballman wrote:
> > > > > > jranieri-grammatech wrote:
> > > > > > > alexfh wrote:
> > > > > > > > bind has a side effect and returns a success status. Thus, the result being unused isn't necessarily a bug. Same for `connect`. And probably for `setjmp` as well.
> > > > > > > In terms of bind, connect, and setjmp: while I personally would say that code not using the return value is bugprone, the data suggests that the vast majority of developers are using these functions in the intended manner and the false-positive rate should be low.
> > > > > > I think we have sufficient statistical data to suggest that these APIs should be on the list because the majority of programmers *do not* use them solely for side effects without using the return value, so my preference is to keep them in the list.
> > > > > I stumbled upon this review as we're considering turning this check on by default in clangd.
> > > > > 
> > > > > There's a significant difference between unused std::async() (programmer misunderstood contract) and unused ::connect() (ignoring error conditions). The former is ~never noise, and the latter may be (e.g. in experimental or incomplete code).
> > > > > 
> > > > > So there's some value in separating these two lists out either as an option or a separate named check (bugprone-unhandled-error?) I think we probably wouldn't enable this check by default if it includes the error-code functions.
> > > > > 
> > > > > > the majority of programmers *do not* use them solely for side effects
> > > > > ...in popular, distributed software :-)
> > > > > So there's some value in separating these two lists out either as an option or a separate named check (bugprone-unhandled-error?) I think we probably wouldn't enable this check by default if it includes the error-code functions.
> > > > 
> > > > I think that adds complexity to this check when the complexity isn't necessary. clang-tidy has traditionally been a place for checks that are chattier than what the compiler should provide, and this check has a trivial, well-understood mechanism to silence the diagnostics (cast to void) which also expresses intent properly to the toolchain.
> > > > 
> > > > >>the majority of programmers *do not* use them solely for side effects
> > > > > ...in popular, distributed software :-)
> > > > 
> > > > I have not seen anyone provide data to suggest that the functions in question appear in any statistically significant amount in practice without checking the return value, just worries that they *could*. I don't think that's compelling in the face of data. Remember, this is for bugprone patterns, not bugknown patterns.
> > > I think we're talking past each other here. I'm not saying clang-tidy shouldn't have the check, or that it's not a bugprone pattern, or that the clang-tidy default should be different.
> > > 
> > > But there are scenarios where you want one but not the other. Concretely, warnings shown in an IDE **as you type and by default**. If you're misusing an API rendering it completely useless, you should see that ASAP. If you fail to check an error code, some users won't want to be warned about that until later.
> > > 
> > > By bundling them into a single check without options (other than duplicating the whole list), it's hard to create that useful but inoffensive default setup. That's OK, clangd can remove the check from the whitelist, but I think we'd get a lot of value out of it.
> > > 
> > > > I have not seen anyone provide data to suggest that the functions in question appear in any statistically significant amount in practice
> > > Right, we don't have data either way on incomplete code. Based on experience of writing code and watching others write code, I believe people write sloppy code they'd never check in, and appreciate being told early when it doesn't do what they intend, but some don't appreciate being told to be less sloppy. Is your intuition different? Do you think the data provided addresses this question?
> > > But there are scenarios where you want one but not the other. Concretely, warnings shown in an IDE as you type and by default. If you're misusing an API rendering it completely useless, you should see that ASAP. If you fail to check an error code, some users won't want to be warned about that until later.
> > 
> > You're right, we were talking past one another because this was not a scenario I had in mind at all. Thank you for raising it!
> > 
> > > Is your intuition different? Do you think the data provided addresses this question?
> > 
> > I will have to spend some time figuring out what my intuition is for checks that are run as you are typing the code, but my wildly unconsidered opinion is that there's not a big difference between as-you-type and not for these checks. Either it's a bad idea to ignore the return value or it's not a bad idea -- whether you're still typing or not does seem to change the answer. However, as I said, this is an unconsidered opinion. :-)
> > 
> > However, the data we've found *definitely* does not address the question.
> > 
> > One thing this check does not do is add a fix-it hint to automatically cast to void. If such a fixit were added, would that help the as-you-type scenario by providing a way to quickly insert the way to silence the diagnostic for those who really do want to ignore the return value?
> I thought about this more over the weekend and my thinking is that these really are APIs where we believe ignoring the return value is almost always a correctness issue regardless of whether it happens in test code, or while the user is typing in their editor, experimental code, etc. If ignoring the return value is desired behavior for one of these functions, it would most likely be an outlier where the code could stand to be made more clear via casting the return to void (and probably some comments explaining why it's still correct to ignore the return value). We could have separate lists for these identifiers, as suggested, but it's not clear to me what metric would be used to decide which list to put any given identifier on. So, to me, this is about designing the feature for the 95% case or the 5% case, and I think maintaining two separate lists would add a lot of overhead for little value. I think there is value to telling the programmer "you're ignoring this return value and 'most' people don't do that" as quickly as possible as it also may catch a bug the developer wasn't thinking about yet.
I think this is pretty simple, it's the distinction between "almost always" vs "always", and "a correctness issue" vs "wrong".

Calling bind() or whatever without checking the error code is sometimes useful, if only for prototyping, and calling back_inserter() never is.

But we're going around circles on this and it's blocking useful work. I'll send a separate patch to split the lists or remove the few bad entries or something.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D76083/new/

https://reviews.llvm.org/D76083

More information about the cfe-commits mailing list