[cfe-dev] ISO C3X proposal: nonnull qualifier

Alejandro Colomar (man-pages) via cfe-dev cfe-dev at lists.llvm.org
Wed Dec 1 13:57:51 PST 2021


Hi Joerg,

On 11/30/21 20:43, Joerg Sonnenberger via cfe-dev wrote:
> On Mon, Nov 15, 2021 at 05:01:49PM +0100, Alejandro Colomar (man-pages) via cfe-dev wrote:
>>        Clang doesn't specify the behavior as being undefined.
>>        That forbids optimizations that would otherwise be possible.
>>        We prefer to allow for those optimizations.
> 
> Have you read the old discussions on this topic? Without wanting to
> sound harsh, I'm missing the justification for why the optimisation is
> useful. The clang _Nonnull exists exactly because the GCC attribute has
> proven to be much more harmful than it ever helped to produce better
> code. Your proposal should therefore at the very least discuss two
> related topics:
> 
> (1) Why is it a good idea to remove explicit sanity checks from the
> code? The history of many libraries has proven that these checks are much
> more useful than the branching cost and it is very surprising if the
> compiler drops them.
> 
> (2) Why can propagation of assumptions not result in the
> removal of range checks? See the whole dereferencing-implies-notnull
> discussion from the Linux kernel a few years ago for why this can be
> problematic.
> 
> As it stands, this just seems to repeat the mistakes of the GCC
> attributes in a slightly different shape.

I think my wording was incorrect.  And after having thought about some
complex situations with _Nonnull (i.e., don't warn about
nonnull-to-nullable assignment if nonnull-ness can be proven), I think
UB should be off the table.  The more I play with Clang's _Nonnull,
the more I'm convinced that it's exactly what C3X should add.  I haven't
replied to this thread in a long time because I was testing it.

I've read some of the discussions about nonnull, but not many others.
If someone can provide links to them, it'd be great.  So, thanks in advance.

So,

(1):  No.  Explicit sanity checks should never be removed by the
compiler.  Instead it should warn about them being unnecessary, and let
the user remove them.  If the user removes the checks, the resulting
optimization should be the same as if the compiler had done so, plus the
user has the opportunity to ignore warnings, as always, and keep the
checks if for some weird reason they are needed.


(2):  I'm not sure I understand this one.  I also didn't find the LKML
thread.  My idea is that if the compiler enforces nonnull-ness as it
does currently with const, it will be possible to guarantee that sanity
checks are unnecessary, and therefore they can be safely omitted (by the
user, not the compiler).


The idea is making it impossible to pass a null pointer to a _Nonnull
pointer, so if I declare a parameter as _Nonnull, the sanity checks are
unnecessary.  Only ignoring warnings (this should go into -Wall) could
then produce UB.


Cheers,
Alex
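The pattern argued for above (the contract lives in the signature, the explicit sanity check stays in the body, and a nullable value is tested before it reaches a `_Nonnull` parameter), as an added example that is not part of the thread or of Clang. The `NONNULL`/`NULLABLE` macros, the `count_sep`, `lookup`, `count_in_entry` and `null_check_still_present` functions and the lookup table contents are all constructed for this illustration; on a non-Clang compiler the qualifiers expand to nothing so the file still builds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Clang's nullability qualifiers; on other compilers they expand to
 * nothing so the example still builds (assumed convenience macros). */
#ifdef __clang__
#  define NONNULL  _Nonnull
#  define NULLABLE _Nullable
#else
#  define NONNULL
#  define NULLABLE
#endif

/* The contract is in the signature, but the explicit sanity check stays
 * in the body.  Clang's _Nonnull does not delete it (a diagnostic is the
 * most a compiler should do here).  Returns -1 on a null argument, 0 on
 * success with the separator count stored in *out. */
int count_sep(const char *NONNULL s, char sep, size_t *NONNULL out)
{
    if (s == NULL || out == NULL)   /* kept on purpose */
        return -1;

    size_t n = 0;
    for (; *s != '\0'; s++)
        if (*s == sep)
            n++;
    *out = n;
    return 0;
}

/* Hypothetical lookup over a constructed table.  The result is _Nullable
 * because an unknown key yields NULL; passing it unchecked to a _Nonnull
 * parameter is what clang -Wnullable-to-nonnull-conversion reports. */
const char *NULLABLE lookup(const char *NONNULL key)
{
    static const char *const table[][2] = {   /* constructed sample data */
        { "path",  "/usr/local/bin:/usr/bin" },
        { "hosts", "a.example,b.example" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i][0], key) == 0)
            return table[i][1];
    return NULL;
}

/* Caller that honours the contract: the nullable result is tested before
 * it reaches count_sep, so the _Nonnull parameter never receives NULL.
 * Returns the number of separators, or -1 if the key is unknown. */
long count_in_entry(const char *NONNULL key, char sep)
{
    const char *NULLABLE value = lookup(key);
    if (value == NULL)
        return -1;
    size_t n;
    if (count_sep(value, sep, &n) != 0)
        return -1;
    return (long)n;
}

/* Stands in for a caller that ignored the warning: a null pointer the
 * optimiser cannot see through (volatile) is passed in, and the kept
 * sanity check must still catch it.  Returns 1 if it did, 0 otherwise. */
int null_check_still_present(void)
{
    const char *volatile hidden = NULL;
    size_t n = 0;
    return count_sep(hidden, ',', &n) == -1;
}

int main(void)
{
    printf("separators in PATH entry: %ld\n", count_in_entry("path", ':'));
    printf("unknown key: %ld\n", count_in_entry("nosuch", ':'));
    printf("sanity check present: %d\n", null_check_still_present());
    return 0;
}
```

Build with `clang -Wall -Wnonnull -O2` to see the diagnostics side of the proposal: a literal `NULL` handed to `count_sep` is reported by `-Wnonnull`, yet the check inside `count_sep` survives at `-O2`, which is the split the post asks for (warn the user, leave the removal to them).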