On Thu, 2021-06-17 at 21:44 +0100, Jonny Grant wrote:
>
>
> On 16/06/2021 18:59, Segher Boessenkool wrote:
> > On Wed, Jun 16, 2021 at 02:01:05PM +0100, Jonny Grant wrote:
> > > I guess a separate static analyser would do it, GCC is more
> > > focused on compilation so I shouldn't ask for it to have so many
> > > features it can't support.
> >
> > -fsanitize=undefined already catches null pointer dereferences, is
> > that
> > enough for your case?
> >
> >
> > Segher
>
> Hello
> Thank you for the suggestion, yes, I had used that before. I did just
> check, it's runtime checks. I had hoped for something at compile time.
> warning for every function that didn't check pointer for NULL before
> de-referencing.
There is no way to do this.
int foo(struct dev *dev)
{
int r = sanitize_input(dev);
if (r)
return r;
bar(&dev->id);
return dev->id->result;
}
While there is no way to know the behavior of `sanitize_input` (it may
be defined in another TU), there is no way to tell if `foo` has done "a
proper non-null check".
And this "warning" does not make any sense. It's perfectly legal for a
function to assume the input is not null and the caller should guarantee
it. Adding a non-null check in every function is just paranoid. This
really looks like a suggestion from some professors who don't program at
all, but unfortunately teach C and tell their own misconcept of
"defensive programming" everywhere.
--
Xi Ruoyao <xry111@xxxxxxxxxxxxxxxx>
School of Aerospace Science and Technology, Xidian University
