Re: std::string add nullptr attribute

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 19/02/2023 20:43, Jonny Grant wrote:
> 
> 
> On 11/02/2023 00:32, Jonathan Wakely wrote:
>> On Fri, 10 Feb 2023 at 22:38, Jonny Grant <jg@xxxxxxxx> wrote:
>>>
>>>
>>>
>>> On 10/02/2023 22:03, Jonathan Wakely wrote:
>>>> On Fri, 10 Feb 2023 at 21:30, Jonny Grant <jg@xxxxxxxx> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 09/02/2023 17:52, Jonathan Wakely wrote:
>>>>>> On Thu, 9 Feb 2023 at 16:30, Xi Ruoyao wrote:
>>>>>>>
>>>>>>> On Thu, 2023-02-09 at 14:56 +0000, Jonathan Wakely via Gcc-help wrote:
>>>>>>>>> Note, my code isn't like this, it is just an example to suggest
>>>>>>>>> adding the nullptr attribute, as its clearly already rejected at
>>>>>>>>> runtime.
>>>>>>>>
>>>>>>>> I assume you mean the nonnull attribute. That was added in 2020 and
>>>>>>>> then reverted because it broke some things:
>>>>>>>
>>>>>>> I remember I'd once made the same mistake when I suggested to add
>>>>>>> nonnull for ostream::operator<<(const string &) and I was lectured:
>>>>>>> nonnull is not only a diagnostic attribute, it also allows the compiler
>>>>>>> to assume the parameter is never null and rendering std::string(nullptr)
>>>>>>> an undefined behavior.
>>>>>>
>>>>>> Yes, I think that's what might have happened with the std::string change.
>>>>>
>>>>> My apologies, Jonathan, Xi, yes it is the __attribute__((nonnull)); I was mistaken to type as nullptr.
>>>>>
>>>>> I re-read, and it does seem nonnull is really an optimization that as a side effect may give some warnings. So I'm going to stop using it.
>>>>> https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#Common-Function-Attributes
>>>>>
>>>>> (there is a typo in that manual section saying "nonnul" - I don't know if you have a moment to make a change in git? I didn't get replies on gcc-patches to my patches...)
>>>>>
>>>>> I searched and see like someone investigated this problem and saw it removed NULL checks http://www.rkoucha.fr/tech_corner/nonnull_gcc_attribute.html
>>>>>
>>>>> I saw wget2 removed the nonnull attribute due to the optimizer removing checks against NULL too
>>>>> https://gitlab.com/gnuwget/wget2/-/issues/200
>>>>>
>>>>>>> Then the example may just silently continue to run, instead of throwing
>>>>>>> an exception.  It would be an ironic example: an attempt to improve
>>>>>>> diagnostic finally made diagnostic more difficult.
>>>>>>
>>>>>> Indeed.
>>>>>>
>>>>>> Maybe we can add __attribute__((access(read, 1))) instead, which says
>>>>>> that we will read from the pointer, which also implies it must be
>>>>>> non-null.
>>>>>
>>>>> I tried this with gcc 12, as read_only, but it didn't stop when compiling. Maybe you have an example that demonstrates please?
>>>>>
>>>>> void f(const char * p) __attribute__((access(read_only, 1)));
>>>>>
>>>>>>
>>>>>> N.B. in C++23 string(nullptr) produces an error, although
>>>>>> string((const char*)nullptr) doesn't, so in practice it only prevents
>>>>>> the dumbest calls with a literal 'nullptr' token, and not the more
>>>>>> realistic problems where you have a pointer that happens to be null.
>>>>>
>>>>> That's good it stops compiling, the error is not that clear "use of deleted function" for me though.
>>>>>
>>>>> string.cpp: In function ‘int main()’:
>>>>> string.cpp:13:26: error: use of deleted function ‘std::__cxx11::basic_string<_CharT, _Traits, _Alloc>::basic_string(std::nullptr_t) [with _CharT = char; _Traits = std::char_traits<char>; _Alloc = std::allocator<char>; std::nullptr_t = std::nullptr_t]’
>>>>>    13 |     std::string c(nullptr);
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I made my own test class str_string which stops the build a different way. It only works if the dumbest calls with 'nullptr' as you found in your test.
>>>>>
>>>>> void nullptr_compile_abort() __attribute__((error("nullptr compile error")));
>>>>>
>>>>> str_string(nullptr_t) { nullptr_compile_abort(); }
>>>>
>>>> This doesn't work because std::is_constructible_v<std::string,
>>>> std::nullptr_t> would be true, and we want it to be false.
>>>
>>> Hmm, for me, this output is 0.
>>>   std::cout << std::is_constructible_v<std::string,std::nullptr_t> << "\n";
>>
>> For C++23, yes, but if you add a constructor like your
>> str_string(nullptr_t) it would become 1.
>>
>> Using a deleted function is observably different to using a
>> constructor that then produces an error when called.
> 
> I noticed -Wanalyzer-null-dereference reports at build time a dereference. Also works if a function parameter. I wondered why std::string isn't detected by this static analyser option.
> 
> <source>:9:10: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
>     9 |     char b = *a;
>       |          ^
> 
> #include <string>
> #include <iostream>
> 
> int main()
> {
>     const char * a = nullptr;
>     char b = *a;
> 
>     std::cout << b;
> }



It's not pretty, but this wrapper catches NULL passed at compile time:

std::string make_std_string(const char * const str)
{
    // This line ensures: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
    char b = *str; 
    std::string s(str);
    s[0] = b; // copy it back to avoid unused variable warning
    return s;
}

int main()
{
    const char * a = NULL;
    std::string result = make_std_string(a);
    std::cout << result;
}


note, there a PR in latest gcc for an issue, so need to use -Wno-analyzer-use-of-uninitialized-value to avoid std::string having an incorrect warning reported.




[Index of Archives]     [Linux C Programming]     [Linux Kernel]     [eCos]     [Fedora Development]     [Fedora Announce]     [Autoconf]     [The DWARVES Debugging Tools]     [Yosemite Campsites]     [Yosemite News]     [Linux GCC]

  Powered by Linux