On 19/02/2023 20:43, Jonny Grant wrote: > > > On 11/02/2023 00:32, Jonathan Wakely wrote: >> On Fri, 10 Feb 2023 at 22:38, Jonny Grant <jg@xxxxxxxx> wrote: >>> >>> >>> >>> On 10/02/2023 22:03, Jonathan Wakely wrote: >>>> On Fri, 10 Feb 2023 at 21:30, Jonny Grant <jg@xxxxxxxx> wrote: >>>>> >>>>> >>>>> >>>>> On 09/02/2023 17:52, Jonathan Wakely wrote: >>>>>> On Thu, 9 Feb 2023 at 16:30, Xi Ruoyao wrote: >>>>>>> >>>>>>> On Thu, 2023-02-09 at 14:56 +0000, Jonathan Wakely via Gcc-help wrote: >>>>>>>>> Note, my code isn't like this, it is just an example to suggest >>>>>>>>> adding the nullptr attribute, as its clearly already rejected at >>>>>>>>> runtime. >>>>>>>> >>>>>>>> I assume you mean the nonnull attribute. That was added in 2020 and >>>>>>>> then reverted because it broke some things: >>>>>>> >>>>>>> I remember I'd once made the same mistake when I suggested to add >>>>>>> nonnull for ostream::operator<<(const string &) and I was lectured: >>>>>>> nonnull is not only a diagnostic attribute, it also allows the compiler >>>>>>> to assume the parameter is never null and rendering std::string(nullptr) >>>>>>> an undefined behavior. >>>>>> >>>>>> Yes, I think that's what might have happened with the std::string change. >>>>> >>>>> My apologies, Jonathan, Xi, yes it is the __attribute__((nonnull)); I was mistaken to type as nullptr. >>>>> >>>>> I re-read, and it does seem nonnull is really an optimization that as a side effect may give some warnings. So I'm going to stop using it. >>>>> https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#Common-Function-Attributes >>>>> >>>>> (there is a typo in that manual section saying "nonnul" - I don't know if you have a moment to make a change in git? I didn't get replies on gcc-patches to my patches...) >>>>> >>>>> I searched and see like someone investigated this problem and saw it removed NULL checks http://www.rkoucha.fr/tech_corner/nonnull_gcc_attribute.html >>>>> >>>>> I saw wget2 removed the nonnull attribute due to the optimizer removing checks against NULL too >>>>> https://gitlab.com/gnuwget/wget2/-/issues/200 >>>>> >>>>>>> Then the example may just silently continue to run, instead of throwing >>>>>>> an exception. It would be an ironic example: an attempt to improve >>>>>>> diagnostic finally made diagnostic more difficult. >>>>>> >>>>>> Indeed. >>>>>> >>>>>> Maybe we can add __attribute__((access(read, 1))) instead, which says >>>>>> that we will read from the pointer, which also implies it must be >>>>>> non-null. >>>>> >>>>> I tried this with gcc 12, as read_only, but it didn't stop when compiling. Maybe you have an example that demonstrates please? >>>>> >>>>> void f(const char * p) __attribute__((access(read_only, 1))); >>>>> >>>>>> >>>>>> N.B. in C++23 string(nullptr) produces an error, although >>>>>> string((const char*)nullptr) doesn't, so in practice it only prevents >>>>>> the dumbest calls with a literal 'nullptr' token, and not the more >>>>>> realistic problems where you have a pointer that happens to be null. >>>>> >>>>> That's good it stops compiling, the error is not that clear "use of deleted function" for me though. >>>>> >>>>> string.cpp: In function ‘int main()’: >>>>> string.cpp:13:26: error: use of deleted function ‘std::__cxx11::basic_string<_CharT, _Traits, _Alloc>::basic_string(std::nullptr_t) [with _CharT = char; _Traits = std::char_traits<char>; _Alloc = std::allocator<char>; std::nullptr_t = std::nullptr_t]’ >>>>> 13 | std::string c(nullptr); >>>>> >>>>> >>>>> >>>>> >>>>> I made my own test class str_string which stops the build a different way. It only works if the dumbest calls with 'nullptr' as you found in your test. >>>>> >>>>> void nullptr_compile_abort() __attribute__((error("nullptr compile error"))); >>>>> >>>>> str_string(nullptr_t) { nullptr_compile_abort(); } >>>> >>>> This doesn't work because std::is_constructible_v<std::string, >>>> std::nullptr_t> would be true, and we want it to be false. >>> >>> Hmm, for me, this output is 0. >>> std::cout << std::is_constructible_v<std::string,std::nullptr_t> << "\n"; >> >> For C++23, yes, but if you add a constructor like your >> str_string(nullptr_t) it would become 1. >> >> Using a deleted function is observably different to using a >> constructor that then produces an error when called. > > I noticed -Wanalyzer-null-dereference reports at build time a dereference. Also works if a function parameter. I wondered why std::string isn't detected by this static analyser option. > > <source>:9:10: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference] > 9 | char b = *a; > | ^ > > #include <string> > #include <iostream> > > int main() > { > const char * a = nullptr; > char b = *a; > > std::cout << b; > } It's not pretty, but this wrapper catches NULL passed at compile time: std::string make_std_string(const char * const str) { // This line ensures: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference] char b = *str; std::string s(str); s[0] = b; // copy it back to avoid unused variable warning return s; } int main() { const char * a = NULL; std::string result = make_std_string(a); std::cout << result; } note, there a PR in latest gcc for an issue, so need to use -Wno-analyzer-use-of-uninitialized-value to avoid std::string having an incorrect warning reported.
