On 08/07/2021 12:06, Alejandro Colomar (man-pages) wrote:
> On 7/8/21 12:07 PM, Jonny Grant wrote:
>> Thank you for your reply.
>>
>> We can't guarantee safestrlen() won't be called with NULL. So because strlen() itself doesn't check for NULL in the C standard we'd need to call the wrapper so that NULL can be checked for.
>>
>> I'd like to avoid the compiler removing certain execution paths.
>> I'd rather keep all code paths, even if they are not taken, just in case a NULL pointer creeps in due to an external device that is connected to an embedded system.
>>
>>
>> Probably this would work:
>>
>> size_t __attribute__((optimize("O0"))) safestrlen(const char * s)
>> {
>>     if (NULL == s) return 0;
>>     else return strlen(s);
>> }
>
> I don't think you don't need that. Unless there's a bug in GCC, it shouldn't optimize that path unless it is 100% sure that it will never be called.

That is good, so the code will always be kept! As the compiler will never find all calls to strlen() and be sure those calls are never NULL.

> Moreover, I recommend you to optimize as much as possible.
> Even though NULL is possible in your code, I guess it's unlikely.
>
> Also, calling a function safe is too generic.
> I'd call it with the suffix null, as it acts differently on null.
>
> Also, I recommend avoiding 'size_t' (and any other unsigned types, BTW).
> See <https://google.github.io/styleguide/cppguide.html#Integer_Types>.
> Use the POSIX type 'ssize_t'.
> That also allows differentiating a length of 0 (i.e., "") from an invalid string (i.e., NULL), by returning -1 for NULL.
>

https://man7.org/linux/man-pages/man3/strlen.3.html
size_t strlen(const char *s);

I'd rather not change the return type from POSIX size_t in any wrapper of strlen. Unless it is part of C11 Annex K style standards improvement.

Cheers,
Jonny
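The two designs argued over in this thread, side by side, as an added example that is not code from either poster: a NULL-tolerant wrapper that keeps strlen()'s size_t signature (NULL reported as 0, so it cannot be told apart from ""), and the ssize_t variant Alejandro proposes (NULL reported as -1). The function names strlen_null and strlen_null_s are assumed here, following the "null" suffix suggested in the thread; the GCC-specific optimize("O0") attribute from Jonny's draft is left out, since the thread concludes the compiler will not drop the NULL branch anyway.

```c
/* Added example, not from the mailing-list thread.
 * Function names strlen_null / strlen_null_s are assumptions for illustration. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>  /* POSIX ssize_t */

/* Variant 1: keeps strlen()'s size_t return type (Jonny's preference).
 * NULL is reported as 0, the same value "" yields. */
size_t strlen_null(const char *s)
{
    if (s == NULL)
        return 0;
    return strlen(s);
}

/* Variant 2: POSIX ssize_t return type (Alejandro's suggestion).
 * NULL is reported as -1, so a caller can distinguish it from "" (0). */
ssize_t strlen_null_s(const char *s)
{
    if (s == NULL)
        return -1;
    return (ssize_t)strlen(s);
}

/* Copies s into dst (capacity cap) only when it is a real, fitting string.
 * Uses the ssize_t variant so that NULL is rejected rather than being
 * treated as an empty string. Returns 1 on success, 0 otherwise. */
int copy_checked(char *dst, size_t cap, const char *s)
{
    ssize_t len = strlen_null_s(s);
    if (len < 0)                       /* NULL input: refuse, do not copy "" */
        return 0;
    if ((size_t)len + 1 > cap)         /* would not fit including the NUL */
        return 0;
    memcpy(dst, s, (size_t)len + 1);
    return 1;
}

/* Returns 1 if the size_t variant conflates NULL with "" while the
 * ssize_t variant keeps them apart, which is the point of the thread. */
int null_vs_empty_distinguishable(void)
{
    const char *empty = "";
    const char *none = NULL;
    int conflated = (strlen_null(empty) == strlen_null(none));
    int separated = (strlen_null_s(empty) != strlen_null_s(none));
    return conflated && separated;
}

int main(void)
{
    /* Constructed inputs: a normal string, an empty string, and NULL. */
    const char *inputs[] = { "hello", "", NULL };
    char buf[8];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("input=%s size_t=%zu ssize_t=%zd copied=%d\n",
               inputs[i] ? inputs[i] : "(NULL)",
               strlen_null(inputs[i]),
               strlen_null_s(inputs[i]),
               copy_checked(buf, sizeof buf, inputs[i]));
    }
    return 0;
}
```

The copy_checked() helper shows why the return-type choice matters beyond style: with the size_t wrapper a NULL pointer coming from an external device would silently behave like an empty string, whereas the -1 sentinel lets the caller refuse it explicitly.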