Use ATTR_NONNULL to annotate declarations #156
Force-pushed from 333fb8c to 7f08922.
I personally think this is becoming quite invasive for very marginal gain - the FORMAT and NORETURN macros I'm OK with, but those NULL macros everywhere is making my eyes bleed, and IMO doesn't really help. Coverity, cppcheck, et al. do a fine job of checking these things without the noise. I reckon we can rely on static checkers for most of what's proposed here - could you rework it to use just FORMAT and NORETURN? (and maybe not even the latter TBH - does this really help us to prevent/solve bugs?)
This patch already only adds
Regarding bugs: While adding the specifiers I started off with all functions marked
Thus regarding effectiveness: While we don't currently have (obvious)
What can be done is putting these attributes into the same line as the actual declaration, which should reduce the visual noise a bit.
Yep, understood. Judicious, strategic use of attributes on key functions is fine and helpful IMO, but no more than that.
I think these are issues that static code checkers would find anyway.
IMO the signal-to-noise ratio is not in favour of any of the proposed NULL annotations.
That still seems to me like it's going to be a lot of noise for very little gain. The static checker tools are able to verify these same problem scenarios (and many more) without the code changes. It's a NAK for me - let's leave it at the simpler level of annotation that's already been merged.
8e7ada4 looks good.
Force-pushed from 5d6ae55 to 358fdf9.
Should be resolved. The conflict originated from some recent work in @natoscott Would be nice if you could review+merge these 3 PRs ASAP. The next PR which is kinda urgent after receiving a rebase is #160 as it contains quite a few changes to track when rebasing; though for #160 I'll wait until #155, #156 & #161 are merged until I do the next rebase there.
This issue was previously hidden as xSnprintf expanded to only one large command that didn't trigger the GCC formatting check.
| va_end(vl); | ||
|
|
||
| if (_r < 0) { | ||
| fail(); |
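Review bot: the `fail()` call on `_r < 0` exits without recording which call failed or why, so an encoding error from vsnprintf here is indistinguishable for the user (and for a developer reading a bug report) from any other fatal exit; suggest routing it through an error handler that receives a message with the format string and the returned value, which the #115 helpers referenced in this thread would allow.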
I do not like these fail() calls:
In case of an allocation error (or in the xSnprintf() case a too small buffer) we just exit cleanly, with no message or hint for the user why and no information for us developers where.
See also #115
Replacing this call by some error handler shouldn't be an issue.
With the current base for this PR there's only fail() available as a sensible place to call, but replacing it with the functions introduced in #115 should be fine.
I'd prefer not touching this PR right now, as bugfixes remarked on in #115 are already addressed in #155 which this PR is based upon.
If #155 gets merged before this, a minor change in XAlloc.h is recommended to include these attributes for the newly created/renamed functions xAsnprintf, xSnprintf and xStrdup. I can also rebase this PR onto #155. If okay, I'd add the necessary changes to the above mentioned functions.
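The two technical points in this thread, that a FORMAT attribute makes GCC's format check apply to a wrapper such as xSnprintf, and that a bare `fail()` exits without telling anyone what went wrong, in one added C example. This is illustration code written for this page, not htop's code and not part of this PR: the macro names `ATTR_FORMAT`/`ATTR_NORETURN`/`ATTR_NONNULL`, the `fail_at`/`FAIL` error handler, `would_truncate` and the body of this `xSnprintf` are all assumptions. It goes slightly beyond the hunk above by also treating a too-small buffer (`r >= len`) as an error and by reporting file, line, format string and sizes on failure.

```c
/* Added example, not htop's code: the attribute macros discussed in the thread and a
 * checked snprintf wrapper that reports where it failed instead of calling a bare fail().
 * All names below are assumptions made for illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__GNUC__)
/* fmt_idx: 1-based index of the format-string parameter; args_idx: index of the first
 * variadic argument. With this, gcc -Wformat type-checks calls to the wrapper like printf. */
#define ATTR_FORMAT(fmt_idx, args_idx) __attribute__((format(printf, fmt_idx, args_idx)))
/* Tells the compiler the function never returns (no "control reaches end" warnings after it). */
#define ATTR_NORETURN __attribute__((noreturn))
/* All pointer parameters must be non-NULL; gcc -Wnonnull warns on a literal NULL argument. */
#define ATTR_NONNULL __attribute__((nonnull))
#else
#define ATTR_FORMAT(fmt_idx, args_idx)
#define ATTR_NORETURN
#define ATTR_NONNULL
#endif

/* Error handler with a diagnostic: prints file:line and a formatted message, then exits.
 * Compare with a bare fail(), which exits with no message at all. */
__attribute__((unused))
ATTR_NORETURN ATTR_NONNULL ATTR_FORMAT(3, 4)
static void fail_at(const char* file, int line, const char* fmt, ...) {
   va_list vl;
   va_start(vl, fmt);
   fprintf(stderr, "%s:%d: ", file, line);
   vfprintf(stderr, fmt, vl);
   va_end(vl);
   fputc('\n', stderr);
   exit(EXIT_FAILURE);
}
#define FAIL(...) fail_at(__FILE__, __LINE__, __VA_ARGS__)

/* Returns 1 if formatting fmt needs len or more bytes (vsnprintf would truncate),
 * 0 if it fits, -1 on an encoding error. vsnprintf(NULL, 0, ...) measures without writing. */
ATTR_NONNULL ATTR_FORMAT(2, 3)
static int would_truncate(size_t len, const char* fmt, ...) {
   va_list vl;
   va_start(vl, fmt);
   int r = vsnprintf(NULL, 0, fmt, vl);
   va_end(vl);
   if (r < 0)
      return -1;
   return (size_t)r >= len ? 1 : 0;
}

/* Checked snprintf: an encoding error (r < 0) or a too-small buffer (r >= len) is fatal,
 * but the failure is reported with location, format string and sizes, not silently. */
ATTR_NONNULL ATTR_FORMAT(3, 4)
static int xSnprintf(char* buf, size_t len, const char* fmt, ...) {
   va_list vl;
   va_start(vl, fmt);
   int r = vsnprintf(buf, len, fmt, vl);
   va_end(vl);
   if (r < 0 || (size_t)r >= len)
      FAIL("xSnprintf(\"%s\") into %zu bytes failed: vsnprintf returned %d", fmt, len, r);
   return r;
}

/* Usage: formats a constructed line into a buffer that is large enough and returns its
 * length (16 for this input), or -1 if the buffer content is not what was expected. */
static int example_usage(void) {
   char line[32];
   int n = xSnprintf(line, sizeof line, "pid=%d name=%s", 42, "init");
   return strcmp(line, "pid=42 name=init") == 0 ? n : -1;
}

int main(void) {
   printf("formatted %d bytes\n", example_usage());
   /* A mismatched argument type, e.g. xSnprintf(line, n, "%d", "str"), or a NULL format
    * string is now flagged at compile time with -Wall (-Wformat, -Wnonnull), which is
    * the check the thread says a single large macro expansion did not trigger. */
   return 0;
}
```

The compile-time effect of the attributes cannot be asserted at run time; build the file with `gcc -Wall` and deliberately pass a wrong argument type to `xSnprintf` to see the warning that the attribute enables.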