Jim Meyering wrote:
> > Arguments for doing it:
> > - Allows GCC to produce its warning when passed a literal NULL value.
> > - An added piece of documentation (but only when done completely,
> > throughout gnulib).
>
> - Allows tools like the clang static analyzer to avoid warning about
> what it would otherwise call a potential NULL dereference.
Good point. The analysis is not very capable at this point, but it can
improve in the future. For example, in this code, I get a warning only
about the first function. The static analysis done by the Eclipse Java
compiler would also warn about a redundant 'if' in the second function.
=========================== foo.c ==============================
#include <stddef.h>

extern int func1 (char *);
extern int func2 (char *) __attribute__ ((__nonnull__ (1)));

int
foo1 (char *s)
{
  int n = func1 (s);
  if (s == NULL)
    n += func2 (s);
  return n;
}

int
foo2 (char *s)
{
  int n = func2 (s);
  if (s != NULL)
    n++;
  return n;
}
=================================================================
$ scan-build gcc -c -O foo.c
ANALYZE: foo.c foo1
foo.c:11:10: warning: Null pointer passed as an argument to a 'nonnull' parameter
    n += func2 (s);
         ^      ~
ANALYZE: foo.c foo2
1 diagnostic generated.
I'll post a proposal for __nonnull__ declarations.
Bruno
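As an added illustration of the point discussed above (not part of this message or of gnulib): a `__nonnull__` declaration is a contract that lets GCC flag a literal NULL argument and lets the clang analyzer track the constraint, but it gives the callee no runtime protection, since the compiler may assume the argument is non-null inside the callee and treat a NULL test there as dead code. The usual pattern is therefore to validate at a boundary function where the pointer may still legitimately be NULL, and only then call into the nonnull-declared function. The function names and the greeting string are made up for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Contract: 'name' must not be NULL.  With -Wall, GCC emits -Wnonnull for
   a call such as greeting_length (NULL), and scan-build reports a call
   where its analysis proves the argument can be NULL. */
extern size_t greeting_length (const char *name)
  __attribute__ ((__nonnull__ (1)));

size_t
greeting_length (const char *name)
{
  /* No NULL check here: because of the attribute, GCC is entitled to
     assume name != NULL and may drop such a check as unreachable, so the
     attribute must not be mistaken for input validation. */
  return strlen ("Hello, ") + strlen (name);
}

/* Boundary function: NULL is a legal input here, so the check is done
   before the pointer crosses into the nonnull contract. */
size_t
safe_greeting_length (const char *maybe_name)
{
  if (maybe_name == NULL)
    return 0;
  return greeting_length (maybe_name);
}

int
main (void)
{
  printf ("%zu\n", safe_greeting_length ("Bruno"));  /* 12 */
  printf ("%zu\n", safe_greeting_length (NULL));     /* 0 */
  return 0;
}
```

Compiling this with `gcc -Wall -c` and adding a direct call `greeting_length (NULL)` produces the -Wnonnull diagnostic; running `scan-build` over a caller that passes a possibly-NULL pointer straight to `greeting_length` produces the same "Null pointer passed as an argument to a 'nonnull' parameter" report shown above, while the boundary function `safe_greeting_length` is reported clean.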