------- Comment #3 from pgut001 at cs dot auckland dot ac dot nz 2008-06-10 09:02 ------- It's more than just a documentation bug, two different portions of gcc are interpreting this attribute in completely different ways, and the interaction between the two breaks otherwise perfectly valid code. The intended use of the nonnull attribute is to warn, at compile time, against the inadvertent use of NULL pointers where they should be nonnull. By overloading it to also change the way code generation works gcc is making it far too dangerous to use and more or less destroying its usefulness for its original application - a single error in counting parameters or applying the annotation and your otherwise fully correct code suddenly breaks. In fact gcc seems to be doing the opposite of what ISO WG 14 is proposing for this attribute, which was to add extra checking to make sure the attribute isn't NULL. gcc instead *removes* extra checking to make sure the attribute isn't NULL.
As it stands, gcc's interpretation of nonnull is unsafe at any speed, it doesn't reliably warn about NULL pointers, but it does reliably break your code when used. -- http://gcc.gnu.org/bugzilla/show_bug.cgi?id=36166
