Ian Lance Taylor wrote:
> [...] developers can not always be trusted. Instead, we assume that there is at
> least one trusted developer who can add warn_unused_result when
> appropriate. Then the compiler arranges matters such that other developers
> can not easily avoid the warning. Thus security is, ideally, increased.
>
> I would interpret your suggestion as being that we should abandon the
> security goals of warn_unused_result, and settle for the weaker version which
> glibc and Debian seem to want. Perhaps that is the correct way to go. But
> it does not seem so to me.
The problem with the suggested scenario with one trusted developer that uses this option is that other developers won't see these warnings at all. However, IMO we can have our cake and eat it too -- and, leave most of the involved parties generally happy...er.

Say, we allow the void-casting to suppress the warning but we have yet another compilation flag (or macro) which the trusted developer can turn on to get warnings on the void-casted calls too. This way, regular developers can suppress the warning where they believe it should be suppressed while the code reviewer still can see all such suppressed warnings.

So, the regular developers will be able to see the warnings -- and either fix or easily suppress them. And the security (provided by the code reviewer armed with that other flag/macro) won't be compromised.

Denis
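The "flag or macro" proposal above can be sketched in a few lines of C. This is an added example written for this page, not code from the thread, from GCC or from glibc; the macro names MUST_CHECK, IGNORE_RESULT and REVIEW_UNUSED_RESULTS and the helper functions are this example's own. Regular builds silence a deliberately ignored warn_unused_result call by consuming the value; the reviewer compiles with -DREVIEW_UNUSED_RESULTS, the macro then expands to the bare call, and every suppressed site warns again under -Wunused-result (which GCC enables by default once the attribute is present).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical wrapper for the attribute the thread discusses; the macro
   name is this example's own, not part of GCC or glibc. */
#if defined(__GNUC__)
#  define MUST_CHECK __attribute__((warn_unused_result))
#else
#  define MUST_CHECK
#endif

/* Hypothetical suppression macro implementing the proposal: ordinary builds
   assign the result to a local, which counts as a use, so GCC stays quiet.
   A reviewer building with -DREVIEW_UNUSED_RESULTS gets the bare call
   instead, so every site that used the macro warns again. */
#ifdef REVIEW_UNUSED_RESULTS
#  define IGNORE_RESULT(call) (call)
#else
#  define IGNORE_RESULT(call) \
    do { __typeof__(call) ignored_result_ = (call); (void)ignored_result_; } while (0)
#endif

/* Bounded string copy whose result must be checked: returns 0 when src fit,
   -1 when it was truncated to cap-1 bytes (dst is NUL-terminated whenever
   cap > 0). */
static MUST_CHECK int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return -1;
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Checked caller: returns 1 if the copy fit, 0 if it was truncated. */
static int copy_and_check(char *dst, size_t cap, const char *src)
{
    return copy_bounded(dst, cap, src) == 0;
}

/* Best-effort caller that intentionally discards the result (say, a
   diagnostic string where truncation is acceptable). As a bare statement
   this line warns; wrapped in IGNORE_RESULT it is silent for regular
   developers and visible again in the reviewer's build. */
static void copy_best_effort(char *dst, size_t cap, const char *src)
{
    IGNORE_RESULT(copy_bounded(dst, cap, src));
}

/* Scenarios on constructed input so the behaviour can be asserted. */
int demo_fits(void)            /* "hello" into 8 bytes: fits, returns 1 */
{
    char buf[8];
    return copy_and_check(buf, sizeof buf, "hello");
}

int demo_truncated(void)       /* "hello, world" into 8 bytes: returns 0 */
{
    char buf[8];
    return copy_and_check(buf, sizeof buf, "hello, world");
}

int demo_best_effort_len(void) /* result ignored; buffer keeps 7 chars */
{
    char buf[8];
    memset(buf, 'x', sizeof buf);
    copy_best_effort(buf, sizeof buf, "hello, world");
    return (int)strlen(buf);
}

int main(void)
{
    return (demo_fits() == 1 && demo_truncated() == 0 &&
            demo_best_effort_len() == 7) ? 0 : 1;
}
```

Compile it twice to see the two modes: `gcc -Wall example.c` is clean, while `gcc -Wall -DREVIEW_UNUSED_RESULTS example.c` reports "ignoring return value of 'copy_bounded', declared with attribute warn_unused_result" at the single IGNORE_RESULT site, which is exactly the list of suppressed calls the reviewer wanted.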