I have this simple function to free a linked list:

    void freeips(struct ips *p)
    {
        while (p) {
            struct ips *thisip = p;
            p = thisip->next;
            free(thisip);
        }
    }

I accidentally annotated this as __attribute__ ((nonnull (1))) and called it with a NULL argument. This still worked as long as I was building with -g. Once I built this in release mode it crashed (correctly). I would like to have some sort of automatic assert once I annotate a function this way. So when I build this function annotated and pass NULL, I get a meaningful crash and I can debug this. If I need to explicitly switch this on by a command line switch, that's fine for me.
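An added illustration of the failure mode in the report (not code from the reporter or from GCC): once a parameter carries nonnull, the optimizer may treat a NULL test inside the callee as dead code, which is exactly why the `while (p)` guard vanished in the release build. The example keeps the reporter's loop unannotated because the loop itself is the NULL handling, applies nonnull only to a function that genuinely dereferences its argument, and moves the optional diagnostic check to the call site. The `REQUIRE_NONNULL` macro (enabled with `-DNONNULL_CHECKS`), the `struct ips` layout and the `make_list`/`check_list` helpers are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed node layout; the report only shows the `next` field. */
struct ips {
    unsigned addr;
    struct ips *next;
};

/* The reporter's loop, deliberately left without nonnull(1): the
 * `while (p)` test is the NULL handling, and the attribute would allow
 * the optimizer to drop that very test. Returns the number of nodes freed. */
size_t freeips(struct ips *p)
{
    size_t freed = 0;
    while (p) {
        struct ips *thisip = p;
        p = thisip->next;
        free(thisip);
        freed++;
    }
    return freed;
}

/* A function whose contract really is "never NULL": it dereferences p
 * unconditionally, so the attribute states a true precondition. */
__attribute__((nonnull(1)))
unsigned first_addr(const struct ips *p)
{
    return p->addr;
}

/* Optional call-site check (constructed helper, not a GCC feature).
 * It lives at the call site rather than inside the callee because inside
 * a nonnull-annotated callee the compiler may assume the pointer is
 * non-NULL and remove the comparison. Build with -DNONNULL_CHECKS. */
#ifdef NONNULL_CHECKS
#define REQUIRE_NONNULL(ptr)                                             \
    do {                                                                 \
        if ((ptr) == NULL) {                                             \
            fprintf(stderr, "%s:%d: NULL passed for " #ptr "\n",         \
                    __FILE__, __LINE__);                                 \
            abort();                                                     \
        }                                                                \
    } while (0)
#else
#define REQUIRE_NONNULL(ptr) ((void)0)
#endif

/* Build a list of n nodes with addresses 1..n (constructed test data). */
struct ips *make_list(size_t n)
{
    struct ips *head = NULL;
    while (n > 0) {
        struct ips *node = malloc(sizeof *node);
        if (node == NULL) {
            freeips(head);
            return NULL;
        }
        node->addr = (unsigned)n;
        node->next = head;
        head = node;
        n--;
    }
    return head;
}

/* Exercise both paths on a fresh list of n nodes: returns the first
 * address, or 0 for an empty list, and always frees what it built. */
unsigned check_list(size_t n)
{
    struct ips *list = make_list(n);
    unsigned first = 0;
    if (list != NULL) {
        REQUIRE_NONNULL(list);
        first = first_addr(list);
    }
    freeips(list);
    return first;
}

int main(void)
{
    printf("first address of a 3-node list: %u\n", check_list(3));
    printf("nodes freed from NULL: %zu\n", freeips(NULL));
    return 0;
}
```

Compiling with `-fsanitize=undefined` additionally reports a NULL passed to a nonnull-annotated parameter at run time, which is the check the later comments in this thread point to.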
I put it here to avoid being marked as a duplicate. I also wanted to propose nonnull checks, but they should be enabled by FORTIFY_SOURCE. In glibc we played with the idea of scanning headers for the nonnull attribute and automatically generating wrappers for these functions. Then, by LD_PRELOADing these, enable extra checks if the attribute is null. We realized that offloading this functionality to gcc is better, as it will cover everybody that annotates prototypes with nonnull, and checks when the pointer is known to be nonnull can be avoided.
As per http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html, the annotation on the example function there "causes the compiler to check that, in calls to my_memcpy, arguments dest and src are non-null." Is this a documentation bug, or does the functionality that you're asking for already exist? (My guess is that this is a documentation bug. If so, a patch to fix it may call some attention to this feature request!)
> As per http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html, the
> annotation on the example function there "causes the compiler to check that, in
> calls to my_memcpy, arguments dest and src are non-null." Is this a
> documentation bug, or does the functionality that you're asking for already exist?

Gcc does not check that. Also, this is not a documentation request but a request to add checks when _FORTIFY_SOURCE is defined. This would also mostly solve the following bug: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17308
_FORTIFY_SOURCE is not a debug mode you put all kinds of extra checks into.
I think -fsanitize should already detect this at run time, but GCC could indeed warn for those cases that it detects. *** This bug has been marked as a duplicate of bug 17308 ***