This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug c/30043] New: __attribute__((nonull(...))) and silent optimizations
- From: "madcoder at debian dot org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 1 Dec 2006 21:23:47 -0000
- Subject: [Bug c/30043] New: __attribute__((nonull(...))) and silent optimizations
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
When a coder (erroneously) writes code like this:

    #include <ctype.h>
    #include <string.h>

    /* declaration, as found in the header file */
    char *m_strrtrim(char *s) __attribute__((nonnull(1)));

    /* implementation */
    char *m_strrtrim(char *s)
    {
        int len = s ? strlen(s) : 0;
        while (len > 1 && isspace((unsigned char)s[len - 1]))
            len--;
        return s + len;
    }

Then gcc uses the __attribute__((nonnull(1))) — which again is a
programming mistake — to optimize the check of s being NULL or not. That
is very correct from a compiling point of view, but it generated segfaults in
my code, which I had a very hard time finding, because of it being in the
header file rather than in the implementation where I looked for it (as the
backtrace pointed me to that function).
I suppose that gcc does the optimization because it knows that 's' is non-NULL,
though it should make a distinction between s being non-NULL because it knows
so (e.g. because s is a local buffer) or because it comes from a programmer
assertion.
When it's the latter, it should warn about any trivial test, like it does when
you test if an unsigned int is greater than or equal to 0, for example. What I
mean is that:

    __attribute__((nonnull(1))) void foo(char *s) {
        if (!s) {
            if (!s) {
                // do something
            }
        }
    }

Here, the first test on s SHOULD NOT be optimized silently, because at this
point s is marked as being NONNULL thanks to a /programmer/ assertion, not
constant folding. I don't know about the second though, maybe it's worth
warning, maybe not.
--
Summary: __attribute__((nonull(...))) and silent optimizations
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: enhancement
Priority: P3
Component: c
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: madcoder at debian dot org
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=30043
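
The pitfall reported above, restructured defensively as an added example (not code from the original report or from GCC): the NULL-tolerant entry point carries no nonnull attribute, so its check cannot be folded away, and the attribute sits only on the function whose contract really excludes NULL. The names m_strrtrim_checked and m_strrtrim_nn are hypothetical; -Wnonnull-compare is available in GCC 6 and later.

```c
/* Added illustration; m_strrtrim_checked and m_strrtrim_nn are hypothetical
 * names. Build with: gcc -O2 -Wall -Wnonnull-compare example.c */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- what the header would declare --- */

/* Accepts NULL, so it must NOT carry nonnull: with the attribute present,
 * the NULL test in its body may be removed by the optimizer. */
char *m_strrtrim_checked(char *s);

/* Contract is "s is never NULL"; the attribute states that to the compiler
 * and lets -Wnonnull flag callers that pass a literal NULL. */
char *m_strrtrim_nn(char *s) __attribute__((nonnull(1)));

/* --- implementation --- */

char *m_strrtrim_nn(char *s)
{
    /* No NULL test here: it would be dead code under the attribute, and
     * -Wnonnull-compare would report it. */
    size_t len = strlen(s);

    while (len > 1 && isspace((unsigned char)s[len - 1]))
        len--;
    return s + len;   /* same trimming loop as in the report */
}

char *m_strrtrim_checked(char *s)
{
    if (s == NULL)    /* survives optimization: s is not marked nonnull */
        return NULL;
    return m_strrtrim_nn(s);
}

int main(void)
{
    char buf[] = "abc  \t";   /* constructed sample input */

    printf("offset=%td null=%p\n", m_strrtrim_checked(buf) - buf,
           (void *)m_strrtrim_checked(NULL));
    return 0;
}
```

Keeping the attribute on the declaration that callers see and the checks in an unannotated wrapper makes the header and the implementation state the same contract, which is the mismatch that hid the segfault in the report.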