std::string add nullptr attribute
Jonny Grant
jg@jguk.org
Mon Feb 20 11:38:11 GMT 2023
On 20/02/2023 11:10, Gabriel Ravier wrote:
> On 2/20/23 11:54, Xi Ruoyao via Gcc-help wrote:
>> On Mon, 2023-02-20 at 10:37 +0000, Jonathan Wakely wrote:
>>> On Mon, 20 Feb 2023 at 10:26, Xi Ruoyao <xry111@xry111.site> wrote:
>>>> On Sun, 2023-02-19 at 21:33 +0000, Jonny Grant wrote:
>>>>
>>>>> I noticed -Wanalyzer-null-dereference reports at build time a
>>>>> dereference. Also works if a function parameter. I wondered why
>>>>> std::string isn't detected by this static analyser option.
>>>> Because the analyzer does not know the C++ standard disallows to use
>>>> NULL here. It just analyzes the code. The code in libstdc++ reads:
>>>>
>>>> basic_string(const _CharT* __s, const _Alloc& __a = _Alloc())
>>>> : _M_dataplus(_M_local_data(), __a)
>>>> {
>>>> // NB: Not required, but considered best practice.
>>>> if (__s == 0)
>>>> std::__throw_logic_error(__N("basic_string: "
>>>> "construction from null is not valid"));
>>>> const _CharT* __end = __s + traits_type::length(__s);
>>>> _M_construct(__s, __end, forward_iterator_tag());
>>>> }
>>>>
>>>> As you can see yourself, though the standard implies using NULL here is
>>>> a UB, libstdc++ does not really code a UB here. So the analyzer will
>>>> consider the code absolutely valid.
>>> Right, it's defined behaviour in libstdc++, as an extension.
>>>
>>>> Note that throwing a C++ exception is not a programming error. It's
>>>> perfectly legal to catch the exception elsewhere. It's also perfectly
>>>> legal not to catch it and treat it as an abort() (calling abort is also
>>>> not a programming error).
>>>>
>>>>
>>>>> It's not pretty, but this wrapper catches NULL passed at compile time:
>>>>>
>>>>> std::string make_std_string(const char * const str)
>>>>> {
>>>>> // This line ensures: warning: dereference of NULL '0' [CWE-476]
>>>>> [-Wanalyzer-null-dereference]
>>>>> char b = *str;
>>>> You are invoking an undefined behavior here if str is NULL, so it's
>>>> essentially same as using a nonnull attribute for make_std_string.
>>> And turned defined behaviour back into UB. The warning isn't reliable
>>> (only if the compiler can see the point is null, which isn't the case
>>> without optimization, or if the pointer comes from some non-inline
>>> function), the exception is. You're trading guaranteed exception for a
>>> not guaranteed warning and unbounded misoptimization due to undefined
>>> behaviour.
>> Well, maybe we should have a warning here with -Wpedantic (or something)
>> as the standard does not allow people to pass NULL and expect a
>> logic_error. But "deliberately making a UB to raise the warning" is not
>> good.
>
> This is the kind of thing that makes me wonder why there isn't some kind of `__builtin_unreachable_do_not_optimize()` builtin that allows one to mark places in code that should never be reached and should thus be warned about if such a thing happens while at the same time never doing any optimization on the basis of the presence of the call.
>
That sounds really useful. So something would give a useful build warning?
<source>:6:8: warning: dereference of NULL '0' [CWE-476] [-Wanalyzer-null-dereference]
12 | char b = *str;
void f(const char * str)
{
if(NULL == str)
{
__builtin_unreachable_do_not_optimize();
}
__builtin_printf(str);
}
Regards, Jonny
More information about the Gcc-help
mailing list