Re: [PATCH v3 3/4] cleanup: Annotate guard constructors with __nonnull()

Re: [PATCH v3 3/4] cleanup: Annotate guard constructors with __nonnull()

[Miguel Ojeda]

On Mon, May 18, 2026 at 5:22 PM Dmitry Ilvokhin <d@ilvokhin.com> wrote:
>
> Add __nonnull() to unconditional guard constructors so the compiler
> verifies at each call site that NULL is never passed:

> This provides automated, compiler-enforced verification that no
> unconditional guard constructor receives NULL.

I wouldn't say "verify", since the compiler does a best-effort here
with the information it has statically.

In other words, the attribute does not prevent NULL pointers to be passed.

> + *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-nonnull-function-attribute

Hmm... It appears GCC has changed the docs in commit 6e3c137f5dbb
("doc: Merge function, variable, type, and statement attribute
sections [PR88472]"), dropping the per-kind attribute pages.

So the right link would need to be now:

  https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-nonnull

I will need to send a patch to fix the other links.

> + * clang: https://clang.llvm.org/docs/AttributeReference.html#nonnull

I think this link goes to `_Nonnull` -- the GNU one is instead:

  https://clang.llvm.org/docs/AttributeReference.html#id10

(I don't love the numeric IDs, though, since they break, so I think it
is fine either way -- the `_Nonnull` is fairly close to the one we
want and I hope that one doesn't break)

> + */
> +#define __nonnull(x...)                        __attribute__((__nonnull__(x)))

This is indeed available for a long time, and we already use it
elsewhere in the kernel tree (which would be nice to clean up
separately).

If you don't mind, please place it before `__nonstring__` (the file is
meant to be sorted by the actual attribute name -- there are a few
instances where this is not the case anymore, which I will eventually
clean up)

Thanks!

Cheers,
Miguel

Re: [PATCH v3 3/4] cleanup: Annotate guard constructors with __nonnull()

[Dmitry Ilvokhin]

On Mon, May 18, 2026 at 08:19:35PM +0200, Miguel Ojeda wrote:
> On Mon, May 18, 2026 at 5:22 PM Dmitry Ilvokhin <d@ilvokhin.com> wrote:
> >
> > Add __nonnull() to unconditional guard constructors so the compiler
> > verifies at each call site that NULL is never passed:
> 
> > This provides automated, compiler-enforced verification that no
> > unconditional guard constructor receives NULL.
> 
> I wouldn't say "verify", since the compiler does a best-effort here
> with the information it has statically.
> 
> In other words, the attribute does not prevent NULL pointers to be passed.

Fair enough.

I'll re-word this paragraph as "Add __nonnull() to unconditional guard
constructors so the compiler warns when NULL is statically known to be
passed" and drop the "compiler-enforced verification" paragraph.

> 
> > + *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-nonnull-function-attribute
> 
> Hmm... It appears GCC has changed the docs in commit 6e3c137f5dbb
> ("doc: Merge function, variable, type, and statement attribute
> sections [PR88472]"), dropping the per-kind attribute pages.
> 
> So the right link would need to be now:
> 
>   https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-nonnull
> 
> I will need to send a patch to fix the other links.

Fixed locally. Thanks!

> 
> > + * clang: https://clang.llvm.org/docs/AttributeReference.html#nonnull
> 
> I think this link goes to `_Nonnull` -- the GNU one is instead:
> 
>   https://clang.llvm.org/docs/AttributeReference.html#id10
> 
> (I don't love the numeric IDs, though, since they break, so I think it
> is fine either way -- the `_Nonnull` is fairly close to the one we
> want and I hope that one doesn't break)

I don't quite like numeric IDs either. There is only one #id reference
in include/linux/compiler_attributes.h and link is already dead. I'll
keep current link since it gives at least some clue what to look for on
the page.

> 
> > + */
> > +#define __nonnull(x...)                        __attribute__((__nonnull__(x)))
> 
> This is indeed available for a long time, and we already use it
> elsewhere in the kernel tree (which would be nice to clean up
> separately).

> 
> If you don't mind, please place it before `__nonstring__` (the file is
> meant to be sorted by the actual attribute name -- there are a few
> instances where this is not the case anymore, which I will eventually
> clean up)

Thanks, fixed locally.

> 
> Thanks!
> 
> Cheers,
> Miguel

Re: [PATCH v3 3/4] cleanup: Annotate guard constructors with __nonnull()

[Miguel Ojeda]

On Tue, May 19, 2026 at 1:54 PM Dmitry Ilvokhin <d@ilvokhin.com> wrote:
>
> Thanks, fixed locally.

Sounds good, thanks!

Acked-by: Miguel Ojeda <ojeda@kernel.org>

Cheers,
Miguel