Re: [Qemu-devel] [RFC PATCH v1 0/5] Add error_abort and associated cleanups

[Eric Blake <eblake@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 1319 bytes --]

On 12/04/2013 02:11 AM, Markus Armbruster wrote:

> No objection to asserting that the caller passed an error object when
> the error object is the only way to signal failure.  You can't force
> your callers to check for failure, but the assertion could help prevent
> accidental misuse.
> 
> Assertions fire at run-time, though.

Unfortunately true.

> 
> Asserting "argument not null" first thing in the function should enable
> a sufficiently smart whole-program static checker to flag null
> arguments.

Coverity is such a checker; I think clang can as well.

> 
> But having such a static check right at compile-time would be much
> better.  Could attribute nonnull do it?  If yes, do we still need the
> assertion?

gcc's implementation of attribute nonnull is complete trash.  And the
gcc developers know it.  The attribute is still useful for Coverity, but
at least in libvirt, we have taken to using the attribute ONLY when
compiling under a static checker and omitting it under gcc because gcc's
implementation of the attribute is so horribly botched.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17308

So even with attribute nonnull, you still need the assertion.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]