Differential D9004
Addition of clang nullability attributes. Authored by pfg on Dec 30 2016, 9:55 PM. Tags None Referenced Files
Subscribers
Details Add two new attributes for use in static checkers: _Nonnull _Nullable These seem to have been introduced in Clang 3.7: Currently building world with them.
Diff Detail
Event TimelineComment Actions Learn a bit more from Bionic's libc. The cdefs.h definition in Android is a bit different, since it's known Most of our uses of the __nonnull attribute were based on Bionic so The difference is: "Unlike the nonnull attribute, this annotation indicated that a value More information at: Comment Actions Minor updates. Comment Actions Ugh! Use of these attributes breaks the build in ugly ways. For example: in file included from
/scratch/tmp/pfg/head/contrib/llvm/projects/libunwind/src/libunwind.cpp:27:
In file included from
/scratch/tmp/pfg/head/contrib/llvm/projects/libunwind/src/UnwindCursor.hpp:19:
/scratch/tmp/pfg/obj/i386.i386/scratch/tmp/pfg/head/tmp/usr/include/pthread.h:149:26:
error: pointer is missing a nullability type specifier (_Nonnull,
_Nullable, or _Null_unspecified) [-Werror,-Wnullability-completeness]
int pthread_atfork(void (*)(void), void (*)(void), void (*)(void));
^
/scratch/tmp/pfg/obj/i386.i386/scratch/tmp/pfg/head/tmp/usr/include/pthread.h:151:33:
error: pointer is missing a nullability type specifier (_Nonnull,
_Nullable, or _Null_unspecified) [-Werror,-Wnullability-completeness]
int pthread_attr_getstack(const pthread_attr_t * _Nonnull __restrict,
^
/scratch/tmp/pfg/obj/i386.i386/scratch/tmp/pfg/head/tmp/usr/include/pthread.h:152:8:
error: pointer is missing a nullability type specifier (_Nonnull,
_Nullable, or _Null_unspecified) [-Werror,-Wnullability-completeness]
void ** _Nonnull __restrict, size_t * _Nonnull
__restrict);
^
/scratch/tmp/pfg/obj/i386.i386/scratch/tmp/pfg/head/tmp/usr/include/pthread.h:153:37:
error: pointer is missing a nullability type specifier (_Nonnull,
_Nullable, or _Null_unspecified) [-Werror,-Wnullability-completeness]
...More investigation will be required :(. Comment Actions The '__nonnull()' attribute is rather dangerous, it seems reasonable to replace it with the '_Nonnull' qualifier. Unfortunately it seems like a lot more changes than those from either bionic or Apple are required to build cleanly. Turning off -Wnullability-completeness is not an option. I will abandon this revision and will be back when/if I get something working :(. Comment Actions I figured it out: We need to add pragmas to the headers where we use nullablity specifiers, While this approach is the same used in Android, Apple appears to build Comment Actions More cleanups: the pragmas have to appear before *any* pointer is This passes a tinderbox build. Comment Actions I suspect this is fine (haven't yet looked in detail). Is turning off -Wnullability-completeness a nonstarter because we have some headers that are already completely annotated and want to prevent new, unannotated declarations from appearing? Comment Actions Sort of: we can'r really annotate everything without adding a lot of annotations. As soon as the compiler sees *one* annotation, it complains about all other pointers that haven't been annotated, therefore we need to turn off the warnings. For reference, the patch uses this inspiration: I haven't yet added nonnull checks in the stdlib string functions that are in Glibc and that Android carries. the new _Nonnull qualifier is safe enough that we should probably consider those as well. Comment Actions I see, but you write
I'm curious why it's not an option. Comment Actions Adding it as a global option would certain solve any buildworld issues cleanly. Comment Actions
Of course, very good point. Thank you. Comment Actions Update some of the threading functions. Comment Actions Why is this useful at all ? IMO it adds enormous and useless noise to the headers, while providing a doubtful value, if any. If only referencing pthread*(3) functions, POSIX recommends that implementations detect invalid or uninitialized pointer to pthread_t and return EINVAL in that case. Our libthr usually checks for the pthread pointer == NULL and returns EINVAL in this case. More, apps might reasonably rely on this behavior and knowingly use it.
Comment Actions Note that I am only replacing the very dangerous GCC __nonnull__ attribute with the much more benign clang _Nonnull. Most cases were pre-existing, except for some functions where we are followinh Apple Darwin, in the hope of being more firendly to swift (and clang in the Mac)
We introduced those after review in D2101 following Android. The idea is that it is very easy to get threading wrong so the extra warnings are useful. The previously-existing attributes actually "optimized" away the NULL checks. Android since then have acknowledged that such attributes are wrong and replaced them with the corresponding clang qualifier (which doesn't do stupid things). I will fix the issues you found and update the revision .. Thanks!
Comment Actions Update to bring the pop pragmas. I left the copyinstr(9) as it is for consistency with the previous Comment Actions 0 is absolutely (potentially) valid pointer to a userspace string. More, in past there were ABIs where there was a zero-length string located at address zero. Comment Actions OK, so these are wrong since r117837, although I see it wouldn't make much sense to call this with an explicit NULL. I will remove it and I guess I should do some partial MFC to avoid completely the GCC __nonnull__ attribute. Furthermore I think __nonnull() should be removed from cdefs.h, at least from current. Comment Actions Looking at deprecating the __nonnull() attribute completely, I found a There are also a couple of uses in Comment Actions Add check for nullability feature before using the pragmas. I am currently touching many critical headers so I will request an Comment Actions I like the idea, but I think it would make more sense to do this a bit more slowly. For example, we could use this change to add stubs for these keywords for old compilers to sys/cdefs.h. Then we could decide to add these annotations header by header and not add those #pragma directives at all. Simply annotate a header file entirely or don't do it at all. Thoughts? Comment Actions The stubs are in place already since r310977, this had to be done so that the GCC ports have ample time to catch up.. MFC's are a problem due to the way GCC forks our C headers. My plan was to remove the __nonnull() in a different commit.
Annotating all the headers would make them pretty much unreadable: we would have to add _Null_unspecified to almost every pointer. I would feel happier if there were a nice macro to deal with the pragmas: something like we do for __BEGIN_DECLS and __END_DECLS. Comment Actions
Something like this: /*
* Nullability qualifiers: currently only supported by Clang.
*/
#if !(defined(__clang__) && __has_feature(nullability))
#define _Nonnull
#define _Nullable
#define __BEGIN_NULLABILITY
#define __END_NULLABILITY
#else
#define __BEGIN_NULLABILITY _Pragma("clang diagnostic push") \
_Pragma("clang diagnostic ignored \"-Wnullability-completeness\"")
#define __END_NULLABILITY _Pragma("clang diagnostic pop")
#endifHowever _Pragma was introduced in C99, so bde@ would probably object. Comment Actions Trying the _Pragma suddenly doesn't look like a bad idea after all: if GCC adopts Any comments? Comment Actions I was not very happy about the old naming for the macros so I have new NULLABILITY_PRAGMA_PUSH At least now we know what the macros do. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||