Nullable/Notnull : syntax proposal

[sarnold]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71
Please read it and tell me what you think of it.

Regards,
Stéphane A.

 

[Richard]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71
Please read it and tell me what you think of it.

Regards,
Stéphane A.

Simplify it. There is no need for "nullable" since it's already there.

In addition I think it's a silly idea. Just wrap malloc to do what you want to
do rather than have the assignment to a notnull variable. Much more
efficient. Otherwise every time you assign to a notnull the system will
be performing these checks.

 

[Ben Pfaff]

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.

How does this relate to the GCC extension that provides for a
"nonnull" attribute on function arguments? Here is the
documentation for the GCC extension:

`nonnull (ARG-INDEX, ...)'
The `nonnull' attribute specifies that some function parameters
should be non-null pointers. For instance, the declaration:

extern void *
my_memcpy (void *dest, const void *src, size_t len)
__attribute__((nonnull (1, 2)));

causes the compiler to check that, in calls to `my_memcpy',
arguments DEST and SRC are non-null. If the compiler determines
that a null pointer is passed in an argument slot marked as
non-null, and the `-Wnonnull' option is enabled, a warning is
issued. The compiler may also choose to make optimizations based
on the knowledge that certain function arguments will not be null.

If no argument index list is given to the `nonnull' attribute, all
pointer arguments are marked as non-null. To illustrate, the
following declaration is equivalent to the previous example:

extern void *
my_memcpy (void *dest, const void *src, size_t len)
__attribute__((nonnull));

By the way, comp.std.c would be a better place to discuss this.
Followups set.

 

[pete]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71
Please read it and tell me what you think of it.

I don't need it.
I don't want it.
I don't like it.
I'm surprised it isn't already in C99.

 

[jacob navia]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71
Please read it and tell me what you think of it.

Regards,
Stéphane A.

You can assert a parameter not being null in standard C by

int function(int MyTable[static 1]);

This means that the parameter MyTable has at least one
element, i.e. it can't be NULL.

True, it is NOT a GREAT syntax but it is standard.

jacob

 

[santosh]

I am proposing to create two new keywords for C, [ ... ]

Since you are apparently proposing changes to the language the correct
group for that would be <news:comp.std.c>

 

[Richard]

I am proposing to create two new keywords for C, [ ... ]

Since you are apparently proposing changes to the language the correct
group for that would be <news:comp.std.c>

He is asking for C programmer's opinions. So here is perfectly valid.

 

[=?iso-2022-kr?q?=1B=24=29CHarald_van_D=0E=29=26=0F]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71 Please read it and tell me what
you think of it.

Regards,
Stéphane A.

You can assert a parameter not being null in standard C by

int function(int MyTable[static 1]);

Almost, but not quite.

This means that the parameter MyTable has at least one element, i.e. it
can't be NULL.

It means you can't call function with the result of malloc(1), while
occasionally (okay, rarely) that's actually useful.

 

[jacob navia]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71 Please read it and tell me what
you think of it.

Regards,
Stéphane A.

You can assert a parameter not being null in standard C by

int function(int MyTable[static 1]);

Almost, but not quite.

This means that the parameter MyTable has at least one element, i.e. it
can't be NULL.

It means you can't call function with the result of malloc(1), while
occasionally (okay, rarely) that's actually useful.

Can you explain what you say?

I didn't understand what you are saying.

 

[Jack Klein]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71
Please read it and tell me what you think of it.

No. Because...no.

Not even if you made them _Notnull and _Nullable, which I'm fairly
sure the committee would insist on to keep them in the implementation
namespace to avoid breaking existing code.

Just no.

--
Jack Klein
Home: http://JK-Technology.Com
FAQs for
comp.lang.c http://c-faq.com/
comp.lang.c++ http://www.parashift.com/c++-faq-lite/
alt.comp.lang.learn.c-c++
http://www.club.cc.cmu.edu/~ajo/docs/FAQ-acllc.html

 

[Eric Sosman]

Hello,

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are
verified at compile-time. It should not require additional runtime-
checks
to be implemented.
I have posted my description of how it should work at this URL:
http://sarnold.free.fr/wordpress/?p=71
Please read it and tell me what you think of it.

Your proposal should describe why the proposed feature
would be useful, why it would make life better for programmers
and/or improve the quality of programs. If the information
is already there, it is presented too subtly for me to grasp.

By the way, the example with free() is not well-chosen.
The behavior of free() with a NULL argument is well-defined;
there is no need to assert that the argument cannot be NULL,
because it can be. Perhaps an example with fclose() or
strlen() would raise fewer eyebrows.

 

[Richard]

Your proposal should describe why the proposed feature
would be useful, why it would make life better for programmers
and/or improve the quality of programs. If the information
is already there, it is presented too subtly for me to grasp.

It is pretty obvious what "notnull" means. But as I said in a previous
post if the use is limited to allocation assignments better to do the
checks and relevant dumps in the allocation functions themselves.

 

[=?iso-2022-kr?q?=1B=24=29CHarald_van_D=0E=29=26=0F]

You can assert a parameter not being null in standard C by

int function(int MyTable[static 1]);

Almost, but not quite.

This means that the parameter MyTable has at least one element, i.e.
it can't be NULL.

It means you can't call function with the result of malloc(1), while
occasionally (okay, rarely) that's actually useful.

Can you explain what you say?

I didn't understand what you are saying.

Assuming sizeof(int) > 1, and some free memory, malloc(1) is a non-null
pointer that doesn't point to at least one int. So if you pass that
pointer to a function defined as taking int[static 1], the behaviour is
undefined. If you could specify a function as needing a non-null pointer,
it would (presumably) be allowed, since it is a valid pointer which is not
a null pointer.

 

[jacob navia]

On Sun, 04 Nov 2007 18:53:49 +0100, jacob navia wrote:
You can assert a parameter not being null in standard C by

int function(int MyTable[static 1]);
Almost, but not quite.

This means that the parameter MyTable has at least one element, i.e.
it can't be NULL.
It means you can't call function with the result of malloc(1), while
occasionally (okay, rarely) that's actually useful.

Can you explain what you say?

I didn't understand what you are saying.

Assuming sizeof(int) > 1, and some free memory, malloc(1) is a non-null
pointer that doesn't point to at least one int. So if you pass that
pointer to a function defined as taking int[static 1], the behaviour is
undefined. If you could specify a function as needing a non-null pointer,
it would (presumably) be allowed, since it is a valid pointer which is not
a null pointer.

I think the "static 1" means that you have AT LEAST 1 int (in this case)

This means that passing a pointer to a buffer less than sizeof(int)
is illegal. Of course you can pass a non null pointer to a wrong
buffer but the interface requirements mean that the pointer points
to a buffer AT LEAST bigger than sizeof(int).

 

[=?iso-2022-kr?q?=1B=24=29CHarald_van_D=0E=29=26=0F]

Harald van Dijk wrote:
On Sun, 04 Nov 2007 18:53:49 +0100, jacob navia wrote:
You can assert a parameter not being null in standard C by

int function(int MyTable[static 1]);
Almost, but not quite.

This means that the parameter MyTable has at least one element, i.e.
it can't be NULL.
It means you can't call function with the result of malloc(1), while
occasionally (okay, rarely) that's actually useful.
Can you explain what you say?

I didn't understand what you are saying.

Assuming sizeof(int) > 1, and some free memory, malloc(1) is a non-null
pointer that doesn't point to at least one int. So if you pass that
pointer to a function defined as taking int[static 1], the behaviour is
undefined. If you could specify a function as needing a non-null
pointer, it would (presumably) be allowed, since it is a valid pointer
which is not a null pointer.

I think the "static 1" means that you have AT LEAST 1 int (in this case)
Exactly.

This means that passing a pointer to a buffer less than sizeof(int) is
illegal.
Exactly.

Of course you can pass a non null pointer to a wrong buffer but
the interface requirements mean that the pointer points to a buffer AT
LEAST bigger than sizeof(int).

Which means int[static 1] is a stronger requirement than what
int *nonnull would mean if nonnull existed as a keyword.

 

[Stephen Sprunk]

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.
Their meaning is a sort of 'design by contract', ensuring some rules
are verified at compile-time. It should not require additional runtime-
checks to be implemented.

I don't see the point if there's no runtime checking. A compile-time check
could only flag cases where a pointer _might_ be null, but any pointer
_might_ be null if you don't know where it came from.

For this to be useful, you'd need to do the checks at runtime; that
basically boils down to the compiler inserting an assert() for the
programmer either before each assignment and either before each function
call or after each function entry. If I wanted that (and I almost always
do), I'd put the necessary assert()s in myself, or use some sort of if/else
logic for more friendly results.

S

 

[Christopher Benson-Manica]

I am proposing to create two new keywords for C, 'notnull' and
'nullable'.

Your proposal should describe why the proposed feature
would be useful, why it would make life better for programmers
and/or improve the quality of programs. If the information
is already there, it is presented too subtly for me to grasp.

<topicality level="dubious">

I may be mistaken, but I suspect that OP's motivation for proposing
this change stems from the @NotNull and @Nullable annotations provided
by certain Java IDE's. Within the context of an IDE, the "nullable"
and "notnull" keywords could have significant value, as the IDE could
warn you prior to compilation that

void foo( notnull void *bar ) {
/* ... */
}

void baz() {
void *qux = NULL;
/* Oops, forgot to initialize pointer */
foo( qux );
}

probably represents an error. It seems to me that it would be
slightly less distasteful to the Committee to propose an annotation
mechanism similar to Java's, where an annotation (possibly in the Java
style) could be prepended to any variable or definition, where the
meaning of any such annotation would be implementation-defined.

That said, Java and C are generally (IMVHO) developed in
different styles - Java developers are much more likely to develop
using IDE's that can benefit from such annotations than C developers
(if indeed there are any IDE's for C of that level of sophistication).
I don't see a lot of use in a language change which would
realistically only benefit a small subset of C programmers.

 

[Eric Sosman]

Christopher Benson-Manica wrote On 11/06/07 11:07,:

Your proposal should describe why the proposed feature
would be useful, why it would make life better for programmers
and/or improve the quality of programs. If the information
is already there, it is presented too subtly for me to grasp.

<topicality level="dubious">

I may be mistaken, but I suspect that OP's motivation for proposing
this change stems from the @NotNull and @Nullable annotations provided
by certain Java IDE's. Within the context of an IDE, the "nullable"
and "notnull" keywords could have significant value, as the IDE could
warn you prior to compilation that

void foo( notnull void *bar ) {
/* ... */
}

void baz() {
void *qux = NULL;
/* Oops, forgot to initialize pointer */
foo( qux );
}

probably represents an error. [...]

Maybe I'm just being dense today (or this year, or
this life), but I still don't get it. Drop the silly
initialization, and a good compiler will *already* warn
about the probable error -- and not just for pointers,
either.

As far as I can see, the only "use case" is for
variations on

char *p = malloc(strlen(s) + 1);
/* no NULL check here */
strcpy (p, s);

This is a class of error I can't recall having made (I
make others instead), so I'm not especially attracted by
machinery that helps me solve a problem I don't have.

A way to make assertions about values might be a
useful thing, but I think it should be in a more general
framework than just NULL-or-not.

 

[Richard Heathfield]

Christopher Benson-Manica said:

void baz() {
void *qux = NULL;
/* Oops, forgot to initialize pointer */

Wrong. qux has in fact been initialised.

 

[Mark McIntyre]

Drop the silly
initialization, and a good compiler will *already* warn
about the probable error -- and not just for pointers,
either.

Mind you, a compiler has no obligation to warn, and additionally
warnings can be ignored by the programmer / build engine, especially
when your code is packed with spurious warnings generated from your
implementation's headers. OTOH the OP's suggestion seems to be
intended to generate a fatal error message?

--
Mark McIntyre

"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it."
--Brian Kernighan