On 12/04/2013 02:11 AM, Markus Armbruster wrote:

> No objection to asserting that the caller passed an error object when
> the error object is the only way to signal failure.  You can't force
> your callers to check for failure, but the assertion could help prevent
> accidental misuse.
> 
> Assertions fire at run-time, though.

Unfortunately true.

> 
> Asserting "argument not null" first thing in the function should enable
> a sufficiently smart whole-program static checker to flag null
> arguments.

Coverity is such a checker; I think clang can as well.

> 
> But having such a static check right at compile-time would be much
> better.  Could attribute nonnull do it?  If yes, do we still need the
> assertion?

gcc's implementation of attribute nonnull is complete trash.  And the
gcc developers know it.  The attribute is still useful for Coverity, but
at least in libvirt, we have taken to using the attribute ONLY when
compiling under a static checker and omitting it under gcc because gcc's
implementation of the attribute is so horribly botched.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=17308

So even with attribute nonnull, you still need the assertion.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
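The libvirt convention Eric describes, as an added example (not libvirt's or QEMU's own code): the nonnull attribute is emitted only when a static checker is looking, while the run-time assertion stays in every build, because gcc documents that it may optimise on the assumption that a nonnull argument is never null, which can defeat the very check the assertion is meant to be. The `__COVERITY__`/`STATIC_ANALYSIS` macro test and the `Error` type are assumptions made for the example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Emit the attribute only for a static checker (macro names are assumed
 * here); a plain gcc build sees no attribute, so the assert below is not
 * treated as dead code. */
#if defined(__COVERITY__) || defined(STATIC_ANALYSIS)
# define ATTRIBUTE_NONNULL(m) __attribute__((__nonnull__(m)))
#else
# define ATTRIBUTE_NONNULL(m)
#endif

/* Minimal error object, constructed for this example. */
typedef struct Error {
    char msg[64];
} Error;

/* Callee where the error object is the only way to report failure:
 * returns the port on success, -1 on failure with *errp filled in. */
int parse_port(const char *text, Error **errp) ATTRIBUTE_NONNULL(2);

int parse_port(const char *text, Error **errp)
{
    /* Run-time guard against a caller that forgot to pass an error object;
     * the checker gets the same fact from the attribute at analysis time. */
    assert(errp != NULL);

    char *end = NULL;
    long v = strtol(text, &end, 10);
    if (*text == '\0' || *end != '\0' || v < 1 || v > 65535) {
        *errp = malloc(sizeof(**errp));
        if (*errp != NULL) {
            snprintf((*errp)->msg, sizeof((*errp)->msg),
                     "invalid port: %s", text);
        }
        return -1;
    }
    return (int)v;
}
```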