[libvirt] [PATCH 6/7] xend_internal.c: assure clang that we do not dereference NULL

Jim Meyering jim at meyering.net
Wed Apr 14 17:29:44 UTC 2010


Eric Blake wrote:
> On 04/14/2010 10:02 AM, Jim Meyering wrote:
>> From: Jim Meyering <meyering at redhat.com>
>>
>> * src/xen/xend_internal.c (xend_parse_sexp_desc_char): Add three
>> uses of sa_assert, each preceding a strchr(value,... to assure
>> clang that "value" is non-NULL.
>> ---
>>  src/xen/xend_internal.c |    3 +++
>>  1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/src/xen/xend_internal.c b/src/xen/xend_internal.c
>> index c4e73b7..950f1b5 100644
>> --- a/src/xen/xend_internal.c
>> +++ b/src/xen/xend_internal.c
>> @@ -1284,6 +1284,7 @@ xend_parse_sexp_desc_char(virBufferPtr buf,
>>          virBufferVSprintf(buf, "      <source path='%s'/>\n",
>>                            value);
>>      } else if (STREQ(type, "tcp")) {
>> +        sa_assert (value);
>>          const char *offset = strchr(value, ':');
>
> This introduces an expression before a declaration, even when sa_assert
> is empty.  I know that we already rely on several other C99 features
> (like __VA_ARGS__ from the preprocessor), but my understanding has been
> that we have been trying to stick with C89 declarations first still.
> Does this need to be refactored accordingly?

There have been others like this, and no one objected then.
Prohibiting stmt-after-decl is detrimental.
Take this example.  Prohibiting it here would change perfectly
usable/readable code into this longer and slightly inferior equivalent:
(inferior because it's longer and hence detracts from overall readability,
and because "offset" is now duplicated)

            const char *offset;
            sa_assert (value);
            offset = strchr(value, ':');

> Besides, xend_parse_sexp_desc_char already dereferences value at line
> 1224;

True, but just after that, it may be set to NULL:

    if (value[0] == '/') {
        type = "dev";
    } else if (STRPREFIX(value, "null")) {
        type = "null";
        value = NULL;      <<<<===================
    } else if (STRPREFIX(value, "vc")) {
        ...

and *that* is the case clang complains about.

> would it be possible to fix this by marking the argument as
> NONNULL, rather than adding sa_assert()?

No.




More information about the libvir-list mailing list