Perl should has tests to prove that derefing NULL stops execution and
shows the user that there was a failure. A couple other C fatal runtime
errors should also be tested. See attached rough patch. HPUX perl uses a
CC flag to make derefing NULL SEGV instead of evaluate to 0, since the
"successful evaluate to 0" is insane in traditional C world. one
complement integers, and 9 and 7 bit chars would be other harmful CC
architectures.
The optimization I think is very important.

destroybig(sv) {
if(sv->flags == 123) {
destroyextra(sv->body.extra);
}
SvREFCNT_dec(sv);
}

If destroybig's sv argument is marked NN, GCC will remove the NULL test
in SvREFCNT_dec when SvREFCNT_dec is inlined into destroybig(). A
computer can find cases of automatic optimization to SvREFCNT_dec_NN
better than a human hunting and pecking for it by eye (try understanding
what "tryAMAGICunTARGETlist(meth, jump)" does, it 1 or 2 screenfuls of
code, or what about cop.h's 1 screenful big macros?).
Reliable SEGVing of refering of NULL I think should be relied on. Perl
already SEGVs intentionally in 1 place
http://perl5.git.perl.org/perl.git/blob/749f0eb1485a7bb7561d71f9539d9b7655363136:/win32/vmem.h#l200


Any segv of an address < ~0x200 is easy to diagnose. In Perlese its
"Can't call method "foo" on an undefined value at -e line 1." In C its
SIGSEGV. undef/NULL means object/struct not there.

"Bizarre copy of %s in %s" is as equally vague as a SEGV that requires a
C debugger,

The only SEGVs that are very hard to debug is is SEGV on addr 0x3778C8
since that isnt "object not created", that is memory corruption or use
after free corruption.

I have sometimes used http://www.splint.org/ to add not-null annotations
to C programs. It is mentioned in perlhacktips. However, its standard
behaviour is to take all pointers as declared 'not null' unless they are
annotated with /*@null@*/. Sprinkling that through the codebase might be
a step too far.

In theory this thing should be useful. It ought to help in situations like
ours where there's macro rich code which contains a bunch of NULL checks, but
it's used in functions where the call path ensures that that parameter isn't
NULL.

But, in practice as I think I'd said privately to various people over the
past 5 years, but I don't think I'd mailed the list, I see it as a design
flaw that *only* function parameters can get this designation. It ought to
be be possible to also annotate variables and structure members as not-NULL,
and so have your not-NULL-ness be analysed, and faulted.

What gcc offers right now is rather like having function parameters be allowed
to be declared const, with various optimisations then made on that basis,
but

1) variables and structure elements not being permitted to be declared const
2) *and* constness silently being cast away by the compiler

and that's self-evidently awesome and all the best compilers do that.
I'm coming to that view.

The intent of the asserts was on the

1) assumption that the code generation would be useful
2) the above observation that it's only 1/3rd finished in gcc
3) that we have good enough test coverage to find the bad annotations

Experience is suggesting that assumption 3 *is* good enough, at least for the
core, because we've not hit a failed assert in years.

But as others (Aristotle?) observed that's not something we can guarantee
(or "guarantee" or empirically "prove" correct) for library code.

Which would mean that we ought not have Not Null declarations on any API
function.


I did a test on dromedary.

Two build trees, same config.sh, confirmed that all object files were byte
for byte identical (apart from perl.o, __DATE__)


Did this, and re-ran embed.pl, to get rid of all __attribute__nonnull__:

diff --git a/regen/embed.pl b/regen/embed.pl
index 07438de..d882c0d 100755
--- a/regen/embed.pl
+++ b/regen/embed.pl
@@ -206,7 +206,7 @@ my ($embed, $core, $ext, $api) = setup_embed();
$prefix, $pat, $args;
}
}
- if ( @nonnull ) {
+ if ( 0 && @nonnull ) {
my @pos = map { $has_context ? "pTHX_$_" : $_ } @nonnull;
push @attrs, map { sprintf( "__attribute__nonnull__(%s)", $_ ) } @pos;
}


Total object file size goes from 3607011 to 3608299
So it *is* making a difference.

What I can't tell (obviously) is whether it's a difference that matters.
Is this in hot code?

There isn't anything I'm comfortable to use as a benchmark.
What is Dave using to figure out (and measure) potential optimisations for
booking.com?


Hence I'm wondering, what the benefit of this is.

We have accurate information currently about which function parameters are
never NULL. In machine readable form. With tokens at all the right places
in the C code.

So it would be possible to programmatically convert all the lines such as

PERL_ARGS_ASSERT_DO_SPAWN_NOWAIT;

into

if (!cmd)
Perl_croak(aTHX_ "Perl_do_spawn_nowait called with NULL cmd");


(we know the function name, whether the function has aTHX_ available, and
the command name, and where in the C source code to s/.../.../)


at which point, I believe, we've given the C compiler's optmimiser the same
information as the current not_null attribute does, which means that if its
optimiser is competent, it can propagate that through and do exactly the same
dead code elimination.

But not just for gcc :-)
I don't know. I'd not thought about that.
IIRC I was the one who changed the perl.h assert() macro from something
that called croak() [yes, pretty] into something that would actually DIE DIE
DIE. And not get trapped by eval (wah!)

[and tomorrow I'm off on holiday with no Internet coverage for the next 11
days, so I'm not going to be in a position to reply to any replies any time
soon]

Nicholas Clark

Yes.
Anecdote from parrot, where we used nonnull attributes heavily:

It is very dangerous to let NULL slip through, as the optimizer omits
all checks at run-time, no asserts are in place without “DEBUGGING”.
I spent a few days finding a crazy bug with NN, just to find out that NULL
was passed to a nonnull attribute, and the optimizer removed the
if (!param) {} block. Even if the check is there, the compiler will remove it.

It is a very good attribute to speed up -O2, but the dead-code elimination
should be visible somewhere. It is not.

Reini

My read on the discussion is that the __attribute__((nonnull(...)) could
and should indeed go. (Hey, I admit I was prebiased on this.)
Unless good argumentation tells me otherwise, in few days I'll just
go ahead and do that.

According to
https://gcc.gnu.org/onlinedocs/gcc-4.4.2/gcc/Function-Attributes.html,
it means:

If the compiler determines that a null pointer is passed in an argument slot
marked as non-null, and the -Wnonnull option is enabled, a warning is issued.
The compiler may also choose to make optimizations based on the knowledge that
certain function arguments will not be null.

I.e. the primary purpose is code verification rather than optimization.

Correct. As he ought to.
Please don’t.

Regards,