Stop using __attribute__((nonnull)): It gets us occcasional warnings when we do somet...

svn:r15803

diff --git a/ChangeLog b/ChangeLog
index e54a1ebd027170f861d8d80ad8576fd7cb230d85..2184ef4010b45fa29057c8640e1f71afe7d96af0 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,9 @@ Changes in version 0.2.1.3-alpha - 2008-07-xx
     - Change the contrib/tor.logrotate script so it makes the new
       logs as "_tor:_tor" rather than the default, which is generally
       "root:wheel". Fixes bug 676, reported by Serge Koksharov.
+    - Stop using __attribute__((nonnull)) with GCC: it can give us useful
+      warnings (occasionally), but it can also cause the compiler to
+      eliminate error-checking code.  Suggested by Peter Gutmann.
 
 
 Changes in version 0.2.0.29-rc - 2008-07-08

diff --git a/src/common/compat.h b/src/common/compat.h
index 5ec969fa1142060df2c95e1f57da18fe4621212a..7ad964c75d08634b4510dab7908452750f6d59da 100644 (file)
--- a/src/common/compat.h
+++ b/src/common/compat.h
@@ -122,7 +122,17 @@ extern INLINE double U64_TO_DBL(uint64_t x) {
 #define ATTR_CONST __attribute__((const))
 #define ATTR_MALLOC __attribute__((malloc))
 #define ATTR_NORETURN __attribute__((noreturn))
-#define ATTR_NONNULL(x) __attribute__((nonnull x))
+/* Alas, nonnull is not at present a good idea for us.  We'd like to get
+ * warnings when we pass NULL where we shouldn't (which nonnull does, albeit
+ * spottily), but we don't want to tell the compiler to make optimizations
+ * with the assumption that the argument can't be NULL (since this would make
+ * many of our checks go away, and make our code less robust against
+ * programming errors).  Unfortunately, nonnull currently does both of these
+ * things, and there's no good way to split them up.
+ *
+ * #define ATTR_NONNULL(x) __attribute__((nonnull x)) */
+#define ATTR_NONNULL(x)
+
 /** Macro: Evaluates to <b>exp</b> and hints the compiler that the value
  * of <b>exp</b> will probably be true. */
 #define PREDICT_LIKELY(exp) __builtin_expect((exp), 1)