| Message ID | 20230703131059.975829-1-xry111@xry111.site |
|---|---|
| State | New |
| Headers | show |
| Series | [v4] libio: Add nonnull attribute for most FILE * arguments in stdio.h | expand |
On 2023-07-03 09:10, Xi Ruoyao via Libc-alpha wrote: > During the review of a GCC analyzer test case, we found most stdio > functions accepting a FILE * argument expect it to be nonnull and just > segfault when the argument is NULL. Add nonnull attribute for them. > > fflush and fflush_unlocked are well defined when __stream is NULL so > they are not touched. > > For fputs, fgets, fread, fwrite, fprintf, vfprintf, and their unlocked > version, if __stream is empty but there is nothing to read or write, > they did not segfault. But the standard disallow __stream to be empty > here, so nonnull attribute is also added for them. Note that this may > blow up some old code already subtly broken. The null checks within those functions won't get optimized away because internally __nonnull gets undefined (see include/sys/cdefs.h), thus retaining any NULL checks. The other possibility of the compiler optimizing away some NULL checks within the caller is a global possibility IMO, so that's not limited to these functions. So the change looks largely OK to me, please send a v5 with fixes to some minor nits below. > Signed-off-by: Xi Ruoyao <xry111@xry111.site> > --- > > v3 -> v4: Add nonnull attribute for anything the standard disallows > NULL. > > libio/stdio.h | 142 +++++++++++++++++++++++++++----------------------- > 1 file changed, 76 insertions(+), 66 deletions(-) > > diff --git a/libio/stdio.h b/libio/stdio.h > index 4cf9f1c012..c709a65f5e 100644 > --- a/libio/stdio.h > +++ b/libio/stdio.h Please add a line: Copyright The GNU Toolchain Authors. below the FSF copyright assignment line. > @@ -278,7 +278,7 @@ extern FILE *__REDIRECT (fopen, (const char *__restrict __filename, > extern FILE *__REDIRECT (freopen, (const char *__restrict __filename, > const char *__restrict __modes, > FILE *__restrict __stream), freopen64) > - __wur; > + __wur __nonnull ((3)); > # else > # define fopen fopen64 > # define freopen freopen64 > @@ -330,21 +330,22 @@ extern __FILE *open_wmemstream (wchar_t **__bufloc, size_t *__sizeloc) __THROW > > /* If BUF is NULL, make STREAM unbuffered. > Else make it use buffer BUF, of size BUFSIZ. */ > -extern void setbuf (FILE *__restrict __stream, char *__restrict __buf) __THROW; > +extern void setbuf (FILE *__restrict __stream, char *__restrict __buf) __THROW > + __nonnull ((1)); > /* Make STREAM use buffering mode MODE. > If BUF is not NULL, use N bytes of it for buffering; > else allocate an internal buffer N bytes long. */ > extern int setvbuf (FILE *__restrict __stream, char *__restrict __buf, > - int __modes, size_t __n) __THROW; > + int __modes, size_t __n) __THROW __nonnull ((1)); > > #ifdef __USE_MISC > /* If BUF is NULL, make STREAM unbuffered. > Else make it use SIZE bytes of BUF for buffering. */ > extern void setbuffer (FILE *__restrict __stream, char *__restrict __buf, > - size_t __size) __THROW; > + size_t __size) __THROW __nonnull ((1)); > > /* Make STREAM line-buffered. */ > -extern void setlinebuf (FILE *__stream) __THROW; > +extern void setlinebuf (FILE *__stream) __THROW __nonnull ((1)); > #endif > > > @@ -353,7 +354,7 @@ extern void setlinebuf (FILE *__stream) __THROW; > This function is a possible cancellation point and therefore not > marked with __THROW. */ > extern int fprintf (FILE *__restrict __stream, > - const char *__restrict __format, ...); > + const char *__restrict __format, ...) __nonnull ((1)); > /* Write formatted output to stdout. > > This function is a possible cancellation point and therefore not > @@ -368,7 +369,7 @@ extern int sprintf (char *__restrict __s, > This function is a possible cancellation point and therefore not > marked with __THROW. */ > extern int vfprintf (FILE *__restrict __s, const char *__restrict __format, > - __gnuc_va_list __arg); > + __gnuc_va_list __arg) __nonnull ((1)); > /* Write formatted output to stdout from argument list ARG. > > This function is a possible cancellation point and therefore not > @@ -418,7 +419,7 @@ extern int dprintf (int __fd, const char *__restrict __fmt, ...) > This function is a possible cancellation point and therefore not > marked with __THROW. */ > extern int fscanf (FILE *__restrict __stream, > - const char *__restrict __format, ...) __wur; > + const char *__restrict __format, ...) __wur __nonnull ((1)); > /* Read formatted input from stdin. > > This function is a possible cancellation point and therefore not > @@ -439,7 +440,7 @@ extern int sscanf (const char *__restrict __s, > # ifdef __REDIRECT > extern int __REDIRECT (fscanf, (FILE *__restrict __stream, > const char *__restrict __format, ...), > - __isoc23_fscanf) __wur; > + __isoc23_fscanf) __wur __nonnull ((1)); > extern int __REDIRECT (scanf, (const char *__restrict __format, ...), > __isoc23_scanf) __wur; > extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, > @@ -447,7 +448,7 @@ extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, > __isoc23_sscanf); > # else > extern int __isoc23_fscanf (FILE *__restrict __stream, > - const char *__restrict __format, ...) __wur; > + const char *__restrict __format, ...) __wur __nonnull ((1)); This crosses 79 chars. > extern int __isoc23_scanf (const char *__restrict __format, ...) __wur; > extern int __isoc23_sscanf (const char *__restrict __s, > const char *__restrict __format, ...) __THROW; > @@ -459,7 +460,7 @@ extern int __isoc23_sscanf (const char *__restrict __s, > # ifdef __REDIRECT > extern int __REDIRECT (fscanf, (FILE *__restrict __stream, > const char *__restrict __format, ...), > - __isoc99_fscanf) __wur; > + __isoc99_fscanf) __wur __nonnull ((1)); > extern int __REDIRECT (scanf, (const char *__restrict __format, ...), > __isoc99_scanf) __wur; > extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, > @@ -467,7 +468,7 @@ extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, > __isoc99_sscanf); > # else > extern int __isoc99_fscanf (FILE *__restrict __stream, > - const char *__restrict __format, ...) __wur; > + const char *__restrict __format, ...) __wur __nonnull ((1)); Likewise, this. > extern int __isoc99_scanf (const char *__restrict __format, ...) __wur; > extern int __isoc99_sscanf (const char *__restrict __s, > const char *__restrict __format, ...) __THROW; > @@ -485,7 +486,7 @@ extern int __isoc99_sscanf (const char *__restrict __s, > marked with __THROW. */ > extern int vfscanf (FILE *__restrict __s, const char *__restrict __format, > __gnuc_va_list __arg) > - __attribute__ ((__format__ (__scanf__, 2, 0))) __wur; > + __attribute__ ((__format__ (__scanf__, 2, 0))) __wur __nonnull ((1)); > > /* Read formatted input from stdin into argument list ARG. > > @@ -508,7 +509,7 @@ extern int __REDIRECT (vfscanf, > (FILE *__restrict __s, > const char *__restrict __format, __gnuc_va_list __arg), > __isoc23_vfscanf) > - __attribute__ ((__format__ (__scanf__, 2, 0))) __wur; > + __attribute__ ((__format__ (__scanf__, 2, 0))) __wur __nonnull ((1)); > extern int __REDIRECT (vscanf, (const char *__restrict __format, > __gnuc_va_list __arg), __isoc23_vscanf) > __attribute__ ((__format__ (__scanf__, 1, 0))) __wur; > @@ -520,7 +521,7 @@ extern int __REDIRECT_NTH (vsscanf, > # elif !defined __REDIRECT > extern int __isoc23_vfscanf (FILE *__restrict __s, > const char *__restrict __format, > - __gnuc_va_list __arg) __wur; > + __gnuc_va_list __arg) __wur __nonnull ((1)); > extern int __isoc23_vscanf (const char *__restrict __format, > __gnuc_va_list __arg) __wur; > extern int __isoc23_vsscanf (const char *__restrict __s, > @@ -537,7 +538,7 @@ extern int __REDIRECT (vfscanf, > (FILE *__restrict __s, > const char *__restrict __format, __gnuc_va_list __arg), > __isoc99_vfscanf) > - __attribute__ ((__format__ (__scanf__, 2, 0))) __wur; > + __attribute__ ((__format__ (__scanf__, 2, 0))) __wur __nonnull ((1)); > extern int __REDIRECT (vscanf, (const char *__restrict __format, > __gnuc_va_list __arg), __isoc99_vscanf) > __attribute__ ((__format__ (__scanf__, 1, 0))) __wur; > @@ -549,7 +550,7 @@ extern int __REDIRECT_NTH (vsscanf, > # elif !defined __REDIRECT > extern int __isoc99_vfscanf (FILE *__restrict __s, > const char *__restrict __format, > - __gnuc_va_list __arg) __wur; > + __gnuc_va_list __arg) __wur __nonnull ((1)); > extern int __isoc99_vscanf (const char *__restrict __format, > __gnuc_va_list __arg) __wur; > extern int __isoc99_vsscanf (const char *__restrict __s, > @@ -568,8 +569,8 @@ extern int __isoc99_vsscanf (const char *__restrict __s, > > These functions are possible cancellation points and therefore not > marked with __THROW. */ > -extern int fgetc (FILE *__stream); > -extern int getc (FILE *__stream); > +extern int fgetc (FILE *__stream) __nonnull ((1)); > +extern int getc (FILE *__stream) __nonnull ((1)); > > /* Read a character from stdin. > > @@ -582,7 +583,7 @@ extern int getchar (void); > > These functions are possible cancellation points and therefore not > marked with __THROW. */ > -extern int getc_unlocked (FILE *__stream); > +extern int getc_unlocked (FILE *__stream) __nonnull ((1)); > extern int getchar_unlocked (void); > #endif /* Use POSIX. */ > > @@ -593,7 +594,7 @@ extern int getchar_unlocked (void); > cancellation point. But due to similarity with an POSIX interface > or due to the implementation it is a cancellation point and > therefore not marked with __THROW. */ > -extern int fgetc_unlocked (FILE *__stream); > +extern int fgetc_unlocked (FILE *__stream) __nonnull ((1)); > #endif /* Use MISC. */ > > > @@ -604,8 +605,8 @@ extern int fgetc_unlocked (FILE *__stream); > > These functions is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int fputc (int __c, FILE *__stream); > -extern int putc (int __c, FILE *__stream); > +extern int fputc (int __c, FILE *__stream) __nonnull ((2)); > +extern int putc (int __c, FILE *__stream) __nonnull ((2)); > > /* Write a character to stdout. > > @@ -620,7 +621,7 @@ extern int putchar (int __c); > cancellation point. But due to similarity with an POSIX interface > or due to the implementation it is a cancellation point and > therefore not marked with __THROW. */ > -extern int fputc_unlocked (int __c, FILE *__stream); > +extern int fputc_unlocked (int __c, FILE *__stream) __nonnull ((2)); > #endif /* Use MISC. */ > > #ifdef __USE_POSIX199506 > @@ -628,7 +629,7 @@ extern int fputc_unlocked (int __c, FILE *__stream); > > These functions are possible cancellation points and therefore not > marked with __THROW. */ > -extern int putc_unlocked (int __c, FILE *__stream); > +extern int putc_unlocked (int __c, FILE *__stream) __nonnull ((2)); > extern int putchar_unlocked (int __c); > #endif /* Use POSIX. */ > > @@ -636,10 +637,10 @@ extern int putchar_unlocked (int __c); > #if defined __USE_MISC \ > || (defined __USE_XOPEN && !defined __USE_XOPEN2K) > /* Get a word (int) from STREAM. */ > -extern int getw (FILE *__stream); > +extern int getw (FILE *__stream) __nonnull ((1)); > > /* Write a word (int) to STREAM. */ > -extern int putw (int __w, FILE *__stream); > +extern int putw (int __w, FILE *__stream) __nonnull ((2)); > #endif > > > @@ -648,7 +649,7 @@ extern int putw (int __w, FILE *__stream); > This function is a possible cancellation point and therefore not > marked with __THROW. */ > extern char *fgets (char *__restrict __s, int __n, FILE *__restrict __stream) > - __wur __fortified_attr_access (__write_only__, 1, 2); > + __wur __fortified_attr_access (__write_only__, 1, 2) __nonnull ((3)); > > #if __GLIBC_USE (DEPRECATED_GETS) > /* Get a newline-terminated string from stdin, removing the newline. > @@ -672,7 +673,7 @@ extern char *gets (char *__s) __wur __attribute_deprecated__; > therefore not marked with __THROW. */ > extern char *fgets_unlocked (char *__restrict __s, int __n, > FILE *__restrict __stream) __wur > - __fortified_attr_access (__write_only__, 1, 2); > + __fortified_attr_access (__write_only__, 1, 2) __nonnull ((3)); > #endif > > > @@ -689,10 +690,10 @@ extern char *fgets_unlocked (char *__restrict __s, int __n, > therefore not marked with __THROW. */ > extern __ssize_t __getdelim (char **__restrict __lineptr, > size_t *__restrict __n, int __delimiter, > - FILE *__restrict __stream) __wur; > + FILE *__restrict __stream) __wur __nonnull ((4)); > extern __ssize_t getdelim (char **__restrict __lineptr, > size_t *__restrict __n, int __delimiter, > - FILE *__restrict __stream) __wur; > + FILE *__restrict __stream) __wur __nonnull ((4)); > > /* Like `getdelim', but reads up to a newline. > > @@ -702,7 +703,7 @@ extern __ssize_t getdelim (char **__restrict __lineptr, > therefore not marked with __THROW. */ > extern __ssize_t getline (char **__restrict __lineptr, > size_t *__restrict __n, > - FILE *__restrict __stream) __wur; > + FILE *__restrict __stream) __wur __nonnull ((3)); > #endif > > > @@ -710,7 +711,8 @@ extern __ssize_t getline (char **__restrict __lineptr, > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int fputs (const char *__restrict __s, FILE *__restrict __stream); > +extern int fputs (const char *__restrict __s, FILE *__restrict __stream) > + __nonnull ((2)); > > /* Write a string, followed by a newline, to stdout. > > @@ -723,7 +725,7 @@ extern int puts (const char *__s); > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int ungetc (int __c, FILE *__stream); > +extern int ungetc (int __c, FILE *__stream) __nonnull ((2)); > > > /* Read chunks of generic data from STREAM. > @@ -731,13 +733,14 @@ extern int ungetc (int __c, FILE *__stream); > This function is a possible cancellation point and therefore not > marked with __THROW. */ > extern size_t fread (void *__restrict __ptr, size_t __size, > - size_t __n, FILE *__restrict __stream) __wur; > + size_t __n, FILE *__restrict __stream) __wur > + __nonnull((4)); > /* Write chunks of generic data to STREAM. > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > extern size_t fwrite (const void *__restrict __ptr, size_t __size, > - size_t __n, FILE *__restrict __s); > + size_t __n, FILE *__restrict __s) __nonnull((4)); > > #ifdef __USE_GNU > /* This function does the same as `fputs' but does not lock the stream. > @@ -747,7 +750,7 @@ extern size_t fwrite (const void *__restrict __ptr, size_t __size, > or due to the implementation it is a cancellation point and > therefore not marked with __THROW. */ > extern int fputs_unlocked (const char *__restrict __s, > - FILE *__restrict __stream); > + FILE *__restrict __stream) __nonnull ((2)); > #endif > > #ifdef __USE_MISC > @@ -758,9 +761,11 @@ extern int fputs_unlocked (const char *__restrict __s, > or due to the implementation they are cancellation points and > therefore not marked with __THROW. */ > extern size_t fread_unlocked (void *__restrict __ptr, size_t __size, > - size_t __n, FILE *__restrict __stream) __wur; > + size_t __n, FILE *__restrict __stream) __wur > + __nonnull ((4)); > extern size_t fwrite_unlocked (const void *__restrict __ptr, size_t __size, > - size_t __n, FILE *__restrict __stream); > + size_t __n, FILE *__restrict __stream) > + __nonnull ((4)); > #endif > > > @@ -768,17 +773,17 @@ extern size_t fwrite_unlocked (const void *__restrict __ptr, size_t __size, > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int fseek (FILE *__stream, long int __off, int __whence); > +extern int fseek (FILE *__stream, long int __off, int __whence) __nonnull ((1)); Likewise, this. > /* Return the current position of STREAM. > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern long int ftell (FILE *__stream) __wur; > +extern long int ftell (FILE *__stream) __wur __nonnull ((1)); > /* Rewind to the beginning of STREAM. > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern void rewind (FILE *__stream); > +extern void rewind (FILE *__stream) __nonnull ((1)); > > /* The Single Unix Specification, Version 2, specifies an alternative, > more adequate interface for the two functions above which deal with > @@ -791,18 +796,19 @@ extern void rewind (FILE *__stream); > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int fseeko (FILE *__stream, __off_t __off, int __whence); > +extern int fseeko (FILE *__stream, __off_t __off, int __whence) __nonnull ((1)); Likewise, this. > /* Return the current position of STREAM. > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern __off_t ftello (FILE *__stream) __wur; > +extern __off_t ftello (FILE *__stream) __wur __nonnull ((1)); > # else > # ifdef __REDIRECT > extern int __REDIRECT (fseeko, > (FILE *__stream, __off64_t __off, int __whence), > - fseeko64); > -extern __off64_t __REDIRECT (ftello, (FILE *__stream), ftello64); > + fseeko64) __nonnull ((1)); > +extern __off64_t __REDIRECT (ftello, (FILE *__stream), ftello64) > + __nonnull ((1)); > # else > # define fseeko fseeko64 > # define ftello ftello64 > @@ -815,18 +821,20 @@ extern __off64_t __REDIRECT (ftello, (FILE *__stream), ftello64); > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int fgetpos (FILE *__restrict __stream, fpos_t *__restrict __pos); > +extern int fgetpos (FILE *__restrict __stream, fpos_t *__restrict __pos) > + __nonnull ((1)); > /* Set STREAM's position. > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int fsetpos (FILE *__stream, const fpos_t *__pos); > +extern int fsetpos (FILE *__stream, const fpos_t *__pos) __nonnull ((1)); > #else > # ifdef __REDIRECT > extern int __REDIRECT (fgetpos, (FILE *__restrict __stream, > - fpos_t *__restrict __pos), fgetpos64); > + fpos_t *__restrict __pos), fgetpos64) __nonnull ((1)); Likewise, this. > extern int __REDIRECT (fsetpos, > - (FILE *__stream, const fpos_t *__pos), fsetpos64); > + (FILE *__stream, const fpos_t *__pos), fsetpos64) > + __nonnull ((1)); > # else > # define fgetpos fgetpos64 > # define fsetpos fsetpos64 > @@ -834,24 +842,26 @@ extern int __REDIRECT (fsetpos, > #endif > > #ifdef __USE_LARGEFILE64 > -extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence); > -extern __off64_t ftello64 (FILE *__stream) __wur; > -extern int fgetpos64 (FILE *__restrict __stream, fpos64_t *__restrict __pos); > -extern int fsetpos64 (FILE *__stream, const fpos64_t *__pos); > +extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence) > + __nonnull ((1)); > +extern __off64_t ftello64 (FILE *__stream) __wur __nonnull ((1)); > +extern int fgetpos64 (FILE *__restrict __stream, fpos64_t *__restrict __pos) > + __nonnull ((1)); > +extern int fsetpos64 (FILE *__stream, const fpos64_t *__pos) __nonnull ((1)); > #endif > > /* Clear the error and EOF indicators for STREAM. */ > -extern void clearerr (FILE *__stream) __THROW; > +extern void clearerr (FILE *__stream) __THROW __nonnull ((1)); > /* Return the EOF indicator for STREAM. */ > -extern int feof (FILE *__stream) __THROW __wur; > +extern int feof (FILE *__stream) __THROW __wur __nonnull ((1)); > /* Return the error indicator for STREAM. */ > -extern int ferror (FILE *__stream) __THROW __wur; > +extern int ferror (FILE *__stream) __THROW __wur __nonnull ((1)); > > #ifdef __USE_MISC > /* Faster versions when locking is not required. */ > -extern void clearerr_unlocked (FILE *__stream) __THROW; > -extern int feof_unlocked (FILE *__stream) __THROW __wur; > -extern int ferror_unlocked (FILE *__stream) __THROW __wur; > +extern void clearerr_unlocked (FILE *__stream) __THROW __nonnull ((1)); > +extern int feof_unlocked (FILE *__stream) __THROW __wur __nonnull ((1)); > +extern int ferror_unlocked (FILE *__stream) __THROW __wur __nonnull ((1)); > #endif > > > @@ -864,12 +874,12 @@ extern void perror (const char *__s) __COLD; > > #ifdef __USE_POSIX > /* Return the system file descriptor for STREAM. */ > -extern int fileno (FILE *__stream) __THROW __wur; > +extern int fileno (FILE *__stream) __THROW __wur __nonnull ((1)); > #endif /* Use POSIX. */ > > #ifdef __USE_MISC > /* Faster version when locking is not required. */ > -extern int fileno_unlocked (FILE *__stream) __THROW __wur; > +extern int fileno_unlocked (FILE *__stream) __THROW __wur __nonnull ((1)); > #endif > > > @@ -878,7 +888,7 @@ extern int fileno_unlocked (FILE *__stream) __THROW __wur; > > This function is a possible cancellation point and therefore not > marked with __THROW. */ > -extern int pclose (FILE *__stream); > +extern int pclose (FILE *__stream) __nonnull ((1)); > > /* Create a new stream connected to a pipe running the given command. > > @@ -922,14 +932,14 @@ extern int obstack_vprintf (struct obstack *__restrict __obstack, > /* These are defined in POSIX.1:1996. */ > > /* Acquire ownership of STREAM. */ > -extern void flockfile (FILE *__stream) __THROW; > +extern void flockfile (FILE *__stream) __THROW __nonnull ((1)); > > /* Try to acquire ownership of STREAM but do not block if it is not > possible. */ > -extern int ftrylockfile (FILE *__stream) __THROW __wur; > +extern int ftrylockfile (FILE *__stream) __THROW __wur __nonnull ((1)); > > /* Relinquish the ownership granted for STREAM. */ > -extern void funlockfile (FILE *__stream) __THROW; > +extern void funlockfile (FILE *__stream) __THROW __nonnull ((1)); > #endif /* POSIX */ > > #if defined __USE_XOPEN && !defined __USE_XOPEN2K && !defined __USE_GNU
diff --git a/libio/stdio.h b/libio/stdio.h index 4cf9f1c012..c709a65f5e 100644 --- a/libio/stdio.h +++ b/libio/stdio.h @@ -278,7 +278,7 @@ extern FILE *__REDIRECT (fopen, (const char *__restrict __filename, extern FILE *__REDIRECT (freopen, (const char *__restrict __filename, const char *__restrict __modes, FILE *__restrict __stream), freopen64) - __wur; + __wur __nonnull ((3)); # else # define fopen fopen64 # define freopen freopen64 @@ -330,21 +330,22 @@ extern __FILE *open_wmemstream (wchar_t **__bufloc, size_t *__sizeloc) __THROW /* If BUF is NULL, make STREAM unbuffered. Else make it use buffer BUF, of size BUFSIZ. */ -extern void setbuf (FILE *__restrict __stream, char *__restrict __buf) __THROW; +extern void setbuf (FILE *__restrict __stream, char *__restrict __buf) __THROW + __nonnull ((1)); /* Make STREAM use buffering mode MODE. If BUF is not NULL, use N bytes of it for buffering; else allocate an internal buffer N bytes long. */ extern int setvbuf (FILE *__restrict __stream, char *__restrict __buf, - int __modes, size_t __n) __THROW; + int __modes, size_t __n) __THROW __nonnull ((1)); #ifdef __USE_MISC /* If BUF is NULL, make STREAM unbuffered. Else make it use SIZE bytes of BUF for buffering. */ extern void setbuffer (FILE *__restrict __stream, char *__restrict __buf, - size_t __size) __THROW; + size_t __size) __THROW __nonnull ((1)); /* Make STREAM line-buffered. */ -extern void setlinebuf (FILE *__stream) __THROW; +extern void setlinebuf (FILE *__stream) __THROW __nonnull ((1)); #endif @@ -353,7 +354,7 @@ extern void setlinebuf (FILE *__stream) __THROW; This function is a possible cancellation point and therefore not marked with __THROW. */ extern int fprintf (FILE *__restrict __stream, - const char *__restrict __format, ...); + const char *__restrict __format, ...) __nonnull ((1)); /* Write formatted output to stdout. This function is a possible cancellation point and therefore not @@ -368,7 +369,7 @@ extern int sprintf (char *__restrict __s, This function is a possible cancellation point and therefore not marked with __THROW. */ extern int vfprintf (FILE *__restrict __s, const char *__restrict __format, - __gnuc_va_list __arg); + __gnuc_va_list __arg) __nonnull ((1)); /* Write formatted output to stdout from argument list ARG. This function is a possible cancellation point and therefore not @@ -418,7 +419,7 @@ extern int dprintf (int __fd, const char *__restrict __fmt, ...) This function is a possible cancellation point and therefore not marked with __THROW. */ extern int fscanf (FILE *__restrict __stream, - const char *__restrict __format, ...) __wur; + const char *__restrict __format, ...) __wur __nonnull ((1)); /* Read formatted input from stdin. This function is a possible cancellation point and therefore not @@ -439,7 +440,7 @@ extern int sscanf (const char *__restrict __s, # ifdef __REDIRECT extern int __REDIRECT (fscanf, (FILE *__restrict __stream, const char *__restrict __format, ...), - __isoc23_fscanf) __wur; + __isoc23_fscanf) __wur __nonnull ((1)); extern int __REDIRECT (scanf, (const char *__restrict __format, ...), __isoc23_scanf) __wur; extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, @@ -447,7 +448,7 @@ extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, __isoc23_sscanf); # else extern int __isoc23_fscanf (FILE *__restrict __stream, - const char *__restrict __format, ...) __wur; + const char *__restrict __format, ...) __wur __nonnull ((1)); extern int __isoc23_scanf (const char *__restrict __format, ...) __wur; extern int __isoc23_sscanf (const char *__restrict __s, const char *__restrict __format, ...) __THROW; @@ -459,7 +460,7 @@ extern int __isoc23_sscanf (const char *__restrict __s, # ifdef __REDIRECT extern int __REDIRECT (fscanf, (FILE *__restrict __stream, const char *__restrict __format, ...), - __isoc99_fscanf) __wur; + __isoc99_fscanf) __wur __nonnull ((1)); extern int __REDIRECT (scanf, (const char *__restrict __format, ...), __isoc99_scanf) __wur; extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, @@ -467,7 +468,7 @@ extern int __REDIRECT_NTH (sscanf, (const char *__restrict __s, __isoc99_sscanf); # else extern int __isoc99_fscanf (FILE *__restrict __stream, - const char *__restrict __format, ...) __wur; + const char *__restrict __format, ...) __wur __nonnull ((1)); extern int __isoc99_scanf (const char *__restrict __format, ...) __wur; extern int __isoc99_sscanf (const char *__restrict __s, const char *__restrict __format, ...) __THROW; @@ -485,7 +486,7 @@ extern int __isoc99_sscanf (const char *__restrict __s, marked with __THROW. */ extern int vfscanf (FILE *__restrict __s, const char *__restrict __format, __gnuc_va_list __arg) - __attribute__ ((__format__ (__scanf__, 2, 0))) __wur; + __attribute__ ((__format__ (__scanf__, 2, 0))) __wur __nonnull ((1)); /* Read formatted input from stdin into argument list ARG. @@ -508,7 +509,7 @@ extern int __REDIRECT (vfscanf, (FILE *__restrict __s, const char *__restrict __format, __gnuc_va_list __arg), __isoc23_vfscanf) - __attribute__ ((__format__ (__scanf__, 2, 0))) __wur; + __attribute__ ((__format__ (__scanf__, 2, 0))) __wur __nonnull ((1)); extern int __REDIRECT (vscanf, (const char *__restrict __format, __gnuc_va_list __arg), __isoc23_vscanf) __attribute__ ((__format__ (__scanf__, 1, 0))) __wur; @@ -520,7 +521,7 @@ extern int __REDIRECT_NTH (vsscanf, # elif !defined __REDIRECT extern int __isoc23_vfscanf (FILE *__restrict __s, const char *__restrict __format, - __gnuc_va_list __arg) __wur; + __gnuc_va_list __arg) __wur __nonnull ((1)); extern int __isoc23_vscanf (const char *__restrict __format, __gnuc_va_list __arg) __wur; extern int __isoc23_vsscanf (const char *__restrict __s, @@ -537,7 +538,7 @@ extern int __REDIRECT (vfscanf, (FILE *__restrict __s, const char *__restrict __format, __gnuc_va_list __arg), __isoc99_vfscanf) - __attribute__ ((__format__ (__scanf__, 2, 0))) __wur; + __attribute__ ((__format__ (__scanf__, 2, 0))) __wur __nonnull ((1)); extern int __REDIRECT (vscanf, (const char *__restrict __format, __gnuc_va_list __arg), __isoc99_vscanf) __attribute__ ((__format__ (__scanf__, 1, 0))) __wur; @@ -549,7 +550,7 @@ extern int __REDIRECT_NTH (vsscanf, # elif !defined __REDIRECT extern int __isoc99_vfscanf (FILE *__restrict __s, const char *__restrict __format, - __gnuc_va_list __arg) __wur; + __gnuc_va_list __arg) __wur __nonnull ((1)); extern int __isoc99_vscanf (const char *__restrict __format, __gnuc_va_list __arg) __wur; extern int __isoc99_vsscanf (const char *__restrict __s, @@ -568,8 +569,8 @@ extern int __isoc99_vsscanf (const char *__restrict __s, These functions are possible cancellation points and therefore not marked with __THROW. */ -extern int fgetc (FILE *__stream); -extern int getc (FILE *__stream); +extern int fgetc (FILE *__stream) __nonnull ((1)); +extern int getc (FILE *__stream) __nonnull ((1)); /* Read a character from stdin. @@ -582,7 +583,7 @@ extern int getchar (void); These functions are possible cancellation points and therefore not marked with __THROW. */ -extern int getc_unlocked (FILE *__stream); +extern int getc_unlocked (FILE *__stream) __nonnull ((1)); extern int getchar_unlocked (void); #endif /* Use POSIX. */ @@ -593,7 +594,7 @@ extern int getchar_unlocked (void); cancellation point. But due to similarity with an POSIX interface or due to the implementation it is a cancellation point and therefore not marked with __THROW. */ -extern int fgetc_unlocked (FILE *__stream); +extern int fgetc_unlocked (FILE *__stream) __nonnull ((1)); #endif /* Use MISC. */ @@ -604,8 +605,8 @@ extern int fgetc_unlocked (FILE *__stream); These functions is a possible cancellation point and therefore not marked with __THROW. */ -extern int fputc (int __c, FILE *__stream); -extern int putc (int __c, FILE *__stream); +extern int fputc (int __c, FILE *__stream) __nonnull ((2)); +extern int putc (int __c, FILE *__stream) __nonnull ((2)); /* Write a character to stdout. @@ -620,7 +621,7 @@ extern int putchar (int __c); cancellation point. But due to similarity with an POSIX interface or due to the implementation it is a cancellation point and therefore not marked with __THROW. */ -extern int fputc_unlocked (int __c, FILE *__stream); +extern int fputc_unlocked (int __c, FILE *__stream) __nonnull ((2)); #endif /* Use MISC. */ #ifdef __USE_POSIX199506 @@ -628,7 +629,7 @@ extern int fputc_unlocked (int __c, FILE *__stream); These functions are possible cancellation points and therefore not marked with __THROW. */ -extern int putc_unlocked (int __c, FILE *__stream); +extern int putc_unlocked (int __c, FILE *__stream) __nonnull ((2)); extern int putchar_unlocked (int __c); #endif /* Use POSIX. */ @@ -636,10 +637,10 @@ extern int putchar_unlocked (int __c); #if defined __USE_MISC \ || (defined __USE_XOPEN && !defined __USE_XOPEN2K) /* Get a word (int) from STREAM. */ -extern int getw (FILE *__stream); +extern int getw (FILE *__stream) __nonnull ((1)); /* Write a word (int) to STREAM. */ -extern int putw (int __w, FILE *__stream); +extern int putw (int __w, FILE *__stream) __nonnull ((2)); #endif @@ -648,7 +649,7 @@ extern int putw (int __w, FILE *__stream); This function is a possible cancellation point and therefore not marked with __THROW. */ extern char *fgets (char *__restrict __s, int __n, FILE *__restrict __stream) - __wur __fortified_attr_access (__write_only__, 1, 2); + __wur __fortified_attr_access (__write_only__, 1, 2) __nonnull ((3)); #if __GLIBC_USE (DEPRECATED_GETS) /* Get a newline-terminated string from stdin, removing the newline. @@ -672,7 +673,7 @@ extern char *gets (char *__s) __wur __attribute_deprecated__; therefore not marked with __THROW. */ extern char *fgets_unlocked (char *__restrict __s, int __n, FILE *__restrict __stream) __wur - __fortified_attr_access (__write_only__, 1, 2); + __fortified_attr_access (__write_only__, 1, 2) __nonnull ((3)); #endif @@ -689,10 +690,10 @@ extern char *fgets_unlocked (char *__restrict __s, int __n, therefore not marked with __THROW. */ extern __ssize_t __getdelim (char **__restrict __lineptr, size_t *__restrict __n, int __delimiter, - FILE *__restrict __stream) __wur; + FILE *__restrict __stream) __wur __nonnull ((4)); extern __ssize_t getdelim (char **__restrict __lineptr, size_t *__restrict __n, int __delimiter, - FILE *__restrict __stream) __wur; + FILE *__restrict __stream) __wur __nonnull ((4)); /* Like `getdelim', but reads up to a newline. @@ -702,7 +703,7 @@ extern __ssize_t getdelim (char **__restrict __lineptr, therefore not marked with __THROW. */ extern __ssize_t getline (char **__restrict __lineptr, size_t *__restrict __n, - FILE *__restrict __stream) __wur; + FILE *__restrict __stream) __wur __nonnull ((3)); #endif @@ -710,7 +711,8 @@ extern __ssize_t getline (char **__restrict __lineptr, This function is a possible cancellation point and therefore not marked with __THROW. */ -extern int fputs (const char *__restrict __s, FILE *__restrict __stream); +extern int fputs (const char *__restrict __s, FILE *__restrict __stream) + __nonnull ((2)); /* Write a string, followed by a newline, to stdout. @@ -723,7 +725,7 @@ extern int puts (const char *__s); This function is a possible cancellation point and therefore not marked with __THROW. */ -extern int ungetc (int __c, FILE *__stream); +extern int ungetc (int __c, FILE *__stream) __nonnull ((2)); /* Read chunks of generic data from STREAM. @@ -731,13 +733,14 @@ extern int ungetc (int __c, FILE *__stream); This function is a possible cancellation point and therefore not marked with __THROW. */ extern size_t fread (void *__restrict __ptr, size_t __size, - size_t __n, FILE *__restrict __stream) __wur; + size_t __n, FILE *__restrict __stream) __wur + __nonnull((4)); /* Write chunks of generic data to STREAM. This function is a possible cancellation point and therefore not marked with __THROW. */ extern size_t fwrite (const void *__restrict __ptr, size_t __size, - size_t __n, FILE *__restrict __s); + size_t __n, FILE *__restrict __s) __nonnull((4)); #ifdef __USE_GNU /* This function does the same as `fputs' but does not lock the stream. @@ -747,7 +750,7 @@ extern size_t fwrite (const void *__restrict __ptr, size_t __size, or due to the implementation it is a cancellation point and therefore not marked with __THROW. */ extern int fputs_unlocked (const char *__restrict __s, - FILE *__restrict __stream); + FILE *__restrict __stream) __nonnull ((2)); #endif #ifdef __USE_MISC @@ -758,9 +761,11 @@ extern int fputs_unlocked (const char *__restrict __s, or due to the implementation they are cancellation points and therefore not marked with __THROW. */ extern size_t fread_unlocked (void *__restrict __ptr, size_t __size, - size_t __n, FILE *__restrict __stream) __wur; + size_t __n, FILE *__restrict __stream) __wur + __nonnull ((4)); extern size_t fwrite_unlocked (const void *__restrict __ptr, size_t __size, - size_t __n, FILE *__restrict __stream); + size_t __n, FILE *__restrict __stream) + __nonnull ((4)); #endif @@ -768,17 +773,17 @@ extern size_t fwrite_unlocked (const void *__restrict __ptr, size_t __size, This function is a possible cancellation point and therefore not marked with __THROW. */ -extern int fseek (FILE *__stream, long int __off, int __whence); +extern int fseek (FILE *__stream, long int __off, int __whence) __nonnull ((1)); /* Return the current position of STREAM. This function is a possible cancellation point and therefore not marked with __THROW. */ -extern long int ftell (FILE *__stream) __wur; +extern long int ftell (FILE *__stream) __wur __nonnull ((1)); /* Rewind to the beginning of STREAM. This function is a possible cancellation point and therefore not marked with __THROW. */ -extern void rewind (FILE *__stream); +extern void rewind (FILE *__stream) __nonnull ((1)); /* The Single Unix Specification, Version 2, specifies an alternative, more adequate interface for the two functions above which deal with @@ -791,18 +796,19 @@ extern void rewind (FILE *__stream); This function is a possible cancellation point and therefore not marked with __THROW. */ -extern int fseeko (FILE *__stream, __off_t __off, int __whence); +extern int fseeko (FILE *__stream, __off_t __off, int __whence) __nonnull ((1)); /* Return the current position of STREAM. This function is a possible cancellation point and therefore not marked with __THROW. */ -extern __off_t ftello (FILE *__stream) __wur; +extern __off_t ftello (FILE *__stream) __wur __nonnull ((1)); # else # ifdef __REDIRECT extern int __REDIRECT (fseeko, (FILE *__stream, __off64_t __off, int __whence), - fseeko64); -extern __off64_t __REDIRECT (ftello, (FILE *__stream), ftello64); + fseeko64) __nonnull ((1)); +extern __off64_t __REDIRECT (ftello, (FILE *__stream), ftello64) + __nonnull ((1)); # else # define fseeko fseeko64 # define ftello ftello64 @@ -815,18 +821,20 @@ extern __off64_t __REDIRECT (ftello, (FILE *__stream), ftello64); This function is a possible cancellation point and therefore not marked with __THROW. */ -extern int fgetpos (FILE *__restrict __stream, fpos_t *__restrict __pos); +extern int fgetpos (FILE *__restrict __stream, fpos_t *__restrict __pos) + __nonnull ((1)); /* Set STREAM's position. This function is a possible cancellation point and therefore not marked with __THROW. */ -extern int fsetpos (FILE *__stream, const fpos_t *__pos); +extern int fsetpos (FILE *__stream, const fpos_t *__pos) __nonnull ((1)); #else # ifdef __REDIRECT extern int __REDIRECT (fgetpos, (FILE *__restrict __stream, - fpos_t *__restrict __pos), fgetpos64); + fpos_t *__restrict __pos), fgetpos64) __nonnull ((1)); extern int __REDIRECT (fsetpos, - (FILE *__stream, const fpos_t *__pos), fsetpos64); + (FILE *__stream, const fpos_t *__pos), fsetpos64) + __nonnull ((1)); # else # define fgetpos fgetpos64 # define fsetpos fsetpos64 @@ -834,24 +842,26 @@ extern int __REDIRECT (fsetpos, #endif #ifdef __USE_LARGEFILE64 -extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence); -extern __off64_t ftello64 (FILE *__stream) __wur; -extern int fgetpos64 (FILE *__restrict __stream, fpos64_t *__restrict __pos); -extern int fsetpos64 (FILE *__stream, const fpos64_t *__pos); +extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence) + __nonnull ((1)); +extern __off64_t ftello64 (FILE *__stream) __wur __nonnull ((1)); +extern int fgetpos64 (FILE *__restrict __stream, fpos64_t *__restrict __pos) + __nonnull ((1)); +extern int fsetpos64 (FILE *__stream, const fpos64_t *__pos) __nonnull ((1)); #endif /* Clear the error and EOF indicators for STREAM. */ -extern void clearerr (FILE *__stream) __THROW; +extern void clearerr (FILE *__stream) __THROW __nonnull ((1)); /* Return the EOF indicator for STREAM. */ -extern int feof (FILE *__stream) __THROW __wur; +extern int feof (FILE *__stream) __THROW __wur __nonnull ((1)); /* Return the error indicator for STREAM. */ -extern int ferror (FILE *__stream) __THROW __wur; +extern int ferror (FILE *__stream) __THROW __wur __nonnull ((1)); #ifdef __USE_MISC /* Faster versions when locking is not required. */ -extern void clearerr_unlocked (FILE *__stream) __THROW; -extern int feof_unlocked (FILE *__stream) __THROW __wur; -extern int ferror_unlocked (FILE *__stream) __THROW __wur; +extern void clearerr_unlocked (FILE *__stream) __THROW __nonnull ((1)); +extern int feof_unlocked (FILE *__stream) __THROW __wur __nonnull ((1)); +extern int ferror_unlocked (FILE *__stream) __THROW __wur __nonnull ((1)); #endif @@ -864,12 +874,12 @@ extern void perror (const char *__s) __COLD; #ifdef __USE_POSIX /* Return the system file descriptor for STREAM. */ -extern int fileno (FILE *__stream) __THROW __wur; +extern int fileno (FILE *__stream) __THROW __wur __nonnull ((1)); #endif /* Use POSIX. */ #ifdef __USE_MISC /* Faster version when locking is not required. */ -extern int fileno_unlocked (FILE *__stream) __THROW __wur; +extern int fileno_unlocked (FILE *__stream) __THROW __wur __nonnull ((1)); #endif @@ -878,7 +888,7 @@ extern int fileno_unlocked (FILE *__stream) __THROW __wur; This function is a possible cancellation point and therefore not marked with __THROW. */ -extern int pclose (FILE *__stream); +extern int pclose (FILE *__stream) __nonnull ((1)); /* Create a new stream connected to a pipe running the given command. @@ -922,14 +932,14 @@ extern int obstack_vprintf (struct obstack *__restrict __obstack, /* These are defined in POSIX.1:1996. */ /* Acquire ownership of STREAM. */ -extern void flockfile (FILE *__stream) __THROW; +extern void flockfile (FILE *__stream) __THROW __nonnull ((1)); /* Try to acquire ownership of STREAM but do not block if it is not possible. */ -extern int ftrylockfile (FILE *__stream) __THROW __wur; +extern int ftrylockfile (FILE *__stream) __THROW __wur __nonnull ((1)); /* Relinquish the ownership granted for STREAM. */ -extern void funlockfile (FILE *__stream) __THROW; +extern void funlockfile (FILE *__stream) __THROW __nonnull ((1)); #endif /* POSIX */ #if defined __USE_XOPEN && !defined __USE_XOPEN2K && !defined __USE_GNU
During the review of a GCC analyzer test case, we found most stdio functions accepting a FILE * argument expect it to be nonnull and just segfault when the argument is NULL. Add nonnull attribute for them. fflush and fflush_unlocked are well defined when __stream is NULL so they are not touched. For fputs, fgets, fread, fwrite, fprintf, vfprintf, and their unlocked version, if __stream is empty but there is nothing to read or write, they did not segfault. But the standard disallow __stream to be empty here, so nonnull attribute is also added for them. Note that this may blow up some old code already subtly broken. Signed-off-by: Xi Ruoyao <xry111@xry111.site> --- v3 -> v4: Add nonnull attribute for anything the standard disallows NULL. libio/stdio.h | 142 +++++++++++++++++++++++++++----------------------- 1 file changed, 76 insertions(+), 66 deletions(-)