[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] uml_conf.c: don't return an uninitialized pointer



Daniel Veillard wrote:

> On Thu, Sep 03, 2009 at 01:39:25PM +0200, Jim Meyering wrote:
>> Jim Meyering wrote:
>> > Daniel P. Berrange wrote:
>> > ...
>> >>> Actually I did that first, but then un-did it in favor
>> >>> of the change above.  Why?  because that initialization could
>> >>> mask a failure to initialize in a new case.
>> >>>
>> >>> With per-case initialization, we'd detect the bug at
>> >>> compile/static-analysis time.  With the up-front unconditional
>> >>> initialization, we cannot, and would have to rely on testing to find it.
>> >>
>> >> It is a tradeoff, but I still prefer the initialization at time of
>> >> declaration as a safety net, and we do use this pattern pretty much
>> >> everywhere
>> >
>> > Ok.  adjusted
>>
>> Actually, I will now try to convince you that we should
>> do it the other way.  Not only is it better to have the compiler
>> tell us about this problem, but if ever someone were to add the
>> definition that seems to be missing in the default case, clang
>> would report the preceding initialization (the one you prefer)
>> as a "dead store" error.
>>
> [...]
>>
>> And in every "case" of that switch, there is an assignment to "group".
>> That renders the preceding assignment useless, and hence clang calls it
>> a dead initialization.
>>
>> Just to show you that they're not all so ambiguous, node_device_conf.c:116
>> has a "dead initialization" that is obviously worth fixing:
>>
>>     virNodeDevCapsDefPtr caps = def->caps;
>>     ...
>>     for (caps = def->caps; caps; caps = caps->next) {
>>
>> Posting that separately.
>
>   I must admit I don't see a NULL initialization of a pointer for safety
> when entering a routine as a bad thing, actually this could be
> considered a standard feature in any highlevel language.

Then perhaps I didn't explain well.
Here's a small example:

    int
    foo (void)
    {
      int ret = 0;
      switch (f())
        {
        case 0:
          do_something ();
          ret = -1;
          break;

        case 1:
          do_something_else ();
          ret = -1;
          break;

        default:
          ret = -2;
          break;
        }

      return ret;
    }

In that function, the initialization of "ret" is officially unnecessary.
Or, make it more like the code in question, initializing to
the value used in the "default" case:

    int
    foo (void)
    {
      int ret = -2;
      switch (f())
        {
        case 0:
          do_something ();
          ret = -1;
          break;

        case 1:
          do_something_else ();
          ret = -1;
          break;

        default:
          break;
        }

      return ret;
    }

However, Dan argued that he wants to be sure "ret" is defined, in case
someone else (one of the case stmts) forgets.  However, that's precisely
the case in which you do *not* want there to be an overarching
definition, because with that "extra", initial assignment, the compiler
cannot warn you if you add a case like this:

        case 2:
          // ...do things, but forget to set "ret"
          break;

However, if you merely declare "ret", with no initial value,
adding that erroneous "case 2" would provoke a warning
about "ret" being used (via the return) undefined.

I prefer to use the compiler as a safety net, whenever possible.
I.e., imho, it is clear that this toy function should be written
like this, with no initial assignment to "ret":

    int
    foo (void)
    {
      int ret;
      switch (f())
        {
        case 0:
          do_something ();
          ret = -1;
          break;

        case 1:
          do_something_else ();
          ret = -1;
          break;

        default:
          ret = -2;
          break;
        }

      return ret;
    }


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]