GCC has "nonnull" and "warn_unused_result" attributes that are really great for finding bugs, assuming they're used everywhere. The problem is, they would have to be used for >99% of the functions, which makes them way too much trouble to be worth it for normal code. So wouldn't it be better to just make that the default behavior, and add "null" and "nowarn_unused_result" attributes for the few exceptions where the opposite behavior is needed?
I've implemented both of those myself, although only the "null" attribute code is made public in http://llvm.org/bugs/show_bug.cgi?id=6786 I'm now wondering (hoping!) if there's a way to make these changes part of the standard clang. I know the current patch isn't good enough, but before trying to improving it, I'd like to know:
* How realistic is it to get this feature included at all? I guess I could just keep patching clang myself, but it's rather annoying. I think this feature would be very useful for anyone who wants to write high quality C code, since it forces dealing with return values and specifying if NULL pointers are valid as parameters. I found maybe 20 bugs (mainly missing error handling) from my own code with these patches.
* What would be the correct parameter names to enable these? -fattribute-nonnull-default & -fattribute-warn-unused-result-default or -Wattribute-nonnull-default & -Wattribute-warn-unused-result-default or ..?
* Getting these warnings from libraries you can't modify (libc, etc.) is rather pointless. So the patch I wrote enables these only for functions found from non-system headers. Is this too much of a special case? Should there be separate settings to enable these also for system headers? Although libc already adds the nonnull attributes for almost everything, so it could also add the null attributes for the rest of them to make both behaviors work..
* For the "null" attribute we could follow either the current "nonnull" attribute behavior by giving a list of parameter numbers which can be NULL (which is rather ugly) or the "unused" attribute behavior where you simply mark the parameter with null attribute. Since GCC doesn't have this new "null" attribute and with the default change there's really no need to use "nonnull" at all, I think perhaps it would be better to use the unused-like behavior?