Re: [PATCH v3 3/4] cleanup: Annotate guard constructors with __nonnull()

[Miguel Ojeda]

On Mon, May 18, 2026 at 5:22 PM Dmitry Ilvokhin <d@xxxxxxxxxxxx> wrote:
>
> Add __nonnull() to unconditional guard constructors so the compiler
> verifies at each call site that NULL is never passed:

> This provides automated, compiler-enforced verification that no
> unconditional guard constructor receives NULL.

I wouldn't say "verify", since the compiler does a best-effort here
with the information it has statically.

In other words, the attribute does not prevent NULL pointers to be passed.

> + *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-nonnull-function-attribute

Hmm... It appears GCC has changed the docs in commit 6e3c137f5dbb
("doc: Merge function, variable, type, and statement attribute
sections [PR88472]"), dropping the per-kind attribute pages.

So the right link would need to be now:

  https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-nonnull

I will need to send a patch to fix the other links.

> + * clang: https://clang.llvm.org/docs/AttributeReference.html#nonnull

I think this link goes to `_Nonnull` -- the GNU one is instead:

  https://clang.llvm.org/docs/AttributeReference.html#id10

(I don't love the numeric IDs, though, since they break, so I think it
is fine either way -- the `_Nonnull` is fairly close to the one we
want and I hope that one doesn't break)

> + */
> +#define __nonnull(x...)                        __attribute__((__nonnull__(x)))

This is indeed available for a long time, and we already use it
elsewhere in the kernel tree (which would be nice to clean up
separately).

If you don't mind, please place it before `__nonstring__` (the file is
meant to be sorted by the actual attribute name -- there are a few
instances where this is not the case anymore, which I will eventually
clean up)

Thanks!

Cheers,
Miguel