Hi Andreas,

On 12/3/22 20:05, Andreas Schwab wrote:
> On Dez 03 2022, Xi Ruoyao via Libc-alpha wrote:
>
>> Currently the man page says:
>>
>> EFAULT: addr points outside the user's accessible address space.
>>
>> And bind(2) indeed sets errno to EFAULT and returns -1 when NULL is
>> passed as addr.
>
> You can never depend on EFAULT for invalid addresses.
>
>> gnu::nonnull is not only a diagnostic attribute: it also allows the
>> compiler to assume addr is never NULL. i.e. if addr was gnu::nonnull
>> and bind(2) is called with addr == NULL, the behavior would be
>> undefined.
>
> It is already undefined now, so this would be a valid change.

Hmm, if so, please CC me on any such changes. I'm interested in them.

So far I'm being very careful about it, with the following approach:

I'm using _Nullable (Clang syntax), which is less invasive (there are very few calls that would need it, compared to either _Nonnull or [[gnu::nonnull]]). Also, in cases like this one (bind(2)), I can leave the prototype untouched, so I'm not really saying it's nonnull (but I'm implying it very much). But certainly, I won't be adding _Nullable to functions like bind(2).

However, since there are a lot of libc syscall wrappers (and maybe functions, but I haven't arrived at that yet, so I don't know) that don't specify __nonnull when they should, my work is very manual, and I might make some mistakes. I can send the patches to anyone who wants to have a look at them before I push them (please tell me if so), but there will be many changes, and I'd prefer if I could just follow the glibc qualifiers.

Thank you!

Cheers,

Alex

--
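The following is an added example, not part of the message above and not glibc code: a caller-side guard that rejects a NULL address before bind(2) is reached, so the program depends neither on the kernel returning EFAULT nor on a check that a nonnull attribute would let the compiler delete. The name `bind_checked`, the choice of EINVAL and the minimum-length test are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not a libc function. Its own parameter carries no
 * nonnull attribute, so the compiler has to keep the NULL test below. If
 * addr were declared [[gnu::nonnull]] here, the compiler would be allowed
 * to treat the test as always false and remove it. */
int bind_checked(int fd, const struct sockaddr *addr, socklen_t len)
{
    if (addr == NULL || len < (socklen_t)sizeof(sa_family_t)) {
        errno = EINVAL;   /* our own deterministic error, not the kernel's EFAULT */
        return -1;
    }
    return bind(fd, addr, len);
}

int main(void)
{
    struct sockaddr_in sa;   /* constructed sample address: 127.0.0.1, any port */
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    if (bind_checked(fd, NULL, 0) == -1)
        printf("NULL addr rejected before the syscall: %s\n", strerror(errno));
    if (bind_checked(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
        puts("valid addr bound");
    close(fd);
    return 0;
}
```

Building with `-Wnonnull` (part of `-Wall` in GCC and Clang) additionally reports literal NULL arguments passed to functions that are annotated nonnull.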