diff --git a/include/extern.h b/include/extern.h index 9f6e39191..8333aaa37 100644 --- a/include/extern.h +++ b/include/extern.h @@ -10,7 +10,7 @@ #if 0 extern long *alloc(unsigned int); #endif -extern char *fmt_ptr(const void *); +extern char *fmt_ptr(const void *) NONNULL; /* This next pre-processor directive covers almost the entire file, * interrupted only occasionally to pick up specific functions as needed. */ diff --git a/include/global.h b/include/global.h index d274b8667..b04668ea2 100644 --- a/include/global.h +++ b/include/global.h @@ -303,9 +303,9 @@ typedef uchar nhsym; if nethack is built with MONITOR_HEAP enabled and they aren't; this declaration has been moved out of the '#else' below to avoid getting a complaint from -Wmissing-prototypes when building with MONITOR_HEAP */ -extern char *dupstr(const char *); +extern char *dupstr(const char *) NONNULL; /* same, but return strlen(string) */ -extern char *dupstr_n(const char *string, unsigned int *lenout); +extern char *dupstr_n(const char *string, unsigned int *lenout) NONNULL; /* * MONITOR_HEAP is conditionally used for primitive memory leak debugging. @@ -317,10 +317,10 @@ extern char *dupstr_n(const char *string, unsigned int *lenout); */ #ifdef MONITOR_HEAP /* plain alloc() is not declared except in alloc.c */ -extern long *nhalloc(unsigned int, const char *, int); -extern long *nhrealloc(long *, unsigned int, const char *, int); +extern long *nhalloc(unsigned int, const char *, int) NONNULL; +extern long *nhrealloc(long *, unsigned int, const char *, int) NONNULL; extern void nhfree(genericptr_t, const char *, int); -extern char *nhdupstr(const char *, const char *, int); +extern char *nhdupstr(const char *, const char *, int) NONNULL; /* this predates C99's __func__; that is trickier to use conditionally because it is not implemented as a preprocessor macro; MONITOR_HEAP wouldn't gain much benefit from it anyway so continue to live without it; @@ -337,8 +337,8 @@ extern char *nhdupstr(const char *, const char *, int); #define dupstr(s) nhdupstr(s, __FILE__, (int) __LINE__) #else /* !MONITOR_HEAP */ /* declare alloc.c's alloc(); allocations made with it use ordinary free() */ -extern long *alloc(unsigned int); /* alloc.c */ -extern long *re_alloc(long *, unsigned int); +extern long *alloc(unsigned int) NONNULL; /* alloc.c */ +extern long *re_alloc(long *, unsigned int) NONNULL; #endif /* ?MONITOR_HEAP */ /* Used for consistency checks of various data files; declare it here so diff --git a/include/tradstdc.h b/include/tradstdc.h index b75153d70..68da53777 100644 --- a/include/tradstdc.h +++ b/include/tradstdc.h @@ -404,6 +404,7 @@ typedef genericptr genericptr_t; /* (void *) or (char *) */ #if __GNUC__ >= 3 #define UNUSED __attribute__((unused)) #define NORETURN __attribute__((noreturn)) +#define NONNULL __attribute__((returns_nonnull)) #if !defined(__linux__) || defined(GCC_URWARN) /* disable gcc's __attribute__((__warn_unused_result__)) since explicitly discarding the result by casting to (void) is not accepted as a 'use' */ @@ -422,5 +423,8 @@ typedef genericptr genericptr_t; /* (void *) or (char *) */ #ifndef NORETURN #define NORETURN #endif +#ifndef NONNULL +#define NONNULL +#endif #endif /* TRADSTDC_H */ diff --git a/src/alloc.c b/src/alloc.c index 8113a9389..a40156ace 100644 --- a/src/alloc.c +++ b/src/alloc.c @@ -19,7 +19,7 @@ extern int FITSint_(LUA_INTEGER, const char *, int); #define FITSuint(x) FITSuint_(x, __func__, (int) __LINE__) extern unsigned FITSuint_(unsigned long long, const char *, int); -char *fmt_ptr(const genericptr); +char *fmt_ptr(const genericptr) NONNULL; #ifdef MONITOR_HEAP #undef alloc @@ -32,8 +32,8 @@ static FILE *heaplog = 0; static boolean tried_heaplog = FALSE; #endif -long *alloc(unsigned int); -long *re_alloc(long *, unsigned int); +long *alloc(unsigned int) NONNULL; +long *re_alloc(long *, unsigned int) NONNULL; extern void panic(const char *, ...); long * @@ -221,7 +221,8 @@ char * dupstr_n(const char *string, unsigned int *lenout) { size_t len = strlen(string); - if(len >= LARGEST_INT) + + if (len >= LARGEST_INT) panic("string too long"); *lenout = (unsigned int) len; return strcpy((char *) alloc(len + 1), string);