7

NULL is the billion-dollar mistake but there is nothing in the type system of C++ to prevent it. However, C++ already has const-correctness so implementing NULL-correctness seems trivial:

  • introduce a keyword, __nonnull, as a specifier in the same class as const, which can only be placed after the * in a declaration.
  • All pointers obtained by & operator is __nonnull.
  • A __nonnull pointer value or const reference can be automatically converted to a normal pointer, but not vice-versa without a cast. (T *__nonnull can be converted to T *, and T *__nonnull & can be converted to T *const &)

  • Writable references of pointers cannot be automatically converted between normal and __nonnull (T *__nonnull & CANNOT be converted to T *&), i.e.

    int x;
int *__nonnull p = &x;
int *q = p; // OK
int *const &r = p; // OK
int *const *s = &p; // OK
int *&t = p; // ERROR, don't want to assign NULL to t
int **u = &p; // ERROR, don't want to assign NULL to *u

  • const_cast can be used to cast a normal pointer to a __nonnull pointer, in which if the pointer is really NULL, the behaviour is undefined.

  • Assigning a null-pointer constant 0, NULL and nullptr to a __nonnull pointer variable is an error.
  • __nonnull pointers cannot be default initialised, like a reference.
  • Have a standard library function to convert a normal pointer to a __nonnull pointer, which throws an exception on NULL.
  • An optional warning will be given by compiler for dereferencing normal pointers without NULL check, which the practice is going to be deprecated.

Is the above proposal viable? Are the above things enough for a NULL-safe type system?

Nicol Bolas
12.1k4 gold badges39 silver badges48 bronze badges
asked Jan 6, 2017 at 7:08
7
  • 1
    Did you look at not_null in the gsl library? Here is one article about it: visualstudiomagazine.com/articles/2016/06/01/… Commented Jan 6, 2017 at 7:40
  • 4
    References already are non null pointers, with the restriction that you may not reassign them. Most of your suggested behaviours can be implemented with a nonnull<T*> wrapper, no language changes required. Commented Jan 6, 2017 at 8:00
  • The question would be "is there a good reason for a NULL-safe type system?" - NULL is there for a good reason. Commented Jan 6, 2017 at 12:10
  • 1
    This question would be handled better on the ISO-C++ proposal forum. Q&A is not an effective means for tempering a proposal. Commented Jan 6, 2017 at 15:00
  • 2
    @tofro And that good reason is? I can't think of any advantages null has over a proper option type. Commented Jan 6, 2017 at 18:30

1 Answer 1

2

Is the above proposal viable?

No.

First, it doesn't work for user-defined types. Whereas const does. Even volatile does. And with lots of smart pointer types, having it work with user-defined types is kind of important.

Second, using const_cast to convert to __notnull is... silly.

Third, C++ is not C. If something is important enough to get a keyword in C++, then it's important enough to get a keyword that doesn't look terrible.

Fourth, this can be done adequately through a simple type. The C++ core guidelines support library provides not_null, which essentially has the properties you suggest. And, unlike __notnull, it works with user-defined smart pointers too (though not unique_ptr).

answered Jan 6, 2017 at 15:00
3
  • I don't understand why it doesn't work for user-defined types. The mechanism does not matter what type the pointer points to. Commented Jan 7, 2017 at 16:36
  • @MichaelTsang: Not pointers to user-defined types. User-defined types that act like pointers: shared_ptr, unique_ptr, etc. Your mechanism does not allow me to declare __notnull shared_ptr<T>. Whereas gsl::not_null<shared_ptr<T>> works (though not unique_ptr). Commented Jan 7, 2017 at 16:47
  • Pointer-like user-defined types are already awkward and badly-supported by the language though. They don't work with return value covariance, yet are often evangelized as if they were a drop-in replacement for pointers. The language should add better support for those types to be a true drop-in replacement, and while it's at it, implement some kind of nonnull keyword or attribute that can also work with those types. Better than to use the awkwardness of those types to shut down even more proposals. By the way, gsl::not_null isn't that fun to use in templates and is not taking off. Commented Mar 27 at 0:20

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.