[Libreoffice] [PUSHED, partial] Remove NULL checks from delete
Stephan Bergmann
sbergman at redhat.com
Fri Nov 18 03:30:41 PST 2011
On 11/10/2011 12:05 AM, Andrew Douglas Pitonyak wrote:
> I would feel safer if pointers were set to NULL (or nullptr if we
> support C++11) since it is not safe to delete a pointer twice.
I would rather argue that adding redundant "p = 0;" following a "delete
p;" makes our code worse, not better (even if that may sound paradoxical
at first):
For code to be maintainable, you need to be able to reason about it.
One important concept here is to abstract over the typically huge space
of potential program states, by introducing invariants.
For each use of a pointer in a C/C++ program text, an important piece of
information is whether the pointer (a) is guaranteed to always point to
valid memory when execution of the program passes that textual
occurrence, (b) is guaranteed to never point to valid memory, or (c) can
point to either valid or invalid memory. It is highly desirable to be
able to attach an invariant to each such textual occurrence. Either the
invariant that the pointer is guaranteed to always point to valid memory
(so that, e.g., the pointer can be dereferenced), or the invariant that
it is guaranteed to always not point to valid memory (so that, e.g., the
pointer can be assigned a new value without having to delete its old
value first).
If such an invariant can be attached to each occurrence of a given
pointer, there is obviously no need to null the pointer after deletion.
However, if you do add that nulling, people will start to wonder what it
is good for. They will assume that it is there for a reason, that from
this textual occurrence of nulling the pointer other occurrences of
using that pointer in the program text can be reached for which it
cannot be guaranteed that the pointer always either points to valid or
invalid memory. So that those other occurrences need a way to check
what state the pointer is in before they dereference it, by first
comparing the pointer against null, like
if (p) {
p->foo();
} else {
???
}
So the code is made more complex for no reason. People will stop to
understand the invariants that were once attached to each occurrence of
p, and will instead assume that at each occurrence of p the worst will
have to be assumed and catered for. But what to put into that else
branch? Defensive programming perversion. It won't be long until the
first bug is introduced that goes unnoticed because it is hidden by one
of those "defensive" else branches.
Stephan
More information about the LibreOffice
mailing list