Most people use pointers like this...

if ( p != NULL ) {
  DoWhateverWithP();
}

However, if the pointer is null for whatever reason, the function won't be called.

My question is, could it possibly be more beneficial to just not check for NULL? Obviously on safety-critical systems this isn't an option, but your program crashing in a blaze of glory is more obvious than a function silently not being called when the program can still run without it.

In relation to the first question, do you always check for NULL before you use pointers?

Secondly, consider you have a function that takes a pointer as an argument, and you use this function multiple times on multiple pointers throughout your program. Do you find it more beneficial to test for NULL in the function (the benefit being you don't have to test for NULL all over the place), or on the pointer before calling the function (the benefit being no overhead from calling the function)?

+5  A: 

I prefer this style:

if (p == NULL) {
    // throw some exception here
}

DoWhateverWithP();

This means that whatever function this code lives in will fail quickly in the event that p is NULL. You are correct that if p is NULL there is no way that DoWhateverWithP can execute, but using a null pointer or simply not executing the function are both unacceptable ways to handle the fact that p is NULL.

The important thing to remember is to exit early and fail fast - this kind of approach yields code that is easier to debug.
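
For concreteness, a minimal sketch of that guard (the surrounding function and the Widget type are illustrative, not from the original):

#include <stdexcept>

struct Widget;              // hypothetical type, for illustration
void DoWhateverWithP();     // as in the snippet above

void Process(Widget* p) {
    if (p == NULL) {
        throw std::invalid_argument("p must not be NULL");  // fail fast
    }
    DoWhateverWithP();
}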

Andrew Hare
+1 for throwing an exception. Exceptions make the code more readable and debugging easier.
Paulo Santos
-1 for throwing exceptions. Is it truly an exceptional circumstance, or is it a routine thing your code has to be able to deal with?
mch
@mch, if the program has to be able to deal with it, then certainly, crashing is not an option. That's what is under discussion.
Bahbar
@mch, yes, it's an exceptional circumstance.
rpg
A: 

This is the style I think I've seen more of. This way you don't proceed if you know it's going to blow up anyway.

if (NULL == p)
{
  goto FunctionExit; // or some other common label to exit the function.
}

// ... rest of the function ...

FunctionExit:
  // common cleanup (close handles, free buffers, etc.) before returning
  return;
Gishu
Erm... Dijkstra wouldn't approve: http://www.u.arizona.edu/~rubinson/copyright_violations/Go_To_Considered_Harmful.html
mrkj
I don't approve of C++ in the hands of mankind in general. This is just what I've seen in the wild... because the author has been bitten by C++ so many times that he/she doesn't trust any incoming data... ever. So the same argument is checked at each step down the call chain.
Gishu
Also maybe because exceptions are more work and more in your face :).. which is precisely what the authors wanted to avoid.
Gishu
I think the common label is referred to as `return;`
GMan
Ok, maybe I'm looking at some MLOC of uncommon C++ code. FunctionExit is a label just at the end of the function, which does a bunch of local cleanup (closing reg keys, freeing pointers that are not null, disposing of strings via SysFreeString calls, etc.) before calling return;
Gishu
That's exactly what destructors and RAII are supposed to do.
Crashworks
@Crashworks: that would require that the author of the code knows what s/he is doing, which obviously isn't the case here.
MSalters
+8  A: 

When it's acceptable for the program to just crash if a NULL pointer comes up, I'm partial to:

assert(p);
DoWhateverWithP();

This will only check the pointer in debug builds, since defining NDEBUG causes assert() to expand to nothing at the preprocessor level. It documents your assumption and assists with debugging, but has zero performance impact on the released binary (though, to be fair, checking for a NULL pointer should have effectively zero impact on performance in the vast majority of circumstances anyway).

As a side benefit, this is legal for C as well as C++ and, in the latter case, doesn't require exceptions to be enabled in your compiler/runtime.

Concerning your second question, I prefer to put the assertions at the beginning of the subroutine. Again, the beauty of assert() is the fact that there's really no 'overhead' to speak of. As such, there's nothing to weigh against the benefits of only requiring one assertion in the subroutine definition.

Of course, the caveat is that you never want to assert an expression with side-effects:

assert(p = malloc(1)); // NEVER DO THIS!
DoSomethingWithP();    // If NDEBUG was defined, malloc() was never called!
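
A side-effect-free version keeps the allocation outside the assertion, so release builds behave identically:

p = malloc(1);      // the allocation now always happens
assert(p);          // only the check disappears when NDEBUG is defined
DoSomethingWithP();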
mrkj
The problem with assert is that it causes additional delay in debug mode. Thus, the timing is not the same as in release build. Especially in real time applications, if you have many asserts the whole program may stop working.
PauliL
True; I was working with some code that did something like assert(ValidGraph(g)); where ValidGraph() was some expensive routine that checked a whole lot of characteristics of the graph. This was called inside a loop and resulted in an unusably slow debug version (and this application was not real-time).
mrkj
assert() is no panacea, but I believe it's an attractive solution in a lot of common, realistic instances.
mrkj
"The problem with assert is that it causes additional delay in debug mode. Thus, the timing is not the same as in release build. Especially in real time applications, if you have many asserts the whole program may stop working" --- if you rely on your debug build performing the same as relase build, you're doing it wrong. STL is often WAY slower in debug mode and this is typical in 3rd-party libs.
John
A: 

Well, the answer to the first question is: you are talking about an ideal situation; most of the code I see which uses if ( p != NULL ) is legacy. Also, suppose you want to return an evaluator and then call the evaluator with the data, but there is no evaluator for that data; it makes logical sense to return NULL and check for NULL before calling the evaluator.

The answer to the second question is: it depends on the situation. For example, delete checks for a NULL pointer, whereas lots of other functions don't. If you test the pointer inside each function, then the same test ends up repeated in lots of functions:

ABC(p);
a = DEF(p);
d = GHI(a);
JKL(p, d);

but this code would be much better:

if (p)
{
    ABC(p);
    a = DEF(p);
    d = GHI(a);
    JKL(p, d);
}
Priyank Bolia
A: 

Could it possibly be more beneficial to just not check for NULL?

I wouldn't do it; I favor assertions on the front line and some form of recovery in the body past that. What would assertions not provide to you that not checking for null would? Similar effect, with easier interpretation and a formal acknowledgement.

In relation to the first question, do you always check for NULL before you use pointers?

It really depends on the code and the time available, but I am irritatingly good at it; a good chunk of 'implementation' in my programs consists of what a program should not do, rather than the usual 'what it should do'.

Secondly, consider you have a function that takes a pointer as an argument...

I test it in the function, as the function is (hopefully) the code that is reused more frequently. I also tend to test it before making the call; without that test, the error loses localization (useful for reporting and isolation).

Justin
+12  A: 

You are right in thinking that NULL pointers often result in immediate crashes, but do not forget that if you are indexing into a large array through a NULL pointer, you might indeed get a valid memory address if your index is high enough. And then, you'll get memory corruption or incorrect memory reads, which will be much harder to locate.
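
For illustration, a minimal sketch of how that can happen (the Record type and the index are made up):

struct Record { char data[1024]; };

Record* records = NULL;        // should have pointed to a real array
// records[5000].data[0] computes the address NULL + 5000 * sizeof(Record);
// with a large enough index this can land on a mapped page and silently
// corrupt memory instead of faulting. Undefined behaviour either way.
records[5000].data[0] = 'x';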

Whenever I can assume that calling a function with NULL is a bug, which should never happen in production code, I prefer using ASSERT guards in the function, which are only compiled into real code in a debug build, and not checking for NULL otherwise.

And from my point of view, generally, a function should check its arguments, not the caller. You should always assume that your callers might have been a bit sloppy about the checking, or that they might contain bugs...

Moral: check for NULL in the function being called, either through some if() statement that throws, or using some ASSERT construct (possibly with a clear message of why this happened). Also check for NULL in the callers, but only if the callers know that this condition might happen in a normal program execution, and act accordingly.

Pierre
After mulling it over in my head for a while, I finally came to the conclusion that calling a function on a null pointer leads to undefined behavior, and even if it causes the program to crash in a blaze of glory, it's an undefined blaze of glory. I'd rather check for null than do that.
trikker
+4  A: 
Alok
A: 

I think it is better to check for null, although you can cut down on the number of checks you need to make.

For most cases I prefer a simple guard clause at the top of a function:

if (p == NULL) return;

That said, I typically only put the check on functions that are publicly exposed.

However, when the null pointer is unexpected I will throw an exception. (There are some functions it doesn't make any sense to call with null, and the consumer should be responsible enough to use them right.)

Constructor initialization can be used as an alternative to checking for null all the time. This is especially useful when the class contains a collection. The collection can be used throughout the class without checking whether it has been initialized.
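
A minimal sketch of that idea (the class and member names are illustrative):

#include <vector>

class Inventory {
public:
    Inventory() : items_() {}                     // the collection exists from construction on
    void Add(int id) { items_.push_back(id); }    // no null check needed anywhere in the class
private:
    std::vector<int> items_;
};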

Guster_Q
+1  A: 

How about: a comment clarifying the intent? If the intent is "this can't happen", then perhaps an assert would be the right thing to do instead of the if statement.

On the other hand, if a null value is normal, perhaps an "else comment" explaining why we can skip the "then" step would be in order. Steve McConnell has a good section in "Code Complete" about if/else statements, and how a missing else is a very common error (distracted, forgot it?).

Consequently, I usually put a comment in for a "no-op else", unless it is something of the form "if done, return/break".
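
For illustration, an "else comment" of the kind described might look like this:

if (p != NULL) {
    DoWhateverWithP();
}
else {
    // p is legitimately NULL here (e.g. no data was loaded); nothing to do.
}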

Roboprog
A: 

Dereferencing a null pointer is undefined behavior. If you want to crash if the pointer is null, use an assert or something similar (and, depending on the defined behavior of your class, that can be a perfectly valid response - it's certainly better than continuing to run when people may be expecting something to have been done!).

Since the behavior of dereferencing a null pointer is undefined, it can do anything. Crash, corrupt memory, create a wormhole to an alternate dimension allowing the Elder Gods to come forth and devour all of mankind... anything. While bugs happen, depending upon undefined behavior is, by definition, a bug. So don't do it deliberately.

kyoryu
+2  A: 

This non-NULLness check can be avoided by using references instead of pointers. This way, the compiler ensures the parameter passed is not NULL. For example:

void f(Param& param)
{
    // "param" is a pointer that is guaranteed not to be NULL      
}

In this case, it is up to the client to do the checking. However, in most cases the client code will look like this:

Param instance;
f(instance);

No non-NULLness checking is needed.

When working with objects allocated on the heap, you can do the following:

Param& instance = *new Param();
f(instance);

Update: As user Crashworks remarks, it is still possible to make your program crash. However, when using references, it is the responsibility of the client to pass a valid reference, and as I show in the example, this is very easy to do.

It's possible to have a reference that is null. For example, if I called `int *foo = NULL; f(*foo);`. This will compile and call into f, and then segfault on actually using the reference.
Crashworks
You're wrong: `param` is not a pointer, it's a reference.
Alok
@Crashworks: you are right, but that doesn't make much sense, does it?
You only get a segmentation fault? You're lucky. When I run that code, demons fly out my nose!
Rob Kennedy
Well you obviously wouldn't deliberately dereference a NULL like that, but it can happen in a large program where some variable is usually stored as a pointer, and you dereference it to pass into a function like that. I've fixed many such crashes.
Crashworks
@Crashworks: In these rare cases, I suggest you do the non-NULLness check in the client code.
It's not always possible to avoid pointers in C++. So many standard libraries and external APIs use pointers that you end up making it uglier forcing them into references. Just part of using C++, in my opinion.
John
@John: Can you explain what is ugly about the "if (ptr!=NULL) f(*ptr)" solution?
Dimitri C.
A: 

When you check for NULL, it is not a good idea to just skip the function call. You should have an else-part that does something meaningful in the case of NULL, for example throwing an error or returning an error code to the upper level.

On the other hand, NULL is not always an error. It is often used to indicate, for example, that the end of data has been reached. In such a case, you will have to handle the situation as normal program flow.
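
For example, a NULL sentinel that is part of normal program flow: the standard guarantees that argv is terminated by a NULL entry (argv[argc] == NULL), so inside main you can write something like this (ProcessArgument is illustrative):

for (char** arg = argv; *arg != NULL; ++arg) {
    ProcessArgument(*arg);   // the NULL entry ends the loop; it is not an error
}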

PauliL
+3  A: 

Don't make it a rule to just check for null and do nothing if you find it.

If the pointer is allowed to be null, then you have to think about what your code does in the case that it actually is null. Usually, just doing nothing is the wrong answer. With care it's possible to define APIs which work like that, but this requires more than just scattering a few NULL checks about the place.

So, if the pointer is allowed to be null, then you must check for null, and you must do whatever is appropriate.

If the pointer is not allowed to be null, then it's perfectly reasonable to write code which invokes undefined behaviour if it is null. It's no different from writing string-handling routines which invoke undefined behaviour if the input is not NUL-terminated, or writing buffer-using routines which invoke undefined behaviour if the caller passes in the wrong value for the length, or writing a function that takes a FILE* parameter and invokes undefined behaviour if the user passes in a file descriptor reinterpret_cast to FILE*. In C and C++, you simply have to be able to rely on what your caller tells you. Garbage in, garbage out.

However, you might like to write code which helps out your caller (who is probably you, after all) when the most likely kinds of garbage are passed in. Asserts and exceptions are good for this.

Taking up the analogy from Franci's comment on the question: most people do not look for cars when crossing a footpath, or before sitting down on their sofa. They could still be hit by a car. It happens. But it would generally be considered paranoid to spend any effort checking for cars in those circumstances, or for the instructions on a can of soup to say "first, check for cars in your kitchen. Then, heat the soup".

The same goes for your code. It's much easier to pass an invalid value to a function than it is to accidentally drive your car into someone's kitchen. But it's still the fault of the driver if they do so and hit someone, not a failure of the cook to exercise due care. You don't necessarily want cooks (or callees) to clutter up their recipes (code) with checks that ought to be redundant.

There are other ways to find problems, such as unit tests and debuggers. In any case it is much safer to create a car-free environment except where necessary (roads), than it is to drive cars willy-nilly all over the place and hope everybody can cope with them at all times. So, if you do check for null in cases where it isn't allowed, you shouldn't let this give people the idea that it is allowed after all.

[Edit - I literally just hit an example of a bug where checking for null would not find an invalid pointer. I'm going to use a map to hold some objects. I will be using pointers to those objects (to represent a graph), which is fine because map never relocates its contents. But I haven't defined an ordering for the objects yet (and it's going to be a bit tricky to do so). So, to get things moving and prove that some other code works, I used a vector and a linear search instead of a map. That's right: I should have used a deque, which doesn't relocate its existing elements, but I used a vector. So after the first time the vector resized, I wasn't passing null pointers into functions, but I was passing pointers to memory which had been freed.

I make dumb errors which pass invalid garbage approximately as often as I make dumb errors which pass null pointers invalidly. So regardless of whether I add checking for null, I still need to be able to diagnose problems where the program just crashes for reasons I can't check. Since this will also diagnose null pointer accesses, I usually don't bother checking for null unless I'm writing code to generally check the preconditions on entry to the function. In that case it should if possible do a lot more than just check null.]
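
A minimal sketch of the kind of dangling pointer described above, which no NULL check will catch:

#include <vector>

std::vector<int> v;
v.push_back(1);
int* p = &v[0];     // points into the vector's current buffer
v.push_back(2);     // may reallocate; p now dangles, but is not NULL
// *p is undefined behaviour, yet (p != NULL) still passes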

Steve Jessop
I've slightly rethought the matter after sleeping on it. Due to the nature of the program, pointers are never supposed to be NULL under any circumstances. However, checking for NULL can be useful in circumstances where the programmer failed to initialize the pointer to the correct value or did something dumb like `if (p = NULL)`. Just seeing the program crash isn't terribly helpful, so printing a message when this occurs seems ideal (only in debug mode).
trikker
"Just seeing the program crash isn't terribly helpful" - it usually is, if you run your tests under a debugger. But depending on your platform, you might not have a debugger available. And you might not always use it even if it is there. So I think switch-on-and-offable checks, such as assert, are useful
Steve Jessop
If my program crashes, I generally do a glance-through of what I believe the potential problem to be. If I can't find anything, or I'm dead wrong, I go to the debugger. However, a message saying "null pointer error" would certainly make that search a lot easier because I'd know what to look for.
trikker