Consider removing __attribute__((nonnull)) annotations
Please consider removing __attribute__((nonnull)) function annotations from the codebase, because it's almost useless for diagnostics and dangerous at the same time.
Its diagnostic value is limited with GCC: having an annotated function foo, a foo(NULL) call is warned for, but void* bar = NULL; foo(bar); already isn't, never mind the more complicated dataflows, where the warning could actually be useful.
Then the dangerous part is that the compiler is free to optimise any NULL checks from the function body away, as it will consider NULL comparisons to always evaluate to false. This is not a purely theoretical concern; we had an instance of this in InnoDB: https://bugs.launchpad.net/percona-server/+bug/1390695, see comments #19 and #20 for analysis.
With GCC 6, a new warning -Wnonnull-compare points out many instances of a nonnull arg being compared to NULL, which is effectively dead code, even though its intention is the opposite.
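The pattern described above, as an added example that is not code from this report or from the codebase it concerns. All names (lookup, value_len, configured_len) and the DEMO_NONNULL switch are hypothetical; the default build leaves the annotation off, which is the state the report asks for.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical switch: build with -DDEMO_NONNULL to apply the annotation.
   The default build omits it, so the NULL check below is always kept. */
#ifdef DEMO_NONNULL
#define ARG_NONNULL __attribute__((nonnull))
#else
#define ARG_NONNULL
#endif

/* Constructed lookup: returns NULL for any key other than "host". */
static const char *lookup(const char *key)
{
    return strcmp(key, "host") == 0 ? "db1.example" : NULL;
}

/* Defensive NULL check inside a function that may carry the annotation.
   With the attribute applied, the compiler may assume value != NULL and
   drop the branch; GCC 6+ flags the comparison with -Wnonnull-compare. */
ARG_NONNULL
size_t value_len(const char *value)
{
    if (value == NULL)
        return 0;
    return strlen(value);
}

/* NULL reaches value_len() through a variable rather than a literal,
   the dataflow the report says the call-site warning does not cover. */
size_t configured_len(const char *key)
{
    const char *value = lookup(key);
    return value_len(value);
}

int main(void)
{
    /* Well defined only in the default build (annotation off). */
    return configured_len("missing") == 0 ? 0 : 1;
}
```

Compiling with gcc -O2 -Wall -DDEMO_NONNULL on GCC 6 or later shows the -Wnonnull-compare diagnostic on the check in value_len(); in that build, passing NULL is undefined behaviour and the check can no longer be relied on.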