From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 939903857400; Mon, 6 Mar 2023 19:38:15 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 939903857400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1678131495; bh=sSWowIV0fnjKnQAeEXne2eWRLfdiFiLwkf/fEFBC1T0=; h=From:To:Subject:Date:In-Reply-To:References:From; b=euw9+/5CZ8RAmnTqBdeU92dN68nwi+YBp2QB/fpCdhLTGX1PtDQYEd95yxjlg6JOo Sdisq9bEequS/t6/i8y1cmIr3ut4UTBDdwXjWSEbcITLUcUKPV7rFKD+6BZOiEIbOV fum1ZS8d2Vfl1csH9d5lpke7IFflPqWwEviOr7I0= From: "muecker at gwdg dot de" To: gcc-bugs@gcc.gnu.org Subject: [Bug c/108896] provide "element_count" attribute to give more context to __builtin_dynamic_object_size() and -fsanitize=bounds Date: Mon, 06 Mar 2023 19:38:15 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: c X-Bugzilla-Version: unknown X-Bugzilla-Keywords: X-Bugzilla-Severity: enhancement X-Bugzilla-Who: muecker at gwdg dot de X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: qinzhao at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108896 --- Comment #20 from Martin Uecker --- Am Montag, dem 06.03.2023 um 19:15 +0000 schrieb isanbard at gmail dot com: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108896 >=20 > --- Comment #18 from Bill Wendling --- > (In reply to Martin Uecker from comment #17) > > Am Freitag, dem 03.03.2023 um 23:18 +0000 schrieb isanbard at gmail dot= com: > >=20 ... >=20 > > But even we make it resolve the name, which we > > have to do for all proposals, it is something different. > >=20 > > If offsetof it would resolve the count of a different > > struct of the same *type* (here a non-existent one at=C2=A0 > > address zero). Here we need a self reference to the > > same *object*. > >=20 > If we make it an attribute, we have more control over what the arguments = mean, > what they refer to, etc. >=20 > For the record, I'm not opposed to the idea of using the designated initi= alizer > syntax. I just think it's good to explore other ideas before settling on > extending C (which is a bit heavy-handed). I agree. An attribute is simple and extending C will take more care (and work). The reason I think we should also extend C (together with WG14) is because this would allow writing code where the bound is never lost because it is encoded in the type, while the=C2=A0 __builtin_dynamic_object_size is extremely useful to enhance existing code bases, but is best effort only. So I think we should do both. ... >=20 > > > > > It also has the benefit of > > > > > allowing one to reference a variable not in the structure: > > > > >=20 > > > > > const int items; > > > > > struct object { > > > > > =C2=A0=C2=A0=C2=A0=C2=A0... > > > > > =C2=A0=C2=A0=C2=A0=C2=A0char items; > > > > > =C2=A0=C2=A0=C2=A0=C2=A0... > > > > > =C2=A0=C2=A0=C2=A0=C2=A0struct inner { > > > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0... > > > > > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0int flex[] __attr= ibute__((__element_count__(items))); /* References > > > > > global "items" */ > > > > > =C2=A0=C2=A0=C2=A0=C2=A0}; > > > > > } *ptr; > > > >=20 > > > > Whether you allow this or not has nothing to do with the syntax. > > > >=20 > > > > The question is what semantics you attach to this and this is > > > > also a question in your example.=20 > > > >=20 > > > > If you define > > > >=20 > > > > struct inner* a =3D ... > > > >=20 > > > > What does it say for a->flex ? > > > >=20 > > > I need to point out that I used "offsetof" only as an example. It's p= ossible to > > > create something more robust which will carry along type information,= etc., > > > which the current offsetof macro throws away. I should have made that= clear. > > >=20 > > > The sanitizers that see "a->flex" will try to find the correct variab= le. If > > > they can't, then they won't generate a check. In the case of it refer= encing a > > > non-field member, it'll use that if it's within scope. If it refers t= o a field > > > member of a parent container that's not within scope, it'll also not = generate a > > > check. It's unfortunate that these checks are done as a "best effort,= " but it > > > could lead to software changes to improve security checks (like passi= ng a > > > parent structure into a function rather than an inner structure. > >=20 > > Yes. We could also have an optional warning which warns about accessing > > 'flex' in a context where 'items' is not accessible. My point is that > > this feature of potentially referring to stuff which may not be accessi= ble > > in all cases makes implementation more complicated. > >=20 > It does make it more complicated, that's true. >=20 > I haven't seen comments on Kees's first example, where "malloc" returns an > "__alloc_size" hint that's lost when "p" is returned from the function (at > least in Clang). If that information is kept around, it would expand the = number > of bounds checks we could perform. (Kudos if this is currently the case in > GCC.) I think not. But this would not work across TU boundaries anyway. https://godbolt.org/z/eW9GT579r Martin=