public inbox for gcc-cvs@sourceware.org
help / color / mirror / Atom feed
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2022-10-20 22:32 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2022-10-20 22:32 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:11842645a31b166a7ac55bd2b2f7aa3ce6596ca8
commit 11842645a31b166a7ac55bd2b2f7aa3ce6596ca8
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:25 2022 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 80c80cdc805..eb116f8f55a 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=not-always` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index af87d6624a9..b0f3bcb78bd 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-23 20:13 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-23 20:13 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:8071e29f38ec5c1c61ab35330719a47c9c25997f
commit 8071e29f38ec5c1c61ab35330719a47c9c25997f
Author: Alexandre Oliva <oliva@adacore.com>
Date: Fri Jun 23 17:10:09 2023 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-throw-no-xthrow-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-no-xthrow-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index e2792ca6898..c12211cb4d4 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5412,6 +5415,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 3040a9bdea6..a3b37337bd3 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -3000,6 +3000,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@cindex @code{expected_throw} function attribute
+@item expected_throw
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@cindex @code{externally_visible} function attribute
@item externally_visible
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-no-xthrow-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-no-xthrow-expected.C
new file mode 100644
index 00000000000..de37b2ab1c5
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-no-xthrow-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=no-xthrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-23 20:12 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-23 20:12 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:14289a5cb40c747a04b6e645b3ace30a3937a195
commit 14289a5cb40c747a04b6e645b3ace30a3937a195
Author: Alexandre Oliva <oliva@adacore.com>
Date: Fri Jun 23 17:10:05 2023 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 2eddf206763..e1de80d072b 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=no-xthrow` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index 7949b5907b6..897c68a6101 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-09 8:07 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-09 8:07 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:c2adf71b5e5036e412fc150245764f0d2246bec2
commit c2adf71b5e5036e412fc150245764f0d2246bec2
Author: Alexandre Oliva <oliva@adacore.com>
Date: Thu Jun 8 01:35:20 2023 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-throw-not-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index 072cfb69147..d59acccb42a 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5403,6 +5406,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index ac476801ed8..4834a8e0b40 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -2997,6 +2997,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@cindex @code{expected_throw} function attribute
+@item expected_throw
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@cindex @code{externally_visible} function attribute
@item externally_visible
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-09 6:17 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-09 6:17 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:dd0074d3c64357bb85b5ec15cbb8a02464c0cdd1
commit dd0074d3c64357bb85b5ec15cbb8a02464c0cdd1
Author: Alexandre Oliva <oliva@adacore.com>
Date: Thu Jun 8 01:35:20 2023 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-thro-wnot-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index 072cfb69147..d59acccb42a 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5403,6 +5406,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index ac476801ed8..4834a8e0b40 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -2997,6 +2997,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@cindex @code{expected_throw} function attribute
+@item expected_throw
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@cindex @code{externally_visible} function attribute
@item externally_visible
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-09 6:16 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-09 6:16 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:1a53282064a7c99b4b03cc705182d4c3812a2bbb
commit 1a53282064a7c99b4b03cc705182d4c3812a2bbb
Author: Alexandre Oliva <oliva@adacore.com>
Date: Thu Jun 8 01:35:16 2023 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 1cbd7fd6705..5c45fc2d42a 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=not-always` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index 7949b5907b6..897c68a6101 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 10:58 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 10:58 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:2b92db9168c78e900c80d30eae7e205dcb2008a9
commit 2b92db9168c78e900c80d30eae7e205dcb2008a9
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:26 2022 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-thro-wnot-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index e2792ca6898..c12211cb4d4 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5412,6 +5415,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cdbd4b34a35..2de212c8c2d 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -3000,6 +3000,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@cindex @code{expected_throw} function attribute
+@item expected_throw
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@cindex @code{externally_visible} function attribute
@item externally_visible
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 10:58 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 10:58 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:766368d9366dd69b4e84b084f60bc69f3ea21df5
commit 766368d9366dd69b4e84b084f60bc69f3ea21df5
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:25 2022 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 1cbd7fd6705..5c45fc2d42a 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=not-always` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index 7949b5907b6..897c68a6101 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 10:43 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 10:43 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:14952c214d032162b891479b490044a6491574a9
commit 14952c214d032162b891479b490044a6491574a9
Author: Alexandre Oliva <oliva@adacore.com>
Date: Thu Jun 8 01:35:20 2023 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-thro-wnot-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index e2792ca6898..c12211cb4d4 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5412,6 +5415,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cdbd4b34a35..2de212c8c2d 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -3000,6 +3000,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@cindex @code{expected_throw} function attribute
+@item expected_throw
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@cindex @code{externally_visible} function attribute
@item externally_visible
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 10:43 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 10:43 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:20f802affb148b8ae67f1046969a58e401bb92d9
commit 20f802affb148b8ae67f1046969a58e401bb92d9
Author: Alexandre Oliva <oliva@adacore.com>
Date: Thu Jun 8 01:35:16 2023 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 1cbd7fd6705..5c45fc2d42a 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=not-always` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index 7949b5907b6..897c68a6101 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 9:17 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 9:17 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:2b92db9168c78e900c80d30eae7e205dcb2008a9
commit 2b92db9168c78e900c80d30eae7e205dcb2008a9
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:26 2022 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-thro-wnot-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index e2792ca6898..c12211cb4d4 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5412,6 +5415,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cdbd4b34a35..2de212c8c2d 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -3000,6 +3000,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@cindex @code{expected_throw} function attribute
+@item expected_throw
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@cindex @code{externally_visible} function attribute
@item externally_visible
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 9:17 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 9:17 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:766368d9366dd69b4e84b084f60bc69f3ea21df5
commit 766368d9366dd69b4e84b084f60bc69f3ea21df5
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:25 2022 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 1cbd7fd6705..5c45fc2d42a 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=not-always` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index 7949b5907b6..897c68a6101 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 4:47 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 4:47 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:ae6a9e6a22d1ad5cd46f23fe869ead7e51263e55
commit ae6a9e6a22d1ad5cd46f23fe869ead7e51263e55
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:26 2022 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-thro-wnot-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index e2792ca6898..c12211cb4d4 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5412,6 +5415,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 56aa81c8c37..17d6dd2c355 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -3000,6 +3000,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@cindex @code{expected_throw} function attribute
+@item expected_throw
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@cindex @code{externally_visible} function attribute
@item externally_visible
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2023-06-08 4:47 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2023-06-08 4:47 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:162a958ba3638f43b292fb4c339ebd9a223b668a
commit 162a958ba3638f43b292fb4c339ebd9a223b668a
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:25 2022 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 1cbd7fd6705..5c45fc2d42a 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=not-always` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index 7949b5907b6..897c68a6101 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2022-10-25 2:52 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2022-10-25 2:52 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:01df13453d3729b15f33266dff84912ac9371897
commit 01df13453d3729b15f33266dff84912ac9371897
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:26 2022 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-thro-wnot-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index 92ac93ba2ce..0d2bcf57616 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5398,6 +5401,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index bf11956c467..16f161ebf8a 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -2991,6 +2991,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@item expected_throw
+@cindex @code{expected_throw} function attribute
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@item externally_visible
@cindex @code{externally_visible} function attribute
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2022-10-25 2:52 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2022-10-25 2:52 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:a917fac963436c8a3a033c2cb879d11d7a7ce034
commit a917fac963436c8a3a033c2cb879d11d7a7ce034
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:25 2022 -0300
Expose expected_throw attribute
Mark exception-raising subprograms with expected_throw attribute.
Document the use of the attribute in Control Flow Redundancy.
for gcc/ada/ChangeLog
* libgnat/a-except.ads (Raise_Exception): Mark expected_throw.
(Reraise_Occurrence): Likewise.
(Raise_Exception_Always): Likewise.
(Raise_From_Controlled_Operation): Likewise.
(Reraise_Occurrence_Always): Likewise.
(Reraise_Occurrence_No_Defer): Likewise.
* doc/gnat_rm/security_hardening_features.rt (Control Flow
Hardening): Note the influence of expected_throw.
Diff:
---
gcc/ada/doc/gnat_rm/security_hardening_features.rst | 4 +++-
gcc/ada/libgnat/a-except.ads | 8 ++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index 80c80cdc805..eb116f8f55a 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -489,7 +489,9 @@ gets modified as follows:
Verification may also be performed before No_Return calls, whether all
of them, with :switch:`-fhardcfr-check-noreturn-calls=always`; all but
-internal subprograms involved in exception-raising or -reraising, with
+internal subprograms involved in exception-raising or -reraising or
+subprograms explicitly marked with both :samp:`No_Return` and
+:samp:`Machine_Attribute` :samp:`expected_throw` pragmas, with
:switch:`-fhardcfr-check-noreturn-calls=not-always` (default); only
nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`;
or none, with :switch:`-fhardcfr-check-noreturn-calls=never`.
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index af87d6624a9..b0f3bcb78bd 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2022-10-20 22:32 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2022-10-20 22:32 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:53ad4b10c5edbda6dca728a5b4d7738c7712e27a
commit 53ad4b10c5edbda6dca728a5b4d7738c7712e27a
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:26 2022 -0300
Expose expected_throw attribute
Add support for explicit expected_throw attributes to be added in
C-family languages. Document it.
for gcc/ChangeLog
* c-family/c-attribs.cc (handle_expected_throw_attribute):
New.
(c_common_attribute_table): Add expected_throw.
* doc/extend.texi: Document it.
for gcc/testsuite/ChangeLog
* g++.dg/torture/harden-cfr-thro-wnot-always-expected.C: New.
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index 92ac93ba2ce..0d2bcf57616 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5398,6 +5401,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 04af0584d82..3532728aa1a 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -2991,6 +2991,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@item expected_throw
+@cindex @code{expected_throw} function attribute
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@item externally_visible
@cindex @code{externally_visible} function attribute
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2022-10-20 4:09 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2022-10-20 4:09 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:a2b78e7795a32a0ca00848077e6f67ab23c40ab5
commit a2b78e7795a32a0ca00848077e6f67ab23c40ab5
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:26 2022 -0300
Expose expected_throw attribute
Diff:
---
gcc/c-family/c-attribs.cc | 22 ++++++++++++++++++++++
gcc/doc/extend.texi | 11 +++++++++++
.../torture/harden-cfr-throw-not-always-expected.C | 16 ++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/gcc/c-family/c-attribs.cc b/gcc/c-family/c-attribs.cc
index 92ac93ba2ce..0d2bcf57616 100644
--- a/gcc/c-family/c-attribs.cc
+++ b/gcc/c-family/c-attribs.cc
@@ -136,6 +136,7 @@ static tree handle_vector_mask_attribute (tree *, tree, tree, int,
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonstring_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_cleanup_attribute (tree *, tree, tree, int, bool *);
static tree handle_warn_unused_result_attribute (tree *, tree, tree, int,
bool *);
@@ -437,6 +438,8 @@ const struct attribute_spec c_common_attribute_table[] =
handle_nonstring_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "may_alias", 0, 0, false, true, false, false, NULL, NULL },
{ "cleanup", 1, 1, true, false, false, false,
handle_cleanup_attribute, NULL },
@@ -5398,6 +5401,25 @@ handle_nothrow_attribute (tree *node, tree name, tree ARG_UNUSED (args),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree name, tree ARG_UNUSED (args),
+ int ARG_UNUSED (flags), bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ /* ??? TODO: Support types. */
+ else
+ {
+ warning (OPT_Wattributes, "%qE attribute ignored", name);
+ *no_add_attrs = true;
+ }
+
+ return NULL_TREE;
+}
+
/* Handle a "cleanup" attribute; arguments as in
struct attribute_spec.handler. */
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 04af0584d82..3532728aa1a 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -2991,6 +2991,17 @@ when using these attributes the problem is diagnosed
earlier and with exact location of the call even in presence of inline
functions or when not emitting debugging information.
+@item expected_throw
+@cindex @code{expected_throw} function attribute
+This attribute, attached to a function, tells the compiler the function
+is more likely to raise or propagate an exception than to return, loop
+forever, or terminate the program.
+
+This hint is mostly ignored by the compiler. The only effect is when
+it's applied to @code{noreturn} functions and
+@samp{-fharden-control-flow-redundancy} is enabled, and
+@samp{-fhardcfr-check-noreturn-calls=not-always} is not overridden.
+
@item externally_visible
@cindex @code{externally_visible} function attribute
This attribute, attached to a global variable or function, nullifies
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
new file mode 100644
index 00000000000..f42f870bdcf
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-not-always-expected.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-returning-calls -fhardcfr-check-noreturn-calls=not-always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g (void);
+extern void __attribute__ ((__noreturn__, __expected_throw__)) g2 (void);
+
+#include "harden-cfr-throw.C"
+
+/* In f and h3, there are checkpoints at return and exception escape. . */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 4 "hardcfr" } } */
+/* Other functions get a single cleanup checkpoint. */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 5 "hardcfr" } } */
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2022-10-20 4:09 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2022-10-20 4:09 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:2bf450062dd91d54e51d467a61dd7e8248e50d4d
commit 2bf450062dd91d54e51d467a61dd7e8248e50d4d
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:25 2022 -0300
Expose expected_throw attribute
Diff:
---
gcc/ada/libgnat/a-except.ads | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gcc/ada/libgnat/a-except.ads b/gcc/ada/libgnat/a-except.ads
index af87d6624a9..b0f3bcb78bd 100644
--- a/gcc/ada/libgnat/a-except.ads
+++ b/gcc/ada/libgnat/a-except.ads
@@ -79,11 +79,13 @@ package Ada.Exceptions is
procedure Raise_Exception (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception);
+ pragma Machine_Attribute (Raise_Exception, "expected_throw");
-- Note: In accordance with AI-466, CE is raised if E = Null_Id
function Exception_Message (X : Exception_Occurrence) return String;
procedure Reraise_Occurrence (X : Exception_Occurrence);
+ pragma Machine_Attribute (Reraise_Occurrence, "expected_throw");
-- Note: it would be really nice to give a pragma No_Return for this
-- procedure, but it would be wrong, since Reraise_Occurrence does return
-- if the argument is the null exception occurrence. See also procedure
@@ -177,6 +179,7 @@ private
procedure Raise_Exception_Always (E : Exception_Id; Message : String := "");
pragma No_Return (Raise_Exception_Always);
+ pragma Machine_Attribute (Raise_Exception_Always, "expected_throw");
pragma Export (Ada, Raise_Exception_Always, "__gnat_raise_exception");
-- This differs from Raise_Exception only in that the caller has determined
-- that for sure the parameter E is not null, and that therefore no check
@@ -195,6 +198,9 @@ private
"__gnat_raise_from_controlled_operation");
-- Raise Program_Error, providing information about X (an exception raised
-- during a controlled operation) in the exception message.
+ pragma Machine_Attribute (Raise_From_Controlled_Operation,
+ "expected_throw");
+ -- Mark it like internal exception-raising subprograms
procedure Reraise_Library_Exception_If_Any;
pragma Export
@@ -205,6 +211,7 @@ private
procedure Reraise_Occurrence_Always (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_Always);
+ pragma Machine_Attribute (Reraise_Occurrence_Always, "expected_throw");
-- This differs from Raise_Occurrence only in that the caller guarantees
-- that for sure the parameter X is not the null occurrence, and that
-- therefore this procedure cannot return. The expander uses this routine
@@ -212,6 +219,7 @@ private
procedure Reraise_Occurrence_No_Defer (X : Exception_Occurrence);
pragma No_Return (Reraise_Occurrence_No_Defer);
+ pragma Machine_Attribute (Reraise_Occurrence_No_Defer, "expected_throw");
-- Exactly like Reraise_Occurrence, except that abort is not deferred
-- before the call and the parameter X is known not to be the null
-- occurrence. This is used in generated code when it is known that abort
^ permalink raw reply [flat|nested] 20+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute
@ 2022-10-20 4:09 Alexandre Oliva
0 siblings, 0 replies; 20+ messages in thread
From: Alexandre Oliva @ 2022-10-20 4:09 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:b96bdb8e2028adaaa21b5bcb1b993329043e8527
commit b96bdb8e2028adaaa21b5bcb1b993329043e8527
Author: Alexandre Oliva <oliva@adacore.com>
Date: Wed Oct 19 20:36:23 2022 -0300
Expose expected_throw attribute
Diff:
---
gcc/ada/gcc-interface/utils.cc | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/gcc/ada/gcc-interface/utils.cc b/gcc/ada/gcc-interface/utils.cc
index 5942de150b9..9b3d60099fa 100644
--- a/gcc/ada/gcc-interface/utils.cc
+++ b/gcc/ada/gcc-interface/utils.cc
@@ -87,6 +87,7 @@ tree gnat_raise_decls_ext[(int) LAST_REASON_CODE + 1];
/* Forward declarations for handlers of attributes. */
static tree handle_const_attribute (tree *, tree, tree, int, bool *);
static tree handle_nothrow_attribute (tree *, tree, tree, int, bool *);
+static tree handle_expected_throw_attribute (tree *, tree, tree, int, bool *);
static tree handle_pure_attribute (tree *, tree, tree, int, bool *);
static tree handle_novops_attribute (tree *, tree, tree, int, bool *);
static tree handle_nonnull_attribute (tree *, tree, tree, int, bool *);
@@ -143,6 +144,8 @@ const struct attribute_spec gnat_internal_attribute_table[] =
handle_const_attribute, NULL },
{ "nothrow", 0, 0, true, false, false, false,
handle_nothrow_attribute, NULL },
+ { "expected_throw", 0, 0, true, false, false, false,
+ handle_expected_throw_attribute, NULL },
{ "pure", 0, 0, true, false, false, false,
handle_pure_attribute, NULL },
{ "no vops", 0, 0, true, false, false, false,
@@ -6378,6 +6381,22 @@ handle_nothrow_attribute (tree *node, tree ARG_UNUSED (name),
return NULL_TREE;
}
+/* Handle a "nothrow" attribute; arguments as in
+ struct attribute_spec.handler. */
+
+static tree
+handle_expected_throw_attribute (tree *node, tree ARG_UNUSED (name),
+ tree ARG_UNUSED (args), int ARG_UNUSED (flags),
+ bool *no_add_attrs)
+{
+ if (TREE_CODE (*node) == FUNCTION_DECL)
+ /* No flag to set here. */;
+ else
+ *no_add_attrs = true;
+
+ return NULL_TREE;
+}
+
/* Handle a "pure" attribute; arguments as in
struct attribute_spec.handler. */
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2023-06-23 20:13 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-20 22:32 [gcc(refs/users/aoliva/heads/testme)] Expose expected_throw attribute Alexandre Oliva
-- strict thread matches above, loose matches on Subject: below --
2023-06-23 20:13 Alexandre Oliva
2023-06-23 20:12 Alexandre Oliva
2023-06-09 8:07 Alexandre Oliva
2023-06-09 6:17 Alexandre Oliva
2023-06-09 6:16 Alexandre Oliva
2023-06-08 10:58 Alexandre Oliva
2023-06-08 10:58 Alexandre Oliva
2023-06-08 10:43 Alexandre Oliva
2023-06-08 10:43 Alexandre Oliva
2023-06-08 9:17 Alexandre Oliva
2023-06-08 9:17 Alexandre Oliva
2023-06-08 4:47 Alexandre Oliva
2023-06-08 4:47 Alexandre Oliva
2022-10-25 2:52 Alexandre Oliva
2022-10-25 2:52 Alexandre Oliva
2022-10-20 22:32 Alexandre Oliva
2022-10-20 4:09 Alexandre Oliva
2022-10-20 4:09 Alexandre Oliva
2022-10-20 4:09 Alexandre Oliva
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).