From: Qing Zhao <qing.zhao@oracle.com>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>,
Richard Biener <richard.guenther@gmail.com>
Cc: Joseph Myers <josmyers@redhat.com>,
Richard Biener <richard.guenther@gmail.com>,
"uecker@tugraz.at" <uecker@tugraz.at>,
Kees Cook <keescook@chromium.org>,
"isanbard@gmail.com" <isanbard@gmail.com>,
"gcc-patches@gcc.gnu.org" <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH v8 3/5] Use the .ACCESS_WITH_SIZE in builtin object size.
Date: Thu, 11 Apr 2024 13:19:52 +0000 [thread overview]
Message-ID: <15A1FD7E-940F-40D2-B7C1-966DC130C87B@oracle.com> (raw)
In-Reply-To: <857967f8-affb-4d43-b1f7-2078237a33b8@gotplt.org>
Sid,
Thanks a lot for your review!
> On Apr 10, 2024, at 17:45, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:
>
> On 2024-03-29 12:07, Qing Zhao wrote:
>> gcc/ChangeLog:
>> * tree-object-size.cc (access_with_size_object_size): New function.
>> (call_object_size): Call the new function.
>> gcc/testsuite/ChangeLog:
>> * gcc.dg/builtin-object-size-common.h: Add a new macro EXPECT.
>> * gcc.dg/flex-array-counted-by-3.c: New test.
>> * gcc.dg/flex-array-counted-by-4.c: New test.
>> * gcc.dg/flex-array-counted-by-5.c: New test.
>
> This version looks fine to me for stage 1, but I'm not a maintainer so you'll need an ack from one to commit.
Richard,
Could you please comment on this patch? Is this one okay for stage 1?
Thanks
Qing
>
> Thanks,
> Sid
>
>> ---
>> .../gcc.dg/builtin-object-size-common.h | 11 ++
>> .../gcc.dg/flex-array-counted-by-3.c | 63 +++++++
>> .../gcc.dg/flex-array-counted-by-4.c | 178 ++++++++++++++++++
>> .../gcc.dg/flex-array-counted-by-5.c | 48 +++++
>> gcc/tree-object-size.cc | 60 ++++++
>> 5 files changed, 360 insertions(+)
>> create mode 100644 gcc/testsuite/gcc.dg/flex-array-counted-by-3.c
>> create mode 100644 gcc/testsuite/gcc.dg/flex-array-counted-by-4.c
>> create mode 100644 gcc/testsuite/gcc.dg/flex-array-counted-by-5.c
>> diff --git a/gcc/testsuite/gcc.dg/builtin-object-size-common.h b/gcc/testsuite/gcc.dg/builtin-object-size-common.h
>> index 66ff7cdd953a..b677067c6e6b 100644
>> --- a/gcc/testsuite/gcc.dg/builtin-object-size-common.h
>> +++ b/gcc/testsuite/gcc.dg/builtin-object-size-common.h
>> @@ -30,3 +30,14 @@ unsigned nfails = 0;
>> __builtin_abort (); \
>> return 0; \
>> } while (0)
>> +
>> +#define EXPECT(p, _v) do { \
>> + size_t v = _v; \
>> + if (p == v) \
>> + __builtin_printf ("ok: %s == %zd\n", #p, p); \
>> + else \
>> + { \
>> + __builtin_printf ("WAT: %s == %zd (expected %zd)\n", #p, p, v); \
>> + FAIL (); \
>> + } \
>> +} while (0);
>> diff --git a/gcc/testsuite/gcc.dg/flex-array-counted-by-3.c b/gcc/testsuite/gcc.dg/flex-array-counted-by-3.c
>> new file mode 100644
>> index 000000000000..78f50230e891
>> --- /dev/null
>> +++ b/gcc/testsuite/gcc.dg/flex-array-counted-by-3.c
>> @@ -0,0 +1,63 @@
>> +/* Test the attribute counted_by and its usage in
>> + * __builtin_dynamic_object_size. */
>> +/* { dg-do run } */
>> +/* { dg-options "-O2" } */
>> +
>> +#include "builtin-object-size-common.h"
>> +
>> +struct flex {
>> + int b;
>> + int c[];
>> +} *array_flex;
>> +
>> +struct annotated {
>> + int b;
>> + int c[] __attribute__ ((counted_by (b)));
>> +} *array_annotated;
>> +
>> +struct nested_annotated {
>> + struct {
>> + union {
>> + int b;
>> + float f;
>> + };
>> + int n;
>> + };
>> + int c[] __attribute__ ((counted_by (b)));
>> +} *array_nested_annotated;
>> +
>> +void __attribute__((__noinline__)) setup (int normal_count, int attr_count)
>> +{
>> + array_flex
>> + = (struct flex *)malloc (sizeof (struct flex)
>> + + normal_count * sizeof (int));
>> + array_flex->b = normal_count;
>> +
>> + array_annotated
>> + = (struct annotated *)malloc (sizeof (struct annotated)
>> + + attr_count * sizeof (int));
>> + array_annotated->b = attr_count;
>> +
>> + array_nested_annotated
>> + = (struct nested_annotated *)malloc (sizeof (struct nested_annotated)
>> + + attr_count * sizeof (int));
>> + array_nested_annotated->b = attr_count;
>> +
>> + return;
>> +}
>> +
>> +void __attribute__((__noinline__)) test ()
>> +{
>> + EXPECT(__builtin_dynamic_object_size(array_flex->c, 1), -1);
>> + EXPECT(__builtin_dynamic_object_size(array_annotated->c, 1),
>> + array_annotated->b * sizeof (int));
>> + EXPECT(__builtin_dynamic_object_size(array_nested_annotated->c, 1),
>> + array_nested_annotated->b * sizeof (int));
>> +}
>> +
>> +int main(int argc, char *argv[])
>> +{
>> + setup (10,10);
>> + test ();
>> + DONE ();
>> +}
>> diff --git a/gcc/testsuite/gcc.dg/flex-array-counted-by-4.c b/gcc/testsuite/gcc.dg/flex-array-counted-by-4.c
>> new file mode 100644
>> index 000000000000..20103d58ef51
>> --- /dev/null
>> +++ b/gcc/testsuite/gcc.dg/flex-array-counted-by-4.c
>> @@ -0,0 +1,178 @@
>> +/* Test the attribute counted_by and its usage in
>> +__builtin_dynamic_object_size: what's the correct behavior when the
>> +allocation size mismatched with the value of counted_by attribute?
>> +We should always use the latest value that is hold by the counted_by
>> +field. */
>> +/* { dg-do run } */
>> +/* { dg-options "-O -fstrict-flex-arrays=3" } */
>> +
>> +#include "builtin-object-size-common.h"
>> +
>> +struct annotated {
>> + size_t foo;
>> + char others;
>> + char array[] __attribute__((counted_by (foo)));
>> +};
>> +
>> +#define noinline __attribute__((__noinline__))
>> +#define SIZE_BUMP 10
>> +#define MAX(a, b) ((a) > (b) ? (a) : (b))
>> +
>> +/* In general, Due to type casting, the type for the pointee of a pointer
>> + does not say anything about the object it points to,
>> + So, __builtin_object_size can not directly use the type of the pointee
>> + to decide the size of the object the pointer points to.
>> +
>> + There are only two reliable ways:
>> + A. observed allocations (call to the allocation functions in the routine)
>> + B. observed accesses (read or write access to the location of the
>> + pointer points to)
>> +
>> + That provide information about the type/existence of an object at
>> + the corresponding address.
>> +
>> + For A, we use the "alloc_size" attribute for the corresponding allocation
>> + functions to determine the object size;
>> + (We treat counted_by attribute the same as the "alloc_size" attribute)
>> +
>> + For B, we use the SIZE info of the TYPE attached to the corresponding access.
>> +
>> + The only other way in C which ensures that a pointer actually points
>> + to an object of the correct type is 'static':
>> +
>> + void foo(struct P *p[static 1]);
>> +
>> + See https://gcc.gnu.org/pipermail/gcc-patches/2023-July/624814.html
>> + for more details. */
>> +
>> +/* In the following function, malloc allocated more space than the value
>> + of counted_by attribute. Then what's the correct behavior we expect
>> + the __builtin_dynamic_object_size should have for each of the cases? */
>> +
>> +static struct annotated * noinline alloc_buf_more (size_t index)
>> +{
>> + struct annotated *p;
>> + size_t allocated_size
>> + = MAX (sizeof (struct annotated),
>> + (__builtin_offsetof (struct annotated, array[0])
>> + + (index + SIZE_BUMP) * sizeof (char)));
>> + p = (struct annotated *) malloc (allocated_size);
>> +
>> + p->foo = index;
>> +
>> + /* When checking the observed access p->array, we have info on both
>> + observered allocation and observed access,
>> + A.1 from observed allocation:
>> + allocated_size - offsetof (struct annotated, array[0])
>> +
>> + A.2 from the counted-by attribute:
>> + p->foo * sizeof (char)
>> +
>> + We always use the latest value that is hold by the counted-by field.
>> + */
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 0),
>> + (p->foo) * sizeof(char));
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 1),
>> + (p->foo) * sizeof(char));
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 2),
>> + (p->foo) * sizeof(char));
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 3),
>> + (p->foo) * sizeof(char));
>> +
>> + /* When checking the pointer p, we only have info on the observed allocation.
>> + So, the object size info can only been obtained from the call to malloc.
>> + For both MAXIMUM and MINIMUM: A = (index + SIZE_BUMP) * sizeof (char) */
>> + EXPECT(__builtin_dynamic_object_size(p, 0), allocated_size);
>> + EXPECT(__builtin_dynamic_object_size(p, 1), allocated_size);
>> + EXPECT(__builtin_dynamic_object_size(p, 2), allocated_size);
>> + EXPECT(__builtin_dynamic_object_size(p, 3), allocated_size);
>> + return p;
>> +}
>> +
>> +/* In the following function, malloc allocated less space than the value
>> + of counted_by attribute. Then what's the correct behavior we expect
>> + the __builtin_dynamic_object_size should have for each of the cases?
>> + NOTE: this is an user error, GCC should issue warnings for such case.
>> + This is a seperate issue we should address later. */
>> +
>> +static struct annotated * noinline alloc_buf_less (size_t index)
>> +{
>> + struct annotated *p;
>> + size_t allocated_size
>> + = MAX (sizeof (struct annotated),
>> + (__builtin_offsetof (struct annotated, array[0])
>> + + (index) * sizeof (char)));
>> + p = (struct annotated *) malloc (allocated_size);
>> +
>> + p->foo = index + SIZE_BUMP;
>> +
>> + /* When checking the observed access p->array, we have info on both
>> + observered allocation and observed access,
>> + A.1 from observed allocation:
>> + allocated_size - offsetof (struct annotated, array[0])
>> + A.2 from the counted-by attribute:
>> + p->foo * sizeof (char)
>> +
>> + We always use the latest value that is hold by the counted-by field.
>> + */
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 0),
>> + (p->foo) * sizeof(char));
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 1),
>> + (p->foo) * sizeof(char));
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 2),
>> + (p->foo) * sizeof(char));
>> +
>> + EXPECT(__builtin_dynamic_object_size(p->array, 3),
>> + (p->foo) * sizeof(char));
>> +
>> + /* When checking the pointer p, we only have info on the observed
>> + allocation. So, the object size info can only been obtained from
>> + the call to malloc. */
>> + EXPECT(__builtin_dynamic_object_size(p, 0), allocated_size);
>> + EXPECT(__builtin_dynamic_object_size(p, 1), allocated_size);
>> + EXPECT(__builtin_dynamic_object_size(p, 2), allocated_size);
>> + EXPECT(__builtin_dynamic_object_size(p, 3), allocated_size);
>> + return p;
>> +}
>> +
>> +int main ()
>> +{
>> + struct annotated *p, *q;
>> + p = alloc_buf_more (10);
>> + q = alloc_buf_less (10);
>> +
>> + /* When checking the access p->array, we only have info on the counted-by
>> + value. */
>> + EXPECT(__builtin_dynamic_object_size(p->array, 0), p->foo * sizeof(char));
>> + EXPECT(__builtin_dynamic_object_size(p->array, 1), p->foo * sizeof(char));
>> + EXPECT(__builtin_dynamic_object_size(p->array, 2), p->foo * sizeof(char));
>> + EXPECT(__builtin_dynamic_object_size(p->array, 3), p->foo * sizeof(char));
>> + /* When checking the pointer p, we have no observed allocation nor observed
>> + access, therefore, we cannot determine the size info here. */
>> + EXPECT(__builtin_dynamic_object_size(p, 0), -1);
>> + EXPECT(__builtin_dynamic_object_size(p, 1), -1);
>> + EXPECT(__builtin_dynamic_object_size(p, 2), 0);
>> + EXPECT(__builtin_dynamic_object_size(p, 3), 0);
>> +
>> + /* When checking the access p->array, we only have info on the counted-by
>> + value. */
>> + EXPECT(__builtin_dynamic_object_size(q->array, 0), q->foo * sizeof(char));
>> + EXPECT(__builtin_dynamic_object_size(q->array, 1), q->foo * sizeof(char));
>> + EXPECT(__builtin_dynamic_object_size(q->array, 2), q->foo * sizeof(char));
>> + EXPECT(__builtin_dynamic_object_size(q->array, 3), q->foo * sizeof(char));
>> + /* When checking the pointer p, we have no observed allocation nor observed
>> + access, therefore, we cannot determine the size info here. */
>> + EXPECT(__builtin_dynamic_object_size(q, 0), -1);
>> + EXPECT(__builtin_dynamic_object_size(q, 1), -1);
>> + EXPECT(__builtin_dynamic_object_size(q, 2), 0);
>> + EXPECT(__builtin_dynamic_object_size(q, 3), 0);
>> +
>> + DONE ();
>> +}
>> diff --git a/gcc/testsuite/gcc.dg/flex-array-counted-by-5.c b/gcc/testsuite/gcc.dg/flex-array-counted-by-5.c
>> new file mode 100644
>> index 000000000000..68f9b0f7c8d2
>> --- /dev/null
>> +++ b/gcc/testsuite/gcc.dg/flex-array-counted-by-5.c
>> @@ -0,0 +1,48 @@
>> +/* Test the attribute counted_by and its usage in
>> + * __builtin_dynamic_object_size: when the counted_by field is negative. */
>> +/* { dg-do run } */
>> +/* { dg-options "-O2" } */
>> +
>> +#include "builtin-object-size-common.h"
>> +
>> +struct annotated {
>> + int b;
>> + int c[] __attribute__ ((counted_by (b)));
>> +} *array_annotated;
>> +
>> +struct nested_annotated {
>> + struct {
>> + union {
>> + int b;
>> + float f;
>> + };
>> + int n;
>> + };
>> + int c[] __attribute__ ((counted_by (b)));
>> +} *array_nested_annotated;
>> +
>> +void __attribute__((__noinline__)) setup (int attr_count)
>> +{
>> + array_annotated
>> + = (struct annotated *)malloc (sizeof (struct annotated));
>> + array_annotated->b = attr_count;
>> +
>> + array_nested_annotated
>> + = (struct nested_annotated *)malloc (sizeof (struct nested_annotated));
>> + array_nested_annotated->b = attr_count -1;
>> +
>> + return;
>> +}
>> +
>> +void __attribute__((__noinline__)) test ()
>> +{
>> + EXPECT(__builtin_dynamic_object_size(array_annotated->c, 1), 0);
>> + EXPECT(__builtin_dynamic_object_size(array_nested_annotated->c, 1), 0);
>> +}
>> +
>> +int main(int argc, char *argv[])
>> +{
>> + setup (-10);
>> + test ();
>> + DONE ();
>> +}
>> diff --git a/gcc/tree-object-size.cc b/gcc/tree-object-size.cc
>> index 018fbc30cbb6..8de264d1dee2 100644
>> --- a/gcc/tree-object-size.cc
>> +++ b/gcc/tree-object-size.cc
>> @@ -37,6 +37,7 @@ along with GCC; see the file COPYING3. If not see
>> #include "attribs.h"
>> #include "builtins.h"
>> #include "gimplify-me.h"
>> +#include "gimplify.h"
>> struct object_size_info
>> {
>> @@ -60,6 +61,7 @@ static tree compute_object_offset (tree, const_tree);
>> static bool addr_object_size (struct object_size_info *,
>> const_tree, int, tree *, tree *t = NULL);
>> static tree alloc_object_size (const gcall *, int);
>> +static tree access_with_size_object_size (const gcall *, int);
>> static tree pass_through_call (const gcall *);
>> static void collect_object_sizes_for (struct object_size_info *, tree);
>> static void expr_object_size (struct object_size_info *, tree, tree);
>> @@ -749,6 +751,60 @@ addr_object_size (struct object_size_info *osi, const_tree ptr,
>> return false;
>> }
>> +/* Compute __builtin_object_size for a CALL to .ACCESS_WITH_SIZE,
>> + OBJECT_SIZE_TYPE is the second argument from __builtin_object_size.
>> + The 2nd, 3rd, and the 4th parameters of the call determine the size of
>> + the CALL:
>> +
>> + 2nd argument REF_TO_SIZE: The reference to the size of the object,
>> + 3rd argument CLASS_OF_SIZE: The size referenced by the REF_TO_SIZE represents
>> + 0: the number of bytes;
>> + 1: the number of the elements of the object type;
>> + 4th argument TYPE_OF_SIZE: A constant 0 with its TYPE being the same as the TYPE
>> + of the object referenced by REF_TO_SIZE
>> +
>> + The size of the element can be retrived from the result type of the call,
>> + which is the pointer to the array type. */
>> +static tree
>> +access_with_size_object_size (const gcall *call, int object_size_type)
>> +{
>> + /* If not for dynamic object size, return. */
>> + if ((object_size_type & OST_DYNAMIC) == 0)
>> + return size_unknown (object_size_type);
>> +
>> + gcc_assert (gimple_call_internal_p (call, IFN_ACCESS_WITH_SIZE));
>> + /* Result type is a pointer type to the original flexible array type. */
>> + tree result_type = gimple_call_return_type (call);
>> + gcc_assert (POINTER_TYPE_P (result_type));
>> + tree element_size = TYPE_SIZE_UNIT (TREE_TYPE (TREE_TYPE (result_type)));
>> + tree ref_to_size = gimple_call_arg (call, 1);
>> + unsigned int class_of_size = TREE_INT_CST_LOW (gimple_call_arg (call, 2));
>> + tree type = TREE_TYPE (gimple_call_arg (call, 3));
>> +
>> + tree size = fold_build2 (MEM_REF, type, ref_to_size,
>> + build_int_cst (ptr_type_node, 0));
>> +
>> + /* If size is negative value, treat it as zero. */
>> + if (!TYPE_UNSIGNED (type))
>> + {
>> + tree cond_expr = fold_build2 (LT_EXPR, boolean_type_node,
>> + unshare_expr (size), build_zero_cst (type));
>> + size = fold_build3 (COND_EXPR, integer_type_node, cond_expr,
>> + build_zero_cst (type), size);
>> + }
>> +
>> + if (class_of_size == 1)
>> + size = size_binop (MULT_EXPR,
>> + fold_convert (sizetype, size),
>> + fold_convert (sizetype, element_size));
>> + else
>> + size = fold_convert (sizetype, size);
>> +
>> + if (!todo)
>> + todo = TODO_update_ssa_only_virtuals;
>> +
>> + return size;
>> +}
>> /* Compute __builtin_object_size for CALL, which is a GIMPLE_CALL.
>> Handles calls to functions declared with attribute alloc_size.
>> @@ -1350,8 +1406,12 @@ call_object_size (struct object_size_info *osi, tree ptr, gcall *call)
>> bool is_strdup = gimple_call_builtin_p (call, BUILT_IN_STRDUP);
>> bool is_strndup = gimple_call_builtin_p (call, BUILT_IN_STRNDUP);
>> + bool is_access_with_size
>> + = gimple_call_internal_p (call, IFN_ACCESS_WITH_SIZE);
>> if (is_strdup || is_strndup)
>> bytes = strdup_object_size (call, object_size_type, is_strndup);
>> + else if (is_access_with_size)
>> + bytes = access_with_size_object_size (call, object_size_type);
>> else
>> bytes = alloc_object_size (call, object_size_type);
>>
next prev parent reply other threads:[~2024-04-11 13:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 16:06 [PATCH v8 0/5] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896) Qing Zhao
2024-03-29 16:06 ` [PATCH v8 1/5] Provide counted_by attribute to flexible array member field (PR108896) Qing Zhao
2024-04-10 17:35 ` Joseph Myers
2024-04-10 18:05 ` Qing Zhao
2024-04-10 18:44 ` Joseph Myers
2024-04-10 19:21 ` Qing Zhao
2024-04-10 21:56 ` Joseph Myers
2024-04-11 13:17 ` Qing Zhao
2024-04-10 18:25 ` Martin Uecker
2024-04-10 19:05 ` Martin Uecker
2024-04-10 19:35 ` Qing Zhao
2024-04-11 6:02 ` Martin Uecker
2024-04-11 13:16 ` Qing Zhao
2024-03-29 16:07 ` [PATCH v8 2/5] Convert references with "counted_by" attributes to/from .ACCESS_WITH_SIZE Qing Zhao
2024-04-10 18:36 ` Joseph Myers
2024-04-10 19:38 ` Qing Zhao
2024-04-11 13:27 ` Qing Zhao
2024-03-29 16:07 ` [PATCH v8 3/5] Use the .ACCESS_WITH_SIZE in builtin object size Qing Zhao
2024-04-10 21:45 ` Siddhesh Poyarekar
2024-04-11 13:19 ` Qing Zhao [this message]
2024-03-29 16:07 ` [PATCH v8 4/5] Use the .ACCESS_WITH_SIZE in bound sanitizer Qing Zhao
2024-04-10 18:37 ` Joseph Myers
2024-04-10 21:46 ` Siddhesh Poyarekar
2024-04-11 13:22 ` Qing Zhao
2024-03-29 16:07 ` [PATCH v8 5/5] Add the 6th argument to .ACCESS_WITH_SIZE Qing Zhao
2024-04-10 18:38 ` Joseph Myers
2024-04-10 21:48 ` Siddhesh Poyarekar
2024-04-11 13:24 ` Qing Zhao
2024-03-29 18:09 ` [PATCH v8 0/5] New attribute "counted_by" to annotate bounds for C99 FAM(PR108896) Tom Tromey
2024-03-29 19:16 ` Kees Cook
2024-03-29 19:58 ` Qing Zhao
2024-03-30 0:16 ` Tom Tromey
2024-03-30 0:15 ` Tom Tromey
2024-03-30 13:57 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=15A1FD7E-940F-40D2-B7C1-966DC130C87B@oracle.com \
--to=qing.zhao@oracle.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=isanbard@gmail.com \
--cc=josmyers@redhat.com \
--cc=keescook@chromium.org \
--cc=richard.guenther@gmail.com \
--cc=siddhesh@gotplt.org \
--cc=uecker@tugraz.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).