Date: Tue, 1 Aug 2023 15:45:47 -0700
From: Kees Cook
To: Qing Zhao
Cc: Siddhesh Poyarekar, joseph@codesourcery.com, richard.guenther@gmail.com, jakub@redhat.com, gcc-patches@gcc.gnu.org, uecker@tugraz.at, isanbard@gmail.com
Subject: Re: [V1][PATCH 0/3] New attribute "element_count" to annotate bounds for C99 FAM(PR108896)
Message-ID: <202308011538.90858F8D2@keescook>
References: <20230525161450.3704901-1-qing.zhao@oracle.com> <202305261218.2420AB8E0@keescook> <202307131311.1F30C4357@keescook> <202307171612.406D82C39@keescook> <72AF1253-564C-46C1-9FBC-5A53871CB701@oracle.com>
In-Reply-To: <72AF1253-564C-46C1-9FBC-5A53871CB701@oracle.com>

On Mon, Jul 31, 2023 at 08:14:42PM +0000, Qing Zhao wrote:
> /* In general, due to type casting, the type for the pointee of a pointer
> does not say anything about the object it points to,
> so __builtin_object_size cannot directly use the type of the pointee
> to decide the size of the object the pointer points to.
>
> There are only two reliable ways:
> A. observed allocations (call to the allocation functions in the routine)
> B. observed accesses (read or write access to the location the
> pointer points to)
>
> that provide information about the type/existence of an object at
> the corresponding address.
>
> For A, we use the "alloc_size" attribute for the corresponding allocation
> functions to determine the object size;
>
> For B, we use the SIZE info of the TYPE attached to the corresponding access.
> (We treat the counted_by attribute as a complement to the SIZE info of the TYPE
> for FAM)
>
> The only other way in C which ensures that a pointer actually points
> to an object of the correct type is 'static':
>
> void foo(struct P *p[static 1]);
>
> See https://gcc.gnu.org/pipermail/gcc-patches/2023-July/624814.html
> for more details. */

This is a great explanation; thank you!

In the future I might want to have a new builtin that will allow a program
to query a pointer when neither A nor B have happened. But for the first
version of the __counted_by infrastructure, the above limitations seem fine.

For example, maybe __builtin_counted_size(p) (which returns
sizeof(*p) + sizeof(*p->flex_array_member) * p->counted_by_member).
Though since there might be multiple flex array members, maybe this
can't work. :)

-Kees

-- 
Kees Cook
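The size computation Kees sketches for a hypothetical __builtin_counted_size, written as an ordinary C helper over a counted_by-annotated flexible array member, as an added example that is not code from this thread or from the GCC patch: struct packet, packet_counted_size and the other names are made up for illustration, and the COUNTED_BY macro simply disappears on compilers without the attribute.

```c
#include <stdint.h>
#include <stdlib.h>
/* Use counted_by where the compiler has it; elsewhere it expands to nothing. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif
struct packet {                        /* constructed example struct */
    uint32_t count;                    /* number of valid bytes in data[] */
    uint8_t  data[] COUNTED_BY(count); /* C99 FAM bounded by count */
};

/* Hand-written stand-in for the hypothetical __builtin_counted_size(p):
   sizeof(*p) + sizeof(*p->flex_array_member) * p->counted_by_member. */
static size_t packet_counted_size(const struct packet *p)
{
    return sizeof(*p) + sizeof(p->data[0]) * (size_t)p->count;
}

/* Case A of the quoted comment: the allocation is observed, so size and count agree. */
static struct packet *packet_new(uint32_t n)
{
    struct packet *p = calloc(1, sizeof(*p) + sizeof(p->data[0]) * (size_t)n);
    if (p != NULL)
        p->count = n;
    return p;
}

/* Bounds-checked write: 0 on success, -1 when idx is outside data[0..count). */
static int packet_set(struct packet *p, size_t idx, uint8_t v)
{
    if (idx >= p->count)
        return -1;
    p->data[idx] = v;
    return 0;
}
/* Exercises the helpers on a 4-byte packet; returns the number of failed checks. */
static int packet_selfcheck(void)
{
    struct packet *p = packet_new(4);
    if (p == NULL)
        return 1;
    int fails = packet_counted_size(p) != sizeof(*p) + 4;
    fails += packet_set(p, 3, 0xAB) != 0 || p->data[3] != 0xAB; /* last valid index */
    fails += packet_set(p, 4, 0xCD) != -1;                      /* one past the end */
    free(p);
    return fails;
}
```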