From: Jeff Law
To: Martin Sebor, Jakub Jelinek, Richard Biener
Cc: Gcc Patch List
Subject: Re: [PATCH] handle function pointers in __builtin_object_size (PR 88372)
Date: Fri, 14 Dec 2018 00:25:00 -0000
Message-ID: <62a0e8ea-c024-99db-08d3-74f4c20697c7@redhat.com>
In-Reply-To: <4f4099a7-5763-bdf7-2183-24451ef83b02@gmail.com>
References: <20181206212626.GY12380@tucnak> <4f4099a7-5763-bdf7-2183-24451ef83b02@gmail.com>

On 12/6/18 4:01 PM, Martin Sebor wrote:
> On 12/6/18 2:26 PM, Jakub Jelinek wrote:
>> On Thu, Dec 06, 2018 at 01:21:58PM -0700, Martin Sebor wrote:
>>> Bug 88372 - alloc_size attribute is ignored on function pointers
>>> points out that even though the alloc_size attribute is accepted
>>> on function pointers it doesn't have any effect on Object Size
>>> Checking.  The reporter, who is implementing the feature in Clang,
>>> wants to know if by exposing it under the same name they won't be
>>> causing incompatibilities with GCC.
>>>
>>> I don't think it's intentional that GCC doesn't take advantage of
>>> the attribute for Object Size Checking, and certainly not to detect
>>> the same kinds of issues as with other allocation functions (such
>>> as excessive or negative size arguments).  Rather, it's almost
>>> certainly an oversight since GCC does make use of function pointer
>>> attributes in other contexts (e.g., attributes alloc_align and
>>> noreturn).
>>>
>>> As an oversight, I think it's fair to consider it a bug rather
>>> than a request for an enhancement.  Since not handling
>>> the attribute in Object Size Checking has adverse security
>>> implications, I also think this bug should be addressed in GCC
>>> 9.  With that, I submit the attached patch to resolve both
>>> aspects of the problem.
>>
>> This is because alloc_object_size has been written before we had attributes
>> like alloc_size.  The only thing I'm unsure about is whether we should
>> prefer gimple_call_fntype or TREE_TYPE (gimple_call_fndecl ()) if it is a
>> direct call or if we should try to look for alloc_size attribute on both
>> of those if they are different types.  E.g. if somebody does
>>
>> #include <stdlib.h>
>>
>> typedef void *(*allocfn) (size_t);
>>
>> static inline void *
>> foo (allocfn fn, size_t sz)
>> {
>>    return fn (sz);
>> }
>>
>> static inline void *
>> bar (size_t sz)
>> {
>>    return foo (malloc, sz);
>> }
>>
>> then I think this patch would no longer treat it as malloc.
>>
>> As this is security relevant, I'd probably look for alloc_size
>> attribute in both gimple_call_fntype and, if gimple_call_fndecl is non-NULL,
>> its TREE_TYPE.
>
> Thanks for the test case!  I wondered if using fntype would
> always work but couldn't think of when it wouldn't.  I've
> adjusted the function to use both and added the test case.
>
> While thinking about this it occurred to me that alloc_size
> is only documented as a function attribute but not one that
> applies to pointers or types.  I added documentation for
> these uses to the Common Type and Common Variable sections.
>
> Martin
>
> PS Other function attributes that also apply to types and
> variables are only documented in the function section.  They
> should also be mentioned in the other sections.  Which, if
> done in the established style, will result in duplicating
> a lot of text in three places.  I think that suggests that
> we might want to think about structuring these sections of
> the manual differently to avoid the duplication.
>
> gcc-88372.diff
>
> PR tree-optimization/88372 - alloc_size attribute is ignored on function pointers
>
> gcc/ChangeLog:
>
> PR tree-optimization/88372
> * calls.c (maybe_warn_alloc_args_overflow): Handle function pointers.
> * tree-object-size.c (alloc_object_size): Same. Simplify.
> * doc/extend.texi (Object Size Checking): Update.
> (Other Builtins): Add __builtin_object_size.
> (Common Type Attributes): Add alloc_size.
> (Common Variable Attributes): Ditto.
>
> gcc/testsuite/ChangeLog:
>
> PR tree-optimization/88372
> * gcc.dg/Walloc-size-larger-than-18.c: New test.
> * gcc.dg/builtin-object-size-19.c: Same.
OK
jeff
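Added example to illustrate what the thread is about; it is not code from the patch, from Jakub's quoted snippet, or from the GCC testsuite, and the typedef, variable and function names (allocfn, plain_allocfn, typed_alloc, plain_alloc, bos_via_typed_fnptr, bos_via_plain_fnptr, fortify_would_refuse) are hypothetical. It allocates through a function pointer whose type carries alloc_size(1) and asks __builtin_object_size what it knows about the block, beside the same allocation through an unattributed pointer type. Two caveats a practitioner needs: the answer for a call result is computed by GCC's object-size pass, which only runs when optimizing, so at -O0 the query reports "unknown" regardless of the attribute; and a compiler that ignores the attribute on function pointers (GCC before the fix discussed here, PR 88372) also reports "unknown", which silently disables any fortified bounds check built on it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Two hypothetical allocator pointer types.  Only the first tells Object
   Size Checking that argument 1 is the byte size of the returned block. */
typedef void *(*allocfn)(size_t) __attribute__((alloc_size(1)));
typedef void *(*plain_allocfn)(size_t);

/* Volatile so the compiler cannot see that the target is malloc: the call
   stays an indirect call, and the only size information it can use is the
   alloc_size attribute on the pointer's type (gimple_call_fntype in the
   thread's terms), not anything it knows about malloc itself. */
static allocfn volatile typed_alloc = malloc;
static plain_allocfn volatile plain_alloc = malloc;

/* __builtin_object_size(p, 0) yields (size_t)-1 when the size is unknown. */
#define BOS_UNKNOWN ((size_t)-1)

/* Block obtained through the attributed pointer type.  With a compiler that
   honors alloc_size on function pointers and with the object-size pass
   enabled (-O1 or higher) this returns 16; otherwise BOS_UNKNOWN. */
size_t bos_via_typed_fnptr(void)
{
    allocfn fn = typed_alloc;
    void *p = fn(16);
    size_t known = __builtin_object_size(p, 0);
    free(p);
    return known;
}

/* Same allocation through a pointer type without the attribute: the
   compiler has nothing to go on, so this is always BOS_UNKNOWN. */
size_t bos_via_plain_fnptr(void)
{
    plain_allocfn fn = plain_alloc;
    void *p = fn(16);
    size_t known = __builtin_object_size(p, 0);
    free(p);
    return known;
}

/* What a fortified copy wrapper does with the answer: it refuses an n-byte
   copy only when the destination size is known and too small.  An unknown
   size disables the check entirely, which is why the thread treats the
   missing attribute handling as security relevant rather than cosmetic. */
int fortify_would_refuse(size_t dst_bos, size_t n)
{
    return dst_bos != BOS_UNKNOWN && n > dst_bos;
}

int main(void)
{
    size_t typed = bos_via_typed_fnptr();
    size_t plain = bos_via_plain_fnptr();

    printf("attributed pointer type:   object size %zu\n", typed);
    printf("unattributed pointer type: object size %zu\n", plain);
    printf("32-byte copy into the attributed block refused: %d\n",
           fortify_would_refuse(typed, 32));
    printf("32-byte copy into the unattributed block refused: %d\n",
           fortify_would_refuse(plain, 32));
    return 0;
}
```

Build it twice, once at -O0 and once at -O2, to see the optimization dependence; the unattributed path prints the all-ones "unknown" value either way, and only the attributed path at -O2 with a compiler that has the fix reports 16 and refuses the oversized copy.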