From: David Malcolm <dmalcolm@redhat.com>
To: gcc-patches@gcc.gnu.org
Subject: Re: [RFC] Add function attribute: null_terminated_string_arg(PARAM_IDX)
Date: Thu, 26 Oct 2023 16:04:28 -0400 [thread overview]
Message-ID: <d5d18f0828999dbdc389370821db326e040362d4.camel@redhat.com> (raw)
In-Reply-To: <20231019140257.360669-1-dmalcolm@redhat.com>
On Thu, 2023-10-19 at 10:02 -0400, David Malcolm wrote:
> This patch adds a new function attribute to GCC for marking that an
> argument is expected to be a null-terminated string.
>
> For example, consider:
>
> void test_a (const char *p)
> __attribute__((null_terminated_string_arg (1)));
>
> which would indicate to humans and compilers that argument 1 of
> "test_a"
> is expected to be a null-terminated string, with the idea:
>
> - we should complain if it's not valid to read from *p up to the
> first
> '\0' character in the buffer
>
> - we should complain if *p is not terminated, or if it's
> uninitialized
> before the first '\0' character
>
> This is independent of the nonnull-ness of the pointer: if you also
> want
> to express that the argument must be non-null, we already have
> __attribute__((nonnull (N))), so the user can write e.g.:
>
> void test_b (const char *p)
> __attribute__((null_terminated_string_arg (1))
> __attribute__((nonnull (1)));
>
> which can also be spelled as:
>
> void test_b (const char *p)
> __attribute__((null_terminated_string_arg (1),
> nonnull (1)));
>
> For a function similar to strncpy, we can use the "access" attribute
> to
> express a maximum size of the read:
>
> void test_c (const char *p, size_t sz)
> __attribute__((null_terminated_string_arg (1),
> nonnull (1),
> access (read_only, 1, 2)));
>
> The patch implements:
> (a) C/C++ frontends: recognition of this attribute
> (b) analyzer: usage of this attribute
>
> The name is rather long; a shorter name might be "c_string_arg".
>
> Does anything like this already exist in GCC, or in any other
> compilers or analysis tools?
>
> Thoughts?
>
> Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Given a week of no comments (apart from Andreas' typo fix), I've gone
ahead and pushed this to trunk as r14-4958-gcd7dadcd2759d1 (with the
typo fix).
I kept the rather long but explicit spelling
("null_terminated_string_arg") since projects tend to use macros for
function attributes rather than spelling them out each time, and so I
don't see the length being a problem to end-users.
Dave
prev parent reply other threads:[~2023-10-26 20:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-19 14:02 David Malcolm
2023-10-19 14:13 ` Andreas Schwab
2023-10-19 17:45 ` David Malcolm
2023-10-26 20:04 ` David Malcolm [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d5d18f0828999dbdc389370821db326e040362d4.camel@redhat.com \
--to=dmalcolm@redhat.com \
--cc=gcc-patches@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).