From: Martin Uecker <uecker@tugraz.at>
To: Prathamesh Kulkarni <prathamesh.kulkarni@linaro.org>
Cc: gcc-patches@gcc.gnu.org, Joseph Myers <joseph@codesourcery.com>
Subject: Re: [C PATCH]: Add Walloc-type to warn about insufficient size in allocations
Date: Tue, 01 Aug 2023 09:51:11 +0200 [thread overview]
Message-ID: <f0bda7b6ba670bf2ae7d3e777ebe74c794f73497.camel@tugraz.at> (raw)
In-Reply-To: <CAAgBjMkx_6dOdSk4+ZcA_8g5pzV0X2MfndOrxK3sOS7=8CdAWQ@mail.gmail.com>
Am Dienstag, dem 01.08.2023 um 02:11 +0530 schrieb Prathamesh Kulkarni:
> On Fri, 21 Jul 2023 at 16:52, Martin Uecker via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> >
> >
> >
> > This patch adds a warning for allocations with insufficient size
> > based on the "alloc_size" attribute and the type of the pointer
> > the result is assigned to. While it is theoretically legal to
> > assign to the wrong pointer type and cast it to the right type
> > later, this almost always indicates an error. Since this catches
> > common mistakes and is simple to diagnose, it is suggested to
> > add this warning.
> >
> >
> > Bootstrapped and regression tested on x86.
> >
> >
> > Martin
> >
> >
> >
> > Add option Walloc-type that warns about allocations that have
> > insufficient storage for the target type of the pointer the
> > storage is assigned to.
> >
> > gcc:
> > * doc/invoke.texi: Document -Wstrict-flex-arrays option.
> >
> > gcc/c-family:
> >
> > * c.opt (Walloc-type): New option.
> >
> > gcc/c:
> > * c-typeck.cc (convert_for_assignment): Add Walloc-type warning.
> >
> > gcc/testsuite:
> >
> > * gcc.dg/Walloc-type-1.c: New test.
> >
> >
> > diff --git a/gcc/c-family/c.opt b/gcc/c-family/c.opt
> > index 4abdc8d0e77..8b9d148582b 100644
> > --- a/gcc/c-family/c.opt
> > +++ b/gcc/c-family/c.opt
> > @@ -319,6 +319,10 @@ Walloca
> > C ObjC C++ ObjC++ Var(warn_alloca) Warning
> > Warn on any use of alloca.
> >
> > +Walloc-type
> > +C ObjC Var(warn_alloc_type) Warning
> > +Warn when allocating insufficient storage for the target type of the
> > assigned pointer.
> > +
> > Walloc-size-larger-than=
> > C ObjC C++ LTO ObjC++ Var(warn_alloc_size_limit) Joined Host_Wide_Int
> > ByteSize Warning Init(HOST_WIDE_INT_MAX)
> > -Walloc-size-larger-than=<bytes> Warn for calls to allocation
> > functions that
> > diff --git a/gcc/c/c-typeck.cc b/gcc/c/c-typeck.cc
> > index 7cf411155c6..2e392f9c952 100644
> > --- a/gcc/c/c-typeck.cc
> > +++ b/gcc/c/c-typeck.cc
> > @@ -7343,6 +7343,32 @@ convert_for_assignment (location_t location,
> > location_t expr_loc, tree type,
> > "request for implicit conversion "
> > "from %qT to %qT not permitted in C++", rhstype,
> > type);
> >
> > + /* Warn of new allocations are not big enough for the target
> > type. */
> > + tree fndecl;
> > + if (warn_alloc_type
> > + && TREE_CODE (rhs) == CALL_EXPR
> > + && (fndecl = get_callee_fndecl (rhs)) != NULL_TREE
> > + && DECL_IS_MALLOC (fndecl))
> > + {
> > + tree fntype = TREE_TYPE (fndecl);
> > + tree fntypeattrs = TYPE_ATTRIBUTES (fntype);
> > + tree alloc_size = lookup_attribute ("alloc_size",
> > fntypeattrs);
> > + if (alloc_size)
> > + {
> > + tree args = TREE_VALUE (alloc_size);
> > + int idx = TREE_INT_CST_LOW (TREE_VALUE (args)) - 1;
> > + /* For calloc only use the second argument. */
> > + if (TREE_CHAIN (args))
> > + idx = TREE_INT_CST_LOW (TREE_VALUE (TREE_CHAIN
> > (args))) - 1;
> > + tree arg = CALL_EXPR_ARG (rhs, idx);
> > + if (TREE_CODE (arg) == INTEGER_CST
> > + && tree_int_cst_lt (arg, TYPE_SIZE_UNIT (ttl)))
> Hi Martin,
> Just wondering if it'd be a good idea perhaps to warn if alloc size is
> not a multiple of TYPE_SIZE_UNIT instead of just less-than ?
> So it can catch cases like:
> int *p = malloc (sizeof (int) + 2); // probably intended malloc
> (sizeof (int) * 2)
>
> FWIW, this is caught using -fanalyzer:
> f.c: In function 'f':
> f.c:3:12: warning: allocated buffer size is not a multiple of the
> pointee's size [CWE-131] [-Wanalyzer-allocation-size]
> 3 | int *p = __builtin_malloc (sizeof(int) + 2);
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Thanks,
> Prathamesh
Yes, this is probably a good idea. It might need special
logic for flexible array members then...
Martin
> > + warning_at (location, OPT_Walloc_type, "allocation of
> > "
> > + "insufficient size %qE for type %qT with
> > "
> > + "size %qE", arg, ttl, TYPE_SIZE_UNIT
> > (ttl));
> > + }
> > + }
> > +
> > /* See if the pointers point to incompatible address spaces. */
> > asl = TYPE_ADDR_SPACE (ttl);
> > asr = TYPE_ADDR_SPACE (ttr);
> > diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> > index 88e3c625030..6869bed64c3 100644
> > --- a/gcc/doc/invoke.texi
> > +++ b/gcc/doc/invoke.texi
> > @@ -8076,6 +8076,15 @@ always leads to a call to another @code{cold}
> > function such as wrappers of
> > C++ @code{throw} or fatal error reporting functions leading to
> > @code{abort}.
> > @end table
> >
> > +@opindex Wno-alloc-type
> > +@opindex Walloc-type
> > +@item -Walloc-type
> > +Warn about calls to allocation functions decorated with attribute
> > +@code{alloc_size} that specify insufficient size for the target type
> > of
> > +the pointer the result is assigned to, including those to the built-in
> > +forms of the functions @code{aligned_alloc}, @code{alloca},
> > @code{calloc},
> > +@code{malloc}, and @code{realloc}.
> > +
> > @opindex Wno-alloc-zero
> > @opindex Walloc-zero
> > @item -Walloc-zero
> > diff --git a/gcc/testsuite/gcc.dg/Walloc-type-1.c
> > b/gcc/testsuite/gcc.dg/Walloc-type-1.c
> > new file mode 100644
> > index 00000000000..bc62e5e9aa3
> > --- /dev/null
> > +++ b/gcc/testsuite/gcc.dg/Walloc-type-1.c
> > @@ -0,0 +1,37 @@
> > +/* Tests the warnings for insufficient allocation size.
> > + { dg-do compile }
> > + * { dg-options "-Walloc-type" }
> > + * */
> > +#include <stdlib.h>
> > +#include <alloca.h>
> > +
> > +struct b { int x[10]; };
> > +
> > +void fo0(void)
> > +{
> > + struct b *p = malloc(sizeof *p);
> > +}
> > +
> > +void fo1(void)
> > +{
> > + struct b *p = malloc(sizeof p); /* { dg-
> > warning "allocation of insufficient size" } */
> > +}
> > +
> > +void fo2(void)
> > +{
> > + struct b *p = alloca(sizeof p); /* { dg-
> > warning "allocation of insufficient size" } */
> > +}
> > +
> > +void fo3(void)
> > +{
> > + struct b *p = calloc(1, sizeof p); /* { dg-warning
> > "allocation of insufficient size" } */
> > +}
> > +
> > +void g(struct b* p);
> > +
> > +void fo4(void)
> > +{
> > + g(malloc(4)); /* { dg-warning "allocation of
> > insufficient size" } */
> > +}
> > +
> > +
> >
> >
> >
--
Univ.-Prof. Dr. rer. nat. Martin Uecker
Graz University of Technology
Institute of Biomedical Imaging
next prev parent reply other threads:[~2023-08-01 7:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-21 11:21 Martin Uecker
2023-07-21 20:55 ` Qing Zhao
2023-07-31 19:39 ` Siddhesh Poyarekar
2023-07-31 20:06 ` Martin Uecker
2023-07-31 20:41 ` Prathamesh Kulkarni
2023-08-01 7:51 ` Martin Uecker [this message]
2023-08-01 13:27 ` Qing Zhao
2023-08-01 14:31 ` Martin Uecker
2023-08-02 16:45 ` Qing Zhao
2023-08-02 17:55 ` Martin Uecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f0bda7b6ba670bf2ae7d3e777ebe74c794f73497.camel@tugraz.at \
--to=uecker@tugraz.at \
--cc=gcc-patches@gcc.gnu.org \
--cc=joseph@codesourcery.com \
--cc=prathamesh.kulkarni@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).