PR tree-optimization/88372 - alloc_size attribute is ignored on function pointers gcc/ChangeLog: PR tree-optimization/88372 * calls.c (maybe_warn_alloc_args_overflow): Handle function pointers. * tree-object-size.c (alloc_object_size): Same. Simplify. * doc/extend.texi (Object Size Checking): Update. (Other Builtins): Add __builtin_object_size. gcc/testsuite/ChangeLog: PR tree-optimization/88372 * gcc.dg/Walloc-size-larger-than-18.c: New test. * gcc.dg/builtin-object-size-19.c: Same. Index: gcc/calls.c =================================================================== --- gcc/calls.c (revision 266862) +++ gcc/calls.c (working copy) @@ -1342,9 +1342,10 @@ get_size_range (tree exp, tree range[2], bool allo /* Diagnose a call EXP to function FN decorated with attribute alloc_size whose argument numbers given by IDX with values given by ARGS exceed the maximum object size or cause an unsigned oveflow (wrapping) when - multiplied. When ARGS[0] is null the function does nothing. ARGS[1] - may be null for functions like malloc, and non-null for those like - calloc that are decorated with a two-argument attribute alloc_size. */ + multiplied. FN is null when EXP is a call via a function pointer. + When ARGS[0] is null the function does nothing. ARGS[1] may be null + for functions like malloc, and non-null for those like calloc that + are decorated with a two-argument attribute alloc_size. */ void maybe_warn_alloc_args_overflow (tree fn, tree exp, tree args[2], int idx[2]) @@ -1357,6 +1358,8 @@ maybe_warn_alloc_args_overflow (tree fn, tree exp, location_t loc = EXPR_LOCATION (exp); + tree fntype = fn ? TREE_TYPE (fn) : TREE_TYPE (TREE_TYPE (exp)); + built_in_function fncode = fn ? DECL_FUNCTION_CODE (fn) : BUILT_IN_NONE; bool warned = false; /* Validate each argument individually. */ @@ -1382,11 +1385,11 @@ maybe_warn_alloc_args_overflow (tree fn, tree exp, friends. Also avoid issuing the warning for calls to function named "alloca". */ - if ((DECL_FUNCTION_CODE (fn) == BUILT_IN_ALLOCA + if ((fncode == BUILT_IN_ALLOCA && IDENTIFIER_LENGTH (DECL_NAME (fn)) != 6) - || (DECL_FUNCTION_CODE (fn) != BUILT_IN_ALLOCA + || (fncode != BUILT_IN_ALLOCA && !lookup_attribute ("returns_nonnull", - TYPE_ATTRIBUTES (TREE_TYPE (fn))))) + TYPE_ATTRIBUTES (fntype)))) warned = warning_at (loc, OPT_Walloc_zero, "%Kargument %i value is zero", exp, idx[i] + 1); @@ -1398,6 +1401,7 @@ maybe_warn_alloc_args_overflow (tree fn, tree exp, size overflow. There's no good way to detect C++98 here so avoid diagnosing these calls for all C++ modes. */ if (i == 0 + && fn && !args[1] && lang_GNU_CXX () && DECL_IS_OPERATOR_NEW (fn) @@ -1481,7 +1485,7 @@ maybe_warn_alloc_args_overflow (tree fn, tree exp, } } - if (warned) + if (warned && fn) { location_t fnloc = DECL_SOURCE_LOCATION (fn); @@ -1933,14 +1937,13 @@ initialize_argument_information (int num_actuals A bitmap_obstack_release (NULL); - /* Extract attribute alloc_size and if set, store the indices of - the corresponding arguments in ALLOC_IDX, and then the actual - argument(s) at those indices in ALLOC_ARGS. */ + /* Extract attribute alloc_size from the type of the called expression + (which could be a function or a function pointer) and if set, store + the indices of the corresponding arguments in ALLOC_IDX, and then + the actual argument(s) at those indices in ALLOC_ARGS. */ int alloc_idx[2] = { -1, -1 }; - if (tree alloc_size - = (fndecl ? lookup_attribute ("alloc_size", - TYPE_ATTRIBUTES (TREE_TYPE (fndecl))) - : NULL_TREE)) + if (tree alloc_size = lookup_attribute ("alloc_size", + TYPE_ATTRIBUTES (fntype))) { tree args = TREE_VALUE (alloc_size); alloc_idx[0] = TREE_INT_CST_LOW (TREE_VALUE (args)) - 1; Index: gcc/tree-object-size.c =================================================================== --- gcc/tree-object-size.c (revision 266862) +++ gcc/tree-object-size.c (working copy) @@ -401,25 +401,23 @@ addr_object_size (struct object_size_info *osi, co /* Compute __builtin_object_size for CALL, which is a GIMPLE_CALL. - Handles various allocation calls. OBJECT_SIZE_TYPE is the second - argument from __builtin_object_size. If unknown, return - unknown[object_size_type]. */ + Handles calls to functions declared with attribute alloc_size. + OBJECT_SIZE_TYPE is the second argument from __builtin_object_size. + If unknown, return unknown[object_size_type]. */ static unsigned HOST_WIDE_INT alloc_object_size (const gcall *call, int object_size_type) { - tree callee, bytes = NULL_TREE; - tree alloc_size; - int arg1 = -1, arg2 = -1; - gcc_assert (is_gimple_call (call)); - callee = gimple_call_fndecl (call); - if (!callee) + tree calltype = gimple_call_fntype (call); + if (!calltype) return unknown[object_size_type]; - alloc_size = lookup_attribute ("alloc_size", - TYPE_ATTRIBUTES (TREE_TYPE (callee))); + /* Set to positions of alloc_size arguments. */ + int arg1 = -1, arg2 = -1; + tree alloc_size = lookup_attribute ("alloc_size", + TYPE_ATTRIBUTES (calltype)); if (alloc_size && TREE_VALUE (alloc_size)) { tree p = TREE_VALUE (alloc_size); @@ -429,19 +427,6 @@ alloc_object_size (const gcall *call, int object_s arg2 = TREE_INT_CST_LOW (TREE_VALUE (TREE_CHAIN (p)))-1; } - if (DECL_BUILT_IN_CLASS (callee) == BUILT_IN_NORMAL) - switch (DECL_FUNCTION_CODE (callee)) - { - case BUILT_IN_CALLOC: - arg2 = 1; - /* fall through */ - case BUILT_IN_MALLOC: - CASE_BUILT_IN_ALLOCA: - arg1 = 0; - default: - break; - } - if (arg1 < 0 || arg1 >= (int)gimple_call_num_args (call) || TREE_CODE (gimple_call_arg (call, arg1)) != INTEGER_CST || (arg2 >= 0 @@ -449,6 +434,7 @@ alloc_object_size (const gcall *call, int object_s || TREE_CODE (gimple_call_arg (call, arg2)) != INTEGER_CST))) return unknown[object_size_type]; + tree bytes = NULL_TREE; if (arg2 >= 0) bytes = size_binop (MULT_EXPR, fold_convert (sizetype, gimple_call_arg (call, arg1)), Index: gcc/doc/extend.texi =================================================================== --- gcc/doc/extend.texi (revision 266862) +++ gcc/doc/extend.texi (working copy) @@ -11124,7 +11124,10 @@ a limited extent, they can be used without optimiz @deftypefn {Built-in Function} {size_t} __builtin_object_size (const void * @var{ptr}, int @var{type}) is a built-in construct that returns a constant number of bytes from @var{ptr} to the end of the object @var{ptr} pointer points to -(if known at compile time). @code{__builtin_object_size} never evaluates +(if known at compile time). To determine the sizes of dynamically allocated +objects the function relies on the allocation functions called to obtain +the storage to be declared with the @code{alloc_size} attribute (@xref{Common +Function Attributes}). @code{__builtin_object_size} never evaluates its arguments for side effects. If there are any side effects in them, it returns @code{(size_t) -1} for @var{type} 0 or 1 and @code{(size_t) 0} for @var{type} 2 or 3. If there are multiple objects @var{ptr} can @@ -11249,6 +11252,7 @@ is called and the @var{flag} argument passed to it @findex __builtin_islessequal @findex __builtin_islessgreater @findex __builtin_isunordered +@findex __builtin_object_size @findex __builtin_powi @findex __builtin_powif @findex __builtin_powil @@ -12492,6 +12496,10 @@ is evaluated if it includes side effects but no ot and GCC does not issue a warning. @end deftypefn +@deftypefn {Built-in Function}{size_t} __builtin_object_size (const void * @var{ptr}, int @var{type}) +Returns the size of an object pointed to by @var{ptr}. @xref{Object Size Checking} for a detailed description of the function. +@end deftypefn + @deftypefn {Built-in Function} double __builtin_huge_val (void) Returns a positive infinity, if supported by the floating-point format, else @code{DBL_MAX}. This function is suitable for implementing the Index: gcc/testsuite/gcc.dg/Walloc-size-larger-than-18.c =================================================================== --- gcc/testsuite/gcc.dg/Walloc-size-larger-than-18.c (nonexistent) +++ gcc/testsuite/gcc.dg/Walloc-size-larger-than-18.c (working copy) @@ -0,0 +1,93 @@ +/* PR tree-optimization/88372 - alloc_size attribute is ignored + on function pointers + Verify that calls via function pointers declared alloc_size + with zero or excessive size trigger either -Walloc-zero or + -Walloc-size-larger-than warnings. + { dg-do compile } + { dg-options "-O2 -Wall -Walloc-zero -ftrack-macro-expansion=0" } */ + +#define ATTR(...) __attribute__ ((__VA_ARGS__)) + +typedef __SIZE_TYPE__ size_t; + + +void sink (void*); + +#define T(call) sink (call) + +ATTR (alloc_size (1)) void* (*ai1)(int, int); +ATTR (alloc_size (2)) void* (*ai2)(int, int); +ATTR (alloc_size (1, 2)) void* (*ai1_2)(int, int); + +ATTR (alloc_size (1)) void* (*asz1)(size_t, size_t); +ATTR (alloc_size (2)) void* (*asz2)(size_t, size_t); +ATTR (alloc_size (1, 2)) void* (*asz1_2)(size_t, size_t); + + +void test_alloc_ptr_zero (void) +{ + T (asz1 (0, 0)); /* { dg-warning "argument 1 value is zero" } */ + T (asz1 (0, 1)); /* { dg-warning "argument 1 value is zero" } */ + T (asz1 (1, 0)); + T (asz1 (1, 1)); + + T (asz2 (0, 0)); /* { dg-warning "argument 2 value is zero" } */ + T (asz2 (0, 1)); + T (asz2 (1, 0)); /* { dg-warning "argument 2 value is zero" } */ + T (asz2 (1, 1)); + + T (asz1_2 (0, 0)); /* { dg-warning "argument \[12\] value is zero" } */ + T (asz1_2 (1, 0)); /* { dg-warning "argument 2 value is zero" } */ + T (asz1_2 (0, 1)); /* { dg-warning "argument 1 value is zero" } */ + T (asz1_2 (1, 1)); +} + + +void test_alloc_ptr_negative (int n) +{ + T (ai1 (-1, -1)); /* { dg-warning "argument 1 value .-1. is negative" } */ + T (ai1 (-2, 1)); /* { dg-warning "argument 1 value .-2. is negative" } */ + T (ai1 ( 1, -1)); + T (ai1 ( 1, 1)); + + T (ai2 (-1, -3)); /* { dg-warning "argument 2 value .-3. is negative" } */ + T (ai2 (-1, 1)); + T (ai2 ( 1, -4)); /* { dg-warning "argument 2 value .-4. is negative" } */ + T (ai2 ( 1, 1)); + + T (ai1_2 (-5, -6)); /* { dg-warning "argument \[12\] value .-\[56\]. is negative" } */ + T (ai1_2 ( 1, -7)); /* { dg-warning "argument 2 value .-7. is negative" } */ + T (ai1_2 (-8, 1)); /* { dg-warning "argument 1 value .-8. is negative" } */ + T (ai1_2 ( 1, 1)); + + if (n > -1) + n = -1; + + /* Also verify a simple range. */ + T (ai1_2 ( 1, n)); /* { dg-warning "argument 2 range \\\[-\[0-9\]+, -1] is negative" } */ + T (ai1_2 ( n, 1)); /* { dg-warning "argument 1 range \\\[-\[0-9\]+, -1] is negative" } */ +} + +void test_alloc_ptr_too_big (void) +{ + size_t x = (__SIZE_MAX__ >> 1) + 1; + size_t y = __SIZE_MAX__ / 5; + + T (asz1 (x, x)); /* { dg-warning "argument 1 value .\[0-9\]+. exceeds" } */ + T (asz1 (x, 1)); /* { dg-warning "argument 1 value .\[0-9\]+. exceeds" } */ + T (asz1 (1, x)); + T (asz1 (1, 1)); + + T (asz2 (x, x)); /* { dg-warning "argument 2 value .\[0-9\]+. exceeds" } */ + T (asz2 (x, 1)); + T (asz2 (1, x)); /* { dg-warning "argument 2 value .\[0-9\]+. exceeds" } */ + T (asz2 (1, 1)); + + T (asz1_2 (x, x)); /* { dg-warning "argument \[12\] value .\[0-9\]+. exceeds" } */ + T (asz1_2 (y, 3)); /* { dg-warning "product .\[0-9\]+ \\\* 3. of arguments 1 and 2 exceeds" } */ + T (asz1_2 (y, y)); /* { dg-warning "product .\[0-9\]+ \\\* \[0-9\]+. of arguments 1 and 2 exceeds" } */ + T (asz1_2 (1, x)); /* { dg-warning "argument 2 value .\[0-9\]+. exceeds" } */ + T (asz1_2 (x, 1)); /* { dg-warning "argument 1 value .\[0-9\]+. exceeds" } */ + T (asz1_2 (1, 1)); + +} Index: gcc/testsuite/gcc.dg/builtin-object-size-19.c =================================================================== --- gcc/testsuite/gcc.dg/builtin-object-size-19.c (nonexistent) +++ gcc/testsuite/gcc.dg/builtin-object-size-19.c (working copy) @@ -0,0 +1,58 @@ +/* PR tree-optimization/88372 - alloc_size attribute is ignored + on function pointers { dg-do compile } + { dg-options "-O2 -fdump-tree-optimized" } */ + +#define ATTR(...) __attribute__ ((__VA_ARGS__)) +#define CONCAT(x, y) x ## y +#define CAT(x, y) CONCAT (x, y) +#define FAILNAME(name) CAT (call_ ## name ##_on_line_, __LINE__) + +#define FAIL(name) do { \ + extern void FAILNAME (name) (void); \ + FAILNAME (name)(); \ + } while (0) + +/* Macro to emit a call to function named + call_in_true_branch_not_eliminated_on_line_NNN() + for each call that's expected to be eliminated. The dg-final + scan-tree-dump-time directive at the bottom of the test verifies + that no such call appears in output. */ +#define ELIM(expr) \ + if (!(expr)) FAIL (in_true_branch_not_eliminated); else (void)0 + +void sink (void*); + +#define T1(alloc, n) do { \ + void *p = alloc; \ + sink (p); \ + ELIM (n == __builtin_object_size (p, 0)); \ + ELIM (n == __builtin_object_size (p, 1)); \ + ELIM (n == __builtin_object_size (p, 2)); \ + ELIM (n == __builtin_object_size (p, 3)); \ + } while (0) + + +ATTR (alloc_size (1)) void* (*alloc_1)(int, int); +ATTR (alloc_size (2)) void* (*alloc_2)(int, int); +ATTR (alloc_size (1, 2)) void* (*alloc_1_2)(int, int); + + +void test_alloc_ptr (void) +{ + T1 (alloc_1 (0, 0), 0); + T1 (alloc_1 (1, 0), 1); + T1 (alloc_1 (3, 0), 3); + T1 (alloc_1 (9, 5), 9); + + T1 (alloc_2 (0, 0), 0); + T1 (alloc_2 (1, 0), 0); + T1 (alloc_2 (0, 1), 1); + T1 (alloc_2 (9, 5), 5); + + T1 (alloc_1_2 (0, 0), 0); + T1 (alloc_1_2 (1, 0), 0); + T1 (alloc_1_2 (0, 1), 0); + T1 (alloc_1_2 (9, 5), 45); +} + +/* { dg-final { scan-tree-dump-not "not_eliminated" "optimized" } } */