From: Jonathan Wakely
Date: Tue, 21 Jun 2022 11:43:54 +0100
Subject: Re: Safer vararg calls
To: Yair Lenga
Cc: "gcc@gcc.gnu.org"

On Tue, 21 Jun 2022 at 11:17, Yair Lenga via Gcc wrote:
>
> Hi,
>
> Looking for feedback on adding a new attribute to function calls that will help create safer vararg functions.
>
> Consider the case where a vararg function takes a list of arguments of the same type. In my case, they are terminated with a sentinel of null.
>
> char *result = delimitedstr(':', "foo", "bar", "zoo", NULL);
>
> The standard prototype
> is char * delimitedstr(char delim, char *p1, ...);
>
> Which will currently allow many incorrect calls:
> delimitedstr(':', "foo", 5, 7.3, 'a'); // bad types + missing sentinel.
>
> The __attribute__((sentinel)) can force the last arg to be null.
>
> My proposal is to add a new attribute ((va_vector)) that will add a check that all parameters in a vararg list match the typeof the last parameter. So that:

"va_vector" is a bad name IMHO. It tells me nothing about what it means. Does it have something to do with SIMD vectors?

>
> __attribute__ ((va_typed)) delimitedstr(char delim, char *p1, ...);

"va_typed" at least suggests something to do with types, but it doesn't tell me they have to be the same type.

>
> Will flag a call where any of the parameters after p1 is not a string.

In your example NULL does not have the same type as the earlier arguments. You would have to write (char*)NULL to suppress a diagnostic. I also wonder how a mixture of char* and const char* arguments would be handled in your example.

>
> This can result in cleaner, safer code, without making the calling sequence more difficult, or modifying the behavior of the call.
>
> For Java developers, this is basically the same type checking provided by the as ‘datatype …’ (without the conversion into array).
>
> I am looking for feedback, pointers on how to implement, as I do not have experience with extending gcc.
>
> Yair
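
The following is an added example, not code from either poster or from GCC. It shows the variadic `delimitedstr` from the thread guarded only by `__attribute__((sentinel))`, next to a front end that gets same-type checking from today's compilers by initialising a `const char *` array, which also accepts a mix of `char *` and `const char *` and needs no cast on the sentinel. The names `delimited_join`, `DELIMITED` and `MAX_ITEMS` are assumptions, and the parameters are `const char *` rather than the thread's `char *`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Array-based worker: every element already has type const char *. Caller frees. */
char *delimited_join(char delim, const char *const *items) {
    size_t n = 0, len = 1;                 /* 1 for the terminating NUL */
    for (; items[n] != NULL; n++)
        len += strlen(items[n]) + 1;       /* string plus one delimiter */
    char *out = malloc(len), *p = out;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(items[i]);
        if (i > 0) *p++ = delim;
        memcpy(p, items[i], l);
        p += l;
    }
    *p = '\0';
    return out;
}

/* Variadic form from the thread: sentinel checks only the trailing NULL;
 * va_arg trusts every other argument to be a string. */
#define MAX_ITEMS 16
__attribute__((sentinel))
char *delimitedstr(char delim, const char *p1, ...) {
    const char *items[MAX_ITEMS + 1];
    size_t n = 0;
    va_list ap;
    va_start(ap, p1);
    for (const char *s = p1; s != NULL; s = va_arg(ap, const char *)) {
        if (n == MAX_ITEMS) { va_end(ap); return NULL; }   /* too many items */
        items[n++] = s;
    }
    va_end(ap);
    items[n] = NULL;
    return delimited_join(delim, items);
}

/* Checked front end (name assumed): the arguments initialise a const char *
 * array, so 5, 7.3 or 'a' are diagnosed; the macro appends the sentinel. */
#define DELIMITED(delim, ...) \
    delimited_join((delim), (const char *const[]){ __VA_ARGS__, NULL })

int main(void) {
    char *s = DELIMITED(':', "foo", "bar", "zoo");
    puts(s != NULL ? s : "allocation failed");
    free(s);
    return 0;
}
```

How strictly the bad call from the thread is rejected through `DELIMITED` depends on the compiler: `7.3` is always an error, while the integer arguments are a warning in older GCC releases.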