Date: Fri, 26 Jan 2024 19:23:40 +0100
From: Alejandro Colomar
To: Russ Allbery
Cc: libc-alpha@sourceware.org
Subject: Re: free(3) const void *
References: <87y1ccq84g.fsf@hope.eyrie.org>
In-Reply-To: <87y1ccq84g.fsf@hope.eyrie.org>

Hi Russ,

On Fri, Jan 26, 2024 at 10:09:35AM -0800, Russ Allbery wrote:
> Maybe this way of explaining the objection will help.  Right now, if you
> pass a const pointer into a function, you have some assurance from that
> prototype (assisted by compiler diagnostics) that this function will not
> modify *or invalidate* that pointer and you can continue using that
> pointer after that call.  In other words, while C does not have full
> Rust-style lifetime tracking, the const marker on a function approximately
> indicates that the caller is not passing ownership of the pointer to that
> function and the function call will not affect the pointer.
>
> With this prototype, I believe you will create a situation where someone
> could write a function that takes a const pointer and then calls free() at
> the end of that function call on this passed parameter, and there would be
> no warning from the compiler either when compiling that function or when
> compiling a function that calls it and then uses the pointer afterwards
> (at least unless there is enough inlining that a compiler can put all the
> pieces together).

Unless I'm missing something, you wouldn't get a warning either if you
use a pointer after free(3), if that free() is hidden in a function call.

	extern void my_free(void *p);

	my_free(p);
	my_free(p);	// no diagnostic: the free() inside my_free() is not visible here

`const` doesn't make a difference there, regarding diagnostics about
use-after-free.

> Unless I'm missing something, the more specific annotation indicating that
> free() is a deallocator doesn't help because it doesn't propagate up the
> call stack.  It will catch use after free within the same function, but it
> won't catch the case where someone passes a const pointer down a whole
> chain of functions that take const pointers, and then the function at the
> bottom of that call stack frees the pointer, unless someone carefully
> annotates every function in that call stack with that annotation.  When
> this is done in error, someone obviously wouldn't do that.

You must propagate the annotation yourself (I don't remember from the top
of my head if there's any way to remind you if you forgot to propagate
it).

	// access() needs the 1-based index of the pointer parameter it describes
	[[gnu::access(none, 1)]]
	extern void my_free_const(const void *p);

	[[gnu::malloc(my_free_const)]]
	extern void *my_malloc(size_t bytes);

	void *p = my_malloc(1);
	my_free_const(p);
	my_free_const(p);	// Warning: use-after-free

So, after Xi's reminder, I'll reformulate my suggestion to

	[[gnu::access(none, 1)]]
	void free(const void *p);

(or for compatibility reasons, do the const thing via a macro.)

Have a lovely night,
Alex

-- 
Looking for a remote C programming job at the moment.
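As an added example (not code from this thread or from glibc), the const-taking deallocator and an allocator paired with it, declared so that `gcc -fanalyzer` can pair them, plus a small live-pointer table as a run-time backstop for the chained-call case Russ describes, where the annotation is not propagated. The macro names, my_malloc, my_free_const, my_free_checked and the table size are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
/* access(none, 1) and malloc(deallocator) exist in GCC >= 11 only;
 * elsewhere the declarations are plain (clang has no equivalent). */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
#  define FREE_CONST_ATTR     __attribute__((access(none, 1)))
#  define MALLOC_PAIRED(dtor) __attribute__((malloc, malloc(dtor)))
#else
#  define FREE_CONST_ATTR
#  define MALLOC_PAIRED(dtor)
#endif

enum free_status { FREE_OK = 0, FREE_NOT_LIVE = 1 };
#define MAX_LIVE 64
static const void *live[MAX_LIVE];  /* blocks currently owned by callers */
static int rejected_frees;          /* second or stray frees we refused */

/* The const-taking deallocator from the thread: access(none, 1) says the
 * object is never read through p; only the pointer's identity matters. */
FREE_CONST_ATTR void my_free_const(const void *p);

/* Pairing with my_free_const lets `gcc -fanalyzer` report a second
 * my_free_const(p) on the same pointer when both calls are in view. */
MALLOC_PAIRED(my_free_const) void *my_malloc(size_t bytes)
{
    void *p = malloc(bytes);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                /* table full or malloc failed: give back NULL */
    return NULL;
}

/* Run-time backstop for what the analyzer cannot follow across calls:
 * only a pointer my_malloc handed out and still tracks gets freed. */
enum free_status my_free_checked(const void *p)
{
    if (p == NULL)
        return FREE_OK;                 /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) {
            live[i] = NULL;
            free((void *)p);            /* drop const: caller gave up the object */
            return FREE_OK;
        }
    rejected_frees++;
    return FREE_NOT_LIVE;
}

void my_free_const(const void *p) { (void)my_free_checked(p); }
int my_rejected_free_count(void) { return rejected_frees; }
```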