https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83859
Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |msebor at gcc dot gnu.org

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
Created attachment 43140
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=43140&action=edit
Slides from Cauldron 2017 presentation.

Thanks for the suggestion. Let me confirm this as a useful enhancement.

I have a patch with three such attributes that I was hoping to submit for
GCC 8 but I didn't resolve all the design issues with it. The current
solution provides four attributes:

  read_only (ptr-arg, size-arg)
  write_only (ptr-arg, size-arg)
  read_write (ptr-arg, size-arg)
  no_side_effect

They let GCC know at the call site not just the size of the array the
pointer points to but also how the function accesses the contents of the
array. The last one means that a function has no side effects except as
annotated by the other attributes (which is a superset of what attributes
const and pure do). Together they not only enable all sorts of diagnostics
but can also improve the emitted code.

Attached are a few slides from my presentation on this project at GNU Tools
Cauldron 2017.

Some of the open design questions I have with this solution are:

1) How to annotate constant size buffers. I'd like to be able to express
   that a function requires a buffer of at least N elements without making
   N an argument to the function. E.g., annotate the declaration
   'void f (int[2])' to let GCC understand that it requires an array of at
   least 2 ints.

2) Can partial writes for attribute write_only functions be handled? I.e.,
   would it be worthwhile to provide an annotation to let GCC know at the
   call site where to look for the number of elements written into a
   write_only or read_write buffer.

3) How to annotate strings (i.e., sequences of elements terminated by a
   sentinel element). E.g., in my_strcpy(char *d, const char *s), what
   should the attribute syntax look like to tell GCC that d and s are
   nul-terminated strings? As a separate question, is it worthwhile to also
   provide annotation to express a relationship between d and s (e.g., that
   they have to have the same number of elements).
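As an added illustration (not part of the bug report or of Martin Sebor's patch) of the pointer-argument/size-argument pairing the comment describes: a fixed-size copy annotated on both its written and its read buffer, so that GCC can check every call site against the sizes of the objects passed without seeing the function body. The spelling used is the access attribute that GCC 10 later shipped, access(mode, ptr-arg, size-arg); the standalone read_only(ptr-arg, size-arg) form proposed above is not accepted by any released GCC. The function names, buffer sizes and input bytes are constructed for the example.

```c
/* Added example, not from the bug report.  Uses GCC's access attribute,
 * access(mode, ptr-arg, size-arg); compiles unannotated elsewhere. */
#include <stddef.h>

#if defined(__has_attribute)
#  if __has_attribute(access)
#    define ACCESS(...) __attribute__((access(__VA_ARGS__)))
#  endif
#endif
#ifndef ACCESS
#  define ACCESS(...)   /* compiler without the attribute: no annotation */
#endif

/* Argument 1 (dst) is only written, argument 2 (src) is only read, and
 * argument 3 (n) bounds both accesses.  GCC compares n against the size
 * of each object passed at every call site.  Returns the byte sum of
 * what was copied so the copy can be checked. */
ACCESS(write_only, 1, 3)
ACCESS(read_only, 2, 3)
unsigned copy_bytes(unsigned char *dst, const unsigned char *src, size_t n)
{
    unsigned sum = 0;
    for (size_t i = 0; i < n; i++) {
        dst[i] = src[i];
        sum += src[i];
    }
    return sum;
}

/* Well-formed use: both objects are at least n bytes. */
unsigned demo_ok(void)
{
    unsigned char src[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed input */
    unsigned char dst[8] = {0};
    return copy_bytes(dst, src, sizeof dst);         /* 36 */
}

#ifdef DEMO_MISMATCH
/* Build with -DDEMO_MISMATCH -O2: from the annotation alone GCC reports
 * at this call that 16 exceeds the 8-byte destination and the 4-byte
 * source (-Wstringop-overflow; -Wstringop-overread for the source side
 * in GCC 11 and later).  Nothing is run here; it is a compile-time check. */
void demo_mismatch(void)
{
    unsigned char small_src[4] = {0};
    unsigned char dst[8];
    copy_bytes(dst, small_src, 16);
}
#endif
```

Without the annotation the same mismatch is only caught if copy_bytes is inlined and the loop bounds happen to be analysable; with it the diagnostic does not depend on the body at all.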