On 11/19/2016 05:55 PM, Martin Sebor wrote:
gcc-78284.diff
PR c/77531 - __attribute__((alloc_size(1,2))) could also warn on multiplication overflow
PR c/78284 - warn on malloc with very large arguments
gcc/c-family/ChangeLog:
PR c/77531
PR c/78284
* c.opt (-Walloc-zero, -Walloc-size-larger-than): New options.
gcc/ChangeLog:
PR c/77531
PR c/78284
* builtin-attrs.def (ATTR_ALLOC_SIZE, ATTR_RETURNS_NONNULL): New
identifier tree nodes.
(ATTR_ALLOCA_SIZE_1_NOTHROW_LEAF_LIST): New attribute list.
(ATTR_MALLOC_SIZE_1_NOTHROW_LIST): Same.
(ATTR_MALLOC_SIZE_1_NOTHROW_LEAF_LIST): Same.
(ATTR_MALLOC_SIZE_1_2_NOTHROW_LEAF_LIST): Same.
(ATTR_ALLOC_SIZE_2_NOTHROW_LEAF_LIST): Same.
* builtins.c (expand_builtin_alloca): Call
maybe_warn_alloc_args_overflow.
* builtins.def (aligned_alloc, calloc, malloc, realloc):
Add attribute alloc_size.
(alloca): Add attribute alloc_size and returns_nonnull.
* calls.h (maybe_warn_alloc_args_overflow): Declare.
* calls.c (alloc_max_size, operand_signed_p): New functions.
(maybe_warn_alloc_args_overflow): Define.
(initialize_argument_information): Diagnose overflow in functions
declared with attribute alloc_size.
* doc/invoke.texi (Warning Options): Document -Walloc-zero and
-Walloc-size-larger-than.
gcc/testsuite/ChangeLog:
PR c/77531
PR c/78284
* gcc.dg/attr-alloc_size-3.c: New test.
* gcc.dg/attr-alloc_size-4.c: New test.
* gcc.dg/attr-alloc_size-5.c: New test.
* gcc.dg/attr-alloc_size-6.c: New test.
* gcc.dg/attr-alloc_size-7.c: New test.
* gcc.dg/attr-alloc_size-8.c: New test.
* gcc.dg/attr-alloc_size-9.c: New test.
* gcc/testsuite/gcc.dg/errno-1.c: Adjust.
diff --git a/gcc/calls.c b/gcc/calls.c
index c916e07..05e6e09 100644
--- a/gcc/calls.c
+++ b/gcc/calls.c
@@ -1181,6 +1183,310 @@ store_unaligned_arguments_into_pseudos (struct arg_data
*args, int num_actuals)
}
}
+static tree alloc_object_size_limit;
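Review bot: the new file-scope static is declared without a comment saying what it holds and when it is set; since the ChangeLog adds alloc_max_size alongside it, a one-line comment tying alloc_object_size_limit to the -Walloc-size-larger-than limit it caches would help, and if that cached tree outlives a single function it also needs the GTY(()) marker (static GTY(()) tree alloc_object_size_limit;).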
Is this object live across GCC passes (I think it is)? If so, then it
needs a GTY marker.
+ /* G++ emits calls to ::operator new[](SIZE_MAX) in C++98
+ mode and with -fno-exceptions as a way to indicate array
+ size overflow. There's no good way to detect C++98 here
+ so avoid diagnosing these calls for all C++ modes. */
How unfortunate :(
+ else if (range_type == VR_ANTI_RANGE)
+ {
+ /* For an anti-range, if the type of the formal argument
+ is unsigned and the bounds of the range are of opposite
+ signs when interpreted as signed, check to see if the
+ type of the actual argument is signed. If so, the lower
+ bound must be taken to be zero (rather than a large
+ positive value corresonding to the actual lower bound
+ interpreted as unsigned) and there is nothing else that
+ can be inferred from it. */
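Review bot: the three-part condition spelled out in this comment (unsigned formal, anti-range bounds of opposite sign when read as signed, signed actual) is subtle enough that the testsuite should pin it down with a case that passes an int whose range excludes a window around zero to a size_t alloc_size parameter and checks that only the intended warning, not a false positive based on the unsigned reinterpretation of the lower bound, is issued; it is not clear from the hunk which of attr-alloc_size-3.c through -9.c covers it.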
s/corresonding/corresponding/
+@item -Walloc-zero
+@opindex Wno-alloc-zero
+@opindex Walloc-zero
+Warn about calls to allocation functions decorated with attribute
+@code{alloc_size} that specify zero bytes, including those to the built-in
+forms of the functions @code{aligned_alloc}, @code{alloca}, @code{calloc},
+@code{malloc}, and @code{realloc}. Because the behavior of these functions
+when called with a zero size differs among implementations relying on it may
+result in subtle portability bugs and should be avoided. This option is
+enabled with @option{-Wextra}.
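Review bot: the sentence beginning "Because the behavior of these functions" needs a comma after "implementations", since the main clause is "relying on it may result in subtle portability bugs"; as written it reads as "implementations relying on it". The text should also say how "zero bytes" is determined for functions with two alloc_size arguments such as calloc (the product of the two, or either argument being zero), since that is what decides whether calloc(0, n) is diagnosed.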
So I think we should in the immediate term not enable this in Wextra.
However, I think for gcc-8 we should revisit after fixing GCC to be
cleaner WRT alloc-zero.
So disable alloc-zero by default, fix the comment typo, and potentially add
the GTY marker to alloc_object_size_limit, and this is OK.
Jeff