On Mon, Jul 31, 2023 at 08:14:42PM +0000, Qing Zhao wrote:
> /* In general, due to type casting, the type for the pointee of a pointer
> does not say anything about the object it points to,
> so __builtin_object_size cannot directly use the type of the pointee
> to decide the size of the object the pointer points to.
>
> There are only two reliable ways:
> A. observed allocations (call to the allocation functions in the routine)
> B. observed accesses (read or write access to the location the
> pointer points to)
>
> that provide information about the type/existence of an object at
> the corresponding address.
>
> For A, we use the "alloc_size" attribute for the corresponding allocation
> functions to determine the object size;
>
> For B, we use the SIZE info of the TYPE attached to the corresponding
> access.
> (We treat counted_by attribute as a complement to the SIZE info of the TYPE
> for FMA)
>
> The only other way in C which ensures that a pointer actually points
> to an object of the correct type is 'static':
>
> void foo(struct P *p[static 1]);
>
> See https://gcc.gnu.org/pipermail/gcc-patches/2023-July/624814.html
> for more details. */
This is a great explanation; thank you!

In the future I might want to have a new builtin that will allow a program to query a pointer when neither A nor B have happened. But for the first version of the __counted_by infrastructure, the above limitations seem fine.

For example, maybe __builtin_counted_size(p) (which returns sizeof(*p) + sizeof(*p->flex_array_member) * p->counted_by_member). Though since there might be multiple flex array members, maybe this can't work. :)

-Kees

-- 
Kees Cook
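The three situations Qing's comment distinguishes (an observed allocation, an observed typed object, and a bare pointer about which nothing is known) can be seen directly by asking __builtin_object_size in each one. The program below is an added example written for this page; it is not code from the counted_by patch or from the thread. `struct pkt`, `pkt_alloc` and `make_pkt` are hypothetical names. The `counted_by` attribute is only applied on compilers that report it through `__has_attribute` (the macro expands to nothing elsewhere), and `__builtin_dynamic_object_size` is used only where `__has_builtin` finds it. One caveat a practitioner should expect: the alloc_size case depends on the compiler's object-size analysis actually running, which for GCC means at least -O1; at -O0 GCC returns the "unknown" value (size_t)-1 for it, while the local-array and bare-parameter cases give the same answer at every level.

```c
#include <stddef.h>
#include <stdlib.h>

#ifndef __has_attribute
#  define __has_attribute(x) 0
#endif
#ifndef __has_builtin
#  define __has_builtin(x) 0
#endif

/* counted_by is only known to newer compilers; elsewhere the macro is empty
 * and the last demo below simply reports "unknown". */
#if __has_attribute(counted_by)
#  define COUNTED_BY(field) __attribute__((counted_by(field)))
#else
#  define COUNTED_BY(field)
#endif

/* __builtin_dynamic_object_size is the builtin that consumes counted_by;
 * fall back to the static builtin on compilers that lack it. */
#if __has_builtin(__builtin_dynamic_object_size)
#  define BDOS(ptr, type) __builtin_dynamic_object_size(ptr, type)
#else
#  define BDOS(ptr, type) __builtin_object_size(ptr, type)
#endif

/* Hypothetical message type: count says how many bytes of data[] are valid. */
struct pkt {
    size_t count;
    unsigned char data[] COUNTED_BY(count);
};

/* Case A, an observed allocation: alloc_size(1) tells the compiler that the
 * object returned is exactly n bytes. pkt_alloc is a hypothetical wrapper. */
static void *pkt_alloc(size_t n) __attribute__((malloc, alloc_size(1)));
static void *pkt_alloc(size_t n) { return malloc(n); }

static struct pkt *make_pkt(size_t n)
{
    struct pkt *p = pkt_alloc(sizeof *p + n);
    if (p)
        p->count = n;
    return p;
}

size_t alloc_size_expected(void) { return sizeof(struct pkt) + 16; }

/* The allocation is visible in this function, so __builtin_object_size can use
 * it: sizeof(struct pkt) + 16 once the object-size analysis runs (GCC needs at
 * least -O1); GCC at -O0 gives up and returns (size_t)-1. */
size_t alloc_size_observed(void)
{
    struct pkt *p = pkt_alloc(sizeof *p + 16);
    size_t sz = __builtin_object_size(p, 0);
    free(p);
    return sz;
}

/* Case B, an observed object: buf is a local array, so the size of its type is
 * the size of the object. This folds at any optimisation level. */
size_t local_array_size(void)
{
    unsigned char buf[32];
    return __builtin_object_size(buf, 0);   /* 32 */
}

/* Neither A nor B: a pointer parameter says nothing about what it points to,
 * whatever its pointee type is. noinline keeps the caller's allocation out of
 * view, as a real translation-unit boundary would. */
__attribute__((noinline))
size_t size_via_param(struct pkt *p)
{
    return __builtin_object_size(p, 0);     /* (size_t)-1: unknown */
}

size_t param_size_unknown(void)
{
    struct pkt *p = make_pkt(16);
    size_t sz = p ? size_via_param(p) : (size_t)-1;
    free(p);
    return sz;
}

/* counted_by as the complement to the type's size: with the attribute the
 * compiler derives the size of data[] from p->count at run time (16 here);
 * without it, a flexible array member behind an unknown pointer is (size_t)-1. */
__attribute__((noinline))
size_t fam_size_via_counted_by(struct pkt *p)
{
    return BDOS(p->data, 1);
}

size_t counted_by_size_for(size_t n)
{
    struct pkt *p = make_pkt(n);
    size_t sz = p ? fam_size_via_counted_by(p) : (size_t)-1;
    free(p);
    return sz;
}
```

Build it once with -O0 and once with -O2 and compare the return values of `alloc_size_observed()` and `counted_by_size_for(16)`: the local array is always 32 and the bare parameter is always (size_t)-1, but the two cases that depend on compiler analysis only become known when that analysis runs, which is exactly why the patch treats counted_by as extra information the type alone does not carry.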