> On Aug 1, 2023, at 6:45 PM, Kees Cook <keesc...@chromium.org> wrote:
>
> On Mon, Jul 31, 2023 at 08:14:42PM +0000, Qing Zhao wrote:
>> /* In general, due to type casting, the type for the pointee of a pointer
>> does not say anything about the object it points to,
>> so __builtin_object_size can not directly use the type of the pointee
>> to decide the size of the object the pointer points to.
>>
>> There are only two reliable ways:
>> A. observed allocations (call to the allocation functions in the routine)
>> B. observed accesses (read or write access to the location the
>> pointer points to)
>>
>> that provide information about the type/existence of an object at
>> the corresponding address.
>>
>> For A, we use the "alloc_size" attribute for the corresponding allocation
>> functions to determine the object size;
>>
>> For B, we use the SIZE info of the TYPE attached to the corresponding
>> access.
>> (We treat the counted_by attribute as a complement to the SIZE info of the TYPE
>> for FMA.)
>>
>> The only other way in C which ensures that a pointer actually points
>> to an object of the correct type is 'static':
>>
>> void foo(struct P *p[static 1]);
>>
>> See https://gcc.gnu.org/pipermail/gcc-patches/2023-July/624814.html
>> for more details. */
>
> This is a great explanation; thank you!
>
> In the future I might want to have a new builtin that will allow
> a program to query a pointer when neither A nor B have happened. But
> for the first version of the __counted_by infrastructure, the above
> limitations seem fine.
>
> For example, maybe __builtin_counted_size(p) (which returns sizeof(*p) +
> sizeof(*p->flex_array_member) * p->counted_by_member). Though since
> there might be multiple flex array members, maybe this can't work. :)
What do you mean by "there might be multiple flex array members"?

Do you mean the following example:

#include <stdlib.h>

struct annotated {
  size_t foo;
  int array[] __attribute__((counted_by (foo)));
};

static struct annotated * __attribute__((noinline))
alloc_buf (int index)
{
  struct annotated *p;
  p = malloc (sizeof (*p) + (index) * sizeof (int));
  p->foo = index;
  return p;
}

int main ()
{
  struct annotated *p1, *p2;
  p1 = alloc_buf (10);
  p2 = alloc_buf (20);
  __builtin_counted_size (p1) ???
  __builtin_counted_size (p2) ???
}

Or something else?

Qing

> -Kees
>
> --
> Kees Cook
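A hand-written analogue of the builtin Kees sketches and of the check that counted_by enables, added here as an example (not code from the thread or from GCC). COUNTED_BY, counted_size and checked_get are my own names; counted_size only mirrors the sizeof(*p) + count * sizeof(element) formula quoted above, and the struct and alloc_buf follow Qing's example with a size_t count.

```c
#include <stdio.h>
#include <stdlib.h>
/* Use counted_by where the compiler knows it; otherwise compile it away. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(member) __attribute__((counted_by(member)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(member)
#endif

/* The struct from the mail: foo holds the element count of array. */
struct annotated {
    size_t foo;
    int array[] COUNTED_BY(foo);
};

/* Case A from the mail: an observed allocation (alloc_buf, with a size_t count). */
static struct annotated *alloc_buf(size_t count)
{
    struct annotated *p = malloc(sizeof(*p) + count * sizeof(int));
    if (p) p->foo = count;
    return p;
}

/* Hypothetical hand-written analogue of the proposed __builtin_counted_size: the
 * object size from the counted_by member alone, with no allocation or access in view. */
static size_t counted_size(const struct annotated *p)
{
    return sizeof(*p) + p->foo * sizeof(p->array[0]);
}

/* The bounds check counted_by lets a compiler emit for p->array[i], spelled out. */
static int checked_get(const struct annotated *p, size_t i, int *out)
{
    if (i >= p->foo) return -1;   /* out of bounds: refuse rather than over-read */
    *out = p->array[i];
    return 0;
}

int main(void)
{
    struct annotated *p1 = alloc_buf(10);
    int v = 0;
    if (!p1) return 1;
    for (size_t i = 0; i < p1->foo; i++) p1->array[i] = (int)i;
    printf("size=%zu ok=%d oob=%d\n", counted_size(p1), checked_get(p1, 9, &v), checked_get(p1, 10, &v));
    free(p1);
    return 0;
}
```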