> On Nov 19, 2024, at 10:47, Marek Polacek <pola...@redhat.com> wrote:
>
> On Mon, Nov 18, 2024 at 07:10:35PM +0100, Martin Uecker wrote:
>> On Monday, 18.11.2024 at 17:55 +0000, Qing Zhao wrote:
>>> Hi,
>>>
>>> I am working on extending the "counted_by" attribute to pointers inside a
>>> structure per our previous discussion.
>>>
>>> I need advice on the following question:
>>>
>>> Should -fsanitize=bounds support an array reference that was referenced through
>>> a pointer that has the counted_by attribute?
>
> I don't see why it couldn't,

Okay, based on our discussion so far, it looks like we all agree that it's reasonable to extend the sanitizer to support the detection of an out-of-bounds array reference that was referenced through a pointer field with the counted_by attribute.

Yes, I will implement this.

> perhaps as part of -fsanitize=bounds-strict.
> Someone has to implement it, though.

Per the current documentation:

  -fsanitize=bounds
    This option enables instrumentation of array bounds. Various out of bounds accesses are detected. Flexible array members, flexible array member-like arrays, and initializers of variables with static storage are not instrumented, with the exception of flexible array member-like arrays for which -fstrict-flex-arrays or -fstrict-flex-arrays= options or strict_flex_array attributes say they shouldn't be treated like flexible array member-like arrays.

  -fsanitize=bounds-strict
    This option enables strict instrumentation of array bounds. Most out of bounds accesses are detected, including flexible array member-like arrays. Initializers of variables with static storage are not instrumented.

It looks like the only difference between -fsanitize=bounds and -fsanitize=bounds-strict is: -fsanitize=bounds-strict instruments more flexible array member-like arrays.

When the flexible array member is attached with the "counted_by" attribute, -fsanitize=bounds will instrument the corresponding reference.

Per our discussion so far, if treating the following

struct foo {
  int n;
  char *p __attribute__ ((counted_by (n)));
};

as an array with upper bound "n" is reasonable, then it's reasonable to extend -fsanitize=bounds to instrument the corresponding reference for a pointer with the counted_by attribute.

What do you think?

Qing

>
>> I think the question is what -fsanitize=bounds is meant to be.
>>
>> I am a bit frustrated about the sanitizer. On the
>> one hand, it is not doing enough to get spatial memory
>> safety even where this would be easily possible; on the
>> other hand, it is pedantic about things which are technically
>> UB but not problematic, and then one is prevented from
>> using it.
>>
>> When used in default mode, where execution continues, it
>> also does not mix well with many warnings, creates more code,
>> and pulls in a library dependency (and the library also depends
>> on upstream choices / progress which seems a limitation for
>> extensions).
>>
>> What IMHO would be ideal is a protection mode for spatial
>> memory safety that simply adds traps (which then requires
>> no library, has no issues with other warnings, and could
>> evolve independently from clang).
>>
>> So shouldn't we just add a -fboundscheck (which would
>> be like -fsanitize=bounds -fsanitize-trap=bounds just with
>> more checking) and make it really good? I think many people
>> would be very happy about this.
>
> That's a separate concern. We already have the -fbounds-check option,
> currently only used in Fortran (and D?), so perhaps we could make
> that option a shorthand for -fsanitize=bounds -fsanitize-trap=bounds.
>
> Marek
>
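As an added illustration that is not part of the thread or of GCC: a hand-written C model of the check the sanitizer would insert before `f->p[i]` once `p` carries `counted_by (n)`, treating the valid index range as [0, n) as proposed above, in both the reporting mode of -fsanitize=bounds and the trap mode of -fsanitize-trap=bounds. The struct is the one from the message, with the attribute left off since the pointer form is not yet implemented; the function names and the sample buffer are constructed for this example.

```c
#include <stdio.h>
/* struct foo from the thread; in the proposal p is `char *p __attribute__ ((counted_by (n)));` */
struct foo {
    int n;
    char *p;
};

enum bounds_result { BOUNDS_OK = 0, BOUNDS_VIOLATION = 1 };

/* The check the sanitizer would insert before f->p[idx] (assumption: the
   valid range is [0, f->n), as the thread proposes).  Reports and returns,
   like the default recover mode of -fsanitize=bounds. */
enum bounds_result foo_check_index(const struct foo *f, long idx)
{
    if (f->n <= 0 || idx < 0 || idx >= (long)f->n) {
        fprintf(stderr, "bounds violation: index %ld outside [0, %d)\n",
                idx, f->n);
        return BOUNDS_VIOLATION;
    }
    return BOUNDS_OK;
}

/* Checked read: the byte at idx, or -1 when the index fails the check. */
int foo_read(const struct foo *f, long idx)
{
    if (foo_check_index(f, idx) != BOUNDS_OK)
        return -1;
    return (unsigned char)f->p[idx];
}

/* Equivalent of -fsanitize-trap=bounds: abort instead of reporting, so no
   runtime library is needed. */
int foo_read_or_trap(const struct foo *f, long idx)
{
    if (f->n <= 0 || idx < 0 || idx >= (long)f->n)
        __builtin_trap();
    return (unsigned char)f->p[idx];
}

/* Constructed sample: an 8-byte buffer of which only `count` bytes are
   described by n.  With count 4, index 4 is allocated but out of bounds
   for the sanitizer, because the bound comes from n, not the allocation. */
struct foo *foo_make_sample(int count)
{
    static char buf[8] = "abcdefg";
    static struct foo f;
    f.n = count; f.p = buf;
    return &f;
}
```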