Am Dienstag, dem 12.11.2024 um 07:51 +0100 schrieb Martin Uecker: > Am Montag, dem 07.10.2024 um 15:14 +0000 schrieb Qing Zhao: > > > > > On Oct 7, 2024, at 10:13, Jakub Jelinek via Gcc <gcc@gcc.gnu.org> wrote: > > > > > > On Fri, Oct 04, 2024 at 12:42:24AM +0200, Florian Weimer wrote: > > > > * Joseph Myers: > > > > > > > > > The real question is how to achieve optimal warnings in the absence > > > > > of the > > > > > attribute. Should we have a variant of the nonnull attribute that > > > > > warns > > > > > for NULL arguments but without optimizing based on them? > > > > > > > > I think attribute access already covers part of it: > > > > > > > > #include <stddef.h> > > > > void read_array (void *, size_t) __attribute__ ((access (read_only, 1, > > > > 2))); > > > > void > > > > f (void) > > > > { > > > > read_array (NULL, 0); // No warning. > > > > read_array (NULL, 1); // Warning. > > > > } > > > > > > > > It does not work for functions like strndup that support both string > > > > arguments (of any length) and array arguments of a specified size. > > > > The read_only variant requires an initialized array of the specified > > > > length. > > > > > > access attribute can't deal with various other things. > > > > > > Consider the qsort case. My understanding was that the paper is making > > > typedef int (*cmpfn) (const void *, const void *); > > > qsort (NULL, 0, 1, (cmpfn) NULL); > > > valid (but is > > > qsort (NULL, 1, 0, (cmpfn) NULL); > > > still invalid?). > > > How do you express that with access attribute, which can only have 1 size > > > argument? The accessed memory for the read/write pointee of the first > > > argument has nmemb * size parameter bytes size. > > > > For the other attribute “alloc_size”, we have two forms, > > A. alloc_size (position) > > and > > B. alloc_size (position-1, position-2) > > > > The 2nd form is used to represent nmemb * size. > > > > Is it possible that we extend the attribute “access” similarly? > > > > Then we can use the attribute “access” consistently for this purpose? > > We also miss sanitizer support. > > How about letting "access" only be about access range > and instead have separate attribute that can be used to > express more complicated preconditions? > > void* foo(void *p, size_t mmemb, size_t size) > [[precondition((p == NULL) == (mmemb * size == 0)]]; > > (not saying this is the right condition for any function > in the standard library)
And the condition should avoid wraparound. Martin > > Martin > > > > > Qing > > > > > And using access attribute for function pointers doesn't work, there is > > > no data to be read/written there, just code. > > > > > > Guess some of the nonnull cases could be replaced by access attribute > > > if we clarify the documentation that if SIZE_INDEX is specified and that > > > argument is non-zero then the pointer has to be non-NULL, and teach > > > sanitizers etc. to sanitize those. > > > > > > For the rest, perhaps we need some nonnull_if_nonzero argument > > > which requires that the parameter identified by the first attribute > > > argument must be pointer which is non-NULL if the parameter identified > > > by the second attribute argument is non-zero. > > > And get clarified the qsort/bsearch cases whether it is about just > > > nmemb == 0 or nmemb * size == 0. > > > > > > Jakub > > > > > >