[clang] [BoundsSafety] Allow 'counted_by' attribute on pointers in structs in C (PR #90786)

Fri, 10 May 2024 14:50:26 -0700 

bwendling wrote:

@apple-fcloutier:

> think that there's room to allow `__counted_by` on incomplete types so that a 
> TU where it's complete could use it (and we have use cases where that would 
> be handy), but our implementation doesn't support it at this time. This can 
> be added without disruptions at a later time. FWIW, the point of 
> bounds-checking an index is moot at least while the type is incomplete, since 
> it's an error to dereference a pointer to an incomplete type. Aside from 
> indexing, operations that would cast the pointer (such as `memset(x->foo, 0, 
> some_value)`, assuming `memset(void *__sized_by(n), int, size_t n)`) would 
> still have to be illegal when `struct foo` is incomplete because there's no 
> way to know how many bytes we have at x->foo without `sizeof(struct foo)`.

What I'm thinking is something like:

```c
a.c:
struct foo;

struct bar {
  size_t count;
  struct foo *ptr __counted_by(count);
};

struct bar *alloc_bar(size_t num_elems) {
  struct bar *p = malloc(sizeof(bar));

  p->count = num_elems;
  p->ptr = malloc(sizeof(struct foo *) * num_elems);
  return p;
}

/* later on, or in another TU */

struct foo {
  /* fields */
};

void bork(size_t num_elems) {
  struct bar *p = alloc_bar(num_elems);

  for (size_t i = 0; i < num_elems; ++i) {
    p->ptr[i] = alloc_foo();
  }

  /* some use of p */
}
}
```

I was incorrect about `void *`. It's valid to cast any pointer to `void *` and 
back to the original type.

> For structs with a flexible array member, the reason is that sizeof(struct 
> bar) is a lie. How would we reconcile, for instance, a count of 1 (implying 
> there's like 4 bytes at x->bar) with a x->bar->a of 10 (implying that 
> x->bar->fam[8] is in bounds)? How do we feel that x->bar[0]->fam[0] aliases 
> with x->bar[1]->a?

It's not a lie, because the contents of a pointer don't contribute to the size 
of the struct containing that pointer.

https://github.com/llvm/llvm-project/pull/90786
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to