> I think there may be a misunderstanding by what you mean by "extend this
> to user-space." I agree that the vararg checking and the address space
> qualifiers are not the same exact topic, although the latter could be
> used to augment the former.
>
> Not everyone has looked at your code, so they may not even be aware of
> what kinds of problems you were looking for in the use of the PHP
> interpreter API varargs functions. My understanding is that you were looking at
> internal consistency within the interpreter codebase of how these
> functions were used; from this perspective, I'm not certain what you mean
> by "user-space." That term is often overloaded; to an OS person the
> world is often divided into the "kernel" and "user" address spaces, and
> user-space pointers should never be directly dereferenced within the
> kernel (this can happen when arguments passed from system calls, etc.,
> are not properly handled in the kernel).
I think I didn't explain myself well, sorry. The PHP interpreter has the following function:

    int zend_parse_parameters(int num_args, char *type_spec, ...);

It is usually used like this:

    zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &str, &str_len, &number);

The problem is that the number and type of arguments depend on the format string. In this case it receives a string (str + length) and a long (optional). No compiler is currently able (AFAIK) to check if the function is called correctly. Also, 'number' might not be initialized, while str and str_len are (if the function doesn't return FAILURE).

I implemented a simple checker with clang to verify the parameter types. I mentioned that I need to port it to the liveness analyzer because I want to check if the parameters after the '|' are used before initialization and if the ones before are not initialized unnecessarily.

I doubt that anytime soon compilers will be able to analyze these varargs functions automatically (well, you could try to use some heuristics, like searching for a switch, but..), so my idea was to expose some kind of API to the programmers to allow them to specify some arbitrary function to validate the arguments. GCC supports the following:

    void my_printf(const char *format, ...) __attribute__((format(printf, 1, 2)));

but GCC only supports the printf and scanf functions. My idea was to generalize this, by allowing the user to specify some function (without touching the compiler's code). While the idea seems fairly acceptable, I don't have any syntax proposal.

Reference: http://gcc.gnu.org/ml/gcc/2006-11/msg00331.html

Any thoughts? :)

Nuno
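The call-site check described in the post above, as an added example that is not part of the original message or of the PHP or clang code: it expands a zend_parse_parameters type_spec into the C pointer types the varargs tail must carry, records where the optional ('|') part begins, and compares that against the argument types seen at a call. The spec characters and their C types are a small assumed subset, not the full PHP table.

```python
"""Model of a zend_parse_parameters() call-site checker (added example)."""

# Assumed subset of type_spec characters -> C types of the pointer
# arguments each one consumes from the varargs tail.
SPEC_TYPES = {
    "s": ("char **", "int *"),   # string: buffer pointer plus length
    "l": ("long *",),            # long
    "d": ("double *",),          # double
    "b": ("zend_bool *",),       # boolean
    "z": ("zval **",),           # raw zval
}


def expand_spec(spec):
    """Return (expected_types, first_optional_index) for a type_spec.

    Arguments at index >= first_optional_index belong to parameters after
    '|' and may be left untouched even when the call does not FAIL, which
    is exactly what a liveness check must treat as "possibly uninitialized".
    """
    types = []
    optional_from = None
    for ch in spec:
        if ch == "|":
            if optional_from is not None:
                raise ValueError("duplicate '|' in spec %r" % spec)
            optional_from = len(types)
            continue
        if ch not in SPEC_TYPES:
            raise ValueError("unknown spec char %r in %r" % (ch, spec))
        types.extend(SPEC_TYPES[ch])
    return types, (len(types) if optional_from is None else optional_from)


def check_call(spec, arg_types):
    """Compare the C types passed at a call site against the spec.

    Returns a list of diagnostics; an empty list means the call matches.
    """
    expected, _ = expand_spec(spec)
    problems = []
    if len(arg_types) != len(expected):
        problems.append("spec %r expects %d arguments, call passes %d"
                        % (spec, len(expected), len(arg_types)))
    for i, (want, got) in enumerate(zip(expected, arg_types)):
        if want != got:
            problems.append("argument %d: expected %s, got %s"
                            % (i + 1, want, got))
    return problems
```

For the call in the post, `expand_spec("s|l")` reports that only the third pointer (`&number`) is optional, so a later read of `number` without a guard is the case the liveness pass should flag.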
