On 2023-08-08 20:14, enh wrote:
(bionic maintainer here, mostly by accident...)
yeah, we tried the GCC attributes once before with _disastrous_
results (because GCC saw it as an excuse to delete explicit null
checks, it broke all kinds of things). the clang attributes are
AFAICT based on earlier discussions around this patch, the NULL check
deletion anomalies in gcc seem to have been fixed recently.
"better" in that they don't confuse two entirely separate notions ...
but they're not "good" because the analysis is so limited. i think we
were hoping for something more like the "used but not set" kind of
diagnostic, but afaict it really only catches _direct_ use of a
literal nullptr. so:
foo(nullptr); // caught
void* p = nullptr;
foo(p); // not caught
without getting on to anything fancy like:
void* p;
if (a) p = bar();
foo(p);
we've done all the annotations anyway, but we're not expecting to
actually catch many bugs with them, and in fact did not catch any real
bugs in AOSP while adding the annotations. (though we did find several
"you're not _wrong_, but ..." bits of code :-) )
I believe it did catch a few issues in the glibc test cases when we
enabled fortification internally in addition to flagging several "you're
not _wrong_, but..." bits. In any case, it's only enabled with
fortification since we use that as a hint for wanting safer code.
what i really want for christmas is the annotation that lets me say
"this size_t argument tells you the size of this array argument" and
actually does something usefully fortify-like with that. i've seen
proposals like
https://discourse.llvm.org/t/rfc-enforcing-bounds-safety-in-c-fbounds-safety/70854/
but i haven't seen anything i can use yet, so you -- who do use GCC
which aiui has something along these lines already -- will find out
what's good/bad about it before i do...
I think a lot of this is covered by __access__, __alloc_size__ and the
upcoming __counted_by__ attributes. There are still gaps that something
like -fbounds-safety would cover (I think -fsanitize=bounds and
-fsanitize=object-size further cover some of those gaps but there's a
general lack of confidence in using them in production due to
performance concerns; fbounds-safety has those concerns too AFAICT) but
that gap is getting narrower.
Thanks,
Sid
