On Monday, 18.11.2024 at 17:55 +0000, Qing Zhao wrote:
> Hi,
>
> I am working on extending "counted_by" attribute to pointers inside a
> structure per our previous discussion.
>
> I need advice on the following question:
>
> Should -fsanitize=bounds support an array reference that is made through a
> pointer that has the counted_by attribute?

I think the question is what -fsanitize=bounds is meant to be.

I am a bit frustrated with the sanitizer. On the one hand, it is not
doing enough to get spatial memory safety even where this would be
easily possible; on the other hand, it is pedantic about things which
are technically UB but not problematic, and then one is prevented from
using it.

When used in default mode, where execution continues, it also does not
mix well with many warnings, creates more code, and pulls in a library
dependency (and the library also depends on upstream choices / progress,
which seems a limitation for extensions).

What IMHO would be ideal is a protection mode for spatial memory safety
that simply adds traps (which then requires no library, has no issues
with other warnings, and could evolve independently from clang).

So shouldn't we just add a -fboundscheck (which would be like
-fsanitize=bounds -fsanitize-trap=bounds, just with more checking) and
make it really good? I think many people would be very happy about this.

Martin

>
> For the following small example:
>
> #include <stdlib.h>
>
> struct annotated {
>   int b;
>   int *c __attribute__ ((counted_by (b)));   /* c points to b ints */
> } *p_array_annotated;
>
> void __attribute__((__noinline__)) setup (int annotated_count)
> {
>   p_array_annotated
>     = (struct annotated *)malloc (sizeof (struct annotated));
>   p_array_annotated->c = (int *) malloc (annotated_count * sizeof (int));
>   p_array_annotated->b = annotated_count;
>
>   return;
> }
>
> int main(int argc, char *argv[])
> {
>   setup (10);
>   p_array_annotated->c[11] = 2;   /* out of bounds: c holds 10 ints */
>   return 0;
> }
>
> Should ubsan add instrumentation to the above reference
> p_array_annotated->c[11] inside routine "main"?
>
> From my understanding, ubsan does not add bound checking for any pointer
> reference now; however, when the "counted_by" attribute is attached to a
> pointer field inside a structure, the "bound" information for this pointer is
> known, so should we enhance ubsan to instrument such a reference?
>
> If yes, then should we add the following limitation for the end user:
>
> When the counted_by attribute is attached to a pointer field,
> -fsanitize=bounds only works for such a reference when the pointer is NOT cast
> to a type other than the original target type?
>
> Thanks for any comments and suggestions.
>
> Qing
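An added example, not code from the thread or from GCC: the check that instrumentation of p->c[idx] could insert once the compiler knows that c holds b elements, written out by hand so it compiles with any C compiler (the struct is the one from Qing's message without the attribute). It shows the two reactions discussed, report-and-continue versus trap, and it goes beyond the message by also covering the cast case raised in the last question: after c is cast to another pointer type, an element count in ints no longer describes the access, and the only thing left to check is a byte range against b * sizeof(int). All function names (annotated_index_ok, annotated_bytes_ok, annotated_store, annotated_new, demo) and the globals are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>

/* Same layout as the struct in the message, minus the attribute, so this
   compiles with compilers that do not know counted_by on pointers. */
struct annotated {
    int b;      /* number of int elements that c points to */
    int *c;     /* semantically: __attribute__((counted_by(b))) */
};

/* Two reactions, mirroring -fsanitize=bounds (report, then continue)
   and -fsanitize-trap=bounds / the proposed -fboundscheck (trap). */
enum bounds_mode { BOUNDS_REPORT, BOUNDS_TRAP };

static enum bounds_mode g_bounds_mode = BOUNDS_REPORT;
static int g_bounds_violations;   /* how many bad accesses the checks caught */

static void bounds_fail(const char *what, size_t value, size_t limit)
{
    g_bounds_violations++;
    if (g_bounds_mode == BOUNDS_TRAP)
        __builtin_trap();         /* GCC/Clang builtin; needs no runtime library */
    fprintf(stderr, "bounds: %s %zu not below limit %zu\n", what, value, limit);
}

/* Check for p->c[idx] while c is still used through its declared type:
   idx must be below p->b. Returns 1 if the access is in bounds. */
int annotated_index_ok(const struct annotated *p, size_t idx)
{
    size_t count = p->b < 0 ? 0 : (size_t)p->b;   /* negative count: nothing is valid */
    if (idx >= count) {
        bounds_fail("index", idx, count);
        return 0;
    }
    return 1;
}

/* Check for an access of nbytes at byte offset off through a cast of c
   (e.g. (char *)p->c): only the byte range [off, off + nbytes) can be
   compared against b * sizeof(int). Written to avoid off + nbytes wrapping. */
int annotated_bytes_ok(const struct annotated *p, size_t off, size_t nbytes)
{
    size_t limit = p->b < 0 ? 0 : (size_t)p->b * sizeof(int);
    if (off > limit || nbytes > limit - off) {
        bounds_fail("byte offset", off, limit);
        return 0;
    }
    return 1;
}

/* Checked store: the instrumented form of p->c[idx] = val.
   Returns 1 if the store happened, 0 if it was rejected. */
int annotated_store(struct annotated *p, size_t idx, int val)
{
    if (!annotated_index_ok(p, idx))
        return 0;
    p->c[idx] = val;
    return 1;
}

/* setup() from the message, with the allocation size computed overflow-safely
   and the count stored only after the allocation succeeded. */
struct annotated *annotated_new(int count)
{
    struct annotated *p;
    if (count < 0 || (size_t)count > SIZE_MAX / sizeof(int))
        return NULL;
    p = malloc(sizeof *p);
    if (!p)
        return NULL;
    p->c = calloc((size_t)count, sizeof(int));
    if (!p->c) { free(p); return NULL; }
    p->b = count;
    return p;
}

void annotated_free(struct annotated *p)
{
    if (p) { free(p->c); free(p); }
}

/* Replays the scenario from the message (10 ints, write to c[11]) plus two
   byte-range accesses through a cast. Returns how many accesses were rejected. */
int demo(void)
{
    struct annotated *p = annotated_new(10);
    int rejected = 0;
    if (!p)
        return -1;
    g_bounds_violations = 0;
    rejected += !annotated_store(p, 9, 1);       /* last valid element */
    rejected += !annotated_store(p, 11, 2);      /* the c[11] from the message */
    rejected += !annotated_bytes_ok(p, 36, 4);   /* bytes 36..39 of 40: fine */
    rejected += !annotated_bytes_ok(p, 40, 1);   /* one byte past the end */
    annotated_free(p);
    return rejected;
}

int main(void)
{
    int r = demo();
    printf("rejected %d of 4 accesses\n", r);
    return r == 2 ? 0 : 1;
}
```

In BOUNDS_REPORT mode the program continues after printing, which is what lets demo() count the rejections; switching g_bounds_mode to BOUNDS_TRAP turns the same check into the library-free trap that the reply argues for.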