On 28/01/2021 22:27, David Malcolm wrote:
On Thu, 2021-01-28 at 22:06 +0100, David Brown wrote:
On 28/01/2021 21:23, David Malcolm via Gcc wrote:
I wrote a blog post covering what I've been working on in the
analyzer
in this release:
https://developers.redhat.com/blog/2021/01/28/static-analysis-updates-in-gcc-11/
As a gcc user, I am always glad to hear of more static analysis and
static warning work. My own work is mostly on small embedded
systems,
where "malloc" and friends are severely frowned upon in any case and
there is no file system, so most of the gcc 10 -fanalyzer warnings
are
of no direct use to me. (I still think they are great ideas - even
if
/I/ don't write much PC code, everyone benefits if there are fewer
bugs
in programs.) I will get more use for the new warnings you've added
for
gcc 11.
I wrote a feature request for gcc a while back, involving adding tag
attributes to functions in order to ensure that certain classes of
functions are only used from specific allowed functions. The feature
request attracted only a little interest at the time. But I suspect
it
could work far better along with the kind of analysis you are doing
with
-fanalyzer than with the normal syntactical analyser in gcc.
<https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88391>
Interesting. The attribute ideas seem designed to work with the
callgraph: partitioning the callgraph into families of functions for
which certain kinds of inter-partition edges are disallowed. Can a
function change its tag internally, or is it assumed that a function
has a single tag throughout its whole body? I see that you have a case
in example 3 where a compound statement is marked with an attribute
(which may be an extension of our syntax).
One thing I forgot to mention in the blog post is that the analyzer now
supports plugins; there's an example of a mutex-checking plugin here:
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=66dde7bc64b75d4a338266333c9c490b12d49825
which is similar to your examples 1 and 3. Your example 2 is also
reminiscent of the async-signal-unsafe checking that the analyzer has
(where it detects code paths that are called within a signal handler
and complains about bad calls within them). Many of the existing
checks in the analyzer are modelled as state machines (either global
state for things like "are we in a signal handler", or per-value state
for things like "has this pointer been freed"), and your examples could
be modelled that way too (e.g. "what sections are in RAM" could be a
global state) - so maybe it could all be done as analyzer plugins, in
lieu of implementing the RFE you posted.
Hope this is constructive
Dave
Thanks for the feedback.
Just to be clear, I am not particularly tied to the syntax I suggested
in the bugzilla suggestion - it is merely a starting point for ideas.
"caller_tag" and "callee_tag", for example, are probably too similar and
easily mixed up by people using the attributes. "needs_tag" and
"limit_to_tag" might be a better second suggestion. Or perhaps someone
else will think of a completely different arrangement to get a similar
end result.
Yes, I believe tying an attribute to a compound statement might be a new
idea, but that could just be because the only "statement attribute"
currently in gcc (AFAIK, from reading the manual) is "fallthrough" - and
it is generally applied to a null statement.
I suggested the possibility of attaching attributes to statements within
a function, so that the developer can make it clear when the tag is
acquired and released. But it is not essential - it would be fine to
simply say that the whole function is tagged, if that makes an
implementation simpler.
At least some of the potential uses here could be handled by C++ strong
typing and tag structs (carrying no data, but with restrictions on how
they can be created and copied around). But tag attributes, or an
equivalent mechanism, would let you do this in C as well, and it would
be less strict and structured - and thus easier to add to existing code.
