On 29/01/2021 01:03, Martin Sebor wrote:
> On 1/28/21 2:27 PM, David Malcolm via Gcc wrote:
>> On Thu, 2021-01-28 at 22:06 +0100, David Brown wrote:
>>> I wrote a feature request for gcc a while back, involving adding tag
>>> attributes to functions in order to ensure that certain classes of
>>> functions are only used from specific allowed functions. The feature
>>> request attracted only a little interest at the time. But I suspect it
>>> could work far better along with the kind of analysis you are doing
>>> with -fanalyzer than with the normal syntactical analyser in gcc.
>>> <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88391>
>>
>> Interesting. The attribute ideas seem designed to work with the
>> callgraph: partitioning the callgraph into families of functions for
>> which certain kinds of inter-partition edges are disallowed. Can a
>> function change its tag internally, or is it assumed that a function
>> has a single tag throughout its whole body? I see that you have a case
>> in example 3 where a compound statement is marked with an attribute
>> (which may be an extension of our syntax).
>
> Florian suggested a similar approach (tags) as an enhancement to
> the malloc attribute extension we've just added, to avoid having
> to exhaustively associate every allocator with every deallocator.
That could be nice - and it could be useful for all sorts of other
resource management, not just memory pools and allocators.
One thing that always concerns me about the "malloc" attribute and
memory pools is that the source of the pool has to come from somewhere
(such as an OS memory allocation, or perhaps static memory blocks)
and your allocator will generally have pointers to keep track of it.
That means the pointer given out by the malloc-type function /is/
aliased to existing memory theoretically accessible via other methods.
I've never felt entirely comfortable that home-made allocators are
actually completely safe and correct for all possible alias analysis.
(And I suspect the move towards provenance-based alias tracking will not
make this easier.)
Perhaps if there are tags for malloc-like function attributes, there
could be attributes that use the same tags to mark data blocks or
pointers as being the source for the allocator pools.
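To make the situation being discussed concrete, here is an added example of a pool allocator over a static buffer, declared with the GCC 11 `malloc (deallocator)` attribute form so that `-Wmismatched-dealloc` and `-fanalyzer` can pair it with its own release function. This is my own illustration, not code from the thread, from the bugzilla entry or from gcc itself; `pool_alloc`, `pool_free`, `g_pool` and the block geometry are hypothetical names and sizes chosen for the example. The `pool_ptr_in_backing_store()` check exists precisely to show the point raised above: every pointer the allocator hands out lies inside `g_pool.storage`, memory that is also reachable by name, so the no-alias promise of the plain `malloc` attribute is a promise the allocator's own data structures cannot keep in the general case. (As in glibc's headers, the example attaches both the plain attribute and the argument form; whether a pool allocator should carry the plain form at all is the question being raised.)

```c
/* Added example (not from the gcc thread): a fixed-size pool allocator
 * over a static buffer, declared with GCC 11's malloc(deallocator)
 * attribute so -Wmismatched-dealloc / -fanalyzer pair pool_alloc with
 * pool_free instead of free().  All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define POOL_BLOCK_SIZE 64
#define POOL_BLOCKS 8

/* Backing store: ordinary static memory, reachable through g_pool as
 * well as through every pointer pool_alloc hands out. */
static struct {
    uint8_t storage[POOL_BLOCKS][POOL_BLOCK_SIZE];
    uint8_t in_use[POOL_BLOCKS];
} g_pool;

void pool_free(void *p);

/* GCC 11+ understands malloc(deallocator); older GCC and clang do not,
 * so fall back to the plain attribute (or nothing) there. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
#define POOL_ALLOC_ATTR __attribute__((malloc, malloc(pool_free)))
#elif defined(__GNUC__)
#define POOL_ALLOC_ATTR __attribute__((malloc))
#else
#define POOL_ALLOC_ATTR
#endif

/* Hand out the first free block; NULL if n is too large or pool is full. */
POOL_ALLOC_ATTR void *pool_alloc(size_t n)
{
    if (n > POOL_BLOCK_SIZE)
        return NULL;
    for (size_t i = 0; i < POOL_BLOCKS; i++) {
        if (!g_pool.in_use[i]) {
            g_pool.in_use[i] = 1;
            return g_pool.storage[i];
        }
    }
    return NULL;
}

/* 1 if p points into the pool's static backing array (integer compare,
 * so no out-of-bounds pointer arithmetic is performed). */
int pool_ptr_in_backing_store(const void *p)
{
    uintptr_t base = (uintptr_t)&g_pool.storage[0][0];
    uintptr_t addr = (uintptr_t)p;
    return addr >= base && addr < base + sizeof g_pool.storage;
}

/* Release a block; a pointer that is not a block start is a caller bug. */
void pool_free(void *p)
{
    if (p == NULL)
        return;
    uintptr_t base = (uintptr_t)&g_pool.storage[0][0];
    uintptr_t addr = (uintptr_t)p;
    if (!pool_ptr_in_backing_store(p) || (addr - base) % POOL_BLOCK_SIZE != 0)
        abort();
    g_pool.in_use[(addr - base) / POOL_BLOCK_SIZE] = 0;
}

int pool_blocks_in_use(void)
{
    int n = 0;
    for (size_t i = 0; i < POOL_BLOCKS; i++)
        n += g_pool.in_use[i];
    return n;
}

/* Allocate one block, confirm it aliases the static store, release it.
 * Returns 1 on success. */
int pool_selftest_roundtrip(void)
{
    void *p = pool_alloc(16);
    if (p == NULL || !pool_ptr_in_backing_store(p))
        return 0;
    pool_free(p);
    return pool_blocks_in_use() == 0;
}

/* Drain the pool; returns how many blocks were obtained before NULL. */
int pool_selftest_exhaust(void)
{
    void *got[POOL_BLOCKS + 1];
    int n = 0;
    while (n <= POOL_BLOCKS && (got[n] = pool_alloc(1)) != NULL)
        n++;
    for (int i = 0; i < n; i++)
        pool_free(got[i]);
    return n;
}

#ifdef POOL_SHOW_MISMATCH
/* Deliberately wrong and never called: compile with -DPOOL_SHOW_MISMATCH
 * on GCC 11+ and -Wmismatched-dealloc (on by default) or -fanalyzer
 * reports the mismatched deallocator at compile time. */
void pool_misuse(void)
{
    free(pool_alloc(8));
}
#endif

int main(void)
{
    return (pool_selftest_roundtrip() && pool_selftest_exhaust() == POOL_BLOCKS) ? 0 : 1;
}
```

Build with `gcc -O2 -Wall -fanalyzer -DPOOL_SHOW_MISMATCH pool.c` on GCC 11 or later to see the mismatched-deallocator diagnostic for `pool_misuse`; without the define the program simply runs its two self-checks. The release check in `pool_free` aborts on a foreign pointer because silently clearing a random `in_use` slot would be a much worse failure than a crash.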