Re: [PATCH] warn for integer overflow in allocation calls (PR 96838)

Mon, 23 Nov 2020 13:38:26 -0800 

On 11/21/20 6:26 AM, Andrew MacLeod wrote:

On 11/21/20 12:07 AM, Jeff Law wrote:


On 11/9/20 9:00 AM, Martin Sebor wrote:

Ping:
https://gcc.gnu.org/pipermail/gcc-patches/2020-September/554000.html

Jeff, I don't expect to have the cycles to reimplement this patch
using the Ranger APIs before stage 1 closes.  I'm open to giving
it a try in stage 3 if it's still in scope for GCC 11.  Otherwise,
is this patch okay to commit?

So all we're going to get from the ranger is ranges of operands, right?
Meaning that we still need to either roll our own evaluator
(eval_size_vflow) or overload range_for_stmt with our own, which likely
looks like eval_size_vflow anyway, right?

My hope was to avoid the roll our own evaluator, but that doesn't look
like it's in the cards in the reasonably near future.


Is there a PR open showing what exactly you are looking for?

I'm using open PRs to track enhancement requests, and they will all feed 
back into the development roadmap  I am working on.


Not that I know of.  The background is upthread, in particular in
Aldy's response here:
https://gcc.gnu.org/pipermail/gcc-patches/2020-September/554242.html

I like the suggestion and if/when I have the time I'd like to give
it a try.  Until then, I think the patch is useful on its own so
I'll go with it for now.

Longer term, I do hope we can revisit the idea of computing either
mathematically correct ranges alongside those required by the language
semantics, or tracking signed overflow or unsigned wraparound.  E.g.,
in:

  void* f (int n)
  {
    if (n < INT_MAX / 3)
      n = INT_MAX / 3;

    n *= sizeof (int);
    // n is [(INT_MAX / 3) * 4, INF] mathematically
    // undefined due to overflow in C
    // but [INT_MIN, INT_MAX] according to VRP

    return malloc (n);
  }

and in

  void* g (unsigned n)
  {
    if (n < UINT_MAX / 3)
      n = UINT_MAX / 3;

    n *= sizeof (int);
    // n is [(UINT_MAX / 3) * 4, INF] mathematically
    // but [0, UINT_MAX] in C

    return malloc (n);
  }

In neither case is the overflow (or wraparound) easy to detect
without the Ranger's help.

Martin


If my summary of the current state is correct, then I'd suggest we go
with the patch as-is.  If we want to override eval_size_vflow in the
future, we can still do that.  And if we want to replace the call to
determine_value_range with a ranger API, that seems like a fairly
straightforward change to make in gcc-12.



Jeff



























					Reply via email to