Re: [RFA] [PATCH] Add a warning for invalid function casts
On Fri, Oct 6, 2017 at 2:06 PM, Bernd Edlingerwrote: > On 10/06/17 17:43, Martin Sebor wrote: >> On 10/06/2017 07:25 AM, Bernd Edlinger wrote: >>> On 10/05/17 18:16, Martin Sebor wrote: In my (very quick) tests the warning appears to trigger on all strictly incompatible conversions, even if they are otherwise benign, such as: int f (const int*); typedef int F (int*); F* pf1 = f;// -Wincompatible-pointer-types F* pf2 = (F*)f;// -Wcast-function-type Likewise by: int f (signed char); typedef int F (unsigned char); F* pf = (F*)f;// -Wcast-function-type I'd expect these conversions to be useful and would view warning for them with -Wextra as excessive. In fact, I'm not sure I see the benefit of warning on these casts under any circumstances. >>> >>> Well, while the first example should be safe, >>> the second one is probably not safe: >>> >>> Because the signed and unsigned char are promoted to int, >>> by the ABI but one is in the range -128..127 while the >>> other is in the range 0..255, right? >> >> Right. The cast is always safe but whether or not a call to such >> a function through the incompatible pointer is also safe depends >> on the definition of the function (and on the caller). If the >> function uses just the low bits of the argument then it's most >> likely fine for any argument. If the caller only calls it with >> values in the 7-bit range (e.g., the ASCII subset) then it's also >> fine. Otherwise there's the potential for the problem you pointed >> out. (Similarly, if in the first example I gave the cast added >> constness to the argument rather than removing it and the function >> modified the pointed-to object calling it through the incompatible >> pointer on a constant object would also be unsafe.) >> >> Another class of cases to consider are casts between functions >> taking pointers to different but related structs. Code like this >> could be written to mimic C++ calling a base class function on >> a derived object. >> >>struct Base { ... }; >>struct Derived { Base b; ... }; >> >>typedef void F (Derived*); >> >>void foo (Base*); >> >>F* pf = (F*)foo; >> > > Hmm, yes. > > I start to believe, that this warning should treat all pointers > as equivalent, but everything else need to be of the same type. > That would at least cover the majority of all "safe" use cases. > > And I need a way to by-pass the warning with a generic function > pointer type. uintptr_t is not the right choice, as you pointed > out already. > > But I also see problems with "int (*) ()" as a escape mechanism > because this declaration creates a warning in C with > -Wstrict-prototypes, and in C++ this syntax means "int (*) (void)" > while the C++ type "int (*) (...)" is rejected by the C front end. > Note also that besides -Wstrict-prototypes, there's also a warning from -Wold-style-definition if using it for a definition instead of a declaration. Also, if unprototyped functions are completely removed from C as Joseph mentioned in another branch of this thread, the code would be completely invalid: https://gcc.gnu.org/ml/gcc-patches/2017-10/msg00257.html > I start to believe that the type "void (*) (void)" is better suited for > this purpose, and it is already used in many programs as a type-less > wildcard function type. I see examples in libgo and libffi at least. > > > > Bernd.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On Fri, Oct 6, 2017 at 4:37 PM, Martin Seborwrote: > On 10/06/2017 12:06 PM, Bernd Edlinger wrote: >> >> On 10/06/17 17:43, Martin Sebor wrote: >>> >>> On 10/06/2017 07:25 AM, Bernd Edlinger wrote: On 10/05/17 18:16, Martin Sebor wrote: > > In my (very quick) tests the warning appears to trigger on all > strictly incompatible conversions, even if they are otherwise > benign, such as: > >int f (const int*); >typedef int F (int*); > >F* pf1 = f;// -Wincompatible-pointer-types >F* pf2 = (F*)f;// -Wcast-function-type > > Likewise by: > >int f (signed char); >typedef int F (unsigned char); > >F* pf = (F*)f;// -Wcast-function-type > > I'd expect these conversions to be useful and would view warning > for them with -Wextra as excessive. In fact, I'm not sure I see > the benefit of warning on these casts under any circumstances. > Well, while the first example should be safe, the second one is probably not safe: Because the signed and unsigned char are promoted to int, by the ABI but one is in the range -128..127 while the other is in the range 0..255, right? >>> >>> >>> Right. The cast is always safe but whether or not a call to such >>> a function through the incompatible pointer is also safe depends >>> on the definition of the function (and on the caller). If the >>> function uses just the low bits of the argument then it's most >>> likely fine for any argument. If the caller only calls it with >>> values in the 7-bit range (e.g., the ASCII subset) then it's also >>> fine. Otherwise there's the potential for the problem you pointed >>> out. (Similarly, if in the first example I gave the cast added >>> constness to the argument rather than removing it and the function >>> modified the pointed-to object calling it through the incompatible >>> pointer on a constant object would also be unsafe.) >>> >>> Another class of cases to consider are casts between functions >>> taking pointers to different but related structs. Code like this >>> could be written to mimic C++ calling a base class function on >>> a derived object. >>> >>>struct Base { ... }; >>>struct Derived { Base b; ... }; >>> >>>typedef void F (Derived*); >>> >>>void foo (Base*); >>> >>>F* pf = (F*)foo; >>> >> >> Hmm, yes. >> >> I start to believe, that this warning should treat all pointers >> as equivalent, but everything else need to be of the same type. >> That would at least cover the majority of all "safe" use cases. > > > Perhaps basing the warning on some form of structural equivalence > between function arguments might be useful. For instance, in > ILP32, casting between 'int foo (int)' and 'long foo (long)' and > calling the function is probably generally considered safe (even > though it's undefined by the language) and works as people expect > so avoiding the warning there would help keep the false positive > rate down. (Something like this might also work for the kernel > alias macros.) > > Similarly, casting between a function that returns a scalar smaller > than int and int and then calling it is probably safe (or maybe > even long, depending on the ABI). > > Casting a function returning a value to one returning void and > calling it through the result should always be safe. > > I would also suggest to consider disregarding qualifiers as those > are often among the reasons for intentional casts (e.g., when > mixing a legacy API and a more modern const-correct one). > > Casts are also not uncommon between variadic and ordinary function > types so some heuristic might be appropriate there. > >> >> And I need a way to by-pass the warning with a generic function >> pointer type. uintptr_t is not the right choice, as you pointed >> out already. >> >> But I also see problems with "int (*) ()" as a escape mechanism >> because this declaration creates a warning in C with >> -Wstrict-prototypes, and in C++ this syntax means "int (*) (void)" >> while the C++ type "int (*) (...)" is rejected by the C front end. > > > I wouldn't consider it a problem if the suppression mechanism were > different between languages. Most such casts are going to be in > source files (as opposed to C headers) so it should be fine to use > each language's unique form of function without a prototype. > > Martin Some codebases attempt to be compilable as both C and C++, whether it be by using -Wc++-compat, or having options to compile with either the C compiler or C++ compiler. In such cases, I'd prefer to keep the amounts of "#ifdef __cplusplus" required to a minimum; a suppression mechanic that works the same between languages would be much preferred.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/06/17 22:50, Jeff Law wrote: > On 10/06/2017 09:43 AM, Martin Sebor wrote: >> On 10/06/2017 07:25 AM, Bernd Edlinger wrote: >>> On 10/05/17 18:16, Martin Sebor wrote: In my (very quick) tests the warning appears to trigger on all strictly incompatible conversions, even if they are otherwise benign, such as: int f (const int*); typedef int F (int*); F* pf1 = f; // -Wincompatible-pointer-types F* pf2 = (F*)f; // -Wcast-function-type Likewise by: int f (signed char); typedef int F (unsigned char); F* pf = (F*)f; // -Wcast-function-type I'd expect these conversions to be useful and would view warning for them with -Wextra as excessive. In fact, I'm not sure I see the benefit of warning on these casts under any circumstances. >>> >>> Well, while the first example should be safe, >>> the second one is probably not safe: >>> >>> Because the signed and unsigned char are promoted to int, >>> by the ABI but one is in the range -128..127 while the >>> other is in the range 0..255, right? >> >> Right. The cast is always safe but whether or not a call to such >> a function through the incompatible pointer is also safe depends >> on the definition of the function (and on the caller). If the >> function uses just the low bits of the argument then it's most >> likely fine for any argument. If the caller only calls it with >> values in the 7-bit range (e.g., the ASCII subset) then it's also >> fine. Otherwise there's the potential for the problem you pointed >> out. (Similarly, if in the first example I gave the cast added >> constness to the argument rather than removing it and the function >> modified the pointed-to object calling it through the incompatible >> pointer on a constant object would also be unsafe.) >> >> Another class of cases to consider are casts between functions >> taking pointers to different but related structs. Code like this >> could be written to mimic C++ calling a base class function on >> a derived object. >> >> struct Base { ... }; >> struct Derived { Base b; ... }; >> >> typedef void F (Derived*); >> >> void foo (Base*); >> >> F* pf = (F*)foo; > Yea. And one might even find such code in BFD. It certainly mimicks > C++ base and derived classes using C, so it has significant potential to > have this kind of code. > jeff > Yes, absolutely. This use case makes up 99% of all places where I saw the warning until now. I will try to ignore all pointer types and see how that works out on some code bases I have access to. When that works as expected we should be able to see what heuristics need to be added next. FYI I have attached what I am currently bootstrapping. Bernd. gcc: 2017-10-06 Bernd Edlinger* doc/invoke.texi: Document -Wcast-function-type. * recog.h (stored_funcptr): Change signature. * tree-dump.c (dump_node): Avoid warning. * typed-splay-tree.h (typed_splay_tree): Avoid warning. libcpp: 2017-10-06 Bernd Edlinger * internal.h (maybe_print_line): Change signature. c-family: 2017-10-06 Bernd Edlinger * c.opt (Wcast-function-type): New warning option. * c-lex.c (get_fileinfo): Avoid warning. * c-ppoutput.c (scan_translation_unit_directives_only): Remove cast. c: 2017-10-06 Bernd Edlinger * c-typeck.c (c_safe_function_type_cast_p): New helper function. (build_c_cast): Implement -Wcast_function_type. cp: 2017-10-06 Bernd Edlinger * decl2.c (start_static_storage_duration_function): Aboid warning. * typeck.c (+cxx_safe_function_type_cast_p): New helper function. (build_reinterpret_cast_1): Implement -Wcast_function_type. testsuite: 2017-10-06 Bernd Edlinger * c-c++-common/Wcast-function-type.c: New test. Index: gcc/c/c-typeck.c === --- gcc/c/c-typeck.c (revision 253493) +++ gcc/c/c-typeck.c (working copy) @@ -5474,6 +5474,36 @@ handle_warn_cast_qual (location_t loc, tree type, while (TREE_CODE (in_type) == POINTER_TYPE); } +/* Check if a type cast between two function types can be considered safe. */ + +static bool +c_safe_function_type_cast_p (tree t1, tree t2) +{ + if (TREE_TYPE (t1) == void_type_node && + TYPE_ARG_TYPES (t1) == void_list_node) +return true; + + if (TREE_TYPE (t2) == void_type_node && + TYPE_ARG_TYPES (t2) == void_list_node) +return true; + + if (!comptypes (TREE_TYPE (t1), TREE_TYPE (t2))) +return false; + + for (t1 = TYPE_ARG_TYPES (t1), t2 = TYPE_ARG_TYPES (t2); + t1 && t2; + t1 = TREE_CHAIN (t1), t2 = TREE_CHAIN (t2)) +{ + if (TREE_CODE (TREE_VALUE (t1)) == POINTER_TYPE +
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/06/2017 09:43 AM, Martin Sebor wrote: > On 10/06/2017 07:25 AM, Bernd Edlinger wrote: >> On 10/05/17 18:16, Martin Sebor wrote: >>> In my (very quick) tests the warning appears to trigger on all >>> strictly incompatible conversions, even if they are otherwise >>> benign, such as: >>> >>> int f (const int*); >>> typedef int F (int*); >>> >>> F* pf1 = f; // -Wincompatible-pointer-types >>> F* pf2 = (F*)f; // -Wcast-function-type >>> >>> Likewise by: >>> >>> int f (signed char); >>> typedef int F (unsigned char); >>> >>> F* pf = (F*)f; // -Wcast-function-type >>> >>> I'd expect these conversions to be useful and would view warning >>> for them with -Wextra as excessive. In fact, I'm not sure I see >>> the benefit of warning on these casts under any circumstances. >>> >> >> Well, while the first example should be safe, >> the second one is probably not safe: >> >> Because the signed and unsigned char are promoted to int, >> by the ABI but one is in the range -128..127 while the >> other is in the range 0..255, right? > > Right. The cast is always safe but whether or not a call to such > a function through the incompatible pointer is also safe depends > on the definition of the function (and on the caller). If the > function uses just the low bits of the argument then it's most > likely fine for any argument. If the caller only calls it with > values in the 7-bit range (e.g., the ASCII subset) then it's also > fine. Otherwise there's the potential for the problem you pointed > out. (Similarly, if in the first example I gave the cast added > constness to the argument rather than removing it and the function > modified the pointed-to object calling it through the incompatible > pointer on a constant object would also be unsafe.) > > Another class of cases to consider are casts between functions > taking pointers to different but related structs. Code like this > could be written to mimic C++ calling a base class function on > a derived object. > > struct Base { ... }; > struct Derived { Base b; ... }; > > typedef void F (Derived*); > > void foo (Base*); > > F* pf = (F*)foo; Yea. And one might even find such code in BFD. It certainly mimicks C++ base and derived classes using C, so it has significant potential to have this kind of code. jeff
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/05/2017 03:47 PM, Joseph Myers wrote: > On Thu, 5 Oct 2017, Bernd Edlinger wrote: > >> Maybe it would be good to not warn in type-casts, when they can be >> assumed to be safe, for instance >> void* <-> any pointer (parameter or result), >> uintptr_t <-> any int, any pointer (parameter or result), >> void (*) (void) and void (*) (...) <-> any function pointer. > > Well, void * and uintptr_t aren't necessarily interchangable at the ABI > level. At least, the m68k ABI returns integers in %d0 and pointers in > %a0; I don't know if any other ABIs have that peculiarity. > The mn103 (live) and mn102 (dead) probably do. But my memory is getting fuzzy on those. jeff
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/06/2017 12:06 PM, Bernd Edlinger wrote: On 10/06/17 17:43, Martin Sebor wrote: On 10/06/2017 07:25 AM, Bernd Edlinger wrote: On 10/05/17 18:16, Martin Sebor wrote: In my (very quick) tests the warning appears to trigger on all strictly incompatible conversions, even if they are otherwise benign, such as: int f (const int*); typedef int F (int*); F* pf1 = f;// -Wincompatible-pointer-types F* pf2 = (F*)f;// -Wcast-function-type Likewise by: int f (signed char); typedef int F (unsigned char); F* pf = (F*)f;// -Wcast-function-type I'd expect these conversions to be useful and would view warning for them with -Wextra as excessive. In fact, I'm not sure I see the benefit of warning on these casts under any circumstances. Well, while the first example should be safe, the second one is probably not safe: Because the signed and unsigned char are promoted to int, by the ABI but one is in the range -128..127 while the other is in the range 0..255, right? Right. The cast is always safe but whether or not a call to such a function through the incompatible pointer is also safe depends on the definition of the function (and on the caller). If the function uses just the low bits of the argument then it's most likely fine for any argument. If the caller only calls it with values in the 7-bit range (e.g., the ASCII subset) then it's also fine. Otherwise there's the potential for the problem you pointed out. (Similarly, if in the first example I gave the cast added constness to the argument rather than removing it and the function modified the pointed-to object calling it through the incompatible pointer on a constant object would also be unsafe.) Another class of cases to consider are casts between functions taking pointers to different but related structs. Code like this could be written to mimic C++ calling a base class function on a derived object. struct Base { ... }; struct Derived { Base b; ... }; typedef void F (Derived*); void foo (Base*); F* pf = (F*)foo; Hmm, yes. I start to believe, that this warning should treat all pointers as equivalent, but everything else need to be of the same type. That would at least cover the majority of all "safe" use cases. Perhaps basing the warning on some form of structural equivalence between function arguments might be useful. For instance, in ILP32, casting between 'int foo (int)' and 'long foo (long)' and calling the function is probably generally considered safe (even though it's undefined by the language) and works as people expect so avoiding the warning there would help keep the false positive rate down. (Something like this might also work for the kernel alias macros.) Similarly, casting between a function that returns a scalar smaller than int and int and then calling it is probably safe (or maybe even long, depending on the ABI). Casting a function returning a value to one returning void and calling it through the result should always be safe. I would also suggest to consider disregarding qualifiers as those are often among the reasons for intentional casts (e.g., when mixing a legacy API and a more modern const-correct one). Casts are also not uncommon between variadic and ordinary function types so some heuristic might be appropriate there. And I need a way to by-pass the warning with a generic function pointer type. uintptr_t is not the right choice, as you pointed out already. But I also see problems with "int (*) ()" as a escape mechanism because this declaration creates a warning in C with -Wstrict-prototypes, and in C++ this syntax means "int (*) (void)" while the C++ type "int (*) (...)" is rejected by the C front end. I wouldn't consider it a problem if the suppression mechanism were different between languages. Most such casts are going to be in source files (as opposed to C headers) so it should be fine to use each language's unique form of function without a prototype. Martin
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/06/17 17:43, Martin Sebor wrote: > On 10/06/2017 07:25 AM, Bernd Edlinger wrote: >> On 10/05/17 18:16, Martin Sebor wrote: >>> In my (very quick) tests the warning appears to trigger on all >>> strictly incompatible conversions, even if they are otherwise >>> benign, such as: >>> >>> int f (const int*); >>> typedef int F (int*); >>> >>> F* pf1 = f; // -Wincompatible-pointer-types >>> F* pf2 = (F*)f; // -Wcast-function-type >>> >>> Likewise by: >>> >>> int f (signed char); >>> typedef int F (unsigned char); >>> >>> F* pf = (F*)f; // -Wcast-function-type >>> >>> I'd expect these conversions to be useful and would view warning >>> for them with -Wextra as excessive. In fact, I'm not sure I see >>> the benefit of warning on these casts under any circumstances. >>> >> >> Well, while the first example should be safe, >> the second one is probably not safe: >> >> Because the signed and unsigned char are promoted to int, >> by the ABI but one is in the range -128..127 while the >> other is in the range 0..255, right? > > Right. The cast is always safe but whether or not a call to such > a function through the incompatible pointer is also safe depends > on the definition of the function (and on the caller). If the > function uses just the low bits of the argument then it's most > likely fine for any argument. If the caller only calls it with > values in the 7-bit range (e.g., the ASCII subset) then it's also > fine. Otherwise there's the potential for the problem you pointed > out. (Similarly, if in the first example I gave the cast added > constness to the argument rather than removing it and the function > modified the pointed-to object calling it through the incompatible > pointer on a constant object would also be unsafe.) > > Another class of cases to consider are casts between functions > taking pointers to different but related structs. Code like this > could be written to mimic C++ calling a base class function on > a derived object. > > struct Base { ... }; > struct Derived { Base b; ... }; > > typedef void F (Derived*); > > void foo (Base*); > > F* pf = (F*)foo; > Hmm, yes. I start to believe, that this warning should treat all pointers as equivalent, but everything else need to be of the same type. That would at least cover the majority of all "safe" use cases. And I need a way to by-pass the warning with a generic function pointer type. uintptr_t is not the right choice, as you pointed out already. But I also see problems with "int (*) ()" as a escape mechanism because this declaration creates a warning in C with -Wstrict-prototypes, and in C++ this syntax means "int (*) (void)" while the C++ type "int (*) (...)" is rejected by the C front end. I start to believe that the type "void (*) (void)" is better suited for this purpose, and it is already used in many programs as a type-less wildcard function type. I see examples in libgo and libffi at least. Bernd.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/06/2017 07:25 AM, Bernd Edlinger wrote: On 10/05/17 18:16, Martin Sebor wrote: In my (very quick) tests the warning appears to trigger on all strictly incompatible conversions, even if they are otherwise benign, such as: int f (const int*); typedef int F (int*); F* pf1 = f;// -Wincompatible-pointer-types F* pf2 = (F*)f;// -Wcast-function-type Likewise by: int f (signed char); typedef int F (unsigned char); F* pf = (F*)f;// -Wcast-function-type I'd expect these conversions to be useful and would view warning for them with -Wextra as excessive. In fact, I'm not sure I see the benefit of warning on these casts under any circumstances. Well, while the first example should be safe, the second one is probably not safe: Because the signed and unsigned char are promoted to int, by the ABI but one is in the range -128..127 while the other is in the range 0..255, right? Right. The cast is always safe but whether or not a call to such a function through the incompatible pointer is also safe depends on the definition of the function (and on the caller). If the function uses just the low bits of the argument then it's most likely fine for any argument. If the caller only calls it with values in the 7-bit range (e.g., the ASCII subset) then it's also fine. Otherwise there's the potential for the problem you pointed out. (Similarly, if in the first example I gave the cast added constness to the argument rather than removing it and the function modified the pointed-to object calling it through the incompatible pointer on a constant object would also be unsafe.) Another class of cases to consider are casts between functions taking pointers to different but related structs. Code like this could be written to mimic C++ calling a base class function on a derived object. struct Base { ... }; struct Derived { Base b; ... }; typedef void F (Derived*); void foo (Base*); F* pf = (F*)foo; Martin
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/05/17 18:16, Martin Sebor wrote: > In my (very quick) tests the warning appears to trigger on all > strictly incompatible conversions, even if they are otherwise > benign, such as: > > int f (const int*); > typedef int F (int*); > > F* pf1 = f; // -Wincompatible-pointer-types > F* pf2 = (F*)f; // -Wcast-function-type > > Likewise by: > > int f (signed char); > typedef int F (unsigned char); > > F* pf = (F*)f; // -Wcast-function-type > > I'd expect these conversions to be useful and would view warning > for them with -Wextra as excessive. In fact, I'm not sure I see > the benefit of warning on these casts under any circumstances. > Well, while the first example should be safe, the second one is probably not safe: Because the signed and unsigned char are promoted to int, by the ABI but one is in the range -128..127 while the other is in the range 0..255, right? Bernd.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/05/2017 03:04 PM, Bernd Edlinger wrote: On 10/05/17 18:16, Martin Sebor wrote: On 10/03/2017 01:33 PM, Bernd Edlinger wrote: I'm not sure if this warning may be a bit too strict, but I think so far it just triggered on rather questionable code. Thoughts? My initial thought is that although casts between incompatible function types undoubtedly mask bugs, the purpose of such casts is to make such conversions possible. Indiscriminately diagnosing them would essentially eliminate this feature of the type system. Having to add another cast to a different type(*) to suppress the warning when such a conversion is intended doesn't seem like a good solution (the next logical step to find bugs in those conversions would then be to add another warning to see through those additional casts, and so on). With that, my question is: under what circumstances does the warning not trigger on a cast to a function of an incompatible type? In my (very quick) tests the warning appears to trigger on all strictly incompatible conversions, even if they are otherwise benign, such as: int f (const int*); typedef int F (int*); F* pf1 = f;// -Wincompatible-pointer-types F* pf2 = (F*)f;// -Wcast-function-type Likewise by: int f (signed char); typedef int F (unsigned char); F* pf = (F*)f;// -Wcast-function-type I'd expect these conversions to be useful and would view warning for them with -Wextra as excessive. In fact, I'm not sure I see the benefit of warning on these casts under any circumstances. Similarly, for casts between pointers to the same integer type with a different sign, or those involving ILP32/LP64 portability issues I'd expect the warning not to trigger unless requested (e.g., by some other option targeting those issues). So based on these initial observations and despite the bugs it may have uncovered, I share your concern that the warning in its present form is too strict to be suitable for -Wextra, or possibly even too noisy to be of practical use on its own and outside of -Wextra. Out of curiosity, have you done any tests on other code bases besides GCC to see how many issues (true and false positives) it finds? Martin [*] Strictly speaking, the semantics of casting a function pointer to intptr_t aren't necessarily well-defined. Only void* can be portably converted to intptr_t and back, and only object pointers are required to be convertible to void* and back. And although GCC defines the semantics of these conversions, forcing programs to abandon a well defined language feature in favor of one that's not as cleanly specified would undermine the goal the warning is meant to achieve. Thanks for your advice. I did look into openssl and linux, both have plenty of -Wcast-function-type warnings. In the case of openssl it is lots of similar stuff crypto/aes/aes_cfb.c:25:27: warning: cast between incompatible function types from 'void (*)(const unsigned char *, unsigned char *, const AES_KEY *) {aka void (*)(const unsigned char *, unsigned char *, const struct aes_key_st *)}' to 'void (*)(const unsigned char *, unsigned char *, const void *)' [-Wcast-function-type] (block128_f) AES_encrypt); The problem is the function is of course called with a different signature than what is declared. They take it somehow for granted, that "void*" or "const void*" parameter are an alias for any pointer or any const pointer. Either as parameter or as return code. I would believe this is not well-defined by the c-standard. But it makes the warning less useful because it would be impossible to spot the few places where the call will actually abort at runtime. Then I tried to compile linux, I noticed that there is a new warning for the alias to incompatible function. I saw it very often, and it is always when a system call is defined: ./include/linux/compat.h:50:18: Warnung: »compat_sys_ptrace« alias between functions of incompatible types »long int(compat_long_t, compat_long_t, compat_long_t, compat_long_t) {alias long int(int, int, int, int)}« and »long int(long int, long int, long int, long int)« [-Wattributes] asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))\ ./include/linux/syscalls.h:211:18: Warnung: »sys_rt_sigprocmask« alias between functions of incompatible types »long int(int, sigset_t *, sigset_t *, size_t) {alias long int(int, struct *, struct *, long unsigned int)}« and »long int(long int, long int, long int, long int)« [-Wattributes] asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ Needless to say that even more Wcast-function-type warning happen. ./include/linux/timer.h:178:23: Warnung: cast between incompatible function types from »void (*)(struct timer_list *)« to »void (*)(long unsigned int)« [-Wcast-function-type] __setup_timer(timer, (TIMER_FUNC_TYPE)callback, So they assume obviously that any int / long / pointer value are compatible with uintptr_t and intptr_t.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On Thu, 5 Oct 2017, Bernd Edlinger wrote: > Maybe it would be good to not warn in type-casts, when they can be > assumed to be safe, for instance > void* <-> any pointer (parameter or result), > uintptr_t <-> any int, any pointer (parameter or result), > void (*) (void) and void (*) (...) <-> any function pointer. Well, void * and uintptr_t aren't necessarily interchangable at the ABI level. At least, the m68k ABI returns integers in %d0 and pointers in %a0; I don't know if any other ABIs have that peculiarity. -- Joseph S. Myers jos...@codesourcery.com
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/05/17 18:16, Martin Sebor wrote: > On 10/03/2017 01:33 PM, Bernd Edlinger wrote: >> >> I'm not sure if this warning may be a bit too strict, but I think >> so far it just triggered on rather questionable code. >> >> Thoughts? > > My initial thought is that although casts between incompatible > function types undoubtedly mask bugs, the purpose of such casts > is to make such conversions possible. Indiscriminately diagnosing > them would essentially eliminate this feature of the type system. > Having to add another cast to a different type(*) to suppress > the warning when such a conversion is intended doesn't seem like > a good solution (the next logical step to find bugs in those > conversions would then be to add another warning to see through > those additional casts, and so on). > > With that, my question is: under what circumstances does the > warning not trigger on a cast to a function of an incompatible > type? > > In my (very quick) tests the warning appears to trigger on all > strictly incompatible conversions, even if they are otherwise > benign, such as: > > int f (const int*); > typedef int F (int*); > > F* pf1 = f; // -Wincompatible-pointer-types > F* pf2 = (F*)f; // -Wcast-function-type > > Likewise by: > > int f (signed char); > typedef int F (unsigned char); > > F* pf = (F*)f; // -Wcast-function-type > > I'd expect these conversions to be useful and would view warning > for them with -Wextra as excessive. In fact, I'm not sure I see > the benefit of warning on these casts under any circumstances. > > Similarly, for casts between pointers to the same integer type > with a different sign, or those involving ILP32/LP64 portability > issues I'd expect the warning not to trigger unless requested > (e.g., by some other option targeting those issues). > > So based on these initial observations and despite the bugs it > may have uncovered, I share your concern that the warning in > its present form is too strict to be suitable for -Wextra, or > possibly even too noisy to be of practical use on its own and > outside of -Wextra. > > Out of curiosity, have you done any tests on other code bases > besides GCC to see how many issues (true and false positives) > it finds? > > Martin > > [*] Strictly speaking, the semantics of casting a function > pointer to intptr_t aren't necessarily well-defined. Only void* > can be portably converted to intptr_t and back, and only object > pointers are required to be convertible to void* and back. And > although GCC defines the semantics of these conversions, forcing > programs to abandon a well defined language feature in favor of > one that's not as cleanly specified would undermine the goal > the warning is meant to achieve. Thanks for your advice. I did look into openssl and linux, both have plenty of -Wcast-function-type warnings. In the case of openssl it is lots of similar stuff crypto/aes/aes_cfb.c:25:27: warning: cast between incompatible function types from 'void (*)(const unsigned char *, unsigned char *, const AES_KEY *) {aka void (*)(const unsigned char *, unsigned char *, const struct aes_key_st *)}' to 'void (*)(const unsigned char *, unsigned char *, const void *)' [-Wcast-function-type] (block128_f) AES_encrypt); The problem is the function is of course called with a different signature than what is declared. They take it somehow for granted, that "void*" or "const void*" parameter are an alias for any pointer or any const pointer. Either as parameter or as return code. I would believe this is not well-defined by the c-standard. But it makes the warning less useful because it would be impossible to spot the few places where the call will actually abort at runtime. Then I tried to compile linux, I noticed that there is a new warning for the alias to incompatible function. I saw it very often, and it is always when a system call is defined: ./include/linux/compat.h:50:18: Warnung: »compat_sys_ptrace« alias between functions of incompatible types »long int(compat_long_t, compat_long_t, compat_long_t, compat_long_t) {alias long int(int, int, int, int)}« and »long int(long int, long int, long int, long int)« [-Wattributes] asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))\ ./include/linux/syscalls.h:211:18: Warnung: »sys_rt_sigprocmask« alias between functions of incompatible types »long int(int, sigset_t *, sigset_t *, size_t) {alias long int(int, struct *, struct *, long unsigned int)}« and »long int(long int, long int, long int, long int)« [-Wattributes] asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ Needless to say that even more Wcast-function-type warning happen. ./include/linux/timer.h:178:23: Warnung: cast between incompatible function types from »void (*)(struct timer_list *)« to »void (*)(long unsigned int)« [-Wcast-function-type] __setup_timer(timer, (TIMER_FUNC_TYPE)callback, So they
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/5/17, Bernd Edlingerwrote: > On 10/05/17 02:24, Eric Gallager wrote: >> Sorry if this is a stupid question, but could you explain how this >> warning is different from -Wbad-function-cast? Something about direct >> calls to functions vs. passing them as function pointers? > > No, it is not :) > > -Wbad-function-cast is IMHO a strange legacy warning. > > It is C-only, and it triggers only if the result of a function call > is cast to a type with a different TREE_CODE, so for instance > int <-> float <-> pointer. > > It would trigger for perfectly valid code like this: > > i = (int) floor (f); > > while we have no warning for > > i = floor (f); > > What I want to diagnose is assigning a function pointer via an explicit > type cast to another function pointer, when there is no possible > implicit conversion between the two function pointer types. > Thus the cast was used to silence a warning/error in the first place. OK, thanks for explaining! I kinda worry about warning on code that was added to silence other warnings in the first place, as it can lead to frustration when making a fix expecting the number of warnings when compiling to decrease, but then they don't actually decrease. But as long as there's a simple way to fix the warned-on code that silences both the original warning being avoided, and this new one, I see how it'll be useful. > > The idea for this warning came up when someone spotted a place in > openssl, where a type cast was used to change the return value of a > callback function from long to int: > > https://github.com/openssl/openssl/issues/4413 > > But due to the type cast there was never ever any warning from this > invalid type cast. > > > Bernd. > Thanks for working on this! Eric
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/03/2017 01:33 PM, Bernd Edlinger wrote: Hi! I have implemented a warning -Wcast-function-type that analyzes type casts which change the function signatures. I would consider function pointers with different result type invalid, also if both function types have a non-null TYPE_ARG_TYPES I would say this deserves a warning. As an exception I have used for instance in recog.h, the warning allows casting a function with the type typedef rtx (*stored_funcptr) (...); to any function with the same result type. I would think a warning like that should be enabled with -Wextra. Attached is a first version of the patch and as you can see the warning found already lots of suspicious type casts. The worst is the splay-tree which always calls functions with uintptr_t instead of the correct parameter type. I was unable to find a solution for this, and just silenced the warning with a second type-cast. Note that I also changed one line in libgo, but that is only a quick hack which I only did to make the boot-strap with all languages succeed. I'm not sure if this warning may be a bit too strict, but I think so far it just triggered on rather questionable code. Thoughts? My initial thought is that although casts between incompatible function types undoubtedly mask bugs, the purpose of such casts is to make such conversions possible. Indiscriminately diagnosing them would essentially eliminate this feature of the type system. Having to add another cast to a different type(*) to suppress the warning when such a conversion is intended doesn't seem like a good solution (the next logical step to find bugs in those conversions would then be to add another warning to see through those additional casts, and so on). With that, my question is: under what circumstances does the warning not trigger on a cast to a function of an incompatible type? In my (very quick) tests the warning appears to trigger on all strictly incompatible conversions, even if they are otherwise benign, such as: int f (const int*); typedef int F (int*); F* pf1 = f;// -Wincompatible-pointer-types F* pf2 = (F*)f;// -Wcast-function-type Likewise by: int f (signed char); typedef int F (unsigned char); F* pf = (F*)f;// -Wcast-function-type I'd expect these conversions to be useful and would view warning for them with -Wextra as excessive. In fact, I'm not sure I see the benefit of warning on these casts under any circumstances. Similarly, for casts between pointers to the same integer type with a different sign, or those involving ILP32/LP64 portability issues I'd expect the warning not to trigger unless requested (e.g., by some other option targeting those issues). So based on these initial observations and despite the bugs it may have uncovered, I share your concern that the warning in its present form is too strict to be suitable for -Wextra, or possibly even too noisy to be of practical use on its own and outside of -Wextra. Out of curiosity, have you done any tests on other code bases besides GCC to see how many issues (true and false positives) it finds? Martin [*] Strictly speaking, the semantics of casting a function pointer to intptr_t aren't necessarily well-defined. Only void* can be portably converted to intptr_t and back, and only object pointers are required to be convertible to void* and back. And although GCC defines the semantics of these conversions, forcing programs to abandon a well defined language feature in favor of one that's not as cleanly specified would undermine the goal the warning is meant to achieve.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On Thu, 5 Oct 2017, Bernd Edlinger wrote: > But why is int(*)(int) compatible to (int)(*)() but not > to int(*)(int,...) ? I think it's a matter of what function types were possible in K C. variadic types weren't (there was an older ), and neither were types with arguments of type float or narrower-than-int integers (because those always got promoted to a wider type when passed as function arguments to an unprototyped function). And those types that were impossible in K C always require function prototypes. (The possibility of function types without a prototype is a legacy feature. There was some suggestion of removing it for C11, but no-one ever produced a paper for WG14 proposing the actual wording changes that would have been needed.) -- Joseph S. Myers jos...@codesourcery.com
Re: [RFA] [PATCH] Add a warning for invalid function casts
On Okt 05 2017, Bernd Edlingerwrote: > The idea for this warning came up when someone spotted a place in > openssl, where a type cast was used to change the return value of a > callback function from long to int: > > https://github.com/openssl/openssl/issues/4413 > > But due to the type cast there was never ever any warning from this > invalid type cast. Note that the type cast itself is perfectly valid (all function pointers are alike), but it's the call site that is problematic: unless it casts back to the real type of the function before the call it is causing undefined behviour. Andreas. -- Andreas Schwab, SUSE Labs, sch...@suse.de GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7 "And now for something completely different."
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/03/17 23:34, Joseph Myers wrote: > On Tue, 3 Oct 2017, Bernd Edlinger wrote: > >> invalid, also if both function types have a non-null TYPE_ARG_TYPES >> I would say this deserves a warning. As an exception I have > > I'm not convinced by the TYPE_ARG_TYPES check, at least for C. > I will drop that, for C and C++, and try to get it working without that kludge. > In C, unprototyped function types are not compatible with variadic > function types or functions with argument types changed by default > argument promotions (that is, int () and int (char) and int (int, ...) are > all incompatible). I'd think it appropriate to warn about such > conversions, given that they are cases where calling the converted > function has undefined behavior. > Right, interesting is that this does not produce a warning, int test(int); int foo() { int (*x)(); x = test; return x(1); } while the following example produces a warning: int test(int,...); int foo() { int (*x)(int); x = test; return x(1); } gcc -Wall -W -S t1.c t1.c: In function 'foo': t1.c:6:5: warning: assignment to 'int (*)(int)' from incompatible pointer type 'int (*)(int)' [-Wincompatible-pointer-types] x = test; ^ I will send a patch that adds ", ..." to the parameter list in the diagnostics... But why is int(*)(int) compatible to (int)(*)() but not to int(*)(int,...) ? > There may well be cases of interfaces where void (*) (void) is used as a > generic function pointer type (always converted to / from the actual type > of the function in question), for which this warning would not be > suitable. > Yes, those would get a warning, or have to add a cast to uintptr_t, if it is not possible to fix the code otherwise. libffi does this... Bernd.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On 10/05/17 02:24, Eric Gallager wrote: > Sorry if this is a stupid question, but could you explain how this > warning is different from -Wbad-function-cast? Something about direct > calls to functions vs. passing them as function pointers? No, it is not :) -Wbad-function-cast is IMHO a strange legacy warning. It is C-only, and it triggers only if the result of a function call is cast to a type with a different TREE_CODE, so for instance int <-> float <-> pointer. It would trigger for perfectly valid code like this: i = (int) floor (f); while we have no warning for i = floor (f); What I want to diagnose is assigning a function pointer via an explicit type cast to another function pointer, when there is no possible implicit conversion between the two function pointer types. Thus the cast was used to silence a warning/error in the first place. The idea for this warning came up when someone spotted a place in openssl, where a type cast was used to change the return value of a callback function from long to int: https://github.com/openssl/openssl/issues/4413 But due to the type cast there was never ever any warning from this invalid type cast. Bernd.
Re: [RFA] [PATCH] Add a warning for invalid function casts
On Tue, Oct 3, 2017 at 3:33 PM, Bernd Edlingerwrote: > Hi! > > I have implemented a warning -Wcast-function-type that analyzes > type casts which change the function signatures. > > I would consider function pointers with different result type > invalid, also if both function types have a non-null TYPE_ARG_TYPES > I would say this deserves a warning. As an exception I have > used for instance in recog.h, the warning allows casting > a function with the type typedef rtx (*stored_funcptr) (...); > to any function with the same result type. > > I would think a warning like that should be enabled with -Wextra. > > Attached is a first version of the patch and as you can see > the warning found already lots of suspicious type casts. The worst > is the splay-tree which always calls functions with uintptr_t > instead of the correct parameter type. I was unable to find > a solution for this, and just silenced the warning with a > second type-cast. > > Note that I also changed one line in libgo, but that is only > a quick hack which I only did to make the boot-strap with > all languages succeed. > > I'm not sure if this warning may be a bit too strict, but I think > so far it just triggered on rather questionable code. > > Thoughts? > > > Bernd. Sorry if this is a stupid question, but could you explain how this warning is different from -Wbad-function-cast? Something about direct calls to functions vs. passing them as function pointers?
Re: [RFA] [PATCH] Add a warning for invalid function casts
On Tue, 3 Oct 2017, Bernd Edlinger wrote: > invalid, also if both function types have a non-null TYPE_ARG_TYPES > I would say this deserves a warning. As an exception I have I'm not convinced by the TYPE_ARG_TYPES check, at least for C. In C, unprototyped function types are not compatible with variadic function types or functions with argument types changed by default argument promotions (that is, int () and int (char) and int (int, ...) are all incompatible). I'd think it appropriate to warn about such conversions, given that they are cases where calling the converted function has undefined behavior. There may well be cases of interfaces where void (*) (void) is used as a generic function pointer type (always converted to / from the actual type of the function in question), for which this warning would not be suitable. -- Joseph S. Myers jos...@codesourcery.com
[RFA] [PATCH] Add a warning for invalid function casts
Hi! I have implemented a warning -Wcast-function-type that analyzes type casts which change the function signatures. I would consider function pointers with different result type invalid, also if both function types have a non-null TYPE_ARG_TYPES I would say this deserves a warning. As an exception I have used for instance in recog.h, the warning allows casting a function with the type typedef rtx (*stored_funcptr) (...); to any function with the same result type. I would think a warning like that should be enabled with -Wextra. Attached is a first version of the patch and as you can see the warning found already lots of suspicious type casts. The worst is the splay-tree which always calls functions with uintptr_t instead of the correct parameter type. I was unable to find a solution for this, and just silenced the warning with a second type-cast. Note that I also changed one line in libgo, but that is only a quick hack which I only did to make the boot-strap with all languages succeed. I'm not sure if this warning may be a bit too strict, but I think so far it just triggered on rather questionable code. Thoughts? Bernd. gcc: 2017-10-03 Bernd Edlinger* doc/invoke.texi: Document -Wcast-function-type. * gengtype.c (write_root): Remove cast. * ggc.h (gt_pch_n_S_nonconst, gt_ggc_m_S_nonconst): Declare. * ggc-page.c (gt_ggc_m_S_nonconst): New function. * stringpool.c (gt_pch_n_S_nonconst): New function. * tree-pass.h (do_per_function_toporder): Adjust header. * passes.c (do_per_function_toporder): Change signature. (execute_ipa_pass_list): Remove cast. * recog.h (f0..f15): Fix return types. (stored_funcptr): Use variadic parameter list. * tree-dump.c (dump_node): Avoid warning. * typed-splay-tree.h (typed_splay_tree): Avoid warning. libcpp: 2017-10-03 Bernd Edlinger * include/symtab.h (ht_forall_internal): Declare. * symtab.c (ht_forall_internal): New function. * internal.h (maybe_print_line): Change signature. c-family: 2017-10-03 Bernd Edlinger * c.opt (Wcast-function-type): New warning option. * c-lex.c (get_fileinfo): Avoid warning. * c-ppoutput.c (scan_translation_unit_directives_only): Remove cast. c: 2017-10-03 Bernd Edlinger * c-typeck.c (build_c_cast): Implement -Wcast_function_type. cp: 2017-10-03 Bernd Edlinger * cxx-pretty-print.c (pp_c_type_specifier_seq, pp_c_parameter_declaration_clause): New wrapper functions. (cxx_pretty_printer::cxx_pretty_printer): Remove cast. * decl2.c (start_static_storage_duration_function): Aboid warning. * typeck.c (build_reinterpret_cast_1): Implement -Wcast_function_type. testsuite: 2017-10-03 Bernd Edlinger * c-c++-common/Wcast-function-type.c: New test. Index: gcc/c/c-typeck.c === --- gcc/c/c-typeck.c (revision 253328) +++ gcc/c/c-typeck.c (working copy) @@ -5667,6 +5667,20 @@ build_c_cast (location_t loc, tree type, tree expr pedwarn (loc, OPT_Wpedantic, "ISO C forbids " "conversion of object pointer to function pointer type"); + if (TREE_CODE (type) == POINTER_TYPE + && TREE_CODE (otype) == POINTER_TYPE + && TREE_CODE (TREE_TYPE (type)) == FUNCTION_TYPE + && TREE_CODE (TREE_TYPE (otype)) == FUNCTION_TYPE + && (TYPE_ARG_TYPES (TREE_TYPE (type)) + && TYPE_ARG_TYPES (TREE_TYPE (otype)) + ? !comptypes (TREE_TYPE (type), + TREE_TYPE (otype)) + : !comptypes (TREE_TYPE (TREE_TYPE (type)), + TREE_TYPE (TREE_TYPE (otype) + warning_at (loc, OPT_Wcast_function_type, + "cast between incompatible function types" + " from %qT to %qT", otype, type); + ovalue = value; value = convert (type, value); Index: gcc/c-family/c-lex.c === --- gcc/c-family/c-lex.c (revision 253328) +++ gcc/c-family/c-lex.c (working copy) @@ -101,9 +101,11 @@ get_fileinfo (const char *name) struct c_fileinfo *fi; if (!file_info_tree) -file_info_tree = splay_tree_new ((splay_tree_compare_fn) strcmp, +file_info_tree = splay_tree_new ((splay_tree_compare_fn) + (uintptr_t) strcmp, 0, - (splay_tree_delete_value_fn) free); + (splay_tree_delete_value_fn) + (uintptr_t) free); n = splay_tree_lookup (file_info_tree, (splay_tree_key) name); if (n) Index: gcc/c-family/c-ppoutput.c === --- gcc/c-family/c-ppoutput.c (revision 253328) +++ gcc/c-family/c-ppoutput.c (working copy) @@ -299,7 +299,7 @@ scan_translation_unit_directives_only (cpp_reader struct _cpp_dir_only_callbacks cb;