This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: C provenance semantics proposal
- From: "Uecker, Martin" <Martin dot Uecker at med dot uni-goettingen dot de>
- To: "richard dot guenther at gmail dot com" <richard dot guenther at gmail dot com>
- Cc: "gcc at gcc dot gnu dot org" <gcc at gcc dot gnu dot org>, "Peter dot Sewell at cl dot cam dot ac dot uk" <Peter dot Sewell at cl dot cam dot ac dot uk>, "law at redhat dot com" <law at redhat dot com>, "cl-c-memory-object-model at lists dot cam dot ac dot uk" <cl-c-memory-object-model at lists dot cam dot ac dot uk>
- Date: Wed, 17 Apr 2019 12:56:19 +0000
- Subject: Re: C provenance semantics proposal
- References: <CAHWkzRTd-AsOxOckRaDAbyqWQf_tytFACubN9wpi=NG6=ha_jA@mail.gmail.com> <ddf469fd-685c-8f99-9164-bb62ec435685@redhat.com> <CAHWkzRTp8fFqXo7M5U5idHubxg3Q7rJ6GCqkG+o1-T8V8vCaYg@mail.gmail.com> <CAFiYyc0Tc4Et8ND73Zb14goRs95ZwuCE48wrGB=JXjSTTjgwcA@mail.gmail.com> <CAHWkzRTU_qoKe375UrOb9eej757XHGq4TkdF7vuCzFp=T4wqqg@mail.gmail.com> <CAFiYyc3Ri_U5Sqsv1gm6JhsOv=DYLB6LxtSLy7smP9sr-g+LWA@mail.gmail.com> <1555502021.4884.1.camel@med.uni-goettingen.de> <CAFiYyc0qeqcRgV7aFQSRwhief4_e3_wVC=b-xQfXTc-+YjG4yQ@mail.gmail.com>
On Wednesday, 17 April 2019, at 14:41 +0200, Richard Biener wrote:
> On Wed, Apr 17, 2019 at 1:53 PM Uecker, Martin
> <Martin.Uecker@med.uni-goettingen.de> wrote:
> >
> > > Since
> > > your proposal is based on an abstract machine there isn't anything
> > > like a pointer with multiple provenances (which "anything" is), just
> > > pointers with no provenance (pointing outside of any object), right?
> >
> > This is correct. What the proposal does though is put a limit
> > on where pointers obtained from integers are allowed to point
> > to: They cannot point to non-exposed objects. I assume GCC
> > "anything" provenances also cannot point to all possible
> > objects.
>
> Yes. We exclude objects that do not have their address taken
> though (so somewhat similar to your "exposed").
Also if the address never escapes?
Using address-taken as the criterion is one option we considered,
but we felt this exposes too many objects, like automatic
arrays or locally used malloced/alloced data etc.
Using integer-casts as criterion means that all
objects whose address is taken but where (a) it is not
seen that the pointer is cast to an integer and
where (b) the pointer never escapes can be assumed safe.
Best,
Martin
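The three cases distinguished above (address taken but used only locally, address escaping to code the compiler cannot see, and address cast to an integer, i.e. "exposed") side by side, as an added illustration that is not part of Martin's message or of either proposal's text. All function and variable names are constructed for the example; the comments state what each criterion lets the compiler assume, and the return values are what the code computes in every case.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed "sink" for an escaping pointer. In a real program this would be
 * a function in another translation unit, so the compiler cannot see whether
 * the pointer is ever converted to an integer there. */
static int *escaped_slot;
static void leak_pointer(int *p) { escaped_slot = p; }

/* Visible helper: it dereferences its argument and nothing else. */
static void bump(int *p) { *p += 1; }

/* (a) Address taken and passed to a visible helper; never cast to an integer,
 * never escapes. Under the address-taken criterion `local` is already
 * exposed; under the integer-cast criterion it is not, so an integer-derived
 * pointer cannot name it and the compiler may keep it in a register. */
int case_address_taken_only(void)
{
    int local = 1;
    bump(&local);
    return local;            /* 2 */
}

/* (b) Address escapes. No cast is visible here, but one could happen behind
 * leak_pointer(), so condition (b) of Martin's rule fails and nothing may be
 * assumed about integer-derived pointers to `local`. */
int case_escaped(void)
{
    int local = 1;
    leak_pointer(&local);
    *escaped_slot += 10;     /* write through the escaped pointer, `local` still live */
    return local;            /* 11 */
}

/* (c) Exposed: the address is converted to an integer. A pointer rebuilt from
 * that integer is a pointer "obtained from an integer" and may legitimately
 * point at `local`, so the write below must be honoured. */
int case_exposed(void)
{
    int local = 1;
    uintptr_t bits = (uintptr_t)&local;   /* this cast is the exposure */
    int *q = (int *)bits;                 /* integer-derived pointer */
    *q = 42;
    return local;            /* 42 */
}

int main(void)
{
    printf("address taken only: %d\n", case_address_taken_only());
    printf("escaped:            %d\n", case_escaped());
    printf("exposed:            %d\n", case_exposed());
    return 0;
}
```

Only case (c) contains a pointer that the integer-cast criterion must treat as possibly aliasing `local`; case (a) is exactly the kind of locally used object that the address-taken criterion would needlessly expose.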