C runtime checking for assignment of VM types, v3
Martin Uecker
uecker@tugraz.at
Mon Jul 15 21:41:25 GMT 2024
On Monday, 15.07.2024 at 21:26 +0000, Qing Zhao wrote:
> Hi, Martin,
> I didn’t see your v3 patches attached to the email, did you miss them?
> (I really want to see them -:).
Sorry, I should have CCed you. It was sent as a series of patches:
https://gcc.gnu.org/pipermail/gcc-patches/2024-July/657254.html
>
> > On Jul 15, 2024, at 16:58, Martin Uecker <uecker@tugraz.at> wrote:
> >
> > On Monday, 15.07.2024 at 13:05 -0700, Kees Cook wrote:
> > > On Mon, Jul 15, 2024 at 07:20:31PM +0200, Martin Uecker wrote:
> > > > No, there are still too many missing pieces. The following
> > > > works already
> > > >
> > > > int h(int n, int buf[n])
> > > > {
> > > > return __builtin_dynamic_object_size(buf, 1);
> > > > }
> > >
> > > Yeah, this is nice.
> > >
> > > There are some interesting things happening around this general
> > > idea. Clang has the rather limited attributes "pass_object_size" and
> > > "pass_dynamic_object_size" that will work on function prototypes that
> > > will inform a _bos or _bdos internally, but you can only choose _one_
> > > type to apply to a given function parameter:
> > >
> > > size_t h(char * const __attribute__((pass_dynamic_object_size(1))) buf)
> > > {
> > > return __builtin_dynamic_object_size(buf, 1);
> > > }
> > >
> > > https://clang.llvm.org/docs/AttributeReference.html#pass-object-size-pass-dynamic-object-size
> > >
> > > I have found it easier to just make wrapper macros, as that can allow
> > > both size types:
> > >
> > > size_t __h(char *buf, const size_t p_max, const size_t p_min);
> > >
> > > #define h(p) \
> > > ({ \
> > > const size_t __p_max = __builtin_dynamic_object_size(p, 0); \
> > > const size_t __p_min = __builtin_dynamic_object_size(p, 1); \
> > > __h(p, __p_max, __p_min); \
> > > })
> > >
> > >
> > > But best is that it just gets handled automatically, which will be the
> > > goals of the more generalized "counted_by" (and "sized_by") attributes
> > > that will provide similar coverage as your example:
> > >
> > > size_t h(int * __attribute__((sized_by(bytes))) buf, int bytes)
> > > {
> > > return __builtin_dynamic_object_size(buf, 1);
> > > }
> > >
> > > https://discourse.llvm.org/t/rfc-enforcing-bounds-safety-in-c-fbounds-safety/
> >
> > Indeed, I already complained a lot to them about that design ;-)
> > >
> > > Those attributes end up being similar to what you have
> >
> > Well, the syntax is from C99, we just have to make it work.
> >
> > > only the explicit
> > > predeclaration isn't needed. i.e. to put "int n" in your example after
> > > "buf", it needs predeclaration:
> > >
> > > int h(int n; int buf[n], int n)
> > > {
> > > ...
> > > }
> > >
> > > (But Clang doesn't appear to support predeclarations.)
> >
> > And isn't this a lot nicer? It also follows the exact same
> > scoping rules of the language as everything else.
> >
> > In GCC the example above works also with this:
> >
> > int h(int n; char buf[n], int n)
> > {
> > return __builtin_dynamic_object_size(buf, 1);
> > }
> > https://godbolt.org/z/vfqoKaq7e
> >
> > and one can hide it with a macro if necessary.
> > I hope we will get the syntax with C2Y and also:
> >
> > struct { int n; char buf[.n]; };
>
> Yes, this is definitely great if we can get this into the C standard.
> Do you have any idea on when that might be possible?
Hard to tell, but it is being worked on. Implementation
experience in GCC would help.
Martin
> >
> > In any case, I hope we get proper language integration and
> > not a soup of attributes (although the attributes are a step
> > up from not having bounds checking at all).
>
> Agreed.
> >
> >
> > The problem in GCC is that the code for the access attributes
> > that are internally used also for parameters with variably
> > modified types is rather complicated and fragile, which makes
> > it harder than necessary to add the missing pieces. I will
> > probably try to simply add the .ACCESS_WITH_SIZE builtin
> > in the FE to function parameters just like for 'counted_by'.
> > Maybe this is already sufficient to make it work.
>
> As we discussed previously for .ACCESS_WITH_SIZE, IIRC,
> for those current available attributes, “access”, and “alloc_size”,
> if we implement them with .ACCESS_WITH_SIZE, we can make
> them more robust.
>
> I remembered that there were some PRs filed for those issues;
> I will find those PRs.
>
> Maybe it's time to resolve these PRs as well. I will take a look here.
> >
> > In general I have the vague idea that at any point where an
> > array decays or is adjusted into a pointer and size is then
> > lost from the type, we could insert this builtin to make
> > the size discoverable by BDOS later. A seamless handover
> > from types to BDOS magic...
>
> Yeah, sounds reasonable to me.
>