New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[clang] Ignore GCC 11 [[malloc(x)]]
attribute
#68059
base: main
Are you sure you want to change the base?
Conversation
@@ -4122,6 +4122,9 @@ def RestrictDocs : Documentation { | |||
The ``malloc`` attribute indicates that the function acts like a system memory | |||
allocation function, returning a pointer to allocated storage disjoint from the | |||
storage for any other object accessible to the caller. | |||
|
|||
The form of ``malloc`` with one or two arguments (supported by GCC 11) is | |||
currently ignored by Clang. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really ignored or is it just treated as if it had no arguments?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this PR, it's completely ignored, it's not even added to the Clang AST.
It just reaches the end of this function where nothing happens (let me know if I can improve the comment!):
We can't treat it as if has no arguments because in GCC it means two different things:
__attribute__((malloc))
with no args means the return value is guaranteed not to alias to any other pointer (aka like__declspec(restrict)
in MSVC) and that the function will normally return non-NULL
, allowing optimizations,__attribute__((malloc(deallocator)))
instead says the returned pointer should be deallocated by the specified deallocator, allowing a static analyzer to print warnings.
See the malloc
section of https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html for more info.
To be honest, I feel like GCC should have given the one/two argument form a different attribute name to make things less confusing, but GCC 11 has already been out for years unfortunately.
clang/lib/Sema/SemaDeclAttr.cpp
Outdated
return; | ||
} | ||
|
||
// FIXME: GCC uses [[malloc(my_func)]] to specify a deallocator for the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'd like this to be diagnosed. We shouldn't be silently ignoring the attribute.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I slightly disagree, since even if we do add support for this attribute, only the Clang analyzer would use it, but I've added a 'malloc' attribute ignored because Clang does not support the one/two argument form
warning in commit a76561f.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the fix!
We generally want ignored attributes to be diagnosed as being ignored; otherwise users have a much harder time determining whether the attribute is working or not. I think we should issue an "attribute ignored" warning when we're dropping the attribute in the AST.
Also, the changes should come with a release note so that users know about the bug fix.
Ignore the `[[malloc(x)]]` or `[[malloc(x, 1)]]` function attribute syntax added in [GCC 11][1] and print a warning instead of an error. Unlike `[[malloc]]` with no arguments (which is supported by Clang), GCC uses the one or two argument form to specify a deallocator for GCC's static analyzer. Code currently compiled with `[[malloc(x)]]` or `__attribute((malloc(x)))` fails with the following error: `'malloc' attribute takes no arguments`. [1]: https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;f=gcc/doc/extend.texi;h=dce6c58db87ebf7f4477bd3126228e73e4eeee97#patch6 Fixes: llvm#51607 Partial-Bug: llvm#53152
f9c9147
to
a76561f
Compare
Personally, I think there shouldn't be a warning, because even if we add the attribute to the AST, Clang will do nothing with it; the attribute would only be used by Clang's static analyzer. But I've added a warning anyway in a76561f. I think a generic
👍 That makes sense! I've added a note in the Bug Fixes to Attribute Support section in a76561f. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a nit
clang/include/clang/Basic/Attr.td
Outdated
let Args = [IdentifierArgument<"Deallocator", /*opt*/ 1>, | ||
ParamIdxArgument<"DeallocatorPtrArgIndex", /*opt*/ 1>]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let Args = [IdentifierArgument<"Deallocator", /*opt*/ 1>, | |
ParamIdxArgument<"DeallocatorPtrArgIndex", /*opt*/ 1>]; | |
let Args = [IdentifierArgument<"Deallocator", /*opt=*/1>, | |
ParamIdxArgument<"DeallocatorPtrArgIndex", /*opt=*/ 1>]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Unfortunately we have not been consistent through our codebase in argument comment format but e should strive to be consistent with bugprone-argument-comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Fixed in b7e1258
clang/docs/ReleaseNotes.rst
Outdated
- Clang now emits a warning instead of an error when using the one or two | ||
argument form of GCC 11's ``__attribute__((malloc(deallocator)))`` | ||
or ``__attribute__((malloc(deallocator, ptr-index)))`` | ||
(`#51607 <https://github.com/llvm/llvm-project/issues/51607>`). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(`#51607 <https://github.com/llvm/llvm-project/issues/51607>`). | |
(`#51607 <https://github.com/llvm/llvm-project/issues/51607>`_). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry! That's my fault for being lazy and skipping build the docs! Fixed in 5f6f893
def warn_multiarg_malloc_attribute_ignored: Warning< | ||
"'malloc' attribute ignored because" | ||
" Clang does not support the one/two argument form">, | ||
InGroup<IgnoredAttributes>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
def warn_multiarg_malloc_attribute_ignored: Warning< | |
"'malloc' attribute ignored because" | |
" Clang does not support the one/two argument form">, | |
InGroup<IgnoredAttributes>; | |
def warn_attribute_form_ignored : Warning< | |
"%0 attribute ignored; Clang does not yet support this attribute signature">, | |
InGroup<IgnoredAttributes>; |
If we generalize the wording a bit, we can reuse this diagnostic for other circumstances where we don't yet support a particular signature.
Also, this diagnostic should be moved to DiagnosticSemaKinds.td (it's only diagnosed from clang/lib/Sema
, so no need for it to be in the "common" diagnostics file for cross-lib diagnostics).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 02a153d, although I've very slightly changed the wording to match other warnings by using because
instead of the ;
.
I've also added a couple of other error diagnostics in other commit, so please let me know if you think it's worth generalizing them too.
clang/test/Sema/attr-args.c
Outdated
inline __attribute__((malloc(a))) void *f5(void); // expected-error {{'malloc' attribute takes no arguments}} | ||
inline __declspec(restrict(a)) void *f6_a(void); // expected-error {{'restrict' attribute takes no arguments}} | ||
inline __attribute__((malloc(a, 1, a))) void *f6_b(void); // expected-error {{'malloc' attribute takes no more than 2 arguments}} | ||
inline __attribute__((malloc(a, 1))) void *f6_c(void); // expected-warning {{'malloc' attribute ignored because Clang does not support the one/two argument form}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more test I'd like to see is:
inline __attribute__((malloc(1))) void *func(void) // error: '1' does not name a function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 0659620, although with a different error diagnostic. I've also added a bunch more error checking (adapting the code from handleCleanupAttr
), so now we should even be stricter than GCC on what args we accept:
llvm-project/clang/test/Sema/attr-args.c
Lines 2 to 6 in 0659620
int a; | |
void func_a(void * ptr, int a); | |
void func_b(int a); | |
void __attribute__((overloadable)) ambigious_func(void *); // expected-note {{candidate function}} | |
void __attribute__((overloadable)) ambigious_func(void *, int); // expected-note {{candidate function}} |
llvm-project/clang/test/Sema/attr-args.c
Lines 13 to 21 in 0659620
inline __declspec(restrict(a)) void *f6_a(void); // expected-error {{'restrict' attribute takes no arguments}} | |
inline __attribute__((malloc(func_a, 1, a))) void *f6_b(void); // expected-error {{'malloc' attribute takes no more than 2 arguments}} | |
inline __attribute__((malloc(func_a, 1))) void *f6_c(void); // expected-warning {{'malloc' attribute ignored because Clang does not yet support this attribute signature}} | |
inline __attribute__((malloc(1234))) void *f6_d(void); // expected-error {{'malloc' argument for deallocator is not a function}} | |
inline __attribute__((malloc(a))) void *f6_e(void); // expected-error {{'malloc' argument 'a' is not a function}} | |
inline __attribute__((malloc(ambigious_func))) void *f6_f(void); // expected-error {{'malloc' argument 'ambigious_func' is not a single function}} | |
inline __attribute__((malloc(func_b))) void *f6_g(void); // expected-error {{'malloc' argument 'func_b' must take a pointer type as its first argument}} | |
inline __attribute__((malloc(func_a, 3))) void *f6_h(void); // expected-error {{'malloc' attribute parameter 2 is out of bounds}} | |
inline __attribute__((malloc(func_a, 2))) void *f6_i(void); // expected-error {{'malloc' argument '2' refers to non-pointer type 'int' of 'func_a'}} |
Move diag::warn_multiarg_malloc_attribute_ignored to `DiagnosticSemaKinds.td` and make it generic so we can use it for other attributes. Fixes llvm#68059 (comment)
I see that the fix is almost ready, good. But generally it would also have helped if the |
Yeah, our current default behavior is that we use the value |
I'd actually been thinking about this all morning, and I don't see how we could do it in a way that wouldn't make the world a worse place. The reason feature-test-macros work is because there is an agreed upon 'source' of those values, without Clang and GCC agreeing on a value here (which we do in C++ via SD10), anything we do is going to be no better than just compiler version checks unfortunately. |
Hi,
yes the really bad choice here is by gcc to have the same name for basically two different attributes.
For the value, they also missed the opportunity to do something sensible when moving to C++ attributes, what a pitty.
For a concrete guideline in that jungle, when (= which version) do you expect this patch to hit distribution? Will it be in clang-18 once that is released?
Can we expect a similar feature, let's Call it clang::deallocator_function in a future version?
Thanks
Jens
--
Jens Gustedt - INRIA & ICube, Strasbourg, France
|
It does appear that this is on track for clang 18, but it hasn't finished review yet, so I cannot promise that of course. At the moment, nothing like a |
Support bugprone-argument-comment format. Co-authored-by: Shafik Yaghmour <shafik@users.noreply.github.com>
Fix incorrect RST link syntax. Co-authored-by: Aaron Ballman <aaron@aaronballman.com>
Error if `deallocator` and `ptrIdx` to `[[malloc(deallocator, ptrIdx)]]` have invalid types.
I've fixed reviewer comments! Sorry for the delay! I didn't have much time, and my PC isn't the fastest, so building Clang + regression tests takes a while! As recommended by #68059 (comment), I added type checking for the attribute arguments so that we should throw an error on any invalid args that GCC throws an error (or even a warning on). Since this is a pretty substantial change, I made it all as
I agree, it's not ideal! Having a separate name for this attribute (e.g. |
Ignore the
[[malloc(x)]]
or[[malloc(x, 1)]]
function attribute syntax added in GCC 11.Unlike
[[malloc]]
with no arguments (which is supported by Clang), GCC uses the one or two argument form to specify a deallocator for GCC's static analyzer.Code currently compiled with
[[malloc(x)]]
or__attribute__((malloc(x)))
fails with the following error:'malloc' attribute takes no arguments
.Fixes: #51607
Partial-Bug: #53152 (this PR only ignores
__attribute__((malloc(x)))
and allows it to compile, so only partially fixes the problem).In the future, we can add this attribute to the AST as well. This will let us improve the clang static analyzer's
unix.MismatchedDeallocator
checker.