[Libguestfs] [libnbd PATCH] RFC: generator: Mark APIs with allocator/deallocator semantics

Eric Blake eblake at redhat.com
Fri Sep 30 18:55:21 UTC 2022


On Fri, Sep 30, 2022 at 05:27:00PM +0100, Richard W.M. Jones wrote:
> On Fri, Sep 30, 2022 at 10:42:01AM -0500, Eric Blake wrote:
> > Modern GCC has two related attributes for functions returning a
> > pointer:
> > 
> > __attribute__((__malloc__)) - this function returns a new pointer, not
> > aliased to any existing pointer
> > 
> > __attribute__((__malloc__(fn,1))) - call fn(return_value) to avoid
> > leaking memory allocated by this function
> > 
> > With those attributes, static analyzers can better detect when we pass
> > the resulting pointer to the wrong deallocator, deallocate more than
> > once, have a use after free, or otherwise leak the memory.  (Sadly, as
> > of gcc 12.2.1, -fanalyzer still has a LOT of false positives, such as:
> > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107100; since our code
> > base triggers some of these, we can't quite rely on it yet).
> > ---
> >  lib/internal.h |  4 +++-
> >  generator/C.ml | 24 +++++++++++++++++++++---
> >  2 files changed, 24 insertions(+), 4 deletions(-)
> > 
> 
> ACK - worth a go, if it causes too many problems we can always
> back it out later!

In as 7e329735.  The output of 'make CFLAGS="-fanalyzer -O2"' is
verbose enough that I'm not sure if gcc 12.2.1 itself found any real
issues, but maybe clang or Coverity, or even a future gcc, will better
be able to help use these attributes to our benefit.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
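As an added illustration of the two attributes the patch description covers (not code from the libnbd patch or its generator), here is a hand-written allocator/deallocator pair carrying them, with a correctly paired caller; the handle type, the function names, and the GCC 11 version guard are assumptions of this example:

```c
#include <stdlib.h>
#include <string.h>
/* Constructed handle type standing in for an API object (not libnbd's):
 * one allocation, the name stored inline so the result holds no pointers. */
struct example_handle { size_t len; char name[]; };

/* The deallocator is declared first so the attribute below can name it. */
void example_handle_free (struct example_handle *h);
/* GCC 11+ accepts the two-argument form; older GCC and clang only accept
 * the plain __malloc__, so fall back to that rather than failing to build. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
#define RETURNS_HANDLE \
  __attribute__((__malloc__, __malloc__(example_handle_free, 1)))
#else
#define RETURNS_HANDLE __attribute__((__malloc__))
#endif

/* Allocator: the result aliases no existing pointer and must be released
 * with example_handle_free, never with plain free(). */
RETURNS_HANDLE struct example_handle *
example_handle_new (const char *name)
{
  size_t len = strlen (name);
  struct example_handle *h = malloc (sizeof *h + len + 1);
  if (h == NULL) return NULL;
  h->len = len;
  memcpy (h->name, name, len + 1);
  return h;
}

/* Deallocator: wipes the contents before release, so plain free() is no substitute. */
void example_handle_free (struct example_handle *h)
{
  if (h == NULL) return;
  memset (h, 0, sizeof *h + h->len + 1);
  free (h);
}

/* Correctly paired caller.  With the attributes in place, GCC warns if this
 * called free (h) instead (-Wmismatched-dealloc), and -fanalyzer reports a
 * leak if an early return skipped example_handle_free. */
size_t example_name_length (const char *name)
{
  struct example_handle *h = example_handle_new (name);
  if (h == NULL) return 0;
  size_t len = h->len;
  example_handle_free (h);
  return len;
}
```

Compile with `gcc -fanalyzer -O2 -c` to see the pairing checks; clang builds the same file but only sees the plain `__malloc__` hint.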