[PATCH v2 0/3] system: Forbid alloca()

[PATCH v2 0/3] system: Forbid alloca()

[Philippe Mathieu-Daudé]

Eradicate alloca() uses on system code, then enable
-Walloca to prevent new ones to creep back in.

Since v1:
- Convert KVM/PPC (Peter)
- Update doc (Alex)

Philippe Mathieu-Daudé (3):
  target/ppc/kvm: Avoid using alloca()
  buildsys: Prohibit alloca() use on system code
  docs/devel/style: Mention alloca() family API is forbidden

 docs/devel/style.rst | 4 ++--
 meson.build          | 4 ++++
 target/ppc/kvm.c     | 3 +--
 3 files changed, 7 insertions(+), 4 deletions(-)

-- 
2.51.0

[PATCH v2 1/3] target/ppc/kvm: Avoid using alloca()

[Philippe Mathieu-Daudé]

kvmppc_load_htab_chunk() is used for migration, thus is not
a hot path. Use the heap instead of the stack, removing the
alloca() call.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/ppc/kvm.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index d145774b09a..937b9ee986d 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -2760,11 +2760,10 @@ int kvmppc_save_htab(QEMUFile *f, int fd, size_t bufsize, int64_t max_ns)
 int kvmppc_load_htab_chunk(QEMUFile *f, int fd, uint32_t index,
                            uint16_t n_valid, uint16_t n_invalid, Error **errp)
 {
-    struct kvm_get_htab_header *buf;
     size_t chunksize = sizeof(*buf) + n_valid * HASH_PTE_SIZE_64;
+    g_autofree struct kvm_get_htab_header *buf = g_malloc(chunksize);
     ssize_t rc;
 
-    buf = alloca(chunksize);
     buf->index = index;
     buf->n_valid = n_valid;
     buf->n_invalid = n_invalid;
-- 
2.51.0

[PATCH v2 2/3] buildsys: Prohibit alloca() use on system code

[Philippe Mathieu-Daudé]

Similarly to commit 64c1a544352 ("meson: Enable -Wvla") with
variable length arrays, forbid alloca() uses on system code.

There are few uses on ancient linux-user code, do not bother
there.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 meson.build | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meson.build b/meson.build
index 0d42de61ae6..3d1dc2e9e26 100644
--- a/meson.build
+++ b/meson.build
@@ -775,6 +775,10 @@ if host_os != 'darwin'
   endif
 endif
 
+if have_system
+  warn_flags += ['-Walloca']
+endif
+
 # Set up C++ compiler flags
 qemu_cxxflags = []
 if 'cpp' in all_languages
-- 
2.51.0

[PATCH v2 3/3] docs/devel/style: Mention alloca() family API is forbidden

[Philippe Mathieu-Daudé]

Suggested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 docs/devel/style.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/devel/style.rst b/docs/devel/style.rst
index d025933808e..941fe14bfd4 100644
--- a/docs/devel/style.rst
+++ b/docs/devel/style.rst
@@ -446,8 +446,8 @@ Low level memory management
 ===========================
 
 Use of the ``malloc/free/realloc/calloc/valloc/memalign/posix_memalign``
-APIs is not allowed in the QEMU codebase. Instead of these routines,
-use the GLib memory allocation routines
+or ``alloca/g_alloca/g_newa/g_newa0`` APIs is not allowed in the QEMU codebase.
+Instead of these routines, use the GLib memory allocation routines
 ``g_malloc/g_malloc0/g_new/g_new0/g_realloc/g_free``
 or QEMU's ``qemu_memalign/qemu_blockalign/qemu_vfree`` APIs.
 
-- 
2.51.0

Re: [PATCH v2 1/3] target/ppc/kvm: Avoid using alloca()

[Peter Maydell]

On Mon, 1 Sept 2025 at 14:26, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> kvmppc_load_htab_chunk() is used for migration, thus is not
> a hot path. Use the heap instead of the stack, removing the
> alloca() call.
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>  target/ppc/kvm.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> index d145774b09a..937b9ee986d 100644
> --- a/target/ppc/kvm.c
> +++ b/target/ppc/kvm.c
> @@ -2760,11 +2760,10 @@ int kvmppc_save_htab(QEMUFile *f, int fd, size_t bufsize, int64_t max_ns)
>  int kvmppc_load_htab_chunk(QEMUFile *f, int fd, uint32_t index,
>                             uint16_t n_valid, uint16_t n_invalid, Error **errp)
>  {
> -    struct kvm_get_htab_header *buf;
>      size_t chunksize = sizeof(*buf) + n_valid * HASH_PTE_SIZE_64;
> +    g_autofree struct kvm_get_htab_header *buf = g_malloc(chunksize);
>      ssize_t rc;
>
> -    buf = alloca(chunksize);
>      buf->index = index;
>      buf->n_valid = n_valid;
>      buf->n_invalid = n_invalid;

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

thanks
-- PMM

Re: [PATCH v2 2/3] buildsys: Prohibit alloca() use on system code

[Daniel P. Berrangé]

On Mon, Sep 01, 2025 at 03:26:25PM +0200, Philippe Mathieu-Daudé wrote:
> Similarly to commit 64c1a544352 ("meson: Enable -Wvla") with
> variable length arrays, forbid alloca() uses on system code.
> 
> There are few uses on ancient linux-user code, do not bother
> there.

This says you're not turning on -Walloca for linux-user, but....

> +if have_system
> +  warn_flags += ['-Walloca']
> +endif

...surely this still turns on -Walloca for linux-user, if the build has
enabled multiple targets covering both system & user mode. ie a default
qemu build ?

> +
>  # Set up C++ compiler flags
>  qemu_cxxflags = []
>  if 'cpp' in all_languages
> -- 
> 2.51.0
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [PATCH v2 3/3] docs/devel/style: Mention alloca() family API is forbidden

[Manos Pitsidianakis]

On Mon, Sep 1, 2025 at 4:27 PM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Suggested-by: Alex Bennée <alex.bennee@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---

Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>

>  docs/devel/style.rst | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/docs/devel/style.rst b/docs/devel/style.rst
> index d025933808e..941fe14bfd4 100644
> --- a/docs/devel/style.rst
> +++ b/docs/devel/style.rst
> @@ -446,8 +446,8 @@ Low level memory management
>  ===========================
>
>  Use of the ``malloc/free/realloc/calloc/valloc/memalign/posix_memalign``
> -APIs is not allowed in the QEMU codebase. Instead of these routines,
> -use the GLib memory allocation routines
> +or ``alloca/g_alloca/g_newa/g_newa0`` APIs is not allowed in the QEMU codebase.
> +Instead of these routines, use the GLib memory allocation routines
>  ``g_malloc/g_malloc0/g_new/g_new0/g_realloc/g_free``
>  or QEMU's ``qemu_memalign/qemu_blockalign/qemu_vfree`` APIs.
>
> --

If you wanna dust off your perl, you could also add this to checkpatch.pl :)

Re: [PATCH v2 1/3] target/ppc/kvm: Avoid using alloca()

[Manos Pitsidianakis]

On Mon, Sep 1, 2025 at 4:27 PM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> kvmppc_load_htab_chunk() is used for migration, thus is not
> a hot path. Use the heap instead of the stack, removing the
> alloca() call.
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>  target/ppc/kvm.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> index d145774b09a..937b9ee986d 100644
> --- a/target/ppc/kvm.c
> +++ b/target/ppc/kvm.c
> @@ -2760,11 +2760,10 @@ int kvmppc_save_htab(QEMUFile *f, int fd, size_t bufsize, int64_t max_ns)
>  int kvmppc_load_htab_chunk(QEMUFile *f, int fd, uint32_t index,
>                             uint16_t n_valid, uint16_t n_invalid, Error **errp)
>  {
> -    struct kvm_get_htab_header *buf;
>      size_t chunksize = sizeof(*buf) + n_valid * HASH_PTE_SIZE_64;
> +    g_autofree struct kvm_get_htab_header *buf = g_malloc(chunksize);
>      ssize_t rc;
>
> -    buf = alloca(chunksize);
>      buf->index = index;
>      buf->n_valid = n_valid;
>      buf->n_invalid = n_invalid;
> --
> 2.51.0
>
>

Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>

Re: [PATCH v2 3/3] docs/devel/style: Mention alloca() family API is forbidden

[Philippe Mathieu-Daudé]

On 1/9/25 16:05, Manos Pitsidianakis wrote:
> On Mon, Sep 1, 2025 at 4:27 PM Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>>
>> Suggested-by: Alex Bennée <alex.bennee@linaro.org>
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
>> ---
> 
> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
> 
>>   docs/devel/style.rst | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/docs/devel/style.rst b/docs/devel/style.rst
>> index d025933808e..941fe14bfd4 100644
>> --- a/docs/devel/style.rst
>> +++ b/docs/devel/style.rst
>> @@ -446,8 +446,8 @@ Low level memory management
>>   ===========================
>>
>>   Use of the ``malloc/free/realloc/calloc/valloc/memalign/posix_memalign``
>> -APIs is not allowed in the QEMU codebase. Instead of these routines,
>> -use the GLib memory allocation routines
>> +or ``alloca/g_alloca/g_newa/g_newa0`` APIs is not allowed in the QEMU codebase.
>> +Instead of these routines, use the GLib memory allocation routines
>>   ``g_malloc/g_malloc0/g_new/g_new0/g_realloc/g_free``
>>   or QEMU's ``qemu_memalign/qemu_blockalign/qemu_vfree`` APIs.
>>
>> --
> 
> If you wanna dust off your perl, you could also add this to checkpatch.pl :)

We expect contributors to test their patches before posting :P
(normally it shouldn't build due to -Walloca in the previous patch)

Thanks!

Re: [PATCH v2 1/3] target/ppc/kvm: Avoid using alloca()

[Harsh Prateek Bora]

On 9/1/25 18:56, Philippe Mathieu-Daudé wrote:
> kvmppc_load_htab_chunk() is used for migration, thus is not
> a hot path. Use the heap instead of the stack, removing the
> alloca() call.
> 
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>   target/ppc/kvm.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> index d145774b09a..937b9ee986d 100644
> --- a/target/ppc/kvm.c
> +++ b/target/ppc/kvm.c
> @@ -2760,11 +2760,10 @@ int kvmppc_save_htab(QEMUFile *f, int fd, size_t bufsize, int64_t max_ns)
>   int kvmppc_load_htab_chunk(QEMUFile *f, int fd, uint32_t index,
>                              uint16_t n_valid, uint16_t n_invalid, Error **errp)
>   {
> -    struct kvm_get_htab_header *buf;
>       size_t chunksize = sizeof(*buf) + n_valid * HASH_PTE_SIZE_64;
> +    g_autofree struct kvm_get_htab_header *buf = g_malloc(chunksize);
>       ssize_t rc;
>   
> -    buf = alloca(chunksize);
>       buf->index = index;
>       buf->n_valid = n_valid;
>       buf->n_invalid = n_invalid;

Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>

Re: [PATCH v2 0/3] system: Forbid alloca()

[Philippe Mathieu-Daudé]

On 1/9/25 15:26, Philippe Mathieu-Daudé wrote:

> Philippe Mathieu-Daudé (3):
>    target/ppc/kvm: Avoid using alloca()

>    docs/devel/style: Mention alloca() family API is forbidden

Patches 1 & 3 queued, thanks.

Re: [PATCH v2 3/3] docs/devel/style: Mention alloca() family API is forbidden

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 335 bytes --]

On Mon, Sep 01, 2025 at 03:26:26PM +0200, Philippe Mathieu-Daudé wrote:
> Suggested-by: Alex Bennée <alex.bennee@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>  docs/devel/style.rst | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH v2 1/3] target/ppc/kvm: Avoid using alloca()

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 480 bytes --]

On Mon, Sep 01, 2025 at 03:26:24PM +0200, Philippe Mathieu-Daudé wrote:
> kvmppc_load_htab_chunk() is used for migration, thus is not
> a hot path. Use the heap instead of the stack, removing the
> alloca() call.
> 
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>  target/ppc/kvm.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]