From: Miguel Ojeda
Date: Sun, 14 Nov 2021 14:54:03 +0100
Subject: Re: [PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries
To: David Malcolm
Cc: gcc-patches@gcc.gnu.org, linux-toolchains@vger.kernel.org
In-Reply-To: <20211113203732.2098220-1-dmalcolm@redhat.com>

On Sat, Nov 13, 2021 at 9:37 PM David Malcolm wrote:
>
> #define __user __attribute__((untrusted))
>
> where my patched GCC treats
>   T *
> vs
>   T __attribute__((untrusted)) *
> as being different types and thus the C frontend can complain (even without
> -fanalyzer) about e.g.:

This one sounds similar to the `Untrusted` wrapper I suggested for the Rust
side -- we would have a method to "extract and trust" the value (instead of a
cast).

> Patch 2 in the kit adds:
>   __attribute__((returns_zero_on_success))
> and
>   __attribute__((returns_nonzero_on_success))
> as hints to the analyzer that it's worth bifurcating the analysis of
> such functions (to explore failure vs success, and thus to better
> explore error-handling paths). It's also a hint to the human reader of
> the source code.

These two sound quite nice to have for most C projects.

Would it be useful to generalize to different values than 0/non-0? e.g.
`returns_on_success(0)` and `returns_on_failure(0)`.

Cheers,
Miguel
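As an added example, not code from this thread or from the Rust-for-Linux project, here is one way the `Untrusted` wrapper idea mentioned in the reply could be expressed in Rust: the wrapped value is reachable only through an explicit validate-and-extract method, so there is no counterpart to a silent cast. The names `Untrusted`, `TrustError`, `trust_if`, `copy_len` and the limit `BUF_SIZE` are assumptions made for this illustration.

```rust
/// A value that has crossed a trust boundary (e.g. it came from user space).
/// The field is private and there is no `Deref`, so code outside this module
/// can only reach the value through `trust_if`: there is no equivalent of a
/// plain cast that silently turns it into a `T`.
#[derive(Debug, Clone, Copy)]
pub struct Untrusted<T>(T);

/// Returned when an untrusted value fails the caller's validation.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TrustError;

impl<T> Untrusted<T> {
    /// Wrap a value at the point where it enters trusted code.
    pub fn new(value: T) -> Self {
        Untrusted(value)
    }

    /// The only way out: run `check` on the value and hand back the plain `T`
    /// only if it passes, so the validation is visible at every site where an
    /// untrusted value becomes a trusted one.
    pub fn trust_if<F>(self, check: F) -> Result<T, TrustError>
    where
        F: FnOnce(&T) -> bool,
    {
        if check(&self.0) {
            Ok(self.0)
        } else {
            Err(TrustError)
        }
    }
}

/// Size of a fixed kernel-side buffer (assumed value for this example).
pub const BUF_SIZE: usize = 64;

/// Example consumer: a copy length supplied by user space may only be used
/// once it has been shown to fit the buffer. Returning the error instead of
/// a clamped value keeps the failure path explicit for the caller.
pub fn copy_len(user_len: Untrusted<usize>) -> Result<usize, TrustError> {
    user_len.trust_if(|&n| n <= BUF_SIZE)
}

fn main() {
    println!("{:?}", copy_len(Untrusted::new(16)));  // Ok(16)
    println!("{:?}", copy_len(Untrusted::new(100))); // Err(TrustError)
}
```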