Sanitise unsafe functions, GNUC annotations
This is an attempt to sanitise unsafe functions in the libknot API which allow easy out-of-bounds reads or an undefined return value. The other part is annotating the most used functions with appropriate attributes.
I would prefer using the same annotation style as we do for _public_ (and _cleanup_ in libdnssec).
Added 1 commit:
- 9b31291e - libknot: added GNU C attribs for common functions
@jvcelak Are you ok with the new version? :-)
Looks better to me. Now we just have to make sure we keep the annotations up-to-date.
Which doesn't matter that much for these particular annotations. I think the conflict will be unlikely. And if there is a conflict, the semantics will hopefully be the same. I would just ignore that till somebody complains.
It's similar to the _t suffix for typedefs. We should not use that, because it's reserved for POSIX.
30 30 #define _public_ __attribute__((visibility("default"))) 31 31 #define _hidden_ __attribute__((visibility("hidden"))) 32 32 33 /*! \brief GNU C function attributes. */ 34 #if __GNUC__ >= 3 35 #define _pure_ __attribute__ ((pure)) 36 #define _const_ __attribute__ ((const)) 37 #define _noreturn_ __attribute__ ((noreturn)) 38 #define _malloc_ __attribute__ ((malloc)) 39 #define _mustcheck_ __attribute__ ((warn_unused_result)) 50 51 * \retval KNOT_EMALF 51 52 * \retval KNOT_ESPACE 52 53 */ 54 _pure_ _mustcheck_ 53 55 int knot_dname_wire_check(const uint8_t *name, const uint8_t *endp,
https://lwn.net/Articles/285332/
A counter-example of a non-pure function is the strcpy() function. This function takes two pointers as parameters. It accesses the latter to read the source string, and the former to write to the destination string. As I said, the memory areas pointed to by the parameters are not parameters on their own, but are considered global memory and, in that function, global memory is not only accessed for reading, but also for writing. The return value derives directly from the parameters (it is the same as the first parameter), but global memory is affected by the side effect of strcpy(), making it not pure.
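The two attributes the thread settles on, shown on a small bounds-checked wire-name validator of the kind the MR annotates. This is example code added here, not libknot's; the macro fallback, the `dname_wire_check` function, its error codes and the sample names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Attribute macros named after the MR's _pure_/_mustcheck_, with an #else
 * fallback so non-GNU compilers still see plain prototypes (hypothetical). */
#if defined(__GNUC__) && __GNUC__ >= 3
#define _pure_      __attribute__((pure))
#define _mustcheck_ __attribute__((warn_unused_result))
#else
#define _pure_
#define _mustcheck_
#endif

/* Constructed error codes standing in for KNOT_EMALF / KNOT_ESPACE. */
#define DNAME_EMALF  (-1)   /* malformed name (label or name too long) */
#define DNAME_ESPACE (-2)   /* a read would run past endp */

/* Validate a wire-format name held in [name, endp). Every octet is
 * bounds-checked before it is read, so a truncated buffer yields
 * DNAME_ESPACE instead of an out-of-bounds read. pure: it only reads
 * through its arguments and has no side effects; warn_unused_result:
 * callers must act on the verdict. Returns the encoded length. */
_pure_ _mustcheck_
int dname_wire_check(const uint8_t *name, const uint8_t *endp)
{
    const uint8_t *p = name;
    if (name == NULL || endp == NULL || name >= endp)
        return DNAME_ESPACE;
    for (;;) {
        uint8_t len = *p++;                 /* in bounds: p < endp here */
        if (len == 0)
            break;                          /* root label ends the name */
        if (len > 63)
            return DNAME_EMALF;             /* 0x40..0xff: not a plain label */
        if ((size_t)(endp - p) < len)
            return DNAME_ESPACE;            /* label body would overrun */
        p += len;
        if (p >= endp)
            return DNAME_ESPACE;            /* no room for the next length octet */
    }
    if (p - name > 255)
        return DNAME_EMALF;                 /* RFC 1035 name length limit */
    return (int)(p - name);
}

/* Constructed samples: "example.com." in wire form, and a 64-octet label. */
static const uint8_t EXAMPLE_COM[] = {7,'e','x','a','m','p','l','e',3,'c','o','m',0};
static const uint8_t LONG_LABEL[]  = {64,'a',0};
```

Passing `EXAMPLE_COM + 12` as `endp` cuts the buffer just before the root octet and makes the function report `DNAME_ESPACE` rather than read past the end.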
mentioned in commit 6369a2ed