RFR: 8313396: Portable implementation of FORBID_C_FUNCTION and ALLOW_C_FUNCTION
Julian Waters
jwaters at openjdk.org
Sun Dec 29 08:47:34 UTC 2024
On Sun, 29 Dec 2024 08:11:07 GMT, Kim Barrett <kbarrett at openjdk.org> wrote:
> Please review this change to how HotSpot prevents the use of certain C library
> functions (e.g. poisons references to those functions), while permitting a
> subset to be used in restricted circumstances. Reasons for poisoning a
> function include it being considered obsolete, or a security concern, or there
> is a HotSpot function (typically in the os:: namespace) providing similar
> functionality that should be used instead.
>
> The old mechanism, based on -Wattribute-warning and the associated attribute,
> only worked for gcc. (Clang's implementation differs in an important way from
> gcc, which is the subject of a clang bug that has been open for years. MSVC
> doesn't provide a similar mechanism.) It also had problems with LTO, due to a
> gcc bug.
>
> The new mechanism is based on deprecation warnings, using [[deprecated]]
> attributes. We redeclare or forward declare the functions we want to prevent
> use of as being deprecated. This relies on deprecation warnings being
> enabled, which they already are in our build configuration. All of our
> supported compilers support the [[deprecated]] attribute.
>
> Another benefit of using deprecation warnings rather than warning attributes
> is the time when the check is performed. Warning attributes are checked only
> if the function is referenced after all optimizations have been performed.
> Deprecation is checked during initial semantic analysis. That's better for
> our purposes here. (This is also part of why gcc LTO has problems with the
> old mechanism, but not the new.)
>
> Adding these redeclarations or forward declarations isn't as simple as
> expected, due to differences between the various compilers. We hide the
> differences behind a set of macros, FORBID_C_FUNCTION and related macros. See
> the compiler-specific parts of those macros for details.
>
> In some situations we need to allow references to these poisoned functions.
>
> One common case is where our poisoning is visible to some 3rd party code we
> don't want to modify. This is typically 3rd party headers included in HotSpot
> code, such as from Google Test or the C++ Standard Library. For these the
> BEGIN/END_ALLOW_FORBIDDEN_FUNCTIONS pair of macros are used demark the context
> where such references are permitted.
>
> Some of the poisoned functions are needed to implement associated HotSpot os::
> functions, or in other similarly restricted contexts. For these, a wrapper
> function is provided that calls the poisoned function with the warning
> suppressed. These wrappers are defined in the permit_fo...
Overall nice change, my only complaint is that to know which FORBID macro to use (IMPORTED, NORETURN, etc), you have to delve into implementation details to select the right one. That quickly becomes confusing. But unfortunately all the other approaches thus far have failed, so there aren't really any alternatives that are any better than this approach
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22890#issuecomment-2564655329
More information about the graal-dev
mailing list