Ownership attribute for malloc etc. checking

This is a second try at some attributes that presently only enable the malloc checker to be smarter. Syntactically, however, the attributes are intended to be more generally useful.

The attributes are currently used like this:

void __attribute((ownership_takes(malloc, 1))) bar(char * it) {
  /* ... */
}

char * __attribute((ownership_returns(malloc, 1))) bar2(size_t i) {
  return (char *) malloc(i);
}

There is a third called ownership_holds. The distinction is that ownership_takes does not allow the resource to be used after passing it in, while ownership_holds does.

The first argument is intended to be the name of a type of resource, in this case memory allocated through malloc. This is the only value currently checked; any other value is silently ignored.

The second argument is an index into the function’s argument list: for ownership_returns it is the size of the malloc region; for the others it is the pointer to check.

In this patch, only one argument per function can be annotated; that still has to be fixed.


clang-ownership.patch (22.9 KB)

I'm not any sort of authority on the checker, so take this with a
grain of salt, but I had a comment on the syntax here.

Identifying a function argument by index is really error prone and
hard to use. In particular, you wind up having to tell people to use
different bases for member functions vs non-member functions, and fix
up the index when anything changes. It would be much nicer to attach
the attribute to the actual argument, like

void bar(char * it __attribute((ownership_takes(malloc)))) {

I don't know whether this placement is possible with clang's current
parser—gcc doesn't allow it—but I believe Sean's working on fixing
that over the summer.
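
The take/hold distinction from the first message, as an added example that is not code from the patch or from either poster. The names buf_alloc, buf_release, cache_put, cache_drop and demo are hypothetical, and the macros expand to nothing on a compiler that lacks the attributes.

```c
#include <stdlib.h>
#include <string.h>

/* Use the index-based syntax from the first message where available. */
#ifndef __has_attribute
#define __has_attribute(x) 0
#endif
#if __has_attribute(ownership_returns) && __has_attribute(ownership_takes) && \
    __has_attribute(ownership_holds)
#define OWN_RETURNS(i) __attribute__((ownership_returns(malloc, i)))
#define OWN_TAKES(i)   __attribute__((ownership_takes(malloc, i)))
#define OWN_HOLDS(i)   __attribute__((ownership_holds(malloc, i)))
#else
#define OWN_RETURNS(i)
#define OWN_TAKES(i)
#define OWN_HOLDS(i)
#endif

static char *cache_slot; /* hypothetical single-entry cache */

/* Argument 1 is the size of the returned malloc region. */
OWN_RETURNS(1) char *buf_alloc(size_t n) { return (char *)malloc(n); }

/* Argument 1 is the pointer; the caller may not use it afterwards. */
OWN_TAKES(1) void buf_release(char *p) { free(p); }

/* Argument 1 is the pointer; the caller may keep using it. */
OWN_HOLDS(1) void cache_put(char *p) { free(cache_slot); cache_slot = p; }

/* Frees whatever the cache holds; returns 1 if there was an entry. */
int cache_drop(void) {
    int had = cache_slot != NULL;
    free(cache_slot);
    cache_slot = NULL;
    return had;
}

/* Returns the length written after the hold, or -1 on failure. */
int demo(void) {
    char *a = buf_alloc(16), *b = buf_alloc(16);
    if (!a || !b) { free(a); free(b); return -1; }
    cache_put(a);             /* holds: the cache now owns a */
    strcpy(a, "still valid"); /* use after a hold is allowed */
    int n = (int)strlen(a);
    buf_release(b);           /* takes: b is off limits from here */
    /* b[0] = 'x';   use after a take, which is not allowed */
    return cache_drop() ? n : -1;
}

int main(void) { return demo() == 11 ? 0 : 1; }
```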