Mark allocation functions with their deallocator

Mark allocation functions in C support libraries with their
corresponding deallocation functions so that GCC 11 and later can
diagnose memory deallocation bugs.

Author: rra

NEWS

@@ -21,6 +21,10 @@ rra-c-util 10.2 (unreleased)
     handles read-only directories correctly.  Optionally depend on
     Perl::Critic::Community instead of Perl::Critic::Freenode.
 
+    Mark allocation functions in C support libraries with their
+    corresponding deallocation functions so that GCC 11 and later can
+    diagnose memory deallocation bugs.
+
     Document the dependency some Autoconf macros have on the macros
     provided by pkg-config.
 

pam-util/vector.h

@@ -20,6 +20,7 @@
  * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
  *
  * Written by Russ Allbery <[email protected]>
+ * Copyright 2022 Russ Allbery <[email protected]>
  * Copyright 2010-2011, 2014
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -51,15 +52,18 @@ BEGIN_DECLS
 /* Default to a hidden visibility for all util functions. */
 #pragma GCC visibility push(hidden)
 
+/* Free the vector and all resources allocated for it. */
+void vector_free(struct vector *);
+
 /* Create a new, empty vector.  Returns NULL on memory allocation failure. */
-struct vector *vector_new(void) __attribute__((__malloc__));
+struct vector *vector_new(void) __attribute__((__malloc__(vector_free)));
 
 /*
  * Create a new vector that's a copy of an existing vector.  Returns NULL on
  * memory allocation failure.
  */
 struct vector *vector_copy(const struct vector *)
-    __attribute__((__malloc__, __nonnull__));
+    __attribute__((__malloc__(vector_free), __nonnull__));
 
 /*
  * Add a string to a vector.  Resizes the vector if necessary.  Returns false
@@ -82,9 +86,6 @@ bool vector_resize(struct vector *, size_t size) __attribute__((__nonnull__));
  */
 void vector_clear(struct vector *) __attribute__((__nonnull__));
 
-/* Free the vector and all resources allocated for it. */
-void vector_free(struct vector *);
-
 /*
  * Split functions build a vector from a string.  vector_split_multi splits on
  * a set of characters.  If the vector argument is NULL, a new vector is

portable/macros.h

@@ -5,7 +5,7 @@
  * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
  *
  * Written by Russ Allbery <[email protected]>
- * Copyright 2015 Russ Allbery <[email protected]>
+ * Copyright 2015, 2022 Russ Allbery <[email protected]>
  * Copyright 2008, 2011-2012
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -45,6 +45,16 @@
 #    endif
 #endif
 
+/*
+ * Suppress the argument to __malloc__ in Clang (not supported in at least
+ * version 13) and GCC versions prior to 11.
+ */
+#if !defined(__attribute__) && !defined(__malloc__)
+#    if defined(__clang__) || __GNUC__ < 11
+#        define __malloc__(dalloc) __malloc__
+#    endif
+#endif
+
 /*
  * LLVM and Clang pretend to be GCC but don't support all of the __attribute__
  * settings that GCC does.  For them, suppress warnings about unknown

tests/runtests.c

@@ -8,7 +8,7 @@
  * should be sent to the e-mail address below.  This program is part of C TAP
  * Harness <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
  *
- * Copyright 2000-2001, 2004, 2006-2019 Russ Allbery <[email protected]>
+ * Copyright 2000-2001, 2004, 2006-2019, 2022 Russ Allbery <[email protected]>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -280,6 +280,16 @@ Failed Set                 Fail/Total (%) Skip Stat  Failing Tests\n\
 #    endif
 #endif
 
+/*
+ * Suppress the argument to __malloc__ in Clang (not supported in at least
+ * version 13) and GCC versions prior to 11.
+ */
+#if !defined(__attribute__) && !defined(__malloc__)
+#    if defined(__clang__) || __GNUC__ < 11
+#        define __malloc__(dalloc) __malloc__
+#    endif
+#endif
+
 /*
  * LLVM and Clang pretend to be GCC but don't support all of the __attribute__
  * settings that GCC does.  For them, suppress warnings about unknown
@@ -296,15 +306,15 @@ static void die(const char *, ...)
 static void sysdie(const char *, ...)
     __attribute__((__nonnull__, __noreturn__, __format__(printf, 1, 2)));
 static void *x_calloc(size_t, size_t, const char *, int)
-    __attribute__((__alloc_size__(1, 2), __malloc__, __nonnull__));
+    __attribute__((__alloc_size__(1, 2), __malloc__(free), __nonnull__));
 static void *x_malloc(size_t, const char *, int)
-    __attribute__((__alloc_size__(1), __malloc__, __nonnull__));
+    __attribute__((__alloc_size__(1), __malloc__(free), __nonnull__));
 static void *x_reallocarray(void *, size_t, size_t, const char *, int)
-    __attribute__((__alloc_size__(2, 3), __malloc__, __nonnull__(4)));
+    __attribute__((__alloc_size__(2, 3), __malloc__(free), __nonnull__(4)));
 static char *x_strdup(const char *, const char *, int)
-    __attribute__((__malloc__, __nonnull__));
+    __attribute__((__malloc__(free), __nonnull__));
 static char *x_strndup(const char *, size_t, const char *, int)
-    __attribute__((__malloc__, __nonnull__));
+    __attribute__((__malloc__(free), __nonnull__));
 
 
 /*

tests/tap/basic.h

@@ -5,7 +5,7 @@
  * documentation is at <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
  *
  * Written by Russ Allbery <[email protected]>
- * Copyright 2009-2019 Russ Allbery <[email protected]>
+ * Copyright 2009-2019, 2022 Russ Allbery <[email protected]>
  * Copyright 2001-2002, 2004-2008, 2011-2012, 2014
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -129,17 +129,20 @@ void diag_file_remove(const char *file) __attribute__((__nonnull__));
 
 /* Allocate memory, reporting a fatal error with bail on failure. */
 void *bcalloc(size_t, size_t)
-    __attribute__((__alloc_size__(1, 2), __malloc__, __warn_unused_result__));
-void *bmalloc(size_t)
-    __attribute__((__alloc_size__(1), __malloc__, __warn_unused_result__));
+    __attribute__((__alloc_size__(1, 2), __malloc__(free),
+                   __warn_unused_result__));
+void *bmalloc(size_t) __attribute__((__alloc_size__(1), __malloc__(free),
+                                     __warn_unused_result__));
 void *breallocarray(void *, size_t, size_t)
-    __attribute__((__alloc_size__(2, 3), __malloc__, __warn_unused_result__));
+    __attribute__((__alloc_size__(2, 3), __malloc__(free),
+                   __warn_unused_result__));
 void *brealloc(void *, size_t)
-    __attribute__((__alloc_size__(2), __malloc__, __warn_unused_result__));
+    __attribute__((__alloc_size__(2), __malloc__(free),
+                   __warn_unused_result__));
 char *bstrdup(const char *)
-    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
+    __attribute__((__malloc__(free), __nonnull__, __warn_unused_result__));
 char *bstrndup(const char *, size_t)
-    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
+    __attribute__((__malloc__(free), __nonnull__, __warn_unused_result__));
 
 /*
  * Macros that cast the return value from b* memory functions, making them
@@ -153,16 +156,18 @@ char *bstrndup(const char *, size_t)
  * Find a test file under C_TAP_BUILD or C_TAP_SOURCE, returning the full
  * path.  The returned path should be freed with test_file_path_free().
  */
-char *test_file_path(const char *file)
-    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
 void test_file_path_free(char *path);
+char *test_file_path(const char *file)
+    __attribute__((__malloc__(test_file_path_free), __nonnull__,
+                   __warn_unused_result__));
 
 /*
  * Create a temporary directory relative to C_TAP_BUILD and return the path.
  * The returned path should be freed with test_tmpdir_free().
  */
-char *test_tmpdir(void) __attribute__((__malloc__, __warn_unused_result__));
 void test_tmpdir_free(char *path);
+char *test_tmpdir(void)
+    __attribute__((__malloc__(test_tmpdir_free), __warn_unused_result__));
 
 /*
  * Register a cleanup function that is called when testing ends.  All such

tests/tap/kerberos.c

@@ -15,7 +15,7 @@
  * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
  *
  * Written by Russ Allbery <[email protected]>
- * Copyright 2017 Russ Allbery <[email protected]>
+ * Copyright 2017, 2022 Russ Allbery <[email protected]>
  * Copyright 2006-2007, 2009-2014
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -211,9 +211,11 @@ kerberos_kinit(void)
  * process so that test programs that fork don't remove the ticket cache still
  * used by the main program.
  */
-static void
-kerberos_free(void)
+void
+kerberos_free(struct kerberos_config *config_arg)
 {
+    if (config_arg != config)
+        bail("invalid argument to kerberos_free");
     test_tmpdir_free(tmpdir_ticket);
     tmpdir_ticket = NULL;
     if (config != NULL) {
@@ -257,7 +259,7 @@ kerberos_cleanup(void)
         unlink(path);
         free(path);
     }
-    kerberos_free();
+    kerberos_free(config);
 }
 
 
@@ -273,7 +275,7 @@ kerberos_cleanup_handler(int success UNUSED, int primary)
     if (primary)
         kerberos_cleanup();
     else
-        kerberos_free();
+        kerberos_free(config);
 }
 
 

tests/tap/kerberos.h

@@ -5,7 +5,7 @@
  * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
  *
  * Written by Russ Allbery <[email protected]>
- * Copyright 2017, 2020 Russ Allbery <[email protected]>
+ * Copyright 2017, 2020, 2022 Russ Allbery <[email protected]>
  * Copyright 2006-2007, 2009, 2011-2014
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -76,6 +76,8 @@ BEGIN_DECLS
  * them in a Kerberos ticket cache, sets KRB5_KTNAME and KRB5CCNAME.  It also
  * loads the principal and password from config/password, if it exists, and
  * stores the principal, password, username, and realm in the returned struct.
+ * The returned struct is also saved statically to allow for easier cleanup
+ * and thus cleaner valgrind output in tests.
  *
  * If there is no config/keytab file, KRB5_KTNAME and KRB5CCNAME won't be set
  * and the keytab field will be NULL.  If there is no config/password file,
@@ -87,9 +89,14 @@ BEGIN_DECLS
  * however, be called directly if for some reason the caller needs to delete
  * the Kerberos environment again.  However, normally the caller can just call
  * kerberos_setup again.
+ *
+ * kerberos_free is an alternate way of calling kerberos_cleanup that
+ * satisfies the __malloc__ annotation requirements.  There is normally no
+ * need to call it.
  */
+void kerberos_free(struct kerberos_config *);
 struct kerberos_config *kerberos_setup(enum kerberos_needs)
-    __attribute__((__malloc__));
+    __attribute__((__malloc__(kerberos_free)));
 void kerberos_cleanup(void);
 
 /*

tests/tap/macros.h

@@ -8,7 +8,7 @@
  * This file is part of C TAP Harness.  The current version plus supporting
  * documentation is at <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
  *
- * Copyright 2008, 2012-2013, 2015 Russ Allbery <[email protected]>
+ * Copyright 2008, 2012-2013, 2015, 2022 Russ Allbery <[email protected]>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -69,6 +69,16 @@
 #    endif
 #endif
 
+/*
+ * Suppress the argument to __malloc__ in Clang (not supported in at least
+ * version 13) and GCC versions prior to 11.
+ */
+#if !defined(__attribute__) && !defined(__malloc__)
+#    if defined(__clang__) || __GNUC__ < 11
+#        define __malloc__(dalloc) __malloc__
+#    endif
+#endif
+
 /*
  * LLVM and Clang pretend to be GCC but don't support all of the __attribute__
  * settings that GCC does.  For them, suppress warnings about unknown

util/buffer.h

@@ -16,7 +16,7 @@
  * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
  *
  * Written by Russ Allbery <[email protected]>
- * Copyright 2014-2015 Russ Allbery <[email protected]>
+ * Copyright 2014-2015, 2022 Russ Allbery <[email protected]>
  * Copyright 2011-2012
  *     The Board of Trustees of the Leland Stanford Junior University
  * Copyright 2004-2006 Internet Systems Consortium, Inc. ("ISC")
@@ -62,13 +62,13 @@ BEGIN_DECLS
 /* Default to a hidden visibility for all util functions. */
 #pragma GCC visibility push(hidden)
 
-/* Allocate a new buffer and initialize its contents. */
-struct buffer *buffer_new(void)
-    __attribute__((__warn_unused_result__, __malloc__));
-
 /* Free an allocated buffer. */
 void buffer_free(struct buffer *);
 
+/* Allocate a new buffer and initialize its contents. */
+struct buffer *buffer_new(void)
+    __attribute__((__warn_unused_result__, __malloc__(buffer_free)));
+
 /*
  * Resize a buffer to be at least as large as the provided size.  Invalidates
  * pointers into the buffer.

util/vector.h

@@ -12,7 +12,7 @@
  * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
  *
  * Written by Russ Allbery <[email protected]>
- * Copyright 2001-2006 Russ Allbery <[email protected]>
+ * Copyright 2001-2006, 2022 Russ Allbery <[email protected]>
  * Copyright 2005-2006, 2008-2011, 2013-2014
  *     The Board of Trustees of the Leland Stanford Junior University
  *
@@ -31,6 +31,7 @@
 #include <portable/macros.h>
 
 #include <stddef.h>
+#include <stdlib.h>
 
 struct vector {
     size_t count;
@@ -49,11 +50,18 @@ BEGIN_DECLS
 /* Default to a hidden visibility for all util functions. */
 #pragma GCC visibility push(hidden)
 
+/*
+ * Free the vector and all resources allocated for it.  NULL may be passed in
+ * safely and will be ignored.
+ */
+void vector_free(struct vector *);
+void cvector_free(struct cvector *);
+
 /* Create a new, empty vector. */
 struct vector *vector_new(void)
-    __attribute__((__warn_unused_result__, __malloc__));
+    __attribute__((__warn_unused_result__, __malloc__(vector_free)));
 struct cvector *cvector_new(void)
-    __attribute__((__warn_unused_result__, __malloc__));
+    __attribute__((__warn_unused_result__, __malloc__(cvector_free)));
 
 /* Add a string to a vector.  Resizes the vector if necessary. */
 void vector_add(struct vector *, const char *string)
@@ -81,13 +89,6 @@ void cvector_resize(struct cvector *, size_t size)
 void vector_clear(struct vector *) __attribute__((__nonnull__));
 void cvector_clear(struct cvector *) __attribute__((__nonnull__));
 
-/*
- * Free the vector and all resources allocated for it.  NULL may be passed in
- * safely and will be ignored.
- */
-void vector_free(struct vector *);
-void cvector_free(struct cvector *);
-
 /*
  * Split functions build a vector from a string.  vector_split splits on a
  * specified character, vector_split_multi splits on a set of characters, and
@@ -125,9 +126,9 @@ struct cvector *cvector_split_space(char *string, struct cvector *)
  * responsible for freeing.
  */
 char *vector_join(const struct vector *, const char *separator)
-    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
+    __attribute__((__malloc__(free), __nonnull__, __warn_unused_result__));
 char *cvector_join(const struct cvector *, const char *separator)
-    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
+    __attribute__((__malloc__(free), __nonnull__, __warn_unused_result__));
 
 /*
  * Exec the given program with the vector as its arguments.  Return behavior