This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/lib/Sema/
-
lib/
-
Sema/
9
SemaChecking.cpp

Differential D133108

[clang] Rework IsTailPaddedMemberArray into isFlexibleArrayMemberExpr
ClosedPublic

Authored by serge-sans-paille on Sep 1 2022, 6:18 AM.

Download Raw Diff

Details

Reviewers

jyknight
aaron.ballman

Commits

rGdad36245a5c2: [clang] Rework IsTailPaddedMemberArray into isFlexibleArrayMemberExpr

Summary

This fixes a bunch of FIXME within IsTailPaddedMemberArray related code.

As a side effect, this now also triggers a warning when trying to access a
"struct hack" field with an index that cannot be represented in associated address space.

Diff Detail

Event Timeline

serge-sans-paille created this revision.Sep 1 2022, 6:18 AM

Herald added a project: Restricted Project. · View Herald TranscriptSep 1 2022, 6:18 AM

serge-sans-paille requested review of this revision.Sep 1 2022, 6:18 AM

Herald added a project: Restricted Project. · View Herald TranscriptSep 1 2022, 6:18 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B184562: Diff 457248.Sep 1 2022, 7:42 AM

serge-sans-paille added a reviewer: aaron.ballman.Sep 6 2022, 4:43 AM

msebor added a subscriber: msebor.Sep 13 2022, 9:39 AM

msebor added inline comments.

clang/lib/Sema/SemaChecking.cpp
15969	I'm not familiar with this code but I'm guessing that at most one of the `if` conditionals is true, and if it's the first one then the second `dyn_cast` will fail. Should the `if` guarding this assignment then be an `else if`?

aaron.ballman added inline comments.Sep 15 2022, 10:07 AM

clang/lib/Sema/SemaChecking.cpp
15881	depending on <ins>the value of</ins> -fstrict-flex-array <del>value</del><ins>.</ins> (Sorry, the Suggest Edits button seems to be unavailable)
15969	While this code is moving around from elsewhere, +1, this should use an `else if`. Also, you should use `const auto *` for the declarations since the type is explicitly spelled out in the initializers.
15974	You can drop the parens.

Take reviews into account

Harbormaster completed remote builds in B187107: Diff 460704.Sep 16 2022, 6:11 AM

Found a few more things while trying to convince myself this really is NFC, and I don't think it is. If you agree, then I think we should have some additional test coverage to show the behavioral changes.

clang/lib/Sema/SemaChecking.cpp
15977	Missed this before, but drop the top-level `const` or remove the local and just use the call directly in the one place the value is needed.
15989	This seems like a functional change....
15990–15991	I think the parens helped to add clarity here (also, there's probably a warning generated about mixed \|\| and && from this too, isn't there?)
16004	...because now we can get into this block...
16048	... which means we can now hit this diagnostic.

Address minor nits, plus add a test case that showcases the extra (legitimate!) warning we now get when accessing a "struct hack" field with an index that cannot be represented in associated address space.

Kudos to @aaron.ballman for spotting this one!

As a comparison, current behavior for the same test case: https://godbolt.org/z/86Wcbrz5q (only the flexible array member is flagged with a warning, the struct hacks are ignored)

Harbormaster completed remote builds in B187244: Diff 460899.Sep 16 2022, 4:16 PM

msebor added inline comments.Sep 20 2022, 2:20 PM

clang/test/Sema/unbounded-array-bounds.c
101 ↗	(On Diff #460899)	There's a difference between the sizes of `fam1` and `fam` that makes accesses to the four leading elements of `fam1.tail` strictly in bounds, while no access to either `fam.tail` or `fam0.tail` is (`sizeof fam` is the same as `sizeof int` while `sizeof fam1` is equal to `sizeof (int[2])` on common targets). It would be helpful to capture that difference in the tests, both for the warning and for `__builtin_object_size`. There should also be a difference between accessing elements of an object of an initialized struct with a flexible array member (i.e., one whose size is known) and those of an object that's only declared but that's defined in some other translation unit. Since the size of the object is determined by its initializer, it should be reflected in `__builtin_object_size` and accesses to it checked by `-Warray-bounds`. The size of the latter object is unknown it must be assumed to be `PTRDIFF_MAX - sizeof (int) - 1`. It would also be helpful to add tests for these cases. As far as I can see, none of these cases seems to be handled quite right on trunk. For example, the size of `s` below should be 8 but Clang evaluates `__builtin_object_size(&s, N)` to 4, without diagnosing any past-the-end accesses to `s.a`: struct S { int n; char a[]; } s = { 1, { 2, 3, 4, 5 } };

msebor added inline comments.Sep 20 2022, 3:37 PM

clang/test/Sema/unbounded-array-bounds.c
101 ↗	(On Diff #460899)	I opened PR #57860 to better show what I mean.

serge-sans-paille added inline comments.Sep 21 2022, 12:28 AM

clang/test/Sema/unbounded-array-bounds.c
101 ↗	(On Diff #460899)	Agreed. I suggest we discuss that in this PR, while me merge this "code cleanup with enhancement", if @aaron.ballman agrees :-)

LGTM, though this should probably have a release note for it (we can augment the release note when we make further changes in this area).

clang/test/Sema/unbounded-array-bounds.c
101 ↗	(On Diff #460899)	+1 -- there are bugs there to be fixed, but handling that separately from this cleanup seems like it will be easier to review and discuss.

This revision is now accepted and ready to land.Sep 21 2022, 9:55 AM

Closed by commit rGdad36245a5c2: [clang] Rework IsTailPaddedMemberArray into isFlexibleArrayMemberExpr (authored by serge-sans-paille). · Explain WhySep 22 2022, 5:04 AM

This revision was automatically updated to reflect the committed changes.

serge-sans-paille added a commit: rGdad36245a5c2: [clang] Rework IsTailPaddedMemberArray into isFlexibleArrayMemberExpr.

Revision Contents

Path

Size

clang/

lib/

Sema/

SemaChecking.cpp

53 lines

Diff 460704

clang/lib/Sema/SemaChecking.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

	Show First 20 Lines • Show All 9,978 Lines • ▼ Show 20 Lines
	const PointerType *SrcPtr = Op->getType()->getAs<PointerType>();			const PointerType *SrcPtr = Op->getType()->getAs<PointerType>();
	if (!SrcPtr) return;			if (!SrcPtr) return;
	QualType SrcPointee = SrcPtr->getPointeeType();			QualType SrcPointee = SrcPtr->getPointeeType();

	// Explicitly allow casts from cv void*. We already implicitly			// Explicitly allow casts from cv void*. We already implicitly
	// allowed casts to cv void*, since they have alignment 1.			// allowed casts to cv void*, since they have alignment 1.
	// Also allow casts involving incomplete types, which implicitly			// Also allow casts involving incomplete types, which implicitly
	// includes 'void'.			// includes 'void'.
	if (SrcPointee->isIncompleteType()) return;			if (SrcPointee->isIncompleteType()) return;
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions depending on <ins>the value of</ins> -fstrict-flex-array <del>value</del><ins>.</ins> (Sorry, the Suggest Edits button seems to be unavailable) aaron.ballman: depending on <ins>the value of</ins> -fstrict-flex-array <del>value</del><ins>.</ins> (Sorry…

	CharUnits SrcAlign = getPresumedAlignmentOfPointer(Op, *this);			CharUnits SrcAlign = getPresumedAlignmentOfPointer(Op, *this);

	if (SrcAlign >= DestAlign) return;			if (SrcAlign >= DestAlign) return;

	Diag(TRange.getBegin(), diag::warn_cast_align)			Diag(TRange.getBegin(), diag::warn_cast_align)
	<< Op->getType() << T			<< Op->getType() << T
	<< static_cast<unsigned>(SrcAlign.getQuantity())			<< static_cast<unsigned>(SrcAlign.getQuantity())
	<< static_cast<unsigned>(DestAlign.getQuantity())			<< static_cast<unsigned>(DestAlign.getQuantity())
	<< TRange << Op->getSourceRange();			<< TRange << Op->getSourceRange();
	}			}

	/// Check whether this array fits the idiom of a size-one tail padded			/// Check whether this array fits the idiom of a flexible array member,
	/// array member of a struct.			/// depending on the value of -fstrict-flex-array.
	///			///
	/// We avoid emitting out-of-bounds access warnings for such arrays as they are			/// We avoid emitting out-of-bounds access warnings for such arrays.
	/// commonly used to emulate flexible arrays in C89 code.			static bool isFlexibleArrayMemberExpr(Sema &S, const Expr *E,
	static bool IsTailPaddedMemberArray(Sema &S, const llvm::APInt &Size,			const NamedDecl *ND,
	const NamedDecl *ND,			unsigned StrictFlexArraysLevel) {
	unsigned StrictFlexArraysLevel) {
	if (!ND)			if (!ND)
	return false;			return false;

				const ConstantArrayType *ArrayTy =
				S.Context.getAsConstantArrayType(E->getType());
				llvm::APInt Size = ArrayTy->getSize();

				if (Size == 0)
				return true;

	// FIXME: While the default -fstrict-flex-arrays=0 permits Size>1 trailing			// FIXME: While the default -fstrict-flex-arrays=0 permits Size>1 trailing
	// arrays to be treated as flexible-array-members, we still emit diagnostics			// arrays to be treated as flexible-array-members, we still emit diagnostics
	// as if they are not. Pending further discussion...			// as if they are not. Pending further discussion...
	if (StrictFlexArraysLevel >= 2 \|\| Size.uge(2))			if (StrictFlexArraysLevel >= 2 \|\| Size.uge(2))
	return false;			return false;

	const FieldDecl *FD = dyn_cast<FieldDecl>(ND);			const FieldDecl *FD = dyn_cast<FieldDecl>(ND);
	if (!FD)			if (!FD)
	▲ Show 20 Lines • Show All 41 Lines • ▼ Show 20 Lines
	const ArraySubscriptExpr *ASE,			const ArraySubscriptExpr *ASE,
	bool AllowOnePastEnd, bool IndexNegated) {			bool AllowOnePastEnd, bool IndexNegated) {
	// Already diagnosed by the constant evaluator.			// Already diagnosed by the constant evaluator.
	if (isConstantEvaluated())			if (isConstantEvaluated())
	return;			return;

	IndexExpr = IndexExpr->IgnoreParenImpCasts();			IndexExpr = IndexExpr->IgnoreParenImpCasts();
	if (IndexExpr->isValueDependent())			if (IndexExpr->isValueDependent())
	return;			return;
				mseborUnsubmitted Not Done Reply Inline Actions I'm not familiar with this code but I'm guessing that at most one of the `if` conditionals is true, and if it's the first one then the second `dyn_cast` will fail. Should the `if` guarding this assignment then be an `else if`? msebor: I'm not familiar with this code but I'm guessing that at most one of the `if` conditionals is…
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions While this code is moving around from elsewhere, +1, this should use an `else if`. Also, you should use `const auto ` for the declarations since the type is explicitly spelled out in the initializers. aaron.ballman:* While this code is moving around from elsewhere, +1, this should use an `else if`. Also, you…

	const Type *EffectiveType =			const Type *EffectiveType =
	BaseExpr->getType()->getPointeeOrArrayElementType();			BaseExpr->getType()->getPointeeOrArrayElementType();
	BaseExpr = BaseExpr->IgnoreParenCasts();			BaseExpr = BaseExpr->IgnoreParenCasts();
	const ConstantArrayType *ArrayTy =			const ConstantArrayType *ArrayTy =
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions You can drop the parens. aaron.ballman: You can drop the parens.
	Context.getAsConstantArrayType(BaseExpr->getType());			Context.getAsConstantArrayType(BaseExpr->getType());

				const unsigned StrictFlexArraysLevel = getLangOpts().StrictFlexArrays;
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions Missed this before, but drop the top-level `const` or remove the local and just use the call directly in the one place the value is needed. aaron.ballman: Missed this before, but drop the top-level `const` or remove the local and just use the call…

				const NamedDecl *ND = nullptr;
				if (const auto *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
				ND = DRE->getDecl();
				else if (const auto *ME = dyn_cast<MemberExpr>(BaseExpr))
				ND = ME->getMemberDecl();

	const Type *BaseType =			const Type *BaseType =
	ArrayTy == nullptr ? nullptr : ArrayTy->getElementType().getTypePtr();			ArrayTy == nullptr ? nullptr : ArrayTy->getElementType().getTypePtr();
	bool IsUnboundedArray = (BaseType == nullptr);			bool IsUnboundedArray =
				BaseType == nullptr \|\|
				isFlexibleArrayMemberExpr(*this, BaseExpr, ND, StrictFlexArraysLevel);
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions This seems like a functional change.... aaron.ballman: This seems like a functional change....
	if (EffectiveType->isDependentType() \|\|			if (EffectiveType->isDependentType() \|\|
	(!IsUnboundedArray && BaseType->isDependentType()))			!IsUnboundedArray && BaseType->isDependentType())
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions I think the parens helped to add clarity here (also, there's probably a warning generated about mixed \|\| and && from this too, isn't there?) aaron.ballman: I think the parens helped to add clarity here (also, there's probably a warning generated about…
	return;			return;

	Expr::EvalResult Result;			Expr::EvalResult Result;
	if (!IndexExpr->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects))			if (!IndexExpr->EvaluateAsInt(Result, Context, Expr::SE_AllowSideEffects))
	return;			return;

	llvm::APSInt index = Result.Val.getInt();			llvm::APSInt index = Result.Val.getInt();
	if (IndexNegated) {			if (IndexNegated) {
	index.setIsUnsigned(false);			index.setIsUnsigned(false);
	index = -index;			index = -index;
	}			}

	const NamedDecl *ND = nullptr;
	if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(BaseExpr))
	ND = DRE->getDecl();
	if (const MemberExpr *ME = dyn_cast<MemberExpr>(BaseExpr))
	ND = ME->getMemberDecl();

	if (IsUnboundedArray) {			if (IsUnboundedArray) {
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions ...because now we can get into this block... aaron.ballman: ...because now we can get into this block...
	if (EffectiveType->isFunctionType())			if (EffectiveType->isFunctionType())
	return;			return;
	if (index.isUnsigned() \|\| !index.isNegative()) {			if (index.isUnsigned() \|\| !index.isNegative()) {
	const auto &ASTC = getASTContext();			const auto &ASTC = getASTContext();
	unsigned AddrBits =			unsigned AddrBits =
	ASTC.getTargetInfo().getPointerWidth(ASTC.getTargetAddressSpace(			ASTC.getTargetInfo().getPointerWidth(ASTC.getTargetAddressSpace(
	EffectiveType->getCanonicalTypeInternal()));			EffectiveType->getCanonicalTypeInternal()));
	if (index.getBitWidth() < AddrBits)			if (index.getBitWidth() < AddrBits)
	Show All 27 Lines
	MaxElems = MaxElems.udiv(ElemBytes);			MaxElems = MaxElems.udiv(ElemBytes);

	unsigned DiagID =			unsigned DiagID =
	ASE ? diag::warn_array_index_exceeds_max_addressable_bounds			ASE ? diag::warn_array_index_exceeds_max_addressable_bounds
	: diag::warn_ptr_arith_exceeds_max_addressable_bounds;			: diag::warn_ptr_arith_exceeds_max_addressable_bounds;

	// Diag message shows element size in bits and in "bytes" (platform-			// Diag message shows element size in bits and in "bytes" (platform-
	// dependent CharUnits)			// dependent CharUnits)
	DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,			DiagRuntimeBehavior(BaseExpr->getBeginLoc(), BaseExpr,
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions ... which means we can now hit this diagnostic. aaron.ballman: ... which means we can now hit this diagnostic.
	PDiag(DiagID)			PDiag(DiagID)
	<< toString(index, 10, true) << AddrBits			<< toString(index, 10, true) << AddrBits
	<< (unsigned)ASTC.toBits(*ElemCharUnits)			<< (unsigned)ASTC.toBits(*ElemCharUnits)
	<< toString(ElemBytes, 10, false)			<< toString(ElemBytes, 10, false)
	<< toString(MaxElems, 10, false)			<< toString(MaxElems, 10, false)
	<< (unsigned)MaxElems.getLimitedValue(~0U)			<< (unsigned)MaxElems.getLimitedValue(~0U)
	<< IndexExpr->getSourceRange());			<< IndexExpr->getSourceRange());

	Show All 16 Lines

	if (index.isUnsigned() \|\| !index.isNegative()) {			if (index.isUnsigned() \|\| !index.isNegative()) {
	// It is possible that the type of the base expression after			// It is possible that the type of the base expression after
	// IgnoreParenCasts is incomplete, even though the type of the base			// IgnoreParenCasts is incomplete, even though the type of the base
	// expression before IgnoreParenCasts is complete (see PR39746 for an			// expression before IgnoreParenCasts is complete (see PR39746 for an
	// example). In this case we have no information about whether the array			// example). In this case we have no information about whether the array
	// access exceeds the array bounds. However we can still diagnose an array			// access exceeds the array bounds. However we can still diagnose an array
	// access which precedes the array bounds.			// access which precedes the array bounds.
	//
	// FIXME: this check should be redundant with the IsUnboundedArray check
	// above.
	if (BaseType->isIncompleteType())			if (BaseType->isIncompleteType())
	return;			return;

	// FIXME: this check should be used to set IsUnboundedArray from the
	// beginning.
	llvm::APInt size = ArrayTy->getSize();			llvm::APInt size = ArrayTy->getSize();
	if (!size.isStrictlyPositive())
	return;

	if (BaseType != EffectiveType) {			if (BaseType != EffectiveType) {
	// Make sure we're comparing apples to apples when comparing index to size			// Make sure we're comparing apples to apples when comparing index to size
	uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);			uint64_t ptrarith_typesize = Context.getTypeSize(EffectiveType);
	uint64_t array_typesize = Context.getTypeSize(BaseType);			uint64_t array_typesize = Context.getTypeSize(BaseType);
	// Handle ptrarith_typesize being zero, such as when casting to void*			// Handle ptrarith_typesize being zero, such as when casting to void*
	if (!ptrarith_typesize) ptrarith_typesize = 1;			if (!ptrarith_typesize) ptrarith_typesize = 1;
	if (ptrarith_typesize != array_typesize) {			if (ptrarith_typesize != array_typesize) {
	Show All 13 Lines

	// For array subscripting the index must be less than size, but for pointer			// For array subscripting the index must be less than size, but for pointer
	// arithmetic also allow the index (offset) to be equal to size since			// arithmetic also allow the index (offset) to be equal to size since
	// computing the next address after the end of the array is legal and			// computing the next address after the end of the array is legal and
	// commonly done e.g. in C++ iterators and range-based for loops.			// commonly done e.g. in C++ iterators and range-based for loops.
	if (AllowOnePastEnd ? index.ule(size) : index.ult(size))			if (AllowOnePastEnd ? index.ule(size) : index.ult(size))
	return;			return;

	// Also don't warn for Flexible Array Member emulation.
	const unsigned StrictFlexArraysLevel = getLangOpts().StrictFlexArrays;
	if (IsTailPaddedMemberArray(*this, size, ND, StrictFlexArraysLevel))
	return;

	// Suppress the warning if the subscript expression (as identified by the			// Suppress the warning if the subscript expression (as identified by the
	// ']' location) and the index expression are both from macro expansions			// ']' location) and the index expression are both from macro expansions
	// within a system header.			// within a system header.
	if (ASE) {			if (ASE) {
	SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(			SourceLocation RBracketLoc = SourceMgr.getSpellingLoc(
	ASE->getRBracketLoc());			ASE->getRBracketLoc());
	if (SourceMgr.isInSystemHeader(RBracketLoc)) {			if (SourceMgr.isInSystemHeader(RBracketLoc)) {
	SourceLocation IndexLoc =			SourceLocation IndexLoc =
	▲ Show 20 Lines • Show All 1,827 Lines • Show Last 20 Lines