This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/
1/1
ReleaseNotes.rst
-
include/clang/Basic/
-
clang/
-
Basic/
-
DiagnosticGroups.td
5/7
DiagnosticSemaKinds.td
-
lib/Sema/
-
Sema/
2/2
SemaCast.cpp
-
test/
-
Sema/
4/5
warn-cast-function-type-strict.c
-
warn-cast-function-type.c
-
SemaCXX/
3/3
warn-cast-function-type-strict.cpp
1/1
warn-cast-function-type.cpp

Differential D134831

[Clang][Sema] Add -Wcast-function-type-strict
ClosedPublic

Authored by samitolvanen on Sep 28 2022, 2:32 PM.

Download Raw Diff

Details

Reviewers

pcc
nickdesaulniers
kees
joaomoreira
aaron.ballman

Commits

rG1aad641c7930: [Clang][Sema] Add -Wcast-function-type-strict

Summary

Clang supports indirect call Control-Flow Integrity (CFI) sanitizers
(e.g. -fsanitize=cfi-icall), which enforce an exact type match between
a function pointer and the target function. Unfortunately, Clang
doesn't provide diagnostics that would help developers avoid function
type casts that lead to runtime CFI failures. -Wcast-function-type,
while helpful, only warns about ABI incompatibility, which isn't
sufficient with CFI.

Add -Wcast-function-type-strict, which checks for a strict type
compatibility in function type casts and helps warn about casts that
can potentially lead to CFI failures.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

samitolvanen created this revision.Sep 28 2022, 2:32 PM

Herald added a project: Restricted Project. · View Herald TranscriptSep 28 2022, 2:32 PM

samitolvanen requested review of this revision.Sep 28 2022, 2:32 PM

Herald added a project: Restricted Project. · View Herald TranscriptSep 28 2022, 2:32 PM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Any thoughts about adding a stricter version of -Wcast-function-type to make it easier to catch potential CFI issues? I also considered also gating this behind -fsanitize=cfi-icall/kcfi, but having a separate warning flag would be more consistent.

nickdesaulniers added a reviewer: joaomoreira.Sep 28 2022, 2:36 PM

SGTM; please make a note of this new diagnostic flag in clang/docs/ReleaseNotes.rst under Improvements to Clang's diagnostics.

clang/include/clang/Basic/DiagnosticSemaKinds.td
8698	I don't think we need a new group for a warning that only contains one diagnostic kind?

This revision now requires changes to proceed.Sep 28 2022, 2:49 PM

Harbormaster completed remote builds in B189256: Diff 463675.Sep 28 2022, 3:14 PM

Added a release note.

clang/include/clang/Basic/DiagnosticSemaKinds.td
8698	I don't think we need a new group for a warning that only contains one diagnostic kind? I might have misunderstood something, but we seem to have plenty of groups with only one diagnostic kind. Is there a way to add a new warning flag without adding a diagnostic group? Most users of `-Wcast-function-type` wouldn't want to enable the stricter version, so I would prefer to keep this separate. I did notice that some warnings don't define the group in DiagnosticGroups.td, but specify it directly here. For example, `InGroup<DiagGroup<"argument-outside-range">>`. I'm not sure if there are any benefits in doing so.

Harbormaster completed remote builds in B189273: Diff 463702.Sep 28 2022, 4:44 PM

aaron.ballman added a subscriber: aaron.ballman.Sep 29 2022, 8:01 AM

aaron.ballman added inline comments.

clang/include/clang/Basic/DiagnosticSemaKinds.td
8698	Typically we only define a group in DiagnosticGroups.td when the group is going to be used by more than one diagnostic, otherwise we prefer using `InGroup<DiagGroup<"whatever">>` to form one-off diagnostic groups. However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a subgroup of `CastFunctionType` so that users who enable `-Wcast-function-type` get the stricter checking by default, but still have a way to disable the stricter checking if it's too noisy for them?
clang/lib/Sema/SemaCast.cpp
1095–1097	Coding style nit.
1185–1186	Same elsewhere (the type isn't spelled out in the initialization, so we prefer using an explicit type).
clang/test/Sema/warn-cast-function-type-strict.c
2	Do we need to use the triple here, or can we make this test target agnostic?
clang/test/SemaCXX/warn-cast-function-type-strict.cpp
2	Same question about triples here.
33	You should use `//` style comments here, this is a C++ test file anyway.

kees added a subscriber: nathanchance.Sep 29 2022, 9:05 AM

kees added inline comments.

clang/include/clang/Basic/DiagnosticSemaKinds.td
8698	However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a subgroup of `CastFunctionType` so that users who enable `-Wcast-function-type` get the stricter checking by default, but still have a way to disable the stricter checking if it's too noisy for them? I'd be for that. It'll be very noisy for the Linux kernel, but they are all instances we need to fix. cc @nathanchance

nathanchance added inline comments.Sep 29 2022, 9:48 AM

clang/include/clang/Basic/DiagnosticSemaKinds.td
8698	However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a subgroup of `CastFunctionType` so that users who enable `-Wcast-function-type` get the stricter checking by default, but still have a way to disable the stricter checking if it's too noisy for them? I'd be for that. It'll be very noisy for the Linux kernel, but they are all instances we need to fix. cc @nathanchance Right, it would be quite noisy but we have already built an escape hatch for this type of scenario. We can just do what we have done for other warnings and disable it for "normal" builds to avoid disrupting the configurations with `-Werror` enabled (especially since we are not the only ones testing with tip of tree LLVM) then turn it on for `W=1` so that the build bots will catch new instances of the warnings while we clean up the other ones. I think such a diff would just look like: diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn index 6ae482158bc4..52bd7df84fd6 100644 --- a/scripts/Makefile.extrawarn +++ b/scripts/Makefile.extrawarn @@ -64,6 +64,7 @@ KBUILD_CFLAGS += -Wno-sign-compare KBUILD_CFLAGS += $(call cc-disable-warning, pointer-to-enum-cast) KBUILD_CFLAGS += -Wno-tautological-constant-out-of-range-compare KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access) +KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict) endif endif then that can just be reverted when we have all the instances cleaned up. It would be nice to get a game plan together for tackling all these because they appear to be quite numerous.

aaron.ballman added inline comments.Sep 29 2022, 11:15 AM

clang/include/clang/Basic/DiagnosticSemaKinds.td
8698	Do we think this will be onerously chatty for C code bases in general? My intuition is that it will be reasonable -- folks who have enabled this warning want to know when they're type casting function pointers in odd ways. Looking at some test cases, I actually think this will behave more like users expect. e.g., https://godbolt.org/z/cWGecK1KG
clang/test/Sema/warn-cast-function-type-strict.c
31	Some other test cases I think we should try out: typedef int (f8)(int ); typedef int (f9)(const int); typedef int (f10)(int); int foo(int array[static 12]); int bar(int i); const int baz(int i); f8 h = (f8 )foo; // Should be okay, types are the same after adjustment f9 i = (f9 )bar; // Should be okay, types are the same after adjustment f10 j = (f10 *)baz; // Should be okay, types are the same after adjustment

nickdesaulniers added a reviewer: aaron.ballman.Sep 29 2022, 11:18 AM

nickdesaulniers removed a subscriber: aaron.ballman.

Moved CastFunctionTypeStrict to a subgroup of CastFunctionType, addressed other feedback, and updated tests.

clang/include/clang/Basic/DiagnosticSemaKinds.td
8698	Do we think this will be onerously chatty for C code bases in general? My intuition is that it will be reasonable -- folks who have enabled this warning want to know when they're type casting function pointers in odd ways. This produces 1500+ new warnings in the kernel, but yes, I believe these are warnings we expected to see already with `-Wcast-function-type`. Nathan's suggestion to disable the strict warning without `W=1` sounds reasonable to me.
clang/test/Sema/warn-cast-function-type-strict.c
2	I don't think it's needed. This was copied from the `-Wcast-function-type` test.
31	The first two seem to be OK, the last one does produce a warning here: cast from 'const int ()(int)' to 'f10 ' (aka 'int (*)(int)') converts to incompatible function type

Harbormaster completed remote builds in B189533: Diff 464067.Sep 29 2022, 4:37 PM

aaron.ballman added inline comments.Sep 30 2022, 7:18 AM

clang/docs/ReleaseNotes.rst
311–313
clang/test/Sema/warn-cast-function-type-strict.c
31	Oh yeah, that's right, the C standard is pretty weird here. The return type is required to be compatible (aka same type in this case) per C2x 6.7.6.3p14, and `int` and `const int` are not compatible types (C2x 6.7.3p11). However, the qualifier on the return type is useless because it's stripped when the function is called (C2x 6.5.2.2p5, 6.8.6.4p3, 6.5.16p3, 6.3.2.1p2). Compilers are wildly inconsistent about this: https://godbolt.org/z/hc6ordGeM
clang/test/SemaCXX/warn-cast-function-type-strict.cpp
2	You should remove the `-x c++` from the RUN line still.
clang/test/SemaCXX/warn-cast-function-type.cpp
1

Addressed feedback.

LGTM assuming precommit CI doesn't find any surprises, thank you for this!

Please get the patch disabling this warning for the kernel in flight before landing this. It's going to make a lot of CI red due to kernel builds enabling -Werror.

This revision is now accepted and ready to land.Sep 30 2022, 11:00 AM

In D134831#3827730, @nickdesaulniers wrote:

Please get the patch disabling this warning for the kernel in flight before landing this.

Agreed. @nathanchance do you want to send the patch above to LKML?

In D134831#3827790, @samitolvanen wrote:

In D134831#3827730, @nickdesaulniers wrote:

Please get the patch disabling this warning for the kernel in flight before landing this.

Agreed. @nathanchance do you want to send the patch above to LKML?

I can send it on Monday, as I am offline today (or at least not at a computer lol). If you want to move on it quicker, feel free to draft a commit message and slap my Suggested-by on it.

Harbormaster completed remote builds in B189728: Diff 464326.Sep 30 2022, 11:39 AM

In D134831#3827861, @nathanchance wrote:

If you want to move on it quicker, feel free to draft a commit message and slap my Suggested-by on it.

https://lore.kernel.org/all/20220930203310.4010564-1-samitolvanen@google.com/

Please consider waiting until the warning flag has started propagating to branches of stable, at least to whatever branch -Werror is first enabled in.

In D134831#3838373, @nickdesaulniers wrote:

Please consider waiting until the warning flag has started propagating to branches of stable, at least to whatever branch -Werror is first enabled in.

Yes, I'm planning to wait until the kernel patch lands in stable branches. Greg picked up the patch this morning, so it should be in the next batch of stable releases.

The patch to disable this warning in Linux without W=1 is now in all supported stable kernels (https://lwn.net/Articles/912498/), so I'll commit this later today.

This revision was landed with ongoing or failed builds.Oct 26 2022, 1:50 PM

Closed by commit rG1aad641c7930: [Clang][Sema] Add -Wcast-function-type-strict (authored by samitolvanen). · Explain Why

This revision was automatically updated to reflect the committed changes.

samitolvanen added a commit: rG1aad641c7930: [Clang][Sema] Add -Wcast-function-type-strict.

samitolvanen mentioned this in D136790: [Clang][Sema] Add -Wincompatible-function-pointer-types-strict.Oct 26 2022, 2:13 PM

Is this intended to warn on code that casts a function taking a pointer to some non-void type to a function that takes a void*?

void set(void (*g)(int*)) {
  f = (void(*)(void*)) g;
}

gives me

warning: cast from 'void (*)(int *)' to 'void (*)(void *)' converts to incompatible function type [-Wcast-function-type-strict]

I didn't see this mentioned in the diff description, comments, or test. Is the behavior intentional? Are these types actually incompatible?

In D134831#4137408, @inglorion wrote:

Is this intended to warn on code that casts a function taking a pointer to some non-void type to a function that takes a void*?

Yes, this is intended to warn if the function types don't match.

I didn't see this mentioned in the diff description, comments, or test. Is the behavior intentional? Are these types actually incompatible?

As far as the language is concerned, the types are not incompatible, but calling the function pointer would trip -fsanitize=cfi checking, which this warning is meant to catch. If your program is not using CFI, you may want to consider disabling the -strict warning.

Thanks for the reply!

FWIW, this warning is triggered by code which uses glib, which contains a number of function(some_type*) to function(void*) casts, for example here: https://github.com/GNOME/glib/blob/339aaa3719757614af61f427b66a46893e6dc760/glib/glib-autocleanups.h#L47, which expands to function pointer casts here: https://github.com/GNOME/glib/blob/339aaa3719757614af61f427b66a46893e6dc760/glib/gmacros.h#L1360

I imagine glib is reasonably commonly used, so this might cause some build failures (we're seeing some in ChromiumOS). Not sure if that's enough to affect the choice of having this on or off by default when -Wcast-function-type is in effect, but I thought I would provide the data point.

In D134831#4141842, @samitolvanen wrote:

In D134831#4137408, @inglorion wrote:

Is this intended to warn on code that casts a function taking a pointer to some non-void type to a function that takes a void*?

Yes, this is intended to warn if the function types don't match.

I didn't see this mentioned in the diff description, comments, or test. Is the behavior intentional? Are these types actually incompatible?

As far as the language is concerned, the types are not incompatible, <snip>

As far as C and C++ are concerned, those types *are* incompatible.

C2x 6.7.6.3p14: For two function types to be compatible, both shall specify compatible return types. Moreover, the parameter type lists shall agree in the number of parameters and in use of the final ellipsis; corresponding parameters shall have compatible types. In the determination of type compatibility and of a composite type, each parameter declared with function or array type is taken as having the adjusted type and each parameter declared with qualified type is taken as having the unqualified version of its declared type.

6.7.6.1p2: For two pointer types to be compatible, both shall be identically qualified and both shall be pointers to compatible types.

6.2.7p1: Two types are compatible types if they are the same. Additional rules for determining whether two types are compatible are described in <snip>

void * and int * are not compatible types, so the function parameter lists are not compatible, so the function types are not compatible.

(Similar is in C++, though the specification mechanics are different.)

Revision Contents

Path

Size

clang/

docs/

ReleaseNotes.rst

5 lines

include/

clang/

Basic/

DiagnosticGroups.td

3 lines

DiagnosticSemaKinds.td

2 lines

lib/

Sema/

SemaCast.cpp

54 lines

test/

Sema/

warn-cast-function-type-strict.c

43 lines

warn-cast-function-type.c

2 lines

SemaCXX/

warn-cast-function-type-strict.cpp

48 lines

warn-cast-function-type.cpp

16 lines

Diff 470924

clang/docs/ReleaseNotes.rst

Show First 20 Lines • Show All 302 Lines • ▼ Show 20 Lines

- Clang now correctly diagnoses index that refers past the last possible element

of FAM-like arrays.

- Clang now correctly diagnoses a warning when defercencing a void pointer in C mode.

This fixes `Issue 53631 <https://github.com/llvm/llvm-project/issues/53631>`_

- Clang will now diagnose an overload set where a candidate has a constraint that

refers to an expression with a previous error as nothing viable, so that it

doesn't generate strange cascading errors, particularly in cases where a

subsuming constraint fails, which would result in a less-specific overload to

be selected.

- Add a fix-it hint for the ``-Wdefaulted-function-deleted`` warning to

explicitly delete the function.

- Fixed an accidental duplicate diagnostic involving the declaration of a

aaron.ballmanUnsubmitted

Done

be selected.

- Introduced ``-Wcast-function-type-strict`` to warn about function type mismatches

in casts that may result in runtime indirect call `Control-Flow Integrity (CFI)

- <https://clang.llvm.org/docs/ControlFlowIntegrity.html>`_ failures.

+ <https://clang.llvm.org/docs/ControlFlowIntegrity.html>`_ failures. This diagnostic

+ is grouped under ``-Wcast-function-type`` as it identifies a more strict set of

+ potentially problematic function type casts.

Non-comprehensive list of changes in this release

aaron.ballman:

function definition without a prototype which is preceded by a static

declaration of the function with a prototype. Fixes

`Issue 58181 <https://github.com/llvm/llvm-project/issues/58181>`_.

- Copy-elided initialization of lock scopes is now handled differently in

``-Wthread-safety-analysis``: annotations on the move constructor are no

longer taken into account, in favor of annotations on the function returning

the lock scope by value. This could result in new warnings if code depended

on the previous undocumented behavior. As a side effect of this change,

constructor calls outside of initializer expressions are no longer ignored,

which can result in new warnings (or make existing warnings disappear).

- The wording of diagnostics regarding arithmetic on fixed-sized arrays and

pointers is improved to include the type of the array and whether it's cast

to another type. This should improve comprehension for why an index is

out-of-bounds.

- Clang now correctly points to the problematic parameter for the ``-Wnonnull``

warning. This fixes

`Issue 58273 <https://github.com/llvm/llvm-project/issues/58273>`_.

- Introduced ``-Wcast-function-type-strict`` to warn about function type mismatches

in casts that may result in runtime indirect call `Control-Flow Integrity (CFI)

<https://clang.llvm.org/docs/ControlFlowIntegrity.html>`_ failures. This diagnostic

is grouped under ``-Wcast-function-type`` as it identifies a more strict set of

potentially problematic function type casts.

Non-comprehensive list of changes in this release

-------------------------------------------------

- It's now possible to set the crash diagnostics directory through

the environment variable ``CLANG_CRASH_DIAGNOSTICS_DIR``.

The ``-fcrash-diagnostics-dir`` flag takes precedence.

- When using header modules, inclusion of a private header and violations of

the `use-declaration rules

▲ Show 20 Lines • Show All 384 Lines • Show Last 20 Lines

clang/include/clang/Basic/DiagnosticGroups.td

	Show First 20 Lines • Show All 532 Lines • ▼ Show 20 Lines
	def ObjCReceiver : DiagGroup<"receiver-expr">;			def ObjCReceiver : DiagGroup<"receiver-expr">;
	def OperatorNewReturnsNull : DiagGroup<"new-returns-null">;			def OperatorNewReturnsNull : DiagGroup<"new-returns-null">;
	def OverlengthStrings : DiagGroup<"overlength-strings">;			def OverlengthStrings : DiagGroup<"overlength-strings">;
	def OverloadedVirtual : DiagGroup<"overloaded-virtual">;			def OverloadedVirtual : DiagGroup<"overloaded-virtual">;
	def PrivateExtern : DiagGroup<"private-extern">;			def PrivateExtern : DiagGroup<"private-extern">;
	def SelTypeCast : DiagGroup<"cast-of-sel-type">;			def SelTypeCast : DiagGroup<"cast-of-sel-type">;
	def FunctionDefInObjCContainer : DiagGroup<"function-def-in-objc-container">;			def FunctionDefInObjCContainer : DiagGroup<"function-def-in-objc-container">;
	def BadFunctionCast : DiagGroup<"bad-function-cast">;			def BadFunctionCast : DiagGroup<"bad-function-cast">;
	def CastFunctionType : DiagGroup<"cast-function-type">;			def CastFunctionTypeStrict : DiagGroup<"cast-function-type-strict">;
				def CastFunctionType : DiagGroup<"cast-function-type", [CastFunctionTypeStrict]>;
	def ObjCPropertyImpl : DiagGroup<"objc-property-implementation">;			def ObjCPropertyImpl : DiagGroup<"objc-property-implementation">;
	def ObjCPropertyNoAttribute : DiagGroup<"objc-property-no-attribute">;			def ObjCPropertyNoAttribute : DiagGroup<"objc-property-no-attribute">;
	def ObjCPropertyAssignOnObjectType : DiagGroup<"objc-property-assign-on-object-type">;			def ObjCPropertyAssignOnObjectType : DiagGroup<"objc-property-assign-on-object-type">;
	def ObjCProtocolQualifiers : DiagGroup<"objc-protocol-qualifiers">;			def ObjCProtocolQualifiers : DiagGroup<"objc-protocol-qualifiers">;
	def ObjCMissingSuperCalls : DiagGroup<"objc-missing-super-calls">;			def ObjCMissingSuperCalls : DiagGroup<"objc-missing-super-calls">;
	def ObjCDesignatedInit : DiagGroup<"objc-designated-initializers">;			def ObjCDesignatedInit : DiagGroup<"objc-designated-initializers">;
	def ObjCRetainBlockProperty : DiagGroup<"objc-noncopy-retain-block-property">;			def ObjCRetainBlockProperty : DiagGroup<"objc-noncopy-retain-block-property">;
	def ObjCReadonlyPropertyHasSetter : DiagGroup<"objc-readonly-with-setter-property">;			def ObjCReadonlyPropertyHasSetter : DiagGroup<"objc-readonly-with-setter-property">;
	▲ Show 20 Lines • Show All 841 Lines • Show Last 20 Lines

clang/include/clang/Basic/DiagnosticSemaKinds.td

This file is larger than 256 KB, so syntax highlighting is disabled by default.

	Show First 20 Lines • Show All 8,688 Lines • ▼ Show 20 Lines
	def note_change_calling_conv_fixit : Note<			def note_change_calling_conv_fixit : Note<
	"consider defining %0 with the '%1' calling convention">;			"consider defining %0 with the '%1' calling convention">;
	def warn_bad_function_cast : Warning<			def warn_bad_function_cast : Warning<
	"cast from function call of type %0 to non-matching type %1">,			"cast from function call of type %0 to non-matching type %1">,
	InGroup<BadFunctionCast>, DefaultIgnore;			InGroup<BadFunctionCast>, DefaultIgnore;
	def warn_cast_function_type : Warning<			def warn_cast_function_type : Warning<
	"cast %diff{from $ to $ \|}0,1converts to incompatible function type">,			"cast %diff{from $ to $ \|}0,1converts to incompatible function type">,
	InGroup<CastFunctionType>, DefaultIgnore;			InGroup<CastFunctionType>, DefaultIgnore;
				def warn_cast_function_type_strict : Warning<warn_cast_function_type.Text>,
				InGroup<CastFunctionTypeStrict>, DefaultIgnore;
				nickdesaulniersUnsubmitted Done Reply Inline Actions I don't think we need a new group for a warning that only contains one diagnostic kind? nickdesaulniers: I don't think we need a new group for a warning that only contains one diagnostic kind?
				samitolvanenAuthorUnsubmitted Done Reply Inline Actions I don't think we need a new group for a warning that only contains one diagnostic kind? I might have misunderstood something, but we seem to have plenty of groups with only one diagnostic kind. Is there a way to add a new warning flag without adding a diagnostic group? Most users of `-Wcast-function-type` wouldn't want to enable the stricter version, so I would prefer to keep this separate. I did notice that some warnings don't define the group in DiagnosticGroups.td, but specify it directly here. For example, `InGroup<DiagGroup<"argument-outside-range">>`. I'm not sure if there are any benefits in doing so. samitolvanen: > I don't think we need a new group for a warning that only contains one diagnostic kind? I…
				aaron.ballmanUnsubmitted Done Reply Inline Actions Typically we only define a group in DiagnosticGroups.td when the group is going to be used by more than one diagnostic, otherwise we prefer using `InGroup<DiagGroup<"whatever">>` to form one-off diagnostic groups. However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a subgroup of `CastFunctionType` so that users who enable `-Wcast-function-type` get the stricter checking by default, but still have a way to disable the stricter checking if it's too noisy for them? aaron.ballman: Typically we only define a group in DiagnosticGroups.td when the group is going to be used by…
				keesUnsubmitted Done Reply Inline Actions However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a subgroup of `CastFunctionType` so that users who enable `-Wcast-function-type` get the stricter checking by default, but still have a way to disable the stricter checking if it's too noisy for them? I'd be for that. It'll be very noisy for the Linux kernel, but they are all instances we need to fix. cc @nathanchance kees: > However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a…
				nathanchanceUnsubmitted Not Done Reply Inline Actions However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a subgroup of `CastFunctionType` so that users who enable `-Wcast-function-type` get the stricter checking by default, but still have a way to disable the stricter checking if it's too noisy for them? I'd be for that. It'll be very noisy for the Linux kernel, but they are all instances we need to fix. cc @nathanchance Right, it would be quite noisy but we have already built an escape hatch for this type of scenario. We can just do what we have done for other warnings and disable it for "normal" builds to avoid disrupting the configurations with `-Werror` enabled (especially since we are not the only ones testing with tip of tree LLVM) then turn it on for `W=1` so that the build bots will catch new instances of the warnings while we clean up the other ones. I think such a diff would just look like: diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn index 6ae482158bc4..52bd7df84fd6 100644 --- a/scripts/Makefile.extrawarn +++ b/scripts/Makefile.extrawarn @@ -64,6 +64,7 @@ KBUILD_CFLAGS += -Wno-sign-compare KBUILD_CFLAGS += $(call cc-disable-warning, pointer-to-enum-cast) KBUILD_CFLAGS += -Wno-tautological-constant-out-of-range-compare KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access) +KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict) endif endif then that can just be reverted when we have all the instances cleaned up. It would be nice to get a game plan together for tackling all these because they appear to be quite numerous. nathanchance: > > However, in this case, I am wondering if we want to add `CastFunctionTypeStrict` to be a…
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions Do we think this will be onerously chatty for C code bases in general? My intuition is that it will be reasonable -- folks who have enabled this warning want to know when they're type casting function pointers in odd ways. Looking at some test cases, I actually think this will behave more like users expect. e.g., https://godbolt.org/z/cWGecK1KG aaron.ballman: Do we think this will be onerously chatty for C code bases in general? My intuition is that it…
				samitolvanenAuthorUnsubmitted Done Reply Inline Actions Do we think this will be onerously chatty for C code bases in general? My intuition is that it will be reasonable -- folks who have enabled this warning want to know when they're type casting function pointers in odd ways. This produces 1500+ new warnings in the kernel, but yes, I believe these are warnings we expected to see already with `-Wcast-function-type`. Nathan's suggestion to disable the strict warning without `W=1` sounds reasonable to me. samitolvanen: > Do we think this will be onerously chatty for C code bases in general? My intuition is that…
	def err_cast_pointer_to_non_pointer_int : Error<			def err_cast_pointer_to_non_pointer_int : Error<
	"pointer cannot be cast to type %0">;			"pointer cannot be cast to type %0">;
	def err_nullptr_cast : Error<			def err_nullptr_cast : Error<
	"cannot cast an object of type %select{'nullptr_t' to %1\|%1 to 'nullptr_t'}0"			"cannot cast an object of type %select{'nullptr_t' to %1\|%1 to 'nullptr_t'}0"
	>;			>;
	def err_cast_to_bfloat16 : Error<"cannot type-cast to __bf16">;			def err_cast_to_bfloat16 : Error<"cannot type-cast to __bf16">;
	def err_cast_from_bfloat16 : Error<"cannot type-cast from __bf16">;			def err_cast_from_bfloat16 : Error<"cannot type-cast from __bf16">;
	def err_typecheck_expect_scalar_operand : Error<			def err_typecheck_expect_scalar_operand : Error<
	▲ Show 20 Lines • Show All 3,019 Lines • Show Last 20 Lines

clang/lib/Sema/SemaCast.cpp

Show First 20 Lines • Show All 1,053 Lines • ▼ Show 20 Lines

static bool argTypeIsABIEquivalent(QualType SrcType, QualType DestType,

if (SrcType->isIntegralType(Context) && DestType->isIntegralType(Context))

if (Context.getTypeInfoInChars(SrcType).Width ==

Context.getTypeInfoInChars(DestType).Width)

return true;

return Context.hasSameUnqualifiedType(SrcType, DestType);

}

static bool checkCastFunctionType(Sema &Self, const ExprResult &SrcExpr,

static unsigned int checkCastFunctionType(Sema &Self, const ExprResult &SrcExpr,

QualType DestType) {

if (Self.Diags.isIgnored(diag::warn_cast_function_type,

unsigned int DiagID = 0;

SrcExpr.get()->getExprLoc()))

const unsigned int DiagList[] = {diag::warn_cast_function_type_strict,

return true;

diag::warn_cast_function_type};

for (auto ID : DiagList) {

if (!Self.Diags.isIgnored(ID, SrcExpr.get()->getExprLoc())) {

DiagID = ID;

break;

}

if (!DiagID)

return 0;

QualType SrcType = SrcExpr.get()->getType();

const FunctionType *SrcFTy = nullptr;

const FunctionType *DstFTy = nullptr;

if (((SrcType->isBlockPointerType() || SrcType->isFunctionPointerType()) &&

DestType->isFunctionPointerType()) ||

(SrcType->isMemberFunctionPointerType() &&

DestType->isMemberFunctionPointerType())) {

SrcFTy = SrcType->getPointeeType()->castAs<FunctionType>();

DstFTy = DestType->getPointeeType()->castAs<FunctionType>();

} else if (SrcType->isFunctionType() && DestType->isFunctionReferenceType()) {

SrcFTy = SrcType->castAs<FunctionType>();

DstFTy = DestType.getNonReferenceType()->castAs<FunctionType>();

} else {

return true;

return 0;

}

assert(SrcFTy && DstFTy);

if (Self.Context.hasSameType(SrcFTy, DstFTy))

return 0;

// For strict checks, ensure we have an exact match.

if (DiagID == diag::warn_cast_function_type_strict)

aaron.ballmanUnsubmitted

Done

return 0;

// For strict checks, ensure we have an exact match.

- else if (DiagID == diag::warn_cast_function_type_strict)

+ if (DiagID == diag::warn_cast_function_type_strict)

return DiagID;

auto IsVoidVoid = [](const FunctionType *T) {

Coding style nit.

aaron.ballman: Coding style nit.

return DiagID;

auto IsVoidVoid = [](const FunctionType *T) {

if (!T->getReturnType()->isVoidType())

return false;

if (const auto *PT = T->getAs<FunctionProtoType>())

return !PT->isVariadic() && PT->getNumParams() == 0;

return false;

};

// Skip if either function type is void(*)(void)

if (IsVoidVoid(SrcFTy) || IsVoidVoid(DstFTy))

return true;

return 0;

// Check return type.

if (!argTypeIsABIEquivalent(SrcFTy->getReturnType(), DstFTy->getReturnType(),

Self.Context))

return false;

return DiagID;

// Check if either has unspecified number of parameters

if (SrcFTy->isFunctionNoProtoType() || DstFTy->isFunctionNoProtoType())

return true;

return 0;

// Check parameter types.

const auto *SrcFPTy = cast<FunctionProtoType>(SrcFTy);

const auto *DstFPTy = cast<FunctionProtoType>(DstFTy);

// In a cast involving function types with a variable argument list only the

// types of initial arguments that are provided are considered.

unsigned NumParams = SrcFPTy->getNumParams();

unsigned DstNumParams = DstFPTy->getNumParams();

if (NumParams > DstNumParams) {

if (!DstFPTy->isVariadic())

return false;

return DiagID;

NumParams = DstNumParams;

} else if (NumParams < DstNumParams) {

if (!SrcFPTy->isVariadic())

return false;

return DiagID;

}

for (unsigned i = 0; i < NumParams; ++i)

if (!argTypeIsABIEquivalent(SrcFPTy->getParamType(i),

DstFPTy->getParamType(i), Self.Context))

return false;

return DiagID;

return true;

return 0;

}

/// CheckReinterpretCast - Check that a reinterpret_cast\<DestType\>(SrcExpr) is

/// valid.

/// Refer to C++ 5.2.10 for details. reinterpret_cast is typically used in code

/// like this:

/// char *bytes = reinterpret_cast\<char*\>(int_ptr);

void CastOperation::CheckReinterpretCast() {

Show All 24 Lines

if (tcr != TC_Success && msg != 0) {

}

if (isValidCast(tcr)) {

if (Self.getLangOpts().allowsNonTrivialObjCLifetimeQualifiers())

checkObjCConversion(Sema::CCK_OtherCast);

DiagnoseReinterpretUpDownCast(Self, SrcExpr.get(), DestType, OpRange);

if (!checkCastFunctionType(Self, SrcExpr, DestType))

if (unsigned DiagID = checkCastFunctionType(Self, SrcExpr, DestType))

Self.Diag(OpRange.getBegin(), diag::warn_cast_function_type)

Self.Diag(OpRange.getBegin(), DiagID)

aaron.ballmanUnsubmitted

Done

DiagnoseReinterpretUpDownCast(Self, SrcExpr.get(), DestType, OpRange);

- if (auto DiagID = checkCastFunctionType(Self, SrcExpr, DestType))

+ if (unsigned DiagID = checkCastFunctionType(Self, SrcExpr, DestType))

Self.Diag(OpRange.getBegin(), DiagID)

Same elsewhere (the type isn't spelled out in the initialization, so we prefer using an explicit type).

aaron.ballman: Same elsewhere (the type isn't spelled out in the initialization, so we prefer using an…

<< SrcExpr.get()->getType() << DestType << OpRange;

} else {

SrcExpr = ExprError();

}

/// CheckStaticCast - Check that a static_cast\<DestType\>(SrcExpr) is valid.

▲ Show 20 Lines • Show All 1,612 Lines • ▼ Show 20 Lines

if (SrcExpr.get()->getType() == Self.Context.OverloadTy) {

OpRange, SrcExpr.get(), DestType, ListInitialization);

}

if (isValidCast(tcr)) {

if (Kind == CK_BitCast)

checkCastAlign();

if (!checkCastFunctionType(Self, SrcExpr, DestType))

if (unsigned DiagID = checkCastFunctionType(Self, SrcExpr, DestType))

Self.Diag(OpRange.getBegin(), diag::warn_cast_function_type)

Self.Diag(OpRange.getBegin(), DiagID)

<< SrcExpr.get()->getType() << DestType << OpRange;

} else {

SrcExpr = ExprError();

}

/// DiagnoseBadFunctionCast - Warn whenever a function call is cast to a

▲ Show 20 Lines • Show All 341 Lines • ▼ Show 20 Lines

else if (!Self.CheckObjCARCUnavailableWeakConversion(DestType, SrcType)) {

Self.Diag(SrcExpr.get()->getBeginLoc(),

diag::err_arc_convesion_of_weak_unavailable)

<< 1 << SrcType << DestType << SrcExpr.get()->getSourceRange();

SrcExpr = ExprError();

return;

}

if (!checkCastFunctionType(Self, SrcExpr, DestType))

if (unsigned DiagID = checkCastFunctionType(Self, SrcExpr, DestType))

Self.Diag(OpRange.getBegin(), diag::warn_cast_function_type)

Self.Diag(OpRange.getBegin(), DiagID) << SrcType << DestType << OpRange;

<< SrcType << DestType << OpRange;

if (isa<PointerType>(SrcType) && isa<PointerType>(DestType)) {

QualType SrcTy = cast<PointerType>(SrcType)->getPointeeType();

QualType DestTy = cast<PointerType>(DestType)->getPointeeType();

const RecordDecl *SrcRD = SrcTy->getAsRecordDecl();

const RecordDecl *DestRD = DestTy->getAsRecordDecl();

▲ Show 20 Lines • Show All 150 Lines • Show Last 20 Lines

clang/test/Sema/warn-cast-function-type-strict.c

This file was added.

// RUN: %clang_cc1 %s -fsyntax-only -Wcast-function-type -verify

// RUN: %clang_cc1 %s -fsyntax-only -Wcast-function-type-strict -verify

aaron.ballmanUnsubmitted

Done

- // RUN: %clang_cc1 -x c %s -fsyntax-only -Wcast-function-type-strict -triple x86_64-- -verify

+ // RUN: %clang_cc1 %s -fsyntax-only -Wcast-function-type-strict -triple x86_64-- -verify

int x(long);

Do we need to use the triple here, or can we make this test target agnostic?

aaron.ballman: Do we need to use the triple here, or can we make this test target agnostic?

samitolvanenAuthorUnsubmitted

Done

I don't think it's needed. This was copied from the -Wcast-function-type test.

samitolvanen: I don't think it's needed. This was copied from the `-Wcast-function-type` test.

int t(int array[static 12]);

int u(int i);

const int v(int i);

int x(long);

typedef int (f1)(long);

typedef int (f2)(void*);

typedef int (f3)();

typedef void (f4)();

typedef void (f5)(void);

typedef int (f6)(long, int);

typedef int (f7)(long,...);

typedef int (f8)(int *);

typedef int (f9)(const int);

typedef int (f10)(int);

f1 *a;

f2 *b;

f3 *c;

f4 *d;

f5 *e;

f6 *f;

f7 *g;

f8 *h;

f9 *i;

f10 *j;

aaron.ballmanUnsubmitted

Not Done

Some other test cases I think we should try out:

typedef int (f8)(int *);
typedef int (f9)(const int);
typedef int (f10)(int);

int foo(int array[static 12]);
int bar(int i);
const int baz(int i);

f8 *h = (f8 *)foo; // Should be okay, types are the same after adjustment
f9 *i = (f9 *)bar; // Should be okay, types are the same after adjustment
f10 *j = (f10 *)baz; // Should be okay, types are the same after adjustment

aaron.ballman: Some other test cases I think we should try out: ``` typedef int (f8)(int *); typedef int (f9)…

samitolvanenAuthorUnsubmitted

Done

The first two seem to be OK, the last one does produce a warning here:

cast from 'const int (*)(int)' to 'f10 *' (aka 'int (*)(int)') converts to incompatible function type

samitolvanen: The first two seem to be OK, the last one does produce a warning here: ``` cast from 'const int…

aaron.ballmanUnsubmitted

Done

Oh yeah, that's right, the C standard is pretty weird here. The return type is required to be compatible (aka same type in this case) per C2x 6.7.6.3p14, and int and const int are not compatible types (C2x 6.7.3p11). However, the qualifier on the return type is useless because it's stripped when the function is called (C2x 6.5.2.2p5, 6.8.6.4p3, 6.5.16p3, 6.3.2.1p2).

Compilers are wildly inconsistent about this: https://godbolt.org/z/hc6ordGeM

aaron.ballman: Oh yeah, that's right, the C standard is pretty weird here. The return type is required to be…

void foo(void) {

a = (f1 *)x;

b = (f2 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f2 *' (aka 'int (*)(void *)') converts to incompatible function type}} */

c = (f3 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f3 *' (aka 'int (*)()') converts to incompatible function type}} */

d = (f4 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f4 *' (aka 'void (*)()') converts to incompatible function type}} */

e = (f5 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f5 *' (aka 'void (*)(void)') converts to incompatible function type}} */

f = (f6 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f6 *' (aka 'int (*)(long, int)') converts to incompatible function type}} */

g = (f7 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f7 *' (aka 'int (*)(long, ...)') converts to incompatible function type}} */

h = (f8 *)t;

i = (f9 *)u;

j = (f10 *)v; /* expected-warning {{cast from 'const int (*)(int)' to 'f10 *' (aka 'int (*)(int)') converts to incompatible function type}} */

}

clang/test/Sema/warn-cast-function-type.c

	// RUN: %clang_cc1 -x c %s -fsyntax-only -Wcast-function-type -triple x86_64-- -verify			// RUN: %clang_cc1 %s -fsyntax-only -Wcast-function-type -Wno-cast-function-type-strict -verify

	int x(long);			int x(long);

	typedef int (f1)(long);			typedef int (f1)(long);
	typedef int (f2)(void*);			typedef int (f2)(void*);
	typedef int (f3)();			typedef int (f3)();
	typedef void (f4)();			typedef void (f4)();
	typedef void (f5)(void);			typedef void (f5)(void);
	Show All 20 Lines

clang/test/SemaCXX/warn-cast-function-type-strict.cpp

This file was added.

// RUN: %clang_cc1 %s -fblocks -fsyntax-only -Wcast-function-type -verify

// RUN: %clang_cc1 %s -fblocks -fsyntax-only -Wcast-function-type-strict -verify

aaron.ballmanUnsubmitted

Done

- // RUN: %clang_cc1 -x c++ %s -fblocks -fsyntax-only -Wcast-function-type-strict -triple x86_64-- -verify

+ // RUN: %clang_cc1 %s -fblocks -fsyntax-only -Wcast-function-type-strict -triple x86_64-- -verify

int x(long);

Same question about triples here.

aaron.ballman: Same question about triples here.

aaron.ballmanUnsubmitted

Done

You should remove the -x c++ from the RUN line still.

aaron.ballman: You should remove the `-x c++` from the RUN line still.

int x(long);

typedef int (f1)(long);

typedef int (f2)(void*);

typedef int (f3)(...);

typedef void (f4)(...);

typedef void (f5)(void);

typedef int (f6)(long, int);

typedef int (f7)(long,...);

typedef int (&f8)(long, int);

f1 *a;

f2 *b;

f3 *c;

f4 *d;

f5 *e;

f6 *f;

f7 *g;

struct S

{

void foo (int*);

void bar (int);

};

typedef void (S::*mf)(int);

void foo() {

a = (f1 *)x;

b = (f2 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f2 *' (aka 'int (*)(void *)') converts to incompatible function type}}

aaron.ballmanUnsubmitted

Done

You should use // style comments here, this is a C++ test file anyway.

aaron.ballman: You should use `//` style comments here, this is a C++ test file anyway.

b = reinterpret_cast<f2 *>(x); // expected-warning {{cast from 'int (*)(long)' to 'f2 *' (aka 'int (*)(void *)') converts to incompatible function type}}

c = (f3 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f3 *' (aka 'int (*)(...)') converts to incompatible function type}}

d = (f4 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f4 *' (aka 'void (*)(...)') converts to incompatible function type}}

e = (f5 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f5 *' (aka 'void (*)()') converts to incompatible function type}}

f = (f6 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f6 *' (aka 'int (*)(long, int)') converts to incompatible function type}}

g = (f7 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f7 *' (aka 'int (*)(long, ...)') converts to incompatible function type}}

mf p1 = (mf)&S::foo; // expected-warning {{cast from 'void (S::*)(int *)' to 'mf' (aka 'void (S::*)(int)') converts to incompatible function type}}

f8 f2 = (f8)x; // expected-warning {{cast from 'int (long)' to 'f8' (aka 'int (&)(long, int)') converts to incompatible function type}}

(void)f2;

int (^y)(long);

f = (f6 *)y; // expected-warning {{cast from 'int (^)(long)' to 'f6 *' (aka 'int (*)(long, int)') converts to incompatible function type}}

}

clang/test/SemaCXX/warn-cast-function-type.cpp

// RUN: %clang_cc1 -x c++ %s -fblocks -fsyntax-only -Wcast-function-type -triple x86_64-- -verify

// RUN: %clang_cc1 %s -fblocks -fsyntax-only -Wcast-function-type -Wno-cast-function-type-strict -verify

aaron.ballmanUnsubmitted

Done

- // RUN: %clang_cc1 -x c++ %s -fblocks -fsyntax-only -Wcast-function-type -Wno-cast-function-type-strict -verify

+ // RUN: %clang_cc1 %s -fblocks -fsyntax-only -Wcast-function-type -Wno-cast-function-type-strict -verify

int x(long);

aaron.ballman:

int x(long);

typedef int (f1)(long);

typedef int (f2)(void*);

typedef int (f3)(...);

typedef void (f4)(...);

typedef void (f5)(void);

Show All 14 Lines

struct S

void foo (int*);

void bar (int);

};

typedef void (S::*mf)(int);

void foo() {

a = (f1 *)x;

b = (f2 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f2 *' (aka 'int (*)(void *)') converts to incompatible function type}} */

b = (f2 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f2 *' (aka 'int (*)(void *)') converts to incompatible function type}}

b = reinterpret_cast<f2 *>(x); /* expected-warning {{cast from 'int (*)(long)' to 'f2 *' (aka 'int (*)(void *)') converts to incompatible function type}} */

b = reinterpret_cast<f2 *>(x); // expected-warning {{cast from 'int (*)(long)' to 'f2 *' (aka 'int (*)(void *)') converts to incompatible function type}}

c = (f3 *)x;

d = (f4 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f4 *' (aka 'void (*)(...)') converts to incompatible function type}} */

d = (f4 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f4 *' (aka 'void (*)(...)') converts to incompatible function type}}

e = (f5 *)x;

f = (f6 *)x; /* expected-warning {{cast from 'int (*)(long)' to 'f6 *' (aka 'int (*)(long, int)') converts to incompatible function type}} */

f = (f6 *)x; // expected-warning {{cast from 'int (*)(long)' to 'f6 *' (aka 'int (*)(long, int)') converts to incompatible function type}}

g = (f7 *)x;

mf p1 = (mf)&S::foo; /* expected-warning {{cast from 'void (S::*)(int *)' to 'mf' (aka 'void (S::*)(int)') converts to incompatible function type}} */

mf p1 = (mf)&S::foo; // expected-warning {{cast from 'void (S::*)(int *)' to 'mf' (aka 'void (S::*)(int)') converts to incompatible function type}}

f8 f2 = (f8)x; /* expected-warning {{cast from 'int (long)' to 'f8' (aka 'int (&)(long, int)') converts to incompatible function type}} */

f8 f2 = (f8)x; // expected-warning {{cast from 'int (long)' to 'f8' (aka 'int (&)(long, int)') converts to incompatible function type}}

(void)f2;

int (^y)(long);

f = (f6 *)y; /* expected-warning {{cast from 'int (^)(long)' to 'f6 *' (aka 'int (*)(long, int)') converts to incompatible function type}} */

f = (f6 *)y; // expected-warning {{cast from 'int (^)(long)' to 'f6 *' (aka 'int (*)(long, int)') converts to incompatible function type}}

}

This is an archive of the discontinued LLVM Phabricator instance.

[Clang][Sema] Add -Wcast-function-type-strictClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 470924

clang/docs/ReleaseNotes.rst

clang/include/clang/Basic/DiagnosticGroups.td

clang/include/clang/Basic/DiagnosticSemaKinds.td

clang/lib/Sema/SemaCast.cpp

clang/test/Sema/warn-cast-function-type-strict.c

clang/test/Sema/warn-cast-function-type.c

clang/test/SemaCXX/warn-cast-function-type-strict.cpp

clang/test/SemaCXX/warn-cast-function-type.cpp

[Clang][Sema] Add -Wcast-function-type-strict
ClosedPublic