Index: clang/include/clang/Basic/Attr.td =================================================================== --- clang/include/clang/Basic/Attr.td +++ clang/include/clang/Basic/Attr.td @@ -4093,3 +4093,8 @@ let Subjects = SubjectList<[Function]>; let Documentation = [FunctionReturnThunksDocs]; } +def ReadOnlyPlacement : InheritableAttr { + let Spellings = [Clang<"enforce_read_only_placement">]; + let Subjects = SubjectList<[Record]>; + let Documentation =[ReadOnlyPlacementDocs]; +} Index: clang/include/clang/Basic/AttrDocs.td =================================================================== --- clang/include/clang/Basic/AttrDocs.td +++ clang/include/clang/Basic/AttrDocs.td @@ -6688,3 +6688,36 @@ As such, this function attribute is currently only supported on X86 targets. }]; } + +def ReadOnlyPlacementDocs : Documentation { + let Category = DocCatType; + let Content = [{This attribute is attached to a record declaration or the + definition. When attached to a record declaration/definition, it checks + if all instances of this type can be placed in the read-only memory segment + of the program. If it finds an instance that can not be in read-only segment, + it geneattaches a warning at the corresponding program location. + + Examples: + * ``struct __attribute__(enforce_read_only_placement) Foo;`` + * ``struct __attribute__(enforce_read_only_placement) Bar { ... };`` + + Both ``Foo`` and ``Bar`` types have the ConstVarDecl attribute. + + The goal of introducing this attribute is to assist developers to write secure + code. A const qualified global is generally placed in the read-only section + of the memory that has additional safety protection from malicious writes. + Therefore, by attaching this attribute the developer can express the intent + of global variables of this type must be placed in read-only program segment. + + Note: Currently, clang only checks if all global declarations of a given type 'T' + are const qualified. In the next set of patches, we plan to generate warninig in the + following cases: + 1. An instance of type 'T' is allocated on the heap/stack. + 2. Type 'T' defines/inherits a mutable field. + 3. Type 'T' defines/inherits a constructor that overwrites it's fields. + 4. A field of type 'T' is defined by type 'Q', which does not bear the + 'enforce_read_only_placement' attribute. + 5. A type 'Q' inherits from type 'T' and it does not have the + 'enforce_read_only_placement' attribute. + }]; +} \ No newline at end of file Index: clang/include/clang/Basic/DiagnosticGroups.td =================================================================== --- clang/include/clang/Basic/DiagnosticGroups.td +++ clang/include/clang/Basic/DiagnosticGroups.td @@ -1381,3 +1381,6 @@ // HLSL diagnostic groups // Warnings for HLSL Clang extensions def HLSLExtension : DiagGroup<"hlsl-extensions">; + +// Warnings and notes related to const_var_decl_type attribute checks +def ReadOnlyPlacementChecks : DiagGroup<"read-only-types">; \ No newline at end of file Index: clang/include/clang/Basic/DiagnosticSemaKinds.td =================================================================== --- clang/include/clang/Basic/DiagnosticSemaKinds.td +++ clang/include/clang/Basic/DiagnosticSemaKinds.td @@ -5647,6 +5647,11 @@ def note_use_ifdef_guards : Note< "unguarded header; consider using #ifdef guards or #pragma once">; +def warn_var_decl_not_const : Warning<"Variable of type %0 will not be in read-only segment.">, + InGroup; +def note_all_var_decl_must_be_const : Note<"Type %0 was declared as a read-only type here.">; + + def note_deleted_dtor_no_operator_delete : Note< "virtual destructor requires an unambiguous, accessible 'operator delete'">; def note_deleted_special_member_class_subobject : Note< Index: clang/lib/Sema/SemaDecl.cpp =================================================================== --- clang/lib/Sema/SemaDecl.cpp +++ clang/lib/Sema/SemaDecl.cpp @@ -7297,6 +7297,50 @@ } } +/* + This function emits warning and a corresponding note based on the ReadOnlyPlacementAttr attribute. + The warning checks that all global variable declarations of an annotated type must be const + qualified. +*/ +void emitReadOnlyPlacementAttrWarning(Sema &S, const VarDecl* VD) { + // Ignore local declarations (for now) and those with const qualification. TODO: Local variables should + // not be allowed if their type declaration has ReadOnlyPlacementAttr attribute. To be handled in follow-up patch. + if(!VD || VD->isLocalVarDecl() || VD->getType().getCVRQualifiers()& (Qualifiers::Const)) + return; + + QualType type = VD->getType(); + if(const auto* carraytype = dyn_cast(type)) { + type = carraytype->getElementType(); + } + + if(const auto* arraytype = dyn_cast(type)) { + type = arraytype->getElementType(); + } else if (const auto* pointertype = dyn_cast(type)) { + // TODO: We should emit warning for pointers if the type declaration of the instance + // they point-to has ReadOnlyPlacementAttr attribute. + return; + } else if (const auto* eltype = dyn_cast(type)) { + type = eltype->getNamedType(); + } + + const clang::RecordDecl* RD = type->getAsRecordDecl(); + + // Check if the record declaration is present and if it has any attributes. + if (RD == nullptr || !RD->hasAttrs()) + return; + + for(auto a : RD->attrs()) { + // Check if the record declaration has the ReadOnlyPlacement attribute. + if (const auto *constdecl = dyn_cast(a)) { + // Warning attached to the varaibale declaration + S.Diag(VD->getLocation(), diag::warn_var_decl_not_const) << RD; + // Note attached to the record declaration. + S.Diag(((Attr*)constdecl)->getLocation(), diag::note_all_var_decl_must_be_const) << RD; + return; + } + } +} + NamedDecl *Sema::ActOnVariableDeclarator( Scope *S, Declarator &D, DeclContext *DC, TypeSourceInfo *TInfo, LookupResult &Previous, MultiTemplateParamsArg TemplateParamLists, @@ -7961,6 +8005,8 @@ if (IsMemberSpecialization && !NewVD->isInvalidDecl()) CompleteMemberSpecialization(NewVD, Previous); + emitReadOnlyPlacementAttrWarning(*this, NewVD); + return NewVD; } Index: clang/lib/Sema/SemaDeclAttr.cpp =================================================================== --- clang/lib/Sema/SemaDeclAttr.cpp +++ clang/lib/Sema/SemaDeclAttr.cpp @@ -7602,6 +7602,14 @@ D->addAttr(::new (S.Context) AMDGPUNumVGPRAttr(S.Context, AL, NumVGPR)); } +static void handleReadOnlyPlacementAttrs(Sema &S, Decl *D, + const ParsedAttr &AL) { + //TODO: Add a warning for atrribute added to non-record decls? + if(isa(D)) { + D->addAttr(::new (S.Context) ReadOnlyPlacementAttr(S.Context, AL)); + } +} + static void handleX86ForceAlignArgPointerAttr(Sema &S, Decl *D, const ParsedAttr &AL) { // If we try to apply it to a function pointer, don't warn, but don't @@ -8461,6 +8469,9 @@ case ParsedAttr::AT_X86ForceAlignArgPointer: handleX86ForceAlignArgPointerAttr(S, D, AL); break; + case ParsedAttr::AT_ReadOnlyPlacement: + handleReadOnlyPlacementAttrs(S, D, AL); + break; case ParsedAttr::AT_DLLExport: case ParsedAttr::AT_DLLImport: handleDLLAttr(S, D, AL); Index: clang/lib/Sema/SemaExpr.cpp =================================================================== --- clang/lib/Sema/SemaExpr.cpp +++ clang/lib/Sema/SemaExpr.cpp @@ -391,7 +391,6 @@ Diag(D->getLocation(), diag::note_entity_declared_at) << D; return true; } - return false; } Index: clang/test/Misc/pragma-attribute-supported-attributes-list.test =================================================================== --- clang/test/Misc/pragma-attribute-supported-attributes-list.test +++ clang/test/Misc/pragma-attribute-supported-attributes-list.test @@ -154,6 +154,7 @@ // CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method) // CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union) // CHECK-NEXT: RandomizeLayout (SubjectMatchRule_record) +// CHECK-NEXT: ReadOnlyPlacement (SubjectMatchRule_record) // CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function) // CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function) Index: clang/test/Sema/attr-read-only-placement.cpp =================================================================== --- /dev/null +++ clang/test/Sema/attr-read-only-placement.cpp @@ -0,0 +1,78 @@ +// RUN: %clang_cc1 %s -verify -fsyntax-only -Wread-only-types + + +struct __attribute__((enforce_read_only_placement)) A { // expected-note 2 {{Type 'A' was declared as a read-only type here}} +}; + +A a1; // expected-warning {{Variable of type 'A' will not be in read-only segment.}} +const A a2[10]; // no-warning +A a3[20]; // expected-warning {{Variable of type 'A' will not be in read-only segment.}} + + + + +struct B; +struct __attribute__((enforce_read_only_placement)) B { // expected-note 3 {{Type 'B' w as declared as a read-only type here}} +}; + +B b1; // expected-warning {{Variable of type 'B' will not be in read-only segment.}} +const B b2; // no-warning +const B b3[4]; // no-warning +B b4[5]; // expected-warning {{Variable of type 'B' will not be in read-only segment.}} +B b5[5][5]; // expected-warning {{Variable of type 'B' will not be in read-only segment.}} + +void method1() { + B b1; // no-warning + const B b2; // no-warning +} + + +struct C; + +struct __attribute__((enforce_read_only_placement)) C; // expected-note {{Type 'C' was declared as a read-only type here}} +struct C { // no-note. The note should be attached to the definition/declaration bearing the attribute. + +}; + +C c1; // expected-warning {{Variable of type 'C' will not be in read-only segment.}} + +C *c2 = new C; + + + +// Un-supported cases. + +// Attaching and checking the attribute in reverse, where the attribute is attached after the +// type definition. +struct D; +struct D { //expected-note{{previous definition is here}} +}; +struct __attribute__((enforce_read_only_placement)) D; // expected-warning{{attribute declaration must precede definition}} + +D d1; // We do not emit a warning here, as there is another warning for declaring a type after the definition + + +// Cases where the attribute must be implicitly attached to another type. +// Case 1: Inheriting from a type that has the attribute. +struct E : C { // This should become a const decl only type. Yet to be handled. + +}; +// Case 2: Declaring a field of the type that has the attribute. +struct F { // Not yet handled + C c1; +}; + +// Cases where the const qualification doesn't ensure read-only memory placement of the instance. +// Case 1: The type defines mutable data members +struct S { + C c1; + mutable int x; // We need a new warning stating the type can not be const decl only type. +}; + +// Case 2: The type has a constructor that makes its fields modifiable. +struct S { + int b; + S(int val) { + b = val; + } +}; \ No newline at end of file