This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/
-
ReleaseNotes.rst
-
include/clang/Basic/
-
clang/
-
Basic/
2/3
Attr.td
18/22
AttrDocs.td
-
DiagnosticGroups.td
5/5
DiagnosticSemaKinds.td
-
lib/Sema/
-
Sema/
28/28
SemaDecl.cpp
3/3
SemaDeclAttr.cpp
-
test/
-
Misc/
-
pragma-attribute-supported-attributes-list.test
-
Sema/
10/17
attr-read-only-placement.cpp

Differential D135851

[clang] Support for read-only types
ClosedPublic

Authored by malavikasamak on Oct 12 2022, 10:02 PM.

Download Raw Diff

Details

Reviewers

NoQ
jkorous
t-rasmud
ziqingluo-90
aaron.ballman
usama54321
xazax.hun
gribozavr
erichkeane

Commits

rG678ded017f21: [clang] Support for read-only types

Summary

Overview

The main goal of this work is to allow developers to express the need to place instances of a class or structure in the read-only part of the program memory. Such a placement is desirable to prevent any further modifications to the instances of a given structure, by leveraging the read-only run time protection.

To achieve this, we are introducing a new attribute that can be attached to any record definition or a declaration. The compiler enforces that every instance of this type can be placed in the read-only segment of the program memory, provided the target triplet supports such a placement. If an instance of a given type bearing this attribute doesn’t satisfy such a placement, the compiler attaches an appropriate warning at suitable program locations. In other words, adding this attribute to a type requires every instance of this type to be a global const, which are placed in the read-only segments for most target triplets. However, this is *not a language feature* and it *need not* be true for *all target triplets*.

Read-only placement of instances

In this subsection, we briefly discuss when an instance generally qualifies to be placed in the read-only part of the program memory.

The instance must satisfy the following:

The instance is globally declared and is not allocated on either the heap or stack.
The variable declaration is const-qualified.
No fields of the instance are mutable. This includes fields directly defined by the type and those inherited from other types.
The type defines no explicit non-constexpr constructor for initialization.
If another type defines an instance of the type bearing this attribute , then the owning instance should also be eligible to be placed in the read-only memory. In other words, the owning instance is const. qualified global, doesn’t define/inherit mutable fields and has no constructors that force the instance out of read-only memory.
Every other type that inherits from this type must also adheres to all the above listed requirements.

Plan

The goal is to build checkers/analyses that can detect the violations of above requirements for a given type and emit warning during compilation. We plan to roll out this features with multiple. In the current patch, we are adding support to attach attributes to record declarations and definitions. The clang semantic analysis checks that every global declaration of this record type is const qualified, otherwise it emits suitable warnings and notes. The current patch relies on the user to ensure the attribute is only attached to appropriate types that already satisfy requirements (1, 3, 4, 5 and 6). However, as stated above we will be adding additional support to ensure they are satisfied by a given type.

Introducing new Attribute: enforce_read_only_placement

The attribute can be attached to either a type declaration or the type definition

*Example usage:*

struct __*attribute__*(enforce_read_only_placement) Foo;
struct __*attribute__*(enforce_read_only_placement) Bar { ... };

Warning Messages and Notes emitted:

Current patch:
1. Global variable declaration site without const qualification: (Part of current patch): “Variable of type ‘T’ will not be in the read only program memory.”
2. Corresponding note attached to the type definition/declaration when a warning is emitted: “Type ‘T’ was declared as a read-only type here.”

Future patches:
1. Allocation on heap (stack): “Instance won't be placed in the read only program memory.”
2. Mutable field definition: “Instances of type ‘T’ will not be in the read only program memory.”
3. Explicit non-constexpr constructor definition: “Instances of type ‘T’ will not be in the read only program memory.”
4. Inheriting from a structure that defines mutable fields.: “Inheriting from a type that can not be in the read only program memory”
5. Type Q inherits from type T, but Q doesn’t define the attribute.: “‘Q’ not declared as a read-only program memory placeable type.”
6. Type Q defines a field of type T, but Q doesn’t define the attribute.: “‘Q’ not declared as a read-only program memory placeable type.”

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

malavikasamak created this revision.Oct 12 2022, 10:02 PM

Herald added a reviewer: aaron.ballman. · View Herald TranscriptOct 12 2022, 10:02 PM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added a subscriber: jdoerfert. · View Herald Transcript

malavikasamak requested review of this revision.Oct 12 2022, 10:02 PM

Harbormaster completed remote builds in B191893: Diff 467362.Oct 12 2022, 10:57 PM

Cosmetic changes.

Added new line at the end of 3 files.
Removed an extra space from a file.

malavikasamak added a reviewer: usama54321.Oct 13 2022, 11:01 AM

Harbormaster completed remote builds in B192005: Diff 467535.Oct 13 2022, 11:58 AM

malavikasamak added reviewers: xazax.hun, gribozavr.Oct 13 2022, 12:47 PM

Herald added a subscriber: rnkovacs. · View Herald TranscriptOct 13 2022, 12:47 PM

Added context.

Nice, I'm glad this is going!

A bit of motivation. The specific struct we really want to put this attribute on is struct IOExternalMethodDispatch that's present in a large portion of macOS drivers (and provided by the KDK). This struct is basically an array of function pointers, traditionally allocated globally, and these function pointers are invoked through interprocess communication (recall that mach is a microkernel). It is extremely important to prevent the attacker from being able to overwrite this struct. Simply putting a const qualifier on such global variable goes a long way as it puts the struct into read-only data segment which is protected at runtime from being overwritten even if undefined behavior occurs.

The problem seems general enough though, as most systems have read-only data segments and there's sometimes similar value in keeping certain data structures there, so I think generalizing it to an attribute is appropriate.

Harbormaster completed remote builds in B192036: Diff 467579.Oct 13 2022, 1:41 PM

NoQ added inline comments.Oct 13 2022, 1:44 PM

clang/include/clang/Basic/AttrDocs.td
6790	That's the official catchy term, I believe.
6792
6807–6808	This is documentation for the users, they don't usually think in terms of patches, they usually think in terms of versions. Maybe "The following conditions would also prevent the data to be put into read only segment, but the corresponding warnings are not implemented yet:"?
clang/lib/Sema/SemaDecl.cpp
7390–7391	Not sure about static locals, maybe `VD->hasLocalStorage()` is more appropriate?
7395	There's some unusual problems with dyn_cast-ing to array types, there's `ASTContext::getAsArrayType()` and related methods that IIUC should be used instead (they have some comments with respect to why but I don't fully understand them).
7405–7407	I think there are like fifteen different ways how a type needs to be unwrapped, and they can be stacked on top of each other, so it probably makes sense to cover them all at once with `type = type->getCanonicalType()` at the beginning.
7415–7417	I think this can be done in `O(1)` with `RD->hasAttr<ReadOnlyPlacementAttr>()` or something like that.

Hi!

I have some questions:

Does this affect codegen in any ways? I.e., I'd expect the compiler to already put such structs in read only segments when possible. So are there any scenarios when adding this attribute would affect the binary?
What do you mean by the type has no explicit constructor? Wouldn't a a type with a user-provided constexpr constructor be a viable candidate to be a read-only type?

Hi Gabor,

The attribute doesn't affect CodeGen. It is meant to be a support system to ensure instances of sensitive data types (identified by developer) always satisfy the requirement to be in read-only memory.
Yes. Instances created with constexpr constructors are viable to be in read-only memory. I meant non-constexpr constructors. I will clarify this in the summary.

In D135851#3857117, @malavikasamak wrote:

The attribute doesn't affect CodeGen. It is meant to be a support system to ensure instances of sensitive data types (identified by developer) always satisfy the requirement to be in read-only memory.

I think that's a great thing to put into user documentation. "The attribute doesn't guarantee that the object will be put into read-only data segment, and it does not instruct the compiler to put it there. It simply warns you if something in your code prevents it from being put there".

Addressed all the comments.

malavikasamak updated this revision to Diff 467935.Oct 14 2022, 2:58 PM

malavikasamak edited the summary of this revision. (Show Details)

malavikasamak added a reviewer: erichkeane.

malavikasamak updated this revision to Diff 467939.Oct 14 2022, 3:01 PM

Harbormaster completed remote builds in B192287: Diff 467939.Oct 14 2022, 3:01 PM

malavikasamak marked an inline comment as done.Oct 14 2022, 3:01 PM

malavikasamak updated this revision to Diff 467943.Oct 14 2022, 3:31 PM

Harbormaster completed remote builds in B192291: Diff 467943.Oct 14 2022, 3:32 PM

This seems like a good start, but I think the rest of the promised warnings would have to be in place before we should commit this. Additionally, we obviously need a slew of SEMA tests.

Additionally: This is intended to be used for the purposes of static-analysis, right? Do we have any static-analysis tools that have dedicated to using this attribute?

clang/lib/Sema/SemaDecl.cpp
328–329	Unrelated change?

You want to write an annotation on the *type* saying "instances of this should go into a read-only section", but that's not a property of the type, that's a property of a declaration involving that type. I can see the appeal to "if someone makes a declaration that can't be read-only, you should diagnose" but then I stop to consider all the places the type can be used and I'm not certain what should happen. Consider:

struct __attribute__((enforce_read_only_placement)) Foo {
  const int a, b;
};

void func(Foo f); // Do we diagnose this use?
void other(const Foo f); // This one?
Foo druther(); // This one?
constexpr void another(Foo f) {} // This one?
consteval void again(Foo f) {} // This one?

struct S {
  Foo f; // This one?
  int i = sizeof(Foo); // Surely not this one?
};

Would it make sense to use an annotation on the declaration to say "if this specific declaration can't be put in read-only memory, please diagnose" or does that not get you the properties you're looking for?

Apologies about the missing test cases. I had them in the first diff that I uploaded and somehow dropped the file in later diffs.

This diff now contains the test file from the first diff.

Harbormaster completed remote builds in B192860: Diff 468713.Oct 18 2022, 3:45 PM

Attempt to fix build failure.

malavikasamak marked an inline comment as done.Oct 19 2022, 11:36 AM

Harbormaster completed remote builds in B193045: Diff 468968.Oct 19 2022, 11:47 AM

In D135851#3862105, @erichkeane wrote:

I think the rest of the promised warnings would have to be in place before we should commit this.

Hmm, can you elaborate on that? What are the usual requirements for an initial commit of this sort?

Like, what I see is warnings of two different kinds:

"warning: you're misusing the attribute" (eg., the struct has a mutable field or a non-trivial constructor);
"warning: you're misusing the object that wears the attribute" (eg. about allocating object on stack or heap).

My impression so far was that the warnings of the first category are somewhat important to get right from the start (at least the most basic constraints) but if warnings from the second category aren't implemented, they simply turn into false negatives. False negatives don't actually hurt anybody, the attribute with false negatives is still more useful than lack of attribute. In many cases it's not even possible to address all false negatives. Wouldn't it make sense to interrupt the initial commit whenever it reaches the point of having no downsides, and address false negatives later?

I'd also like to add that Malavika is on our team, so we'll most likely continue to support the attribute for a while no matter what. I think she also plans to answer the other questions so I'll leave it up to her ^.^

In D135851#3868879, @malavikasamak wrote:

Attempt to fix build failure.

Ok this time it's in libfuzzer, that's clearly not your fault. I think you can ignore them until your patch is ready to commit, but then you can do a few more rebases until it gets green.

malavikasamak added a comment.Oct 19 2022, 3:31 PM

This comment was removed by malavikasamak.

Our plan is to first roll out the analysis in the following order:

Warn if the attribute is attached to type declarations that prevents read-only placements:
1. Defining/ inheriting mutable fields
2. Non-constexpr constructors
Warn when an instance will not be placed in read-only program memory:
1. Global variables and static variables within a method without const qualification (Rolling it out first as we have seen quite a few of such use cases)
2. Instances created on stack (see above comment for some examples) or allocated on the heap.
Warn about missing attribute on types:
1. Type Q inherits from type T (that bears the attribute), but Q doesn’t define the attribute.
2. Type Q defines a field of type T (that bear the attribute), but Q doesn’t define the attribute.

Thanks very much for the comment and a list of interesting use cases.

In D135851#3865289 https://reviews.llvm.org/D135851#3865289, @aaron.ballman wrote:

You want to write an annotation on the *type* saying "instances of this should go into a read-only section", but that's not a property of the type, that's a property of a declaration involving that type.

Thank you. Yes, this should be a declaration attribute.

I can see the appeal to "if someone makes a declaration that can't be read-only, you should diagnose" but then I stop to consider all the places the type can be used and I'm not certain what should happen. Consider:

Generally for method definitions, we plan to warn at the declaration site if a method clearly creates an instance on the stack that can be mis-used. If it is not clear whether an instance is created on the stack ( eg., a method bearing constexpr qualifier), we plan to warn at the method invocation sites that create instances on the stack.

struct __attribute__((enforce_read_only_placement)) Foo {
  const int a, b;
};

void func(Foo f); // Do we diagnose this use?

Yes. This always leads to an instance of Foo on the stack. Here, we can warn at the declaration.

void other(const Foo f); // This one?

Yes. This also creates an instance of Foo on the stack, where there is no run time protection. The instance can be modified after using const_cast to get a pointer.

Foo druther(); // This one?

Yes. This always creates a writable instance. So we issue a warning.

constexpr void another(Foo f) {} // This one?

This depends on the invocation. If the LHS of the method invocation is a constexpr then no, otherwise we need to warn at the invocation site.

consteval void again(Foo f) {} // This one?

As far as I understand, this doesn’t seem to create instances on stack. So no warning.

struct S {

Foo f; // This one?
int i = sizeof(Foo); // Surely not this one?

No, as this doesn't create an instance on the stack.

};

Gentle ping.

xazax.hun added inline comments.Oct 27 2022, 11:36 AM

clang/include/clang/Basic/Attr.td
4101	So as far as I understad, you don't want to support type aliases. I.e.: struct Foo {}; using ImmutableFoo = [[clang::enforce_read_only_placement]] Foo; is out of scope.
clang/lib/Sema/SemaDecl.cpp
7388	I'd prefer a local auto variable over a std::function. Also I think this could be moved closer to its use.
7390	Is this comment relevant?
7394	Do we need recursion? I'd prefer an iterative solution.
7404	Redundant parens?

Addressing comments from the review.

malavikasamak marked 3 inline comments as done.Nov 2 2022, 1:06 PM

malavikasamak marked an inline comment as done.Nov 2 2022, 1:15 PM

Harbormaster completed remote builds in B195787: Diff 472734.Nov 2 2022, 2:27 PM

@xazax.hun: Thanks very much for the comments. They are all addressed in the latest diff.

Regarding type aliases: We currently are planning to only allow adding the attribute to a record declaration.

clang/include/clang/Basic/Attr.td
4101	We currently are planning to only allow adding the attribute to a record declaration.

Start to look good, I still have a couple of questions/comments inline.

clang/include/clang/Basic/AttrDocs.td
6789	Since it can be attached to declaration, what would happen in the following scenario: struct MyType{ int x; }; void foo(MyType t); struct __attribute__(enforce_read_only_placement) MyType; Would we diagnose `foo` even though the attribute was added later? Or are we diagnosing mutable uses AFTER the attribute was introduced?
6798	What is the `ConstVarDecl` attribute? Are you referring to `enforce_read_only_placement`?
clang/include/clang/Basic/DiagnosticSemaKinds.td
5684	Other diagnostics in this file seem to start with lower case letters and do not have end of the sentence punctuations.
clang/lib/Sema/SemaDecl.cpp
7399	Could be moved into the `isArrayType` branch.

malavikasamak added inline comments.Nov 3 2022, 11:27 AM

clang/include/clang/Basic/AttrDocs.td
6798	Yes. Thank you for catching this! Will fix in the next diff.
clang/include/clang/Basic/DiagnosticSemaKinds.td
5684	Fixed in the new diff.

Addressed the recent comments.

malavikasamak marked 3 inline comments as done.Nov 4 2022, 10:39 AM

Harbormaster completed remote builds in B196184: Diff 473292.Nov 4 2022, 11:52 AM

Mostly looks good to me, but there still is a comment that is unaddressed.

clang/include/clang/Basic/AttrDocs.td
6789	I'd like to see a test case like this and in case it does not work I'd like to know whether it is in scope or not. If it is not, let's document this limitation.

You should also add a release note for the new functionality.

Foo druther(); // This one?

Yes. This always creates a writable instance. So we issue a warning.

Doesn't guaranteed RVO ensure that this doesn't always create a writeable instance (it might be the caller who creates the instance and druther() constructs into that space when returning?

clang/include/clang/Basic/Attr.td
4102
clang/include/clang/Basic/AttrDocs.td
6788–6789	A definition is a declaration, so I think we can make it less awkward by pulling that out. Also, I think "record" is more of an internal term and users are more used to thinking in terms of structures and unions.
6789	The way inheritable attributes work is to allow subsequent redeclarations to add additional information. So for that code example, I'd expect no diagnostic on `foo()`.
6791
6792

aaron.ballman added inline comments.Nov 7 2022, 12:08 PM

clang/include/clang/Basic/AttrDocs.td
6798
6800
6801
6803
6808	I'm trying to add some weasel words here to make it clear that a lack of a warning doesn't necessarily mean "everything marked will be in a read-only section".
6812
6815–6821
clang/include/clang/Basic/DiagnosticSemaKinds.td
5684–5686	I think the `%0` isn't needed in the note because that note is always attached to the declaration of the type and that should already clearly identify the name of the type.
clang/lib/Sema/SemaDecl.cpp
7381–7385
7392
7395–7396	This should probably move up above the check for local storage and const qualification. Also, `type` doesn't meet our usual naming conventions but `Type` is the name of a type. Can you go with something more like `VarTy` (I'm not tied to that name, just making sure it fits our usual coding style.)
7400
7404	Similar renaming (feel free to pick a better name).
7408–7409	I think this is dead code -- getting the canonical type should strip all sugar off the type, and elaboration is a type of sugar.
7414–7415	The check for `hasAttrs()` is redundant -- `getAttr()` already tests that property.
7418
7419–7421	I'm not certain these comments add much value -- the code is reasonably self-explanatory as is.
7422–7424	Shouldn't need to cast to `Attr ` because it inherits from `Attr ` already.

malavikasamak added inline comments.Nov 10 2022, 10:15 AM

clang/include/clang/Basic/AttrDocs.td
6789	Ideally, we would like to attach the warning to all locations that break the read-only memory placement. For the specific case you provided, clang already attaches the "attribute declaration must precede definition" warning (see test case in attr-read-only-placement.cpp, line 44-46), so it is not clear if we should consider cases where declarations follow the definition. Also, we do not yet handle problematic method declarations and I can add this case to the TODO test cases in attr-read-only-placement.cpp.

Addressing the comments in the new diff.

clang/lib/Sema/SemaDecl.cpp
7408–7409	Thank you for pointing this out.

malavikasamak updated this revision to Diff 474642.Nov 10 2022, 5:47 PM

malavikasamak marked an inline comment as done.

Harbormaster completed remote builds in B197149: Diff 474642.Nov 10 2022, 7:15 PM

Thanks, the latest version looks good to me.

clang/include/clang/Basic/AttrDocs.td
6789	Sorry, I somehow missed the tests at line 44-46.
clang/lib/Sema/SemaDeclAttr.cpp
7744	Typo.

This revision is now accepted and ready to land.Nov 11 2022, 8:34 AM

Just a few small nits and questions, but you should definitely write a release note for this before landing.

clang/include/clang/Basic/DiagnosticSemaKinds.td
5684–5685
clang/lib/Sema/SemaDecl.cpp
7386–7394	Simplification
clang/test/Sema/attr-read-only-placement.cpp
54	Wouldn't the warning be that `C` might not be placed in read-only memory because `E` is not also marked as requiring it?
68
71	Double-checking: the reason this can't be placed in read-only memory is because `G` can't be placed there due to a `mutable` member, right? If so, then would this be accepted: struct __attribute__((enforce_read_only_placement)) Base { int i; }; struct __attribute__((enforce_read_only_placement)) Derived : Base { int j; }; and similarly, is this accepted: struct __attribute__((enforce_read_only_placement)) Thing { int a; }; struct __attribute__((enforce_read_only_placement)) WrapperThing { Thing t; };

Addressed more comments.

Harbormaster completed remote builds in B197300: Diff 474852.Nov 11 2022, 2:40 PM

aaron.ballman added inline comments.Nov 14 2022, 9:24 AM

clang/lib/Sema/SemaDecl.cpp
7405
clang/lib/Sema/SemaDeclAttr.cpp
7746–7748	No need for that check -- the common attribute handling code will issue a diagnostic if the subject is incorrect.
clang/test/Sema/attr-read-only-placement.cpp
54	I'm still wondering which way this warnings -- is it never going to be possible to compose objects with this attribute together?
71	Still wondering about this as well.

malavikasamak updated this revision to Diff 475612.Nov 15 2022, 3:45 PM

malavikasamak marked 2 inline comments as done.

Harbormaster completed remote builds in B197858: Diff 475612.Nov 15 2022, 4:51 PM

malavikasamak updated this revision to Diff 475641.Nov 15 2022, 5:08 PM

Harbormaster completed remote builds in B197882: Diff 475641.Nov 15 2022, 6:06 PM

malavikasamak added inline comments.Nov 16 2022, 12:22 PM

clang/test/Sema/attr-read-only-placement.cpp
54	Looks like I accidentally missed the comments that were added with the in-line changes. Sorry about that. Compositions in some cases will be possible. For example, inheriting from a base class/struct without the attribute and attaching the attribute to the derived class/struct should be possible, as long as nothing in base class/struct prevents the read-only placement of the derived type. I have added some positive examples to clarify this.
71	Missed this too. Sorry again. Yes, the above two examples must be accepted. Added a few positive test cases for clarity.

aaron.ballman added inline comments.Nov 17 2022, 5:04 AM

clang/test/Sema/attr-read-only-placement.cpp
54	Looks like I accidentally missed the comments that were added with the in-line changes. Sorry about that. No worries, Phabricator is sometimes complex! :-) Compositions in some cases will be possible. For example, inheriting from a base class/struct without the attribute and attaching the attribute to the derived class/struct should be possible, as long as nothing in base class/struct prevents the read-only placement of the derived type. I have added some positive examples to clarify this. Thank you, but the comment on this particular case has me confused then. `C` has no members and `E` has no members, so there's nothing preventing either from being in read-only memory. So the comment sounds correct in general (we don't have any checking) but incorrect on this specific test case (because even if we had such checking, I'd expect we wouldn't diagnose that usage). I think we can update the comment here to say that this should NOT be diagnosed, and add `FIXME` to the comments on `struct H`.
60	Similar here as above. I think you can add a test case like `struct H` but which wraps `struct G` instead of inherits from it.
99
101–103	I think other test cases that would be useful are: struct __attribute__((enforce_read_only_placement)) ConstevalCtor { int b; consteval ConstevalCtor(int B) : b(B) {} // Fine, right? }; struct __attribute__((enforce_read_only_placement)) InClassInitializers { int b = 12; InClassInitializers() = default; // Fine, right? }; int foo(); struct __attribute__((enforce_read_only_placement)) InClassInitializersBad { int b = foo(); // Not fine, right? InClassInitializersBad() = default; };

malavikasamak added inline comments.Nov 18 2022, 3:08 PM

clang/test/Sema/attr-read-only-placement.cpp
54	You are right that there is nothing preventing E from being in read only memory. The question here we considered is should we even allow the absence of the attribute at the declaration of E? So we explored two design choices: a) Emit the warning at the object allocation site for E as C bears the attribute. b) Skip the diagnosis at the object allocation sites for E and only emit a warning at type E declaration site asking the user to attach the attribute to E. Here, we will require each type to explicitly attach the attribute at the type declaration site, so we can analyze the code for read-only placement violations. Let’s consider the below example: int foo(); struct __attribute__((enforce_read_only_placement)) T {int a;}; struct P : T { int b; mutable int c; }; struct Q : T { int d = foo(); }; struct R : T { }; T t1{10}; P p1{10, 20, 30}; Q q1{10}; struct A : P {}; struct B : A {}; A a1{1, 2, 3}; B b1{4, 5, 6}; Here, choice a will emit a warning at object allocation sites for p1, q1, a1 and b1 as they are not const qualified. In addition, it will also create a warning for type P for defining a mutable field and for type Q for field d initialization. In contrast, choice b will emit 3 warnings for type P, Q, and R at their type declaration sites warning the user about the missing explicit attribute. Once this attribute is explicitly attached to these types by the user, it will then analyze and warn about any problem in their object allocation sites, field declarations and constructor definitions etc,. Note that, here we also notify the user about type R which has no object instances. Overall, both approaches will eventually warn about all the code locations that push an object out of read-only memory. The only difference is, choice a presents them all in one step, whereas choice b presents them incrementally. There are pros and cons for both choices. Choice a Pro: Clean code as we can express the need for entire type hierarchy instances to be in read-only memory by simply attaching the attribute to a base type. Con: Can create warnings for many types at many locations at once, overwhelming/confusing the user. Especially, if the base type is part of a library. Choice b Pro: Fewer warnings in the code at each iteration and the warnings are only issued on types that developer explicitly requires to be in the read-only memory. Con: Every type that needs such protection must bear the attribute. This can make the code a bit cluttered.

aaron.ballman added inline comments.Nov 21 2022, 11:11 AM

clang/test/Sema/attr-read-only-placement.cpp

The question here we considered is should we even allow the absence of the attribute at the declaration of E?

That's a fantastic question to be asking! Thank you very much for the detailed explanation of what you considered, that really helps me as a reviewer. I still have a few code scenarios that may help me develop a better mental model for the design.

What about more complicated class hierarchies? e.g., mix-ins and "holes" in the hierarchy?

// Mix-in to cause a class hierarchy to become read-only
struct  __attribute__((enforce_read_only_placement)) make_type_read_only {};
struct base { int i; };
struct derived : base, make_type_read_only { int j; };

// Middle of the hierarchy missed the attribute.
struct __attribute__((enforce_read_only_placement)) another_base { int i; };
struct another_derived : another_base { int j; };
struct __attribute__((enforce_read_only_placement)) further_derived : another_derived { int k; };

// Bookends of the hierarchy missed the attribute.
struct yet_another_base { int i; };
struct __attribute__((enforce_read_only_placement)) yet_another_derived : yet_another_base { int j; };
struct yet_another_further_derived : yet_another_derived { int k; };

Thanks for the questions.

// Mix-in to cause a class hierarchy to become read-only
struct attribute((enforce_read_only_placement)) make_type_read_only {};
struct base { int i; };
struct derived : base, make_type_read_only { int j; };

We prefer to proceed with choice b, where we warn at the type declaration site. Where, if a base
type bears the attribute but its derived type doesn't, then we'd warn at the declaration site of the
derived type. So for the above example, we will warn at the declaration site for 'derived' type as it
inherits from 'make_type_read_only'.

// Middle of the hierarchy missed the attribute.
struct attribute((enforce_read_only_placement)) another_base { int i; };
struct another_derived : another_base { int j; };
struct attribute((enforce_read_only_placement)) further_derived : another_derived { int k; };

// Bookends of the hierarchy missed the attribute.
struct yet_another_base { int i; };
struct attribute((enforce_read_only_placement)) yet_another_derived : yet_another_base { int j; };
struct yet_another_further_derived : yet_another_derived { int k; };

Going by the same logic as stated above, we'd then warn at the 'another_derived' and 'yet_another_further_derived'
declaration sites, as they also inherit from a attribute bearing types.

In D135851#3955632, @malavikasamak wrote:

Thanks for the questions.

// Mix-in to cause a class hierarchy to become read-only
struct attribute((enforce_read_only_placement)) make_type_read_only {};
struct base { int i; };
struct derived : base, make_type_read_only { int j; };

We prefer to proceed with choice b, where we warn at the type declaration site. Where, if a base
type bears the attribute but its derived type doesn't, then we'd warn at the declaration site of the
derived type. So for the above example, we will warn at the declaration site for 'derived' type as it
inherits from 'make_type_read_only'.

// Middle of the hierarchy missed the attribute.
struct attribute((enforce_read_only_placement)) another_base { int i; };
struct another_derived : another_base { int j; };
struct attribute((enforce_read_only_placement)) further_derived : another_derived { int k; };

// Bookends of the hierarchy missed the attribute.
struct yet_another_base { int i; };
struct attribute((enforce_read_only_placement)) yet_another_derived : yet_another_base { int j; };
struct yet_another_further_derived : yet_another_derived { int k; };

Going by the same logic as stated above, we'd then warn at the 'another_derived' and 'yet_another_further_derived'
declaration sites, as they also inherit from a attribute bearing types.

Thank you for the discussion, I think that choice b makes sense to me -- it does mean more markings, but it's also more clear as to why you get a diagnostic and how to repair it. Maybe in a follow-up you can consider adding fix-its to add the attribute to an interface which needs it?

clang/test/Sema/attr-read-only-placement.cpp
54

Thank you for the discussion, I think that choice b makes sense to me -- it does mean more markings, but it's also more clear as to why you get a diagnostic and how to repair it.

Absolutely. This choice should be more intuitive to the users in general, as this also makes warnings added at object allocation sites easy to understand and reason about.

Maybe in a follow-up you can consider adding fix-its to add the attribute to an interface which needs it?

Yes, We can have a follow up patch that provides a fixit for the missing attribute warning.

Can I go ahead and land the current patch if there aren't any more questions/concerns?

malavikasamak updated this revision to Diff 478715.Nov 29 2022, 1:46 PM

malavikasamak marked an inline comment as done.

Harbormaster completed remote builds in B200109: Diff 478715.Nov 29 2022, 4:43 PM

Mostly just nits from me, but otherwise LG. I'll leave it to @erichkeane to make the final sign-off.

clang/include/clang/Basic/DiagnosticSemaKinds.td
5684–5685	Wrapped for the usual 80-col limit (clang-format usually botches .td files).
clang/test/Sema/attr-read-only-placement.cpp
7	If using bookmarks like this, it's better to put the `expected-note@#1` next to the diagnostic which generates the note instead of putting it up by where the note is issued. Examples below. Same applies elsewhere in the test.
10–13

Addressed comments on .td file width and placement of notes.

Harbormaster completed remote builds in B200391: Diff 479118.Nov 30 2022, 6:20 PM

LGTM, thank you for this!

@aaron.ballman: Thanks very much for all the detailed feedback over the past few weeks and for accepting the patch.

@erichkeane: Please let me know if you have any concerns/questions about this patch. If not, I can go ahead and commit this patch.

Hi @erichkeane,
I am sorry to bother you but in case you are ok with the patch could you please approve?
It sounds like you are taking a break from reviews starting later this week until January.
I'd appreciate if you could unblock us (unless you still have some comments).

A couple of minor nits, I think the code you have to do the checking is a little overly complex, but the checking itself is generallyf ine. Else, some nits.

clang/include/clang/Basic/AttrDocs.td
6795
6796
clang/lib/Sema/SemaDecl.cpp
126	extraneous change, please dont commit this.
7393	I'm about 95% sure that this whole section can be replaced by: `VarType = Context.getBaseElementType(VarType);` This would then allow you to handle arrays of pointers (which it seems like you don't do correctly with the 'else if' below. MIGHT also want a 'get canonical type' somewhere after that as well though.
7399	thinking about it, this whole branch is unnecessary, right? PointerType would just fail the RecordDecl type check below?
clang/lib/Sema/SemaDeclAttr.cpp
8602
clang/test/Sema/attr-read-only-placement.cpp
6	I typically prefer descriptive-ish bookmark names.

Addressed Erich's comments.

clang/lib/Sema/SemaDecl.cpp
7393	Updated the code and it seems to work fine (at least for the test cases) without a second invocation to getCanonicalType(). So, not adding a second invocation for ArrayType.
7399	Yes, you are right.

erichkeane accepted this revision.Dec 8 2022, 6:10 AM

Harbormaster completed remote builds in B201877: Diff 481148.Dec 8 2022, 7:08 AM

This revision was landed with ongoing or failed builds.Dec 15 2022, 12:09 PM

Closed by commit rG678ded017f21: [clang] Support for read-only types (authored by malavikasamak). · Explain Why

This revision was automatically updated to reflect the committed changes.

malavikasamak added a commit: rG678ded017f21: [clang] Support for read-only types.

Herald added a project: Restricted Project. · View Herald TranscriptDec 15 2022, 12:09 PM

Herald added a subscriber: cfe-commits. · View Herald Transcript

NoQ mentioned this in D138940: [-Wunsafe-buffer-usage] Introduce the `unsafe_buffer_usage` attribute.Jan 19 2023, 3:57 PM

Revision Contents

Path

Size

clang/

docs/

ReleaseNotes.rst

5 lines

include/

clang/

Basic/

Attr.td

5 lines

AttrDocs.td

39 lines

DiagnosticGroups.td

3 lines

DiagnosticSemaKinds.td

6 lines

lib/

Sema/

SemaDecl.cpp

32 lines

SemaDeclAttr.cpp

3 lines

test/

Misc/

pragma-attribute-supported-attributes-list.test

1 line

Sema/

attr-read-only-placement.cpp

170 lines

Diff 483289

clang/docs/ReleaseNotes.rst

Show First 20 Lines • Show All 540 Lines • ▼ Show 20 Lines	- Updated the value returned by ``__has_c_attribute(nodiscard)`` to ``202003L``
supported the ability to specify a message in the attribute, so there were no		supported the ability to specify a message in the attribute, so there were no
changes to the attribute behavior.		changes to the attribute behavior.

- Updated the value returned by ``__has_c_attribute(fallthrough)`` to ``201910L``		- Updated the value returned by ``__has_c_attribute(fallthrough)`` to ``201910L``
based on the final date specified by the C2x committee draft. We previously		based on the final date specified by the C2x committee draft. We previously
used ``201904L`` (the date the proposal was seen by the committee) by mistake.		used ``201904L`` (the date the proposal was seen by the committee) by mistake.
There were no other changes to the attribute behavior.		There were no other changes to the attribute behavior.

		- Introduced a new record declaration attribute ``__attribute__((enforce_read_only_placement))``
		to support analysis of instances of a given type focused on read-only program
		memory placement. It emits a warning if something in the code provably prevents
		an instance from a read-only memory placement.

Windows Support		Windows Support
---------------		---------------
- For the MinGW driver, added the options ``-mguard=none``, ``-mguard=cf`` and		- For the MinGW driver, added the options ``-mguard=none``, ``-mguard=cf`` and
``-mguard=cf-nochecks`` (equivalent to ``/guard:cf-``, ``/guard:cf`` and		``-mguard=cf-nochecks`` (equivalent to ``/guard:cf-``, ``/guard:cf`` and
``/guard:cf,nochecks`` in clang-cl) for enabling Control Flow Guard checks		``/guard:cf,nochecks`` in clang-cl) for enabling Control Flow Guard checks
and generation of address-taken function table.		and generation of address-taken function table.

- Switched from SHA1 to BLAKE3 for PDB type hashing / ``-gcodeview-ghash``		- Switched from SHA1 to BLAKE3 for PDB type hashing / ``-gcodeview-ghash``
▲ Show 20 Lines • Show All 378 Lines • Show Last 20 Lines

clang/include/clang/Basic/Attr.td

Show First 20 Lines • Show All 4,090 Lines • ▼ Show 20 Lines

def FunctionReturnThunks : InheritableAttr,

let Spellings = [GCC<"function_return">];

let Args = [EnumArgument<"ThunkType", "Kind",

["keep", "thunk-extern"],

["Keep", "Extern"]

>];

let Subjects = SubjectList<[Function]>;

let Documentation = [FunctionReturnThunksDocs];

}

def ReadOnlyPlacement : InheritableAttr {

let Spellings = [Clang<"enforce_read_only_placement">];

let Subjects = SubjectList<[Record]>;

xazax.hunUnsubmitted

Not Done

So as far as I understad, you don't want to support type aliases. I.e.:

struct Foo {};

using ImmutableFoo = [[clang::enforce_read_only_placement]] Foo;

is out of scope.

xazax.hun: So as far as I understad, you don't want to support type aliases. I.e.: ``` struct Foo {}…

malavikasamakAuthorUnsubmitted

Done

We currently are planning to only allow adding the attribute to a record declaration.

malavikasamak: We currently are planning to only allow adding the attribute to a record declaration.

let Documentation = [ReadOnlyPlacementDocs];

aaron.ballmanUnsubmitted

Done

let Subjects = SubjectList<[Record]>;

- let Documentation =[ReadOnlyPlacementDocs];

+ let Documentation = [ReadOnlyPlacementDocs];

}

aaron.ballman:

}

clang/include/clang/Basic/AttrDocs.td

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 6,776 Lines • ▼ Show 20 Lines

The values ``thunk`` and ``thunk-inline`` from GCC are not supported. The values ``thunk`` and ``thunk-inline`` from GCC are not supported.

The symbol used for ``thunk-extern`` is target specific: The symbol used for ``thunk-extern`` is target specific:

* X86: ``__x86_return_thunk`` * X86: ``__x86_return_thunk``

As such, this function attribute is currently only supported on X86 targets. As such, this function attribute is currently only supported on X86 targets.

}]; }];

} }

def ReadOnlyPlacementDocs : Documentation {

let Category = DocCatType;

let Content = [{This attribute is attached to a structure, class or union declaration.

When attached to a record declaration/definition, it checks if all instances

xazax.hunUnsubmitted

Not Done

Since it can be attached to declaration, what would happen in the following scenario:

struct MyType{ int x; };

void foo(MyType t);

struct __attribute__(enforce_read_only_placement) MyType;

Would we diagnose foo even though the attribute was added later? Or are we diagnosing mutable uses AFTER the attribute was introduced?

xazax.hun: Since it can be attached to declaration, what would happen in the following scenario: ```…

xazax.hunUnsubmitted

Not Done

I'd like to see a test case like this and in case it does not work I'd like to know whether it is in scope or not. If it is not, let's document this limitation.

xazax.hun: I'd like to see a test case like this and in case it does not work I'd like to know whether it…

aaron.ballmanUnsubmitted

Not Done

The way inheritable attributes work is to allow subsequent redeclarations to add additional information. So for that code example, I'd expect no diagnostic on foo().

aaron.ballman: The way inheritable attributes work is to allow subsequent redeclarations to add additional…

malavikasamakAuthorUnsubmitted

Done

Ideally, we would like to attach the warning to all locations that break the read-only memory placement. For the specific case you provided, clang already attaches the "attribute declaration must precede definition" warning (see test case in attr-read-only-placement.cpp, line 44-46), so it is not clear if we should consider cases where declarations follow the definition. Also, we do not yet handle problematic method declarations and I can add this case to the TODO test cases in attr-read-only-placement.cpp.

malavikasamak: Ideally, we would like to attach the warning to all locations that break the read-only memory…

xazax.hunUnsubmitted

Not Done

Sorry, I somehow missed the tests at line 44-46.

xazax.hun: Sorry, I somehow missed the tests at line 44-46.

aaron.ballmanUnsubmitted

Done

let Category = DocCatType;

- let Content = [{This attribute is attached to a record declaration or the

- definition. When attached to a record declaration/definition, it checks

+ let Content = [{This attribute is attached to a structure or union declaration. When

+ attached to a record declaration/definition, it checks

if all instances of this type can be placed in the read-only data segment

A definition is a declaration, so I think we can make it less awkward by pulling that out. Also, I think "record" is more of an internal term and users are more used to thinking in terms of structures and unions.

aaron.ballman: A definition is a declaration, so I think we can make it less awkward by pulling that out. Also…

of this type can be placed in the read-only data segment of the program. If it

NoQUnsubmitted

Done

definition. When attached to a record declaration/definition, it checks

- if all instances of this type can be placed in the read-only memory segment

+ if all instances of this type can be placed in the read-only data segment

of the program. If it finds an instance that can not be in read-only segment,

That's the official catchy term, I believe.

NoQ: That's the official catchy term, I believe.

finds an instance that can not be placed in a read-only segment, the compiler

aaron.ballmanUnsubmitted

Done

if all instances of this type can be placed in the read-only data segment

- of the program. If it finds an instance that can not be in read-only segment,

+ of the program. If it finds an instance that can not be placed in a read-only segment,

the compiler emits a warning at the corresponding program location.

aaron.ballman:

emits a warning at the source location where the type was used.

NoQUnsubmitted

Done

of the program. If it finds an instance that can not be in read-only segment,

- it geneattaches a warning at the corresponding program location.

+ the compiler emits a warning at the allocation site.

Examples:

NoQ:

aaron.ballmanUnsubmitted

Done

of the program. If it finds an instance that can not be in read-only segment,

- the compiler emits a warning at the corresponding program location.

+ the compiler emits a warning at the source location where the type was used.

Examples:

aaron.ballman:

Examples:

* ``struct __attribute__((enforce_read_only_placement)) Foo;``

erichkeaneUnsubmitted

Done

Examples:

- * ``struct __attribute__(enforce_read_only_placement) Foo;``

+ * ``struct __attribute__((enforce_read_only_placement)) Foo;``

* ``struct __attribute__(enforce_read_only_placement) Bar { ... };``

erichkeane:

* ``struct __attribute__((enforce_read_only_placement)) Bar { ... };``

erichkeaneUnsubmitted

Done

* ``struct __attribute__(enforce_read_only_placement) Foo;``

- * ``struct __attribute__(enforce_read_only_placement) Bar { ... };``

+ * ``struct __attribute__((enforce_read_only_placement)) Bar { ... };``

Both ``Foo`` and ``Bar`` types have the ``enforce_read_only_placement`` attribute.

erichkeane:

Both ``Foo`` and ``Bar`` types have the ``enforce_read_only_placement`` attribute.

xazax.hunUnsubmitted

Done

What is the ConstVarDecl attribute? Are you referring to enforce_read_only_placement?

xazax.hun: What is the `ConstVarDecl` attribute? Are you referring to `enforce_read_only_placement`?

malavikasamakAuthorUnsubmitted

Done

Yes. Thank you for catching this! Will fix in the next diff.

malavikasamak: Yes. Thank you for catching this! Will fix in the next diff.

aaron.ballmanUnsubmitted

Done

* ``struct __attribute__(enforce_read_only_placement) Bar { ... };``

- Both ``Foo`` and ``Bar`` types have the enforce_read_only_placement attribute.

+ Both ``Foo`` and ``Bar`` types have the ``enforce_read_only_placement`` attribute.

The goal of introducing this attribute is to assist developers to write secure

aaron.ballman:

The goal of introducing this attribute is to assist developers with writing secure

aaron.ballmanUnsubmitted

Done

Both ``Foo`` and ``Bar`` types have the enforce_read_only_placement attribute.

- The goal of introducing this attribute is to assist developers to write secure

+ The goal of introducing this attribute is to assist developers with writing secure

code. A const qualified global is generally placed in the read-only section

aaron.ballman:

code. A ``const``-qualified global is generally placed in the read-only section

aaron.ballmanUnsubmitted

Done

The goal of introducing this attribute is to assist developers to write secure

- code. A const qualified global is generally placed in the read-only section

+ code. A ``const``-qualified global is generally placed in the read-only section

of the memory that has additional run time protection from malicious writes.

aaron.ballman:

of the memory that has additional run time protection from malicious writes. By

attaching this attribute to a declaration, the developer can express the intent

aaron.ballmanUnsubmitted

Done

of the memory that has additional run time protection from malicious writes.

- Therefore, by attaching this attribute the developer can express the intent

+ By attaching this attribute to a declaration, the developer can express the intent

to place all instances of the annotated type in the read-only program memory.

aaron.ballman:

to place all instances of the annotated type in the read-only program memory.

Note 1: The attribute doesn't guarantee that the object will be placed in the

read-only data segment as it does not instruct the compiler to ensure such

a placement. It emits a warning if something in the code can be proven to prevent

NoQUnsubmitted

Done

This is documentation for the users, they don't usually think in terms of patches, they usually think in terms of versions. Maybe "The following conditions would also prevent the data to be put into read only segment, but the corresponding warnings are not implemented yet:"?

NoQ: This is documentation for the users, they don't usually think in terms of patches, they usually…

aaron.ballmanUnsubmitted

Done

read-only data segment as it does not instruct the compiler to ensure such

- a placement. It simply emits a warning if something in the code prevents an

+ a placement. It emits a warning if something in the code can be proven to prevent an

instance from being placed in the read-only data segment.

I'm trying to add some weasel words here to make it clear that a lack of a warning doesn't necessarily mean "everything marked will be in a read-only section".

aaron.ballman: I'm trying to add some weasel words here to make it clear that a lack of a warning doesn't…

an instance from being placed in the read-only data segment.

Note 2: Currently, clang only checks if all global declarations of a given type 'T'

are ``const``-qualified. The following conditions would also prevent the data to be

aaron.ballmanUnsubmitted

Done

Note 2: Currently, clang only checks if all global declarations of a given type 'T'

- are const qualified. The following conditions would also prevent the data to be

+ are ``const``-qualified. The following conditions would also prevent the data to be

put into read only segment, but the corresponding warnings are not yet implemented.

aaron.ballman:

put into read only segment, but the corresponding warnings are not yet implemented.

1. An instance of type ``T`` is allocated on the heap/stack.

2. Type ``T`` defines/inherits a mutable field.

3. Type ``T`` defines/inherits non-constexpr constructor(s) for initialization.

4. A field of type ``T`` is defined by type ``Q``, which does not bear the

``enforce_read_only_placement`` attribute.

5. A type ``Q`` inherits from type ``T`` and it does not have the

``enforce_read_only_placement`` attribute.

aaron.ballmanUnsubmitted

Done

put into read only segment, but the corresponding warnings are not yet implemented.

- 1. An instance of type 'T' is allocated on the heap/stack.

- 2. Type 'T' defines/inherits a mutable field.

- 3. Type 'T' defines/inherits non-constexpr constructor(s) for initialization.

- 4. A field of type 'T' is defined by type 'Q', which does not bear the

- 'enforce_read_only_placement' attribute.

- 5. A type 'Q' inherits from type 'T' and it does not have the

- 'enforce_read_only_placement' attribute.

+ 1. An instance of type ``T`` is allocated on the heap/stack.

+ 2. Type ``T`` defines/inherits a mutable field.

+ 3. Type ``T`` defines/inherits non-constexpr constructor(s) for initialization.

+ 4. A field of type ``T`` is defined by type ``Q``, which does not bear the

+ ``enforce_read_only_placement`` attribute.

+ 5. A type ``Q`` inherits from type ``T`` and it does not have the

+ ``enforce_read_only_placement`` attribute.

}];

}

aaron.ballman:

}];

}

clang/include/clang/Basic/DiagnosticGroups.td

Show First 20 Lines • Show All 1,384 Lines • ▼ Show 20 Lines	def PedanticMacros : DiagGroup<"pedantic-macros",
RestrictExpansionMacro,		RestrictExpansionMacro,
FinalMacro]>;		FinalMacro]>;

def BranchProtection : DiagGroup<"branch-protection">;		def BranchProtection : DiagGroup<"branch-protection">;

// HLSL diagnostic groups		// HLSL diagnostic groups
// Warnings for HLSL Clang extensions		// Warnings for HLSL Clang extensions
def HLSLExtension : DiagGroup<"hlsl-extensions">;		def HLSLExtension : DiagGroup<"hlsl-extensions">;

		// Warnings and notes related to const_var_decl_type attribute checks
		def ReadOnlyPlacementChecks : DiagGroup<"read-only-types">;

clang/include/clang/Basic/DiagnosticSemaKinds.td

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 5,675 Lines • ▼ Show 20 Lines def warn_attr_abi_tag_namespace : Warning<

InGroup<IgnoredAttributes>; InGroup<IgnoredAttributes>;

def err_abi_tag_on_redeclaration : Error< def err_abi_tag_on_redeclaration : Error<

"cannot add 'abi_tag' attribute in a redeclaration">; "cannot add 'abi_tag' attribute in a redeclaration">;

def err_new_abi_tag_on_redeclaration : Error< def err_new_abi_tag_on_redeclaration : Error<

"'abi_tag' %0 missing in original declaration">; "'abi_tag' %0 missing in original declaration">;

def note_use_ifdef_guards : Note< def note_use_ifdef_guards : Note<

"unguarded header; consider using #ifdef guards or #pragma once">; "unguarded header; consider using #ifdef guards or #pragma once">;

def warn_var_decl_not_read_only : Warning<

xazax.hunUnsubmitted

Done

Other diagnostics in this file seem to start with lower case letters and do not have end of the sentence punctuations.

xazax.hun: Other diagnostics in this file seem to start with lower case letters and do not have end of the…

malavikasamakAuthorUnsubmitted

Done

Fixed in the new diff.

malavikasamak: Fixed in the new diff.

"object of type %0 cannot be placed in read-only memory">,

aaron.ballmanUnsubmitted

Done

"unguarded header; consider using #ifdef guards or #pragma once">;

- def warn_var_decl_not_read_only : Warning<"object of type %0 cannot be placed in read-only memory">,

- InGroup<ReadOnlyPlacementChecks>;

+ def warn_var_decl_not_read_only : Warning<

+ "object of type %0 cannot be placed in read-only memory">,

+ InGroup<ReadOnlyPlacementChecks>;

def note_enforce_read_only_placement : Note<"type was declared read-only here">;

aaron.ballman:

aaron.ballmanUnsubmitted

Done

"unguarded header; consider using #ifdef guards or #pragma once">;

- def warn_var_decl_not_read_only : Warning<"object of type %0 cannot be placed in read-only memory">,

- InGroup<ReadOnlyPlacementChecks>;

+ def warn_var_decl_not_read_only : Warning<

+ "object of type %0 cannot be placed in read-only memory">,

+ InGroup<ReadOnlyPlacementChecks>;

def note_enforce_read_only_placement : Note<"type was declared read-only here">;

Wrapped for the usual 80-col limit (clang-format usually botches .td files).

aaron.ballman: Wrapped for the usual 80-col limit (clang-format usually botches .td files).

InGroup<ReadOnlyPlacementChecks>;

aaron.ballmanUnsubmitted

Done

"unguarded header; consider using #ifdef guards or #pragma once">;

- def warn_var_decl_not_read_only : Warning<"variable of type %0 will not be in the read-only program memory.">,

- InGroup<ReadOnlyPlacementChecks>;

- def note_enforce_read_only_placement : Note<"type %0 was declared as a read-only type here.">;

+ def warn_var_decl_not_read_only : Warning<

+ "object of type %0 cannot be placed in read-only memory">,

+ InGroup<ReadOnlyPlacementChecks>;

+ def note_enforce_read_only_placement : Note<

+ "type was declared read-only here">;

def note_deleted_dtor_no_operator_delete : Note<

I think the %0 isn't needed in the note because that note is always attached to the declaration of the type and that should already clearly identify the name of the type.

aaron.ballman: I think the `%0` isn't needed in the note because that note is always attached to the…

def note_enforce_read_only_placement : Note<"type was declared read-only here">;

def note_deleted_dtor_no_operator_delete : Note< def note_deleted_dtor_no_operator_delete : Note<

"virtual destructor requires an unambiguous, accessible 'operator delete'">; "virtual destructor requires an unambiguous, accessible 'operator delete'">;

def note_deleted_special_member_class_subobject : Note< def note_deleted_special_member_class_subobject : Note<

"%select{default constructor of|copy constructor of|move constructor of|" "%select{default constructor of|copy constructor of|move constructor of|"

"constructor inherited by}0 " "constructor inherited by}0 "

"%1 is implicitly deleted because " "%1 is implicitly deleted because "

"%select{base class %3|%select{||||variant }4field %3}2 " "%select{base class %3|%select{||||variant }4field %3}2 "

▲ Show 20 Lines • Show All 6,065 Lines • Show Last 20 Lines

clang/lib/Sema/SemaDecl.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 117 Lines • ▼ Show 20 Lines private:

bool AllowInvalidDecl; bool AllowInvalidDecl;

bool WantClassName; bool WantClassName;

bool AllowTemplates; bool AllowTemplates;

bool AllowNonTemplates; bool AllowNonTemplates;

}; };

} // end anonymous namespace } // end anonymous namespace

/// Determine whether the token kind starts a simple-type-specifier. /// Determine whether the token kind starts a simple-type-specifier.

erichkeaneUnsubmitted

Done

extraneous change, please dont commit this.

erichkeane: extraneous change, please dont commit this.

bool Sema::isSimpleTypeSpecifier(tok::TokenKind Kind) const { bool Sema::isSimpleTypeSpecifier(tok::TokenKind Kind) const {

switch (Kind) { switch (Kind) {

// FIXME: Take into account the current language when deciding whether a // FIXME: Take into account the current language when deciding whether a

// token kind is a valid type specifier // token kind is a valid type specifier

case tok::kw_short: case tok::kw_short:

case tok::kw_long: case tok::kw_long:

case tok::kw___int64: case tok::kw___int64:

case tok::kw___int128: case tok::kw___int128:

▲ Show 20 Lines • Show All 185 Lines • ▼ Show 20 Lines

/// return the declaration of that type. /// return the declaration of that type.

/// ///

/// This routine performs ordinary name lookup of the identifier II /// This routine performs ordinary name lookup of the identifier II

/// within the given scope, with optional C++ scope specifier SS, to /// within the given scope, with optional C++ scope specifier SS, to

/// determine whether the name refers to a type. If so, returns an /// determine whether the name refers to a type. If so, returns an

/// opaque pointer (actually a QualType) corresponding to that /// opaque pointer (actually a QualType) corresponding to that

/// type. Otherwise, returns NULL. /// type. Otherwise, returns NULL.

ParsedType Sema::getTypeName(const IdentifierInfo &II, SourceLocation NameLoc, ParsedType Sema::getTypeName(const IdentifierInfo &II, SourceLocation NameLoc,

Scope *S, CXXScopeSpec *SS, bool isClassName, Scope *S, CXXScopeSpec *SS, bool isClassName,

bool HasTrailingDot, ParsedType ObjectTypePtr, bool HasTrailingDot, ParsedType ObjectTypePtr,

erichkeaneUnsubmitted

Done

Unrelated change?

erichkeane: Unrelated change?

bool IsCtorOrDtorName, bool IsCtorOrDtorName,

bool WantNontrivialTypeSourceInfo, bool WantNontrivialTypeSourceInfo,

bool IsClassTemplateDeductionContext, bool IsClassTemplateDeductionContext,

ImplicitTypenameContext AllowImplicitTypename, ImplicitTypenameContext AllowImplicitTypename,

IdentifierInfo **CorrectedII) { IdentifierInfo **CorrectedII) {

// FIXME: Consider allowing this outside C++1z mode as an extension. // FIXME: Consider allowing this outside C++1z mode as an extension.

bool AllowDeducedTemplate = IsClassTemplateDeductionContext && bool AllowDeducedTemplate = IsClassTemplateDeductionContext &&

getLangOpts().CPlusPlus17 && !IsCtorOrDtorName && getLangOpts().CPlusPlus17 && !IsCtorOrDtorName &&

▲ Show 20 Lines • Show All 7,035 Lines • ▼ Show 20 Lines static void copyAttrFromTypedefToDecl(Sema &S, Decl *D, const TypedefType *TT) {

const TypedefNameDecl *TND = TT->getDecl(); const TypedefNameDecl *TND = TT->getDecl();

if (const auto *Attribute = TND->getAttr<AttrTy>()) { if (const auto *Attribute = TND->getAttr<AttrTy>()) {

AttrTy *Clone = Attribute->clone(S.Context); AttrTy *Clone = Attribute->clone(S.Context);

Clone->setInherited(true); Clone->setInherited(true);

D->addAttr(Clone); D->addAttr(Clone);

} }

// This function emits warning and a corresponding note based on the

// ReadOnlyPlacementAttr attribute. The warning checks that all global variable

// declarations of an annotated type must be const qualified.

void emitReadOnlyPlacementAttrWarning(Sema &S, const VarDecl *VD) {

QualType VarType = VD->getType().getCanonicalType();

aaron.ballmanUnsubmitted

Done

}

- /*

- This function emits warning and a corresponding note based on the

- ReadOnlyPlacementAttr attribute. The warning checks that all global variable

- declarations of an annotated type must be const qualified.

- */

+ // This function emits warning and a corresponding note based on the

+ // ReadOnlyPlacementAttr attribute. The warning checks that all global variable

+ // declarations of an annotated type must be const qualified.

void emitReadOnlyPlacementAttrWarning(Sema &S, const VarDecl *VD) {

aaron.ballman:

// Ignore local declarations (for now) and those with const qualification.

// TODO: Local variables should not be allowed if their type declaration has

xazax.hunUnsubmitted

Done

I'd prefer a local auto variable over a std::function.

Also I think this could be moved closer to its use.

xazax.hun: I'd prefer a local auto variable over a std::function. Also I think this could be moved closer…

// ReadOnlyPlacementAttr attribute. To be handled in follow-up patch.

if (!VD || VD->hasLocalStorage() || VD->getType().isConstQualified())

xazax.hunUnsubmitted

Done

Is this comment relevant?

xazax.hun: Is this comment relevant?

return;

NoQUnsubmitted

Done

Not sure about static locals, maybe VD->hasLocalStorage() is more appropriate?

NoQ: Not sure about static locals, maybe `VD->hasLocalStorage()` is more appropriate?

aaron.ballmanUnsubmitted

Done

if (!VD || VD->hasLocalStorage() ||

- VD->getType().getCVRQualifiers() & Qualifiers::Const)

+ VD->getType().isConstQualified())

return;

aaron.ballman:

if (VarType->isArrayType()) {

erichkeaneUnsubmitted

Done

I'm about 95% sure that this whole section can be replaced by:

VarType = Context.getBaseElementType(VarType);

This would then allow you to handle arrays of pointers (which it seems like you don't do correctly with the 'else if' below.

MIGHT also want a 'get canonical type' somewhere after that as well though.

erichkeane: I'm about 95% sure that this whole section can be replaced by: `VarType = Context.

malavikasamakAuthorUnsubmitted

Done

Updated the code and it seems to work fine (at least for the test cases) without a second invocation to getCanonicalType(). So, not adding a second invocation for ArrayType.

malavikasamak: Updated the code and it seems to work fine (at least for the test cases) without a second…

// Retrieve element type for array declarations.

xazax.hunUnsubmitted

Done

Do we need recursion? I'd prefer an iterative solution.

xazax.hun: Do we need recursion? I'd prefer an iterative solution.

aaron.ballmanUnsubmitted

Done

void emitReadOnlyPlacementAttrWarning(Sema &S, const VarDecl *VD) {

- QualType VarType = VD->getType();

+ QualType VarType = VD->getType().getCanonicalType();

// Ignore local declarations (for now) and those with const qualification.

// TODO: Local variables should not be allowed if their type declaration has

// ReadOnlyPlacementAttr attribute. To be handled in follow-up patch.

if (!VD || VD->hasLocalStorage() || VD->getType().isConstQualified())

return;

- VarType = VarType.getCanonicalType();

if (VarType->isArrayType()) {

Simplification

aaron.ballman: Simplification

VarType = S.getASTContext().getBaseElementType(VarType);

NoQUnsubmitted

Done

There's some unusual problems with dyn_cast-ing to array types, there's ASTContext::getAsArrayType() and related methods that IIUC should be used instead (they have some comments with respect to why but I don't fully understand them).

NoQ: There's some unusual problems with dyn_cast-ing to array types, there's `ASTContext…

}

aaron.ballmanUnsubmitted

Done

This should probably move up above the check for local storage and const qualification. Also, type doesn't meet our usual naming conventions but Type is the name of a type. Can you go with something more like VarTy (I'm not tied to that name, just making sure it fits our usual coding style.)

aaron.ballman: This should probably move up above the check for local storage and const qualification. Also…

const RecordDecl *RD = VarType->getAsRecordDecl();

xazax.hunUnsubmitted

Done

Could be moved into the isArrayType branch.

xazax.hun: Could be moved into the `isArrayType` branch.

erichkeaneUnsubmitted

Done

thinking about it, this whole branch is unnecessary, right? PointerType would just fail the RecordDecl type check below?

erichkeane: thinking about it, this whole branch is unnecessary, right? PointerType would just fail the…

malavikasamakAuthorUnsubmitted

Done

Yes, you are right.

malavikasamak: Yes, you are right.

// Check if the record declaration is present and if it has any attributes.

aaron.ballmanUnsubmitted

Done

// Retrieve element type for array declarations.

- while(type->isArrayType()) {

+ while (type->isArrayType()) {

const ArrayType *AT = S.getASTContext().getAsArrayType(type);

aaron.ballman:

if (RD == nullptr)

return;

if (const auto *ConstDecl = RD->getAttr<ReadOnlyPlacementAttr>()) {

xazax.hunUnsubmitted

Done

Redundant parens?

xazax.hun: Redundant parens?

aaron.ballmanUnsubmitted

Done

type = AT->getElementType();

}

- } else if (const auto *pointertype = dyn_cast<PointerType>(type)) {

+ } else if (const auto *PtTy = dyn_cast<PointerType>(type)) {

// TODO: We should emit warning for pointers if the type declaration of the

Similar renaming (feel free to pick a better name).

aaron.ballman: Similar renaming (feel free to pick a better name).

S.Diag(VD->getLocation(), diag::warn_var_decl_not_read_only) << RD;

aaron.ballmanUnsubmitted

Done

return;

}

- const clang::RecordDecl *RD = VarType->getAsRecordDecl();

+ const RecordDecl *RD = VarType->getAsRecordDecl();

// Check if the record declaration is present and if it has any attributes.

aaron.ballman:

S.Diag(ConstDecl->getLocation(), diag::note_enforce_read_only_placement);

return;

NoQUnsubmitted

Done

I think there are like fifteen different ways how a type needs to be unwrapped, and they can be stacked on top of each other, so it probably makes sense to cover them all at once with type = type->getCanonicalType() at the beginning.

NoQ: I think there are like fifteen different ways how a type needs to be unwrapped, and they can be…

}

aaron.ballmanUnsubmitted

Done

I think this is dead code -- getting the canonical type should strip all sugar off the type, and elaboration is a type of sugar.

aaron.ballman: I think this is dead code -- getting the canonical type should strip all sugar off the type…

malavikasamakAuthorUnsubmitted

Done

Thank you for pointing this out.

malavikasamak: Thank you for pointing this out.

NamedDecl *Sema::ActOnVariableDeclarator( NamedDecl *Sema::ActOnVariableDeclarator(

Scope *S, Declarator &D, DeclContext *DC, TypeSourceInfo *TInfo, Scope *S, Declarator &D, DeclContext *DC, TypeSourceInfo *TInfo,

LookupResult &Previous, MultiTemplateParamsArg TemplateParamLists, LookupResult &Previous, MultiTemplateParamsArg TemplateParamLists,

bool &AddToScope, ArrayRef<BindingDecl *> Bindings) { bool &AddToScope, ArrayRef<BindingDecl *> Bindings) {

QualType R = TInfo->getType(); QualType R = TInfo->getType();

aaron.ballmanUnsubmitted

Done

The check for hasAttrs() is redundant -- getAttr() already tests that property.

aaron.ballman: The check for `hasAttrs()` is redundant -- `getAttr()` already tests that property.

DeclarationName Name = GetNameForDeclarator(D).getName(); DeclarationName Name = GetNameForDeclarator(D).getName();

NoQUnsubmitted

Done

I think this can be done in O(1) with RD->hasAttr<ReadOnlyPlacementAttr>() or something like that.

NoQ: I think this can be done in `O(1)` with `RD->hasAttr<ReadOnlyPlacementAttr>()` or something…

IdentifierInfo *II = Name.getAsIdentifierInfo(); IdentifierInfo *II = Name.getAsIdentifierInfo();

aaron.ballmanUnsubmitted

Done

return;

- if (const auto *constdecl = RD->getAttr<ReadOnlyPlacementAttr>()) {

+ if (const auto *ConstDecl = RD->getAttr<ReadOnlyPlacementAttr>()) {

// Warning attached to the varaibale declaration

aaron.ballman:

if (D.isDecompositionDeclarator()) { if (D.isDecompositionDeclarator()) {

// Take the name of the first declarator as our name for diagnostic // Take the name of the first declarator as our name for diagnostic

aaron.ballmanUnsubmitted

Done

if (const auto *constdecl = RD->getAttr<ReadOnlyPlacementAttr>()) {

- // Warning attached to the varaibale declaration

S.Diag(VD->getLocation(), diag::warn_var_decl_not_read_only) << RD;

- // Note attached to the record declaration.

S.Diag(((Attr *)constdecl)->getLocation(),

I'm not certain these comments add much value -- the code is reasonably self-explanatory as is.

aaron.ballman: I'm not certain these comments add much value -- the code is reasonably self-explanatory as is.

// purposes. // purposes.

auto &Decomp = D.getDecompositionDeclarator(); auto &Decomp = D.getDecompositionDeclarator();

if (!Decomp.bindings().empty()) { if (!Decomp.bindings().empty()) {

aaron.ballmanUnsubmitted

Done

// Note attached to the record declaration.

- S.Diag(((Attr *)constdecl)->getLocation(),

+ S.Diag(ConstDecl->getLocation(),

diag::note_enforce_read_only_placement)

<< RD;

return;

Shouldn't need to cast to Attr * because it inherits from Attr * already.

aaron.ballman: Shouldn't need to cast to `Attr *` because it inherits from `Attr *` already.

II = Decomp.bindings()[0].Name; II = Decomp.bindings()[0].Name;

Name = II; Name = II;

} }

} else if (!II) { } else if (!II) {

Diag(D.getIdentifierLoc(), diag::err_bad_variable_name) << Name; Diag(D.getIdentifierLoc(), diag::err_bad_variable_name) << Name;

return nullptr; return nullptr;

} }

▲ Show 20 Lines • Show All 634 Lines • ▼ Show 20 Lines if (NewVD->isInvalidDecl())

NewTemplate->setInvalidDecl(); NewTemplate->setInvalidDecl();

ActOnDocumentableDecl(NewTemplate); ActOnDocumentableDecl(NewTemplate);

return NewTemplate; return NewTemplate;

} }

if (IsMemberSpecialization && !NewVD->isInvalidDecl()) if (IsMemberSpecialization && !NewVD->isInvalidDecl())

CompleteMemberSpecialization(NewVD, Previous); CompleteMemberSpecialization(NewVD, Previous);

emitReadOnlyPlacementAttrWarning(*this, NewVD);

return NewVD; return NewVD;

} }

/// Enum describing the %select options in diag::warn_decl_shadow. /// Enum describing the %select options in diag::warn_decl_shadow.

enum ShadowedDeclKind { enum ShadowedDeclKind {

SDK_Local, SDK_Local,

SDK_Global, SDK_Global,

SDK_StaticMember, SDK_StaticMember,

▲ Show 20 Lines • Show All 11,666 Lines • Show Last 20 Lines

clang/lib/Sema/SemaDeclAttr.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 7,735 Lines • ▼ Show 20 Lines

static void handleAMDGPUNumVGPRAttr(Sema &S, Decl *D, const ParsedAttr &AL) {

if (!checkUInt32Argument(S, AL, NumVGPRExpr, NumVGPR))

return;

D->addAttr(::new (S.Context) AMDGPUNumVGPRAttr(S.Context, AL, NumVGPR));

}

static void handleX86ForceAlignArgPointerAttr(Sema &S, Decl *D,

const ParsedAttr &AL) {

// If we try to apply it to a function pointer, don't warn, but don't

xazax.hunUnsubmitted

Done

Typo.

xazax.hun: Typo.

// do anything, either. It doesn't matter anyway, because there's nothing

// special about calling a force_align_arg_pointer function.

const auto *VD = dyn_cast<ValueDecl>(D);

if (VD && VD->getType()->isFunctionPointerType())

aaron.ballmanUnsubmitted

Done

// in the read only program memory.

- if (isa<RecordDecl>(D)) {

- D->addAttr(::new (S.Context) ReadOnlyPlacementAttr(S.Context, AL));

- }

+ D->addAttr(::new (S.Context) ReadOnlyPlacementAttr(S.Context, AL));

+ }

static void handleX86ForceAlignArgPointerAttr(Sema &S, Decl *D,

No need for that check -- the common attribute handling code will issue a diagnostic if the subject is incorrect.

aaron.ballman: No need for that check -- the common attribute handling code will issue a diagnostic if the…

return;

// Also don't warn on function pointer typedefs.

const auto *TD = dyn_cast<TypedefNameDecl>(D);

if (TD && (TD->getUnderlyingType()->isFunctionPointerType() ||

TD->getUnderlyingType()->isFunctionType()))

return;

// Attribute can only be applied to function types.

if (!isa<FunctionDecl>(D)) {

▲ Show 20 Lines • Show All 836 Lines • ▼ Show 20 Lines

S.Diag(AL.getLoc(), diag::err_attribute_invalid_on_decl)

<< AL << D->getLocation();

break;

case ParsedAttr::AT_Interrupt:

handleInterruptAttr(S, D, AL);

break;

case ParsedAttr::AT_X86ForceAlignArgPointer:

handleX86ForceAlignArgPointerAttr(S, D, AL);

break;

case ParsedAttr::AT_ReadOnlyPlacement:

handleSimpleAttribute<ReadOnlyPlacementAttr>(S, D, AL);

erichkeaneUnsubmitted

Done

case ParsedAttr::AT_ReadOnlyPlacement:

- handleReadOnlyPlacementAttrs(S, D, AL);

+ handleSimpleAttr<ReadOnlyPlacementAttr>(S, D, AL);

break;

erichkeane:

break;

case ParsedAttr::AT_DLLExport:

case ParsedAttr::AT_DLLImport:

handleDLLAttr(S, D, AL);

break;

case ParsedAttr::AT_AMDGPUFlatWorkGroupSize:

handleAMDGPUFlatWorkGroupSizeAttr(S, D, AL);

break;

case ParsedAttr::AT_AMDGPUWavesPerEU:

▲ Show 20 Lines • Show All 1,050 Lines • Show Last 20 Lines

clang/test/Misc/pragma-attribute-supported-attributes-list.test

	Show First 20 Lines • Show All 148 Lines • ▼ Show 20 Lines
	// CHECK-NEXT: OptimizeNone (SubjectMatchRule_function, SubjectMatchRule_objc_method)			// CHECK-NEXT: OptimizeNone (SubjectMatchRule_function, SubjectMatchRule_objc_method)
	// CHECK-NEXT: Overloadable (SubjectMatchRule_function)			// CHECK-NEXT: Overloadable (SubjectMatchRule_function)
	// CHECK-NEXT: Owner (SubjectMatchRule_record_not_is_union)			// CHECK-NEXT: Owner (SubjectMatchRule_record_not_is_union)
	// CHECK-NEXT: ParamTypestate (SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: ParamTypestate (SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: PassObjectSize (SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: PassObjectSize (SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method)			// CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method)
	// CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union)			// CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union)
	// CHECK-NEXT: RandomizeLayout (SubjectMatchRule_record)			// CHECK-NEXT: RandomizeLayout (SubjectMatchRule_record)
				// CHECK-NEXT: ReadOnlyPlacement (SubjectMatchRule_record)
	// CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function)			// CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function)
	// CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function)			// CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function)
	// CHECK-NEXT: Restrict (SubjectMatchRule_function)			// CHECK-NEXT: Restrict (SubjectMatchRule_function)
	// CHECK-NEXT: ReturnTypestate (SubjectMatchRule_function, SubjectMatchRule_variable_is_parameter)			// CHECK-NEXT: ReturnTypestate (SubjectMatchRule_function, SubjectMatchRule_variable_is_parameter)
	// CHECK-NEXT: ReturnsNonNull (SubjectMatchRule_objc_method, SubjectMatchRule_function)			// CHECK-NEXT: ReturnsNonNull (SubjectMatchRule_objc_method, SubjectMatchRule_function)
	// CHECK-NEXT: ReturnsTwice (SubjectMatchRule_function)			// CHECK-NEXT: ReturnsTwice (SubjectMatchRule_function)
	// CHECK-NEXT: SYCLSpecialClass (SubjectMatchRule_record)			// CHECK-NEXT: SYCLSpecialClass (SubjectMatchRule_record)
	Show All 38 Lines

clang/test/Sema/attr-read-only-placement.cpp

This file was added.

// RUN: %clang_cc1 -Wread-only-types %s -verify -fsyntax-only

// RUN: %clang_cc1 -std=c++2a -Wread-only-types %s -verify -fsyntax-only

// RUN: %clang_cc1 -std=c++17 -Wread-only-types %s -verify -fsyntax-only

struct __attribute__((enforce_read_only_placement)) A { // #A_DECL

};

erichkeaneUnsubmitted

Done

// RUN: %clang_cc1 -std=c++17 -Wread-only-types %s -verify -fsyntax-only

- struct __attribute__((enforce_read_only_placement)) A { // #1

+ struct __attribute__((enforce_read_only_placement)) A { // #A_DECL

};

A a1; // expected-warning {{object of type 'A' cannot be placed in read-only memory}}

I typically prefer descriptive-ish bookmark names.

erichkeane: I typically prefer descriptive-ish bookmark names.

aaron.ballmanUnsubmitted

Done

If using bookmarks like this, it's better to put the expected-note@#1 next to the diagnostic which generates the note instead of putting it up by where the note is issued. Examples below. Same applies elsewhere in the test.

aaron.ballman: If using bookmarks like this, it's better to put the `expected-note@#1` next to the diagnostic…

A a1; // expected-warning {{object of type 'A' cannot be placed in read-only memory}}

// expected-note@#A_DECL {{type was declared read-only here}}

const A a2[10]; // no-warning

A a3[20]; // expected-warning {{object of type 'A' cannot be placed in read-only memory}}

// expected-note@#A_DECL {{type was declared read-only here}}

aaron.ballmanUnsubmitted

Done

// expected-note@#1 2 {{type was declared read-only here}}

};

- A a1; // expected-warning {{object of type 'A' cannot be placed in read-only memory}}

+ A a1; // expected-warning {{object of type 'A' cannot be placed in read-only memory}} \

+ expected-note@#1 {{type was declared read-only here}}

const A a2[10]; // no-warning

- A a3[20]; // expected-warning {{object of type 'A' cannot be placed in read-only memory}}

+ A a3[20]; // expected-warning {{object of type 'A' cannot be placed in read-only memory}} \

+ expected-note@#1 {{type was declared read-only here}}

struct B;

aaron.ballman:

struct B;

struct __attribute__((enforce_read_only_placement)) B { //#B_DECL

};

B b1; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}

// expected-note@#B_DECL {{type was declared read-only here}}

const B b2; // no-warning

const B b3[4]; // no-warning

B b4[5]; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}

// expected-note@#B_DECL {{type was declared read-only here}}

B b5[5][5]; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}

// expected-note@#B_DECL {{type was declared read-only here}}

B b10[5][5][5]; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}

// expected-note@#B_DECL {{type was declared read-only here}}

void method1() {

static const B b6;

static B b7;// expected-warning {{object of type 'B' cannot be placed in read-only memory}}

// expected-note@#B_DECL {{type was declared read-only here}}

B b8; // no-warning

const B b9; // no-warning

}

struct C;

struct __attribute__((enforce_read_only_placement)) C; // expected-note {{type was declared read-only here}}

struct C { // no-note. The note should be attached to the definition/declaration bearing the attribute

};

C c1; // expected-warning {{object of type 'C' cannot be placed in read-only memory}}

// Cases to be handled by the follow-up patches.

// Attaching and checking the attribute in reverse, where the attribute is attached after the

// type definition

struct D;

struct D { //expected-note{{previous definition is here}}

};

struct __attribute__((enforce_read_only_placement)) D; // #3

// expected-warning@#3{{attribute declaration must precede definition}}

aaron.ballmanUnsubmitted

Done

// Case 1: Inheriting from a type that has the attribute.

- struct E : C { // Warn the user type `E` won't be checked for read only placement.

+ struct E : C { // FIXME: warn the user type `E` won't be checked for read only placement.

};

Wouldn't the warning be that C might not be placed in read-only memory because E is not also marked as requiring it?

aaron.ballman: Wouldn't the warning be that `C` might not be placed in read-only memory because `E` is not…

aaron.ballmanUnsubmitted

Not Done

I'm still wondering which way this warnings -- is it never going to be possible to compose objects with this attribute together?

aaron.ballman: I'm still wondering which way this warnings -- is it never going to be possible to compose…

malavikasamakAuthorUnsubmitted

Done

Looks like I accidentally missed the comments that were added with the in-line changes. Sorry about that.

Compositions in some cases will be possible. For example, inheriting from a base class/struct without the attribute and attaching the attribute to the derived class/struct should be possible, as long as nothing in base class/struct prevents the read-only placement of the derived type. I have added some positive examples to clarify this.

malavikasamak: Looks like I accidentally missed the comments that were added with the in-line changes. Sorry…

aaron.ballmanUnsubmitted

Not Done

Looks like I accidentally missed the comments that were added with the in-line changes. Sorry about that.

No worries, Phabricator is sometimes complex! :-)

Compositions in some cases will be possible. For example, inheriting from a base class/struct without the attribute and attaching the attribute to the derived class/struct should be possible, as long as nothing in base class/struct prevents the read-only placement of the derived type. I have added some positive examples to clarify this.

Thank you, but the comment on this particular case has me confused then. C has no members and E has no members, so there's nothing preventing either from being in read-only memory. So the comment sounds correct in general (we don't have any checking) but incorrect on this specific test case (because even if we had such checking, I'd expect we wouldn't diagnose *that* usage).

I think we can update the comment here to say that this should NOT be diagnosed, and add FIXME to the comments on struct H.

aaron.ballman: > Looks like I accidentally missed the comments that were added with the in-line changes. Sorry…

malavikasamakAuthorUnsubmitted

Done

You are right that there is nothing preventing E from being in read only memory. The question here we considered is should we even allow the absence of the attribute at the declaration of E?

So we explored two design choices:
a) Emit the warning at the object allocation site for E as C bears the attribute.
b) Skip the diagnosis at the object allocation sites for E and only emit a warning at type E declaration site asking the user to attach the attribute to E. Here, we will require each type to explicitly attach the attribute at the type declaration site, so we can analyze the code for read-only placement violations.

Let’s consider the below example:

int foo();

struct __attribute__((enforce_read_only_placement)) T {int a;};

struct P : T {
  int b; 
  mutable int c;
};

struct Q : T {
   int d = foo();
};

struct R : T {

}; 

T t1{10}; 
P p1{10, 20, 30};
Q q1{10};

struct A : P {};
struct B : A {};

A a1{1, 2, 3};
B b1{4, 5, 6};

Here, choice a will emit a warning at object allocation sites for p1, q1, a1 and b1 as they are not const qualified. In addition, it will also create a warning for type P for defining a mutable field and for type Q for field d initialization.

In contrast, choice b will emit 3 warnings for type P, Q, and R at their type declaration sites warning the user about the missing explicit attribute. Once this attribute is explicitly attached to these types by the user, it will then analyze and warn about any problem in their object allocation sites, field declarations and constructor definitions etc,. Note that, here we also notify the user about type R which has no object instances.

Overall, both approaches will eventually warn about all the code locations that push an object out of read-only memory. The only difference is, choice a presents them all in one step, whereas choice b presents them incrementally.

There are pros and cons for both choices.

Choice a
Pro: Clean code as we can express the need for entire type hierarchy instances to be in read-only memory by simply attaching the attribute to a base type.
Con: Can create warnings for many types at many locations at once, overwhelming/confusing the user. Especially, if the base type is part of a library.

Choice b
Pro: Fewer warnings in the code at each iteration and the warnings are only issued on types that developer explicitly requires to be in the read-only memory.
Con: Every type that needs such protection must bear the attribute. This can make the code a bit cluttered.

malavikasamak: You are right that there is nothing preventing E from being in read only memory. The question…

aaron.ballmanUnsubmitted

Not Done

The question here we considered is should we even allow the absence of the attribute at the declaration of E?

What about more complicated class hierarchies? e.g., mix-ins and "holes" in the hierarchy?

// Mix-in to cause a class hierarchy to become read-only
struct  __attribute__((enforce_read_only_placement)) make_type_read_only {};
struct base { int i; };
struct derived : base, make_type_read_only { int j; };

// Middle of the hierarchy missed the attribute.
struct __attribute__((enforce_read_only_placement)) another_base { int i; };
struct another_derived : another_base { int j; };
struct __attribute__((enforce_read_only_placement)) further_derived : another_derived { int k; };

// Bookends of the hierarchy missed the attribute.
struct yet_another_base { int i; };
struct __attribute__((enforce_read_only_placement)) yet_another_derived : yet_another_base { int j; };
struct yet_another_further_derived : yet_another_derived { int k; };

aaron.ballman: > The question here we considered is should we even allow the absence of the attribute at the…

aaron.ballmanUnsubmitted

Done

// Case 1: Inheriting from a type that has the attribute

- struct E : C { // FIXME: warn the user declarations of type `E`, that extneds `C` won't be checked for read only placement

+ struct E : C { // FIXME: warn the user declarations of type `E`, that extends `C`, won't be

+ // checked for read only placement because `E` is not marked as `C` is.

};

aaron.ballman:

D d1; // We do not emit a warning here, as there is another warning for declaring

// a type after the definition

// Cases where the attribute must be explicitly attached to another type

aaron.ballmanUnsubmitted

Not Done

Similar here as above. I think you can add a test case like struct H but which wraps struct G instead of inherits from it.

aaron.ballman: Similar here as above. I think you can add a test case like `struct H` but which wraps `struct…

// Case 1: Inheriting from a type that has the attribute

struct E : C { // FIXME: warn the user declarations of type `E`, that extends `C`, won't be

// checked for read only placement because `E` is not marked as `C` is.

};

// Case 2: Declaring a field of the type that has the attribute

struct F {

C c1; // FIXME: warn the user type `F` that wraps type `C` won't be checked for

aaron.ballmanUnsubmitted

Done

struct __attribute__((enforce_read_only_placement)) G {

- mutable int x; // Warn the user type `G` won't be placed in the read only program memory.

+ mutable int x; // FIXME: warn the user type `G` won't be placed in the read only program memory.

};

struct __attribute__((enforce_read_only_placement)) H : public G { // Warn the user type `H` won't be placed in the read only program memory.

aaron.ballman:

// read only placement

};

aaron.ballmanUnsubmitted

Done

mutable int x; // Warn the user type `G` won't be placed in the read only program memory.

};

- struct __attribute__((enforce_read_only_placement)) H : public G { // Warn the user type `H` won't be placed in the read only program memory.

+ struct __attribute__((enforce_read_only_placement)) H : public G { // FIXME: warn the user type `H` won't be placed in the read only program memory.

};

Double-checking: the reason this can't be placed in read-only memory is because G can't be placed there due to a mutable member, right? If so, then would this be accepted:

struct __attribute__((enforce_read_only_placement)) Base {
  int i;
};

struct __attribute__((enforce_read_only_placement)) Derived : Base {
  int j;
};

and similarly, is this accepted:

struct __attribute__((enforce_read_only_placement)) Thing {
  int a;
};

struct __attribute__((enforce_read_only_placement)) WrapperThing {
  Thing t;
};

aaron.ballman: Double-checking: the reason this can't be placed in read-only memory is because `G` can't be…

aaron.ballmanUnsubmitted

Not Done

Still wondering about this as well.

aaron.ballman: Still wondering about this as well.

malavikasamakAuthorUnsubmitted

Done

Missed this too. Sorry again.

Yes, the above two examples must be accepted. Added a few positive test cases for clarity.

malavikasamak: Missed this too. Sorry again. Yes, the above two examples must be accepted. Added a few…

struct BaseWithoutAttribute {

int a;

};

struct __attribute__((enforce_read_only_placement)) J : BaseWithoutAttribute { // no-warning

};

struct __attribute__((enforce_read_only_placement)) BaseWithAttribute {

int i;

};

struct __attribute__((enforce_read_only_placement)) Derived : BaseWithAttribute { // no-warning

int j;

};

struct __attribute__((enforce_read_only_placement)) WrapperToAttributeInstance { // no-warning

BaseWithAttribute b;

};

struct __attribute__((enforce_read_only_placement)) WrapperToNoAttributeInstance { // no-warning

BaseWithoutAttribute b;

};

// Cases where the const qualification doesn't ensure read-only memory placement

// of an instance.

// Case 1: The type defines/inherits mutable data members

struct __attribute__((enforce_read_only_placement)) G {

aaron.ballmanUnsubmitted

Not Done

// Case 2: The type has a constructor that makes its fields modifiable

- struct K {

+ struct __attribute__((enforce_read_only_placement)) K {

int b;

aaron.ballman:

mutable int x; // FIXME: warn the user type `G` won't be placed in the read only program memory

};

struct __attribute__((enforce_read_only_placement)) H : public G { // FIXME: Warn the user type `H`

aaron.ballmanUnsubmitted

Not Done

int b;

- K(int val) { // FIXME: warn the user type `J` won't be placed in the read only program memory

+ K(int val) { // FIXME: warn the user type `K` won't be placed in the read only program memory

b = val;

}

};

I think other test cases that would be useful are:

struct __attribute__((enforce_read_only_placement)) ConstevalCtor {
  int b;

  consteval ConstevalCtor(int B) : b(B) {} // Fine, right?
};

struct __attribute__((enforce_read_only_placement)) InClassInitializers {
  int b = 12;

  InClassInitializers() = default; // Fine, right?
};

int foo();
struct __attribute__((enforce_read_only_placement)) InClassInitializersBad {
  int b = foo(); // Not fine, right?

  InClassInitializersBad() = default;
};

aaron.ballman: I think other test cases that would be useful are: ``` struct __attribute__…

// won't be placed in the read only program memory

};

struct __attribute__((enforce_read_only_placement)) K { // FIXME : Warn the user type `K` w on't be

// placed in the read only program memory

G g;

};

// Case 2: The type has a constructor that makes its fields modifiable

struct __attribute__((enforce_read_only_placement)) L {

int b;

L(int val) { // FIXME: warn the user type `L` won't be placed in the read only program memory

b = val;

}

};

struct __attribute__((enforce_read_only_placement)) ConstInClassInitializers { // no-warning

int b = 12;

ConstInClassInitializers() = default;

};

int foo();

struct __attribute__((enforce_read_only_placement)) NonConstInClassInitializers {

int b = foo(); // FIXME: warn the user type `NonConstInClassInitializers` won't be placed

// in the read only program memory

NonConstInClassInitializers() = default;

};

#if (__cplusplus >= 202002L)

struct __attribute__((enforce_read_only_placement)) ConstevalCtor {

int b;

consteval ConstevalCtor(int B) : b(B) {} // no-warning

};

#endif

#if (__cplusplus >= 201103L)

struct __attribute__((enforce_read_only_placement)) ConstExprCtor { // no-warning

int b;

constexpr ConstExprCtor(int B) : b(B) {}

};

constexpr ConstExprCtor cec1(10); // no-warning

#endif

// Cases where an object is allocated on the heap or on the stack

C *c2 = new C; // FIXME: warn the user this instance of 'C' won't be placed in the read only program memory

void func1(C c); // FIXME: warn the user the instance of 'C' won't be placed in the read only program memory

void func2(const C c); // FIXME: warn the user the instance of 'C' won't be placed in the read

// only program memory

C func3(); // FIXME: warn the user the instance of 'C' won't be placed in the read only program memory

void func4() {

C c; // FIXME: warn the user the instance of 'C' won't be placed in the read only program memory

}

#if (__cplusplus >= 202002L)

consteval void func4(C c); // no-warning

#endif

This is an archive of the discontinued LLVM Phabricator instance.

[clang] Support for read-only typesClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 483289

clang/docs/ReleaseNotes.rst

clang/include/clang/Basic/Attr.td

clang/include/clang/Basic/AttrDocs.td

clang/include/clang/Basic/DiagnosticGroups.td

clang/include/clang/Basic/DiagnosticSemaKinds.td

clang/lib/Sema/SemaDecl.cpp

clang/lib/Sema/SemaDeclAttr.cpp

clang/test/Misc/pragma-attribute-supported-attributes-list.test

clang/test/Sema/attr-read-only-placement.cpp

[clang] Support for read-only types
ClosedPublic