This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/Analysis/Analyses/
-
clang/
-
Analysis/
-
Analyses/
4/4
UnsafeBufferUsageGadgets.def
-
lib/Analysis/
-
Analysis/
30/31
UnsafeBufferUsage.cpp

Differential D137348

[-Wunsafe-buffer-usage] Introduce an abstraction for fixable code patterns.
ClosedPublic

Authored by NoQ on Nov 3 2022, 11:45 AM.

Download Raw Diff

Details

Reviewers

aaron.ballman
gribozavr2
xazax.hun
jkorous
t-rasmud
ziqingluo-90
malavikasamak

Commits

rG0d00a9722f3c: [-Wunsafe-buffer-usage] NFC: Introduce an abstraction for fixable code patterns.

Summary

This patch introduces a hierarchy of Gadget classes, which are going to be the core concept in our fixit machine.

A gadget is a rigid code pattern that constitutes an operation that the fixit machine "understands" well enough to work with. A gadget may be "unsafe" (i.e., constitute a raw buffer access) or "safe" (constitute a use of a pointer or array variable that isn't unsafe per se, but may need fixing if the participating variable changes type to a safe container/view).

By "rigid" I mean something like "matchable with a sequence of nested if-dyncast-statements or an ASTMatcher without forEachDescendant() or other non-trivial traversal, except maybe ignoringParenImpCasts() and such. The point is to make it very clear what the semantics of that code is.

We'll be able to make decisions about how to fix the code depending on the set of gadgets that we've enumerated. Basically, in order to fix a type of a variable, each use of that variable has to participate in a gadget, and each such gadget has to consent to fixing itself according to the variable's new type. More on that in follow-up patches!

Diff Detail

Event Timeline

NoQ created this revision.Nov 3 2022, 11:45 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 3 2022, 11:45 AM

Herald added subscribers: steakhal, martong, rnkovacs. · View Herald Transcript

NoQ requested review of this revision.Nov 3 2022, 11:45 AM

NoQ added a parent revision: D137346: [-Wunsafe-buffer-usage] Initial commit - Transition away from raw buffer accesses..

NoQ added inline comments.Nov 3 2022, 11:49 AM

clang/lib/Analysis/UnsafeBufferUsage.cpp
37	Whoops typo!

Harbormaster completed remote builds in B195972: Diff 472990.Nov 3 2022, 12:21 PM

NoQ mentioned this in D137379: [-Wunsafe-buffer-usage] Add warnings for unsafe buffer accesses by array subscript operations.Nov 3 2022, 6:59 PM

NoQ added a child revision: D137379: [-Wunsafe-buffer-usage] Add warnings for unsafe buffer accesses by array subscript operations.Nov 3 2022, 7:03 PM

NoQ mentioned this in D137346: [-Wunsafe-buffer-usage] Initial commit - Transition away from raw buffer accesses..Nov 15 2022, 3:50 PM

NoQ mentioned this in D138253: [-Wunsafe-buffer-usage] NFC: Implement fix-strategies and variable-use-claiming..Nov 17 2022, 7:13 PM

NoQ retitled this revision from -Wunsafe-buffer-usage: Introduce an abstraction for fixable code patterns. to [-Wunsafe-buffer-usage] Introduce an abstraction for fixable code patterns..Nov 17 2022, 8:00 PM

xazax.hun added inline comments.Nov 18 2022, 2:39 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
70
107	How deep will the `Gadget` Hierarchy be? Using inheritance only to classify safe and unsafe gadgets feels like a very heavy weight solution to a relatively simple problem.

aaron.ballman added inline comments.Nov 21 2022, 10:13 AM

clang/include/clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def
1	Is this file named properly if it is also going to handle `SAFE_GADGET`?
9	You have some comments below about what gadgets are and what makes one safe or unsafe; should those comments be hoisted into this .def file?
clang/lib/Analysis/UnsafeBufferUsage.cpp
17–21	Something to think about: ObjC pointers are pointer-like but not actual pointers; should those be covered as well (via `isAnyPointerType()`)?
37	We don't even need the `#undef` because the .def file already does that for us. Same observation applies below.
63	Should this be an explicit constructor? (Same question applies below to derived classes as well.)
113	Should we make a `static constexpr const char *` for these strings so we can give it a name and ensure it's used consistently?

steakhal added inline comments.Nov 22 2022, 6:57 AM

clang/lib/Analysis/UnsafeBufferUsage.cpp
40	We could have a `GADGET_RANGE(UnsafeGadgets, Increment, Decrement)`, which could expand to `BEGIN_##x = Increment, END_##x = Decrement,` when declaring the `Kind` enum, similarly how `SymExpr::Kind::Begin_BINARYSYMEXPRS` is defined. That way this code could look like: return !(Kind::Begin_UnsafeGadgets <= K && K <= Kind::End_UnsafeGadgets);
43–45	I'd advocate for using the same macro variable name here as an XMACRO argument as it's present in the definition as parameter. Same for the rest of the XMACRO expansions.
87
102
123	I thought this matcher was already bound as `"Increment"` by `x ## Gadget::matcher().bind(#x)` inside `GadgetFinderCallback::run()`
150	I'd advocate for covariant return types for such cases.
163	I wonder if we should assert that we only expect exactly one match (entry) inside `Result.Nodes`.
190–191	I was thinking of constructing a `std::vector<DynTypedMatcher>` of the matchers of the disjunction because the extra comma is allowed inside the initializer expression. After that, you could probably use `constructVariadic(VO_AnyOf, ...)` as demonstrated by the `TEST(ConstructVariadic, MismatchedTypes_Regression)` unit-test. But TBH, I don't think it's more readable than this :D

NoQ added inline comments.Nov 28 2022, 9:36 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
63	What's the value of making it `explicit` given that it's an abstract class that can't be constructed directly anyway?
113	I think it makes perfect sense to have different bind-names in different classes. They don't all correspond to the same role the bound expression plays.
123	Yeah it's a bit redundant but it makes the class properly incapsulated, not reliant on the external machine to use it in a certain way. A bit more resistant to renaming as well. And while this time these two bindings coincided, in the general case they can be different. So I wanted to establish an idiom that works in all cases. If we ever run into performance problems, I'm totally open to optimizing this.
163	You mean like, exactly one if-statement succeeds? That'd require us to run the entire list every time (at least in debug mode) but it's probably not too bad. I'll look for a clean solution^^
190–191	One way or another, D138253 cleans up this FIXME.

aaron.ballman added inline comments.Nov 29 2022, 8:35 AM

clang/lib/Analysis/UnsafeBufferUsage.cpp
63	None, I had missed that this was an abstract class and forgot to delete the comment here on the base class. It does apply to the (non-abstract) derived classes though.
113	Sorry, I was unclear. I meant a private data member of `IncrementGadget` so that the constructor and the `matcher()` functions use a named constant rather than a string literal.

NoQ added inline comments.Nov 29 2022, 2:22 PM

clang/include/clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def
1	UnsafeBufferUsage is the name of the analysis. It's somewhat valuable to keep this file next to `UnsafeBufferUsage.h` so that it was obvious at a glance that these two files work together. I'm open to renaming the entire analysis though, a non-judgemental "BufferUsage analysis" totally works for me, WDYT? Or I can make a folder. But I don't expect more than 2 files in this folder.
clang/lib/Analysis/UnsafeBufferUsage.cpp
17–21	Great question! Technically unsafe operations on ObjC pointers are not a compile error, but they never actually make sense because you can't have buffers of ObjC objects. Technically, you're not even supposed to know their size or layout until runtime (https://en.wikipedia.org/wiki/Objective-C#Non-fragile_instance_variables). So this is an insanely exotic situation that we most likely won't be covering.
37	Whoops right.
113	Oh, fair enough!

NoQ added inline comments.Nov 29 2022, 2:31 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
107	I'm expecting `UnsafeGadget` and `SafeGadget` to grow some common methods in the future. But I'm already second-guessing this decision (https://reviews.llvm.org/D137379?id=473092#inline-1340017) so I guess I'll ungrow these intermediate classes if things become too tedious.

Address review comments.

Harbormaster completed remote builds in B201271: Diff 480310.Dec 5 2022, 6:37 PM

NoQ marked an inline comment as done.Dec 5 2022, 6:37 PM

NoQ added inline comments.

clang/include/clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def
1	I expect @malavikasamak to do some renaming in a follow-up patch in the near future as she seeks to introduce more precise distinction between unsafe and safe gadgets.
clang/lib/Analysis/UnsafeBufferUsage.cpp
40	Nuked this entire facility. It's always possible to simply call `isSafe()`.
87	I love that!
107	To answer the original question, `SafeGadget` and `UnsafeGadget` are most likely going to be the only intermediate class. So, it'll be 2 abstract classes deep.
163	Ok I added this huge `#ifdef NDEBUG` thing. I agree that it's valuable but I'm also somewhat worried that it may diverge from the non-debug code.

A cleaner way to implement the debug facility.

Harbormaster completed remote builds in B201326: Diff 480396.Dec 6 2022, 2:10 AM

Because we're approaching a stack of ~15 patches and it's starting to become unmanageable, I'm really interested in landing these older patches quickly. I think I addressed the feedback, and I'm definitely committed to addressing more feedback as it comes in, but it's likely that I'd ask for a chance to address it in follow-up patches anyway. Because otherwise the rest of our team will have to undergo annoying rebases, and it's probably also super confusing to review when all patches in the stack are out of sync from each other. So I'll try to land this tomorrow.

I don't mind committing these patches, I have a high confidence in you going back and addressing feedback post-commit if something is coming up.

LGTM

This revision is now accepted and ready to land.Dec 16 2022, 9:43 AM

This revision was landed with ongoing or failed builds.Dec 16 2022, 3:02 PM

Closed by commit rG0d00a9722f3c: [-Wunsafe-buffer-usage] NFC: Introduce an abstraction for fixable code patterns. (authored by Artem Dergachev <adergachev@apple.com>). · Explain Why

This revision was automatically updated to reflect the committed changes.

Artem Dergachev <adergachev@apple.com> added a commit: rG0d00a9722f3c: [-Wunsafe-buffer-usage] NFC: Introduce an abstraction for fixable code patterns..

Herald added a project: Restricted Project. · View Herald TranscriptDec 16 2022, 3:02 PM

MaskRay added a subscriber: MaskRay.Dec 16 2022, 3:45 PM

MaskRay added inline comments.

clang/lib/Analysis/UnsafeBufferUsage.cpp
185	numFound was undefined in non-assertion builds. Fixed in 893a0ea948a65421013b62bd1855e430ca184739

Artem Dergachev <adergachev@apple.com> mentioned this in rG8086323a91b5: [-Wunsafe-buffer-usage] NFC: Implement fix-strategies and variable-use-claiming..Dec 16 2022, 6:48 PM

Revision Contents

Path

Size

clang/

include/

clang/

Analysis/

Analyses/

UnsafeBufferUsageGadgets.def

26 lines

lib/

Analysis/

UnsafeBufferUsage.cpp

202 lines

Diff 472990

clang/include/clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def

This file was added.

				//=- UnsafeBufferUsageGadgets.def - List of ways to use a buffer --- C++ --=//
				aaron.ballmanUnsubmitted Done Reply Inline Actions Is this file named properly if it is also going to handle `SAFE_GADGET`? aaron.ballman: Is this file named properly if it is also going to handle `SAFE_GADGET`?
				NoQAuthorUnsubmitted Done Reply Inline Actions UnsafeBufferUsage is the name of the analysis. It's somewhat valuable to keep this file next to `UnsafeBufferUsage.h` so that it was obvious at a glance that these two files work together. I'm open to renaming the entire analysis though, a non-judgemental "BufferUsage analysis" totally works for me, WDYT? Or I can make a folder. But I don't expect more than 2 files in this folder. NoQ: UnsafeBufferUsage is the name of the analysis. It's somewhat valuable to keep this file next to…
				NoQAuthorUnsubmitted Done Reply Inline Actions I expect @malavikasamak to do some renaming in a follow-up patch in the near future as she seeks to introduce more precise distinction between unsafe and safe gadgets. NoQ: I expect @malavikasamak to do some renaming in a follow-up patch in the near future as she…
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#ifndef GADGET
				aaron.ballmanUnsubmitted Done Reply Inline Actions You have some comments below about what gadgets are and what makes one safe or unsafe; should those comments be hoisted into this .def file? aaron.ballman: You have some comments below about what gadgets are and what makes one safe or unsafe; should…
				#define GADGET(name)
				#endif

				#ifndef UNSAFE_GADGET
				#define UNSAFE_GADGET(name) GADGET(name)
				#endif

				#ifndef SAFE_GADGET
				#define SAFE_GADGET(name) GADGET(name)
				#endif

				UNSAFE_GADGET(Increment)
				UNSAFE_GADGET(Decrement)

				#undef SAFE_GADGET
				#undef UNSAFE_GADGET
				#undef GADGET

clang/lib/Analysis/UnsafeBufferUsage.cpp

//===- UnsafeBufferUsage.cpp - Replace pointers with modern C++ -----------===// //===- UnsafeBufferUsage.cpp - Replace pointers with modern C++ -----------===//

// //

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

// //

//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//

#include "clang/Analysis/Analyses/UnsafeBufferUsage.h" #include "clang/Analysis/Analyses/UnsafeBufferUsage.h"

#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"

using namespace llvm; using namespace llvm;

using namespace clang; using namespace clang;

using namespace ast_matchers; using namespace ast_matchers;

// Because we're dealing with raw pointers, let's define what we mean by that.

static auto hasPointerType() {

return anyOf(hasType(pointerType()),

hasType(autoType(hasDeducedType(

hasUnqualifiedDesugaredType(pointerType())))));

}

aaron.ballmanUnsubmitted

Done

Something to think about: ObjC pointers are pointer-like but not actual pointers; should those be covered as well (via isAnyPointerType())?

aaron.ballman: Something to think about: ObjC pointers are pointer-like but not actual pointers; should those…

NoQAuthorUnsubmitted

Done

Great question! Technically unsafe operations on ObjC pointers are not a compile error, but they never actually make sense because you can't have buffers of ObjC objects. Technically, you're not even supposed to know their size or layout until runtime (https://en.wikipedia.org/wiki/Objective-C#Non-fragile_instance_variables). So this is an insanely exotic situation that we most likely won't be covering.

NoQ: Great question! Technically unsafe operations on ObjC pointers are not a compile error, but…

namespace { namespace {

// TODO: Better abstractions over gadgets. /// Gadget is an individual operation in the code that may be of interest to

using GadgetList = std::vector<const Stmt *>; /// this analysis. Each (non-abstract) subclass corresponds to a specific

/// rigid AST structure that constitutes an operation on a pointer-type object.

/// Discovery of a gadget in the code corresponds to claiming that we understand

/// what this part of code is doing well enough to potentially improve it.

/// Gadgets can be unsafe (immediately deserving a warning) or safe (not

/// deserving a warning per se, but affecting our decision-making process

/// nonetheless).

class Gadget {

public:

enum class Kind {

#define GADGET(x) x,

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

#undef GADGETS

NoQAuthorUnsubmitted

Done

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

- #undef GADGETS

+ #undef GADGET

};

/// Determine if a kind is a safe kind. Slower than calling isSafe().

Whoops typo!

NoQ: Whoops typo!

aaron.ballmanUnsubmitted

Done

We don't even need the #undef because the .def file already does that for us. Same observation applies below.

aaron.ballman: We don't even need the `#undef` because the .def file already does that for us. Same…

NoQAuthorUnsubmitted

Done

Whoops right.

NoQ: Whoops right.

};

/// Determine if a kind is a safe kind. Slower than calling isSafe().

steakhalUnsubmitted

Done

We could have a GADGET_RANGE(UnsafeGadgets, Increment, Decrement), which could expand to BEGIN_##x = Increment, END_##x = Decrement, when declaring the Kind enum, similarly how SymExpr::Kind::Begin_BINARYSYMEXPRS is defined.
That way this code could look like:

return !(Kind::Begin_UnsafeGadgets <= K && K <= Kind::End_UnsafeGadgets);

steakhal: We could have a `GADGET_RANGE(UnsafeGadgets, Increment, Decrement)`, which could expand to…

NoQAuthorUnsubmitted

Done

Nuked this entire facility. It's always possible to simply call isSafe().

NoQ: Nuked this entire facility. It's always possible to simply call `isSafe()`.

static bool isSafeKind(Kind K) {

switch (K) {

#define UNSAFE_GADGET(x) \

case Kind::x:

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

steakhalUnsubmitted

Done

switch (K) {

- #define UNSAFE_GADGET(x) \

- case Kind::x:

+ #define UNSAFE_GADGET(name) \

+ case Kind::name:

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

#undef UNSAFE_GADGET

I'd advocate for using the same macro variable name here as an XMACRO argument as it's present in the definition as parameter.
Same for the rest of the XMACRO expansions.

steakhal: I'd advocate for using the same macro variable name here as an XMACRO argument as it's present…

#undef UNSAFE_GADGET

return false;

#define SAFE_GADGET(x) \

case Kind::x:

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

#undef SAFE_GADGET

return true;

}

llvm_unreachable("Invalid gadget kind!");

}

/// Common type of ASTMatchers used for discovering gadgets.

/// Useful for implementing the static matcher() methods

/// that are expected from all non-abstract subclasses.

using Matcher = decltype(stmt());

Gadget(Kind K) : K(K) {}

aaron.ballmanUnsubmitted

Done

Should this be an explicit constructor? (Same question applies below to derived classes as well.)

aaron.ballman: Should this be an explicit constructor? (Same question applies below to derived classes as well.

NoQAuthorUnsubmitted

Done

What's the value of making it explicit given that it's an abstract class that can't be constructed directly anyway?

NoQ: What's the value of making it `explicit` given that it's an abstract class that can't be…

aaron.ballmanUnsubmitted

Done

None, I had missed that this was an abstract class and forgot to delete the comment here on the base class. It does apply to the (non-abstract) derived classes though.

aaron.ballman: None, I had missed that this was an abstract class and forgot to delete the comment here on the…

Kind getKind() const { return K; }

virtual bool isSafe() const = 0;

virtual const Stmt *getBaseStmt() const = 0;

virtual ~Gadget() {}

xazax.hunUnsubmitted

Done

virtual const Stmt *getBaseStmt() const = 0;

- virtual ~Gadget() {}

+ virtual ~Gadget() = default;

private:

xazax.hun:

private:

Kind K;

};

using GadgetList = std::vector<std::unique_ptr<Gadget>>;

/// Unsafe gadgets correspond to unsafe code patterns that warrants

/// an immediate warning.

class UnsafeGadget : public Gadget {

public:

UnsafeGadget(Kind K) : Gadget(K) {

assert(classof(this) && "Invalid unsafe gadget kind!");

}

static bool classof(const Gadget *G) { return !isSafeKind(G->getKind()); }

bool isSafe() const override { return false; }

steakhalUnsubmitted

Done

static bool classof(const Gadget *G) { return !isSafeKind(G->getKind()); }

- bool isSafe() const override { return false; }

+ bool isSafe() const final { return false; }

};

/// Safe gadgets correspond to code patterns that aren't unsafe but need to be

steakhal:

NoQAuthorUnsubmitted

Done

I love that!

NoQ: I love that!

};

/// Safe gadgets correspond to code patterns that aren't unsafe but need to be

/// properly recognized in order to emit correct warnings and fixes over unsafe

/// gadgets. For example, if a raw pointer-type variable is replaced by

/// a safe C++ container, every use of such variable may need to be

/// carefully considered and possibly updated.

class SafeGadget : public Gadget {

public:

SafeGadget(Kind K) : Gadget(K) {

assert(classof(this) && "Invalid safe gadget kind!");

}

static bool classof(const Gadget *G) { return isSafeKind(G->getKind()); }

bool isSafe() const override { return true; }

steakhalUnsubmitted

Done

static bool classof(const Gadget *G) { return isSafeKind(G->getKind()); }

- bool isSafe() const override { return true; }

+ bool isSafe() const final { return true; }

};

/// An increment of a pointer-type value is unsafe as it may run the pointer

steakhal:

};

/// An increment of a pointer-type value is unsafe as it may run the pointer

/// out of bounds.

class IncrementGadget : public UnsafeGadget {

xazax.hunUnsubmitted

Done

How deep will the Gadget Hierarchy be? Using inheritance only to classify safe and unsafe gadgets feels like a very heavy weight solution to a relatively simple problem.

xazax.hun: How deep will the `Gadget` Hierarchy be? Using inheritance only to classify safe and unsafe…

NoQAuthorUnsubmitted

Done

I'm expecting UnsafeGadget and SafeGadget to grow some common methods in the future. But I'm already second-guessing this decision (https://reviews.llvm.org/D137379?id=473092#inline-1340017) so I guess I'll ungrow these intermediate classes if things become too tedious.

NoQ: I'm expecting `UnsafeGadget` and `SafeGadget` to grow some common methods in the future. But…

NoQAuthorUnsubmitted

Done

To answer the original question, SafeGadget and UnsafeGadget are most likely going to be the only intermediate class. So, it'll be 2 abstract classes deep.

NoQ: To answer the original question, `SafeGadget` and `UnsafeGadget` are most likely going to be…

const UnaryOperator *Op;

public:

IncrementGadget(const MatchFinder::MatchResult &Result)

: UnsafeGadget(Kind::Increment),

Op(Result.Nodes.getNodeAs<UnaryOperator>("op")) {}

aaron.ballmanUnsubmitted

Done

Should we make a static constexpr const char * for these strings so we can give it a name and ensure it's used consistently?

aaron.ballman: Should we make a `static constexpr const char *` for these strings so we can give it a name and…

NoQAuthorUnsubmitted

Done

I think it makes perfect sense to have different bind-names in different classes. They don't all correspond to the same role the bound expression plays.

NoQ: I think it makes perfect sense to have different bind-names in different classes. They don't…

aaron.ballmanUnsubmitted

Done

Sorry, I was unclear. I meant a private data member of IncrementGadget so that the constructor and the matcher() functions use a named constant rather than a string literal.

aaron.ballman: Sorry, I was unclear. I meant a private data member of `IncrementGadget` so that the…

NoQAuthorUnsubmitted

Done

Oh, fair enough!

NoQ: Oh, fair enough!

static bool classof(const Gadget *G) {

return G->getKind() == Kind::Increment;

}

static Matcher matcher() {

return stmt(unaryOperator(

hasOperatorName("++"),

hasUnaryOperand(ignoringParenImpCasts(hasPointerType()))

).bind("op"));

steakhalUnsubmitted

Done

I thought this matcher was already bound as "Increment" by x ## Gadget::matcher().bind(#x) inside GadgetFinderCallback::run()

steakhal: I thought this matcher was already bound as `"Increment"` by `x ## Gadget::matcher().bind(#x)`…

NoQAuthorUnsubmitted

Done

Yeah it's a bit redundant but it makes the class properly incapsulated, not reliant on the external machine to use it in a certain way. A bit more resistant to renaming as well.

And while this time these two bindings coincided, in the general case they can be different. So I wanted to establish an idiom that works in all cases.

If we ever run into performance problems, I'm totally open to optimizing this.

NoQ: Yeah it's a bit redundant but it makes the class properly incapsulated, not reliant on the…

}

const Stmt *getBaseStmt() const override { return Op; }

};

/// A decrement of a pointer-type value is unsafe as it may run the pointer

/// out of bounds.

class DecrementGadget : public UnsafeGadget {

const UnaryOperator *Op;

public:

DecrementGadget(const MatchFinder::MatchResult &Result)

: UnsafeGadget(Kind::Decrement),

Op(Result.Nodes.getNodeAs<UnaryOperator>("op")) {}

static bool classof(const Gadget *G) {

return G->getKind() == Kind::Decrement;

} }

static Matcher matcher() {

return stmt(unaryOperator(

hasOperatorName("--"),

hasUnaryOperand(ignoringParenImpCasts(hasPointerType()))

).bind("op"));

}

const Stmt *getBaseStmt() const override { return Op; }

steakhalUnsubmitted

Done

).bind("op"));

}

- const Stmt *getBaseStmt() const override { return Op; }

+ const UnaryOperator *getBaseStmt() const override { return Op; }

};

} // namespace

I'd advocate for covariant return types for such cases.

steakhal: I'd advocate for covariant return types for such cases.

};

} // namespace

// Scan the function and return a list of gadgets found with provided kits. // Scan the function and return a list of gadgets found with provided kits.

static GadgetList findGadgets(const Decl *D) { static GadgetList findGadgets(const Decl *D) {

class GadgetFinderCallback : public MatchFinder::MatchCallback { class GadgetFinderCallback : public MatchFinder::MatchCallback {

GadgetList &Output; GadgetList &Output;

public: public:

GadgetFinderCallback(GadgetList &Output) : Output(Output) {} GadgetFinderCallback(GadgetList &Output) : Output(Output) {}

void run(const MatchFinder::MatchResult &Result) override { void run(const MatchFinder::MatchResult &Result) override {

steakhalUnsubmitted

Done

I wonder if we should assert that we only expect exactly one match (entry) inside Result.Nodes.

steakhal: I wonder if we should assert that we only expect exactly one match (entry) inside `Result.

NoQAuthorUnsubmitted

Done

You mean like, exactly one if-statement succeeds? That'd require us to run the entire list every time (at least in debug mode) but it's probably not too bad. I'll look for a clean solution^^

NoQ: You mean like, exactly one if-statement succeeds? That'd require us to run the entire list…

NoQAuthorUnsubmitted

Done

Ok I added this huge #ifdef NDEBUG thing. I agree that it's valuable but I'm also somewhat worried that it may diverge from the non-debug code.

NoQ: Ok I added this huge `#ifdef NDEBUG` thing. I agree that it's valuable but I'm also somewhat…

Output.push_back(Result.Nodes.getNodeAs<Stmt>("root_node")); // Figure out which matcher we've found, and call the appropriate

// subclass constructor.

// FIXME: Can we do this more logarithmically?

#define GADGET(x) \

if (Result.Nodes.getNodeAs<Stmt>(#x)) { \

Output.push_back(std::make_unique<x ## Gadget>(Result)); \

return; \

}

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

#undef GADGET

} }

}; };

GadgetList G; GadgetList G;

MatchFinder M; MatchFinder M;

auto IncrementMatcher = unaryOperator(

hasOperatorName("++"),

hasUnaryOperand(hasType(pointerType()))

);

auto DecrementMatcher = unaryOperator(

hasOperatorName("--"),

hasUnaryOperand(hasType(pointerType()))

);

GadgetFinderCallback CB(G); GadgetFinderCallback CB(G);

// clang-format off

M.addMatcher( M.addMatcher(

stmt(forEachDescendant( stmt(forEachDescendant(

stmt( stmt(anyOf(

anyOf( // Add Gadget::matcher() for every gadget in the registry.

MaskRayUnsubmitted

Not Done

numFound was undefined in non-assertion builds. Fixed in 893a0ea948a65421013b62bd1855e430ca184739

MaskRay: numFound was undefined in non-assertion builds. Fixed in…

IncrementMatcher, #define GADGET(x) \

DecrementMatcher x ## Gadget::matcher().bind(#x),

/* Fill me in! */ #include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

) #undef GADGET

// FIXME: Is there a better way to avoid hanging comma?

unless(stmt())

steakhalUnsubmitted

Done

I was thinking of constructing a std::vector<DynTypedMatcher> of the matchers of the disjunction because the extra comma is allowed inside the initializer expression.
After that, you could probably use constructVariadic(VO_AnyOf, ...) as demonstrated by the TEST(ConstructVariadic, MismatchedTypes_Regression) unit-test. But TBH, I don't think it's more readable than this :D

steakhal: I was thinking of constructing a `std::vector<DynTypedMatcher>` of the matchers of the…

NoQAuthorUnsubmitted

Done

One way or another, D138253 cleans up this FIXME.

NoQ: One way or another, D138253 cleans up this FIXME.

))

// FIXME: Idiomatically there should be a forCallable(equalsNode(D)) // FIXME: Idiomatically there should be a forCallable(equalsNode(D))

// here, to make sure that the statement actually belongs to the // here, to make sure that the statement actually belongs to the

// function and not to a nested function. However, forCallable uses // function and not to a nested function. However, forCallable uses

// ParentMap which can't be used before the AST is fully constructed. // ParentMap which can't be used before the AST is fully constructed.

// The original problem doesn't sound like it needs ParentMap though, // The original problem doesn't sound like it needs ParentMap though,

// maybe there's a more direct solution? // maybe there's a more direct solution?

).bind("root_node") )),

)), &CB); &CB

);

// clang-format on

M.match(*D->getBody(), D->getASTContext()); M.match(*D->getBody(), D->getASTContext());

return G; // NRVO! return G; // NRVO!

} }

void clang::checkUnsafeBufferUsage(const Decl *D, void clang::checkUnsafeBufferUsage(const Decl *D,

UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {

assert(D && D->getBody()); assert(D && D->getBody());

GadgetList G = findGadgets(D); GadgetList Gadgets = findGadgets(D);

for (const Stmt *S : G) { for (const auto &G : Gadgets) {

Handler.handleUnsafeOperation(S); Handler.handleUnsafeOperation(G->getBaseStmt());

} }

This is an archive of the discontinued LLVM Phabricator instance.

[-Wunsafe-buffer-usage] Introduce an abstraction for fixable code patterns.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 472990

clang/include/clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def

clang/lib/Analysis/UnsafeBufferUsage.cpp

[-Wunsafe-buffer-usage] Introduce an abstraction for fixable code patterns.
ClosedPublic