This is an archive of the discontinued LLVM Phabricator instance.

Differential D138253

[-Wunsafe-buffer-usage] NFC: Implement fix-strategies and variable-use-claiming.
ClosedPublic

Authored by NoQ on Nov 17 2022, 7:13 PM.

Details

Reviewers
aaron.ballman
gribozavr2
xazax.hun
jkorous
t-rasmud
ziqingluo-90
malavikasamak
Commits
rG8086323a91b5: [-Wunsafe-buffer-usage] NFC: Implement fix-strategies and variable-use-claiming.
Summary

This patch adds more abstractions that we'll need later for emitting -Wunsafe-buffer-usage fixits. It doesn't emit any actual fixits, so no change is observed behavior, but it introduces a way to emit fixits, and existing tests now verify that the compiler still emits no fixits, despite knowing how to do so.

The purpose of our code transformation analysis is to fix variable types in the code from raw pointer types to C++ standard collection/view types.

The analysis has to decide on its own which specific type is the most appropriate for every variable. This patch introduces the Strategy class that maps variables to their most appropriate types.

In D137348 we've introduced the Gadget abstraction, which describes a rigid AST pattern that the analysis "fully understands" and may need to fix. Which specific fix is actually necessary for a given Gadget, and whether it's necessary at all, and whether it's possible in the first place, depends on the Strategy. So, this patch adds a virtual method which every gadget can implement in order to teach the analysis how to fix that gadget:

Gadget->getFixits(Strategy)

However, even if the analysis knows how to fix every Gadget, doesn't necessarily mean it can fix the variable. Some uses of the variable may have never been covered by Gadgets, which corresponds to the situation that the analysis doesn't fully understand how the variable is used. This patch introduces a Tracker class that tracks all variable uses (i.e. DeclRefExprs) in the function. Additionally, each Gadget now provides a new virtual method

Gadget->getClaimedVarUseSites()

that the Tracker can call to see which DeclRefExprs are "claimed" by the Gadget. In order to fix the variable with a certain Strategy, the Tracker needs to confirm that there are no unclaimed uses, and every Gadget has to provide a fix for that Strategy.

This "conservative" behavior guarantees that fixes emitted by our analysis are correct by construction. We can now be sure that the analysis won't attempt to emit a fix if it doesn't understand the code. Later, as we implement more getFixits() methods in individual Gadget classes, we'll start progressively emitting more and more fixits.

Diff Detail

Event Timeline

NoQ created this revision.Nov 17 2022, 7:13 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 17 2022, 7:13 PM
Herald added subscribers: steakhal, martong, rnkovacs. · View Herald Transcript
NoQ requested review of this revision.Nov 17 2022, 7:13 PM
Harbormaster completed remote builds in B198354: Diff 476316.Nov 17 2022, 7:14 PM
NoQ added a parent revision: D137379: [-Wunsafe-buffer-usage] Add warnings for unsafe buffer accesses by array subscript operations.Nov 17 2022, 7:19 PM
NoQ added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
218

This extra payload wasn't advertised but it's very useful because it's hard to jump from VarDecl to DeclStmt without it, and we need to do such jump because our analysis starts from unsafe *uses* of a variable, which only give us a VarDecl.

441–445

We're safe for now because none of the currently implemented Gadget classes "claim" more than one DeclRefExpr. We need to address this FIXME before we implement such gadgets.

NoQ added inline comments.Nov 17 2022, 8:00 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
218

Another way to look at this, is to notice that currently DeclStmt of the variable isn't a Gadget on its own, and ask whether it *should* be a Gadget.

I currently believe that yes, it should be a Gadget, because it can potentially be a "multi-variable" Gadget if, for example, the initializer-expression is itself another raw pointer DeclRefExpr. So there needs to be a way to communicate that the fix for the variable declaration may depend on Strategy for more than one variable, and that the Strategy itself should be chosen carefully, considering that choices for different variables may interact this way. And from the point of view of the *other* variable, this definitely needs to be a Gadget, it's no different from any other Gadget.

So, this part needs some more work.

ziqingluo-90 added a child revision: D138318: [-Wunsafe-buffer-usage] Improve pointer match pattern.Nov 18 2022, 12:10 PM
xazax.hun added inline comments.Nov 18 2022, 3:02 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
218

What about DeclStmts that declare multiple variables, some safe some unsafe. Do you plan to generate fixits in that case exploding the DeclStmt?

steakhal added inline comments.Nov 22 2022, 8:27 AM
clang/include/clang/Analysis/Analyses/UnsafeBufferUsage.h
31

Unless we have a well-formed idea of how many elements we are going to have, we should probably omit it.

clang/lib/Analysis/UnsafeBufferUsage.cpp
65
72

I wonder if we should prefer std::optional as we are c++17.
IDK if it was ever covered on the community forum.
I'm just leaving this here without expecting any action.

213–215
241–244

Maybe Uses should refer to the canonical decls. If that would be the case we could just call .contains(VD) here.

402–468
422–424
steakhal added inline comments.Nov 23 2022, 12:51 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
72

Per https://discourse.llvm.org/t/deprecating-llvm-optional-x-hasvalue-getvalue-getvalueor/63716/10, it seems like we should prefer std::optional.

NoQ added inline comments.Nov 28 2022, 1:46 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
72

Oooo nice.

218

Yes absolutely.

They're annoying because if the variable is in the middle, you'll get 3 DeclStmts instead of one, but yeah, we'll have to handle those.

241–244

That's up to the AST, not up to us. I'd rather be safe here, because such bugs are very hard to notice.

422–424

I can get used to that!

NoQ mentioned this in D137348: [-Wunsafe-buffer-usage] Introduce an abstraction for fixable code patterns..Nov 28 2022, 9:36 PM
aaron.ballman added inline comments.Nov 30 2022, 7:59 AM
clang/include/clang/Analysis/Analyses/UnsafeBufferUsage.h
31

Better yet, use a SmallVectorImpl (since this shows up in an interface)

clang/include/clang/Basic/DiagnosticSemaKinds.td
11761–11765
clang/lib/Analysis/UnsafeBufferUsage.cpp
18–20

Do we have to care about data member accesses (which would be a MemberExpr and not a DeclRefExpr)?

Also, because this shows up in interfaces, it should probably be a SmallVectorImpl so the size doesn't matter.

248–253

Use a specific_decl_iterator<VarDecl> instead?

311–317
clang/lib/Sema/AnalysisBasedWarnings.cpp
2161–2163

Hmmm... llvm::for_each instead?

NoQ mentioned this in D137346: [-Wunsafe-buffer-usage] Initial commit - Transition away from raw buffer accesses..Nov 30 2022, 6:44 PM
NoQ updated this revision to Diff 480394.EditedDec 6 2022, 2:07 AM
NoQ marked 9 inline comments as done.

A cleaner way to implement the debug facility.

Harbormaster completed remote builds in B201325: Diff 480394.Dec 6 2022, 2:08 AM
NoQ updated this revision to Diff 480397.Dec 6 2022, 2:10 AM

Whoops, sorry, wrong patch. I was trying to say, "Address review comments".

clang/lib/Analysis/UnsafeBufferUsage.cpp
18–20

Do we have to care about data member accesses (which would be a MemberExpr and not a DeclRefExpr)?

Unlikely. Auto-fixing member variables without breaking source or binary compatibility is next to impossible.

Also, because this shows up in interfaces, it should probably be a SmallVectorImpl so the size doesn't matter.

This doesn't seem to work on return types, which is where these classes show up in my case (SmallVectorImpl has deleted copy-move constructors so it's only suitable for passing by reference).

248–253

Hmm DeclStmt doesn't seem to provide a neat accessor, would you like me to add it?

Harbormaster completed remote builds in B201327: Diff 480397.Dec 6 2022, 2:10 AM
aaron.ballman added inline comments.Dec 6 2022, 11:04 AM
clang/lib/Analysis/UnsafeBufferUsage.cpp
18–20

Do we have to care about data member accesses (which would be a MemberExpr and not a DeclRefExpr)?

Unlikely. Auto-fixing member variables without breaking source or binary compatibility is next to impossible.

Okie dokie!

Also, because this shows up in interfaces, it should probably be a SmallVectorImpl so the size doesn't matter.

This doesn't seem to work on return types, which is where these classes show up in my case (SmallVectorImpl has deleted copy-move constructors so it's only suitable for passing by reference).

Ahhh I had forgotten that we didn't allow it as a move-only type.

248–253

Eh, I don't insist. Feel free to do it as an NFC change after landing this patch, if you want to.

NoQ added a comment.Dec 15 2022, 7:09 PM

Because we're approaching a stack of ~15 patches and it's starting to become unmanageable, I'm really interested in landing these older patches quickly. I think I addressed the feedback, and I'm definitely committed to addressing more feedback as it comes in, but it's likely that I'd ask for a chance to address it in follow-up patches anyway. Because otherwise the rest of our team will have to undergo annoying rebases, and it's probably also super confusing to review when all patches in the stack are out of sync from each other. So I'll try to land this tomorrow.

jkorous accepted this revision.Dec 16 2022, 9:43 AM

LGTM

This revision is now accepted and ready to land.Dec 16 2022, 9:43 AM
This revision was landed with ongoing or failed builds.Dec 16 2022, 6:48 PM
Closed by commit rG8086323a91b5: [-Wunsafe-buffer-usage] NFC: Implement fix-strategies and variable-use-claiming. (authored by Artem Dergachev <adergachev@apple.com>). · Explain Why
This revision was automatically updated to reflect the committed changes.
Artem Dergachev <adergachev@apple.com> added a commit: rG8086323a91b5: [-Wunsafe-buffer-usage] NFC: Implement fix-strategies and variable-use-claiming..
Herald added a project: Restricted Project. · View Herald TranscriptDec 16 2022, 6:48 PM
uabelho added a subscriber: uabelho.Dec 19 2022, 6:59 AM

Hello,

I noticed that the following crashes with this patch:

clang -Weverything bbi-77071.c

Result:

clang-16: ../../clang/lib/Analysis/UnsafeBufferUsage.cpp:248: void (anonymous namespace)::DeclUseTracker::discoverDecl(const clang::DeclStmt *): Assertion `Defs.count(VD) == 0 && "Definition already discovered!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /repo/uabelho/main-github/llvm/build-all/bin/clang-16 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -mrelax-all --mrelax-relocations -disable-free -clear-ast-before-backend -main-file-name bbi-77071.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -mllvm -treat-scalable-fixed-error-as-warning -debugger-tuning=gdb -fcoverage-compilation-dir=/repo/uabelho/llvm-dev2/llvm -resource-dir /repo/uabelho/main-github/llvm/build-all/lib/clang/16 -internal-isystem /repo/uabelho/main-github/llvm/build-all/lib/clang/16/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -Weverything -fdebug-compilation-dir=/repo/uabelho/llvm-dev2/llvm -ferror-limit 19 -fgnuc-version=4.2.1 -fcolor-diagnostics -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/bbi-77071-6173ad.o -x c bbi-77071.c
1.	<eof> parser at end of file
2.	bbi-77071.c:5:9: parsing function body 'fn1'
 #0 0x0000000002fdf843 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x2fdf843)
 #1 0x0000000002fdd56e llvm::sys::RunSignalHandlers() (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x2fdd56e)
 #2 0x0000000002fdfbc6 SignalHandler(int) Signals.cpp:0:0
 #3 0x00007fcfa502a630 __restore_rt sigaction.c:0:0
 #4 0x00007fcfa2771387 raise (/lib64/libc.so.6+0x36387)
 #5 0x00007fcfa2772a78 abort (/lib64/libc.so.6+0x37a78)
 #6 0x00007fcfa276a1a6 __assert_fail_base (/lib64/libc.so.6+0x2f1a6)
 #7 0x00007fcfa276a252 (/lib64/libc.so.6+0x2f252)
 #8 0x0000000005520daf findGadgets(clang::Decl const*)::GadgetFinderCallback::run(clang::ast_matchers::MatchFinder::MatchResult const&) UnsafeBufferUsage.cpp:0:0
 #9 0x000000000554c862 clang::ast_matchers::internal::(anonymous namespace)::MatchASTVisitor::MatchVisitor::visitMatch(clang::ast_matchers::BoundNodes const&) ASTMatchFinder.cpp:0:0
#10 0x000000000557d27b clang::ast_matchers::internal::BoundNodesTreeBuilder::visitMatches(clang::ast_matchers::internal::BoundNodesTreeBuilder::Visitor*) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x557d27b)
#11 0x000000000554be73 clang::ast_matchers::internal::(anonymous namespace)::MatchASTVisitor::matchWithFilter(clang::DynTypedNode const&) ASTMatchFinder.cpp:0:0
#12 0x0000000005524f9c clang::ast_matchers::MatchFinder::match(clang::DynTypedNode const&, clang::ASTContext&) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x5524f9c)
#13 0x000000000551eb53 clang::checkUnsafeBufferUsage(clang::Decl const*, clang::UnsafeBufferUsageHandler&) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x551eb53)
#14 0x00000000053f48e5 clang::sema::AnalysisBasedWarnings::IssueWarnings(clang::sema::AnalysisBasedWarnings::Policy, clang::sema::FunctionScopeInfo*, clang::Decl const*, clang::QualType) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x53f48e5)
#15 0x0000000004b91a53 clang::Sema::PopFunctionScopeInfo(clang::sema::AnalysisBasedWarnings::Policy const*, clang::Decl const*, clang::QualType) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4b91a53)
#16 0x0000000004d14f6f clang::Sema::ActOnFinishFunctionBody(clang::Decl*, clang::Stmt*, bool) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4d14f6f)
#17 0x0000000004b29135 clang::Parser::ParseFunctionStatementBody(clang::Decl*, clang::Parser::ParseScope&) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4b29135)
#18 0x0000000004a50d95 clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4a50d95)
#19 0x0000000004a6d637 clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, clang::DeclaratorContext, clang::ParsedAttributes&, clang::SourceLocation*, clang::Parser::ForRangeInit*) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4a6d637)
#20 0x0000000004a4f9a7 clang::Parser::ParseDeclOrFunctionDefInternal(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec&, clang::AccessSpecifier) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4a4f9a7)
#21 0x0000000004a4f238 clang::Parser::ParseDeclarationOrFunctionDefinition(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec*, clang::AccessSpecifier) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4a4f238)
#22 0x0000000004a4e35e clang::Parser::ParseExternalDeclaration(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec*) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4a4e35e)
#23 0x0000000004a4b973 clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, clang::Sema::ModuleImportState&) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4a4b973)
#24 0x0000000004a45da5 clang::ParseAST(clang::Sema&, bool, bool) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x4a45da5)
#25 0x0000000003acb486 clang::FrontendAction::Execute() (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x3acb486)
#26 0x0000000003a3d534 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x3a3d534)
#27 0x0000000003b8cd92 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x3b8cd92)
#28 0x00000000009f8516 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x9f8516)
#29 0x00000000009f53b0 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) driver.cpp:0:0
#30 0x00000000009f4e66 clang_main(int, char**) (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x9f4e66)
#31 0x00007fcfa275d555 __libc_start_main (/lib64/libc.so.6+0x22555)
#32 0x00000000009f0fbb _start (/repo/uabelho/main-github/llvm/build-all/bin/clang-16+0x9f0fbb)
clang-16: error: unable to execute command: Aborted (core dumped)
clang-16: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 16.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix

bbi-77071.c110 BDownload

NoQ added a comment.Dec 19 2022, 2:11 PM

Ooo thanks I'll fix asap.

NoQ added a comment.Dec 19 2022, 2:24 PM

Also if you're compiling your code with -Weverything by default, I do recommend explicitly disabling -Wunsafe-buffer-usage for at least a month or so, until we land all the basic functionality and you can make an informed decision whether you actually need it (more reading in https://discourse.llvm.org/t/rfc-c-buffer-hardening/65734 and D136811).

But, yeah, we still shouldn't break users who simply want to enable -Weverything temporarily just to see what warnings are there, that's really bad and I hope I'll patch this up today.

uabelho added a comment.Dec 19 2022, 10:19 PM
In D138253#4006197, @NoQ wrote:

Also if you're compiling your code with -Weverything by default, I do recommend explicitly disabling -Wunsafe-buffer-usage for at least a month or so, until we land all the basic functionality and you can make an informed decision whether you actually need it (more reading in https://discourse.llvm.org/t/rfc-c-buffer-hardening/65734 and D136811).

But, yeah, we still shouldn't break users who simply want to enable -Weverything temporarily just to see what warnings are there, that's really bad and I hope I'll patch this up today.

Thanks for the warning. In our fuzzy testing we sometimes randomly use -Weverything just to make sure it doesn't crash. And well, it did crash here, so I guess the testing was succesful :)
So it's no panic for us, but good to sort out the crash.

NoQ added a comment.Dec 20 2022, 4:06 PM

I suppressed the assertion in rG8fd62e7. It looks like we'll need a deeper investigation into this.

uabelho added a comment.Dec 21 2022, 5:39 AM

It crashes on this as well:

void f(int a[])
{
    int b = {a[1]};
}

with

clang -cc1 foo.c -Weverything

I get

clang: ../../clang/lib/Analysis/UnsafeBufferUsage.cpp:233: void (anonymous namespace)::DeclUseTracker::claimUse(const clang::DeclRefExpr *): Assertion `Uses->count(DRE) && "DRE not found or claimed by multiple matchers!"' failed.

But now I will indeed add -Wno-unsafe-buffer-usage. :)

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
Analyses/
8 lines
Basic/
3 lines
7 lines
lib/
Analysis/
265 lines
Sema/
14 lines

Diff 483705

clang/include/clang/Analysis/Analyses/UnsafeBufferUsage.h

Show All 20 Lines
/// The interface that lets the caller handle unsafe buffer usage analysis /// The interface that lets the caller handle unsafe buffer usage analysis
/// results by overriding this class's handle... methods. /// results by overriding this class's handle... methods.
class UnsafeBufferUsageHandler { class UnsafeBufferUsageHandler {
public: public:
UnsafeBufferUsageHandler() = default; UnsafeBufferUsageHandler() = default;
virtual ~UnsafeBufferUsageHandler() = default; virtual ~UnsafeBufferUsageHandler() = default;
/// This analyses produces large fixits that are organized into lists
/// of primitive fixits (individual insertions/removals/replacements).
using FixItList = llvm::SmallVectorImpl<FixItHint>;
steakhalUnsubmitted
Not Done
ReplyInline Actions
/// of primitive fixits (individual insertions/removals/replacements).
- using FixItList = llvm::SmallVector<FixItHint, 2>;
+ using FixItList = llvm::SmallVector<FixItHint>;
/// Invoked when an unsafe operation over raw pointers is found.

Unless we have a well-formed idea of how many elements we are going to have, we should probably omit it.

steakhal: Unless we have a well-formed idea of how many elements we are going to have, we should probably…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Better yet, use a SmallVectorImpl (since this shows up in an interface)

aaron.ballman: Better yet, use a `SmallVectorImpl` (since this shows up in an interface)
/// Invoked when an unsafe operation over raw pointers is found. /// Invoked when an unsafe operation over raw pointers is found.
virtual void handleUnsafeOperation(const Stmt *Operation) = 0; virtual void handleUnsafeOperation(const Stmt *Operation) = 0;
/// Invoked when a fix is suggested against a variable.
virtual void handleFixableVariable(const VarDecl *Variable,
FixItList &&List) = 0;
}; };
// This function invokes the analysis and allows the caller to react to it // This function invokes the analysis and allows the caller to react to it
// through the handler class. // through the handler class.
void checkUnsafeBufferUsage(const Decl *D, UnsafeBufferUsageHandler &Handler); void checkUnsafeBufferUsage(const Decl *D, UnsafeBufferUsageHandler &Handler);
} // end namespace clang } // end namespace clang
#endif /* LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H */ #endif /* LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H */

clang/include/clang/Basic/DiagnosticGroups.td

Show First 20 LinesShow All 1,387 Lines▼ Show 20 Lines
def BranchProtection : DiagGroup<"branch-protection">; def BranchProtection : DiagGroup<"branch-protection">;
// HLSL diagnostic groups // HLSL diagnostic groups
// Warnings for HLSL Clang extensions // Warnings for HLSL Clang extensions
def HLSLExtension : DiagGroup<"hlsl-extensions">; def HLSLExtension : DiagGroup<"hlsl-extensions">;
// Warnings and notes related to const_var_decl_type attribute checks // Warnings and notes related to const_var_decl_type attribute checks
def ReadOnlyPlacementChecks : DiagGroup<"read-only-types">; def ReadOnlyPlacementChecks : DiagGroup<"read-only-types">;
// Warnings and fixes to support the "safe buffers" programming model.
def UnsafeBufferUsage : DiagGroup<"unsafe-buffer-usage">;

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 11,750 Lines▼ Show 20 Lines
def err_cast_from_randomized_struct : Error< def err_cast_from_randomized_struct : Error<
"casting from randomized structure pointer type %0 to %1">; "casting from randomized structure pointer type %0 to %1">;
// LoongArch-specific Diagnostics // LoongArch-specific Diagnostics
def err_loongarch_builtin_requires_la64 : Error< def err_loongarch_builtin_requires_la64 : Error<
"this builtin requires target: loongarch64">; "this builtin requires target: loongarch64">;
// Unsafe buffer usage diagnostics. // Unsafe buffer usage diagnostics.
def warn_unsafe_buffer_usage : Warning< def warn_unsafe_buffer_expression : Warning<
"unchecked operation on raw buffer in expression">, "unchecked operation on raw buffer in expression">,
InGroup<DiagGroup<"unsafe-buffer-usage">>, DefaultIgnore; InGroup<UnsafeBufferUsage>, DefaultIgnore;
def warn_unsafe_buffer_variable : Warning<
"variable %0 participates in unchecked buffer operations">,
InGroup<UnsafeBufferUsage>, DefaultIgnore;
} // end of sema component. } // end of sema component.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
// Unsafe buffer usage diagnostics.
- def warn_unsafe_buffer_expression : Warning<"unchecked operation on raw buffer in expression">,
+ def warn_unsafe_buffer_expression : Warning<
+ "unchecked operation on raw buffer in expression">,
InGroup<UnsafeBufferUsage>, DefaultIgnore;
- def warn_unsafe_buffer_variable : Warning<"variable %0 participates in unchecked buffer operations">,
+ def warn_unsafe_buffer_variable : Warning<
+ "variable %0 participates in unchecked buffer operations">,
InGroup<UnsafeBufferUsage>, DefaultIgnore;
} // end of sema component.
aaron.ballman:

clang/lib/Analysis/UnsafeBufferUsage.cpp

//===- UnsafeBufferUsage.cpp - Replace pointers with modern C++ -----------===// //===- UnsafeBufferUsage.cpp - Replace pointers with modern C++ -----------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/Analysis/Analyses/UnsafeBufferUsage.h" #include "clang/Analysis/Analyses/UnsafeBufferUsage.h"
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
using namespace llvm; using namespace llvm;
using namespace clang; using namespace clang;
using namespace ast_matchers; using namespace ast_matchers;
namespace {
// Because the analysis revolves around variables and their types, we'll need to
// track uses of variables (aka DeclRefExprs).
using DeclUseList = SmallVector<const DeclRefExpr *, 1>;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Do we have to care about data member accesses (which would be a MemberExpr and not a DeclRefExpr)?

Also, because this shows up in interfaces, it should probably be a SmallVectorImpl so the size doesn't matter.

aaron.ballman: Do we have to care about data member accesses (which would be a `MemberExpr` and not a…
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Do we have to care about data member accesses (which would be a MemberExpr and not a DeclRefExpr)?

Unlikely. Auto-fixing member variables without breaking source or binary compatibility is next to impossible.

Also, because this shows up in interfaces, it should probably be a SmallVectorImpl so the size doesn't matter.

This doesn't seem to work on return types, which is where these classes show up in my case (SmallVectorImpl has deleted copy-move constructors so it's only suitable for passing by reference).

NoQ: > Do we have to care about data member accesses (which would be a `MemberExpr` and not a…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Do we have to care about data member accesses (which would be a MemberExpr and not a DeclRefExpr)?

Unlikely. Auto-fixing member variables without breaking source or binary compatibility is next to impossible.

Okie dokie!

Also, because this shows up in interfaces, it should probably be a SmallVectorImpl so the size doesn't matter.

This doesn't seem to work on return types, which is where these classes show up in my case (SmallVectorImpl has deleted copy-move constructors so it's only suitable for passing by reference).

Ahhh I had forgotten that we didn't allow it as a move-only type.

aaron.ballman: >>Do we have to care about data member accesses (which would be a MemberExpr and not a…
// Convenience typedef.
using FixItList = SmallVector<FixItHint, 4>;
// Defined below.
class Strategy;
} // namespace
// Because we're dealing with raw pointers, let's define what we mean by that. // Because we're dealing with raw pointers, let's define what we mean by that.
static auto hasPointerType() { static auto hasPointerType() {
return anyOf(hasType(pointerType()), return anyOf(hasType(pointerType()),
hasType(autoType(hasDeducedType( hasType(autoType(hasDeducedType(
hasUnqualifiedDesugaredType(pointerType()))))); hasUnqualifiedDesugaredType(pointerType())))));
} }
namespace { namespace {
Show All 19 Lines#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"
Gadget(Kind K) : K(K) {} Gadget(Kind K) : K(K) {}
Kind getKind() const { return K; } Kind getKind() const { return K; }
virtual bool isSafe() const = 0; virtual bool isSafe() const = 0;
virtual const Stmt *getBaseStmt() const = 0; virtual const Stmt *getBaseStmt() const = 0;
/// Returns the list of pointer-type variables on which this gadget performs
/// its operation. Typically, there's only one variable. This isn't a list
steakhalUnsubmitted
Done
ReplyInline Actions
/// Returns the list of pointer-type variables on which this gadget performs
- /// its operation. Typically there's only one variable. This isn't a list
+ /// its operation. Typically, there's only one variable. This isn't a list
/// of all DeclRefExprs in the gadget's AST!
steakhal:
/// of all DeclRefExprs in the gadget's AST!
virtual DeclUseList getClaimedVarUseSites() const = 0;
/// Returns a fixit that would fix the current gadget according to
/// the current strategy. Returns None if the fix cannot be produced;
/// returns an empty list if no fixes are necessary.
virtual std::optional<FixItList> getFixits(const Strategy &) const {
steakhalUnsubmitted
Done
ReplyInline Actions

I wonder if we should prefer std::optional as we are c++17.
IDK if it was ever covered on the community forum.
I'm just leaving this here without expecting any action.

steakhal: I wonder if we should prefer `std::optional` as we are c++17. IDK if it was ever covered on the…
steakhalUnsubmitted
Done
ReplyInline Actions

Per https://discourse.llvm.org/t/deprecating-llvm-optional-x-hasvalue-getvalue-getvalueor/63716/10, it seems like we should prefer std::optional.

steakhal: Per https://discourse.llvm.org/t/deprecating-llvm-optional-x-hasvalue-getvalue…
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Oooo nice.

NoQ: Oooo nice.
return std::nullopt;
}
virtual ~Gadget() = default; virtual ~Gadget() = default;
private: private:
Kind K; Kind K;
}; };
using GadgetList = std::vector<std::unique_ptr<Gadget>>; using GadgetList = std::vector<std::unique_ptr<Gadget>>;
Show All 38 Linespublic:
static Matcher matcher() { static Matcher matcher() {
return stmt(unaryOperator( return stmt(unaryOperator(
hasOperatorName("++"), hasOperatorName("++"),
hasUnaryOperand(ignoringParenImpCasts(hasPointerType())) hasUnaryOperand(ignoringParenImpCasts(hasPointerType()))
).bind(OpTag)); ).bind(OpTag));
} }
const UnaryOperator *getBaseStmt() const override { return Op; } const UnaryOperator *getBaseStmt() const override { return Op; }
DeclUseList getClaimedVarUseSites() const override {
SmallVector<const DeclRefExpr *, 2> Uses;
if (const auto *DRE =
dyn_cast<DeclRefExpr>(Op->getSubExpr()->IgnoreParenImpCasts())) {
Uses.push_back(DRE);
}
return std::move(Uses);
}
}; };
/// A decrement of a pointer-type value is unsafe as it may run the pointer /// A decrement of a pointer-type value is unsafe as it may run the pointer
/// out of bounds. /// out of bounds.
class DecrementGadget : public UnsafeGadget { class DecrementGadget : public UnsafeGadget {
static constexpr const char *const OpTag = "op"; static constexpr const char *const OpTag = "op";
const UnaryOperator *Op; const UnaryOperator *Op;
Show All 9 Linespublic:
static Matcher matcher() { static Matcher matcher() {
return stmt(unaryOperator( return stmt(unaryOperator(
hasOperatorName("--"), hasOperatorName("--"),
hasUnaryOperand(ignoringParenImpCasts(hasPointerType())) hasUnaryOperand(ignoringParenImpCasts(hasPointerType()))
).bind(OpTag)); ).bind(OpTag));
} }
const UnaryOperator *getBaseStmt() const override { return Op; } const UnaryOperator *getBaseStmt() const override { return Op; }
DeclUseList getClaimedVarUseSites() const override {
if (const auto *DRE =
dyn_cast<DeclRefExpr>(Op->getSubExpr()->IgnoreParenImpCasts())) {
return {DRE};
}
return {};
}
}; };
/// Array subscript expressions on raw pointers as if they're arrays. Unsafe as /// Array subscript expressions on raw pointers as if they're arrays. Unsafe as
/// it doesn't have any bounds checks for the array. /// it doesn't have any bounds checks for the array.
class ArraySubscriptGadget : public UnsafeGadget { class ArraySubscriptGadget : public UnsafeGadget {
static constexpr const char *const ArraySubscrTag = "arraySubscr"; static constexpr const char *const ArraySubscrTag = "arraySubscr";
const ArraySubscriptExpr *ASE; const ArraySubscriptExpr *ASE;
Show All 10 Lines static Matcher matcher() {
// FIXME: What if the index is integer literal 0? Should this be // FIXME: What if the index is integer literal 0? Should this be
// a safe gadget in this case? // a safe gadget in this case?
return stmt( return stmt(
arraySubscriptExpr(hasBase(ignoringParenImpCasts(hasPointerType()))) arraySubscriptExpr(hasBase(ignoringParenImpCasts(hasPointerType())))
.bind(ArraySubscrTag)); .bind(ArraySubscrTag));
} }
const ArraySubscriptExpr *getBaseStmt() const override { return ASE; } const ArraySubscriptExpr *getBaseStmt() const override { return ASE; }
DeclUseList getClaimedVarUseSites() const override {
if (const auto *DRE =
dyn_cast<DeclRefExpr>(ASE->getBase()->IgnoreParenImpCasts())) {
return {DRE};
}
return {};
}
}; };
} // namespace } // namespace
// Scan the function and return a list of gadgets found with provided kits. namespace {
static GadgetList findGadgets(const Decl *D) { // An auxiliary tracking facility for the fixit analysis. It helps connect
// declarations to its and make sure we've covered all uses with our analysis
// before we try to fix the declaration.
steakhalUnsubmitted
Not Done
ReplyInline Actions
namespace {
- // An auxiliary tracking facility for the fixit analysis. It helps connect
- // declarations to its and make sure we've covered all uses with our analysis
+ // An auxiliary tracking facility for the fixit analysis. It helps to connect
+ // declarations to its uses and makes sure we've covered all uses with our analysis
// before we try to fix the declaration.
class DeclUseTracker {
steakhal:
class DeclUseTracker {
using UseSetTy = SmallSet<const DeclRefExpr *, 16>;
using DefMapTy = DenseMap<const VarDecl *, const DeclStmt *>;
NoQAuthorUnsubmitted
Done
ReplyInline Actions

This extra payload wasn't advertised but it's very useful because it's hard to jump from VarDecl to DeclStmt without it, and we need to do such jump because our analysis starts from unsafe *uses* of a variable, which only give us a VarDecl.

NoQ: This extra payload wasn't advertised but it's very useful because it's hard to jump from…
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Another way to look at this, is to notice that currently DeclStmt of the variable isn't a Gadget on its own, and ask whether it *should* be a Gadget.

I currently believe that yes, it should be a Gadget, because it can potentially be a "multi-variable" Gadget if, for example, the initializer-expression is itself another raw pointer DeclRefExpr. So there needs to be a way to communicate that the fix for the variable declaration may depend on Strategy for more than one variable, and that the Strategy itself should be chosen carefully, considering that choices for different variables may interact this way. And from the point of view of the *other* variable, this definitely needs to be a Gadget, it's no different from any other Gadget.

So, this part needs some more work.

NoQ: Another way to look at this, is to notice that currently `DeclStmt` of the variable isn't a…
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

What about DeclStmts that declare multiple variables, some safe some unsafe. Do you plan to generate fixits in that case exploding the DeclStmt?

xazax.hun: What about `DeclStmt`s that declare multiple variables, some safe some unsafe. Do you plan to…
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Yes absolutely.

They're annoying because if the variable is in the middle, you'll get 3 DeclStmts instead of one, but yeah, we'll have to handle those.

NoQ: Yes absolutely. They're annoying because if the variable is in the middle, you'll get 3…
// Allocate on the heap for easier move.
std::unique_ptr<UseSetTy> Uses{std::make_unique<UseSetTy>()};
DefMapTy Defs{};
public:
DeclUseTracker() = default;
DeclUseTracker(const DeclUseTracker &) = delete; // Let's avoid copies.
DeclUseTracker(DeclUseTracker &&) = default;
// Start tracking a freshly discovered DRE.
void discoverUse(const DeclRefExpr *DRE) { Uses->insert(DRE); }
// Stop tracking the DRE as it's been fully figured out.
void claimUse(const DeclRefExpr *DRE) {
assert(Uses->count(DRE) &&
"DRE not found or claimed by multiple matchers!");
Uses->erase(DRE);
}
// A variable is unclaimed if at least one use is unclaimed.
bool hasUnclaimedUses(const VarDecl *VD) const {
// FIXME: Can this be less linear? Maybe maintain a map from VDs to DREs?
return any_of(*Uses, [VD](const DeclRefExpr *DRE) {
return DRE->getDecl()->getCanonicalDecl() == VD->getCanonicalDecl();
});
steakhalUnsubmitted
Done
ReplyInline Actions

Maybe Uses should refer to the canonical decls. If that would be the case we could just call .contains(VD) here.

steakhal: Maybe `Uses` should refer to the canonical decls. If that would be the case we could just call…
NoQAuthorUnsubmitted
Done
ReplyInline Actions

That's up to the AST, not up to us. I'd rather be safe here, because such bugs are very hard to notice.

NoQ: That's up to the AST, not up to us. I'd rather be safe here, because such bugs are very hard to…
}
void discoverDecl(const DeclStmt *DS) {
for (const Decl *D : DS->decls()) {
if (const auto *VD = dyn_cast<VarDecl>(D)) {
assert(Defs.count(VD) == 0 && "Definition already discovered!");
Defs[VD] = DS;
}
}
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Use a specific_decl_iterator<VarDecl> instead?

aaron.ballman: Use a `specific_decl_iterator<VarDecl>` instead?
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Hmm DeclStmt doesn't seem to provide a neat accessor, would you like me to add it?

NoQ: Hmm `DeclStmt` doesn't seem to provide a neat accessor, would you like me to add it?
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Eh, I don't insist. Feel free to do it as an NFC change after landing this patch, if you want to.

aaron.ballman: Eh, I don't insist. Feel free to do it as an NFC change after landing this patch, if you want…
}
const DeclStmt *lookupDecl(const VarDecl *VD) const {
auto It = Defs.find(VD);
assert(It != Defs.end() && "Definition never discovered!");
return It->second;
}
};
} // namespace
namespace {
// Strategy is a map from variables to the way we plan to emit fixes for
// these variables. It is figured out gradually by trying different fixes
// for different variables depending on gadgets in which these variables
// participate.
class Strategy {
public:
enum class Kind {
Wontfix, // We don't plan to emit a fixit for this variable.
Span, // We recommend replacing the variable with std::span.
Iterator, // We recommend replacing the variable with std::span::iterator.
Array, // We recommend replacing the variable with std::array.
Vector // We recommend replacing the variable with std::vector.
};
private:
using MapTy = llvm::DenseMap<const VarDecl *, Kind>;
class GadgetFinderCallback : public MatchFinder::MatchCallback { MapTy Map;
GadgetList &Output;
public: public:
GadgetFinderCallback(GadgetList &Output) : Output(Output) {} Strategy() = default;
Strategy(const Strategy &) = delete; // Let's avoid copies.
Strategy(Strategy &&) = default;
void set(const VarDecl *VD, Kind K) {
Map[VD] = K;
}
Kind lookup(const VarDecl *VD) const {
auto I = Map.find(VD);
if (I == Map.end())
return Kind::Wontfix;
return I->second;
}
};
} // namespace
/// Scan the function and return a list of gadgets found with provided kits.
static std::pair<GadgetList, DeclUseTracker> findGadgets(const Decl *D) {
struct GadgetFinderCallback : MatchFinder::MatchCallback {
GadgetList Gadgets;
DeclUseTracker Tracker;
void run(const MatchFinder::MatchResult &Result) override { void run(const MatchFinder::MatchResult &Result) override {
// In debug mode, assert that we've found exactly one gadget. // In debug mode, assert that we've found exactly one gadget.
// This helps us avoid conflicts in .bind() tags. // This helps us avoid conflicts in .bind() tags.
#if NDEBUG #if NDEBUG
#define NEXT return #define NEXT return
#else #else
[[maybe_unused]] int numFound = 0; [[maybe_unused]] int numFound = 0;
#define NEXT ++numFound #define NEXT ++numFound
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions
void run(const MatchFinder::MatchResult &Result) override {
- if (const auto *DRE = Result.Nodes.getNodeAs<DeclRefExpr>("any_dre")) {
+ if (const auto *DRE = Result.Nodes.getNodeAs<DeclRefExpr>("any_dre"))
Tracker.discoverUse(DRE);
- }
- if (const auto *DS = Result.Nodes.getNodeAs<DeclStmt>("any_ds")) {
+ if (const auto *DS = Result.Nodes.getNodeAs<DeclStmt>("any_ds"))
Tracker.discoverDecl(DS);
- }
// Figure out which matcher we've found, and call the appropriate
aaron.ballman:
#endif #endif
if (const auto *DRE = Result.Nodes.getNodeAs<DeclRefExpr>("any_dre")) {
Tracker.discoverUse(DRE);
NEXT;
}
if (const auto *DS = Result.Nodes.getNodeAs<DeclStmt>("any_ds")) {
Tracker.discoverDecl(DS);
NEXT;
}
// Figure out which matcher we've found, and call the appropriate // Figure out which matcher we've found, and call the appropriate
// subclass constructor. // subclass constructor.
// FIXME: Can we do this more logarithmically? // FIXME: Can we do this more logarithmically?
#define GADGET(name) \ #define GADGET(name) \
if (Result.Nodes.getNodeAs<Stmt>(#name)) { \ if (Result.Nodes.getNodeAs<Stmt>(#name)) { \
Output.push_back(std::make_unique<name ## Gadget>(Result)); \ Gadgets.push_back(std::make_unique<name ## Gadget>(Result)); \
NEXT; \ NEXT; \
} }
#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def" #include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"
assert(numFound >= 1 && "Gadgets not found in match result!"); assert(numFound >= 1 && "Gadgets not found in match result!");
assert(numFound <= 1 && "Conflicting bind tags in gadgets!"); assert(numFound <= 1 && "Conflicting bind tags in gadgets!");
} }
}; };
GadgetList G;
MatchFinder M; MatchFinder M;
GadgetFinderCallback CB(G); GadgetFinderCallback CB;
// clang-format off // clang-format off
M.addMatcher( M.addMatcher(
stmt(forEachDescendant( stmt(forEachDescendant(
stmt(anyOf( stmt(anyOf(
// Add Gadget::matcher() for every gadget in the registry. // Add Gadget::matcher() for every gadget in the registry.
#define GADGET(x) \ #define GADGET(x) \
x ## Gadget::matcher().bind(#x), x ## Gadget::matcher().bind(#x),
#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def" #include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"
// FIXME: Is there a better way to avoid hanging comma? // In parallel, match all DeclRefExprs so that to find out
unless(stmt()) // whether there are any uncovered by gadgets.
declRefExpr(hasPointerType(), to(varDecl())).bind("any_dre"),
// Also match DeclStmts because we'll need them when fixing
// their underlying VarDecls that otherwise don't have
// any backreferences to DeclStmts.
declStmt().bind("any_ds")
)) ))
// FIXME: Idiomatically there should be a forCallable(equalsNode(D)) // FIXME: Idiomatically there should be a forCallable(equalsNode(D))
// here, to make sure that the statement actually belongs to the // here, to make sure that the statement actually belongs to the
// function and not to a nested function. However, forCallable uses // function and not to a nested function. However, forCallable uses
// ParentMap which can't be used before the AST is fully constructed. // ParentMap which can't be used before the AST is fully constructed.
// The original problem doesn't sound like it needs ParentMap though, // The original problem doesn't sound like it needs ParentMap though,
// maybe there's a more direct solution? // maybe there's a more direct solution?
)), )),
&CB &CB
); );
// clang-format on // clang-format on
M.match(*D->getBody(), D->getASTContext()); M.match(*D->getBody(), D->getASTContext());
return G; // NRVO! // Gadgets "claim" variables they're responsible for. Once this loop finishes,
// the tracker will only track DREs that weren't claimed by any gadgets,
// i.e. not understood by the analysis.
for (const auto &G : CB.Gadgets) {
for (const auto *DRE : G->getClaimedVarUseSites()) {
CB.Tracker.claimUse(DRE);
}
}
return {std::move(CB.Gadgets), std::move(CB.Tracker)};
} }
void clang::checkUnsafeBufferUsage(const Decl *D, void clang::checkUnsafeBufferUsage(const Decl *D,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
assert(D && D->getBody()); assert(D && D->getBody());
GadgetList Gadgets = findGadgets(D); SmallSet<const VarDecl *, 8> WarnedDecls;
auto [Gadgets, Tracker] = findGadgets(D);
DenseMap<const VarDecl *, std::vector<const Gadget *>> Map;
// First, let's sort gadgets by variables. If some gadgets cover more than one
// variable, they'll appear more than once in the map.
for (const auto &G : Gadgets) { for (const auto &G : Gadgets) {
DeclUseList ClaimedVarUseSites = G->getClaimedVarUseSites();
// Populate the map.
bool Pushed = false;
for (const DeclRefExpr *DRE : ClaimedVarUseSites) {
if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) {
Map[VD].push_back(G.get());
Pushed = true;
}
}
if (!Pushed && !G->isSafe()) {
// We won't return to this gadget later. Emit the warning right away.
Handler.handleUnsafeOperation(G->getBaseStmt());
continue;
}
}
Strategy S;
for (const auto &[VD, VDGadgets] : Map) {
// If the variable has no unsafe gadgets, skip it entirely.
steakhalUnsubmitted
Done
ReplyInline Actions
Strategy S;
- for (const auto &Item : Map) {
- const VarDecl *VD = Item.first;
- const std::vector<const Gadget *> &VDGadgets = Item.second;
+ for (const auto &[VD, VDGadgets] : Map) {
// If the variable has no unsafe gadgets, skip it entirely.
steakhal:
NoQAuthorUnsubmitted
Done
ReplyInline Actions

I can get used to that!

NoQ: I can get used to that!
if (!any_of(VDGadgets, [](const Gadget *G) { return !G->isSafe(); }))
continue;
std::optional<FixItList> Fixes = std::nullopt;
// Avoid suggesting fixes if not all uses of the variable are identified
// as known gadgets.
// FIXME: Support parameter variables as well.
if (!Tracker.hasUnclaimedUses(VD) && VD->isLocalVarDecl()) {
// Choose the appropriate strategy. FIXME: We should try different
// strategies.
S.set(VD, Strategy::Kind::Span);
// Check if it works.
// FIXME: This isn't sufficient (or even correct) when a gadget has
// already produced a fixit for a different variable i.e. it was mentioned
// in the map twice (or more). In such case the correct thing to do is
// to undo the previous fix first, and then if we can't produce the new
// fix for both variables, revert to the old one.
Fixes = FixItList{};
for (const Gadget *G : VDGadgets) {
NoQAuthorUnsubmitted
Done
ReplyInline Actions

We're safe for now because none of the currently implemented Gadget classes "claim" more than one DeclRefExpr. We need to address this FIXME before we implement such gadgets.

NoQ: We're safe for now because none of the currently implemented `Gadget` classes "claim" more than…
std::optional<FixItList> F = G->getFixits(S);
if (!F) {
Fixes = std::nullopt;
break;
}
for (auto &&Fixit: *F)
Fixes->push_back(std::move(Fixit));
}
}
if (Fixes) {
// If we reach this point, the strategy is applicable.
Handler.handleFixableVariable(VD, std::move(*Fixes));
} else {
// The strategy has failed. Emit the warning without the fixit.
S.set(VD, Strategy::Kind::Wontfix);
for (const Gadget *G : VDGadgets) {
if (!G->isSafe()) {
Handler.handleUnsafeOperation(G->getBaseStmt()); Handler.handleUnsafeOperation(G->getBaseStmt());
} }
} }
}
steakhalUnsubmitted
Done
ReplyInline Actions
for (const auto &G : Gadgets) {
- DeclUseList DREs = G->getClaimedVarUseSites();
+ DeclUseList ClaimedVarUseSites = G->getClaimedVarUseSites();
// Populate the map.
steakhal:
}
}

clang/lib/Sema/AnalysisBasedWarnings.cpp

Show First 20 LinesShow All 2,144 Lines▼ Show 20 Lines
class UnsafeBufferUsageReporter : public UnsafeBufferUsageHandler { class UnsafeBufferUsageReporter : public UnsafeBufferUsageHandler {
Sema &S; Sema &S;
public: public:
UnsafeBufferUsageReporter(Sema &S) : S(S) {} UnsafeBufferUsageReporter(Sema &S) : S(S) {}
void handleUnsafeOperation(const Stmt *Operation) override { void handleUnsafeOperation(const Stmt *Operation) override {
S.Diag(Operation->getBeginLoc(), diag::warn_unsafe_buffer_usage) S.Diag(Operation->getBeginLoc(), diag::warn_unsafe_buffer_expression)
<< Operation->getSourceRange(); << Operation->getSourceRange();
} }
void handleFixableVariable(const VarDecl *Variable,
FixItList &&Fixes) override {
const auto &D =
S.Diag(Variable->getBeginLoc(), diag::warn_unsafe_buffer_variable);
D << Variable << Variable->getSourceRange();
for (const auto &F: Fixes)
D << F;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
D << Variable;
- for (const auto &F: Fixes) {
+ for (const auto &F: Fixes)
D << F;
- }
- }
+ }
};

Hmmm... llvm::for_each instead?

aaron.ballman: Hmmm... `llvm::for_each` instead?
}
}; };
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based // AnalysisBasedWarnings - Worker object used by Sema to execute analysis-based
// warnings on a function, method, or block. // warnings on a function, method, or block.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 280 Lines▼ Show 20 Linesvoid clang::sema::AnalysisBasedWarnings::IssueWarnings(
// Check for throw out of non-throwing function. // Check for throw out of non-throwing function.
if (!Diags.isIgnored(diag::warn_throw_in_noexcept_func, D->getBeginLoc())) if (!Diags.isIgnored(diag::warn_throw_in_noexcept_func, D->getBeginLoc()))
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
if (S.getLangOpts().CPlusPlus && isNoexcept(FD)) if (S.getLangOpts().CPlusPlus && isNoexcept(FD))
checkThrowInNonThrowingFunc(S, FD, AC); checkThrowInNonThrowingFunc(S, FD, AC);
// Emit unsafe buffer usage warnings and fixits. // Emit unsafe buffer usage warnings and fixits.
if (!Diags.isIgnored(diag::warn_unsafe_buffer_usage, D->getBeginLoc())) { if (!Diags.isIgnored(diag::warn_unsafe_buffer_expression, D->getBeginLoc()) ||
!Diags.isIgnored(diag::warn_unsafe_buffer_variable, D->getBeginLoc())) {
UnsafeBufferUsageReporter R(S); UnsafeBufferUsageReporter R(S);
checkUnsafeBufferUsage(D, R); checkUnsafeBufferUsage(D, R);
} }
// If none of the previous checks caused a CFG build, trigger one here // If none of the previous checks caused a CFG build, trigger one here
// for the logical error handler. // for the logical error handler.
if (LogicalErrorHandler::hasActiveDiagnostics(Diags, D->getBeginLoc())) { if (LogicalErrorHandler::hasActiveDiagnostics(Diags, D->getBeginLoc())) {
AC.getCFG(); AC.getCFG();
▲ Show 20 LinesShow All 48 LinesShow Last 20 Lines