I think that my current name of the Fixable is pretty bad - open to suggestions!

Nice! I have some nitpicks.

Looking over this patch, I'm a little concerned that you seem to have re-invented the infrastructure of RewriteRules from Transformer. Not the details of the patch itself, but the infrastructure its built on -- the FixableGadget and FixitLists all seem very similar. While you're welcome to do as you please, I imagine the project would be best off if there was a common infrastructure. Have you taken a look at clang::transformer? If so, is there a reason that it doesn't meet your needs? https://github.com/llvm/llvm-project/blob/main/clang/include/clang/Tooling/Transformer/RewriteRule.h is the starting point, if you're not familiar with it. The doc page is here: https://intel.github.io/llvm-docs/clang/ClangTransformerTutorial.html.

@ymandel I think we should definitely try it.

I don't think our FixableGadgets correspond nicely to RewriteRules. Our story is that we gather *global* understanding of the entire function by collecting gadgets inside it, which is then used for discovering the best "strategy" for transforming the function, which may activate certain (not necessarily all) fixable gadgets in a specific manner. For instance, once D143133 gets fully developed, it'll involve fixpoint iteration over all fixables to discover variables that need to be transformed simultaneously. So I suspect that RewriteRule is too high-level / restrictive for our purposes.

But I do think that we can use the EditGenerator infrastructure to greatly simplify fixit generation once we figure out the strategy. So we can have something like

class FixableGadget {
  virtual EditGenerator generator(Strategy &S) = 0;

  FixItList getFixits(Strategy &S) { // non-virtual!
    return generator(S)(MatchResult).somehowFlattenAllTheseFixits();
  }
};

class DerefSimplePtrArithFixableGadget : public FixableGadget {
  static constexpr const char *const AddOpTag = "AddOp";
  static constexpr const char *const OffsetTag = "Offset";

  static StmtMatcher matcher() { /* matcher that makes all these bindings */ }

  EditGenerator generator(Strategy &S) override {
    return changeTo(node(AddOpTag), cat(node(BaseDRETag), "[", node(OffsetTag), "]"));
  }
};

which is much simpler than what we have. So I agree that we should consider this, at least for new code.

Things I don't immediately understand, which we'll need to figure out:

• How do we preserve MatchResult long enough? It needs to be kept alive while we build the Strategy object, so that later we didn't have to rerun the matchers for fixit purposes.
• We're somewhat conscious about minimizing our fixit's source ranges. In particular, we really need the fixit replacement range to not overlap with the OffsetTag range in this example. This is because the offset may contain other fixable operations inside it! So we won't be happy if the fixit produced by the generator throws out the entire expression and replaces it with concatenated text, we need something more targeted.

How do we preserve MatchResult long enough?

(it looks easily copyable as it's basically a std::map<std::string, Stmt *>; but it also looks like nobody tried this before, so we'll have to define a copy constructor, or like a .clone() method if we're worried about accidental copies)

It also sounds like this is going to be the first use of libClangTransformers in clang proper, so we'll have to link the clang binary to it.

Also, @ymandel would you mind if we commit this patch as-is and experiment with Transformers in a follow-up patch? 'Cause we have like 6 patches waiting for this one to land, and we'd rather avoid large-scale rebasing as we fight to keep our backlogs short.

Very sorry for the delayed response! Also, feel free to move this discussion to some other forum. Responses inline:

In D142795#4148991, @NoQ wrote:

@ymandel I think we should definitely try it.

I don't think our FixableGadgets correspond nicely to RewriteRules. Our story is that we gather *global* understanding of the entire function by collecting gadgets inside it, which is then used for discovering the best "strategy" for transforming the function, which may activate certain (not necessarily all) fixable gadgets in a specific manner. For instance, once D143133 gets fully developed, it'll involve fixpoint iteration over all fixables to discover variables that need to be transformed simultaneously. So I suspect that RewriteRule is too high-level / restrictive for our purposes.

This makes a lot of sense. We've actually moved in the same direction ourself, away from one-shot rules (though we still use them for simpler tasks) towards analysis (or even, an analysis pipeline) followed by application of edits. I think the RewriteRule concept needs to expand to encompass this approach and would hope that feedback from your use case could help drive that. In the meantime, we've found taken two approaches:

1. Embed the analysis in the matchers and thread that state to the edit generator. So, the rule looks something like makeRule(matcherThatAnchorsAnalysis(SharedState), generatorFromState(SharedState)). Sometimes the generator is a custom function, but we can often use the standard combinators.
2. Generate _metadata_ from the rewrite rule, and don't generate edits. Then, followup passes can consume the metadata and turn them into edits (using EditGenerators or otherwise). The metadata can also just bundle edits directly, but in a form suited to followup processing rather than the standard output from rules that's intended for direct application.

Regardless, I'd love to work together to find a format that works for these use cases.

But I do think that we can use the EditGenerator infrastructure to greatly simplify fixit generation once we figure out the strategy. So we can have something like

class FixableGadget {
  virtual EditGenerator generator(Strategy &S) = 0;

  FixItList getFixits(Strategy &S) { // non-virtual!
    return generator(S)(MatchResult).somehowFlattenAllTheseFixits();
  }
};

class DerefSimplePtrArithFixableGadget : public FixableGadget {
  static constexpr const char *const AddOpTag = "AddOp";
  static constexpr const char *const OffsetTag = "Offset";

  static StmtMatcher matcher() { /* matcher that makes all these bindings */ }

  EditGenerator generator(Strategy &S) override {
    return changeTo(node(AddOpTag), cat(node(BaseDRETag), "[", node(OffsetTag), "]"));
  }
};

which is much simpler than what we have. So I agree that we should consider this, at least for new code.

Things I don't immediately understand, which we'll need to figure out:

• How do we preserve MatchResult long enough? It needs to be kept alive while we build the Strategy object, so that later we didn't have to rerun the matchers for fixit purposes.

I'm not sure I understand the issue, can you expand? I'd sooner expect that you would eagerly generate the Edits, rather than building up EditGenerators and then you don't need to keep around the MatchResult.

• We're somewhat conscious about minimizing our fixit's source ranges. In particular, we really need the fixit replacement range to not overlap with the OffsetTag range in this example. This is because the offset may contain other fixable operations inside it! So we won't be happy if the fixit produced by the generator throws out the entire expression and replaces it with concatenated text, we need something more targeted.

Yes, this is a common concern. We tend to apply targeted fixes where possible, using the combinators to correctly select the parts of the syntax to target. Ideally, the framework could do that for you -- that is, you could do larger edit for clarity and it would diff only produce the smaller edit -- but that's "future work" with no plans at this point.

In D142795#4165331, @ymandel wrote:

In D142795#4148991, @NoQ wrote:

@ymandel I think we should definitely try it.

I don't think our FixableGadgets correspond nicely to RewriteRules. Our story is that we gather *global* understanding of the entire function by collecting gadgets inside it, which is then used for discovering the best "strategy" for transforming the function, which may activate certain (not necessarily all) fixable gadgets in a specific manner. For instance, once D143133 gets fully developed, it'll involve fixpoint iteration over all fixables to discover variables that need to be transformed simultaneously. So I suspect that RewriteRule is too high-level / restrictive for our purposes.

This makes a lot of sense. We've actually moved in the same direction ourself, away from one-shot rules (though we still use them for simpler tasks) towards analysis (or even, an analysis pipeline) followed by application of edits. I think the RewriteRule concept needs to expand to encompass this approach and would hope that feedback from your use case could help drive that. In the meantime, we've found taken two approaches:

1. Embed the analysis in the matchers and thread that state to the edit generator. So, the rule looks something like makeRule(matcherThatAnchorsAnalysis(SharedState), generatorFromState(SharedState)). Sometimes the generator is a custom function, but we can often use the standard combinators.
2. Generate _metadata_ from the rewrite rule, and don't generate edits. Then, followup passes can consume the metadata and turn them into edits (using EditGenerators or otherwise). The metadata can also just bundle edits directly, but in a form suited to followup processing rather than the standard output from rules that's intended for direct application.

Regardless, I'd love to work together to find a format that works for these use cases.

Yeah this is a really interesting subject, I'd love to have a bigger conversation about it. We've got a lot of very interesting examples of after-the-fact interactions, and a lot of them seem to be specific to our work. A lot of them stem from the fact that we aren't settling for any fix that would compile and silence the warning, but we aspire to generate code with the maximum security benefit. And when we cannot, we find it better to abandon the entire fixit and recommend manual transformation, than to recommend a less-than-ideal automatic solution. Because the less-than-ideal solution would silence the warning, and the code won't be revisited for later security improvements or flagged for future security audit. So it's better to have our tool teach the developer by example how to write better code whenever it can, and offer the developer a chance to demonstrate what they learned when it cannot find a good solution automatically.

The ideal solution often involves substituting multiple variables at a time, so that, say, the span object didn't need to be unpacked and repacked. In fact, because span size is a thing (but pointer size isn't), there's no easy analysis that would help us eliminate span-repacking code after the fact! Partially spanified code is much harder to analyze than fully unspanified code because there's now this entire extra aspect of the program's behavior (span sizes) that we need to either preserve or prove away as irrelevant. Whereas in the original unspanified program it's obviously irrelevant from the start. So even though we want to successfully analyze partially spanified code in some cases, it's clearly a much harder problem and ideally we don't want to block the tool on solving it, so instead we're trying to make larger leaps from unspanified code directly to ideal code.

(This sounds as if it relates to our discussion in D143128 but it really doesn't, that patch's dilemma was about two fixes that are both equally (un-)ideal, and it's probably easy to transform one into another "after the fact".)

• How do we preserve MatchResult long enough? It needs to be kept alive while we build the Strategy object, so that later we didn't have to rerun the matchers for fixit purposes.

I'm not sure I understand the issue, can you expand? I'd sooner expect that you would eagerly generate the Edits, rather than building up EditGenerators and then you don't need to keep around the MatchResult.

I suspect that as our machine grows larger, that'd cause us to eagerly generate around 5-10x more edits than we ever emit. Just because a code pattern is fixable, doesn't mean we want to fix it. Even if we do, there's also like five different ways to fix it (encoded in our Strategy class, currently we implement just one way: "span"). And answers to these questions - whether we want to fix the pattern, and how - depend not only on this pattern, but also on properties of the space of all patterns discovered in the function. This isn't something we can decide upon in the constructor of the fixable pattern, when half of patterns aren't even constructed yet. We either need to see all MatchResults together before emitting any edits, or ~90% of our edits go to waste.

• We're somewhat conscious about minimizing our fixit's source ranges. In particular, we really need the fixit replacement range to not overlap with the OffsetTag range in this example. This is because the offset may contain other fixable operations inside it! So we won't be happy if the fixit produced by the generator throws out the entire expression and replaces it with concatenated text, we need something more targeted.

Yes, this is a common concern. We tend to apply targeted fixes where possible, using the combinators to correctly select the parts of the syntax to target. Ideally, the framework could do that for you -- that is, you could do larger edit for clarity and it would diff only produce the smaller edit -- but that's "future work" with no plans at this point.

That's another fascinating subject.

We have a weak signal that it might not even be the right thing to do. Say, if you're replacing a function call foo with foo2, it's arguably better to have the fixit look like this:

foo();
^~~
foo2

than to have it look like this:

foo();
   ^
   2

The second solution may be alright in some cases (especially when you hardcode the names of the function in the compiler, so you know for sure that "adding a suffix to the function" is an accurate way to describe the fix from user's point of view) but in the general case (say, when you discover functions through attributes) the second solution may be very surprising. But a purely textual "fixit minimizer" machine will not be able to tell the difference and recognize that the first approach is more appropriate in this case.

It could also be bad in the same way as the command-line diff tool sometimes completely misunderstands the nature of the diff (say, when it tells us that we've added } foo() { instead of foo() {}). So I think there's a few good reasons to retain full control over the shape of the edits.

We agreed with @ymandel to have a separate discussion about how can Safe Buffers Fix-Its benefit from using libClangTransformers .
Our tentative plan is to it for new code that we write and eventually change all our code to use it.

Other than the to(varDecl()) discussion, LGTM!