This is an archive of the discontinued LLVM Phabricator instance.

Differential D143048

[-Wunsafe-buffer-usage] Add T* -> span<T> Fix-Its for function parameters
ClosedPublic

Authored by ziqingluo-90 on Jan 31 2023, 11:35 PM.

Details

Reviewers
NoQ
malavikasamak
t-rasmud
jkorous
gribozavr2
aaron.ballman
xazax.hun
ymandel
sgatev
Commits
rG1e270be0886c: [-Wunsafe-buffer-usage] Add fix-its for function parameters using the `span`…
Summary

Generate fix-its for function parameters. Currently, the analyzer fixes one parameter at a time.
Fix-its for a function parameter includes:

  1. Fix the parameter declaration of the definition, result in a new overload of the function. We call the function with the original signature the old overload.
  2. For any other existing declaration of the old overload, mark it with the [[unsafe_buffer_usage]] attribute and generate a new overload declaration next to it.
  3. Creates a new definition for the old overload, which is simply defined by a call to the new overload.

Example,

void foo(int *p);

void foo(int *p) {
   int x = p[5];
}

will be like the following after applying fix-its

[[unsafe_buffer_usage]] void foo(int * p);
void foo(std::span<int> p);

void foo(std::span<int> p) {
...
}
[[unsafe_buffer_usage]] void foo(int * p) {
  return foo(std::span<int>{p, <# size #>});
}

Diff Detail

Event Timeline

jkorous created this revision.Jan 31 2023, 11:35 PM
Herald added a project: Restricted Project. · View Herald TranscriptJan 31 2023, 11:35 PM
jkorous requested review of this revision.Jan 31 2023, 11:35 PM
jkorous planned changes to this revision.
Harbormaster completed remote builds in B211152: Diff 493840.Jan 31 2023, 11:36 PM
jkorous added inline comments.Jan 31 2023, 11:50 PM
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp
10

Oh, yes, this is fun. I hope I will eventually convince FileCheck this C++ attributes are not substitution blocks 😅

https://llvm.org/docs/CommandGuide/FileCheck.html#filecheck-string-substitution-blocks

jkorous updated this revision to Diff 494147.EditedFeb 1 2023, 7:36 PM
jkorous added a parent revision: D139737: [-Wunsafe-buffer-usage] Initiate Fix-it generation for local variable declarations.
  • rebased
  • moved compatibility decl/def below original

still see crash in tests

Harbormaster completed remote builds in B211372: Diff 494147.Feb 1 2023, 8:16 PM
jkorous retitled this revision from [-Wunsafe-buffer-usage][WIP] Fix-Its for T* -> std::span<T> function parameters to [-Wunsafe-buffer-usage][WIP] Add T* -> span<T> Fix-Its for function parameters.Feb 1 2023, 11:52 PM
jkorous updated this revision to Diff 494177.Feb 1 2023, 11:58 PM
  • fixed all crashes in our tests
  • added cases of functions where we should not emit Fix-Its for parameters
Harbormaster completed remote builds in B211393: Diff 494177.Feb 1 2023, 11:59 PM
jkorous updated this revision to Diff 496368.EditedFeb 10 2023, 1:18 AM

Started working on conflict detection for added compatibility overload.

Herald added a subscriber: ChuanqiXu. · View Herald TranscriptFeb 10 2023, 1:18 AM
jkorous added a comment.Feb 13 2023, 12:03 PM

Note: One thing that I have little confidence the current patch handles correctly would be qualified function names. Definitely need tests.

jkorous added inline comments.Feb 16 2023, 3:23 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
917

We should not use the attribute directly - instead we should have a macro that gates it with __has_cpp_attribute.
https://clang.llvm.org/docs/LanguageExtensions.html#has-cpp-attribute

jkorous marked an inline comment as not done.Feb 17 2023, 4:07 PM
jkorous added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
917

Also, we need to think about how do we vend the macro.

jkorous marked 2 inline comments as not done.Mar 1 2023, 3:39 PM
jkorous added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
898

Sorry, the example below is unrelated. What I meant is that we shouldn't for example use \n on Windows.
EDIT: We also realized during an offline discussion that we should have our tests reflect that (somehow).

jkorous added a comment.Mar 2 2023, 4:44 PM

As we discussed offline - we should add tests that our overload conflict detection would notice overloads that are declared below the function that's being analyzed.
Since our analysis callback is invoked after a body function has been parsed (but before the whole TU is parsed) it is not immediately clear if all function declarations in the TU will already be represented in the AST at that point.

ziqingluo-90 commandeered this revision.Mar 6 2023, 12:45 PM
ziqingluo-90 edited reviewers, added: jkorous; removed: ziqingluo-90.

Taking care of this patch on behalf of @jkorous

ziqingluo-90 updated this revision to Diff 502893.Mar 6 2023, 6:43 PM
ziqingluo-90 removed a subscriber: ChuanqiXu.

Still work in progress (but comments are very welcomed) ---there are several problems need to be solved:

  • To conservatively detect any overload of the function whose parameter is being fixed. Thus far, the analysis cannot see any overload declared after the analyzing function.
  • Fix-its conflict. Insertions of #include<span> and [[clang::unsafe_buffer_usage]] can conflict if both are inserted at the beginning of a file.
  • There are many unsupported cases.
  • Do we really want to fix parameters one at a time?
  • As the fix-its become more complicated, tests now are harder to read.
Harbormaster completed remote builds in B217779: Diff 502893.Mar 6 2023, 6:44 PM
jkorous added a parent revision: D143628: [-Wunsafe-buffer-usage][PoC][WIP] Add #include <span> to emitted Fix-Its.Mar 9 2023, 11:56 AM
jkorous added a comment.Mar 13 2023, 6:03 PM

I just discovered my original prototype had yet another bug - parameters that use "array syntax" would get spanified but their name would be missing.

E. g.
void foo(int param[]) {
would get transformed to (notice the missing param name:
[clang::unsafe_buffer_usage] void foo(std::span<int>) {

I am wondering what is the source range of the parameter type in this case - the original code likely expects parameter type to be left of parameter name which might or might not be true in case.

It is possible that @ziqingluo-90 has fixed the bug in the meantime but I don't see a test - can we add one just to be sure?

It is likely that Transformer might solve this problem out of the box - maybe we should use it for this patch after all.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-unsupported.cpp
63 ↗(On Diff #502893)

Since you mention main in the tests...
We can't change its signature. Not emitting Fix-Its (and not emitting the note to change param type) might be sufficient for now.
Long-term we might want a special Fix-It for argv - maybe construct std::span argv{argv_raw, argc}; local variable but that should be done in another patch.
Can you please add a test that we don't emit Fix-It for argv?

t-rasmud added a child revision: D145739: [-Wunsafe-buffer-usage] Group variables associated by pointer assignments.Mar 15 2023, 2:44 PM
jkorous added a comment.Mar 16 2023, 4:24 PM

I found one more bug.

The prototype mishandles const qualifier of the parameter type which means it transforms const int* to const span<const int> which is incorrect. That would correspond to const int* const.

Can we add a test for this case?

ziqingluo-90 added a parent revision: D146342: [-Wunsafe-buffer-usage] Move the whole analysis to the end of a translation unit.Mar 17 2023, 5:14 PM
ziqingluo-90 updated this revision to Diff 508798.Mar 27 2023, 2:40 PM
ziqingluo-90 marked an inline comment as done.

Fix issues in transforming parameter declarations of the form const T * var and T * var[].
Add test for overload declarations appearing after the analyzing function with unsafe parameters.
Add more tests for unsupported cases so that we don't forget.

Harbormaster completed remote builds in B222116: Diff 508798.Mar 27 2023, 2:41 PM
NoQ removed a parent revision: D139737: [-Wunsafe-buffer-usage] Initiate Fix-it generation for local variable declarations.Apr 7 2023, 2:53 PM
NoQ removed a parent revision: D146342: [-Wunsafe-buffer-usage] Move the whole analysis to the end of a translation unit.Apr 7 2023, 2:56 PM
jkorous added a comment.Apr 10 2023, 5:19 PM

I just realized one more problem we have to address with this patch - default arguments.
ParmVarDecl::getDefaultArg should be able to tell us if in any of the declarations of the function there is a default argument for the parameter we want to transform. Then we need to figure out if we can fix it/how do we fix it and we shouldn't emit the fixit if we can't fix the default argument. This problem is pretty similar to local variable initialization and we should try to reuse the solution.

clang/lib/Analysis/UnsafeBufferUsage.cpp
874

This TODO will hopefully no longer be true after we land.
https://reviews.llvm.org/D146342

882

IMO we should wrap this in some macro to make it user-friendlier.

Something like:

#ifndef UNSAFE_BUFFER_USAGE
#if __has_cpp_attribute(clang::unsafe_buffer_usage)
#define UNSAFE_BUFFER_USAGE [[clang::unsafe_buffer_usage]]
#else
#define UNSAFE_BUFFER_USAGE 
#endif
#endif

so the code (from our fix-its or written by the users) can look like this:

UNSAFE_BUFFER_USAGE void unsafe_foo(int* ptr, unsigned size);

...and we need to figure where exactly should the macro live (or if there should be multiple definitions, etc.).

I would love to hear @NoQ's thoughts on this topic.

ziqingluo-90 removed a child revision: D145739: [-Wunsafe-buffer-usage] Group variables associated by pointer assignments.Apr 14 2023, 11:11 AM
ziqingluo-90 edited parent revisions, added: D145739: [-Wunsafe-buffer-usage] Group variables associated by pointer assignments; removed: D143628: [-Wunsafe-buffer-usage][PoC][WIP] Add #include <span> to emitted Fix-Its.
NoQ added inline comments.Apr 18 2023, 1:22 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
882

That's, uh, interesting. We want users to use a macro of this kind and we need the macro to be defined, just like we want the users to use span and we want <span> to be included. But unlike #include <span>, we *really* don't want users to define the macro manually every time they need it. Instead we want it defined manually in some centralized place, and have the fixit machine pick it up from there.

So I think the fixit machine should never suggest *definining* the macro. That's the opposite of what we want.

On the other hand, there's a moderately famous precedent of compiler picking up an existing macro, namely the attribute [[fallthrough]]:

So I think we can try to build something similar.

NoQ added a comment.Apr 18 2023, 1:41 PM
In D143048#4256855, @jkorous wrote:

I just realized one more problem we have to address with this patch - default arguments.
ParmVarDecl::getDefaultArg should be able to tell us if in any of the declarations of the function there is a default argument for the parameter we want to transform. Then we need to figure out if we can fix it/how do we fix it and we shouldn't emit the fixit if we can't fix the default argument. This problem is pretty similar to local variable initialization and we should try to reuse the solution.

Oh right.

The problem with default arguments is that their AST lives outside of function body. It's the job of the *caller* to invoke this code. So that's a separate isolated piece of code that our matchers need to traverse together with the function's body.

I recommend giving up for the purposes of this patch (just make sure we don't try to fix such code) and see if we can address this later.

Which reminds me, we also need to handle CXXCtorInitializers correctly (or at least give up when we see them) - they're yet another piece of code that lives outside of function body, and they may access function parameters.

ziqingluo-90 updated this revision to Diff 515500.Apr 20 2023, 4:29 PM

To conservatively give up on fixing function parameters if they have default arguments.

The following improvement will be added by follow-up patches:

  • Improve the insertion of [[unsafe_buffer_usage]]
  • Fix function parameters with default arguments
  • Group fix-its of multiple parameters
Harbormaster completed remote builds in B227014: Diff 515500.Apr 20 2023, 4:30 PM
NoQ added inline comments.Apr 20 2023, 5:31 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
872–873

I suspect that it's always going to be "the whole TU", given that Sema is currently at the end of TU parsing (because that's where we put our analysis).

I recommend adding some tests with namespaces and other situations when functions are nested into something. Esp. when the out-of-line definition may be lexically available outside of the scope, eg.

namespace N {
  void foo();
}

void N::foo() {
  // implementation
}

where the compatibility overload has to go into the right namespace and the implementation of the compatibility overload has to be correctly prefixed with N::.

882

I think we have to go with raw [[clang::unsafe_buffer_usage]] for now. We can implement macro detection later, but we shouldn't insert preprocessor directives ourselves, because that's absolutely not how we want the final code to look.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span-overload.cpp
26 ↗(On Diff #515500)
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp
11

Is there a semicolon at the end?

Also, do we want to preserve the parameter name p here, given that it's available on the respective redeclaration?

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-unsupported.cpp
20 ↗(On Diff #515500)

Why, what's wrong with it?

ziqingluo-90 added inline comments.Apr 21 2023, 1:30 PM
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp
11

No. There is no semicolon. The idea is that the fix-it tries to append a new function decl A; to a function decl B; but there is no obvious way to get the end location of B;. We only have the end location of B. So the fix-it inserts ;A to the end of B.

11

I did think about whether preserving the parameter name is necessary and didn't find a strong reason to do so.
A minor reason could be that if contracts are introduced in C++ one day, parameters in declarations need to have names so that contracts can refer to them.

I will add names to fix-its. Also I will be happy to hear any other benefits of doing that.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-unsupported.cpp
20 ↗(On Diff #515500)

For const int * const x (or int * const x), we transform it to const std::span<const int> x (or const std::span<int> x). The left-most const are missing in the fix-its.

ziqingluo-90 retitled this revision from [-Wunsafe-buffer-usage][WIP] Add T* -> span<T> Fix-Its for function parameters to [-Wunsafe-buffer-usage] Add T* -> span<T> Fix-Its for function parameters.Apr 27 2023, 3:59 PM
ziqingluo-90 added reviewers: gribozavr2, aaron.ballman, xazax.hun, ymandel, sgatev.
Herald added a subscriber: rnkovacs. · View Herald TranscriptApr 27 2023, 3:59 PM
ziqingluo-90 updated this revision to Diff 519699.May 4 2023, 5:16 PM

Fix issues in overload lookup. Thanks to @NoQ 's comment.
Fix issues in handling qualified function or parameter names.
Add parameter names back for inserted overload declarations if the names exist in the original function declaration.

Harbormaster completed remote builds in B230135: Diff 519699.May 4 2023, 5:18 PM
ziqingluo-90 marked 2 inline comments as done.May 4 2023, 5:18 PM
ziqingluo-90 added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
872–873

This is very valuable comment that points out a big hole in my patch. Now it should be fixed. Thank you.

ziqingluo-90 added a child revision: D143628: [-Wunsafe-buffer-usage][PoC][WIP] Add #include <span> to emitted Fix-Its.May 5 2023, 11:33 AM
ziqingluo-90 mentioned this in D150338: [-Wunsafe-buffer-usage] Improving insertion of the [[clang::unsafe_buffer_usage]] attribute .May 10 2023, 6:20 PM
ziqingluo-90 added a child revision: D150338: [-Wunsafe-buffer-usage] Improving insertion of the [[clang::unsafe_buffer_usage]] attribute .May 11 2023, 10:25 AM
ziqingluo-90 removed a child revision: D143628: [-Wunsafe-buffer-usage][PoC][WIP] Add #include <span> to emitted Fix-Its.
NoQ added inline comments.May 22 2023, 12:41 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
877–879

Wait, did we decide to emit the #if check at every function after all?

I'd much rather temporarily emit the raw attribute without the check, than temporarily emit an #if, because the raw attribute is desired at least in some cases, but #if next to the function is never desired.

890

Need to test this with various anonymous functions:

958–959

What happens if these are in different FileIDs? Do we end up with a pair of pointers into unrelated buffers? (Eg., macro expansions, or #include in the middle of the function declaration.)

1061

Does this work correctly if the pointee type is an anonymous struct? It probably does (given that anonymous structs can't be used directly, and typedefs aren't skipped here).

I suspect it's more reliable to copy-paste the original spelling of the type from the source code than to rely on pretty-printing, but it could have other problems (eg., there's a typedef that covers the *).

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp
11

Parameter name could be a valuable hint to the user about the purpose of the parameter. The user doesn't necessarily see the implementation, and it's not like we're copying over the comments before the function. So out of the few ways the caller can figure out what to put there, this could be the most important one.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-unsupported.cpp
20 ↗(On Diff #515500)

Oh, right, yes, makes sense in both cases!

This doesn't really lead to broken code and it doesn't really sacrifice much const-correctness because const in this position applies only to the parameter's stack storage, which people don't usually overwrite anyway, given that it reliably disappears at end of function. In particular, it's completely immaterial to the caller.

(It could matter when the class does something non-trivial, like have weird global side effects in overloaded assignment operator, so if it's const it could act as a guarantee that these side effects don't happen no matter what the function does; but nobody writes code like this, and std::span specifically is definitely not written like this.)

But I totally agree that in the spirit of preserving maximum similarity to the original code, it's valuable to preserve const here.

NoQ added inline comments.May 22 2023, 12:43 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
1061

We should definitely add a test for this even if it's already working correctly, because people love their .getCanonicalType() and I can easily see somebody adding it to the code later for some unrelated reason. They need to know that typedefs can't be dropped here.

ziqingluo-90 marked 2 inline comments as done.May 22 2023, 2:58 PM
ziqingluo-90 added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
877–879

oh yes, I should have made the raw attribute the default case here. More advanced cases of dealing with attributes are addressed in this patch.

890

These cases are not supported in this patch. (see the guard at lines 1358--1366).

958–959

This is a good point! I should have just obtained text representation of each part (i.e., return type and function name) separately.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-unsupported.cpp
20 ↗(On Diff #515500)

Yes and thanks for the extra note.

Do you think const could also matter for pass-by-reference parameters? e.g.,
void f(int * const &p) -> void f(const std::span<int> &p)

I will add some tests for such cases

ziqingluo-90 marked an inline comment as done.May 23 2023, 3:27 PM
ziqingluo-90 added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
1061

I hadn't thought of anonymous structs. They can be a problem.
But I think the problem is that we cannot getPointeeType() from a pointer-to an anonymous type.
For example,

typedef struct {int x;} * ANON_PTR;
void foo(ANON_PTR p) {
  ... p[5];
}

One of the generated fix-its looks like this
std::span<struct (unnamed struct at clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp:7:9)> q

Actually, getCanonicalType() is not a problem in the cases that we can handle. For example,

typedef struct {int x;} ANON_S;
typedef ANON_S * ANON_PTR;

void foo(ANON_PTR p) {  ... }

getCanonicalType() returns ANON_S for the pointee type of the type of p. If ANON_S is defined by a named struct, getCanonicalType() returns the named struct.

ziqingluo-90 updated this revision to Diff 528028.Jun 2 2023, 3:55 PM
Harbormaster completed remote builds in B236309: Diff 528028.Jun 2 2023, 3:56 PM
ziqingluo-90 added a comment.Jun 2 2023, 4:39 PM

Address comments and made the following changes to the patch:

  1. Stop using SourceManager::getCharacterData to obtain source file texts. Because it is possible that the start and end pointer point to different buffers. Instead, a helper function getRangeText is created.
  2. Stop using TypePrinter. Calling getAsString on a QualType uses the printer under the hood. The printer does not necessarily print a type t in the exact same text form as t appearing in the source file. Especially when macros or typedefs are used. We prefer to generate texts for types without any change to their original literal forms. A helper function getPointeeTypeText is created to generate text for types using TypeLocs to obtain source ranges of types. However, there are a few limitations:
    • TypeLoc does not provide source ranges of qualifiers. (There is a QualifiedTypeLoc that looks like an outlier to the rest of the TypeLoc sub-classes and seems fishy to me). We have to generate qualifier texts using a printer separately.
    • Currently, we cannot obtain the text of a pointee type from a parameter declaration, if the declarator is too complicated. It now only supports two forms of parameter declarations: T identifier or T identifier[], where T is any type.
    • If a pointee type is unnamed or has unnamed sub-types, we cannot guarantee that we can refer to that type. Although there are many cases where we still can refer to such an unnamed type, we give up for now.
ziqingluo-90 edited the summary of this revision. (Show Details)Jun 2 2023, 4:58 PM
NoQ accepted this revision.Jun 5 2023, 5:46 PM

Hi, looks great to me now. It looks like it's at a point where there could be more cornercases for us to tackle, but the rough idea looks correct and we can address the rest of them incrementally. Great job!!

A few microscopic nitpicks but generally I think this is ok to land.

clang/lib/Analysis/UnsafeBufferUsage.cpp
919

I'm a big fan of Present Simple all the way, unless there's a really good reason.

957–958

Slightly more C++-y this way.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp
47–49
This revision is now accepted and ready to land.Jun 5 2023, 5:46 PM
t-rasmud added a comment.Jun 9 2023, 11:59 AM

LGTM.

clang/lib/Analysis/UnsafeBufferUsage.cpp
1052

Minor nit: Changing function name to createOverloadsForFixedParams would need to reflect here as well.

ziqingluo-90 marked 3 inline comments as done.Jun 9 2023, 3:43 PM
This revision was landed with ongoing or failed builds.Jun 9 2023, 3:55 PM
Closed by commit rG1e270be0886c: [-Wunsafe-buffer-usage] Add fix-its for function parameters using the `span`… (authored by ziqingluo-90). · Explain Why
This revision was automatically updated to reflect the committed changes.
ziqingluo-90 added a commit: rG1e270be0886c: [-Wunsafe-buffer-usage] Add fix-its for function parameters using the `span`….
Herald added a project: Restricted Project. · View Herald TranscriptJun 9 2023, 3:55 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
lib/
Analysis/
146 lines
test/
SemaCXX/
19 lines

Diff 494147

clang/lib/Analysis/UnsafeBufferUsage.cpp

Show First 20 LinesShow All 858 Lines▼ Show 20 Linesstatic FixItList fixVarDeclWithSpan(const VarDecl *D, const ASTContext &Ctx,
raw_svector_ostream OS(Replacement); raw_svector_ostream OS(Replacement);
OS << "std::span<" << SpanEltT.getAsString() << "> " << D->getName(); OS << "std::span<" << SpanEltT.getAsString() << "> " << D->getName();
FixIts.push_back(FixItHint::CreateReplacement( FixIts.push_back(FixItHint::CreateReplacement(
SourceRange{D->getBeginLoc(), ReplacementLastLoc}, OS.str())); SourceRange{D->getBeginLoc(), ReplacementLastLoc}, OS.str()));
return FixIts; return FixIts;
} }
static FixItList fixParamWithSpan(const ParmVarDecl *PVD,
const ASTContext &Ctx) {
// TODO detect and bail
// templates
// variadic functions
// default parameter values - in any redeclaration
// virtual method
NoQUnsubmitted
Done
ReplyInline Actions

I suspect that it's always going to be "the whole TU", given that Sema is currently at the end of TU parsing (because that's where we put our analysis).

I recommend adding some tests with namespaces and other situations when functions are nested into something. Esp. when the out-of-line definition may be lexically available outside of the scope, eg.

namespace N {
  void foo();
}

void N::foo() {
  // implementation
}

where the compatibility overload has to go into the right namespace and the implementation of the compatibility overload has to be correctly prefixed with N::.

NoQ: I suspect that it's always going to be "the whole TU", given that Sema is currently at the end…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

This is very valuable comment that points out a big hole in my patch. Now it should be fixed. Thank you.

ziqingluo-90: This is very valuable comment that points out a big hole in my patch. Now it should be fixed.
// any method (for now)
jkorousUnsubmitted
Not Done
ReplyInline Actions

This TODO will hopefully no longer be true after we land.
https://reviews.llvm.org/D146342

jkorous: This TODO will hopefully no longer be true after we land. https://reviews.llvm.org/D146342
// TODO can there be exception spec or some other block between signature and body that could refer to params?
FixItList FixIts{};
auto * FD = dyn_cast<clang::FunctionDecl>(PVD->getDeclContext());
if (!FD) {
NoQUnsubmitted
Not Done
ReplyInline Actions

Wait, did we decide to emit the #if check at every function after all?

I'd much rather temporarily emit the raw attribute without the check, than temporarily emit an #if, because the raw attribute is desired at least in some cases, but #if next to the function is never desired.

NoQ: Wait, did we decide to emit the `#if` check at every function after all? I'd much rather…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

oh yes, I should have made the raw attribute the default case here. More advanced cases of dealing with attributes are addressed in this patch.

ziqingluo-90: oh yes, I should have made the raw attribute the default case here. More advanced cases of…
// TODO error handling
return {};
}
jkorousUnsubmitted
Not Done
ReplyInline Actions

IMO we should wrap this in some macro to make it user-friendlier.

Something like:

#ifndef UNSAFE_BUFFER_USAGE
#if __has_cpp_attribute(clang::unsafe_buffer_usage)
#define UNSAFE_BUFFER_USAGE [[clang::unsafe_buffer_usage]]
#else
#define UNSAFE_BUFFER_USAGE 
#endif
#endif

so the code (from our fix-its or written by the users) can look like this:

UNSAFE_BUFFER_USAGE void unsafe_foo(int* ptr, unsigned size);

...and we need to figure where exactly should the macro live (or if there should be multiple definitions, etc.).

I would love to hear @NoQ's thoughts on this topic.

jkorous: IMO we should wrap this in some macro to make it user-friendlier. Something like: ``` #ifndef…
NoQUnsubmitted
Not Done
ReplyInline Actions

That's, uh, interesting. We want users to use a macro of this kind and we need the macro to be defined, just like we want the users to use span and we want <span> to be included. But unlike #include <span>, we *really* don't want users to define the macro manually every time they need it. Instead we want it defined manually in some centralized place, and have the fixit machine pick it up from there.

So I think the fixit machine should never suggest *definining* the macro. That's the opposite of what we want.

On the other hand, there's a moderately famous precedent of compiler picking up an existing macro, namely the attribute [[fallthrough]]:

So I think we can try to build something similar.

NoQ: That's, uh, interesting. We want users to use a macro of this kind and we need the macro to be…
NoQUnsubmitted
Not Done
ReplyInline Actions

I think we have to go with raw [[clang::unsafe_buffer_usage]] for now. We can implement macro detection later, but we shouldn't insert preprocessor directives ourselves, because that's absolutely not how we want the final code to look.

NoQ: I think we have to go with raw `[[clang::unsafe_buffer_usage]]` for now. We can implement macro…
// TODO assert param is a pointer
// TODO iterate all re-decls
// TODO respect indentation of the original code
// TODO don't hardcode line delimiter - follow what the source file uses
// example:
NoQUnsubmitted
Not Done
ReplyInline Actions

Need to test this with various anonymous functions:

NoQ: Need to test this with various anonymous functions: * constructors/destructors of anonymous…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

These cases are not supported in this patch. (see the guard at lines 1358--1366).

ziqingluo-90: These cases are not supported in this patch. (see the guard at lines 1358--1366).
// void foo(int* ptr) { ... }
// goal:
// [[clang::unsafe_buffer_usage]] void foo(int* ptr) { std::span(ptr, <# size #>) }
// void foo(int* ptr) { ... }
const SourceManager &SM = Ctx.getSourceManager();
// TODO desugaring might be undesirable in some cases
jkorousUnsubmitted
Not Done
ReplyInline Actions

Sorry, the example below is unrelated. What I meant is that we shouldn't for example use \n on Windows.
EDIT: We also realized during an offline discussion that we should have our tests reflect that (somehow).

jkorous: Sorry, the example below is unrelated. What I meant is that we shouldn't for example use `\n`…
// e.g. std::string -> std::basic_string<...>
// Maybe this is predominantly specific to std?
const std::string newSpanTypeSpelling = "std::span<" + PVD->getType().getDesugaredType(Ctx)->getPointeeType().getAsString() + ">";
const std::string compatOverloadNameAndSignature = [&]() -> std::string {
// TODO what about for example "static" - would it be included?
std::string result =
"[[clang::unsafe_buffer_usage]] "
+ std::string(
SM.getCharacterData(FD->getBeginLoc()),
SM.getCharacterData(FD->getBody()->getBeginLoc())
);
while(!result.empty()) {
// TODO don't hardcode - use the is horiz whitespace function
if (result.back() == ' ')
result.pop_back();
else
break;
}
jkorousUnsubmitted
Not Done
ReplyInline Actions

We should not use the attribute directly - instead we should have a macro that gates it with __has_cpp_attribute.
https://clang.llvm.org/docs/LanguageExtensions.html#has-cpp-attribute

jkorous: We should not use the attribute directly - instead we should have a macro that gates it with…
jkorousUnsubmitted
Not Done
ReplyInline Actions

Also, we need to think about how do we vend the macro.

jkorous: Also, we need to think about how do we vend the macro.
return result;
}();
NoQUnsubmitted
Done
ReplyInline Actions
static std::optional<FixItList>
- creatingOverloadsForFixedParams(unsigned ParmIdx, StringRef NewTyText,
+ createOverloadsForFixedParams(unsigned ParmIdx, StringRef NewTyText,
const FunctionDecl *FD, const ASTContext &Ctx,

I'm a big fan of Present Simple all the way, unless there's a really good reason.

NoQ: I'm a big fan of Present Simple all the way, unless there's a really good reason.
const std::string compatOverloadDef = [&]() -> std::string {
// create compat overload definition
std::string compatOverloadDef =
compatOverloadNameAndSignature + "\n" +
"{\n" +
" return " + FD->getNameInfo().getAsString() + "(";
for (ParmVarDecl * Param : FD->parameters()) {
// FIXME We currently don't support class methods (implicit this).
if (Param->isImplicit())
return std::string{}; // TODO error handling
// FIXME if a param doesn't have a name - add a name in the signature of compat overload and use it here to pass to the original overload
if (Param->getNameAsString().empty())
return std::string{}; // TODO error handling
if (Param == PVD) {
// This is our spanified paramter!
// TODO don't hardcode the placeholder
compatOverloadDef += newSpanTypeSpelling + "("+Param->getNameAsString() + ", <# size #>)";
} else {
// TODO some args need to be std::move()-ed - e. g. unique_ptr<T>
compatOverloadDef += Param->getNameAsString();
}
compatOverloadDef += ", ";
}
// remove the last ", "
compatOverloadDef.pop_back();
compatOverloadDef.pop_back();
// finish call
compatOverloadDef += ");\n";
// finish body
compatOverloadDef += "}\n";
// FIXME 80-char line formatting?
return compatOverloadDef;
}();
if (compatOverloadDef.empty())
NoQUnsubmitted
Done
ReplyInline Actions
// print parameter name if provided:
- if (Parm->getIdentifier())
- SS << " " << Parm->getIdentifier()->getName().str();
+ if (IdentifierInfo *II = Parm->getIdentifier())
+ SS << " " << II->getName().str();
} else if (auto ParmTypeText =

Slightly more C++-y this way.

NoQ: Slightly more C++-y this way.
return {}; // TODO error-handling
NoQUnsubmitted
Not Done
ReplyInline Actions

What happens if these are in different FileIDs? Do we end up with a pair of pointers into unrelated buffers? (Eg., macro expansions, or #include in the middle of the function declaration.)

NoQ: What happens if these are in different FileIDs? Do we end up with a pair of pointers into…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

This is a good point! I should have just obtained text representation of each part (i.e., return type and function name) separately.

ziqingluo-90: This is a good point! I should have just obtained text representation of each part (i.e.
for (FunctionDecl *FReDecl : FD->redecls()) {
if (FReDecl->isThisDeclarationADefinition()) {
// define compatibility overload
// We need to call the origin overload from the compatibility overload.
// Let's make sure it has been defined before the call-site by adding the definition
// below the definition of the original overload.
FixIts.emplace_back(
FixItHint::CreateInsertion(
FReDecl->getEndLoc().getLocWithOffset(1),
"\n" + compatOverloadDef)
);
} else {
// declare compatibility overload
// Declarations commonly have Doxygen comments or other similar form of documentation.
// In order to not break the documentation we'll add the compatibility overload below the orginal one.
// FIXME: I failed to get location of the ; after the declaration so I am adding one before the compatiblity overload.
FixIts.emplace_back(
FixItHint::CreateInsertion(FReDecl->getEndLoc().getLocWithOffset(1), ";\n" + compatOverloadNameAndSignature)
);
}
// get ParmVar redecl in current function redecl that corresponds to PVD
ParmVarDecl* const PVReDecl = FReDecl->getParamDecl(PVD->getFunctionScopeIndex());
// change parameter type in the original overload
FixIts.emplace_back(
FixItHint::CreateReplacement(
clang::CharSourceRange::getCharRange(
PVReDecl->getTypeSourceInfo()->getTypeLoc().getBeginLoc(),
PVReDecl->getTypeSourceInfo()->getTypeLoc().getEndLoc().getLocWithOffset(1)
),
newSpanTypeSpelling + " "
)
);
}
return FixIts;
}
static FixItList fixVariableWithSpan(const VarDecl *VD, static FixItList fixVariableWithSpan(const VarDecl *VD,
const DeclUseTracker &Tracker, const DeclUseTracker &Tracker,
const ASTContext &Ctx, const ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
const DeclStmt *DS = Tracker.lookupDecl(VD); const DeclStmt *DS = Tracker.lookupDecl(VD);
assert(DS && "Fixing non-local variables not implemented yet!"); assert(DS && "Fixing non-local variables not implemented yet!");
if (!DS->isSingleDecl()) { if (!DS->isSingleDecl()) {
// FIXME: to support handling multiple `VarDecl`s in a single `DeclStmt` // FIXME: to support handling multiple `VarDecl`s in a single `DeclStmt`
Show All 9 Lines
} }
static FixItList fixVariable(const VarDecl *VD, Strategy::Kind K, static FixItList fixVariable(const VarDecl *VD, Strategy::Kind K,
const DeclUseTracker &Tracker, const DeclUseTracker &Tracker,
const ASTContext &Ctx, const ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
switch (K) { switch (K) {
case Strategy::Kind::Span: { case Strategy::Kind::Span: {
if (VD->getType()->isPointerType()) if (VD->getType()->isPointerType()) {
if (const auto *PVD = dyn_cast<ParmVarDecl>(VD)) {
return fixParamWithSpan(PVD, Ctx);
}
return fixVariableWithSpan(VD, Tracker, Ctx, Handler); return fixVariableWithSpan(VD, Tracker, Ctx, Handler);
}
// TODO shouldn't we return std::nullopt instead?
return {}; return {};
} }
case Strategy::Kind::Iterator: case Strategy::Kind::Iterator:
case Strategy::Kind::Array: case Strategy::Kind::Array:
case Strategy::Kind::Vector: case Strategy::Kind::Vector:
llvm_unreachable("Strategy not implemented yet!"); llvm_unreachable("Strategy not implemented yet!");
case Strategy::Kind::Wontfix: case Strategy::Kind::Wontfix:
llvm_unreachable("Invalid strategy!"); llvm_unreachable("Invalid strategy!");
} }
} }
// Returns true iff there exists a `FixItHint` 'h' in `FixIts` such that the // Returns true iff there exists a `FixItHint` 'h' in `FixIts` such that the
// `RemoveRange` of 'h' overlaps with a macro use. // `RemoveRange` of 'h' overlaps with a macro use.
static bool overlapWithMacro(const FixItList &FixIts) { static bool overlapWithMacro(const FixItList &FixIts) {
// FIXME: For now we only check if the range (or the first token) is (part of) // FIXME: For now we only check if the range (or the first token) is (part of)
// a macro expansion. Ideally, we want to check for all tokens in the range. // a macro expansion. Ideally, we want to check for all tokens in the range.
return llvm::any_of(FixIts, [](const FixItHint &Hint) { return llvm::any_of(FixIts, [](const FixItHint &Hint) {
auto BeginLoc = Hint.RemoveRange.getBegin(); auto BeginLoc = Hint.RemoveRange.getBegin();
if (BeginLoc.isMacroID()) if (BeginLoc.isMacroID())
// If the range (or the first token) is (part of) a macro expansion: // If the range (or the first token) is (part of) a macro expansion:
t-rasmudUnsubmitted
Done
ReplyInline Actions

Minor nit: Changing function name to createOverloadsForFixedParams would need to reflect here as well.

t-rasmud: Minor nit: Changing function name to `createOverloadsForFixedParams` would need to reflect here…
return true; return true;
return false; return false;
}); });
} }
static std::map<const VarDecl *, FixItList> static std::map<const VarDecl *, FixItList>
getFixIts(FixableGadgetSets &FixablesForUnsafeVars, const Strategy &S, getFixIts(FixableGadgetSets &FixablesForUnsafeVars, const Strategy &S,
const DeclUseTracker &Tracker, const ASTContext &Ctx, const DeclUseTracker &Tracker, const ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
NoQUnsubmitted
Not Done
ReplyInline Actions

Does this work correctly if the pointee type is an anonymous struct? It probably does (given that anonymous structs can't be used directly, and typedefs aren't skipped here).

I suspect it's more reliable to copy-paste the original spelling of the type from the source code than to rely on pretty-printing, but it could have other problems (eg., there's a typedef that covers the *).

NoQ: Does this work correctly if the pointee type is an anonymous struct? It probably does (given…
NoQUnsubmitted
Not Done
ReplyInline Actions

We should definitely add a test for this even if it's already working correctly, because people love their .getCanonicalType() and I can easily see somebody adding it to the code later for some unrelated reason. They need to know that typedefs can't be dropped here.

NoQ: We should definitely add a test for this even if it's already working correctly, because people…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

I hadn't thought of anonymous structs. They can be a problem.
But I think the problem is that we cannot getPointeeType() from a pointer-to an anonymous type.
For example,

typedef struct {int x;} * ANON_PTR;
void foo(ANON_PTR p) {
  ... p[5];
}

One of the generated fix-its looks like this
std::span<struct (unnamed struct at clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp:7:9)> q

Actually, getCanonicalType() is not a problem in the cases that we can handle. For example,

typedef struct {int x;} ANON_S;
typedef ANON_S * ANON_PTR;

void foo(ANON_PTR p) {  ... }

getCanonicalType() returns ANON_S for the pointee type of the type of p. If ANON_S is defined by a named struct, getCanonicalType() returns the named struct.

ziqingluo-90: I hadn't thought of anonymous structs. They can be a problem. But I think the problem is that…
std::map<const VarDecl *, FixItList> FixItsForVariable; std::map<const VarDecl *, FixItList> FixItsForVariable;
for (const auto &[VD, Fixables] : FixablesForUnsafeVars.byVar) { for (const auto &[VD, Fixables] : FixablesForUnsafeVars.byVar) {
FixItsForVariable[VD] = fixVariable(VD, S.lookup(VD), Tracker, Ctx, Handler); FixItsForVariable[VD] = fixVariable(VD, S.lookup(VD), Tracker, Ctx, Handler);
// If we fail to produce Fix-It for the declaration we have to skip the // If we fail to produce Fix-It for the declaration we have to skip the
// variable entirely. // variable entirely.
if (FixItsForVariable[VD].empty()) { if (FixItsForVariable[VD].empty()) {
FixItsForVariable.erase(VD); FixItsForVariable.erase(VD);
continue; continue;
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Linesvoid clang::checkUnsafeBufferUsage(const Decl *D,
{ {
auto [FixableGadgets, WarningGadgets, TrackerRes] = findGadgets(D); auto [FixableGadgets, WarningGadgets, TrackerRes] = findGadgets(D);
UnsafeOps = groupWarningGadgetsByVar(std::move(WarningGadgets)); UnsafeOps = groupWarningGadgetsByVar(std::move(WarningGadgets));
FixablesForUnsafeVars = groupFixablesByVar(std::move(FixableGadgets)); FixablesForUnsafeVars = groupFixablesByVar(std::move(FixableGadgets));
Tracker = std::move(TrackerRes); Tracker = std::move(TrackerRes);
} }
// Filter out non-local vars and vars with unclaimed DeclRefExpr-s. // Filter out vars with unclaimed DeclRefExpr-s.
for (auto it = FixablesForUnsafeVars.byVar.cbegin(); for (auto it = FixablesForUnsafeVars.byVar.cbegin();
it != FixablesForUnsafeVars.byVar.cend();) { it != FixablesForUnsafeVars.byVar.cend();) {
// FIXME: Support ParmVarDecl as well. if (Tracker.hasUnclaimedUses(it->first)) {
if (!it->first->isLocalVarDecl() || Tracker.hasUnclaimedUses(it->first)) {
it = FixablesForUnsafeVars.byVar.erase(it); it = FixablesForUnsafeVars.byVar.erase(it);
} else { } else {
++it; ++it;
} }
} }
llvm::SmallVector<const VarDecl *, 16> UnsafeVars; llvm::SmallVector<const VarDecl *, 16> UnsafeVars;
for (const auto &[VD, ignore] : FixablesForUnsafeVars.byVar) for (const auto &[VD, ignore] : FixablesForUnsafeVars.byVar)
Show All 23 Lines

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp

  • This file was added.
// RUN: %clang_cc1 -std=c++20 -Wunsafe-buffer-usage -fdiagnostics-parseable-fixits %s 2>&1 | FileCheck %s
// TODO test with #include-d file
// TODO test if there's not a single character in the file after a decl or def
void local_array_subscript_simple(int *p);
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:35-[[@LINE-1]]:40}:"std::span<int> "
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:42-[[@LINE-2]]:42}:";\n{{..}}clang::unsafe_buffer_usage{{..}} void local_array_subscript_simple(int *p)"
void local_array_subscript_simple(int *a);
jkorousUnsubmitted
Not Done
ReplyInline Actions

Oh, yes, this is fun. I hope I will eventually convince FileCheck this C++ attributes are not substitution blocks 😅

https://llvm.org/docs/CommandGuide/FileCheck.html#filecheck-string-substitution-blocks

jkorous: Oh, yes, this is fun. I hope I will eventually convince FileCheck this C++ attributes are not…
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:35-[[@LINE-1]]:40}:"std::span<int> "
NoQUnsubmitted
Done
ReplyInline Actions
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:1-[[@LINE-1]]:1}:"#if __has_cpp_attribute(clang::unsafe_buffer_usage)\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}}\n#endif\n"
- // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:20-[[@LINE-2]]:20}:";\nvoid simple(std::span<int>)"
+ // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:20-[[@LINE-2]]:20}:";\nvoid simple(std::span<int>);"
#else

Is there a semicolon at the end?

Also, do we want to preserve the parameter name p here, given that it's available on the respective redeclaration?

NoQ: Is there a semicolon at the end? Also, do we want to preserve the parameter name `p` here…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

No. There is no semicolon. The idea is that the fix-it tries to append a new function decl A; to a function decl B; but there is no obvious way to get the end location of B;. We only have the end location of B. So the fix-it inserts ;A to the end of B.

ziqingluo-90: No. There is no semicolon. The idea is that the fix-it tries to append a new function decl…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

I did think about whether preserving the parameter name is necessary and didn't find a strong reason to do so.
A minor reason could be that if contracts are introduced in C++ one day, parameters in declarations need to have names so that contracts can refer to them.

I will add names to fix-its. Also I will be happy to hear any other benefits of doing that.

ziqingluo-90: I did think about whether preserving the parameter name is necessary and didn't find a strong…
NoQUnsubmitted
Not Done
ReplyInline Actions

Parameter name could be a valuable hint to the user about the purpose of the parameter. The user doesn't necessarily see the implementation, and it's not like we're copying over the comments before the function. So out of the few ways the caller can figure out what to put there, this could be the most important one.

NoQ: Parameter name could be a valuable hint to the user about the purpose of the parameter. The…
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:42-[[@LINE-2]]:42}:";\n{{..}}clang::unsafe_buffer_usage{{..}} void local_array_subscript_simple(int *p)"
void local_array_subscript_simple(int *p) {
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:35-[[@LINE-1]]:40}:"std::span<int> "
int tmp;
tmp = p[5];
}
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:2-[[@LINE-1]]:2}:"\n{{..}}clang::unsafe_buffer_usage{{..}} void local_array_subscript_simple(int *p)\n{\n return local_array_subscript_simple(std::span<int>(p, <# size #>));\n}\n"
NoQUnsubmitted
Not Done
ReplyInline Actions
#define FUN_NAME(x) _##x##_
- // The analyzer reads `void FUNNAME(macro_defined_name)(` from the
+ // The compiler reads `void FUN_NAME(macro_defined_name)(` from the
// source file. The MACRO and this source file have different
// FileIDs.
void FUN_NAME(macro_defined_name)(int * x) {
NoQ: