This is an archive of the discontinued LLVM Phabricator instance.

Differential D143133

[-Wunsafe-buffer-usage][WIP] Add fixit for variables that have an assignment from another spanified pointer
AbandonedPublic

Authored by t-rasmud on Feb 1 2023, 8:10 PM.

Details

Reviewers
jkorous
NoQ
ziqingluo-90
malavikasamak

Diff Detail

Event Timeline

t-rasmud created this revision.Feb 1 2023, 8:10 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 1 2023, 8:10 PM
t-rasmud requested review of this revision.Feb 1 2023, 8:10 PM
Harbormaster completed remote builds in B211375: Diff 494152.Feb 1 2023, 8:10 PM
NoQ added a comment.Feb 6 2023, 3:52 PM

Ooo, that's a big one. Our first fixable that can connect multiple variables together. IIUC this patch doesn't yet teach the strategy machine how to pick related strategies for related variables, it just teaches the fixit machine what to do when the strategy is already picked.

clang/lib/Analysis/UnsafeBufferUsage.cpp
463–465

Shouldn't it also claim the RHS? Otherwise, how would the machine know that it's covered?

761

I suspect you want to check the strategy for LHS here as well. Just because the method was called, doesn't mean we plan to use span over it specifically.

1046

Oh, that's probably why it worked without the other claim!

NoQ added a comment.Feb 7 2023, 3:53 PM

Wait, I completely misread, you *were* trying to mutate the strategy. I think it makes sense to split this work the way I thought it's already split: first get fixits when the strategy is already set (which this patch almost has), then try to figure out how to mutate and fixpoint-iterate-over the strategy.

t-rasmud updated this revision to Diff 495958.Feb 8 2023, 2:37 PM

WIP: Fixable for ptr1 = ptr2 when both LHS and RHS have their fixit strategies set as std::span.

Harbormaster completed remote builds in B212695: Diff 495958.Feb 8 2023, 2:38 PM
t-rasmud updated this revision to Diff 496243.Feb 9 2023, 2:41 PM
Harbormaster completed remote builds in B212897: Diff 496243.Feb 9 2023, 2:41 PM
t-rasmud updated this revision to Diff 496267.Feb 9 2023, 3:44 PM
  • Fixes crash caused by FixableGadgetSets and WarningGadgetSets being unique pointers in the context of multiple declaration gadgets.
Harbormaster completed remote builds in B212915: Diff 496267.Feb 9 2023, 3:45 PM
t-rasmud updated this revision to Diff 496269.Feb 9 2023, 3:47 PM
Harbormaster completed remote builds in B212916: Diff 496269.Feb 9 2023, 3:47 PM
NoQ added a comment.Feb 9 2023, 4:08 PM

Aha, great! Looks like our fancy ownership model couldn't handle shared ownership for multi-variable gadgets, so we're back to raw pointers. Works for me, it's not like they're buffers or something. I have minor nitpicks and then I think we can land!

clang/lib/Analysis/UnsafeBufferUsage.cpp
452–453

I think this overruns the 80-column limit.

463–464

I think these checks should be included in the matcher(). There could be a different Fixable that takes care of these non-variable cases, and if there indeed is one, we really don't want to it to overlap with this Fixable.

691

clang-format will probably recommend a space there.

1041

Now that they're in the same scope, the move doesn't really accomplish anything. You can probably drop the Tracker variable and rename TrackerRes to Tracker.

t-rasmud updated this revision to Diff 496282.Feb 9 2023, 4:37 PM
t-rasmud marked 3 inline comments as done.

Address feedback.

Harbormaster completed remote builds in B212930: Diff 496282.Feb 9 2023, 4:38 PM
ziqingluo-90 added inline comments.Feb 9 2023, 5:30 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
467

Since the matcher only requires PtrLHS (or PtrRHS) to be Expr instead of specifically DeclRefExpr, we could have LDRE (or RDRE respectively) be null here.

jkorous added inline comments.Feb 9 2023, 10:09 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
467

I am wondering if we should simply move the logic related to DeclRefExpr and IgnoreParenImpCasts to the matcher() method (expressed as AST matcher).

t-rasmud updated this revision to Diff 496613.Feb 10 2023, 3:16 PM
t-rasmud marked 4 inline comments as done.
t-rasmud marked 2 inline comments as done.Feb 13 2023, 9:08 AM

Friendly Ping @jkorous @ziqingluo-90 @NoQ

jkorous added inline comments.Feb 13 2023, 10:36 AM
clang/lib/Analysis/UnsafeBufferUsage.cpp
425

Nit: assignment seems to have only one form :)

758

Isn't LeftDRE identical to PtrLHS and RightDRE identical to PtrRHS?

NoQ added a comment.Feb 15 2023, 6:53 PM

We've noticed a subtle problem offline yesterday: sounds like if fixits for both sides are desired (like in the primary test case) but one of them can't be emitted (eg., due to unsupported variable use) then the other fixit alone will be incorrect: it'll act as if both p and q are spanified, so it'll emit no change for p = q. Also generally, we really don't want users to apply fixits for p and q independently; that won't lead to correct code. So it sounds like we cannot land this patch until we learn how to group related variables together.

NoQ mentioned this in D142795: [-Wunsafe-buffer-usage] Add Fixable for dereference of simple ptr arithmetic.Feb 23 2023, 4:54 PM
NoQ mentioned this in D145739: [-Wunsafe-buffer-usage] Group variables associated by pointer assignments.Mar 13 2023, 3:51 PM
t-rasmud abandoned this revision.Mar 14 2023, 11:42 AM

Abandoning patch in favor of D145739

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
Analyses/
1 line
lib/
Analysis/
88 lines
test/
SemaCXX/
43 lines

Diff 496613

clang/include/clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def

Show All 25 Lines
#endif #endif
WARNING_GADGET(Increment) WARNING_GADGET(Increment)
WARNING_GADGET(Decrement) WARNING_GADGET(Decrement)
WARNING_GADGET(ArraySubscript) WARNING_GADGET(ArraySubscript)
WARNING_GADGET(PointerArithmetic) WARNING_GADGET(PointerArithmetic)
WARNING_GADGET(UnsafeBufferUsageAttr) WARNING_GADGET(UnsafeBufferUsageAttr)
FIXABLE_GADGET(ULCArraySubscript) FIXABLE_GADGET(ULCArraySubscript)
FIXABLE_GADGET(PointerAssignment)
#undef FIXABLE_GADGET #undef FIXABLE_GADGET
#undef WARNING_GADGET #undef WARNING_GADGET
#undef GADGET #undef GADGET

clang/lib/Analysis/UnsafeBufferUsage.cpp

Show First 20 LinesShow All 416 Lines▼ Show 20 Linespublic:
virtual DeclUseList getClaimedVarUseSites() const override { virtual DeclUseList getClaimedVarUseSites() const override {
if (const auto *DRE = dyn_cast<DeclRefExpr>(Node->getBase()->IgnoreImpCasts())) { if (const auto *DRE = dyn_cast<DeclRefExpr>(Node->getBase()->IgnoreImpCasts())) {
return {DRE}; return {DRE};
} }
return {}; return {};
} }
}; };
/// A pointer assignment expression of one of the forms:
jkorousUnsubmitted
Not Done
ReplyInline Actions

Nit: assignment seems to have only one form :)

jkorous: Nit: assignment seems to have only one form :)
/// \code
/// p = q;
/// \endcode
class PointerAssignmentGadget : public FixableGadget {
private:
static constexpr const char *const PointerAssignemntTag = "ptrAssign";
static constexpr const char *const PointerAssignLHSTag = "ptrLHS";
static constexpr const char *const PointerAssignRHSTag = "ptrRHS";
const BinaryOperator *PA; // pointer arithmetic expression
const DeclRefExpr * PtrLHS; // the LHS pointer expression in `PA`
const DeclRefExpr * PtrRHS; // the RHS pointer expression in `PA`
public:
PointerAssignmentGadget(const MatchFinder::MatchResult &Result)
: FixableGadget(Kind::PointerAssignment),
PA(Result.Nodes.getNodeAs<BinaryOperator>(PointerAssignemntTag)),
PtrLHS(Result.Nodes.getNodeAs<DeclRefExpr>(PointerAssignLHSTag)),
PtrRHS(Result.Nodes.getNodeAs<DeclRefExpr>(PointerAssignRHSTag)) {
assert(PA != nullptr && "Expecting a non-null matching result");
}
static bool classof(const Gadget *G) {
return G->getKind() == Kind::PointerAssignment;
}
static Matcher matcher() {
auto PtrAtRight = allOf(hasOperatorName("="),
hasRHS(ignoringParenImpCasts(declRefExpr(hasPointerType()).bind(PointerAssignRHSTag))));
NoQUnsubmitted
Done
ReplyInline Actions

I think this overruns the 80-column limit.

NoQ: I think this overruns the 80-column limit.
auto PtrAtLeft = allOf(hasOperatorName("="),
hasLHS(declRefExpr(hasPointerType()).bind(PointerAssignLHSTag)));
return stmt(binaryOperator(allOf(PtrAtLeft, PtrAtRight)).bind(PointerAssignemntTag));
}
virtual std::optional<FixItList> getFixits(const Strategy &S) const override;
virtual const Stmt *getBaseStmt() const override { return PA; }
virtual DeclUseList getClaimedVarUseSites() const override {
NoQUnsubmitted
Done
ReplyInline Actions

I think these checks should be included in the matcher(). There could be a different Fixable that takes care of these non-variable cases, and if there indeed is one, we really don't want to it to overlap with this Fixable.

NoQ: I think these checks should be included in the `matcher()`. There could be a different Fixable…
return DeclUseList{PtrLHS, PtrRHS};
NoQUnsubmitted
Done
ReplyInline Actions

Shouldn't it also claim the RHS? Otherwise, how would the machine know that it's covered?

NoQ: Shouldn't it also claim the RHS? Otherwise, how would the machine know that it's covered?
}
};
ziqingluo-90Unsubmitted
Done
ReplyInline Actions

Since the matcher only requires PtrLHS (or PtrRHS) to be Expr instead of specifically DeclRefExpr, we could have LDRE (or RDRE respectively) be null here.

ziqingluo-90: Since the matcher only requires `PtrLHS` (or `PtrRHS`) to be `Expr` instead of specifically…
jkorousUnsubmitted
Done
ReplyInline Actions

I am wondering if we should simply move the logic related to DeclRefExpr and IgnoreParenImpCasts to the matcher() method (expressed as AST matcher).

jkorous: I am wondering if we should simply move the logic related to `DeclRefExpr` and…
/// A call of a function or method that performs unchecked buffer operations /// A call of a function or method that performs unchecked buffer operations
/// over one of its pointer parameters. /// over one of its pointer parameters.
class UnsafeBufferUsageAttrGadget : public WarningGadget { class UnsafeBufferUsageAttrGadget : public WarningGadget {
constexpr static const char *const OpTag = "call_expr"; constexpr static const char *const OpTag = "call_expr";
const CallExpr *Op; const CallExpr *Op;
public: public:
▲ Show 20 LinesShow All 207 Lines▼ Show 20 Lines for (const auto *DRE : G->getClaimedVarUseSites()) {
CB.Tracker.claimUse(DRE); CB.Tracker.claimUse(DRE);
} }
} }
return {std::move(CB.FixableGadgets), std::move(CB.WarningGadgets), std::move(CB.Tracker)}; return {std::move(CB.FixableGadgets), std::move(CB.WarningGadgets), std::move(CB.Tracker)};
} }
struct WarningGadgetSets { struct WarningGadgetSets {
std::map<const VarDecl *, std::set<std::unique_ptr<WarningGadget>>> byVar; std::map<const VarDecl *, std::set<const WarningGadget *>> byVar;
NoQUnsubmitted
Done
ReplyInline Actions
struct WarningGadgetSets {
- std::map<const VarDecl *, std::set<const WarningGadget*>> byVar;
+ std::map<const VarDecl *, std::set<const WarningGadget *>> byVar;
// These Gadgets are not related to pointer variables (e. g. temporaries).

clang-format will probably recommend a space there.

NoQ: `clang-format` will probably recommend a space there.
// These Gadgets are not related to pointer variables (e. g. temporaries). // These Gadgets are not related to pointer variables (e. g. temporaries).
llvm::SmallVector<std::unique_ptr<WarningGadget>, 16> noVar; llvm::SmallVector<const WarningGadget *, 16> noVar;
}; };
static WarningGadgetSets static WarningGadgetSets
groupWarningGadgetsByVar(WarningGadgetList &&AllUnsafeOperations) { groupWarningGadgetsByVar(const WarningGadgetList &AllUnsafeOperations) {
WarningGadgetSets result; WarningGadgetSets result;
// If some gadgets cover more than one // If some gadgets cover more than one
// variable, they'll appear more than once in the map. // variable, they'll appear more than once in the map.
for (auto &G : AllUnsafeOperations) { for (auto &G : AllUnsafeOperations) {
DeclUseList ClaimedVarUseSites = G->getClaimedVarUseSites(); DeclUseList ClaimedVarUseSites = G->getClaimedVarUseSites();
bool AssociatedWithVarDecl = false; bool AssociatedWithVarDecl = false;
for (const DeclRefExpr *DRE : ClaimedVarUseSites) { for (const DeclRefExpr *DRE : ClaimedVarUseSites) {
if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) { if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) {
result.byVar[VD].emplace(std::move(G)); result.byVar[VD].insert(G.get());
AssociatedWithVarDecl = true; AssociatedWithVarDecl = true;
} }
} }
if (!AssociatedWithVarDecl) { if (!AssociatedWithVarDecl) {
result.noVar.emplace_back(std::move(G)); result.noVar.push_back(G.get());
continue; continue;
} }
} }
return result; return result;
} }
struct FixableGadgetSets { struct FixableGadgetSets {
std::map<const VarDecl *, std::set<std::unique_ptr<FixableGadget>>> byVar; std::map<const VarDecl *, std::set<const FixableGadget *>> byVar;
}; };
static FixableGadgetSets static FixableGadgetSets
groupFixablesByVar(FixableGadgetList &&AllFixableOperations) { groupFixablesByVar(FixableGadgetList &&AllFixableOperations) {
FixableGadgetSets FixablesForUnsafeVars; FixableGadgetSets FixablesForUnsafeVars;
for (auto &F : AllFixableOperations) { for (auto &F : AllFixableOperations) {
DeclUseList DREs = F->getClaimedVarUseSites(); DeclUseList DREs = F->getClaimedVarUseSites();
for (const DeclRefExpr *DRE : DREs) { for (const DeclRefExpr *DRE : DREs) {
if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) { if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) {
FixablesForUnsafeVars.byVar[VD].emplace(std::move(F)); FixablesForUnsafeVars.byVar[VD].insert(F.get());
} }
} }
} }
return FixablesForUnsafeVars; return FixablesForUnsafeVars;
} }
std::optional<FixItList> std::optional<FixItList>
ULCArraySubscriptGadget::getFixits(const Strategy &S) const { ULCArraySubscriptGadget::getFixits(const Strategy &S) const {
if (const auto *DRE = dyn_cast<DeclRefExpr>(Node->getBase()->IgnoreImpCasts())) if (const auto *DRE = dyn_cast<DeclRefExpr>(Node->getBase()->IgnoreImpCasts()))
if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) { if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) {
switch (S.lookup(VD)) { switch (S.lookup(VD)) {
case Strategy::Kind::Span: case Strategy::Kind::Span:
return FixItList{}; return FixItList{};
case Strategy::Kind::Wontfix: case Strategy::Kind::Wontfix:
case Strategy::Kind::Iterator: case Strategy::Kind::Iterator:
case Strategy::Kind::Array: case Strategy::Kind::Array:
case Strategy::Kind::Vector: case Strategy::Kind::Vector:
llvm_unreachable("unsupported strategies for FixableGadgets"); llvm_unreachable("unsupported strategies for FixableGadgets");
} }
} }
return std::nullopt; return std::nullopt;
} }
std::optional<FixItList>
PointerAssignmentGadget::getFixits(const Strategy &S) const {
if (const auto *LeftDRE = dyn_cast<DeclRefExpr>(PA->getLHS()->IgnoreImpCasts()))
jkorousUnsubmitted
Not Done
ReplyInline Actions

Isn't LeftDRE identical to PtrLHS and RightDRE identical to PtrRHS?

jkorous: Isn't `LeftDRE` identical to `PtrLHS` and `RightDRE` identical to `PtrRHS`?
if (const VarDecl *LeftVD = dyn_cast<VarDecl>(LeftDRE->getDecl()))
if (const auto *RightDRE = dyn_cast<DeclRefExpr>(PA->getRHS()->IgnoreImpCasts()))
if (const VarDecl *RightVD = dyn_cast<VarDecl>(RightDRE->getDecl())) {
NoQUnsubmitted
Done
ReplyInline Actions

I suspect you want to check the strategy for LHS here as well. Just because the method was called, doesn't mean we plan to use span over it specifically.

NoQ: I suspect you want to check the strategy for LHS here as well. Just because the method was…
switch (S.lookup(LeftVD)) {
case Strategy::Kind::Span:
if (S.lookup(RightVD) == Strategy::Kind::Span)
return FixItList{};
return std::nullopt;
case Strategy::Kind::Wontfix:
case Strategy::Kind::Iterator:
case Strategy::Kind::Array:
case Strategy::Kind::Vector:
llvm_unreachable("unsupported strategies for FixableGadgets");
}
}
return std::nullopt;
}
// Return the text representation of the given `APInt Val`: // Return the text representation of the given `APInt Val`:
static std::string getAPIntText(APInt Val) { static std::string getAPIntText(APInt Val) {
SmallVector<char> Txt; SmallVector<char> Txt;
Val.toString(Txt, 10, true); Val.toString(Txt, 10, true);
// APInt::toString does not add '\0' to the end of the string for us: // APInt::toString does not add '\0' to the end of the string for us:
Txt.push_back('\0'); Txt.push_back('\0');
return Txt.data(); return Txt.data();
} }
▲ Show 20 LinesShow All 244 Lines▼ Show 20 Lines
} }
void clang::checkUnsafeBufferUsage(const Decl *D, void clang::checkUnsafeBufferUsage(const Decl *D,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
assert(D && D->getBody()); assert(D && D->getBody());
WarningGadgetSets UnsafeOps; WarningGadgetSets UnsafeOps;
FixableGadgetSets FixablesForUnsafeVars; FixableGadgetSets FixablesForUnsafeVars;
DeclUseTracker Tracker;
{ auto [FixableGadgets, WarningGadgets, Tracker] = findGadgets(D);
auto [FixableGadgets, WarningGadgets, TrackerRes] = findGadgets(D);
UnsafeOps = groupWarningGadgetsByVar(std::move(WarningGadgets)); UnsafeOps = groupWarningGadgetsByVar(std::move(WarningGadgets));
FixablesForUnsafeVars = groupFixablesByVar(std::move(FixableGadgets)); FixablesForUnsafeVars = groupFixablesByVar(std::move(FixableGadgets));
Tracker = std::move(TrackerRes);
}
NoQUnsubmitted
Done
ReplyInline Actions

Now that they're in the same scope, the move doesn't really accomplish anything. You can probably drop the Tracker variable and rename TrackerRes to Tracker.

NoQ: Now that they're in the same scope, the move doesn't really accomplish anything. You can…
// Filter out non-local vars and vars with unclaimed DeclRefExpr-s. // Filter out non-local vars and vars with unclaimed DeclRefExpr-s.
for (auto it = FixablesForUnsafeVars.byVar.cbegin(); for (auto it = FixablesForUnsafeVars.byVar.cbegin();
it != FixablesForUnsafeVars.byVar.cend();) { it != FixablesForUnsafeVars.byVar.cend();) {
// FIXME: Support ParmVarDecl as well. // FIXME: Support ParmVarDecl as well.
if (!it->first->isLocalVarDecl() || Tracker.hasUnclaimedUses(it->first)) { if (!it->first->isLocalVarDecl() || Tracker.hasUnclaimedUses(it->first)) {
NoQUnsubmitted
Done
ReplyInline Actions

Oh, that's probably why it worked without the other claim!

NoQ: Oh, that's probably why it worked without the other claim!
it = FixablesForUnsafeVars.byVar.erase(it); it = FixablesForUnsafeVars.byVar.erase(it);
} else { } else {
++it; ++it;
} }
} }
llvm::SmallVector<const VarDecl *, 16> UnsafeVars; llvm::SmallVector<const VarDecl *, 16> UnsafeVars;
for (const auto &[VD, ignore] : FixablesForUnsafeVars.byVar) for (const auto &[VD, ignore] : FixablesForUnsafeVars.byVar)
Show All 23 Lines

clang/test/SemaCXX/warn-unsafe-buffer-usage-multi-decl-fixits.cpp

  • This file was added.
// RUN: %clang_cc1 -std=c++20 -Wunsafe-buffer-usage -fdiagnostics-parseable-fixits %s 2>&1 | FileCheck %s
void local_assign_both_span() {
int tmp;
int* p = new int[10];
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"
tmp = p[4];
int* q = new int[10];
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> q"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"
tmp = q[4];
q = p;
}
void local_assign_rhs_span() {
int tmp;
int* p = new int[10];
int* q = new int[10];
tmp = q[4];
p = q;
}
void local_assign_no_span() {
int tmp;
int* p = new int[10];
int* q = new int[10];
p = q;
}
void local_assign_lhs_span() {
int tmp;
int* p = new int[10];
tmp = p[4];
int* q = new int[10];
p = q;
}