This is an archive of the discontinued LLVM Phabricator instance.

Differential D143206

[-Wunsafe-buffer-usage] Add Fixable for simple pointer dereference
ClosedPublic

Authored by malavikasamak on Feb 2 2023, 11:42 AM.

Details

Reviewers
NoQ
jkorous
t-rasmud
ziqingluo-90
xazax.hun
ymandel
aaron.ballman
sgatev
gribozavr
Commits
rGe7596a99fca6: [-Wunsafe-buffer-usage] Add Fixable for simple pointer dereference
Summary

This patch introduces PointerDereferenceGadget, a FixableGadget that emits fixits to handle cases where a pointer that is identified as unsafe is dereferenced. The current implementation only handles cases where the strategy is to change the type of the raw pointer to std::span. The fixit for this strategy is to fetch the first element from the corresponding span instance.

For example for the code below, the PointerDereferenceGadget emits a fixit for S3 (S1, S2 are to be handled by other gadgets): 
S1: int *ptr = new int[10];
S2: int val1 = ptr[k];  // Unsafe operation
S3: int val2 =  *ptr;  => Fixit: int val2 = ptr[0];

Diff Detail

Event Timeline

malavikasamak created this revision.Feb 2 2023, 11:42 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 2 2023, 11:42 AM
malavikasamak requested review of this revision.Feb 2 2023, 11:42 AM
malavikasamak added a parent revision: D142795: [-Wunsafe-buffer-usage] Add Fixable for dereference of simple ptr arithmetic.
Harbormaster completed remote builds in B211551: Diff 494390.Feb 2 2023, 11:43 AM
malavikasamak updated this revision to Diff 494691.Feb 3 2023, 11:01 AM

Changing the tests to new format

Harbormaster completed remote builds in B211768: Diff 494691.Feb 3 2023, 11:03 AM
ziqingluo-90 added a child revision: D143128: [-Wunsafe-buffer-usage] Fix-Its transforming `&DRE[any]` to `&DRE.data()[any]`.Feb 3 2023, 12:51 PM
jkorous added inline comments.Feb 6 2023, 12:09 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
471

FWIW other Fixables don't need it to keep result.

Also, I am not even entirely sure how does lifetime of Result passed to the constructor look like - since it isn't a smart pointer I'd be worried about the possibility of getting a dangling reference.

477

Nit: I think we don't want to hardcode tags ("op") but instead we should just add another tag like BaseDeclRefExprTag.

967

Ultimately we need to also handle the case when getEndCharLoc returns nullopt.

ziqingluo-90 added inline comments.Feb 9 2023, 5:14 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
972

Trying to make the same pitch as here https://reviews.llvm.org/D142795 :
why don't we replace *DRE with DRE[0] in one fix-it step? The benefit is that we can minimize the use these error-prone locations made from getLocWithOffset.

malavikasamak updated this revision to Diff 496557.Feb 10 2023, 11:01 AM

Addressing the recent comments.

malavikasamak marked 3 inline comments as done.Feb 10 2023, 11:01 AM
Harbormaster completed remote builds in B213118: Diff 496557.Feb 10 2023, 11:02 AM
jkorous added inline comments.Feb 13 2023, 10:37 AM
clang/lib/Analysis/UnsafeBufferUsage.cpp
471

Let's initialize Op to nullptr.

958

I don't think we should/need to do this - we already have the DeclRefExpr we need in BaseDeclRefExpr.

976

This unreachable is not in the if block that checks for strategy. This is likely incorrect for DeclRefExpr-s to non-VarDecl-s.

NoQ added inline comments.Feb 16 2023, 6:21 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
499–501

IIRC we wanted to move this method to WarningGadget right? So that we didn't need to implement it here? Or was there something that prevented us from doing that? In the latter case nullptr could be really bad.

959

This is another case where the check should probably be included in the matcher. There's no way we'll fix a non-variable, so it shouldn't be "fixable" (some discussion).

What are the other interesting cases that could be found here? I guess BindingDecl could be interesting. Not sure if lambda captures will show up here.

NoQ added inline comments.Feb 16 2023, 6:23 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
961

Clang-format might complain about this.

malavikasamak updated this revision to Diff 499276.Feb 21 2023, 1:25 PM
malavikasamak marked 5 inline comments as done.
malavikasamak added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
499–501

Thank you. Fixed!

958

Good catch! Thank you!

976

Fixed!

Harbormaster completed remote builds in B215096: Diff 499276.Feb 21 2023, 1:26 PM
NoQ added inline comments.Feb 21 2023, 1:48 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
958

Ok now if the Decl is not a VarDecl, the program will crash with one of the unreachables, because S.lookup(nullptr) won't find anything.

If we're sure it's always a VarDecl we should use cast<> (instead of dyn_cast<>) to crash immediately. Otherwise, we probably should check that it's a variable as part of the matcher.

Definitely worth a test.

malavikasamak updated this revision to Diff 499651.Feb 22 2023, 2:16 PM
malavikasamak added inline comments.
clang/lib/Analysis/UnsafeBufferUsage.cpp
958

Hmmm. I thought that this should always yield a VarDecl, but perhaps it's best to keep the check for it. Just in case.

Harbormaster completed remote builds in B215364: Diff 499651.Feb 22 2023, 2:18 PM
malavikasamak retitled this revision from [-Wunsafe-buffer-usage][WIP] Add Fixable for simple pointer dereference to [-Wunsafe-buffer-usage] Add Fixable for simple pointer dereference.Feb 22 2023, 2:21 PM
NoQ added inline comments.Feb 22 2023, 5:11 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
958

Yeah I think something along the lines of https://godbolt.org would have crashed it. Might be a good idea to add a test.

Another tiny nitpick, there appears to be a policy to favor early returns over nesting, this looks like a prime example of that.

malavikasamak edited the summary of this revision. (Show Details)Mar 2 2023, 11:19 AM
malavikasamak added reviewers: xazax.hun, ymandel, aaron.ballman, sgatev, gribozavr.
Herald added a subscriber: rnkovacs. · View Herald TranscriptMar 2 2023, 11:19 AM
malavikasamak added inline comments.Mar 2 2023, 11:21 AM
clang/lib/Analysis/UnsafeBufferUsage.cpp
972

TODO: I am waiting for us to establish a standard for fixit format before addressing this comment.

NoQ added inline comments.Mar 16 2023, 2:54 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
958

Uh-oh, just noticed that godbolt link is broken. Made a new one: https://godbolt.org/z/1ahTx1E37

malavikasamak updated this revision to Diff 506798.Mar 20 2023, 5:32 PM
malavikasamak marked 2 inline comments as done.

Addressing comment on VarDecl checks in matcher and early returns.

Harbormaster completed remote builds in B220592: Diff 506798.Mar 20 2023, 5:33 PM
NoQ added a comment.Mar 21 2023, 2:27 PM

The early return appears to be missing in the final patch 🤔

NoQ accepted this revision.Mar 21 2023, 2:33 PM

Oh, wait, nvm, you did the matcher thing, nice! LGTM then!

clang/lib/Analysis/UnsafeBufferUsage.cpp
907

Now that this is a matcher, we no longer need the cast to be "dynamic".

This revision is now accepted and ready to land.Mar 21 2023, 2:33 PM
malavikasamak updated this revision to Diff 507463.Mar 22 2023, 11:56 AM
malavikasamak marked an inline comment as done.
Harbormaster completed remote builds in B221100: Diff 507463.Mar 22 2023, 11:57 AM
This revision was landed with ongoing or failed builds.Mar 22 2023, 3:38 PM
Closed by commit rGe7596a99fca6: [-Wunsafe-buffer-usage] Add Fixable for simple pointer dereference (authored by malavikasamak). · Explain Why
This revision was automatically updated to reflect the committed changes.
malavikasamak added a commit: rGe7596a99fca6: [-Wunsafe-buffer-usage] Add Fixable for simple pointer dereference.
Herald added a project: Restricted Project. · View Herald TranscriptMar 22 2023, 3:38 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
MaskRay mentioned this in rG45a0433b39ff: [-Wunsafe-buffer-usage] Add [[fallthrough]] after D143206.Mar 22 2023, 9:02 PM

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
Analyses/
1 line
lib/
Analysis/
70 lines
test/
SemaCXX/
55 lines

Diff 507529

clang/include/clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def

Show All 26 Lines
WARNING_GADGET(Increment) WARNING_GADGET(Increment)
WARNING_GADGET(Decrement) WARNING_GADGET(Decrement)
WARNING_GADGET(ArraySubscript) WARNING_GADGET(ArraySubscript)
WARNING_GADGET(PointerArithmetic) WARNING_GADGET(PointerArithmetic)
WARNING_GADGET(UnsafeBufferUsageAttr) WARNING_GADGET(UnsafeBufferUsageAttr)
FIXABLE_GADGET(ULCArraySubscript) FIXABLE_GADGET(ULCArraySubscript)
FIXABLE_GADGET(DerefSimplePtrArithFixable) FIXABLE_GADGET(DerefSimplePtrArithFixable)
FIXABLE_GADGET(PointerDereference)
#undef FIXABLE_GADGET #undef FIXABLE_GADGET
#undef WARNING_GADGET #undef WARNING_GADGET
#undef GADGET #undef GADGET

clang/lib/Analysis/UnsafeBufferUsage.cpp

Show First 20 LinesShow All 457 Lines▼ Show 20 Linespublic:
virtual DeclUseList getClaimedVarUseSites() const override { virtual DeclUseList getClaimedVarUseSites() const override {
if (const auto *DRE = if (const auto *DRE =
dyn_cast<DeclRefExpr>(Node->getBase()->IgnoreImpCasts())) { dyn_cast<DeclRefExpr>(Node->getBase()->IgnoreImpCasts())) {
return {DRE}; return {DRE};
} }
return {}; return {};
} }
}; };
class PointerDereferenceGadget : public FixableGadget {
static constexpr const char *const BaseDeclRefExprTag = "BaseDRE";
static constexpr const char *const OperatorTag = "op";
const DeclRefExpr *BaseDeclRefExpr = nullptr;
jkorousUnsubmitted
Done
ReplyInline Actions

FWIW other Fixables don't need it to keep result.

Also, I am not even entirely sure how does lifetime of Result passed to the constructor look like - since it isn't a smart pointer I'd be worried about the possibility of getting a dangling reference.

jkorous: FWIW other Fixables don't need it to keep `result`. Also, I am not even entirely sure how does…
jkorousUnsubmitted
Done
ReplyInline Actions

Let's initialize Op to nullptr.

jkorous: Let's initialize `Op` to `nullptr`.
const UnaryOperator *Op = nullptr;
public:
PointerDereferenceGadget(const MatchFinder::MatchResult &Result)
: FixableGadget(Kind::PointerDereference),
BaseDeclRefExpr(
jkorousUnsubmitted
Done
ReplyInline Actions

Nit: I think we don't want to hardcode tags ("op") but instead we should just add another tag like BaseDeclRefExprTag.

jkorous: Nit: I think we don't want to hardcode tags ("op") but instead we should just add another tag…
Result.Nodes.getNodeAs<DeclRefExpr>(BaseDeclRefExprTag)),
Op(Result.Nodes.getNodeAs<UnaryOperator>(OperatorTag)) {}
static bool classof(const Gadget *G) {
return G->getKind() == Kind::PointerDereference;
}
static Matcher matcher() {
auto Target =
unaryOperator(
hasOperatorName("*"),
has(expr(ignoringParenImpCasts(
declRefExpr(to(varDecl())).bind(BaseDeclRefExprTag)))))
.bind(OperatorTag);
return expr(isInUnspecifiedLvalueContext(Target));
}
DeclUseList getClaimedVarUseSites() const override {
return {BaseDeclRefExpr};
}
virtual const Stmt *getBaseStmt() const final { return Op; }
NoQUnsubmitted
Done
ReplyInline Actions

IIRC we wanted to move this method to WarningGadget right? So that we didn't need to implement it here? Or was there something that prevented us from doing that? In the latter case nullptr could be really bad.

NoQ: IIRC we wanted to move this method to `WarningGadget` right? So that we didn't need to…
malavikasamakAuthorUnsubmitted
Done
ReplyInline Actions

Thank you. Fixed!

malavikasamak: Thank you. Fixed!
virtual std::optional<FixItList> getFixits(const Strategy &S) const override;
};
} // namespace } // namespace
namespace { namespace {
// An auxiliary tracking facility for the fixit analysis. It helps connect // An auxiliary tracking facility for the fixit analysis. It helps connect
// declarations to its and make sure we've covered all uses with our analysis // declarations to its and make sure we've covered all uses with our analysis
// before we try to fix the declaration. // before we try to fix the declaration.
class DeclUseTracker { class DeclUseTracker {
using UseSetTy = SmallSet<const DeclRefExpr *, 16>; using UseSetTy = SmallSet<const DeclRefExpr *, 16>;
▲ Show 20 LinesShow All 386 Lines▼ Show 20 Linesstatic StringRef getExprText(const Expr *E, const SourceManager &SM,
return Lexer::getSourceText( return Lexer::getSourceText(
CharSourceRange::getCharRange(E->getBeginLoc(), LastCharLoc), SM, CharSourceRange::getCharRange(E->getBeginLoc(), LastCharLoc), SM,
LangOpts); LangOpts);
} }
std::optional<FixItList> std::optional<FixItList>
DerefSimplePtrArithFixableGadget::getFixits(const Strategy &s) const { DerefSimplePtrArithFixableGadget::getFixits(const Strategy &s) const {
const VarDecl *VD = dyn_cast<VarDecl>(BaseDeclRefExpr->getDecl()); const VarDecl *VD = dyn_cast<VarDecl>(BaseDeclRefExpr->getDecl());
NoQUnsubmitted
Done
ReplyInline Actions
PointerDereferenceGadget::getFixits(const Strategy &S) const {
- const VarDecl *VD = dyn_cast<VarDecl>(BaseDeclRefExpr->getDecl());
+ const VarDecl *VD = cast<VarDecl>(BaseDeclRefExpr->getDecl());
switch (S.lookup(VD)) {

Now that this is a matcher, we no longer need the cast to be "dynamic".

NoQ: Now that this is a matcher, we no longer need the cast to be "dynamic".
if (VD && s.lookup(VD) == Strategy::Kind::Span) { if (VD && s.lookup(VD) == Strategy::Kind::Span) {
ASTContext &Ctx = VD->getASTContext(); ASTContext &Ctx = VD->getASTContext();
// std::span can't represent elements before its begin() // std::span can't represent elements before its begin()
if (auto ConstVal = Offset->getIntegerConstantExpr(Ctx)) if (auto ConstVal = Offset->getIntegerConstantExpr(Ctx))
if (ConstVal->isNegative()) if (ConstVal->isNegative())
return std::nullopt; return std::nullopt;
Show All 32 Lines if (VD && s.lookup(VD) == Strategy::Kind::Span) {
return FixItList{ return FixItList{
{FixItHint::CreateRemoval(StarWithTrailWhitespace), {FixItHint::CreateRemoval(StarWithTrailWhitespace),
FixItHint::CreateReplacement(PlusWithSurroundingWhitespace, "["), FixItHint::CreateReplacement(PlusWithSurroundingWhitespace, "["),
FixItHint::CreateReplacement(ClosingParenWithPrecWhitespace, "]")}}; FixItHint::CreateReplacement(ClosingParenWithPrecWhitespace, "]")}};
} }
return std::nullopt; // something wrong or unsupported, give up return std::nullopt; // something wrong or unsupported, give up
} }
std::optional<FixItList>
PointerDereferenceGadget::getFixits(const Strategy &S) const {
const VarDecl *VD = cast<VarDecl>(BaseDeclRefExpr->getDecl());
jkorousUnsubmitted
Done
ReplyInline Actions

I don't think we should/need to do this - we already have the DeclRefExpr we need in BaseDeclRefExpr.

jkorous: I don't think we should/need to do this - we already have the `DeclRefExpr` we need in…
malavikasamakAuthorUnsubmitted
Done
ReplyInline Actions

Good catch! Thank you!

malavikasamak: Good catch! Thank you!
NoQUnsubmitted
Not Done
ReplyInline Actions

Ok now if the Decl is not a VarDecl, the program will crash with one of the unreachables, because S.lookup(nullptr) won't find anything.

If we're sure it's always a VarDecl we should use cast<> (instead of dyn_cast<>) to crash immediately. Otherwise, we probably should check that it's a variable as part of the matcher.

Definitely worth a test.

NoQ: Ok now if the `Decl` is not a `VarDecl`, the program will crash with one of the unreachables…
malavikasamakAuthorUnsubmitted
Done
ReplyInline Actions

Hmmm. I thought that this should always yield a VarDecl, but perhaps it's best to keep the check for it. Just in case.

malavikasamak: Hmmm. I thought that this should always yield a VarDecl, but perhaps it's best to keep the…
NoQUnsubmitted
Done
ReplyInline Actions

Yeah I think something along the lines of https://godbolt.org would have crashed it. Might be a good idea to add a test.

Another tiny nitpick, there appears to be a policy to favor early returns over nesting, this looks like a prime example of that.

NoQ: Yeah I think something along the lines of https://godbolt.org would have crashed it. Might be a…
NoQUnsubmitted
Done
ReplyInline Actions

Uh-oh, just noticed that godbolt link is broken. Made a new one: https://godbolt.org/z/1ahTx1E37

NoQ: Uh-oh, just noticed that godbolt link is broken. Made a new one: https://godbolt.org/z/1ahTx1E37
switch (S.lookup(VD)) {
NoQUnsubmitted
Not Done
ReplyInline Actions

This is another case where the check should probably be included in the matcher. There's no way we'll fix a non-variable, so it shouldn't be "fixable" (some discussion).

What are the other interesting cases that could be found here? I guess BindingDecl could be interesting. Not sure if lambda captures will show up here.

NoQ: This is another case where the check should probably be included in the matcher. There's no way…
case Strategy::Kind::Span: {
ASTContext &Ctx = VD->getASTContext();
NoQUnsubmitted
Done
ReplyInline Actions
if (S.lookup(VD) == Strategy::Kind::Span) {
- ASTContext& Ctx = VD->getASTContext();
+ ASTContext &Ctx = VD->getASTContext();
SourceManager &SM = Ctx.getSourceManager();

Clang-format might complain about this.

NoQ: Clang-format might complain about this.
SourceManager &SM = Ctx.getSourceManager();
// Required changes: *(ptr); => (ptr[0]); and *ptr; => ptr[0]
// Deletes the *operand
CharSourceRange derefRange = clang::CharSourceRange::getCharRange(
Op->getBeginLoc(), Op->getBeginLoc().getLocWithOffset(1));
// Inserts the [0]
jkorousUnsubmitted
Done
ReplyInline Actions

Ultimately we need to also handle the case when getEndCharLoc returns nullopt.

jkorous: Ultimately we need to also handle the case when `getEndCharLoc` returns `nullopt`.
std::optional<SourceLocation> endOfOperand =
getEndCharLoc(BaseDeclRefExpr, SM, Ctx.getLangOpts());
if (endOfOperand) {
return FixItList{{FixItHint::CreateRemoval(derefRange),
FixItHint::CreateInsertion(
ziqingluo-90Unsubmitted
Not Done
ReplyInline Actions

Trying to make the same pitch as here https://reviews.llvm.org/D142795 :
why don't we replace *DRE with DRE[0] in one fix-it step? The benefit is that we can minimize the use these error-prone locations made from getLocWithOffset.

ziqingluo-90: Trying to make the same pitch as here [[ https://reviews.llvm.org/D142795#inline-1387715 |…
malavikasamakAuthorUnsubmitted
Done
ReplyInline Actions

TODO: I am waiting for us to establish a standard for fixit format before addressing this comment.

malavikasamak: TODO: I am waiting for us to establish a standard for fixit format before addressing this…
endOfOperand.value().getLocWithOffset(1), "[0]")}};
}
}
case Strategy::Kind::Iterator:
jkorousUnsubmitted
Done
ReplyInline Actions

This unreachable is not in the if block that checks for strategy. This is likely incorrect for DeclRefExpr-s to non-VarDecl-s.

jkorous: This unreachable is not in the if block that checks for strategy. This is likely incorrect for…
malavikasamakAuthorUnsubmitted
Done
ReplyInline Actions

Fixed!

malavikasamak: Fixed!
case Strategy::Kind::Array:
case Strategy::Kind::Vector:
llvm_unreachable("Strategy not implemented yet!");
case Strategy::Kind::Wontfix:
llvm_unreachable("Invalid strategy!");
}
return std::nullopt;
}
// For a non-null initializer `Init` of `T *` type, this function returns // For a non-null initializer `Init` of `T *` type, this function returns
// `FixItHint`s producing a list initializer `{Init, S}` as a part of a fix-it // `FixItHint`s producing a list initializer `{Init, S}` as a part of a fix-it
// to output stream. // to output stream.
// In many cases, this function cannot figure out the actual extent `S`. It // In many cases, this function cannot figure out the actual extent `S`. It
// then will use a place holder to replace `S` to ask users to fill `S` in. The // then will use a place holder to replace `S` to ask users to fill `S` in. The
// initializer shall be used to initialize a variable of type `std::span<T>`. // initializer shall be used to initialize a variable of type `std::span<T>`.
// //
// FIXME: Support multi-level pointers // FIXME: Support multi-level pointers
▲ Show 20 LinesShow All 263 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-pointer-deref.cpp

  • This file was added.
// RUN: %clang_cc1 -std=c++20 -Wunsafe-buffer-usage -fdiagnostics-parseable-fixits %s 2>&1 | FileCheck %s
void basic_dereference() {
int tmp;
auto p = new int[10];
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"
tmp = p[5];
int val = *p;
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:13-[[@LINE-1]]:14}:""
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:15-[[@LINE-2]]:15}:"[0]"
}
int return_method() {
auto p = new int[10];
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"
int tmp = p[5];
return *p;
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:10-[[@LINE-1]]:11}:""
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"[0]"
}
void foo(int v) {
}
void method_invocation() {
auto p = new int[10];
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"
int tmp = p[5];
foo(*p);
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:7-[[@LINE-1]]:8}:""
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:9-[[@LINE-2]]:9}:"[0]"
}
void binary_operation() {
auto p = new int[10];
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"
int tmp = p[5];
int k = *p + 20;
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:11-[[@LINE-1]]:12}:""
// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:13-[[@LINE-2]]:13}:"[0]"
}