Details

Reviewers

NoQ
jkorous
t-rasmud
ziqingluo-90
gribozavr
aaron.ballman
ymandel
xazax.hun

Commits

rG777eb4bcfc32: [-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer…

Summary

This patch handles unevaluated contexts so that the machinery produces no warnings for buffer accesses made within an unevaluated context. However, such accesses must still be considered by a FixableGadget and produce the necessary fixits.
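
For readers unfamiliar with the term, here is a minimal sketch of what "unevaluated" means in C++. The operands of `sizeof`, `decltype`, `noexcept`, and `typeid` (for non-polymorphic types) are analysed for their type only and are never executed, so a buffer access written there cannot run at runtime. The helper `touch()` and both function names are hypothetical and are not part of the patch.

```cpp
#include <cassert>
#include <cstddef>
#include <type_traits>
#include <typeinfo>

// Hypothetical helper: counts how often it is really called.
static int calls = 0;
int *touch() {
  ++calls;
  static int buffer[4] = {1, 2, 3, 4};
  return buffer;
}

// Uses touch()[1] only as an unevaluated operand, then reports the call count.
int callsAfterUnevaluatedUses() {
  calls = 0;
  std::size_t size = sizeof(touch()[1]);           // operand not evaluated
  using Elem = decltype(touch()[1]);               // operand not evaluated
  bool nothrow = noexcept(touch()[1]);             // operand not evaluated
  const std::type_info &info = typeid(touch()[1]); // int is not polymorphic
  static_assert(std::is_same<Elem, int &>::value, "subscript yields an lvalue");
  (void)size;
  (void)nothrow;
  (void)info;
  return calls;
}

// Same access in an ordinary (evaluated) expression.
int callsAfterEvaluatedUse() {
  calls = 0;
  int value = touch()[1];
  (void)value;
  return calls;
}
```

Only the second function actually runs the subscript, which is why the patch suppresses warnings in the first kind of context while still wanting fixits to rewrite the spelling there.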

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

malavikasamak created this revision.Feb 27 2023, 12:36 PM

Herald added a reviewer: NoQ. · View Herald TranscriptFeb 27 2023, 12:36 PM

Herald added a project: Restricted Project. · View Herald Transcript

malavikasamak requested review of this revision.Feb 27 2023, 12:36 PM

Harbormaster completed remote builds in B216284: Diff 500875.Feb 27 2023, 12:37 PM

malavikasamak added a parent revision: D144304: [-Wunsafe-buffer-usage] Add a Fixable for pointer pre-increment.Feb 27 2023, 12:39 PM

Rebased and removed spurious changes.

Harbormaster completed remote builds in B216359: Diff 500973.Feb 27 2023, 4:59 PM

malavikasamak added reviewers: jkorous, t-rasmud, ziqingluo-90.Feb 27 2023, 4:59 PM

NoQ added inline comments.Feb 27 2023, 6:08 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
75–76	We should still visit other subexpressions when `ignoreUnevaluatedContext` is false.

Addressing the comment on _Generic handling and fixing the machinery to correctly track all DREs.

malavikasamak marked an inline comment as done.Mar 1 2023, 4:04 PM

malavikasamak added inline comments.

clang/lib/Analysis/UnsafeBufferUsage.cpp
75–76	Fixed!

Harbormaster completed remote builds in B216855: Diff 501691.Mar 1 2023, 4:04 PM

Aha, looks correct now!

We probably want some more tests to demonstrate that even though warnings aren't emitted against evaluated code, fixits still are.

clang/lib/Analysis/UnsafeBufferUsage.cpp
39	Looks like some of these spaces are tabs.

(these tests can also demonstrate that your fix for _Generic is correct!)

@NoQ I don't want to be annoying but I think you meant "warnings aren't emitted against UNEVALUATED code", is that right?

In D144905#4179108, @jkorous wrote:

I think you meant "warnings aren't emitted against UNEVALUATED code"

💯

jkorous added inline comments.Mar 9 2023, 7:13 PM

clang/test/SemaCXX/warn-unsafe-buffer-usage.cpp
104–105	Do we think splitting this off as a separate test would help make the tests better? I am somewhat worried that having many tests in a single file makes it harder to act on failures.

ziqingluo-90 accepted this revision.Mar 10 2023, 10:34 AM

ziqingluo-90 added inline comments.

clang/lib/Analysis/UnsafeBufferUsage.cpp
938	I like this idea: skipping unevaluated contexts from the very beginning! A nitpick about this change is that we now traverse the function body twice (once for fixables and once for warnings). But I doubt the overhead (if there is any) will ever be visible.
clang/test/SemaCXX/warn-unsafe-buffer-usage.cpp
104–105	I agree. Other than these, this patch LGTM so I'm going to accept it.

This revision is now accepted and ready to land.Mar 10 2023, 10:34 AM

malavikasamak added a child revision: D146450: [-Wunsafe-buffer-usage] Bug fix: Handles the assertion violations for code within macros..Mar 20 2023, 12:26 PM

ziqingluo-90 added inline comments.Mar 21 2023, 2:43 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	Just realized that `any_dre` and `PointerReferenceGadget` can match the same node.

NoQ added inline comments.Apr 4 2023, 1:23 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	Hmm but wouldn't `PointerReferenceGadget` include a UPC or something?
938	Warning gadgets can be found at arbitrary depths inside unevaluated contexts, so you can't simply whitelist a few patterns, you need to communicate with the traversal methods to properly ignore them. So another approach to this problem would be to maintain a count of reasons why current context is unevaluated in the visitor, and have the visitor accept two sub-matchers: one is invoked every time, the other is invoked only when the count is zero. That's very ugly but we can try that if we find it useful for performance. I also like the current approach because it maps nicely to what kinds of traversal matchers I'd like to have in clang-tidy. Namely, `forEveryDescendantEvaluatedStmt()` is what people actually want 90% of the time when they write `forEachDescendant()` and then hopefully deal with unintended consequences manually. (We still want to move these matchers to `ASTMatchers.h` right???)
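
The alternative single-traversal design described in the comment above can be sketched roughly as follows. This is a toy model under stated assumptions, not Clang code: `ToyNode`, `CountingVisitor`, and `visitExample` are hypothetical names, and real unevaluated contexts would be detected by the `Traverse*` overrides rather than by a flag on the node.

```cpp
#include <cassert>
#include <functional>
#include <string>
#include <vector>

// Toy AST node. OperandsUnevaluated marks nodes such as sizeof or decltype
// whose children are never evaluated.
struct ToyNode {
  std::string Name;
  bool OperandsUnevaluated;
  std::vector<ToyNode> Children;
};

// One traversal, two callbacks: Always runs on every node, EvaluatedOnly runs
// only while the count of enclosing unevaluated contexts is zero.
struct CountingVisitor {
  std::function<void(const ToyNode &)> Always;
  std::function<void(const ToyNode &)> EvaluatedOnly;
  int UnevaluatedDepth = 0;

  void traverse(const ToyNode &N) {
    Always(N);
    if (UnevaluatedDepth == 0)
      EvaluatedOnly(N);
    if (N.OperandsUnevaluated)
      ++UnevaluatedDepth;
    for (const ToyNode &Child : N.Children)
      traverse(Child);
    if (N.OperandsUnevaluated)
      --UnevaluatedDepth;
  }
};

struct Visits {
  std::vector<std::string> All;
  std::vector<std::string> Evaluated;
};

// Models a body containing `p[5]` and `sizeof(q[1])`.
Visits visitExample() {
  ToyNode Body{"body", false,
               {ToyNode{"p[5]", false, {}},
                ToyNode{"sizeof", true, {ToyNode{"q[1]", false, {}}}}}};
  Visits Result;
  CountingVisitor Visitor;
  Visitor.Always = [&Result](const ToyNode &N) { Result.All.push_back(N.Name); };
  Visitor.EvaluatedOnly = [&Result](const ToyNode &N) {
    Result.Evaluated.push_back(N.Name);
  };
  Visitor.traverse(Body);
  return Result;
}
```

In this sketch the "always" callback plays the role of the fixable matchers and the "evaluated only" callback plays the role of the warning matchers; `q[1]` is seen by the former but not the latter.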

NoQ added inline comments.Apr 4 2023, 1:31 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
168–181	While we're at it, maybe let's return to clang's existing naming convention now that the `Stmt` suffix makes it unambiguous?

ziqingluo-90 added inline comments.Apr 4 2023, 3:58 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	you are right, though I did encounter such a bug once. But I failed to reproduce it now. Let's not worry about this issue until it appears again.

ziqingluo-90 added inline comments.Apr 5 2023, 5:43 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	I have a reproducer now. Then I realized that it is not that `any_dre` and `PointerReferenceGadget` can race in `anyOf`. It is in fact `FixableGadget`s that race in `anyOf`. So it is a bug, but unrelated to this patch. I will explain and fix it in a separate patch.

Move tests to a different file.

Harbormaster completed remote builds in B224624: Diff 512225.Apr 10 2023, 12:34 PM

malavikasamak marked 2 inline comments as done.Apr 10 2023, 12:35 PM

malavikasamak updated this revision to Diff 512237.Apr 10 2023, 1:26 PM

malavikasamak marked an inline comment as done.

Harbormaster completed remote builds in B224635: Diff 512237.Apr 10 2023, 1:27 PM

malavikasamak added inline comments.Apr 10 2023, 2:22 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	@ziqingluo-90: Can you please add a link to the bug description?

ziqingluo-90 added inline comments.Apr 10 2023, 4:59 PM

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	An example of two `FixableGadgets` racing in `anyOf` is the call statement `foo(++p, p)`, where `p` is a raw pointer. The two `FixableGadgets` represent a pre-increment and a standalone pointer, respectively, in the context of an unsafe call. The matcher representing the context is `callExpr(forEachArgumentWithParam(...`. The match succeeds as long as at least one argument matches the sub-matcher (i.e., pre-increment or standalone pointer). Therefore, both `Gadgets` match the same call statement. A quick fix is to change `anyOf` to `eachOf`, but maybe there are more efficient solutions.
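
The difference between the two combinators for `foo(++p, p)` can be illustrated with a toy model. This is only a sketch: `ToyMatcher`, `hasAnyArg`, `anyOfToy`, `eachOfToy`, and the gadget names `PreIncrement` and `StandalonePointer` are hypothetical stand-ins, and a call is modelled simply as a list of argument spellings. The one property borrowed from the real AST matchers is that `anyOf` stops at the first alternative that matches, while `eachOf` reports every alternative that matches.

```cpp
#include <cassert>
#include <functional>
#include <string>
#include <utility>
#include <vector>

using ToyCall = std::vector<std::string>; // argument spellings of one call

struct ToyMatcher {
  std::string Name;
  std::function<bool(const ToyCall &)> Matches;
};

// Matches a call if at least one argument satisfies Pred.
ToyMatcher hasAnyArg(std::string Name,
                     std::function<bool(const std::string &)> Pred) {
  return {std::move(Name), [Pred](const ToyCall &Call) {
            for (const std::string &Arg : Call)
              if (Pred(Arg))
                return true;
            return false;
          }};
}

std::vector<ToyMatcher> exampleGadgets() {
  return {
      hasAnyArg("PreIncrement",
                [](const std::string &Arg) { return Arg.rfind("++", 0) == 0; }),
      hasAnyArg("StandalonePointer",
                [](const std::string &Arg) { return Arg == "p"; }),
  };
}

// anyOf-like: short-circuits on the first matching alternative.
std::vector<std::string> anyOfToy(const std::vector<ToyMatcher> &Alternatives,
                                  const ToyCall &Call) {
  for (const ToyMatcher &M : Alternatives)
    if (M.Matches(Call))
      return {M.Name};
  return {};
}

// eachOf-like: reports every matching alternative.
std::vector<std::string> eachOfToy(const std::vector<ToyMatcher> &Alternatives,
                                   const ToyCall &Call) {
  std::vector<std::string> Names;
  for (const ToyMatcher &M : Alternatives)
    if (M.Matches(Call))
      Names.push_back(M.Name);
  return Names;
}
```

For the call `{"++p", "p"}` both toy gadgets match the same call, so the `anyOf`-like version reports only the first one and the `eachOf`-like version reports both.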

malavikasamak added reviewers: gribozavr, aaron.ballman, ymandel, xazax.hun.Apr 11 2023, 2:31 PM

Herald added a subscriber: rnkovacs. · View Herald TranscriptApr 11 2023, 2:31 PM

malavikasamak added inline comments.Apr 13 2023, 11:32 AM

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	If I recall correctly, we discussed changing this from anyOf to eachOf offline and were concerned about potential clashes among the fixits. So, it was decided to leave it alone for now and handle this as a separate patch. But you are right, this can be a real pain point for us and we need to address this soonish. For your example, this may prevent us from generating any fixits as at least one of the DREs will never get claimed.
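
The "claiming" concern above can be sketched with a small toy tracker. This is an illustrative simplification, not the Clang implementation: `ToyUseTracker` and `allUsesClaimed` are hypothetical, and the rule that a fixit is only safe when every discovered use has been claimed is an assumption drawn from this thread.

```cpp
#include <cassert>
#include <set>
#include <string>
#include <vector>

// Toy stand-in for a tracker of pointer uses (DREs).
class ToyUseTracker {
  std::set<std::string> Unclaimed;

public:
  void discoverUse(const std::string &Use) { Unclaimed.insert(Use); }
  void claimUse(const std::string &Use) { Unclaimed.erase(Use); }
  bool hasUnclaimedUses() const { return !Unclaimed.empty(); }
};

// Returns true when every discovered use was claimed by some gadget.
bool allUsesClaimed(const std::vector<std::string> &Discovered,
                    const std::vector<std::string> &Claimed) {
  ToyUseTracker Tracker;
  for (const std::string &Use : Discovered)
    Tracker.discoverUse(Use);
  for (const std::string &Use : Claimed)
    Tracker.claimUse(Use);
  return !Tracker.hasUnclaimedUses();
}
```

With `foo(++p, p)` there are two uses of `p`. If only one gadget fires, only one use is claimed and the other stays unclaimed, which in this model blocks the fixit.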

Code looks great now, and wow that's a lot of tests!

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	> call statement `foo(++p, p)`
Can we already add such a test case? Regardless of whether it passes, it can help us confirm that we're not doing something terrible (e.g. crashing) in such cases. At a glance, switching to `eachOf()` could totally crash us, so I'd rather document the potential problem in the form of a test while it's hot.

malavikasamak updated this revision to Diff 514690.Apr 18 2023, 10:52 AM

malavikasamak marked an inline comment as done.

Thanks! LGTM!

malavikasamak updated this revision to Diff 515092.Apr 19 2023, 2:27 PM

malavikasamak marked 5 inline comments as done.

malavikasamak added inline comments.

clang/lib/Analysis/UnsafeBufferUsage.cpp
930	So, it looks like this has already been changed to eachOf on the llvm main branch. Updating this to reflect the same.

malavikasamak updated this revision to Diff 515094.Apr 19 2023, 2:30 PM

Harbormaster completed remote builds in B226700: Diff 515094.Apr 19 2023, 2:32 PM

This revision was landed with ongoing or failed builds.Apr 19 2023, 3:53 PM

Closed by commit rG777eb4bcfc32: [-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer… (authored by malavikasamak). · Explain Why

This revision was automatically updated to reflect the committed changes.

malavikasamak added a commit: rG777eb4bcfc32: [-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer….

Herald added a project: Restricted Project. · View Herald TranscriptApr 19 2023, 3:53 PM

Herald added a subscriber: cfe-commits. · View Herald Transcript

malavikasamak added a reverting change: rG7bf5f4692ad6: Revert "[-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe….Apr 19 2023, 4:09 PM

Diff 515114

clang/lib/Analysis/UnsafeBufferUsage.cpp

Show All 29 Lines public:

typedef RecursiveASTVisitor<MatchDescendantVisitor> VisitorBase; typedef RecursiveASTVisitor<MatchDescendantVisitor> VisitorBase;

// Creates an AST visitor that matches `Matcher` on all // Creates an AST visitor that matches `Matcher` on all

// descendants of a given node "n" except for the ones // descendants of a given node "n" except for the ones

// belonging to a different callable of "n". // belonging to a different callable of "n".

MatchDescendantVisitor(const internal::DynTypedMatcher *Matcher, MatchDescendantVisitor(const internal::DynTypedMatcher *Matcher,

internal::ASTMatchFinder *Finder, internal::ASTMatchFinder *Finder,

internal::BoundNodesTreeBuilder *Builder, internal::BoundNodesTreeBuilder *Builder,

internal::ASTMatchFinder::BindKind Bind) internal::ASTMatchFinder::BindKind Bind,

const bool ignoreUnevaluatedContext)

: Matcher(Matcher), Finder(Finder), Builder(Builder), Bind(Bind), : Matcher(Matcher), Finder(Finder), Builder(Builder), Bind(Bind),

Matches(false) {} Matches(false), ignoreUnevaluatedContext(ignoreUnevaluatedContext) {}

// Returns true if a match is found in a subtree of `DynNode`, which belongs // Returns true if a match is found in a subtree of `DynNode`, which belongs

// to the same callable of `DynNode`. // to the same callable of `DynNode`.

bool findMatch(const DynTypedNode &DynNode) { bool findMatch(const DynTypedNode &DynNode) {

Matches = false; Matches = false;

if (const Stmt *StmtNode = DynNode.get<Stmt>()) { if (const Stmt *StmtNode = DynNode.get<Stmt>()) {

TraverseStmt(const_cast<Stmt *>(StmtNode)); TraverseStmt(const_cast<Stmt *>(StmtNode));

*Builder = ResultBindings; *Builder = ResultBindings;

Show All 16 Lines if (!match(*Node))

return false; return false;

// To skip callables: // To skip callables:

if (isa<FunctionDecl, BlockDecl, ObjCMethodDecl>(Node)) if (isa<FunctionDecl, BlockDecl, ObjCMethodDecl>(Node))

return true; return true;

// Traverse descendants // Traverse descendants

return VisitorBase::TraverseDecl(Node); return VisitorBase::TraverseDecl(Node);

} }

bool TraverseGenericSelectionExpr(GenericSelectionExpr *Node) {

// These are unevaluated, except the result expression.

if(ignoreUnevaluatedContext)

return TraverseStmt(Node->getResultExpr());

return VisitorBase::TraverseGenericSelectionExpr(Node);

}

bool TraverseUnaryExprOrTypeTraitExpr(UnaryExprOrTypeTraitExpr *Node) {

// Unevaluated context.

if(ignoreUnevaluatedContext)

return true;

return VisitorBase::TraverseUnaryExprOrTypeTraitExpr(Node);

}

bool TraverseTypeOfExprTypeLoc(TypeOfExprTypeLoc Node) {

// Unevaluated context.

if(ignoreUnevaluatedContext)

return true;

return VisitorBase::TraverseTypeOfExprTypeLoc(Node);

}

bool TraverseDecltypeTypeLoc(DecltypeTypeLoc Node) {

// Unevaluated context.

if(ignoreUnevaluatedContext)

return true;

return VisitorBase::TraverseDecltypeTypeLoc(Node);

}

bool TraverseCXXNoexceptExpr(CXXNoexceptExpr *Node) {

// Unevaluated context.

if(ignoreUnevaluatedContext)

return true;

return VisitorBase::TraverseCXXNoexceptExpr(Node);

}

bool TraverseCXXTypeidExpr(CXXTypeidExpr *Node) {

// Unevaluated context.

if(ignoreUnevaluatedContext)

return true;

return VisitorBase::TraverseCXXTypeidExpr(Node);

}

bool TraverseStmt(Stmt *Node, DataRecursionQueue *Queue = nullptr) { bool TraverseStmt(Stmt *Node, DataRecursionQueue *Queue = nullptr) {

if (!Node) if (!Node)

return true; return true;

if (!match(*Node)) if (!match(*Node))

return false; return false;

// To skip callables: // To skip callables:

if (isa<LambdaExpr>(Node)) if (isa<LambdaExpr>(Node))

return true; return true;

Show All 25 Lines private:

} }

const internal::DynTypedMatcher *const Matcher; const internal::DynTypedMatcher *const Matcher;

internal::ASTMatchFinder *const Finder; internal::ASTMatchFinder *const Finder;

internal::BoundNodesTreeBuilder *const Builder; internal::BoundNodesTreeBuilder *const Builder;

internal::BoundNodesTreeBuilder ResultBindings; internal::BoundNodesTreeBuilder ResultBindings;

const internal::ASTMatchFinder::BindKind Bind; const internal::ASTMatchFinder::BindKind Bind;

bool Matches; bool Matches;

bool ignoreUnevaluatedContext;

}; };

// Because we're dealing with raw pointers, let's define what we mean by that. // Because we're dealing with raw pointers, let's define what we mean by that.

static auto hasPointerType() { static auto hasPointerType() {

return hasType(hasCanonicalType(pointerType())); return hasType(hasCanonicalType(pointerType()));

} }

static auto hasArrayType() { static auto hasArrayType() {

return hasType(hasCanonicalType(arrayType())); return hasType(hasCanonicalType(arrayType()));

} }

AST_MATCHER_P(Stmt, forEveryDescendant, internal::Matcher<Stmt>, innerMatcher) { AST_MATCHER_P(Stmt, forEachDescendantEvaluatedStmt, internal::Matcher<Stmt>, innerMatcher) {

const DynTypedMatcher &DTM = static_cast<DynTypedMatcher>(innerMatcher);

MatchDescendantVisitor Visitor(&DTM, Finder, Builder, ASTMatchFinder::BK_All, true);

return Visitor.findMatch(DynTypedNode::create(Node));

}

AST_MATCHER_P(Stmt, forEachDescendantStmt, internal::Matcher<Stmt>, innerMatcher) {

const DynTypedMatcher &DTM = static_cast<DynTypedMatcher>(innerMatcher); const DynTypedMatcher &DTM = static_cast<DynTypedMatcher>(innerMatcher);

MatchDescendantVisitor Visitor(&DTM, Finder, Builder, ASTMatchFinder::BK_All); MatchDescendantVisitor Visitor(&DTM, Finder, Builder, ASTMatchFinder::BK_All, false);

return Visitor.findMatch(DynTypedNode::create(Node)); return Visitor.findMatch(DynTypedNode::create(Node));

} }

// Matches a `Stmt` node iff the node is in a safe-buffer opt-out region // Matches a `Stmt` node iff the node is in a safe-buffer opt-out region

AST_MATCHER_P(Stmt, notInSafeBufferOptOut, const UnsafeBufferUsageHandler *, AST_MATCHER_P(Stmt, notInSafeBufferOptOut, const UnsafeBufferUsageHandler *,

Handler) { Handler) {

return !Handler->isSafeBufferOptOut(Node.getBeginLoc()); return !Handler->isSafeBufferOptOut(Node.getBeginLoc());

} }

AST_MATCHER_P(CastExpr, castSubExpr, internal::Matcher<Expr>, innerMatcher) { AST_MATCHER_P(CastExpr, castSubExpr, internal::Matcher<Expr>, innerMatcher) {

▲ Show 20 Lines • Show All 726 Lines • ▼ Show 20 Lines #include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

} }

}; };

MatchFinder M; MatchFinder M;

GadgetFinderCallback CB; GadgetFinderCallback CB;

// clang-format off // clang-format off

M.addMatcher( M.addMatcher(

stmt(forEveryDescendant( stmt(eachOf(

eachOf(

// A `FixableGadget` matcher and a `WarningGadget` matcher should not disable // A `FixableGadget` matcher and a `WarningGadget` matcher should not disable

// each other (they could if they were put in the same `anyOf` group). // each other (they could if they were put in the same `anyOf` group).

// We also should make sure no two `FixableGadget` (resp. `WarningGadget`) matchers // We also should make sure no two `FixableGadget` (resp. `WarningGadget`) matchers

// match for the same node, so that we can group them // match for the same node, so that we can group them

// in one `anyOf` group (for better performance via short-circuiting). // in one `anyOf` group (for better performance via short-circuiting).

stmt(eachOf( forEachDescendantStmt(stmt(eachOf(

#define FIXABLE_GADGET(x) \ #define FIXABLE_GADGET(x) \

x ## Gadget::matcher().bind(#x), x ## Gadget::matcher().bind(#x),

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def" #include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

// Also match DeclStmts because we'll need them when fixing // In parallel, match all DeclRefExprs so that to find out

// their underlying VarDecls that otherwise don't have // whether there are any uncovered by gadgets.

// any backreferences to DeclStmts. declRefExpr(anyOf(hasPointerType(), hasArrayType()), to(varDecl())).bind("any_dre")

declStmt().bind("any_ds") ))),

)), forEachDescendantEvaluatedStmt(stmt(anyOf(

stmt(anyOf(

// Add Gadget::matcher() for every gadget in the registry. // Add Gadget::matcher() for every gadget in the registry.

#define WARNING_GADGET(x) \ #define WARNING_GADGET(x) \

allOf(x ## Gadget::matcher().bind(#x), notInSafeBufferOptOut(&Handler)), allOf(x ## Gadget::matcher().bind(#x), notInSafeBufferOptOut(&Handler)),

#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def" #include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"

// In parallel, match all DeclRefExprs so that to find out // Also match DeclStmts because we'll need them when fixing

// whether there are any uncovered by gadgets. // their underlying VarDecls that otherwise don't have

declRefExpr(anyOf(hasPointerType(), hasArrayType()), to(varDecl())).bind("any_dre") // any backreferences to DeclStmts.

))) declStmt().bind("any_ds")

)), ))

))),

&CB &CB

); );

// clang-format on // clang-format on

M.match(*D->getBody(), D->getASTContext()); M.match(*D->getBody(), D->getASTContext());

// Gadgets "claim" variables they're responsible for. Once this loop finishes, // Gadgets "claim" variables they're responsible for. Once this loop finishes,

// the tracker will only track DREs that weren't claimed by any gadgets, // the tracker will only track DREs that weren't claimed by any gadgets,

▲ Show 20 Lines • Show All 655 Lines • Show Last 20 Lines

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-unevaluated-context.cpp

This file was added.

				// RUN: %clang_cc1 -std=c++20 -Wunsafe-buffer-usage -fdiagnostics-parseable-fixits -fsyntax-only %s 2>&1 \| FileCheck %s

				namespace std {
				class type_info;
				class bad_cast;
				class bad_typeid;
				}
				using size_t = __typeof(sizeof(int));
				void *malloc(size_t);

				void foo(...);
				int bar(int *ptr);

				void uneval_context_fix_pointer_dereference() {
				auto p = new int[10];
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"

				int tmp = p[5];
				typeid(foo(*p));
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:14-[[@LINE-1]]:15}:""
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:16-[[@LINE-2]]:16}:"[0]"
				_Generic(*p, int: 2, float: 3);
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:12-[[@LINE-1]]:13}:""
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:14-[[@LINE-2]]:14}:"[0]"
				}

				void uneval_context_fix_pointer_array_access() {
				auto p = new int[10];
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"

				int tmp = p[5];
				typeid(foo(p[5]));
				_Generic(p[2], int: 2, float: 3);
				}

				void uneval_context_fix_pointer_reference() {
				auto p = new int[10];
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:3-[[@LINE-1]]:11}:"std::span<int> p"
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-2]]:12-[[@LINE-2]]:12}:"{"
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-3]]:23-[[@LINE-3]]:23}:", 10}"

				int tmp = p[5];
				typeid(bar(p));
				// CHECK-DAG: fix-it:"{{.*}}":{[[@LINE-1]]:15-[[@LINE-1]]:15}:".data()"
				}

				// The FixableGadgets are not working in the following scenarios:
				// 1. sizeof(DRE)
				// 2. typeid(DRE)
				// 3. __typeof(DRE)
				// 4. _Generic(expr, type_1: DRE, type_2:)
				// 5. decltype(DRE) var = y;
				// 6. noexcept(DRE);
				// This is because the UPC and ULC context matchers do not handle these contexts
				// and almost all FixableGadgets currently depend on these matchers.

				// FIXME: Emit fixits for each of the below use.
				void uneval_context_fix_pointer_dereference_not_handled() {
				auto p = new int[10];
				int tmp = p[5];

				foo(sizeof(p), sizeof(decltype(p)));
				__typeof(*p) x;
				int q = (int )malloc(sizeof(*p));
				int y = sizeof(*p);
				__is_pod(__typeof(*p));
				__is_trivially_constructible(__typeof(p), decltype(p));
				_Generic(*p, int: 2, float: 3);
				_Generic(1, int: *p, float: 3);
				_Generic(1, int: 2, float: *p);
				decltype(*p) var = y;
				noexcept(*p);
				typeid(*p);
				}

clang/test/SemaCXX/warn-unsafe-buffer-usage-warning-unevaluated-context.cpp

This file was added.

				// RUN: %clang_cc1 -std=c++20 -Wno-all -Wunsafe-buffer-usage -fblocks -include %s -verify %s

				// RUN: %clang -x c++ -fsyntax-only -fblocks -include %s %s 2>&1 \| FileCheck --allow-empty %s
				// RUN: %clang_cc1 -std=c++11 -fblocks -include %s %s 2>&1 \| FileCheck --allow-empty %s
				// RUN: %clang_cc1 -std=c++20 -fblocks -include %s %s 2>&1 \| FileCheck --allow-empty %s
				// CHECK-NOT: [-Wunsafe-buffer-usage]

				#ifndef INCLUDED
				#define INCLUDED
				#pragma clang system_header

				// no spanification warnings for system headers
				void foo(...); // let arguments of `foo` to hold testing expressions
				#else

				namespace std {
				class type_info;
				class bad_cast;
				class bad_typeid;
				}
				using size_t = __typeof(sizeof(int));
				void *malloc(size_t);

				void foo(int v) {
				}

				void foo(int *p){}

				void uneval_context_fix() {
				auto p = new int[10]; // expected-warning{{'p' is an unsafe pointer used for buffer access}}

				// Warn on the following DREs
				_Generic(1, int: p[2], float: 3); // expected-note{{used in buffer access here}}

				// Do not warn for following DREs
				auto q = new int[10];
				foo(sizeof(q[1]), // no-note
				sizeof(decltype(q[1]))); // no-note
				__typeof(q[5]) x; // no-note
				int r = (int )malloc(sizeof(q[5])); // no-note
				int y = sizeof(q[5]); // no-note
				__is_pod(__typeof(q[5])); // no-note
				__is_trivially_constructible(__typeof(q[5]), decltype(q[5])); // no-note
				_Generic(q[1], int: 2, float: 3); // no-note
				_Generic(1, int: 2, float: q[3]); // no-note
				decltype(q[2]) var = y; // no-note
				noexcept(q[2]); // no-note
				typeid(q[3]); // no-note
				}
				#endif

clang/test/SemaCXX/warn-unsafe-buffer-usage.cpp

Show First 20 Lines • Show All 95 Lines • ▼ Show 20 Lines	void testArraySubscriptsWithAuto(int p, int *pp) {
foo(ap3[1][1]); // expected-note{{used in buffer access here}}		foo(ap3[1][1]); // expected-note{{used in buffer access here}}
// expected-warning@-1{{unsafe buffer access}}		// expected-warning@-1{{unsafe buffer access}}

auto ap4 = *pp; // expected-warning{{'ap4' is an unsafe pointer used for buffer access}} \		auto ap4 = *pp; // expected-warning{{'ap4' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'ap4' to 'std::span' to preserve bounds information}}		expected-note{{change type of 'ap4' to 'std::span' to preserve bounds information}}

foo(ap4[1]); // expected-note{{used in buffer access here}}		foo(ap4[1]); // expected-note{{used in buffer access here}}
}		}

//TODO: do not warn for unevaluated context
void testUnevaluatedContext(int * p) {// expected-warning{{'p' is an unsafe pointer used for buffer access}}
foo(sizeof(p[1]), // expected-note{{used in buffer access here}}
sizeof(decltype(p[1]))); // expected-note{{used in buffer access here}}
}

void testQualifiedParameters(const int * p, const int * const q, const int a[10], const int b[10][10]) {		void testQualifiedParameters(const int * p, const int * const q, const int a[10], const int b[10][10]) {
// expected-warning@-1{{'p' is an unsafe pointer used for buffer access}}		// expected-warning@-1{{'p' is an unsafe pointer used for buffer access}}
// expected-warning@-2{{'q' is an unsafe pointer used for buffer access}}		// expected-warning@-2{{'q' is an unsafe pointer used for buffer access}}
// expected-warning@-3{{'a' is an unsafe pointer used for buffer access}}		// expected-warning@-3{{'a' is an unsafe pointer used for buffer access}}
// expected-warning@-4{{'b' is an unsafe pointer used for buffer access}}		// expected-warning@-4{{'b' is an unsafe pointer used for buffer access}}

foo(p[1], 1[p], p[-1], // expected-note3{{used in buffer access here}}		foo(p[1], 1[p], p[-1], // expected-note3{{used in buffer access here}}
q[1], 1[q], q[-1], // expected-note3{{used in buffer access here}}		q[1], 1[q], q[-1], // expected-note3{{used in buffer access here}}
a[1], // expected-note{{used in buffer access here}} `a` is of pointer type		a[1], // expected-note{{used in buffer access here}} `a` is of pointer type
▲ Show 20 Lines • Show All 249 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer usages
ClosedPublic
