This is an archive of the discontinued LLVM Phabricator instance.

Make dereferencing a void* a hard-error instead of warn-as-error
ClosedPublic

Authored by erichkeane on May 18 2023, 8:41 AM.

Details

Reviewers
aaron.ballman
Group Reviewers
Restricted Project
Restricted Project
Commits
rGfca4e2add0f8: Make dereferencing a void* a hard-error instead of warn-as-error
Summary

Clang 16 changed to consider dereferencing a void* to be a
warning-as-error, plus made this an error in SFINAE contexts, since this
resulted in incorrect template instantiation. When doing so, the Clang
16 documentation was updated to reflect that this was likely to change
again to a non-disablable error in the next version.

As there has been no response to changing from a warning to an error, I
believe this is a non-controversial change.

This patch changes this to be an Error, consistent with the standard and
other compilers.

This was discussed in this RFC:
https://discourse.llvm.org/t/rfc-can-we-stop-the-extension-to-allow-dereferencing-void-in-c/65708

Diff Detail

Event Timeline

erichkeane created this revision.May 18 2023, 8:41 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 18 2023, 8:41 AM
erichkeane requested review of this revision.May 18 2023, 8:41 AM
rnk added a subscriber: rnk.May 18 2023, 9:53 AM

Can you expand on the motivation for removing this extension? This doesn't seem to save a lot of code complexity, and it increases migration costs for our users. I'd like to have some motivation for putting them through the trouble of migrating.

Huh, that is an interesting use! I notice that he enables that for both GCC AND Clang, but probably doesn't notice because he disables Wpragma as well. So this change would change the legality of his program (potentially) for Clang (though, we ALREADY would have broken any SFINAE/concepts uses because of the SFINAE change in 16), but only to be what GCC gives him? I think we can be ok with that?

Can you expand on the motivation for removing this extension? This doesn't seem to save a lot of code complexity, and it increases migration costs for our users. I'd like to have some motivation for putting them through the trouble of migrating.

The motivation is essentially the same motivation for making this a SFINAE error: We are the only of the major compilers with this "extension" (I hesitate to call it that, as I'm not sure this FITS in the 'extension's permitted by standard), and we gave warning last release in the release notes that we'd be doing this. You're right there is no additional code complexity, but there IS standards compliance issues, as well as "do what everyone else does".

I WILL say the SFINAE change last release was more significant as a motivation, since it had the ability to change the overload set.

Can you expand on the motivation for removing this extension? This doesn't seem to save a lot of code complexity, and it increases migration costs for our users. I'd like to have some motivation for putting them through the trouble of migrating.

Note, there was an RFC: https://discourse.llvm.org/t/rfc-can-we-stop-the-extension-to-allow-dereferencing-void-in-c/65708

rnk added a comment.May 18 2023, 10:10 AM

Thanks, that addresses my concern. Please link to it from the commit message, it will help anyone bisecting the behavior change have context.

Thanks, that addresses my concern. Please link to it from the commit message, it will help anyone bisecting the behavior change have context.

Will do! I've put it in my local git, and will put it in phab as well.

erichkeane edited the summary of this revision. (Show Details)May 18 2023, 10:14 AM
jrtc27 added a subscriber: jrtc27.EditedMay 18 2023, 10:16 AM

We heavily rely on this extension in CheriBSD via __typeof__((*(p))) * __capability as we want to be able to take any pointer, including to an array or function that needs to undergo decay to be an actual pointer, and turn it into a __capability-qualified one. Presumably you're saying we should instead use __typeof__((0, (p))) __capability as an uglier alternative way to force decay?

We heavily rely on this extension in CheriBSD via __typeof__((*(p))) * __capability as we want to be able to take any pointer, including to an array or function that needs to undergo decay to be an actual pointer, and turn it into a __capability-qualified one. Presumably you're saying we should instead use __typeof__((0, (p))) __capability as an uglier alternative way to force decay?

Do you do that in C++, or just C? Note that this does NOT change the behavior in C. In C++ I'd probably just suggest using std::decay.

We heavily rely on this extension in CheriBSD via __typeof__((*(p))) * __capability as we want to be able to take any pointer, including to an array or function that needs to undergo decay to be an actual pointer, and turn it into a __capability-qualified one. Presumably you're saying we should instead use __typeof__((0, (p))) __capability as an uglier alternative way to force decay?

Do you do that in C++, or just C? Note that this does NOT change the behavior in C. In C++ I'd probably just suggest using std::decay.

In practice just C (kernel-only macro), though ideally the macro would still work in C++ (at least on CheriBSD; C++-based OSes will differ, but can of course do their own thing).

rsmith added a subscriber: rsmith.May 18 2023, 10:28 AM

We are the only of the major compilers with this "extension" (I hesitate to call it that, as I'm not sure this FITS in the 'extension's permitted by standard)

I'm not objecting to removing this extension, but... do you have reason to doubt that it's conforming, or just a lack of confidence that it is? (If the SFINAEFailure change wasn't enough, then it's not clear to me why this change would be. We use a SFINAEFailure diagnostic for other extensions, and if that's not sufficient for conformance then we probably have a lot of conformance gaps of this kind.)

clang/include/clang/Basic/DiagnosticSemaKinds.td
6985

We normally only use this "ISO C++ does not allow" phrasing for extensions (with the implication being that ISO C++ doesn't allow it, but Clang does). Can you rephrase the diagnostic too, to remove those unnecessary words?

We are the only of the major compilers with this "extension" (I hesitate to call it that, as I'm not sure this FITS in the 'extension's permitted by standard)

I'm not objecting to removing this extension, but... do you have reason to doubt that it's conforming, or just a lack of confidence that it is? (If the SFINAEFailure change wasn't enough, then it's not clear to me why this change would be. We use a SFINAEFailure diagnostic for other extensions, and if that's not sufficient for conformance then we probably have a lot of conformance gaps of this kind.)

No, just lack of confidence. I guess if it is supposed to be ill-formed, we can permit it (except in SFINAE?), right? The intent here is mostly just for 'cleanup' as we see it.

clang/include/clang/Basic/DiagnosticSemaKinds.td
6985

I definitely can. Though, I wonder if we can just use the err_typecheck_indirection_requires_pointer above instead and remove this diagnostic? We might need to change that to indirection requires non-void pointer operand (%0 invalid). WDYT?

Ok, so I was curious why this was an extension. This is the original patch: https://github.com/llvm/llvm-project/commit/80877c228d019e9cdca6295f3197867cc86e1720 where @rsmith mentions there is no good reason for this limitation, then mentions a core issue having been filed. I found CWG1923 (https://open-std.org/JTC1/SC22/WG21/docs/cwg_closed.html#1923), which is said issue. The resolution is "Needs an EWG Paper", which seems to be the end of the line, as I see no such paper?

Ok, so I was curious why this was an extension. This is the original patch: https://github.com/llvm/llvm-project/commit/80877c228d019e9cdca6295f3197867cc86e1720 where @rsmith mentions there is no good reason for this limitation, then mentions a core issue having been filed. I found CWG1923 (https://open-std.org/JTC1/SC22/WG21/docs/cwg_closed.html#1923), which is said issue. The resolution is "Needs an EWG Paper", which seems to be the end of the line, as I see no such paper?

Because the Core issue ended up in extension territory and no extension paper came out, and because we don't know there's evidence of a significant user community, I think it's reasonable to remove this extension (it doesn't match our usual requirements for adding extensions). However, if @rsmith is planning to write such a paper (or if there is a paper and we just haven't spotted it), then that's a different story.

MaskRay added inline comments.
clang/docs/ReleaseNotes.rst
59

Mention -Wvoid-ptr-dereference?

Clang 16 converted this to a default-error -Wvoid-ptr-dereference as well as a SFINAE error.

Does this patch intentionally keep -Wvoid-ptr-dereference (which is a no-op now)?

erichkeane added inline comments.May 19 2023, 5:50 AM
clang/docs/ReleaseNotes.rst
59

Good suggestions!

Yes, Clang keeps Wvoid-ptr-dereference because it is still a valid flag for C.

Update release note per @MaskRay , change error message per @rsmith

Precommit CI found various failures that need to be addressed. Also, have you tested to see what breaks in llvm-test-suite?

clang/docs/ReleaseNotes.rst
58
erichkeane marked an inline comment as done.May 22 2023, 2:51 PM

Precommit CI found various failures that need to be addressed. Also, have you tested to see what breaks in llvm-test-suite?

Woops! I must have forgotten to re-make my diff before submitting. I fixed those in the patch earlier.

I have not tested this against the llvm-test-suite as I'm not thrilled having to figure out how to build that again :) But I guess I should make a companion patch ahead of time. Last time however I don't recall us needing to add the flag for the warning however.

Fix tests + Aaron's formatting request. Guess I forgot to upload this last night!

I did the llvm-test-suite build, and have a handful of linker issues (because I've not built libclang, and don't have some newer GCC library for some float16 commands), but everythign builds at least. If necessary, I can try to make sure it all builds, but I hope/suspect this is sufficient.

aaron.ballman accepted this revision.May 23 2023, 6:34 AM

Fantastic! Presuming precommit CI comes back green this time, LGTM.

This revision is now accepted and ready to land.May 23 2023, 6:34 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 24 2023, 11:27 AM