This is an archive of the discontinued LLVM Phabricator instance.

Differential D153059

[-Wunsafe-buffer-usage] Group parameter fix-its
ClosedPublic

Authored by ziqingluo-90 on Jun 15 2023, 11:30 AM.

Details

Reviewers
NoQ
t-rasmud
jkorous
malavikasamak
Commits
rG33f6161d9eaa: [-Wunsafe-buffer-usage] Group parameter fix-its
Summary

For a function F whose parameters need to be fixed, we group fix-its of its' parameters together so that either all of the parameters get fixed or none of them gets fixed.

The reason for doing so is to avoid generating low-quality fix-its. For example,

void f(int * p, int * q) {
   int i = p[5];
   int j = q[5];
}

We would like to fix both parameters p and q with std::span. If we do not group them together, they will be fixed in two steps: 1) fixing p first; and then 2) fixing q. Step 1 yields a new overload of f:

void f(std::span<int> p, int *q) {  ...  }
[[unsafe_buffer_usage]] void f(int *p, int *q) {return f(std::span(p, <# size #>), q);}
}

The new overload of f is, however, still an unsafe function. Then we apply step 2 and have:

void f(std::span<int> p, std::span<int> q) {  ...  }
[[unsafe_buffer_usage]] void f(int *p, int *q) {return f(std::span<int>(p, <# size #>), q);}
[[unsafe_buffer_usage]] void f(std::span<int> p, int *q) {return f(p, std::span<int>(q, <# size #>));}

The "intermediate" overload void f(std::span<int>, int *) stays there but usually is not useful. If there are more than two parameters need to be fixed, there will be more such useless "intermediate" overloads.

With this patch, p and q will be fixed together: either selecting p or q to fix will result in a safe function void f(std::span<int> p, std::span<int> q in one step.

Diff Detail

Event Timeline

ziqingluo-90 created this revision.Jun 15 2023, 11:30 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 15 2023, 11:30 AM
ziqingluo-90 requested review of this revision.Jun 15 2023, 11:30 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 15 2023, 11:30 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
ziqingluo-90 added inline comments.Jun 15 2023, 1:10 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2374–2375

I changed the rest of this function drastically so let me explain what I did.

The table FixItsForVariable is initiated with variables whose declarations and associated Fixables can be fixed. So if a variable is not in the table, either 1) its declaration cannot be fixed or 2) one of its Fixables cannot be fixed. Then, the table is further reduced by removing elements such that at least one of its' group members satisfies 1) or 2).
Eventually, the table FixItsForVariable can be used to determine if a variable is ImpossibleToFix (so we no longer need this flag). FixItsForVariable[V], if V exists there, is a collection of fix-its for V's declaration and all Fixables associated to V.

With parameters being fixed, we also generate function overloads as fix-its for the parameters. These overload fix-its are "shared" by the parameters. It means that these fix-its will be added for the group where the parameters belong to, instead of being added to FixItsForVariable[PV] for each such parameter PV.

So finally, for a variable V, FinalFixItsForVariable[V] is a collection of fix-its for the whole group where V is at.

2615–2622

How about changing the variable name to PtrImplicationGraph? For two variables V and W, if W is in PtrImplicationGraph[V], it means fixing V implicates fixing W, right?

ziqingluo-90 added inline comments.Jun 15 2023, 2:44 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2615–2622

@t-rasmud what do you think?

t-rasmud added inline comments.Jun 15 2023, 2:54 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2615–2622

Sounds good! PtrImplicationGraph conveys the same meaning as PtrAssignmentGraph and is more generic.

Harbormaster completed remote builds in B239196: Diff 531834.Jun 15 2023, 3:20 PM
ziqingluo-90 added a parent revision: D143628: [-Wunsafe-buffer-usage][PoC][WIP] Add #include <span> to emitted Fix-Its.Jun 16 2023, 11:31 AM
ziqingluo-90 edited parent revisions, added: D150489: [-Wunsafe-buffer-usage] Handle pointer initializations for grouping related variables; removed: D143628: [-Wunsafe-buffer-usage][PoC][WIP] Add #include <span> to emitted Fix-Its.
ziqingluo-90 retitled this revision from [-Wunsafe-buffer-usage][WIP] Group parameter fix-its to [-Wunsafe-buffer-usage] Group parameter fix-its.Jun 20 2023, 4:23 PM
NoQ added a comment.Jun 20 2023, 5:14 PM

I'll just leave this tiny bit of analysis here, that we did on the whiteboard a while ago.

The "intermediate" overload void f(std::span<int>, int *) stays there but usually is not useful. If there are more than two parameters need to be fixed, there will be more such useless "intermediate" overloads.

This isn't even the biggest problem. The bigger problem is that the process doesn't actually stop at Step 2.

Let me rewrite this more slowly.

Step 0 - the initial code:

// original body, original signature
void foo(int *p, int *q, size_t sz) {
   int i = p[5]; // warning: unsafe buffer usage over 'p'
   int j = q[5]; // warning: unsafe buffer usage over 'q'
}

Step 1 - fix parameter p:

// FIXED: original body, new signature
void foo(span<int> p, int *q, size_t sz) {
   int i = p[5];
   int j = q[5]; // warning: unsafe buffer usage over 'q'
}

// NEW: compatibility overload from step 1 - original signature
[[unsafe_buffer_usage]]
void f(int *p, int *q, size_t sz) {
   foo(span<int>(p, <#size#>), q, sz);
}

Step 2 - fix parameter q as well:

// FIXED: original code, even newer signature
void foo(span<int> p, span<int> q, size_t sz) {
   int i = p[5];
   int j = q[5];
}

// NEW: compatibility overload from step 2
[[unsafe_buffer_usage]]
void foo(span<int> p, int *q, size_t sz) {
   foo(p, span<int>(q, <#size#>), sz);
}

// UNCHANGED: compatibility overload from step 1 - still carries original signature
[[unsafe_buffer_usage]]
void foo(int *p, int *q, size_t sz) {
   foo(span<int>(p, sz), q, sz); // warning: unsafe buffer usage over 'q'
}

Step 3 - now we have a warning inside the overload from step 1 because it's no longer calling the newest safe function, but it's now calling the compatibility overload from step 2. So we need to change the parameter q of the bottom-most function to span.

// UNCHANGED: original code, even newer signature - unchanged
void foo(span<int> p, span<int> q, size_t sz) {
   int i = p[5];
   int j = q[5];
}

// UNCHANGED: compatibility overload from step 2
[[unsafe_buffer_usage]]
void foo(span<int> p, int *q, size_t sz) {
   foo(p, span<int>(q, sz), sz);
}

// FIXED: compatibility overload from step 1 - new safe signature
[[unsafe_buffer_usage]]
void foo(int *p, span<int> q, size_t sz) {
   foo(span<int>(p, sz), q, sz);
}

// NEW: compatibility overload from step 3 - original signature of the overload from step 1, aka simply original signature
[[unsafe_buffer_usage]]
[[unsafe_buffer_usage]] // sic!
void foo(int *p, int *q, size_t sz) {
   foo(p, span<int>(q, <#size#>), sz); // warning: unsafe buffer usage over 'p'
}

There are a few things that look wrong here.

The set of overloads still makes sense; we get ourselves 4 overloads in all combinations of spans and raw pointers. This on its own makes sense.

We've also somehow got the new raw overload (with two raw pointers) carry two instances of [[unsafe_buffer_usage]]. It lowkey makes sense because the function is unsafe with respect to both parameters, but we probably don't want people to write such code.

Now, here's where it gets really weird. You'd probably expect that new raw overload to call foo(span<int>(p, sz), span<int>(q, sz), sz). If it just did that, it'd be perfectly reasonable code. But it doesn't do that! Indeed, by design the autogenerated compatibility overload calls the freshly-fixed function. Which in case of Step 3 was foo(int *p, span<int> q, size_t sz).

Also, the new raw overload already has a warning in it! This is completely unacceptable. This happened because the function under fix was already annotated as [[unsafe_buffer_usage]]. The autofix wouldn't remove the attribute; the attribute is still completely appropriate there.

Finally, because there's a new warning, the process doesn't stop after Step 3 either. I'll leave imagining what Step 4 would look like as an easy exercise to the reader ^.^

So one way or another, we really don't want to be in the business of incrementally fixing parameters one-by-one. Fixing all parameters at once is much easier than fixing them incrementally and discarding all analysis state on each step. Analysis of "partially spanified" code is much harder than analysis of raw C-style code, so we prefer single-step transformation in most cases.

Another direction that we can explore is to avoid auto-fixing functions that already carry [[unsafe_buffer_usage]]. Indeed, it's already a compatibility overload and we know it; it's not *supposed* to be safe! This will prevent Step 3 from breaking things, so it'll leave us with 3 overloads - not ideal, but not incorrect either. It'll also eliminate the "double attribute" problem.

And we ultimately need to explore this direction because no matter how hard we avoid automatic partial transformations, people will still do manual partial transformations! And when they do, we need to demonstrate some reasonable behavior.

But for now let's focus on the basic use case.

NoQ added inline comments.Jun 20 2023, 6:27 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2362–2366

There's a bug in variable naming: FixablesForUnsafeVarsactually contains fixables for *all* variables. Rashmi correctly renames it in D150489 to reflect its actual behavior. So IIUC you're generating fixits for all variables here, which is probably not what you want.

2636–2639

Does this really go in both directions? Shouldn't it be just one direction?

void foo(int *p) {
  int *q = new int[10];
  p = q;
  q[5] = 7;
}

In this case q is an unsafe local buffer, but p is a (mostly) safe single-object pointer that doesn't need fixing, despite implication from q to p. Of course this example is somewhat unrealistic (people don't usually overwrite their parameters), but it is also the only situation where the other direction matters.

2651

What about the situation where params aren't seen as unsafe yet, but they're discovered to be unsafe later? Eg.

void foo(int *p, int *q) {
  int *p2 = p;
  p2[5] = 7;
  int *q2 = q;
  q2[5] = 7;
}

Will we notice that p and q need to be fixed simultaneously?

I suspect that the problem of parameter grouping can't be solved by pre-populating strategy implications between all parameters. It'll either cause you to implicate all parameters (even the ones that will never need fixing), or cause you to miss connections between parameters that do need fixing (as the connection is discovered later).

Connection between parameters needs to be added *after* the implications algorithm has finished. And once it's there (might be already there if I missed something), then this part of code probably becomes unnecessary.

2742–2748

Note: This is why FixablesForUnsafeVars is actually FixablesForAllVars.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
14–16

QoL thing: "to propagate bounds information between them" isn't the correct reason in this case. Bounds information doesn't propagate between p and q and a. Each of them carries its own, completely unrelated bounds information.

We need to come up with a different reason. Or it might be better to combine the warnings into one warning here, so that we didn't need a reason:

warning: 'p', 'q' and 'a' are unsafe pointers used for buffer access
note: change type of 'p', 'q' and 'a' to 'std::span' to preserve bounds information

This gets a bit worse when parameters are implicated indirectly, but it still mostly works fine, for example:

void foo(int *p, int *q) {
  int *p2 = p;
  p2[5] = 7;
  int *q2 = q;
  q2[5] = 7;
}

would produce:

warning: 'p2' and 'q2' are unsafe pointers used for buffer access
note: change type of 'p2' and 'q2' to 'std::span' to preserve bounds information, and
      change 'p' and 'q' to 'std::span' to propagate bounds information between them

In any case, this shows that the relationship between parameters (grouped together simply for being parameters) is very different from the relationship within groups of variables implicated by assignments (even if two or more of them are parameters). All the way down to the warning/note printer, we probably need to continue giving the parameter relationship a special treatment.

NoQ added a comment.Jun 20 2023, 6:29 PM

Ok whew that's a big patch! I *think* I found a couple of bugs. In any case, this code is quickly becoming very complicated, and the functions we're editing are rapidly growing out of control. Chopping them up into smaller functions with clear separation of concerns would probably help the reader a lot 😅

ziqingluo-90 added inline comments.Jun 21 2023, 12:57 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2362–2366

Thanks for pointing out the incorrectness of the variable name. Actually, whether a variable is unsafe is irrelevant to this function. The function only cares about all variables that need fixes. So I think the incorrect name of the variable does not affect the functionality of my changes here.

2636–2639

You are right! It should be one-direction.

2651

Yes. They will be noticed. Here is why:

The code here first forms a ring over p and q in the assignment (directed) graph:

p <--> q

Then the two initialization statements (implemented in D150489) add two more edges to the graph:

p2 --> p <--> q <-- q2

The algorithm later searches the graph starting from unsafe variables p2 and q2, respectively, Starting from p2, the algorithm discovers that p2 and p, as well as p and q depend on each other. Starting from q2, the algorithm discovers that q2 and q, as well as p and q depend on each other. The dependency graph is sort of undirected. So eventually, the four variables p2, p, q, q2 are in the same group.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
14–16

This is a good argument! An edge from p to q in an assignment graph stands for not only that fixing p implicates fixing q but also that the bounds information is propagated from q to p. In this sense, the way I connect parameters is inappropriate.

But my concern is that although treating parameters specially could improve the quality of the diagnostic messages, the code may be more complex and less re-used.

ziqingluo-90 added inline comments.Jun 22 2023, 11:45 AM
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
14–16

So for such an example

int f(int *p, int *q) {
int * a = p;
int * b = q;

a[5] = 0;
b[5] = 0;
}

We will fix all four variables a, b, p, q together. But bounds information propagation only happens between a and p, and b and q, respectively.
Then what should the diagnostic message be? How about something like

change type of 'a' to 'std::span' to preserve bounds information, and change 'p' to propagate bounds information between them. 
To ensure parameters are changed together, also
change type of 'b' to 'std::span' to preserve bounds information, and change 'q' to propagate bounds information between them;
...

for variable a.

NoQ added inline comments.Jun 22 2023, 12:22 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2651

The code here first forms a ring over p and q in the assignment (directed) graph

I don't think it does. The ring is formed over the ParamsNeedFix list, which is empty because none of these parameters are listed in UnsafeOps.byVar.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
14–16

I think the ideal narrative is to emit a single warning against the entire function, which covers all parameters at once, together with all related variables.

int f(int *p, int *q) {  // warning: function 'f' performs unsafe buffer access over parameters 'p' and 'q'
                         // note: change type of 'p' and 'q' to 'std::span' to receive bounds information from the call site,
                         //       and change local variables 'a' and 'b' to 'std::span' to propagate it to the access site

  int * a = p;           // note: bounds information needs to propagate from 'p' to 'a' here
  int * b = q;           // note: bounds information needs to propagate from 'q' to 'b' here

  a[5] = 0;              // note: used in buffer access here
  b[5] = 0;              // note: used in buffer access here
}

This makes a lot of sense given that we're fixing the entire function. This is quite a major change though, we need to think this through.

ziqingluo-90 added inline comments.Jun 22 2023, 5:58 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2651

Actually p and q will be in ParamsNeedFix. Because they are implicated by p2 and q2, who are unsafe variables. ParamsNeedFix include parameters that need fix, either because they are used in unsafe operations or they are implicated by some Gadgets.

But anyway, I now think it's not a good idea to lump parameters with variables grouped by implication, as you pointed out that variable implication also implies bounds propagation.

Instead, I think it might be more appropriate to make a variable group structured:

  • Let's call it a connected components for a set of variables that need to be fixed together and sharing bounds information. (The term connected components has been used in the code to refer to a group of variables. It keeps its meaning here.)
  • Let's redefine a Variable Group to be a set of mutually disjoint connected componentss (CCs). If there are more than one CCs in a variable group, each of the CCs contains at least one parameter.

For generating fix-its for a variable group, this patch still works as it only requires that variables in a variable group are either all fixed or given up as a whole.
For generating diagnostic messages, we now have more information about relations among grouped variables.

NoQ added inline comments.Jun 22 2023, 6:48 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2651

Actually p and q will be in ParamsNeedFix. Because they are implicated by p2 and q2, who are unsafe variables. ParamsNeedFix include parameters that need fix, either because they are used in unsafe operations or they are implicated by some Gadgets.

Ohh, right, it's populated twice, I even commented on the other part but didn't notice it populates the same list!

But in this case you'll probably join p and q in

void foo(int *p, int *q) {
  int *p2 = p;
  p2[5] = 7;
  int *q2 = q;
}

right? (In this case q is implicated by q2 so it gets added to the list, but q2 itself isn't unsafe or implicated by anything, so it doesn't need fixing, but connecting it to p would cause it to be fixed unnecessarily). So I still think this can't be correct unless you do it after the crawler finishes.

But anyway, I now think it's not a good idea to lump parameters with variables grouped by implication, as you pointed out that variable implication also implies bounds propagation.

Yeah, I think it makes a lot more sense. Just look at variable groups already built by the existing crawler, and if more than one of them contains parameters, report all groups that contain parameters through one combined warning.

ziqingluo-90 added inline comments.Jun 23 2023, 3:33 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2651

Though I'm going to remove this part, achieving some agreement on this algorithm may help me understand the problem better.

right? (In this case q is implicated by q2 so it gets added to the list, but q2 itself isn't unsafe or implicated by anything, so it doesn't need fixing, but connecting it to p would cause it to be fixed unnecessarily)

Right. the code in this patch does not form ParmsNeedFix correctly. ParmsNeedFix should be the set of parameters that are either unsafe or being implicated (transitively) by unsafe variables. Then the group would be "correct" I think.

t-rasmud added inline comments.Jun 29 2023, 11:49 AM
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
6

I have used a workaround for non-determinism by using regular expressions to match on the expected-note. See https://github.com/llvm/llvm-project/commit/db3dcedb9cedcec4a9570fda7406490c642df8ae#diff-8486f0b4ae37871fc0a186f40a41adbc70e5a0ca0134dc9bba762e1f17994460R176.
This is definitely a temporary fix (but helps with passing llvm builedbot tests upon landing on llvm-project\main) and we should probably discuss and put in a more reliable fix (say, using ordered sets) in the future.

t-rasmud added inline comments.Jun 29 2023, 1:03 PM
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
252

Does this patch handle virtual methods? Ideally we'd like the fixed methods to have the same subtyping relations as the original method. Does it make sense to have test cases with virtual methods as part of this patch?

NoQ added inline comments.Jun 29 2023, 2:04 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2651

Aha ok, whew, gotcha, makes sense then!

ziqingluo-90 updated this revision to Diff 539720.Jul 12 2023, 2:06 PM
Harbormaster completed remote builds in B244899: Diff 539720.Jul 12 2023, 2:07 PM
ziqingluo-90 added a comment.Jul 12 2023, 2:49 PM
  • a major change to the patch: Parameters are now grouped after the grouping of all variables. The groups that contain parameters of the function will form a union group.
  • changes to the grouping algorithm: Groups will reside in the vector Groups and being accessed through their indexes so that we do not have to copy groups. The GrpsUnionForParms is the union group over groups containing parameters. It holds a separate copy. These data structures are wrapped in VariableGroupsManager, which returns the proper group given any variable that needs fix.
  • add a new diagnostic note kind: diag::note_unsafe_buffer_variable_fixit_together. It will replace diag::note_unsafe_buffer_variable_fixit_group when we do not want to explain how a group of variables gets formed.
  • add a "Comparator" to FixableGadgetSets and replace some std::sets with llvm::SetVectors for deterministic diagnostic messages.
clang/lib/Sema/AnalysisBasedWarnings.cpp
2180

The printing process was extracted as a method with some refactoring.

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
252

Sorry for the late response.
That's a good point. Virtual methods could get things more complicated. This is one of the reasons that we do not fix any member functions at this point.

t-rasmud added inline comments.Jul 18 2023, 5:08 PM
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
307

Can we have a test case with qualifiers on parameters and maybe another with a qualifier on the function itself?

NoQ added a comment.Jul 19 2023, 6:33 PM

Alright, I think I managed to fully chew through this patch and I think it's beautiful and everything makes sense to me!

I have a tiny complaint though: It is very large though, 500 lines of code is very hard to digest all at once. Because we aren't coming in with all the context you had when you wrote this code, it's often very hard for us readers to guess the intention behind every section of the diff, and how they are supposed to work together.

In this patch there are a few refactoring steps that weren't responsible for any change in behavior:

  • Introduce the VariableGroupsManager abstraction;
  • Extract eraseVarsForUnfixableGroupMates() into a function;
  • Extract listVariableGroupAsString into a function;

But because I didn't know that at first, I had to carefully look at every line of code to confirm that it actually doesn't change anything.

So it'd help tremendously if these refactorings were extracted into a parallel "no functional change" ("NFC") patch (with zero tests: no failures on existing tests => the patch is indeed NFC) that doesn't do anything other than "prepare the codebase" for this patch. Then in the NFC patch we'd discuss architecture and confirm that it truly doesn't change anything, whereas in this patch every line of code would be filled with meaning and purpose! ^.^

I'm not sure it makes sense split it up now, probably depends on whether Jan and Rashmi have the same troubles as me ^.^

I also has nitpicks.

clang/lib/Analysis/UnsafeBufferUsage.cpp
2307–2308

(.contains() is unfortunately C++20)

2326–2327

Would it make sense to make createFunctionOverloadsForParms accept a FunctionDecl *D from the start?

2332–2333

Another good use for .count().

2424
2674

Why SetVector? Do we care about order? Maybe just SmallSet?

clang/lib/Sema/AnalysisBasedWarnings.cpp
2183

Does the empty string actually ever make sense for the caller? Maybe just assert that this never happens, and force the caller to check that?

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
38–40

The fix is emitted 3 times right? Once for each warning?

Would it make sense to duplicate the three CHECK: lines three times to confirm that?

t-rasmud added a comment.Jul 20 2023, 9:01 AM

I'm not sure it makes sense split it up now, probably depends on whether Jan and Rashmi have the same troubles as me ^.^

I have to admit it is a difficult patch to follow. It also has a lot of clever ideas that deserve attention but might be lost because of the complexity of the patch. I would really appreciate if this I can be refactored and split up!

NoQ added a comment.Jul 20 2023, 6:26 PM

I just want to add to this, that the NFC part is actually insanely valuable (despite technically not doing anything). This patch is so complex primarily because UnsafeBufferUsage.cpp already has 1300 lines of code in unstructured static functions - that's more than half of our code! I really appreciate every bit of effort to separate it into components with clear boundaries and contracts, and even the new comments really help 🥺

jkorous added a comment.Jul 20 2023, 9:06 PM

I vote for splitting the patch to make both the review and any future debugging or git archeology easier.

ziqingluo-90 added a comment.Jul 27 2023, 12:28 PM

Thanks for the suggestion of splitting this patch to smaller ones.

I have one such smaller patch ready here: https://reviews.llvm.org/D156474. It does make it easier in describing and discussing about the changes.

clang/lib/Analysis/UnsafeBufferUsage.cpp
2674

We'd like to keep the order of elements in this container deterministic. Otherwise, the diagnostic message that lists those elements could be non-deterministic.

clang/lib/Sema/AnalysisBasedWarnings.cpp
2183

The branch deals with the case where the group has only one member, which is the VD. In that case, we do not list group mates of VD as there is none.
This case is actually possible and conforms to the contract of this method.

The case where the group is empty is not suppose to happen.

ziqingluo-90 added a parent revision: D156474: [-Wunsafe-buffer-usage][NFC] Slightly refactor and optimize the code.Jul 31 2023, 12:16 PM
ziqingluo-90 removed a parent revision: D150489: [-Wunsafe-buffer-usage] Handle pointer initializations for grouping related variables.
ziqingluo-90 added a parent revision: D156762: [-Wunsafe-buffer-usage][NFC] Refactor `getFixIts`---where fix-its are generated.Jul 31 2023, 4:24 PM
ziqingluo-90 removed a parent revision: D156474: [-Wunsafe-buffer-usage][NFC] Slightly refactor and optimize the code.
ziqingluo-90 updated this revision to Diff 545872.Jul 31 2023, 5:17 PM
ziqingluo-90 marked 4 inline comments as done.

Carved out NFC changes from the original diff.

Harbormaster completed remote builds in B249360: Diff 545872.Jul 31 2023, 5:17 PM
ziqingluo-90 added inline comments.Jul 31 2023, 5:25 PM
clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp
38–40

I wish there are better ways to test this. I tried CHECK-COUNT-3 but it doesn't work because it expects each line repeats 3 times consecutively.

307

good point. I recently added such tests for parameters and local variables in following open patches:

NoQ added a comment.Aug 1 2023, 5:50 PM

OOo down to ±300, I love this!! I'll take a closer look tomorrow.

clang/lib/Analysis/UnsafeBufferUsage.cpp
2004–2005

Speaking of my comment on the other patch.

Can we simply ask Strategy about the strategy for FD->getParamDecl(i) instead of passing a mask?

Eventually we'll have to do that anyway, given how different parameters can be assigned different strategies.

2048–2052

Arguably not a great use of auto, because the return type isn't literally Identifier *.

2674

Ooo right gotcha!

clang/lib/Sema/AnalysisBasedWarnings.cpp
2183

Gotcha, nice!

ziqingluo-90 updated this revision to Diff 547422.Aug 4 2023, 5:36 PM
ziqingluo-90 marked an inline comment as done.

Address comments.

Harbormaster completed remote builds in B250485: Diff 547422.Aug 4 2023, 5:36 PM
ziqingluo-90 updated this revision to Diff 547425.Aug 4 2023, 5:41 PM
Harbormaster completed remote builds in B250487: Diff 547425.Aug 4 2023, 5:41 PM
ziqingluo-90 added inline comments.Aug 4 2023, 5:53 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2004–2005

Yes. I think using Strategy is the correct way to do it.

Can I make it a follow-up patch? I noticed that this line needs to be fixed:

Strategy NaiveStrategy = getNaiveStrategy(UnsafeVars);

The UnsafeVars is the set of variables associated to all matched FixableGadgets. There can be variables that is safe and do not need fix. Their strategy is set to std::span currently which is not correct. With this line being fixed, we can have examples like

void f(int * p) {
  int * q;
   q = p;
   p[5] = 5;
}

where q's strategy is WONTFIX and p's strategy is std::span. The expression q = p can be fixed to q = p.data(). It currently has an empty fix-it, which is incorrect.

ziqingluo-90 added a child revision: D157441: [-Wunsafe-buffer-usage] Use `Strategy` to determine whether to fix a parameter.Aug 8 2023, 2:37 PM
NoQ added a comment.Aug 8 2023, 4:55 PM

Ok I think this looks great and almost good to go. I love how the core change in the grouping algorithm is actually tiny and simple!

clang/lib/Analysis/UnsafeBufferUsage.cpp
2004–2005

Yes sure!

2498–2500

The usual idiom to avoid double lookup: use find() to extract an iterator, compare it to end() to see if the item was found, and if it was then dereference the iterator.

I wouldn't use at() given that the whole point of .at() is to throw exceptions, while LLVM is compiled with -fno-exceptions.

clang/lib/Sema/AnalysisBasedWarnings.cpp
2293

IIRC we're supposed to stuff ND directly into the stream and it'll figure out on its own how to name it, or how to put quotes around it. See how there's no quotes around %2!

ziqingluo-90 updated this revision to Diff 553285.Aug 24 2023, 3:49 PM
ziqingluo-90 marked 2 inline comments as done.

Address comments

Harbormaster completed remote builds in B254742: Diff 553285.Aug 24 2023, 4:53 PM
NoQ accepted this revision.Sep 20 2023, 2:12 PM

Everything looks great now, let's commit!

Again, thank you Ziqing for simplifying and splitting up the patch. It looks like we're able to keep code complexity from exploding. That makes me feel very optimistic about the future of -Wunsafe-buffer-usage!

clang/lib/Analysis/UnsafeBufferUsage.cpp
1447

Formatting is a bit off (clang-format probably needed some human help here).

This revision is now accepted and ready to land.Sep 20 2023, 2:12 PM
This revision was landed with ongoing or failed builds.Sep 21 2023, 12:45 PM
Closed by commit rG33f6161d9eaa: [-Wunsafe-buffer-usage] Group parameter fix-its (authored by ziqingluo-90). · Explain Why
This revision was automatically updated to reflect the committed changes.
ziqingluo-90 added a commit: rG33f6161d9eaa: [-Wunsafe-buffer-usage] Group parameter fix-its.
ziqingluo-90 edited the summary of this revision. (Show Details)Sep 21 2023, 1:28 PM

Revision Contents

Diff 557194

clang/include/clang/Analysis/Analyses/UnsafeBufferUsage.h

Show All 25 Lines
class VariableGroupsManager { class VariableGroupsManager {
public: public:
VariableGroupsManager() = default; VariableGroupsManager() = default;
virtual ~VariableGroupsManager() = default; virtual ~VariableGroupsManager() = default;
/// Returns the set of variables (including `Var`) that need to be fixed /// Returns the set of variables (including `Var`) that need to be fixed
/// together in one step. /// together in one step.
/// ///
/// `Var` must be a variable that needs fix (so it must be in a group). /// `Var` must be a variable that needs fix (so it must be in a group).
virtual VarGrpRef getGroupOfVar(const VarDecl *Var) const =0; /// `HasParm` is an optional argument that will be set to true if the set of
/// variables, where `Var` is in, contains parameters.
virtual VarGrpRef getGroupOfVar(const VarDecl *Var,
bool *HasParm = nullptr) const =0;
}; };
/// The interface that lets the caller handle unsafe buffer usage analysis /// The interface that lets the caller handle unsafe buffer usage analysis
/// results by overriding this class's handle... methods. /// results by overriding this class's handle... methods.
class UnsafeBufferUsageHandler { class UnsafeBufferUsageHandler {
#ifndef NDEBUG #ifndef NDEBUG
public: public:
// A self-debugging facility that you can use to notify the user when // A self-debugging facility that you can use to notify the user when
Show All 14 Linespublic:
/// of primitive fixits (individual insertions/removals/replacements). /// of primitive fixits (individual insertions/removals/replacements).
using FixItList = llvm::SmallVectorImpl<FixItHint>; using FixItList = llvm::SmallVectorImpl<FixItHint>;
/// Invoked when an unsafe operation over raw pointers is found. /// Invoked when an unsafe operation over raw pointers is found.
virtual void handleUnsafeOperation(const Stmt *Operation, virtual void handleUnsafeOperation(const Stmt *Operation,
bool IsRelatedToDecl) = 0; bool IsRelatedToDecl) = 0;
/// Invoked when a fix is suggested against a variable. This function groups /// Invoked when a fix is suggested against a variable. This function groups
/// all variables that must be fixed together (i.e their types must be changed to the /// all variables that must be fixed together (i.e their types must be changed
/// same target type to prevent type mismatches) into a single fixit. /// to the same target type to prevent type mismatches) into a single fixit.
///
/// `D` is the declaration of the callable under analysis that owns `Variable`
/// and all of its group mates.
virtual void handleUnsafeVariableGroup(const VarDecl *Variable, virtual void handleUnsafeVariableGroup(const VarDecl *Variable,
const VariableGroupsManager &VarGrpMgr, const VariableGroupsManager &VarGrpMgr,
FixItList &&Fixes) = 0; FixItList &&Fixes, const Decl *D) = 0;
#ifndef NDEBUG #ifndef NDEBUG
public: public:
bool areDebugNotesRequested() { bool areDebugNotesRequested() {
DEBUG_WITH_TYPE("SafeBuffers", return true); DEBUG_WITH_TYPE("SafeBuffers", return true);
return false; return false;
} }
Show All 35 Lines

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 11,910 Lines▼ Show 20 Lines
def warn_unsafe_buffer_operation : Warning< def warn_unsafe_buffer_operation : Warning<
"%select{unsafe pointer operation|unsafe pointer arithmetic|" "%select{unsafe pointer operation|unsafe pointer arithmetic|"
"unsafe buffer access|function introduces unsafe buffer manipulation}0">, "unsafe buffer access|function introduces unsafe buffer manipulation}0">,
InGroup<UnsafeBufferUsage>, DefaultIgnore; InGroup<UnsafeBufferUsage>, DefaultIgnore;
def note_unsafe_buffer_operation : Note< def note_unsafe_buffer_operation : Note<
"used%select{| in pointer arithmetic| in buffer access}0 here">; "used%select{| in pointer arithmetic| in buffer access}0 here">;
def note_unsafe_buffer_variable_fixit_group : Note< def note_unsafe_buffer_variable_fixit_group : Note<
"change type of %0 to '%select{std::span|std::array|std::span::iterator}1' to preserve bounds information%select{|, and change %2 to '%select{std::span|std::array|std::span::iterator}1' to propagate bounds information between them}3">; "change type of %0 to '%select{std::span|std::array|std::span::iterator}1' to preserve bounds information%select{|, and change %2 to '%select{std::span|std::array|std::span::iterator}1' to propagate bounds information between them}3">;
def note_unsafe_buffer_variable_fixit_together : Note<
"change type of %0 to '%select{std::span|std::array|std::span::iterator}1' to preserve bounds information"
"%select{|, and change %2 to safe types to make function %4 bounds-safe}3">;
def note_safe_buffer_usage_suggestions_disabled : Note< def note_safe_buffer_usage_suggestions_disabled : Note<
"pass -fsafe-buffer-usage-suggestions to receive code hardening suggestions">; "pass -fsafe-buffer-usage-suggestions to receive code hardening suggestions">;
#ifndef NDEBUG #ifndef NDEBUG
// Not a user-facing diagnostic. Useful for debugging false negatives in // Not a user-facing diagnostic. Useful for debugging false negatives in
// -fsafe-buffer-usage-suggestions (i.e. lack of -Wunsafe-buffer-usage fixits). // -fsafe-buffer-usage-suggestions (i.e. lack of -Wunsafe-buffer-usage fixits).
def note_safe_buffer_debug_mode : Note<"safe buffers debug: %0">; def note_safe_buffer_debug_mode : Note<"safe buffers debug: %0">;
#endif #endif
▲ Show 20 LinesShow All 42 LinesShow Last 20 Lines

clang/lib/Analysis/UnsafeBufferUsage.cpp

Show First 20 LinesShow All 1,428 Lines▼ Show 20 Lines return !(SM.isBeforeInTranslationUnit(At->getRange().getEnd(),
!(SM.isBeforeInTranslationUnit(VD->getEndLoc(), !(SM.isBeforeInTranslationUnit(VD->getEndLoc(),
At->getRange().getBegin())); At->getRange().getBegin()));
}); });
return VD->isInlineSpecified() || VD->isConstexpr() || return VD->isInlineSpecified() || VD->isConstexpr() ||
VD->hasConstantInitialization() || !VD->hasLocalStorage() || VD->hasConstantInitialization() || !VD->hasLocalStorage() ||
AttrRangeOverlapping; AttrRangeOverlapping;
} }
// Returns the `SourceRange` of `D`. The reason why this function exists is
// that `D->getSourceRange()` may return a range where the end location is the
// starting location of the last token. The end location of the source range
// returned by this function is the last location of the last token.
static SourceRange getSourceRangeToTokenEnd(const Decl *D,
const SourceManager &SM,
LangOptions LangOpts) {
SourceLocation Begin = D->getBeginLoc();
SourceLocation
End = // `D->getEndLoc` should always return the starting location of the
// last token, so we should get the end of the token
NoQUnsubmitted
Not Done
ReplyInline Actions

Formatting is a bit off (clang-format probably needed some human help here).

NoQ: Formatting is a bit off (clang-format probably needed some human help here).
Lexer::getLocForEndOfToken(D->getEndLoc(), 0, SM, LangOpts);
return SourceRange(Begin, End);
}
// Returns the text of the pointee type of `T` from a `VarDecl` of a pointer // Returns the text of the pointee type of `T` from a `VarDecl` of a pointer
// type. The text is obtained through from `TypeLoc`s. Since `TypeLoc` does not // type. The text is obtained through from `TypeLoc`s. Since `TypeLoc` does not
// have source ranges of qualifiers ( The `QualifiedTypeLoc` looks hacky too me // have source ranges of qualifiers ( The `QualifiedTypeLoc` looks hacky too me
// :( ), `Qualifiers` of the pointee type is returned separately through the // :( ), `Qualifiers` of the pointee type is returned separately through the
// output parameter `QualifiersToAppend`. // output parameter `QualifiersToAppend`.
static std::optional<std::string> static std::optional<std::string>
getPointeeTypeText(const VarDecl *VD, const SourceManager &SM, getPointeeTypeText(const VarDecl *VD, const SourceManager &SM,
const LangOptions &LangOpts, const LangOptions &LangOpts,
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Linesstatic std::optional<StringRef> getFunNameText(const FunctionDecl *FD,
// last token: // last token:
SourceLocation EndLoc = Lexer::getLocForEndOfToken( SourceLocation EndLoc = Lexer::getLocForEndOfToken(
FD->getNameInfo().getEndLoc(), 0, SM, LangOpts); FD->getNameInfo().getEndLoc(), 0, SM, LangOpts);
SourceRange NameRange{BeginLoc, EndLoc}; SourceRange NameRange{BeginLoc, EndLoc};
return getRangeText(NameRange, SM, LangOpts); return getRangeText(NameRange, SM, LangOpts);
} }
// Returns the text representing a `std::span` type where the element type is
// represented by `EltTyText`.
//
// Note the optional parameter `Qualifiers`: one needs to pass qualifiers
// explicitly if the element type needs to be qualified.
static std::string
getSpanTypeText(StringRef EltTyText,
std::optional<Qualifiers> Quals = std::nullopt) {
const char *const SpanOpen = "std::span<";
if (Quals)
return SpanOpen + EltTyText.str() + ' ' + Quals->getAsString() + '>';
return SpanOpen + EltTyText.str() + '>';
}
std::optional<FixItList> std::optional<FixItList>
DerefSimplePtrArithFixableGadget::getFixits(const Strategy &s) const { DerefSimplePtrArithFixableGadget::getFixits(const Strategy &s) const {
const VarDecl *VD = dyn_cast<VarDecl>(BaseDeclRefExpr->getDecl()); const VarDecl *VD = dyn_cast<VarDecl>(BaseDeclRefExpr->getDecl());
if (VD && s.lookup(VD) == Strategy::Kind::Span) { if (VD && s.lookup(VD) == Strategy::Kind::Span) {
ASTContext &Ctx = VD->getASTContext(); ASTContext &Ctx = VD->getASTContext();
// std::span can't represent elements before its begin() // std::span can't represent elements before its begin()
if (auto ConstVal = Offset->getIntegerConstantExpr(Ctx)) if (auto ConstVal = Offset->getIntegerConstantExpr(Ctx))
▲ Show 20 LinesShow All 372 Lines▼ Show 20 Lines FixIts.push_back(FixItHint::CreateReplacement(
SourceRange(D->getBeginLoc(), EndLocForReplacement), SS.str())); SourceRange(D->getBeginLoc(), EndLocForReplacement), SS.str()));
return FixIts; return FixIts;
} }
static bool hasConflictingOverload(const FunctionDecl *FD) { static bool hasConflictingOverload(const FunctionDecl *FD) {
return !FD->getDeclContext()->lookup(FD->getDeclName()).isSingleResult(); return !FD->getDeclContext()->lookup(FD->getDeclName()).isSingleResult();
} }
// For a `FunDecl`, one of whose `ParmVarDecl`s is being changed to have a new // For a `FunctionDecl`, whose `ParmVarDecl`s are being changed to have new
// type, this function produces fix-its to make the change self-contained. Let // types, this function produces fix-its to make the change self-contained. Let
// 'F' be the entity defined by the original `FunDecl` and "NewF" be the entity // 'F' be the entity defined by the original `FunctionDecl` and "NewF" be the
// defined by the `FunDecl` after the change to the parameter. Fix-its produced // entity defined by the `FunctionDecl` after the change to the parameters.
// by this function are // Fix-its produced by this function are
// 1. Add the `[[clang::unsafe_buffer_usage]]` attribute to each declaration // 1. Add the `[[clang::unsafe_buffer_usage]]` attribute to each declaration
// of 'F'; // of 'F';
// 2. Create a declaration of "NewF" next to each declaration of `F`; // 2. Create a declaration of "NewF" next to each declaration of `F`;
// 3. Create a definition of "F" (as its' original definition is now belongs // 3. Create a definition of "F" (as its' original definition is now belongs
// to "NewF") next to its original definition. The body of the creating // to "NewF") next to its original definition. The body of the creating
// definition calls to "NewF". // definition calls to "NewF".
// //
// Example: // Example:
Show All 16 Lines
// } // }
// //
// The actual fix-its may contain more details, e.g., the attribute may be guard // The actual fix-its may contain more details, e.g., the attribute may be guard
// by a macro // by a macro
// #if __has_cpp_attribute(clang::unsafe_buffer_usage) // #if __has_cpp_attribute(clang::unsafe_buffer_usage)
// [[clang::unsafe_buffer_usage]] // [[clang::unsafe_buffer_usage]]
// #endif // #endif
// //
// `NewTypeText` is the string representation of the new type, to which the // `ParmsMask` is an array of size of `FD->getNumParams()` such
// parameter indexed by `ParmIdx` is being changed. // that `ParmsMask[i]` is true iff the `i`-th parameter will be fixed with some
// strategy.
static std::optional<FixItList> static std::optional<FixItList>
createOverloadsForFixedParams(unsigned ParmIdx, StringRef NewTyText, createOverloadsForFixedParams(const std::vector<bool> &ParmsMask, const Strategy &S,
const FunctionDecl *FD, const ASTContext &Ctx, const FunctionDecl *FD, const ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
// FIXME: need to make this conflict checking better: // FIXME: need to make this conflict checking better:
if (hasConflictingOverload(FD)) if (hasConflictingOverload(FD))
return std::nullopt; return std::nullopt;
const SourceManager &SM = Ctx.getSourceManager(); const SourceManager &SM = Ctx.getSourceManager();
const LangOptions &LangOpts = Ctx.getLangOpts(); const LangOptions &LangOpts = Ctx.getLangOpts();
const unsigned NumParms = FD->getNumParams();
std::vector<std::string> NewTysTexts(NumParms);
for (unsigned i = 0; i < NumParms; i++) {
if (!ParmsMask[i])
continue;
NoQUnsubmitted
Not Done
ReplyInline Actions

Speaking of my comment on the other patch.

Can we simply ask Strategy about the strategy for FD->getParamDecl(i) instead of passing a mask?

Eventually we'll have to do that anyway, given how different parameters can be assigned different strategies.

NoQ: Speaking of [[ https://reviews.llvm.org/D156762#inline-1517322 |my comment on the other patch]].
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

Yes. I think using Strategy is the correct way to do it.

Can I make it a follow-up patch? I noticed that this line needs to be fixed:

Strategy NaiveStrategy = getNaiveStrategy(UnsafeVars);

The UnsafeVars is the set of variables associated to all matched FixableGadgets. There can be variables that is safe and do not need fix. Their strategy is set to std::span currently which is not correct. With this line being fixed, we can have examples like

void f(int * p) {
  int * q;
   q = p;
   p[5] = 5;
}

where q's strategy is WONTFIX and p's strategy is std::span. The expression q = p can be fixed to q = p.data(). It currently has an empty fix-it, which is incorrect.

ziqingluo-90: Yes. I think using `Strategy` is the correct way to do it. Can I make it a follow-up patch?
NoQUnsubmitted
Not Done
ReplyInline Actions

Yes sure!

NoQ: Yes sure!
std::optional<Qualifiers> PteTyQuals = std::nullopt;
std::optional<std::string> PteTyText =
getPointeeTypeText(FD->getParamDecl(i), SM, LangOpts, &PteTyQuals);
if (!PteTyText)
// something wrong in obtaining the text of the pointee type, give up
return std::nullopt;
// FIXME: whether we should create std::span type depends on the Strategy.
NewTysTexts[i] = getSpanTypeText(*PteTyText, PteTyQuals);
}
// FIXME Respect indentation of the original code. // FIXME Respect indentation of the original code.
// A lambda that creates the text representation of a function declaration // A lambda that creates the text representation of a function declaration
// with the new type signature: // with the new type signatures:
const auto NewOverloadSignatureCreator = const auto NewOverloadSignatureCreator =
[&SM, &LangOpts](const FunctionDecl *FD, unsigned ParmIdx, [&SM, &LangOpts, &NewTysTexts,
StringRef NewTypeText) -> std::optional<std::string> { &ParmsMask](const FunctionDecl *FD) -> std::optional<std::string> {
std::stringstream SS; std::stringstream SS;
SS << ";"; SS << ";";
SS << getEndOfLine().str(); SS << getEndOfLine().str();
// Append: ret-type func-name "(" // Append: ret-type func-name "("
if (auto Prefix = getRangeText( if (auto Prefix = getRangeText(
SourceRange(FD->getBeginLoc(), (*FD->param_begin())->getBeginLoc()), SourceRange(FD->getBeginLoc(), (*FD->param_begin())->getBeginLoc()),
SM, LangOpts)) SM, LangOpts))
SS << Prefix->str(); SS << Prefix->str();
else else
return std::nullopt; // give up return std::nullopt; // give up
// Append: parameter-type-list // Append: parameter-type-list
const unsigned NumParms = FD->getNumParams(); const unsigned NumParms = FD->getNumParams();
for (unsigned i = 0; i < NumParms; i++) { for (unsigned i = 0; i < NumParms; i++) {
const ParmVarDecl *Parm = FD->getParamDecl(i); const ParmVarDecl *Parm = FD->getParamDecl(i);
if (Parm->isImplicit()) if (Parm->isImplicit())
continue; continue;
if (i == ParmIdx) { if (ParmsMask[i]) {
SS << NewTypeText.str(); // This `i`-th parameter will be fixed with `NewTysTexts[i]` being its
// new type:
SS << NewTysTexts[i];
// print parameter name if provided: // print parameter name if provided:
if (IdentifierInfo * II = Parm->getIdentifier()) if (IdentifierInfo *II = Parm->getIdentifier())
SS << " " << II->getName().str(); SS << ' ' << II->getName().str();
} else if (auto ParmTypeText = } else if (auto ParmTypeText = getRangeText(
getRangeText(Parm->getSourceRange(), SM, LangOpts)) { getSourceRangeToTokenEnd(Parm, SM, LangOpts),
SM, LangOpts)) {
NoQUnsubmitted
Done
ReplyInline Actions
// print parameter name if provided:
- if (auto II = Parm->getIdentifier())
+ if (auto *II = Parm->getIdentifier())
SS << ' ' << II->getName().str();

Arguably not a great use of auto, because the return type isn't literally Identifier *.

NoQ: Arguably not a great use of `auto`, because the return type isn't literally `Identifier *`.
// print the whole `Parm` without modification: // print the whole `Parm` without modification:
SS << ParmTypeText->str(); SS << ParmTypeText->str();
} else } else
return std::nullopt; // something wrong, give up return std::nullopt; // something wrong, give up
if (i != NumParms - 1) if (i != NumParms - 1)
SS << ", "; SS << ", ";
} }
SS << ")"; SS << ")";
return SS.str(); return SS.str();
}; };
// A lambda that creates the text representation of a function definition with // A lambda that creates the text representation of a function definition with
// the original signature: // the original signature:
const auto OldOverloadDefCreator = const auto OldOverloadDefCreator =
[&SM, &Handler, [&Handler, &SM, &LangOpts, &NewTysTexts,
&LangOpts](const FunctionDecl *FD, unsigned ParmIdx, &ParmsMask](const FunctionDecl *FD) -> std::optional<std::string> {
StringRef NewTypeText) -> std::optional<std::string> {
std::stringstream SS; std::stringstream SS;
SS << getEndOfLine().str(); SS << getEndOfLine().str();
// Append: attr-name ret-type func-name "(" param-list ")" "{" // Append: attr-name ret-type func-name "(" param-list ")" "{"
if (auto FDPrefix = getRangeText( if (auto FDPrefix = getRangeText(
SourceRange(FD->getBeginLoc(), FD->getBody()->getBeginLoc()), SM, SourceRange(FD->getBeginLoc(), FD->getBody()->getBeginLoc()), SM,
LangOpts)) LangOpts))
SS << Handler.getUnsafeBufferUsageAttributeTextAt(FD->getBeginLoc(), " ") SS << Handler.getUnsafeBufferUsageAttributeTextAt(FD->getBeginLoc(), " ")
Show All 13 Lines for (unsigned i = 0; i < NumParms; i++) {
if (Parm->isImplicit()) if (Parm->isImplicit())
continue; continue;
// FIXME: If a parameter has no name, it is unused in the // FIXME: If a parameter has no name, it is unused in the
// definition. So we could just leave it as it is. // definition. So we could just leave it as it is.
if (!Parm->getIdentifier()) if (!Parm->getIdentifier())
// If a parameter of a function definition has no name: // If a parameter of a function definition has no name:
return std::nullopt; return std::nullopt;
if (i == ParmIdx) if (ParmsMask[i])
// This is our spanified paramter! // This is our spanified paramter!
SS << NewTypeText.str() << "(" << Parm->getIdentifier()->getName().str() << ", " SS << NewTysTexts[i] << "(" << Parm->getIdentifier()->getName().str()
<< getUserFillPlaceHolder("size") << ")"; << ", " << getUserFillPlaceHolder("size") << ")";
else else
SS << Parm->getIdentifier()->getName().str(); SS << Parm->getIdentifier()->getName().str();
if (i != NumParms - 1) if (i != NumParms - 1)
SS << ", "; SS << ", ";
} }
// finish call and the body // finish call and the body
SS << ");}" << getEndOfLine().str(); SS << ");}" << getEndOfLine().str();
// FIXME: 80-char line formatting? // FIXME: 80-char line formatting?
return SS.str(); return SS.str();
}; };
FixItList FixIts{}; FixItList FixIts{};
for (FunctionDecl *FReDecl : FD->redecls()) { for (FunctionDecl *FReDecl : FD->redecls()) {
std::optional<SourceLocation> Loc = getPastLoc(FReDecl, SM, LangOpts); std::optional<SourceLocation> Loc = getPastLoc(FReDecl, SM, LangOpts);
if (!Loc) if (!Loc)
return {}; return {};
if (FReDecl->isThisDeclarationADefinition()) { if (FReDecl->isThisDeclarationADefinition()) {
assert(FReDecl == FD && "inconsistent function definition"); assert(FReDecl == FD && "inconsistent function definition");
// Inserts a definition with the old signature to the end of // Inserts a definition with the old signature to the end of
// `FReDecl`: // `FReDecl`:
if (auto OldOverloadDef = if (auto OldOverloadDef = OldOverloadDefCreator(FReDecl))
OldOverloadDefCreator(FReDecl, ParmIdx, NewTyText))
FixIts.emplace_back(FixItHint::CreateInsertion(*Loc, *OldOverloadDef)); FixIts.emplace_back(FixItHint::CreateInsertion(*Loc, *OldOverloadDef));
else else
return {}; // give up return {}; // give up
} else { } else {
// Adds the unsafe-buffer attribute (if not already there) to `FReDecl`: // Adds the unsafe-buffer attribute (if not already there) to `FReDecl`:
if (!FReDecl->hasAttr<UnsafeBufferUsageAttr>()) { if (!FReDecl->hasAttr<UnsafeBufferUsageAttr>()) {
FixIts.emplace_back(FixItHint::CreateInsertion( FixIts.emplace_back(FixItHint::CreateInsertion(
FReDecl->getBeginLoc(), Handler.getUnsafeBufferUsageAttributeTextAt( FReDecl->getBeginLoc(), Handler.getUnsafeBufferUsageAttributeTextAt(
FReDecl->getBeginLoc(), " "))); FReDecl->getBeginLoc(), " ")));
} }
// Inserts a declaration with the new signature to the end of `FReDecl`: // Inserts a declaration with the new signature to the end of `FReDecl`:
if (auto NewOverloadDecl = if (auto NewOverloadDecl = NewOverloadSignatureCreator(FReDecl))
NewOverloadSignatureCreator(FReDecl, ParmIdx, NewTyText))
FixIts.emplace_back(FixItHint::CreateInsertion(*Loc, *NewOverloadDecl)); FixIts.emplace_back(FixItHint::CreateInsertion(*Loc, *NewOverloadDecl));
else else
return {}; return {};
} }
} }
return FixIts; return FixIts;
} }
// To fix a `ParmVarDecl` to be of `std::span` type. In addition, creating a // To fix a `ParmVarDecl` to be of `std::span` type.
// new overload of the function so that the change is self-contained (see
// `createOverloadsForFixedParams`).
static FixItList fixParamWithSpan(const ParmVarDecl *PVD, const ASTContext &Ctx, static FixItList fixParamWithSpan(const ParmVarDecl *PVD, const ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
if (hasUnsupportedSpecifiers(PVD, Ctx.getSourceManager())) { if (hasUnsupportedSpecifiers(PVD, Ctx.getSourceManager())) {
DEBUG_NOTE_DECL_FAIL(PVD, " : has unsupport specifier(s)"); DEBUG_NOTE_DECL_FAIL(PVD, " : has unsupport specifier(s)");
return {}; return {};
} }
if (PVD->hasDefaultArg()) { if (PVD->hasDefaultArg()) {
// FIXME: generate fix-its for default values: // FIXME: generate fix-its for default values:
DEBUG_NOTE_DECL_FAIL(PVD, " : has default arg"); DEBUG_NOTE_DECL_FAIL(PVD, " : has default arg");
return {}; return {};
} }
assert(PVD->getType()->isPointerType()); std::optional<Qualifiers> PteTyQualifiers = std::nullopt;
auto *FD = dyn_cast<FunctionDecl>(PVD->getDeclContext()); std::optional<std::string> PteTyText = getPointeeTypeText(
PVD, Ctx.getSourceManager(), Ctx.getLangOpts(), &PteTyQualifiers);
if (!PteTyText) {
DEBUG_NOTE_DECL_FAIL(PVD, " : invalid pointee type");
return {};
}
std::optional<StringRef> PVDNameText = PVD->getIdentifier()->getName();
if (!FD) { if (!PVDNameText) {
DEBUG_NOTE_DECL_FAIL(PVD, " : invalid func decl"); DEBUG_NOTE_DECL_FAIL(PVD, " : invalid identifier name");
return {}; return {};
} }
std::stringstream SS; std::stringstream SS;
std::optional<std::string> SpanTyText = createSpanTypeForVarDecl(PVD, Ctx); std::optional<std::string> SpanTyText = createSpanTypeForVarDecl(PVD, Ctx);
std::optional<StringRef> ParmIdentText;
if (!SpanTyText) if (PteTyQualifiers)
return {}; // Append qualifiers if they exist:
SS << *SpanTyText; SS << getSpanTypeText(*PteTyText, PteTyQualifiers);
else
SS << getSpanTypeText(*PteTyText);
// Append qualifiers to the type of the parameter: // Append qualifiers to the type of the parameter:
if (PVD->getType().hasQualifiers()) if (PVD->getType().hasQualifiers())
SS << " " << PVD->getType().getQualifiers().getAsString(); SS << ' ' << PVD->getType().getQualifiers().getAsString();
ParmIdentText =
getVarDeclIdentifierText(PVD, Ctx.getSourceManager(), Ctx.getLangOpts());
if (!ParmIdentText)
return {};
// Append parameter's name: // Append parameter's name:
SS << " " << ParmIdentText->str(); SS << ' ' << PVDNameText->str();
// Add replacement fix-it:
FixItList Fixes; return {FixItHint::CreateReplacement(PVD->getSourceRange(), SS.str())};
unsigned ParmIdx = 0;
Fixes.push_back(
FixItHint::CreateReplacement(PVD->getSourceRange(), SS.str()));
for (auto *ParmIter : FD->parameters()) {
if (PVD == ParmIter)
break;
ParmIdx++;
}
if (ParmIdx < FD->getNumParams())
if (auto OverloadFix = createOverloadsForFixedParams(ParmIdx, *SpanTyText,
FD, Ctx, Handler)) {
Fixes.append(*OverloadFix);
return Fixes;
}
DEBUG_NOTE_DECL_FAIL(PVD, " : invalid number of parameters");
return {};
} }
static FixItList fixVariableWithSpan(const VarDecl *VD, static FixItList fixVariableWithSpan(const VarDecl *VD,
const DeclUseTracker &Tracker, const DeclUseTracker &Tracker,
ASTContext &Ctx, ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
const DeclStmt *DS = Tracker.lookupDecl(VD); const DeclStmt *DS = Tracker.lookupDecl(VD);
if (!DS) { if (!DS) {
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Lines return llvm::any_of(FixIts, [](const FixItHint &Hint) {
auto Range = Hint.RemoveRange; auto Range = Hint.RemoveRange;
if (Range.getBegin().isMacroID() || Range.getEnd().isMacroID()) if (Range.getBegin().isMacroID() || Range.getEnd().isMacroID())
// If the range (or the first token) is (part of) a macro expansion: // If the range (or the first token) is (part of) a macro expansion:
return true; return true;
return false; return false;
}); });
} }
// Returns true iff `VD` is a parameter of the declaration `D`:
static bool isParameterOf(const VarDecl *VD, const Decl *D) {
return isa<ParmVarDecl>(VD) &&
VD->getDeclContext() == dyn_cast<DeclContext>(D);
}
// Erases variables in `FixItsForVariable`, if such a variable has an unfixable // Erases variables in `FixItsForVariable`, if such a variable has an unfixable
// group mate. A variable `v` is unfixable iff `FixItsForVariable` does not // group mate. A variable `v` is unfixable iff `FixItsForVariable` does not
// contain `v`. // contain `v`.
static void eraseVarsForUnfixableGroupMates( static void eraseVarsForUnfixableGroupMates(
std::map<const VarDecl *, FixItList> &FixItsForVariable, std::map<const VarDecl *, FixItList> &FixItsForVariable,
const VariableGroupsManager &VarGrpMgr) { const VariableGroupsManager &VarGrpMgr) {
// Variables will be removed from `FixItsForVariable`: // Variables will be removed from `FixItsForVariable`:
SmallVector<const VarDecl *, 8> ToErase; SmallVector<const VarDecl *, 8> ToErase;
for (auto [VD, Ignore] : FixItsForVariable) { for (auto [VD, Ignore] : FixItsForVariable) {
VarGrpRef Grp = VarGrpMgr.getGroupOfVar(VD); VarGrpRef Grp = VarGrpMgr.getGroupOfVar(VD);
if (llvm::any_of(Grp, if (llvm::any_of(Grp,
[&FixItsForVariable](const VarDecl *GrpMember) -> bool { [&FixItsForVariable](const VarDecl *GrpMember) -> bool {
return FixItsForVariable.find(GrpMember) == return !FixItsForVariable.count(GrpMember);
FixItsForVariable.end();
})) { })) {
// At least one group member cannot be fixed, so we have to erase the // At least one group member cannot be fixed, so we have to erase the
// whole group: // whole group:
for (const VarDecl *Member : Grp) for (const VarDecl *Member : Grp)
ToErase.push_back(Member); ToErase.push_back(Member);
} }
} }
NoQUnsubmitted
Done
ReplyInline Actions
[&FixItsForVariable](const VarDecl *GrpMember) -> bool {
- return FixItsForVariable.find(GrpMember) ==
- FixItsForVariable.end();
+ return FixItsForVariable.count(GrpMember);
})) {

(.contains() is unfortunately C++20)

NoQ: (`.contains()` is unfortunately C++20)
for (auto *VarToErase : ToErase) for (auto *VarToErase : ToErase)
FixItsForVariable.erase(VarToErase); FixItsForVariable.erase(VarToErase);
} }
// Returns the fix-its that create bounds-safe function overloads for the
// function `D`, if `D`'s parameters will be changed to safe-types through
// fix-its in `FixItsForVariable`.
//
// NOTE: In case `D`'s parameters will be changed but bounds-safe function
// overloads cannot created, the whole group that contains the parameters will
// be erased from `FixItsForVariable`.
static FixItList createFunctionOverloadsForParms(
std::map<const VarDecl *, FixItList> &FixItsForVariable /* mutable */,
const VariableGroupsManager &VarGrpMgr, const FunctionDecl *FD,
const Strategy &S, ASTContext &Ctx, UnsafeBufferUsageHandler &Handler) {
FixItList FixItsSharedByParms{};
std::vector<bool> ParmsNeedFixMask(FD->getNumParams(), false);
const VarDecl *FirstParmNeedsFix = nullptr;
NoQUnsubmitted
Done
ReplyInline Actions

Would it make sense to make createFunctionOverloadsForParms accept a FunctionDecl *D from the start?

NoQ: Would it make sense to make `createFunctionOverloadsForParms` accept a `FunctionDecl *D` from…
for (unsigned i = 0; i < FD->getNumParams(); i++)
if (FixItsForVariable.count(FD->getParamDecl(i))) {
ParmsNeedFixMask[i] = true;
FirstParmNeedsFix = FD->getParamDecl(i);
}
if (FirstParmNeedsFix) {
NoQUnsubmitted
Done
ReplyInline Actions

Another good use for .count().

NoQ: Another good use for `.count()`.
// In case at least one parameter needs to be fixed:
std::optional<FixItList> OverloadFixes =
createOverloadsForFixedParams(ParmsNeedFixMask, S, FD, Ctx, Handler);
if (OverloadFixes) {
FixItsSharedByParms.append(*OverloadFixes);
} else {
// Something wrong in generating `OverloadFixes`, need to remove the
// whole group, where parameters are in, from `FixItsForVariable` (Note
// that all parameters should be in the same group):
for (auto *Member : VarGrpMgr.getGroupOfVar(FirstParmNeedsFix))
FixItsForVariable.erase(Member);
}
}
return FixItsSharedByParms;
}
// Constructs self-contained fix-its for each variable in `FixablesForAllVars`.
static std::map<const VarDecl *, FixItList> static std::map<const VarDecl *, FixItList>
getFixIts(FixableGadgetSets &FixablesForAllVars, const Strategy &S, getFixIts(FixableGadgetSets &FixablesForAllVars, const Strategy &S,
ASTContext &Ctx, ASTContext &Ctx,
/* The function decl under analysis */ const Decl *D, /* The function decl under analysis */ const Decl *D,
const DeclUseTracker &Tracker, UnsafeBufferUsageHandler &Handler, const DeclUseTracker &Tracker, UnsafeBufferUsageHandler &Handler,
const VariableGroupsManager &VarGrpMgr) { const VariableGroupsManager &VarGrpMgr) {
// `FixItsForVariable` will map each variable to a set of fix-its directly // `FixItsForVariable` will map each variable to a set of fix-its directly
// associated to the variable itself. Fix-its of distinct variables in // associated to the variable itself. Fix-its of distinct variables in
// `FixItsForVariable` are disjoint. // `FixItsForVariable` are disjoint.
std::map<const VarDecl *, FixItList> FixItsForVariable; std::map<const VarDecl *, FixItList> FixItsForVariable;
// Populate `FixItsForVariable` with fix-its directly associated with each // Populate `FixItsForVariable` with fix-its directly associated with each
// variable. Fix-its directly associated to a variable 'v' are the ones // variable. Fix-its directly associated to a variable 'v' are the ones
// produced by the `FixableGadget`s whose claimed variable is 'v'. // produced by the `FixableGadget`s whose claimed variable is 'v'.
for (const auto &[VD, Fixables] : FixablesForAllVars.byVar) { for (const auto &[VD, Fixables] : FixablesForAllVars.byVar) {
NoQUnsubmitted
Not Done
ReplyInline Actions

There's a bug in variable naming: FixablesForUnsafeVarsactually contains fixables for *all* variables. Rashmi correctly renames it in D150489 to reflect its actual behavior. So IIUC you're generating fixits for all variables here, which is probably not what you want.

NoQ: There's a bug in variable naming: `FixablesForUnsafeVars`actually contains fixables for *all*…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

Thanks for pointing out the incorrectness of the variable name. Actually, whether a variable is unsafe is irrelevant to this function. The function only cares about all variables that need fixes. So I think the incorrect name of the variable does not affect the functionality of my changes here.

ziqingluo-90: Thanks for pointing out the incorrectness of the variable name. Actually, whether a variable…
FixItsForVariable[VD] = FixItsForVariable[VD] =
fixVariable(VD, S.lookup(VD), D, Tracker, Ctx, Handler); fixVariable(VD, S.lookup(VD), D, Tracker, Ctx, Handler);
// If we fail to produce Fix-It for the declaration we have to skip the // If we fail to produce Fix-It for the declaration we have to skip the
// variable entirely. // variable entirely.
if (FixItsForVariable[VD].empty()) { if (FixItsForVariable[VD].empty()) {
FixItsForVariable.erase(VD); FixItsForVariable.erase(VD);
continue; continue;
} }
for (const auto &F : Fixables) { for (const auto &F : Fixables) {
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

I changed the rest of this function drastically so let me explain what I did.

The table FixItsForVariable is initiated with variables whose declarations and associated Fixables can be fixed. So if a variable is not in the table, either 1) its declaration cannot be fixed or 2) one of its Fixables cannot be fixed. Then, the table is further reduced by removing elements such that at least one of its' group members satisfies 1) or 2).
Eventually, the table FixItsForVariable can be used to determine if a variable is ImpossibleToFix (so we no longer need this flag). FixItsForVariable[V], if V exists there, is a collection of fix-its for V's declaration and all Fixables associated to V.

With parameters being fixed, we also generate function overloads as fix-its for the parameters. These overload fix-its are "shared" by the parameters. It means that these fix-its will be added for the group where the parameters belong to, instead of being added to FixItsForVariable[PV] for each such parameter PV.

So finally, for a variable V, FinalFixItsForVariable[V] is a collection of fix-its for the whole group where V is at.

ziqingluo-90: I changed the rest of this function drastically so let me explain what I did. The table…
std::optional<FixItList> Fixits = F->getFixits(S); std::optional<FixItList> Fixits = F->getFixits(S);
if (Fixits) { if (Fixits) {
FixItsForVariable[VD].insert(FixItsForVariable[VD].end(), FixItsForVariable[VD].insert(FixItsForVariable[VD].end(),
Fixits->begin(), Fixits->end()); Fixits->begin(), Fixits->end());
continue; continue;
} }
#ifndef NDEBUG #ifndef NDEBUG
Show All 13 Lines#endif
// To further remove from `FixItsForVariable` variables whose group mates // To further remove from `FixItsForVariable` variables whose group mates
// cannot be fixed... // cannot be fixed...
eraseVarsForUnfixableGroupMates(FixItsForVariable, VarGrpMgr); eraseVarsForUnfixableGroupMates(FixItsForVariable, VarGrpMgr);
// Now `FixItsForVariable` gets further reduced: a variable is in // Now `FixItsForVariable` gets further reduced: a variable is in
// `FixItsForVariable` iff it can be fixed and all its group mates can be // `FixItsForVariable` iff it can be fixed and all its group mates can be
// fixed. // fixed.
// Fix-its of bounds-safe overloads of `D` are shared by parameters of `D`.
// That is, when fixing multiple parameters in one step, these fix-its will
// be applied only once (instead of being applied per parameter).
FixItList FixItsSharedByParms{};
if (auto *FD = dyn_cast<FunctionDecl>(D))
FixItsSharedByParms = createFunctionOverloadsForParms(
FixItsForVariable, VarGrpMgr, FD, S, Ctx, Handler);
// The map that maps each variable `v` to fix-its for the whole group where // The map that maps each variable `v` to fix-its for the whole group where
// `v` is in: // `v` is in:
std::map<const VarDecl *, FixItList> FinalFixItsForVariable{ std::map<const VarDecl *, FixItList> FinalFixItsForVariable{
FixItsForVariable}; FixItsForVariable};
for (auto &[Var, Ignore] : FixItsForVariable) { for (auto &[Var, Ignore] : FixItsForVariable) {
const auto VarGroupForVD = VarGrpMgr.getGroupOfVar(Var); bool AnyParm = false;
const auto VarGroupForVD = VarGrpMgr.getGroupOfVar(Var, &AnyParm);
for (const VarDecl *GrpMate : VarGroupForVD) { for (const VarDecl *GrpMate : VarGroupForVD) {
if (Var == GrpMate) if (Var == GrpMate)
NoQUnsubmitted
Not Done
ReplyInline Actions
// `FixItsForVariable` now contains only variables that can be
- // fixed. A variable can be fixed if its' declaration and all Fixables
+ // fixed. A variable can be fixed if its declaration and all Fixables
// associated to it can all be fixed.
NoQ:
continue; continue;
if (FixItsForVariable.count(GrpMate)) if (FixItsForVariable.count(GrpMate))
FinalFixItsForVariable[Var].insert(FinalFixItsForVariable[Var].end(), FinalFixItsForVariable[Var].append(FixItsForVariable[GrpMate]);
FixItsForVariable[GrpMate].begin(), }
FixItsForVariable[GrpMate].end()); if (AnyParm) {
// This assertion should never fail. Otherwise we have a bug.
assert(!FixItsSharedByParms.empty() &&
"Should not try to fix a parameter that does not belong to a "
"FunctionDecl");
FinalFixItsForVariable[Var].append(FixItsSharedByParms);
} }
} }
// Fix-its that will be applied in one step shall NOT: // Fix-its that will be applied in one step shall NOT:
// 1. overlap with macros or/and templates; or // 1. overlap with macros or/and templates; or
// 2. conflict with each other. // 2. conflict with each other.
// Otherwise, the fix-its will be dropped. // Otherwise, the fix-its will be dropped.
for (auto Iter = FinalFixItsForVariable.begin(); for (auto Iter = FinalFixItsForVariable.begin();
Iter != FinalFixItsForVariable.end();) Iter != FinalFixItsForVariable.end();)
Show All 13 LinesgetNaiveStrategy(const llvm::SmallVectorImpl<const VarDecl *> &UnsafeVars) {
} }
return S; return S;
} }
// Manages variable groups: // Manages variable groups:
class VariableGroupsManagerImpl : public VariableGroupsManager { class VariableGroupsManagerImpl : public VariableGroupsManager {
const std::vector<VarGrpTy> Groups; const std::vector<VarGrpTy> Groups;
const std::map<const VarDecl *, unsigned> &VarGrpMap; const std::map<const VarDecl *, unsigned> &VarGrpMap;
const llvm::SetVector<const VarDecl *> &GrpsUnionForParms;
public: public:
VariableGroupsManagerImpl( VariableGroupsManagerImpl(
const std::vector<VarGrpTy> &Groups, const std::vector<VarGrpTy> &Groups,
const std::map<const VarDecl *, unsigned> &VarGrpMap) const std::map<const VarDecl *, unsigned> &VarGrpMap,
: Groups(Groups), VarGrpMap(VarGrpMap) {} const llvm::SetVector<const VarDecl *> &GrpsUnionForParms)
: Groups(Groups), VarGrpMap(VarGrpMap),
GrpsUnionForParms(GrpsUnionForParms) {}
VarGrpRef getGroupOfVar(const VarDecl *Var, bool *HasParm) const override {
if (GrpsUnionForParms.contains(Var)) {
if (HasParm)
*HasParm = true;
return GrpsUnionForParms.getArrayRef();
}
if (HasParm)
*HasParm = false;
VarGrpRef getGroupOfVar(const VarDecl *Var) const override { auto It = VarGrpMap.find(Var);
auto I = VarGrpMap.find(Var);
assert(I != VarGrpMap.end()); if (It == VarGrpMap.end())
return Groups[I->second]; return std::nullopt;
return Groups[It->second];
} }
}; };
void clang::checkUnsafeBufferUsage(const Decl *D, void clang::checkUnsafeBufferUsage(const Decl *D,
UnsafeBufferUsageHandler &Handler, UnsafeBufferUsageHandler &Handler,
bool EmitSuggestions) { bool EmitSuggestions) {
#ifndef NDEBUG #ifndef NDEBUG
Handler.clearDebugNotes(); Handler.clearDebugNotes();
#endif #endif
assert(D && D->getBody()); assert(D && D->getBody());
// We do not want to visit a Lambda expression defined inside a method independently. // We do not want to visit a Lambda expression defined inside a method independently.
// Instead, it should be visited along with the outer method. // Instead, it should be visited along with the outer method.
NoQUnsubmitted
Done
ReplyInline Actions

The usual idiom to avoid double lookup: use find() to extract an iterator, compare it to end() to see if the item was found, and if it was then dereference the iterator.

I wouldn't use at() given that the whole point of .at() is to throw exceptions, while LLVM is compiled with -fno-exceptions.

NoQ: The usual idiom to avoid double lookup: use `find()` to extract an iterator, compare it to `end…
// FIXME: do we want to do the same thing for `BlockDecl`s? // FIXME: do we want to do the same thing for `BlockDecl`s?
if (const auto *fd = dyn_cast<CXXMethodDecl>(D)) { if (const auto *fd = dyn_cast<CXXMethodDecl>(D)) {
if (fd->getParent()->isLambda() && fd->getParent()->isLocalClass()) if (fd->getParent()->isLambda() && fd->getParent()->isLocalClass())
return; return;
} }
// Do not emit fixit suggestions for functions declared in an // Do not emit fixit suggestions for functions declared in an
// extern "C" block. // extern "C" block.
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Lines#endif
llvm::SmallVector<const VarDecl *, 16> UnsafeVars; llvm::SmallVector<const VarDecl *, 16> UnsafeVars;
for (const auto &[VD, ignore] : FixablesForAllVars.byVar) for (const auto &[VD, ignore] : FixablesForAllVars.byVar)
UnsafeVars.push_back(VD); UnsafeVars.push_back(VD);
// Fixpoint iteration for pointer assignments // Fixpoint iteration for pointer assignments
using DepMapTy = DenseMap<const VarDecl *, llvm::SetVector<const VarDecl *>>; using DepMapTy = DenseMap<const VarDecl *, llvm::SetVector<const VarDecl *>>;
DepMapTy DependenciesMap{}; DepMapTy DependenciesMap{};
DepMapTy PtrAssignmentGraph{}; DepMapTy PtrAssignmentGraph{};
for (auto it : FixablesForAllVars.byVar) { for (auto it : FixablesForAllVars.byVar) {
for (const FixableGadget *fixable : it.second) { for (const FixableGadget *fixable : it.second) {
std::optional<std::pair<const VarDecl *, const VarDecl *>> ImplPair = std::optional<std::pair<const VarDecl *, const VarDecl *>> ImplPair =
fixable->getStrategyImplications(); fixable->getStrategyImplications();
if (ImplPair) { if (ImplPair) {
std::pair<const VarDecl *, const VarDecl *> Impl = std::move(*ImplPair); std::pair<const VarDecl *, const VarDecl *> Impl = std::move(*ImplPair);
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

How about changing the variable name to PtrImplicationGraph? For two variables V and W, if W is in PtrImplicationGraph[V], it means fixing V implicates fixing W, right?

ziqingluo-90: How about changing the variable name to `PtrImplicationGraph`? For two variables `V` and `W`…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

@t-rasmud what do you think?

ziqingluo-90: @t-rasmud what do you think?
t-rasmudUnsubmitted
Done
ReplyInline Actions

Sounds good! PtrImplicationGraph conveys the same meaning as PtrAssignmentGraph and is more generic.

t-rasmud: Sounds good! `PtrImplicationGraph ` conveys the same meaning as `PtrAssignmentGraph ` and is…
PtrAssignmentGraph[Impl.first].insert(Impl.second); PtrAssignmentGraph[Impl.first].insert(Impl.second);
} }
} }
} }
/* /*
The following code does a BFS traversal of the `PtrAssignmentGraph` The following code does a BFS traversal of the `PtrAssignmentGraph`
considering all unsafe vars as starting nodes and constructs an undirected considering all unsafe vars as starting nodes and constructs an undirected
graph `DependenciesMap`. Constructing the `DependenciesMap` in this manner graph `DependenciesMap`. Constructing the `DependenciesMap` in this manner
elimiates all variables that are unreachable from any unsafe var. In other elimiates all variables that are unreachable from any unsafe var. In other
words, this removes all dependencies that don't include any unsafe variable words, this removes all dependencies that don't include any unsafe variable
and consequently don't need any fixit generation. and consequently don't need any fixit generation.
Note: A careful reader would observe that the code traverses Note: A careful reader would observe that the code traverses
`PtrAssignmentGraph` using `CurrentVar` but adds edges between `Var` and `PtrAssignmentGraph` using `CurrentVar` but adds edges between `Var` and
`Adj` and not between `CurrentVar` and `Adj`. Both approaches would `Adj` and not between `CurrentVar` and `Adj`. Both approaches would
achieve the same result but the one used here dramatically cuts the achieve the same result but the one used here dramatically cuts the
amount of hoops the second part of the algorithm needs to jump, given that amount of hoops the second part of the algorithm needs to jump, given that
NoQUnsubmitted
Not Done
ReplyInline Actions

Does this really go in both directions? Shouldn't it be just one direction?

void foo(int *p) {
  int *q = new int[10];
  p = q;
  q[5] = 7;
}

In this case q is an unsafe local buffer, but p is a (mostly) safe single-object pointer that doesn't need fixing, despite implication from q to p. Of course this example is somewhat unrealistic (people don't usually overwrite their parameters), but it is also the only situation where the other direction matters.

NoQ: Does this really go in both directions? Shouldn't it be just one direction? ```lang=c++ void…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

You are right! It should be one-direction.

ziqingluo-90: You are right! It should be one-direction.
a lot of these connections become "direct". The reader is advised not to a lot of these connections become "direct". The reader is advised not to
imagine how the graph is transformed because of using `Var` instead of imagine how the graph is transformed because of using `Var` instead of
`CurrentVar`. The reader can continue reading as if `CurrentVar` was used, `CurrentVar`. The reader can continue reading as if `CurrentVar` was used,
and think about why it's equivalent later. and think about why it's equivalent later.
*/ */
std::set<const VarDecl *> VisitedVarsDirected{}; std::set<const VarDecl *> VisitedVarsDirected{};
for (const auto &[Var, ignore] : UnsafeOps.byVar) { for (const auto &[Var, ignore] : UnsafeOps.byVar) {
if (VisitedVarsDirected.find(Var) == VisitedVarsDirected.end()) { if (VisitedVarsDirected.find(Var) == VisitedVarsDirected.end()) {
std::queue<const VarDecl*> QueueDirected{}; std::queue<const VarDecl*> QueueDirected{};
QueueDirected.push(Var); QueueDirected.push(Var);
while(!QueueDirected.empty()) { while(!QueueDirected.empty()) {
NoQUnsubmitted
Not Done
ReplyInline Actions

What about the situation where params aren't seen as unsafe yet, but they're discovered to be unsafe later? Eg.

void foo(int *p, int *q) {
  int *p2 = p;
  p2[5] = 7;
  int *q2 = q;
  q2[5] = 7;
}

Will we notice that p and q need to be fixed simultaneously?

I suspect that the problem of parameter grouping can't be solved by pre-populating strategy implications between all parameters. It'll either cause you to implicate all parameters (even the ones that will never need fixing), or cause you to miss connections between parameters that do need fixing (as the connection is discovered later).

Connection between parameters needs to be added *after* the implications algorithm has finished. And once it's there (might be already there if I missed something), then this part of code probably becomes unnecessary.

NoQ: What about the situation where params aren't seen as unsafe yet, but they're discovered to be…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

Yes. They will be noticed. Here is why:

The code here first forms a ring over p and q in the assignment (directed) graph:

p <--> q

Then the two initialization statements (implemented in D150489) add two more edges to the graph:

p2 --> p <--> q <-- q2

The algorithm later searches the graph starting from unsafe variables p2 and q2, respectively, Starting from p2, the algorithm discovers that p2 and p, as well as p and q depend on each other. Starting from q2, the algorithm discovers that q2 and q, as well as p and q depend on each other. The dependency graph is sort of undirected. So eventually, the four variables p2, p, q, q2 are in the same group.

ziqingluo-90: Yes. They will be noticed. Here is why: The code here first forms a ring over `p` and `q`…
NoQUnsubmitted
Not Done
ReplyInline Actions

The code here first forms a ring over p and q in the assignment (directed) graph

I don't think it does. The ring is formed over the ParamsNeedFix list, which is empty because none of these parameters are listed in UnsafeOps.byVar.

NoQ: > The code here first forms a ring over `p` and `q` in the assignment (directed) graph I…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

Actually p and q will be in ParamsNeedFix. Because they are implicated by p2 and q2, who are unsafe variables. ParamsNeedFix include parameters that need fix, either because they are used in unsafe operations or they are implicated by some Gadgets.

But anyway, I now think it's not a good idea to lump parameters with variables grouped by implication, as you pointed out that variable implication also implies bounds propagation.

Instead, I think it might be more appropriate to make a variable group structured:

  • Let's call it a connected components for a set of variables that need to be fixed together and sharing bounds information. (The term connected components has been used in the code to refer to a group of variables. It keeps its meaning here.)
  • Let's redefine a Variable Group to be a set of mutually disjoint connected componentss (CCs). If there are more than one CCs in a variable group, each of the CCs contains at least one parameter.

For generating fix-its for a variable group, this patch still works as it only requires that variables in a variable group are either all fixed or given up as a whole.
For generating diagnostic messages, we now have more information about relations among grouped variables.

ziqingluo-90: Actually `p` and `q` will be in `ParamsNeedFix`. Because they are implicated by `p2` and `q2`…
NoQUnsubmitted
Not Done
ReplyInline Actions

Actually p and q will be in ParamsNeedFix. Because they are implicated by p2 and q2, who are unsafe variables. ParamsNeedFix include parameters that need fix, either because they are used in unsafe operations or they are implicated by some Gadgets.

Ohh, right, it's populated twice, I even commented on the other part but didn't notice it populates the same list!

But in this case you'll probably join p and q in

void foo(int *p, int *q) {
  int *p2 = p;
  p2[5] = 7;
  int *q2 = q;
}

right? (In this case q is implicated by q2 so it gets added to the list, but q2 itself isn't unsafe or implicated by anything, so it doesn't need fixing, but connecting it to p would cause it to be fixed unnecessarily). So I still think this can't be correct unless you do it after the crawler finishes.

But anyway, I now think it's not a good idea to lump parameters with variables grouped by implication, as you pointed out that variable implication also implies bounds propagation.

Yeah, I think it makes a lot more sense. Just look at variable groups already built by the existing crawler, and if more than one of them contains parameters, report all groups that contain parameters through one combined warning.

NoQ: > Actually `p` and `q` will be in ParamsNeedFix. Because they are implicated by `p2` and `q2`…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

Though I'm going to remove this part, achieving some agreement on this algorithm may help me understand the problem better.

right? (In this case q is implicated by q2 so it gets added to the list, but q2 itself isn't unsafe or implicated by anything, so it doesn't need fixing, but connecting it to p would cause it to be fixed unnecessarily)

Right. the code in this patch does not form ParmsNeedFix correctly. ParmsNeedFix should be the set of parameters that are either unsafe or being implicated (transitively) by unsafe variables. Then the group would be "correct" I think.

ziqingluo-90: Though I'm going to remove this part, achieving some agreement on this algorithm may help me…
NoQUnsubmitted
Not Done
ReplyInline Actions

Aha ok, whew, gotcha, makes sense then!

NoQ: Aha ok, whew, gotcha, makes sense then!
const VarDecl* CurrentVar = QueueDirected.front(); const VarDecl* CurrentVar = QueueDirected.front();
QueueDirected.pop(); QueueDirected.pop();
VisitedVarsDirected.insert(CurrentVar); VisitedVarsDirected.insert(CurrentVar);
auto AdjacentNodes = PtrAssignmentGraph[CurrentVar]; auto AdjacentNodes = PtrAssignmentGraph[CurrentVar];
for (const VarDecl *Adj : AdjacentNodes) { for (const VarDecl *Adj : AdjacentNodes) {
if (VisitedVarsDirected.find(Adj) == VisitedVarsDirected.end()) { if (VisitedVarsDirected.find(Adj) == VisitedVarsDirected.end()) {
QueueDirected.push(Adj); QueueDirected.push(Adj);
} }
DependenciesMap[Var].insert(Adj); DependenciesMap[Var].insert(Adj);
DependenciesMap[Adj].insert(Var); DependenciesMap[Adj].insert(Var);
} }
} }
} }
} }
// `Groups` stores the set of Connected Components in the graph. // `Groups` stores the set of Connected Components in the graph.
std::vector<VarGrpTy> Groups; std::vector<VarGrpTy> Groups;
// `VarGrpMap` maps variables that need fix to the groups (indexes) that the // `VarGrpMap` maps variables that need fix to the groups (indexes) that the
// variables belong to. Group indexes refer to the elements in `Groups`. // variables belong to. Group indexes refer to the elements in `Groups`.
// `VarGrpMap` is complete in that every variable that needs fix is in it. // `VarGrpMap` is complete in that every variable that needs fix is in it.
std::map<const VarDecl *, unsigned> VarGrpMap; std::map<const VarDecl *, unsigned> VarGrpMap;
// The union group over the ones in "Groups" that contain parameters of `D`:
llvm::SetVector<const VarDecl *>
NoQUnsubmitted
Not Done
ReplyInline Actions

Why SetVector? Do we care about order? Maybe just SmallSet?

NoQ: Why `SetVector`? Do we care about order? Maybe just `SmallSet`?
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

We'd like to keep the order of elements in this container deterministic. Otherwise, the diagnostic message that lists those elements could be non-deterministic.

ziqingluo-90: We'd like to keep the order of elements in this container deterministic. Otherwise, the…
NoQUnsubmitted
Not Done
ReplyInline Actions

Ooo right gotcha!

NoQ: Ooo right gotcha!
GrpsUnionForParms; // these variables need to be fixed in one step
// Group Connected Components for Unsafe Vars // Group Connected Components for Unsafe Vars
// (Dependencies based on pointer assignments) // (Dependencies based on pointer assignments)
std::set<const VarDecl *> VisitedVars{}; std::set<const VarDecl *> VisitedVars{};
for (const auto &[Var, ignore] : UnsafeOps.byVar) { for (const auto &[Var, ignore] : UnsafeOps.byVar) {
if (VisitedVars.find(Var) == VisitedVars.end()) { if (VisitedVars.find(Var) == VisitedVars.end()) {
VarGrpTy &VarGroup = Groups.emplace_back(); VarGrpTy &VarGroup = Groups.emplace_back();
std::queue<const VarDecl*> Queue{}; std::queue<const VarDecl*> Queue{};
Queue.push(Var); Queue.push(Var);
while(!Queue.empty()) { while(!Queue.empty()) {
const VarDecl* CurrentVar = Queue.front(); const VarDecl* CurrentVar = Queue.front();
Queue.pop(); Queue.pop();
VisitedVars.insert(CurrentVar); VisitedVars.insert(CurrentVar);
VarGroup.push_back(CurrentVar); VarGroup.push_back(CurrentVar);
auto AdjacentNodes = DependenciesMap[CurrentVar]; auto AdjacentNodes = DependenciesMap[CurrentVar];
for (const VarDecl *Adj : AdjacentNodes) { for (const VarDecl *Adj : AdjacentNodes) {
if (VisitedVars.find(Adj) == VisitedVars.end()) { if (VisitedVars.find(Adj) == VisitedVars.end()) {
Queue.push(Adj); Queue.push(Adj);
} }
} }
} }
bool HasParm = false;
unsigned GrpIdx = Groups.size() - 1; unsigned GrpIdx = Groups.size() - 1;
for (const VarDecl *V : VarGroup) { for (const VarDecl *V : VarGroup) {
VarGrpMap[V] = GrpIdx; VarGrpMap[V] = GrpIdx;
if (!HasParm && isParameterOf(V, D))
HasParm = true;
} }
if (HasParm)
GrpsUnionForParms.insert(VarGroup.begin(), VarGroup.end());
} }
} }
// Remove a `FixableGadget` if the associated variable is not in the graph // Remove a `FixableGadget` if the associated variable is not in the graph
// computed above. We do not want to generate fix-its for such variables, // computed above. We do not want to generate fix-its for such variables,
// since they are neither warned nor reachable from a warned one. // since they are neither warned nor reachable from a warned one.
// //
// Note a variable is not warned if it is not directly used in any unsafe // Note a variable is not warned if it is not directly used in any unsafe
// operation. A variable `v` is NOT reachable from an unsafe variable, if it // operation. A variable `v` is NOT reachable from an unsafe variable, if it
// does not exist another variable `u` such that `u` is warned and fixing `u` // does not exist another variable `u` such that `u` is warned and fixing `u`
// (transitively) implicates fixing `v`. // (transitively) implicates fixing `v`.
// //
// For example, // For example,
// ``` // ```
// void f(int * p) { // void f(int * p) {
// int * a = p; *p = 0; // int * a = p; *p = 0;
// } // }
// ``` // ```
// `*p = 0` is a fixable gadget associated with a variable `p` that is neither // `*p = 0` is a fixable gadget associated with a variable `p` that is neither
// warned nor reachable from a warned one. If we add `a[5] = 0` to the end of // warned nor reachable from a warned one. If we add `a[5] = 0` to the end of
// the function above, `p` becomes reachable from a warned variable. // the function above, `p` becomes reachable from a warned variable.
for (auto I = FixablesForAllVars.byVar.begin(); for (auto I = FixablesForAllVars.byVar.begin();
I != FixablesForAllVars.byVar.end();) { I != FixablesForAllVars.byVar.end();) {
// Note `VisitedVars` contain all the variables in the graph: // Note `VisitedVars` contain all the variables in the graph:
if (VisitedVars.find((*I).first) == VisitedVars.end()) { if (!VisitedVars.count((*I).first)) {
// no such var in graph: // no such var in graph:
I = FixablesForAllVars.byVar.erase(I); I = FixablesForAllVars.byVar.erase(I);
} else } else
++I; ++I;
} }
Strategy NaiveStrategy = getNaiveStrategy(UnsafeVars); Strategy NaiveStrategy = getNaiveStrategy(UnsafeVars);
VariableGroupsManagerImpl VarGrpMgr(Groups, VarGrpMap); VariableGroupsManagerImpl VarGrpMgr(Groups, VarGrpMap, GrpsUnionForParms);
if (isa<NamedDecl>(D))
// The only case where `D` is not a `NamedDecl` is when `D` is a
// `BlockDecl`. Let's not fix variables in blocks for now
FixItsForVariableGroup = FixItsForVariableGroup =
getFixIts(FixablesForAllVars, NaiveStrategy, D->getASTContext(), D, getFixIts(FixablesForAllVars, NaiveStrategy, D->getASTContext(), D,
Tracker, Handler, VarGrpMgr); Tracker, Handler, VarGrpMgr);
NoQUnsubmitted
Not Done
ReplyInline Actions

Note: This is why FixablesForUnsafeVars is actually FixablesForAllVars.

NoQ: Note: This is why `FixablesForUnsafeVars` is actually `FixablesForAllVars`.
for (const auto &G : UnsafeOps.noVar) { for (const auto &G : UnsafeOps.noVar) {
Handler.handleUnsafeOperation(G->getBaseStmt(), /*IsRelatedToDecl=*/false); Handler.handleUnsafeOperation(G->getBaseStmt(), /*IsRelatedToDecl=*/false);
} }
for (const auto &[VD, WarningGadgets] : UnsafeOps.byVar) { for (const auto &[VD, WarningGadgets] : UnsafeOps.byVar) {
auto FixItsIt = FixItsForVariableGroup.find(VD); auto FixItsIt = FixItsForVariableGroup.find(VD);
Handler.handleUnsafeVariableGroup(VD, VarGrpMgr, Handler.handleUnsafeVariableGroup(VD, VarGrpMgr,
FixItsIt != FixItsForVariableGroup.end() FixItsIt != FixItsForVariableGroup.end()
? std::move(FixItsIt->second) ? std::move(FixItsIt->second)
: FixItList{}); : FixItList{},
D);
for (const auto &G : WarningGadgets) { for (const auto &G : WarningGadgets) {
Handler.handleUnsafeOperation(G->getBaseStmt(), /*IsRelatedToDecl=*/true); Handler.handleUnsafeOperation(G->getBaseStmt(), /*IsRelatedToDecl=*/true);
} }
} }
} }

clang/lib/Sema/AnalysisBasedWarnings.cpp

Show First 20 LinesShow All 2,171 Lines▼ Show 20 Lines
namespace { namespace {
class UnsafeBufferUsageReporter : public UnsafeBufferUsageHandler { class UnsafeBufferUsageReporter : public UnsafeBufferUsageHandler {
Sema &S; Sema &S;
bool SuggestSuggestions; // Recommend -fsafe-buffer-usage-suggestions? bool SuggestSuggestions; // Recommend -fsafe-buffer-usage-suggestions?
// Lists as a string the names of variables in `VarGroupForVD` except for `VD` // Lists as a string the names of variables in `VarGroupForVD` except for `VD`
// itself: // itself:
std::string listVariableGroupAsString( std::string listVariableGroupAsString(
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

The printing process was extracted as a method with some refactoring.

ziqingluo-90: The printing process was extracted as a method with some refactoring.
const VarDecl *VD, const ArrayRef<const VarDecl *> &VarGroupForVD) const { const VarDecl *VD, const ArrayRef<const VarDecl *> &VarGroupForVD) const {
if (VarGroupForVD.size() <= 1) if (VarGroupForVD.size() <= 1)
return ""; return "";
NoQUnsubmitted
Not Done
ReplyInline Actions

Does the empty string actually ever make sense for the caller? Maybe just assert that this never happens, and force the caller to check that?

NoQ: Does the empty string actually ever make sense for the caller? Maybe just assert that this…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

The branch deals with the case where the group has only one member, which is the VD. In that case, we do not list group mates of VD as there is none.
This case is actually possible and conforms to the contract of this method.

The case where the group is empty is not suppose to happen.

ziqingluo-90: The branch deals with the case where the group has only one member, which is the `VD`. In that…
NoQUnsubmitted
Not Done
ReplyInline Actions

Gotcha, nice!

NoQ: Gotcha, nice!
std::vector<StringRef> VarNames; std::vector<StringRef> VarNames;
auto PutInQuotes = [](StringRef S) -> std::string { auto PutInQuotes = [](StringRef S) -> std::string {
return "'" + S.str() + "'"; return "'" + S.str() + "'";
}; };
for (auto *V : VarGroupForVD) { for (auto *V : VarGroupForVD) {
if (V == VD) if (V == VD)
▲ Show 20 LinesShow All 70 Lines▼ Show 20 Lines if (IsRelatedToDecl) {
if (SuggestSuggestions) { if (SuggestSuggestions) {
S.Diag(Loc, diag::note_safe_buffer_usage_suggestions_disabled); S.Diag(Loc, diag::note_safe_buffer_usage_suggestions_disabled);
} }
} }
} }
void handleUnsafeVariableGroup(const VarDecl *Variable, void handleUnsafeVariableGroup(const VarDecl *Variable,
const VariableGroupsManager &VarGrpMgr, const VariableGroupsManager &VarGrpMgr,
FixItList &&Fixes) override { FixItList &&Fixes, const Decl *D) override {
assert(!SuggestSuggestions && assert(!SuggestSuggestions &&
"Unsafe buffer usage fixits displayed without suggestions!"); "Unsafe buffer usage fixits displayed without suggestions!");
S.Diag(Variable->getLocation(), diag::warn_unsafe_buffer_variable) S.Diag(Variable->getLocation(), diag::warn_unsafe_buffer_variable)
<< Variable << (Variable->getType()->isPointerType() ? 0 : 1) << Variable << (Variable->getType()->isPointerType() ? 0 : 1)
<< Variable->getSourceRange(); << Variable->getSourceRange();
if (!Fixes.empty()) { if (!Fixes.empty()) {
const auto VarGroupForVD = VarGrpMgr.getGroupOfVar(Variable); assert(isa<NamedDecl>(D) &&
"Fix-its are generated only for `NamedDecl`s");
const NamedDecl *ND = cast<NamedDecl>(D);
bool BriefMsg = false;
// If the variable group involves parameters, the diagnostic message will
// NOT explain how the variables are grouped as the reason is non-trivial
// and irrelavant to users' experience:
const auto VarGroupForVD = VarGrpMgr.getGroupOfVar(Variable, &BriefMsg);
unsigned FixItStrategy = 0; // For now we only have 'std::span' strategy unsigned FixItStrategy = 0; // For now we only have 'std::span' strategy
const auto &FD = S.Diag(Variable->getLocation(), const auto &FD =
diag::note_unsafe_buffer_variable_fixit_group); S.Diag(Variable->getLocation(),
BriefMsg ? diag::note_unsafe_buffer_variable_fixit_together
: diag::note_unsafe_buffer_variable_fixit_group);
FD << Variable << FixItStrategy; FD << Variable << FixItStrategy;
FD << listVariableGroupAsString(Variable, VarGroupForVD) FD << listVariableGroupAsString(Variable, VarGroupForVD)
<< (VarGroupForVD.size() > 1); << (VarGroupForVD.size() > 1) << ND;
NoQUnsubmitted
Done
ReplyInline Actions

IIRC we're supposed to stuff ND directly into the stream and it'll figure out on its own how to name it, or how to put quotes around it. See how there's no quotes around %2!

NoQ: IIRC we're supposed to stuff `ND` directly into the stream and it'll figure out on its own how…
for (const auto &F : Fixes) { for (const auto &F : Fixes) {
FD << F; FD << F;
} }
} }
#ifndef NDEBUG #ifndef NDEBUG
if (areDebugNotesRequested()) if (areDebugNotesRequested())
for (const DebugNote &Note: DebugNotesByVar[Variable]) for (const DebugNote &Note: DebugNotesByVar[Variable])
▲ Show 20 LinesShow All 467 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-multi-parm-span.cpp

  • This file was added.
// RUN: %clang_cc1 -std=c++20 -Wunsafe-buffer-usage -fdiagnostics-parseable-fixits -fblocks -fsafe-buffer-usage-suggestions -verify %s
// RUN: %clang_cc1 -std=c++20 -Wunsafe-buffer-usage -fdiagnostics-parseable-fixits -fblocks -fsafe-buffer-usage-suggestions \
// RUN: %s 2>&1 | FileCheck %s
// FIXME: what about possible diagnostic message non-determinism?
t-rasmudUnsubmitted
Not Done
ReplyInline Actions

I have used a workaround for non-determinism by using regular expressions to match on the expected-note. See https://github.com/llvm/llvm-project/commit/db3dcedb9cedcec4a9570fda7406490c642df8ae#diff-8486f0b4ae37871fc0a186f40a41adbc70e5a0ca0134dc9bba762e1f17994460R176.
This is definitely a temporary fix (but helps with passing llvm builedbot tests upon landing on llvm-project\main) and we should probably discuss and put in a more reliable fix (say, using ordered sets) in the future.

t-rasmud: I have used a workaround for non-determinism by using regular expressions to match on the…
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE+1]]:
void parmsNoFix(int *p, int *q) {
int * a = new int[10];
int * b = new int[10]; //expected-warning{{'b' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'b' to 'std::span' to preserve bounds information}}
a = p;
a = q;
b[5] = 5; // expected-note{{used in buffer access here}}
}
NoQUnsubmitted
Not Done
ReplyInline Actions

QoL thing: "to propagate bounds information between them" isn't the correct reason in this case. Bounds information doesn't propagate between p and q and a. Each of them carries its own, completely unrelated bounds information.

We need to come up with a different reason. Or it might be better to combine the warnings into one warning here, so that we didn't need a reason:

warning: 'p', 'q' and 'a' are unsafe pointers used for buffer access
note: change type of 'p', 'q' and 'a' to 'std::span' to preserve bounds information

This gets a bit worse when parameters are implicated indirectly, but it still mostly works fine, for example:

void foo(int *p, int *q) {
  int *p2 = p;
  p2[5] = 7;
  int *q2 = q;
  q2[5] = 7;
}

would produce:

warning: 'p2' and 'q2' are unsafe pointers used for buffer access
note: change type of 'p2' and 'q2' to 'std::span' to preserve bounds information, and
      change 'p' and 'q' to 'std::span' to propagate bounds information between them

In any case, this shows that the relationship between parameters (grouped together simply for being parameters) is very different from the relationship within groups of variables implicated by assignments (even if two or more of them are parameters). All the way down to the warning/note printer, we probably need to continue giving the parameter relationship a special treatment.

NoQ: QoL thing: //"to propagate bounds information between them"// isn't the correct reason in this…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

This is a good argument! An edge from p to q in an assignment graph stands for not only that fixing p implicates fixing q but also that the bounds information is propagated from q to p. In this sense, the way I connect parameters is inappropriate.

But my concern is that although treating parameters specially could improve the quality of the diagnostic messages, the code may be more complex and less re-used.

ziqingluo-90: This is a good argument! An edge from `p` to `q` in an assignment graph stands for not only…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

So for such an example

int f(int *p, int *q) {
int * a = p;
int * b = q;

a[5] = 0;
b[5] = 0;
}

We will fix all four variables a, b, p, q together. But bounds information propagation only happens between a and p, and b and q, respectively.
Then what should the diagnostic message be? How about something like

change type of 'a' to 'std::span' to preserve bounds information, and change 'p' to propagate bounds information between them. 
To ensure parameters are changed together, also
change type of 'b' to 'std::span' to preserve bounds information, and change 'q' to propagate bounds information between them;
...

for variable a.

ziqingluo-90: So for such an example ``` int f(int *p, int *q) { int * a = p; int * b = q; a[5] = 0; b[5] =…
NoQUnsubmitted
Not Done
ReplyInline Actions

I think the ideal narrative is to emit a single warning against the entire function, which covers all parameters at once, together with all related variables.

int f(int *p, int *q) {  // warning: function 'f' performs unsafe buffer access over parameters 'p' and 'q'
                         // note: change type of 'p' and 'q' to 'std::span' to receive bounds information from the call site,
                         //       and change local variables 'a' and 'b' to 'std::span' to propagate it to the access site

  int * a = p;           // note: bounds information needs to propagate from 'p' to 'a' here
  int * b = q;           // note: bounds information needs to propagate from 'q' to 'b' here

  a[5] = 0;              // note: used in buffer access here
  b[5] = 0;              // note: used in buffer access here
}

This makes a lot of sense given that we're fixing the entire function. This is quite a major change though, we need to think this through.

NoQ: I think the ideal narrative is to emit a single warning against the entire function, which…
// CHECK: fix-it:{{.*}}:{[[@LINE+2]]:21-[[@LINE+2]]:27}:"std::span<int> p"
// CHECK: fix-it:{{.*}}:{[[@LINE+14]]:2-[[@LINE+14]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void parmsSingleton(int *p) {return parmsSingleton(std::span<int>(p, <# size #>));}\n"
void parmsSingleton(int *p) { //expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'p' to 'std::span' to preserve bounds information}}
// CHECK: fix-it:{{.*}}:{[[@LINE+3]]:3-[[@LINE+3]]:12}:"std::span<int> a"
// CHECK: fix-it:{{.*}}:{[[@LINE+2]]:13-[[@LINE+2]]:13}:"{"
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:24-[[@LINE+1]]:24}:", 10}"
int * a = new int[10];
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:3-[[@LINE+1]]:10}:"std::span<int> b"
int * b; //expected-warning{{'b' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'b' to 'std::span' to preserve bounds information, and change 'a' to 'std::span' to propagate bounds information between them}}
b = a;
b[5] = 5; // expected-note{{used in buffer access here}}
p[5] = 5; // expected-note{{used in buffer access here}}
}
// Parameters other than `r` all will be fixed
// CHECK: fix-it:{{.*}}:{[[@LINE+15]]:24-[[@LINE+15]]:30}:"std::span<int> p"
// CHECK fix-it:{{.*}}:{[[@LINE+14]]:32-[[@LINE+14]]:39}:"std::span<int *> q"
// CHECK: fix-it:{{.*}}:{[[@LINE+13]]:41-[[@LINE+13]]:48}:"std::span<int> a"
// CHECK: fix-it:{{.*}}:{[[@LINE+23]]:2-[[@LINE+23]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void * multiParmAllFix(int *p, int **q, int a[], int * r) {return multiParmAllFix(std::span<int>(p, <# size #>), std::span<int *>(q, <# size #>), std::span<int>(a, <# size #>), r);}\n"
NoQUnsubmitted
Done
ReplyInline Actions

The fix is emitted 3 times right? Once for each warning?

Would it make sense to duplicate the three CHECK: lines three times to confirm that?

NoQ: The fix is emitted 3 times right? Once for each warning? Would it make sense to duplicate the…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

I wish there are better ways to test this. I tried CHECK-COUNT-3 but it doesn't work because it expects each line repeats 3 times consecutively.

ziqingluo-90: I wish there are better ways to test this. I tried `CHECK-COUNT-3` but it doesn't work because…
// repeat 2 more times as each of the 3 fixing parameters generates the set of fix-its above.
// CHECK: fix-it:{{.*}}:{[[@LINE+8]]:24-[[@LINE+8]]:30}:"std::span<int> p"
// CHECK fix-it:{{.*}}:{[[@LINE+7]]:32-[[@LINE+7]]:39}:"std::span<int *> q"
// CHECK: fix-it:{{.*}}:{[[@LINE+6]]:41-[[@LINE+6]]:48}:"std::span<int> a"
// CHECK: fix-it:{{.*}}:{[[@LINE+16]]:2-[[@LINE+16]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void * multiParmAllFix(int *p, int **q, int a[], int * r) {return multiParmAllFix(std::span<int>(p, <# size #>), std::span<int *>(q, <# size #>), std::span<int>(a, <# size #>), r);}\n"
// CHECK: fix-it:{{.*}}:{[[@LINE+4]]:24-[[@LINE+4]]:30}:"std::span<int> p"
// CHECK fix-it:{{.*}}:{[[@LINE+3]]:32-[[@LINE+3]]:39}:"std::span<int *> q"
// CHECK: fix-it:{{.*}}:{[[@LINE+2]]:41-[[@LINE+2]]:48}:"std::span<int> a"
// CHECK: fix-it:{{.*}}:{[[@LINE+12]]:2-[[@LINE+12]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void * multiParmAllFix(int *p, int **q, int a[], int * r) {return multiParmAllFix(std::span<int>(p, <# size #>), std::span<int *>(q, <# size #>), std::span<int>(a, <# size #>), r);}\n"
void * multiParmAllFix(int *p, int **q, int a[], int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-warning{{'a' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'p' to 'std::span' to preserve bounds information, and change 'q' and 'a' to safe types to make function 'multiParmAllFix' bounds-safe}} \
expected-note{{change type of 'q' to 'std::span' to preserve bounds information, and change 'p' and 'a' to safe types to make function 'multiParmAllFix' bounds-safe}} \
expected-note{{change type of 'a' to 'std::span' to preserve bounds information, and change 'p' and 'q' to safe types to make function 'multiParmAllFix' bounds-safe}}
int tmp;
tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = a[5]; // expected-note{{used in buffer access here}}
if (++q) {} // expected-note{{used in pointer arithmetic here}}
return r;
}
void * multiParmAllFix(int *p, int **q, int a[], int * r);
// CHECK: fix-it:{{.*}}:{[[@LINE-1]]:1-[[@LINE-1]]:1}:"{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} "
// CHECK: fix-it:{{.*}}:{[[@LINE-2]]:58-[[@LINE-2]]:58}:";\nvoid * multiParmAllFix(std::span<int> p, std::span<int *> q, std::span<int> a, int * r)"
// Fixing local variables implicates fixing parameters
void multiParmLocalAllFix(int *p, int * r) {
// CHECK: fix-it:{{.*}}:{[[@LINE-1]]:28-[[@LINE-1]]:34}:"std::span<int> p"
// CHECK: fix-it:{{.*}}:{[[@LINE-2]]:36-[[@LINE-2]]:43}:"std::span<int> r"
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:3-[[@LINE+1]]:10}:"std::span<int> x"
int * x; // expected-warning{{'x' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'x' to 'std::span' to preserve bounds information, and change 'p', 'z', and 'r' to safe types to make function 'multiParmLocalAllFix' bounds-safe}}
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:3-[[@LINE+1]]:10}:"std::span<int> z"
int * z; // expected-warning{{'z' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'z' to 'std::span' to preserve bounds information, and change 'x', 'p', and 'r' to safe types to make function 'multiParmLocalAllFix' bounds-safe}}
int * y;
x = p;
y = x;
// `x` needs to be fixed so does the pointer assigned to `x`, i.e.,`p`
x[5] = 5; // expected-note{{used in buffer access here}}
z = r;
// `z` needs to be fixed so does the pointer assigned to `z`, i.e.,`r`
z[5] = 5; // expected-note{{used in buffer access here}}
// Since `p` and `r` are parameters need to be fixed together,
// fixing `x` involves fixing all `p`, `r` and `z`. Similar for
// fixing `z`.
}
// CHECK: fix-it:{{.*}}:{[[@LINE-1]]:2-[[@LINE-1]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void multiParmLocalAllFix(int *p, int * r) {return multiParmLocalAllFix(std::span<int>(p, <# size #>), std::span<int>(r, <# size #>));}\n"
// Fixing parameters implicates fixing local variables
// CHECK: fix-it:{{.*}}:{[[@LINE+2]]:29-[[@LINE+2]]:35}:"std::span<int> p"
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:37-[[@LINE+1]]:44}:"std::span<int> r"
void multiParmLocalAllFix2(int *p, int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'p' to 'std::span' to preserve bounds information, and change 'x', 'r', and 'z' to safe types to make function 'multiParmLocalAllFix2' bounds-safe}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'r' to 'std::span' to preserve bounds information, and change 'p', 'x', and 'z' to safe types to make function 'multiParmLocalAllFix2' bounds-safe}}
int * x = new int[10];
// CHECK: fix-it:{{.*}}:{[[@LINE-1]]:3-[[@LINE-1]]:12}:"std::span<int> x"
// CHECK: fix-it:{{.*}}:{[[@LINE-2]]:13-[[@LINE-2]]:13}:"{"
// CHECK: fix-it:{{.*}}:{[[@LINE-3]]:24-[[@LINE-3]]:24}:", 10}"
int * z = new int[10];
// CHECK: fix-it:{{.*}}:{[[@LINE-1]]:3-[[@LINE-1]]:12}:"std::span<int> z"
// CHECK: fix-it:{{.*}}:{[[@LINE-2]]:13-[[@LINE-2]]:13}:"{"
// CHECK: fix-it:{{.*}}:{[[@LINE-3]]:24-[[@LINE-3]]:24}:", 10}"
int * y;
p = x;
y = x;
p[5] = 5; // expected-note{{used in buffer access here}}
r = z;
r[5] = 5; // expected-note{{used in buffer access here}}
}
// CHECK: fix-it:{{.*}}:{[[@LINE-1]]:2-[[@LINE-1]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void multiParmLocalAllFix2(int *p, int * r) {return multiParmLocalAllFix2(std::span<int>(p, <# size #>), std::span<int>(r, <# size #>));}\n"
// No fix emitted for any of the parameter since parameter `r` cannot be fixed
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE+1]]
void noneParmFix(int * p, int * q, int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
r++; // expected-note{{used in pointer arithmetic here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
}
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE-1]]
// To show what if the `r` in `noneParmFix` can be fixed:
void noneParmFix_control(int * p, int * q, int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'p' to 'std::span' to preserve bounds information, and change 'q' and 'r' to safe types to make function 'noneParmFix_control' bounds-safe}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'q' to 'std::span' to preserve bounds information, and change 'p' and 'r' to safe types to make function 'noneParmFix_control' bounds-safe}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'r' to 'std::span' to preserve bounds information, and change 'p' and 'q' to safe types to make function 'noneParmFix_control' bounds-safe}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
if (++r) {} // expected-note{{used in pointer arithmetic here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
}
// No fix emitted for any of the parameter since local variable `l` cannot be fixed.
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE+1]]
void noneParmOrLocalFix(int * p, int * q, int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
// `l` and `r` must be fixed together while all parameters must be fixed together as well:
int * l; l = r; // expected-warning{{'l' is an unsafe pointer used for buffer access}}
l++; // expected-note{{used in pointer arithmetic here}}
}
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE-1]]
// To show what if the `l` can be fixed in `noneParmOrLocalFix`:
void noneParmOrLocalFix_control(int * p, int * q, int * r) {// \
expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'p' to 'std::span' to preserve bounds information, and change 'q', 'r', and 'l' to safe types to make function 'noneParmOrLocalFix_control' bounds-safe}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'q' to 'std::span' to preserve bounds information, and change 'p', 'r', and 'l' to safe types to make function 'noneParmOrLocalFix_control' bounds-safe}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'r' to 'std::span' to preserve bounds information, and change 'p', 'q', and 'l' to safe types to make function 'noneParmOrLocalFix_control' bounds-safe}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
int * l; // expected-warning{{'l' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'l' to 'std::span' to preserve bounds information, and change 'p', 'q', and 'r' to safe types to make function 'noneParmOrLocalFix_control' bounds-safe}}
l = r;
if (++l){}; // expected-note{{used in pointer arithmetic here}}
}
// No fix emitted for any of the parameter since local variable `l` cannot be fixed.
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE+1]]
void noneParmOrLocalFix2(int * p, int * q, int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
int * a; a = r;
int * b; b = a;
int * l; l = b; // expected-warning{{'l' is an unsafe pointer used for buffer access}}
// `a, b, l` and parameters must be fixed together but `l` can't be fixed:
l++; // expected-note{{used in pointer arithmetic here}}
}
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE-1]]
// To show what if the `l` can be fixed in `noneParmOrLocalFix2`:
void noneParmOrLocalFix2_control(int * p, int * q, int * r) { // \
expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'p' to 'std::span' to preserve bounds information, and change 'q', 'r', 'l', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix2_control' bounds-safe}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'q' to 'std::span' to preserve bounds information, and change 'p', 'r', 'l', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix2_control' bounds-safe}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'r' to 'std::span' to preserve bounds information, and change 'p', 'q', 'l', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix2_control' bounds-safe}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
int * a; a = r;
int * b; b = a;
int * l; // expected-warning{{'l' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'l' to 'std::span' to preserve bounds information, and change 'p', 'q', 'r', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix2_control' bounds-safe}}
l = b;
if(++l){} // expected-note{{used in pointer arithmetic here}}
}
// No fix emitted for any of the parameter since local variable `l` cannot be fixed
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE+1]]
void noneParmOrLocalFix3(int * p, int * q, int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
int * a; a = r;
int * b; b = a;
int * l; l = b; // expected-warning{{'l' is an unsafe pointer used for buffer access}}
l++; // expected-note{{used in pointer arithmetic here}}
int * x; x = p; // expected-warning{{'x' is an unsafe pointer used for buffer access}}
tmp = x[5]; // expected-note{{used in buffer access here}}
}
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE-1]]
void noneParmOrLocalFix3_control(int * p, int * q, int * r) { // \
expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'p' to 'std::span' to preserve bounds information, and change 'x', 'q', 'r', 'l', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix3_control' bounds-safe}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'q' to 'std::span' to preserve bounds information, and change 'p', 'x', 'r', 'l', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix3_control' bounds-safe}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'r' to 'std::span' to preserve bounds information, and change 'p', 'x', 'q', 'l', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix3_control' bounds-safe}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
int * a; a = r;
int * b; b = a;
int * l; // expected-warning{{'l' is an unsafe pointer used for buffer access}} \
t-rasmudUnsubmitted
Not Done
ReplyInline Actions

Does this patch handle virtual methods? Ideally we'd like the fixed methods to have the same subtyping relations as the original method. Does it make sense to have test cases with virtual methods as part of this patch?

t-rasmud: Does this patch handle virtual methods? Ideally we'd like the fixed methods to have the same…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

Sorry for the late response.
That's a good point. Virtual methods could get things more complicated. This is one of the reasons that we do not fix any member functions at this point.

ziqingluo-90: Sorry for the late response. That's a good point. Virtual methods could get things more…
expected-note{{change type of 'l' to 'std::span' to preserve bounds information, and change 'p', 'x', 'q', 'r', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix3_control' bounds-safe}}
l = b;
if (++l){}; // expected-note{{used in pointer arithmetic here}}
int * x; // expected-warning{{'x' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'x' to 'std::span' to preserve bounds information, and change 'p', 'q', 'r', 'l', 'b', and 'a' to safe types to make function 'noneParmOrLocalFix3_control' bounds-safe}}
x = p;
tmp = x[5]; // expected-note{{used in buffer access here}}
}
// No fix emitted for any of the parameter but some local variables will get fixed
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE+1]]
void noneParmSomeLocalFix(int * p, int * q, int * r) { // expected-warning{{'p' is an unsafe pointer used for buffer access}} \
expected-warning{{'q' is an unsafe pointer used for buffer access}} \
expected-warning{{'r' is an unsafe pointer used for buffer access}}
int tmp = p[5]; // expected-note{{used in buffer access here}}
tmp = q[5]; // expected-note{{used in buffer access here}}
tmp = r[5]; // expected-note{{used in buffer access here}}
int * a; a = r;
int * b; b = a;
int * l; l = b; // expected-warning{{'l' is an unsafe pointer used for buffer access}}
l++; // expected-note{{used in pointer arithmetic here}}
//`x` and `y` can be fixed
int * x = new int[10];
// CHECK: fix-it:{{.*}}:{[[@LINE-1]]:3-[[@LINE-1]]:12}:"std::span<int> x"
// CHECK: fix-it:{{.*}}:{[[@LINE-2]]:13-[[@LINE-2]]:13}:"{"
// CHECK: fix-it:{{.*}}:{[[@LINE-3]]:24-[[@LINE-3]]:24}:", 10}"
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:3-[[@LINE+1]]:10}:"std::span<int> y"
int * y; // expected-warning{{'y' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'y' to 'std::span' to preserve bounds information, and change 'x' to 'std::span' to propagate bounds information between them}}
y = x;
tmp = y[5]; // expected-note{{used in buffer access here}}
}
// CHECK-NOT: fix-it:{{.*}}:{[[@LINE-1]]
// Test that other parameters of (lambdas and blocks) do not interfere
// the grouping of variables of the function.
// CHECK: fix-it:{{.*}}:{[[@LINE+3]]:30-[[@LINE+3]]:37}:"std::span<int> p"
// CHECK: fix-it:{{.*}}:{[[@LINE+2]]:39-[[@LINE+2]]:46}:"std::span<int> q"
// CHECK: fix-it:{{.*}}:{[[@LINE+20]]:2-[[@LINE+20]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void parmsFromLambdaAndBlock(int * p, int * q) {return parmsFromLambdaAndBlock(std::span<int>(p, <# size #>), std::span<int>(q, <# size #>));}\n"
void parmsFromLambdaAndBlock(int * p, int * q) {
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:3-[[@LINE+1]]:10}:"std::span<int> a"
int * a; // expected-warning{{'a' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'a' to 'std::span' to preserve bounds information, and change 'p', 'b', and 'q' to safe types to make function 'parmsFromLambdaAndBlock' bounds-safe}}
// CHECK: fix-it:{{.*}}:{[[@LINE+1]]:3-[[@LINE+1]]:10}:"std::span<int> b"
int * b; // expected-warning{{'b' is an unsafe pointer used for buffer access}} \
expected-note{{change type of 'b' to 'std::span' to preserve bounds information, and change 'a', 'p', and 'q' to safe types to make function 'parmsFromLambdaAndBlock' bounds-safe}}
auto Lamb = [](int * x) -> void { // expected-warning{{'x' is an unsafe pointer used for buffer access}}
x[5] = 5; // expected-note{{used in buffer access here}}
};
t-rasmudUnsubmitted
Not Done
ReplyInline Actions

Can we have a test case with qualifiers on parameters and maybe another with a qualifier on the function itself?

t-rasmud: Can we have a test case with qualifiers on parameters and maybe another with a qualifier on the…
ziqingluo-90AuthorUnsubmitted
Done
ReplyInline Actions

good point. I recently added such tests for parameters and local variables in following open patches:

ziqingluo-90: good point. I recently added such tests for parameters and local variables in following open…
void (^Blk)(int*) = ^(int * y) { // expected-warning{{'y' is an unsafe pointer used for buffer access}}
y[5] = 5; // expected-note{{used in buffer access here}}
};
a = p;
b = q;
a[5] = 5; // expected-note{{used in buffer access here}}
b[5] = 5; // expected-note{{used in buffer access here}}
}

clang/test/SemaCXX/warn-unsafe-buffer-usage-fixits-parm-span.cpp

Show All 23 Lines
void twoParms(int *p, int * q) { void twoParms(int *p, int * q) {
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:15-[[@LINE-1]]:21}:"std::span<int> p" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:15-[[@LINE-1]]:21}:"std::span<int> p"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:23-[[@LINE-2]]:30}:"std::span<int> q" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:23-[[@LINE-2]]:30}:"std::span<int> q"
int tmp; int tmp;
tmp = p[5] + q[5]; tmp = p[5] + q[5];
} }
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:2-[[@LINE-1]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void twoParms(int *p, int * q) {return twoParms(std::span<int>(p, <# size #>), q);}\n" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:2-[[@LINE-1]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void twoParms(int *p, int * q) {return twoParms(std::span<int>(p, <# size #>), std::span<int>(q, <# size #>));}\n"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:2-[[@LINE-2]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void twoParms(int *p, int * q) {return twoParms(p, std::span<int>(q, <# size #>));}\n"
void ptrToConst(const int * x) { void ptrToConst(const int * x) {
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:17-[[@LINE-1]]:30}:"std::span<int const> x" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:17-[[@LINE-1]]:30}:"std::span<int const> x"
int tmp = x[5]; int tmp = x[5];
} }
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:2-[[@LINE-1]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void ptrToConst(const int * x) {return ptrToConst(std::span<int const>(x, <# size #>));}\n" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:2-[[@LINE-1]]:2}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void ptrToConst(const int * x) {return ptrToConst(std::span<int const>(x, <# size #>));}\n"
// The followings test cases where multiple FileIDs maybe involved // The followings test cases where multiple FileIDs maybe involved
▲ Show 20 LinesShow All 53 Lines▼ Show 20 Linesnamespace {
struct { struct {
// anon // anon
} ANON_S; } ANON_S;
struct MyStruct { struct MyStruct {
// namned // namned
} NAMED_S; } NAMED_S;
// FIXME: `decltype(ANON_S)` represents an unnamed type but it can // FIXME: `decltype(ANON_S)` represents an unnamed type but it can
// be referred as "`decltype(ANON_S)`", so the analysis should // be referred as "`decltype(ANON_S)`", so the analysis should
// fix-it. // fix-it.
void decltypeSpecifier(decltype(C) * p, decltype(ANON_S) * q, decltype(NAMED_S) * r, // As parameter `q` cannot be fixed, fixes to parameters are all being given up.
void decltypeSpecifierAnon(decltype(C) * p, decltype(ANON_S) * q, decltype(NAMED_S) * r,
decltype(NAMED_S) ** rr) { decltype(NAMED_S) ** rr) {
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:26-[[@LINE-2]]:41}:"std::span<decltype(C)> p" // CHECK: fix-it:{{.*}}:{[[@LINE-2]]:30-[[@LINE-2]]:45}:"std::span<decltype(C)> p"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-3]]:65-[[@LINE-3]]:86}:"std::span<decltype(NAMED_S)> r" // CHECK: fix-it:{{.*}}:{[[@LINE-3]]:47-[[@LINE-3]]:67}:"std::span<decltype(ANON_S)> q"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-3]]:26-[[@LINE-3]]:49}:"std::span<decltype(NAMED_S) *> rr" // CHECK: fix-it:{{.*}}:{[[@LINE-4]]:69-[[@LINE-4]]:90}:"std::span<decltype(NAMED_S)> r"
// CHECK: fix-it:{{.*}}:{[[@LINE-4]]:30-[[@LINE-4]]:53}:"std::span<decltype(NAMED_S) *> rr"
if (++p) {} if (++p) {}
if (++q) {} if (++q) {}
if (++r) {} if (++r) {}
if (++rr) {} if (++rr) {}
} }
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:4-[[@LINE-1]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void decltypeSpecifier(decltype(C) * p, decltype(ANON_S) * q, decltype(NAMED_S) * r,\n{{.*}}decltype(NAMED_S) ** rr) {return decltypeSpecifier(std::span<decltype(C)>(p, <# size #>), q, r, rr);}\n // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:4-[[@LINE-1]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void decltypeSpecifierAnon(decltype(C) * p, decltype(ANON_S) * q, decltype(NAMED_S) * r,\n decltype(NAMED_S) ** rr) {return decltypeSpecifierAnon(std::span<decltype(C)>(p, <# size #>), std::span<decltype(ANON_S)>(q, <# size #>), std::span<decltype(NAMED_S)>(r, <# size #>), std::span<decltype(NAMED_S) *>(rr, <# size #>));}\n
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:4-[[@LINE-2]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void decltypeSpecifier(decltype(C) * p, decltype(ANON_S) * q, decltype(NAMED_S) * r,\n{{.*}}decltype(NAMED_S) ** rr) {return decltypeSpecifier(p, q, std::span<decltype(NAMED_S)>(r, <# size #>), rr);}\n"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-3]]:4-[[@LINE-3]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void decltypeSpecifier(decltype(C) * p, decltype(ANON_S) * q, decltype(NAMED_S) * r,\n{{.*}}decltype(NAMED_S) ** rr) {return decltypeSpecifier(p, q, r, std::span<decltype(NAMED_S) *>(rr, <# size #>));}\n" void decltypeSpecifier(decltype(C) * p, decltype(NAMED_S) * r, decltype(NAMED_S) ** rr) {
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:26-[[@LINE-1]]:41}:"std::span<decltype(C)> p"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:43-[[@LINE-2]]:64}:"std::span<decltype(NAMED_S)> r"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-3]]:66-[[@LINE-3]]:89}:"std::span<decltype(NAMED_S) *> rr"
if (++p) {}
if (++r) {}
if (++rr) {}
}
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:4-[[@LINE-1]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void decltypeSpecifier(decltype(C) * p, decltype(NAMED_S) * r, decltype(NAMED_S) ** rr) {return decltypeSpecifier(std::span<decltype(C)>(p, <# size #>), std::span<decltype(NAMED_S)>(r, <# size #>), std::span<decltype(NAMED_S) *>(rr, <# size #>));}\n
#define MACRO_TYPE(T) long T #define MACRO_TYPE(T) long T
void macroType(unsigned MACRO_TYPE(int) * p, unsigned MACRO_TYPE(long) * q) { void macroType(unsigned MACRO_TYPE(int) * p, unsigned MACRO_TYPE(long) * q) {
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:18-[[@LINE-1]]:46}:"std::span<unsigned MACRO_TYPE(int)> p" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:18-[[@LINE-1]]:46}:"std::span<unsigned MACRO_TYPE(int)> p"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:48-[[@LINE-2]]:77}:"std::span<unsigned MACRO_TYPE(long)> q" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:48-[[@LINE-2]]:77}:"std::span<unsigned MACRO_TYPE(long)> q"
int tmp = p[5]; int tmp = p[5];
tmp = q[5]; tmp = q[5];
} }
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:4-[[@LINE-1]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void macroType(unsigned MACRO_TYPE(int) * p, unsigned MACRO_TYPE(long) * q) {return macroType(std::span<unsigned MACRO_TYPE(int)>(p, <# size #>), q);}\n" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:4-[[@LINE-1]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void macroType(unsigned MACRO_TYPE(int) * p, unsigned MACRO_TYPE(long) * q) {return macroType(std::span<unsigned MACRO_TYPE(int)>(p, <# size #>), std::span<unsigned MACRO_TYPE(long)>(q, <# size #>));}\n"
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-2]]:4-[[@LINE-2]]:4}:"\n{{\[}}{{\[}}clang::unsafe_buffer_usage{{\]}}{{\]}} void macroType(unsigned MACRO_TYPE(int) * p, unsigned MACRO_TYPE(long) * q) {return macroType(p, std::span<unsigned MACRO_TYPE(long)>(q, <# size #>));}\n"
} }
// The followings test various declarators: // The followings test various declarators:
void decayedArray(int a[]) { void decayedArray(int a[]) {
// CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:19-[[@LINE-1]]:26}:"std::span<int> a" // CHECK-DAG: fix-it:{{.*}}:{[[@LINE-1]]:19-[[@LINE-1]]:26}:"std::span<int> a"
int tmp; int tmp;
tmp = a[5]; tmp = a[5];
} }
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-unsafe-buffer-usage.cpp

Show All 30 Linesvoid testIncrement(char *p) { // expected-warning{{'p' is an unsafe pointer used for buffer access}}
p++; // expected-note{{used in pointer arithmetic here}} p++; // expected-note{{used in pointer arithmetic here}}
--p; // expected-note{{used in pointer arithmetic here}} --p; // expected-note{{used in pointer arithmetic here}}
p--; // expected-note{{used in pointer arithmetic here}} p--; // expected-note{{used in pointer arithmetic here}}
} }
void * voidPtrCall(void); void * voidPtrCall(void);
char * charPtrCall(void); char * charPtrCall(void);
void testArraySubscripts(int *p, int **pp) { // expected-note{{change type of 'pp' to 'std::span' to preserve bounds information}} void testArraySubscripts(int *p, int **pp) {
// expected-warning@-1{{'p' is an unsafe pointer used for buffer access}} // expected-warning@-1{{'p' is an unsafe pointer used for buffer access}}
// expected-warning@-2{{'pp' is an unsafe pointer used for buffer access}} // expected-warning@-2{{'pp' is an unsafe pointer used for buffer access}}
foo(p[1], // expected-note{{used in buffer access here}} foo(p[1], // expected-note{{used in buffer access here}}
pp[1][1], // expected-note{{used in buffer access here}} pp[1][1], // expected-note{{used in buffer access here}}
// expected-warning@-1{{unsafe buffer access}} // expected-warning@-1{{unsafe buffer access}}
1[1[pp]], // expected-note{{used in buffer access here}} 1[1[pp]], // expected-note{{used in buffer access here}}
// expected-warning@-1{{unsafe buffer access}} // expected-warning@-1{{unsafe buffer access}}
1[pp][1] // expected-note{{used in buffer access here}} 1[pp][1] // expected-note{{used in buffer access here}}
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesvoid testArraySubscriptsWithAuto() {
foo(ap2[1]); // expected-note{{used in buffer access here}} foo(ap2[1]); // expected-note{{used in buffer access here}}
} }
void testUnevaluatedContext(int * p) {// no-warning void testUnevaluatedContext(int * p) {// no-warning
foo(sizeof(p[1]), // no-warning foo(sizeof(p[1]), // no-warning
sizeof(decltype(p[1]))); // no-warning sizeof(decltype(p[1]))); // no-warning
} }
// expected-note@+1{{change type of 'a' to 'std::span' to preserve bounds information}}
void testQualifiedParameters(const int * p, const int * const q, const int a[10], const int b[10][10]) { void testQualifiedParameters(const int * p, const int * const q, const int a[10], const int b[10][10]) {
// expected-warning@-1{{'p' is an unsafe pointer used for buffer access}} // expected-warning@-1{{'p' is an unsafe pointer used for buffer access}}
// expected-warning@-2{{'q' is an unsafe pointer used for buffer access}} // expected-warning@-2{{'q' is an unsafe pointer used for buffer access}}
// expected-warning@-3{{'a' is an unsafe pointer used for buffer access}} // expected-warning@-3{{'a' is an unsafe pointer used for buffer access}}
// expected-warning@-4{{'b' is an unsafe pointer used for buffer access}} // expected-warning@-4{{'b' is an unsafe pointer used for buffer access}}
foo(p[1], 1[p], p[-1], // expected-note3{{used in buffer access here}} foo(p[1], 1[p], p[-1], // expected-note3{{used in buffer access here}}
q[1], 1[q], q[-1], // expected-note3{{used in buffer access here}} q[1], 1[q], q[-1], // expected-note3{{used in buffer access here}}
▲ Show 20 LinesShow All 288 LinesShow Last 20 Lines