This is an archive of the discontinued LLVM Phabricator instance.

Differential D154880

[-Wunsafe-buffer-usage] Add a facility for debugging low fixit coverage.
ClosedPublic

Authored by t-rasmud on Jul 10 2023, 12:53 PM.

Details

Reviewers
jkorous
ziqingluo-90
malavikasamak
NoQ
Commits
rGa6ae740e743a: [-Wunsafe-buffer-usage] Add a facility for debugging low fixit coverage
Summary

This patch adds extra notes to -Wunsafe-buffer-usage warnings, which explain why a fixit wasn't produced. When applied to a large body of real-world code, it'll help us gather statistics that will help us figure out which fixable gadgets (or other features of the fixit machine) to "invest" into.

This is a debugging facility intended for developer use only; it is activated by passing -mllvm -debug-only=SafeBuffers to clang, so it's carefully hidden and undiscoverable, and it's only available in builds with assertions.

Offline we've identified the following sources of false negatives which these notes can help us categorize:

  1. unsafe operation not performed on a supported kind of variable (eg. member variable);
  2. use site of the unsafe variable not claimed by any fixable gadgets (so we need to cover it with a new fixable);
  3. one of the "implicated" variables has unclaimed uses (so we can't build the implication graph);
  4. fixit generation for the declaration of the variable has failed (eg. declaration is in a macro);
  5. fixit generation for one of the fixable gadgets has failed (eg. the use is in a macro).

Currently this patch covers #5; it probably makes sense to cover all of these except maybe #1 (this one's usually obvious).

Diff Detail

Event Timeline

NoQ created this revision.Jul 10 2023, 12:53 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 10 2023, 12:54 PM
Herald added subscribers: steakhal, martong. · View Herald Transcript
NoQ requested review of this revision.Jul 10 2023, 12:54 PM
Herald added a subscriber: wangpc. · View Herald TranscriptJul 10 2023, 12:54 PM
NoQ added inline comments.Jul 10 2023, 1:03 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
577–581

I changed this to make F->getBaseStmt() available more often, but ran into more problems of this kind that were much more strange than this one. I'll probably investigate more.

Harbormaster completed remote builds in B244247: Diff 538776.Jul 10 2023, 2:38 PM
NoQ updated this revision to Diff 538852.Jul 10 2023, 3:28 PM

private: => public:

(for some reason it didn't complain until I did a full rebuild)

NoQ updated this revision to Diff 538862.Jul 10 2023, 3:54 PM

Add the other missing base statement. Debugger was acting weirdly so I thought we had bigger problems, but it's just the other thing missing. It's likely that we ultimately want a better interface for that anyway.

Harbormaster completed remote builds in B244307: Diff 538862.Jul 10 2023, 7:17 PM
t-rasmud commandeered this revision.Jul 17 2023, 11:01 AM
t-rasmud edited reviewers, added: NoQ; removed: t-rasmud.

I will add debug notes for the rest of the cases not addressed in this patch.

t-rasmud updated this revision to Diff 541745.Jul 18 2023, 2:47 PM

This patch addresses cases 2, 3, and 4 described in the summary (i.e) adds debug notes for unclaimed uses of variables and for failed fixit generation of variable declarations.

Harbormaster completed remote builds in B246360: Diff 541745.Jul 18 2023, 2:48 PM
NoQ added a comment.Jul 18 2023, 3:59 PM

Awesome!!

Did you try running it on some real code? Does this actually cover most cases? (I suspect that (1.) is going to be the most popular case, but that's also the easiest case to diagnose visually. We might still want a note if we wanted to prioritize among non-variables, but that's some work, maybe we can get back to this later.)

I have a few minor nitpicks, but generally LGTM!

clang/lib/Analysis/UnsafeBufferUsage.cpp
1755–1756

We might want to silence -Wunused-parameter in release builds.

Maybe it's better to put the entire parameter under #ifndef NDEBUG, but it's definitely more clumsy.

There's also __attribute__((unused)) aka [[maybe_unused]] but it looks like we're not supposed to use it in LLVM for variables:

173 // Some compilers warn about unused functions. When a function is sometimes
174 // used or not depending on build settings (e.g. a function only called from
175 // within "assert"), this attribute can be used to suppress such warnings.
176 //
177 // However, it shouldn't be used for unused *variables*, as those have a much
178 // more portable solution:
179 //   (void)unused_var_name;
180 // Prefer cast-to-void wherever it is sufficient.
181 #if __has_attribute(unused)
182 #define LLVM_ATTRIBUTE_UNUSED __attribute__((__unused__))
183 #else
184 #define LLVM_ATTRIBUTE_UNUSED
185 #endif
1771–1772

This comment is probably duplicated everywhere by accident; it doesn't make much sense in most of these places.

1796
2353

getName() crashes on various anonymous variables, whereas getNameAsString() always gives an answer (even if it's not always a "good" answer), which is more suitable for diagnostics.

2354

Do you want to include a "failde to produce fixit..." text in this message and the next message, for consistency?

NoQ added inline comments.Jul 18 2023, 4:01 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
2174–2175

This is my original comment right? It's actually also outdated and should be removed, I already erased the runtime check, and I already moved the architectural recommendation to implementation of getBaseStmt() in individual gadgets for which it doesn't make sense.

ziqingluo-90 added a comment.Jul 25 2023, 1:01 PM

This is a lot of work, thank you @t-rasmud & @NoQ !

I have a minor suggestion: can we use some macros to make the debug stub even shorter?
The prefix "failed to produce fixit for declaration" is used in many places so probably we do not have to repeat it everywhere. And, maybe some prefixes could be a bit more blurry so that they can be shared. For example, we can just replace "failed to produce fixit for parm var decl" with "failed to produce fixit for declaration". We have source location and more specific message attached to the note so we are not losing information I think.

I'm imagining something like this:

#define DEBUG_NOTE_DECL_FAIL(D, Msg)  \
Handler.addDebugNoteForVar((D), (D)->getBeginLoc(),  "failed to produce fixit for declaration "##Msg)

#define DEBUG_NOTE_GADGET_FAIL(Gadget, Msg)  ...

Does it make sense to you?

t-rasmud updated this revision to Diff 544510.Jul 26 2023, 2:08 PM
t-rasmud retitled this revision from [-Wunsafe-buffer-usage][WIP] Add a facility for debugging low fixit coverage. to [-Wunsafe-buffer-usage] Add a facility for debugging low fixit coverage..
Harbormaster completed remote builds in B248365: Diff 544510.Jul 26 2023, 2:08 PM
t-rasmud marked 6 inline comments as done.Jul 26 2023, 2:09 PM
In D154880#4533035, @ziqingluo-90 wrote:

This is a lot of work, thank you @t-rasmud & @NoQ !

I have a minor suggestion: can we use some macros to make the debug stub even shorter?
The prefix "failed to produce fixit for declaration" is used in many places so probably we do not have to repeat it everywhere. And, maybe some prefixes could be a bit more blurry so that they can be shared. For example, we can just replace "failed to produce fixit for parm var decl" with "failed to produce fixit for declaration". We have source location and more specific message attached to the note so we are not losing information I think.

I'm imagining something like this:

#define DEBUG_NOTE_DECL_FAIL(D, Msg)  \
Handler.addDebugNoteForVar((D), (D)->getBeginLoc(),  "failed to produce fixit for declaration "##Msg)

#define DEBUG_NOTE_GADGET_FAIL(Gadget, Msg)  ...

Does it make sense to you?

I like this suggestion. I've made changes to replace Handler.addDebugNoteForVar for declarations. The Gadget case appears just once as of now, so I've left it as is.

NoQ added inline comments.Jul 26 2023, 2:17 PM
clang/lib/Analysis/UnsafeBufferUsage.cpp
1733–1734

Ooo that's actually really nice! Maybe you can go even further and add this extra harness, so that to eliminate the need for #ifndef NDEBUG at every use.

t-rasmud updated this revision to Diff 544521.Jul 26 2023, 2:40 PM
t-rasmud marked an inline comment as done.
Harbormaster completed remote builds in B248374: Diff 544521.Jul 26 2023, 2:40 PM
NoQ accepted this revision.Jul 26 2023, 3:35 PM

LGTM! I'm excited to learn what this new facility discovers!

clang/lib/Analysis/UnsafeBufferUsage.cpp
1733–1738

An extra bit of paranoia.

This revision is now accepted and ready to land.Jul 26 2023, 3:35 PM
t-rasmud updated this revision to Diff 544547.Jul 26 2023, 4:00 PM
t-rasmud marked an inline comment as done.
Harbormaster completed remote builds in B248396: Diff 544547.Jul 26 2023, 4:01 PM
This revision was landed with ongoing or failed builds.Jul 26 2023, 5:08 PM
Closed by commit rGa6ae740e743a: [-Wunsafe-buffer-usage] Add a facility for debugging low fixit coverage (authored by t-rasmud). · Explain Why
This revision was automatically updated to reflect the committed changes.
t-rasmud added a commit: rGa6ae740e743a: [-Wunsafe-buffer-usage] Add a facility for debugging low fixit coverage.
Herald added a project: Restricted Project. · View Herald TranscriptJul 26 2023, 5:08 PM

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
Analyses/
33 lines
Basic/
6 lines
lib/
Analysis/
123 lines
Sema/
6 lines
test/
SemaCXX/
68 lines

Diff 544561

clang/include/clang/Analysis/Analyses/UnsafeBufferUsage.h

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H #ifndef LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H
#define LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H #define LLVM_CLANG_ANALYSIS_ANALYSES_UNSAFEBUFFERUSAGE_H
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/AST/Stmt.h" #include "clang/AST/Stmt.h"
#include "llvm/Support/Debug.h"
namespace clang { namespace clang {
using DefMapTy = llvm::DenseMap<const VarDecl *, std::vector<const VarDecl *>>; using DefMapTy = llvm::DenseMap<const VarDecl *, std::vector<const VarDecl *>>;
/// The interface that lets the caller handle unsafe buffer usage analysis /// The interface that lets the caller handle unsafe buffer usage analysis
/// results by overriding this class's handle... methods. /// results by overriding this class's handle... methods.
class UnsafeBufferUsageHandler { class UnsafeBufferUsageHandler {
#ifndef NDEBUG
public:
// A self-debugging facility that you can use to notify the user when
// suggestions or fixits are incomplete.
// Uses std::function to avoid computing the message when it won't
// actually be displayed.
using DebugNote = std::pair<SourceLocation, std::string>;
using DebugNoteList = std::vector<DebugNote>;
using DebugNoteByVar = std::map<const VarDecl *, DebugNoteList>;
DebugNoteByVar DebugNotesByVar;
#endif
public: public:
UnsafeBufferUsageHandler() = default; UnsafeBufferUsageHandler() = default;
virtual ~UnsafeBufferUsageHandler() = default; virtual ~UnsafeBufferUsageHandler() = default;
/// This analyses produces large fixits that are organized into lists /// This analyses produces large fixits that are organized into lists
/// of primitive fixits (individual insertions/removals/replacements). /// of primitive fixits (individual insertions/removals/replacements).
using FixItList = llvm::SmallVectorImpl<FixItHint>; using FixItList = llvm::SmallVectorImpl<FixItHint>;
/// Invoked when an unsafe operation over raw pointers is found. /// Invoked when an unsafe operation over raw pointers is found.
virtual void handleUnsafeOperation(const Stmt *Operation, virtual void handleUnsafeOperation(const Stmt *Operation,
bool IsRelatedToDecl) = 0; bool IsRelatedToDecl) = 0;
/// Invoked when a fix is suggested against a variable. This function groups /// Invoked when a fix is suggested against a variable. This function groups
/// all variables that must be fixed together (i.e their types must be changed to the /// all variables that must be fixed together (i.e their types must be changed to the
/// same target type to prevent type mismatches) into a single fixit. /// same target type to prevent type mismatches) into a single fixit.
virtual void handleUnsafeVariableGroup(const VarDecl *Variable, virtual void handleUnsafeVariableGroup(const VarDecl *Variable,
const DefMapTy &VarGrpMap, const DefMapTy &VarGrpMap,
FixItList &&Fixes) = 0; FixItList &&Fixes) = 0;
#ifndef NDEBUG
public:
bool areDebugNotesRequested() {
DEBUG_WITH_TYPE("SafeBuffers", return true);
return false;
}
void addDebugNoteForVar(const VarDecl *VD, SourceLocation Loc,
std::string Text) {
if (areDebugNotesRequested())
DebugNotesByVar[VD].push_back(std::make_pair(Loc, Text));
}
void clearDebugNotes() {
if (areDebugNotesRequested())
DebugNotesByVar.clear();
}
#endif
public:
/// Returns a reference to the `Preprocessor`: /// Returns a reference to the `Preprocessor`:
virtual bool isSafeBufferOptOut(const SourceLocation &Loc) const = 0; virtual bool isSafeBufferOptOut(const SourceLocation &Loc) const = 0;
virtual std::string virtual std::string
getUnsafeBufferUsageAttributeTextAt(SourceLocation Loc, getUnsafeBufferUsageAttributeTextAt(SourceLocation Loc,
StringRef WSSuffix = "") const = 0; StringRef WSSuffix = "") const = 0;
}; };
Show All 14 Lines

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 11,866 Lines▼ Show 20 Linesdef warn_unsafe_buffer_operation : Warning<
"unsafe buffer access|function introduces unsafe buffer manipulation}0">, "unsafe buffer access|function introduces unsafe buffer manipulation}0">,
InGroup<UnsafeBufferUsage>, DefaultIgnore; InGroup<UnsafeBufferUsage>, DefaultIgnore;
def note_unsafe_buffer_operation : Note< def note_unsafe_buffer_operation : Note<
"used%select{| in pointer arithmetic| in buffer access}0 here">; "used%select{| in pointer arithmetic| in buffer access}0 here">;
def note_unsafe_buffer_variable_fixit_group : Note< def note_unsafe_buffer_variable_fixit_group : Note<
"change type of %0 to '%select{std::span|std::array|std::span::iterator}1' to preserve bounds information%select{|, and change %2 to '%select{std::span|std::array|std::span::iterator}1' to propagate bounds information between them}3">; "change type of %0 to '%select{std::span|std::array|std::span::iterator}1' to preserve bounds information%select{|, and change %2 to '%select{std::span|std::array|std::span::iterator}1' to propagate bounds information between them}3">;
def note_safe_buffer_usage_suggestions_disabled : Note< def note_safe_buffer_usage_suggestions_disabled : Note<
"pass -fsafe-buffer-usage-suggestions to receive code hardening suggestions">; "pass -fsafe-buffer-usage-suggestions to receive code hardening suggestions">;
#ifndef NDEBUG
// Not a user-facing diagnostic. Useful for debugging false negatives in
// -fsafe-buffer-usage-suggestions (i.e. lack of -Wunsafe-buffer-usage fixits).
def note_safe_buffer_debug_mode : Note<"safe buffers debug: %0">;
#endif
def err_loongarch_builtin_requires_la32 : Error< def err_loongarch_builtin_requires_la32 : Error<
"this builtin requires target: loongarch32">; "this builtin requires target: loongarch32">;
def err_builtin_pass_in_regs_non_class : Error< def err_builtin_pass_in_regs_non_class : Error<
"argument %0 is not an unqualified class type">; "argument %0 is not an unqualified class type">;
// WebAssembly reference type and table diagnostics. // WebAssembly reference type and table diagnostics.
Show All 37 Lines

clang/lib/Analysis/UnsafeBufferUsage.cpp

Show First 20 LinesShow All 310 Lines▼ Show 20 Lines#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"
/// Useful for implementing the static matcher() methods /// Useful for implementing the static matcher() methods
/// that are expected from all non-abstract subclasses. /// that are expected from all non-abstract subclasses.
using Matcher = decltype(stmt()); using Matcher = decltype(stmt());
Gadget(Kind K) : K(K) {} Gadget(Kind K) : K(K) {}
Kind getKind() const { return K; } Kind getKind() const { return K; }
#ifndef NDEBUG
StringRef getDebugName() const {
switch (K) {
#define GADGET(x) case Kind::x: return #x;
#include "clang/Analysis/Analyses/UnsafeBufferUsageGadgets.def"
}
}
#endif
virtual bool isWarningGadget() const = 0; virtual bool isWarningGadget() const = 0;
virtual const Stmt *getBaseStmt() const = 0; virtual const Stmt *getBaseStmt() const = 0;
/// Returns the list of pointer-type variables on which this gadget performs /// Returns the list of pointer-type variables on which this gadget performs
/// its operation. Typically, there's only one variable. This isn't a list /// its operation. Typically, there's only one variable. This isn't a list
/// of all DeclRefExprs in the gadget's AST! /// of all DeclRefExprs in the gadget's AST!
virtual DeclUseList getClaimedVarUseSites() const = 0; virtual DeclUseList getClaimedVarUseSites() const = 0;
▲ Show 20 LinesShow All 233 Lines▼ Show 20 Lines auto PtrInitStmt = declStmt(hasSingleDecl(varDecl(
bind(PointerInitRHSTag)))). bind(PointerInitRHSTag)))).
bind(PointerInitLHSTag))); bind(PointerInitLHSTag)));
return stmt(PtrInitStmt); return stmt(PtrInitStmt);
} }
virtual std::optional<FixItList> getFixits(const Strategy &S) const override; virtual std::optional<FixItList> getFixits(const Strategy &S) const override;
virtual const Stmt *getBaseStmt() const override { return nullptr; } virtual const Stmt *getBaseStmt() const override {
// FIXME: This needs to be the entire DeclStmt, assuming that this method
// makes sense at all on a FixableGadget.
return PtrInitRHS;
}
NoQUnsubmitted
Done
ReplyInline Actions

I changed this to make F->getBaseStmt() available more often, but ran into more problems of this kind that were much more strange than this one. I'll probably investigate more.

NoQ: I changed this to make `F->getBaseStmt()` available more often, but ran into more problems of…
virtual DeclUseList getClaimedVarUseSites() const override { virtual DeclUseList getClaimedVarUseSites() const override {
return DeclUseList{PtrInitRHS}; return DeclUseList{PtrInitRHS};
} }
virtual std::optional<std::pair<const VarDecl *, const VarDecl *>> virtual std::optional<std::pair<const VarDecl *, const VarDecl *>>
getStrategyImplications() const override { getStrategyImplications() const override {
return std::make_pair(PtrInitLHS, return std::make_pair(PtrInitLHS,
Show All 31 Lines auto PtrAssignExpr = binaryOperator(allOf(hasOperatorName("="),
to(varDecl())). to(varDecl())).
bind(PointerAssignLHSTag)))); bind(PointerAssignLHSTag))));
return stmt(isInUnspecifiedUntypedContext(PtrAssignExpr)); return stmt(isInUnspecifiedUntypedContext(PtrAssignExpr));
} }
virtual std::optional<FixItList> getFixits(const Strategy &S) const override; virtual std::optional<FixItList> getFixits(const Strategy &S) const override;
virtual const Stmt *getBaseStmt() const override { return nullptr; } virtual const Stmt *getBaseStmt() const override {
// FIXME: This should be the binary operator, assuming that this method
// makes sense at all on a FixableGadget.
return PtrLHS;
}
virtual DeclUseList getClaimedVarUseSites() const override { virtual DeclUseList getClaimedVarUseSites() const override {
return DeclUseList{PtrLHS, PtrRHS}; return DeclUseList{PtrLHS, PtrRHS};
} }
virtual std::optional<std::pair<const VarDecl *, const VarDecl *>> virtual std::optional<std::pair<const VarDecl *, const VarDecl *>>
getStrategyImplications() const override { getStrategyImplications() const override {
return std::make_pair(cast<VarDecl>(PtrLHS->getDecl()), return std::make_pair(cast<VarDecl>(PtrLHS->getDecl()),
▲ Show 20 LinesShow All 215 Lines▼ Show 20 Linespublic:
// A variable is unclaimed if at least one use is unclaimed. // A variable is unclaimed if at least one use is unclaimed.
bool hasUnclaimedUses(const VarDecl *VD) const { bool hasUnclaimedUses(const VarDecl *VD) const {
// FIXME: Can this be less linear? Maybe maintain a map from VDs to DREs? // FIXME: Can this be less linear? Maybe maintain a map from VDs to DREs?
return any_of(*Uses, [VD](const DeclRefExpr *DRE) { return any_of(*Uses, [VD](const DeclRefExpr *DRE) {
return DRE->getDecl()->getCanonicalDecl() == VD->getCanonicalDecl(); return DRE->getDecl()->getCanonicalDecl() == VD->getCanonicalDecl();
}); });
} }
UseSetTy getUnclaimedUses(const VarDecl *VD) const {
UseSetTy ReturnSet;
for (auto use : *Uses) {
if (use->getDecl()->getCanonicalDecl() == VD->getCanonicalDecl()) {
ReturnSet.insert(use);
}
}
return ReturnSet;
}
void discoverDecl(const DeclStmt *DS) { void discoverDecl(const DeclStmt *DS) {
for (const Decl *D : DS->decls()) { for (const Decl *D : DS->decls()) {
if (const auto *VD = dyn_cast<VarDecl>(D)) { if (const auto *VD = dyn_cast<VarDecl>(D)) {
// FIXME: Assertion temporarily disabled due to a bug in // FIXME: Assertion temporarily disabled due to a bug in
// ASTMatcher internal behavior in presence of GNU // ASTMatcher internal behavior in presence of GNU
// statement-expressions. We need to properly investigate this // statement-expressions. We need to properly investigate this
// because it can screw up our algorithm in other ways. // because it can screw up our algorithm in other ways.
// assert(Defs.count(VD) == 0 && "Definition already discovered!"); // assert(Defs.count(VD) == 0 && "Definition already discovered!");
▲ Show 20 LinesShow All 842 Lines▼ Show 20 LinespopulateInitializerFixItWithSpan(const Expr *Init, ASTContext &Ctx,
StrBuffer.append(", "); StrBuffer.append(", ");
StrBuffer.append(ExtentText); StrBuffer.append(ExtentText);
StrBuffer.append("}"); StrBuffer.append("}");
FixIts.push_back(FixItHint::CreateInsertion(*LocPassInit, StrBuffer.str())); FixIts.push_back(FixItHint::CreateInsertion(*LocPassInit, StrBuffer.str()));
return FixIts; return FixIts;
} }
#ifndef NDEBUG
#define DEBUG_NOTE_DECL_FAIL(D, Msg) \
NoQUnsubmitted
Done
ReplyInline Actions
return FixIts;
}
+ #ifndef NDEBUG
#define DEBUG_NOTE_DECL_FAIL(D, Msg) \
Handler.addDebugNoteForVar((D), (D)->getBeginLoc(), "failed to produce fixit for declaration '" + D->getNameAsString() + "'" + Msg)
+ #else
+ #define DEBUG_NOTE_DECL_FAIL(D, Msg)
+ #endif
// For a `VarDecl` of the form `T * var (= Init)?`, this

Ooo that's actually really nice! Maybe you can go even further and add this extra harness, so that to eliminate the need for #ifndef NDEBUG at every use.

NoQ: Ooo that's actually really nice! Maybe you can go even further and add this extra harness, so…
Handler.addDebugNoteForVar((D), (D)->getBeginLoc(), "failed to produce fixit for declaration '" + (D)->getNameAsString() + "'" + (Msg))
#else
#define DEBUG_NOTE_DECL_FAIL(D, Msg)
#endif
NoQUnsubmitted
Done
ReplyInline Actions
return FixIts;
}
#ifndef NDEBUG
#define DEBUG_NOTE_DECL_FAIL(D, Msg) \
- Handler.addDebugNoteForVar((D), (D)->getBeginLoc(), "failed to produce fixit for declaration '" + D->getNameAsString() + "'" + Msg)
+ Handler.addDebugNoteForVar((D), (D)->getBeginLoc(), "failed to produce fixit for declaration '" + (D)->getNameAsString() + "'" + (Msg))
#else
#define DEBUG_NOTE_DECL_FAIL(D, Msg)
#endif
// For a `VarDecl` of the form `T * var (= Init)?`, this

An extra bit of paranoia.

NoQ: An extra bit of paranoia.
// For a `VarDecl` of the form `T * var (= Init)?`, this // For a `VarDecl` of the form `T * var (= Init)?`, this
// function generates a fix-it for the declaration, which re-declares `var` to // function generates a fix-it for the declaration, which re-declares `var` to
// be of `span<T>` type and transforms the initializer, if present, to a span // be of `span<T>` type and transforms the initializer, if present, to a span
// constructor---`span<T> var {Init, Extent}`, where `Extent` may need the user // constructor---`span<T> var {Init, Extent}`, where `Extent` may need the user
// to fill in. // to fill in.
// //
// FIXME: support Multi-level pointers // FIXME: support Multi-level pointers
// //
// Parameters: // Parameters:
// `D` a pointer the variable declaration node // `D` a pointer the variable declaration node
// `Ctx` a reference to the ASTContext // `Ctx` a reference to the ASTContext
// Returns: // Returns:
// the generated fix-it // the generated fix-it
static FixItList fixVarDeclWithSpan(const VarDecl *D, ASTContext &Ctx, static FixItList fixVarDeclWithSpan(const VarDecl *D, ASTContext &Ctx,
const StringRef UserFillPlaceHolder) { const StringRef UserFillPlaceHolder,
UnsafeBufferUsageHandler &Handler) {
(void)Handler; // Suppress unused variable warning in release builds.
NoQUnsubmitted
Done
ReplyInline Actions
const StringRef UserFillPlaceHolder,
UnsafeBufferUsageHandler &Handler) {
+ (void)Handler; // Suppress unused variable warning in release builds.
+
const QualType &SpanEltT = D->getType()->getPointeeType();
assert(!SpanEltT.isNull() && "Trying to fix a non-pointer type variable!");

We might want to silence -Wunused-parameter in release builds.

Maybe it's better to put the entire parameter under #ifndef NDEBUG, but it's definitely more clumsy.

There's also __attribute__((unused)) aka [[maybe_unused]] but it looks like we're not supposed to use it in LLVM for variables:

173 // Some compilers warn about unused functions. When a function is sometimes
174 // used or not depending on build settings (e.g. a function only called from
175 // within "assert"), this attribute can be used to suppress such warnings.
176 //
177 // However, it shouldn't be used for unused *variables*, as those have a much
178 // more portable solution:
179 //   (void)unused_var_name;
180 // Prefer cast-to-void wherever it is sufficient.
181 #if __has_attribute(unused)
182 #define LLVM_ATTRIBUTE_UNUSED __attribute__((__unused__))
183 #else
184 #define LLVM_ATTRIBUTE_UNUSED
185 #endif
NoQ: We might want to silence `-Wunused-parameter` in release builds. Maybe it's better to put the…
const QualType &SpanEltT = D->getType()->getPointeeType(); const QualType &SpanEltT = D->getType()->getPointeeType();
assert(!SpanEltT.isNull() && "Trying to fix a non-pointer type variable!"); assert(!SpanEltT.isNull() && "Trying to fix a non-pointer type variable!");
FixItList FixIts{}; FixItList FixIts{};
std::optional<SourceLocation> std::optional<SourceLocation>
ReplacementLastLoc; // the inclusive end location of the replacement ReplacementLastLoc; // the inclusive end location of the replacement
const SourceManager &SM = Ctx.getSourceManager(); const SourceManager &SM = Ctx.getSourceManager();
if (const Expr *Init = D->getInit()) { if (const Expr *Init = D->getInit()) {
FixItList InitFixIts = FixItList InitFixIts =
populateInitializerFixItWithSpan(Init, Ctx, UserFillPlaceHolder); populateInitializerFixItWithSpan(Init, Ctx, UserFillPlaceHolder);
if (InitFixIts.empty()) if (InitFixIts.empty()) {
DEBUG_NOTE_DECL_FAIL(D, " : empty initializer");
return {}; return {};
}
NoQUnsubmitted
Done
ReplyInline Actions

This comment is probably duplicated everywhere by accident; it doesn't make much sense in most of these places.

NoQ: This comment is probably duplicated everywhere by accident; it doesn't make much sense in most…
// The loc right before the initializer: // The loc right before the initializer:
ReplacementLastLoc = Init->getBeginLoc().getLocWithOffset(-1); ReplacementLastLoc = Init->getBeginLoc().getLocWithOffset(-1);
FixIts.insert(FixIts.end(), std::make_move_iterator(InitFixIts.begin()), FixIts.insert(FixIts.end(), std::make_move_iterator(InitFixIts.begin()),
std::make_move_iterator(InitFixIts.end())); std::make_move_iterator(InitFixIts.end()));
} else } else
ReplacementLastLoc = getEndCharLoc(D, SM, Ctx.getLangOpts()); ReplacementLastLoc = getEndCharLoc(D, SM, Ctx.getLangOpts());
// Producing fix-it for variable declaration---make `D` to be of span type: // Producing fix-it for variable declaration---make `D` to be of span type:
SmallString<32> Replacement; SmallString<32> Replacement;
raw_svector_ostream OS(Replacement); raw_svector_ostream OS(Replacement);
OS << "std::span<" << SpanEltT.getAsString() << "> " << D->getName(); OS << "std::span<" << SpanEltT.getAsString() << "> " << D->getName();
if (!ReplacementLastLoc) if (!ReplacementLastLoc) {
DEBUG_NOTE_DECL_FAIL(D, " : failed to get end char loc (macro)");
return {}; return {};
}
FixIts.push_back(FixItHint::CreateReplacement( FixIts.push_back(FixItHint::CreateReplacement(
SourceRange{D->getBeginLoc(), *ReplacementLastLoc}, OS.str())); SourceRange{D->getBeginLoc(), *ReplacementLastLoc}, OS.str()));
return FixIts; return FixIts;
} }
NoQUnsubmitted
Done
ReplyInline Actions
("failed to produce fixit for declaration '" + D->getName()
- + "' : fale dto get end char loc (macro)").str());
+ + "' : failed to get end char loc (macro)").str());
#endif
NoQ:
static bool hasConflictingOverload(const FunctionDecl *FD) { static bool hasConflictingOverload(const FunctionDecl *FD) {
return !FD->getDeclContext()->lookup(FD->getDeclName()).isSingleResult(); return !FD->getDeclContext()->lookup(FD->getDeclName()).isSingleResult();
} }
// For a `FunDecl`, one of whose `ParmVarDecl`s is being changed to have a new // For a `FunDecl`, one of whose `ParmVarDecl`s is being changed to have a new
// type, this function produces fix-its to make the change self-contained. Let // type, this function produces fix-its to make the change self-contained. Let
// 'F' be the entity defined by the original `FunDecl` and "NewF" be the entity // 'F' be the entity defined by the original `FunDecl` and "NewF" be the entity
// defined by the `FunDecl` after the change to the parameter. Fix-its produced // defined by the `FunDecl` after the change to the parameter. Fix-its produced
▲ Show 20 LinesShow All 169 Lines▼ Show 20 LinescreateOverloadsForFixedParams(unsigned ParmIdx, StringRef NewTyText,
return FixIts; return FixIts;
} }
// To fix a `ParmVarDecl` to be of `std::span` type. In addition, creating a // To fix a `ParmVarDecl` to be of `std::span` type. In addition, creating a
// new overload of the function so that the change is self-contained (see // new overload of the function so that the change is self-contained (see
// `createOverloadsForFixedParams`). // `createOverloadsForFixedParams`).
static FixItList fixParamWithSpan(const ParmVarDecl *PVD, const ASTContext &Ctx, static FixItList fixParamWithSpan(const ParmVarDecl *PVD, const ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
if (PVD->hasDefaultArg()) if (PVD->hasDefaultArg()) {
// FIXME: generate fix-its for default values: // FIXME: generate fix-its for default values:
DEBUG_NOTE_DECL_FAIL(PVD, " : has default arg");
return {}; return {};
}
assert(PVD->getType()->isPointerType()); assert(PVD->getType()->isPointerType());
auto *FD = dyn_cast<FunctionDecl>(PVD->getDeclContext()); auto *FD = dyn_cast<FunctionDecl>(PVD->getDeclContext());
if (!FD) if (!FD) {
DEBUG_NOTE_DECL_FAIL(PVD, " : invalid func decl");
return {}; return {};
}
std::optional<Qualifiers> PteTyQualifiers = std::nullopt; std::optional<Qualifiers> PteTyQualifiers = std::nullopt;
std::optional<std::string> PteTyText = getPointeeTypeText( std::optional<std::string> PteTyText = getPointeeTypeText(
PVD, Ctx.getSourceManager(), Ctx.getLangOpts(), &PteTyQualifiers); PVD, Ctx.getSourceManager(), Ctx.getLangOpts(), &PteTyQualifiers);
if (!PteTyText) if (!PteTyText) {
DEBUG_NOTE_DECL_FAIL(PVD, " : invalid pointee type");
return {}; return {};
}
std::optional<StringRef> PVDNameText = PVD->getIdentifier()->getName(); std::optional<StringRef> PVDNameText = PVD->getIdentifier()->getName();
if (!PVDNameText) if (!PVDNameText) {
DEBUG_NOTE_DECL_FAIL(PVD, " : invalid identifier name");
return {}; return {};
}
std::string SpanOpen = "std::span<"; std::string SpanOpen = "std::span<";
std::string SpanClose = ">"; std::string SpanClose = ">";
std::string SpanTyText; std::string SpanTyText;
std::stringstream SS; std::stringstream SS;
SS << SpanOpen << *PteTyText; SS << SpanOpen << *PteTyText;
// Append qualifiers to span element type: // Append qualifiers to span element type:
Show All 19 Lines for (auto *ParmIter : FD->parameters()) {
ParmIdx++; ParmIdx++;
} }
if (ParmIdx < FD->getNumParams()) if (ParmIdx < FD->getNumParams())
if (auto OverloadFix = createOverloadsForFixedParams(ParmIdx, SpanTyText, if (auto OverloadFix = createOverloadsForFixedParams(ParmIdx, SpanTyText,
FD, Ctx, Handler)) { FD, Ctx, Handler)) {
Fixes.append(*OverloadFix); Fixes.append(*OverloadFix);
return Fixes; return Fixes;
} }
DEBUG_NOTE_DECL_FAIL(PVD, " : invalid number of parameters");
return {}; return {};
} }
static FixItList fixVariableWithSpan(const VarDecl *VD, static FixItList fixVariableWithSpan(const VarDecl *VD,
const DeclUseTracker &Tracker, const DeclUseTracker &Tracker,
ASTContext &Ctx, ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
const DeclStmt *DS = Tracker.lookupDecl(VD); const DeclStmt *DS = Tracker.lookupDecl(VD);
assert(DS && "Fixing non-local variables not implemented yet!"); assert(DS && "Fixing non-local variables not implemented yet!");
if (!DS->isSingleDecl()) { if (!DS->isSingleDecl()) {
// FIXME: to support handling multiple `VarDecl`s in a single `DeclStmt` // FIXME: to support handling multiple `VarDecl`s in a single `DeclStmt`
DEBUG_NOTE_DECL_FAIL(VD, " : multiple VarDecls");
return {}; return {};
} }
// Currently DS is an unused variable but we'll need it when // Currently DS is an unused variable but we'll need it when
// non-single decls are implemented, where the pointee type name // non-single decls are implemented, where the pointee type name
// and the '*' are spread around the place. // and the '*' are spread around the place.
(void)DS; (void)DS;
// FIXME: handle cases where DS has multiple declarations // FIXME: handle cases where DS has multiple declarations
return fixVarDeclWithSpan(VD, Ctx, getUserFillPlaceHolder()); return fixVarDeclWithSpan(VD, Ctx, getUserFillPlaceHolder(),
Handler);
} }
// TODO: we should be consistent to use `std::nullopt` to represent no-fix due // TODO: we should be consistent to use `std::nullopt` to represent no-fix due
// to any unexpected problem. // to any unexpected problem.
static FixItList static FixItList
fixVariable(const VarDecl *VD, Strategy::Kind K, fixVariable(const VarDecl *VD, Strategy::Kind K,
/* The function decl under analysis */ const Decl *D, /* The function decl under analysis */ const Decl *D,
const DeclUseTracker &Tracker, ASTContext &Ctx, const DeclUseTracker &Tracker, ASTContext &Ctx,
UnsafeBufferUsageHandler &Handler) { UnsafeBufferUsageHandler &Handler) {
if (const auto *PVD = dyn_cast<ParmVarDecl>(VD)) { if (const auto *PVD = dyn_cast<ParmVarDecl>(VD)) {
auto *FD = dyn_cast<clang::FunctionDecl>(PVD->getDeclContext()); auto *FD = dyn_cast<clang::FunctionDecl>(PVD->getDeclContext());
if (!FD || FD != D) if (!FD || FD != D) {
// `FD != D` means that `PVD` belongs to a function that is not being // `FD != D` means that `PVD` belongs to a function that is not being
// analyzed currently. Thus `FD` may not be complete. // analyzed currently. Thus `FD` may not be complete.
DEBUG_NOTE_DECL_FAIL(VD, " : function not currently analyzed");
return {}; return {};
}
// TODO If function has a try block we can't change params unless we check // TODO If function has a try block we can't change params unless we check
// also its catch block for their use. // also its catch block for their use.
// FIXME We might support static class methods, some select methods, // FIXME We might support static class methods, some select methods,
// operators and possibly lamdas. // operators and possibly lamdas.
if (FD->isMain() || FD->isConstexpr() || if (FD->isMain() || FD->isConstexpr() ||
FD->getTemplatedKind() != FunctionDecl::TemplatedKind::TK_NonTemplate || FD->getTemplatedKind() != FunctionDecl::TemplatedKind::TK_NonTemplate ||
FD->isVariadic() || FD->isVariadic() ||
// also covers call-operator of lamdas // also covers call-operator of lamdas
isa<CXXMethodDecl>(FD) || isa<CXXMethodDecl>(FD) ||
// skip when the function body is a try-block // skip when the function body is a try-block
(FD->hasBody() && isa<CXXTryStmt>(FD->getBody())) || (FD->hasBody() && isa<CXXTryStmt>(FD->getBody())) ||
FD->isOverloadedOperator()) FD->isOverloadedOperator()) {
DEBUG_NOTE_DECL_FAIL(VD, " : unsupported function decl");
return {}; // TODO test all these cases return {}; // TODO test all these cases
} }
}
switch (K) { switch (K) {
case Strategy::Kind::Span: { case Strategy::Kind::Span: {
if (VD->getType()->isPointerType()) { if (VD->getType()->isPointerType()) {
if (const auto *PVD = dyn_cast<ParmVarDecl>(VD)) if (const auto *PVD = dyn_cast<ParmVarDecl>(VD))
return fixParamWithSpan(PVD, Ctx, Handler); return fixParamWithSpan(PVD, Ctx, Handler);
if (VD->isLocalVarDecl()) if (VD->isLocalVarDecl())
return fixVariableWithSpan(VD, Tracker, Ctx, Handler); return fixVariableWithSpan(VD, Tracker, Ctx, Handler);
} }
DEBUG_NOTE_DECL_FAIL(VD, " : not a pointer");
return {}; return {};
} }
case Strategy::Kind::Iterator: case Strategy::Kind::Iterator:
case Strategy::Kind::Array: case Strategy::Kind::Array:
case Strategy::Kind::Vector: case Strategy::Kind::Vector:
llvm_unreachable("Strategy not implemented yet!"); llvm_unreachable("Strategy not implemented yet!");
case Strategy::Kind::Wontfix: case Strategy::Kind::Wontfix:
llvm_unreachable("Invalid strategy!"); llvm_unreachable("Invalid strategy!");
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines if (FixItsForVariable[VD].empty()) {
FixItsForVariable.erase(VD); FixItsForVariable.erase(VD);
continue; continue;
} }
bool ImpossibleToFix = false; bool ImpossibleToFix = false;
llvm::SmallVector<FixItHint, 16> FixItsForVD; llvm::SmallVector<FixItHint, 16> FixItsForVD;
for (const auto &F : Fixables) { for (const auto &F : Fixables) {
std::optional<FixItList> Fixits = F->getFixits(S); std::optional<FixItList> Fixits = F->getFixits(S);
if (!Fixits) { if (!Fixits) {
#ifndef NDEBUG
Handler.addDebugNoteForVar(
VD, F->getBaseStmt()->getBeginLoc(),
NoQUnsubmitted
Done
ReplyInline Actions

This is my original comment right? It's actually also outdated and should be removed, I already erased the runtime check, and I already moved the architectural recommendation to implementation of getBaseStmt() in individual gadgets for which it doesn't make sense.

NoQ: This is my original comment right? It's actually also outdated and should be removed, I already…
("gadget '" + F->getDebugName() + "' refused to produce a fix")
.str());
#endif
ImpossibleToFix = true; ImpossibleToFix = true;
break; break;
} else { } else {
const FixItList CorrectFixes = Fixits.value(); const FixItList CorrectFixes = Fixits.value();
FixItsForVD.insert(FixItsForVD.end(), CorrectFixes.begin(), FixItsForVD.insert(FixItsForVD.end(), CorrectFixes.begin(),
CorrectFixes.end()); CorrectFixes.end());
} }
} }
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Lines for (const VarDecl *VD : UnsafeVars) {
S.set(VD, Strategy::Kind::Span); S.set(VD, Strategy::Kind::Span);
} }
return S; return S;
} }
void clang::checkUnsafeBufferUsage(const Decl *D, void clang::checkUnsafeBufferUsage(const Decl *D,
UnsafeBufferUsageHandler &Handler, UnsafeBufferUsageHandler &Handler,
bool EmitSuggestions) { bool EmitSuggestions) {
#ifndef NDEBUG
Handler.clearDebugNotes();
#endif
assert(D && D->getBody()); assert(D && D->getBody());
// We do not want to visit a Lambda expression defined inside a method independently. // We do not want to visit a Lambda expression defined inside a method independently.
// Instead, it should be visited along with the outer method. // Instead, it should be visited along with the outer method.
if (const auto *fd = dyn_cast<CXXMethodDecl>(D)) { if (const auto *fd = dyn_cast<CXXMethodDecl>(D)) {
if (fd->getParent()->isLambda() && fd->getParent()->isLocalClass()) if (fd->getParent()->isLambda() && fd->getParent()->isLocalClass())
return; return;
} }
▲ Show 20 LinesShow All 63 Lines▼ Show 20 Lines#endif
std::map<const VarDecl *, FixItList> FixItsForVariableGroup; std::map<const VarDecl *, FixItList> FixItsForVariableGroup;
DefMapTy VariableGroupsMap{}; DefMapTy VariableGroupsMap{};
// Filter out non-local vars and vars with unclaimed DeclRefExpr-s. // Filter out non-local vars and vars with unclaimed DeclRefExpr-s.
for (auto it = FixablesForAllVars.byVar.cbegin(); for (auto it = FixablesForAllVars.byVar.cbegin();
it != FixablesForAllVars.byVar.cend();) { it != FixablesForAllVars.byVar.cend();) {
// FIXME: need to deal with global variables later // FIXME: need to deal with global variables later
if ((!it->first->isLocalVarDecl() && !isa<ParmVarDecl>(it->first)) || if ((!it->first->isLocalVarDecl() && !isa<ParmVarDecl>(it->first))) {
Tracker.hasUnclaimedUses(it->first) || it->first->isInitCapture()) { #ifndef NDEBUG
Handler.addDebugNoteForVar(
it->first, it->first->getBeginLoc(),
("failed to produce fixit for '" + it->first->getNameAsString() +
"' : neither local nor a parameter"));
#endif
NoQUnsubmitted
Done
ReplyInline Actions
it->first, it->first->getBeginLoc(),
- ("'" + it->first->getName() +
+ ("'" + it->first->getNameAsString() +
"' is neither local nor a parameter").str());

getName() crashes on various anonymous variables, whereas getNameAsString() always gives an answer (even if it's not always a "good" answer), which is more suitable for diagnostics.

NoQ: `getName()` crashes on various anonymous variables, whereas `getNameAsString()` always gives an…
it = FixablesForAllVars.byVar.erase(it);
NoQUnsubmitted
Done
ReplyInline Actions

Do you want to include a "failde to produce fixit..." text in this message and the next message, for consistency?

NoQ: Do you want to include a "failde to produce fixit..." text in this message and the next message…
} else if (Tracker.hasUnclaimedUses(it->first)) {
#ifndef NDEBUG
auto AllUnclaimed = Tracker.getUnclaimedUses(it->first);
for (auto UnclaimedDRE : AllUnclaimed) {
Handler.addDebugNoteForVar(
it->first, UnclaimedDRE->getBeginLoc(),
("failed to produce fixit for '" + it->first->getNameAsString() +
"' : has an unclaimed use"));
}
#endif
it = FixablesForAllVars.byVar.erase(it);
} else if (it->first->isInitCapture()) {
#ifndef NDEBUG
Handler.addDebugNoteForVar(
it->first, it->first->getBeginLoc(),
("failed to produce fixit for '" + it->first->getNameAsString() +
"' : init capture"));
#endif
it = FixablesForAllVars.byVar.erase(it); it = FixablesForAllVars.byVar.erase(it);
} else { }else {
++it; ++it;
} }
} }
llvm::SmallVector<const VarDecl *, 16> UnsafeVars; llvm::SmallVector<const VarDecl *, 16> UnsafeVars;
for (const auto &[VD, ignore] : FixablesForAllVars.byVar) for (const auto &[VD, ignore] : FixablesForAllVars.byVar)
UnsafeVars.push_back(VD); UnsafeVars.push_back(VD);
▲ Show 20 LinesShow All 135 LinesShow Last 20 Lines

clang/lib/Sema/AnalysisBasedWarnings.cpp

Show First 20 LinesShow All 2,270 Lines▼ Show 20 Lines if (!Fixes.empty()) {
FD << AllVars << 1; FD << AllVars << 1;
} else { } else {
FD << "" << 0; FD << "" << 0;
} }
for (const auto &F : Fixes) for (const auto &F : Fixes)
FD << F; FD << F;
} }
#ifndef NDEBUG
if (areDebugNotesRequested())
for (const DebugNote &Note: DebugNotesByVar[Variable])
S.Diag(Note.first, diag::note_safe_buffer_debug_mode) << Note.second;
#endif
} }
bool isSafeBufferOptOut(const SourceLocation &Loc) const override { bool isSafeBufferOptOut(const SourceLocation &Loc) const override {
return S.PP.isSafeBufferOptOut(S.getSourceManager(), Loc); return S.PP.isSafeBufferOptOut(S.getSourceManager(), Loc);
} }
// Returns the text representation of clang::unsafe_buffer_usage attribute. // Returns the text representation of clang::unsafe_buffer_usage attribute.
// `WSSuffix` holds customized "white-space"s, e.g., newline or whilespace // `WSSuffix` holds customized "white-space"s, e.g., newline or whilespace
▲ Show 20 LinesShow All 457 LinesShow Last 20 Lines

clang/test/SemaCXX/warn-unsafe-buffer-usage-debug.cpp

  • This file was added.
// RUN: %clang_cc1 -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions \
// RUN: -std=c++20 -verify=expected %s
// RUN: %clang_cc1 -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions \
// RUN: -mllvm -debug-only=SafeBuffers \
// RUN: -std=c++20 -verify=expected,debug %s
// A generic -debug would also enable our notes. This is probably fine.
//
// RUN: %clang_cc1 -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions \
// RUN: -std=c++20 -mllvm -debug \
// RUN: -verify=expected,debug %s
// This test file checks the behavior under the assumption that no fixits
// were emitted for the test cases. If -Wunsafe-buffer-usage is improved
// to support these cases (thus failing the test), the test should be changed
// to showcase a different unsupported example.
//
// RUN: %clang_cc1 -Wunsafe-buffer-usage -fsafe-buffer-usage-suggestions \
// RUN: -mllvm -debug-only=SafeBuffers \
// RUN: -std=c++20 -fdiagnostics-parseable-fixits %s \
// RUN: 2>&1 | FileCheck %s
// CHECK-NOT: fix-it:
// This debugging facility is only available in debug builds.
//
// REQUIRES: asserts
void foo() {
int *x = new int[10]; // expected-warning{{'x' is an unsafe pointer used for buffer access}}
x[5] = 10; // expected-note{{used in buffer access here}}
int z = x[-1]; // expected-note{{used in buffer access here}} \
// debug-note{{safe buffers debug: gadget 'ULCArraySubscript' refused to produce a fix}}
}
void failed_decl() {
int a[10]; // expected-warning{{'a' is an unsafe buffer that does not perform bounds checks}} \
// debug-note{{safe buffers debug: failed to produce fixit for declaration 'a' : not a pointer}}
for (int i = 0; i < 10; i++) {
a[i] = i; // expected-note{{used in buffer access here}}
}
}
void failed_multiple_decl() {
int *a = new int[4], b; // expected-warning{{'a' is an unsafe pointer used for buffer access}} \
// debug-note{{safe buffers debug: failed to produce fixit for declaration 'a' : multiple VarDecls}}
a[4] = 3; // expected-note{{used in buffer access here}}
}
void failed_param_var_decl(int *a =new int[3]) { // expected-warning{{'a' is an unsafe pointer used for buffer access}} \
// debug-note{{safe buffers debug: failed to produce fixit for declaration 'a' : has default arg}}
a[4] = 6; // expected-note{{used in buffer access here}}
}
void unclaimed_use() {
int *a = new int[3]; // expected-warning{{'a' is an unsafe pointer used for buffer access}}
a[2] = 9; // expected-note{{used in buffer access here}}
int *b = a++; // expected-note{{used in pointer arithmetic here}} \
// debug-note{{safe buffers debug: failed to produce fixit for 'a' : has an unclaimed use}}
}
void implied_unclaimed_var(int *b) { // expected-warning{{'b' is an unsafe pointer used for buffer access}}
int *a = new int[3]; // expected-warning{{'a' is an unsafe pointer used for buffer access}}
a[4] = 7; // expected-note{{used in buffer access here}}
a = b; // debug-note{{safe buffers debug: gadget 'PointerAssignment' refused to produce a fix}}
b++; // expected-note{{used in pointer arithmetic here}} \
// debug-note{{safe buffers debug: failed to produce fixit for 'b' : has an unclaimed use}}
}