This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/
-
clang/
-
Basic/
1/1
DiagnosticSemaKinds.td
-
Sema/
1/1
Sema.h
-
lib/Sema/
-
Sema/
2/2
SemaChecking.cpp
-
test/Sema/
-
Sema/
2/3
error-type-safety.cpp

Differential D40574

Bounds check argument_with_type_tag attribute.
ClosedPublic

Authored by mattd on Nov 28 2017, 12:44 PM.

Download Raw Diff

Details

Reviewers

gribozavr
aaron.ballman

Summary

Fixes: PR28520

Perform a bounds check on a function's argument list, before accessing any index value specified by an 'argument_with_type_tag' attribute.

Diff Detail

Event Timeline

mattd created this revision.Nov 28 2017, 12:44 PM

aaron.ballman added inline comments.Nov 29 2017, 8:30 AM

include/clang/Basic/DiagnosticSemaKinds.td
7922–7925	These should be combined into a single diagnostic: `%select{type\|argument}0 tag index %1 is greater than the number of arguments specified`
include/clang/Sema/Sema.h
10458	`const Expr ` (space before the ``). Same below in the definition.
lib/Sema/SemaChecking.cpp
12345	Spurious newline?
12366	Spurious newline?
test/Sema/error-type-safety.cpp
3–4	Is this declaration necessary?
16	Can you also add a test for a boundary case so we can be sure there are no off-by-one errors introduced later?

Removed the new lines.
Added white space between the data type and pointer character.
Updated the test to check the exact bounds, and over-bounds cases
Combined the diagnostic messages into one via 'select'

mattd marked 6 inline comments as done.Nov 29 2017, 11:26 AM

mattd added inline comments.

test/Sema/error-type-safety.cpp
3–4	Hi Aaron, thanks for the input. Yes, defining the tag is necessary in order to test the argument index. If the type tag is not satisfied, the code path checking argument tag index will never be reached. My update will test the bounds and is a little more comprehensive.

Thanks, LGTM!

This revision is now accepted and ready to land.Nov 29 2017, 1:23 PM

Thanks for the approval Aaron. I do not have commit access, would you mind submitting this on my behalf?

In D40574#939693, @mattd wrote:

Thanks for the approval Aaron. I do not have commit access, would you mind submitting this on my behalf?

Happy to do so -- I've commit in r319383, thank you for the patch!

Revision Contents

Path

Size

include/

clang/

Basic/

DiagnosticSemaKinds.td

4 lines

Sema/

Sema.h

3 lines

lib/

Sema/

SemaChecking.cpp

21 lines

test/

Sema/

error-type-safety.cpp

16 lines

Diff 124606

include/clang/Basic/DiagnosticSemaKinds.td

This file is larger than 256 KB, so syntax highlighting is disabled by default.

	Show First 20 Lines • Show All 7,913 Lines • ▼ Show 20 Lines
	// Type safety attributes			// Type safety attributes
	def err_type_tag_for_datatype_not_ice : Error<			def err_type_tag_for_datatype_not_ice : Error<
	"'type_tag_for_datatype' attribute requires the initializer to be "			"'type_tag_for_datatype' attribute requires the initializer to be "
	"an %select{integer\|integral}0 constant expression">;			"an %select{integer\|integral}0 constant expression">;
	def err_type_tag_for_datatype_too_large : Error<			def err_type_tag_for_datatype_too_large : Error<
	"'type_tag_for_datatype' attribute requires the initializer to be "			"'type_tag_for_datatype' attribute requires the initializer to be "
	"an %select{integer\|integral}0 constant expression "			"an %select{integer\|integral}0 constant expression "
	"that can be represented by a 64 bit integer">;			"that can be represented by a 64 bit integer">;
				def err_type_tag_out_of_range : Error<
				"type tag index %0 is greater than the number of arguments specified">;
				def err_arg_tag_out_of_range : Error<
				"argument tag index %0 is greater than the number of arguments specified">;
				aaron.ballmanUnsubmitted Done Reply Inline Actions These should be combined into a single diagnostic: `%select{type\|argument}0 tag index %1 is greater than the number of arguments specified` aaron.ballman: These should be combined into a single diagnostic: `%select{type\|argument}0 tag index %1 is…
	def warn_type_tag_for_datatype_wrong_kind : Warning<			def warn_type_tag_for_datatype_wrong_kind : Warning<
	"this type tag was not designed to be used with this function">,			"this type tag was not designed to be used with this function">,
	InGroup<TypeSafety>;			InGroup<TypeSafety>;
	def warn_type_safety_type_mismatch : Warning<			def warn_type_safety_type_mismatch : Warning<
	"argument type %0 doesn't match specified %1 type tag "			"argument type %0 doesn't match specified %1 type tag "
	"%select{that requires %3\|}2">, InGroup<TypeSafety>;			"%select{that requires %3\|}2">, InGroup<TypeSafety>;
	def warn_type_safety_null_pointer_required : Warning<			def warn_type_safety_null_pointer_required : Warning<
	"specified %0 type tag requires a null pointer">, InGroup<TypeSafety>;			"specified %0 type tag requires a null pointer">, InGroup<TypeSafety>;
	▲ Show 20 Lines • Show All 1,383 Lines • Show Last 20 Lines

include/clang/Sema/Sema.h

This file is larger than 256 KB, so syntax highlighting is disabled by default.

	Show First 20 Lines • Show All 10,449 Lines • ▼ Show 20 Lines
	private:			private:
	/// \brief A map from magic value to type information.			/// \brief A map from magic value to type information.
	std::unique_ptr<llvm::DenseMap<TypeTagMagicValue, TypeTagData>>			std::unique_ptr<llvm::DenseMap<TypeTagMagicValue, TypeTagData>>
	TypeTagForDatatypeMagicValues;			TypeTagForDatatypeMagicValues;

	/// \brief Peform checks on a call of a function with argument_with_type_tag			/// \brief Peform checks on a call of a function with argument_with_type_tag
	/// or pointer_with_type_tag attributes.			/// or pointer_with_type_tag attributes.
	void CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,			void CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
	const Expr * const *ExprArgs);			const ArrayRef<const Expr*> ExprArgs,
				aaron.ballmanUnsubmitted Done Reply Inline Actions `const Expr ` (space before the ``). Same below in the definition. aaron.ballman: `const Expr ` (space before the ``). Same below in the definition.
				SourceLocation CallSiteLoc);

	/// \brief Check if we are taking the address of a packed field			/// \brief Check if we are taking the address of a packed field
	/// as this may be a problem if the pointer value is dereferenced.			/// as this may be a problem if the pointer value is dereferenced.
	void CheckAddressOfPackedMember(Expr *rhs);			void CheckAddressOfPackedMember(Expr *rhs);

	/// \brief The parser's current scope.			/// \brief The parser's current scope.
	///			///
	/// The parser maintains this state here.			/// The parser maintains this state here.
	▲ Show 20 Lines • Show All 249 Lines • Show Last 20 Lines

lib/Sema/SemaChecking.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 2,748 Lines • ▼ Show 20 Lines	void Sema::checkCall(NamedDecl FDecl, const FunctionProtoType Proto,
}		}

if (FDecl \|\| Proto) {		if (FDecl \|\| Proto) {
CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);		CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);

// Type safety checking.		// Type safety checking.
if (FDecl) {		if (FDecl) {
for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())		for (const auto *I : FDecl->specific_attrs<ArgumentWithTypeTagAttr>())
CheckArgumentWithTypeTag(I, Args.data());		CheckArgumentWithTypeTag(I, Args, Loc);
}		}
}		}

if (FD)		if (FD)
diagnoseArgDependentDiagnoseIfAttrs(FD, ThisArg, Args, Loc);		diagnoseArgDependentDiagnoseIfAttrs(FD, ThisArg, Args, Loc);
}		}

/// CheckConstructorCall - Check a constructor call for correctness and safety		/// CheckConstructorCall - Check a constructor call for correctness and safety
▲ Show 20 Lines • Show All 9,558 Lines • ▼ Show 20 Lines	static bool IsSameCharType(QualType T1, QualType T2) {

return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) \|\|		return (T1Kind == BuiltinType::SChar && T2Kind == BuiltinType::Char_S) \|\|
(T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) \|\|		(T1Kind == BuiltinType::UChar && T2Kind == BuiltinType::Char_U) \|\|
(T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) \|\|		(T1Kind == BuiltinType::Char_U && T2Kind == BuiltinType::UChar) \|\|
(T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar);		(T1Kind == BuiltinType::Char_S && T2Kind == BuiltinType::SChar);
}		}

void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,		void Sema::CheckArgumentWithTypeTag(const ArgumentWithTypeTagAttr *Attr,
const Expr * const *ExprArgs) {		const ArrayRef<const Expr*> ExprArgs,
		SourceLocation CallSiteLoc) {
const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();		const IdentifierInfo *ArgumentKind = Attr->getArgumentKind();
bool IsPointerAttr = Attr->getIsPointer();		bool IsPointerAttr = Attr->getIsPointer();

		// Retrieve the argument representing the 'type_tag'.
		if (Attr->getTypeTagIdx() >= ExprArgs.size()) {
		// Add 1 to display the user's specified value.
		Diag(CallSiteLoc, diag::err_type_tag_out_of_range)
		<< Attr->getTypeTagIdx() + 1;
		return;
		}
const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()];		const Expr *TypeTagExpr = ExprArgs[Attr->getTypeTagIdx()];

		aaron.ballmanUnsubmitted Done Reply Inline Actions Spurious newline? aaron.ballman: Spurious newline?
bool FoundWrongKind;		bool FoundWrongKind;
TypeTagData TypeInfo;		TypeTagData TypeInfo;
if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context,		if (!GetMatchingCType(ArgumentKind, TypeTagExpr, Context,
TypeTagForDatatypeMagicValues.get(),		TypeTagForDatatypeMagicValues.get(),
FoundWrongKind, TypeInfo)) {		FoundWrongKind, TypeInfo)) {
if (FoundWrongKind)		if (FoundWrongKind)
Diag(TypeTagExpr->getExprLoc(),		Diag(TypeTagExpr->getExprLoc(),
diag::warn_type_tag_for_datatype_wrong_kind)		diag::warn_type_tag_for_datatype_wrong_kind)
<< TypeTagExpr->getSourceRange();		<< TypeTagExpr->getSourceRange();
return;		return;
}		}

		// Retrieve the argument representing the 'arg_idx'.
		if (Attr->getArgumentIdx() >= ExprArgs.size()) {
		// Add 1 to display the user's specified value.
		Diag(CallSiteLoc, diag::err_arg_tag_out_of_range)
		<< Attr->getArgumentIdx() + 1;
		return;
		}
const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()];		const Expr *ArgumentExpr = ExprArgs[Attr->getArgumentIdx()];

		aaron.ballmanUnsubmitted Done Reply Inline Actions Spurious newline? aaron.ballman: Spurious newline?
if (IsPointerAttr) {		if (IsPointerAttr) {
// Skip implicit cast of pointer to `void *' (as a function argument).		// Skip implicit cast of pointer to `void *' (as a function argument).
if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr))		if (const ImplicitCastExpr *ICE = dyn_cast<ImplicitCastExpr>(ArgumentExpr))
if (ICE->getType()->isVoidPointerType() &&		if (ICE->getType()->isVoidPointerType() &&
ICE->getCastKind() == CK_BitCast)		ICE->getCastKind() == CK_BitCast)
ArgumentExpr = ICE->getSubExpr();		ArgumentExpr = ICE->getSubExpr();
}		}
QualType ArgumentType = ArgumentExpr->getType();		QualType ArgumentType = ArgumentExpr->getType();
▲ Show 20 Lines • Show All 205 Lines • Show Last 20 Lines

test/Sema/error-type-safety.cpp

				// RUN: %clang_cc1 -fsyntax-only -verify %s

				static const int test_void
				__attribute__((type_tag_for_datatype(test, void))) = 0;
				aaron.ballmanUnsubmitted Done Reply Inline Actions Is this declaration necessary? aaron.ballman: Is this declaration necessary?
				mattdAuthorUnsubmitted Not Done Reply Inline Actions Hi Aaron, thanks for the input. Yes, defining the tag is necessary in order to test the argument index. If the type tag is not satisfied, the code path checking argument tag index will never be reached. My update will test the bounds and is a little more comprehensive. mattd: Hi Aaron, thanks for the input. Yes, defining the tag is necessary in order to test the…

				void test_invalid_type_tag_index(int datatype, ...)
				__attribute__((argument_with_type_tag(test,1,99)));

				void test_invalid_arg_index(int datatype, ...)
				__attribute__((argument_with_type_tag(test,99,1)));

				void test_bounds()
				{
				test_invalid_type_tag_index(0); // expected-error {{type tag index 99 is greater than the number of arguments specified}}
				test_invalid_arg_index(0); // expected-error {{argument tag index 99 is greater than the number of arguments specified}}
				}
				aaron.ballmanUnsubmitted Done Reply Inline Actions Can you also add a test for a boundary case so we can be sure there are no off-by-one errors introduced later? aaron.ballman: Can you also add a test for a boundary case so we can be sure there are no off-by-one errors…

This is an archive of the discontinued LLVM Phabricator instance.

Bounds check argument_with_type_tag attribute.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 124606

include/clang/Basic/DiagnosticSemaKinds.td

include/clang/Sema/Sema.h

lib/Sema/SemaChecking.cpp

test/Sema/error-type-safety.cpp

Bounds check argument_with_type_tag attribute.
ClosedPublic