This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/Basic/
-
clang/
-
Basic/
3
DiagnosticSemaKinds.td
-
lib/Sema/
-
Sema/
4
SemaChecking.cpp
-
test/SemaCXX/
-
SemaCXX/
1
warn-bool-ptr-to-bool.cpp

Differential D45601

Warn on bool* to bool conversion
AbandonedPublic

Authored by hiraditya on Apr 12 2018, 4:23 PM.

Download Raw Diff

Details

Reviewers

Eugene.Zelenko
rsmith
lebedev.ri
rjmccall
aaron.ballman

Summary

We found conversion from bool* to bool to be a common source of bug, so we have implemented this warning. Sample use case:

int bar(bool b) {
  return b;
}

int baz() {
  bool *b; 
  bar(b);
  return 0;
}

Typically, there would be a function which takes a bool, which gets a pointer to boolean at the call site. The compiler currently does not warn which results
in a difficult to debug runtime failure.

Diff Detail

Event Timeline

hiraditya created this revision.Apr 12 2018, 4:23 PM

smeenai added reviewers: lebedev.ri, rjmccall.Apr 12 2018, 4:38 PM

smeenai added a subscriber: smeenai.

There is Clang-tidy's readability-implicit-bool-conversion check.

It may be reasonable to check pointers to integers too, since integers are often implicitly converted to bools.

Please mention new warning in Release Notes.

• Quuxplusone added a subscriber: • Quuxplusone.Apr 12 2018, 5:18 PM

• Quuxplusone added inline comments.

test/CXX/expr/expr.unary/expr.unary.op/p6.cpp
18 ↗	(On Diff #142295)	This is not "comparing" anything, so the warning seems inappropriate here. Maybe "implicitly converting 'bool *' to 'bool' in operand of '!'` would be more appropriate? Please add test cases for `operator!`, `operator&&`, `operator\|\|`, and `operator?`.
test/Sema/static-init.c
10 ↗	(On Diff #142295)	Again, not "comparing" anything. Incidentally, do you know why this line fails to produce an "address of 't' will always evaluate to 'true'" warning?
test/SemaCXX/warn-bool-ptr-to-bool.cpp
6	Please add a test case template<class T> T foo(T ptr) { return ptr ? ptr : T{}; } bool bar(bool *ptr) { return foo(ptr); } and make sure the warning does not trigger in this case. (It would be OK to trigger a clang-tidy check in this case, but IMHO not a `-W -Wall -Wextra` warning.)

@hiraditya I personally don't like when i'm being told so, but i'd like to see some numbers...
Please run this on some big C++ project (LLVM (but you'll have to enable this diag specifically), google chrome, ???), and analyse the results.

In D45601#1066572, @Eugene.Zelenko wrote:

There is Clang-tidy's readability-implicit-bool-conversion check.

It may be reasonable to check pointers to integers too, since integers are often implicitly converted to bools.

While warning on bool*->bool *might* be ok, also warning for all inttype*->bool will likely be *too* noisy for clang diagnostic.

lebedev.ri added inline comments.Apr 13 2018, 4:50 AM

include/clang/Basic/DiagnosticSemaKinds.td
7806	Also, this really really should be under it's own flag, which in turn may be under `Extra`.

I'd also be interested to see the number of false positives and true positives when run over some large code bases (both C and C++). For instance, I would imagine code like this to be somewhat common and very reasonable:

void some_func(int someArg, bool *someResult) {
  if (someResult)
    *someResult = false;
}

Especially in C code where references are not available. This makes me wary of making this a compiler diagnostic, but clang-tidy may still be a reasonable place for this functionality to live.

In D45601#1067057, @aaron.ballman wrote:

...
This makes me wary of making this a compiler diagnostic, but clang-tidy may still be a reasonable place for this functionality to live.

In D45601#1066572, @Eugene.Zelenko wrote:

There is Clang-tidy's readability-implicit-bool-conversion check.

I'll probably make this warning for function arguments only (when bool* is passed to a function accepting bool). Many conditionals use bool* -> bool conversion as pointed out by @Quuxplusone and @aaron.ballman

A random data point from trying this patch on the LibreOffice code base:

a little over 100 cases that are easily identified as false positives (many of the form "if (p) *p = ...")

two or three cases that looked suspicious on first glance but turned out to be false positives too (but where the code apparently benefits from cleaning up)

two cases of false positives that are awkward to silence (via "!= nullptr") in a way compatible with older C++ standards, as they are of the form "if (bool * p = ...)", and can be rewritten to "if (bool * p = ...; p != nullptr)" only for recent C++

one false positive in system-provided /usr/include/qt5/QtCore/qstring.h

no true positives found

Note that we recently relaxed a similar diagnostic for NSNumber * in the static analyzer. Such code is semantically similar to inttype *.
https://reviews.llvm.org/D44044

thakis added a subscriber: thakis.Apr 17 2018, 5:03 AM

thakis added inline comments.

include/clang/Basic/DiagnosticSemaKinds.td
7806	The guideline is actually "most warnings should be high-value and have next to no false positives", and because of that most warnings should be default-on. We don't have a clear guideline when to put warnings under `-Wall` instead of making them default-on, but sometimes "does the warning need to build a CFG?" is used for that. Almost nothing should be in Extra but not in All.

lebedev.ri added inline comments.Apr 17 2018, 5:25 AM

include/clang/Basic/DiagnosticSemaKinds.td
7806	The point i was trying to make: if the warning is under a global umbrella flag only (All, Extra), it can't be selectively disabled. And that is not good regardless.

Warn on bool* to bool conversion during a call only.

efriedma added a subscriber: efriedma.Apr 17 2018, 10:37 AM

efriedma added inline comments.

lib/Sema/SemaChecking.cpp
2623	Have you considered skipping the isBooleanType() check? Passing any pointer to a function which expects a boolean parameter seems fundamentally suspicious.

• Quuxplusone added inline comments.Apr 17 2018, 10:50 AM

lib/Sema/SemaChecking.cpp
2623	We already know that LLVM itself passes pointers to functions in many places, and they're not bugs. I mean, this isn't the first time someone's proposed that pointer->bool conversions are evil. :) I know this just came up on a mailing list somewhere recently (rsmith was involved in the rebuttal, as was I), but all I can find on Google is: https://groups.google.com/a/isocpp.org/d/msg/std-proposals/a3g9qXFVGCs/Wj40qj48H3wJ Anyway, the punch line I'm thinking of is something like FooBar *FB = ...; LLVMAssert(FB, "expected fb to be set"); but with whatever the real names are. Found a bunch of those when I wrote the diagnostic. And they're fairly solidly in the "not bugs" category.

The thing about the bool*-only version is that bool pointers are rare in C++, so I'm not sure we're gaining much. But if we can't do something more general, there's still some benefit.

I see your point about false positives for the more general version. I was sort of considering an attribute to allow implicit conversions to bool for a specific function (like an assertion), and then we could ban implicit conversions to bool for parameters to other functions. But that's probably overkill.

• Quuxplusone added inline comments.Apr 17 2018, 11:23 AM

lib/Sema/SemaChecking.cpp
2623	The thing about the bool*-only version is that bool pointers are rare in C++, so I'm not sure we're gaining much. But if we can't do something more general, there's still some benefit. I see your point about false positives for the more general version. I was sort of considering an attribute to allow implicit conversions to bool for a specific function (like an assertion), and then we could ban implicit conversions to bool for parameters to other functions. But that's probably overkill. Based on @sberg's feedback that this warning found no true positives, and @Eugene.Zelenko's feedback that this warning already exists in clang-tidy today, personally I favor the resolution of "leave this warning in clang-tidy and abandon the attempt to move it into clang".

aaron.ballman added inline comments.Apr 17 2018, 11:27 AM

lib/Sema/SemaChecking.cpp
2623	... personally I favor the resolution of "leave this warning in clang-tidy and abandon the attempt to move it into clang". This is my view as well.

The bug which motivated this warning is: https://github.com/jemalloc/jemalloc/commit/4df483f0fd76a64e116b1c4f316f8b941078114d#diff-7b26b977303fe92c093a2245b0eaf255

I agree that this is one of those warnings that just can't be done in any reasonable way.

It appears this warning may not be always useful because there will be false positives.

Revision Contents

Path

Size

include/

clang/

Basic/

DiagnosticSemaKinds.td

3 lines

lib/

Sema/

SemaChecking.cpp

64 lines

test/

SemaCXX/

warn-bool-ptr-to-bool.cpp

28 lines

Diff 142776

include/clang/Basic/DiagnosticSemaKinds.td

Context not available.
	"format specifies type %0 but the argument has "	"format specifies type %0 but the argument has "
	"%select{type\|underlying type}2 %1">,	"%select{type\|underlying type}2 %1">,
	InGroup<FormatPedantic>;	InGroup<FormatPedantic>;
		def warn_pointer_to_bool : Warning<
		"passing %0 as a boolean">,
		InGroup<PointerBoolConversion>;
	def warn_format_argument_needs_cast : Warning<	def warn_format_argument_needs_cast : Warning<
	"%select{values of type\|enum values with underlying type}2 '%0' should not "	"%select{values of type\|enum values with underlying type}2 '%0' should not "
	"be used as format arguments; add an explicit cast to %1 instead">,	"be used as format arguments; add an explicit cast to %1 instead">,
Context not available.
		lebedev.riUnsubmitted Not Done Reply Inline Actions Also, this really really should be under it's own flag, which in turn may be under `Extra`. lebedev.ri: Also, this really really should be under it's own flag, which in turn may be under `Extra`.
		thakisUnsubmitted Not Done Reply Inline Actions The guideline is actually "most warnings should be high-value and have next to no false positives", and because of that most warnings should be default-on. We don't have a clear guideline when to put warnings under `-Wall` instead of making them default-on, but sometimes "does the warning need to build a CFG?" is used for that. Almost nothing should be in Extra but not in All. thakis: The guideline is actually "most warnings should be high-value and have next to no false…
		lebedev.riUnsubmitted Not Done Reply Inline Actions The point i was trying to make: if the warning is under a global umbrella flag only (All, Extra), it can't be selectively disabled. And that is not good regardless. lebedev.ri: The point i was trying to make: if the warning is under a global umbrella flag only (All…

lib/Sema/SemaChecking.cpp

Context not available.
	}	}
	}	}

		/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
		void DiagnoseImpCast(Sema &S, const Expr *E, QualType SourceType, QualType T,
		SourceLocation CContext, unsigned diag,
		bool pruneControlFlow = false) {
		if (pruneControlFlow) {
		S.DiagRuntimeBehavior(E->getExprLoc(), E,
		S.PDiag(diag)
		<< SourceType << T << E->getSourceRange()
		<< SourceRange(CContext));
		return;
		}
		S.Diag(E->getExprLoc(), diag)
		<< SourceType << T << E->getSourceRange() << SourceRange(CContext);
		}

		/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
		void DiagnoseImpCast(Sema &S, const Expr *E, QualType T, SourceLocation CContext,
		unsigned diag, bool pruneControlFlow = false) {
		DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow);
		}

	/// Handles the checks for format strings, non-POD arguments to vararg	/// Handles the checks for format strings, non-POD arguments to vararg
	/// functions, NULL arguments passed to non-NULL parameters, and diagnose_if	/// functions, NULL arguments passed to non-NULL parameters, and diagnose_if
	/// attributes.	/// attributes.
Context not available.
	}	}
	}	}

		if (FD) {
		for (unsigned ArgIdx = 0; ArgIdx < Args.size(); ++ArgIdx) {
		// Args[ArgIdx] can be null in malformed code.
		if (const Expr *Arg = Args[ArgIdx]) {
		if (auto C = dyn_cast<ImplicitCastExpr>(Arg)) {
		if (C->getCastKind() == CK_PointerToBoolean) {
		if (auto ICast = dyn_cast<ImplicitCastExpr>(C->getSubExpr())) {
		if (ICast->getCastKind() == CK_LValueToRValue) {
		const Expr *Pointer = ICast->getSubExpr();
		QualType QT = Pointer->getType()->getPointeeType();
		if (!QT.isNull() && QT->isBooleanType())
		efriedmaUnsubmitted Not Done Reply Inline Actions Have you considered skipping the isBooleanType() check? Passing any pointer to a function which expects a boolean parameter seems fundamentally suspicious. efriedma: Have you considered skipping the isBooleanType() check? Passing any pointer to a function…
		QuuxplusoneUnsubmitted Not Done Reply Inline Actions We already know that LLVM itself passes pointers to functions in many places, and they're not bugs. I mean, this isn't the first time someone's proposed that pointer->bool conversions are evil. :) I know this just came up on a mailing list somewhere recently (rsmith was involved in the rebuttal, as was I), but all I can find on Google is: https://groups.google.com/a/isocpp.org/d/msg/std-proposals/a3g9qXFVGCs/Wj40qj48H3wJ Anyway, the punch line I'm thinking of is something like FooBar FB = ...; LLVMAssert(FB, "expected fb to be set"); but with whatever the real names are. Found a bunch of those when I wrote the diagnostic. And they're fairly solidly in the "not bugs" category. Quuxplusone:* We already know that LLVM itself passes pointers to functions in many places, and they're not…
		QuuxplusoneUnsubmitted Not Done Reply Inline Actions The thing about the bool-only version is that bool pointers are rare in C++, so I'm not sure we're gaining much. But if we can't do something more general, there's still some benefit. I see your point about false positives for the more general version. I was sort of considering an attribute to allow implicit conversions to bool for a specific function (like an assertion), and then we could ban implicit conversions to bool for parameters to other functions. But that's probably overkill. Based on @sberg's feedback that this warning found no true positives, and @Eugene.Zelenko's feedback that this warning already exists in clang-tidy today, personally I favor the resolution of "leave this warning in clang-tidy and abandon the attempt to move it into clang". Quuxplusone:* > The thing about the bool*-only version is that bool pointers are rare in C++, so I'm not sure…
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions ... personally I favor the resolution of "leave this warning in clang-tidy and abandon the attempt to move it into clang". This is my view as well. aaron.ballman: > ... personally I favor the resolution of "leave this warning in clang-tidy and abandon the…
		// Warn on bool* to bool conversion.
		DiagnoseImpCast(*this, Pointer, QT, Arg->getLocStart(),
		diag::warn_pointer_to_bool);
		}
		}
		}
		}
		}
		}
		}

	if (FDecl \|\| Proto) {	if (FDecl \|\| Proto) {
	CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);	CheckNonNullArguments(*this, FDecl, Proto, Args, Loc);

Context not available.
	AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());	AnalyzeImplicitConversions(S, E->getRHS(), E->getOperatorLoc());
	}	}

	/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
	void DiagnoseImpCast(Sema &S, Expr *E, QualType SourceType, QualType T,
	SourceLocation CContext, unsigned diag,
	bool pruneControlFlow = false) {
	if (pruneControlFlow) {
	S.DiagRuntimeBehavior(E->getExprLoc(), E,
	S.PDiag(diag)
	<< SourceType << T << E->getSourceRange()
	<< SourceRange(CContext));
	return;
	}
	S.Diag(E->getExprLoc(), diag)
	<< SourceType << T << E->getSourceRange() << SourceRange(CContext);
	}

	/// Diagnose an implicit cast; purely a helper for CheckImplicitConversion.
	void DiagnoseImpCast(Sema &S, Expr *E, QualType T, SourceLocation CContext,
	unsigned diag, bool pruneControlFlow = false) {
	DiagnoseImpCast(S, E, E->getType(), T, CContext, diag, pruneControlFlow);
	}


	/// Diagnose an implicit cast from a floating point value to an integer value.	/// Diagnose an implicit cast from a floating point value to an integer value.
	void DiagnoseFloatingImpCast(Sema &S, Expr *E, QualType T,	void DiagnoseFloatingImpCast(Sema &S, Expr *E, QualType T,
Context not available.

test/SemaCXX/warn-bool-ptr-to-bool.cpp

This file was added.

				// RUN: %clang_cc1 -fsyntax-only -verify %s

				int foo(bool *b) {
				if (b) // no-warning
				return 10;
				return 0;
				QuuxplusoneUnsubmitted Not Done Reply Inline Actions Please add a test case template<class T> T foo(T ptr) { return ptr ? ptr : T{}; } bool bar(bool ptr) { return foo(ptr); } and make sure the warning does not trigger in this case. (It would be OK to trigger a clang-tidy check in this case, but IMHO not a `-W -Wall -Wextra` warning.) Quuxplusone:* Please add a test case ``` template<class T> T foo(T ptr) { return ptr ? ptr : T{}; }…
				}

				int bar(bool b) {
				return b;
				}

				int baz() {
				bool *b;
				bar(b);
				// expected-warning@-1 {{passing 'bool *' as a boolean}}
				return 0;
				}

				template<class T>
				T foo1(T *ptr) {
				return ptr ? *ptr : T{}; // no-warning
				}

				bool bar1(bool *ptr) {
				return foo1(ptr);
				}