[-Wunsafe-buffer-usage] Suppress warning for multi-dimensional constant arrays (#118249)

Do not warn about unsafe buffer access, when multi-dimensional constant
arrays are accessed and their indice

[-Wunsafe-buffer-usage] Suppress warning for multi-dimensional constant arrays (#118249)

Do not warn about unsafe buffer access, when multi-dimensional constant
arrays are accessed and their indices are within the bounds of the
buffer. Warning in such cases would be a false positive. Such a
suppression already exists for 1-d
arrays and it is now extended to multi-dimensional arrays.

(rdar://137926311)
(rdar://140320139)

Co-authored-by: MalavikaSamak <malavika2@apple.com>

show more ...

[-Wunsafe-buffer-usage] Ignore constant safe indices in array subscripts (#80504)

[-Wunsafe-buffer-usage] Ignore safe array subscripts
Don't emit warnings for array subscripts on constant size arra

[-Wunsafe-buffer-usage] Ignore constant safe indices in array subscripts (#80504)

[-Wunsafe-buffer-usage] Ignore safe array subscripts
Don't emit warnings for array subscripts on constant size arrays where the index is constant and within bounds.

Example:
int arr[10];
arr[5] = 0; //safe, no warning

This patch recognizes only array indices that are integer literals - it doesn't understand more complex expressions (arithmetic on constants, etc.).

-Warray-bounds implemented in Sema::CheckArrayAccess() already solves a similar
(opposite) problem, handles complex expressions and is battle-tested.

Adding -Wunsafe-buffer-usage diagnostics to Sema is a non-starter as we need to emit
both the warnings and fixits and the performance impact of the fixit machine is
unacceptable for Sema.

CheckArrayAccess() as is doesn't distinguish between "safe" and "unknown" array
accesses. It also mixes the analysis that decides if an index is out of bounds
with crafting the diagnostics.

A refactor of CheckArrayAccess() might serve both the original purpose
and help us avoid false-positive with -Wunsafe-buffer-usage on constant
size arrrays.

show more ...

[-Wunsafe-buffer-usage] Introduce std::array fixits (#80084)

Array subscript on a const size array is not bounds-checked. The idiomatic
replacement is std::array which is bounds-safe in hardened mo

[-Wunsafe-buffer-usage] Introduce std::array fixits (#80084)

Array subscript on a const size array is not bounds-checked. The idiomatic
replacement is std::array which is bounds-safe in hardened mode of libc++.

This commit extends the fixit-producing machine to consider std::array as a
transformation target type and teaches it to handle the array subscript on const
size arrays with a trivial (empty) fixit.

show more ...

[-Wunsafe-buffer-usage] Group parameter fix-its

For a function `F` whose parameters need to be fixed, we group fix-its
of F's parameters together so that either all of the parameters get
fixed or no

[-Wunsafe-buffer-usage] Group parameter fix-its

For a function `F` whose parameters need to be fixed, we group fix-its
of F's parameters together so that either all of the parameters get
fixed or none of them gets fixed.

Reviewed by: NoQ (Artem Dergachev), t-rasmud (Rashmi Mudduluru), jkorous (Jan Korous)

Differential revision: https://reviews.llvm.org/D153059

show more ...

[-Wunsafe-buffer-usage] Refactor to let local variable fix-its and parameter fix-its share common code

Refactor the code for local variable fix-its so that it reuses the
code for parameter fix-its,

[-Wunsafe-buffer-usage] Refactor to let local variable fix-its and parameter fix-its share common code

Refactor the code for local variable fix-its so that it reuses the
code for parameter fix-its, which is in general better. For example,
cv-qualifiers are supported.

Reviewed by: NoQ (Artem Dergachev), t-rasmud (Rashmi Mudduluru)

Differential revision: https://reviews.llvm.org/D156189

show more ...

[WIP][-Wunsafe-buffer-usage] Handle lambda expressions within a method.

Differential Revision: https://reviews.llvm.org/D150386

[-Wunsafe-buffer-usage] Add fix-its for function parameters using the `span` strategy

Generate fix-its for function parameters that are raw pointers used
unsafely. Currently, the analyzer fixes one

[-Wunsafe-buffer-usage] Add fix-its for function parameters using the `span` strategy

Generate fix-its for function parameters that are raw pointers used
unsafely. Currently, the analyzer fixes one parameter at a time.

Fix-its for a function parameter includes:

- Fix the parameter declaration of the definition, result in a new
overload of the function. We call the function with the original
signature the old overload.
- For any other existing declaration of the old overload, mark it with
the [[unsafe_buffer_usage]] attribute and generate a new overload
declaration next to it.
- Creates a new definition for the old overload, which is simply
defined by a call to the new overload.

Reviewed by: NoQ (Artem Dergachev), t-rasmud (Rashmi Mudduluru), and
jkorous (Jan Korous)

Differential revision: https://reviews.llvm.org/D143048

show more ...

[-Wunsafe-buffer-usage] Hide fixits/suggestions behind an extra flag.

This patch implements a new clang driver flag -fsafe-buffer-usage-suggestions
which allows turning the smart suggestion machine

[-Wunsafe-buffer-usage] Hide fixits/suggestions behind an extra flag.

This patch implements a new clang driver flag -fsafe-buffer-usage-suggestions
which allows turning the smart suggestion machine on and off (defaults to off).
This is valuable for stability reasons, as the machine is being rapidly improved\
and we don't want accidental breakages to ruin the build for innocent users.
It is also arguably useful in general because it enables separation of concerns
between project contributors: some users will actively update the code to
conform to the programming model, while others simply want to make sure that
they aren't regressing it. Finally, there could be other valid reasons to
opt out of suggestions entirely on some codebases (while continuing to enforce
-Wunsafe-buffer-usage warnings), such as lack of access to hardened libc++
(or even to the C++ standard library in general) on the target platform.

When the flag is disabled, the unsafe buffer usage analysis is reduced to
an extremely minimal mode of operation that contains virtually no smarts:
not only it doesn't offer automatic fixits, but also textual suggestions
such as "change the type of this variable to std::span to preserve bounds
information" are not displayed, and in fact the machine doesn't even try
to blame specific variables in the first place, it simply warns on
the operations and leaves everything else to the user. So this flag turns off
a lot more of our complex machinery than what we already turn off in presence
of say -fno-diagnostic-fixit-info.

The flag is discoverable: when it's off, the warnings are accompanied by a note:
telling the user that there's a flag they can use.

Differential Revision: https://reviews.llvm.org/D146669

show more ...

[-Wunsafe-buffer-usage] Move the whole analysis to the end of a translation unit

The unsafe-buffer analysis requires a complete view of the translation
unit (TU) to be conservative. So the analysis

[-Wunsafe-buffer-usage] Move the whole analysis to the end of a translation unit

The unsafe-buffer analysis requires a complete view of the translation
unit (TU) to be conservative. So the analysis is moved to the end of a
TU.

A summary of changes made: add a new `IssueWarnings` function in
`AnalysisBasedWarnings.cpp` for TU-based analyses. So far
[-Wunsafe-buffer-usage] is the only analysis using it but there could
be more. `Sema` will call the new `IssueWarnings` function at the end
of parsing a TU.

Reviewed by: NoQ (Artem Dergachev)

Differential revision: https://reviews.llvm.org/D146342

show more ...

Revert "Revert "[-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer usages""

This reverts commit 7bf5f4692ad6f9ba2d5c155f6b630049bb59876f and adding -frtti flag to support

Revert "Revert "[-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer usages""

This reverts commit 7bf5f4692ad6f9ba2d5c155f6b630049bb59876f and adding -frtti flag to support PS4/PS5 builds.

show more ...

Revert "[-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer usages"

This reverts commit 777eb4bcfc3265359edb7c979d3e5ac699ad4641.

[-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer usages

This patch handles unevaluated contexts to ensure no warnings are produced by the machinery
for buffer access ma

[-Wunsafe-buffer-usage] Handle unevaluated contexts that contain unsafe buffer usages

This patch handles unevaluated contexts to ensure no warnings are produced by the machinery
for buffer access made within an unevaluated contexts. However, such accesses must be
considered by a FixableGadget and produce the necessary fixits.

Reviewed by: NoQ, ziqingluo-90, jkorous

Differential revision: https://reviews.llvm.org/D144905

show more ...

[-Wunsafe-buffer-usage] Generate fix-it for local variable declarations

Use clang fix-its to transform declarations of local variables, which
are used for buffer access , to be of std::span type.

W

[-Wunsafe-buffer-usage] Generate fix-it for local variable declarations

Use clang fix-its to transform declarations of local variables, which
are used for buffer access , to be of std::span type.

We placed a few limitations to keep the solution simple:
- it only transforms local variable declarations (no parameter declaration);
- it only considers single level pointers, i.e., pointers of type T * regardless of whether T is again a pointer;
- it only transforms to std::span types (no std::array, or std::span::iterator, or ...);
- it can only transform a VarDecl that belongs to a DeclStmt whose has a single child.

One of the purposes of keeping this patch simple enough is to first
evaluate if fix-it is an appropriate approach to do the
transformation.

This commit was reverted by 622be09c815266632e204eaf1c7a35f050220459
for a compilation warning and now it is fixed.

Reviewed by: NoQ, jkorous

Differential revision: https://reviews.llvm.org/D139737

show more ...

Revert "[-Wunsafe-buffer-usage] Generate fix-it for local variable declarations"

This reverts commit a29e67614c3b7018287e5f68c57bba7618aa880e.

[-Wunsafe-buffer-usage] Generate fix-it for local variable declarations

Use clang fix-its to transform declarations of local variables, which are used for buffer access , to be of std::span type.

W

[-Wunsafe-buffer-usage] Generate fix-it for local variable declarations

Use clang fix-its to transform declarations of local variables, which are used for buffer access , to be of std::span type.

We placed a few limitations to keep the solution simple:
- it only transforms local variable declarations (no parameter declaration);
- it only considers single level pointers, i.e., pointers of type T * regardless of whether T is again a pointer;
- it only transforms to std::span types (no std::array, or std::span::iterator, or ...);
- it can only transform a VarDecl that belongs to a DeclStmt whose has a single child.

One of the purposes of keeping this patch simple enough is to first
evaluate if fix-it is an appropriate approach to do the
transformation.

Reviewed by: NoQ, jkorous

Differential revision: https://reviews.llvm.org/D139737

show more ...

[-Wunsafe-buffer-usage] Group diagnostics by variable

Differential Revision: https://reviews.llvm.org/D141356

[-Wunsafe-buffer-usage] Emit warnings about unsafe operations on arrays

Differential Revision: https://reviews.llvm.org/D141725/new/

Re-land "[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations"

This reverts commit 22df4549a3718dcd8b387ba8246978349e4be50c.

After a quick investigation, r

Re-land "[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations"

This reverts commit 22df4549a3718dcd8b387ba8246978349e4be50c.

After a quick investigation, realizing that the Sanitizer test
failures caused by this patch is not likely to block other
contributors. I re-land this patch before taking a closer look at
those tests so that it won't block the [-Wunsafe-buffer-usage]
development.

show more ...

Revert "[Fix]"[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations""

This reverts commit ef47a0a711f12add401394f7af07a0b4d1635b56.

Revert "[-Wunsafe-buffer

Revert "[Fix]"[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations""

This reverts commit ef47a0a711f12add401394f7af07a0b4d1635b56.

Revert "[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations"

This reverts commit b2ac5fd724c44cf662caed84bd8f84af574b981d.

This patch is causing failure in some Sanitizer tests
(https://lab.llvm.org/buildbot/#/builders/5/builds/30522/steps/13/logs/stdio). Reverting the patch and its' fix.

show more ...

Revert "Revert "[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations""

This reverts commit f58b025354ee2d3bcd7ab2399a11429ec940c1e0.

The previous revert r

Revert "Revert "[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations""

This reverts commit f58b025354ee2d3bcd7ab2399a11429ec940c1e0.

The previous revert reverts a patch that causes compilation problem on
windows which can be reproduced using `-fdelayed-template-parsing`.
I'm now to revert the patch back and commit a fix next.

show more ...

Revert "[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations"

This reverts commit b2ac5fd724c44cf662caed84bd8f84af574b981d.

[-Wunsafe-buffer-usage] Add an unsafe gadget for pointer-arithmetic operations

For -Wunsafe-buffer-usage diagnostics, we want to warn about pointer
arithmetics since resulting pointers can be used t

[-Wunsafe-buffer-usage] Add an unsafe gadget for pointer-arithmetic operations

For -Wunsafe-buffer-usage diagnostics, we want to warn about pointer
arithmetics since resulting pointers can be used to access buffers.
Therefore, I add an `UnsafeGadget` representing general pointer
arithmetic operations.

Reviewed by: NoQ
Differential revision: https://reviews.llvm.org/D139233

show more ...

[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations

Note this is a change local to -Wunsafe-buffer-usage checks.

Add a new matcher `forEveryDescendant` th

[-Wunsafe-buffer-usage] Add a new `forEachDescendant` matcher that skips callable declarations

Note this is a change local to -Wunsafe-buffer-usage checks.

Add a new matcher `forEveryDescendant` that recursively matches
descendants of a `Stmt` but skips nested callable definitions. This
matcher has same effect as using `forEachDescendant` and skipping
`forCallable` explicitly but does not require the AST construction to be
complete.

Reviewed by: NoQ, xazax.hun

Differential revision: https://reviews.llvm.org/D138329

show more ...

[-Wunsafe-buffer-usage] Ignore array subscript on literal zero

Unsafe Buffer Usage analysis only warns unsafe buffer accesses but not
pointer dereferences. An array subscript on a literal zero is
e

[-Wunsafe-buffer-usage] Ignore array subscript on literal zero

Unsafe Buffer Usage analysis only warns unsafe buffer accesses but not
pointer dereferences. An array subscript on a literal zero is
equivalent to dereference a pointer thus we do not want to warn it.

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D138321

show more ...

[-Wunsafe-buffer-usage] Improve pointer matching pattern

Generalize the pointer expression AST matcher in Unsafe Buffer Usage analysis.
Add test cases for various kinds of pointer usages.

Reviewed

[-Wunsafe-buffer-usage] Improve pointer matching pattern

Generalize the pointer expression AST matcher in Unsafe Buffer Usage analysis.
Add test cases for various kinds of pointer usages.

Reviewed By: NoQ, aaron.ballman, xazax.hun

Differential Revision: https://reviews.llvm.org/D138318

show more ...