[all-commits] [llvm/llvm-project] 7f93ae: [clang] Implement -fstrict-flex-arrays=3

Bill Wendling via All-commits all-commits at lists.llvm.org
Thu Oct 27 10:50:25 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 7f93ae808634e33e4dc9bce753c909aa5f9a6eb4
      https://github.com/llvm/llvm-project/commit/7f93ae808634e33e4dc9bce753c909aa5f9a6eb4
  Author: Bill Wendling <morbo at google.com>
  Date:   2022-10-27 (Thu, 27 Oct 2022)

  Changed paths:
    M clang/docs/ReleaseNotes.rst
    M clang/include/clang/Basic/LangOptions.h
    M clang/include/clang/Driver/Options.td
    M clang/lib/AST/Expr.cpp
    M clang/lib/AST/ExprConstant.cpp
    M clang/lib/StaticAnalyzer/Core/MemRegion.cpp
    M clang/test/CodeGen/bounds-checking-fam.c
    M clang/test/CodeGen/object-size-flex-array.c
    M clang/test/Sema/array-bounds-ptr-arith.c
    M clang/test/SemaCXX/array-bounds-strict-flex-arrays.cpp

  Log Message:
  -----------
  [clang] Implement -fstrict-flex-arrays=3

The -fstrict-flex-arrays=3 is the most restrictive type of flex arrays.
No number, including 0, is allowed in the FAM. In the cases where a "0"
is used, the resulting size is the same as if a zero-sized object were
substituted.

This is needed for proper _FORTIFY_SOURCE coverage in the Linux kernel,
among other reasons. So while the only reason for specifying a
zero-length array at the end of a structure is to specify a FAM,
treating it as such will cause _FORTIFY_SOURCE not to work correctly;
__builtin_object_size will report -1 instead of 0 for a destination
buffer size to keep any kernel internals from using the deprecated
members as fake FAMs.

For example:

  struct broken {
      int foo;
      int fake_fam[0];
      struct something oops;
  };

There have been bugs where the above struct was created because "oops"
was added after "fake_fam" by someone not realizing. Under
_FORTIFY_SOURCE, doing:

  memcpy(p->fake_fam, src, len);

raises no warnings when __builtin_object_size(p->fake_fam, 1) returns -1
and may stomp on "oops."

Omitting a warning when using the (invalid) zero-length array is how GCC
treats -fstrict-flex-arrays=3. A warning in that situation is likely an
irritant, because requesting this option level is explicitly requesting
this behavior.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836

Differential Revision: https://reviews.llvm.org/D134902
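The example below is added here to show the behaviour the commit message describes; it is not code from the commit, from clang, or from the Linux kernel. It reproduces the "broken" struct (a zero-length array with a real member behind it), queries `__builtin_object_size(p->fake_fam, 1)` through an unknown pointer the way the commit message does, and runs the `memcpy()` into the fake FAM through a small fortified wrapper. `FORTIFIED_MEMCPY`, `fortified_memcpy_impl`, `struct proper`, `struct something` and the `copy_outcome` values are assumptions made up for this example (the kernel's real wrappers live in fortify-string.h and differ in detail); the payload is constructed inline. Which branch the copy takes depends only on the `-fstrict-flex-arrays` level the file is compiled with.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct something {
    uint32_t x;
    uint32_t y;
};

/* The "broken" layout from the commit message: a zero-length array that was
 * meant to be a flexible array member, with a real member added after it. */
struct broken {
    int fake_fam_owner_foo;
    int fake_fam[0];
    struct something oops;
};

/* What a correct struct looks like: a genuine C99 flexible array member,
 * which must be the last member, so nothing can sit behind it. */
struct proper {
    int foo;
    struct something data;
    int fam[];
};

/* Hypothetical stand-in for a fortified memcpy wrapper (not the kernel's
 * fortify-string.h). The macro captures __builtin_object_size(dst, 1) at the
 * call site; the copy is refused when the destination is known to be too
 * small. dst_size is (size_t)-1 when the size is unknown, so the check can
 * never fire in that case. Returns 0 on success, -1 if refused. */
static int fortified_memcpy_impl(void *dst, const void *src, size_t n, size_t dst_size)
{
    if (n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}
#define FORTIFIED_MEMCPY(dst, src, n) \
    fortified_memcpy_impl((dst), (src), (n), __builtin_object_size((dst), 1))

/* A zero-length array occupies no storage: fake_fam and oops share an offset. */
int fake_fam_overlaps_oops(void)
{
    return offsetof(struct broken, fake_fam) == offsetof(struct broken, oops);
}

/* The query from the commit message, through a pointer whose target is unknown.
 * When the zero-length array is treated as a FAM the answer is (size_t)-1
 * ("unknown"); with -fstrict-flex-arrays=3 it is 0, which is what lets a
 * fortified memcpy reject any write into it. noinline keeps the base unknown. */
__attribute__((noinline)) size_t fake_fam_dest_size(struct broken *p)
{
    return __builtin_object_size(p->fake_fam, 1);
}

/* A genuine flexible array member is unknown-sized at every level. */
__attribute__((noinline)) size_t true_fam_dest_size(struct proper *p)
{
    return __builtin_object_size(p->fam, 1);
}

enum copy_outcome { COPY_REFUSED = 0, COPY_CLOBBERED_OOPS = 1, COPY_INTACT = 2 };

/* memcpy(p->fake_fam, src, len) from the commit message, via the wrapper.
 * Constructed payload: sizeof(p->oops) bytes of 'A'. Either the wrapper refuses
 * (destination size 0) or the bytes land on "oops" (destination size unknown). */
__attribute__((noinline)) enum copy_outcome copy_into_fake_fam(struct broken *p)
{
    unsigned char src[sizeof p->oops];

    memset(src, 0x41, sizeof src);
    p->oops.x = 0xAAAAAAAAu;
    p->oops.y = 0xBBBBBBBBu;
    if (FORTIFIED_MEMCPY(p->fake_fam, src, sizeof src) != 0)
        return COPY_REFUSED;
    return p->oops.x == 0xAAAAAAAAu ? COPY_INTACT : COPY_CLOBBERED_OOPS;
}

int main(void)
{
    struct broken b = { .fake_fam_owner_foo = 1 };
    struct proper q = { .foo = 1 };

    printf("fake_fam and oops share an offset: %d\n", fake_fam_overlaps_oops());
    /* (size_t)-1 prints as SIZE_MAX */
    printf("__builtin_object_size(p->fake_fam, 1) = %zu\n", fake_fam_dest_size(&b));
    printf("__builtin_object_size(p->fam, 1)      = %zu\n", true_fam_dest_size(&q));
    printf("copy into fake_fam: %s\n",
           copy_into_fake_fam(&b) == COPY_REFUSED ? "refused by fortify check"
                                                  : "silently overwrote oops");
    return 0;
}
```

Build it twice, once with plain `clang -O2` and once with `clang -O2 -fstrict-flex-arrays=3` (GCC 13 and later accept the same option), and compare the two runs: the offset overlap is the same in both, the real FAM reports unknown size in both, and only the level-3 build turns the overwrite of `oops` into a refused copy. GCC's own object-size logic already requires a trailing position before it treats a `[0]` member as flexible, so on GCC the mid-struct case may report 0 even at lower levels; the clang behaviour is the one the commit message is about.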
