[PATCH] D136790: [Clang][Sema] Add -Wincompatible-function-pointer-types-strict

Aaron Ballman via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed Nov 2 11:15:19 PDT 2022 

aaron.ballman added inline comments.


================
Comment at: clang/include/clang/Basic/DiagnosticSemaKinds.td:8217
+  err_typecheck_convert_incompatible_function_pointer.Text>,
+  InGroup<DiagGroup<"incompatible-function-pointer-types-strict">>, DefaultIgnore;
 def ext_typecheck_convert_discards_qualifiers : ExtWarn<
----------------
samitolvanen wrote:
> nathanchance wrote:
> > aaron.ballman wrote:
> > > samitolvanen wrote:
> > > > aaron.ballman wrote:
> > > > > We don't typically add new off-by-default warnings because we have evidence that users don't enable them enough to be worth adding them. Is there a way we can enable this warning by default for CFI compilation units (or when the cfi sanitizer is enabled) so that it's only off by default for non-CFI users? I don't think we have any examples of doing this in the code base, so I believe this would be breaking new ground (and thus is worth thinking about more, perhaps it's a bad idea for some reason).
> > > > > Is there a way we can enable this warning by default for CFI compilation units (or when the cfi sanitizer is enabled) so that it's only off by default for non-CFI users?
> > > > 
> > > > I can look into it, but I'm not sure if there's a convenient way to do that. An alternative to this could be to enable the warning by default, but only actually perform the check if CFI is enabled. This way non-CFI users would never see the warning because this really isn't a concern for them, but CFI users would still get the warning without explicitly enabling it. Or do you think this behavior would be confusing?
> > > Heh, sorry for not being clear, that's actually somewhat along the lines of how I envisioned you'd implement it (we don't have a way in tablegen to tie `DefaultIgnore` to some language options or a target).
> > > 
> > > I was thinking the diagnostic would be left as `DefaultIgnore` in the .td file, but we'd take note in the driver that CFI was enabled and pass `-Wincompatible-function-pointer-types-strict` to the `-cc1` invocation. If the user wrote `-Wno-incompatible-function-pointer-types-strict` at the driver level, that would come *after* the automatically generated flag for cc1 and would still disable the diagnostic in the cc1 invocation (because the last flag wins). WDYT?
> > I do not think that is unreasonable behavior in the generic case but specifically for the Linux kernel, kCFI is disabled by default (`CONFIG_CFI_CLANG` has to be specifically enabled) but we want to see this warning regardless of the value of that configuration so that driver authors who test with clang and automated testers are more likely to find them. As a result, if the warning is not going to be default on, we would still need to specifically enable it in our CFLAGS. I suppose your suggestion would help out folks using CFI in production though so maybe it is still worth considering doing?
> > I was thinking the diagnostic would be left as `DefaultIgnore` in the .td file, but we'd take note in the driver that CFI was enabled and pass `-Wincompatible-function-pointer-types-strict` to the `-cc1` invocation.
> 
> Thanks for clarifying, that sounds reasonable. Of course, enabling it by default with CFI would still mean that we'll have to either explicitly disable this in the kernel (or fix all the existing warnings) before submitting the Clang change.
> As a result, if the warning is not going to be default on, we would still need to specifically enable it in our CFLAGS. I suppose your suggestion would help out folks using CFI in production though so maybe it is still worth considering doing?

It sounds like either approach will require you to specifically enable it in your CFLAGS, right? Either it's off-by-default for everyone, or it's only on-by-default for CFI enabled builds (which the Linux kernel disables by default).


================
Comment at: clang/include/clang/Basic/DiagnosticSemaKinds.td:8217
+  err_typecheck_convert_incompatible_function_pointer.Text>,
+  InGroup<DiagGroup<"incompatible-function-pointer-types-strict">>, DefaultIgnore;
 def ext_typecheck_convert_discards_qualifiers : ExtWarn<
----------------
aaron.ballman wrote:
> samitolvanen wrote:
> > nathanchance wrote:
> > > aaron.ballman wrote:
> > > > samitolvanen wrote:
> > > > > aaron.ballman wrote:
> > > > > > We don't typically add new off-by-default warnings because we have evidence that users don't enable them enough to be worth adding them. Is there a way we can enable this warning by default for CFI compilation units (or when the cfi sanitizer is enabled) so that it's only off by default for non-CFI users? I don't think we have any examples of doing this in the code base, so I believe this would be breaking new ground (and thus is worth thinking about more, perhaps it's a bad idea for some reason).
> > > > > > Is there a way we can enable this warning by default for CFI compilation units (or when the cfi sanitizer is enabled) so that it's only off by default for non-CFI users?
> > > > > 
> > > > > I can look into it, but I'm not sure if there's a convenient way to do that. An alternative to this could be to enable the warning by default, but only actually perform the check if CFI is enabled. This way non-CFI users would never see the warning because this really isn't a concern for them, but CFI users would still get the warning without explicitly enabling it. Or do you think this behavior would be confusing?
> > > > Heh, sorry for not being clear, that's actually somewhat along the lines of how I envisioned you'd implement it (we don't have a way in tablegen to tie `DefaultIgnore` to some language options or a target).
> > > > 
> > > > I was thinking the diagnostic would be left as `DefaultIgnore` in the .td file, but we'd take note in the driver that CFI was enabled and pass `-Wincompatible-function-pointer-types-strict` to the `-cc1` invocation. If the user wrote `-Wno-incompatible-function-pointer-types-strict` at the driver level, that would come *after* the automatically generated flag for cc1 and would still disable the diagnostic in the cc1 invocation (because the last flag wins). WDYT?
> > > I do not think that is unreasonable behavior in the generic case but specifically for the Linux kernel, kCFI is disabled by default (`CONFIG_CFI_CLANG` has to be specifically enabled) but we want to see this warning regardless of the value of that configuration so that driver authors who test with clang and automated testers are more likely to find them. As a result, if the warning is not going to be default on, we would still need to specifically enable it in our CFLAGS. I suppose your suggestion would help out folks using CFI in production though so maybe it is still worth considering doing?
> > > I was thinking the diagnostic would be left as `DefaultIgnore` in the .td file, but we'd take note in the driver that CFI was enabled and pass `-Wincompatible-function-pointer-types-strict` to the `-cc1` invocation.
> > 
> > Thanks for clarifying, that sounds reasonable. Of course, enabling it by default with CFI would still mean that we'll have to either explicitly disable this in the kernel (or fix all the existing warnings) before submitting the Clang change.
> > As a result, if the warning is not going to be default on, we would still need to specifically enable it in our CFLAGS. I suppose your suggestion would help out folks using CFI in production though so maybe it is still worth considering doing?
> 
> It sounds like either approach will require you to specifically enable it in your CFLAGS, right? Either it's off-by-default for everyone, or it's only on-by-default for CFI enabled builds (which the Linux kernel disables by default).
> Thanks for clarifying, that sounds reasonable. Of course, enabling it by default with CFI would still mean that we'll have to either explicitly disable this in the kernel (or fix all the existing warnings) before submitting the Clang change.

Er, is there a chicken and egg problem here? I was imagining that you could land the changes in Clang and disable the flag in the Linux kernel around roughly the same time (we can time when we land things to make life easier for you) so it wouldn't be particularly disruptive.

If it would be disruptive, another approach would be to leave it off by default everywhere, get the Linux kernel CFI warning free, then enable it for CFI builds by default. But that seems riskier to me (we are more likely to forget to come turn the warning on by default later).


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D136790/new/

https://reviews.llvm.org/D136790

More information about the cfe-commits mailing list