[PATCH] D140179: [WIP][-Wunsafe-buffer-usage] Add safe buffer opt-out pragma

Ziqing Luo via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Thu Dec 15 16:59:14 PST 2022 

ziqingluo-90 created this revision.
ziqingluo-90 added reviewers: jkorous, NoQ, malavikasamak, t-rasmud.
Herald added a project: All.
ziqingluo-90 requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

Add a pair of clang pragmas:
`#pragma clang unsafe_buffer_usage begin`
`#pragma clang unsafe_buffer_usage end`,
which specify the start and end of a safe buffer opt-out region.

Behaviors of safe buffer opt-out regions conform to the following rules:

1. No nested nor overlapped opt-out regions are allowed.  One cannot start an opt-out region with `... unsafe_buffer_usage begin` but never close it with `... unsafe_buffer_usage end`.   Mis-use of the pragmas will be warned.
2. Warnings raised from unsafe buffer operations inside such an opt-out region will always be suppressed.  This behavior CANNOT be changed by `clang diagnostic` pragmas or command-line flags.
3. Warnings raised from unsafe operations outside of such opt-out regions may be reported on declarations inside opt-out regions.  These warnings are NOT suppressed.
4. An un-suppressed unsafe operation warning may be attached with notes.  These notes are NOT suppressed as well regardless of whether they are in opt-out regions.

The implementation maintains a separate sequence of location pairs representing opt-out regions in `DiagnosticsEngine`.
The `Preprocessor` recognizes those pragmas in order and adds opt-out regions to the sequence.  
The `UnsafeBufferUsage` analyzer reads the region sequence to check if an unsafe operation is in an opt-out region. If it is, discard the warning raised from the operation immediately.

Examples,

  void f() {
    int * p = new int [10];
  #pragma clang unsafe_buffer_usage begin
    p[5];
  #pragma clang unsafe_buffer_usage end
  }

Nothing will be warned in `f`  since the only unsafe operation `p[5]` is in an opt-out region.

  void f() {
  #pragma clang unsafe_buffer_usage begin
     int * p = new int [10];  // expect a warning on `p` for the unsafe operation below
  #pragma clang unsafe_buffer_usage end
     p[5]; // may have a note here which is an attachment of the warning above
  }

In this example, a warning triggered by `p[5]`, which is not in an opt-out region, will be reported on the declaration.  Although the declaration is in an opt-out region, the warning is NOT suppressed.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D140179

Files:
  clang/include/clang/Analysis/Analyses/UnsafeBufferUsage.h
  clang/include/clang/Basic/Diagnostic.h
  clang/include/clang/Basic/DiagnosticLexKinds.td
  clang/include/clang/Basic/DiagnosticSemaKinds.td
  clang/include/clang/Lex/Preprocessor.h
  clang/lib/Analysis/UnsafeBufferUsage.cpp
  clang/lib/Basic/Diagnostic.cpp
  clang/lib/Lex/PPLexerChange.cpp
  clang/lib/Lex/Pragma.cpp
  clang/lib/Lex/Preprocessor.cpp
  clang/lib/Sema/AnalysisBasedWarnings.cpp
  clang/test/SemaCXX/warn-unsafe-buffer-usage-pragma-misuse.cpp
  clang/test/SemaCXX/warn-unsafe-buffer-usage-pragma.cpp
  clang/test/SemaCXX/warn-unsafe-buffer-usage-pragma.h

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D140179.483332.patch
Type: text/x-patch
Size: 21545 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20221216/1524f0f2/attachment-0001.bin>

More information about the cfe-commits mailing list