[clang] [BoundsSafety] Add `-fexperimental-bounds-safety` CC1 and language option and use it to tweak `counted_by`'s semantics (PR #92623)
Dan Liew via cfe-commits
cfe-commits at lists.llvm.org
Fri May 17 17:28:40 PDT 2024
https://github.com/delcypher created https://github.com/llvm/llvm-project/pull/92623
This adds the `-fexperimental-bounds-safety` cc1 and corresponding language option. This language option enables "-fbounds-safety" which is a bounds-safety extension for C that is being incrementally upstreamed.
This cc1 flag is not exposed as a driver flag yet because most of the implementation isn't upstream yet.
The language option is used to make a small semantic change to how the `counted_by` attribute is treated. Without
`-fexperimental-bounds-safety` the attribute is allowed (but emits a warning) on a flexible array member where the element type is a struct with a flexible array member. With the flag this situation is an error.
E.g.
```
struct has_unannotated_FAM {
int count;
char buffer[];
};
struct buffer_of_structs_with_unnannotated_FAM {
int count;
// Forbidden with `-fexperimental-bounds-safety`
struct has_unannotated_FAM Arr[] __counted_by(count);
};
```
>From cc6adf2e6473ab1dc008ddad5d925cad5e6646cf Mon Sep 17 00:00:00 2001
From: Dan Liew <dan at su-root.co.uk>
Date: Fri, 17 May 2024 17:15:48 -0700
Subject: [PATCH] [BoundsSafety] Add `-fexperimental-bounds-safety` CC1 and
language option and use it to tweak `counted_by`'s semantics
This adds the `-fexperimental-bounds-safety` cc1 and corresponding
language option. This language option enables "-fbounds-safety" which
is a bounds-safety extension for C that is being incrementally
upstreamed.
This cc1 flag is not exposed as a driver flag yet because most of the
implementation isn't upstream yet.
The language option is used to make a small semantic change to how the
`counted_by` attribute is treated. Without
`-fexperimental-bounds-safety` the attribute is allowed (but emits a
warning) on a flexible array member where the element type is a struct
with a flexible array member. With the flag this situation is an error.
E.g.
```
struct has_unannotated_FAM {
int count;
char buffer[];
};
struct buffer_of_structs_with_unnannotated_FAM {
int count;
// Forbidden with `-fexperimental-bounds-safety`
struct has_unannotated_FAM Arr[] __counted_by(count);
};
```
---
clang/include/clang/Basic/LangOptions.def | 2 +
clang/include/clang/Driver/Options.td | 8 ++++
clang/lib/Sema/SemaDeclAttr.cpp | 2 +-
.../Sema/attr-counted-by-bounds-safety-vlas.c | 37 +++++++++++++++++++
4 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 clang/test/Sema/attr-counted-by-bounds-safety-vlas.c
diff --git a/clang/include/clang/Basic/LangOptions.def b/clang/include/clang/Basic/LangOptions.def
index 09eb92d6f10d2..77ac7cfbddfca 100644
--- a/clang/include/clang/Basic/LangOptions.def
+++ b/clang/include/clang/Basic/LangOptions.def
@@ -504,6 +504,8 @@ COMPATIBLE_LANGOPT(IncrementalExtensions, 1, 0, " True if we want to process sta
BENIGN_LANGOPT(CheckNew, 1, 0, "Do not assume C++ operator new may not return NULL")
+LANGOPT(BoundsSafety, 1, 0, "Bounds safety extension for C")
+
#undef LANGOPT
#undef COMPATIBLE_LANGOPT
#undef BENIGN_LANGOPT
diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td
index 7bb781667e926..798ccbe3b94d5 100644
--- a/clang/include/clang/Driver/Options.td
+++ b/clang/include/clang/Driver/Options.td
@@ -1871,6 +1871,14 @@ def fapinotes_swift_version : Joined<["-"], "fapinotes-swift-version=">,
MetaVarName<"<version>">,
HelpText<"Specify the Swift version to use when filtering API notes">;
+defm bounds_safety : BoolFOption<
+ "experimental-bounds-safety",
+ LangOpts<"BoundsSafety">, DefaultFalse,
+ PosFlag<SetTrue, [], [CC1Option], "Enable">,
+ NegFlag<SetFalse, [], [CC1Option], "Disable">,
+ BothFlags<[], [CC1Option],
+ " experimental bounds safety extension for C">>;
+
defm addrsig : BoolFOption<"addrsig",
CodeGenOpts<"Addrsig">, DefaultFalse,
PosFlag<SetTrue, [], [ClangOption, CC1Option], "Emit">,
diff --git a/clang/lib/Sema/SemaDeclAttr.cpp b/clang/lib/Sema/SemaDeclAttr.cpp
index e816ea3647a7c..7eb29499dec7d 100644
--- a/clang/lib/Sema/SemaDeclAttr.cpp
+++ b/clang/lib/Sema/SemaDeclAttr.cpp
@@ -8695,7 +8695,7 @@ static bool CheckCountedByAttrOnField(
} else if (PointeeTy->isFunctionType()) {
InvalidTypeKind = CountedByInvalidPointeeTypeKind::FUNCTION;
} else if (PointeeTy->isStructureTypeWithFlexibleArrayMember()) {
- if (FieldTy->isArrayType()) {
+ if (FieldTy->isArrayType() && !S.getLangOpts().BoundsSafety) {
// This is a workaround for the Linux kernel that has already adopted
// `counted_by` on a FAM where the pointee is a struct with a FAM. This
// should be an error because computing the bounds of the array cannot be
diff --git a/clang/test/Sema/attr-counted-by-bounds-safety-vlas.c b/clang/test/Sema/attr-counted-by-bounds-safety-vlas.c
new file mode 100644
index 0000000000000..7d9c9a90880ff
--- /dev/null
+++ b/clang/test/Sema/attr-counted-by-bounds-safety-vlas.c
@@ -0,0 +1,37 @@
+// RUN: %clang_cc1 -fsyntax-only -fexperimental-bounds-safety -verify %s
+//
+// This is a portion of the `attr-counted-by-vla.c` test but is checked
+// under the semantics of `-fexperimental-bounds-safety` which has different
+// behavior.
+
+#define __counted_by(f) __attribute__((counted_by(f)))
+
+struct has_unannotated_VLA {
+ int count;
+ char buffer[];
+};
+
+struct has_annotated_VLA {
+ int count;
+ char buffer[] __counted_by(count);
+};
+
+struct buffer_of_structs_with_unnannotated_vla {
+ int count;
+ // expected-error at +1{{'counted_by' cannot be applied to an array with element of unknown size because 'struct has_unannotated_VLA' is a struct type with a flexible array member}}
+ struct has_unannotated_VLA Arr[] __counted_by(count);
+};
+
+
+struct buffer_of_structs_with_annotated_vla {
+ int count;
+ // expected-error at +1{{'counted_by' cannot be applied to an array with element of unknown size because 'struct has_annotated_VLA' is a struct type with a flexible array member}}
+ struct has_annotated_VLA Arr[] __counted_by(count);
+};
+
+struct buffer_of_const_structs_with_annotated_vla {
+ int count;
+ // Make sure the `const` qualifier is printed when printing the element type.
+ // expected-error at +1{{'counted_by' cannot be applied to an array with element of unknown size because 'const struct has_annotated_VLA' is a struct type with a flexible array member}}
+ const struct has_annotated_VLA Arr[] __counted_by(count);
+};
More information about the cfe-commits
mailing list