[clang] [-Wunsafe-buffer-usage] Fix a bug that wrongly assumed CXXMethodDecl always has an identifier (PR #137248)

Ziqing Luo via cfe-commits cfe-commits at lists.llvm.org
Thu Apr 24 15:27:01 PDT 2025 

https://github.com/ziqingluo-90 updated https://github.com/llvm/llvm-project/pull/137248

>From f9e68fd71677e047ee82992f2034bd62958ecbed Mon Sep 17 00:00:00 2001
From: Ziqing Luo <ziqing_luo at apple.com>
Date: Thu, 24 Apr 2025 13:29:24 -0700
Subject: [PATCH 1/3] [-Wunsafe-buffer-usage] Fix a bug that wrongly assumed
 CXXMethodDecl always has an identifier

Fix a bug in UnsafeBufferUsage.cpp that wrongly assumed CXXMethodDecl always has an identifier.

rdar://149071318
---
 clang/lib/Analysis/UnsafeBufferUsage.cpp |  2 +-
 clang/test/SemaCXX/bug149071318.cpp      | 25 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 clang/test/SemaCXX/bug149071318.cpp

diff --git a/clang/lib/Analysis/UnsafeBufferUsage.cpp b/clang/lib/Analysis/UnsafeBufferUsage.cpp
index 4eaf8ba61eaec..5b72382ca9772 100644
--- a/clang/lib/Analysis/UnsafeBufferUsage.cpp
+++ b/clang/lib/Analysis/UnsafeBufferUsage.cpp
@@ -675,7 +675,7 @@ static bool isNullTermPointer(const Expr *Ptr) {
     const CXXMethodDecl *MD = MCE->getMethodDecl();
     const CXXRecordDecl *RD = MCE->getRecordDecl()->getCanonicalDecl();
 
-    if (MD && RD && RD->isInStdNamespace())
+    if (MD && RD && RD->isInStdNamespace() && MD->getIdentifier())
       if (MD->getName() == "c_str" && RD->getName() == "basic_string")
         return true;
   }
diff --git a/clang/test/SemaCXX/bug149071318.cpp b/clang/test/SemaCXX/bug149071318.cpp
new file mode 100644
index 0000000000000..0dbe66f6e37a6
--- /dev/null
+++ b/clang/test/SemaCXX/bug149071318.cpp
@@ -0,0 +1,25 @@
+// RUN: %clang_cc1 -std=c++20 -Wno-all -Wunsafe-buffer-usage \
+// RUN:            -verify %s
+
+// This example uncovered a bug in UnsafeBufferUsage.cpp, where the
+// code assumed that a CXXMethodDecl always have an identifier.
+
+int printf( const char* format, char *); // <-- Fake decl of `printf`; to reproduce the bug, this example needs an implicit cast within a printf call.
+
+namespace std { // fake std namespace; to reproduce the bug, a CXXConversionDecl needs to be in std namespace.
+  class X {
+    char * p;
+  public:    
+    operator char*() {return p;}
+  };
+
+  class Y {
+  public:
+    X x;
+  };
+
+}
+
+void test(std::Y &y) {
+  printf("%s", y.x); // expected-warning{{function 'printf' is unsafe}} expected-note{{}}
+}

>From 62f606ac453796d5e857a88ea62187b56af6bedc Mon Sep 17 00:00:00 2001
From: Ziqing Luo <ziqing at udel.edu>
Date: Thu, 24 Apr 2025 13:41:08 -0700
Subject: [PATCH 2/3] Add more comments to the test

---
 clang/test/SemaCXX/bug149071318.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/clang/test/SemaCXX/bug149071318.cpp b/clang/test/SemaCXX/bug149071318.cpp
index 0dbe66f6e37a6..41c41a704104a 100644
--- a/clang/test/SemaCXX/bug149071318.cpp
+++ b/clang/test/SemaCXX/bug149071318.cpp
@@ -21,5 +21,6 @@ namespace std { // fake std namespace; to reproduce the bug, a CXXConversionDecl
 }
 
 void test(std::Y &y) {
+  // Here `y.x` involves an implicit cast and calls the conversion overloading, which has no identifier:
   printf("%s", y.x); // expected-warning{{function 'printf' is unsafe}} expected-note{{}}
 }

>From 26747459a2fd774a42d7a7ef7d4917daf5a1e970 Mon Sep 17 00:00:00 2001
From: Ziqing Luo <ziqing at udel.edu>
Date: Thu, 24 Apr 2025 15:26:52 -0700
Subject: [PATCH 3/3] Revise comments in the test

---
 clang/test/SemaCXX/bug149071318.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clang/test/SemaCXX/bug149071318.cpp b/clang/test/SemaCXX/bug149071318.cpp
index 41c41a704104a..596d0e238dfba 100644
--- a/clang/test/SemaCXX/bug149071318.cpp
+++ b/clang/test/SemaCXX/bug149071318.cpp
@@ -21,6 +21,6 @@ namespace std { // fake std namespace; to reproduce the bug, a CXXConversionDecl
 }
 
 void test(std::Y &y) {
-  // Here `y.x` involves an implicit cast and calls the conversion overloading, which has no identifier:
+  // Here `y.x` involves an implicit cast and calls the overloaded cast operator, which has no identifier:
   printf("%s", y.x); // expected-warning{{function 'printf' is unsafe}} expected-note{{}}
 }

More information about the cfe-commits mailing list