[clang] [WebKit checkers] Add an annotation for pointer conversion. (PR #141277)
Ryosuke Niwa via cfe-commits
cfe-commits at lists.llvm.org
Fri Jun 6 13:42:11 PDT 2025
https://github.com/rniwa updated https://github.com/llvm/llvm-project/pull/141277
>From b29b369a5b26869916101e45aa4580a5f7de3907 Mon Sep 17 00:00:00 2001
From: Ryosuke Niwa <rniwa at webkit.org>
Date: Fri, 23 May 2025 11:42:20 -0700
Subject: [PATCH 1/2] [WebKit checkers] Add an annotation for pointer
conversion.
This PR adds the WebKit checker support for [[clang::annotate_type("webkit.pointerconversion")]].
When this attribute is set on the return value of a function, the function is treated as safe to
call anywhere and the return value's pointer origin is the argument.
---
.../Checkers/WebKit/PtrTypesSemantics.cpp | 12 ++++++++++++
.../Checkers/WebKit/call-args-safe-functions.cpp | 10 +++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.cpp b/clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.cpp
index 4ddd11495f534..cd33476344a34 100644
--- a/clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/WebKit/PtrTypesSemantics.cpp
@@ -468,6 +468,18 @@ bool isPtrConversion(const FunctionDecl *F) {
FunctionName == "checked_objc_cast")
return true;
+ auto ReturnType = F->getReturnType();
+ if (auto *Type = ReturnType.getTypePtrOrNull()) {
+ if (auto *AttrType = dyn_cast<AttributedType>(Type)) {
+ if (auto *Attr = AttrType->getAttr()) {
+ if (auto *AnnotateType = dyn_cast<AnnotateTypeAttr>(Attr)) {
+ if (AnnotateType->getAnnotation() == "webkit.pointerconversion")
+ return true;
+ }
+ }
+ }
+ }
+
return false;
}
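Review bot: The added check in isPtrConversion inspects only the outermost type node, so `dyn_cast<AttributedType>(Type)` will not see the annotation when the return type is wrapped in sugar such as a typedef, or when another type attribute is stacked outside `annotate_type`. The miss falls on the safe side (the checker keeps warning), but the annotation then silently does not apply. Walking the attributed layers, as sketched below, covers those cases and flattens the five nested `if`s. As far as this hunk shows, the annotation alone makes the checker trust the function, and nothing verifies that the returned pointer derives from the argument; a comment saying so would help whoever audits annotated functions. The body of isPtrConversion starts above this hunk.

```cpp
  // … unchanged: the named cast-function checks above …
  QualType ReturnType = F->getReturnType();
  while (!ReturnType.isNull()) {
    const auto *AttrType = ReturnType->getAs<AttributedType>();
    if (!AttrType)
      break;
    if (const auto *Annotate =
            dyn_cast_or_null<AnnotateTypeAttr>(AttrType->getAttr()))
      if (Annotate->getAnnotation() == "webkit.pointerconversion")
        return true;
    ReturnType = AttrType->getModifiedType();
  }

  return false;
```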
diff --git a/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp b/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp
index a87446564870c..9f6dbade3c746 100644
--- a/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp
+++ b/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp
@@ -1,5 +1,4 @@
// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.webkit.UncountedCallArgsChecker -verify %s
-// expected-no-diagnostics
class Base {
public:
@@ -44,6 +43,12 @@ inline Target* uncheckedDowncast(Source* source)
return static_cast<Target*>(source);
}
+template<typename Target, typename Source>
+Target* [[clang::annotate_type("webkit.pointerconversion")]] newCastFunction(Source*);
+
+template<typename Target, typename Source>
+Target* [[clang::annotate_type("unrelated-annotation")]] badCastFunction(Source*);
+
template<typename... Types>
String toString(const Types&... values);
@@ -52,5 +57,8 @@ void foo(OtherObject* other)
dynamicDowncast<SubDerived>(other->obj());
checkedDowncast<SubDerived>(other->obj());
uncheckedDowncast<SubDerived>(other->obj());
+ newCastFunction<SubDerived>(other->obj());
+ badCastFunction<SubDerived>(other->obj());
+ // expected-warning at -1{{Call argument is uncounted and unsafe}}
toString(other->obj());
}
>From 6ab37e4229d618c58cc16f992028ed9d07cadb2b Mon Sep 17 00:00:00 2001
From: Ryosuke Niwa <rniwa at webkit.org>
Date: Fri, 6 Jun 2025 14:41:56 -0600
Subject: [PATCH 2/2] Add a test case where webkit.pointerconversion annotation
is added on a class member function.
---
.../WebKit/call-args-safe-functions.cpp | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp b/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp
index 9f6dbade3c746..5c540a58debaf 100644
--- a/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp
+++ b/clang/test/Analysis/Checkers/WebKit/call-args-safe-functions.cpp
@@ -1,9 +1,12 @@
// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.webkit.UncountedCallArgsChecker -verify %s
+#include "mock-types.h"
+
class Base {
public:
- inline void ref();
- inline void deref();
+ void ref();
+ void deref();
+ void doWork();
};
class Derived : public Base {
@@ -20,6 +23,7 @@ class SubDerived final : public Derived {
class OtherObject {
public:
Derived* obj();
+ Base* base();
};
class String {
@@ -62,3 +66,12 @@ void foo(OtherObject* other)
// expected-warning at -1{{Call argument is uncounted and unsafe}}
toString(other->obj());
}
+
+struct SomeStruct {
+ Derived* [[clang::annotate_type("webkit.pointerconversion")]] ptrConversion(Base*);
+
+ void foo(OtherObject& otherObj) {
+ RefPtr ptr = otherObj.base();
+ ptrConversion(ptr.get())->doWork();
+ }
+};
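Review bot: SomeStruct::foo only exercises the accepted path, where the argument to `ptrConversion` comes from a `RefPtr`, so the test does not show that the result's origin is traced to the argument rather than being treated as safe outright. The earlier `newCastFunction<SubDerived>(other->obj());` call in the free function `foo` discards its result and cannot show it either. A negative case in the same member function would pin this down, for example `ptrConversion(otherObj.base())->doWork();` followed by an `expected-warning` line in the form the file already uses, with the text taken from the checker's actual output. If the checker does not warn there, the annotation suppresses more than the description states.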