[libcxx-commits] [libcxx] [libc++] Add unsafe-buffer-usage attributes to span, vector, string and string_view (PR #119603)
via libcxx-commits
libcxx-commits at lists.llvm.org
Mon Jan 6 10:07:18 PST 2025
================
@@ -0,0 +1,41 @@
+//===----------------------------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+// UNSUPPORTED: gcc
+
+// Make sure that std::string's operations produce unsafe buffer access warnings when
+// -Wunsafe-buffer-usage is used, when hardening is disabled.
+//
+// Note: We disable _LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER to ensure that the libc++
+// headers are considered system headers, to validate that users would get
+// those diagnostics.
+//
+// ADDITIONAL_COMPILE_FLAGS: -Wunsafe-buffer-usage -U_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER
+// REQUIRES: libcpp-hardening-mode=none
+
+#include <string>
+#include <cstddef>
+
+void f(std::string s, std::string const cs, std::size_t n) {
+ (void)s[n]; // expected-warning {{function introduces unsafe buffer manipulation}}
+ (void)cs[n]; // expected-warning {{function introduces unsafe buffer manipulation}}
+ (void)s.front(); // expected-warning {{function introduces unsafe buffer manipulation}}
+ (void)cs.front(); // expected-warning {{function introduces unsafe buffer manipulation}}
+ (void)s.back(); // expected-warning {{function introduces unsafe buffer manipulation}}
+ (void)cs.back(); // expected-warning {{function introduces unsafe buffer manipulation}}
+ s.pop_back(); // expected-warning {{function introduces unsafe buffer manipulation}}
+
+ auto it = s.begin();
+#if defined(_LIBCPP_ABI_BOUNDED_ITERATORS_IN_STRING)
+ (void)*it; // nothing
+ (void)it[n]; // nothing
+#else
+ (void)*it; // expected-warning {{function introduces unsafe buffer manipulation}}
+ (void)it[n]; // expected-warning {{function introduces unsafe buffer manipulation}}
+#endif
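Review bot: the `#else` branch only exercises dereference (`*it`) and subscript (`it[n]`) on the `begin()` iterator, so if the new attribute is also meant to cover iterator arithmetic, this test would not catch it being missing or later dropped; consider adding a line such as `(void)(it + n); // expected-warning {{function introduces unsafe buffer manipulation}}` alongside the existing two. In the `_LIBCPP_ABI_BOUNDED_ITERATORS_IN_STRING` branch, the bare `// nothing` comments would read better as an explicit statement of intent, e.g. `// no warning expected: bounded iterators are checked`, so a future reader does not mistake them for unfinished lines.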
----------------
geoffreygaren wrote:
The overall approach here looks great to me from the perspective of WebKit programming. This would catch use of unsafe iterators in Darwin user space, and also just a misconfigured build that tried to enable the hardened C++ library but failed (which we've done before!).
I wonder if iterator `operator++` and `operator--` should also be marked with the unsafe annotation? Normally unsafe buffer usage warns when you adjust the pointer, not necessarily when you dereference it.
(You could argue that iterators, unlike pointers, should _also_ warn when you dereference, since `end()` is a valid iterator. But it's still valuable to warn when you adjust an iterator, since you may ultimately pass the result to code that doesn't enforce safety at time of dereference.)
https://github.com/llvm/llvm-project/pull/119603