[-Wunsafe-buffer-usage] Accept calls to some libc functions with annotated arguments #10088
Conversation
|
CC @dtarditi |
|
This PR depends on #10060 |
| @@ -747,7 +747,7 @@ const Expr *extractExtentFromSubviewDataCall(ASTContext &Context, | |||
| static bool hasIntegeralConstant(const Expr *E, uint64_t Val, ASTContext &Ctx) { | |||
| Expr::EvalResult ER; | |||
|
|
|||
| if (E->EvaluateAsConstantExpr(ER, Ctx)) { | |||
| if (E->EvaluateAsInt(ER, Ctx)) { | |||
There was a problem hiding this comment.
According to https://github.com/llvm/llvm-project/pull/124022/files, the result of EvaluateAsConstantExpr may not necessarily be able to getInt() later.
| @@ -23,7 +23,7 @@ namespace std { | |||
| T* p; | |||
| T *c_str(); | |||
| T *data(); | |||
| unsigned size_bytes(); | |||
There was a problem hiding this comment.
A mistake I made in the test---std::string has no size_bytes method.
There was a problem hiding this comment.
It's probably worth checking if basic_string<wchar_t> works as expected.
There was a problem hiding this comment.
✅ Added test cases for wide characters.
| @@ -366,6 +366,7 @@ isInUnspecifiedUntypedContext(internal::Matcher<Stmt> InnerMatcher) { | |||
|
|
|||
| namespace { | |||
|
|
|||
| /* TO_UPSTREAM(BoundsSafetyInterop) ON */ | |||
There was a problem hiding this comment.
I assume there is no problem in upstreaming the part of the interop in UnsafeBufferUsage.cpp? @patrykstefanski
|
add @jkorous-apple |
| snwprintf(safe_p, n, "%s", str); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}} | ||
|
|
||
| memcpy(safe_p, safe_p, n); // no warn | ||
| strlen(str); // expected-warning{{unsafe assignment to a parameter of '__null_terminated' type; only '__null_terminated' pointers, string literals, and 'std::string::c_str' calls are compatible with '__null_terminated' pointers}} |
There was a problem hiding this comment.
I'm not getting this warning here.
error: 'expected-warning' diagnostics expected but not seen:
File ./clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions-interop.cpp Line 36: unsafe assignment to a parameter of '__null_terminated' type; only '__null_terminated' pointers, string literals, and 'std::string::c_str' calls are compatible with '__null_terminated' pointers
There was a problem hiding this comment.
✅ It was not up to date to the dependent PR. Fixed.
| &*ValuesOpt, Context); | ||
| return isCountAttributedPointerArgumentSafeImpl( | ||
| Context, Arg, CountArg, CAT, CAT->getCountExpr(), CAT->isCountInBytes(), | ||
| CAT->isOrNull(), ValuesOpt ? &*ValuesOpt : nullptr); |
There was a problem hiding this comment.
Nit: IMHO we could be explicit to avoid any confusion: ValuesOpt.has_value() ? &*ValuesOpt : nullptr.
| assert(CountedByExpr || | ||
| !DependentValueMap && | ||
| "If the __counted_by information is hardcoded, there is no " | ||
| "dependent value map."); |
There was a problem hiding this comment.
Is the operator precedence in those 2 asserts correct? The bottom one is equivalent to:
CountedByExpr ||
(!DependentValueMap &&
"If the __counted_by information is hardcoded, there is no "
"dependent value map.")
Is this expected?
There was a problem hiding this comment.
The string literal is simply true so I think they are equivalent. But let's add parentheses to avoid confusion.
| auto ValuesOpt = getDependentValuesFromCall(CAT, Call); | ||
| if (!ValuesOpt.has_value()) | ||
| if (!DependentValueMap && CountedByExpr) | ||
| // Bail if the map is not available for case (a). Becuase |
| return false; | ||
|
|
||
| const Expr *ArgCount = nullptr; | ||
| // the acutal count of the pointer inferred through patterns below: |
|
|
||
| // expected-note@+2{{consider using a safe container and passing '.data()' to the parameter 'dst' and '.size()' to its dependent parameter 'size' or 'std::span' and passing '.first(...).data()' to the parameter 'dst'}} | ||
| // expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'src' and '.size()' to its dependent parameter 'size' or 'std::span' and passing '.first(...).data()' to the parameter 'src'}} | ||
| void memcpy(void * __sized_by(size) dst, const void * __sized_by(size) src, unsigned size); |
There was a problem hiding this comment.
memcpy returns void * and takes size_t size.
| void memcpy(void * __sized_by(size) dst, const void * __sized_by(size) src, unsigned size); | ||
| unsigned strlen( const char* __null_terminated str ); | ||
| // expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'buffer' and '.size()' to its dependent parameter 'buf_size' or 'std::span' and passing '.first(...).data()' to the parameter 'buffer'}} | ||
| int snprintf( char* __counted_by(buf_size) buffer, unsigned buf_size, const char* format, ... ); |
There was a problem hiding this comment.
Nit: Those printf functions take size_t.
| // expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'buffer' and '.size()' to its dependent parameter 'buf_size' or 'std::span' and passing '.first(...).data()' to the parameter 'buffer'}} | ||
| int snprintf( char* __counted_by(buf_size) buffer, unsigned buf_size, const char* format, ... ); | ||
| int snwprintf( char* __counted_by(buf_size) buffer, unsigned buf_size, const char* format, ... ); | ||
| int vsnprintf( char* __counted_by(buf_size) buffer, unsigned buf_size, const char* format, ... ); |
There was a problem hiding this comment.
Should take va_list vlist instead of ....
There was a problem hiding this comment.
hmm... then I need to define a va_list that accepts variant parameters.
There was a problem hiding this comment.
Could you elaborate? Is calling vsnprintf expected to be always unsafe? Cannot we declare this function with va_list and then pass an empty va_list on the call site?
| } | ||
| return true; // ptr and size are not in safe pattern | ||
| return !isHardcodedCountedByPointerArgumentSafe( | ||
| Finder->getASTContext(), Buf, Size, FirstParmTy.getTypePtr(), true, |
There was a problem hiding this comment.
Is true passed to isSizedBy correct here? I think the functions taking wchar_t would be annotated with __counted_by().
| @@ -23,7 +23,7 @@ namespace std { | |||
| T* p; | |||
| T *c_str(); | |||
| T *data(); | |||
| unsigned size_bytes(); | |||
There was a problem hiding this comment.
It's probably worth checking if basic_string<wchar_t> works as expected.
…tated arguments - `printf`, `fprintf` `snprintf` functions accept `__null_terminated` - `snprintf` function accepts `__counted_by/__sized_by` - functions consuming a single string pointer like `strlen` or `atoi` accept `__null_terminated` Generalized `isCountAttributedPointerArgumentSafe` so that it is shared by interoperation gadgets and the unsafe libc gadget. (A follow-up change to rdar://138798346)
ziqingluo-90
force-pushed
the
dev/ziqing/PR-138798346-followup
branch
from
306ea22 to
2678bd8
Compare
|
@patrykstefanski I have addressed your comments. Plz take another look. |
|
Also added the pattern--- |
| } else | ||
| // When there is no argument representing the count/size, it is safe iff | ||
| // the annotation is `__counted_by(1)`. | ||
| return !isSizedBy && hasIntegeralConstant(CountedByExpr, 1, Context); |
There was a problem hiding this comment.
If we have CountArg above, we support form 2 (&var, sizeof(var)) with this check:
// form 2:
if (auto TySize = Context.getTypeSizeInCharsIfKnown(DRE->getType()))
return hasIntegeralConstant(CountArg, TySize->getQuantity(), Context);In the else branch here, we don't check for the form 2, we only check form 1. Is this expected?
| } else | ||
| // When there is no argument representing the count/size, it is safe iff | ||
| // the annotation is `__counted_by(1)`. | ||
| return !isSizedBy && hasIntegeralConstant(CountedByExpr, 1, Context); | ||
| return false; | ||
| } |
| return (FName == "strlen" || FName == "wcslen") && | ||
| AreSameDRE(Arg0, CallArg); | ||
| } | ||
| } |
There was a problem hiding this comment.
Is the check for __null_terminated missing?
size_t strlen( const char* __null_terminated str );
size_t wcslen( const wchar_t* __null_terminated str );
void test_span_ctor_non_nt(char *p, const wchar_t *wp) {
std::span S{p, strlen(p)};
std::span S2{wp, wcslen(wp)};
}
It looks like we don't warn for this code. Not sure why it doesn't warn for the call strlen(p) though.
There was a problem hiding this comment.
hmm... yeah, I'll look into it.
There was a problem hiding this comment.
ok, it's because that test only has -Wunsafe-buffer-usage-in-container but no -Wunsafe-buffer-usage. This is expected.
There was a problem hiding this comment.
I have added a test for this.
| @@ -933,7 +1014,7 @@ bool isSinglePointerArgumentSafe(ASTContext &Context, const Expr *Arg) { | |||
| // 6. `std::span<T>{p, n}`, where `p` is a __counted_by(`n`)/__sized_by(`n`) | |||
| // pointer OR `std::span<char>{(char*)p, n}`, where `p` is a __sized_by(`n`) | |||
| // pointer. | |||
|
|
|||
| // 7. `std::span<char>{p, strlen(p)}` or `std::span<wchar_t>{p, wcslen(p)}` | |||
There was a problem hiding this comment.
I would add '... if p is __null_terminated`.
There was a problem hiding this comment.
Actually, whether p is __null_terminated is irrelevant here.
The analysis of std::span constructors only cares about if the two arguments are in the form p and strlen(p).
If p is not null-terminated, it's up to the type checking to complain about it. Just like we do not check that p is of pointer-to-char type here.
| T *c_str(); | ||
| T *data(); | ||
| unsigned size(); | ||
| }; |
There was a problem hiding this comment.
Can we match the interface to be the same as the types in std::? You can copy-paste from warn-unsafe-buffer-usage-count-attributed-pointer-argument.cpp.
| // expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'buffer' and '.size()' to its dependent parameter 'buf_size' or 'std::span' and passing '.first(...).data()' to the parameter 'buffer'}} | ||
| int snprintf( char* __counted_by(buf_size) buffer, unsigned buf_size, const char* format, ... ); | ||
| int snwprintf( char* __counted_by(buf_size) buffer, unsigned buf_size, const char* format, ... ); | ||
| int vsnprintf( char* __counted_by(buf_size) buffer, unsigned buf_size, const char* format, ... ); |
There was a problem hiding this comment.
Could you elaborate? Is calling vsnprintf expected to be always unsafe? Cannot we declare this function with va_list and then pass an empty va_list on the call site?
| } | ||
| } | ||
| if (auto NumChars = | ||
| Finder->getASTContext().getTypeSizeInCharsIfKnown(FirstPteTy)) { |
There was a problem hiding this comment.
Nit: auto and explicit optional:
std::optional<CharUnits> NumChars =
Finder->getASTContext().getTypeSizeInCharsIfKnown(FirstPteTy);
if (NumChars.has_value()) {
There was a problem hiding this comment.
isn't if (std::optional<CharUnits> NumChars = ...) better?
| // RUN: %clang_cc1 -std=c++20 -Wno-all -Wunsafe-buffer-usage -Wno-error=bounds-safety-strict-terminated-by-cast\ | ||
| // RUN: -verify -fexperimental-bounds-safety-attributes %s | ||
| #include <ptrcheck.h> | ||
| typedef unsigned size_t; |
There was a problem hiding this comment.
Cannot we include stddef.h? unsigned is not right type on most 64-bit platforms.
…tated arguments (#10088) * [-Wunsafe-buffer-usage] Accept calls to some libc functions with annotated arguments - `printf`, `fprintf` `snprintf` functions accept `__null_terminated` - `snprintf` function accepts `__counted_by/__sized_by` - functions consuming a single string pointer like `strlen` or `atoi` accept `__null_terminated` Generalized `isCountAttributedPointerArgumentSafe` so that it is shared by interoperation gadgets and the unsafe libc gadget. (A follow-up change to rdar://138798346)
…tated arguments & Let libc warnings yield to bounds attributes (#10182) Cherry-pick two commits: * [Upstream][C++ Safe Buffers] Let libc warnings yield to bounds attributes For a call to an unsafe libc function, do not warn about it if its callee function has any bounds attributes. Because we can verify the safety of the call using bounds attributes. (rdar://140138380) * [-Wunsafe-buffer-usage] Accept calls to some libc functions with annotated arguments (#10088) - `printf`, `fprintf` `snprintf` functions accept `__null_terminated` - `snprintf` function accepts `__counted_by/__sized_by` - functions consuming a single string pointer like `strlen` or `atoi` accept `__null_terminated` Generalized `isCountAttributedPointerArgumentSafe` so that it is shared by interoperation gadgets and the unsafe libc gadget. (A follow-up change to rdar://138798346)
printf,fprintfsnprintffunctions accept__null_terminatedsnprintffunction accepts__counted_by/__sized_bystrlenoratoiaccept__null_terminatedGeneralized
isCountAttributedPointerArgumentSafeso that it is shared by interoperation gadgets and the unsafe libc gadget.(A follow-up change to rdar://138798346)