Skip to content

[BoundsSafety] Allow 'counted_by' attribute on pointers in structs in C #90786

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 17, 2024
Merged

[BoundsSafety] Allow 'counted_by' attribute on pointers in structs in C #90786

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion clang/docs/ReleaseNotes.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -317,7 +317,8 @@ New Compiler Flags

- ``-fexperimental-late-parse-attributes`` enables an experimental feature to
allow late parsing certain attributes in specific contexts where they would
not normally be late parsed.
not normally be late parsed. Currently this allows late parsing the
`counted_by` attribute in C. See `Attribute Changes in Clang`_.

- ``-fseparate-named-sections`` uses separate unique sections for global
symbols in named special sections (i.e. symbols annotated with
Expand Down Expand Up @@ -406,6 +407,24 @@ Attribute Changes in Clang
- The ``clspv_libclc_builtin`` attribute has been added to allow clspv
(`OpenCL-C to Vulkan SPIR-V compiler <https://github.com/google/clspv>`_) to identify functions coming from libclc
(`OpenCL-C builtin library <https://libclc.llvm.org>`_).
- The ``counted_by`` attribute is now allowed on pointers that are members of a
struct in C.

- The ``counted_by`` attribute can now be late parsed in C when
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should mention that counted_by was extended to work with pointers in structs first. Otherwise, "last parsing" of the attribute doesn't make a lot of sense since a flexible array member is at the end of a struct.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can mention it but I'm wondering if it should be in the release notes at all because this patch only makes parsing work. I've not done anything on the codegen side to make use of the attribute on pointers.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it doesn't have a use yet, maybe you don't need to add it in the release notes?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So to add some context here. The original reason there was a release note is because in #88596 (which this patch builds upon) @AaronBallman asked for there to be a release note about the new -fexperimental-late-parse-attributes flag. This patch means -fexperimental-late-parse-attributes actually does something now (before it did nothing) so I updated the release notes on that flag and it "felt" like it made sense to explain in the release notes the change on the attributes in relation to the flag.

I don't have strong opinions here. I'm ok to drop the changes to the release notes or keep them or something in between. @AaronBallman any opinions here?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have a strong opinion either. :-) It's fine to keep the blurb in.

``-fexperimental-late-parse-attributes`` is passed but only when attribute is
used in the declaration attribute position. This allows using the
attribute on existing code where it previously impossible to do so without
re-ordering struct field declarations would break ABI as shown below.

.. code-block:: c

struct BufferTy {
/* Refering to `count` requires late parsing */
char* buffer __counted_by(count);
/* Swapping `buffer` and `count` to avoid late parsing would break ABI */
size_t count;
};


Improvements to Clang's diagnostics
-----------------------------------
Expand Down
1 change: 1 addition & 0 deletions clang/include/clang/AST/Type.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2515,6 +2515,7 @@ class alignas(TypeAlignment) Type : public ExtQualsTypeCommonBase {
bool isRecordType() const;
bool isClassType() const;
bool isStructureType() const;
bool isStructureTypeWithFlexibleArrayMember() const;
bool isObjCBoxableRecordType() const;
bool isInterfaceType() const;
bool isStructureOrClassType() const;
Expand Down
3 changes: 2 additions & 1 deletion clang/include/clang/Basic/Attr.td
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2229,7 +2229,8 @@ def TypeNullUnspecified : TypeAttr {
def CountedBy : DeclOrTypeAttr {
let Spellings = [Clang<"counted_by">];
let Subjects = SubjectList<[Field], ErrorDiag>;
let Args = [ExprArgument<"Count">, IntArgument<"NestedLevel">];
let Args = [ExprArgument<"Count">, IntArgument<"NestedLevel", 1>];
let LateParsed = LateAttrParseExperimentalExt;
let ParseArgumentsAsUnevaluated = 1;
let Documentation = [CountedByDocs];
let LangOpts = [COnly];
Expand Down
17 changes: 15 additions & 2 deletions clang/include/clang/Basic/DiagnosticSemaKinds.td
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6533,8 +6533,10 @@ def warn_superclass_variable_sized_type_not_at_end : Warning<

def err_flexible_array_count_not_in_same_struct : Error<
"'counted_by' field %0 isn't within the same struct as the flexible array">;
def err_counted_by_attr_not_on_flexible_array_member : Error<
"'counted_by' only applies to C99 flexible array members">;
def err_counted_by_attr_not_on_ptr_or_flexible_array_member : Error<
"'counted_by' only applies to pointers or C99 flexible array members">;
def err_counted_by_attr_on_array_not_flexible_array_member : Error<
"'counted_by' on arrays only applies to C99 flexible array members">;
def err_counted_by_attr_refer_to_itself : Error<
"'counted_by' cannot refer to the flexible array member %0">;
def err_counted_by_must_be_in_structure : Error<
Expand All @@ -6549,6 +6551,17 @@ def err_counted_by_attr_refer_to_union : Error<
"'counted_by' argument cannot refer to a union member">;
def note_flexible_array_counted_by_attr_field : Note<
"field %0 declared here">;
def err_counted_by_attr_pointee_unknown_size : Error<
"'counted_by' cannot be applied to %select{"
"a pointer with pointee|" // pointer
"an array with element}0" // array
" of unknown size because %1 is %select{"
"an incomplete type|" // CountedByInvalidPointeeTypeKind::INCOMPLETE
"a sizeless type|" // CountedByInvalidPointeeTypeKind::SIZELESS
"a function type|" // CountedByInvalidPointeeTypeKind::FUNCTION
Copy link
Collaborator

@bwendling bwendling May 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit confused why a function type is excluded. Isn't it just a pointer? @kees can correct me, but I think the point of counted_by on a pointer is that it could be a list of pointers, and we don't want to allow someone to access beyond that list:

struct s {
  int count;
  int *ptr __counted_by(count);
};

struct s *alloc(size_t num_elems) {
  struct s *p = malloc(sizeof(struct s));

  p->count = num_elems;
  p->ptr = calloc(num_elems, sizeof(int));
  return p;
}

If that's the case, then any pointer should be okay.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bwendling I was also confused by this initially. A "function type" and "function pointer type" are different. A function type doesn't have a size so we have to forbid it, but a function pointer does have a size (it's the size of a pointer).

Hopefully these examples illustrate the problem:

#define __counted_by(f)  __attribute__((counted_by(f)))

typedef void(fn_ty)(int);
typedef void(*fn_ptr_ty)(int);

struct a {
    int count;
    // Buffer of functions is invalid. A "function" has no size
    fn_ty* buffer __counted_by(count);
    fn_ptr_ty buffer2 __counted_by(count);
};

struct b {
    int count;
    // Valid: A buffer of function pointers is allowed
    fn_ty** buffer __counted_by(count);
    fn_ptr_ty* buffer2 __counted_by(count);
};

A similar thing exists for arrays. If you write this

struct c {
    fn_ty Arr[];
};

this produces the following error:

error: 'Arr' declared as array of functions of type 'fn_ty' (aka 'void (int)')
   22 |     fn_ty Arr[];
      |              ^

However these two struct definitions are allowed by clang:

struct d {
    fn_ty* Arr[];
};

struct e {
    fn_ptr_ty Arr2[];
};

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A "function type" and "function pointer type" are different.

Ah! my mistake. :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Side note: Given the above I expected pointer arithmetic on a function pointer to be forbidden but it's not...

typedef void(fn_ty)(int);
typedef void(*fn_ptr_ty)(int);

void test(fn_ty* fn) {
    fn(5); // ok
    // WHAT!?: How can pointer arithmetic be possible when the size of
    // the function isn't a defined thing...
    //
    // Turns out clang codegens this as if `sizeof(*fn) == 1`
    _Static_assert(sizeof(*fn) == 1, "oh boy...we're in for a wild ride");
    ++fn;
    // Let's jump somewhere into the function that's 1 byte along from the start.
    // what could possibly go wrong!?
    fn(5); // CRASH
    return;
}

It's fine to do pointer arithmetic on an array of function pointers though

typedef void(fn_ty)(int);
typedef void(*fn_ptr_ty)(int);
void do_something(int i) { printf("hello %d\n", i);}
void do_something2(int i) { printf("hello2 %d\n", i);}

fn_ptr_ty Funcs[] = { do_something, do_something2};

void test2(fn_ty** fn) {
    // fn == do_something
    (*fn)(5);
    ++fn;
    // Now fn == do_something2
    (*fn)(5);
    return;
}

int main(void) {
    test2(Funcs);
    return 0;
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that as long as it's a pointer we're okay, at least w.r.t. the counted_by attribute. We know the size of pointers at least. :-)

// CountedByInvalidPointeeTypeKind::FLEXIBLE_ARRAY_MEMBER
"a struct type with a flexible array member"
"}2">;

let CategoryName = "ARC Semantic Issue" in {

Expand Down
7 changes: 6 additions & 1 deletion clang/include/clang/Parse/Parser.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1645,6 +1645,8 @@ class Parser : public CodeCompletionHandler {
bool EnterScope, bool OnDefinition);
void ParseLexedAttribute(LateParsedAttribute &LA,
bool EnterScope, bool OnDefinition);
void ParseLexedCAttribute(LateParsedAttribute &LA,
ParsedAttributes *OutAttrs = nullptr);
void ParseLexedMethodDeclarations(ParsingClass &Class);
void ParseLexedMethodDeclaration(LateParsedMethodDeclaration &LM);
void ParseLexedMethodDefs(ParsingClass &Class);
Expand Down Expand Up @@ -2531,7 +2533,8 @@ class Parser : public CodeCompletionHandler {

void ParseStructDeclaration(
ParsingDeclSpec &DS,
llvm::function_ref<void(ParsingFieldDeclarator &)> FieldsCallback);
llvm::function_ref<Decl *(ParsingFieldDeclarator &)> FieldsCallback,
LateParsedAttrList *LateFieldAttrs = nullptr);

DeclGroupPtrTy ParseTopLevelStmtDecl();

Expand Down Expand Up @@ -3109,6 +3112,8 @@ class Parser : public CodeCompletionHandler {
SourceLocation ScopeLoc,
ParsedAttr::Form Form);

void DistributeCLateParsedAttrs(Decl *Dcl, LateParsedAttrList *LateAttrs);

void ParseBoundsAttribute(IdentifierInfo &AttrName,
SourceLocation AttrNameLoc, ParsedAttributes &Attrs,
IdentifierInfo *ScopeName, SourceLocation ScopeLoc,
Expand Down
3 changes: 2 additions & 1 deletion clang/include/clang/Sema/Sema.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11396,7 +11396,8 @@ class Sema final : public SemaBase {
QualType BuildMatrixType(QualType T, Expr *NumRows, Expr *NumColumns,
SourceLocation AttrLoc);

QualType BuildCountAttributedArrayType(QualType WrappedTy, Expr *CountExpr);
QualType BuildCountAttributedArrayOrPointerType(QualType WrappedTy,
Expr *CountExpr);

QualType BuildAddressSpaceAttr(QualType &T, LangAS ASIdx, Expr *AddrSpace,
SourceLocation AttrLoc);
Expand Down
10 changes: 10 additions & 0 deletions clang/lib/AST/Type.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -632,6 +632,16 @@ bool Type::isStructureType() const {
return false;
}

bool Type::isStructureTypeWithFlexibleArrayMember() const {
const auto *RT = getAs<RecordType>();
if (!RT)
return false;
const auto *Decl = RT->getDecl();
if (!Decl->isStruct())
return false;
return Decl->hasFlexibleArrayMember();
}

bool Type::isObjCBoxableRecordType() const {
if (const auto *RT = getAs<RecordType>())
return RT->getDecl()->hasAttr<ObjCBoxableAttr>();
Expand Down
104 changes: 97 additions & 7 deletions clang/lib/Parse/ParseDecl.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3288,6 +3288,19 @@ void Parser::ParseAlignmentSpecifier(ParsedAttributes &Attrs,
}
}

void Parser::DistributeCLateParsedAttrs(Decl *Dcl,
LateParsedAttrList *LateAttrs) {
assert(Dcl && "Dcl cannot be null");

if (!LateAttrs)
return;

for (auto *LateAttr : *LateAttrs) {
if (LateAttr->Decls.empty())
LateAttr->addDecl(Dcl);
}
}

/// Bounds attributes (e.g., counted_by):
/// AttrName '(' expression ')'
void Parser::ParseBoundsAttribute(IdentifierInfo &AttrName,
Expand Down Expand Up @@ -4825,13 +4838,14 @@ static void DiagnoseCountAttributedTypeInUnnamedAnon(ParsingDeclSpec &DS,
///
void Parser::ParseStructDeclaration(
ParsingDeclSpec &DS,
llvm::function_ref<void(ParsingFieldDeclarator &)> FieldsCallback) {
llvm::function_ref<Decl *(ParsingFieldDeclarator &)> FieldsCallback,
LateParsedAttrList *LateFieldAttrs) {

if (Tok.is(tok::kw___extension__)) {
// __extension__ silences extension warnings in the subexpression.
ExtensionRAIIObject O(Diags); // Use RAII to do this.
ConsumeToken();
return ParseStructDeclaration(DS, FieldsCallback);
return ParseStructDeclaration(DS, FieldsCallback, LateFieldAttrs);
}

// Parse leading attributes.
Expand Down Expand Up @@ -4896,10 +4910,12 @@ void Parser::ParseStructDeclaration(
}

// If attributes exist after the declarator, parse them.
MaybeParseGNUAttributes(DeclaratorInfo.D);
MaybeParseGNUAttributes(DeclaratorInfo.D, LateFieldAttrs);

// We're done with this declarator; invoke the callback.
FieldsCallback(DeclaratorInfo);
Decl *Field = FieldsCallback(DeclaratorInfo);
if (Field)
DistributeCLateParsedAttrs(Field, LateFieldAttrs);

// If we don't have a comma, it is either the end of the list (a ';')
// or an error, bail out.
Expand All @@ -4910,6 +4926,69 @@ void Parser::ParseStructDeclaration(
}
}

/// Finish parsing an attribute for which parsing was delayed.
/// This will be called at the end of parsing a class declaration
/// for each LateParsedAttribute. We consume the saved tokens and
/// create an attribute with the arguments filled in. We add this
/// to the Attribute list for the decl.
void Parser::ParseLexedCAttribute(LateParsedAttribute &LA,
ParsedAttributes *OutAttrs) {
// Create a fake EOF so that attribute parsing won't go off the end of the
// attribute.
Token AttrEnd;
AttrEnd.startToken();
AttrEnd.setKind(tok::eof);
AttrEnd.setLocation(Tok.getLocation());
AttrEnd.setEofData(LA.Toks.data());
LA.Toks.push_back(AttrEnd);

// Append the current token at the end of the new token stream so that it
// doesn't get lost.
LA.Toks.push_back(Tok);
PP.EnterTokenStream(LA.Toks, /*DisableMacroExpansion=*/true,
/*IsReinject=*/true);
// Drop the current token and bring the first cached one. It's the same token
// as when we entered this function.
ConsumeAnyToken(/*ConsumeCodeCompletionTok=*/true);

ParsedAttributes Attrs(AttrFactory);

assert(LA.Decls.size() <= 1 &&
"late field attribute expects to have at most one declaration.");

// Dispatch based on the attribute and parse it
const AttributeCommonInfo::Form ParsedForm = ParsedAttr::Form::GNU();
IdentifierInfo *ScopeName = nullptr;
const ParsedAttr::Kind AttrKind =
ParsedAttr::getParsedKind(&LA.AttrName, /*ScopeName=*/ScopeName,
/*SyntaxUsed=*/ParsedForm.getSyntax());
switch (AttrKind) {
case ParsedAttr::Kind::AT_CountedBy:
ParseBoundsAttribute(LA.AttrName, LA.AttrNameLoc, Attrs,
/*ScopeName=*/ScopeName, SourceLocation(),
/*Form=*/ParsedForm);
break;
default:
llvm_unreachable("Unhandled late parsed attribute");
}

for (auto *D : LA.Decls)
Actions.ActOnFinishDelayedAttribute(getCurScope(), D, Attrs);

// Due to a parsing error, we either went over the cached tokens or
// there are still cached tokens left, so we skip the leftover tokens.
while (Tok.isNot(tok::eof))
ConsumeAnyToken();

// Consume the fake EOF token if it's there
if (Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData())
ConsumeAnyToken();

if (OutAttrs) {
OutAttrs->takeAllFrom(Attrs);
}
}

/// ParseStructUnionBody
/// struct-contents:
/// struct-declaration-list
Expand All @@ -4933,6 +5012,11 @@ void Parser::ParseStructUnionBody(SourceLocation RecordLoc,
ParseScope StructScope(this, Scope::ClassScope|Scope::DeclScope);
Actions.ActOnTagStartDefinition(getCurScope(), TagDecl);

// `LateAttrParseExperimentalExtOnly=true` requests that only attributes
// marked with `LateAttrParseExperimentalExt` are late parsed.
LateParsedAttrList LateFieldAttrs(/*PSoon=*/false,
/*LateAttrParseExperimentalExtOnly=*/true);

// While we still have something to read, read the declarations in the struct.
while (!tryParseMisplacedModuleImport() && Tok.isNot(tok::r_brace) &&
Tok.isNot(tok::eof)) {
Expand Down Expand Up @@ -4983,18 +5067,19 @@ void Parser::ParseStructUnionBody(SourceLocation RecordLoc,
}

if (!Tok.is(tok::at)) {
auto CFieldCallback = [&](ParsingFieldDeclarator &FD) {
auto CFieldCallback = [&](ParsingFieldDeclarator &FD) -> Decl * {
// Install the declarator into the current TagDecl.
Decl *Field =
Actions.ActOnField(getCurScope(), TagDecl,
FD.D.getDeclSpec().getSourceRange().getBegin(),
FD.D, FD.BitfieldSize);
FD.complete(Field);
return Field;
};

// Parse all the comma separated declarators.
ParsingDeclSpec DS(*this);
ParseStructDeclaration(DS, CFieldCallback);
ParseStructDeclaration(DS, CFieldCallback, &LateFieldAttrs);
} else { // Handle @defs
ConsumeToken();
if (!Tok.isObjCAtKeyword(tok::objc_defs)) {
Expand Down Expand Up @@ -5035,7 +5120,12 @@ void Parser::ParseStructUnionBody(SourceLocation RecordLoc,

ParsedAttributes attrs(AttrFactory);
// If attributes exist after struct contents, parse them.
MaybeParseGNUAttributes(attrs);
MaybeParseGNUAttributes(attrs, &LateFieldAttrs);

// Late parse field attributes if necessary.
assert(!getLangOpts().CPlusPlus);
for (auto *LateAttr : LateFieldAttrs)
ParseLexedCAttribute(*LateAttr);

SmallVector<Decl *, 32> FieldDecls(TagDecl->fields());

Expand Down
10 changes: 6 additions & 4 deletions clang/lib/Parse/ParseObjc.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -780,16 +780,16 @@ void Parser::ParseObjCInterfaceDeclList(tok::ObjCKeywordKind contextKey,
}

bool addedToDeclSpec = false;
auto ObjCPropertyCallback = [&](ParsingFieldDeclarator &FD) {
auto ObjCPropertyCallback = [&](ParsingFieldDeclarator &FD) -> Decl * {
if (FD.D.getIdentifier() == nullptr) {
Diag(AtLoc, diag::err_objc_property_requires_field_name)
<< FD.D.getSourceRange();
return;
return nullptr;
}
if (FD.BitfieldSize) {
Diag(AtLoc, diag::err_objc_property_bitfield)
<< FD.D.getSourceRange();
return;
return nullptr;
}

// Map a nullability property attribute to a context-sensitive keyword
Expand Down Expand Up @@ -818,6 +818,7 @@ void Parser::ParseObjCInterfaceDeclList(tok::ObjCKeywordKind contextKey,
MethodImplKind);

FD.complete(Property);
return Property;
};

// Parse all the comma separated declarators.
Expand Down Expand Up @@ -2013,7 +2014,7 @@ void Parser::ParseObjCClassInstanceVariables(ObjCContainerDecl *interfaceDecl,
continue;
}

auto ObjCIvarCallback = [&](ParsingFieldDeclarator &FD) {
auto ObjCIvarCallback = [&](ParsingFieldDeclarator &FD) -> Decl * {
assert(getObjCDeclContext() == interfaceDecl &&
"Ivar should have interfaceDecl as its decl context");
// Install the declarator into the interface decl.
Expand All @@ -2024,6 +2025,7 @@ void Parser::ParseObjCClassInstanceVariables(ObjCContainerDecl *interfaceDecl,
if (Field)
AllIvarDecls.push_back(Field);
FD.complete(Field);
return Field;
};

// Parse all the comma separated declarators.
Expand Down
Loading