[BoundsSafety] Delay processing of bounds attrs in templates #9929
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hnrklssn
added
the
clang:bounds-safety
| @@ -3485,6 +3485,9 @@ namespace clang { | |||
|
|
|||
| void DynamicCountPointerAssignmentAnalysis::run() { | |||
| AnalysisDeclContext AC(/* AnalysisDeclContextManager */ nullptr, dcl); | |||
| if (isa<TemplateDecl>(dcl)) // delay processing until template has been | |||
| // instantiated | |||
| return; | |||
There was a problem hiding this comment.
How does it work? Will DynamicCountPointerAssignmentAnalysis::run be called again when dcl is instantiated?
There was a problem hiding this comment.
Yes, a new function decl will be created for the instantiated version and all the normal analyses will be run over it
There was a problem hiding this comment.
Is this sufficient? We could have dependent expressions when the declaration itself is not templated:
- Non-templated method of a templated struct referencing the template argument
- Lambda inside a templated function referencing the template argument
- Method of a non-templated struct nested inside a templated struct referencing the outer struct's template argument
There was a problem hiding this comment.
Changed to an isTemplated call instead
There was a problem hiding this comment.
Dumb question: what's the difference between using isTemplated and isDependentContext() to rule out templates?
There was a problem hiding this comment.
isTemplated covers some extra cases:
bool Decl::isTemplated() const {
// A declaration is templated if it is a template or a template pattern, or
// is within (lexcially for a friend or local function declaration,
// semantically otherwise) a dependent context.
if (auto *AsDC = dyn_cast<DeclContext>(this))
return AsDC->isDependentContext();
auto *DC = getFriendObjectKind() || isLocalExternDecl()
? getLexicalDeclContext() : getDeclContext();
return DC->isDependentContext() || isTemplateDecl() ||
getDescribedTemplateParams();
}
|
CC @ziqingluo-90 since we were discussing templates recently. |
|
@swift-ci please test |
|
@swift-ci please test llvm |
patrykstefanski
approved these changes
Feb 3, 2025
Xazax-hun
reviewed
Feb 5, 2025
| @@ -3485,6 +3485,9 @@ namespace clang { | |||
|
|
|||
| void DynamicCountPointerAssignmentAnalysis::run() { | |||
| AnalysisDeclContext AC(/* AnalysisDeclContextManager */ nullptr, dcl); | |||
| if (isa<TemplateDecl>(dcl)) // delay processing until template has been | |||
| // instantiated | |||
| return; | |||
There was a problem hiding this comment.
Is this sufficient? We could have dependent expressions when the declaration itself is not templated:
- Non-templated method of a templated struct referencing the template argument
- Lambda inside a templated function referencing the template argument
- Method of a non-templated struct nested inside a templated struct referencing the outer struct's template argument
clang/lib/Sema/SemaDeclAttr.cpp
Outdated
| static void handlePtrCountedByEndedByAttr(Sema &S, Decl *D, | ||
| const ParsedAttr &AL) { | ||
| unsigned Level; | ||
| if (!S.checkUInt32Argument(AL, AL.getArgAsExpr(1), Level)) | ||
| return; | ||
|
|
||
| if (D->getDescribedTemplate() || S.CurContext->isDependentContext()) { |
There was a problem hiding this comment.
Same question here, wondering if this is sufficient for non-templated entities nested in templates.
There was a problem hiding this comment.
Also replaced with a call to isTemplated
hnrklssn
force-pushed
the
bounds-safety-value-dependence
branch
from
427922f to
9858ef7
Compare
|
@swift-ci please test llvm |
|
@swift-ci please smoke test |
|
Just curious: will you allow |
This is currently ignored. I think it's related to how these attributes are completely ignored in casts, even C-style casts. I don't have any plans to fix this right now, but I do think that it would be good to get there eventually. |
|
@swift-ci please test llvm |
|
@swift-ci please smoke test |
Dynamic bounds attributes do not handle value dependent arguments. To enable wider interop with C++ code bases we delay the processing of these attributes inside templated contexts. Instead we apply the new type while instantiating the function. One issue with this approach is that instantiation happens after parsing is finished, and the Scope information we use to prevent attributes from referring to arguments from outer scopes is only available during parsing. These diagnostics were emitted at the end of the type processing. In templated contexts we instead perform that analysis during parsing, and delay the rest of the processing. To avoid churn in unrelated tests the rest of the attributes keep their processing as is, until we've investigated what impact hoisting it would have on the user experience.
This analysis is now done after inserting BoundsCheckExpr, so we need to peek through them to emit these warnings where we previously only had a BoundsSafetyPointerCast.
hnrklssn
force-pushed
the
bounds-safety-value-dependence
branch
from
6cabde8 to
8510657
Compare
|
@swift-ci please test |
|
windows failure seems unrelated |
|
@swift-ci please test llvm |
delcypher
pushed a commit
to delcypher/apple-llvm-project
that referenced
this pull request
May 22, 2025
This is a cherry-pick of change that was landed to `stable/20240723` (swiftlang#9929) but not landed on the `next` branch. Aside from resolving merge conflicts it was also necessary to modify the `clang/test/BoundsSafety/(AST|Sema)/value-dependence.cpp` tests because they fail to work when the new bounds checks are enabled (rdar://150044760). To workaround that the test has been made to disable the new `return_size` bounds check when `-fbounds-safety` is enabled with C++. --- * [BoundsSafety] Delay processing of bounds attrs in templates Dynamic bounds attributes do not handle value dependent arguments. To enable wider interop with C++ code bases we delay the processing of these attributes inside templated contexts. Instead we apply the new type while instantiating the function. One issue with this approach is that instantiation happens after parsing is finished, and the Scope information we use to prevent attributes from referring to arguments from outer scopes is only available during parsing. These diagnostics were emitted at the end of the type processing. In templated contexts we instead perform that analysis during parsing, and delay the rest of the processing. To avoid churn in unrelated tests the rest of the attributes keep their processing as is, until we've investigated what impact hoisting it would have on the user experience. Conflicts: clang/include/clang/Sema/Sema.h clang/lib/Sema/SemaDecl.cpp clang/lib/Sema/SemaTemplateInstantiateDecl.cpp clang/test/SemaCXX/warn-unsafe-buffer-usage-count-attributed-pointer-argument.cpp rdar://150694971 (cherry picked from commit c87bc75)
delcypher
pushed a commit
that referenced
this pull request
May 23, 2025
This is a cherry-pick of change that was landed to `stable/20240723` (#9929) but not landed on the `next` branch. Aside from resolving merge conflicts it was also necessary to modify the `clang/test/BoundsSafety/(AST|Sema)/value-dependence.cpp` tests because they fail to work when the new bounds checks are enabled (rdar://150044760). To workaround that the test has been made to disable the new `return_size` bounds check when `-fbounds-safety` is enabled with C++. --- * [BoundsSafety] Delay processing of bounds attrs in templates Dynamic bounds attributes do not handle value dependent arguments. To enable wider interop with C++ code bases we delay the processing of these attributes inside templated contexts. Instead we apply the new type while instantiating the function. One issue with this approach is that instantiation happens after parsing is finished, and the Scope information we use to prevent attributes from referring to arguments from outer scopes is only available during parsing. These diagnostics were emitted at the end of the type processing. In templated contexts we instead perform that analysis during parsing, and delay the rest of the processing. To avoid churn in unrelated tests the rest of the attributes keep their processing as is, until we've investigated what impact hoisting it would have on the user experience. Conflicts: clang/include/clang/Sema/Sema.h clang/lib/Sema/SemaDecl.cpp clang/lib/Sema/SemaTemplateInstantiateDecl.cpp clang/test/SemaCXX/warn-unsafe-buffer-usage-count-attributed-pointer-argument.cpp rdar://150694971 (cherry picked from commit c87bc75)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dynamic bounds attributes do not handle value dependent arguments. To enable wider interop with C++ code bases we delay the processing of these attributes inside templated contexts. Instead we apply the new type while instantiating the function.
One issue with this approach is that instantiation happens after parsing is finished, and the Scope information we use to prevent attributes from referring to arguments from outer scopes is only available during parsing. These diagnostics were emitted at the end of the type processing. In templated contexts we instead perform that analysis during parsing, and delay the rest of the processing. To avoid churn in unrelated tests the rest of the attributes keep their processing as is, until we've investigated what impact hoisting it would have on the user experience.