[-Wunsafe-buffer-usage] Fix false positive when assigning in C++ class

patrykstefanski · patrykstefanski · commit aa7bdeddbbcb · 2025-11-12T09:23:04.000-08:00
Fix false positive when assigning to __counted_by() that is a class member. The analysis fails to see through `CXXThisExpr` and thinks we are assigning 2 different groups. This is caused by me, failing to copy/paste the updated version of `isSameMemberBase()`. ``` struct cb { int *__counted_by(count) p; size_t count; }; class struct_test { cb cb_; void set_cb(std::span<int> sp) { cb_.p = sp.data(); // warning: missing assignment to count cb_.count = sp.size(); // warning: missing assignment to p } }; ``` rdar://164535516 (cherry picked from commit 3cd72d6)
diff --git a/clang/lib/Analysis/UnsafeBufferUsage.cpp b/clang/lib/Analysis/UnsafeBufferUsage.cpp
@@ -5385,8 +5385,10 @@ static bool isSameMemberBase(const Expr *Self, const Expr *Other) {
 
     const auto *SelfICE = dyn_cast<ImplicitCastExpr>(Self);
     const auto *OtherICE = dyn_cast<ImplicitCastExpr>(Other);
-    if (SelfICE && OtherICE && SelfICE->getCastKind() == CK_LValueToRValue &&
-        OtherICE->getCastKind() == CK_LValueToRValue) {
+    if (SelfICE && OtherICE &&
+        SelfICE->getCastKind() == OtherICE->getCastKind() &&
+        (SelfICE->getCastKind() == CK_LValueToRValue ||
+         SelfICE->getCastKind() == CK_UncheckedDerivedToBase)) {
       Self = SelfICE->getSubExpr();
       Other = OtherICE->getSubExpr();
     }
@@ -5396,6 +5398,12 @@ static bool isSameMemberBase(const Expr *Self, const Expr *Other) {
     if (SelfDRE && OtherDRE)
       return SelfDRE->getDecl() == OtherDRE->getDecl();
 
+    if (isa<CXXThisExpr>(Self) && isa<CXXThisExpr>(Other)) {
+      // `Self` and `Other` should be evaluated at the same state so `this` must
+      // mean the same thing for both:
+      return true;
+    }
+
     const auto *SelfME = dyn_cast<MemberExpr>(Self);
     const auto *OtherME = dyn_cast<MemberExpr>(Other);
     if (!SelfME || !OtherME ||
diff --git a/clang/test/SemaCXX/warn-unsafe-buffer-usage-count-attributed-pointer-assignment.cpp b/clang/test/SemaCXX/warn-unsafe-buffer-usage-count-attributed-pointer-assignment.cpp
@@ -2,6 +2,7 @@
 
 #include <ptrcheck.h>
 #include <stddef.h>
+#include <stdint.h>
 
 namespace std {
 template <typename T> struct span {
@@ -26,6 +27,10 @@ struct cb_multi {
   size_t n;
 };
 
+struct cb_nested {
+  cb nested;
+};
+
 // Simple pointer and count
 
 void good_null(int *__counted_by(count) p, int count) {
@@ -118,6 +123,16 @@ void good_null_loop_if(int *__counted_by(count) p, int count) {
   }
 }
 
+void good_size_bytes_char(char *__counted_by(count) p, size_t count, std::span<char> sp) {
+  p = sp.data();
+  count = sp.size_bytes();
+}
+
+void good_size_bytes_void(void *__sized_by(size) p, size_t size, std::span<uint8_t> sp) {
+  p = sp.data();
+  size = sp.size_bytes();
+}
+
 // Simple pointer and count in struct
 
 void good_struct_self(cb *c) {
@@ -167,6 +182,54 @@ void good_struct_self_loop(cb *c) {
   }
 }
 
+void good_struct_nested_span(cb_nested *n, std::span<int> sp) {
+  n->nested.p = sp.data();
+  n->nested.count = sp.size();
+}
+
+void bad_struct_nested_span(cb_nested *n, std::span<int> sp, size_t unrelated_size) {
+  n->nested.p = sp.data(); // expected-warning{{unsafe assignment to count-attributed pointer}}
+  n->nested.count = unrelated_size;
+}
+
+class struct_test {
+  int *__counted_by(count_) data_;
+  size_t count_;
+  cb cb_;
+  cb_nested nested_;
+  cb *p_cb_;
+
+  void set_data(std::span<int> sp) {
+    data_ = sp.data();
+    count_ = sp.size();
+  }
+
+  void bad_set_data(std::span<int> sp) {
+    data_ = sp.data(); // expected-warning{{unsafe assignment to count-attributed pointer}}
+    count_ = 42;
+  }
+
+  void set_cb(std::span<int> sp) {
+    cb_.p = sp.data();
+    cb_.count = sp.size();
+  }
+
+  void bad_set_cb(std::span<int> sp) {
+    cb_.p = sp.data(); // expected-warning{{unsafe assignment to count-attributed pointer}}
+    cb_.count = 42;
+  }
+
+  void set_nested(std::span<int> sp) {
+    nested_.nested.p = sp.data();
+    nested_.nested.count = sp.size();
+  }
+
+  void set_p_cb(std::span<int> sp) {
+    p_cb_->p = sp.data();
+    p_cb_->count = sp.size();
+  }
+};
+
 // Pointer with multiple counts
 
 void bad_multicounts_span(int *__counted_by(a + b) p, size_t a, size_t b, std::span<int> sp) {
@@ -249,6 +312,16 @@ bool good_multicount_struct_realistic(cb_multi *cbm, std::span<int> sp, size_t s
   return true;
 }
 
+struct multicount_struct_test {
+  cb_multi multi_;
+
+  void set_multi(std::span<int> sp, size_t a, size_t b) {
+    multi_.p = sp.first(a * b).data();
+    multi_.m = a;
+    multi_.n = b;
+  }
+};
+
 // Multiple pointers
 
 void good_multiptr_span(int *__counted_by(count) p, int *__counted_by(count) q, size_t count, std::span<int> sp) {
@@ -552,6 +625,37 @@ void missing_struct_unrelated(cb *c, cb *d) {
   d->count = 0;   // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'p' missing}}
 }
 
+void missing_struct_nested_ptr(cb_nested *c) {
+  c->nested.count = 0; // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'p' missing}}
+}
+
+void missing_struct_nested_unrelated(cb_nested *c, cb_nested *d) {
+  c->nested.p = nullptr; // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'count' missing}}
+  d->nested.count = 0;   // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'p' missing}}
+}
+
+struct missing_struct_test {
+  cb cb_;
+  cb_nested nested_;
+
+  void set_cb_missing_ptr(std::span<int> sp) {
+    cb_.count = sp.size(); // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'p' missing}}
+  }
+
+  void set_cb_missing_count(std::span<int> sp) {
+    cb_.p = sp.data(); // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'count' missing}}
+  }
+
+  void set_nested_missing_ptr(std::span<int> sp) {
+    nested_.nested.count = sp.size(); // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'p' missing}}
+  }
+
+  void set_missing_unrelated(std::span<int> sp) {
+    cb_.p = sp.data();                // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'count' missing}}
+    nested_.nested.count = sp.size(); // expected-warning{{bounds-attributed group requires assigning 'count, p', assignments to 'p' missing}}
+  }
+};
+
 // Duplicated assignments
 
 void duplicated_ptr(int *__counted_by(count) p, int count) {
