[UnsafeBufferUsage] Merge commit '0abf4975bbf1' from llvm.org/main into next

Conflicts:
      clang/lib/Analysis/UnsafeBufferUsage.cpp

The upstream commit no longer matches libc functions in namespaces,
unless the namespace is `::std`. This splits part of the downstream
test case `warn-unsafe-buffer-usage-libc-functions-interop.cpp` to
`warn-unsafe-buffer-usage-libc-functions-interop-annotated.cpp`, to
avoid having to use namespaces to disambiguate the overlapping function
definitions. Also changes some of the code surrounding the merge
conflict to align closer to upstream, (with no change in functionality).

rdar://157725434

Author: hnrklssn

clang/lib/Analysis/UnsafeBufferUsage.cpp

@@ -2840,58 +2840,65 @@ class UnsafeLibcFunctionCallGadget : public WarningGadget {
         Handler->ignoreUnsafeBufferInLibcCall(Stmt->getBeginLoc()))
       return false;
 
-    const CallExpr *Call = dyn_cast<CallExpr>(Stmt);
-
-    if (!Call)
+    auto *CE = dyn_cast<CallExpr>(Stmt);
+    if (!CE || !CE->getDirectCallee())
+      return false;
+    const auto *FD = dyn_cast<FunctionDecl>(CE->getDirectCallee());
+    if (!FD)
       return false;
 
-    const FunctionDecl *CalleeDecl =
-        dyn_cast_or_null<FunctionDecl>(Call->getCalleeDecl());
+    bool IsGlobalAndNotInAnyNamespace =
+        FD->isGlobal() && !FD->getEnclosingNamespaceContext()->isNamespace();
 
-    if (!CalleeDecl)
+    // A libc function must either be in the std:: namespace or a global
+    // function that is not in any namespace:
+    if (!FD->isInStdNamespace() && !IsGlobalAndNotInAnyNamespace)
       return false;
+
+    // TO_UPSTREAM(BoundsSafety) ON
     // If the call has a sole null-terminated argument, e.g., strlen,
     //  printf, atoi, we consider it safe:
-    if (hasNumArgs(Call, 1) && isNullTermPointer(Call->getArg(0), Ctx))
+    if (hasNumArgs(CE, 1) && isNullTermPointer(CE->getArg(0), Ctx))
       return false;
-    if (!hasAnyBoundsAttributes(CalleeDecl)) {
+    if (!hasAnyBoundsAttributes(FD)) {
       // Match a predefined unsafe libc function:
-      if (libc_func_matchers::isPredefinedUnsafeLibcFunc(*CalleeDecl)) {
-        Result.addNode(Tag, DynTypedNode::create(*Call));
+      if (libc_func_matchers::isPredefinedUnsafeLibcFunc(*FD)) {
+        Result.addNode(Tag, DynTypedNode::create(*CE));
         return true;
       }
     } // v*printf and sprintf functions are always unsafe regardless of whether
       // they have bounds annotations
+    // TO_UPSTREAM(BoundsSafety) OFF
 
     // Match a call to one of the `v*printf` functions  taking va-list, which
     // cannot be checked at compile-time:
-    if (libc_func_matchers::isUnsafeVaListPrintfFunc(*CalleeDecl)) {
-      Result.addNode(UnsafeVaListTag, DynTypedNode::create(*CalleeDecl));
-      Result.addNode(Tag, DynTypedNode::create(*Call));
+    if (libc_func_matchers::isUnsafeVaListPrintfFunc(*FD)) {
+      Result.addNode(Tag, DynTypedNode::create(*CE));
+      Result.addNode(UnsafeVaListTag, DynTypedNode::create(*FD));
       return true;
     }
 
     // Match a call to a `sprintf` function, which is never safe:
-    if (libc_func_matchers::isUnsafeSprintfFunc(*CalleeDecl)) {
-      Result.addNode(UnsafeSprintfTag, DynTypedNode::create(*CalleeDecl));
-      Result.addNode(Tag, DynTypedNode::create(*Call));
+    if (libc_func_matchers::isUnsafeSprintfFunc(*FD)) {
+      Result.addNode(Tag, DynTypedNode::create(*CE));
+      Result.addNode(UnsafeSprintfTag, DynTypedNode::create(*FD));
       return true;
     }
 
-    if (libc_func_matchers::isNormalPrintfFunc(*CalleeDecl)) {
+    if (libc_func_matchers::isNormalPrintfFunc(*FD)) {
       // Match a call to an `snprintf` function. And first two arguments of the
       // call (that describe a buffer) are not in safe patterns:
-      if (!hasAnyBoundsAttributes(CalleeDecl) &&
-          libc_func_matchers::hasUnsafeSnprintfBuffer(*Call, Ctx)) {
-        Result.addNode(UnsafeSizedByTag, DynTypedNode::create(*Call));
-        Result.addNode(Tag, DynTypedNode::create(*Call));
+      if (!hasAnyBoundsAttributes(FD) &&
+          libc_func_matchers::hasUnsafeSnprintfBuffer(*CE, Ctx)) {
+        Result.addNode(Tag, DynTypedNode::create(*CE));
+        Result.addNode(UnsafeSizedByTag, DynTypedNode::create(*CE));
         return true;
       }
       // Match a call to a `printf` function, which can be safe if
       // all arguments are null-terminated:
-      if (libc_func_matchers::hasUnsafePrintfStringArg(*Call, Ctx, Result,
+      if (libc_func_matchers::hasUnsafePrintfStringArg(*CE, Ctx, Result,
                                                        UnsafeStringTag)) {
-        Result.addNode(Tag, DynTypedNode::create(*Call));
+        Result.addNode(Tag, DynTypedNode::create(*CE));
         return true;
       }
     }

clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions-interop-annotated.cpp

@@ -0,0 +1,94 @@
+// RUN: %clang_cc1 -std=c++20 -Wno-all -Wunsafe-buffer-usage -Wno-error=bounds-safety-strict-terminated-by-cast\
+// RUN:            -verify -fexperimental-bounds-safety-attributes %s
+#include <ptrcheck.h>
+#include <stddef.h>
+
+typedef struct {} FILE;
+typedef struct {} va_list;
+
+namespace std {
+  template <typename T>
+  struct span {
+    T *data() const noexcept;
+    size_t size() const noexcept;
+    size_t size_bytes() const noexcept;
+    span<T> first(size_t count) const noexcept;
+    span<T> last(size_t count) const noexcept;
+    span<T> subspan(size_t offset, size_t count) const noexcept;
+    const T &operator[](const size_t idx) const;
+  };
+
+  template <typename CharT>
+  struct basic_string {
+    const CharT *data() const noexcept;
+    CharT *data() noexcept;
+    const CharT *c_str() const noexcept;
+    size_t size() const noexcept;
+    size_t length() const noexcept;
+  };
+
+  typedef basic_string<char> string;
+  typedef basic_string<wchar_t> wstring;
+}
+
+// For libc functions that have annotations,
+// `-Wunsafe-buffer-usage-in-libc-call` yields to the interoperation
+// warnings.
+
+// expected-note@+2{{consider using a safe container and passing '.data()' to the parameter 'dst' and '.size()' to its dependent parameter 'size' or 'std::span' and passing '.first(...).data()' to the parameter 'dst'}}
+// expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'src' and '.size()' to its dependent parameter 'size' or 'std::span' and passing '.first(...).data()' to the parameter 'src'}}
+void *memcpy(void * __sized_by(size) dst, const void * __sized_by(size) src, size_t size);
+size_t strlen( const char* __null_terminated str );
+// expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'buffer' and '.size()' to its dependent parameter 'buf_size' or 'std::span' and passing '.first(...).data()' to the parameter 'buffer'}}
+int snprintf( char* __counted_by(buf_size) buffer, size_t buf_size, const char* format, ... );
+// expected-note@+1 2{{consider using a safe container and passing '.data()' to the parameter 'buffer' and '.size()' to its dependent parameter 'buf_size' or 'std::span' and passing '.first(...).data()' to the parameter 'buffer'}}
+int snwprintf( wchar_t* __counted_by(buf_size) buffer, size_t buf_size, const wchar_t* format, ... );
+int vsnprintf( char* __counted_by(buf_size) buffer, size_t buf_size, const char* format, va_list va_args);
+
+// The '__counted_by(10)' is not a correct bounds annotation for
+// 'sprintf'. It is used to test that even if 'sprintf' has bounds
+// annotations, the function will still be warned against as 'sprintf'
+// can't be safe.
+int sprintf( char* __counted_by(10) buffer, const char* format, ... );
+
+void test(char * p, char * q, const char * str,
+	  const char * __null_terminated safe_str,
+	  char * __counted_by(n) safe_p,
+	  size_t n,
+	  char * __counted_by(10) safe_ten) {
+  memcpy(p, q, 10);                  // expected-warning2{{unsafe assignment to function parameter of count-attributed type}}
+  snprintf(p, 10, "%s", "hlo");      // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+
+  // We still warn about unsafe string pointer arguments to printfs:
+  snprintf(safe_p, n, "%s", str);  // expected-warning{{function 'snprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
+
+  memcpy(safe_p, safe_p, n);               // no warn
+  strlen(str);                             // expected-warning{{passing 'const char *' to parameter of incompatible type 'const char * __terminated_by(0)' (aka 'const char *') is an unsafe operation}}
+  snprintf(safe_p, n, "%s", "hlo");        // no warn
+  snprintf(safe_p, n, "%s", safe_str);     // no warn
+
+  // v-printf functions and sprintf are still warned about because
+  // they cannot be fully safe:
+  va_list vlist;
+  vsnprintf(safe_p, n, "%s", vlist); // expected-warning{{function 'vsnprintf' is unsafe}} expected-note{{'va_list' is unsafe}}
+  sprintf(safe_ten, "%s", safe_str);    // expected-warning{{function 'sprintf' is unsafe}} expected-note{{change to 'snprintf' for explicit bounds checking}}
+
+}
+
+void test_wchar(wchar_t * p, wchar_t * q, const wchar_t * wstr,
+	  const wchar_t * __null_terminated safe_wstr,
+	  wchar_t * __null_terminated nt_wstr,
+	  wchar_t * __counted_by(n) safe_p,
+	  wchar_t * __sized_by(n) sizedby_p,
+	  size_t n) {
+  std::wstring cxx_wstr;
+  std::span<wchar_t> cxx_wspan;
+
+  snwprintf(safe_p, n, L"%ls", safe_wstr);
+  snwprintf(cxx_wstr.data(), cxx_wstr.size(), cxx_wstr.c_str());
+  snwprintf(cxx_wspan.data(), cxx_wspan.size(), cxx_wspan.data()); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
+  snwprintf(p, n, L"%ls", safe_wstr); // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  snwprintf(sizedby_p, n, L"%ls", safe_wstr); // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  snwprintf(safe_p, n, L"%ls", wstr); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
+}
+

clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions-interop.cpp

@@ -31,80 +31,16 @@ namespace std {
   typedef basic_string<wchar_t> wstring;
 }
 
-namespace annotated_libc {
-  // For libc functions that have annotations,
-  // `-Wunsafe-buffer-usage-in-libc-call` yields to the interoperation
-  // warnings.
-
-// expected-note@+2{{consider using a safe container and passing '.data()' to the parameter 'dst' and '.size()' to its dependent parameter 'size' or 'std::span' and passing '.first(...).data()' to the parameter 'dst'}}
-// expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'src' and '.size()' to its dependent parameter 'size' or 'std::span' and passing '.first(...).data()' to the parameter 'src'}}
-void *memcpy(void * __sized_by(size) dst, const void * __sized_by(size) src, size_t size);
-size_t strlen( const char* __null_terminated str );
-// expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'buffer' and '.size()' to its dependent parameter 'buf_size' or 'std::span' and passing '.first(...).data()' to the parameter 'buffer'}}
-int snprintf( char* __counted_by(buf_size) buffer, size_t buf_size, const char* format, ... );
-// expected-note@+1 2{{consider using a safe container and passing '.data()' to the parameter 'buffer' and '.size()' to its dependent parameter 'buf_size' or 'std::span' and passing '.first(...).data()' to the parameter 'buffer'}}
-int snwprintf( wchar_t* __counted_by(buf_size) buffer, size_t buf_size, const wchar_t* format, ... );
-int vsnprintf( char* __counted_by(buf_size) buffer, size_t buf_size, const char* format, va_list va_args);
-
-// The '__counted_by(10)' is not a correct bounds annotation for
-// 'sprintf'. It is used to test that even if 'sprintf' has bounds
-// annotations, the function will still be warned against as 'sprintf'
-// can't be safe.
-int sprintf( char* __counted_by(10) buffer, const char* format, ... );
-
-void test(char * p, char * q, const char * str,
-	  const char * __null_terminated safe_str,
-	  char * __counted_by(n) safe_p,
-	  size_t n,
-	  char * __counted_by(10) safe_ten) {
-  memcpy(p, q, 10);                  // expected-warning2{{unsafe assignment to function parameter of count-attributed type}}
-  snprintf(p, 10, "%s", "hlo");      // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
-
-  // We still warn about unsafe string pointer arguments to printfs:
-  snprintf(safe_p, n, "%s", str);  // expected-warning{{function 'snprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
-
-  memcpy(safe_p, safe_p, n);               // no warn
-  strlen(str);                             // expected-warning{{passing 'const char *' to parameter of incompatible type 'const char * __terminated_by(0)' (aka 'const char *') is an unsafe operation}}
-  snprintf(safe_p, n, "%s", "hlo");        // no warn
-  snprintf(safe_p, n, "%s", safe_str);     // no warn
-
-  // v-printf functions and sprintf are still warned about because
-  // they cannot be fully safe:
-  va_list vlist;
-  vsnprintf(safe_p, n, "%s", vlist); // expected-warning{{function 'vsnprintf' is unsafe}} expected-note{{'va_list' is unsafe}}
-  sprintf(safe_ten, "%s", safe_str);    // expected-warning{{function 'sprintf' is unsafe}} expected-note{{change to 'snprintf' for explicit bounds checking}}
-
-}
-
-void test_wchar(wchar_t * p, wchar_t * q, const wchar_t * wstr,
-	  const wchar_t * __null_terminated safe_wstr,
-	  wchar_t * __null_terminated nt_wstr,
-	  wchar_t * __counted_by(n) safe_p,
-	  wchar_t * __sized_by(n) sizedby_p,
-	  size_t n) {
-  std::wstring cxx_wstr;
-  std::span<wchar_t> cxx_wspan;
-
-  snwprintf(safe_p, n, L"%ls", safe_wstr);
-  snwprintf(cxx_wstr.data(), cxx_wstr.size(), cxx_wstr.c_str());
-  snwprintf(cxx_wspan.data(), cxx_wspan.size(), cxx_wspan.data()); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
-  snwprintf(p, n, L"%ls", safe_wstr); // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
-  snwprintf(sizedby_p, n, L"%ls", safe_wstr); // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
-  snwprintf(safe_p, n, L"%ls", wstr); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
-}
-} // namespace annotated_libc
-
-namespace unannotated_libc {
-  // The -Wunsafe-buffer-usage analysis considers some printf
-  // functions safe, arguments are correctly annotated. Because these
-  // functions are harder to be changed to C++ equivalents.
+// The -Wunsafe-buffer-usage analysis considers some printf
+// functions safe, arguments are correctly annotated. Because these
+// functions are harder to be changed to C++ equivalents.
 int printf(const char*, ... );
 int fprintf (FILE*, const char*, ... );
 int snprintf( char*, size_t, const char*, ... );
 int snwprintf( wchar_t*, size_t, const wchar_t*, ... );
 int vsnprintf( char*, size_t, const char*, va_list va_args );
-  // It is convenient to accept functions like `strlen` or `atoi` when
-  // they take a __null_termianted argument.
+// It is convenient to accept functions like `strlen` or `atoi` when
+// they take a __null_termianted argument.
 size_t strlen( const char* );
 int atoi( const char* );
 
@@ -140,6 +76,5 @@ void test_wchar(const wchar_t * unsafe_wstr,
   snwprintf(cxx_wspan.data(), cxx_wspan.size(), cxx_wspan.data()); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
   snwprintf(sizedby_wp, n, safe_wstr); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{buffer pointer and size may not match}}
   snwprintf(safe_wp, n, unsafe_wstr); // expected-warning{{function 'snwprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
-
 }
-} // namespace unannotated_libc
+

clang/test/SemaCXX/warn-unsafe-buffer-usage-libc-functions.cpp

@@ -4,8 +4,16 @@
 // RUN:            -verify %s -x objective-c++
 // RUN: %clang_cc1 -std=c++20 -Wno-all -Wunsafe-buffer-usage-in-libc-call \
 // RUN:            -verify %s
+// RUN: %clang_cc1 -std=c++20 -Wno-all -Wunsafe-buffer-usage-in-libc-call \
+// RUN:            -verify %s -DTEST_STD_NS
 
 typedef struct {} FILE;
+typedef unsigned int size_t;
+
+#ifdef TEST_STD_NS
+namespace std {
+#endif
+
 void memcpy();
 void __asan_memcpy();
 void strcpy();
@@ -25,6 +33,11 @@ int sscanf(const char * buffer, const char * format, ... );
 int wprintf(const wchar_t* format, ... );
 int __asan_printf();
 
+#ifdef TEST_STD_NS
+} //namespace std
+using namespace std;
+#endif
+
 namespace std {
   template< class InputIt, class OutputIt >
   OutputIt copy( InputIt first, InputIt last,
@@ -64,10 +77,6 @@ namespace std {
 
   typedef basic_string_view<char> string_view;
   typedef basic_string_view<wchar_t> wstring_view;
-
-  // C function under std:
-  void memcpy();
-  void strcpy();
 }
 
 void f(char * p, char * q, std::span<char> s, std::span<char> s2) {
@@ -77,14 +86,16 @@ void f(char * p, char * q, std::span<char> s, std::span<char> s2) {
   aligned_char_ptr_t cp;
 
   memcpy();                   // expected-warning{{function 'memcpy' is unsafe}}
-  std::memcpy();              // expected-warning{{function 'memcpy' is unsafe}}
   __builtin_memcpy(p, q, 64); // expected-warning{{function '__builtin_memcpy' is unsafe}}
   __builtin___memcpy_chk(p, q, 8, 64);  // expected-warning{{function '__builtin___memcpy_chk' is unsafe}}
   __asan_memcpy();                      // expected-warning{{function '__asan_memcpy' is unsafe}}
   strcpy();                   // expected-warning{{function 'strcpy' is unsafe}}
-  std::strcpy();              // expected-warning{{function 'strcpy' is unsafe}}
   strcpy_s();                 // expected-warning{{function 'strcpy_s' is unsafe}}
   wcscpy_s();                 // expected-warning{{function 'wcscpy_s' is unsafe}}
+#ifdef TEST_STD_NS
+  std::strcpy();              // expected-warning{{function 'strcpy' is unsafe}}
+  std::memcpy();              // expected-warning{{function 'memcpy' is unsafe}}
+#endif
 
   /* Test printfs */
   fprintf((FILE*)p, "%s%d", p, *p);  // expected-warning{{function 'fprintf' is unsafe}} expected-note{{string argument is not guaranteed to be null-terminated}}
@@ -184,13 +195,59 @@ void ff(char * p, char * q, std::span<char> s, std::span<char> s2) {
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wunsafe-buffer-usage-in-libc-call"
   memcpy();
-  std::memcpy();
   __builtin_memcpy(p, q, 64);
   __builtin___memcpy_chk(p, q, 8, 64);
   __asan_memcpy();
   strcpy();
+#ifdef TEST_STD_NS
   std::strcpy();
+  std::memcpy();
+#endif
   strcpy_s();
   wcscpy_s();
 #pragma clang diagnostic pop
 }
+
+
+
+// functions not in global scope or std:: namespace are not libc
+// functions regardless of their names:
+struct StrBuff
+{
+  void strcpy();
+  void strcpy(char* dst);
+  void memcpy(void *dst, const void *src, size_t size);
+};
+
+namespace NS {
+  void strcpy();
+  void strcpy(char* dst);
+  void memcpy(void *dst, const void *src, size_t size);
+}
+
+namespace std {
+  // class methods even in std namespace cannot be libc functions:
+  struct LibC
+  {
+    void strcpy();
+    void strcpy(char* dst);
+    void memcpy(void *dst, const void *src, size_t size);
+  };
+}
+
+void test(StrBuff& str)
+{
+  char buff[64];
+  str.strcpy();
+  str.strcpy(buff);
+  str.memcpy(buff, buff, 64);
+  NS::strcpy();
+  NS::strcpy(buff);
+  NS::memcpy(buff, buff, 64);
+
+  std::LibC LibC;
+
+  LibC.strcpy();
+  LibC.strcpy(buff);
+  LibC.memcpy(buff, buff, 64);
+}