Correctly determine bounds for predefined literals (#673)

Mandeep Singh Grang · Mandeep Singh Grang · commit 3faed9fc620b · 2019-09-27T15:57:19.000-07:00
Cherry-picked from commit 6252abb Correctly determine bounds for predefined literals. Section 6.4.2.2 of the C11 Standard defines predefined identifiers: the special identifier __func__ evaluates to a string that is the name of the current function. In clang, predefined identifiers are represented using the PredefinedExpr class, which wraps a string literal. The PredefinedExpr class evaluates to an lvalue that is the address of the string literal. To represent bounds information, follow the same pattern that we use for string literals:. Bind the result of the PredefinedExpr class to a temporary and use the temporary in the bounds of the expression. We considered having the class wrap a temporary expression, but that causes existing tests of predefined literals to break and requires more changes to the compiler logic for predefined expressions.
diff --git a/clang/lib/Sema/Sema.cpp b/clang/lib/Sema/Sema.cpp
@@ -518,11 +518,12 @@ ExprResult Sema::ImpCastExprToType(Expr *E, QualType Ty,
     E = Materialized.get();
   }
 
-  // For Checked C, create a temporary for string literal or compound literals
-  // for use during bounds checking.
+  // For Checked C, create a temporary for string literal, compound literals or
+  // predefined literals for use during bounds checking.
   if (Kind == CK_ArrayToPointerDecay && getLangOpts().CheckedC) {
     Expr *S = E->IgnoreParens();
-    if (isa<StringLiteral>(S) || isa<CompoundLiteralExpr>(S))
+    if (isa<StringLiteral>(S) || isa<CompoundLiteralExpr>(S) ||
+        isa<PredefinedExpr>(S))
       E = new (Context) CHKCBindTemporaryExpr(E);
   }
 
diff --git a/clang/lib/Sema/SemaBounds.cpp b/clang/lib/Sema/SemaBounds.cpp
@@ -759,6 +759,36 @@ namespace {
       return ExpandToRange(Base, BE);
     }
 
+    // Infer bounds for string literals.
+    BoundsExpr *InferBoundsForStringLiteral(Expr *E, StringLiteral *SL,
+                                            CHKCBindTemporaryExpr *Binding) {
+      // Use the number of characters in the string (excluding the null
+      // terminator) to calcaulte size.  Don't use the array type of the
+      // literal.  In unchecked scopes, the array type is unchecked and its
+      // size includes the null terminator.  It converts to an ArrayPtr that
+      // could be used to overwrite the null terminator.  We need to prevent
+      // this because literal strings may be shared and writeable, depending on
+      // the C implementation.
+      auto *Size = CreateIntegerLiteral(llvm::APInt(64, SL->getLength()));
+      auto *CBE =
+        new (Context) CountBoundsExpr(BoundsExpr::Kind::ElementCount,
+                                      Size, SourceLocation(),
+                                      SourceLocation());
+
+      auto PtrType = Context.getDecayedType(E->getType());
+
+      // For a string literal expression, we always bind the result of the
+      // expression to a temporary. We then use this temporary in the bounds
+      // expression for the string literal expression. Otherwise, a runtime
+      // bounds check based on accessing the predefined expression could be
+      // incorrect: the base value could be different for the lower and upper
+      // bounds.
+      auto *ArrLValue = CreateTemporaryUse(Binding);
+      auto *Base = CreateImplicitCast(PtrType,
+                                      CastKind::CK_ArrayToPointerDecay,
+                                      ArrLValue);
+      return ExpandToRange(Base, CBE);
+    }
 
     // Infer bounds for an lvalue.  The bounds determine whether
     // it is valid to access memory using the lvalue.  The bounds
@@ -879,6 +909,7 @@ namespace {
       case Expr::CHKCBindTemporaryExprClass: {
         CHKCBindTemporaryExpr *Binding = cast<CHKCBindTemporaryExpr>(E);
         Expr *SE = Binding->getSubExpr()->IgnoreParens();
+
         if (isa<CompoundLiteralExpr>(SE)) {
           BoundsExpr *BE = CreateBoundsForArrayType(E->getType());
           QualType PtrType = Context.getDecayedType(E->getType());
@@ -887,27 +918,15 @@ namespace {
                                           CastKind::CK_ArrayToPointerDecay,
                                           ArrLValue);
           return ExpandToRange(Base, BE);
-        } else if (StringLiteral *SL = dyn_cast<StringLiteral>(SE)) {
-          // Use the number of characters in the string (excluding the
-          // null terminator) to calcaulte size.  Don't use the
-          // array type of the literal.  In unchecked scopes, the array type is
-          // unchecked and its size includes the null terminator.  It converts
-          // to an ArrayPtr that could be used to overwrite the null terminator.
-          // We need to prevent this because literal strings may be shared and
-          // writeable, depending on the C implementation.
-          IntegerLiteral *Size = CreateIntegerLiteral(llvm::APInt(64, SL->getLength()));
-          CountBoundsExpr *CBE =
-             new (Context) CountBoundsExpr(BoundsExpr::Kind::ElementCount,
-                                           Size, SourceLocation(),
-                                           SourceLocation());
-          QualType PtrType = Context.getDecayedType(E->getType());
-          Expr *ArrLValue = CreateTemporaryUse(Binding);
-          Expr *Base = CreateImplicitCast(PtrType,
-                                          CastKind::CK_ArrayToPointerDecay,
-                                          ArrLValue);
-          return ExpandToRange(Base, CBE);
-        } else
-          return CreateBoundsAlwaysUnknown();
+        }
+
+        if (auto *SL = dyn_cast<StringLiteral>(SE))
+          return InferBoundsForStringLiteral(E, SL, Binding);
+
+        if (auto *PE = dyn_cast<PredefinedExpr>(SE)) {
+          auto *SL = PE->getFunctionName();
+          return InferBoundsForStringLiteral(E, SL, Binding);
+        }
       }
       default:
         return CreateBoundsAlwaysUnknown();
@@ -3647,4 +3666,4 @@ void Sema::WarnDynamicCheckAlwaysFails(const Expr *Condition) {
         << Condition->getSourceRange();
     }
   }
-}
+}
diff --git a/clang/lib/Sema/SemaExpr.cpp b/clang/lib/Sema/SemaExpr.cpp
@@ -3264,25 +3264,29 @@ ExprResult Sema::BuildPredefinedExpr(SourceLocation Loc,
     unsigned Length = Str.length();
 
     llvm::APInt LengthI(32, Length + 1);
+    // Get an array type for the string, according to C99 6.4.5.
+    CheckedArrayKind ArrayKind = IsCheckedScope() ?
+      CheckedArrayKind::NtChecked : CheckedArrayKind::Unchecked;
+
     if (IK == PredefinedExpr::LFunction || IK == PredefinedExpr::LFuncSig) {
       ResTy =
           Context.adjustStringLiteralBaseType(Context.WideCharTy.withConst());
       SmallString<32> RawChars;
       ConvertUTF8ToWideString(Context.getTypeSizeInChars(ResTy).getQuantity(),
                               Str, RawChars);
+
       ResTy = Context.getConstantArrayType(ResTy, LengthI, ArrayType::Normal,
-                                           /*IndexTypeQuals*/ 0);
+                                           /*IndexTypeQuals*/ 0, ArrayKind);
       SL = StringLiteral::Create(Context, RawChars, StringLiteral::Wide,
                                  /*Pascal*/ false, ResTy, Loc);
     } else {
       ResTy = Context.adjustStringLiteralBaseType(Context.CharTy.withConst());
       ResTy = Context.getConstantArrayType(ResTy, LengthI, ArrayType::Normal,
-                                           /*IndexTypeQuals*/ 0);
+                                           /*IndexTypeQuals*/ 0, ArrayKind);
       SL = StringLiteral::Create(Context, Str, StringLiteral::Ascii,
                                  /*Pascal*/ false, ResTy, Loc);
     }
   }
-
   return PredefinedExpr::Create(Context, Loc, ResTy, IK, SL);
 }
 
diff --git a/clang/test/CheckedC/inferred-bounds/predefined-literals.c b/clang/test/CheckedC/inferred-bounds/predefined-literals.c
@@ -0,0 +1,93 @@
+// Tests of inferred bounds for predefined literals like __func__, etc.
+//
+// RUN: %clang_cc1 -fdump-inferred-bounds %s | FileCheck %s
+// expected-no-diagnostics
+
+void f1() {
+// CHECK:      ImplicitCastExpr {{0x[0-9a-f]+}} '_Ptr<const char>' <BitCast>
+// CHECK-NEXT: |-Inferred SubExpr Bounds
+// CHECK-NEXT: | `-RangeBoundsExpr {{0x[0-9a-f]+}} 'NULL TYPE'
+// CHECK-NEXT: |   |-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *':'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT: |   | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT: |   `-BinaryOperator {{0x[0-9a-f]+}} 'const char *':'const char *' '+'
+// CHECK-NEXT: |     |-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *':'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT: |     | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT: |     `-IntegerLiteral {{0x[0-9a-f]+}} 'int' 2
+// CHECK-NEXT: `-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT:   `-CHKCBindTemporaryExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue
+// CHECK-NEXT:     `-PredefinedExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue __func__
+// CHECK-NEXT:       `-StringLiteral {{0x[0-9a-f]+}} 'const char [3]' lvalue "f1"
+  _Ptr<const char> s1 = __func__;
+}
+
+void f2(_Ptr<const char> s2);
+void f3() {
+// CHECK:      ImplicitCastExpr {{0x[0-9a-f]+}} '_Ptr<const char>' <BitCast>
+// CHECK-NEXT: |-Inferred SubExpr Bounds
+// CHECK-NEXT: | `-RangeBoundsExpr {{0x[0-9a-f]+}} 'NULL TYPE'
+// CHECK-NEXT: |   |-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *':'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT: |   | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT: |   `-BinaryOperator {{0x[0-9a-f]+}} 'const char *':'const char *' '+'
+// CHECK-NEXT: |     |-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *':'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT: |     | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT: |     `-IntegerLiteral {{0x[0-9a-f]+}} 'int' 2
+// CHECK-NEXT: `-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT:   `-CHKCBindTemporaryExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue
+// CHECK-NEXT:     `-PredefinedExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue __func__
+// CHECK-NEXT:       `-StringLiteral {{0x[0-9a-f]+}} 'const char [3]' lvalue "f3"
+  f2(__func__);
+}
+
+void f4() {
+// CHECK:      ImplicitCastExpr {{0x[0-9a-f]+}} '_Ptr<const char>' <BitCast>
+// CHECK-NEXT: |-Inferred SubExpr Bounds
+// CHECK-NEXT: | `-RangeBoundsExpr {{0x[0-9a-f]+}} 'NULL TYPE'
+// CHECK-NEXT: |   |-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *':'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT: |   | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT: |   `-BinaryOperator {{0x[0-9a-f]+}} 'const char *':'const char *' '+'
+// CHECK-NEXT: |     |-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *':'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT: |     | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT: |     `-IntegerLiteral {{0x[0-9a-f]+}} 'int' 2
+// CHECK-NEXT: `-ImplicitCastExpr {{0x[0-9a-f]+}} 'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT:   `-CHKCBindTemporaryExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue
+// CHECK-NEXT:     `-PredefinedExpr {{0x[0-9a-f]+}} 'const char [3]' lvalue __FUNCTION__
+// CHECK-NEXT:       `-StringLiteral {{0x[0-9a-f]+}} 'const char [3]' lvalue "f4"
+  _Ptr<const char> s4 = __FUNCTION__;
+}
+
+void f5() {
+// CHECK:      |-RangeBoundsExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}, col:{{[0-9]+}}> 'NULL TYPE'
+// CHECK-NEXT: | |-ImplicitCastExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> '_Array_ptr<const char>' <LValueToRValue>
+// CHECK-NEXT: | | `-DeclRefExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> '_Array_ptr<const char>' lvalue Var {{0x[0-9a-f]+}} 's5' '_Array_ptr<const char>'
+// CHECK-NEXT: | `-BinaryOperator {{0x[0-9a-f]+}} <col:{{[0-9]+}}, col:{{[0-9]+}}> '_Array_ptr<const char>' '+'
+// CHECK-NEXT: |   |-ImplicitCastExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> '_Array_ptr<const char>' <LValueToRValue>
+// CHECK-NEXT: |   | `-DeclRefExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> '_Array_ptr<const char>' lvalue Var {{0x[0-9a-f]+}} 's5' '_Array_ptr<const char>'
+// CHECK-NEXT: |   `-IntegerLiteral {{0x[0-9a-f]+}} <col:{{[0-9]+}}> 'int' 2
+// CHECK-NEXT: `-ImplicitCastExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> '_Array_ptr<const char>' <BitCast>
+// CHECK-NEXT:   `-ImplicitCastExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> 'const char *' <ArrayToPointerDecay>
+// CHECK-NEXT:     `-CHKCBindTemporaryExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> 'const char [3]' lvalue
+// CHECK-NEXT:       `-PredefinedExpr {{0x[0-9a-f]+}} <col:{{[0-9]+}}> 'const char [3]' lvalue __func__
+// CHECK-NEXT:         `-StringLiteral {{0x[0-9a-f]+}} <col:{{[0-9]+}}> 'const char [3]' lvalue "f5"
+  _Array_ptr<const char> s5 : bounds(s5, s5+ 2) = __func__;
+}
+
+char f6() {
+// CHECK:      ImplicitCastExpr {{0x[0-9a-f]+}} 'char' <LValueToRValue>
+// CHECK-NEXT: `-ArraySubscriptExpr {{0x[0-9a-f]+}} 'const char' lvalue
+// CHECK-NEXT:   |-Bounds Null-terminated read
+// CHECK-NEXT:   | `-RangeBoundsExpr {{0x[0-9a-f]+}} 'NULL TYPE'
+// CHECK-NEXT:   |   |-ImplicitCastExpr {{0x[0-9a-f]+}} '_Nt_array_ptr<const char>':'_Nt_array_ptr<const char>' <ArrayToPointerDecay>
+// CHECK-NEXT:   |   | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char _Nt_checked[3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT:   |   `-BinaryOperator {{0x[0-9a-f]+}} '_Nt_array_ptr<const char>':'_Nt_array_ptr<const char>' '+'
+// CHECK-NEXT:   |     |-ImplicitCastExpr {{0x[0-9a-f]+}} '_Nt_array_ptr<const char>':'_Nt_array_ptr<const char>' <ArrayToPointerDecay>
+// CHECK-NEXT:   |     | `-BoundsValueExpr {{0x[0-9a-f]+}} 'const char _Nt_checked[3]' lvalue _BoundTemporary {{0x[0-9a-f]+}}
+// CHECK-NEXT:   |     `-IntegerLiteral {{0x[0-9a-f]+}} 'int' 2
+// CHECK-NEXT:   |-ImplicitCastExpr {{0x[0-9a-f]+}} '_Nt_array_ptr<const char>' <ArrayToPointerDecay>
+// CHECK-NEXT:   | `-CHKCBindTemporaryExpr {{0x[0-9a-f]+}} 'const char _Nt_checked[3]' lvalue
+// CHECK-NEXT:   |   `-PredefinedExpr {{0x[0-9a-f]+}} 'const char _Nt_checked[3]' lvalue __func__
+// CHECK-NEXT:   |     `-StringLiteral {{0x[0-9a-f]+}} 'const char _Nt_checked[3]' lvalue "f6"
+// CHECK-NEXT:   `-IntegerLiteral {{0x[0-9a-f]+}} 'int' 100
+#pragma CHECKED_SCOPE ON
+  return __func__[100];
+#pragma CHECKED_SCOPE OFF
+}

Original file line number	Diff line number	Diff line change
`@@ -518,11 +518,12 @@ ExprResult Sema::ImpCastExprToType(Expr *E, QualType Ty,`
`518`	`518`	`E = Materialized.get();`
`519`	`519`	`}`
`520`	`520`
`521`		`- // For Checked C, create a temporary for string literal or compound literals`
`522`		`- // for use during bounds checking.`
	`521`	`+ // For Checked C, create a temporary for string literal, compound literals or`
	`522`	`+ // predefined literals for use during bounds checking.`
`523`	`523`	`if (Kind == CK_ArrayToPointerDecay && getLangOpts().CheckedC) {`
`524`	`524`	`Expr *S = E->IgnoreParens();`
`525`		`- if (isa<StringLiteral>(S) \|\| isa<CompoundLiteralExpr>(S))`
	`525`	`+ if (isa<StringLiteral>(S) \|\| isa<CompoundLiteralExpr>(S) \|\|`
	`526`	`+ isa<PredefinedExpr>(S))`
`526`	`527`	`E = new (Context) CHKCBindTemporaryExpr(E);`
`527`	`528`	`}`
`528`	`529`