
Merge from Microsoft 2021-09-08 #700

Merged
merged 11 commits into from
Sep 9, 2021

Conversation

@mattmccutchen-cci (Member) commented Sep 8, 2021

The important changes we want to start using or testing against:

The 3C regression tests pass. Do we care about running any other tests now, or can we just update them later as needed?

kkjeer and others added 10 commits August 27, 2021 15:54
* Add FunctionDeclaration and ReturnVal members to CheckBoundsDeclarations, and set the ReturnBounds member to the expanded return bounds

* Add ReturnStmt to the ProofStmtKind enum

* Do not check for free variables if E1 or E2 is a _Return_value expression

* Add ProveReturnBoundsValidity method

* Add diagnostic note messages for declared and inferred return bounds

* Add DiagnoseUnknownReturnBounds method

* Add ValidateReturnBounds method

* Validate the return value bounds in CheckReturnStmt

* Change return values in bounds-decl-checking test to avoid return value bounds checking errors

* Mark the 3C test files functionDeclEnd.c and itype_nt_arr_cast.c as XFAIL

See checkedc-clang issue 1147. These tests should be updated to avoid the compiler errors that arise due to functions in these test files returning expressions with unknown bounds. Once these test files are updated, they should no longer be marked as XFAIL.

* Add return-bounds.c test file containing some initial tests for checking return value bounds

* Change 2 return values in dump-dataflow-facts.c test in order to avoid return bounds checking compiler errors

* Add bounds-safe interface test cases to return-bounds.c

* Fix the logic for recording equality between RetExpr and ReturnVal by using the set of expressions that produce the same value as RetExpr

* Add tests for bounds casts to return-bounds.c

* Add tests for function calls to return-bounds.c

* Add no warnings/errors test case for expanded declared return bounds

* Skip checking return bounds in an unchecked scope, for functions with a bounds-safe interface, for return values that have not been implicitly converted to an unchecked pointer

* Update return bounds tests (add more tests for bounds-safe interfaces)

* Enable 3C/itype_nt_arr_cast.c test

* Add checked/unchecked scope comments to 3C/functionDeclEnd.c test

* Change test7 in functionDeclEnd.c to infer a valid bound

The purpose of this function was to test function declaration rewriting
for itype array pointers declared with bounds but without an explicit
itype. This is equally well tested when a correct bound is inferred for
the parameter array.

(Matt: Remove the XFAIL now that the test is fixed.)

(cherry picked from commit 57d31d2)

Co-authored-by: John Kastner <[email protected]>
… unmodified (checkedc#1170)

* Add FunctionDeclaration and ReturnVal members to CheckBoundsDeclarations, and set the ReturnBounds member to the expanded return bounds

(cherry picked from commit ec74226)

* Add error and note messages for checking parameters used in return bounds

* Add UpdateReturnBoundsAfterAssignment method

* Add tests for checking parameters used in return bounds

* Remove unused Src parameter

* Rename UpdateReturnBoundsAfterAssignment to CheckIfLValueIsUsedInReturnBounds
…1169)

* Add LValuesAssignedChecked member to CheckedState

LValuesAssignedChecked contains AbstractSets representing lvalues expressions that have unchecked pointer type that were assigned a checked pointer during the current top-level statement (if the statement is in an unchecked scope). AbstractSets in LValuesAssignedChecked should have their bounds validated after checking the current statement.

* Add SkipBoundsValidation method

* Remove expected error for lvalue with a bounds-safe interface in an unchecked scope

* Put declaration of short int with declared bounds in a checked scope so it results in a warning

* Update unchecked pointer inverse test so there is a checked pointer with declared bounds

* Add tests for validating the bounds of an unchecked pointer with a bounds-safe interface

* Add test for assigning a checked array to p

* Add tests for an integer-typed variable with declared bounds

* Fix expected warning to work on both Windows and Linux

* Fix typo in comment

* Return the Bounds argument from ReplaceLValueInBounds if Bounds is unknown or any

* Only store the first expression with unknown bounds assigned to an lvalue in A

Only update BlameAssignments and UnknownSrcBounds if the assignment actually changed the bounds of LValueAbstractSet

* Remove expected note about the expression 'b' with unknown bounds assigned to 'a'

* Add test to bounds-decl-checking.c testing notes for multiple assignments

* Add tests for bounds warnings

* Support variadic function calls in checked scope

We add support for calling variadic functions in checked scope. These are
functions like printf, scanf, etc that take a format string and have a variable
number of arguments. We implement checking of arguments to these functions.
Following is a list of some important checks that we implement in checked scope
for these functions:

- check that the argument corresponding to the %s format specifier is a
  null-terminated array.
- all warnings emitted by the -Wformat family of flags have been converted to
  errors in checked scope.

* Allow only certain printf/scanf like functions in checked scope
…tions (checkedc#1180)
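The %s rule described in the commit above, as an added plain-C illustration that is not part of this PR or of checkedc-clang: a checked scope requires the %s argument to be a null-terminated array at compile time; this run-time analogue refuses to format a buffer unless a NUL lies inside its declared length, and shows the bounded %.*s fallback for buffers with no such guarantee. The names is_nul_terminated, format_checked, format_bounded and the sample buffers are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if buf holds a NUL terminator within its first len bytes: the
   property a checked scope requires statically of a %s argument
   (a null-terminated array), checked here at run time instead. */
bool is_nul_terminated(const char *buf, size_t len) {
    return buf != NULL && memchr(buf, '\0', len) != NULL;
}

/* Strict analogue of the checked-scope rule: refuse (-1) to hand buf to a
   %s conversion unless the terminator is inside its declared bounds. */
int format_checked(char *out, size_t outlen, const char *buf, size_t len) {
    if (!is_nul_terminated(buf, len))
        return -1;
    return snprintf(out, outlen, "name=%s", buf);
}

/* Bounded alternative for buffers that are not guaranteed to be
   null-terminated: a %.*s precision stops at len even with no NUL. */
int format_bounded(char *out, size_t outlen, const char *buf, size_t len) {
    if (buf == NULL)
        return -1;
    return snprintf(out, outlen, "name=%.*s", (int)len, buf);
}

/* Constructed sample buffers. */
static const char good[8] = "abc";                /* NUL at index 3 */
static const char bad[4]  = {'a', 'b', 'c', 'd'}; /* no NUL in bounds */

int demo_checked_good(void) { char out[32]; return format_checked(out, sizeof out, good, sizeof good); }
int demo_checked_bad(void)  { char out[32]; return format_checked(out, sizeof out, bad, sizeof bad); }
int demo_bounded_bad(void)  { char out[32]; return format_bounded(out, sizeof out, bad, sizeof bad); }

int main(void) {
    printf("checked/good=%d checked/bad=%d bounded/bad=%d\n",
           demo_checked_good(), demo_checked_bad(), demo_bounded_bad());
    return 0;
}
```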

Some -Wformat error messages are different between linux and windows systems.
We separate out the common tests in variadic-functions.c. The windows-specific
tests are in variadic-functions-win.c and the non-windows tests are in
variadic-functions-non-win.c.
…edc#1156)

Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…dc#1176)

* Add TargetBounds argument to UpdateAfterAssignment

* Update comments to include pointer dereferences and array subscripts

* Add LValueAbstractSet argument to UpdateBoundsAfterAssignment

* Use the AbstractSet's representative to record equality if LValue belongs to an AbstractSet

* Add EmitDeclaredBoundsNote method

* Remove requirement that A->GetDecl() must exist from validation methods

* Update bounds widening warning comment

* Add ExprUtil::IsDereferenceOrSubscript method

* Visit pointer dereferences and array subscripts in FindLValueHelper

* Visit pointer dereferences and array subscripts in LValueCountHelper

* Transform pointer dereference and array subscripts in ReplaceLValueHelper

* Update increment/decrement tests for pointer dereferences/array subscripts in bounds-context.c

* Add initial test file pointer-dereference-bounds for bounds checking pointer dereferences and array subscripts

* PreorderAST: the canonical form of e1[e2] is *(e1 + e2 + 0), not *(e1 + e2)

* Add tests for updating dereference and array subscript expressions used in return bounds

* Use ExprUtil::IsDereferenceOrSubscript to check for dereference/array subscript expressions in UpdateAfterAssignment

* Add more tests to pointer-dereference-bounds.c

* Synthesize member expressions that depend on lvalues that use a member expression to update memory

* Add tests for synthesizing member expressions that depend on dereferenced member expressions to pointer-dereference-bounds.c

* Add tests for synthesizing member expressions whose bounds depend on dereferenced/subscripted member expressions to synthesized-members.c

* Add test for bounds-safe interface typed dereferences

* Remove else before returns in ReplaceLValueHelper
)

* For a synthesized AbstractSet A containing a member expression, only set the observed bounds of A to its target bounds if it does not already have observed bounds recorded

* Add tests for multiple (comma-separated) assignments to member expressions

* Update comment

@john-h-kastner (Collaborator) left a comment


Looks good. I think the bounds checking changes should help with our porting process.

@mattmccutchen-cci mattmccutchen-cci merged commit c88031e into main Sep 9, 2021
@mattmccutchen-cci mattmccutchen-cci deleted the merge-from-microsoft-20210908 branch September 9, 2021 16:58