[BoundsSafety] Add warning diagnostics for uses of legacy bounds checks

delcypher · delcypher · commit 871ae815df44 · 2025-06-06T13:15:31.000-07:00
This adds warning diagnostics when any of the new bounds checks that can
be enabled with `-fbounds-safety-bringup-missing-checks=batch_0` are
disabled.

If all bounds checks in the batch are disabled a single diagnostic is
emitted. If only some of the bounds checks in the batch are disabled
then a diagnostic is emitted for each disabled bounds check.

The current implementation supports there being multple batches of
checks. However, there is currently only one batch (`batch_0`).

Unfortunately I've discovered these diagnostics don't respect `-Werror`
or `-Wno-bounds-safety-legacy-checks-enabled`. Fixing that is
out-of-scope for this patch and is tracked by rdar://152730261.

The intention is to make these warnings be errors eventually.

rdar://150805550
diff --git a/clang/include/clang/Basic/DiagnosticFrontendKinds.td b/clang/include/clang/Basic/DiagnosticFrontendKinds.td
@@ -402,6 +402,25 @@ def warn_bounds_safety_adoption_mode_ignored : Warning<
   "-fbounds-safety-adoption-mode without -fbounds-safety is "
   "ignored">,
   InGroup<BoundsSafetyAdoptionModeIgnored>;
+
+def warn_bounds_safety_new_checks_none : Warning<
+  "compiling with legacy -fbounds-safety bounds checks is deprecated;"
+  " compile with -fbounds-safety-bringup-missing-checks=%0 to use the "
+  "new bound checks">,
+  InGroup<BoundsSafetyLegacyChecksEnabled>;
+def warn_bounds_safety_new_checks_mixed : Warning<
+  "compiling with \"%select{"
+    "access_size|" // BS_CHK_AccessSize
+    "indirect_count_update|" // BS_CHK_IndirectCountUpdate
+    "return_size|" // BS_CHK_ReturnSize
+    "ended_by_lower_bound|" // BS_CHK_EndedByLowerBound
+    "compound_literal_init|" // BS_CHK_CompoundLiteralInit
+    "libc_attributes|" // BS_CHK_LibCAttributes
+    "array_subscript_agg" // BS_CHK_ArraySubscriptAgg
+  "}0\" bounds check disabled is deprecated;"
+  " compile with -fbounds-safety-bringup-missing-checks=%1 to enable the "
+  "new bound checks">,
+  InGroup<BoundsSafetyLegacyChecksEnabled>;
 // TO_UPSTREAM(BoundsSafety) OFF
 
 let CategoryName = "Instrumentation Issue" in {
diff --git a/clang/include/clang/Basic/DiagnosticGroups.td b/clang/include/clang/Basic/DiagnosticGroups.td
@@ -1670,6 +1670,8 @@ def BoundsSafetyStrictTerminatedByCast
     : DiagGroup<"bounds-safety-strict-terminated-by-cast">;
 def BoundsSafetyCountAttrArithConstantCount :
   DiagGroup<"bounds-safety-externally-counted-ptr-arith-constant-count">;
+def BoundsSafetyLegacyChecksEnabled :
+  DiagGroup<"bounds-safety-legacy-checks-enabled">;
 // TO_UPSTREAM(BoundsSafety) OFF
 
 // -fbounds-safety and bounds annotation related warnings
diff --git a/clang/include/clang/Basic/LangOptions.h b/clang/include/clang/Basic/LangOptions.h
@@ -454,6 +454,8 @@ class LangOptionsBase {
     BS_CHK_CompoundLiteralInit = 1 << 4, // rdar://110871666
     BS_CHK_LibCAttributes = 1 << 5,      // rdar://84733153
     BS_CHK_ArraySubscriptAgg = 1 << 6,   // rdar://145020583
+
+    BS_CHK_MaxMask = BS_CHK_ArraySubscriptAgg,
   };
   using BoundsSafetyNewChecksMaskIntTy =
       std::underlying_type_t<BoundsSafetyNewChecks>;
diff --git a/clang/lib/Frontend/CompilerInvocation.cpp b/clang/lib/Frontend/CompilerInvocation.cpp
@@ -3961,6 +3961,78 @@ static StringRef GetInputKindName(InputKind IK) {
   llvm_unreachable("unknown input language");
 }
 
+/* TO_UPSTREAM(BoundsSafety) ON*/
+static void DiagnoseDisabledBoundsSafetyChecks(const LangOptions &Opts,
+                                               DiagnosticsEngine &Diags) {
+  struct BoundsCheckBatch {
+    const char *Name;
+    LangOptionsBase::BoundsSafetyNewChecksMaskIntTy Checks;
+  };
+
+  // Batches of checks should be ordered with newest first
+  BoundsCheckBatch Batches[] = {
+      // We deliberately don't include `all` here because that batch
+      // isn't stable over time (unlike batches like `batch_0`) so we
+      // don't want to suggest users start using it.
+      {"batch_0", LangOptions::getBoundsSafetyNewChecksMaskForGroup("batch_0")},
+      {"none", LangOptions::BS_CHK_None}};
+
+  ArrayRef<BoundsCheckBatch> BatchesAR(Batches);
+  LangOptionsBase::BoundsSafetyNewChecksMaskIntTy DiagnosedDisabledChecks =
+      LangOptions::BS_CHK_None;
+
+  // Loop over all batches except "none"
+  for (size_t BatchIdx = 0; BatchIdx < BatchesAR.size() - 1; ++BatchIdx) {
+    auto ChecksInCurrentBatch = BatchesAR[BatchIdx].Checks;
+    auto ChecksInOlderBatch = BatchesAR[BatchIdx + 1].Checks;
+    auto ChecksInCurrentBatchOnly = ChecksInCurrentBatch & ~ChecksInOlderBatch;
+
+    if ((Opts.BoundsSafetyBringUpMissingChecks & ChecksInCurrentBatchOnly) ==
+        ChecksInCurrentBatchOnly)
+      continue; // All checks in batch are enabled. Nothing to diagnose.
+
+    // Diagnose disabled bounds checks
+
+    if ((Opts.BoundsSafetyBringUpMissingChecks & ChecksInCurrentBatchOnly) ==
+        0) {
+      // None of the checks in the current batch are enabled. Diagnose this
+      // once for all the checks in the batch.
+      if ((DiagnosedDisabledChecks & ChecksInCurrentBatchOnly) !=
+          ChecksInCurrentBatchOnly) {
+        Diags.Report(diag::warn_bounds_safety_new_checks_none)
+            << BatchesAR[BatchIdx].Name;
+        DiagnosedDisabledChecks |= ChecksInCurrentBatchOnly;
+        continue;
+      }
+      continue;
+    }
+
+    // Some (but not all) checks are disabled in the current batch. Iterate over
+    // each check in the batch and emit a diagnostic for each disabled check
+    // in the batch.
+    assert(ChecksInCurrentBatch > 0);
+    auto FirstCheckInBatch = 1 << __builtin_ctz(ChecksInCurrentBatch);
+    for (size_t CheckBit = FirstCheckInBatch;
+         CheckBit <= LangOptions::BS_CHK_MaxMask; CheckBit <<= 1) {
+      assert(CheckBit != 0);
+      if ((CheckBit & ChecksInCurrentBatch) == 0)
+        continue; // Check not in batch
+
+      if (Opts.BoundsSafetyBringUpMissingChecks & CheckBit)
+        continue; // Check is active
+
+      // Diagnose disabled check
+      if (!(DiagnosedDisabledChecks & CheckBit)) {
+        size_t CheckNumber = __builtin_ctz(CheckBit);
+        Diags.Report(diag::warn_bounds_safety_new_checks_mixed)
+            << CheckNumber << BatchesAR[BatchIdx].Name;
+        DiagnosedDisabledChecks |= CheckBit;
+      }
+    }
+  }
+}
+/* TO_UPSTREAM(BoundsSafety) OFF*/
+
 void CompilerInvocationBase::GenerateLangArgs(const LangOptions &Opts,
                                               ArgumentConsumer Consumer,
                                               const llvm::Triple &T,
@@ -4609,6 +4681,8 @@ bool CompilerInvocation::ParseLangArgs(LangOptions &Opts, ArgList &Args,
     }
     if (!SupportsBoundsSafety)
       Diags.Report(diag::error_bounds_safety_lang_not_supported);
+
+    DiagnoseDisabledBoundsSafetyChecks(Opts, Diags);
   }
 
   bool IsBoundsSafetyAttributesExplicitlyDisabled =
diff --git a/clang/test/BoundsSafety/Frontend/bounds-safety-bringup-missing-chekcs-disabled.c b/clang/test/BoundsSafety/Frontend/bounds-safety-bringup-missing-chekcs-disabled.c
@@ -0,0 +1,103 @@
+// =============================================================================
+// All checks on
+// =============================================================================
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all -fsyntax-only %s -verify=all
+
+// all-no-diagnostics
+
+// =============================================================================
+// batch_0 on
+// =============================================================================
+
+// RUN: %clang_cc1 -fbounds-safety -fsyntax-only %s -verify=batch_0
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=batch_0 -fsyntax-only %s -verify=batch_0
+
+// batch_0-no-diagnostics
+
+// =============================================================================
+// All checks off
+// =============================================================================
+
+// RUN: %clang_cc1 -fbounds-safety -fno-bounds-safety-bringup-missing-checks=all -fsyntax-only %s -verify=none
+
+// none-warning@*{{compiling with legacy -fbounds-safety bounds checks is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to use the new bound checks}}
+
+
+// =============================================================================
+// one check off
+// =============================================================================
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all   -fno-bounds-safety-bringup-missing-checks=access_size -fsyntax-only %s -verify=as-off
+// as-off-warning@*{{compiling with "access_size" bounds check disabled is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to enable the new bound checks}}
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all   -fno-bounds-safety-bringup-missing-checks=indirect_count_update -fsyntax-only %s -verify=icu-off
+// icu-off-warning@*{{compiling with "indirect_count_update" bounds check disabled is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to enable the new bound checks}}
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all   -fno-bounds-safety-bringup-missing-checks=return_size -fsyntax-only %s -verify=rs-off
+// rs-off-warning@*{{compiling with "return_size" bounds check disabled is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to enable the new bound checks}}
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all   -fno-bounds-safety-bringup-missing-checks=ended_by_lower_bound -fsyntax-only %s -verify=eblb-off
+// eblb-off-warning@*{{compiling with "ended_by_lower_bound" bounds check disabled is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to enable the new bound checks}}
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all   -fno-bounds-safety-bringup-missing-checks=compound_literal_init -fsyntax-only %s -verify=cli-off
+// cli-off-warning@*{{compiling with "compound_literal_init" bounds check disabled is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to enable the new bound checks}}
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all   -fno-bounds-safety-bringup-missing-checks=libc_attributes -fsyntax-only %s -verify=libca-off
+// libca-off-warning@*{{compiling with "libc_attributes" bounds check disabled is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to enable the new bound checks}}
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all   -fno-bounds-safety-bringup-missing-checks=array_subscript_agg -fsyntax-only %s -verify=asa-off
+// asa-off-warning@*{{compiling with "array_subscript_agg" bounds check disabled is deprecated; compile with -fbounds-safety-bringup-missing-checks=batch_0 to enable the new bound checks}}
+
+// =============================================================================
+// two checks off
+// =============================================================================
+
+// Don't be exhaustive to keep this test case smaller
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=access_size \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=indirect_count_update \
+// RUN:   -fsyntax-only %s -verify=as-off,icu-off
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=access_size \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=return_size \
+// RUN:   -fsyntax-only %s -verify=as-off,rs-off
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=access_size \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=ended_by_lower_bound \
+// RUN:   -fsyntax-only %s -verify=as-off,eblb-off
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=access_size \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=compound_literal_init \
+// RUN:   -fsyntax-only %s -verify=as-off,cli-off
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=access_size \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=libc_attributes \
+// RUN:   -fsyntax-only %s -verify=as-off,libca-off
+
+// RUN: %clang_cc1 -fbounds-safety -fbounds-safety-bringup-missing-checks=all \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=access_size \
+// RUN:   -fno-bounds-safety-bringup-missing-checks=array_subscript_agg \
+// RUN:   -fsyntax-only %s -verify=as-off,asa-off
+
+
+// =============================================================================
+// Check the diagnostics can be made into errors
+// =============================================================================
+
+// FIXME: This doesn't work right now because
+// `TextDiagnosticBuffer::FlushDiagnostics` doesn't preserve diagnostic IDs when
+// flushing diagnostics (rdar://152730261)
+
+// =============================================================================
+// Check the diagnostics can be suppressed
+// =============================================================================
+
+// FIXME: This doesn't work right now because
+// `TextDiagnosticBuffer::FlushDiagnostics` doesn't preserve diagnostic IDs when
+// flushing diagnostics (rdar://152730261)
