[C++ Safe Buffers][BoundsSafety] Fix that some interop diagnostics cannot be suppressed by __unsafe_buffer_usage_begin/end

ziqingluo-90 · ziqingluo-90 · commit 87da2d5058ff · 2025-03-06T17:39:27.000-08:00
The interop diagnostics emitted in Sema cannot be suppressed by
`#pragma clang unsafe_buffer_usage begin/end`.  This is because the
opt-out regions marked by those pragmas are stored in Preprocessor not
DiagnosticsEngine.  We need query both the Preprocessor and
DiagnosticsEngine to confirm if C++ Safe Buffers is enabled at a
location.  This commit fixes this problem.

(rdar://146438364)
diff --git a/clang/include/clang/Lex/Preprocessor.h b/clang/include/clang/Lex/Preprocessor.h
@@ -3019,6 +3019,11 @@ class Preprocessor {
   } LoadedSafeBufferOptOutMap;
 
 public:
+  // FIXME: The result of saving Safe Buffers opt-out regions in PP is that
+  // clang needs to check two places---PP and DiagnosticsEngine, in order to
+  // confirm if C++ Safe Buffers is enabled at a location.   This might not be
+  // ideal as developers can forget to check one of the places.
+  //
   /// \return true iff the given `Loc` is in a "-Wunsafe-buffer-usage" opt-out
   /// region.  This `Loc` must be a source location that has been pre-processed.
   bool isSafeBufferOptOut(const SourceManager&SourceMgr, const SourceLocation &Loc) const;
diff --git a/clang/include/clang/Sema/Sema.h b/clang/include/clang/Sema/Sema.h
@@ -1563,10 +1563,7 @@ class Sema final : public SemaBase {
 
   /// \return true iff `-Wunsafe-buffer-usage` is enabled for `Loc` and Bounds
   /// Safety attribute-only mode is on.
-  bool isCXXSafeBuffersBoundsSafetyInteropEnabledAt(SourceLocation Loc) const {
-    return LangOpts.CPlusPlus && LangOpts.isBoundsSafetyAttributeOnlyMode() &&
-           !Diags.isIgnored(diag::warn_unsafe_buffer_operation, Loc);
-  }
+  bool isCXXSafeBuffersBoundsSafetyInteropEnabledAt(SourceLocation Loc) const;
   /* TO_UPSTREAM(BoundsSafety) OFF */
 
   /// pragma clang section kind
diff --git a/clang/lib/Sema/Sema.cpp b/clang/lib/Sema/Sema.cpp
@@ -79,6 +79,20 @@
 using namespace clang;
 using namespace sema;
 
+/* TO_UPSTREAM(BoundsSafety) ON */
+bool Sema::isCXXSafeBuffersBoundsSafetyInteropEnabledAt(
+    SourceLocation Loc) const {
+  // Informations of '#pragma clang unsafe_buffer_usage begin/end' are stored
+  // Preprocessor.  So we need also check
+  // `getPreprocessor().isSafeBufferOptOut`.
+  bool NotSupressedByPragmas =
+      Loc.isInvalid() || !getPreprocessor().isSafeBufferOptOut(SourceMgr, Loc);
+  return LangOpts.CPlusPlus && LangOpts.isBoundsSafetyAttributeOnlyMode() &&
+         NotSupressedByPragmas &&
+         !Diags.isIgnored(diag::warn_unsafe_buffer_operation, Loc);
+}
+/* TO_UPSTREAM(BoundsSafety) OFF */
+
 SourceLocation Sema::getLocForEndOfToken(SourceLocation Loc, unsigned Offset) {
   return Lexer::getLocForEndOfToken(Loc, Offset, SourceMgr, LangOpts);
 }
diff --git a/clang/test/SemaCXX/warn-unsafe-buffer-usage-null-terminated.cpp b/clang/test/SemaCXX/warn-unsafe-buffer-usage-null-terminated.cpp
@@ -188,6 +188,37 @@ C test_class(char * cstr) {
   return {"hello", {}};
 }
 
+#pragma clang unsafe_buffer_usage begin
+void basics_suppressed(const char * cstr, size_t cstr_len, std::string cxxstr) {
+  const char * __null_terminated p = "hello";   // safe init
+
+  nt_parm(p);
+  nt_parm(get_nt(cstr, cstr_len));
+
+  const char * __null_terminated p2 = cxxstr.c_str(); // safe init
+  const char * __null_terminated p3;
+
+  p3 = cxxstr.c_str();         // safe assignment
+  p3 = "hello";                // safe assignment
+  p3 = p;                      // safe assignment
+  p3 = get_nt(cstr, cstr_len); // safe assignment
+
+  const char * __null_terminated p4 = cstr;  // warn
+
+  nt_parm(cstr);                             // warn
+  p4 = cstr;                                 // warn
+
+  std::string_view view{cxxstr};
+
+  p4 = view.data();                          // warn
+  nt_parm(view.data());                      // warn
+
+  const char * __null_terminated p5 = 0;                 // nullptr is ok
+  const char * __null_terminated p6 = (const char *)1;   // other integer literal is unsafe
+  // (non-0)-terminated pointer is NOT compatible with 'std::string::c_str':
+  const char * __terminated_by(42) p7 = cxxstr.c_str();
+}
+#pragma clang unsafe_buffer_usage end
 
 // Test input/output __null_terminated parameter.
 // expected-note@+1 {{candidate function not viable:}}
