
[-Wunsafe-buffer-usage] Support span creation from std::initializer_list and begin/end pairs #145311

Merged
merged 2 commits into from
Jun 25, 2025
40 changes: 35 additions & 5 deletions clang/lib/Analysis/UnsafeBufferUsage.cpp
Expand Up @@ -115,6 +115,10 @@ class MatchResult {
};
} // namespace

#define SIZED_CONTAINER_OR_VIEW_LIST \
"span", "array", "vector", "basic_string_view", "basic_string", \
"initializer_list",

// A `RecursiveASTVisitor` that traverses all descendants of a given node "n"
// except for those belonging to a different callable of "n".
class MatchDescendantVisitor : public DynamicRecursiveASTVisitor {
Expand Down Expand Up @@ -463,6 +467,8 @@ static bool areEqualIntegers(const Expr *E1, const Expr *E2, ASTContext &Ctx) {
// `N, M` are parameter indexes to the allocating element number and size.
// Sometimes, there is only one parameter index representing the total
// size.
// 7. `std::span<T>{x.begin(), x.end()}` where `x` is an object in the
// SIZED_CONTAINER_OR_VIEW_LIST.
static bool isSafeSpanTwoParamConstruct(const CXXConstructExpr &Node,
ASTContext &Ctx) {
assert(Node.getNumArgs() == 2 &&
Expand Down Expand Up @@ -560,6 +566,32 @@ static bool isSafeSpanTwoParamConstruct(const CXXConstructExpr &Node,
}
}
}
// Check form 7:
auto IsMethodCallToSizedObject = [](const Stmt *Node, StringRef MethodName) {
if (const auto *MC = dyn_cast<CXXMemberCallExpr>(Node)) {
const auto *MD = MC->getMethodDecl();
const auto *RD = MC->getRecordDecl();

if (RD && MD)
if (auto *II = RD->getDeclName().getAsIdentifierInfo();
II && RD->isInStdNamespace())
return llvm::is_contained({SIZED_CONTAINER_OR_VIEW_LIST},
II->getName()) &&
MD->getName() == MethodName;
}
return false;
};

if (IsMethodCallToSizedObject(Arg0, "begin") &&
IsMethodCallToSizedObject(Arg1, "end"))
return AreSameDRE(
// We know Arg0 and Arg1 are `CXXMemberCallExpr`s:
cast<CXXMemberCallExpr>(Arg0)
->getImplicitObjectArgument()
->IgnoreParenImpCasts(),
cast<CXXMemberCallExpr>(Arg1)
->getImplicitObjectArgument()
->IgnoreParenImpCasts());
return false;
}

Expand Down Expand Up @@ -1058,8 +1090,7 @@ static bool hasUnsafeSnprintfBuffer(const CallExpr &Node,
return false; // not an snprintf call

// Pattern 1:
static StringRef SizedObjs[] = {"span", "array", "vector",
"basic_string_view", "basic_string"};
static StringRef SizedObjs[] = {SIZED_CONTAINER_OR_VIEW_LIST};
Buf = Buf->IgnoreParenImpCasts();
Size = Size->IgnoreParenImpCasts();
if (auto *MCEPtr = dyn_cast<CXXMemberCallExpr>(Buf))
Expand Down Expand Up @@ -1826,9 +1857,8 @@ class DataInvocationGadget : public WarningGadget {
auto *method = cast<CXXMethodDecl>(callee);
if (method->getNameAsString() == "data" &&
method->getParent()->isInStdNamespace() &&
(method->getParent()->getName() == "span" ||
method->getParent()->getName() == "array" ||
method->getParent()->getName() == "vector"))
llvm::is_contained({SIZED_CONTAINER_OR_VIEW_LIST},
method->getParent()->getName()))
return true;
return false;
}
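Review bot: Reusing SIZED_CONTAINER_OR_VIEW_LIST in DataInvocationGadget (last hunk, lines replacing the span/array/vector comparison) widens that gadget to also flag `.data()` on `basic_string`, `basic_string_view` and `initializer_list`, a behaviour change the PR title does not mention; if intended it deserves a sentence in the description and a test, and if not the gadget should keep its own three-name list rather than the shared macro. In the form-7 hunk the new comment should state the restriction that AreSameDRE imposes, e.g. `// 7. std::span<T>{x.begin(), x.end()} where x is a plain variable reference (DeclRefExpr) to an object in SIZED_CONTAINER_OR_VIEW_LIST; member or element accesses such as Arr[0].begin() are not recognised and still warn.` Real `std::initializer_list` has no `data()` member, so that entry is presumably inert in the gadget — worth confirming. The earlier forms of isSafeSpanTwoParamConstruct start above this hunk.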
@@ -1,5 +1,7 @@
// RUN: %clang_cc1 -std=c++20 -Wno-all -Wunsafe-buffer-usage-in-container -verify %s

typedef unsigned int size_t;

namespace std {
template <class T> class span {
public:
Expand All @@ -16,6 +18,9 @@ namespace std {

template<class R>
constexpr span(R && range){};

T* begin() noexcept;
T* end() noexcept;
};


Expand All @@ -27,6 +32,37 @@ namespace std {
return &__x;
}

template <typename T, size_t N>
struct array {
T* begin() noexcept;
const T* begin() const noexcept;
T* end() noexcept;
const T* end() const noexcept;
size_t size() const noexcept;
T * data() const noexcept;
T& operator[](size_t n);
};

template<class T>
class initializer_list {
public:
size_t size() const noexcept;
const T* begin() const noexcept;
const T* end() const noexcept;
T * data() const noexcept;
};

template<typename T>
struct basic_string {
T *c_str() const noexcept;
T *data() const noexcept;
unsigned size();
const T* begin() const noexcept;
const T* end() const noexcept;
};

typedef basic_string<char> string;
typedef basic_string<wchar_t> wstring;
}

namespace irrelevant_constructors {
Expand Down Expand Up @@ -232,3 +268,27 @@ struct HoldsStdSpanAndNotInitializedInCtor {
: Ptr(P), Size(S)
{}
};

namespace test_begin_end {
struct Object {
int * begin();
int * end();
};
void safe_cases(std::span<int> Sp, std::array<int, 10> Arr, std::string Str, std::initializer_list<Object> Il) {
std::span<int>{Sp.begin(), Sp.end()};
std::span<int>{Arr.begin(), Arr.end()};
std::span<char>{Str.begin(), Str.end()};
std::span<Object>{Il.begin(), Il.end()};
}

void unsafe_cases(std::span<int> Sp, std::array<int, 10> Arr, std::string Str, std::initializer_list<Object> Il,
Object Obj) {
std::span<int>{Obj.begin(), Obj.end()}; // expected-warning {{the two-parameter std::span construction is unsafe as it can introduce mismatch between buffer size and the bound information}}
std::span<int>{Sp.end(), Sp.begin()}; // expected-warning {{the two-parameter std::span construction is unsafe as it can introduce mismatch between buffer size and the bound information}}
It is out of scope for this change but I wonder if we should change the warning message for a two-pointer constructor case.

My understanding is that it warns about the mismatch between the bound information of the constructed span and the actual buffer size. So I think the message is accurate regardless of how the span is constructed.

std::span<int>{Sp.begin(), Arr.end()}; // expected-warning {{the two-parameter std::span construction is unsafe as it can introduce mismatch between buffer size and the bound information}}
}

void unsupport_cases(std::array<Object, 10> Arr) {
std::span<int>{Arr[0].begin(), Arr[0].end()}; // expected-warning {{the two-parameter std::span construction is unsafe as it can introduce mismatch between buffer size and the bound information}}
}
}
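Review bot: The new unsafe_cases do not exercise what the AreSameDRE check actually guards, two distinct objects of the same type and a repeated iterator, e.g. `std::span<int>{Arr.begin(), Arr2.end()};` and `std::span<int>{Sp.begin(), Sp.begin()};` (both should carry the expected-warning), nor a container reached through a member such as `this->buf.begin()`, which the unsupport_cases block suggests still warns. `vector` and `basic_string_view` are on the new SIZED_CONTAINER_OR_VIEW_LIST but neither appears among the mock std types visible in this file, so the begin/end form is untested for them unless they are declared in a part of the file not shown here. The mock `std::initializer_list` declares a `data()` member the real class lacks; it is harmless for this test but could let a `.data()` test pass that cannot occur with the real header.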