[clang] Support for read-only types

MalavikaSamak · ziqingluo-90 · commit 399ca50133f2 · 2022-12-21T14:41:06.000-08:00
The main goal of this work is to allow developers to express the need to place instances of a class or structure in the read-only part of the program memory. Such a placement is desirable to prevent any further modifications to the instances of a given structure, by leveraging the read-only run time protection. To achieve this, we are introducing a new attribute that can be attached to any record definition or a declaration. The compiler enforces that every instance of this type can be placed in the read-only segment of the program memory, provided the target triplet supports such a placement. If an instance of a given type bearing this attribute doesn’t satisfy such a placement, the compiler attaches an appropriate warning at suitable program locations. In other words, adding this attribute to a type requires every instance of this type to be a global const, which are placed in the read-only segments for most target triplets. However, this is *not a language feature* and it *need not* be true for *all target triplets*. The current patch emits a warning at global variable declaration sites of types bearing the attribute without const qualification and corresponding note attached to the type definition/declaration. Differential Revision: https://reviews.llvm.org/D135851 (cherry picked from commit 678ded0)
diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst
@@ -418,6 +418,11 @@ Attribute Changes in Clang
   used ``201904L`` (the date the proposal was seen by the committee) by mistake.
   There were no other changes to the attribute behavior.
 
+- Introduced a new record declaration attribute ``__attribute__((enforce_read_only_placement))``
+  to support analysis of instances of a given type focused on read-only program
+  memory placement. It emits a warning if something in the code provably prevents
+  an instance from a read-only memory placement.
+
 Windows Support
 ---------------
 - For the MinGW driver, added the options ``-mguard=none``, ``-mguard=cf`` and
diff --git a/clang/include/clang/Basic/Attr.td b/clang/include/clang/Basic/Attr.td
@@ -4145,3 +4145,8 @@ def FunctionReturnThunks : InheritableAttr,
   let Subjects = SubjectList<[Function]>;
   let Documentation = [FunctionReturnThunksDocs];
 }
+def ReadOnlyPlacement : InheritableAttr {
+  let Spellings = [Clang<"enforce_read_only_placement">];
+  let Subjects = SubjectList<[Record]>;
+  let Documentation = [ReadOnlyPlacementDocs];
+}
diff --git a/clang/include/clang/Basic/AttrDocs.td b/clang/include/clang/Basic/AttrDocs.td
@@ -6910,3 +6910,42 @@ The symbol used for ``thunk-extern`` is target specific:
 As such, this function attribute is currently only supported on X86 targets.
   }];
 }
+
+def ReadOnlyPlacementDocs : Documentation {
+  let Category = DocCatType;
+  let Content = [{This attribute is attached to a structure, class or union declaration.
+  When attached to a record declaration/definition, it checks if all instances
+  of this type can be placed in the read-only data segment of the program. If it
+  finds an instance that can not be placed in a read-only segment, the compiler
+  emits a warning at the source location where the type was used.
+
+  Examples:
+  * ``struct __attribute__((enforce_read_only_placement)) Foo;``
+  * ``struct __attribute__((enforce_read_only_placement)) Bar { ... };``
+
+  Both ``Foo`` and ``Bar`` types have the ``enforce_read_only_placement`` attribute.
+
+  The goal of introducing this attribute is to assist developers with writing secure
+  code. A ``const``-qualified global is generally placed in the read-only section
+  of the memory that has additional run time protection from malicious writes. By
+  attaching this attribute to a declaration, the developer can express the intent
+  to place all instances of the annotated type in the read-only program memory.
+
+  Note 1: The attribute doesn't guarantee that the object will be placed in the
+  read-only data segment as it does not instruct the compiler to ensure such
+  a placement. It emits a warning if something in the code can be proven to prevent
+  an instance from being placed in the read-only data segment.
+
+  Note 2: Currently, clang only checks if all global declarations of a given type 'T'
+  are ``const``-qualified. The following conditions would also prevent the data to be
+  put into read only segment, but the corresponding warnings are not yet implemented.
+
+  1. An instance of type ``T`` is allocated on the heap/stack.
+  2. Type ``T`` defines/inherits a mutable field.
+  3. Type ``T`` defines/inherits non-constexpr constructor(s) for initialization.
+  4. A field of type ``T`` is defined by type ``Q``, which does not bear the
+     ``enforce_read_only_placement`` attribute.
+  5. A type ``Q`` inherits from type ``T`` and it does not have the
+     ``enforce_read_only_placement`` attribute.
+  }];
+}
diff --git a/clang/include/clang/Basic/DiagnosticGroups.td b/clang/include/clang/Basic/DiagnosticGroups.td
@@ -1396,3 +1396,6 @@ def BranchProtection : DiagGroup<"branch-protection">;
 // HLSL diagnostic groups
 // Warnings for HLSL Clang extensions
 def HLSLExtension : DiagGroup<"hlsl-extensions">;
+
+// Warnings and notes related to const_var_decl_type attribute checks
+def ReadOnlyPlacementChecks : DiagGroup<"read-only-types">;
diff --git a/clang/include/clang/Basic/DiagnosticSemaKinds.td b/clang/include/clang/Basic/DiagnosticSemaKinds.td
@@ -5744,6 +5744,12 @@ def err_new_abi_tag_on_redeclaration : Error<
 def note_use_ifdef_guards : Note<
   "unguarded header; consider using #ifdef guards or #pragma once">;
 
+def warn_var_decl_not_read_only : Warning<
+  "object of type %0 cannot be placed in read-only memory">,
+  InGroup<ReadOnlyPlacementChecks>;
+def note_enforce_read_only_placement : Note<"type was declared read-only here">;
+
+
 def note_deleted_dtor_no_operator_delete : Note<
   "virtual destructor requires an unambiguous, accessible 'operator delete'">;
 def note_deleted_special_member_class_subobject : Note<
diff --git a/clang/lib/Sema/SemaDecl.cpp b/clang/lib/Sema/SemaDecl.cpp
@@ -7380,6 +7380,36 @@ static void copyAttrFromTypedefToDecl(Sema &S, Decl *D, const TypedefType *TT) {
   }
 }
 
+// This function emits warning and a corresponding note based on the
+// ReadOnlyPlacementAttr attribute. The warning checks that all global variable
+// declarations of an annotated type must be const qualified.
+void emitReadOnlyPlacementAttrWarning(Sema &S, const VarDecl *VD) {
+  QualType VarType = VD->getType().getCanonicalType();
+
+  // Ignore local declarations (for now) and those with const qualification.
+  // TODO: Local variables should not be allowed if their type declaration has
+  // ReadOnlyPlacementAttr attribute. To be handled in follow-up patch.
+  if (!VD || VD->hasLocalStorage() || VD->getType().isConstQualified())
+    return;
+
+  if (VarType->isArrayType()) {
+    // Retrieve element type for array declarations.
+    VarType = S.getASTContext().getBaseElementType(VarType);
+  }
+
+  const RecordDecl *RD = VarType->getAsRecordDecl();
+
+  // Check if the record declaration is present and if it has any attributes.
+  if (RD == nullptr)
+    return;
+
+  if (const auto *ConstDecl = RD->getAttr<ReadOnlyPlacementAttr>()) {
+    S.Diag(VD->getLocation(), diag::warn_var_decl_not_read_only) << RD;
+    S.Diag(ConstDecl->getLocation(), diag::note_enforce_read_only_placement);
+    return;
+  }
+}
+
 NamedDecl *Sema::ActOnVariableDeclarator(
     Scope *S, Declarator &D, DeclContext *DC, TypeSourceInfo *TInfo,
     LookupResult &Previous, MultiTemplateParamsArg TemplateParamLists,
@@ -8044,6 +8074,8 @@ NamedDecl *Sema::ActOnVariableDeclarator(
   if (IsMemberSpecialization && !NewVD->isInvalidDecl())
     CompleteMemberSpecialization(NewVD, Previous);
 
+  emitReadOnlyPlacementAttrWarning(*this, NewVD);
+
   return NewVD;
 }
 
diff --git a/clang/lib/Sema/SemaDeclAttr.cpp b/clang/lib/Sema/SemaDeclAttr.cpp
@@ -8561,6 +8561,9 @@ ProcessDeclAttribute(Sema &S, Scope *scope, Decl *D, const ParsedAttr &AL,
   case ParsedAttr::AT_X86ForceAlignArgPointer:
     handleX86ForceAlignArgPointerAttr(S, D, AL);
     break;
+  case ParsedAttr::AT_ReadOnlyPlacement:
+    handleSimpleAttribute<ReadOnlyPlacementAttr>(S, D, AL);
+    break;
   case ParsedAttr::AT_DLLExport:
   case ParsedAttr::AT_DLLImport:
     handleDLLAttr(S, D, AL);
diff --git a/clang/test/Misc/pragma-attribute-supported-attributes-list.test b/clang/test/Misc/pragma-attribute-supported-attributes-list.test
@@ -155,6 +155,7 @@
 // CHECK-NEXT: PatchableFunctionEntry (SubjectMatchRule_function, SubjectMatchRule_objc_method)
 // CHECK-NEXT: Pointer (SubjectMatchRule_record_not_is_union)
 // CHECK-NEXT: RandomizeLayout (SubjectMatchRule_record)
+// CHECK-NEXT: ReadOnlyPlacement (SubjectMatchRule_record)
 // CHECK-NEXT: ReleaseHandle (SubjectMatchRule_variable_is_parameter)
 // CHECK-NEXT: RenderScriptKernel (SubjectMatchRule_function)
 // CHECK-NEXT: ReqdWorkGroupSize (SubjectMatchRule_function)
diff --git a/clang/test/Sema/attr-read-only-placement.cpp b/clang/test/Sema/attr-read-only-placement.cpp
@@ -0,0 +1,170 @@
+// RUN: %clang_cc1 -Wread-only-types %s -verify -fsyntax-only
+// RUN: %clang_cc1 -std=c++2a -Wread-only-types %s -verify -fsyntax-only
+// RUN: %clang_cc1 -std=c++17 -Wread-only-types %s -verify -fsyntax-only
+
+struct __attribute__((enforce_read_only_placement)) A { // #A_DECL
+};
+
+A a1; // expected-warning {{object of type 'A' cannot be placed in read-only memory}}
+      // expected-note@#A_DECL {{type was declared read-only here}}
+const A a2[10]; // no-warning
+A a3[20]; // expected-warning {{object of type 'A' cannot be placed in read-only memory}}
+          // expected-note@#A_DECL {{type was declared read-only here}}
+
+
+
+struct B;
+struct __attribute__((enforce_read_only_placement)) B { //#B_DECL
+};
+
+B b1; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}
+      // expected-note@#B_DECL {{type was declared read-only here}}
+const B b2; // no-warning
+const B b3[4]; // no-warning
+B b4[5]; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}
+         // expected-note@#B_DECL {{type was declared read-only here}}
+B b5[5][5]; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}
+            // expected-note@#B_DECL {{type was declared read-only here}}
+B b10[5][5][5]; // expected-warning {{object of type 'B' cannot be placed in read-only memory}}
+                // expected-note@#B_DECL {{type was declared read-only here}}
+
+void method1() {
+    static const B b6;
+    static B b7;// expected-warning {{object of type 'B' cannot be placed in read-only memory}}
+                // expected-note@#B_DECL {{type was declared read-only here}}
+    B b8; // no-warning
+    const B b9; // no-warning
+}
+
+struct C;
+struct __attribute__((enforce_read_only_placement)) C; // expected-note {{type was declared read-only here}}
+struct C { // no-note. The note should be attached to the definition/declaration bearing the attribute
+};
+
+C c1; // expected-warning {{object of type 'C' cannot be placed in read-only memory}}
+
+// Cases to be handled by the follow-up patches.
+
+// Attaching and checking the attribute in reverse, where the attribute is attached after the
+// type definition
+struct D;
+struct D { //expected-note{{previous definition is here}}
+};
+struct __attribute__((enforce_read_only_placement)) D; // #3
+                // expected-warning@#3{{attribute declaration must precede definition}}
+
+D d1; // We do not  emit a warning here, as there is another warning for declaring
+      // a type after the definition
+
+
+// Cases where the attribute must be explicitly attached to another type
+// Case 1: Inheriting from a type that has the attribute
+struct E : C { // FIXME: warn the user declarations of type `E`, that extends `C`, won't be
+               // checked for read only placement because `E` is not marked as `C` is.
+};
+
+// Case 2: Declaring a field of the type that has the attribute
+struct F {
+    C c1; // FIXME: warn the user type `F` that wraps type `C` won't be checked for
+          // read only placement
+};
+
+struct BaseWithoutAttribute {
+    int a;
+};
+
+struct  __attribute__((enforce_read_only_placement)) J : BaseWithoutAttribute { // no-warning
+};
+
+struct __attribute__((enforce_read_only_placement)) BaseWithAttribute {
+    int i;
+};
+
+struct __attribute__((enforce_read_only_placement)) Derived : BaseWithAttribute { // no-warning
+    int j;
+};
+
+struct __attribute__((enforce_read_only_placement)) WrapperToAttributeInstance { // no-warning
+    BaseWithAttribute b;
+};
+
+struct __attribute__((enforce_read_only_placement)) WrapperToNoAttributeInstance { // no-warning
+    BaseWithoutAttribute b;
+};
+
+// Cases where the const qualification doesn't ensure read-only memory placement
+// of an instance.
+
+// Case 1: The type defines/inherits mutable data members
+struct __attribute__((enforce_read_only_placement)) G {
+    mutable int x; // FIXME: warn the user type `G` won't be placed in the read only program memory
+};
+
+struct __attribute__((enforce_read_only_placement)) H : public G { // FIXME: Warn the user type `H`
+                                                // won't be placed in the read only program memory
+};
+
+struct __attribute__((enforce_read_only_placement)) K { // FIXME : Warn the user type `K` w on't be
+                                                // placed in the read only program memory
+    G g;
+};
+
+
+// Case 2: The type has a constructor that makes its fields modifiable
+struct  __attribute__((enforce_read_only_placement)) L {
+    int b;
+    L(int val) { // FIXME: warn the user type `L` won't be placed in the read only program memory
+      b = val;
+    }
+};
+
+struct __attribute__((enforce_read_only_placement)) ConstInClassInitializers { // no-warning
+  int b = 12;
+
+  ConstInClassInitializers() = default;
+};
+
+int foo();
+struct __attribute__((enforce_read_only_placement)) NonConstInClassInitializers {
+  int b = foo(); // FIXME: warn the user type `NonConstInClassInitializers` won't be placed
+                 // in the read only program memory
+
+  NonConstInClassInitializers() = default;
+};
+
+#if (__cplusplus >= 202002L)
+struct __attribute__((enforce_read_only_placement)) ConstevalCtor {
+  int b;
+
+  consteval ConstevalCtor(int B) : b(B) {} // no-warning
+};
+#endif
+
+#if (__cplusplus >= 201103L)
+struct __attribute__((enforce_read_only_placement)) ConstExprCtor { // no-warning
+  int b;
+
+  constexpr ConstExprCtor(int B) : b(B) {}
+};
+
+constexpr ConstExprCtor cec1(10); // no-warning
+
+#endif
+
+// Cases where an object is allocated on the heap or on the stack
+C *c2 = new C; // FIXME: warn the user this instance of 'C' won't be placed in the read only program memory
+
+void func1(C c); // FIXME: warn the user the instance of 'C' won't be placed in the read only program memory
+
+void func2(const C c); // FIXME: warn the user the instance of 'C' won't be placed in the read
+                       // only program memory
+
+C func3(); // FIXME: warn the user the instance of 'C' won't be placed in the read only program memory
+
+void func4() {
+    C c; // FIXME: warn the user the instance of 'C' won't be placed in the read only program memory
+}
+
+#if (__cplusplus >= 202002L)
+consteval void func4(C c); // no-warning
+#endif

Original file line number	Diff line number	Diff line change
`@@ -4145,3 +4145,8 @@ def FunctionReturnThunks : InheritableAttr,`
`4145`	`4145`	`let Subjects = SubjectList<[Function]>;`
`4146`	`4146`	`let Documentation = [FunctionReturnThunksDocs];`
`4147`	`4147`	`}`
	`4148`	`+def ReadOnlyPlacement : InheritableAttr {`
	`4149`	`+ let Spellings = [Clang<"enforce_read_only_placement">];`
	`4150`	`+ let Subjects = SubjectList<[Record]>;`
	`4151`	`+ let Documentation = [ReadOnlyPlacementDocs];`
	`4152`	`+}`