[BoundsSafety] Apply started_by on PointerType before qualifiers so that getUnqualifiedType doesn't strip started_by (#10046)

rapidsna · web-flow · commit 58a7c9ffa06d · 2025-02-18T09:50:00.000-08:00
* [BoundsSafety] Apply started_by on PointerType before qualifiers so that getUnqualifiedType doesn't strip started_by

All other bounds annotations are applied directly to bare
PointerType via recursive TypeVisitor but started_by. This caused
started_by to be stripped wheneter there is a type query to get
unqualified type and the pointer type has a qualifier. This bug
caused the started_by pointer to be treated as a single pointer,
leading to a run-time trap when it gets the upper bound which has
zero memory available..

The fix is to apply started_by at the bare PointerType just like
any other bounds annotated types. Also, this strips PtrAutoAttr
added to started_by because it's no longer an implicit single
pointer.

rdar://137701968

* Fix build failure caused by TransformAttributedType

* [BoundsSafety] SaveAndRestore MakeStartedByPointerType::Done in TransformPointerType

PointerType can be visited multiple times if it's wrapped by
AttributedType in order to build ModifiedType and EquivalentType.

This fixes the issue where started_by wasn't attached properly in
EquivalentType.
diff --git a/clang/lib/Sema/SemaDeclAttr.cpp b/clang/lib/Sema/SemaDeclAttr.cpp
@@ -5774,20 +5774,7 @@ class MakeStartedByPointerType
       return QualType();
     }
 
-    llvm::SaveAndRestore<bool> DoneLocal(Done, true);
-
-    T = BaseClass::TransformType(TLB, TL);
-
-    // Create a new started_by() pointer.
-
-    Expr *StartPtr = BuildStartPtrExpr();
-    if (!StartPtr)
-      return QualType();
-
-    QualType NewTy = SemaRef.Context.getDynamicRangePointerType(
-        T, StartPtr, /*EndPtr=*/nullptr, {NewStartPtrInfo}, {});
-    TLB.push<DynamicRangePointerTypeLoc>(NewTy);
-    return NewTy;
+    return BaseClass::TransformType(TLB, TL);
   }
 
   QualType TransformType(QualType T) { return BaseClass::TransformType(T); }
@@ -5829,8 +5816,42 @@ class MakeStartedByPointerType
     return NewTy;
   }
 
+  using TransformModifiedFnTy =
+      std::function<QualType(TypeLocBuilder &TLB, TypeLoc TL)>;
+  QualType TransformAttributedType(TypeLocBuilder &TLB, AttributedTypeLoc TL,
+                                   TransformModifiedFnTy TransformModifiedTypeFn) {
+    // Strip attr::PtrAutoAttr because the pointer is now marked __started_by
+    // as it is referred to by __ended_by.
+    const AttributedType *oldType = TL.getTypePtr();
+    if (oldType->getAttrKind() == attr::PtrAutoAttr && Level == 0 && !Done) {
+      return TransformModifiedTypeFn(TLB, TL.getModifiedLoc());
+    }
+    return BaseClass::TransformAttributedType(TLB, TL, TransformModifiedTypeFn);
+  }
+
+  QualType TransformAttributedType(TypeLocBuilder &TLB, AttributedTypeLoc TL) {
+    return TransformAttributedType(
+        TLB, TL, [&](TypeLocBuilder &TLB, TypeLoc ModifiedLoc) -> QualType {
+          return TransformType(TLB, ModifiedLoc);
+        });
+  }
+
   QualType TransformPointerType(TypeLocBuilder &TLB, PointerTypeLoc TL) {
     llvm::SaveAndRestore<unsigned> LevelLocal(Level);
+    llvm::SaveAndRestore<bool> DoneLocal(Done);
+    if (!Done && Level == 0) {
+      Expr *StartPtr = BuildStartPtrExpr();
+      if (!StartPtr)
+        return QualType();
+      Done = true;
+
+      QualType T = BaseClass::TransformPointerType(TLB, TL);
+
+      QualType NewTy = SemaRef.Context.getDynamicRangePointerType(
+          T, StartPtr, /*EndPtr=*/nullptr, {NewStartPtrInfo}, {});
+      TLB.push<DynamicRangePointerTypeLoc>(NewTy);
+      return NewTy;
+    }
     if (!Done) {
       assert(Level > 0);
       --Level;
diff --git a/clang/test/BoundsSafety/AST/ended_by_const_param.c b/clang/test/BoundsSafety/AST/ended_by_const_param.c
@@ -0,0 +1,92 @@
+// FileCheck lines automatically generated using make-ast-dump-check-v2.py
+// REQUIRES: apple-disclosure-ios
+
+// RUN: %clang_cc1 -triple x86_64-apple-mac -ast-dump -fbounds-safety %s 2>&1 | FileCheck %s
+// RUN: %clang_cc1 -triple x86_64-apple-mac -ast-dump -fbounds-safety -x objective-c -fbounds-attributes-objc-experimental %s 2>&1 | FileCheck %s
+#include <ptrcheck.h>
+
+struct S {
+    int *end;
+    int *__ended_by(end) iter;
+};
+
+// CHECK-LABEL:|-FunctionDecl {{.+}} used foo 'void (int *__single __ended_by(end)const, int *__single /* __started_by(start) */ const)'
+// CHECK-NEXT: | |-ParmVarDecl {{.+}} used start 'int *__single __ended_by(end)const':'int *__singleconst'
+// CHECK-NEXT: | |-ParmVarDecl {{.+}} used end 'int *__single /* __started_by(start) */ const':'int *__singleconst'
+// CHECK-NEXT: | `-CompoundStmt {{.+}}
+// CHECK-NEXT: |   `-DeclStmt {{.+}}
+// CHECK-NEXT: |     `-VarDecl {{.+}} local 'int *__bidi_indexable' cinit
+// CHECK-NEXT: |       `-FirebloomPointerPromotionExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT: |         |-DeclRefExpr {{.+}} 'int *__single /* __started_by(start) */ const':'int *__singleconst' lvalue ParmVar {{.+}} 'end' 'int *__single /* __started_by(start) */ const':'int *__singleconst'
+// CHECK-NEXT: |         |-ImplicitCastExpr {{.+}} 'int *__single /* __started_by(start) */ const':'int *__singleconst' <LValueToRValue>
+// CHECK-NEXT: |         | `-DeclRefExpr {{.+}} 'int *__single /* __started_by(start) */ const':'int *__singleconst' lvalue ParmVar {{.+}} 'end' 'int *__single /* __started_by(start) */ const':'int *__singleconst'
+// CHECK-NEXT: |         `-ImplicitCastExpr {{.+}} <<invalid sloc>> 'int *__single __ended_by(end)const':'int *__singleconst' <LValueToRValue>
+// CHECK-NEXT: |           `-DeclRefExpr {{.+}} <<invalid sloc>> 'int *__single __ended_by(end)const':'int *__singleconst' lvalue ParmVar {{.+}} 'start' 'int *__single __ended_by(end)const':'int *__singleconst'
+void foo(int * const __ended_by(end) start, int* const end) {
+  int *local = end;
+}
+
+// CHECK-LABEL:`-FunctionDecl {{.+}} bar 'void (void)'
+// CHECK-NEXT:   `-CompoundStmt {{.+}}
+// CHECK-NEXT:     |-DeclStmt {{.+}}
+// CHECK-NEXT:     | `-VarDecl {{.+}} used arr 'int[40]'
+// CHECK-NEXT:     `-MaterializeSequenceExpr {{.+}} 'void' <Unbind>
+// CHECK-NEXT:       |-MaterializeSequenceExpr {{.+}} 'void' <Bind>
+// CHECK-NEXT:       | |-BoundsCheckExpr {{.+}} 'void' 'arr + 40 <= __builtin_get_pointer_upper_bound(arr) && arr <= arr + 40'
+// CHECK-NEXT:       | | |-CallExpr {{.+}} 'void'
+// CHECK-NEXT:       | | | |-ImplicitCastExpr {{.+}} 'void (*__single)(int *__single __ended_by(end)const, int *__single /* __started_by(start) */ const)' <FunctionToPointerDecay>
+// CHECK-NEXT:       | | | | `-DeclRefExpr {{.+}} 'void (int *__single __ended_by(end)const, int *__single /* __started_by(start) */ const)' Function {{.+}} 'foo' 'void (int *__single __ended_by(end)const, int *__single /* __started_by(start) */ const)'
+// CHECK-NEXT:       | | | |-ImplicitCastExpr {{.+}} 'int *__single __ended_by(end)':'int *__single' <FirebloomPointerCast>
+// CHECK-NEXT:       | | | | `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | | | |   `-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       | | | |     `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       | | | `-ImplicitCastExpr {{.+}} 'int *__single /* __started_by(start) */ ':'int *__single' <FirebloomPointerCast>
+// CHECK-NEXT:       | | |   `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | | |     `-BinaryOperator {{.+}} 'int *__bidi_indexable' '+'
+// CHECK-NEXT:       | | |       |-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       | | |       | `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       | | |       `-IntegerLiteral {{.+}} 'int' 40
+// CHECK-NEXT:       | | `-BinaryOperator {{.+}} 'int' '&&'
+// CHECK-NEXT:       | |   |-BinaryOperator {{.+}} 'int' '<='
+// CHECK-NEXT:       | |   | |-ImplicitCastExpr {{.+}} 'int *' <FirebloomPointerCast>
+// CHECK-NEXT:       | |   | | `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | |   | |   `-BinaryOperator {{.+}} 'int *__bidi_indexable' '+'
+// CHECK-NEXT:       | |   | |     |-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       | |   | |     | `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       | |   | |     `-IntegerLiteral {{.+}} 'int' 40
+// CHECK-NEXT:       | |   | `-ImplicitCastExpr {{.+}} 'int *' <FirebloomPointerCast>
+// CHECK-NEXT:       | |   |   `-GetBoundExpr {{.+}} 'int *__bidi_indexable' upper
+// CHECK-NEXT:       | |   |     `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | |   |       `-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       | |   |         `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       | |   `-BinaryOperator {{.+}} 'int' '<='
+// CHECK-NEXT:       | |     |-ImplicitCastExpr {{.+}} 'int *' <FirebloomPointerCast>
+// CHECK-NEXT:       | |     | `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | |     |   `-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       | |     |     `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       | |     `-ImplicitCastExpr {{.+}} 'int *' <FirebloomPointerCast>
+// CHECK-NEXT:       | |       `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | |         `-BinaryOperator {{.+}} 'int *__bidi_indexable' '+'
+// CHECK-NEXT:       | |           |-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       | |           | `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       | |           `-IntegerLiteral {{.+}} 'int' 40
+// CHECK-NEXT:       | |-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | | `-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       | |   `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       | `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       |   `-BinaryOperator {{.+}} 'int *__bidi_indexable' '+'
+// CHECK-NEXT:       |     |-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       |     | `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       |     `-IntegerLiteral {{.+}} 'int' 40
+// CHECK-NEXT:       |-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:       | `-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:       |   `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:       `-OpaqueValueExpr {{.+}} 'int *__bidi_indexable'
+// CHECK-NEXT:         `-BinaryOperator {{.+}} 'int *__bidi_indexable' '+'
+// CHECK-NEXT:           |-ImplicitCastExpr {{.+}} 'int *__bidi_indexable' <ArrayToPointerDecay>
+// CHECK-NEXT:           | `-DeclRefExpr {{.+}} 'int[40]' lvalue Var {{.+}} 'arr' 'int[40]'
+// CHECK-NEXT:           `-IntegerLiteral {{.+}} 'int' 40
+void bar(void) {
+  int arr[40];
+  foo(arr, arr + 40);
+}
diff --git a/clang/test/BoundsSafety/AST/typedef-function-attrs-late-parsed-param.c b/clang/test/BoundsSafety/AST/typedef-function-attrs-late-parsed-param.c
@@ -56,9 +56,8 @@ void foo(
 // CHECK: |   | `-PointerType {{.+}} 'void *__single'
 // CHECK: |   |   `-BuiltinType {{.+}} 'void'
 // CHECK: |   `-DynamicRangePointerType {{.+}} 'void *__single /* __started_by(start) */ ' sugar
-// CHECK: |     `-AttributedType {{.+}} 'void *__single' sugar
-// CHECK: |       `-PointerType {{.+}} 'void *__single'
-// CHECK: |         `-BuiltinType {{.+}} 'void'
+// CHECK: |     `-PointerType {{.+}} 'void *__single'
+// CHECK: |       `-BuiltinType {{.+}} 'void'
 // CHECK: |-TypedefDecl {{.+}} cb_ptr_t 'void (*)(int *__single __counted_by(count), int)'
 // CHECK: | `-PointerType {{.+}} 'void (*)(int *__single __counted_by(count), int)'
 // CHECK: |   `-ParenType {{.+}} 'void (int *__single __counted_by(count), int)' sugar
@@ -86,9 +85,8 @@ void foo(
 // CHECK: |       | `-PointerType {{.+}} 'void *__single'
 // CHECK: |       |   `-BuiltinType {{.+}} 'void'
 // CHECK: |       `-DynamicRangePointerType {{.+}} 'void *__single /* __started_by(start) */ ' sugar
-// CHECK: |         `-AttributedType {{.+}} 'void *__single' sugar
-// CHECK: |           `-PointerType {{.+}} 'void *__single'
-// CHECK: |             `-BuiltinType {{.+}} 'void'
+// CHECK: |         `-PointerType {{.+}} 'void *__single'
+// CHECK: |           `-BuiltinType {{.+}} 'void'
 // CHECK: |-VarDecl {{.+}} g_cb_ptr 'void (*__single)(int *__single __counted_by(count), int)'
 // CHECK: |-VarDecl {{.+}} g_sb_ptr 'void (*__single)(void *__single __sized_by(size), int)'
 // CHECK: |-VarDecl {{.+}} g_eb_ptr 'void (*__single)(void *__single __ended_by(end), void *__single /* __started_by(start) */ )'
diff --git a/clang/test/BoundsSafety/CodeGen/ended_by_const_param-O2.c b/clang/test/BoundsSafety/CodeGen/ended_by_const_param-O2.c
@@ -0,0 +1,90 @@
+// NOTE: Assertions have been autogenerated by utils/update_cc_test_checks.py UTC_ARGS: --version 5
+// REQUIRES: apple-disclosure-ios
+// RUN: %clang_cc1 -O2 -triple arm64-apple-iphoneos -fbounds-safety -emit-llvm %s -o - | FileCheck %s
+
+#include <ptrcheck.h>
+
+struct S {
+    int *end;
+    int *__ended_by(end) iter;
+};
+
+void foo(int * const __ended_by(end) start, int* const end);
+
+
+// CHECK-LABEL: define dso_local void @good(
+// CHECK-SAME: ) local_unnamed_addr #[[ATTR0:[0-9]+]] {
+// CHECK-NEXT:  [[ENTRY:.*:]]
+// CHECK-NEXT:    [[ARR:%.*]] = alloca [40 x i32], align 4
+// CHECK-NEXT:    call void @llvm.lifetime.start.p0(i64 160, ptr nonnull [[ARR]]) #[[ATTR5:[0-9]+]]
+// CHECK-NEXT:    [[BOUND_PTR_ARITH:%.*]] = getelementptr inbounds i8, ptr [[ARR]], i64 160
+// CHECK-NEXT:    call void @foo(ptr noundef nonnull [[ARR]], ptr noundef nonnull [[BOUND_PTR_ARITH]]) #[[ATTR5]]
+// CHECK-NEXT:    call void @llvm.lifetime.end.p0(i64 160, ptr nonnull [[ARR]]) #[[ATTR5]]
+// CHECK-NEXT:    ret void
+//
+void good(void) {
+  int arr[40];
+  foo(arr, arr + 40);
+}
+
+// CHECK-LABEL: define dso_local void @oob_upper(
+// CHECK-SAME: ) local_unnamed_addr #[[ATTR0]] {
+// CHECK-NEXT:  [[ENTRY:.*:]]
+// CHECK-NEXT:    [[ARR:%.*]] = alloca [40 x i32], align 4
+// CHECK-NEXT:    call void @llvm.lifetime.start.p0(i64 160, ptr nonnull [[ARR]]) #[[ATTR5]]
+// CHECK-NEXT:    [[UPPER:%.*]] = getelementptr inbounds i8, ptr [[ARR]], i64 160
+// CHECK-NEXT:    [[BOUND_PTR_ARITH:%.*]] = getelementptr i8, ptr [[ARR]], i64 164
+// CHECK-NEXT:    [[CMP_NOT:%.*]] = icmp ugt ptr [[BOUND_PTR_ARITH]], [[UPPER]], !annotation [[META2:![0-9]+]]
+// CHECK-NEXT:    [[CMP28_NOT:%.*]] = icmp ugt ptr [[ARR]], [[BOUND_PTR_ARITH]], !annotation [[META2]]
+// CHECK-NEXT:    [[OR_COND:%.*]] = or i1 [[CMP_NOT]], [[CMP28_NOT]], !annotation [[META2]]
+// CHECK-NEXT:    br i1 [[OR_COND]], label %[[TRAP:.*]], label %[[CONT:.*]], !annotation [[META2]]
+// CHECK:       [[TRAP]]:
+// CHECK-NEXT:    call void @llvm.ubsantrap(i8 25) #[[ATTR6:[0-9]+]], !annotation [[META2]]
+// CHECK-NEXT:    unreachable, !annotation [[META2]]
+// CHECK:       [[CONT]]:
+// CHECK-NEXT:    call void @foo(ptr noundef nonnull [[ARR]], ptr noundef [[BOUND_PTR_ARITH]]) #[[ATTR5]]
+// CHECK-NEXT:    call void @llvm.lifetime.end.p0(i64 160, ptr nonnull [[ARR]]) #[[ATTR5]]
+// CHECK-NEXT:    ret void
+//
+void oob_upper(void) {
+  int arr[40];
+  foo(arr, arr + 41);
+}
+
+// CHECK-LABEL: define dso_local void @oob_lower(
+// CHECK-SAME: ) local_unnamed_addr #[[ATTR0]] {
+// CHECK-NEXT:  [[ENTRY:.*:]]
+// CHECK-NEXT:    [[ARR:%.*]] = alloca [40 x i32], align 4
+// CHECK-NEXT:    call void @llvm.lifetime.start.p0(i64 160, ptr nonnull [[ARR]]) #[[ATTR5]]
+// CHECK-NEXT:    [[UPPER:%.*]] = getelementptr inbounds i8, ptr [[ARR]], i64 160
+// CHECK-NEXT:    [[BOUND_PTR_ARITH:%.*]] = getelementptr i8, ptr [[ARR]], i64 -4
+// CHECK-NEXT:    [[CMP_NOT:%.*]] = icmp ugt ptr [[BOUND_PTR_ARITH]], [[UPPER]], !annotation [[META2]]
+// CHECK-NEXT:    [[CMP28_NOT:%.*]] = icmp ugt ptr [[ARR]], [[BOUND_PTR_ARITH]], !annotation [[META2]]
+// CHECK-NEXT:    [[OR_COND:%.*]] = or i1 [[CMP_NOT]], [[CMP28_NOT]], !annotation [[META2]]
+// CHECK-NEXT:    br i1 [[OR_COND]], label %[[TRAP:.*]], label %[[CONT:.*]], !annotation [[META2]]
+// CHECK:       [[TRAP]]:
+// CHECK-NEXT:    call void @llvm.ubsantrap(i8 25) #[[ATTR6]], !annotation [[META2]]
+// CHECK-NEXT:    unreachable, !annotation [[META2]]
+// CHECK:       [[CONT]]:
+// CHECK-NEXT:    call void @foo(ptr noundef nonnull [[ARR]], ptr noundef [[BOUND_PTR_ARITH]]) #[[ATTR5]]
+// CHECK-NEXT:    call void @llvm.lifetime.end.p0(i64 160, ptr nonnull [[ARR]]) #[[ATTR5]]
+// CHECK-NEXT:    ret void
+//
+void oob_lower(void) {
+  int arr[40];
+  foo(arr, arr - 1);
+}
+
+// CHECK-LABEL: define dso_local void @oob_order(
+// CHECK-SAME: ) local_unnamed_addr #[[ATTR4:[0-9]+]] {
+// CHECK-NEXT:  [[ENTRY:.*:]]
+// CHECK-NEXT:    tail call void @llvm.ubsantrap(i8 25) #[[ATTR6]], !annotation [[META2]]
+// CHECK-NEXT:    unreachable, !annotation [[META2]]
+//
+void oob_order(void) {
+  int arr[40];
+  foo(arr + 2, arr + 1);
+}
+//.
+// CHECK: [[META2]] = !{!"firebloom-generic"}
+//.
diff --git a/clang/test/BoundsSafety/CodeGen/ended_by_const_param.c b/clang/test/BoundsSafety/CodeGen/ended_by_const_param.c
