[-Wunsafe-buffer-usage] Check count-attributed assignment groups

This change adds support for checking count-attributed assignment
groups. This commit adds the following checks:

1. Standalone assignments to count-attributed objects (pointers/dependent
   counts) that are not directly inside of a compound statement. Our
   model rejects those and requires the user to simplify their code if
   necessary. For example:
   ```
     void foo(int *__counted_by(count) p, int count) {
       q = p = ...;
             ^ this is rejected
       n = count = ...;
                 ^ this is rejected
       // the following is fine:
       p = ...;
       count = ...;
     }
   ```
2. Assignments to count-attributed objects that are implicitly
   immutable. For example, assigning to a dependent count that is used
   in an inout pointer is not allowed, since the update won't be visible
   on the call-site:
   ```
     void foo(int *__counted_by(count) *out_p, int count) {
       *out_p = ...;
       count = ...; // immutable
     }
   ```
3. Missing and duplicated assignments:
   ```
     void foo(int *__counted_by(a + b) p, int a, int b) {
       p = ...;
       p = ...; // duplicated
       a = ...;
       // b missing
     }
   ```
4. Count-attributed objects that are assigned and used in the same
   group. Allowing such assignments can cause the bounds-check to use
   the old dependent count, while updating the count to a new value. For
   example, the bounds-check in `sp.first()` uses the value of `b`
   before the later update, which can lead to OOB if `b` was less than
   42:
   ```
     void foo(int *__counted_by(a + b) p, int a, int b, std::span<int> sp) {
       p = sp.first(b + 42).data();
       b = 42; // b is assigned and used
       a = b;
     }
   ```
5. Safe assignment patterns. This uses the infrastructure that is
   already available for count-attributed arguments, and checks for each
   assigned pointer in the group that the RHS has enough elements.

This analysis is hidden behind `-fexperimental-bounds-safety-attributes`
flag, so that we don't waste cycles traversing the AST when the
attributes are not enabled.

rdar://128160398
rdar://128161580

Author: patrykstefanski

clang/include/clang/AST/Decl.h

@@ -732,6 +732,10 @@ class ValueDecl : public NamedDecl {
   bool isInitCapture() const;
 
   /* TO_UPSTREAM(BoundsSafety) ON */
+  bool isDependentValue() const;
+  bool isDependentValueWithoutDeref() const;
+  bool isDependentValueWithDeref() const;
+  bool isDependentValueThatIsUsedInInoutPointer() const;
   /// Whether this decl is a dependent parameter referred to by the return type
   /// that is a bounds-attributed type.
   bool isDependentParamOfReturnType(

clang/include/clang/AST/TypeBase.h

@@ -2651,6 +2651,7 @@ class alignas(TypeAlignment) Type : public ExtQualsTypeCommonBase {
   bool isAnyVaListType(ASTContext &) const;
   bool isDynamicRangePointerType() const;
   bool isBoundsAttributedType() const;
+  bool isBoundsAttributedTypeDependingOnInoutValue() const;
   bool isValueTerminatedType() const;
   bool isImplicitlyNullTerminatedType(const ASTContext &) const;
   /* TO_UPSTREAM(BoundsSafety) OFF */

clang/include/clang/Analysis/Analyses/UnsafeBufferUsage.h

@@ -18,6 +18,7 @@
 #include "clang/AST/Expr.h"
 #include "clang/AST/Stmt.h"
 #include "clang/Basic/SourceLocation.h"
+#include "llvm/ADT/SmallPtrSet.h"
 #include "llvm/Support/Debug.h"
 #include <set>
 
@@ -142,6 +143,53 @@ class UnsafeBufferUsageHandler {
                                                  ASTContext &Ctx) {
     handleUnsafeOperation(Arg, IsRelatedToDecl, Ctx);
   }
+
+  virtual void handleStandaloneAssign(const Expr *E, const ValueDecl *VD,
+                                      bool IsRelatedToDecl, ASTContext &Ctx) {
+    handleUnsafeOperation(E, IsRelatedToDecl, Ctx);
+  }
+
+  enum class AssignToImmutableObjectKind {
+    PointerToPointer,
+    PointerToDependentValue,
+    PointerDependingOnInoutValue,
+    DependentValueUsedInInoutPointer,
+  };
+
+  virtual void handleAssignToImmutableObject(const BinaryOperator *Assign,
+                                             const ValueDecl *VD,
+                                             AssignToImmutableObjectKind Kind,
+                                             bool IsRelatedToDecl,
+                                             ASTContext &Ctx) {
+    handleUnsafeOperation(Assign, IsRelatedToDecl, Ctx);
+  }
+
+  virtual void handleMissingAssignments(
+      const Expr *LastAssignInGroup,
+      const llvm::SmallPtrSetImpl<const ValueDecl *> &Required,
+      const llvm::SmallPtrSetImpl<const ValueDecl *> &Missing,
+      bool IsRelatedToDecl, ASTContext &Ctx) {
+    handleUnsafeOperation(LastAssignInGroup, IsRelatedToDecl, Ctx);
+  }
+
+  virtual void handleDuplicatedAssignment(const BinaryOperator *Assign,
+                                          const BinaryOperator *PrevAssign,
+                                          const ValueDecl *VD,
+                                          bool IsRelatedToDecl,
+                                          ASTContext &Ctx) {
+    handleUnsafeOperation(Assign, IsRelatedToDecl, Ctx);
+  }
+
+  virtual void handleAssignedAndUsed(const BinaryOperator *Assign,
+                                     const Expr *Use, const ValueDecl *VD,
+                                     bool IsRelatedToDecl, ASTContext &Ctx) {
+    handleUnsafeOperation(Assign, IsRelatedToDecl, Ctx);
+  }
+
+  virtual void handleUnsafeCountAttributedPointerAssignment(
+      const BinaryOperator *Assign, bool IsRelatedToDecl, ASTContext &Ctx) {
+    handleUnsafeOperation(Assign, IsRelatedToDecl, Ctx);
+  }
   /* TO_UPSTREAM(BoundsSafety) OFF */
 
   /// Invoked when a fix is suggested against a variable. This function groups
@@ -196,7 +244,8 @@ class UnsafeBufferUsageHandler {
 // This function invokes the analysis and allows the caller to react to it
 // through the handler class.
 void checkUnsafeBufferUsage(const Decl *D, UnsafeBufferUsageHandler &Handler,
-                            bool EmitSuggestions);
+                            bool EmitSuggestions,
+                            bool BoundsSafetyAttributes = false);
 
 namespace internal {
 // Tests if any two `FixItHint`s in `FixIts` conflict.  Two `FixItHint`s

clang/include/clang/Basic/DiagnosticSemaKinds.td

@@ -14236,6 +14236,29 @@ def note_unsafe_count_attributed_pointer_argument_null_to_nonnull : Note<
 def warn_unsafe_single_pointer_argument : Warning<
   "unsafe assignment to function parameter of __single pointer type">,
   InGroup<UnsafeBufferUsage>, DefaultIgnore;
+def warn_standalone_assign_to_bounds_attributed_object : Warning<
+  "assignment to %select{bounds-attributed pointer|dependent value}0 %1 "
+  "must be inside of a bounds-attributed group in a compound statement">,
+  InGroup<UnsafeBufferUsage>, DefaultIgnore;
+def warn_cannot_assign_to_immutable_bounds_attributed_object : Warning<
+  "cannot assign to %select{variable|parameter|member}0 %1 because %select{"
+  "it points to a bounds-attributed pointer|"
+  "it points to a dependent value|"
+  "its type depends on an inout dependent value|"
+  "it's used as dependent value in an inout bounds-attributed pointer"
+  "}2">, InGroup<UnsafeBufferUsage>, DefaultIgnore;
+def warn_missing_assignments_in_bounds_attributed_group : Warning<
+  "bounds-attributed group requires assigning '%0', assignments to '%1' missing">,
+  InGroup<UnsafeBufferUsage>, DefaultIgnore;
+def warn_duplicated_assignment_in_bounds_attributed_group : Warning<
+  "duplicated assignment to %select{variable|parameter|member}0 %1 in "
+  "bounds-attributed group">, InGroup<UnsafeBufferUsage>, DefaultIgnore;
+def warn_assigned_and_used_in_bounds_attributed_group : Warning<
+  "%select{variable|parameter|member}0 %1 is assigned and used in the same "
+  "bounds-attributed group">, InGroup<UnsafeBufferUsage>, DefaultIgnore;
+def warn_unsafe_count_attributed_pointer_assignment : Warning<
+  "unsafe assignment to count-attributed pointer">,
+  InGroup<UnsafeBufferUsage>, DefaultIgnore;
 #ifndef NDEBUG
 // Not a user-facing diagnostic. Useful for debugging false negatives in
 // -fsafe-buffer-usage-suggestions (i.e. lack of -Wunsafe-buffer-usage fixits).

clang/lib/AST/Decl.cpp

@@ -5502,6 +5502,27 @@ bool ValueDecl::isParameterPack() const {
 }
 
 /* TO_UPSTREAM(BoundsSafety) ON */
+bool ValueDecl::isDependentValue() const {
+  return hasAttr<DependerDeclsAttr>();
+}
+
+bool ValueDecl::isDependentValueWithoutDeref() const {
+  const auto *Att = getAttr<DependerDeclsAttr>();
+  return Att && !Att->getIsDeref();
+}
+
+bool ValueDecl::isDependentValueWithDeref() const {
+  const auto *Att = getAttr<DependerDeclsAttr>();
+  return Att && Att->getIsDeref();
+}
+
+bool ValueDecl::isDependentValueThatIsUsedInInoutPointer() const {
+  const auto *Att = getAttr<DependerDeclsAttr>();
+  return Att &&
+         std::any_of(Att->dependerLevels_begin(), Att->dependerLevels_end(),
+                     [](unsigned Level) { return Level > 0; });
+}
+
 bool ValueDecl::isDependentParamOfReturnType(
     const BoundsAttributedType **RetType,
     const TypeCoupledDeclRefInfo **Info) const {

clang/lib/AST/Type.cpp

@@ -829,6 +829,14 @@ bool Type::isBoundsAttributedType() const {
   return getAs<BoundsAttributedType>();
 }
 
+bool Type::isBoundsAttributedTypeDependingOnInoutValue() const {
+  const auto *BAT = getAs<BoundsAttributedType>();
+  return BAT &&
+         std::any_of(
+             BAT->dependent_decl_begin(), BAT->dependent_decl_end(),
+             [](const TypeCoupledDeclRefInfo &Info) { return Info.isDeref(); });
+}
+
 bool Type::isValueTerminatedType() const {
   return getAs<ValueTerminatedType>();
 }