[BoundsSafety][Attempt 2] Add warning diagnostics for uses of legacy bounds checks #10898
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@swift-ci test llvm |
delcypher
force-pushed
the
dliew/rdar-150805550-v2
branch
from
349afa5 to
bf4fa08
Compare
delcypher
commented
Jun 25, 2025
| auto FilteredArgs = | ||
| Args.filtered(OPT_fbounds_safety_bringup_missing_checks_EQ, | ||
| OPT_fno_bounds_safety_bringup_missing_checks_EQ); | ||
| if (FilteredArgs.empty()) { | ||
| // No flags present. Use the default | ||
| return LangOptions::getDefaultBoundsSafetyNewChecksMask(); | ||
| auto Result = LangOptions::getDefaultBoundsSafetyNewChecksMask(); | ||
| if (DiagnoseMissingChecks && Diags) |
There was a problem hiding this comment.
@hnrklssn This is where the bug was in the first version. There was a missing guard for the call to DiagnoseDisabledBoundsSafetyChecks which meant if DiagnoseMissingChecks was false we'd try to diagnose the issues anyway.
There was a problem hiding this comment.
Hmm. So I think I need to write a test case for this because all the BoundsSafety tests for this passed without making this fix.
There was a problem hiding this comment.
Unfortunately I figured out it's not possible to (easily) write a test case for this. The buggy behavior depends on bounds checks being disabled by default which is not desirable behavior. While technically we could add a hidden flag that changes the default for the purposes of testing I think this adds a lot of complexity without a huge benefit.
delcypher
added
the
clang:bounds-safety
delcypher
force-pushed
the
dliew/rdar-150805550-v2
branch
from
bf4fa08 to
ddcf48d
Compare
…bounds checks ** This is the second attempt landing this patch. This first (swiftlang#10800 4c8f6e7) failed because there was a bug. ** The bug was in `ParseBoundsSafetyNewChecksMaskFromArgs` where the call to `DiagnoseDisabledBoundsSafetyChecks` was not guarded with `DiagnoseMissingChecks`. This missing check caused diagnostics to appear when they shouldn't and caused crashes in cases where the `Diags` pointer was nullptr. To fix this the missing guard has been added and an assert that `Diags` is not null has been added. Unfortunately it isn't possible to write a regression test for this because the behavior depends on having at least some bounds checks disabled by default, which is not desirable behavior. While techinically we could add a hidden flag to change the default for the purposes of testing the added complexity of doing this doesn't really justify the added test coverage. This version of the patch also guards assigning to `Opts.BoundsSafetyBringUpMissingChecks` in `CompilerInvocation::ParseLangArgs` so that it is only assigned to when `-fbounds-safety` is enabled. This is done for several reasons * It avoids unnecessarily parsing the `-fbounds-safety-bringup-missing-checks=` flags when `-fbounds-safety` is disabled. * Isolates code built without `-fbounds-safety` from bugs in `ParseBoundsSafetyNewChecksMaskFromArgs`. * It is more consistent with `CompilerInvocationBase::GenerateLangArgs` which only emits `-fbounds-safety-bring-checks=` when `-fbounds-safety` is enabled. --- This adds warning diagnostics when any of the new bounds checks that can be enabled with `-fbounds-safety-bringup-missing-checks=batch_0` are disabled. If all bounds checks in the batch are disabled a single diagnostic is emitted. If only some of the bounds checks in the batch are disabled then a diagnostic is emitted for each disabled bounds check. The implementation will either suggest enabling a batch of checks (e.g. `-fbounds-safety-bringup-missing-checks=batch_0`) or will suggest removing a flag that is explicitly disabling a check (e.g. `-fno-bounds-safety-bringup-missing-checks=access_size`). The current implementation supports there being multple batches of checks. However, there is currently only one batch (`batch_0`). I originally tried to emit these warnings in the frontend. Unfortunately it turns out warning suppression (i.e. `-Wno-bounds-safety-legacy-checks-enabled`) and `-Werror` don't work correctly if warnings are emitted from the frontend (rdar://152730261). To workaround this the `-fbounds-safety-bringup-missing-checks=` flags are now also parsed in the Driver and at this point (and only this point) diagnostics for missing checks are emitted. The intention is to make these warnings be errors eventually. rdar://150805550
delcypher
force-pushed
the
dliew/rdar-150805550-v2
branch
from
ddcf48d to
0aab1a8
Compare
|
@swift-ci test llvm |
hnrklssn
approved these changes
Jul 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
** This is the second attempt landing this patch. This first (#10800
4c8f6e7) failed because there was a bug. **
The bug was in
ParseBoundsSafetyNewChecksMaskFromArgswhere the call toDiagnoseDisabledBoundsSafetyCheckswas not guarded withDiagnoseMissingChecks. This missing check caused diagnostics to appearwhen they shouldn't and caused crashes in cases where the
Diagspointer was nullptr. To fix this the missing guard has been added and
an assert that
Diagsis not null has been added.Unfortunately it isn't possible to write a regression test for this
because the behavior depends on having at least some bounds checks
disabled by default, which is not desirable behavior. While techinically
we could add a hidden flag to change the default for the purposes of
testing the added complexity of doing this doesn't really justify the
added test coverage.
This version of the patch also guards assigning to
Opts.BoundsSafetyBringUpMissingChecksinCompilerInvocation::ParseLangArgsso that it is only assigned towhen
-fbounds-safetyis enabled. This is done for several reasons-fbounds-safety-bringup-missing-checks=flagswhen
-fbounds-safetyis disabled.-fbounds-safetyfrom bugs inParseBoundsSafetyNewChecksMaskFromArgs.CompilerInvocationBase::GenerateLangArgswhich only emits
-fbounds-safety-bring-checks=when-fbounds-safetyis enabled.This adds warning diagnostics when any of the new bounds checks that can
be enabled with
-fbounds-safety-bringup-missing-checks=batch_0aredisabled.
If all bounds checks in the batch are disabled a single diagnostic is
emitted. If only some of the bounds checks in the batch are disabled
then a diagnostic is emitted for each disabled bounds check. The
implementation will either suggest enabling a batch of checks (e.g.
-fbounds-safety-bringup-missing-checks=batch_0) or will suggestremoving a flag that is explicitly disabling a check (e.g.
-fno-bounds-safety-bringup-missing-checks=access_size).The current implementation supports there being multple batches of
checks. However, there is currently only one batch (
batch_0).I originally tried to emit these warnings in the frontend. Unfortunately
it turns out warning suppression (i.e.
-Wno-bounds-safety-legacy-checks-enabled) and-Werrordon't workcorrectly if warnings are emitted from the frontend (rdar://152730261).
To workaround this the
-fbounds-safety-bringup-missing-checks=flagsare now also parsed in the Driver and at this point (and only this
point) diagnostics for missing checks are emitted.
The intention is to make these warnings be errors eventually.
rdar://150805550