[-Wunsafe-buffer-usage] Add basic support for C++ default args

patrykstefanski · patrykstefanski · commit f5a8063671e7 · 2025-08-15T13:22:44.000-07:00
This commit changes two things:
- Allows the count-attributed pointer analysis see through
  `CXXDefaultArgExpr` for both pointer and count arguments.
- Fixes the diagnostic location. Since `CXXDefaultArgExpr` has no source
  representation, we emit the diagnostic at the right parenthesis of the
  call expression.

rdar://156005108
diff --git a/clang/lib/Analysis/UnsafeBufferUsage.cpp b/clang/lib/Analysis/UnsafeBufferUsage.cpp
@@ -691,6 +691,11 @@ struct CompatibleCountExprVisitor
     }
     return false;
   }
+
+  bool VisitCXXDefaultArgExpr(const CXXDefaultArgExpr *SelfDAE,
+                              const Expr *Other, bool hasBeenSubstituted) {
+    return Visit(SelfDAE->getExpr(), Other, hasBeenSubstituted);
+  }
 };
 
 // TL'DR:
@@ -935,7 +940,10 @@ static bool isCountAttributedPointerArgumentSafeImpl(
   assert((CountedByExpr || !DependentValueMap) &&
          "If the __counted_by information is hardcoded, there is no "
          "dependent value map.");
+
   const Expr *PtrArgNoImp = PtrArg->IgnoreParenImpCasts();
+  if (const auto *DAE = dyn_cast<CXXDefaultArgExpr>(PtrArgNoImp))
+    PtrArgNoImp = DAE->getExpr()->IgnoreParenImpCasts();
 
   // check form 0:
   if (PtrArgNoImp->getType()->isNullPtrType()) {
diff --git a/clang/lib/Sema/AnalysisBasedWarnings.cpp b/clang/lib/Sema/AnalysisBasedWarnings.cpp
@@ -2587,8 +2587,9 @@ class UnsafeBufferUsageReporter : public UnsafeBufferUsageHandler {
         IsSimpleCount ? CATy->dependent_decls().begin()->getDecl()->getName()
                       : "";
 
-    S.Diag(Arg->getBeginLoc(),
-           diag::warn_unsafe_count_attributed_pointer_argument);
+    SourceLocation DiagLoc =
+        Arg->isDefaultArgument() ? Call->getRParenLoc() : Arg->getBeginLoc();
+    S.Diag(DiagLoc, diag::warn_unsafe_count_attributed_pointer_argument);
     S.Diag(PVD->getBeginLoc(),
            diag::note_unsafe_count_attributed_pointer_argument)
         << IsSimpleCount << QualType(CATy, 0) << !PtrParamName.empty()
diff --git a/clang/test/SemaCXX/warn-unsafe-buffer-usage-count-attributed-pointer-argument.cpp b/clang/test/SemaCXX/warn-unsafe-buffer-usage-count-attributed-pointer-argument.cpp
@@ -664,3 +664,44 @@ static void previous_infinite_loop3(int * __counted_by(n + n * m) p, size_t n,
   previous_infinite_loop3(p, n, q, r, m, o);
   previous_infinite_loop3(p, n, q, r, m, o + 1); // expected-warning 2{{unsafe assignment to function parameter of count-attributed type}}
 }
+
+// Check default args.
+
+void cb_def_arg_null_0(int *__counted_by(count) p = nullptr, size_t count = 0);
+
+// expected-note@+1{{consider using a safe container and passing '.data()' to the parameter 'p' and '.size()' to its dependent parameter 'count' or 'std::span' and passing '.first(...).data()' to the parameter 'p'}}
+void cb_def_arg_0_null(size_t count = 0, int *__counted_by(count) p = nullptr);
+
+// expected-note@+1 6{{consider using a safe container and passing '.data()' to the parameter 'p' and '.size()' to its dependent parameter 'count' or 'std::span' and passing '.first(...).data()' to the parameter 'p'}}
+void cb_def_arg_null_42(int *__counted_by(count) p = nullptr, size_t count = 42);
+
+void default_arg(std::span<int> sp) {
+  cb_def_arg_null_0();
+  cb_def_arg_null_0(nullptr);
+  cb_def_arg_null_0(nullptr, 0);
+  cb_def_arg_null_0(sp.data(), sp.size());
+
+  cb_def_arg_0_null();
+  cb_def_arg_0_null(0);
+  cb_def_arg_0_null(0, nullptr);
+  cb_def_arg_0_null(sp.size(), sp.data());
+  cb_def_arg_0_null(42);                       // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  cb_def_arg_0_null(42, sp.first(42).data());
+
+  cb_def_arg_null_42();                        // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  cb_def_arg_null_42(nullptr);                 // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  cb_def_arg_null_42(nullptr, 42);             // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  cb_def_arg_null_42(nullptr, 0);
+  cb_def_arg_null_42(sp.data());               // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  cb_def_arg_null_42(sp.data(), sp.size());
+  cb_def_arg_null_42(sp.first(42).data());
+  cb_def_arg_null_42(sp.first(42).data(), 42);
+  cb_def_arg_null_42(sp.first(41).data());     // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+
+  // Check if the diagnostic is at the right paren.
+  // clang-format off
+  cb_def_arg_null_42
+    (
+    ); // expected-warning{{unsafe assignment to function parameter of count-attributed type}}
+  // clang-format on
+}
