[NFC][libc++] Guard against operator& hijacking. (#128351)

mordante · web-flow · commit da618cf0a763 · 2025-02-27T17:47:34.000+01:00
This set usage of operator&amp; instead of std::addressof seems not be easy
to "abuse". Some seem easy to misuse, like basic_ostream::operator&lt;&lt;,
trying to do that results in compilation errors since the `widen`
function is not specialized for the hijacking character type. Hence
there are no tests.
diff --git a/libcxx/include/__atomic/atomic.h b/libcxx/include/__atomic/atomic.h
@@ -363,7 +363,7 @@ struct atomic<_Tp> : __atomic_base<_Tp> {
           // https://github.com/llvm/llvm-project/issues/47978
           // clang bug: __old is not updated on failure for atomic<long double>::compare_exchange_weak
           // Note __old = __self.load(memory_order_relaxed) will not work
-          std::__cxx_atomic_load_inplace(std::addressof(__self.__a_), &__old, memory_order_relaxed);
+          std::__cxx_atomic_load_inplace(std::addressof(__self.__a_), std::addressof(__old), memory_order_relaxed);
         }
 #  endif
         __new = __operation(__old, __operand);
diff --git a/libcxx/include/__atomic/atomic_ref.h b/libcxx/include/__atomic/atomic_ref.h
@@ -119,7 +119,7 @@ struct __atomic_ref_base {
   // that the pointer is going to be aligned properly at runtime because that is a (checked) precondition
   // of atomic_ref's constructor.
   static constexpr bool is_always_lock_free =
-      __atomic_always_lock_free(sizeof(_Tp), &__get_aligner_instance<required_alignment>::__instance);
+      __atomic_always_lock_free(sizeof(_Tp), std::addressof(__get_aligner_instance<required_alignment>::__instance));
 
   _LIBCPP_HIDE_FROM_ABI bool is_lock_free() const noexcept { return __atomic_is_lock_free(sizeof(_Tp), __ptr_); }
 
diff --git a/libcxx/include/__charconv/traits.h b/libcxx/include/__charconv/traits.h
@@ -15,6 +15,7 @@
 #include <__charconv/tables.h>
 #include <__charconv/to_chars_base_10.h>
 #include <__config>
+#include <__memory/addressof.h>
 #include <__type_traits/enable_if.h>
 #include <__type_traits/is_unsigned.h>
 #include <cstdint>
@@ -142,7 +143,7 @@ __mul_overflowed(unsigned short __a, _Tp __b, unsigned short& __r) {
 template <typename _Tp>
 inline _LIBCPP_CONSTEXPR_SINCE_CXX23 _LIBCPP_HIDE_FROM_ABI bool __mul_overflowed(_Tp __a, _Tp __b, _Tp& __r) {
   static_assert(is_unsigned<_Tp>::value, "");
-  return __builtin_mul_overflow(__a, __b, &__r);
+  return __builtin_mul_overflow(__a, __b, std::addressof(__r));
 }
 
 template <typename _Tp, typename _Up>
diff --git a/libcxx/include/__filesystem/path.h b/libcxx/include/__filesystem/path.h
@@ -17,6 +17,7 @@
 #include <__fwd/functional.h>
 #include <__iterator/back_insert_iterator.h>
 #include <__iterator/iterator_traits.h>
+#include <__memory/addressof.h>
 #include <__type_traits/decay.h>
 #include <__type_traits/enable_if.h>
 #include <__type_traits/is_pointer.h>
@@ -584,7 +585,7 @@ class _LIBCPP_EXPORTED_FROM_ABI path {
 
   template <class _ECharT, __enable_if_t<__can_convert_char<_ECharT>::value, int> = 0>
   _LIBCPP_HIDE_FROM_ABI path& operator+=(_ECharT __x) {
-    _PathCVT<_ECharT>::__append_source(__pn_, basic_string_view<_ECharT>(&__x, 1));
+    _PathCVT<_ECharT>::__append_source(__pn_, basic_string_view<_ECharT>(std::addressof(__x), 1));
     return *this;
   }
 
diff --git a/libcxx/include/__functional/hash.h b/libcxx/include/__functional/hash.h
@@ -13,6 +13,7 @@
 #include <__cstddef/nullptr_t.h>
 #include <__functional/unary_function.h>
 #include <__fwd/functional.h>
+#include <__memory/addressof.h>
 #include <__type_traits/conjunction.h>
 #include <__type_traits/enable_if.h>
 #include <__type_traits/invoke.h>
@@ -33,7 +34,7 @@ _LIBCPP_BEGIN_NAMESPACE_STD
 template <class _Size>
 inline _LIBCPP_HIDE_FROM_ABI _Size __loadword(const void* __p) {
   _Size __r;
-  std::memcpy(&__r, __p, sizeof(__r));
+  std::memcpy(std::addressof(__r), __p, sizeof(__r));
   return __r;
 }
 
@@ -276,7 +277,7 @@ struct __scalar_hash<_Tp, 2> : public __unary_function<_Tp, size_t> {
       } __s;
     } __u;
     __u.__t = __v;
-    return __murmur2_or_cityhash<size_t>()(&__u, sizeof(__u));
+    return __murmur2_or_cityhash<size_t>()(std::addressof(__u), sizeof(__u));
   }
 };
 
@@ -292,7 +293,7 @@ struct __scalar_hash<_Tp, 3> : public __unary_function<_Tp, size_t> {
       } __s;
     } __u;
     __u.__t = __v;
-    return __murmur2_or_cityhash<size_t>()(&__u, sizeof(__u));
+    return __murmur2_or_cityhash<size_t>()(std::addressof(__u), sizeof(__u));
   }
 };
 
@@ -309,7 +310,7 @@ struct __scalar_hash<_Tp, 4> : public __unary_function<_Tp, size_t> {
       } __s;
     } __u;
     __u.__t = __v;
-    return __murmur2_or_cityhash<size_t>()(&__u, sizeof(__u));
+    return __murmur2_or_cityhash<size_t>()(std::addressof(__u), sizeof(__u));
   }
 };
 
@@ -332,7 +333,7 @@ struct _LIBCPP_TEMPLATE_VIS hash<_Tp*> : public __unary_function<_Tp*, size_t> {
       size_t __a;
     } __u;
     __u.__t = __v;
-    return __murmur2_or_cityhash<size_t>()(&__u, sizeof(__u));
+    return __murmur2_or_cityhash<size_t>()(std::addressof(__u), sizeof(__u));
   }
 };
 
diff --git a/libcxx/include/__iterator/aliasing_iterator.h b/libcxx/include/__iterator/aliasing_iterator.h
@@ -12,6 +12,7 @@
 #include <__config>
 #include <__cstddef/ptrdiff_t.h>
 #include <__iterator/iterator_traits.h>
+#include <__memory/addressof.h>
 #include <__memory/pointer_traits.h>
 #include <__type_traits/is_trivial.h>
 
@@ -102,7 +103,7 @@ struct __aliasing_iterator_wrapper {
 
     _LIBCPP_HIDE_FROM_ABI _Alias operator*() const _NOEXCEPT {
       _Alias __val;
-      __builtin_memcpy(&__val, std::__to_address(__base_), sizeof(value_type));
+      __builtin_memcpy(std::addressof(__val), std::__to_address(__base_), sizeof(value_type));
       return __val;
     }
 
diff --git a/libcxx/include/__locale b/libcxx/include/__locale
@@ -12,6 +12,7 @@
 
 #include <__config>
 #include <__locale_dir/locale_base_api.h>
+#include <__memory/addressof.h>
 #include <__memory/shared_count.h>
 #include <__mutex/once_flag.h>
 #include <__type_traits/make_unsigned.h>
@@ -156,7 +157,7 @@ locale locale::combine(const locale& __other) const {
   if (!std::has_facet<_Facet>(__other))
     std::__throw_runtime_error("locale::combine: locale missing facet");
 
-  return locale(*this, &const_cast<_Facet&>(std::use_facet<_Facet>(__other)));
+  return locale(*this, std::addressof(const_cast<_Facet&>(std::use_facet<_Facet>(__other))));
 }
 
 template <class _Facet>
diff --git a/libcxx/include/__mdspan/layout_left.h b/libcxx/include/__mdspan/layout_left.h
@@ -21,6 +21,7 @@
 #include <__config>
 #include <__fwd/mdspan.h>
 #include <__mdspan/extents.h>
+#include <__memory/addressof.h>
 #include <__type_traits/common_type.h>
 #include <__type_traits/is_constructible.h>
 #include <__type_traits/is_convertible.h>
@@ -58,7 +59,7 @@ class layout_left::mapping {
 
     index_type __prod = __ext.extent(0);
     for (rank_type __r = 1; __r < extents_type::rank(); __r++) {
-      bool __overflowed = __builtin_mul_overflow(__prod, __ext.extent(__r), &__prod);
+      bool __overflowed = __builtin_mul_overflow(__prod, __ext.extent(__r), std::addressof(__prod));
       if (__overflowed)
         return false;
     }
diff --git a/libcxx/include/__mdspan/layout_right.h b/libcxx/include/__mdspan/layout_right.h
@@ -22,6 +22,7 @@
 #include <__cstddef/size_t.h>
 #include <__fwd/mdspan.h>
 #include <__mdspan/extents.h>
+#include <__memory/addressof.h>
 #include <__type_traits/common_type.h>
 #include <__type_traits/is_constructible.h>
 #include <__type_traits/is_convertible.h>
@@ -58,7 +59,7 @@ class layout_right::mapping {
 
     index_type __prod = __ext.extent(0);
     for (rank_type __r = 1; __r < extents_type::rank(); __r++) {
-      bool __overflowed = __builtin_mul_overflow(__prod, __ext.extent(__r), &__prod);
+      bool __overflowed = __builtin_mul_overflow(__prod, __ext.extent(__r), std::addressof(__prod));
       if (__overflowed)
         return false;
     }
diff --git a/libcxx/include/__mdspan/layout_stride.h b/libcxx/include/__mdspan/layout_stride.h
@@ -22,6 +22,7 @@
 #include <__config>
 #include <__fwd/mdspan.h>
 #include <__mdspan/extents.h>
+#include <__memory/addressof.h>
 #include <__type_traits/common_type.h>
 #include <__type_traits/is_constructible.h>
 #include <__type_traits/is_convertible.h>
@@ -86,7 +87,7 @@ class layout_stride::mapping {
 
     index_type __prod = __ext.extent(0);
     for (rank_type __r = 1; __r < __rank_; __r++) {
-      bool __overflowed = __builtin_mul_overflow(__prod, __ext.extent(__r), &__prod);
+      bool __overflowed = __builtin_mul_overflow(__prod, __ext.extent(__r), std::addressof(__prod));
       if (__overflowed)
         return false;
     }
@@ -109,11 +110,12 @@ class layout_stride::mapping {
       }
       if (__ext.extent(__r) == static_cast<index_type>(0))
         return true;
-      index_type __prod     = (__ext.extent(__r) - 1);
-      bool __overflowed_mul = __builtin_mul_overflow(__prod, static_cast<index_type>(__strides[__r]), &__prod);
+      index_type __prod = (__ext.extent(__r) - 1);
+      bool __overflowed_mul =
+          __builtin_mul_overflow(__prod, static_cast<index_type>(__strides[__r]), std::addressof(__prod));
       if (__overflowed_mul)
         return false;
-      bool __overflowed_add = __builtin_add_overflow(__size, __prod, &__size);
+      bool __overflowed_add = __builtin_add_overflow(__size, __prod, std::addressof(__size));
       if (__overflowed_add)
         return false;
     }
diff --git a/libcxx/include/__mdspan/mdspan.h b/libcxx/include/__mdspan/mdspan.h
@@ -22,6 +22,7 @@
 #include <__fwd/mdspan.h>
 #include <__mdspan/default_accessor.h>
 #include <__mdspan/extents.h>
+#include <__memory/addressof.h>
 #include <__type_traits/extent.h>
 #include <__type_traits/is_abstract.h>
 #include <__type_traits/is_array.h>
@@ -215,7 +216,7 @@ class mdspan {
     _LIBCPP_ASSERT_UNCATEGORIZED(
         false == ([&]<size_t... _Idxs>(index_sequence<_Idxs...>) {
           size_type __prod = 1;
-          return (__builtin_mul_overflow(__prod, extent(_Idxs), &__prod) || ... || false);
+          return (__builtin_mul_overflow(__prod, extent(_Idxs), std::addressof(__prod)) || ... || false);
         }(make_index_sequence<rank()>())),
         "mdspan: size() is not representable as size_type");
     return [&]<size_t... _Idxs>(index_sequence<_Idxs...>) {
diff --git a/libcxx/include/__memory/shared_count.h b/libcxx/include/__memory/shared_count.h
@@ -10,6 +10,7 @@
 #define _LIBCPP___MEMORY_SHARED_COUNT_H
 
 #include <__config>
+#include <__memory/addressof.h>
 #include <typeinfo>
 
 #if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER)
@@ -52,7 +53,7 @@ inline _LIBCPP_HIDE_FROM_ABI _ValueType __libcpp_acquire_load(_ValueType const*
 template <class _Tp>
 inline _LIBCPP_HIDE_FROM_ABI _Tp __libcpp_atomic_refcount_increment(_Tp& __t) _NOEXCEPT {
 #if _LIBCPP_HAS_BUILTIN_ATOMIC_SUPPORT && _LIBCPP_HAS_THREADS
-  return __atomic_add_fetch(&__t, 1, __ATOMIC_RELAXED);
+  return __atomic_add_fetch(std::addressof(__t), 1, __ATOMIC_RELAXED);
 #else
   return __t += 1;
 #endif
@@ -61,7 +62,7 @@ inline _LIBCPP_HIDE_FROM_ABI _Tp __libcpp_atomic_refcount_increment(_Tp& __t) _N
 template <class _Tp>
 inline _LIBCPP_HIDE_FROM_ABI _Tp __libcpp_atomic_refcount_decrement(_Tp& __t) _NOEXCEPT {
 #if _LIBCPP_HAS_BUILTIN_ATOMIC_SUPPORT && _LIBCPP_HAS_THREADS
-  return __atomic_add_fetch(&__t, -1, __ATOMIC_ACQ_REL);
+  return __atomic_add_fetch(std::addressof(__t), -1, __ATOMIC_ACQ_REL);
 #else
   return __t -= 1;
 #endif
diff --git a/libcxx/include/__ostream/basic_ostream.h b/libcxx/include/__ostream/basic_ostream.h
@@ -15,6 +15,7 @@
 
 #  include <__exception/operations.h>
 #  include <__fwd/memory.h>
+#  include <__memory/addressof.h>
 #  include <__memory/unique_ptr.h>
 #  include <__new/exceptions.h>
 #  include <__ostream/put_character_sequence.h>
@@ -339,7 +340,7 @@ basic_ostream<_CharT, _Traits>& basic_ostream<_CharT, _Traits>::operator<<(const
 
 template <class _CharT, class _Traits>
 _LIBCPP_HIDE_FROM_ABI basic_ostream<_CharT, _Traits>& operator<<(basic_ostream<_CharT, _Traits>& __os, _CharT __c) {
-  return std::__put_character_sequence(__os, &__c, 1);
+  return std::__put_character_sequence(__os, std::addressof(__c), 1);
 }
 
 template <class _CharT, class _Traits>
@@ -353,9 +354,9 @@ _LIBCPP_HIDE_FROM_ABI basic_ostream<_CharT, _Traits>& operator<<(basic_ostream<_
       typedef ostreambuf_iterator<_CharT, _Traits> _Ip;
       if (std::__pad_and_output(
               _Ip(__os),
-              &__c,
-              (__os.flags() & ios_base::adjustfield) == ios_base::left ? &__c + 1 : &__c,
-              &__c + 1,
+              std::addressof(__c),
+              std::addressof(__c) + (((__os.flags() & ios_base::adjustfield) == ios_base::left) ? 1 : 0),
+              std::addressof(__c) + 1,
               __os,
               __os.fill())
               .failed())
diff --git a/libcxx/include/__split_buffer b/libcxx/include/__split_buffer
@@ -233,7 +233,7 @@ _LIBCPP_CONSTEXPR_SINCE_CXX20 bool __split_buffer<_Tp, _Allocator>::__invariants
 //  Postcondition:  size() == size() + __n
 template <class _Tp, class _Allocator>
 _LIBCPP_CONSTEXPR_SINCE_CXX20 void __split_buffer<_Tp, _Allocator>::__construct_at_end(size_type __n) {
-  _ConstructTransaction __tx(&this->__end_, __n);
+  _ConstructTransaction __tx(std::addressof(this->__end_), __n);
   for (; __tx.__pos_ != __tx.__end_; ++__tx.__pos_) {
     __alloc_traits::construct(__alloc_, std::__to_address(__tx.__pos_));
   }
@@ -248,7 +248,7 @@ _LIBCPP_CONSTEXPR_SINCE_CXX20 void __split_buffer<_Tp, _Allocator>::__construct_
 template <class _Tp, class _Allocator>
 _LIBCPP_CONSTEXPR_SINCE_CXX20 void
 __split_buffer<_Tp, _Allocator>::__construct_at_end(size_type __n, const_reference __x) {
-  _ConstructTransaction __tx(&this->__end_, __n);
+  _ConstructTransaction __tx(std::addressof(this->__end_), __n);
   for (; __tx.__pos_ != __tx.__end_; ++__tx.__pos_) {
     __alloc_traits::construct(__alloc_, std::__to_address(__tx.__pos_), __x);
   }
@@ -283,7 +283,7 @@ template <class _Tp, class _Allocator>
 template <class _ForwardIterator>
 _LIBCPP_CONSTEXPR_SINCE_CXX20 void
 __split_buffer<_Tp, _Allocator>::__construct_at_end_with_size(_ForwardIterator __first, size_type __n) {
-  _ConstructTransaction __tx(&this->__end_, __n);
+  _ConstructTransaction __tx(std::addressof(this->__end_), __n);
   for (; __tx.__pos_ != __tx.__end_; ++__tx.__pos_, (void)++__first) {
     __alloc_traits::construct(__alloc_, std::__to_address(__tx.__pos_), *__first);
   }
diff --git a/libcxx/include/__stop_token/intrusive_shared_ptr.h b/libcxx/include/__stop_token/intrusive_shared_ptr.h
@@ -14,6 +14,7 @@
 #include <__atomic/memory_order.h>
 #include <__config>
 #include <__cstddef/nullptr_t.h>
+#include <__memory/addressof.h>
 #include <__type_traits/is_reference.h>
 #include <__utility/move.h>
 #include <__utility/swap.h>
@@ -113,7 +114,7 @@ struct __intrusive_shared_ptr {
 
   _LIBCPP_HIDE_FROM_ABI static void __decrement_ref_count(_Tp& __obj) {
     if (__get_atomic_ref_count(__obj).fetch_sub(1, std::memory_order_acq_rel) == 1) {
-      delete &__obj;
+      delete std::addressof(__obj);
     }
   }
 
diff --git a/libcxx/include/__string/constexpr_c_functions.h b/libcxx/include/__string/constexpr_c_functions.h
@@ -146,7 +146,7 @@ _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX14 _Tp* __constexpr_memchr(_Tp*
     return nullptr;
   } else {
     char __value_buffer = 0;
-    __builtin_memcpy(&__value_buffer, &__value, sizeof(char));
+    __builtin_memcpy(&__value_buffer, std::addressof(__value), sizeof(char));
     return static_cast<_Tp*>(__builtin_memchr(__str, __value_buffer, __count));
   }
 }
diff --git a/libcxx/include/__thread/thread.h b/libcxx/include/__thread/thread.h
@@ -16,6 +16,7 @@
 #include <__exception/terminate.h>
 #include <__functional/hash.h>
 #include <__functional/unary_function.h>
+#include <__memory/addressof.h>
 #include <__memory/unique_ptr.h>
 #include <__mutex/mutex.h>
 #include <__system_error/throw_system_error.h>
@@ -215,7 +216,7 @@ thread::thread(_Fp&& __f, _Args&&... __args) {
   _TSPtr __tsp(new __thread_struct);
   typedef tuple<_TSPtr, __decay_t<_Fp>, __decay_t<_Args>...> _Gp;
   unique_ptr<_Gp> __p(new _Gp(std::move(__tsp), std::forward<_Fp>(__f), std::forward<_Args>(__args)...));
-  int __ec = std::__libcpp_thread_create(&__t_, &__thread_proxy<_Gp>, __p.get());
+  int __ec = std::__libcpp_thread_create(&__t_, std::addressof(__thread_proxy<_Gp>), __p.get());
   if (__ec == 0)
     __p.release();
   else
diff --git a/libcxx/include/cwchar b/libcxx/include/cwchar
@@ -107,6 +107,7 @@ size_t wcsrtombs(char* restrict dst, const wchar_t** restrict src, size_t len,
 #else
 #  include <__config>
 #  include <__cstddef/size_t.h>
+#  include <__memory/addressof.h>
 #  include <__type_traits/copy_cv.h>
 #  include <__type_traits/is_constant_evaluated.h>
 #  include <__type_traits/is_equality_comparable.h>
@@ -237,7 +238,7 @@ _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX14 _Tp* __constexpr_wmemchr(_Tp
 #  if __has_builtin(__builtin_wmemchr)
   if (!__libcpp_is_constant_evaluated()) {
     wchar_t __value_buffer = 0;
-    __builtin_memcpy(&__value_buffer, &__value, sizeof(wchar_t));
+    __builtin_memcpy(&__value_buffer, std::addressof(__value), sizeof(wchar_t));
     return reinterpret_cast<_Tp*>(
         __builtin_wmemchr(reinterpret_cast<__copy_cv_t<_Tp, wchar_t>*>(__str), __value_buffer, __count));
   }
diff --git a/libcxx/include/fstream b/libcxx/include/fstream
diff --git a/libcxx/include/future b/libcxx/include/future
diff --git a/libcxx/include/locale b/libcxx/include/locale
diff --git a/libcxx/include/regex b/libcxx/include/regex
diff --git a/libcxx/include/string b/libcxx/include/string

Original file line number	Diff line number	Diff line change
`@@ -363,7 +363,7 @@ struct atomic<_Tp> : __atomic_base<_Tp> {`
`363`	`363`	`// https://github.com/llvm/llvm-project/issues/47978`
`364`	`364`	`// clang bug: __old is not updated on failure for atomic<long double>::compare_exchange_weak`
`365`	`365`	`// Note __old = __self.load(memory_order_relaxed) will not work`
`366`		`- std::__cxx_atomic_load_inplace(std::addressof(__self.__a_), &__old, memory_order_relaxed);`
	`366`	`+ std::__cxx_atomic_load_inplace(std::addressof(__self.__a_), std::addressof(__old), memory_order_relaxed);`
`367`	`367`	`}`
`368`	`368`	`# endif`
`369`	`369`	`__new = __operation(__old, __operand);`