This is an archive of the discontinued LLVM Phabricator instance.

Differential D49901

[analyzer] Extend NoStoreFuncVisitor to recursively follow fields
ClosedPublic

Authored by george.karpenkov on Jul 26 2018, 7:19 PM.

Details

Reviewers
dcoughlin
NoQ
Commits
rG1d08c51ee56d: [analyzer] Extend NoStoreFuncVisitor to follow fields.
rC338667: [analyzer] Extend NoStoreFuncVisitor to follow fields.
rL338667: [analyzer] Extend NoStoreFuncVisitor to follow fields.
Summary

It's probably worth to refactor a machinery for finding a path to a particular region from a particular region into a common subroutine.

rdar://39701823

Diff Detail

Repository
rL LLVM

Event Timeline

george.karpenkov created this revision.Jul 26 2018, 7:19 PM
Herald added subscribers: mikhail.ramalho, a.sidorin, szepet and 2 others. · View Herald TranscriptJul 26 2018, 7:19 PM
george.karpenkov added parent revisions: D49772: [analyzer] [NFC] Simplify some visitors by giving a convenient getter from state to analysis manager, D49701: [ASTMatchers] Introduce a matcher for `ObjCIvarExpr`, support getting it's declaration.Jul 26 2018, 7:19 PM
george.karpenkov added a parent revision: D49689: [analyzer] Extend NoStoreFuncVisitor to insert a note on IVars.
george.karpenkov updated this revision to Diff 157823.Jul 27 2018, 6:20 PM
george.karpenkov updated this revision to Diff 157824.
george.karpenkov edited the summary of this revision. (Show Details)
george.karpenkov edited parent revisions, added: D49951: [AST] [NFC] Add a convenient getter from QualType to RecordDecl; removed: D49689: [analyzer] Extend NoStoreFuncVisitor to insert a note on IVars, D49701: [ASTMatchers] Introduce a matcher for `ObjCIvarExpr`, support getting it's declaration.Jul 27 2018, 6:31 PM
george.karpenkov updated this revision to Diff 157825.Jul 27 2018, 6:38 PM
george.karpenkov updated this revision to Diff 157826.
george.karpenkov added a subscriber: Szelethus.Jul 30 2018, 10:07 AM
george.karpenkov added inline comments.
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
398 ↗(On Diff #157826)

@Szelethus the code below does pointer-chasing and tries to find a chain of regions from an input region to the region of interest.
Do you think it would make sense to extract in and share with your checker?

george.karpenkov updated this revision to Diff 158028.Jul 30 2018, 11:42 AM
george.karpenkov added a parent revision: D49998: [analyzer] Store ValueDecl in DeclRegion.
NoQ requested changes to this revision.Jul 30 2018, 4:13 PM

Looks great! Marking as "requested changes" as per repeated requests from the working class.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
294–296 ↗(On Diff #158028)

This would need a rebase after an update to D49772.

326–331 ↗(On Diff #158028)

Hmm, shouldn't we also verify that the receiver is the super-region of the region of interest, like we do in other places?

350–351 ↗(On Diff #158028)

I think you should use my new function, Call->getAdjustedParameterIndex(I), that's added in D49715, because parameters and arguments aren't always in sync. Then you also don't have to check parameters explicitly.

390 ↗(On Diff #158028)

Maybe let's add a TODO to warn people that we're passing vectors around quadratically?

462 ↗(On Diff #158028)

Let's instead cast it to ImplicitParamDecl and check its kind, just to be sure.

598 ↗(On Diff #158028)

I'm not sure i understand this comment.

398 ↗(On Diff #157826)

+

This revision now requires changes to proceed.Jul 30 2018, 4:13 PM
george.karpenkov updated this revision to Diff 158141.Jul 30 2018, 5:36 PM
george.karpenkov marked 4 inline comments as done.
NoQ requested changes to this revision.Jul 30 2018, 6:14 PM

Looks good, apart from waiting on D49715 for getAdjustedParameterIndex().

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
330–332 ↗(On Diff #158141)

Let's re-order the checks. The isSubRegionOf() check is cheaper.

This revision now requires changes to proceed.Jul 30 2018, 6:14 PM
NoQ added a parent revision: D49715: [analyzer] CallEvent: Add partially working methods for obtaining the callee stack frame..Jul 30 2018, 6:15 PM
Szelethus added a comment.Jul 31 2018, 3:54 AM

Is something like this worth adding to the C++ test file?

struct HasRefToItself {
  HasRefToItself &Ref; // no infinite loop
  int &z;
  HasRefToItself(int &z) : Ref(*this), z(z) {}
};

Maybe a list-like struct that has a cycle?

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
398 ↗(On Diff #157826)

Whoo, thanks for tagging me! Sadly I have little knowledge about visitors so I can't add anything meaningful to the conversation just yet, but I really like what I'm seeing in this function. I'll definitely take a look how I could incorporate this into my checker, as pointer handling is kind of a mess there.

george.karpenkov added a comment.Jul 31 2018, 10:51 AM

Is something like this worth adding to the C++ test file?

We limit the recursion depth to 1 for fields, so it won't dereference fields more than once. It could be still worthwhile to have this test to make sure this condition does not break.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
390 ↗(On Diff #158028)

I'll add a note. It's not an issue if our vectors are of size <= 2, and for a bigger size we'll have other problems first.

462 ↗(On Diff #158028)

OK. Probably deserves a separate matcher.

398 ↗(On Diff #157826)

@Szelethus the fact that it's in the visitor is immaterial here, I'm just talking about the function findRegionOfInterestInRecord.
Basically, it tries to solve a (subset) of the problem of "whether there's a path from region A to region B".
The output should either be "no path" or a sequence of regions denoting a path.

In a broad sense, that's a breadth-first-search where possible operations are

  • Dereferencing the region
  • Looking for subregions
  • Going through the fields
  • Going through superclasses

That seems too expensive though, so here we only dereference fields twice.

george.karpenkov updated this revision to Diff 158587.Aug 1 2018, 11:34 AM
george.karpenkov marked 2 inline comments as done.
george.karpenkov added inline comments.
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
330–332 ↗(On Diff #158141)

it depends, but OK

350–351 ↗(On Diff #158028)

I don't understand the semantics if the optional is empty. What then?

NoQ added inline comments.Aug 1 2018, 5:29 PM
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
350–351 ↗(On Diff #158028)

If the optional is empty, then the argument doesn't correspond to any parameter. For example, CXXOperatorCallExpr takes this-argument as an explicit argument, but CXXMethodDecl of a member operator doesn't take it as a parameter, but treats it as an implicit parameter instead, so no valid index into parameters() can be returned.

NoQ accepted this revision.Aug 1 2018, 5:32 PM

Looks good!

This revision is now accepted and ready to land.Aug 1 2018, 5:32 PM
Closed by commit rL338667: [analyzer] Extend NoStoreFuncVisitor to follow fields. (authored by george.karpenkov). · Explain WhyAug 1 2018, 7:03 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptAug 1 2018, 7:03 PM
NoQ added inline comments.Aug 2 2018, 3:13 PM
cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
354–356

Uhm! I realized that i was wrong about this one. You don't need the adjustment when iterating through CallEvent arguments; you only need it when iterating through CallExpr arguments, which are also conveniently shifted against each other.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
338 lines
test/
Analysis/
diagnostics/
20 lines
164 lines
32 lines

Diff 158679

cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 263 Lines▼ Show 20 Lines
namespace { namespace {
/// Put a diagnostic on return statement of all inlined functions /// Put a diagnostic on return statement of all inlined functions
/// for which the region of interest \p RegionOfInterest was passed into, /// for which the region of interest \p RegionOfInterest was passed into,
/// but not written inside, and it has caused an undefined read or a null /// but not written inside, and it has caused an undefined read or a null
/// pointer dereference outside. /// pointer dereference outside.
class NoStoreFuncVisitor final : public BugReporterVisitor { class NoStoreFuncVisitor final : public BugReporterVisitor {
const SubRegion *RegionOfInterest; const SubRegion *RegionOfInterest;
MemRegionManager &MmrMgr;
const SourceManager &SM; const SourceManager &SM;
const PrintingPolicy &PP; const PrintingPolicy &PP;
static constexpr const char *DiagnosticsMsg =
"Returning without writing to '"; /// Recursion limit for dereferencing fields when looking for the
/// region of interest.
/// The limit of two indicates that we will dereference fields only once.
static const unsigned DEREFERENCE_LIMIT = 2;
/// Frames writing into \c RegionOfInterest. /// Frames writing into \c RegionOfInterest.
/// This visitor generates a note only if a function does not write into /// This visitor generates a note only if a function does not write into
/// a region of interest. This information is not immediately available /// a region of interest. This information is not immediately available
/// by looking at the node associated with the exit from the function /// by looking at the node associated with the exit from the function
/// (usually the return statement). To avoid recomputing the same information /// (usually the return statement). To avoid recomputing the same information
/// many times (going up the path for each node and checking whether the /// many times (going up the path for each node and checking whether the
/// region was written into) we instead lazily compute the /// region was written into) we instead lazily compute the
/// stack frames along the path which write into the region of interest. /// stack frames along the path which write into the region of interest.
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion; llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion;
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated; llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;
using RegionVector = SmallVector<const MemRegion *, 5>;
public: public:
NoStoreFuncVisitor(const SubRegion *R) NoStoreFuncVisitor(const SubRegion *R)
: RegionOfInterest(R), : RegionOfInterest(R), MmrMgr(*R->getMemRegionManager()),
SM(R->getMemRegionManager()->getContext().getSourceManager()), SM(MmrMgr.getContext().getSourceManager()),
PP(R->getMemRegionManager()->getContext().getPrintingPolicy()) {} PP(MmrMgr.getContext().getPrintingPolicy()) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { void Profile(llvm::FoldingSetNodeID &ID) const override {
static int Tag = 0; static int Tag = 0;
ID.AddPointer(&Tag); ID.AddPointer(&Tag);
ID.AddPointer(RegionOfInterest);
} }
std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N, std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN, const ExplodedNode *PrevN,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &BR) override { BugReport &BR) override {
const LocationContext *Ctx = N->getLocationContext(); const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame(); const StackFrameContext *SCtx = Ctx->getStackFrame();
ProgramStateRef State = N->getState(); ProgramStateRef State = N->getState();
auto CallExitLoc = N->getLocationAs<CallExitBegin>(); auto CallExitLoc = N->getLocationAs<CallExitBegin>();
// No diagnostic if region was modified inside the frame. // No diagnostic if region was modified inside the frame.
if (!CallExitLoc) if (!CallExitLoc || isRegionOfInterestModifiedInFrame(N))
return nullptr; return nullptr;
CallEventRef<> Call = CallEventRef<> Call =
BRC.getStateManager().getCallEventManager().getCaller(SCtx, State); BRC.getStateManager().getCallEventManager().getCaller(SCtx, State);
if (SM.isInSystemHeader(Call->getDecl()->getSourceRange().getBegin()))
return nullptr;
// Region of interest corresponds to an IVar, exiting a method // Region of interest corresponds to an IVar, exiting a method
// which could have written into that IVar, but did not. // which could have written into that IVar, but did not.
if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) {
if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) {
if (potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(), const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion();
IvarR->getDecl()) && if (RegionOfInterest->isSubRegionOf(SelfRegion) &&
!isRegionOfInterestModifiedInFrame(N)) potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(),
return notModifiedMemberDiagnostics( IvarR->getDecl()))
Ctx, *CallExitLoc, Call, MC->getReceiverSVal().getAsRegion()); return notModifiedDiagnostics(Ctx, *CallExitLoc, Call, {}, SelfRegion,
"self", /*FirstIsReferenceType=*/false,
1);
}
}
if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) { if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) {
const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion(); const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(ThisR) if (RegionOfInterest->isSubRegionOf(ThisR)
&& !CCall->getDecl()->isImplicit() && !CCall->getDecl()->isImplicit())
&& !isRegionOfInterestModifiedInFrame(N)) return notModifiedDiagnostics(Ctx, *CallExitLoc, Call, {}, ThisR,
return notModifiedMemberDiagnostics(Ctx, *CallExitLoc, Call, ThisR); "this",
/*FirstIsReferenceType=*/false, 1);
// Do not generate diagnostics for not modified parameters in
// constructors.
return nullptr;
} }
ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call); ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call);
for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) { for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) {
const ParmVarDecl *PVD = parameters[I]; Optional<unsigned> AdjustedIdx = Call->getAdjustedParameterIndex(I);
if (!AdjustedIdx)
continue;
NoQUnsubmitted
Not Done
ReplyInline Actions

Uhm! I realized that i was wrong about this one. You don't need the adjustment when iterating through CallEvent arguments; you only need it when iterating through CallExpr arguments, which are also conveniently shifted against each other.

NoQ: Uhm! I realized that i was wrong about this one. You don't need the adjustment when iterating…
const ParmVarDecl *PVD = parameters[*AdjustedIdx];
SVal S = Call->getArgSVal(I); SVal S = Call->getArgSVal(I);
unsigned IndirectionLevel = 1; bool ParamIsReferenceType = PVD->getType()->isReferenceType();
std::string ParamName = PVD->getNameAsString();
int IndirectionLevel = 1;
QualType T = PVD->getType(); QualType T = PVD->getType();
while (const MemRegion *R = S.getAsRegion()) { while (const MemRegion *R = S.getAsRegion()) {
if (RegionOfInterest->isSubRegionOf(R) if (RegionOfInterest->isSubRegionOf(R) && !isPointerToConst(T))
&& !isPointerToConst(PVD->getType())) { return notModifiedDiagnostics(Ctx, *CallExitLoc, Call, {}, R,
ParamName, ParamIsReferenceType,
IndirectionLevel);
if (isRegionOfInterestModifiedInFrame(N))
return nullptr;
return notModifiedParameterDiagnostics(
Ctx, *CallExitLoc, Call, PVD, R, IndirectionLevel);
}
QualType PT = T->getPointeeType(); QualType PT = T->getPointeeType();
if (PT.isNull() || PT->isVoidType()) break; if (PT.isNull() || PT->isVoidType()) break;
if (const RecordDecl *RD = PT->getAsRecordDecl())
if (auto P = findRegionOfInterestInRecord(RD, State, R))
return notModifiedDiagnostics(
Ctx, *CallExitLoc, Call, *P, RegionOfInterest, ParamName,
ParamIsReferenceType, IndirectionLevel);
S = State->getSVal(R, PT); S = State->getSVal(R, PT);
T = PT; T = PT;
IndirectionLevel++; IndirectionLevel++;
} }
} }
return nullptr; return nullptr;
} }
private: private:
/// Attempts to find the region of interest in a given CXX decl,
/// by either following the base classes or fields.
/// Dereferences fields up to a given recursion limit.
/// Note that \p Vec is passed by value, leading to quadratic copying cost,
/// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT.
/// \return A chain fields leading to the region of interest or None.
const Optional<RegionVector>
findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State,
const MemRegion *R,
RegionVector Vec = {},
int depth = 0) {
if (depth == DEREFERENCE_LIMIT) // Limit the recursion depth.
return None;
if (const auto *RDX = dyn_cast<CXXRecordDecl>(RD))
if (!RDX->hasDefinition())
return None;
// Recursively examine the base classes.
// Note that following base classes does not increase the recursion depth.
if (const auto *RDX = dyn_cast<CXXRecordDecl>(RD))
for (const auto II : RDX->bases())
if (const RecordDecl *RRD = II.getType()->getAsRecordDecl())
if (auto Out = findRegionOfInterestInRecord(RRD, State, R, Vec, depth))
return Out;
for (const FieldDecl *I : RD->fields()) {
QualType FT = I->getType();
const FieldRegion *FR = MmrMgr.getFieldRegion(I, cast<SubRegion>(R));
const SVal V = State->getSVal(FR);
const MemRegion *VR = V.getAsRegion();
RegionVector VecF = Vec;
VecF.push_back(FR);
if (RegionOfInterest == VR)
return VecF;
if (const RecordDecl *RRD = FT->getAsRecordDecl())
if (auto Out =
findRegionOfInterestInRecord(RRD, State, FR, VecF, depth + 1))
return Out;
QualType PT = FT->getPointeeType();
if (PT.isNull() || PT->isVoidType() || !VR) continue;
if (const RecordDecl *RRD = PT->getAsRecordDecl())
if (auto Out =
findRegionOfInterestInRecord(RRD, State, VR, VecF, depth + 1))
return Out;
}
return None;
}
/// \return Whether the method declaration \p Parent /// \return Whether the method declaration \p Parent
/// syntactically has a binary operation writing into the ivar \p Ivar. /// syntactically has a binary operation writing into the ivar \p Ivar.
bool potentiallyWritesIntoIvar(const Decl *Parent, bool potentiallyWritesIntoIvar(const Decl *Parent,
const ObjCIvarDecl *Ivar) { const ObjCIvarDecl *Ivar) {
using namespace ast_matchers; using namespace ast_matchers;
if (!Parent || !Parent->getBody()) const char * IvarBind = "Ivar";
if (!Parent || !Parent->hasBody())
return false; return false;
StatementMatcher WriteIntoIvarM = binaryOperator( StatementMatcher WriteIntoIvarM = binaryOperator(
hasOperatorName("="), hasLHS(ignoringParenImpCasts(objcIvarRefExpr( hasOperatorName("="),
hasDeclaration(equalsNode(Ivar)))))); hasLHS(ignoringParenImpCasts(
objcIvarRefExpr(hasDeclaration(equalsNode(Ivar))).bind(IvarBind))));
StatementMatcher ParentM = stmt(hasDescendant(WriteIntoIvarM)); StatementMatcher ParentM = stmt(hasDescendant(WriteIntoIvarM));
auto Matches = match(ParentM, *Parent->getBody(), Parent->getASTContext()); auto Matches = match(ParentM, *Parent->getBody(), Parent->getASTContext());
return !Matches.empty(); for (BoundNodes &Match : Matches) {
auto IvarRef = Match.getNodeAs<ObjCIvarRefExpr>(IvarBind);
if (IvarRef->isFreeIvar())
return true;
const Expr *Base = IvarRef->getBase();
if (const auto *ICE = dyn_cast<ImplicitCastExpr>(Base))
Base = ICE->getSubExpr();
if (const auto *DRE = dyn_cast<DeclRefExpr>(Base))
if (const auto *ID = dyn_cast<ImplicitParamDecl>(DRE->getDecl()))
if (ID->getParameterKind() == ImplicitParamDecl::ObjCSelf)
return true;
return false;
}
return false;
} }
/// Check and lazily calculate whether the region of interest is /// Check and lazily calculate whether the region of interest is
/// modified in the stack frame to which \p N belongs. /// modified in the stack frame to which \p N belongs.
/// The calculation is cached in FramesModifyingRegion. /// The calculation is cached in FramesModifyingRegion.
bool isRegionOfInterestModifiedInFrame(const ExplodedNode *N) { bool isRegionOfInterestModifiedInFrame(const ExplodedNode *N) {
const LocationContext *Ctx = N->getLocationContext(); const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame(); const StackFrameContext *SCtx = Ctx->getStackFrame();
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesprivate:
/// Get parameters associated with runtime definition in order /// Get parameters associated with runtime definition in order
/// to get the correct parameter name. /// to get the correct parameter name.
ArrayRef<ParmVarDecl *> getCallParameters(CallEventRef<> Call) { ArrayRef<ParmVarDecl *> getCallParameters(CallEventRef<> Call) {
// Use runtime definition, if available. // Use runtime definition, if available.
RuntimeDefinition RD = Call->getRuntimeDefinition(); RuntimeDefinition RD = Call->getRuntimeDefinition();
if (const auto *FD = dyn_cast_or_null<FunctionDecl>(RD.getDecl())) if (const auto *FD = dyn_cast_or_null<FunctionDecl>(RD.getDecl()))
return FD->parameters(); return FD->parameters();
if (const auto *MD = dyn_cast_or_null<ObjCMethodDecl>(RD.getDecl()))
return MD->parameters();
return Call->parameters(); return Call->parameters();
} }
/// \return whether \p Ty points to a const type, or is a const reference. /// \return whether \p Ty points to a const type, or is a const reference.
bool isPointerToConst(QualType Ty) { bool isPointerToConst(QualType Ty) {
return !Ty->getPointeeType().isNull() && return !Ty->getPointeeType().isNull() &&
Ty->getPointeeType().getCanonicalType().isConstQualified(); Ty->getPointeeType().getCanonicalType().isConstQualified();
} }
/// \return Diagnostics piece for the member field not modified /// \return Diagnostics piece for region not modified in the current function.
/// in a given function. std::shared_ptr<PathDiagnosticPiece>
std::shared_ptr<PathDiagnosticPiece> notModifiedMemberDiagnostics( notModifiedDiagnostics(const LocationContext *Ctx,
const LocationContext *Ctx,
CallExitBegin &CallExitLoc, CallExitBegin &CallExitLoc,
CallEventRef<> Call, CallEventRef<> Call,
const MemRegion *ArgRegion) { RegionVector FieldChain,
const char *TopRegionName = isa<ObjCMethodCall>(Call) ? "self" : "this"; const MemRegion *MatchedRegion,
SmallString<256> sbuf; StringRef FirstElement,
llvm::raw_svector_ostream os(sbuf); bool FirstIsReferenceType,
os << DiagnosticsMsg; unsigned IndirectionLevel) {
bool out = prettyPrintRegionName(TopRegionName, "->", /*IsReference=*/true,
/*IndirectionLevel=*/1, ArgRegion, os, PP);
// Return nothing if we have failed to pretty-print.
if (!out)
return nullptr;
os << "'"; PathDiagnosticLocation L;
PathDiagnosticLocation L = if (const ReturnStmt *RS = CallExitLoc.getReturnStmt()) {
getPathDiagnosticLocation(CallExitLoc.getReturnStmt(), SM, Ctx, Call); L = PathDiagnosticLocation::createBegin(RS, SM, Ctx);
return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); } else {
L = PathDiagnosticLocation(
Call->getRuntimeDefinition().getDecl()->getSourceRange().getEnd(),
SM);
} }
/// \return Diagnostics piece for the parameter \p PVD not modified
/// in a given function.
/// \p IndirectionLevel How many times \c ArgRegion has to be dereferenced
/// before we get to the super region of \c RegionOfInterest
std::shared_ptr<PathDiagnosticPiece>
notModifiedParameterDiagnostics(const LocationContext *Ctx,
CallExitBegin &CallExitLoc,
CallEventRef<> Call,
const ParmVarDecl *PVD,
const MemRegion *ArgRegion,
unsigned IndirectionLevel) {
PathDiagnosticLocation L = getPathDiagnosticLocation(
CallExitLoc.getReturnStmt(), SM, Ctx, Call);
SmallString<256> sbuf; SmallString<256> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
os << DiagnosticsMsg; os << "Returning without writing to '";
bool IsReference = PVD->getType()->isReferenceType(); prettyPrintRegionName(FirstElement, FirstIsReferenceType, MatchedRegion,
const char *Sep = IsReference && IndirectionLevel == 1 ? "." : "->"; FieldChain, IndirectionLevel, os);
bool Success = prettyPrintRegionName(
PVD->getQualifiedNameAsString().c_str(),
Sep, IsReference, IndirectionLevel, ArgRegion, os, PP);
// Print the parameter name if the pretty-printing has failed.
if (!Success)
PVD->printQualifiedName(os);
os << "'"; os << "'";
return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); return std::make_shared<PathDiagnosticEventPiece>(L, os.str());
} }
/// \return a path diagnostic location for the optionally /// Pretty-print region \p MatchedRegion to \p os.
/// present return statement \p RS. void prettyPrintRegionName(StringRef FirstElement, bool FirstIsReferenceType,
PathDiagnosticLocation getPathDiagnosticLocation(const ReturnStmt *RS, const MemRegion *MatchedRegion,
const SourceManager &SM, RegionVector FieldChain, int IndirectionLevel,
const LocationContext *Ctx, llvm::raw_svector_ostream &os) {
CallEventRef<> Call) {
if (RS) if (FirstIsReferenceType)
return PathDiagnosticLocation::createBegin(RS, SM, Ctx); IndirectionLevel--;
return PathDiagnosticLocation(
Call->getRuntimeDefinition().getDecl()->getSourceRange().getEnd(), SM); RegionVector RegionSequence;
}
// Add the regions in the reverse order, then reverse the resulting array.
/// Pretty-print region \p ArgRegion starting from parent to \p os. assert(RegionOfInterest->isSubRegionOf(MatchedRegion));
/// \return whether printing has succeeded
bool prettyPrintRegionName(StringRef TopRegionName,
StringRef Sep,
bool IsReference,
int IndirectionLevel,
const MemRegion *ArgRegion,
llvm::raw_svector_ostream &os,
const PrintingPolicy &PP) {
SmallVector<const MemRegion *, 5> Subregions;
const MemRegion *R = RegionOfInterest; const MemRegion *R = RegionOfInterest;
while (R != ArgRegion) { while (R != MatchedRegion) {
if (!(isa<FieldRegion>(R) || isa<CXXBaseObjectRegion>(R) || RegionSequence.push_back(R);
isa<ObjCIvarRegion>(R)))
return false; // Pattern-matching failed.
Subregions.push_back(R);
R = cast<SubRegion>(R)->getSuperRegion(); R = cast<SubRegion>(R)->getSuperRegion();
} }
bool IndirectReference = !Subregions.empty(); std::reverse(RegionSequence.begin(), RegionSequence.end());
RegionSequence.append(FieldChain.begin(), FieldChain.end());
if (IndirectReference) StringRef Sep;
IndirectionLevel--; // Due to "->" symbol. for (const MemRegion *R : RegionSequence) {
if (IsReference) // Just keep going up to the base region.
IndirectionLevel--; // Due to reference semantics. if (isa<CXXBaseObjectRegion>(R) || isa<CXXTempObjectRegion>(R))
continue;
bool ShouldSurround = IndirectReference && IndirectionLevel > 0; if (Sep.empty())
Sep = prettyPrintFirstElement(FirstElement,
/*MoreItemsExpected=*/true,
IndirectionLevel, os);
if (ShouldSurround) os << Sep;
const auto *DR = cast<DeclRegion>(R);
Sep = DR->getValueType()->isAnyPointerType() ? "->" : ".";
DR->getDecl()->getDeclName().print(os, PP);
}
if (Sep.empty())
prettyPrintFirstElement(FirstElement,
/*MoreItemsExpected=*/false, IndirectionLevel,
os);
}
/// Print first item in the chain, return new separator.
StringRef prettyPrintFirstElement(StringRef FirstElement,
bool MoreItemsExpected,
int IndirectionLevel,
llvm::raw_svector_ostream &os) {
StringRef Out = ".";
if (IndirectionLevel > 0 && MoreItemsExpected) {
IndirectionLevel--;
Out = "->";
}
if (IndirectionLevel > 0 && MoreItemsExpected)
os << "("; os << "(";
for (int i = 0; i < IndirectionLevel; i++) for (int i=0; i<IndirectionLevel; i++)
os << "*"; os << "*";
os << TopRegionName; os << FirstElement;
if (ShouldSurround)
if (IndirectionLevel > 0 && MoreItemsExpected)
os << ")"; os << ")";
for (auto I = Subregions.rbegin(), E = Subregions.rend(); I != E; ++I) { return Out;
if (const auto *FR = dyn_cast<FieldRegion>(*I)) {
os << Sep;
FR->getDecl()->getDeclName().print(os, PP);
Sep = ".";
} else if (const auto *IR = dyn_cast<ObjCIvarRegion>(*I)) {
os << "->";
IR->getDecl()->getDeclName().print(os, PP);
Sep = ".";
} else if (isa<CXXBaseObjectRegion>(*I)) {
continue; // Just keep going up to the base region.
} else {
llvm_unreachable("Previous check has missed an unexpected region");
}
}
return true;
} }
}; };
/// Suppress null-pointer-dereference bugs where dereferenced null was returned /// Suppress null-pointer-dereference bugs where dereferenced null was returned
/// the macro. /// the macro.
class MacroNullReturnSuppressionVisitor final : public BugReporterVisitor { class MacroNullReturnSuppressionVisitor final : public BugReporterVisitor {
const SubRegion *RegionOfInterest; const SubRegion *RegionOfInterest;
const SVal ValueAtDereference; const SVal ValueAtDereference;
▲ Show 20 LinesShow All 1,019 Lines▼ Show 20 Lines if (Inner && ExplodedGraph::isInterestingLValueExpr(Inner)) {
// In case of C++ references, we want to differentiate between a null // In case of C++ references, we want to differentiate between a null
// reference and reference to null pointer. // reference and reference to null pointer.
// If the LVal is null, check if we are dealing with null reference. // If the LVal is null, check if we are dealing with null reference.
// For those, we want to track the location of the reference. // For those, we want to track the location of the reference.
const MemRegion *R = (RR && LVIsNull) ? RR : const MemRegion *R = (RR && LVIsNull) ? RR :
LVNode->getSVal(Inner).getAsRegion(); LVNode->getSVal(Inner).getAsRegion();
if (R) { if (R) {
ProgramStateRef S = N->getState();
// Mark both the variable region and its contents as interesting. // Mark both the variable region and its contents as interesting.
SVal V = LVState->getRawSVal(loc::MemRegionVal(R)); SVal V = LVState->getRawSVal(loc::MemRegionVal(R));
report.addVisitor( report.addVisitor(
llvm::make_unique<NoStoreFuncVisitor>(cast<SubRegion>(R))); llvm::make_unique<NoStoreFuncVisitor>(cast<SubRegion>(R)));
MacroNullReturnSuppressionVisitor::addMacroVisitorIfNecessary( MacroNullReturnSuppressionVisitor::addMacroVisitorIfNecessary(
N, R, EnableNullFPSuppression, report, V); N, R, EnableNullFPSuppression, report, V);
▲ Show 20 LinesShow All 854 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/diagnostics/no-store-func-path-notes.c

Show First 20 LinesShow All 218 Lines▼ Show 20 Lines
int useindirectingstruct() { int useindirectingstruct() {
S s; S s;
S* p = &s; S* p = &s;
indirectingstruct(&p); //expected-note{{Calling 'indirectingstruct'}} indirectingstruct(&p); //expected-note{{Calling 'indirectingstruct'}}
//expected-note@-1{{Returning from 'indirectingstruct'}} //expected-note@-1{{Returning from 'indirectingstruct'}}
return s.x; // expected-warning{{Undefined or garbage value returned to caller}} return s.x; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}} // expected-note@-1{{Undefined or garbage value returned to caller}}
} }
typedef struct {
int *x;
} D;
void initializeMaybeInStruct(D* pD) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
*pD->x = 120;
} // expected-note{{Returning without writing to 'pD->x'}}
int useInitializeMaybeInStruct() {
int z; // expected-note{{'z' declared without an initial value}}
D d;
d.x = &z;
initializeMaybeInStruct(&d); // expected-note{{Calling 'initializeMaybeInStruct'}}
// expected-note@-1{{Returning from 'initializeMaybeInStruct'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}

cfe/trunk/test/Analysis/diagnostics/no-store-func-path-notes.cpp

// RUN: %clang_analyze_cc1 -x c++ -analyzer-checker=core -analyzer-output=text -verify %s // RUN: %clang_analyze_cc1 -x c++ -analyzer-checker=core -analyzer-output=text -verify %s
int initializer1(int &p, int x) { int initializer1(int &p, int x) {
if (x) { // expected-note{{Taking false branch}} if (x) { // expected-note{{Taking false branch}}
p = 1; p = 1;
return 0; return 0;
} else { } else {
return 1; // expected-note {{Returning without writing to 'p'}} return 1; // expected-note {{Returning without writing to 'p'}}
} }
} }
int param_not_initialized_by_func() { int param_not_initialized_by_func() {
int p; // expected-note {{'p' declared without an initial value}} int outP; // expected-note {{'outP' declared without an initial value}}
int out = initializer1(p, 0); // expected-note{{Calling 'initializer1'}} int out = initializer1(outP, 0); // expected-note{{Calling 'initializer1'}}
// expected-note@-1{{Returning from 'initializer1'}} // expected-note@-1{{Returning from 'initializer1'}}
return p; // expected-note{{Undefined or garbage value returned to caller}} return outP; // expected-note{{Undefined or garbage value returned to caller}}
// expected-warning@-1{{Undefined or garbage value returned to caller}} // expected-warning@-1{{Undefined or garbage value returned to caller}}
} }
struct S { struct S {
int initialize(int *p, int param) { int initialize(int *p, int param) {
if (param) { //expected-note{{Taking false branch}} if (param) { //expected-note{{Taking false branch}}
*p = 1; *p = 1;
return 1; return 1;
▲ Show 20 LinesShow All 145 Lines▼ Show 20 Linesvoid rdar40335545() {
void (*takes_int_ptr_argument)(int *) = (void (*)(int*))has_no_argument_and_returns_null; void (*takes_int_ptr_argument)(int *) = (void (*)(int*))has_no_argument_and_returns_null;
takes_int_ptr_argument(&local); // no-crash takes_int_ptr_argument(&local); // no-crash
int useLocal = local; //expected-warning{{}} int useLocal = local; //expected-warning{{}}
//expected-note@-1{{}} //expected-note@-1{{}}
(void)useLocal; (void)useLocal;
} }
////////
struct HasRef {
int &a;
HasRef(int &a) : a(a) {}
};
void maybeInitialize(const HasRef &&pA) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
pA.a = 120;
} // expected-note{{Returning without writing to 'pA.a'}}
int useMaybeInitializerWritingIntoField() {
int z; // expected-note{{'z' declared without an initial value}}
maybeInitialize(HasRef(z)); // expected-note{{Calling constructor for 'HasRef'}}
// expected-note@-1{{Returning from constructor for 'HasRef'}}
// expected-note@-2{{Calling 'maybeInitialize'}}
// expected-note@-3{{Returning from 'maybeInitialize'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
////////
struct HasRefToItself {
HasRefToItself &Ref; // no infinite loop
int &z;
HasRefToItself(int &z) : Ref(*this), z(z) {}
};
void maybeInitialize(const HasRefToItself &&pA) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
pA.z = 120;
} // expected-note{{Returning without writing to 'pA.Ref.z'}}
int useMaybeInitializerWritingIntoFieldWithRefToItself() {
int z; // expected-note{{'z' declared without an initial value}}
maybeInitialize(HasRefToItself(z)); // expected-note{{Calling constructor for 'HasRefToItself'}}
// expected-note@-1{{Returning from constructor for 'HasRefToItself'}}
// expected-note@-2{{Calling 'maybeInitialize'}}
// expected-note@-3{{Returning from 'maybeInitialize'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
////
void maybeInitialize(const HasRef *pA) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
pA->a = 120;
} // expected-note{{Returning without writing to 'pA->a'}}
int useMaybeInitializerStructByPointer() {
int z; // expected-note{{'z' declared without an initial value}}
HasRef wrapper(z); // expected-note{{Calling constructor for 'HasRef'}}
// expected-note@-1{{Returning from constructor for 'HasRef'}}
maybeInitialize(&wrapper); // expected-note{{Calling 'maybeInitialize'}}
// expected-note@-1{{Returning from 'maybeInitialize'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
////////
struct HasParentWithRef : public HasRef {
HasParentWithRef(int &a) : HasRef(a) {} // expected-note{{Calling constructor for 'HasRef'}}
// expected-note@-1{{Returning from constructor for 'HasRef'}}
};
void maybeInitializeWithParent(const HasParentWithRef &pA) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
pA.a = 120;
} // expected-note{{Returning without writing to 'pA.a'}}
int useMaybeInitializerWritingIntoParentField() {
int z; // expected-note{{'z' declared without an initial value}}
maybeInitializeWithParent(HasParentWithRef(z)); // expected-note{{Calling constructor for 'HasParentWithRef'}}
// expected-note@-1{{Returning from constructor for 'HasParentWithRef'}}
// expected-note@-2{{Calling 'maybeInitializeWithParent'}}
// expected-note@-3{{Returning from 'maybeInitializeWithParent'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
////////
struct HasIndirectRef {
HasRef &Ref;
HasIndirectRef(HasRef &Ref) : Ref(Ref) {}
};
void maybeInitializeIndirectly(const HasIndirectRef &pA) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
pA.Ref.a = 120;
} // expected-note{{Returning without writing to 'pA.Ref.a'}}
int useMaybeInitializeIndirectly() {
int z; // expected-note{{'z' declared without an initial value}}
HasRef r(z); // expected-note{{Calling constructor for 'HasRef'}}
// expected-note@-1{{Returning from constructor for 'HasRef'}}
maybeInitializeIndirectly(HasIndirectRef(r)); // expected-note{{Calling 'maybeInitializeIndirectly'}}
// expected-note@-1{{Returning from 'maybeInitializeIndirectly'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
////////
struct HasIndirectRefByValue {
HasRef Ref;
HasIndirectRefByValue(HasRef Ref) : Ref(Ref) {}
};
void maybeInitializeIndirectly(const HasIndirectRefByValue &pA) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
pA.Ref.a = 120;
} // expected-note{{Returning without writing to 'pA.Ref.a'}}
int useMaybeInitializeIndirectlyIndirectRefByValue() {
int z; // expected-note{{'z' declared without an initial value}}
HasRef r(z); // expected-note{{Calling constructor for 'HasRef'}}
// expected-note@-1{{Returning from constructor for 'HasRef'}}
maybeInitializeIndirectly(HasIndirectRefByValue(r)); // expected-note{{Calling 'maybeInitializeIndirectly'}}
// expected-note@-1{{Returning from 'maybeInitializeIndirectly'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}
////////
struct HasIndirectPointerRef {
HasRef *Ref;
HasIndirectPointerRef(HasRef *Ref) : Ref(Ref) {}
};
void maybeInitializeIndirectly(const HasIndirectPointerRef &pA) {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
pA.Ref->a = 120;
} // expected-note{{Returning without writing to 'pA.Ref->a'}}
int useMaybeInitializeIndirectlyWithPointer() {
int z; // expected-note{{'z' declared without an initial value}}
HasRef r(z); // expected-note{{Calling constructor for 'HasRef'}}
// expected-note@-1{{Returning from constructor for 'HasRef'}}
maybeInitializeIndirectly(HasIndirectPointerRef(&r)); // expected-note{{Calling 'maybeInitializeIndirectly'}}
// expected-note@-1{{Returning from 'maybeInitializeIndirectly'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}

cfe/trunk/test/Analysis/diagnostics/no-store-func-path-notes.m

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines z = p; // expected-warning{{Assigned value is garbage or undefined}}
// expected-note@-1{{Assigned value is garbage or undefined}} // expected-note@-1{{Assigned value is garbage or undefined}}
}(); }();
return z; return z;
} }
extern void expectNonNull(NSString * _Nonnull a); extern void expectNonNull(NSString * _Nonnull a);
@interface A : NSObject @interface A : NSObject
- (void) func;
- (void) initAMaybe; - (void) initAMaybe;
@end @end
@implementation A { @implementation A {
NSString * a; NSString * a;
} }
- (void) initAMaybe { - (void) initAMaybe {
if (coin()) // expected-note{{Assuming the condition is false}} if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}} // expected-note@-1{{Taking false branch}}
a = @"string"; a = @"string";
} // expected-note{{Returning without writing to 'self->a'}} } // expected-note{{Returning without writing to 'self->a'}}
- (void) func { - (void) passNullToNonnull {
a = nil; // expected-note{{nil object reference stored to 'a'}} a = nil; // expected-note{{nil object reference stored to 'a'}}
[self initAMaybe]; // expected-note{{Calling 'initAMaybe'}} [self initAMaybe]; // expected-note{{Calling 'initAMaybe'}}
// expected-note@-1{{Returning from 'initAMaybe'}} // expected-note@-1{{Returning from 'initAMaybe'}}
expectNonNull(a); // expected-warning{{nil passed to a callee that requires a non-null 1st parameter}} expectNonNull(a); // expected-warning{{nil passed to a callee that requires a non-null 1st parameter}}
// expected-note@-1{{nil passed to a callee that requires a non-null 1st parameter}} // expected-note@-1{{nil passed to a callee that requires a non-null 1st parameter}}
} }
- (void) initAMaybeWithExplicitSelf {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
self->a = @"string";
} // expected-note{{Returning without writing to 'self->a'}}
- (void) passNullToNonnullWithExplicitSelf {
self->a = nil; // expected-note{{nil object reference stored to 'a'}}
[self initAMaybeWithExplicitSelf]; // expected-note{{Calling 'initAMaybeWithExplicitSelf'}}
// expected-note@-1{{Returning from 'initAMaybeWithExplicitSelf'}}
expectNonNull(a); // expected-warning{{nil passed to a callee that requires a non-null 1st parameter}}
// expected-note@-1{{nil passed to a callee that requires a non-null 1st parameter}}
}
- (void) initPassedAMaybe:(A *) param {
if (coin()) // expected-note{{Assuming the condition is false}}
// expected-note@-1{{Taking false branch}}
param->a = @"string";
} // expected-note{{Returning without writing to 'param->a'}}
- (void) useInitPassedAMaybe:(A *) paramA {
paramA->a = nil; // expected-note{{nil object reference stored to 'a'}}
[self initPassedAMaybe:paramA]; // expected-note{{Calling 'initPassedAMaybe:'}}
// expected-note@-1{{Returning from 'initPassedAMaybe:'}}
expectNonNull(paramA->a); // expected-warning{{nil passed to a callee that requires a non-null 1st parameter}}
// expected-note@-1{{nil passed to a callee that requires a non-null 1st parameter}}
}
@end @end