This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/StaticAnalyzer/
-
clang/
-
StaticAnalyzer/
-
Checkers/
-
SValExplainer.h
-
Core/PathSensitive/
-
PathSensitive/
1/1
CallEvent.h
4/7
MemRegion.h
1/3
ProgramState.h
-
Regions.def
-
Store.h
-
SymbolManager.h
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
2/3
NSErrorChecker.cpp
-
RetainCountChecker/
1
RetainCountChecker.cpp
2/5
RetainCountDiagnostics.cpp
2/6
ValistChecker.cpp
-
Core/
1/1
BugReporterVisitors.cpp
1/2
CallEvent.cpp
-
ExprEngineC.cpp
1/1
ExprEngineCXX.cpp
-
ExprEngineCallAndReturn.cpp
17/32
MemRegion.cpp
1/2
RegionStore.cpp
-
Store.cpp
1
SymbolManager.cpp
-
test/Analysis/
-
Analysis/
-
explain-svals.c
-
explain-svals.cpp
-
explain-svals.m
-
unittests/StaticAnalyzer/
-
StaticAnalyzer/
-
CMakeLists.txt
1/2
ParamRegionTest.cpp

Differential D79704

[Analyzer] [NFC] Parameter Regions
AbandonedPublic

Authored by baloghadamsoftware on May 11 2020, 3:58 AM.

Download Raw Diff

Details

Reviewers

NoQ
Szelethus
martong
balazske
xazax.hun

Summary

Currently, parameters of functions without their definition present cannot be represented as regions because it would be difficult to ensure that the same declaration is used in every case. To overcome this, we introduce a new kind of region called ParamRegion which does not store the Decl of the parameter variable. Instead it stores the index of the parameter which enables retrieving the actual Decl every time using the function declaration of the stack frame.

Diff Detail

Event Timeline

baloghadamsoftware created this revision.May 11 2020, 3:58 AM

Herald added subscribers: ASDenysPetrov, martong, steakhal and 10 others. · View Herald TranscriptMay 11 2020, 3:58 AM

Currently, parameters of functions without their definition present cannot be represented as regions because it would be difficult to ensure that the same declaration is used in every case. To overcome this, we introduce a new kind of region called ParamRegion which does not store the Decl of the parameter variable. Instead it stores the index of the parameter which enables retrieving the actual Decl every time using the function declaration of the stack frame.

I know vaguely of what you're talking about because I've been trying to follow your works so far, but I'd prefer to include a bit more context for those not so familiar with MemRegions. Such as, "Usually, we identify a MemRegion with ..., but for parameters, this is difficult because ..., as seen on this example ... . So, this patch introduces a new region, etcetc."

Some immediate questions:

What identifies a MemRegion, TypedValueRegions in particular? Why are parameters so special that they deserve their own region? Do you have a concrete, problematic example?
Why is it an issue that we don't always use the same declaration? Does this result in a crash, incorrect modeling?
Why are we making ParamRegion not a subclass of VarRegion?
The patch includes some code duplication, which may be okay, but do we need it?

I haven't read every line thoroughly just yet, so I'll catch up with this patch later! In any case, thank you so much for your investment in the health of the codebase!

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp
435–447	Hmm. So, the surrounding code definitely suggests that we're definitely finishing for a parameter here, but it isn't always a parameter region? I know you struggled with this, have you gained any insight as to why?
clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
176–181	This is interesting. I looked up `DeclRegion`, and it seems to be the region that is tied to a `ValueDecl`. `VarDecl` is a subtype of `ValueDecl`, and `ParmVarDecl` is a subtype of `VarDecl`, so wouldn't it make sense for `ParamRegion` to be a subtype of `VarRegion`?

Thank you for quickly looking into this.

In D79704#2029230, @Szelethus wrote:

What identifies a MemRegion, TypedValueRegions in particular? Why are parameters so special that they deserve their own region? Do you have a concrete, problematic example?

ParamRegion contains different data: mainly the index of the parameter. This makes it independent of the actual Decl of the parameter.

Why is it an issue that we don't always use the same declaration? Does this result in a crash, incorrect modeling?

See D49443#1193290.

Why are we making ParamRegion not a subclass of VarRegion?

Because VarRegion is a DeclRegion which stores the Decl of the variable. Here the main purpose is to not to store it.

The patch includes some code duplication, which may be okay, but do we need it?

Yes, and this comes from my previous answers.

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp
435–447	Not all regions for `ParmVarDecl` are `ParamRegions`. Exceptions are parameters captured by a lambda or a block as well as parameters of functions analyzed top-level.
clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
176–181	`DeclRegion` stores the `Decl`, `ParamRegion` retrieves it based on the `Index` it stores. There is no is-a relation between them.

Minor fix to get rid of a warning, some comments added.

baloghadamsoftware marked an inline comment as done.May 11 2020, 6:17 AM

baloghadamsoftware added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
1051	We do not use this at all. However, if I remove it then tests begin to fail with strange reasons, some of them even crashes at strange points. It seems that we need this for profiling the subclass.

balazske added a subscriber: balazske.May 11 2020, 7:22 AM

balazske added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
406–407	I would expect that this returns a `ParamRegion` (from the name of the function). (The implementation shows that the type can just be changed.)
clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
176–181	During the lifetime of a `ParamRegion` is it possible that it will return different `Decl` objects?
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
744–745	This comment is not fully true any more.
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
231–232	Is it correct to create `VR` only to have this assert?
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
358	This `break` is at wrong place.

Thank you for your comments, @balazske. You are completely right, I updated the patch now.

baloghadamsoftware marked 5 inline comments as done.May 11 2020, 9:51 AM

baloghadamsoftware added inline comments.

clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
176–181	@NoQ?

balazske added inline comments.May 11 2020, 11:58 PM

clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
176–181	Purpose of the question is that if the answer is "no", the decl could be stored at construction of a `ParamRegion` and it could be a subclass of `DeclRegion`. From the code I do not see that the belonging `Decl` can change, probably yes if the stack frame changes somehow. So the reason to have the `ParamRegion` seems to be to have the expression and index available, maybe use these for profiling (instead of a `Decl`). Still it could be made a subclass of `DeclRegion` that stores additionally the expr and index and profiling works with these values.

In D79704#2029305, @baloghadamsoftware wrote:

Thank you for quickly looking into this.

In D79704#2029230, @Szelethus wrote:

What identifies a MemRegion, TypedValueRegions in particular? Why are parameters so special that they deserve their own region? Do you have a concrete, problematic example?

ParamRegion contains different data: mainly the index of the parameter. This makes it independent of the actual Decl of the parameter.

Why is it an issue that we don't always use the same declaration? Does this result in a crash, incorrect modeling?

See D49443#1193290.

Why are we making ParamRegion not a subclass of VarRegion?

Because VarRegion is a DeclRegion which stores the Decl of the variable. Here the main purpose is to not to store it.

To me that sounds like a technicality. Sure, inheriting from VarRegion would make you carry around a field or two you may not need/use, but is that a big deal? To me it feels like all the problems you're solving should be an implementation detail. The interface of ParamRegion looks like a superset of VarRegion's. The code changes suggests that every time we're interested in a VarRegion, we're also interested in parameters.

I may not see the obvious just yet, but I invite you to correct me! :)

Blanket reply! ParamRegion is not a DeclRegion because it does not necessarily have a corresponding Decl. For instance, when calling a function through an unknown function pointer, you don't have the declaration of a function, let alone its parameters. But for parameters of C++ object type you still need your ParamRegion because arguments are constructed into it.

clang/lib/StaticAnalyzer/Checkers/NSErrorChecker.cpp
208–209	Yes it is a `StackArgumentsSpaceRegion`! Because we're a parameter.
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
164	`SSR` shouldn't ever be null. Any parameter must be on the stack.
1604–1609	I suggest making a function in `MemRegionManager` that takes a `Decl` and returns a region. There should only be one place in the code that decides when exactly do we produce a `ParamRegion` instead of a `VarRegion`.
1750	Does this method also suffer from the parameter vs. argument off-by-one problem with operators?
1753–1754	Does this actually ever happen?
1758	Why would that ever happen? If it's just a sanity check, it should be an assertion.
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
2031	Let's simply make a blanket assertion in `ParamRegion`'s constructor.

NoQ added inline comments.May 12 2020, 1:24 PM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
1051	`Profile` is completely essential. Without it different regions will be treated as if it's the same region.
1054–1055	It looks like you decided to keep `VarRegion` for the top frame. I want that asserted here, in the constructor, so that never to make a mistake on this front.

In D79704#2032271, @NoQ wrote:

Blanket reply! ParamRegion is not a DeclRegion because it does not necessarily have a corresponding Decl. For instance, when calling a function through an unknown function pointer, you don't have the declaration of a function, let alone its parameters.

Well hold on for a second then -- how is this, if it is, different for member pointers? Aren't they represented with a VarRegion?

But for parameters of C++ object type you still need your ParamRegion because arguments are constructed into it.

Could you give a specific code example?

Since this patch isn't WIP, lets add unit tests that shows the added interface, highlighting pain points such as this.

Yeah, this patch should definitely have unit tests. All similar patches should.

This revision now requires changes to proceed.May 13 2020, 5:11 AM

Szelethus added reviewers: martong, balazske, xazax.hun.May 13 2020, 5:12 AM

Than you for your reviews, @NoQ and @Szelethus.

In D79704#2032271, @NoQ wrote:

Blanket reply! ParamRegion is not a DeclRegion because it does not necessarily have a corresponding Decl. For instance, when calling a function through an unknown function pointer, you don't have the declaration of a function, let alone its parameters. But for parameters of C++ object type you still need your ParamRegion because arguments are constructed into it.

Hmm, I removed the part that tries to retrieve the parameter from the arguments of the CallExpr-like Expr because it was never invoked (I used an assert(false) there and executed all the tests and they passed). This means that we always found a Decl. However, this Decl is not stored but retrieved always based on the actual stack frame: we get the Decl of the function/method/block/etc. from the stack frame and find its parameter using the Index. This is always successful, at least in all the analyzer tests.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
1051	I know, that was not the question. It is the `OriginExpr` which I tried to remove because I do not use it at all, except for profiling. It seems that without this field the `Profile` does not work correctly.
1054–1055	Yes, because in the top frame we neither have `CallExpr` nor `Decl`. So we should assert here that we are not in the top frame, right? How do we check this based on these parameters?
clang/lib/StaticAnalyzer/Checkers/NSErrorChecker.cpp
208–209	So I can remove the inner branch?
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
164	OK, I will remove this check.
1604–1609	Good idea!
1750	Actually I removed all usage of the expression thus I got rid of the problem.
1753–1754	I will check it.
1758	This happens all the time a lambda or a block captures a parameter of the enclosing function. I decided to keep the regions of captured variables `VarRegions` regardless whether they are parameters or plain variables. This was the only way I could found. This must not cause any problem.
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
2031	OK.

Szelethus added inline comments.May 13 2020, 6:01 AM

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp
435–447	That would be a lovely unit test case! :)

In D79704#2033669, @Szelethus wrote:

Yeah, this patch should definitely have unit tests. All similar patches should.

I wonder how I could make unit tests for this. I already looked up the unit tests and found no unit test for regions.

baloghadamsoftware marked an inline comment as done.May 13 2020, 7:50 AM

baloghadamsoftware added inline comments.

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
1753–1754	Oh yes. If we have no `CallSite`, then we are in the top frame. Should I check `LC->inTopFrame()` instead?

Updated according to the comments from @NoQ.

baloghadamsoftware marked 4 inline comments as done.May 13 2020, 7:54 AM

Unit test added.

Herald added a subscriber: mgorny. · View Herald TranscriptMay 13 2020, 9:19 AM

baloghadamsoftware marked an inline comment as done.May 13 2020, 9:20 AM

In D79704#2032947, @Szelethus wrote:

In D79704#2032271, @NoQ wrote:

Blanket reply! ParamRegion is not a DeclRegion because it does not necessarily have a corresponding Decl. For instance, when calling a function through an unknown function pointer, you don't have the declaration of a function, let alone its parameters.

Well hold on for a second then -- how is this, if it is, different for member pointers? Aren't they represented with a VarRegion?

They aren't even Loc!

We currently don't have a representation for an unknown pointer-to-member. A known pointer-to-member is represented by a FieldDecl (not sure about static members) but it's still a NonLoc and as such isn't a region at all. Because, well, you can't dereference a pointer-to-member; you can only apply it to a base pointer like an offset. The mental model is "an offset". Therefore it's NonLoc.

Pointers to member functions are a different thing; they're function pointers so they're kinda regions.

But for parameters of C++ object type you still need your ParamRegion because arguments are constructed into it.

Could you give a specific code example?

struct S {
  S() {
    this; // What region does 'this' point to...
  }
};

void foo(void (*bar)(S)) {
  bar(S()); // ...in this invocation?
}

NoQ added inline comments.May 14 2020, 2:11 AM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
1051	Wait, how is it not used? You can't get the region type without `OriginExpr`.
1054–1055	Yes, you did what i meant. The first assertion is redundant because `isa` is implied by `cast`. Let's also assert that `OE` is non-null.
clang/lib/StaticAnalyzer/Checkers/NSErrorChecker.cpp
208–209	In fact you can go even further and change the type of the overridden `getMemorySpace()` function to return `const StackArgumentsSpaceRegion *` ("covariant return types") so that to drop the `cast` as well.
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
231–232	It's a valid pattern but it should be followed by `(void)VR;` in order to avoid unused variable warning in no-assert builds.
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
187	This doesn't work when the callee is unknown. You need to consult the origin expr here.
191	This doesn't work when the callee is unknown.
579	`PVD` may be null.
1240	Let's make a stronger assertion: if (SFC->inTopFrame()) return getVarRegion(PVD, LC); assert(CallSite && "Destructors with parameters?");

Good news: I executed an analysis with all open-source checks enabled for several open-source projects: BitCoint, CURL, OpenSSL, PostGreS, TMux, Xerces using the patched and the non-patched version of Clang. There is no difference in the set of bug reports. Only one error message became more detailed for BitCoin which uses Boost: instead of Potential memory leak I get Potential leak of memory pointed to by 'Finder.m_Pred.m_Storage.m_dynSet' in line 135 of Boost header algorithm/string/detail/classification.hpp and almost the same without Finder. in line 139.

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	Please give me an example where the callee is unknown. As I wrote, originally I put a `getExpr()` method here as well and `getType()` fell back to it if it could not find the `Decl()`. However, it was never invoked on the whole test suite. (I put an `assert(false)` into it, and did not get a crash.

NoQ added inline comments.May 14 2020, 5:10 AM

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	Please give me an example where the callee is unknown. In D79704#2034571, @NoQ wrote: In D79704#2032947, @Szelethus wrote: Could you give a specific code example? struct S { S() { this; // What region does 'this' point to... } }; void foo(void (*bar)(S)) { bar(S()); // ...in this invocation? }

baloghadamsoftware marked an inline comment as done.May 14 2020, 6:54 AM

baloghadamsoftware added inline comments.

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	OK, but it still does not crash the analyzer, even if I enable creation of stack frames for all the callees, even for those without definition. What else should I do to enforce the crash (null pointer dereference)? Try to use `getParameterLocation()` in a unit test?

In D79704#2034571, @NoQ wrote:
In D79704#2032947, @Szelethus wrote:

In D79704#2032271, @NoQ wrote:

Blanket reply! ParamRegion is not a DeclRegion because it does not necessarily have a corresponding Decl. For instance, when calling a function through an unknown function pointer, you don't have the declaration of a function, let alone its parameters.

Well hold on for a second then -- how is this, if it is, different for member pointers? Aren't they represented with a VarRegion?

They aren't even Loc!

We currently don't have a representation for an unknown pointer-to-member. A known pointer-to-member is represented by a FieldDecl (not sure about static members) but it's still a NonLoc and as such isn't a region at all. Because, well, you can't dereference a pointer-to-member; you can only apply it to a base pointer like an offset. The mental model is "an offset". Therefore it's NonLoc.

Pointers to member functions are a different thing; they're function pointers so they're kinda regions.

But for parameters of C++ object type you still need your ParamRegion because arguments are constructed into it.

Could you give a specific code example?
struct S {
  S() {
    this; // What region does 'this' point to...
  }
};

void foo(void (*bar)(S)) {
  bar(S()); // ...in this invocation?
}

I remember this coming up so many times, and I'm an inch away from getting it but I'm not there just yet ^-^ Sorry if you have to repeat yourself too many times.

The example you have shown sounds like a case we could (should?) abstract away. If we model in accordance to the AST as closely as possible, ParamRegion should totally be a VarRegion. If something tricky like this came up, the getDecl function should just return with a nullptr, shouldn't it? The code changes make me feel like we're doing a lot of chore (and make it super easy to forget checking for parameters explicitly). The gain, which is I guess correctness, seems negligible, and I'm not sure this is actually correct, as I mentioned in D79704#inline-730731. I don't see why the most defining feature of a DeclRegion is supposed to be an always existing Decl, rather than a mirror of the AST.

In D79704#2036581, @Szelethus wrote:

If something tricky like this came up, the getDecl function should just return with a nullptr, shouldn't it?

How far are you willing to push it? For instance, are you ok with, say, TypedValueRegion::getValueType() return a null QualType in this single rare cornercase? Because that's what we'll also have to do if a Decl isn't available in VarRegion. Unless we add more stuff into VarRegion, which is basically what we're doing (and it just suddenly turns out that we don't need the Decl anymore).

The code changes make me feel like we're doing a lot of chore (and make it super easy to forget checking for parameters explicitly).

I wouldn't mind having a common base class for these regions. DeclRegion should probably be dropped in this case, in order to avoid dealing with multiple inheritance. And it's definitely the one that needs to be dropped because it currently does nothing except "inheritance for code reuse": there are basically no other common properties between its sub-classes than the accidental code reuse in its methods.

The gain, which is I guess correctness, seems negligible, and I'm not sure this is actually correct, as I mentioned in D79704#inline-730731.

The gain is that we finally have a way to express some regions that we previously could not express at all. This gain isn't huge; i agree that @baloghadamsoftware could most likely get away without it. Apart from the example with no decl at all, i'm pretty excited about eliminating a lot of annoying ambiguities with respect to virtual method calls and function redeclarations that i've been struggling in D49443.

More importantly, this change is correct because that's how programs actually behave. You don't need to know everything (and a Decl is literally everything) about the function you're calling in order to call it. The calling convention only requires you to put arguments into certain places in memory and these places are entirely determined by the indices and types of the arguments. And that's exactly what we're trying to mimic. We technically don't even need the OriginExpr itself but it's a convenient (and so far seemingly harmless) way of capturing all the information that we actually need (which is, well, indices and types of arguments).

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	Yes. I demonstrated how you can get the region without a decl but you should turn this into a test that actually calls one of the problematic functions. Like, `clang_analyzer_dump()` it or something.

Alright, I'm up to speed I think, cheers!

In D79704#2037100, @NoQ wrote:

The code changes make me feel like we're doing a lot of chore (and make it super easy to forget checking for parameters explicitly).

I wouldn't mind having a common base class for these regions. DeclRegion should probably be dropped in this case, in order to avoid dealing with multiple inheritance. And it's definitely the one that needs to be dropped because it currently does nothing except "inheritance for code reuse": there are basically no other common properties between its sub-classes than the accidental code reuse in its methods.

Totally. Something like a VarRegionBase but with a more clever name.

In D79704#2038257, @Szelethus wrote:

In D79704#2037100, @NoQ wrote:

The code changes make me feel like we're doing a lot of chore (and make it super easy to forget checking for parameters explicitly).

I wouldn't mind having a common base class for these regions. DeclRegion should probably be dropped in this case, in order to avoid dealing with multiple inheritance. And it's definitely the one that needs to be dropped because it currently does nothing except "inheritance for code reuse": there are basically no other common properties between its sub-classes than the accidental code reuse in its methods.

Totally. Something like a VarRegionBase but with a more clever name.

We can even call it VarRegion and have sub-classes be ParamVarRegion and NonParamVarRegion or something like that.

In D79704#2038280, @NoQ wrote:

In D79704#2038257, @Szelethus wrote:

In D79704#2037100, @NoQ wrote:

The code changes make me feel like we're doing a lot of chore (and make it super easy to forget checking for parameters explicitly).

I wouldn't mind having a common base class for these regions. DeclRegion should probably be dropped in this case, in order to avoid dealing with multiple inheritance. And it's definitely the one that needs to be dropped because it currently does nothing except "inheritance for code reuse": there are basically no other common properties between its sub-classes than the accidental code reuse in its methods.

Totally. Something like a VarRegionBase but with a more clever name.

We can even call it VarRegion and have sub-classes be ParamVarRegion and NonParamVarRegion or something like that.

Do you mean getDecl() should be pure virtual with different implementation for ParamVarRegion (retrieves dynamically based on its Index) and NonParamVarRegion (stores). However, there are some places in the code that check for DeclRegion and use its getDecl() so to avoid code duplication we can keep DeclRegion, but remove storing of Decl from it and make getDecl() pure virtual already at that level.

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	Of course I tried `clang_analyzer_explain()`, but neither `clang_analyzer_dump()` helps. I also tried a unit test now where I call `getParameterLocation()` explicitly. It turns out that parameter regions are never created for functions without `Decl` because of the first lines in `CallEvent::getCalleeAnalysisDeclContext()`. This function needs the `Decl` to retrieve the `AnalysisDeclContext` of the callee, which is needed to retrieve its stack frame by `getCalleeStackFrame()`. Without stack frame we do not create `ParamRegion`. The other two functions creating `ParamRegion` (`CallEvent::addParameterValuesToBindings` and the newly created `MemRegionManager::getRegionForParam`) start from `ParmVarDecl` which always belongs to a `Decl`. So we can safely assume that currently all parameter regions have a `Decl`. Of course, this can be changed in the future, but I must not include dead code in a patch that cannot even be tested in the current phase. Even creation of callee stack frame for functions without definition is not part of this patch, but of the subsequent one.

It turns out that parameter regions are never created for functions without Decl because of the first lines in CallEvent::getCalleeAnalysisDeclContext().

Removing these lines is more or less the whole point of your work.

NoQ added inline comments.May 17 2020, 1:51 PM

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	neither `clang_analyzer_dump()` helps So, does it dump a parameter region? Because it obviously should.

In D79704#2040798, @NoQ wrote:

It turns out that parameter regions are never created for functions without Decl because of the first lines in CallEvent::getCalleeAnalysisDeclContext().

Removing these lines is more or less the whole point of your work.

Is it? The point of my work is to avoid the crashes you mentioned in D49443#1193290 by making the regions of the parameters independent of their declarations so we can remove the limitation that callee's stack frame is only created for functions with definition. (Can you provide me with examples which the crashes you mentioned with VarRegions? I need them for testing my solution.) It could be a future step to also remove the limitation that also allows getting the region for parameters without declaration. Even removing the original limitation (creation of stack frame without definition) is part of my planned subsequent patch, not this one. I am trying to follow incremental development to avoid too huge patches.

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	It dumps a temporary region as until now. So this patch does not change the behavior of the analyzer at this point.

Unit test updated to cover all cases.

In D79704#2040798, @NoQ wrote:

It turns out that parameter regions are never created for functions without Decl because of the first lines in CallEvent::getCalleeAnalysisDeclContext().

Removing these lines is more or less the whole point of your work.

Anyway, when we remove it in a later patch, what should we use for stack frame of the callee? Currently we retrieve the AnalysisDeclContext for the Decl and then get a stack frame for it. If Decl is missing, then we cannot get its AnalysisDeclContext either, so how can we get a stack frame? However, currently we need a solution where we can get stack frame for callees with Decl but without definition. Since you wrote that this causes crashes because at different points different Decls of the same ParmVarDecl are used we created ParamRegion that does not store the Decl but dynamically retrieves it based on the contents of the actual stack frame.

Wow, this is some nice work and huge effort from all the participants, it was pretty informative to read through. Thanks @baloghadamsoftware and @NoQ for working on this!

This means that we always found a Decl. However, this Decl is not stored but retrieved always based on the actual stack frame: we get the Decl of the function/method/block/etc. from the stack frame and find its parameter using the Index. This is always successful, at least in all the analyzer tests.

Can we find the FunctionDecl if the call happens through a function pointer? Or in that case do we actually find the VarDecl of the function pointer?

Without stack frame we do not create ParamRegion. The other two functions creating ParamRegion (CallEvent::addParameterValuesToBindings and the newly created MemRegionManager::getRegionForParam) start from ParmVarDecl which always belongs to a Decl. So we can safely assume that currently all parameter regions have a Decl. Of course, this can be changed in the future, but I must not include dead code in a patch that cannot even be tested in the current phase. Even creation of callee stack frame for functions without definition is not part of this patch, but of the subsequent one.

So, in this patch, we are trying to solve only that problem when the callee FunctionDecl does not have a definition?

If Decl is missing, then we cannot get its AnalysisDeclContext either, so how can we get a stack frame? However, currently we need a solution where we can get stack frame for callees with Decl but without definition.

This happens in case of top-level params and in case of function pointers, plus the special argument construction, am I right?

Based on the answers to the above questions, possibly we are trying to solve two problems here. Could we split then this patch into two?

callee FunctionDecl does not have a definition. This could assert on having an accessable Decl in ParamVarRegion. Here we could have the foundations of the next patch, i.e. we could have ParamVarRegion and NonParamVarRegion.
function pointers, plus the special argument construction: ParamVarRegion may not have a Decl and we'd remove the related lines from getCalleeAnalysisDeclContext. This obviously requires more tests. And more brainstorming to get the AnalysisDeclContext when there is no Decl available for the function in getCalleeAnalysisDeclContext.

What do you think?

clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp
176–181	During the lifetime of a ParamRegion is it possible that it will return different Decl objects? AFAIU, Yes. The `CallExpr` may refer to a `FunctionDecl` (the callee), but that Decl may not be the Canonical Decl of the redeclaration chain.
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	I think we should run this patch against a test suite of open source projects. That could be tmux, curl, redis, xerces, bitcoin, protobuf (those are that we use in CTU at least). We should not have any crashes on theses projects because they exercise widely used language constructs. Besides, they provide a relatively broad set of use of the C and C++ languages, so that's quite a good coverage. In case of any assertion we can use creduce to nail the actual problem.
clang/unittests/StaticAnalyzer/ParamRegionTest.cpp
73	I think the test code would be more valuable if we could use the `ASTMatcher` to match for a given Decl and then for that Decl we could find the corresponding Region. Then we should have different test cases for the different regions (with expectations formulated on those regions). Perhaps a Decl* -> Region mapping is needed in the test Fixture.

SVal explanation extended and tests added for it.

baloghadamsoftware added a child revision: D80286: [Analyzer] Allow creation of stack frame for functions without definition.May 20 2020, 3:29 AM

Seems like many changes could be simplified or absolutely not needed in this patch if ParamRegion (or with a better name ParamVarRegion) was derived from VarRegion. Is there any difficulties in that derivation?

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
312	Is this used anywhere in this patch? And why isn't it a `CallExpr` (instead of `Expr`)?
clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
519	Again, ParamRegion should derive from VarRegion.
clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp
439	This would be simpler (noop?) again if ParamRegion was derived from VarRegion.
618	What if ParamRegion was derived from VarRegion ?
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
195	In all other cases we `assert`, here we return with a nullptr. Why?
919	Both the `VarRegion` and `ParamRegion` cases here do the same. This suggest that maybe it would be better to have `VarRegion` as a base class for `ParamVarRegion`. This is aligned to what Artem suggested: We can even call it VarRegion and have sub-classes be ParamVarRegion and NonParamVarRegion or something like that. But maybe `NonParamVarRegion` is not needed since that is actually the `VarRegion`.
1234	Why the return type is not `ParamVarRegion*`?
clang/lib/StaticAnalyzer/Core/SymbolManager.cpp
572	This is almost the copy-paste code for isLive(VarRegion). This again suggests that maybe ParamRegion (or ParamVarRegion?) should be derived from VarRegion. And in isLive(VarRegion) we should dyn_cast to ParamVarRegion and do the extra stuff if needed.

In D79704#2042130, @martong wrote:

Can we find the FunctionDecl if the call happens through a function pointer? Or in that case do we actually find the VarDecl of the function pointer?

Yes, if it has a declaration, then we can retrieve it from the stack frame.

So, in this patch, we are trying to solve only that problem when the callee FunctionDecl does not have a definition?

Not even that. This patch is just a non-functional change that prepares the ground for such improvements. The next patch intends to solve them problem where the function has declaration but no definition.

This happens in case of top-level params and in case of function pointers, plus the special argument construction, am I right?

Top-level is a special case: there we do not have Expr either so we cannot handle it. For top-level functions the regions remain VarRegions. There is nothing special in parameters when analyzed top-level.

Based on the answers to the above questions, possibly we are trying to solve two problems here. Could we split then this patch into two?

callee FunctionDecl does not have a definition. This could assert on having an accessable Decl in ParamVarRegion. Here we could have the foundations of the next patch, i.e. we could have ParamVarRegion and NonParamVarRegion.

function pointers, plus the special argument construction: ParamVarRegion may not have a Decl and we'd remove the related lines from getCalleeAnalysisDeclContext. This obviously requires more tests. And more brainstorming to get the AnalysisDeclContext when there is no Decl available for the function in getCalleeAnalysisDeclContext.

That is exactly my suggestion, but not this, current patch, but the next one. The next patch is for functions without definition but declarations, and there could be another one in the future for functions without declaration. Of course this latter requires some extra code into ParamRegions to handle cases where we do not have a Decl. I cannot write it now because I cannot make a test for it, not even a unit test.

In D79704#2046495, @martong wrote:

Seems like many changes could be simplified or absolutely not needed in this patch if ParamRegion (or with a better name ParamVarRegion) was derived from VarRegion. Is there any difficulties in that derivation?

It is one of my suggestions, I am still waiting for @NoQ's opinion: let us remove the Decl from DeclRegion and make getDecl() pure virtual there. Also not implement it in VarRegion, but as @NoQ suggested, create something like PlainVarRegion or NonParamVarRegion where we store it, and ParamVarRegion where we retrieve it instead of storing it.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
312	The origin expression of a call may be a set of different kinds of expressions: `CallExpr`, `CXXConstructExpr`, `BlockExpr` or `ObjCMessageExpr`.
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
191	As I mentioned, I already did it: D79704#2036067
195	It was accidentally left here from an earlier experiment.
919	Usually we do not inherit from concrete classes by changing a method implementation that already exist. The other reason is even stronger: `NonParamVarRegion` must store the `Decl` of the variable, `ParamVarRegion` must not.
1234	Because for top-level functions and captured parameters it still returns `VarRegion`.
clang/unittests/StaticAnalyzer/ParamRegionTest.cpp
73	That was the original test, but the current one is more generic: checks for all parameters and checks whether we create the correct type of region for them.

Thanks for addressing my comments!

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
312	Is this function used anywhere in this patch? Could not find any reference to it. The origin expression of a call may be a set of different kinds of expressions: CallExpr, CXXConstructExpr, BlockExpr or ObjCMessageExpr. Okay, makes sense, could you please document it then in the comment for the function? And perhaps we should assert on these kinds as a sanity check.
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
919	Usually we do not inherit from concrete classes by changing a method implementation that already exist. That's what we exactly do all over the place in the AST library. Which method(s) should we change by the way? Nevermind, I am perfectly fine having VarRegion as base and NonParamVarRegion and ParamVarRegion as derived.
1234	Okay, makes sense, could you please document it then in the comment for the function?

FIXME and assertions added.

The big question to decide: Either we keep ParamRegion as a separate region in the class hierarchy and at the few places where DeclRegion or VarRegion is used and parameters are possible we duplicate the few lines. (Current status.)

The other way is to remove Decl from DeclRegion and make getDecl() pure virtual. Also we split VarRegion into two subclasses, one of the is the non-parameter variable regions and the other is ParamVarRegion. The first one stores the Decl, the second one calculates it. This saves code duplication, however after we implement creation of stack frames for calls without Decl we must update all the code using DeclRegion and VarRegion where parameters are possible to handle nullptr as return value for getDecl().

@NoQ, please decide, which way to go.

Alternative approach is D80522.

Superseded by D80522.

baloghadamsoftware removed a child revision: D80286: [Analyzer] Allow creation of stack frame for functions without definition.Jun 8 2020, 8:24 AM

Revision Contents

Path

Size

clang/

include/

clang/

StaticAnalyzer/

Checkers/

SValExplainer.h

34 lines

Core/

PathSensitive/

4 lines

59 lines

4 lines

5 lines

4 lines

1 line

lib/

StaticAnalyzer/

Checkers/

NSErrorChecker.cpp

6 lines

RetainCountChecker/

RetainCountChecker.cpp

15 lines

RetainCountDiagnostics.cpp

19 lines

ValistChecker.cpp

2 lines

Core/

BugReporterVisitors.cpp

88 lines

CallEvent.cpp

42 lines

ExprEngineC.cpp

2 lines

ExprEngineCXX.cpp

6 lines

ExprEngineCallAndReturn.cpp

8 lines

122 lines

37 lines

8 lines

53 lines

test/

Analysis/

explain-svals.c

12 lines

explain-svals.cpp

28 lines

explain-svals.m

41 lines

unittests/

StaticAnalyzer/

CMakeLists.txt

1 line

ParamRegionTest.cpp

92 lines

Diff 265928

clang/include/clang/StaticAnalyzer/Checkers/SValExplainer.h

Show First 20 Lines • Show All 210 Lines • ▼ Show 20 Lines	return "temporary object constructed at statement '" +
printStmt(R->getExpr()) + "'";		printStmt(R->getExpr()) + "'";
}		}

std::string VisitCXXBaseObjectRegion(const CXXBaseObjectRegion *R) {		std::string VisitCXXBaseObjectRegion(const CXXBaseObjectRegion *R) {
return "base object '" + R->getDecl()->getQualifiedNameAsString() +		return "base object '" + R->getDecl()->getQualifiedNameAsString() +
"' inside " + Visit(R->getSuperRegion());		"' inside " + Visit(R->getSuperRegion());
}		}

		std::string VisitParamRegion(const ParamRegion *R) {
		std::string Str;
		llvm::raw_string_ostream OS(Str);

		OS << "parameter ";
		const ParmVarDecl *PVD = R->getDecl();
		std::string Name = PVD->getQualifiedNameAsString();
		if (!Name.empty()) {
		OS << "'" << Name << "'";
		return std::string(OS.str());
		} else
		OS << R->getIndex() << " ";

		OS << "of ";
		const Decl *Parent = R->getStackFrame()->getDecl();
		if (const auto *FD = dyn_cast<FunctionDecl>(Parent))
		OS <<"function '" << FD->getQualifiedNameAsString() << "()'";
		else if (const auto *CD = dyn_cast<CXXConstructorDecl>(Parent))
		OS <<"C++ constructor '" << CD->getQualifiedNameAsString() << "()'";
		else if (const auto *MD = dyn_cast<ObjCMethodDecl>(Parent)) {
		if (MD->isClassMethod())
		OS <<"Objective-C method '+" << MD->getQualifiedNameAsString() << "'";
		else
		OS <<"Objective-C method '-" << MD->getQualifiedNameAsString() << "'";
		} else if (isa<BlockDecl>(Parent)) {
		if (cast<BlockDecl>(Parent)->isConversionFromLambda())
		OS <<"lambda";
		else
		OS <<"block";
		}

		return std::string(OS.str());
		}

std::string VisitSVal(SVal V) {		std::string VisitSVal(SVal V) {
std::string Str;		std::string Str;
llvm::raw_string_ostream OS(Str);		llvm::raw_string_ostream OS(Str);
OS << V;		OS << V;
return "a value unsupported by the explainer: (" +		return "a value unsupported by the explainer: (" +
std::string(OS.str()) + ")";		std::string(OS.str()) + ")";
}		}

Show All 22 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show First 20 Lines • Show All 397 Lines • ▼ Show 20 Lines	public:
/// Returns the callee stack frame. That stack frame will only be entered		/// Returns the callee stack frame. That stack frame will only be entered
/// during analysis if the call is inlined, but it may still be useful		/// during analysis if the call is inlined, but it may still be useful
/// in intermediate calculations even if the call isn't inlined.		/// in intermediate calculations even if the call isn't inlined.
/// May fail; returns null on failure.		/// May fail; returns null on failure.
const StackFrameContext *getCalleeStackFrame(unsigned BlockCount) const;		const StackFrameContext *getCalleeStackFrame(unsigned BlockCount) const;

/// Returns memory location for a parameter variable within the callee stack		/// Returns memory location for a parameter variable within the callee stack
/// frame. May fail; returns null on failure.		/// frame. May fail; returns null on failure.
const VarRegion *getParameterLocation(unsigned Index,		const ParamRegion *getParameterLocation(unsigned Index,
unsigned BlockCount) const;		unsigned BlockCount) const;
		balazskeUnsubmitted Done Reply Inline Actions I would expect that this returns a `ParamRegion` (from the name of the function). (The implementation shows that the type can just be changed.) balazske: I would expect that this returns a `ParamRegion` (from the name of the function). (The…

/// Returns true if on the current path, the argument was constructed by		/// Returns true if on the current path, the argument was constructed by
/// calling a C++ constructor over it. This is an internal detail of the		/// calling a C++ constructor over it. This is an internal detail of the
/// analysis which doesn't necessarily represent the program semantics:		/// analysis which doesn't necessarily represent the program semantics:
/// if we are supposed to construct an argument directly, we may still		/// if we are supposed to construct an argument directly, we may still
/// not do that because we don't know how (i.e., construction context is		/// not do that because we don't know how (i.e., construction context is
/// unavailable in the CFG or not supported by the analyzer).		/// unavailable in the CFG or not supported by the analyzer).
bool isArgumentConstructedDirectly(unsigned Index) const {		bool isArgumentConstructedDirectly(unsigned Index) const {
▲ Show 20 Lines • Show All 1,069 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 Lines • Show All 698 Lines • ▼ Show 20 Lines	public:
explicit referenced_vars_iterator(const MemRegion * const *r,		explicit referenced_vars_iterator(const MemRegion * const *r,
const MemRegion * const *originalR)		const MemRegion * const *originalR)
: R(r), OriginalR(originalR) {}		: R(r), OriginalR(originalR) {}

const VarRegion *getCapturedRegion() const {		const VarRegion *getCapturedRegion() const {
return cast<VarRegion>(*R);		return cast<VarRegion>(*R);
}		}

const VarRegion *getOriginalRegion() const {		const TypedValueRegion *getOriginalRegion() const {
return cast<VarRegion>(*OriginalR);		return cast<TypedValueRegion>(*OriginalR);
}		}

bool operator==(const referenced_vars_iterator &I) const {		bool operator==(const referenced_vars_iterator &I) const {
assert((R == nullptr) == (I.R == nullptr));		assert((R == nullptr) == (I.R == nullptr));
return I.R == R;		return I.R == R;
}		}

bool operator!=(const referenced_vars_iterator &I) const {		bool operator!=(const referenced_vars_iterator &I) const {
assert((R == nullptr) == (I.R == nullptr));		assert((R == nullptr) == (I.R == nullptr));
return I.R != R;		return I.R != R;
}		}

referenced_vars_iterator &operator++() {		referenced_vars_iterator &operator++() {
++R;		++R;
++OriginalR;		++OriginalR;
return *this;		return *this;
}		}
};		};

/// Return the original region for a captured region, if		/// Return the original region for a captured region, if
/// one exists.		/// one exists.
const VarRegion getOriginalRegion(const VarRegion VR) const;		const TypedValueRegion getOriginalRegion(const VarRegion VR) const;

referenced_vars_iterator referenced_vars_begin() const;		referenced_vars_iterator referenced_vars_begin() const;
referenced_vars_iterator referenced_vars_end() const;		referenced_vars_iterator referenced_vars_end() const;

void dumpToStream(raw_ostream &os) const override;		void dumpToStream(raw_ostream &os) const override;

void Profile(llvm::FoldingSetNodeID& ID) const override;		void Profile(llvm::FoldingSetNodeID& ID) const override;

static bool classof(const MemRegion* R) {		static bool classof(const MemRegion* R) {
return R->getKind() == BlockDataRegionKind;		return R->getKind() == BlockDataRegionKind;
}		}

private:		private:
void LazyInitializeReferencedVars();		void LazyInitializeReferencedVars();
std::pair<const VarRegion , const VarRegion >		std::pair<const VarRegion , const TypedValueRegion >
getCaptureRegions(const VarDecl *VD);		getCaptureRegions(const VarDecl *VD);
};		};

/// SymbolicRegion - A special, "non-concrete" region. Unlike other region		/// SymbolicRegion - A special, "non-concrete" region. Unlike other region
/// classes, SymbolicRegion represents a region that serves as an alias for		/// classes, SymbolicRegion represents a region that serves as an alias for
/// either a real region, a NULL pointer, etc. It essentially is used to		/// either a real region, a NULL pointer, etc. It essentially is used to
/// map the concept of symbolic values into the domain of regions. Symbolic		/// map the concept of symbolic values into the domain of regions. Symbolic
/// regions do not need to be typed.		/// regions do not need to be typed.
▲ Show 20 Lines • Show All 282 Lines • ▼ Show 20 Lines	public:

void dumpToStream(raw_ostream &os) const override;		void dumpToStream(raw_ostream &os) const override;

static bool classof(const MemRegion* R) {		static bool classof(const MemRegion* R) {
return R->getKind() == ObjCIvarRegionKind;		return R->getKind() == ObjCIvarRegionKind;
}		}
};		};

		/// ParamRegion - Represents a region for paremters. Only parameters of the
		/// function in the current stack frame are represented as `ParamRegion`s.
		/// Parameters of top-level analyzed functions as well as captured paremeters
		/// by lambdas and blocks are repesented as `VarRegion`s.

		// FIXME: `ParamRegion` only supports parameters of functions, C++ constructors,
		// blocks and Objective-C methods with existing `Decl`. Upon implementing
		// stack frame creations for functions without decl (functions passed by
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions We do not use this at all. However, if I remove it then tests begin to fail with strange reasons, some of them even crashes at strange points. It seems that we need this for profiling the subclass. baloghadamsoftware: We do not use this at all. However, if I remove it then tests begin to fail with strange…
		NoQUnsubmitted Not Done Reply Inline Actions `Profile` is completely essential. Without it different regions will be treated as if it's the same region. NoQ: `Profile` is completely essential. Without it different regions will be treated as if it's the…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions I know, that was not the question. It is the `OriginExpr` which I tried to remove because I do not use it at all, except for profiling. It seems that without this field the `Profile` does not work correctly. baloghadamsoftware: I know, that was not the question. It is the `OriginExpr` which I tried to remove because I do…
		NoQUnsubmitted Not Done Reply Inline Actions Wait, how is it not used? You can't get the region type without `OriginExpr`. NoQ: Wait, how is it not used? You can't get the region type without `OriginExpr`.
		// function pointer) methods of `ParamRegion` must be updated.
		class ParamRegion : public TypedValueRegion {
		friend class MemRegionManager;

		NoQUnsubmitted Done Reply Inline Actions It looks like you decided to keep `VarRegion` for the top frame. I want that asserted here, in the constructor, so that never to make a mistake on this front. NoQ: It looks like you decided to keep `VarRegion` for the top frame. I want that asserted here, in…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Yes, because in the top frame we neither have `CallExpr` nor `Decl`. So we should assert here that we are not in the top frame, right? How do we check this based on these parameters? baloghadamsoftware: Yes, because in the top frame we neither have `CallExpr` nor `Decl`. So we should assert here…
		NoQUnsubmitted Not Done Reply Inline Actions Yes, you did what i meant. The first assertion is redundant because `isa` is implied by `cast`. Let's also assert that `OE` is non-null. NoQ: Yes, you did what i meant. The first assertion is redundant because `isa` is implied by `cast`.
		const Expr *OriginExpr;
		unsigned Index;

		ParamRegion(const Expr OE, unsigned Idx, const MemRegion SReg)
		: TypedValueRegion(SReg, ParamRegionKind), OriginExpr(OE), Index(Idx) {
		assert(!cast<StackSpaceRegion>(SReg)->getStackFrame()->inTopFrame());
		}

		static void ProfileRegion(llvm::FoldingSetNodeID &ID, const Expr *OE,
		unsigned Idx, const MemRegion *SReg);

		public:
		const Expr *getOriginExpr() const { return OriginExpr; }
		unsigned getIndex() const { return Index; }

		void Profile(llvm::FoldingSetNodeID& ID) const override;

		void dumpToStream(raw_ostream &os) const override;

		const StackFrameContext *getStackFrame() const;

		QualType getValueType() const override;
		const ParmVarDecl* getDecl() const;

		bool canPrintPrettyAsExpr() const override;
		void printPrettyAsExpr(raw_ostream &os) const override;

		static bool classof(const MemRegion* R) {
		return R->getKind() == ParamRegionKind;
		}
		};

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Auxiliary data classes for use with MemRegions.		// Auxiliary data classes for use with MemRegions.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

class RegionRawOffset {		class RegionRawOffset {
friend class ElementRegion;		friend class ElementRegion;

const MemRegion *Region;		const MemRegion *Region;
▲ Show 20 Lines • Show All 338 Lines • ▼ Show 20 Lines	const BlockDataRegion getBlockDataRegion(const BlockCodeRegion bc,
const LocationContext *lc,		const LocationContext *lc,
unsigned blockCount);		unsigned blockCount);

/// Create a CXXTempObjectRegion for temporaries which are lifetime-extended		/// Create a CXXTempObjectRegion for temporaries which are lifetime-extended
/// by static references. This differs from getCXXTempObjectRegion in the		/// by static references. This differs from getCXXTempObjectRegion in the
/// super-region used.		/// super-region used.
const CXXTempObjectRegion getCXXStaticTempObjectRegion(const Expr Ex);		const CXXTempObjectRegion getCXXStaticTempObjectRegion(const Expr Ex);

		/// getParamRegion - Retrieve or create the memory region
		/// associated with a specified CallExpr, Index and LocationContext.
		const ParamRegion getParamRegion(const Expr OriginExpr,
		unsigned Index, const LocationContext *LC);

		const TypedValueRegion getRegionForParam(const ParmVarDecl PVD,
		const LocationContext *LC);
private:		private:
template <typename RegionTy, typename SuperTy,		template <typename RegionTy, typename SuperTy,
typename Arg1Ty>		typename Arg1Ty>
RegionTy* getSubRegion(const Arg1Ty arg1,		RegionTy* getSubRegion(const Arg1Ty arg1,
const SuperTy* superRegion);		const SuperTy* superRegion);

template <typename RegionTy, typename SuperTy,		template <typename RegionTy, typename SuperTy,
typename Arg1Ty, typename Arg2Ty>		typename Arg1Ty, typename Arg2Ty>
▲ Show 20 Lines • Show All 79 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

Show First 20 Lines • Show All 302 Lines • ▼ Show 20 Lines	public:

/// Get the lvalue for a base class object reference.		/// Get the lvalue for a base class object reference.
Loc getLValue(const CXXBaseSpecifier &BaseSpec, const SubRegion *Super) const;		Loc getLValue(const CXXBaseSpecifier &BaseSpec, const SubRegion *Super) const;

/// Get the lvalue for a base class object reference.		/// Get the lvalue for a base class object reference.
Loc getLValue(const CXXRecordDecl BaseClass, const SubRegion Super,		Loc getLValue(const CXXRecordDecl BaseClass, const SubRegion Super,
bool IsVirtual) const;		bool IsVirtual) const;

		/// Get the lvalue for a parameter.
		Loc getLValue(const Expr *Call, unsigned Index,
		martongUnsubmitted Not Done Reply Inline Actions Is this used anywhere in this patch? And why isn't it a `CallExpr` (instead of `Expr`)? martong: Is this used anywhere in this patch? And why isn't it a `CallExpr` (instead of `Expr`)?
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions The origin expression of a call may be a set of different kinds of expressions: `CallExpr`, `CXXConstructExpr`, `BlockExpr` or `ObjCMessageExpr`. baloghadamsoftware: The origin expression of a call may be a set of different kinds of expressions: `CallExpr`…
		martongUnsubmitted Not Done Reply Inline Actions Is this function used anywhere in this patch? Could not find any reference to it. The origin expression of a call may be a set of different kinds of expressions: CallExpr, CXXConstructExpr, BlockExpr or ObjCMessageExpr. Okay, makes sense, could you please document it then in the comment for the function? And perhaps we should assert on these kinds as a sanity check. martong: Is this function used anywhere in this patch? Could not find any reference to it. > The origin…
		const LocationContext *LC) const;

/// Get the lvalue for a variable reference.		/// Get the lvalue for a variable reference.
Loc getLValue(const VarDecl D, const LocationContext LC) const;		Loc getLValue(const VarDecl D, const LocationContext LC) const;

Loc getLValue(const CompoundLiteralExpr *literal,		Loc getLValue(const CompoundLiteralExpr *literal,
const LocationContext *LC) const;		const LocationContext *LC) const;

/// Get the lvalue for an ivar reference.		/// Get the lvalue for an ivar reference.
SVal getLValue(const ObjCIvarDecl *decl, SVal base) const;		SVal getLValue(const ObjCIvarDecl *decl, SVal base) const;
▲ Show 20 Lines • Show All 564 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Regions.def

Show First 20 Lines • Show All 73 Lines • ▼ Show 20 Lines	ABSTRACT_REGION(TypedValueRegion, TypedRegion)
REGION(FieldRegion, DeclRegion)		REGION(FieldRegion, DeclRegion)
REGION(ObjCIvarRegion, DeclRegion)		REGION(ObjCIvarRegion, DeclRegion)
REGION(VarRegion, DeclRegion)		REGION(VarRegion, DeclRegion)
REGION_RANGE(DECL_REGIONS, FieldRegionKind,		REGION_RANGE(DECL_REGIONS, FieldRegionKind,
VarRegionKind)		VarRegionKind)
REGION(ElementRegion, TypedValueRegion)		REGION(ElementRegion, TypedValueRegion)
REGION(ObjCStringRegion, TypedValueRegion)		REGION(ObjCStringRegion, TypedValueRegion)
REGION(StringRegion, TypedValueRegion)		REGION(StringRegion, TypedValueRegion)
		REGION(ParamRegion, TypedValueRegion)
REGION_RANGE(TYPED_VALUE_REGIONS, CompoundLiteralRegionKind,		REGION_RANGE(TYPED_VALUE_REGIONS, CompoundLiteralRegionKind,
StringRegionKind)		ParamRegionKind)
REGION_RANGE(TYPED_REGIONS, BlockDataRegionKind,		REGION_RANGE(TYPED_REGIONS, BlockDataRegionKind,
StringRegionKind)		ParamRegionKind)

#undef REGION_RANGE		#undef REGION_RANGE
#undef ABSTRACT_REGION		#undef ABSTRACT_REGION
#undef REGION		#undef REGION

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h

Show First 20 Lines • Show All 125 Lines • ▼ Show 20 Lines	public:
virtual StoreRef getInitialStore(const LocationContext *InitLoc) = 0;		virtual StoreRef getInitialStore(const LocationContext *InitLoc) = 0;

/// getRegionManager - Returns the internal RegionManager object that is		/// getRegionManager - Returns the internal RegionManager object that is
/// used to query and manipulate MemRegion objects.		/// used to query and manipulate MemRegion objects.
MemRegionManager& getRegionManager() { return MRMgr; }		MemRegionManager& getRegionManager() { return MRMgr; }

SValBuilder& getSValBuilder() { return svalBuilder; }		SValBuilder& getSValBuilder() { return svalBuilder; }

virtual Loc getLValueVar(const VarDecl VD, const LocationContext LC) {		virtual Loc getLValueVar(const VarDecl VD, const LocationContext LC);
return svalBuilder.makeLoc(MRMgr.getVarRegion(VD, LC));
}

Loc getLValueCompoundLiteral(const CompoundLiteralExpr *CL,		Loc getLValueCompoundLiteral(const CompoundLiteralExpr *CL,
const LocationContext *LC) {		const LocationContext *LC) {
return loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC));		return loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC));
}		}

virtual SVal getLValueIvar(const ObjCIvarDecl *decl, SVal base);		virtual SVal getLValueIvar(const ObjCIvarDecl *decl, SVal base);

▲ Show 20 Lines • Show All 187 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h

Show First 20 Lines • Show All 578 Lines • ▼ Show 20 Lines	SymbolReaper(const StackFrameContext Ctx, const Stmt s,
: LCtx(Ctx), Loc(s), SymMgr(symmgr), reapedStore(nullptr, storeMgr) {}		: LCtx(Ctx), Loc(s), SymMgr(symmgr), reapedStore(nullptr, storeMgr) {}

const LocationContext *getLocationContext() const { return LCtx; }		const LocationContext *getLocationContext() const { return LCtx; }

bool isLive(SymbolRef sym);		bool isLive(SymbolRef sym);
bool isLiveRegion(const MemRegion *region);		bool isLiveRegion(const MemRegion *region);
bool isLive(const Stmt ExprVal, const LocationContext LCtx) const;		bool isLive(const Stmt ExprVal, const LocationContext LCtx) const;
bool isLive(const VarRegion *VR, bool includeStoreBindings = false) const;		bool isLive(const VarRegion *VR, bool includeStoreBindings = false) const;
		bool isLive(const ParamRegion *VR, bool includeStoreBindings = false) const;

/// Unconditionally marks a symbol as live.		/// Unconditionally marks a symbol as live.
///		///
/// This should never be		/// This should never be
/// used by checkers, only by the state infrastructure such as the store and		/// used by checkers, only by the state infrastructure such as the store and
/// environment. Checkers should instead use metadata symbols and markInUse.		/// environment. Checkers should instead use metadata symbols and markInUse.
void markLive(SymbolRef sym);		void markLive(SymbolRef sym);

▲ Show 20 Lines • Show All 56 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/NSErrorChecker.cpp

Show First 20 Lines • Show All 198 Lines • ▼ Show 20 Lines	static QualType parameterTypeFromSVal(SVal val, CheckerContext &C) {
const StackFrameContext * SFC = C.getStackFrame();		const StackFrameContext * SFC = C.getStackFrame();
if (Optional<loc::MemRegionVal> X = val.getAs<loc::MemRegionVal>()) {		if (Optional<loc::MemRegionVal> X = val.getAs<loc::MemRegionVal>()) {
const MemRegion* R = X->getRegion();		const MemRegion* R = X->getRegion();
if (const VarRegion *VR = R->getAs<VarRegion>())		if (const VarRegion *VR = R->getAs<VarRegion>())
if (const StackArgumentsSpaceRegion *		if (const StackArgumentsSpaceRegion *
stackReg = dyn_cast<StackArgumentsSpaceRegion>(VR->getMemorySpace()))		stackReg = dyn_cast<StackArgumentsSpaceRegion>(VR->getMemorySpace()))
if (stackReg->getStackFrame() == SFC)		if (stackReg->getStackFrame() == SFC)
return VR->getValueType();		return VR->getValueType();
		if (const ParamRegion *PR = R->getAs<ParamRegion>()) {
		const StackArgumentsSpaceRegion *stackReg =
		cast<StackArgumentsSpaceRegion>(PR->getMemorySpace());
		NoQUnsubmitted Done Reply Inline Actions Yes it is a `StackArgumentsSpaceRegion`! Because we're a parameter. NoQ: Yes it is a `StackArgumentsSpaceRegion`! Because we're a parameter.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions So I can remove the inner branch? baloghadamsoftware: So I can remove the inner branch?
		NoQUnsubmitted Not Done Reply Inline Actions In fact you can go even further and change the type of the overridden `getMemorySpace()` function to return `const StackArgumentsSpaceRegion ` ("covariant return types") so that to drop the `cast` as well. NoQ:* In fact you can go even further and change the type of the overridden `getMemorySpace()`…
		if (stackReg->getStackFrame() == SFC)
		return PR->getValueType();
		}
}		}

return QualType();		return QualType();
}		}

void NSOrCFErrorDerefChecker::checkLocation(SVal loc, bool isLoad,		void NSOrCFErrorDerefChecker::checkLocation(SVal loc, bool isLoad,
const Stmt *S,		const Stmt *S,
CheckerContext &C) const {		CheckerContext &C) const {
▲ Show 20 Lines • Show All 136 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

	Show First 20 Lines • Show All 501 Lines • ▼ Show 20 Lines
	/// assigned to a struct field, unless it is a known smart pointer			/// assigned to a struct field, unless it is a known smart pointer
	/// implementation, about which we know that it is inlined.			/// implementation, about which we know that it is inlined.
	/// FIXME: This could definitely be improved upon.			/// FIXME: This could definitely be improved upon.
	static bool shouldEscapeRegion(const MemRegion *R) {			static bool shouldEscapeRegion(const MemRegion *R) {
	if (isSmartPtrField(R))			if (isSmartPtrField(R))
	return false;			return false;

	const auto *VR = dyn_cast<VarRegion>(R);			const auto *VR = dyn_cast<VarRegion>(R);
				const auto *PR = dyn_cast<ParamRegion>(R);

	if (!R->hasStackStorage() \|\| !VR)			if (!R->hasStackStorage() \|\| (!VR && !PR))
	return true;			return true;

				if (VR) {
	const VarDecl *VD = VR->getDecl();			const VarDecl *VD = VR->getDecl();
	if (!VD->hasAttr<CleanupAttr>())			if (!VD->hasAttr<CleanupAttr>())
	return false; // CleanupAttr attaches destructors, which cause escaping.			return false; // CleanupAttr attaches destructors, which cause escaping.
				} else {
				martongUnsubmitted Not Done Reply Inline Actions Again, ParamRegion should derive from VarRegion. martong: Again, ParamRegion should derive from VarRegion.
				const ParmVarDecl *PVD = PR->getDecl();
				if (!PVD->hasAttr<CleanupAttr>())
				return false; // CleanupAttr attaches destructors, which cause escaping.
				}
	return true;			return true;
	}			}

	static SmallVector<ProgramStateRef, 2>			static SmallVector<ProgramStateRef, 2>
	updateOutParameters(ProgramStateRef State, const RetainSummary &Summ,			updateOutParameters(ProgramStateRef State, const RetainSummary &Summ,
	const CallEvent &CE) {			const CallEvent &CE) {

	SVal L = CE.getReturnValue();			SVal L = CE.getReturnValue();
	▲ Show 20 Lines • Show All 996 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp

Show First 20 Lines • Show All 426 Lines • ▼ Show 20 Lines	annotateStartParameter(const ExplodedNode *N, SymbolRef Sym,

const CFGBlock *Src = PP->getSrc();		const CFGBlock *Src = PP->getSrc();
const RefVal *CurrT = getRefBinding(N->getState(), Sym);		const RefVal *CurrT = getRefBinding(N->getState(), Sym);

if (&Src->getParent()->getEntry() != Src \|\| !CurrT \|\|		if (&Src->getParent()->getEntry() != Src \|\| !CurrT \|\|
getRefBinding(N->getFirstPred()->getState(), Sym))		getRefBinding(N->getFirstPred()->getState(), Sym))
return nullptr;		return nullptr;

const auto *VR = cast<VarRegion>(cast<SymbolRegionValue>(Sym)->getRegion());		const VarDecl *VD;
const auto *PVD = cast<ParmVarDecl>(VR->getDecl());		if (const auto *VR =
PathDiagnosticLocation L = PathDiagnosticLocation(PVD, SM);		dyn_cast<VarRegion>(cast<SymbolRegionValue>(Sym)->getRegion())) {
		VD = cast<VarDecl>(VR->getDecl());
		} else if (const auto *PR =
		martongUnsubmitted Not Done Reply Inline Actions This would be simpler (noop?) again if ParamRegion was derived from VarRegion. martong: This would be simpler (noop?) again if ParamRegion was derived from VarRegion.
		dyn_cast<ParamRegion>(cast<SymbolRegionValue>(Sym)->getRegion())) {
		VD = cast<ParmVarDecl>(PR->getDecl());
		}

		assert(VD);

		PathDiagnosticLocation L = PathDiagnosticLocation(VD, SM);

		SzelethusUnsubmitted Not Done Reply Inline Actions Hmm. So, the surrounding code definitely suggests that we're definitely finishing for a parameter here, but it isn't always a parameter region? I know you struggled with this, have you gained any insight as to why? Szelethus: Hmm. So, the surrounding code definitely suggests that we're definitely finishing for a…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Not all regions for `ParmVarDecl` are `ParamRegions`. Exceptions are parameters captured by a lambda or a block as well as parameters of functions analyzed top-level. baloghadamsoftware: Not all regions for `ParmVarDecl` are `ParamRegions`. Exceptions are parameters captured by a…
		SzelethusUnsubmitted Done Reply Inline Actions That would be a lovely unit test case! :) Szelethus: That would be a lovely unit test case! :)
std::string s;		std::string s;
llvm::raw_string_ostream os(s);		llvm::raw_string_ostream os(s);
os << "Parameter '" << PVD->getNameAsString() << "' starts at +";		os << "Parameter '" << VD->getNameAsString() << "' starts at +";
if (CurrT->getCount() == 1) {		if (CurrT->getCount() == 1) {
os << "1, as it is marked as consuming";		os << "1, as it is marked as consuming";
} else {		} else {
assert(CurrT->getCount() == 0);		assert(CurrT->getCount() == 0);
os << "0";		os << "0";
}		}
return std::make_shared<PathDiagnosticEventPiece>(L, os.str());		return std::make_shared<PathDiagnosticEventPiece>(L, os.str());
}		}
▲ Show 20 Lines • Show All 151 Lines • ▼ Show 20 Lines	if (const Expr *Exp = dyn_cast_or_null<Expr>(Child))
}		}

return std::move(P);		return std::move(P);
}		}

static Optional<std::string> describeRegion(const MemRegion *MR) {		static Optional<std::string> describeRegion(const MemRegion *MR) {
if (const auto *VR = dyn_cast_or_null<VarRegion>(MR))		if (const auto *VR = dyn_cast_or_null<VarRegion>(MR))
return std::string(VR->getDecl()->getName());		return std::string(VR->getDecl()->getName());
		if (const auto *PR = dyn_cast_or_null<ParamRegion>(MR))
		martongUnsubmitted Not Done Reply Inline Actions What if ParamRegion was derived from VarRegion ? martong: What if ParamRegion was derived from VarRegion ?
		return std::string(PR->getDecl()->getName());
// Once we support more storage locations for bindings,		// Once we support more storage locations for bindings,
// this would need to be improved.		// this would need to be improved.
return None;		return None;
}		}

namespace {		namespace {
// Find the first node in the current function context that referred to the		// Find the first node in the current function context that referred to the
// tracked symbol and the memory location that value was stored to. Note, the		// tracked symbol and the memory location that value was stored to. Note, the
▲ Show 20 Lines • Show All 301 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp

Show First 20 Lines • Show All 167 Lines • ▼ Show 20 Lines	if (!Reg)
return nullptr;		return nullptr;
// TODO: In the future this should be abstracted away by the analyzer.		// TODO: In the future this should be abstracted away by the analyzer.
bool VaListModelledAsArray = false;		bool VaListModelledAsArray = false;
if (const auto *Cast = dyn_cast<CastExpr>(E)) {		if (const auto *Cast = dyn_cast<CastExpr>(E)) {
QualType Ty = Cast->getType();		QualType Ty = Cast->getType();
VaListModelledAsArray =		VaListModelledAsArray =
Ty->isPointerType() && Ty->getPointeeType()->isRecordType();		Ty->isPointerType() && Ty->getPointeeType()->isRecordType();
}		}
if (const auto *DeclReg = Reg->getAs<DeclRegion>()) {		if (const auto *DeclReg = Reg->getAs<DeclRegion>()) {
if (isa<ParmVarDecl>(DeclReg->getDecl()))		if (isa<ParmVarDecl>(DeclReg->getDecl()))
Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();		Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();
		} else if (Reg->getAs<ParamRegion>()) {
		Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();
}		}
		SzelethusUnsubmitted Not Done Reply Inline Actions This is interesting. I looked up `DeclRegion`, and it seems to be the region that is tied to a `ValueDecl`. `VarDecl` is a subtype of `ValueDecl`, and `ParmVarDecl` is a subtype of `VarDecl`, so wouldn't it make sense for `ParamRegion` to be a subtype of `VarRegion`? Szelethus: This is interesting. I looked up `DeclRegion`, and it seems to be the region that is tied to a…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions `DeclRegion` stores the `Decl`, `ParamRegion` retrieves it based on the `Index` it stores. There is no is-a relation between them. baloghadamsoftware: `DeclRegion` stores the `Decl`, `ParamRegion` retrieves it based on the `Index` it stores.
		balazskeUnsubmitted Not Done Reply Inline Actions During the lifetime of a `ParamRegion` is it possible that it will return different `Decl` objects? balazske: During the lifetime of a `ParamRegion` is it possible that it will return different `Decl`…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions @NoQ? baloghadamsoftware: @NoQ?
		balazskeUnsubmitted Not Done Reply Inline Actions Purpose of the question is that if the answer is "no", the decl could be stored at construction of a `ParamRegion` and it could be a subclass of `DeclRegion`. From the code I do not see that the belonging `Decl` can change, probably yes if the stack frame changes somehow. So the reason to have the `ParamRegion` seems to be to have the expression and index available, maybe use these for profiling (instead of a `Decl`). Still it could be made a subclass of `DeclRegion` that stores additionally the expr and index and profiling works with these values. balazske: Purpose of the question is that if the answer is "no", the decl could be stored at construction…
		martongUnsubmitted Not Done Reply Inline Actions During the lifetime of a ParamRegion is it possible that it will return different Decl objects? AFAIU, Yes. The `CallExpr` may refer to a `FunctionDecl` (the callee), but that Decl may not be the Canonical Decl of the redeclaration chain. martong: > During the lifetime of a ParamRegion is it possible that it will return different Decl…
IsSymbolic = Reg && Reg->getAs<SymbolicRegion>();		IsSymbolic = Reg && Reg->getAs<SymbolicRegion>();
// Some VarRegion based VA lists reach here as ElementRegions.		// Some VarRegion based VA lists reach here as ElementRegions.
const auto *EReg = dyn_cast_or_null<ElementRegion>(Reg);		const auto *EReg = dyn_cast_or_null<ElementRegion>(Reg);
return (EReg && VaListModelledAsArray) ? EReg->getSuperRegion() : Reg;		return (EReg && VaListModelledAsArray) ? EReg->getSuperRegion() : Reg;
}		}

void ValistChecker::checkPreStmt(const VAArgExpr *VAA,		void ValistChecker::checkPreStmt(const VAArgExpr *VAA,
CheckerContext &C) const {		CheckerContext &C) const {
▲ Show 20 Lines • Show All 238 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 Lines • Show All 735 Lines • ▼ Show 20 Lines	if (isa<CXXBaseObjectRegion>(R) \|\| isa<CXXTempObjectRegion>(R))
continue;		continue;

if (Sep.empty())		if (Sep.empty())
Sep = prettyPrintFirstElement(FirstElement,		Sep = prettyPrintFirstElement(FirstElement,
/MoreItemsExpected=/true,		/MoreItemsExpected=/true,
IndirectionLevel, os);		IndirectionLevel, os);

os << Sep;		os << Sep;

// Can only reasonably pretty-print DeclRegions.		// Can only reasonably pretty-print DeclRegions and ParamRegions.
		balazskeUnsubmitted Done Reply Inline Actions This comment is not fully true any more. balazske: This comment is not fully true any more.
if (!isa<DeclRegion>(R))		if (const auto *DR = dyn_cast<DeclRegion>(R)) {
return false;

const auto *DR = cast<DeclRegion>(R);
Sep = DR->getValueType()->isAnyPointerType() ? "->" : ".";		Sep = DR->getValueType()->isAnyPointerType() ? "->" : ".";
DR->getDecl()->getDeclName().print(os, PP);		DR->getDecl()->getDeclName().print(os, PP);
		} else if (const auto *PR = dyn_cast<ParamRegion>(R)) {
		const ParmVarDecl *D = PR->getDecl();
		if (!D)
		return false;

		Sep = PR->getValueType()->isAnyPointerType() ? "->" : ".";
		D->getDeclName().print(os, PP);
		} else {
		return false;
		}
}		}

if (Sep.empty())		if (Sep.empty())
prettyPrintFirstElement(FirstElement,		prettyPrintFirstElement(FirstElement,
/MoreItemsExpected=/false, IndirectionLevel, os);		/MoreItemsExpected=/false, IndirectionLevel, os);
return true;		return true;
}		}

▲ Show 20 Lines • Show All 475 Lines • ▼ Show 20 Lines	if (!FrameSpace) {
return true;		return true;
}		}

assert(VR->getDecl()->hasLocalStorage());		assert(VR->getDecl()->hasLocalStorage());
const LocationContext *LCtx = N->getLocationContext();		const LocationContext *LCtx = N->getLocationContext();
return FrameSpace->getStackFrame() == LCtx->getStackFrame();		return FrameSpace->getStackFrame() == LCtx->getStackFrame();
}		}

		/// Returns true if \p N represents the DeclStmt declaring and initializing
		/// \p PR.
		static bool isInitializationOfParam(const ExplodedNode *N,
		const ParamRegion *PR) {
		Optional<PostStmt> P = N->getLocationAs<PostStmt>();
		if (!P)
		return false;

		const DeclStmt *DS = P->getStmtAs<DeclStmt>();
		if (!DS)
		return false;

		const ParmVarDecl *PVD = PR->getDecl();
		if (!PVD)
		return false;

		if (DS->getSingleDecl() != PVD)
		return false;

		const MemSpaceRegion *ParamSpace = PR->getMemorySpace();
		const auto *FrameSpace = dyn_cast<StackSpaceRegion>(ParamSpace);

		const LocationContext *LCtx = N->getLocationContext();
		return FrameSpace->getStackFrame() == LCtx->getStackFrame();
		}

/// Show diagnostics for initializing or declaring a region \p R with a bad value.		/// Show diagnostics for initializing or declaring a region \p R with a bad value.
static void showBRDiagnostics(const char *action, llvm::raw_svector_ostream &os,		static void showBRDiagnostics(const char *action, llvm::raw_svector_ostream &os,
const MemRegion R, SVal V, const DeclStmt DS) {		const MemRegion R, SVal V, const DeclStmt DS) {
if (R->canPrintPretty()) {		if (R->canPrintPretty()) {
R->printPretty(os);		R->printPretty(os);
os << " ";		os << " ";
}		}

Show All 28 Lines	if (V.isUndef()) {
os << (R->canPrintPretty() ? "initialized" : "Initialized")		os << (R->canPrintPretty() ? "initialized" : "Initialized")
<< " here";		<< " here";
}		}
}		}
}		}

/// Display diagnostics for passing bad region as a parameter.		/// Display diagnostics for passing bad region as a parameter.
static void showBRParamDiagnostics(llvm::raw_svector_ostream& os,		static void showBRParamDiagnostics(llvm::raw_svector_ostream& os,
const VarRegion *VR,		const ParamRegion *PR, SVal V) {
SVal V) {
const auto *Param = cast<ParmVarDecl>(VR->getDecl());

os << "Passing ";		os << "Passing ";

if (V.getAs<loc::ConcreteInt>()) {		if (V.getAs<loc::ConcreteInt>()) {
if (Param->getType()->isObjCObjectPointerType())		if (PR->getValueType()->isObjCObjectPointerType())
os << "nil object reference";		os << "nil object reference";
else		else
os << "null pointer value";		os << "null pointer value";
} else if (V.isUndef()) {		} else if (V.isUndef()) {
os << "uninitialized value";		os << "uninitialized value";
} else if (auto CI = V.getAs<nonloc::ConcreteInt>()) {		} else if (auto CI = V.getAs<nonloc::ConcreteInt>()) {
os << "the value " << CI->getValue();		os << "the value " << CI->getValue();
} else {		} else {
os << "value";		os << "value";
}		}

// Printed parameter indexes are 1-based, not 0-based.		// Printed parameter indexes are 1-based, not 0-based.
unsigned Idx = Param->getFunctionScopeIndex() + 1;		unsigned Idx = PR->getIndex() + 1;
os << " via " << Idx << llvm::getOrdinalSuffix(Idx) << " parameter";		os << " via " << Idx << llvm::getOrdinalSuffix(Idx) << " parameter";
if (VR->canPrintPretty()) {		if (PR->canPrintPretty()) {
os << " ";		os << " ";
VR->printPretty(os);		PR->printPretty(os);
}		}
}		}

/// Show default diagnostics for storing bad region.		/// Show default diagnostics for storing bad region.
static void showBRDefaultDiagnostics(llvm::raw_svector_ostream &os,		static void showBRDefaultDiagnostics(llvm::raw_svector_ostream &os,
const MemRegion *R, SVal V) {		const MemRegion *R, SVal V) {
if (V.getAs<loc::ConcreteInt>()) {		if (V.getAs<loc::ConcreteInt>()) {
bool b = false;		bool b = false;
▲ Show 20 Lines • Show All 52 Lines • ▼ Show 20 Lines	FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
// First see if we reached the declaration of the region.		// First see if we reached the declaration of the region.
if (const auto *VR = dyn_cast<VarRegion>(R)) {		if (const auto *VR = dyn_cast<VarRegion>(R)) {
if (isInitializationOfVar(Pred, VR)) {		if (isInitializationOfVar(Pred, VR)) {
StoreSite = Pred;		StoreSite = Pred;
InitE = VR->getDecl()->getInit();		InitE = VR->getDecl()->getInit();
}		}
}		}

		// First see if we reached the declaration of the region.
		if (const auto *PR = dyn_cast<ParamRegion>(R)) {
		if (isInitializationOfParam(Pred, PR)) {
		StoreSite = Pred;
		InitE = PR->getDecl()->getInit();
		}
		}

// If this is a post initializer expression, initializing the region, we		// If this is a post initializer expression, initializing the region, we
// should track the initializer expression.		// should track the initializer expression.
if (Optional<PostInitializer> PIP = Pred->getLocationAs<PostInitializer>()) {		if (Optional<PostInitializer> PIP = Pred->getLocationAs<PostInitializer>()) {
const MemRegion FieldReg = (const MemRegion )PIP->getLocationValue();		const MemRegion FieldReg = (const MemRegion )PIP->getLocationValue();
if (FieldReg == R) {		if (FieldReg == R) {
StoreSite = Pred;		StoreSite = Pred;
InitE = PIP->getInitializer()->getInit();		InitE = PIP->getInitializer()->getInit();
}		}
Show All 23 Lines	if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
if (BO->isAssignmentOp())		if (BO->isAssignmentOp())
InitE = BO->getRHS();		InitE = BO->getRHS();

// If this is a call entry, the variable should be a parameter.		// If this is a call entry, the variable should be a parameter.
// FIXME: Handle CXXThisRegion as well. (This is not a priority because		// FIXME: Handle CXXThisRegion as well. (This is not a priority because
// 'this' should never be NULL, but this visitor isn't just for NULL and		// 'this' should never be NULL, but this visitor isn't just for NULL and
// UndefinedVal.)		// UndefinedVal.)
if (Optional<CallEnter> CE = Succ->getLocationAs<CallEnter>()) {		if (Optional<CallEnter> CE = Succ->getLocationAs<CallEnter>()) {
if (const auto *VR = dyn_cast<VarRegion>(R)) {		if (const auto *PR = dyn_cast<ParamRegion>(R)) {
		ProgramStateManager &StateMgr = BRC.getStateManager();
		CallEventManager &CallMgr = StateMgr.getCallEventManager();

		CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(),
		Succ->getState());
		InitE = Call->getArgExpr(PR->getIndex());
		} else if (const auto *VR = dyn_cast<VarRegion>(R)) {

if (const auto *Param = dyn_cast<ParmVarDecl>(VR->getDecl())) {		if (const auto *Param = dyn_cast<ParmVarDecl>(VR->getDecl())) {
ProgramStateManager &StateMgr = BRC.getStateManager();		ProgramStateManager &StateMgr = BRC.getStateManager();
CallEventManager &CallMgr = StateMgr.getCallEventManager();		CallEventManager &CallMgr = StateMgr.getCallEventManager();

CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(),		CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(),
Succ->getState());		Succ->getState());
InitE = Call->getArgExpr(Param->getFunctionScopeIndex());		InitE = Call->getArgExpr(Param->getFunctionScopeIndex());
▲ Show 20 Lines • Show All 49 Lines • ▼ Show 20 Lines	if (DS) {
action = R->canPrintPretty() ? "captured by block as " :		action = R->canPrintPretty() ? "captured by block as " :
"Captured by block as ";		"Captured by block as ";
if (VR) {		if (VR) {
// See if we can get the BlockVarRegion.		// See if we can get the BlockVarRegion.
ProgramStateRef State = StoreSite->getState();		ProgramStateRef State = StoreSite->getState();
SVal V = StoreSite->getSVal(S);		SVal V = StoreSite->getSVal(S);
if (const auto *BDR =		if (const auto *BDR =
dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) {		dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) {
if (const VarRegion *OriginalR = BDR->getOriginalRegion(VR)) {		if (const TypedValueRegion *OriginalR = BDR->getOriginalRegion(VR)) {
if (auto KV = State->getSVal(OriginalR).getAs<KnownSVal>())		if (auto KV = State->getSVal(OriginalR).getAs<KnownSVal>())
BR.addVisitor(std::make_unique<FindLastStoreBRVisitor>(		BR.addVisitor(std::make_unique<FindLastStoreBRVisitor>(
*KV, OriginalR, EnableNullFPSuppression, TKind, OriginSFC));		*KV, OriginalR, EnableNullFPSuppression, TKind, OriginSFC));
}		}
}		}
}		}
}		}
if (action)		if (action)
showBRDiagnostics(action, os, R, V, DS);		showBRDiagnostics(action, os, R, V, DS);

} else if (StoreSite->getLocation().getAs<CallEnter>()) {		} else if (StoreSite->getLocation().getAs<CallEnter>()) {
if (const auto *VR = dyn_cast<VarRegion>(R))		if (const auto *PR = dyn_cast<ParamRegion>(R)) {
showBRParamDiagnostics(os, VR, V);		showBRParamDiagnostics(os, PR, V);
		}
}		}

if (os.str().empty())		if (os.str().empty())
showBRDefaultDiagnostics(os, R, V);		showBRDefaultDiagnostics(os, R, V);

if (TKind == bugreporter::TrackingKind::Condition)		if (TKind == bugreporter::TrackingKind::Condition)
os << WillBeUsedForACondition;		os << WillBeUsedForACondition;

▲ Show 20 Lines • Show All 322 Lines • ▼ Show 20 Lines
static const MemRegion getLocationRegionIfReference(const Expr E,		static const MemRegion getLocationRegionIfReference(const Expr E,
const ExplodedNode *N) {		const ExplodedNode *N) {
if (const auto *DR = dyn_cast<DeclRefExpr>(E)) {		if (const auto *DR = dyn_cast<DeclRefExpr>(E)) {
if (const auto *VD = dyn_cast<VarDecl>(DR->getDecl())) {		if (const auto *VD = dyn_cast<VarDecl>(DR->getDecl())) {
if (!VD->getType()->isReferenceType())		if (!VD->getType()->isReferenceType())
return nullptr;		return nullptr;
ProgramStateManager &StateMgr = N->getState()->getStateManager();		ProgramStateManager &StateMgr = N->getState()->getStateManager();
MemRegionManager &MRMgr = StateMgr.getRegionManager();		MemRegionManager &MRMgr = StateMgr.getRegionManager();
return MRMgr.getVarRegion(VD, N->getLocationContext());		const LocationContext *LCtx = N->getLocationContext();
		if (const auto *PVD = dyn_cast<ParmVarDecl>(VD))
		return MRMgr.getRegionForParam(PVD, LCtx);

		return MRMgr.getVarRegion(VD, LCtx);
}		}
}		}

// FIXME: This does not handle other kinds of null references,		// FIXME: This does not handle other kinds of null references,
// for example, references from FieldRegions:		// for example, references from FieldRegions:
// struct Wrapper { int &ref; };		// struct Wrapper { int &ref; };
// Wrapper w = { (int )0 };		// Wrapper w = { (int )0 };
// w.ref = 1;		// w.ref = 1;
▲ Show 20 Lines • Show All 1,063 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 Lines • Show All 216 Lines • ▼ Show 20 Lines	for (; Idx < Sz; ++Idx)
if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())		if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())
if (StmtElem->getStmt() == E)		if (StmtElem->getStmt() == E)
break;		break;
assert(Idx < Sz);		assert(Idx < Sz);

return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, BlockCount, Idx);		return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, BlockCount, Idx);
}		}

const VarRegion *CallEvent::getParameterLocation(unsigned Index,		const ParamRegion *CallEvent::getParameterLocation(unsigned Index,
unsigned BlockCount) const {		unsigned BlockCount) const {
const StackFrameContext *SFC = getCalleeStackFrame(BlockCount);		const StackFrameContext *SFC = getCalleeStackFrame(BlockCount);
// We cannot construct a VarRegion without a stack frame.		// We cannot construct a VarRegion without a stack frame.
if (!SFC)		if (!SFC)
return nullptr;		return nullptr;

// Retrieve parameters of the definition, which are different from		const ParamRegion *PR =
		balazskeUnsubmitted Done Reply Inline Actions Is it correct to create `VR` only to have this assert? balazske: Is it correct to create `VR` only to have this assert?
		NoQUnsubmitted Not Done Reply Inline Actions It's a valid pattern but it should be followed by `(void)VR;` in order to avoid unused variable warning in no-assert builds. NoQ: It's a valid pattern but it should be followed by `(void)VR;` in order to avoid unused variable…
// CallEvent's parameters() because getDecl() isn't necessarily		State->getStateManager().getRegionManager().getParamRegion(getOriginExpr(),
// the definition. SFC contains the definition that would be used		Index, SFC);
// during analysis.		return PR;
const Decl *D = SFC->getDecl();

// TODO: Refactor into a virtual method of CallEvent, like parameters().
const ParmVarDecl *PVD = nullptr;
if (const auto *FD = dyn_cast<FunctionDecl>(D))
PVD = FD->parameters()[Index];
else if (const auto *BD = dyn_cast<BlockDecl>(D))
PVD = BD->parameters()[Index];
else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D))
PVD = MD->parameters()[Index];
else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D))
PVD = CD->parameters()[Index];
assert(PVD && "Unexpected Decl kind!");

const VarRegion *VR =
State->getStateManager().getRegionManager().getVarRegion(PVD, SFC);

// This sanity check would fail if our parameter declaration doesn't
// correspond to the stack frame's function declaration.
assert(VR->getStackFrame() == SFC);

return VR;
}		}

/// Returns true if a type is a pointer-to-const or reference-to-const		/// Returns true if a type is a pointer-to-const or reference-to-const
/// with no further indirection.		/// with no further indirection.
static bool isPointerToConst(QualType Ty) {		static bool isPointerToConst(QualType Ty) {
QualType PointeeTy = Ty->getPointeeType();		QualType PointeeTy = Ty->getPointeeType();
if (PointeeTy == QualType())		if (PointeeTy == QualType())
return false;		return false;
▲ Show 20 Lines • Show All 54 Lines • ▼ Show 20 Lines	for (unsigned Idx = 0, Count = getNumArgs(); Idx != Count; ++Idx) {
// destructor has access to the temporary object after the call.		// destructor has access to the temporary object after the call.
// TODO: Support placement arguments once we start		// TODO: Support placement arguments once we start
// constructing them directly.		// constructing them directly.
// TODO: This is unnecessary when there's no destructor, but that's		// TODO: This is unnecessary when there's no destructor, but that's
// currently hard to figure out.		// currently hard to figure out.
if (getKind() != CE_CXXAllocator)		if (getKind() != CE_CXXAllocator)
if (isArgumentConstructedDirectly(Idx))		if (isArgumentConstructedDirectly(Idx))
if (auto AdjIdx = getAdjustedParameterIndex(Idx))		if (auto AdjIdx = getAdjustedParameterIndex(Idx))
if (const VarRegion VR = getParameterLocation(AdjIdx, BlockCount))		if (const TypedValueRegion *TVR =
ValuesToInvalidate.push_back(loc::MemRegionVal(VR));		getParameterLocation(*AdjIdx, BlockCount))
		ValuesToInvalidate.push_back(loc::MemRegionVal(TVR));
}		}

// Invalidate designated regions using the batch invalidation API.		// Invalidate designated regions using the batch invalidation API.
// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate		// NOTE: Even if RegionsToInvalidate is empty, we may still invalidate
// global variables.		// global variables.
return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),		return Result->invalidateRegions(ValuesToInvalidate, getOriginExpr(),
BlockCount, getLocationContext(),		BlockCount, getLocationContext(),
/CausedByPointerEscape/ true,		/CausedByPointerEscape/ true,
▲ Show 20 Lines • Show All 184 Lines • ▼ Show 20 Lines	if (Call.getKind() != CE_CXXAllocator)
if (Call.isArgumentConstructedDirectly(Call.getASTArgumentIndex(Idx)))		if (Call.isArgumentConstructedDirectly(Call.getASTArgumentIndex(Idx)))
continue;		continue;

// TODO: Allocators should receive the correct size and possibly alignment,		// TODO: Allocators should receive the correct size and possibly alignment,
// determined in compile-time but not represented as arg-expressions,		// determined in compile-time but not represented as arg-expressions,
// which makes getArgSVal() fail and return UnknownVal.		// which makes getArgSVal() fail and return UnknownVal.
SVal ArgVal = Call.getArgSVal(Idx);		SVal ArgVal = Call.getArgSVal(Idx);
if (!ArgVal.isUnknown()) {		if (!ArgVal.isUnknown()) {
Loc ParamLoc = SVB.makeLoc(MRMgr.getVarRegion(ParamDecl, CalleeCtx));		Loc ParamLoc =
		SVB.makeLoc(MRMgr.getParamRegion(Call.getOriginExpr(), Idx, CalleeCtx));
Bindings.push_back(std::make_pair(ParamLoc, ArgVal));		Bindings.push_back(std::make_pair(ParamLoc, ArgVal));
}		}
}		}

// FIXME: Variadic arguments are not handled at all right now.		// FIXME: Variadic arguments are not handled at all right now.
}		}

ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const {		ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const {
▲ Show 20 Lines • Show All 921 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 Lines • Show All 212 Lines • ▼ Show 20 Lines	if (const BlockDataRegion *BDR =

BlockDataRegion::referenced_vars_iterator I = BDR->referenced_vars_begin(),		BlockDataRegion::referenced_vars_iterator I = BDR->referenced_vars_begin(),
E = BDR->referenced_vars_end();		E = BDR->referenced_vars_end();

auto CI = BD->capture_begin();		auto CI = BD->capture_begin();
auto CE = BD->capture_end();		auto CE = BD->capture_end();
for (; I != E; ++I) {		for (; I != E; ++I) {
const VarRegion *capturedR = I.getCapturedRegion();		const VarRegion *capturedR = I.getCapturedRegion();
const VarRegion *originalR = I.getOriginalRegion();		const TypedValueRegion *originalR = I.getOriginalRegion();

// If the capture had a copy expression, use the result of evaluating		// If the capture had a copy expression, use the result of evaluating
// that expression, otherwise use the original value.		// that expression, otherwise use the original value.
// We rely on the invariant that the block declaration's capture variables		// We rely on the invariant that the block declaration's capture variables
// are a prefix of the BlockDataRegion's referenced vars (which may include		// are a prefix of the BlockDataRegion's referenced vars (which may include
// referenced globals, etc.) to enable fast lookup of the capture for a		// referenced globals, etc.) to enable fast lookup of the capture for a
// given referenced var.		// given referenced var.
const Expr *copyExpr = nullptr;		const Expr *copyExpr = nullptr;
▲ Show 20 Lines • Show All 945 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 Lines • Show All 336 Lines • ▼ Show 20 Lines	case ConstructionContext::ArgumentKind: {

// FIXME: Support for variadic arguments is not implemented here yet.		// FIXME: Support for variadic arguments is not implemented here yet.
if (CallEvent::isVariadic(CalleeD))		if (CallEvent::isVariadic(CalleeD))
return None;		return None;

// Operator arguments do not correspond to operator parameters		// Operator arguments do not correspond to operator parameters
// because this-argument is implemented as a normal argument in		// because this-argument is implemented as a normal argument in
// operator call expressions but not in operator declarations.		// operator call expressions but not in operator declarations.
const VarRegion *VR = Caller->getParameterLocation(		const TypedValueRegion *TVR = Caller->getParameterLocation(
*Caller->getAdjustedParameterIndex(Idx), currBldrCtx->blockCount());		*Caller->getAdjustedParameterIndex(Idx), currBldrCtx->blockCount());
if (!VR)		if (!TVR)
return None;		return None;

return loc::MemRegionVal(VR);		return loc::MemRegionVal(TVR);
};		};

if (const auto *CE = dyn_cast<CallExpr>(E)) {		if (const auto *CE = dyn_cast<CallExpr>(E)) {
CallEventRef<> Caller = CEMgr.getSimpleCall(CE, State, LCtx);		CallEventRef<> Caller = CEMgr.getSimpleCall(CE, State, LCtx);
if (auto OptV = getArgLoc(Caller))		if (auto OptV = getArgLoc(Caller))
V = *OptV;		V = *OptV;
else		else
break;		break;
		balazskeUnsubmitted Done Reply Inline Actions This `break` is at wrong place. balazske: This `break` is at wrong place.
State = addObjectUnderConstruction(State, {CE, Idx}, LCtx, V);		State = addObjectUnderConstruction(State, {CE, Idx}, LCtx, V);
} else if (const auto *CCE = dyn_cast<CXXConstructExpr>(E)) {		} else if (const auto *CCE = dyn_cast<CXXConstructExpr>(E)) {
// Don't bother figuring out the target region for the future		// Don't bother figuring out the target region for the future
// constructor because we won't need it.		// constructor because we won't need it.
CallEventRef<> Caller =		CallEventRef<> Caller =
CEMgr.getCXXConstructorCall(CCE, /Target=/nullptr, State, LCtx);		CEMgr.getCXXConstructorCall(CCE, /Target=/nullptr, State, LCtx);
if (auto OptV = getArgLoc(Caller))		if (auto OptV = getArgLoc(Caller))
V = *OptV;		V = *OptV;
▲ Show 20 Lines • Show All 606 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 Lines • Show All 530 Lines • ▼ Show 20 Lines	ProgramStateRef ExprEngine::finishArgumentConstruction(ProgramStateRef State,

const LocationContext *LC = Call.getLocationContext();		const LocationContext *LC = Call.getLocationContext();
for (unsigned CallI = 0, CallN = Call.getNumArgs(); CallI != CallN; ++CallI) {		for (unsigned CallI = 0, CallN = Call.getNumArgs(); CallI != CallN; ++CallI) {
unsigned I = Call.getASTArgumentIndex(CallI);		unsigned I = Call.getASTArgumentIndex(CallI);
if (Optional<SVal> V =		if (Optional<SVal> V =
getObjectUnderConstruction(State, {E, I}, LC)) {		getObjectUnderConstruction(State, {E, I}, LC)) {
SVal VV = *V;		SVal VV = *V;
(void)VV;		(void)VV;
assert(cast<VarRegion>(VV.castAs<loc::MemRegionVal>().getRegion())		if (const auto *VR =
->getStackFrame()->getParent()		dyn_cast<VarRegion>(VV.castAs<loc::MemRegionVal>().getRegion())) {
		assert(VR->getStackFrame()->getParent()
->getStackFrame() == LC->getStackFrame());		->getStackFrame() == LC->getStackFrame());
		}
State = finishObjectConstruction(State, {E, I}, LC);		State = finishObjectConstruction(State, {E, I}, LC);
}		}
}		}

return State;		return State;
}		}

void ExprEngine::finishArgumentConstruction(ExplodedNodeSet &Dst,		void ExprEngine::finishArgumentConstruction(ExplodedNodeSet &Dst,
▲ Show 20 Lines • Show All 598 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

Show First 20 Lines • Show All 153 Lines • ▼ Show 20 Lines	MemRegionManager &SubRegion::getMemRegionManager() const {
} while (true);		} while (true);
}		}

const StackFrameContext *VarRegion::getStackFrame() const {		const StackFrameContext *VarRegion::getStackFrame() const {
const auto *SSR = dyn_cast<StackSpaceRegion>(getMemorySpace());		const auto *SSR = dyn_cast<StackSpaceRegion>(getMemorySpace());
return SSR ? SSR->getStackFrame() : nullptr;		return SSR ? SSR->getStackFrame() : nullptr;
}		}

		const StackFrameContext *ParamRegion::getStackFrame() const {
		const auto *SSR = cast<StackSpaceRegion>(getMemorySpace());
		return SSR->getStackFrame();
		NoQUnsubmitted Done Reply Inline Actions `SSR` shouldn't ever be null. Any parameter must be on the stack. NoQ: `SSR` shouldn't ever be null. Any parameter must be on the stack.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions OK, I will remove this check. baloghadamsoftware: OK, I will remove this check.
		}

ObjCIvarRegion::ObjCIvarRegion(const ObjCIvarDecl ivd, const SubRegion sReg)		ObjCIvarRegion::ObjCIvarRegion(const ObjCIvarDecl ivd, const SubRegion sReg)
: DeclRegion(ivd, sReg, ObjCIvarRegionKind) {}		: DeclRegion(ivd, sReg, ObjCIvarRegionKind) {}

const ObjCIvarDecl *ObjCIvarRegion::getDecl() const {		const ObjCIvarDecl *ObjCIvarRegion::getDecl() const {
return cast<ObjCIvarDecl>(D);		return cast<ObjCIvarDecl>(D);
}		}

QualType ObjCIvarRegion::getValueType() const {		QualType ObjCIvarRegion::getValueType() const {
return getDecl()->getType();		return getDecl()->getType();
}		}

QualType CXXBaseObjectRegion::getValueType() const {		QualType CXXBaseObjectRegion::getValueType() const {
return QualType(getDecl()->getTypeForDecl(), 0);		return QualType(getDecl()->getTypeForDecl(), 0);
}		}

QualType CXXDerivedObjectRegion::getValueType() const {		QualType CXXDerivedObjectRegion::getValueType() const {
return QualType(getDecl()->getTypeForDecl(), 0);		return QualType(getDecl()->getTypeForDecl(), 0);
}		}

		QualType ParamRegion::getValueType() const {
		assert (getDecl() &&
		NoQUnsubmitted Not Done Reply Inline Actions This doesn't work when the callee is unknown. You need to consult the origin expr here. NoQ: This doesn't work when the callee is unknown. You need to consult the origin expr here.
		"`ParamRegion` does not support functions without `Decl`");
		return getDecl()->getType();
		}

		NoQUnsubmitted Not Done Reply Inline Actions This doesn't work when the callee is unknown. NoQ: This doesn't work when the callee is unknown.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Please give me an example where the callee is unknown. As I wrote, originally I put a `getExpr()` method here as well and `getType()` fell back to it if it could not find the `Decl()`. However, it was never invoked on the whole test suite. (I put an `assert(false)` into it, and did not get a crash. baloghadamsoftware: Please give me an example where the callee is unknown. As I wrote, originally I put a `getExpr…
		NoQUnsubmitted Not Done Reply Inline Actions Please give me an example where the callee is unknown. In D79704#2034571, @NoQ wrote: In D79704#2032947, @Szelethus wrote: Could you give a specific code example? struct S { S() { this; // What region does 'this' point to... } }; void foo(void (bar)(S)) { bar(S()); // ...in this invocation? } NoQ:* > Please give me an example where the callee is unknown. >>! In D79704#2034571, @NoQ wrote…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions OK, but it still does not crash the analyzer, even if I enable creation of stack frames for all the callees, even for those without definition. What else should I do to enforce the crash (null pointer dereference)? Try to use `getParameterLocation()` in a unit test? baloghadamsoftware: OK, but it still does not crash the analyzer, even if I enable creation of stack frames for all…
		NoQUnsubmitted Not Done Reply Inline Actions Yes. I demonstrated how you can get the region without a decl but you should turn this into a test that actually calls one of the problematic functions. Like, `clang_analyzer_dump()` it or something. NoQ: Yes. I demonstrated how you can get the region without a decl but you should turn this into a…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Of course I tried `clang_analyzer_explain()`, but neither `clang_analyzer_dump()` helps. I also tried a unit test now where I call `getParameterLocation()` explicitly. It turns out that parameter regions are never created for functions without `Decl` because of the first lines in `CallEvent::getCalleeAnalysisDeclContext()`. This function needs the `Decl` to retrieve the `AnalysisDeclContext` of the callee, which is needed to retrieve its stack frame by `getCalleeStackFrame()`. Without stack frame we do not create `ParamRegion`. The other two functions creating `ParamRegion` (`CallEvent::addParameterValuesToBindings` and the newly created `MemRegionManager::getRegionForParam`) start from `ParmVarDecl` which always belongs to a `Decl`. So we can safely assume that currently all parameter regions have a `Decl`. Of course, this can be changed in the future, but I must not include dead code in a patch that cannot even be tested in the current phase. Even creation of callee stack frame for functions without definition is not part of this patch, but of the subsequent one. baloghadamsoftware: Of course I tried `clang_analyzer_explain()`, but neither `clang_analyzer_dump()` helps. I…
		NoQUnsubmitted Not Done Reply Inline Actions neither `clang_analyzer_dump()` helps So, does it dump a parameter region? Because it obviously should. NoQ: > neither `clang_analyzer_dump()` helps So, does it dump a parameter region? Because it…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions It dumps a temporary region as until now. So this patch does not change the behavior of the analyzer at this point. baloghadamsoftware: It dumps a temporary region as until now. So this patch does not change the behavior of the…
		martongUnsubmitted Done Reply Inline Actions I think we should run this patch against a test suite of open source projects. That could be tmux, curl, redis, xerces, bitcoin, protobuf (those are that we use in CTU at least). We should not have any crashes on theses projects because they exercise widely used language constructs. Besides, they provide a relatively broad set of use of the C and C++ languages, so that's quite a good coverage. In case of any assertion we can use creduce to nail the actual problem. martong: I think we should run this patch against a test suite of open source projects. That could be…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions As I mentioned, I already did it: D79704#2036067 baloghadamsoftware: As I mentioned, I already did it: D79704#2036067
		const ParmVarDecl *ParamRegion::getDecl() const {
		const Decl *D = getStackFrame()->getDecl();

		if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
		martongUnsubmitted Not Done Reply Inline Actions In all other cases we `assert`, here we return with a nullptr. Why? martong: In all other cases we `assert`, here we return with a nullptr. Why?
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions It was accidentally left here from an earlier experiment. baloghadamsoftware: It was accidentally left here from an earlier experiment.
		assert (Index < FD->param_size());
		return FD->parameters()[Index];
		} else if (const auto *BD = dyn_cast<BlockDecl>(D)) {
		assert (Index < BD->param_size());
		return BD->parameters()[Index];
		} else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) {
		assert (Index < MD->param_size());
		return MD->parameters()[Index];
		} else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D)) {
		assert (Index < CD->param_size());
		return CD->parameters()[Index];
		} else {
		llvm_unreachable("Unexpected Decl kind!");
		}
		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// FoldingSet profiling.		// FoldingSet profiling.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

void MemSpaceRegion::Profile(llvm::FoldingSetNodeID &ID) const {		void MemSpaceRegion::Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddInteger(static_cast<unsigned>(getKind()));		ID.AddInteger(static_cast<unsigned>(getKind()));
}		}

▲ Show 20 Lines • Show All 174 Lines • ▼ Show 20 Lines	void CXXDerivedObjectRegion::ProfileRegion(llvm::FoldingSetNodeID &ID,
ID.AddPointer(RD);		ID.AddPointer(RD);
ID.AddPointer(SReg);		ID.AddPointer(SReg);
}		}

void CXXDerivedObjectRegion::Profile(llvm::FoldingSetNodeID &ID) const {		void CXXDerivedObjectRegion::Profile(llvm::FoldingSetNodeID &ID) const {
ProfileRegion(ID, getDecl(), superRegion);		ProfileRegion(ID, getDecl(), superRegion);
}		}

		void ParamRegion::ProfileRegion(llvm::FoldingSetNodeID &ID, const Expr *OE,
		unsigned Idx, const MemRegion *SReg) {
		ID.AddInteger(static_cast<unsigned>(ParamRegionKind));
		ID.AddPointer(OE);
		ID.AddInteger(Idx);
		ID.AddPointer(SReg);
		}

		void ParamRegion::Profile(llvm::FoldingSetNodeID &ID) const {
		ProfileRegion(ID, getOriginExpr(), getIndex(), superRegion);
		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Region anchors.		// Region anchors.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

void GlobalsSpaceRegion::anchor() {}		void GlobalsSpaceRegion::anchor() {}

void NonStaticGlobalSpaceRegion::anchor() {}		void NonStaticGlobalSpaceRegion::anchor() {}

▲ Show 20 Lines • Show All 147 Lines • ▼ Show 20 Lines
void StackArgumentsSpaceRegion::dumpToStream(raw_ostream &os) const {		void StackArgumentsSpaceRegion::dumpToStream(raw_ostream &os) const {
os << "StackArgumentsSpaceRegion";		os << "StackArgumentsSpaceRegion";
}		}

void StackLocalsSpaceRegion::dumpToStream(raw_ostream &os) const {		void StackLocalsSpaceRegion::dumpToStream(raw_ostream &os) const {
os << "StackLocalsSpaceRegion";		os << "StackLocalsSpaceRegion";
}		}

		void ParamRegion::dumpToStream(raw_ostream &os) const {
		const ParmVarDecl *PVD = getDecl();
		assert (PVD &&
		NoQUnsubmitted Not Done Reply Inline Actions `PVD` may be null. NoQ: `PVD` may be null.
		"`ParamRegion` does not support functions without `Decl`");
		if (const IdentifierInfo *ID = PVD->getIdentifier()) {
		os << ID->getName();
		} else {
		os << "ParamRegion{P" << PVD->getID() << '}';
		}
		}

bool MemRegion::canPrintPretty() const {		bool MemRegion::canPrintPretty() const {
return canPrintPrettyAsExpr();		return canPrintPrettyAsExpr();
}		}

bool MemRegion::canPrintPrettyAsExpr() const {		bool MemRegion::canPrintPrettyAsExpr() const {
return false;		return false;
}		}

▲ Show 20 Lines • Show All 59 Lines • ▼ Show 20 Lines
bool CXXDerivedObjectRegion::canPrintPrettyAsExpr() const {		bool CXXDerivedObjectRegion::canPrintPrettyAsExpr() const {
return superRegion->canPrintPrettyAsExpr();		return superRegion->canPrintPrettyAsExpr();
}		}

void CXXDerivedObjectRegion::printPrettyAsExpr(raw_ostream &os) const {		void CXXDerivedObjectRegion::printPrettyAsExpr(raw_ostream &os) const {
superRegion->printPrettyAsExpr(os);		superRegion->printPrettyAsExpr(os);
}		}

		bool ParamRegion::canPrintPrettyAsExpr() const {
		return true;
		}

		void ParamRegion::printPrettyAsExpr(raw_ostream &os) const {
		assert (getDecl() &&
		"`ParamRegion` does not support functions without `Decl`");
		os << getDecl()->getName();
		}

std::string MemRegion::getDescriptiveName(bool UseQuotes) const {		std::string MemRegion::getDescriptiveName(bool UseQuotes) const {
std::string VariableName;		std::string VariableName;
std::string ArrayIndices;		std::string ArrayIndices;
const MemRegion *R = this;		const MemRegion *R = this;
SmallString<50> buf;		SmallString<50> buf;
llvm::raw_svector_ostream os(buf);		llvm::raw_svector_ostream os(buf);

// Obtain array indices to add them to the variable name.		// Obtain array indices to add them to the variable name.
▲ Show 20 Lines • Show All 73 Lines • ▼ Show 20 Lines	DefinedOrUnknownSVal MemRegionManager::getStaticSize(const MemRegion *MR,
case MemRegion::CompoundLiteralRegionKind:		case MemRegion::CompoundLiteralRegionKind:
case MemRegion::CXXBaseObjectRegionKind:		case MemRegion::CXXBaseObjectRegionKind:
case MemRegion::CXXDerivedObjectRegionKind:		case MemRegion::CXXDerivedObjectRegionKind:
case MemRegion::CXXTempObjectRegionKind:		case MemRegion::CXXTempObjectRegionKind:
case MemRegion::CXXThisRegionKind:		case MemRegion::CXXThisRegionKind:
case MemRegion::ObjCIvarRegionKind:		case MemRegion::ObjCIvarRegionKind:
case MemRegion::VarRegionKind:		case MemRegion::VarRegionKind:
case MemRegion::ElementRegionKind:		case MemRegion::ElementRegionKind:
case MemRegion::ObjCStringRegionKind: {		case MemRegion::ObjCStringRegionKind:
		case MemRegion::ParamRegionKind: {
QualType Ty = cast<TypedValueRegion>(SR)->getDesugaredValueType(Ctx);		QualType Ty = cast<TypedValueRegion>(SR)->getDesugaredValueType(Ctx);
if (isa<VariableArrayType>(Ty))		if (isa<VariableArrayType>(Ty))
return nonloc::SymbolVal(SymMgr.getExtentSymbol(SR));		return nonloc::SymbolVal(SymMgr.getExtentSymbol(SR));

if (Ty->isIncompleteType())		if (Ty->isIncompleteType())
return UnknownVal();		return UnknownVal();

return getTypeSize(Ty, Ctx, SVB);		return getTypeSize(Ty, Ctx, SVB);
▲ Show 20 Lines • Show All 135 Lines • ▼ Show 20 Lines	if (const auto *SFC = dyn_cast<StackFrameContext>(LC)) {
return SFC;		return SFC;
}		}
if (const auto *BC = dyn_cast<BlockInvocationContext>(LC)) {		if (const auto *BC = dyn_cast<BlockInvocationContext>(LC)) {
const auto BR = static_cast<const BlockDataRegion >(BC->getData());		const auto BR = static_cast<const BlockDataRegion >(BC->getData());
// FIXME: This can be made more efficient.		// FIXME: This can be made more efficient.
for (BlockDataRegion::referenced_vars_iterator		for (BlockDataRegion::referenced_vars_iterator
I = BR->referenced_vars_begin(),		I = BR->referenced_vars_begin(),
E = BR->referenced_vars_end(); I != E; ++I) {		E = BR->referenced_vars_end(); I != E; ++I) {
const VarRegion *VR = I.getOriginalRegion();		const TypedValueRegion *OrigR = I.getOriginalRegion();
		if (const auto *VR = dyn_cast<VarRegion>(OrigR)) {
if (VR->getDecl() == VD)		if (VR->getDecl() == VD)
return cast<VarRegion>(I.getCapturedRegion());		return cast<VarRegion>(I.getCapturedRegion());
		} else if (const auto *PR = dyn_cast<ParamRegion>(OrigR)) {
		martongUnsubmitted Not Done Reply Inline Actions Both the `VarRegion` and `ParamRegion` cases here do the same. This suggest that maybe it would be better to have `VarRegion` as a base class for `ParamVarRegion`. This is aligned to what Artem suggested: We can even call it VarRegion and have sub-classes be ParamVarRegion and NonParamVarRegion or something like that. But maybe `NonParamVarRegion` is not needed since that is actually the `VarRegion`. martong: Both the `VarRegion` and `ParamRegion` cases here do the same. This suggest that maybe it would…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Usually we do not inherit from concrete classes by changing a method implementation that already exist. The other reason is even stronger: `NonParamVarRegion` must store the `Decl` of the variable, `ParamVarRegion` must not. baloghadamsoftware: Usually we do not inherit from concrete classes by changing a method implementation that…
		martongUnsubmitted Not Done Reply Inline Actions Usually we do not inherit from concrete classes by changing a method implementation that already exist. That's what we exactly do all over the place in the AST library. Which method(s) should we change by the way? Nevermind, I am perfectly fine having VarRegion as base and NonParamVarRegion and ParamVarRegion as derived. martong: > Usually we do not inherit from concrete classes by changing a method implementation that…
		if (PR->getDecl() == VD)
		return cast<VarRegion>(I.getCapturedRegion());
		}
}		}
}		}

LC = LC->getParent();		LC = LC->getParent();
}		}
return (const StackFrameContext *)nullptr;		return (const StackFrameContext *)nullptr;
}		}

▲ Show 20 Lines • Show All 287 Lines • ▼ Show 20 Lines	const MemSpaceRegion *MemRegion::getMemorySpace() const {
while (SR) {		while (SR) {
R = SR->getSuperRegion();		R = SR->getSuperRegion();
SR = dyn_cast<SubRegion>(R);		SR = dyn_cast<SubRegion>(R);
}		}

return dyn_cast<MemSpaceRegion>(R);		return dyn_cast<MemSpaceRegion>(R);
}		}

		const ParamRegion*
		MemRegionManager::getParamRegion(const Expr *OE, unsigned Index,
		const LocationContext *LC) {
		const StackFrameContext *STC = LC->getStackFrame();
		assert(STC);
		return getSubRegion<ParamRegion>(OE, Index, getStackArgumentsRegion(STC));
		}

		const TypedValueRegion*
		martongUnsubmitted Not Done Reply Inline Actions Why the return type is not `ParamVarRegion`? martong:* Why the return type is not `ParamVarRegion*`?
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Because for top-level functions and captured parameters it still returns `VarRegion`. baloghadamsoftware: Because for top-level functions and captured parameters it still returns `VarRegion`.
		martongUnsubmitted Not Done Reply Inline Actions Okay, makes sense, could you please document it then in the comment for the function? martong: Okay, makes sense, could you please document it then in the comment for the function?
		MemRegionManager::getRegionForParam(const ParmVarDecl *PVD,
		const LocationContext *LC) {
		unsigned Index = PVD->getFunctionScopeIndex();
		const StackFrameContext *SFC = LC->getStackFrame();
		const Stmt *CallSite = SFC->getCallSite();
		if (!CallSite)
		NoQUnsubmitted Not Done Reply Inline Actions Let's make a stronger assertion: if (SFC->inTopFrame()) return getVarRegion(PVD, LC); assert(CallSite && "Destructors with parameters?"); NoQ: Let's make a stronger assertion: ```lang=c++ if (SFC->inTopFrame()) return getVarRegion(PVD…
		return getVarRegion(PVD, LC);

		const Decl *D = SFC->getDecl();
		if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
		if (Index >= FD->param_size() \|\| FD->parameters()[Index] != PVD)
		return getVarRegion(PVD, LC);
		} else if (const auto *BD = dyn_cast<BlockDecl>(D)) {
		if (Index >= BD->param_size() \|\| BD->parameters()[Index] != PVD)
		return getVarRegion(PVD, LC);
		}

		return getParamRegion(cast<Expr>(CallSite), Index, LC);
		}

bool MemRegion::hasStackStorage() const {		bool MemRegion::hasStackStorage() const {
return isa<StackSpaceRegion>(getMemorySpace());		return isa<StackSpaceRegion>(getMemorySpace());
}		}

bool MemRegion::hasStackNonParametersStorage() const {		bool MemRegion::hasStackNonParametersStorage() const {
return isa<StackLocalsSpaceRegion>(getMemorySpace());		return isa<StackLocalsSpaceRegion>(getMemorySpace());
}		}

▲ Show 20 Lines • Show All 174 Lines • ▼ Show 20 Lines	while (true) {
case MemRegion::SymbolicRegionKind:		case MemRegion::SymbolicRegionKind:
case MemRegion::AllocaRegionKind:		case MemRegion::AllocaRegionKind:
case MemRegion::CompoundLiteralRegionKind:		case MemRegion::CompoundLiteralRegionKind:
case MemRegion::CXXThisRegionKind:		case MemRegion::CXXThisRegionKind:
case MemRegion::StringRegionKind:		case MemRegion::StringRegionKind:
case MemRegion::ObjCStringRegionKind:		case MemRegion::ObjCStringRegionKind:
case MemRegion::VarRegionKind:		case MemRegion::VarRegionKind:
case MemRegion::CXXTempObjectRegionKind:		case MemRegion::CXXTempObjectRegionKind:
		case MemRegion::ParamRegionKind:
// Usual base regions.		// Usual base regions.
goto Finish;		goto Finish;

case MemRegion::ObjCIvarRegionKind:		case MemRegion::ObjCIvarRegionKind:
// This is a little strange, but it's a compromise between		// This is a little strange, but it's a compromise between
// ObjCIvarRegions having unknown compile-time offsets (when using the		// ObjCIvarRegions having unknown compile-time offsets (when using the
// non-fragile runtime) and yet still being distinct, non-overlapping		// non-fragile runtime) and yet still being distinct, non-overlapping
// regions. Thus we treat them as "like" base regions for the purposes		// regions. Thus we treat them as "like" base regions for the purposes
▲ Show 20 Lines • Show All 131 Lines • ▼ Show 20 Lines	if (!cachedOffset)
cachedOffset = calculateOffset(this);		cachedOffset = calculateOffset(this);
return *cachedOffset;		return *cachedOffset;
}		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// BlockDataRegion		// BlockDataRegion
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

std::pair<const VarRegion , const VarRegion >		std::pair<const VarRegion , const TypedValueRegion >
BlockDataRegion::getCaptureRegions(const VarDecl *VD) {		BlockDataRegion::getCaptureRegions(const VarDecl *VD) {
MemRegionManager &MemMgr = getMemRegionManager();		MemRegionManager &MemMgr = getMemRegionManager();
const VarRegion *VR = nullptr;		const VarRegion *VR = nullptr;
const VarRegion *OriginalVR = nullptr;		const TypedValueRegion *OriginalVR = nullptr;

if (!VD->hasAttr<BlocksAttr>() && VD->hasLocalStorage()) {		if (!VD->hasAttr<BlocksAttr>() && VD->hasLocalStorage()) {
VR = MemMgr.getVarRegion(VD, this);		VR = MemMgr.getVarRegion(VD, this);
		if (const auto *PVD = dyn_cast<ParmVarDecl>(VD))
		OriginalVR = MemMgr.getRegionForParam(PVD, LC);
		else
OriginalVR = MemMgr.getVarRegion(VD, LC);		OriginalVR = MemMgr.getVarRegion(VD, LC);
}		}
else {		else {
if (LC) {		if (LC) {
VR = MemMgr.getVarRegion(VD, LC);		VR = MemMgr.getVarRegion(VD, LC);
OriginalVR = VR;		OriginalVR = VR;
		NoQUnsubmitted Done Reply Inline Actions I suggest making a function in `MemRegionManager` that takes a `Decl` and returns a region. There should only be one place in the code that decides when exactly do we produce a `ParamRegion` instead of a `VarRegion`. NoQ: I suggest making a function in `MemRegionManager` that takes a `Decl` and returns a region.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Good idea! baloghadamsoftware: Good idea!
}		}
else {		else {
VR = MemMgr.getVarRegion(VD, MemMgr.getUnknownRegion());		VR = MemMgr.getVarRegion(VD, MemMgr.getUnknownRegion());
OriginalVR = MemMgr.getVarRegion(VD, LC);		OriginalVR = MemMgr.getVarRegion(VD, LC);
}		}
}		}
return std::make_pair(VR, OriginalVR);		return std::make_pair(VR, OriginalVR);
}		}
Show All 20 Lines	void BlockDataRegion::LazyInitializeReferencedVars() {

auto *BV = A.Allocate<VarVec>();		auto *BV = A.Allocate<VarVec>();
new (BV) VarVec(BC, NumBlockVars);		new (BV) VarVec(BC, NumBlockVars);
auto *BVOriginal = A.Allocate<VarVec>();		auto *BVOriginal = A.Allocate<VarVec>();
new (BVOriginal) VarVec(BC, NumBlockVars);		new (BVOriginal) VarVec(BC, NumBlockVars);

for (const auto *VD : ReferencedBlockVars) {		for (const auto *VD : ReferencedBlockVars) {
const VarRegion *VR = nullptr;		const VarRegion *VR = nullptr;
const VarRegion *OriginalVR = nullptr;		const TypedValueRegion *OriginalVR = nullptr;
std::tie(VR, OriginalVR) = getCaptureRegions(VD);		std::tie(VR, OriginalVR) = getCaptureRegions(VD);
assert(VR);		assert(VR);
assert(OriginalVR);		assert(OriginalVR);
BV->push_back(VR, BC);		BV->push_back(VR, BC);
BVOriginal->push_back(OriginalVR, BC);		BVOriginal->push_back(OriginalVR, BC);
}		}

ReferencedVars = BV;		ReferencedVars = BV;
Show All 27 Lines	BlockDataRegion::referenced_vars_end() const {

auto *VecOriginal =		auto *VecOriginal =
static_cast<BumpVector<const MemRegion > >(OriginalVars);		static_cast<BumpVector<const MemRegion > >(OriginalVars);

return BlockDataRegion::referenced_vars_iterator(Vec->end(),		return BlockDataRegion::referenced_vars_iterator(Vec->end(),
VecOriginal->end());		VecOriginal->end());
}		}

const VarRegion BlockDataRegion::getOriginalRegion(const VarRegion R) const {		const TypedValueRegion
		BlockDataRegion::getOriginalRegion(const VarRegion R) const {
for (referenced_vars_iterator I = referenced_vars_begin(),		for (referenced_vars_iterator I = referenced_vars_begin(),
E = referenced_vars_end();		E = referenced_vars_end();
I != E; ++I) {		I != E; ++I) {
if (I.getCapturedRegion() == R)		if (I.getCapturedRegion() == R)
return I.getOriginalRegion();		return I.getOriginalRegion();
}		}
return nullptr;		return nullptr;
}		}
Show All 33 Lines	bool RegionAndSymbolInvalidationTraits::hasTrait(const MemRegion *MR,
if (const auto *SR = dyn_cast<SymbolicRegion>(MR))		if (const auto *SR = dyn_cast<SymbolicRegion>(MR))
return hasTrait(SR->getSymbol(), IK);		return hasTrait(SR->getSymbol(), IK);

const_region_iterator I = MRTraitsMap.find(MR);		const_region_iterator I = MRTraitsMap.find(MR);
if (I != MRTraitsMap.end())		if (I != MRTraitsMap.end())
return I->second & IK;		return I->second & IK;

return false;		return false;
}		}
		NoQUnsubmitted Not Done Reply Inline Actions Does this actually ever happen? NoQ: Does this actually ever happen?
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions I will check it. baloghadamsoftware: I will check it.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Oh yes. If we have no `CallSite`, then we are in the top frame. Should I check `LC->inTopFrame()` instead? baloghadamsoftware: Oh yes. If we have no `CallSite`, then we are in the top frame. Should I check `LC->inTopFrame…
		NoQUnsubmitted Not Done Reply Inline Actions Why would that ever happen? If it's just a sanity check, it should be an assertion. NoQ: Why would that ever happen? If it's just a sanity check, it should be an assertion.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions This happens all the time a lambda or a block captures a parameter of the enclosing function. I decided to keep the regions of captured variables `VarRegions` regardless whether they are parameters or plain variables. This was the only way I could found. This must not cause any problem. baloghadamsoftware: This happens all the time a lambda or a block captures a parameter of the enclosing function. I…
		NoQUnsubmitted Not Done Reply Inline Actions Does this method also suffer from the parameter vs. argument off-by-one problem with operators? NoQ: Does this method also suffer from the parameter vs. argument off-by-one problem with operators?
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Actually I removed all usage of the expression thus I got rid of the problem. baloghadamsoftware: Actually I removed all usage of the expression thus I got rid of the problem.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 Lines • Show All 563 Lines • ▼ Show 20 Lines	public: // Part of public interface to class.
SVal getBindingForElement(RegionBindingsConstRef B, const ElementRegion *R);		SVal getBindingForElement(RegionBindingsConstRef B, const ElementRegion *R);

SVal getBindingForField(RegionBindingsConstRef B, const FieldRegion *R);		SVal getBindingForField(RegionBindingsConstRef B, const FieldRegion *R);

SVal getBindingForObjCIvar(RegionBindingsConstRef B, const ObjCIvarRegion *R);		SVal getBindingForObjCIvar(RegionBindingsConstRef B, const ObjCIvarRegion *R);

SVal getBindingForVar(RegionBindingsConstRef B, const VarRegion *R);		SVal getBindingForVar(RegionBindingsConstRef B, const VarRegion *R);

		SVal getBindingForParam(RegionBindingsConstRef B, const ParamRegion *R);

SVal getBindingForLazySymbol(const TypedValueRegion *R);		SVal getBindingForLazySymbol(const TypedValueRegion *R);

SVal getBindingForFieldOrElementCommon(RegionBindingsConstRef B,		SVal getBindingForFieldOrElementCommon(RegionBindingsConstRef B,
const TypedValueRegion *R,		const TypedValueRegion *R,
QualType Ty);		QualType Ty);

SVal getLazyBinding(const SubRegion *LazyBindingRegion,		SVal getLazyBinding(const SubRegion *LazyBindingRegion,
RegionBindingsRef LazyBinding);		RegionBindingsRef LazyBinding);
▲ Show 20 Lines • Show All 925 Lines • ▼ Show 20 Lines	if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
// value to the variable type. What we should model is stores to variables		// value to the variable type. What we should model is stores to variables
// that blow past the extent of the variable. If the address of the		// that blow past the extent of the variable. If the address of the
// variable is reinterpretted, it is possible we stored a different value		// variable is reinterpretted, it is possible we stored a different value
// that could fit within the variable. Either we need to cast these when		// that could fit within the variable. Either we need to cast these when
// storing them or reinterpret them lazily (as we do here).		// storing them or reinterpret them lazily (as we do here).
return CastRetrievedVal(getBindingForVar(B, VR), VR, T);		return CastRetrievedVal(getBindingForVar(B, VR), VR, T);
}		}

		if (const ParamRegion *PR = dyn_cast<ParamRegion>(R)) {
		// FIXME: Here we actually perform an implicit conversion from the loaded
		// value to the variable type. What we should model is stores to variables
		// that blow past the extent of the variable. If the address of the
		// variable is reinterpretted, it is possible we stored a different value
		// that could fit within the variable. Either we need to cast these when
		// storing them or reinterpret them lazily (as we do here).
		return CastRetrievedVal(getBindingForParam(B, PR), PR, T);
		}

const SVal *V = B.lookup(R, BindingKey::Direct);		const SVal *V = B.lookup(R, BindingKey::Direct);

// Check if the region has a binding.		// Check if the region has a binding.
if (V)		if (V)
return *V;		return *V;

// The location does not have a bound value. This means that it has		// The location does not have a bound value. This means that it has
// the value it had upon its creation and/or entry to the analyzed		// the value it had upon its creation and/or entry to the analyzed
▲ Show 20 Lines • Show All 478 Lines • ▼ Show 20 Lines	if (isa<GlobalsSpaceRegion>(MS)) {
}		}

return svalBuilder.getRegionValueSymbolVal(R);		return svalBuilder.getRegionValueSymbolVal(R);
}		}

return UndefinedVal();		return UndefinedVal();
}		}

		SVal RegionStoreManager::getBindingForParam(RegionBindingsConstRef B,
		const ParamRegion *R) {
		// Check if the region has a binding.
		if (Optional<SVal> V = B.getDirectBinding(R))
		return *V;

		if (Optional<SVal> V = B.getDefaultBinding(R))
		return *V;

		// Lazily derive a value for the ParamRegion.
		const MemSpaceRegion *MS = R->getMemorySpace();

		assert (isa<StackArgumentsSpaceRegion>(MS));
		NoQUnsubmitted Not Done Reply Inline Actions Let's simply make a blanket assertion in `ParamRegion`'s constructor. NoQ: Let's simply make a blanket assertion in `ParamRegion`'s constructor.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions OK. baloghadamsoftware: OK.

		SVal V = svalBuilder.getRegionValueSymbolVal(R);
		return V;
		}

SVal RegionStoreManager::getBindingForLazySymbol(const TypedValueRegion *R) {		SVal RegionStoreManager::getBindingForLazySymbol(const TypedValueRegion *R) {
// All other values are symbolic.		// All other values are symbolic.
return svalBuilder.getRegionValueSymbolVal(R);		return svalBuilder.getRegionValueSymbolVal(R);
}		}

const RegionStoreManager::SValListTy &		const RegionStoreManager::SValListTy &
RegionStoreManager::getInterestingValues(nonloc::LazyCompoundVal LCV) {		RegionStoreManager::getInterestingValues(nonloc::LazyCompoundVal LCV) {
// First, check the cache.		// First, check the cache.
▲ Show 20 Lines • Show All 485 Lines • ▼ Show 20 Lines	void RemoveDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR,

if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) {		if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) {
if (SymReaper.isLive(VR))		if (SymReaper.isLive(VR))
AddToWorkList(baseR, &C);		AddToWorkList(baseR, &C);

return;		return;
}		}

		if (const ParamRegion *PR = dyn_cast<ParamRegion>(baseR)) {
		if (SymReaper.isLive(PR))
		AddToWorkList(baseR, &C);

		return;
		}

if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) {		if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) {
if (SymReaper.isLive(SR->getSymbol()))		if (SymReaper.isLive(SR->getSymbol()))
AddToWorkList(SR, &C);		AddToWorkList(SR, &C);
else		else
Postponed.push_back(SR);		Postponed.push_back(SR);

return;		return;
}		}
▲ Show 20 Lines • Show All 136 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/Store.cpp

Show First 20 Lines • Show All 132 Lines • ▼ Show 20 Lines	switch (R->getKind()) {
case MemRegion::CompoundLiteralRegionKind:		case MemRegion::CompoundLiteralRegionKind:
case MemRegion::FieldRegionKind:		case MemRegion::FieldRegionKind:
case MemRegion::ObjCIvarRegionKind:		case MemRegion::ObjCIvarRegionKind:
case MemRegion::ObjCStringRegionKind:		case MemRegion::ObjCStringRegionKind:
case MemRegion::VarRegionKind:		case MemRegion::VarRegionKind:
case MemRegion::CXXTempObjectRegionKind:		case MemRegion::CXXTempObjectRegionKind:
case MemRegion::CXXBaseObjectRegionKind:		case MemRegion::CXXBaseObjectRegionKind:
case MemRegion::CXXDerivedObjectRegionKind:		case MemRegion::CXXDerivedObjectRegionKind:
		case MemRegion::ParamRegionKind:
return MakeElementRegion(cast<SubRegion>(R), PointeeTy);		return MakeElementRegion(cast<SubRegion>(R), PointeeTy);

case MemRegion::ElementRegionKind: {		case MemRegion::ElementRegionKind: {
// If we are casting from an ElementRegion to another type, the		// If we are casting from an ElementRegion to another type, the
// algorithm is as follows:		// algorithm is as follows:
//		//
// (1) Compute the "raw offset" of the ElementRegion from the		// (1) Compute the "raw offset" of the ElementRegion from the
// base region. This is done by calling 'getAsRawOffset()'.		// base region. This is done by calling 'getAsRawOffset()'.
▲ Show 20 Lines • Show All 281 Lines • ▼ Show 20 Lines	if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(V.getAsRegion())) {
QualType sr = SR->getSymbol()->getType();		QualType sr = SR->getSymbol()->getType();
if (!hasSameUnqualifiedPointeeType(sr, castTy))		if (!hasSameUnqualifiedPointeeType(sr, castTy))
return loc::MemRegionVal(castRegion(SR, castTy));		return loc::MemRegionVal(castRegion(SR, castTy));
}		}

return svalBuilder.dispatchCast(V, castTy);		return svalBuilder.dispatchCast(V, castTy);
}		}

		Loc StoreManager::getLValueVar(const VarDecl VD, const LocationContext LC) {
		if (const auto *PVD = dyn_cast<ParmVarDecl>(VD))
		return svalBuilder.makeLoc(MRMgr.getRegionForParam(PVD, LC));

		return svalBuilder.makeLoc(MRMgr.getVarRegion(VD, LC));
		}

SVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {		SVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {
if (Base.isUnknownOrUndef())		if (Base.isUnknownOrUndef())
return Base;		return Base;

Loc BaseL = Base.castAs<Loc>();		Loc BaseL = Base.castAs<Loc>();
const SubRegion* BaseR = nullptr;		const SubRegion* BaseR = nullptr;

switch (BaseL.getSubKind()) {		switch (BaseL.getSubKind()) {
▲ Show 20 Lines • Show All 121 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/SymbolManager.cpp

Show First 20 Lines • Show All 426 Lines • ▼ Show 20 Lines	if (RegionRoots.count(MR))
return true;		return true;

if (const auto *SR = dyn_cast<SymbolicRegion>(MR))		if (const auto *SR = dyn_cast<SymbolicRegion>(MR))
return isLive(SR->getSymbol());		return isLive(SR->getSymbol());

if (const auto *VR = dyn_cast<VarRegion>(MR))		if (const auto *VR = dyn_cast<VarRegion>(MR))
return isLive(VR, true);		return isLive(VR, true);

		if (const auto *PR = dyn_cast<ParamRegion>(MR))
		return isLive(PR, true);

// FIXME: This is a gross over-approximation. What we really need is a way to		// FIXME: This is a gross over-approximation. What we really need is a way to
// tell if anything still refers to this region. Unlike SymbolicRegions,		// tell if anything still refers to this region. Unlike SymbolicRegions,
// AllocaRegions don't have associated symbols, though, so we don't actually		// AllocaRegions don't have associated symbols, though, so we don't actually
// have a way to track their liveness.		// have a way to track their liveness.
if (isa<AllocaRegion>(MR))		if (isa<AllocaRegion>(MR))
return true;		return true;

if (isa<CXXThisRegion>(MR))		if (isa<CXXThisRegion>(MR))
▲ Show 20 Lines • Show All 117 Lines • ▼ Show 20 Lines	if (Store store = reapedStore.getStore()) {
return hasRegion;		return hasRegion;
}		}

return false;		return false;
}		}

return VarContext->isParentOf(CurrentContext);		return VarContext->isParentOf(CurrentContext);
}		}

		bool SymbolReaper::isLive(const ParamRegion *PR,
		martongUnsubmitted Not Done Reply Inline Actions This is almost the copy-paste code for isLive(VarRegion). This again suggests that maybe ParamRegion (or ParamVarRegion?) should be derived from VarRegion. And in isLive(VarRegion) we should dyn_cast to ParamVarRegion and do the extra stuff if needed. martong: This is almost the copy-paste code for isLive(VarRegion). This again suggests that maybe…
		bool includeStoreBindings) const{
		const StackFrameContext *ParamContext = PR->getStackFrame();

		if (!ParamContext)
		return true;

		if (!LCtx)
		return false;
		const StackFrameContext *CurrentContext = LCtx->getStackFrame();

		if (ParamContext == CurrentContext) {
		// If no statement is provided, everything is live.
		if (!Loc)
		return true;

		// Anonymous parameters of an inheriting constructor are live for the entire
		// duration of the constructor.
		if (isa<CXXInheritedCtorInitExpr>(Loc))
		return true;

		if (const ParmVarDecl *PVD = PR->getDecl()) {
		if (LCtx->getAnalysis<RelaxedLiveVariables>()->isLive(Loc, PVD))
		return true;
		}

		if (!includeStoreBindings)
		return false;

		unsigned &cachedQuery =
		const_cast<SymbolReaper *>(this)->includedRegionCache[PR];

		if (cachedQuery) {
		return cachedQuery == 1;
		}

		// Query the store to see if the region occurs in any live bindings.
		if (Store store = reapedStore.getStore()) {
		bool hasRegion =
		reapedStore.getStoreManager().includedInBindings(store, PR);
		cachedQuery = hasRegion ? 1 : 2;
		return hasRegion;
		}

		return false;
		}

		return ParamContext->isParentOf(CurrentContext);
		}

clang/test/Analysis/explain-svals.c

Show All 21 Lines	if (param == 42)
clang_analyzer_explain_int(param); // expected-warning-re{{{{^signed 32-bit integer '42'$}}}}		clang_analyzer_explain_int(param); // expected-warning-re{{{{^signed 32-bit integer '42'$}}}}
}		}

void test_2(struct S s) {		void test_2(struct S s) {
clang_analyzer_explain_S(s); //expected-warning-re{{{{^lazily frozen compound value of parameter 's'$}}}}		clang_analyzer_explain_S(s); //expected-warning-re{{{{^lazily frozen compound value of parameter 's'$}}}}
clang_analyzer_explain_voidp(&s); // expected-warning-re{{{{^pointer to parameter 's'$}}}}		clang_analyzer_explain_voidp(&s); // expected-warning-re{{{{^pointer to parameter 's'$}}}}
clang_analyzer_explain_int(s.z); // expected-warning-re{{{{^initial value of field 'z' of parameter 's'$}}}}		clang_analyzer_explain_int(s.z); // expected-warning-re{{{{^initial value of field 'z' of parameter 's'$}}}}
}		}

		void test_3(int param) {
		clang_analyzer_explain_voidp(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
		}

		void test_non_top_level(int param) {
		clang_analyzer_explain_voidp(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
		}

		void test_4(int n) {
		test_non_top_level(n);
		}

clang/test/Analysis/explain-svals.cpp

Show All 13 Lines	struct S2 : S3 {
int *x;		int *x;
} s2[10];		} s2[10];
int z;		int z;
};		};


void clang_analyzer_explain(int);		void clang_analyzer_explain(int);
void clang_analyzer_explain(void *);		void clang_analyzer_explain(void *);
		void clang_analyzer_explain(const int *);
void clang_analyzer_explain(S);		void clang_analyzer_explain(S);

size_t clang_analyzer_getExtent(void *);		size_t clang_analyzer_getExtent(void *);

size_t strlen(const char *);		size_t strlen(const char *);

int conjure();		int conjure();
S conjure_S();		S conjure_S();
▲ Show 20 Lines • Show All 65 Lines • ▼ Show 20 Lines	public:
}		}
};		};
} // end of anonymous namespace		} // end of anonymous namespace

void test_6() {		void test_6() {
clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of temporary object constructed at statement 'conjure_S'$}}}}		clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of temporary object constructed at statement 'conjure_S'$}}}}
clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from $symbol of type 'int' conjured at statement 'conjure_S\($'\) for field 'z' of temporary object constructed at statement 'conjure_S'$}}}}		clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from $symbol of type 'int' conjured at statement 'conjure_S\($'\) for field 'z' of temporary object constructed at statement 'conjure_S'$}}}}
}		}

		class C_top_level {
		public:
		C_top_level(int param) {
		clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
		}
		};

		class C_non_top_level {
		public:
		C_non_top_level(int param) {
		clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
		}
		};

		void test_7(int n) {
		C_non_top_level c(n);

		auto lambda_top_level = [n](int param) {
		clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
		};
		auto lambda_non_top_level = [n](int param) {
		clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
		};

		lambda_non_top_level(n);
		}

clang/test/Analysis/explain-svals.m

	Show All 22 Lines

	void test_2() {			void test_2() {
	__block int x;			__block int x;
	^{			^{
	clang_analyzer_explain(&x); // expected-warning-re{{{{^pointer to block variable 'x'$}}}}			clang_analyzer_explain(&x); // expected-warning-re{{{{^pointer to block variable 'x'$}}}}
	};			};
	clang_analyzer_explain(&x); // expected-warning-re{{{{^pointer to block variable 'x'$}}}}			clang_analyzer_explain(&x); // expected-warning-re{{{{^pointer to block variable 'x'$}}}}
	}			}

				@interface O
				+(instancetype)top_level_class_method:(int)param;
				+(instancetype)non_top_level_class_method:(int)param;
				-top_level_instance_method:(int)param;
				-non_top_level_instance_method:(int)param;
				@end

				@implementation O
				+(instancetype)top_level_class_method:(int)param {
				clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
				}

				+(instancetype)non_top_level_class_method:(int)param {
				clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
				}

				-top_level_instance_method:(int)param {
				clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
				}

				-non_top_level_instance_method:(int)param {
				clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
				}
				@end

				void test_3(int n, int m) {
				O* o = [O non_top_level_class_method:n];
				[o non_top_level_instance_method:m];

				void (^block_top_level)(int) = ^(int param){
				clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
				clang_analyzer_explain(&n); // expected-warning-re{{{{^pointer to parameter 'n'$}}}}
				};
				void (^block_non_top_level)(int) = ^(int param){
				clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
				clang_analyzer_explain(&n); // expected-warning-re{{{{^pointer to parameter 'n'$}}}}
				};

				block_non_top_level(n);
				}

clang/unittests/StaticAnalyzer/CMakeLists.txt

	set(LLVM_LINK_COMPONENTS			set(LLVM_LINK_COMPONENTS
	FrontendOpenMP			FrontendOpenMP
	Support			Support
	)			)

	add_clang_unittest(StaticAnalysisTests			add_clang_unittest(StaticAnalysisTests
	AnalyzerOptionsTest.cpp			AnalyzerOptionsTest.cpp
	CallDescriptionTest.cpp			CallDescriptionTest.cpp
	CallEventTest.cpp			CallEventTest.cpp
	StoreTest.cpp			StoreTest.cpp
				ParamRegionTest.cpp
	RegisterCustomCheckersTest.cpp			RegisterCustomCheckersTest.cpp
	SymbolReaperTest.cpp			SymbolReaperTest.cpp
	)			)

	clang_target_link_libraries(StaticAnalysisTests			clang_target_link_libraries(StaticAnalysisTests
	PRIVATE			PRIVATE
	clangBasic			clangBasic
	clangAnalysis			clangAnalysis
	Show All 9 Lines

clang/unittests/StaticAnalyzer/ParamRegionTest.cpp

This file was added.

				//===- unittests/StaticAnalyzer/ParamRegionTest.cpp -----------------------===//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include "Reusables.h"

				#include "clang/Tooling/Tooling.h"
				#include "gtest/gtest.h"

				namespace clang {
				namespace ento {
				namespace {

				class ParamRegionTestConsumer : public ExprEngineConsumer {
				void performTest(const Decl *D) {
				StoreManager &StMgr = Eng.getStoreManager();
				MemRegionManager &MRMgr = StMgr.getRegionManager();
				const StackFrameContext *SFC =
				Eng.getAnalysisDeclContextManager().getStackFrame(D);

				if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
				for (const auto *P : FD->parameters()) {
				const TypedValueRegion *Reg = MRMgr.getRegionForParam(P, SFC);
				if (SFC->inTopFrame())
				assert(isa<VarRegion>(Reg));
				else
				assert(isa<ParamRegion>(Reg));
				}
				} else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D)) {
				for (const auto *P : CD->parameters()) {
				const TypedValueRegion *Reg = MRMgr.getRegionForParam(P, SFC);
				if (SFC->inTopFrame())
				assert(isa<VarRegion>(Reg));
				else
				assert(isa<ParamRegion>(Reg));
				}
				} else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) {
				for (const auto *P : MD->parameters()) {
				const TypedValueRegion *Reg = MRMgr.getRegionForParam(P, SFC);
				if (SFC->inTopFrame())
				assert(isa<VarRegion>(Reg));
				else
				assert(isa<ParamRegion>(Reg));
				}
				}
				}

				public:
				ParamRegionTestConsumer(CompilerInstance &C) : ExprEngineConsumer(C) {}

				bool HandleTopLevelDecl(DeclGroupRef DG) override {
				for (const auto *D : DG) {
				performTest(D);
				}
				return true;
				}
				};

				class ParamRegionTestAction : public ASTFrontendAction {
				public:
				std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &Compiler,
				StringRef File) override {
				return std::make_unique<ParamRegionTestConsumer>(Compiler);
				}
				};

				TEST(ParamRegion, ParamRegionTest) {
				EXPECT_TRUE(tooling::runToolOnCode(
				std::make_unique<ParamRegionTestAction>(),
				martongUnsubmitted Not Done Reply Inline Actions I think the test code would be more valuable if we could use the `ASTMatcher` to match for a given Decl and then for that Decl we could find the corresponding Region. Then we should have different test cases for the different regions (with expectations formulated on those regions). Perhaps a Decl* -> Region mapping is needed in the test Fixture. martong: I think the test code would be more valuable if we could use the `ASTMatcher` to match for a…
				baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions That was the original test, but the current one is more generic: checks for all parameters and checks whether we create the correct type of region for them. baloghadamsoftware: That was the original test, but the current one is more generic: checks for all parameters and…
				"void foo(int n) { "
				"auto lambda = [n](int m) { return n + m; }; "
				"int k = lambda(2); } "
				"void bar(int l) { foo(l); }"
				"struct S { int n; S(int nn): n(nn) {} };"
				"void baz(int p) { S s(p); }"));
				EXPECT_TRUE(tooling::runToolOnCode(
				std::make_unique<ParamRegionTestAction>(),
				"@interface O \n"
				"+alloc; \n"
				"-initWithInt:(int)q; \n"
				"@end \n"
				"void qix(int r) { O *o = [[O alloc] initWithInt:r]; }",
				"input.m"));
				}

				} // namespace
				} // namespace ento
				} // namespace clang

This is an archive of the discontinued LLVM Phabricator instance.

[Analyzer] [NFC] Parameter RegionsAbandonedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 265928

clang/include/clang/StaticAnalyzer/Checkers/SValExplainer.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Regions.def

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h

clang/lib/StaticAnalyzer/Checkers/NSErrorChecker.cpp

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountDiagnostics.cpp

clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

clang/lib/StaticAnalyzer/Core/Store.cpp

clang/lib/StaticAnalyzer/Core/SymbolManager.cpp

clang/test/Analysis/explain-svals.c

clang/test/Analysis/explain-svals.cpp

clang/test/Analysis/explain-svals.m

clang/unittests/StaticAnalyzer/CMakeLists.txt

clang/unittests/StaticAnalyzer/ParamRegionTest.cpp

[Analyzer] [NFC] Parameter Regions
AbandonedPublic