I think RegionState is not very descriptive. I'd call it something like RegionNullness.

This is how we used to do it, but we did not update all the checks yet. Nowadays we can just initialize bugtypes immediately, see https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp#L169

You can merge the two anonymous namespaces, this and the one below.

In LLVM we aim for full sentences as comments with a period at the end.

Here the const applies for the pointer, not the pointee. We usually do const auto *OC instead.

In case we did not report a bug, we could assume that the pointer is not-null and we could update the state accordingly. This is a common approach the analyzer takes. E.g. when we se a division by X, we either report a bug or add an assumption that X is non-zero.

I wonder if you wanted to add isSmartPointer checks below as well. In that case you can hoist this check and early return for non-smart-pointers.

You probably also want to clean up the SymbolRegionMap. It is ok to not do it right now, but we usually tend to add FIXMEs or TODOs early and aggressively to make sure we do not forget stuff.

This looks good for now. But we sometimes cache the pointer to identifier info objects so after the initial lookup we can just do pointer comparison instead of more expensive operations. Also add a fixme to check for the std namespace.

Also, this method could even be promoted to a free functions making the list of SmarPtrs global.

Please consider CallDescription and CallDescriptionMap!

I ultimately believe this map should go away. The only thing we really need is the map from smart pointer region to the symbol for its current raw pointer. As long as we have such data we can discover the nullness of that symbol (which *is* the nullness of the smart pointer as well) from Range Constraints.

These days we don't bother with lazy initialization, the usual syntax is:

class YourChecker {
  // ...
  BugType BT { this, "unique_ptr", "Dont call unique_ptr" };
  // ...
};

I prefer them like this.

linter: LLVM coding standards require to use class keyword in situations like this (https://llvm.org/docs/CodingStandards.html#use-of-class-and-struct-keywords). I would even say that struct is good for POD types.

I think that it would be better to put declarations for enum and for a field separately.
Additionally, I don't think that K is a very good name for a data member. It should be evident from the name of the member what is it. Shot names like that can be fine only for iterators or for certain clang-specific structures because of existing traditions (like SM for SourceManager and LO for LanguageOptions).

As I said above, I think we should be really careful about abbreviated and extremely short variable names. Longer names make it much easier to read the code without paying a lot of attention to declarations.

Considering the fact that more cases and more functions will get supported in the future, I vote for merging common parts of these two blocks.

I believe that methods (and data members related to them) can be static.

I'm not sure about it myself, but can DeclName be isEmpty()? If yes, it is a potential null-pointer dereference. Again, I don't know it for a fact, but I think it should be checked.

With the new changes, the struct is removed.

With the new changes, the struct is removed.

With the new changes, the enum is removed.

updated to initialize bugtype immediately

with new change only one anonymous namespace is there

Updated the comments as LLVM style

Made changes to use CallDescription and CallDescriptionMap

Removed this map.
Now maping region to SVal

fixed

Okay.
Will try to use longer names in future.

Added the check for early return

Merged

updated to initialize bugtype immediately

Changed to use CallDescription

Changed to use CallDescription

Changed to use CallDescription

This map is removed in the new changes

Added std namespace check

When you're doing evalCall, you're responsible for all aspects of the call - not just your private GDM map but also the Store and the Environment.

For .reset() the other important thing to do would be to invalidate the region in the Store so that the Store did not think that it contains the old value. We can't set the new value correctly but invalidating it would still be better than doing nothing - simply because "not being sure" is not as bad as "being confidently incorrect". That said, once you model *all* methods of the smart pointers, you would probably no longer need to invalidate the Store, because it will never be actually accessed during analysis. So my conclusion here is:

• For this first patch invalidating the Store is probably not worth it but let's add a FIXME.
• We should make sure that we eventually add the invalidation if we don't have time to model all methods.

Now, you're calling this same function for .release() as well. And for .release() there is another important thing that we're responsible for: model the return value. The .release() method returns the raw pointer - which is something this checker is accidentally an expert on! - so let's BindExpr() the value of the call-expression to the value of the raw pointer. If you want to delay this exercise until later patches, i recommend to temporarily modeling the return value as a conjured symbol instead, but we cannot completely drop this part.

Another useful thing that we should do with .release() in the future is to tell MallocChecker to start tracking the raw pointer. This will allow us to emit memory leak warnings against it. Let's add a TODO for that as well.

Not all constructors behave this way. In particular, if it's a copy/move constructor this function would track the value of the original smart pointer to this smart pointer, but what we need is to track the value of the raw pointer instead.

Nit: We do not use hypens/dashes in diagnostic names.

It might be just a personal preference but I tend to put these at the top of the file for easier discoverability. Feel free to ignore this comment unless other reviewers have the same preference as me.

Don't we want this to be also protected by the isStdSmartPointerClass check?

Early returns can decrease the indentation.

I wonder if making isStdSmartPointerClass operate on CallEvent would simllify the call sites of this function.

In LLVM we often omit braces for small single statement branches. Also, Artem mentioned that we could interact with the malloc checker. Maybe it is worth considering to notify the malloc checker to mark the appropriate region as deallocated? This would help find double release errors, avoid spurious leak errors and so on.

I wonder if we should use makeNullWithType. @NoQ what do you think? I am always confused when should we prefer one over the other.

Actually, let's add an assertion into updateTrackedRegion that the value that's put into the map is of pointer type. This would give us an automatic notification when we make such mistakes.

Maybe it is worth considering to notify the malloc checker to mark the appropriate region as deallocated?

This happens in destructor.

I think makeNull() produces a null pointer (as opposed to numeric zero produced by makeZeroVal(Ty)) and there's not much choice when it comes to types of pointers.

Like, i mean, there were a few attempts to add support for architectures in which pointers come in different sizes but i don't think we care about that situation yet.

By returning "true" here you're saying that operators * and -> do nothing. That's not quite right; they return a value. You should not return true from evalCall unless you fully model the call.

I wouldn't mind moving precondition checks such as this one into checkPreCall, even if you do evalCall later. That would clearly separate concerns and avoid the need to figure out whether we still need to model the call after the bug-reporting routine finishes (the engine will do that for you automatically).

In fact i wouldn't mind moving all bug reporting functionality into a separate checker. But that's a story for another time^^

By returning "true" here you're saying that operators * and -> do nothing. That's not quite right; they return a value. You should not return true from evalCall unless you fully model the call.

Thanks!
I completely missed this point.

I wouldn't mind moving precondition checks such as this one into checkPreCall, even if you do evalCall later. That would clearly separate concerns and avoid the need to figure out whether we still need to model the call after the bug-reporting routine finishes (the engine will do that for you automatically).

Made changes to move dereference precondition checks into checkPreCall

In fact i wouldn't mind moving all bug reporting functionality into a separate checker. But that's a story for another time^^

Cool!
I will keep this in mind.

This doesn't seem to be guarded by ShouldCheckSmartPtrDereference.

Consider adding a LIT test for the flag to make sure we're not leaking our project to the public until it's ready ^.^ Say, you could make two run-lines in your test like this:

// RUN: %clang_analyze_cc1 -verify=expected -analyzer-config cplusplus.SmartPtr:CheckSmartPtrDereference=true \
// RUN: ...
// RUN: %clang_analyze_cc1 -verify=unexpected \
// RUN: ...

// unexpected-no-diagnostics

(see https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html for more fancy tricks with -verify)

You should never get null here due to isStdSmartPointerClass guarding above. I think the null check could be transformed into an assert.

You have a CXXMemberOperatorCall which already represents an overloaded operator. This check is either redundant or could be an assert instead.

In case CXXMemberOperatorCall class does not have a way to query the overloaded operator kind maybe it would be worth to add a helper method to that class. So you can do most of the checking using one interface only.

It is possible that both updateTrackedRegion and this adds a transition. Both transition will have the same predecessor, i.e. you introduce a split in the exploded graph. Is this intended?

Aha, ok, that's what i meant at the end of D81315#inline-760088. @Szelethus insists, so let's turn ourselves into a separate checker right away!

In fact, let's *not* take the inspiration from poor-man's solutions in MallocChecker etc., but instead let's try a full-on modular approach:

• Make a separate .cpp file and a separate Checker class for emitting diagnostics.
  • Remove the checker option and instead add a separate checker entry in Checkers.td.
• Subscribe the new checker on PreCall only and move all the bug reporting logic there.
• Keep all the modeling logic in the old checker (it's called SmartPtrModeling for a reason!).
• Put common functionality into a header file shared between the two checkers.
  • In particular, the GDM trait should be only accessed through such getter.
    • Take some inspiration from Taint.h.

Sounds great! And of course, say the word if any help is needed! :)

Thanks...!

Created a new checker alpha.cplusplus.SmartPtr to emit the SmartPtr dereference diagnostic.

Changed to dyn_cast.
Added assert

Removed the redundant check

Added getOverloadedOperator() in CXXMemberOperatorCall class

Added one more run to verify it.

This was not intended.

• Fixed to avoid split in the exploded graph.
• Updated test to check with clang_analyzer_numTimesReached

Changed the modeling to SmartPtrModeling and named checker to SmartPtr

Using this flag to enable and disable modeling of SmartPtr null dereferences

Let's Hide this in addition.

alpha.cplusplus.SmartPtr on its own should be sufficient, dependencies ensure that cplusplus.SmartPtrModeling will be enabled and registered beforehand.

Added Hide

Removed cplusplus.SmartPtrModeling

Nice!

Looks like dead code.

This is probably unnecessary. The default SourceRange highlighted in path-sensitive report is the error node's statement and it should be exactly the same.

Looks like dead code.

Ok, so the normal solution to this problem is to make this logic a part of your CallDescriptionMap:

CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{

  {{"std", "unique_ptr", "reset"}, &SmartPtrModeling::handleReset},
  {{"std", "unique_ptr", "release"}, &SmartPtrModeling::handleRelease},
  {{"std", "unique_ptr", "swap", 1}, &SmartPtrModeling::handleSwap},

  {{"std", "shared_ptr", "reset"}, &SmartPtrModeling::handleReset},
  {{"std", "shared_ptr", "release"}, &SmartPtrModeling::handleRelease},
  {{"std", "shared_ptr", "swap", 1}, &SmartPtrModeling::handleSwap},

  {{"std", "weak_ptr", "reset"}, &SmartPtrModeling::handleReset},
  {{"std", "weak_ptr", "release"}, &SmartPtrModeling::handleRelease},
  {{"std", "weak_ptr", "swap", 1}, &SmartPtrModeling::handleSwap},
};

It looks like you're not doing this because CallDescriptionMap doesn't support operator calls yet. In fact, it looks like it doesn't support them because i'm not doing my homework by reviewing D81059. I just tried to catch up on it.

The other potential reason not to use CallDescriptionMap would be that you'll have to duplicate the list of methods for every smart pointer class you want to support. I don't think it's necessarily bad though, because different classes may in fact require different handling.

The downside of your solution, though, is that you're manually implementing the name matching logic that has been already implemented for you in CallDescriptionMap. And the reason we made CallDescriptionMap was because we really really wanted to re-use this logic because it's surprisingly difficult to implement correctly. One potential problem i see with your implementation is that you don't account for inline namespaces such as [[ https://github.com/llvm/llvm-project/blob/master/clang/unittests/StaticAnalyzer/CallDescriptionTest.cpp#L127 | libcxx's __1 ]]. CallDescriptionMap knows about these things but they're almost impossible to discover independently when you're matching names by hand.

Let's leave this code as-is for now but try to get rid of this function as soon as possible (i.e., when D81059 lands).

Uh-oh, i'm shocked this wasn't in place before. Maybe we should do some code review or something. What idiot wrote this code anyway? Wait, it was me.

This second run-line no longer tests the option. The checker is disabled, of course there won't be any diagnostics. I think we should remove the second run-line now and i don't have much better tests in mind that we won't eventually remove as we write more code.

Yup, I completely agree. I think this structure will naturally evolve into something cleaner once more modeling gets added.

Thanks for the detailed comment.

I totally agree this method is handling many things.
For methods like get, get_deleter this makes no sense at all.

I will add TODO there, will address this in a later patch once we get a clear picture after more modeling added.