This is an archive of the discontinued LLVM Phabricator instance.

Differential D86373

[analyzer] Add modeling for unique_ptr move constructor
ClosedPublic

Authored by vrnithinkumar on Aug 21 2020, 2:37 PM.

Details

Reviewers
NoQ
xazax.hun
vsavchenko
Commits
rG1b743a9efa08: [analyzer] Add modeling for unique_ptr move constructor
Summary
  • Modeling unique_ptr move constructor unique_ptr( unique_ptr&& u ) noexcept

Diff Detail

Event Timeline

vrnithinkumar created this revision.Aug 21 2020, 2:37 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 21 2020, 2:37 PM
Herald added subscribers: cfe-commits, steakhal, ASDenysPetrov and 10 others. · View Herald Transcript
vrnithinkumar requested review of this revision.Aug 21 2020, 2:37 PM
vrnithinkumar edited the summary of this revision. (Show Details)Aug 21 2020, 2:39 PM
vrnithinkumar added reviewers: NoQ, xazax.hun, vsavchenko.
Herald added a subscriber: rnkovacs. · View Herald TranscriptAug 21 2020, 2:39 PM
vrnithinkumar added inline comments.Aug 21 2020, 2:42 PM
clang/test/Analysis/smart-ptr.cpp
296

I was trying to test the below code.

void foo_() {
  std::unique_ptr<A> PToMove;
  std::unique_ptr<A>&& AfterRValeRefCast = std::move(functionReturnsRValueRef());
  std::unique_ptr<A> P(AfterRValeRefCast);
  P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
}

But passing the local RValue reference variable to move constructor is always invoking the deleted copy constructor.

Harbormaster completed remote builds in B69179: Diff 287113.Aug 21 2020, 3:08 PM
NoQ added a comment.Aug 21 2020, 5:44 PM

This is easier than D86293 because there's no old value in the freshly constructed smart pointer, right? I suspect that you can still re-use a lot of the implementation with D86293, at least partially.

clang/test/Analysis/smart-ptr.cpp
296

Yeah, you still need an explicit move over it. Implicit moves don't happen because it's an rvalue reference, it has more to do with the anonymity of the object; the compiler only auto-moves when there's no possibility for accidental implicit use-after-move, and in presence of a named reference to the value, accidental implicit use-after-move is still very much possible, so an explicit move is required. That's not the exact rules but that's, as far as i understand, the logic behind the exact rules.

vrnithinkumar updated this revision to Diff 288101.Aug 26 2020, 1:28 PM
  • Refactoring to reuse common duplicated code
vrnithinkumar added inline comments.Aug 26 2020, 1:31 PM
clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
456

Same note tag is used for move assignment and move constructor here.

clang/test/Analysis/smart-ptr.cpp
21

Now both "use after move" and "null pointer dereference" warnings are coming. I hope it will be only "null pointer dereference" after smart pointer modeling is complete

vrnithinkumar marked an inline comment as done.Aug 26 2020, 1:32 PM
vrnithinkumar added inline comments.
clang/test/Analysis/smart-ptr.cpp
296

Okay
Thanks for the clarification.

vrnithinkumar marked an inline comment as done.Aug 26 2020, 1:33 PM
In D86373#2231605, @NoQ wrote:

This is easier than D86293 because there's no old value in the freshly constructed smart pointer, right? I suspect that you can still re-use a lot of the implementation with D86293, at least partially.

Refactored to reuse the implementation.

Harbormaster completed remote builds in B69674: Diff 288101.Aug 26 2020, 3:29 PM
NoQ accepted this revision.Aug 27 2020, 4:02 PM

Yup, that's more like it!~

This revision is now accepted and ready to land.Aug 27 2020, 4:02 PM
Closed by commit rG1b743a9efa08: [analyzer] Add modeling for unique_ptr move constructor (authored by vrnithinkumar). · Explain WhyAug 31 2020, 5:36 AM
This revision was automatically updated to reflect the committed changes.
vrnithinkumar added a commit: rG1b743a9efa08: [analyzer] Add modeling for unique_ptr move constructor.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
27 lines
test/
Analysis/
31 lines
44 lines

Diff 288928

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

Show First 20 LinesShow All 52 Lines▼ Show 20 Lines checkRegionChanges(ProgramStateRef State,
const LocationContext *LCtx, const CallEvent *Call) const; const LocationContext *LCtx, const CallEvent *Call) const;
private: private:
void handleReset(const CallEvent &Call, CheckerContext &C) const; void handleReset(const CallEvent &Call, CheckerContext &C) const;
void handleRelease(const CallEvent &Call, CheckerContext &C) const; void handleRelease(const CallEvent &Call, CheckerContext &C) const;
void handleSwap(const CallEvent &Call, CheckerContext &C) const; void handleSwap(const CallEvent &Call, CheckerContext &C) const;
void handleGet(const CallEvent &Call, CheckerContext &C) const; void handleGet(const CallEvent &Call, CheckerContext &C) const;
bool handleAssignOp(const CallEvent &Call, CheckerContext &C) const; bool handleAssignOp(const CallEvent &Call, CheckerContext &C) const;
bool handleMoveCtr(const CallEvent &Call, CheckerContext &C,
const MemRegion *ThisRegion) const;
bool updateMovedSmartPointers(CheckerContext &C, const MemRegion *ThisRegion,
const MemRegion *OtherSmartPtrRegion) const;
using SmartPtrMethodHandlerFn = using SmartPtrMethodHandlerFn =
void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const; void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const;
CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{ CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{
{{"reset"}, &SmartPtrModeling::handleReset}, {{"reset"}, &SmartPtrModeling::handleReset},
{{"release"}, &SmartPtrModeling::handleRelease}, {{"release"}, &SmartPtrModeling::handleRelease},
{{"swap", 1}, &SmartPtrModeling::handleSwap}, {{"swap", 1}, &SmartPtrModeling::handleSwap},
{{"get"}, &SmartPtrModeling::handleGet}}; {{"get"}, &SmartPtrModeling::handleGet}};
▲ Show 20 LinesShow All 86 Lines▼ Show 20 Lines C.addTransition(
C.getSValBuilder().makeZeroVal(Call.getResultType()))); C.getSValBuilder().makeZeroVal(Call.getResultType())));
return true; return true;
} }
if (!ModelSmartPtrDereference) if (!ModelSmartPtrDereference)
return false; return false;
if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) { if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {
if (CC->getDecl()->isCopyOrMoveConstructor()) if (CC->getDecl()->isCopyConstructor())
return false; return false;
const MemRegion *ThisRegion = CC->getCXXThisVal().getAsRegion(); const MemRegion *ThisRegion = CC->getCXXThisVal().getAsRegion();
if (!ThisRegion) if (!ThisRegion)
return false; return false;
if (CC->getDecl()->isMoveConstructor())
return handleMoveCtr(Call, C, ThisRegion);
if (Call.getNumArgs() == 0) { if (Call.getNumArgs() == 0) {
auto NullVal = C.getSValBuilder().makeNull(); auto NullVal = C.getSValBuilder().makeNull();
State = State->set<TrackedRegionMap>(ThisRegion, NullVal); State = State->set<TrackedRegionMap>(ThisRegion, NullVal);
C.addTransition( C.addTransition(
State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR, State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,
llvm::raw_ostream &OS) { llvm::raw_ostream &OS) {
if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
▲ Show 20 LinesShow All 227 Lines▼ Show 20 Lines C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,
return; return;
OS << "Smart pointer "; OS << "Smart pointer ";
ThisRegion->printPretty(OS); ThisRegion->printPretty(OS);
OS << " is assigned to null"; OS << " is assigned to null";
})); }));
return true; return true;
} }
return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion);
}
bool SmartPtrModeling::handleMoveCtr(const CallEvent &Call, CheckerContext &C,
const MemRegion *ThisRegion) const {
const auto *OtherSmartPtrRegion = Call.getArgSVal(0).getAsRegion();
if (!OtherSmartPtrRegion)
return false;
return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion);
}
bool SmartPtrModeling::updateMovedSmartPointers(
CheckerContext &C, const MemRegion *ThisRegion,
const MemRegion *OtherSmartPtrRegion) const {
ProgramStateRef State = C.getState();
const auto *OtherInnerPtr = State->get<TrackedRegionMap>(OtherSmartPtrRegion); const auto *OtherInnerPtr = State->get<TrackedRegionMap>(OtherSmartPtrRegion);
if (OtherInnerPtr) { if (OtherInnerPtr) {
State = State->set<TrackedRegionMap>(ThisRegion, *OtherInnerPtr); State = State->set<TrackedRegionMap>(ThisRegion, *OtherInnerPtr);
auto NullVal = C.getSValBuilder().makeNull(); auto NullVal = C.getSValBuilder().makeNull();
State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal); State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal);
bool IsArgValNull = OtherInnerPtr->isZeroConstant(); bool IsArgValNull = OtherInnerPtr->isZeroConstant();
C.addTransition( C.addTransition(
State, State,
C.getNoteTag([ThisRegion, OtherSmartPtrRegion, IsArgValNull]( C.getNoteTag([ThisRegion, OtherSmartPtrRegion, IsArgValNull](
PathSensitiveBugReport &BR, llvm::raw_ostream &OS) { PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
if (&BR.getBugType() != smartptr::getNullDereferenceBugType()) if (&BR.getBugType() != smartptr::getNullDereferenceBugType())
return; return;
if (BR.isInteresting(OtherSmartPtrRegion)) { if (BR.isInteresting(OtherSmartPtrRegion)) {
OS << "Smart pointer "; OS << "Smart pointer ";
OtherSmartPtrRegion->printPretty(OS); OtherSmartPtrRegion->printPretty(OS);
OS << " is null after being moved to "; OS << " is null after being moved to ";
ThisRegion->printPretty(OS); ThisRegion->printPretty(OS);
} }
if (BR.isInteresting(ThisRegion) && IsArgValNull) { if (BR.isInteresting(ThisRegion) && IsArgValNull) {
OS << "Null pointer value move-assigned to "; OS << "A null pointer value is moved to ";
vrnithinkumarAuthorUnsubmitted
Done
ReplyInline Actions

Same note tag is used for move assignment and move constructor here.

vrnithinkumar: Same note tag is used for move assignment and move constructor here.
ThisRegion->printPretty(OS); ThisRegion->printPretty(OS);
BR.markInteresting(OtherSmartPtrRegion); BR.markInteresting(OtherSmartPtrRegion);
} }
})); }));
return true; return true;
} else { } else {
// In case we dont know anything about value we are moving from // In case we dont know anything about value we are moving from
// remove the entry from map for which smart pointer got moved to. // remove the entry from map for which smart pointer got moved to.
Show All 30 Lines

clang/test/Analysis/smart-ptr-text-output.cpp

Show First 20 LinesShow All 138 Lines▼ Show 20 Linesvoid derefOnMovedToNullPtr() {
P = std::move(PToMove); // No note. P = std::move(PToMove); // No note.
P->foo(); // No warning. P->foo(); // No warning.
} }
void derefOnNullPtrGotMovedFromValidPtr() { void derefOnNullPtrGotMovedFromValidPtr() {
std::unique_ptr<A> P(new A()); // expected-note {{Smart pointer 'P' is constructed}} std::unique_ptr<A> P(new A()); // expected-note {{Smart pointer 'P' is constructed}}
// FIXME: above note should go away once we fix marking region not interested. // FIXME: above note should go away once we fix marking region not interested.
std::unique_ptr<A> PToMove; // expected-note {{Default constructed smart pointer 'PToMove' is null}} std::unique_ptr<A> PToMove; // expected-note {{Default constructed smart pointer 'PToMove' is null}}
P = std::move(PToMove); // expected-note {{Null pointer value move-assigned to 'P'}} P = std::move(PToMove); // expected-note {{A null pointer value is moved to 'P'}}
P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}} P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1 {{Dereference of null smart pointer 'P'}} // expected-note@-1 {{Dereference of null smart pointer 'P'}}
} }
void derefOnMovedUnknownPtr(std::unique_ptr<A> PToMove) { void derefOnMovedUnknownPtr(std::unique_ptr<A> PToMove) {
std::unique_ptr<A> P; std::unique_ptr<A> P;
P = std::move(PToMove); // expected-note {{Smart pointer 'PToMove' is null after; previous value moved to 'P'}} P = std::move(PToMove); // expected-note {{Smart pointer 'PToMove' is null after; previous value moved to 'P'}}
PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}} PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}}
Show All 9 Lines
void derefOnAssignedZeroToNullSmartPtr() { void derefOnAssignedZeroToNullSmartPtr() {
std::unique_ptr<A> P(new A()); // expected-note {{Smart pointer 'P' is constructed}} std::unique_ptr<A> P(new A()); // expected-note {{Smart pointer 'P' is constructed}}
// FIXME: above note should go away once we fix marking region not interested. // FIXME: above note should go away once we fix marking region not interested.
P = 0; // expected-note {{Smart pointer 'P' is assigned to null}} P = 0; // expected-note {{Smart pointer 'P' is assigned to null}}
P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}} P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1 {{Dereference of null smart pointer 'P'}} // expected-note@-1 {{Dereference of null smart pointer 'P'}}
} }
void derefMoveConstructedWithNullPtr() {
std::unique_ptr<A> PToMove; // expected-note {{Default constructed smart pointer 'PToMove' is null}}
std::unique_ptr<A> P(std::move(PToMove)); // expected-note {{A null pointer value is moved to 'P'}}
P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'P'}}
}
void derefValidPtrMovedToConstruct() {
std::unique_ptr<A> PToMove(new A()); // expected-note {{Smart pointer 'PToMove' is constructed}}
// FIXME: above note should go away once we fix marking region not interested.
std::unique_ptr<A> P(std::move(PToMove)); // expected-note {{Smart pointer 'PToMove' is null after being moved to 'P'}}
PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'PToMove'}}
}
void derefNullPtrMovedToConstruct() {
std::unique_ptr<A> PToMove; // expected-note {{Default constructed smart pointer 'PToMove' is null}}
// FIXME: above note should go away once we fix marking region not interested.
std::unique_ptr<A> P(std::move(PToMove)); // expected-note {{Smart pointer 'PToMove' is null after being moved to 'P'}}
PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'PToMove'}}
}
void derefUnknownPtrMovedToConstruct(std::unique_ptr<A> PToMove) {
std::unique_ptr<A> P(std::move(PToMove)); // expected-note {{Smart pointer 'PToMove' is null after; previous value moved to 'P'}}
PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'PToMove'}}
}

clang/test/Analysis/smart-ptr.cpp

Show All 11 Lines
void derefAfterMove(std::unique_ptr<int> P) { void derefAfterMove(std::unique_ptr<int> P) {
std::unique_ptr<int> Q = std::move(P); std::unique_ptr<int> Q = std::move(P);
if (Q) if (Q)
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
*Q.get() = 1; // no-warning *Q.get() = 1; // no-warning
if (P) if (P)
clang_analyzer_warnIfReached(); // no-warning clang_analyzer_warnIfReached(); // no-warning
// TODO: Report a null dereference (instead). // TODO: Report a null dereference (instead).
*P.get() = 1; // expected-warning {{Method called on moved-from object 'P'}} *P.get() = 1; // expected-warning {{Method called on moved-from object 'P' [cplusplus.Move]}}
// expected-warning@-1 {{Dereference of null pointer [core.NullDereference]}}
vrnithinkumarAuthorUnsubmitted
Done
ReplyInline Actions

Now both "use after move" and "null pointer dereference" warnings are coming. I hope it will be only "null pointer dereference" after smart pointer modeling is complete

vrnithinkumar: Now both "use after move" and "null pointer dereference" warnings are coming. I hope it will be…
} }
// Don't crash when attempting to model a call with unknown callee. // Don't crash when attempting to model a call with unknown callee.
namespace testUnknownCallee { namespace testUnknownCallee {
struct S { struct S {
void foo(); void foo();
}; };
void bar(S *s, void (S::*func)(void)) { void bar(S *s, void (S::*func)(void)) {
▲ Show 20 LinesShow All 258 Lines▼ Show 20 Linesvoid derefOnMovedToNullPtr() {
std::unique_ptr<A> PToMove(new A()); std::unique_ptr<A> PToMove(new A());
std::unique_ptr<A> P; std::unique_ptr<A> P;
P = std::move(PToMove); // No note. P = std::move(PToMove); // No note.
P->foo(); // No warning. P->foo(); // No warning.
} }
void derefOnNullPtrGotMovedFromValidPtr() { void derefOnNullPtrGotMovedFromValidPtr() {
std::unique_ptr<A> P(new A()); std::unique_ptr<A> P(new A());
std::unique_ptr<A> PToMove; std::unique_ptr<A> PToMove;
vrnithinkumarAuthorUnsubmitted
Done
ReplyInline Actions

I was trying to test the below code.

void foo_() {
  std::unique_ptr<A> PToMove;
  std::unique_ptr<A>&& AfterRValeRefCast = std::move(functionReturnsRValueRef());
  std::unique_ptr<A> P(AfterRValeRefCast);
  P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
}

But passing the local RValue reference variable to move constructor is always invoking the deleted copy constructor.

vrnithinkumar: I was trying to test the below code. ``` void foo_() { std::unique_ptr<A> PToMove; std…
NoQUnsubmitted
Done
ReplyInline Actions

Yeah, you still need an explicit move over it. Implicit moves don't happen because it's an rvalue reference, it has more to do with the anonymity of the object; the compiler only auto-moves when there's no possibility for accidental implicit use-after-move, and in presence of a named reference to the value, accidental implicit use-after-move is still very much possible, so an explicit move is required. That's not the exact rules but that's, as far as i understand, the logic behind the exact rules.

NoQ: Yeah, you still need an explicit move over it. Implicit moves don't happen because it's an…
vrnithinkumarAuthorUnsubmitted
Done
ReplyInline Actions

Okay
Thanks for the clarification.

vrnithinkumar: Okay Thanks for the clarification.
P = std::move(PToMove); P = std::move(PToMove);
P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}} P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
} }
void derefOnMovedFromUnknownPtr(std::unique_ptr<A> PToMove) { void derefOnMovedFromUnknownPtr(std::unique_ptr<A> PToMove) {
std::unique_ptr<A> P; std::unique_ptr<A> P;
P = std::move(PToMove); P = std::move(PToMove);
P->foo(); // No warning. P->foo(); // No warning.
Show All 24 Lines
std::unique_ptr<A> &&returnRValRefOfUniquePtr(); std::unique_ptr<A> &&returnRValRefOfUniquePtr();
void drefOnAssignedNullFromMethodPtrValidSmartPtr() { void drefOnAssignedNullFromMethodPtrValidSmartPtr() {
std::unique_ptr<A> P(new A()); std::unique_ptr<A> P(new A());
P = returnRValRefOfUniquePtr(); P = returnRValRefOfUniquePtr();
P->foo(); // No warning. P->foo(); // No warning.
} }
void derefMoveConstructedWithValidPtr() {
std::unique_ptr<A> PToMove(new A());
std::unique_ptr<A> P(std::move(PToMove));
P->foo(); // No warning.
}
void derefMoveConstructedWithNullPtr() {
std::unique_ptr<A> PToMove;
std::unique_ptr<A> P(std::move(PToMove));
P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
}
void derefMoveConstructedWithUnknownPtr(std::unique_ptr<A> PToMove) {
std::unique_ptr<A> P(std::move(PToMove));
P->foo(); // No warning.
}
void derefValidPtrMovedToConstruct() {
std::unique_ptr<A> PToMove(new A());
std::unique_ptr<A> P(std::move(PToMove));
PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}}
}
void derefNullPtrMovedToConstruct() {
std::unique_ptr<A> PToMove;
std::unique_ptr<A> P(std::move(PToMove));
PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}}
}
void derefUnknownPtrMovedToConstruct(std::unique_ptr<A> PToMove) {
std::unique_ptr<A> P(std::move(PToMove));
PToMove->foo(); // expected-warning {{Dereference of null smart pointer 'PToMove' [alpha.cplusplus.SmartPtr]}}
}
std::unique_ptr<A> &&functionReturnsRValueRef();
void derefMoveConstructedWithRValueRefReturn() {
std::unique_ptr<A> P(functionReturnsRValueRef());
P->foo(); // No warning.
}