This is an archive of the discontinued LLVM Phabricator instance.

Differential D104300

[analyzer] Handle std::swap for std::unique_ptr
ClosedPublic

Authored by RedDocMD on Jun 15 2021, 8:05 AM.

Details

Reviewers
NoQ
vsavchenko
teemperor
xazax.hun
Commits
rG0cd98bef1b6f: [analyzer] Handle std::swap for std::unique_ptr
Summary

This patch handles the std::swap function specialization
for std::unique_ptr. Implemented to be very similar to
how swap method is handled

Diff Detail

Event Timeline

RedDocMD created this revision.Jun 15 2021, 8:05 AM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 9 others. · View Herald TranscriptJun 15 2021, 8:05 AM
RedDocMD requested review of this revision.Jun 15 2021, 8:05 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 15 2021, 8:05 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
RedDocMD added a comment.Jun 15 2021, 8:08 AM

I am not entirely satisfied with the note that is being emitted currently from the std::swap handling (its ripped off from the note emitted for std::unique_ptr::swap).
Any suggestions?

vsavchenko added inline comments.Jun 15 2021, 8:18 AM
clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
131–138

That's great!

254–292

Maybe a separate method then?

283

Wait, and what if the second argument is interesting?

clang/test/Analysis/smart-ptr-text-output.cpp
80

I know that this case existed before, but can we initialize P with non-null, so that the warning is a bit more life-like?

vsavchenko added a comment.Jun 15 2021, 8:21 AM

It looks like new functionality is VERY much like handleSwap, and we should definitely merge common parts.

Also, I think that commit title should be more specific than "Handle std::swap". It should at least mention the checker.

Harbormaster completed remote builds in B109300: Diff 352144.Jun 15 2021, 8:59 AM
RedDocMD retitled this revision from [analyzer] Handle `std::swap` to [analyzer] Handle `std::swap` for std::unique_ptr.Jun 15 2021, 10:48 AM
RedDocMD retitled this revision from [analyzer] Handle `std::swap` for std::unique_ptr to [analyzer] Handle std::swap for std::unique_ptr.
RedDocMD added inline comments.Jun 15 2021, 11:21 AM
clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
283

I know. That's why I said that the note is crappy.
The question I have in mind is - what if we swap null with null? Do we want a note in that case?
IMO, we should have a note for every case of swapping a confirmed null with something that is not confirmed to be null.

RedDocMD added a comment.Jun 15 2021, 11:23 AM

The current implementation of how notes are emitted in handleSwap is broken. Consider the following code:

#include <memory>

void foo() {
  auto ptr1 = std::unique_ptr<int>(new int(10));
  auto ptr2 = std::unique_ptr<int>(new int(13));
  ptr1.swap(ptr2);
  ptr1.reset();
  *ptr1;
}

This yields the following warning and notes:

swap-and-reset.cpp:8:3: warning: Dereference of null smart pointer 'ptr1' [alpha.cplusplus.SmartPtr]
  *ptr1;
  ^~~~~
swap-and-reset.cpp:4:36: note: Assigning 10
  auto ptr1 = std::unique_ptr<int>(new int(10));
                                   ^~~~~~~~~~~
swap-and-reset.cpp:4:15: note: Smart pointer 'ptr1' is constructed
  auto ptr1 = std::unique_ptr<int>(new int(10));
              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
swap-and-reset.cpp:5:36: note: Assigning 13
  auto ptr2 = std::unique_ptr<int>(new int(13));
                                   ^~~~~~~~~~~
swap-and-reset.cpp:5:15: note: Smart pointer 'ptr2' is constructed
  auto ptr2 = std::unique_ptr<int>(new int(13));
              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
swap-and-reset.cpp:6:3: note: Swapped null smart pointer 'ptr2' with smart pointer 'ptr1'
  ptr1.swap(ptr2);
  ^~~~~~~~~~~~~~~
swap-and-reset.cpp:7:3: note: Smart pointer 'ptr1' reset using a null value
  ptr1.reset();
  ^~~~~~~~~~~~
swap-and-reset.cpp:8:3: note: Dereference of null smart pointer 'ptr1'
  *ptr1;
  ^~~~~

But clearly, ptr2 is not null.

RedDocMD updated this revision to Diff 352201.Jun 15 2021, 11:34 AM

Refactored common code, removed note emission

RedDocMD added a comment.Jun 15 2021, 11:38 AM

I have gotten rid of notes for the time being.
The trouble is that, we were not figuring out whether the null-pointer de-reference was occurring due to the null value being swapped with the current pointer.
We just assumed that. So I am guessing we would need a visitor to figure that out? (Hooray for Valeriy!)
Or is there a simpler solution?

Harbormaster completed remote builds in B109346: Diff 352201.Jun 15 2021, 1:48 PM
NoQ added a comment.Jun 16 2021, 12:37 AM

I think notes are fairly straightforward: if we're tracking one smart pointer below the swap, we should stop tracking it and start tracking the other smart pointer above the swap. If both were tracked, keep tracking both (but in swapped manners, assuming we're tracking them in different manners). It doesn't matter whether any of them is null, it only matters which ones were tracked. Though I guess we could mention if any of them are null or do other cosmetic improvements depending on how they participated in the bug. Trackedness is equivalent to interestingness because we're dealing with regions.

RedDocMD updated this revision to Diff 352627.Jun 17 2021, 12:14 AM

Marking and un-marking interestingness

vsavchenko added a comment.Jun 17 2021, 1:38 AM

I agree with @NoQ that notes are pretty much straightforward and we shouldn't abandon them altogether. Refinements about what is null or non-null pointer are purely cosmetic and we definitely can tweak this messaging.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
260–266

I guess handleSwap can take SVals instead of MemRegion and we can mostly cut on this boilerplate as well.

return handleSwap(State, Call.getArgSVal(0), Call.getArgSVal(1), C);

and

return handleSwap(State, IC->getCXXThisVal(), Call.getArgSVal(0), C);
628–637

nit: these two pieces of code are very much the same

Harbormaster completed remote builds in B109651: Diff 352627.Jun 17 2021, 6:20 AM
xazax.hun added inline comments.Jun 17 2021, 4:12 PM
clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
435 ↗(On Diff #352627)

Bikeshedding: I wonder if we prefer Uninteresting to NotInteresting. Or alternatively, if we want to emphasize this is only the lack of interestingness, we could name it removeInterestingness. I do not have strong feelings about any of the options, I was just wondering if any of you has a preference.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
255

I wonder about the value of this assertion. Shouldn`t Call.isCalled(StdSwapCall) already validate the number of arguments?

257

Nit: we usually omit braces for simple if statements.

628–637

I guess we could make markInteresting take an optional bool and swap the interestingness unconditionally.

NoQ accepted this revision.Jun 17 2021, 11:28 PM

I think this patch is good to go as long as other folks are happy. I'm glad that uninterestingness is becoming a thing!

This revision is now accepted and ready to land.Jun 17 2021, 11:28 PM
RedDocMD marked 5 inline comments as done.Jun 18 2021, 11:47 AM
RedDocMD added inline comments.
clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
435 ↗(On Diff #352627)

I was actually planning to use something like unmarkInteresting, but that is grammatically incorrect. removeInterestingness is fair enough, but a mouthful I think. As for Uninteresting, I think we are better off avoiding clever uses of English and stick with simple, programmer jargon.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
255

About as valuable as any assertion is ;)
My reasoning is that since we are calling Call.getArgSval(0) and Call.getArgSVal(1), we had better assert that there are two args.
As a side-note, I had a bug in my CallDescriptor, which was caught by this assertion

260–266

Yup, okay.

628–637

Then we would need to rename it to something like setInterestingness.
And renaming such a widely used function would be a real pain.

628–637

Yes, but I don't think refactoring them into a lambda (within a lambda) would be that nice either.

RedDocMD marked 3 inline comments as done.Jun 18 2021, 11:47 AM
RedDocMD updated this revision to Diff 353068.Jun 18 2021, 11:49 AM

Some more refactoring

Harbormaster completed remote builds in B109979: Diff 353068.Jun 19 2021, 7:06 AM
NoQ mentioned this in D104925: [Analyzer] Improve report of file read at end-of-file condition..Jul 1 2021, 1:48 AM
balazske added a subscriber: balazske.Jul 8 2021, 9:08 AM

This change is accepted already. Is it good to commit? I would need the change for symbol "uninterestingness" in D104925.

balazske mentioned this in D105637: [clang][Analyzer] Add symbol uninterestingness to bug report..Jul 8 2021, 9:11 AM
RedDocMD updated this revision to Diff 359600.Jul 18 2021, 1:11 AM

Post rebase cleanup

Harbormaster completed remote builds in B114715: Diff 359600.Jul 18 2021, 1:45 AM
This revision was landed with ongoing or failed builds.Jul 18 2021, 2:10 AM
Closed by commit rG0cd98bef1b6f: [analyzer] Handle std::swap for std::unique_ptr (authored by RedDocMD). · Explain Why
This revision was automatically updated to reflect the committed changes.
RedDocMD added a commit: rG0cd98bef1b6f: [analyzer] Handle std::swap for std::unique_ptr.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
2 lines
81 lines
Core/
2 lines
test/
Analysis/
11 lines

Diff 359603

clang/lib/StaticAnalyzer/Checkers/SmartPtr.h

Show All 19 Lines
namespace ento { namespace ento {
namespace smartptr { namespace smartptr {
/// Returns true if the event call is on smart pointer. /// Returns true if the event call is on smart pointer.
bool isStdSmartPtrCall(const CallEvent &Call); bool isStdSmartPtrCall(const CallEvent &Call);
bool isStdSmartPtr(const CXXRecordDecl *RD); bool isStdSmartPtr(const CXXRecordDecl *RD);
bool isStdSmartPtr(const Expr *E); bool isStdSmartPtr(const Expr *E);
bool isStdSmartPtr(const CXXRecordDecl *RD);
/// Returns whether the smart pointer is null or not. /// Returns whether the smart pointer is null or not.
bool isNullSmartPtr(const ProgramStateRef State, const MemRegion *ThisRegion); bool isNullSmartPtr(const ProgramStateRef State, const MemRegion *ThisRegion);
const BugType *getNullDereferenceBugType(); const BugType *getNullDereferenceBugType();
} // namespace smartptr } // namespace smartptr
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_SMARTPTR_H #endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_SMARTPTR_H

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

Show First 20 LinesShow All 57 Lines▼ Show 20 Lines checkRegionChanges(ProgramStateRef State,
const LocationContext *LCtx, const CallEvent *Call) const; const LocationContext *LCtx, const CallEvent *Call) const;
void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override; const char *Sep) const override;
void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const; void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
private: private:
void handleReset(const CallEvent &Call, CheckerContext &C) const; void handleReset(const CallEvent &Call, CheckerContext &C) const;
void handleRelease(const CallEvent &Call, CheckerContext &C) const; void handleRelease(const CallEvent &Call, CheckerContext &C) const;
void handleSwap(const CallEvent &Call, CheckerContext &C) const; void handleSwapMethod(const CallEvent &Call, CheckerContext &C) const;
void handleGet(const CallEvent &Call, CheckerContext &C) const; void handleGet(const CallEvent &Call, CheckerContext &C) const;
bool handleAssignOp(const CallEvent &Call, CheckerContext &C) const; bool handleAssignOp(const CallEvent &Call, CheckerContext &C) const;
bool handleMoveCtr(const CallEvent &Call, CheckerContext &C, bool handleMoveCtr(const CallEvent &Call, CheckerContext &C,
const MemRegion *ThisRegion) const; const MemRegion *ThisRegion) const;
bool updateMovedSmartPointers(CheckerContext &C, const MemRegion *ThisRegion, bool updateMovedSmartPointers(CheckerContext &C, const MemRegion *ThisRegion,
const MemRegion *OtherSmartPtrRegion) const; const MemRegion *OtherSmartPtrRegion) const;
void handleBoolConversion(const CallEvent &Call, CheckerContext &C) const; void handleBoolConversion(const CallEvent &Call, CheckerContext &C) const;
bool handleComparisionOp(const CallEvent &Call, CheckerContext &C) const; bool handleComparisionOp(const CallEvent &Call, CheckerContext &C) const;
bool handleOstreamOperator(const CallEvent &Call, CheckerContext &C) const; bool handleOstreamOperator(const CallEvent &Call, CheckerContext &C) const;
bool handleSwap(ProgramStateRef State, SVal First, SVal Second,
CheckerContext &C) const;
std::pair<SVal, ProgramStateRef> std::pair<SVal, ProgramStateRef>
retrieveOrConjureInnerPtrVal(ProgramStateRef State, retrieveOrConjureInnerPtrVal(ProgramStateRef State,
const MemRegion *ThisRegion, const Expr *E, const MemRegion *ThisRegion, const Expr *E,
QualType Type, CheckerContext &C) const; QualType Type, CheckerContext &C) const;
using SmartPtrMethodHandlerFn = using SmartPtrMethodHandlerFn =
void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const; void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const;
CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{ CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{
{{"reset"}, &SmartPtrModeling::handleReset}, {{"reset"}, &SmartPtrModeling::handleReset},
{{"release"}, &SmartPtrModeling::handleRelease}, {{"release"}, &SmartPtrModeling::handleRelease},
{{"swap", 1}, &SmartPtrModeling::handleSwap}, {{"swap", 1}, &SmartPtrModeling::handleSwapMethod},
{{"get"}, &SmartPtrModeling::handleGet}}; {{"get"}, &SmartPtrModeling::handleGet}};
const CallDescription StdSwapCall{{"std", "swap"}, 2};
}; };
} // end of anonymous namespace } // end of anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, SVal) REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, SVal)
// Checks if RD has name in Names and is in std namespace // Checks if RD has name in Names and is in std namespace
static bool hasStdClassWithName(const CXXRecordDecl *RD, static bool hasStdClassWithName(const CXXRecordDecl *RD,
ArrayRef<llvm::StringLiteral> Names) { ArrayRef<llvm::StringLiteral> Names) {
Show All 24 Lines
namespace ento { namespace ento {
namespace smartptr { namespace smartptr {
bool isStdSmartPtrCall(const CallEvent &Call) { bool isStdSmartPtrCall(const CallEvent &Call) {
const auto *MethodDecl = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl()); const auto *MethodDecl = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());
if (!MethodDecl || !MethodDecl->getParent()) if (!MethodDecl || !MethodDecl->getParent())
return false; return false;
return isStdSmartPtr(MethodDecl->getParent()); return isStdSmartPtr(MethodDecl->getParent());
} }
bool isStdSmartPtr(const CXXRecordDecl *RD) { bool isStdSmartPtr(const CXXRecordDecl *RD) {
if (!RD || !RD->getDeclContext()->isStdNamespace()) if (!RD || !RD->getDeclContext()->isStdNamespace())
return false; return false;
if (RD->getDeclName().isIdentifier()) { if (RD->getDeclName().isIdentifier()) {
StringRef Name = RD->getName(); StringRef Name = RD->getName();
return Name == "shared_ptr" || Name == "unique_ptr" || Name == "weak_ptr"; return Name == "shared_ptr" || Name == "unique_ptr" || Name == "weak_ptr";
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

That's great!

vsavchenko: That's great!
} }
return false; return false;
} }
bool isStdSmartPtr(const Expr *E) { bool isStdSmartPtr(const Expr *E) {
return isStdSmartPtr(E->getType()->getAsCXXRecordDecl()); return isStdSmartPtr(E->getType()->getAsCXXRecordDecl());
} }
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Lines return isStdSmartPtr(Call.getArgExpr(1)) &&
isStdBasicOstream(Call.getArgExpr(0)); isStdBasicOstream(Call.getArgExpr(0));
} }
bool SmartPtrModeling::evalCall(const CallEvent &Call, bool SmartPtrModeling::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// If any one of the arg is a unique_ptr, then // If any one of the arg is a unique_ptr, then
// we can try this function // we can try this function
if (Call.getNumArgs() == 2 && if (Call.getNumArgs() == 2 &&
xazax.hunUnsubmitted
Done
ReplyInline Actions

I wonder about the value of this assertion. Shouldn`t Call.isCalled(StdSwapCall) already validate the number of arguments?

xazax.hun: I wonder about the value of this assertion. Shouldn`t `Call.isCalled(StdSwapCall)` already…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

About as valuable as any assertion is ;)
My reasoning is that since we are calling Call.getArgSval(0) and Call.getArgSVal(1), we had better assert that there are two args.
As a side-note, I had a bug in my CallDescriptor, which was caught by this assertion

RedDocMD: About as valuable as any assertion is ;) My reasoning is that since we are calling `Call.
Call.getDecl()->getDeclContext()->isStdNamespace()) Call.getDecl()->getDeclContext()->isStdNamespace())
if (smartptr::isStdSmartPtr(Call.getArgExpr(0)) || if (smartptr::isStdSmartPtr(Call.getArgExpr(0)) ||
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: we usually omit braces for simple if statements.

xazax.hun: Nit: we usually omit braces for simple `if` statements.
smartptr::isStdSmartPtr(Call.getArgExpr(1))) smartptr::isStdSmartPtr(Call.getArgExpr(1)))
if (handleComparisionOp(Call, C)) if (handleComparisionOp(Call, C))
return true; return true;
if (isStdOstreamOperatorCall(Call)) if (isStdOstreamOperatorCall(Call))
return handleOstreamOperator(Call, C); return handleOstreamOperator(Call, C);
if (Call.isCalled(StdSwapCall)) {
// Check the first arg, if it is of std::unique_ptr type.
vsavchenkoUnsubmitted
Done
ReplyInline Actions

I guess handleSwap can take SVals instead of MemRegion and we can mostly cut on this boilerplate as well.

return handleSwap(State, Call.getArgSVal(0), Call.getArgSVal(1), C);

and

return handleSwap(State, IC->getCXXThisVal(), Call.getArgSVal(0), C);
vsavchenko: I guess `handleSwap` can take `SVal`s instead of `MemRegion` and we can mostly cut on this…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

Yup, okay.

RedDocMD: Yup, okay.
assert(Call.getNumArgs() == 2 && "std::swap should have two arguments");
const Expr *FirstArg = Call.getArgExpr(0);
if (!smartptr::isStdSmartPtr(FirstArg->getType()->getAsCXXRecordDecl()))
return false;
return handleSwap(State, Call.getArgSVal(0), Call.getArgSVal(1), C);
}
if (!smartptr::isStdSmartPtrCall(Call)) if (!smartptr::isStdSmartPtrCall(Call))
return false; return false;
if (isBoolConversionMethod(Call)) { if (isBoolConversionMethod(Call)) {
const MemRegion *ThisR = const MemRegion *ThisR =
cast<CXXInstanceCall>(&Call)->getCXXThisVal().getAsRegion(); cast<CXXInstanceCall>(&Call)->getCXXThisVal().getAsRegion();
if (ModelSmartPtrDereference) { if (ModelSmartPtrDereference) {
// The check for the region is moved is duplicated in handleBoolOperation // The check for the region is moved is duplicated in handleBoolOperation
// method. // method.
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

Wait, and what if the second argument is interesting?

vsavchenko: Wait, and what if the second argument is interesting?
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

I know. That's why I said that the note is crappy.
The question I have in mind is - what if we swap null with null? Do we want a note in that case?
IMO, we should have a note for every case of swapping a confirmed null with something that is not confirmed to be null.

RedDocMD: I know. That's why I said that the note is crappy. The question I have in mind is - what if we…
// FIXME: Once we model std::move for smart pointers clean up this and use // FIXME: Once we model std::move for smart pointers clean up this and use
// that modeling. // that modeling.
handleBoolConversion(Call, C); handleBoolConversion(Call, C);
return true; return true;
} else { } else {
if (!move::isMovedFrom(State, ThisR)) { if (!move::isMovedFrom(State, ThisR)) {
// TODO: Model this case as well. At least, avoid invalidation of // TODO: Model this case as well. At least, avoid invalidation of
// globals. // globals.
return false; return false;
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

Maybe a separate method then?

vsavchenko: Maybe a separate method then?
} }
// TODO: Add a note to bug reports describing this decision. // TODO: Add a note to bug reports describing this decision.
C.addTransition(State->BindExpr( C.addTransition(State->BindExpr(
Call.getOriginExpr(), C.getLocationContext(), Call.getOriginExpr(), C.getLocationContext(),
C.getSValBuilder().makeZeroVal(Call.getResultType()))); C.getSValBuilder().makeZeroVal(Call.getResultType())));
return true; return true;
▲ Show 20 LinesShow All 284 Lines▼ Show 20 Lines C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,
OS << "Smart pointer"; OS << "Smart pointer";
checkAndPrettyPrintRegion(OS, ThisRegion); checkAndPrettyPrintRegion(OS, ThisRegion);
OS << " is released and set to null"; OS << " is released and set to null";
})); }));
// TODO: Add support to enable MallocChecker to start tracking the raw // TODO: Add support to enable MallocChecker to start tracking the raw
// pointer. // pointer.
} }
void SmartPtrModeling::handleSwap(const CallEvent &Call, void SmartPtrModeling::handleSwapMethod(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// To model unique_ptr::swap() method. // To model unique_ptr::swap() method.
const auto *IC = dyn_cast<CXXInstanceCall>(&Call); const auto *IC = dyn_cast<CXXInstanceCall>(&Call);
if (!IC) if (!IC)
return; return;
const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion(); auto State = C.getState();
if (!ThisRegion) handleSwap(State, IC->getCXXThisVal(), Call.getArgSVal(0), C);
return; }
const auto *ArgRegion = Call.getArgSVal(0).getAsRegion(); bool SmartPtrModeling::handleSwap(ProgramStateRef State, SVal First,
if (!ArgRegion) SVal Second, CheckerContext &C) const {
return; const MemRegion *FirstThisRegion = First.getAsRegion();
if (!FirstThisRegion)
return false;
const MemRegion *SecondThisRegion = Second.getAsRegion();
if (!SecondThisRegion)
return false;
auto State = C.getState(); const auto *FirstInnerPtrVal = State->get<TrackedRegionMap>(FirstThisRegion);
const auto *ThisRegionInnerPointerVal = const auto *SecondInnerPtrVal =
State->get<TrackedRegionMap>(ThisRegion); State->get<TrackedRegionMap>(SecondThisRegion);
const auto *ArgRegionInnerPointerVal =
State->get<TrackedRegionMap>(ArgRegion);
// Swap the tracked region values.
State = updateSwappedRegion(State, ThisRegion, ArgRegionInnerPointerVal);
State = updateSwappedRegion(State, ArgRegion, ThisRegionInnerPointerVal);
C.addTransition( State = updateSwappedRegion(State, FirstThisRegion, SecondInnerPtrVal);
State, C.getNoteTag([ThisRegion, ArgRegion](PathSensitiveBugReport &BR, State = updateSwappedRegion(State, SecondThisRegion, FirstInnerPtrVal);
C.addTransition(State, C.getNoteTag([FirstThisRegion, SecondThisRegion](
PathSensitiveBugReport &BR,
llvm::raw_ostream &OS) { llvm::raw_ostream &OS) {
if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || if (&BR.getBugType() != smartptr::getNullDereferenceBugType())
!BR.isInteresting(ThisRegion))
return; return;
BR.markInteresting(ArgRegion); if (BR.isInteresting(FirstThisRegion) &&
OS << "Swapped null smart pointer"; !BR.isInteresting(SecondThisRegion)) {
checkAndPrettyPrintRegion(OS, ArgRegion); BR.markInteresting(SecondThisRegion);
OS << " with smart pointer"; BR.markNotInteresting(FirstThisRegion);
checkAndPrettyPrintRegion(OS, ThisRegion); }
if (BR.isInteresting(SecondThisRegion) &&
!BR.isInteresting(FirstThisRegion)) {
BR.markInteresting(FirstThisRegion);
BR.markNotInteresting(SecondThisRegion);
}
// TODO: We need to emit some note here probably!!
})); }));
vsavchenkoUnsubmitted
Done
ReplyInline Actions

nit: these two pieces of code are very much the same

vsavchenko: nit: these two pieces of code are very much the same
xazax.hunUnsubmitted
Done
ReplyInline Actions

I guess we could make markInteresting take an optional bool and swap the interestingness unconditionally.

xazax.hun: I guess we could make `markInteresting` take an optional bool and swap the interestingness…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

Then we would need to rename it to something like setInterestingness.
And renaming such a widely used function would be a real pain.

RedDocMD: Then we would need to rename it to something like `setInterestingness`. And renaming such a…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

Yes, but I don't think refactoring them into a lambda (within a lambda) would be that nice either.

RedDocMD: Yes, but I don't think refactoring them into a lambda (within a lambda) would be that nice…
return true;
} }
void SmartPtrModeling::handleGet(const CallEvent &Call, void SmartPtrModeling::handleGet(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const auto *IC = dyn_cast<CXXInstanceCall>(&Call); const auto *IC = dyn_cast<CXXInstanceCall>(&Call);
if (!IC) if (!IC)
return; return;
▲ Show 20 LinesShow All 198 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 2,257 Lines▼ Show 20 Lines
void PathSensitiveBugReport::markNotInteresting(SymbolRef sym) { void PathSensitiveBugReport::markNotInteresting(SymbolRef sym) {
if (!sym) if (!sym)
return; return;
InterestingSymbols.erase(sym); InterestingSymbols.erase(sym);
// The metadata part of markInteresting is not reversed here. // The metadata part of markInteresting is not reversed here.
// Just making the same region not interesting is incorrect // Just making the same region not interesting is incorrect
// in specific cases. // in specific cases.
if (const auto *meta = dyn_cast<SymbolMetadata>(sym))
markNotInteresting(meta->getRegion());
} }
void PathSensitiveBugReport::markInteresting(const MemRegion *R, void PathSensitiveBugReport::markInteresting(const MemRegion *R,
bugreporter::TrackingKind TKind) { bugreporter::TrackingKind TKind) {
if (!R) if (!R)
return; return;
R = R->getBaseRegion(); R = R->getBaseRegion();
▲ Show 20 LinesShow All 1,069 LinesShow Last 20 Lines

clang/test/Analysis/smart-ptr-text-output.cpp

Show First 20 LinesShow All 63 Lines▼ Show 20 Linesvoid derefOnReleasedNullRawPtr() {
std::unique_ptr<A> P; // FIXME: add note "Default constructed smart pointer 'P' is null" std::unique_ptr<A> P; // FIXME: add note "Default constructed smart pointer 'P' is null"
A *AP = P.release(); // expected-note {{'AP' initialized to a null pointer value}} A *AP = P.release(); // expected-note {{'AP' initialized to a null pointer value}}
AP->foo(); // expected-warning {{Called C++ object pointer is null [core.CallAndMessage]}} AP->foo(); // expected-warning {{Called C++ object pointer is null [core.CallAndMessage]}}
// expected-note@-1{{Called C++ object pointer is null}} // expected-note@-1{{Called C++ object pointer is null}}
} }
void derefOnSwappedNullPtr() { void derefOnSwappedNullPtr() {
std::unique_ptr<A> P(new A()); // expected-note {{Smart pointer 'P' is constructed}} std::unique_ptr<A> P(new A()); // expected-note {{Smart pointer 'P' is constructed}}
std::unique_ptr<A> PNull; // expected-note {{Default constructed smart pointer 'PNull' is null}} std::unique_ptr<A> PNull;
P.swap(PNull); // expected-note {{Swapped null smart pointer 'PNull' with smart pointer 'P'}} P.swap(PNull);
PNull->foo(); // No warning. PNull->foo(); // No warning.
(*P).foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}} (*P).foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'P'}} // expected-note@-1{{Dereference of null smart pointer 'P'}}
} }
// FIXME: Fix this test when "std::swap" is modeled seperately.
void derefOnStdSwappedNullPtr() { void derefOnStdSwappedNullPtr() {
std::unique_ptr<A> P; // expected-note {{Default constructed smart pointer 'P' is null}} std::unique_ptr<A> P; // expected-note {{Default constructed smart pointer 'P' is null}}
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

I know that this case existed before, but can we initialize P with non-null, so that the warning is a bit more life-like?

vsavchenko: I know that this case existed before, but can we initialize `P` with non-null, so that the…
std::unique_ptr<A> PNull; // expected-note {{Default constructed smart pointer 'PNull' is null}} std::unique_ptr<A> PNull;
std::swap(P, PNull); // expected-note@Inputs/system-header-simulator-cxx.h:979 {{Swapped null smart pointer 'PNull' with smart pointer 'P'}} std::swap(P, PNull);
// expected-note@-1 {{Calling 'swap<A>'}}
// expected-note@-2 {{Returning from 'swap<A>'}}
P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}} P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'P'}} // expected-note@-1{{Dereference of null smart pointer 'P'}}
} }
struct StructWithSmartPtr { // expected-note {{Default constructed smart pointer 'S.P' is null}} struct StructWithSmartPtr { // expected-note {{Default constructed smart pointer 'S.P' is null}}
std::unique_ptr<A> P; std::unique_ptr<A> P;
}; };
▲ Show 20 LinesShow All 222 LinesShow Last 20 Lines