This is an archive of the discontinued LLVM Phabricator instance.

Differential D105553

[analyzer][NFC] Split the main logic of NoStoreFuncVisitor to an abstract NoStateChangeVisitor class
ClosedPublic

Authored by Szelethus on Jul 7 2021, 8:06 AM.

Details

Reviewers
NoQ
vsavchenko
martong
steakhal
ASDenysPetrov
Commits
rG2d3668c997fa: [analyzer] MallocChecker: Add a visitor to leave a note on functions that could…
rGc019142a89b4: [analyzer][NFC] Split the main logic of NoStoreFuncVisitor to an abstract…
Summary

Preceding discussion on cfe-dev: https://lists.llvm.org/pipermail/cfe-dev/2021-June/068450.html

NoStoreFuncVisitor is a rather unique visitor. As VisitNode is invoked on most other visitors, they are looking for the point where something changed -- change on a value, some checker-specific GDM trait, a new constraint. NoStoreFuncVisitor, however, looks specifically for functions that *didn't* write to a MemRegion of interesting. Quoting from its comments:

/// Put a diagnostic on return statement of all inlined functions
/// for which  the region of interest \p RegionOfInterest was passed into,
/// but not written inside, and it has caused an undefined read or a null
/// pointer dereference outside.

It so happens that there are a number of other similar properties that are worth checking. For instance, if some memory leaks, it might be interesting why a function didn't take ownership of said memory:

void sink(int *P) {} // no notes

void f() {
  sink(new int(5)); // note: Memory is allocated
                    // Well hold on, sink() was supposed to deal with
                    // that, this must be a false positive...
} // warning: Potential memory leak [cplusplus.NewDeleteLeaks]

In here, the entity of interest isn't a MemRegion, but a symbol. The property that changed here isn't a change of value, but rather liveness and GDM traits managed by MalloChecker.

This patch moves some of the logic of NoStoreFuncVisitor to a new abstract class, NoStateChangeFuncVisitor. This is mostly calculating and caching the stack frames in which the entity of interest wasn't changed.

Descendants of this interface have to define 3 things:

  • What constitutes as a change to an entity (this is done by overriding wasModifiedBeforeCallExit)
  • What the diagnostic message should be (this is done by overriding maybeEmitNoteFor.*)
  • What constitutes as the entity of interest being passed into the function (this is also done by overriding maybeEmitNoteFor.*, to be factored out a bit more in a later patch)

Diff Detail

Event Timeline

Szelethus created this revision.Jul 7 2021, 8:06 AM
Herald added subscribers: manas, gamesh411, dkrupp and 9 others. · View Herald TranscriptJul 7 2021, 8:06 AM
Szelethus requested review of this revision.Jul 7 2021, 8:06 AM
Herald added subscribers: cfe-commits, aheejin. · View Herald TranscriptJul 7 2021, 8:06 AM
Harbormaster completed remote builds in B112786: Diff 356955.Jul 7 2021, 8:07 AM
Szelethus added a parent revision: D105552: [analyzer][NFC] NoStoreFuncVisitor: Compact parameters for region pretty printing into a class.Jul 7 2021, 8:07 AM
Szelethus mentioned this in D105552: [analyzer][NFC] NoStoreFuncVisitor: Compact parameters for region pretty printing into a class.Jul 8 2021, 3:25 AM
Szelethus updated this revision to Diff 357202.Jul 8 2021, 6:29 AM
Szelethus edited the summary of this revision. (Show Details)
  • Don't depend on D105552.
  • Merge with a followup patch; it was a poor splitting point, and the diffs didn't really convey what actually changed. However, it didn't make this patch look any more obfuscated.
    • Split up maybeEmitNote to special cases. Descendants will need to check whether the entity of interest was passed into the function or not, and emit a note if so.
      • NoStateChangeVisitor forces you to override 3 of these functions, one for ObjC 'self', one for C++ 'this', and one for regular parameters.
  • D105552#2864085 gives a bit more insight into the longer term plans:

[...] clients only need to define these 3 [...]:

  • What constitutes as a change to an entity
  • What the diagnostic message should be
  • What constitutes as the entity of interest being passed into the function

In the end, in my eye, it would look like this:

                     <--- NoStateChangeToRegionVisitor <--- NoStoreFuncVisitor
                    /
NoStateChangeVisitor                                   <--- NoDynamicMemoryOwnershipChangeVisitor
                    \                                 /
                     <--- NoStateChangeToSymbolVisitor
                                                      \
                                                       <--- NoStreamOwnershipChangeVisitor
  • NoStateChangeVisitor will ask its clients the above mentioned 3 questions.
  • NoStateChangeToSymbolVisitor and NoStateChangeToRegionVisitor would answer whether the entity of interest was actually passed into the function, and propagate the rest.
  • Visitors on the bottom would take care of what remains.
Szelethus removed a parent revision: D105552: [analyzer][NFC] NoStoreFuncVisitor: Compact parameters for region pretty printing into a class.Jul 8 2021, 6:29 AM
Harbormaster completed remote builds in B112976: Diff 357202.Jul 8 2021, 7:05 AM
NoQ accepted this revision.Jul 9 2021, 12:29 PM

This looks perfectly sensible to me.

In the mailing list I seem to have made a mistake about how this works: we don't explicitly scan the AST for potential statements that could cause a state change (eg., assignment operators in case of NoStore) but we only check if the region was explicitly made accessible. This makes things a lot easier (we don't have to build an auxiliary AST-based analysis) and I'm not sure if this other heuristic that I thought we have would actually make things significantly better. I guess it makes sense to keep in mind that we might want to ultimately plug it in but I don't immediately see what'd stop us.

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
629

Or on the } if there's no return statement.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
399

While we're at it, can you take a look if the recently introduced CallEvent::parameters() is good enough for this?

532–533

I guess this comment could be copied to the other two virtual methods?

This revision is now accepted and ready to land.Jul 9 2021, 12:29 PM
Szelethus mentioned this in D105819: [analyzer] MallocChecker: Add a visitor to leave a note on functions that could have, but did not change ownership on leaked memory.Jul 12 2021, 8:28 AM
NoQ added a child revision: D105819: [analyzer] MallocChecker: Add a visitor to leave a note on functions that could have, but did not change ownership on leaked memory.Jul 12 2021, 7:42 PM
Szelethus updated this revision to Diff 358876.Jul 15 2021, 2:40 AM
Szelethus marked 3 inline comments as done.
  • Change parameter names to highlight that the node at the end of the function call is a CallExitBegin.
  • Change individual parameter callbacks to the entire call -- if a client knows that they don't want to emit diagnostics for some function, they can early return, instead of early returning for each parameter.
  • Fix according to reviewer comments!
Szelethus added a comment.Jul 15 2021, 2:40 AM
In D105553#2867881, @NoQ wrote:

In the mailing list I seem to have made a mistake about how this works: we don't explicitly scan the AST for potential statements that could cause a state change (eg., assignment operators in case of NoStore) but we only check if the region was explicitly made accessible. This makes things a lot easier (we don't have to build an auxiliary AST-based analysis) and I'm not sure if this other heuristic that I thought we have would actually make things significantly better. I guess it makes sense to keep in mind that we might want to ultimately plug it in but I don't immediately see what'd stop us.

For NoStoreFuncVisitor, this seems to be fine I suppose, though I'm not sure how things pan out for memory leaks. As you put it,

We probably shouldn't emit a note every time the function simply accepts the value of interest by pointer, because this doesn't necessarily prove the intent to delete the pointer;

it might be rather difficult to tell this intent. For now, I'm leaning on the side of slightly too much than too little, but I need real world data on my hand to have a good feel for it.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
399

I suppose yeah, at least the lit tests all passed, though its worth mentioning that this function explicitly calls CallEvent::parameters()...

Harbormaster completed remote builds in B114182: Diff 358876.Jul 15 2021, 3:26 AM
This revision was landed with ongoing or failed builds.Aug 16 2021, 6:03 AM
Closed by commit rGc019142a89b4: [analyzer][NFC] Split the main logic of NoStoreFuncVisitor to an abstract… (authored by Szelethus). · Explain Why
This revision was automatically updated to reflect the committed changes.
Szelethus added a commit: rGc019142a89b4: [analyzer][NFC] Split the main logic of NoStoreFuncVisitor to an abstract….
Szelethus added a commit: rG2d3668c997fa: [analyzer] MallocChecker: Add a visitor to leave a note on functions that could….Aug 16 2021, 7:19 AM
Szelethus mentioned this in D108695: [analyzer][NFCI] Allow clients of NoStateChangeFuncVisitor to check entire function calls, rather than each ExplodedNode in it.Aug 25 2021, 5:18 AM
Szelethus mentioned this in rG7d0e62bfb773: [analyzer][NFCI] Allow clients of NoStateChangeFuncVisitor to check entire….Sep 2 2021, 7:57 AM
Szelethus mentioned this in rGa375bfb5b729: [analyzer][NFCI] Allow clients of NoStateChangeFuncVisitor to check entire….Sep 3 2021, 4:50 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
68 lines
lib/
StaticAnalyzer/
Core/
380 lines

Diff 357202

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show All 15 Lines
#include "clang/Analysis/ProgramPoint.h" #include "clang/Analysis/ProgramPoint.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "llvm/ADT/FoldingSet.h" #include "llvm/ADT/FoldingSet.h"
#include "llvm/ADT/IntrusiveRefCntPtr.h" #include "llvm/ADT/IntrusiveRefCntPtr.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
#include <list> #include <list>
#include <memory> #include <memory>
#include <utility> #include <utility>
namespace clang { namespace clang {
class BinaryOperator; class BinaryOperator;
▲ Show 20 LinesShow All 585 Lines▼ Show 20 Lines
public: public:
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BRC, BugReporterContext &BRC,
PathSensitiveBugReport &R) override; PathSensitiveBugReport &R) override;
}; };
class ObjCMethodCall;
class CXXConstructorCall;
/// Put a diagnostic on return statement of all inlined functions for which some
NoQUnsubmitted
Done
ReplyInline Actions

Or on the } if there's no return statement.

NoQ: Or on the `}` if there's no return statement.
/// property remained unchanged.
/// Resulting diagnostics may read such as "Returning without writing to X".
///
/// Descendants can define what a "state change is", like a change of value
/// to a memory region, liveness, etc. For function calls where the state did
/// not change as defined, a custom note may be constructed.
class NoStateChangeFuncVisitor : public BugReporterVisitor {
private:
/// Frames modifying the state as defined in \c wasModifiedBeforeCallExit.
/// This visitor generates a note only if a function does *not* change the
/// state that way. This information is not immediately available
/// by looking at the node associated with the exit from the function
/// (usually the return statement). To avoid recomputing the same information
/// many times (going up the path for each node and checking whether the
/// region was written into) we instead lazily compute the stack frames
/// along the path.
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifying;
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;
/// Check and lazily calculate whether the state is modified in the stack
/// frame to which \p CallExitN belongs.
/// The calculation is cached in FramesModifying.
bool isModifiedInFrame(const ExplodedNode *CallExitN);
/// Write to \c FramesModifying all stack frames along the path in the current
/// stack frame which modifies the state.
void findModifyingFrames(const ExplodedNode *const CallExitN);
protected:
bugreporter::TrackingKind TKind;
/// \return Whether the state was modified from the current node, \CurrN, to
/// the end of the stack fram, at \p CallExitN.
virtual bool wasModifiedBeforeCallExit(const ExplodedNode *CurrN,
const ExplodedNode *CallExitN) = 0;
/// Consume the information on the non-modifying stack frame in order to
/// either emit a note or not. May suppress the report entirely.
/// \return Diagnostics piece for the unmodified state in the current
/// function, if it decides to emit one. A good description might start with
/// "Returning without...".
virtual PathDiagnosticPieceRef
maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
const ObjCMethodCall &Call,
const ExplodedNode *N) = 0;
virtual PathDiagnosticPieceRef
maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
const CXXConstructorCall &Call,
const ExplodedNode *N) = 0;
virtual PathDiagnosticPieceRef maybeEmitNoteForParameter(
PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N,
ArrayRef<ParmVarDecl *> Parameters, unsigned ParamIdx) = 0;
public:
NoStateChangeFuncVisitor(bugreporter::TrackingKind TKind) : TKind(TKind) {}
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BR,
PathSensitiveBugReport &R) override final;
};
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H #endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 338 Lines▼ Show 20 Lines auto P = std::make_shared<PathDiagnosticEventPiece>(
L, BR.getDescription(), Ranges.begin() == Ranges.end()); L, BR.getDescription(), Ranges.begin() == Ranges.end());
for (SourceRange Range : Ranges) for (SourceRange Range : Ranges)
P->addRange(Range); P->addRange(Range);
return P; return P;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Implementation of NoStateChangeFuncVisitor.
//===----------------------------------------------------------------------===//
bool NoStateChangeFuncVisitor::isModifiedInFrame(const ExplodedNode *N) {
const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame();
if (!FramesModifyingCalculated.count(SCtx))
findModifyingFrames(N);
return FramesModifying.count(SCtx);
}
void NoStateChangeFuncVisitor::findModifyingFrames(
const ExplodedNode *const CallExitN) {
assert(CallExitN->getLocationAs<CallExitBegin>());
const ExplodedNode *LastReturnN = CallExitN;
const StackFrameContext *const OriginalSCtx =
CallExitN->getLocationContext()->getStackFrame();
const ExplodedNode *CurrN = CallExitN;
do {
ProgramStateRef State = CurrN->getState();
auto CallExitLoc = CurrN->getLocationAs<CallExitBegin>();
if (CallExitLoc) {
LastReturnN = CurrN;
}
FramesModifyingCalculated.insert(
CurrN->getLocationContext()->getStackFrame());
if (wasModifiedBeforeCallExit(CurrN, LastReturnN)) {
const StackFrameContext *SCtx = CurrN->getStackFrame();
while (!SCtx->inTopFrame()) {
auto p = FramesModifying.insert(SCtx);
if (!p.second)
break; // Frame and all its parents already inserted.
SCtx = SCtx->getParent()->getStackFrame();
}
}
// Stop calculation at the call to the current function.
if (auto CE = CurrN->getLocationAs<CallEnter>())
if (CE->getCalleeContext() == OriginalSCtx)
break;
CurrN = CurrN->getFirstPred();
} while (CurrN);
}
/// Get parameters associated with runtime definition in order
/// to get the correct parameter name.
static ArrayRef<ParmVarDecl *> getCallParameters(const CallEvent &Call) {
NoQUnsubmitted
Done
ReplyInline Actions

While we're at it, can you take a look if the recently introduced CallEvent::parameters() is good enough for this?

NoQ: While we're at it, can you take a look if the recently introduced `CallEvent::parameters()` is…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

I suppose yeah, at least the lit tests all passed, though its worth mentioning that this function explicitly calls CallEvent::parameters()...

Szelethus: I suppose yeah, at least the lit tests all passed, though its worth mentioning that this…
// Use runtime definition, if available.
RuntimeDefinition RD = Call.getRuntimeDefinition();
if (const auto *FD = dyn_cast_or_null<FunctionDecl>(RD.getDecl()))
return FD->parameters();
if (const auto *MD = dyn_cast_or_null<ObjCMethodDecl>(RD.getDecl()))
return MD->parameters();
return Call.parameters();
}
PathDiagnosticPieceRef NoStateChangeFuncVisitor::VisitNode(
const ExplodedNode *N, BugReporterContext &BR, PathSensitiveBugReport &R) {
const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame();
ProgramStateRef State = N->getState();
auto CallExitLoc = N->getLocationAs<CallExitBegin>();
// No diagnostic if region was modified inside the frame.
if (!CallExitLoc || isModifiedInFrame(N))
return nullptr;
CallEventRef<> Call =
BR.getStateManager().getCallEventManager().getCaller(SCtx, State);
// Optimistically suppress uninitialized value bugs that result
// from system headers having a chance to initialize the value
// but failing to do so. It's too unlikely a system header's fault.
// It's much more likely a situation in which the function has a failure
// mode that the user decided not to check. If we want to hunt such
// omitted checks, we should provide an explicit function-specific note
// describing the precondition under which the function isn't supposed to
// initialize its out-parameter, and additionally check that such
// precondition can actually be fulfilled on the current path.
if (Call->isInSystemHeader()) {
// We make an exception for system header functions that have no branches.
// Such functions unconditionally fail to initialize the variable.
// If they call other functions that have more paths within them,
// this suppression would still apply when we visit these inner functions.
// One common example of a standard function that doesn't ever initialize
// its out parameter is operator placement new; it's up to the follow-up
// constructor (if any) to initialize the memory.
if (!N->getStackFrame()->getCFG()->isLinear()) {
static int i = 0;
R.markInvalid(&i, nullptr);
}
return nullptr;
}
if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) {
// If we failed to construct a piece for self, we still want to check
// whether the entity of interest is in a parameter.
if (PathDiagnosticPieceRef Piece = maybeEmitNoteForObjCSelf(R, *MC, N))
return Piece;
}
if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) {
// Do not generate diagnostics for not modified parameters in
// constructors.
return maybeEmitNoteForCXXThis(R, *CCall, N);
}
ArrayRef<ParmVarDecl *> parameters = getCallParameters(*Call);
for (unsigned ParamIdx = 0;
ParamIdx < Call->getNumArgs() && ParamIdx < parameters.size();
++ParamIdx) {
if (PathDiagnosticPieceRef Piece =
maybeEmitNoteForParameter(R, *Call, N, parameters, ParamIdx))
return Piece;
}
return nullptr;
}
//===----------------------------------------------------------------------===//
// Implementation of NoStoreFuncVisitor. // Implementation of NoStoreFuncVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
/// Put a diagnostic on return statement of all inlined functions /// Put a diagnostic on return statement of all inlined functions
/// for which the region of interest \p RegionOfInterest was passed into, /// for which the region of interest \p RegionOfInterest was passed into,
/// but not written inside, and it has caused an undefined read or a null /// but not written inside, and it has caused an undefined read or a null
/// pointer dereference outside. /// pointer dereference outside.
class NoStoreFuncVisitor final : public BugReporterVisitor { class NoStoreFuncVisitor final : public NoStateChangeFuncVisitor {
const SubRegion *RegionOfInterest; const SubRegion *RegionOfInterest;
MemRegionManager &MmrMgr; MemRegionManager &MmrMgr;
const SourceManager &SM; const SourceManager &SM;
const PrintingPolicy &PP; const PrintingPolicy &PP;
bugreporter::TrackingKind TKind;
/// Recursion limit for dereferencing fields when looking for the /// Recursion limit for dereferencing fields when looking for the
/// region of interest. /// region of interest.
/// The limit of two indicates that we will dereference fields only once. /// The limit of two indicates that we will dereference fields only once.
static const unsigned DEREFERENCE_LIMIT = 2; static const unsigned DEREFERENCE_LIMIT = 2;
/// Frames writing into \c RegionOfInterest.
/// This visitor generates a note only if a function does not write into
/// a region of interest. This information is not immediately available
/// by looking at the node associated with the exit from the function
/// (usually the return statement). To avoid recomputing the same information
/// many times (going up the path for each node and checking whether the
/// region was written into) we instead lazily compute the
/// stack frames along the path which write into the region of interest.
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion;
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;
using RegionVector = SmallVector<const MemRegion *, 5>; using RegionVector = SmallVector<const MemRegion *, 5>;
public: public:
NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind) NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind)
: RegionOfInterest(R), MmrMgr(R->getMemRegionManager()), : NoStateChangeFuncVisitor(TKind), RegionOfInterest(R),
MmrMgr(R->getMemRegionManager()),
SM(MmrMgr.getContext().getSourceManager()), SM(MmrMgr.getContext().getSourceManager()),
PP(MmrMgr.getContext().getPrintingPolicy()), TKind(TKind) {} PP(MmrMgr.getContext().getPrintingPolicy()) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { void Profile(llvm::FoldingSetNodeID &ID) const override {
static int Tag = 0; static int Tag = 0;
ID.AddPointer(&Tag); ID.AddPointer(&Tag);
ID.AddPointer(RegionOfInterest); ID.AddPointer(RegionOfInterest);
} }
void *getTag() const { void *getTag() const {
static int Tag = 0; static int Tag = 0;
return static_cast<void *>(&Tag); return static_cast<void *>(&Tag);
} }
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BR,
PathSensitiveBugReport &R) override;
private: private:
/// \return Whether \c RegionOfInterest was modified at \p CurrN compared to
/// the value it holds in \p CallExitN.
virtual bool
wasModifiedBeforeCallExit(const ExplodedNode *CurrN,
const ExplodedNode *CallExitN) override;
/// Attempts to find the region of interest in a given record decl, /// Attempts to find the region of interest in a given record decl,
/// by either following the base classes or fields. /// by either following the base classes or fields.
/// Dereferences fields up to a given recursion limit. /// Dereferences fields up to a given recursion limit.
/// Note that \p Vec is passed by value, leading to quadratic copying cost, /// Note that \p Vec is passed by value, leading to quadratic copying cost,
/// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT.
/// \return A chain fields leading to the region of interest or None. /// \return A chain fields leading to the region of interest or None.
const Optional<RegionVector> const Optional<RegionVector>
findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State, findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State,
const MemRegion *R, const RegionVector &Vec = {}, const MemRegion *R, const RegionVector &Vec = {},
int depth = 0); int depth = 0);
/// Check and lazily calculate whether the region of interest is // Region of interest corresponds to an IVar, exiting a method
/// modified in the stack frame to which \p N belongs. // which could have written into that IVar, but did not.
NoQUnsubmitted
Done
ReplyInline Actions

I guess this comment could be copied to the other two virtual methods?

NoQ: I guess this comment could be copied to the other two virtual methods?
/// The calculation is cached in FramesModifyingRegion. virtual PathDiagnosticPieceRef
bool isRegionOfInterestModifiedInFrame(const ExplodedNode *N) { maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
const LocationContext *Ctx = N->getLocationContext(); const ObjCMethodCall &Call,
const StackFrameContext *SCtx = Ctx->getStackFrame(); const ExplodedNode *N) override final;
if (!FramesModifyingCalculated.count(SCtx))
findModifyingFrames(N); virtual PathDiagnosticPieceRef
return FramesModifyingRegion.count(SCtx); maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
} const CXXConstructorCall &Call,
const ExplodedNode *N) override final;
/// Write to \c FramesModifyingRegion all stack frames along virtual PathDiagnosticPieceRef maybeEmitNoteForParameter(
/// the path in the current stack frame which modify \c RegionOfInterest. PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N,
void findModifyingFrames(const ExplodedNode *N); ArrayRef<ParmVarDecl *> Parameters, unsigned ParamIdx) override final;
/// Consume the information on the no-store stack frame in order to /// Consume the information on the no-store stack frame in order to
/// either emit a note or suppress the report enirely. /// either emit a note or suppress the report enirely.
/// \return Diagnostics piece for region not modified in the current function, /// \return Diagnostics piece for region not modified in the current function,
/// if it decides to emit one. /// if it decides to emit one.
PathDiagnosticPieceRef PathDiagnosticPieceRef
maybeEmitNote(PathSensitiveBugReport &R, const CallEvent &Call, maybeEmitNote(PathSensitiveBugReport &R, const CallEvent &Call,
const ExplodedNode *N, const RegionVector &FieldChain, const ExplodedNode *N, const RegionVector &FieldChain,
const MemRegion *MatchedRegion, StringRef FirstElement, const MemRegion *MatchedRegion, StringRef FirstElement,
bool FirstIsReferenceType, unsigned IndirectionLevel); bool FirstIsReferenceType, unsigned IndirectionLevel);
/// Pretty-print region \p MatchedRegion to \p os. bool prettyPrintRegionName(const RegionVector &FieldChain,
/// \return Whether printing succeeded.
bool prettyPrintRegionName(StringRef FirstElement, bool FirstIsReferenceType,
const MemRegion *MatchedRegion, const MemRegion *MatchedRegion,
const RegionVector &FieldChain, StringRef FirstElement, bool FirstIsReferenceType,
int IndirectionLevel, unsigned IndirectionLevel,
llvm::raw_svector_ostream &os); llvm::raw_svector_ostream &os);
/// Print first item in the chain, return new separator. StringRef prettyPrintFirstElement(StringRef FirstElement,
static StringRef prettyPrintFirstElement(StringRef FirstElement,
bool MoreItemsExpected, bool MoreItemsExpected,
int IndirectionLevel, int IndirectionLevel,
llvm::raw_svector_ostream &os); llvm::raw_svector_ostream &os);
}; };
} // namespace
} // end of anonymous namespace
/// \return Whether the method declaration \p Parent /// \return Whether the method declaration \p Parent
/// syntactically has a binary operation writing into the ivar \p Ivar. /// syntactically has a binary operation writing into the ivar \p Ivar.
static bool potentiallyWritesIntoIvar(const Decl *Parent, static bool potentiallyWritesIntoIvar(const Decl *Parent,
const ObjCIvarDecl *Ivar) { const ObjCIvarDecl *Ivar) {
using namespace ast_matchers; using namespace ast_matchers;
const char *IvarBind = "Ivar"; const char *IvarBind = "Ivar";
if (!Parent || !Parent->hasBody()) if (!Parent || !Parent->hasBody())
Show All 18 Lines if (const auto *DRE = dyn_cast<DeclRefExpr>(Base))
if (ID->getParameterKind() == ImplicitParamDecl::ObjCSelf) if (ID->getParameterKind() == ImplicitParamDecl::ObjCSelf)
return true; return true;
return false; return false;
} }
return false; return false;
} }
/// Get parameters associated with runtime definition in order
/// to get the correct parameter name.
static ArrayRef<ParmVarDecl *> getCallParameters(CallEventRef<> Call) {
// Use runtime definition, if available.
RuntimeDefinition RD = Call->getRuntimeDefinition();
if (const auto *FD = dyn_cast_or_null<FunctionDecl>(RD.getDecl()))
return FD->parameters();
if (const auto *MD = dyn_cast_or_null<ObjCMethodDecl>(RD.getDecl()))
return MD->parameters();
return Call->parameters();
}
/// \return whether \p Ty points to a const type, or is a const reference.
static bool isPointerToConst(QualType Ty) {
return !Ty->getPointeeType().isNull() &&
Ty->getPointeeType().getCanonicalType().isConstQualified();
}
/// Attempts to find the region of interest in a given CXX decl, /// Attempts to find the region of interest in a given CXX decl,
/// by either following the base classes or fields. /// by either following the base classes or fields.
/// Dereferences fields up to a given recursion limit. /// Dereferences fields up to a given recursion limit.
/// Note that \p Vec is passed by value, leading to quadratic copying cost, /// Note that \p Vec is passed by value, leading to quadratic copying cost,
/// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT.
/// \return A chain fields leading to the region of interest or None. /// \return A chain fields leading to the region of interest or None.
const Optional<NoStoreFuncVisitor::RegionVector> const Optional<NoStoreFuncVisitor::RegionVector>
NoStoreFuncVisitor::findRegionOfInterestInRecord( NoStoreFuncVisitor::findRegionOfInterestInRecord(
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines if (const RecordDecl *RRD = PT->getAsRecordDecl())
findRegionOfInterestInRecord(RRD, State, VR, VecF, depth + 1)) findRegionOfInterestInRecord(RRD, State, VR, VecF, depth + 1))
return Out; return Out;
} }
return None; return None;
} }
PathDiagnosticPieceRef PathDiagnosticPieceRef
NoStoreFuncVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BR, NoStoreFuncVisitor::maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
PathSensitiveBugReport &R) { const ObjCMethodCall &Call,
const ExplodedNode *N) {
const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame();
ProgramStateRef State = N->getState();
auto CallExitLoc = N->getLocationAs<CallExitBegin>();
// No diagnostic if region was modified inside the frame.
if (!CallExitLoc || isRegionOfInterestModifiedInFrame(N))
return nullptr;
CallEventRef<> Call =
BR.getStateManager().getCallEventManager().getCaller(SCtx, State);
// Region of interest corresponds to an IVar, exiting a method
// which could have written into that IVar, but did not.
if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) {
if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) { if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) {
const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion(); const MemRegion *SelfRegion = Call.getReceiverSVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(SelfRegion) && if (RegionOfInterest->isSubRegionOf(SelfRegion) &&
potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(), potentiallyWritesIntoIvar(Call.getRuntimeDefinition().getDecl(),
IvarR->getDecl())) IvarR->getDecl()))
return maybeEmitNote(R, *Call, N, {}, SelfRegion, "self", return maybeEmitNote(R, Call, N, {}, SelfRegion, "self",
/*FirstIsReferenceType=*/false, 1); /*FirstIsReferenceType=*/false, 1);
} }
return nullptr;
} }
if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) { PathDiagnosticPieceRef
const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion(); NoStoreFuncVisitor::maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
if (RegionOfInterest->isSubRegionOf(ThisR) && const CXXConstructorCall &Call,
!CCall->getDecl()->isImplicit()) const ExplodedNode *N) {
return maybeEmitNote(R, *Call, N, {}, ThisR, "this", const MemRegion *ThisR = Call.getCXXThisVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(ThisR) && !Call.getDecl()->isImplicit())
return maybeEmitNote(R, Call, N, {}, ThisR, "this",
/*FirstIsReferenceType=*/false, 1); /*FirstIsReferenceType=*/false, 1);
// Do not generate diagnostics for not modified parameters in // Do not generate diagnostics for not modified parameters in
// constructors. // constructors.
return nullptr; return nullptr;
} }
ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call); /// \return whether \p Ty points to a const type, or is a const reference.
for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) { static bool isPointerToConst(QualType Ty) {
const ParmVarDecl *PVD = parameters[I]; return !Ty->getPointeeType().isNull() &&
SVal V = Call->getArgSVal(I); Ty->getPointeeType().getCanonicalType().isConstQualified();
}
PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNoteForParameter(
PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N,
ArrayRef<ParmVarDecl *> Parameters, unsigned ParamIdx) {
for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
const ParmVarDecl *PVD = Parameters[I];
SVal V = Call.getArgSVal(I);
bool ParamIsReferenceType = PVD->getType()->isReferenceType(); bool ParamIsReferenceType = PVD->getType()->isReferenceType();
std::string ParamName = PVD->getNameAsString(); std::string ParamName = PVD->getNameAsString();
int IndirectionLevel = 1; unsigned IndirectionLevel = 1;
QualType T = PVD->getType(); QualType T = PVD->getType();
while (const MemRegion *MR = V.getAsRegion()) { while (const MemRegion *MR = V.getAsRegion()) {
if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T)) if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T))
return maybeEmitNote(R, *Call, N, {}, MR, ParamName, return maybeEmitNote(R, Call, N, {}, MR, ParamName,
ParamIsReferenceType, IndirectionLevel); ParamIsReferenceType, IndirectionLevel);
QualType PT = T->getPointeeType(); QualType PT = T->getPointeeType();
if (PT.isNull() || PT->isVoidType()) if (PT.isNull() || PT->isVoidType())
break; break;
ProgramStateRef State = N->getState();
if (const RecordDecl *RD = PT->getAsRecordDecl()) if (const RecordDecl *RD = PT->getAsRecordDecl())
if (Optional<RegionVector> P = if (Optional<RegionVector> P =
findRegionOfInterestInRecord(RD, State, MR)) findRegionOfInterestInRecord(RD, State, MR))
return maybeEmitNote(R, *Call, N, *P, RegionOfInterest, ParamName, return maybeEmitNote(R, Call, N, *P, RegionOfInterest, ParamName,
ParamIsReferenceType, IndirectionLevel); ParamIsReferenceType, IndirectionLevel);
V = State->getSVal(MR, PT); V = State->getSVal(MR, PT);
T = PT; T = PT;
IndirectionLevel++; IndirectionLevel++;
} }
} }
return nullptr; return nullptr;
} }
void NoStoreFuncVisitor::findModifyingFrames(const ExplodedNode *N) { bool NoStoreFuncVisitor::wasModifiedBeforeCallExit(
assert(N->getLocationAs<CallExitBegin>()); const ExplodedNode *CurrN, const ExplodedNode *CallExitN) {
ProgramStateRef LastReturnState = N->getState(); return ::wasRegionOfInterestModifiedAt(
SVal ValueAtReturn = LastReturnState->getSVal(RegionOfInterest); RegionOfInterest, CurrN,
const LocationContext *Ctx = N->getLocationContext(); CallExitN->getState()->getSVal(RegionOfInterest));
const StackFrameContext *OriginalSCtx = Ctx->getStackFrame();
do {
ProgramStateRef State = N->getState();
auto CallExitLoc = N->getLocationAs<CallExitBegin>();
if (CallExitLoc) {
LastReturnState = State;
ValueAtReturn = LastReturnState->getSVal(RegionOfInterest);
}
FramesModifyingCalculated.insert(N->getLocationContext()->getStackFrame());
if (wasRegionOfInterestModifiedAt(RegionOfInterest, N, ValueAtReturn)) {
const StackFrameContext *SCtx = N->getStackFrame();
while (!SCtx->inTopFrame()) {
auto p = FramesModifyingRegion.insert(SCtx);
if (!p.second)
break; // Frame and all its parents already inserted.
SCtx = SCtx->getParent()->getStackFrame();
}
}
// Stop calculation at the call to the current function.
if (auto CE = N->getLocationAs<CallEnter>())
if (CE->getCalleeContext() == OriginalSCtx)
break;
N = N->getFirstPred();
} while (N);
} }
static llvm::StringLiteral WillBeUsedForACondition = static llvm::StringLiteral WillBeUsedForACondition =
", which participates in a condition later"; ", which participates in a condition later";
PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNote( PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNote(
PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N, PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N,
const RegionVector &FieldChain, const MemRegion *MatchedRegion, const RegionVector &FieldChain, const MemRegion *MatchedRegion,
StringRef FirstElement, bool FirstIsReferenceType, StringRef FirstElement, bool FirstIsReferenceType,
unsigned IndirectionLevel) { unsigned IndirectionLevel) {
// Optimistically suppress uninitialized value bugs that result
// from system headers having a chance to initialize the value
// but failing to do so. It's too unlikely a system header's fault.
// It's much more likely a situation in which the function has a failure
// mode that the user decided not to check. If we want to hunt such
// omitted checks, we should provide an explicit function-specific note
// describing the precondition under which the function isn't supposed to
// initialize its out-parameter, and additionally check that such
// precondition can actually be fulfilled on the current path.
if (Call.isInSystemHeader()) {
// We make an exception for system header functions that have no branches.
// Such functions unconditionally fail to initialize the variable.
// If they call other functions that have more paths within them,
// this suppression would still apply when we visit these inner functions.
// One common example of a standard function that doesn't ever initialize
// its out parameter is operator placement new; it's up to the follow-up
// constructor (if any) to initialize the memory.
if (!N->getStackFrame()->getCFG()->isLinear())
R.markInvalid(getTag(), nullptr);
return nullptr;
}
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::create(N->getLocation(), SM); PathDiagnosticLocation::create(N->getLocation(), SM);
// For now this shouldn't trigger, but once it does (as we add more // For now this shouldn't trigger, but once it does (as we add more
// functions to the body farm), we'll need to decide if these reports // functions to the body farm), we'll need to decide if these reports
// are worth suppressing as well. // are worth suppressing as well.
if (!L.hasValidLocation()) if (!L.hasValidLocation())
return nullptr; return nullptr;
SmallString<256> sbuf; SmallString<256> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
os << "Returning without writing to '"; os << "Returning without writing to '";
// Do not generate the note if failed to pretty-print. // Do not generate the note if failed to pretty-print.
if (!prettyPrintRegionName(FirstElement, FirstIsReferenceType, MatchedRegion, if (!prettyPrintRegionName(FieldChain, MatchedRegion, FirstElement,
FieldChain, IndirectionLevel, os)) FirstIsReferenceType, IndirectionLevel, os))
return nullptr; return nullptr;
os << "'"; os << "'";
if (TKind == bugreporter::TrackingKind::Condition) if (TKind == bugreporter::TrackingKind::Condition)
os << WillBeUsedForACondition; os << WillBeUsedForACondition;
return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); return std::make_shared<PathDiagnosticEventPiece>(L, os.str());
} }
bool NoStoreFuncVisitor::prettyPrintRegionName(StringRef FirstElement, bool NoStoreFuncVisitor::prettyPrintRegionName(const RegionVector &FieldChain,
bool FirstIsReferenceType,
const MemRegion *MatchedRegion, const MemRegion *MatchedRegion,
const RegionVector &FieldChain, StringRef FirstElement,
int IndirectionLevel, bool FirstIsReferenceType,
unsigned IndirectionLevel,
llvm::raw_svector_ostream &os) { llvm::raw_svector_ostream &os) {
if (FirstIsReferenceType) if (FirstIsReferenceType)
IndirectionLevel--; IndirectionLevel--;
RegionVector RegionSequence; RegionVector RegionSequence;
// Add the regions in the reverse order, then reverse the resulting array. // Add the regions in the reverse order, then reverse the resulting array.
▲ Show 20 LinesShow All 2,523 LinesShow Last 20 Lines