This is an archive of the discontinued LLVM Phabricator instance.

Differential D110625

[analyzer] canonicalize special case of structure/pointer deref
ClosedPublic

Authored by vabridgers on Sep 28 2021, 6:54 AM.

Details

Reviewers
steakhal
martong
ASDenysPetrov
Commits
rGb29186c08ae2: [analyzer] canonicalize special case of structure/pointer deref
Summary

This simple change addresses a special case of structure/pointer
aliasing that produced different symbolvals, leading to false positives
during analysis.

The reproducer is as simple as this.

struct s {
  int v;
};

void foo(struct s *ps) {
  struct s ss = *ps;
  clang_analyzer_dump(ss.v); // reg_$1<int Element{SymRegion{reg_$0<struct s *ps>},0 S64b,struct s}.v>
  clang_analyzer_dump(ps->v); //reg_$3<int SymRegion{reg_$0<struct s *ps>}.v>
  clang_analyzer_eval(ss.v == ps->v); // UNKNOWN
}

Acks: Many thanks to @steakhal and @martong for the group debug session.

Diff Detail

Event Timeline

vabridgers created this revision.Sep 28 2021, 6:54 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 9 others. · View Herald TranscriptSep 28 2021, 6:54 AM
vabridgers requested review of this revision.Sep 28 2021, 6:54 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 28 2021, 6:54 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
vabridgers added a comment.Sep 28 2021, 6:55 AM

Just an initial push to get this patch out there for review. I think this is pretty close. Thanks @steakhal and @martong for the debug session!

steakhal edited the summary of this revision. (Show Details)Sep 28 2021, 7:00 AM
steakhal added a reviewer: ASDenysPetrov.
steakhal edited the summary of this revision. (Show Details)
Harbormaster completed remote builds in B126094: Diff 375559.Sep 28 2021, 7:17 AM
vabridgers planned changes to this revision.Sep 28 2021, 9:49 AM
vabridgers updated this revision to Diff 375640.Sep 28 2021, 10:38 AM

update test case

Harbormaster completed remote builds in B126141: Diff 375640.Sep 28 2021, 10:55 AM
martong added a comment.Sep 28 2021, 12:51 PM

Thanks Vince! Nice work!

Do you think it would be worth to have a test that checks the equality of a double pointer and a bi-dimensional array? Something like:

void struct_pointer_canon(struct s **ps) {
  struct s ss = **ps;
  clang_analyzer_eval(&(ps[0][0].v) == &((*ps)->v)); // expected-warning{{TRUE}}
}
martong accepted this revision.Sep 28 2021, 12:52 PM
This revision is now accepted and ready to land.Sep 28 2021, 12:52 PM
vabridgers added a comment.Sep 28 2021, 3:55 PM

@martong, Thanks for yes for sure! I'll post an update soon with a few minor test improvements.

vabridgers updated this revision to Diff 375727.Sep 28 2021, 3:58 PM

improve test cases per @martong

Harbormaster completed remote builds in B126204: Diff 375727.Sep 28 2021, 4:18 PM
steakhal added a comment.Sep 29 2021, 1:12 AM

nits

clang/test/Analysis/ptr-arith.c
337

It's probably unnecessary.

340

I would probably put this at the top of the file.

345

You should not hardcode the internal counter in the tests.
You can use regexp matching to workaround the issue. Here is an example:
// expected-warning-re@-2 {{reg_${{[[:digit:]]+}}<int v>}}

@-2 denotes that we expect a warning two lines above.

vabridgers updated this revision to Diff 375810.Sep 29 2021, 1:51 AM

updates per @steakhal comments

vabridgers marked 3 inline comments as done.Sep 29 2021, 1:52 AM

Thanks @steakhal and @martong for the comments! The patch has been updated.

Harbormaster completed remote builds in B126273: Diff 375810.Sep 29 2021, 2:02 AM
ASDenysPetrov added a comment.Sep 30 2021, 8:42 AM

I think we need to get canonical types.
Check, please, aliased types:

struct s {
  int v;
};
using T1 = s;
typedef s T2;
void foo(T1 *ps) {
  T2 ss = *ps;
  ...
}
vabridgers updated this revision to Diff 376374.Sep 30 2021, 2:42 PM

update per comments from Denys

Harbormaster completed remote builds in B126645: Diff 376374.Sep 30 2021, 2:42 PM
vabridgers added a comment.Sep 30 2021, 2:42 PM

@ASDenysPetrov , thank you for the comment. I added a test case per your suggestion.

steakhal added a comment.Sep 30 2021, 11:35 PM

'using' is the same as 'typedef' AFAIK.
So, you could simply use only typedefs and implement the test in the c test file. Seeing all the tests close together would aid readability IMO.
WDYT Denys? Btw does the SVval::getType return a canonical type in all cases?

ASDenysPetrov added a comment.EditedOct 1 2021, 1:51 AM
In D110625#3035616, @steakhal wrote:

'using' is the same as 'typedef' AFAIK.
So, you could simply use only typedefs and implement the test in the c test file. Seeing all the tests close together would aid readability IMO.

You're right. I'm OK with typedef.

WDYT Denys? Btw does the SVval::getType return a canonical type in all cases?

SVal::getType returns a QualType which can be aliased and cv-qualified. So, it may mismatch in comparison BT->getPointeeType() == elementType. That is my concern.

vabridgers updated this revision to Diff 376450.Oct 1 2021, 1:51 AM

added typedef case to C file for comparison, discussion

Harbormaster completed remote builds in B126686: Diff 376450.Oct 1 2021, 1:51 AM
vabridgers updated this revision to Diff 376452.Oct 1 2021, 1:58 AM

move test case from cpp file to c file

Harbormaster completed remote builds in B126688: Diff 376452.Oct 1 2021, 1:58 AM
vabridgers updated this revision to Diff 376453.Oct 1 2021, 2:09 AM

add const test case

Harbormaster completed remote builds in B126689: Diff 376453.Oct 1 2021, 2:09 AM
vabridgers added a comment.Oct 1 2021, 2:11 AM

I moved the test cases from ptr-arith.cpp to ptr-arith - using to typedef, and created an extra test case that uses const. I believe this may address all concerns discussed thus far? Please let me know if we need anything more and I'll get it done. Best!

steakhal added a comment.Oct 1 2021, 2:47 AM
In D110625#3035843, @ASDenysPetrov wrote:
In D110625#3035616, @steakhal wrote:

WDYT Denys? Btw does the SVval::getType return a canonical type in all cases?

SVal::getType returns a QualType which can be aliased and cv-qualified. So, it may mismatch in comparison BT->getPointeeType() == elementType. That is my concern.

I thought that SVal::getType should return an already canonical QualType. If it doesn't do that we would need to do canonicalization at each callsite, which is less than ideal IMO.
If it's not yet canonical, we should probably canonicalize within the getType() function probably. WDYT?

In D110625#3035866, @vabridgers wrote:

I moved the test cases from ptr-arith.cpp to ptr-arith - using to typedef, and created an extra test case that uses const. I believe this may address all concerns discussed thus far? Please let me know if we need anything more and I'll get it done. Best!

I think your change is good, but we need to sort some things out before moving forward with that.

ASDenysPetrov added a comment.Oct 1 2021, 3:17 AM
In D110625#3035929, @steakhal wrote:

I thought that SVal::getType should return an already canonical QualType. If it doesn't do that we would need to do canonicalization at each callsite, which is less than ideal IMO.
If it's not yet canonical, we should probably canonicalize within the getType() function probably. WDYT?

I believe that it returns non-canonical type. Yes, we shall get canonical versions separately for most cases in practice. This is not ideal but it would be worse to return canonical types at once along with loss of extra information.

steakhal added a comment.Oct 1 2021, 3:44 AM
In D110625#3035974, @ASDenysPetrov wrote:
In D110625#3035929, @steakhal wrote:

I thought that SVal::getType should return an already canonical QualType. If it doesn't do that we would need to do canonicalization at each callsite, which is less than ideal IMO.
If it's not yet canonical, we should probably canonicalize within the getType() function probably. WDYT?

I believe that it returns non-canonical type. Yes, we shall get canonical versions separately for most cases in practice. This is not ideal but it would be worse to return canonical types at once along with loss of extra information.

Okay, if this is the case, we will need to use getCanonicalType() on both BT and elementType.
Vince, could you update your change, just to make sure it will work in the future, even if the test doesn't show much difference with the current behavior?
Note that you cannot call getCanonicalType() on a null-type.

vabridgers updated this revision to Diff 376526.Oct 1 2021, 7:29 AM

Use canonical types for comparison

Harbormaster completed remote builds in B126710: Diff 376526.Oct 1 2021, 7:29 AM
vabridgers planned changes to this revision.Oct 5 2021, 9:53 AM

I'm refactoring the code change a bit. I'll push another update soon. Thanks for the comments.

vabridgers updated this revision to Diff 377309.Oct 5 2021, 11:13 AM

Refactor compare a little bit

This revision is now accepted and ready to land.Oct 5 2021, 11:13 AM
Harbormaster completed remote builds in B127122: Diff 377309.Oct 5 2021, 12:03 PM
steakhal accepted this revision.Oct 6 2021, 2:06 AM

It looks great.
Thanks Vince!

Closed by commit rGb29186c08ae2: [analyzer] canonicalize special case of structure/pointer deref (authored by vabridgers, committed by einvbri <vince.a.bridgers@ericsson.com>). · Explain WhyOct 6 2021, 3:19 AM
This revision was automatically updated to reflect the committed changes.
einvbri <vince.a.bridgers@ericsson.com> added a commit: rGb29186c08ae2: [analyzer] canonicalize special case of structure/pointer deref.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
13 lines
test/
Analysis/
57 lines

Diff 377490

clang/lib/StaticAnalyzer/Core/Store.cpp

Show First 20 LinesShow All 436 Lines▼ Show 20 Lines
} }
SVal StoreManager::getLValueIvar(const ObjCIvarDecl *decl, SVal base) { SVal StoreManager::getLValueIvar(const ObjCIvarDecl *decl, SVal base) {
return getLValueFieldOrIvar(decl, base); return getLValueFieldOrIvar(decl, base);
} }
SVal StoreManager::getLValueElement(QualType elementType, NonLoc Offset, SVal StoreManager::getLValueElement(QualType elementType, NonLoc Offset,
SVal Base) { SVal Base) {
// Special case, if index is 0, return the same type as if
// this was not an array dereference.
if (Offset.isZeroConstant()) {
QualType BT = Base.getType(this->Ctx);
if (!BT.isNull() && !elementType.isNull()) {
QualType PointeeTy = BT->getPointeeType();
if (!PointeeTy.isNull() &&
PointeeTy.getCanonicalType() == elementType.getCanonicalType())
return Base;
}
}
// If the base is an unknown or undefined value, just return it back. // If the base is an unknown or undefined value, just return it back.
// FIXME: For absolute pointer addresses, we just return that value back as // FIXME: For absolute pointer addresses, we just return that value back as
// well, although in reality we should return the offset added to that // well, although in reality we should return the offset added to that
// value. See also the similar FIXME in getLValueFieldOrIvar(). // value. See also the similar FIXME in getLValueFieldOrIvar().
if (Base.isUnknownOrUndef() || Base.getAs<loc::ConcreteInt>()) if (Base.isUnknownOrUndef() || Base.getAs<loc::ConcreteInt>())
return Base; return Base;
if (Base.getAs<loc::GotoLabel>()) if (Base.getAs<loc::GotoLabel>())
▲ Show 20 LinesShow All 74 LinesShow Last 20 Lines

clang/test/Analysis/ptr-arith.c

// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.core.FixedAddr,alpha.core.PointerArithm,alpha.core.PointerSub,debug.ExprInspection -analyzer-store=region -Wno-pointer-to-int-cast -verify -triple x86_64-apple-darwin9 -Wno-tautological-pointer-compare -analyzer-config eagerly-assume=false %s // RUN: %clang_analyze_cc1 -analyzer-checker=alpha.core.FixedAddr,alpha.core.PointerArithm,alpha.core.PointerSub,debug.ExprInspection -analyzer-store=region -Wno-pointer-to-int-cast -verify -triple x86_64-apple-darwin9 -Wno-tautological-pointer-compare -analyzer-config eagerly-assume=false %s
// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.core.FixedAddr,alpha.core.PointerArithm,alpha.core.PointerSub,debug.ExprInspection -analyzer-store=region -Wno-pointer-to-int-cast -verify -triple i686-apple-darwin9 -Wno-tautological-pointer-compare -analyzer-config eagerly-assume=false %s // RUN: %clang_analyze_cc1 -analyzer-checker=alpha.core.FixedAddr,alpha.core.PointerArithm,alpha.core.PointerSub,debug.ExprInspection -analyzer-store=region -Wno-pointer-to-int-cast -verify -triple i686-apple-darwin9 -Wno-tautological-pointer-compare -analyzer-config eagerly-assume=false %s
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
void clang_analyzer_dump(int);
void f1() { void f1() {
int a[10]; int a[10];
int *p = a; int *p = a;
++p; ++p;
} }
char* foo(); char* foo();
▲ Show 20 LinesShow All 312 Lines▼ Show 20 Lines
label:; label:;
} }
typedef __attribute__((__ext_vector_type__(2))) float simd_float2; typedef __attribute__((__ext_vector_type__(2))) float simd_float2;
float test_nowarning_on_vector_deref() { float test_nowarning_on_vector_deref() {
simd_float2 x = {0, 1}; simd_float2 x = {0, 1};
return x[1]; // no-warning return x[1]; // no-warning
} }
struct s {
int v;
};
steakhalUnsubmitted
Done
ReplyInline Actions

It's probably unnecessary.

steakhal: It's probably unnecessary.
// These three expressions should produce the same sym vals.
void struct_pointer_canon(struct s *ps) {
steakhalUnsubmitted
Done
ReplyInline Actions

I would probably put this at the top of the file.

steakhal: I would probably put this at the top of the file.
struct s ss = *ps;
clang_analyzer_dump((*ps).v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>}.v>}}
clang_analyzer_dump(ps[0].v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>}.v>}}
steakhalUnsubmitted
Done
ReplyInline Actions

You should not hardcode the internal counter in the tests.
You can use regexp matching to workaround the issue. Here is an example:
// expected-warning-re@-2 {{reg_${{[[:digit:]]+}}<int v>}}

@-2 denotes that we expect a warning two lines above.

steakhal: You should not hardcode the internal counter in the tests. You can use regexp matching to…
clang_analyzer_dump(ps->v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>}.v>}}
clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}}
clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}}
clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}}
}
void struct_pointer_canon_bidim(struct s **ps) {
struct s ss = **ps;
clang_analyzer_eval(&(ps[0][0].v) == &((*ps)->v)); // expected-warning{{TRUE}}
}
typedef struct s T1;
typedef struct s T2;
void struct_pointer_canon_typedef(T1 *ps) {
T2 ss = *ps;
clang_analyzer_dump((*ps).v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>}.v>}}
clang_analyzer_dump(ps[0].v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>}.v>}}
clang_analyzer_dump(ps->v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>}.v>}}
clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}}
clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}}
clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}}
}
void struct_pointer_canon_bidim_typedef(T1 **ps) {
T2 ss = **ps;
clang_analyzer_eval(&(ps[0][0].v) == &((*ps)->v)); // expected-warning{{TRUE}}
}
void struct_pointer_canon_const(const struct s *ps) {
struct s ss = *ps;
clang_analyzer_dump((*ps).v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>}.v>}}
clang_analyzer_dump(ps[0].v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>}.v>}}
clang_analyzer_dump(ps->v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>}.v>}}
clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}}
clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}}
clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}}
}