This is an archive of the discontinued LLVM Phabricator instance.

Differential D111535

[analyzer] Allow matching non-CallExprs using CallDescriptions
ClosedPublic

Authored by steakhal on Oct 11 2021, 3:40 AM.

Details

Reviewers
NoQ
martong
Szelethus
balazske
ASDenysPetrov
xazax.hun
Commits
rG72d04d7b2b53: [analyzer] Allow matching non-CallExprs using CallDescriptions
Summary

Fallback to stringification and string comparison if we cannot compare
the IdentifierInfos, which is the case for C++ overloaded operators,
constructors, destructors, etc.

Examples:

{ "std", "basic_string", "basic_string", 2} // match the 2 param std::string constructor
{ "std", "basic_string", "~basic_string" }  // match the std::string destructor
{ "aaa", "bbb", "operator int" } // matches the struct bbb conversion operator to int

Diff Detail

Event Timeline

steakhal created this revision.Oct 11 2021, 3:40 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 8 others. · View Herald TranscriptOct 11 2021, 3:40 AM
steakhal requested review of this revision.Oct 11 2021, 3:40 AM
steakhal added a parent revision: D111534: [analyzer][NFC] Refactor CallEvent::isCalled().
Harbormaster completed remote builds in B128072: Diff 378613.Oct 11 2021, 3:40 AM
steakhal added a child revision: D111247: [analyzer] Add std::string checker.Oct 11 2021, 3:41 AM
steakhal mentioned this in D111247: [analyzer] Add std::string checker.Oct 11 2021, 4:54 AM
whisperity added inline comments.Oct 11 2021, 5:26 AM
clang/unittests/StaticAnalyzer/CallDescriptionTest.cpp
67

Oh yeah, if only. But also, sadly, D98477 is stalled... ☹

69

Is there a chance people accidentally passing const X (perhaps involving decltype somewhere) to T cause a problem in this logic? is_same does not remove qualifiers, right?

77

"Unsupported expression kind in CallDescriptor" for message? When an UNREACHABLE is hit, the user is only given the message (just like in the case of assert()) and not a context useful enough to deduce what only these is supposed to mean...

89

(Ditto, as before.)

steakhal added a comment.Oct 11 2021, 5:43 AM

Thanks for the review @whisperity.
If you don't have strong objections I wouldn't change the code.

clang/unittests/StaticAnalyzer/CallDescriptionTest.cpp
69

It simply explicitly express the limitations of the unit-test itself.
It's not supposed to be user-facing to the developers.
That being said, I don't want to spew metaprogramming without much reason.

The best would be to somehow reuse the actual dispatching logic embedded into the analyzer expr engine.
However, that is tightly coupled with the exploded graph-building logic, so it won't happen any time soon.

77

By the end of the day, it doesn't really matter what the message is, it's for developers only.
They would have to check the code to make a conscious decision about *what* exactly is missing :D

I don't mind improving the message, but it won't help by any means.

balazske added a subscriber: balazske.Oct 11 2021, 9:21 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
333–335
martong added a comment.Oct 13 2021, 4:00 AM

Nice way of refactoring the tests!

However, could have a test that checks if the logic "sees through" type aliases? E.g. can we match the ctor of std::string even if we have using X = std::string; X x("banana");

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
333–335
334

Is it possible to have an empty QualifiedName at this point? Should we assert that it is not empty?

steakhal added a comment.Oct 13 2021, 4:46 AM
In D111535#3060932, @martong wrote:

Nice way of refactoring the tests!

However, could have a test that checks if the logic "sees through" type aliases? E.g. can we match the ctor of std::string even if we have using X = std::string; X x("banana");

I agree but did not want to pollute the blame of this commit. I want to have tests covering *only* the changed parts.
I'm going to create a follow-up patch covering this case.

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
334

Technically it's a class invariant. We must have at least one element in that vector, representing the name of the function/operator/etc. of the entity that we want to match against. In that sense, we should add an assertion in the constructor of the class enforcing this property.

I wanted to focus only on the isCalled() function in this patch, but I can introduce that assertion into the CallDescription class without much problem I suppose. I'm gonna address this.

steakhal updated this revision to Diff 379671.Oct 14 2021, 5:10 AM
steakhal edited the summary of this revision. (Show Details)
steakhal added reviewers: balazske, ASDenysPetrov.

I reorganized the changes across the patches. The first NFC patch introduced the unittests to cover a lot more cases and gain confidence that the actual refactor in the second NFC patch does not break anything.
Finally, this patch simply switches the behavior in that sense, to have the expected behavior.

steakhal added a child revision: D111795: [analyzer] Reject incomplete matches in CallEvent::isCalled(), also introduce wildcards.Oct 14 2021, 5:12 AM
Harbormaster completed remote builds in B128833: Diff 379671.Oct 14 2021, 5:57 AM
martong accepted this revision.Oct 14 2021, 7:09 AM

LGTM!

This revision is now accepted and ready to land.Oct 14 2021, 7:09 AM
steakhal updated this revision to Diff 379779.Oct 14 2021, 11:05 AM
steakhal marked 7 inline comments as done.
Harbormaster completed remote builds in B128910: Diff 379779.Oct 14 2021, 11:53 AM
steakhal added a reviewer: xazax.hun.Oct 14 2021, 12:03 PM
Closed by commit rG72d04d7b2b53: [analyzer] Allow matching non-CallExprs using CallDescriptions (authored by steakhal). · Explain WhyOct 18 2021, 5:58 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG72d04d7b2b53: [analyzer] Allow matching non-CallExprs using CallDescriptions.
Herald added a project: Restricted Project. · View Herald TranscriptOct 18 2021, 5:58 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
6 lines
unittests/
StaticAnalyzer/
6 lines

Diff 380363

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 LinesShow All 322 Lines▼ Show 20 Linesbool CallEvent::isCalled(const CallDescription &CD) const {
} }
const auto MatchNameOnly = [](const CallDescription &CD, const auto MatchNameOnly = [](const CallDescription &CD,
const NamedDecl *ND) -> bool { const NamedDecl *ND) -> bool {
DeclarationName Name = ND->getDeclName(); DeclarationName Name = ND->getDeclName();
if (const auto *II = Name.getAsIdentifierInfo()) if (const auto *II = Name.getAsIdentifierInfo())
return II == CD.II.getValue(); // Fast case. return II == CD.II.getValue(); // Fast case.
// Simply report mismatch for: // Fallback to the slow stringification and comparison for:
// C++ overloaded operators, constructors, destructors, etc. // C++ overloaded operators, constructors, destructors, etc.
return false; // FIXME This comparison is way SLOWER than comparing pointers.
// At some point in the future, we should compare FunctionDecl pointers.
martongUnsubmitted
Done
ReplyInline Actions

Is it possible to have an empty QualifiedName at this point? Should we assert that it is not empty?

martong: Is it possible to have an empty `QualifiedName` at this point? Should we assert that it is not…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Technically it's a class invariant. We must have at least one element in that vector, representing the name of the function/operator/etc. of the entity that we want to match against. In that sense, we should add an assertion in the constructor of the class enforcing this property.

I wanted to focus only on the isCalled() function in this patch, but I can introduce that assertion into the CallDescription class without much problem I suppose. I'm gonna address this.

steakhal: Technically it's a class invariant. We must have at least one element in that vector…
return Name.getAsString() == CD.getFunctionName();
balazskeUnsubmitted
Done
ReplyInline Actions
return II == CD.II; // Fast case.
- // Fallback to the slow case.
+ // If it's not a simple identifier, e.g. C++ overload, constructor, operator
+ // call, compare the string names.
return Name.getAsString() == CD.QualifiedName.back();
balazske:
martongUnsubmitted
Done
ReplyInline Actions
return II == CD.II; // Fast case.
- // Fallback to the slow case.
+ // If it's not a simple identifier, e.g. C++ overload, constructor, operator
+ // call, compare the strings names.
+ // FIXME This comparison is way SLOWER than comparing pointers.
+ // At some point in the future, we should compare FunctionDecl pointers.
+
return Name.getAsString() == CD.QualifiedName.back();
martong:
}; };
const auto ExactMatchArgAndParamCounts = const auto ExactMatchArgAndParamCounts =
[](const CallEvent &Call, const CallDescription &CD) -> bool { [](const CallEvent &Call, const CallDescription &CD) -> bool {
const bool ArgsMatch = const bool ArgsMatch =
!CD.RequiredArgs || CD.RequiredArgs == Call.getNumArgs(); !CD.RequiredArgs || CD.RequiredArgs == Call.getNumArgs();
const bool ParamsMatch = const bool ParamsMatch =
!CD.RequiredParams || CD.RequiredParams == Call.parameters().size(); !CD.RequiredParams || CD.RequiredParams == Call.parameters().size();
▲ Show 20 LinesShow All 1,156 LinesShow Last 20 Lines

clang/unittests/StaticAnalyzer/CallDescriptionTest.cpp

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines void performTest(const Decl *D) {
if (!D->hasBody()) if (!D->hasBody())
return; return;
const StackFrameContext *SFC = const StackFrameContext *SFC =
Eng.getAnalysisDeclContextManager().getStackFrame(D); Eng.getAnalysisDeclContextManager().getStackFrame(D);
const ProgramStateRef State = Eng.getInitialState(SFC); const ProgramStateRef State = Eng.getInitialState(SFC);
// FIXME: Maybe use std::variant and std::visit for these. // FIXME: Maybe use std::variant and std::visit for these.
whisperityUnsubmitted
Done
ReplyInline Actions

Oh yeah, if only. But also, sadly, D98477 is stalled... ☹

whisperity: Oh yeah, if only. But also, sadly, D98477 is stalled... ☹
const auto MatcherCreator = []() { const auto MatcherCreator = []() {
if (std::is_same<T, CallExpr>::value) if (std::is_same<T, CallExpr>::value)
whisperityUnsubmitted
Done
ReplyInline Actions

Is there a chance people accidentally passing const X (perhaps involving decltype somewhere) to T cause a problem in this logic? is_same does not remove qualifiers, right?

whisperity: Is there a chance people accidentally passing `const X` (perhaps involving `decltype`…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

It simply explicitly express the limitations of the unit-test itself.
It's not supposed to be user-facing to the developers.
That being said, I don't want to spew metaprogramming without much reason.

The best would be to somehow reuse the actual dispatching logic embedded into the analyzer expr engine.
However, that is tightly coupled with the exploded graph-building logic, so it won't happen any time soon.

steakhal: It simply explicitly express the limitations of the unit-test itself. It's not supposed to be…
return callExpr(); return callExpr();
if (std::is_same<T, CXXConstructExpr>::value) if (std::is_same<T, CXXConstructExpr>::value)
return cxxConstructExpr(); return cxxConstructExpr();
if (std::is_same<T, CXXMemberCallExpr>::value) if (std::is_same<T, CXXMemberCallExpr>::value)
return cxxMemberCallExpr(); return cxxMemberCallExpr();
if (std::is_same<T, CXXOperatorCallExpr>::value) if (std::is_same<T, CXXOperatorCallExpr>::value)
return cxxOperatorCallExpr(); return cxxOperatorCallExpr();
llvm_unreachable("Only these expressions are supported for now."); llvm_unreachable("Only these expressions are supported for now.");
whisperityUnsubmitted
Done
ReplyInline Actions

"Unsupported expression kind in CallDescriptor" for message? When an UNREACHABLE is hit, the user is only given the message (just like in the case of assert()) and not a context useful enough to deduce what only these is supposed to mean...

whisperity: `"Unsupported expression kind in CallDescriptor"` for message? When an //UNREACHABLE// is hit…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

By the end of the day, it doesn't really matter what the message is, it's for developers only.
They would have to check the code to make a conscious decision about *what* exactly is missing :D

I don't mind improving the message, but it won't help by any means.

steakhal: By the end of the day, it doesn't really matter what the message is, it's for developers only.
}; };
const Expr *E = findNode<T>(D, MatcherCreator()); const Expr *E = findNode<T>(D, MatcherCreator());
CallEventManager &CEMgr = Eng.getStateManager().getCallEventManager(); CallEventManager &CEMgr = Eng.getStateManager().getCallEventManager();
CallEventRef<> Call = [=, &CEMgr]() -> CallEventRef<CallEvent> { CallEventRef<> Call = [=, &CEMgr]() -> CallEventRef<CallEvent> {
if (std::is_base_of<CallExpr, T>::value) if (std::is_base_of<CallExpr, T>::value)
return CEMgr.getCall(E, State, SFC); return CEMgr.getCall(E, State, SFC);
if (std::is_same<T, CXXConstructExpr>::value) if (std::is_same<T, CXXConstructExpr>::value)
return CEMgr.getCXXConstructorCall(cast<CXXConstructExpr>(E), return CEMgr.getCXXConstructorCall(cast<CXXConstructExpr>(E),
/*Target=*/nullptr, State, SFC); /*Target=*/nullptr, State, SFC);
llvm_unreachable("Only these expressions are supported for now."); llvm_unreachable("Only these expressions are supported for now.");
whisperityUnsubmitted
Done
ReplyInline Actions

(Ditto, as before.)

whisperity: (Ditto, as before.)
}(); }();
// If the call actually matched, check if we really expected it to match. // If the call actually matched, check if we really expected it to match.
const bool *LookupResult = RM.lookup(*Call); const bool *LookupResult = RM.lookup(*Call);
EXPECT_TRUE(!LookupResult || *LookupResult); EXPECT_TRUE(!LookupResult || *LookupResult);
// ResultMap is responsible for making sure that we've found *all* calls. // ResultMap is responsible for making sure that we've found *all* calls.
} }
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Lines
} }
TEST(CallDescription, MatchConstructor) { TEST(CallDescription, MatchConstructor) {
constexpr StringRef AdditionalCode = R"code( constexpr StringRef AdditionalCode = R"code(
void foo() { void foo() {
using namespace std; using namespace std;
basic_string<char> s("hello"); basic_string<char> s("hello");
})code"; })code";
// FIXME: We should match.
const std::string Code = (Twine{MockStdStringHeader} + AdditionalCode).str(); const std::string Code = (Twine{MockStdStringHeader} + AdditionalCode).str();
EXPECT_TRUE(tooling::runToolOnCode( EXPECT_TRUE(tooling::runToolOnCode(
std::unique_ptr<FrontendAction>( std::unique_ptr<FrontendAction>(
new CallDescriptionAction<CXXConstructExpr>({ new CallDescriptionAction<CXXConstructExpr>({
{{{"std", "basic_string", "basic_string"}, 2, 2}, false}, {{{"std", "basic_string", "basic_string"}, 2, 2}, true},
})), })),
Code)); Code));
} }
// FIXME: Test matching destructors: {"std", "basic_string", "~basic_string"} // FIXME: Test matching destructors: {"std", "basic_string", "~basic_string"}
// This feature is actually implemented, but the test infra is not yet // This feature is actually implemented, but the test infra is not yet
// sophisticated enough for testing this. To do that, we will need to // sophisticated enough for testing this. To do that, we will need to
// implement a much more advanced dispatching mechanism using the CFG for // implement a much more advanced dispatching mechanism using the CFG for
// the implicit destructor events. // the implicit destructor events.
TEST(CallDescription, MatchConversionOperator) { TEST(CallDescription, MatchConversionOperator) {
constexpr StringRef Code = R"code( constexpr StringRef Code = R"code(
namespace aaa { namespace aaa {
namespace bbb { namespace bbb {
struct Bar { struct Bar {
operator int(); operator int();
}; };
} // bbb } // bbb
} // aaa } // aaa
void foo() { void foo() {
aaa::bbb::Bar x; aaa::bbb::Bar x;
int tmp = x; int tmp = x;
})code"; })code";
// FIXME: We should match.
EXPECT_TRUE(tooling::runToolOnCode( EXPECT_TRUE(tooling::runToolOnCode(
std::unique_ptr<FrontendAction>(new CallDescriptionAction<>({ std::unique_ptr<FrontendAction>(new CallDescriptionAction<>({
{{{"aaa", "bbb", "Bar", "operator int"}}, false}, {{{"aaa", "bbb", "Bar", "operator int"}}, true},
})), })),
Code)); Code));
} }
TEST(CallDescription, RejectOverQualifiedNames) { TEST(CallDescription, RejectOverQualifiedNames) {
constexpr auto Code = R"code( constexpr auto Code = R"code(
namespace my { namespace my {
namespace std { namespace std {
▲ Show 20 LinesShow All 265 LinesShow Last 20 Lines