This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
7/10
SValBuilder.h
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
-
CastValueChecker.cpp
-
MallocChecker.cpp
-
RetainCountChecker/
-
RetainCountChecker.cpp
12/12
SmartPtrModeling.cpp
-
StreamChecker.cpp
-
Core/
-
ExprEngineC.cpp
-
RegionStore.cpp
-
SValBuilder.cpp

Differential D119601

[analyzer] Refactor makeNull to makeNullWithWidth (NFC)
ClosedPublic

Authored by vabridgers on Feb 11 2022, 3:35 PM.

Download Raw Diff

Details

Reviewers

NoQ
martong
steakhal

Commits

rG985888411da9: [analyzer] Refactor makeNull to makeNullWithWidth (NFC)

Summary

Usages of makeNull need to be deprecated in favor of makeNullWithWidth
for architectures where the pointer size should not be assumed. This can
occur when pointer sizes can be of different sizes, depending on address
space for example. See https://reviews.llvm.org/D118050 as an example.

This was uncovered initially in a downstream compiler project, and
tested through those systems tests.

steakhal performed systems testing across a large set of open source
projects.

Co-authored-by: steakhal
Resolves: https://github.com/llvm/llvm-project/issues/53664

Diff Detail

Repository: rG LLVM Github Monorepo

Unit TestsFailed

	Time	Test
	1,860 ms	x64 debian > libomp.tasking::kmp_taskwait_depend_all.c

Event Timeline

vabridgers created this revision.Feb 11 2022, 3:35 PM

Herald added subscribers: manas, steakhal, ASDenysPetrov and 9 others. · View Herald TranscriptFeb 11 2022, 3:35 PM

vabridgers requested review of this revision.Feb 11 2022, 3:35 PM

Herald added a project: Restricted Project. · View Herald TranscriptFeb 11 2022, 3:35 PM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B149131: Diff 408082.Feb 11 2022, 4:32 PM

NoQ added inline comments.Feb 11 2022, 8:15 PM

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
645–646	I don't think this is the right type. This should be the raw pointer type for the corresponding smart pointer, not a pointer to the smart pointer. `Call.getResultType()` should be good. Also general advice, do not use `SVal::getType()` when you can obtain the type from the AST instead. `SVal::getType()` is speculative and it inevitably loses some information (in particular, it doesn't discriminate between lvalues and pointers).
785	Same here.
812	You're using `dyn_cast` but you're unconditionally dereferencing the result later. Looking at other copies of similar code, you probably need a null check. (Does running the static analyzer produce a warning here? We have a checker for this!)
885	I suspect that this type is going to be `bool` which is probably not what you want.

steakhal performed systems testing across a large set of open source projects.

I'm curious if any findings there caused you to make changes in the patch. If so it'd be great to reduce them into test cases so that other people didn't make the same mistake when they edit your new code.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
885	I think it makes sense to add an assertion in `makeNullWithType()` to protect against such cases. This will probably also allow you to cover this with a test case.

Thanks for the comments. I'll address and revert back soon.

In D119601#3317317, @NoQ wrote:

steakhal performed systems testing across a large set of open source projects.

I'm curious if any findings there caused you to make changes in the patch. If so it'd be great to reduce them into test cases so that other people didn't make the same mistake when they edit your new code.

This patch was driven mostly by the negative cases we uncovered as represented in patch https://reviews.llvm.org/D118050. Basically, we have an internal proprietary multicore CPU with a CPU-local address space and a "global" common address space. We support memcpy intrinsics to copy to/from these memories with the different address space pointers - which also happen to be different pointer widths. The CString checker does an overlap check, and an assert caught a pointer comparison using different pointer widths. So the basic fix is to avoid overlap checks when the pointers are of different address spaces, and then that change ripples into these changes and the required supporting test cases. We also see similar problems in the SMTConv layer that we're just patching up internally for now in a non-principled way that are not suitable for upstreaming (yet).

Since our target is downstream, it's challenging to find equivalent and relevant test cases, but we've made some headway since we found some GPUs also have similar properties. https://reviews.llvm.org/D118050 has one such test case. Perhaps it makes sense to squash that change with this one? @NoQ, do you have thoughts or a recommendation for squashing these two changes?

Looks like our internal test cases can be refactored to use GPU address spaces for supporting test cases, I'll add those.

As always, thanks for the guidance. Best

I explored some test cases, and the rabbit hole gets deeper :) Continuing to explore. Best

Address NoQ comments

I believe I've addressed all of Artem's comments thus far. This is a NFC patch, so will include no test cases. We detected these inconsistencies in getting NULL pointers in our downstream target, that supports 2 different pointer sizes depending on address space. That review is here, https://reviews.llvm.org/D118050, and is dependent upon these fixes (makeNull -> makeNullWithWidth refactoring). These two patches will be kept separate, with this patch reviewed and submitted first followed by https://reviews.llvm.org/D118050.

Please let me know what else needs to be done to move this patch forward. Thanks - Vince

vabridgers retitled this revision from [analyzer] Refactor makeNull to makeNullWithWidth to [analyzer] Refactor makeNull to makeNullWithWidth (NFC).Feb 17 2022, 12:34 PM

Harbormaster completed remote builds in B150305: Diff 409750.Feb 17 2022, 12:57 PM

steakhal added inline comments.Feb 18 2022, 3:39 AM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
368–375	Add a comment that `isAnyPointerType()` won't work here.
371	But you also let reference types.
372	You should also remove the `BasicValueFactor::getZeroWithPtrWidth()` along with `BasicValueFactor::getIntWithPtrWidth()` since those suffer from the same issue. Feel free to do that in a separate patch.
372–376
clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
123	You don't need the whole `CheckerContext`. Pass the `ASTContext` instead. I would also recommend using `Idx` instead of `ndx`
133	You should just return it. Oh wait, you also wrap it inside a pointer. The name of the function does not reflect this. Either rename it or hoist this to the callsite.
388	You should use the `CC->getDecl()->getThisType()` instead.
646	Similarly to the previous one, use `getThisType()`.
750–751	Same here.
786	At first glance, all callsites have access to the `getThisType()`, so we shouldn't dig this up from the specialization decl.
885	You probably never want to use `Call.getResultType()` in this file for this context. Something like this would be more appropriate: `cast<CXXMethodDecl>(Call.getDecl())->getThisType()`

refactor based on @steakhal comments

Harbormaster completed remote builds in B150402: Diff 409896.Feb 18 2022, 4:50 AM

vabridgers marked 10 inline comments as done.Feb 18 2022, 5:37 AM

vabridgers marked an inline comment as done.Feb 18 2022, 5:53 AM

vabridgers added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
372	Will do. I had also left "TODO" comments in a different source file. I'll find those, clean those up also.

vabridgers added a reviewer: steakhal.Feb 23 2022, 2:21 AM

vabridgers added a parent revision: D118050: [analyzer] Avoid checking addrspace pointers in cstring checker.Feb 23 2022, 3:21 AM

I'm satisfied. I cannot see any issues.
AFAI remember the tests runs uncovered no report changes - as expected from an NFC change.
So it's good to go on my part.
Wait for a review from @NoQ, just to be sure. Unless Artem has objections, just commit this and the whole patch stack next week.

This revision is now accepted and ready to land.Feb 23 2022, 4:12 AM

@NoQ - ping!

Herald added a project: Restricted Project. · View Herald TranscriptMar 1 2022, 5:09 PM

Is it ok to land this change? Or shall we continue to wait on @NoQ ?

Land it.

NoQ added inline comments.Mar 8 2022, 4:57 PM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
378	How do you discover the pointer width by looking only at the pointee type? Are objects of specific type always restricted to a specific address space? I.e., does every `int *` have the same width everywhere in the program? If not, how is this code supposed to work?

vabridgers added inline comments.Mar 18 2022, 5:17 PM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

378

The case this code addresses is represented in the test case clang/test/Analysis/cast-value-notes.cpp, this function ...

24 void evalReferences(const Shape &S) {
25   const auto &C = dyn_cast<Circle>(S);
26   // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
27   // expected-note@-2 {{Dereference of null pointer}}
28   // expected-warning@-3 {{Dereference of null pointer}}
29 }

The crash occurs from line 25 above.

Debug printing what I see at this point in the code for this case ...

QualType type : LValueReferenceType 0xffea820 'const class clang::Circle &'
`-QualType 0xffea7c1 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0xffea7c0 'class clang::Circle' sugar
    |-TemplateTypeParmType 0xffe4f90 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0xffe4f40 'X'
    `-RecordType 0xffea090 'class clang::Circle'
      `-CXXRecord 0xffea000 'Circle'

Context.getPointerType(type) : PointerType 0x10006ab0 'const class clang::Circle &*'
`-LValueReferenceType 0xffea820 'const class clang::Circle &'
  `-QualType 0xffea7c1 'const class clang::Circle' const
    `-SubstTemplateTypeParmType 0xffea7c0 'class clang::Circle' sugar
      |-TemplateTypeParmType 0xffe4f90 'X' dependent depth 0 index 0
      | `-TemplateTypeParm 0xffe4f40 'X'
      `-RecordType 0xffea090 'class clang::Circle'
        `-CXXRecord 0xffea000 'Circle'

Context.getPointerType(type->getPointeeType()) : PointerType 0x10006ae0 'const class clang::Circle *'
`-QualType 0xffea7c1 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0xffea7c0 'class clang::Circle' sugar
    |-TemplateTypeParmType 0xffe4f90 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0xffe4f40 'X'
    `-RecordType 0xffea090 'class clang::Circle'
      `-CXXRecord 0xffea000 'Circle'

The LValueReferenceType causes a crash if I do not get a pointer type, looks like ...

clang:  <root>/clang/include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h:219: const llvm::APSInt& clang::ento::BasicValueFactory::getZeroWithTypeSize(clang::QualType): Assertion `T->isScalarType()' failed.

I'm assuming the pointer type retains the address space attribute of the LValueReferenceType.

Context.getPointerType(type->getPointeeType()) produces a QualType : PointerType 'const class clang::Circle *' from an original QualType : LValueReferenceType 'const class clang::Circle &'

Is this not what's wanted - a pointer type instead of a reference, with the same address space qualifiers, or am I missing something in the query?

Thanks

NoQ added inline comments.Mar 18 2022, 10:18 PM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
378	Do I understand correctly that `__attribute__((address_space))` is a type attribute that gets applied to values rather than to pointers, so `__attribute__((address_space(3))) int *x` defines `x` as "pointer to (int that lives in address_space(3))", so when you unwrap the pointer type you get an "int that lives in address_space(3)"? Can you share some dumps to demonstrate that the attribute is correctly preserved by this procedure? Damn, a test case could be great if we could have them.

vabridgers added inline comments.Mar 19 2022, 6:24 AM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
378	I'll see what can be done about a test case, and provide the dumps for evaluation. Best

add updated test cases per comments from NoQ

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

378

I developed "a" test methodology to demonstrate this at work. I modified the LIT case to use "dyn_cast<Circle>(S)" and "dyn_cast<attribute((address_space(3))) Circle>(S)", checking the program state using clang_analyzer_printState(). Here's the info I see from the program state and from debug prints in each case.

First, the "dyn_cast<Circle>(S)" case.

void evalReferences(const Shape &S) {
  const auto &C = dyn_cast<Circle>(S);
  clang_analyzer_printState();
  ...
}

  "dynamic_types": [
    { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const class clang::Circle &", "sub_classable": true }


QualType type : LValueReferenceType 0x1118ef60 'const class clang::Circle &'
`-QualType 0x1118ef01 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0x1118ef00 'class clang::Circle' sugar
    |-TemplateTypeParmType 0x111887d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11188780 'X'
    `-RecordType 0x1118e710 'class clang::Circle'
      `-CXXRecord 0x1118e680 'Circle'

Context.getPointerType(type) : PointerType 0x111a94d0 'const class clang::Circle &*'
`-LValueReferenceType 0x1118ef60 'const class clang::Circle &'
  `-QualType 0x1118ef01 'const class clang::Circle' const
    `-SubstTemplateTypeParmType 0x1118ef00 'class clang::Circle' sugar
      |-TemplateTypeParmType 0x111887d0 'X' dependent depth 0 index 0
      | `-TemplateTypeParm 0x11188780 'X'
      `-RecordType 0x1118e710 'class clang::Circle'
        `-CXXRecord 0x1118e680 'Circle'

Context.getPointerType(type->getPointeeType()) : PointerType 0x111a9500 'const class clang::Circle *'
`-QualType 0x1118ef01 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0x1118ef00 'class clang::Circle' sugar
    |-TemplateTypeParmType 0x111887d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11188780 'X'
    `-RecordType 0x1118e710 'class clang::Circle'
      `-CXXRecord 0x1118e680 'Circle'

then the "dyn_cast<attribute((address_space(3))) Circle>(S)" case

void evalReferences(const Shape &S) {
  const auto &C = dyn_cast<__attribute__((address_space(3))) Circle>(S);
  clang_analyzer_printState();
  ...
}

 "dynamic_types": [
    { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const __attribute__((address_space(3))) class clang::Circle &", "sub_classable": true }


QualType type : LValueReferenceType 0x11527030 'const __attribute__((address_space(3))) class clang::Circle &'
`-QualType 0x11526fd1 'const __attribute__((address_space(3))) class clang::Circle' const
  `-SubstTemplateTypeParmType 0x11526fd0 '__attribute__((address_space(3))) class clang::Circle' sugar
    |-TemplateTypeParmType 0x115207d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11520780 'X'
    `-QualType 0x11526ce8 '__attribute__((address_space(3))) class clang::Circle' __attribute__((address_space(3)))
      `-RecordType 0x11526710 'class clang::Circle'
        `-CXXRecord 0x11526680 'Circle'

Context.getPointerType(type) : PointerType 0x115424e0 'const __attribute__((address_space(3))) class clang::Circle &*'
`-LValueReferenceType 0x11527030 'const __attribute__((address_space(3))) class clang::Circle &'
  `-QualType 0x11526fd1 'const __attribute__((address_space(3))) class clang::Circle' const
    `-SubstTemplateTypeParmType 0x11526fd0 '__attribute__((address_space(3))) class clang::Circle' sugar
      |-TemplateTypeParmType 0x115207d0 'X' dependent depth 0 index 0
      | `-TemplateTypeParm 0x11520780 'X'
      `-QualType 0x11526ce8 '__attribute__((address_space(3))) class clang::Circle' __attribute__((address_space(3)))
        `-RecordType 0x11526710 'class clang::Circle'
          `-CXXRecord 0x11526680 'Circle'

Context.getPointerType(type->getPointeeType()) : PointerType 0x11542510 'const __attribute__((address_space(3))) class clang::Circle *'
`-QualType 0x11526fd1 'const __attribute__((address_space(3))) class clang::Circle' const
  `-SubstTemplateTypeParmType 0x11526fd0 '__attribute__((address_space(3))) class clang::Circle' sugar
    |-TemplateTypeParmType 0x115207d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11520780 'X'
    `-QualType 0x11526ce8 '__attribute__((address_space(3))) class clang::Circle' __attribute__((address_space(3)))
      `-RecordType 0x11526710 'class clang::Circle'
        `-CXXRecord 0x11526680 'Circle'

So it looks to me like the address space attribute is retained through both the "Context.getPointerType(type)" and "Context.getPointerType(type->getPointeeType())" invocations.

This also revealed the core.NullDereference checker is ignoring pointers with address space attributes - so the test cases need to be different for this change (at least for now).

I think this is enough to prove this is a NFC. Please let me know if there's anything else I need to do here.

Best

Harbormaster completed remote builds in B155225: Diff 416735.Mar 19 2022, 2:16 PM

All clear now. Amazing, thank you for your detailed response, I've corrected my understanding of address spaces so I'll be able to understand future patches better.

Closed by commit rG985888411da9: [analyzer] Refactor makeNull to makeNullWithWidth (NFC) (authored by vabridgers, committed by einvbri <vince.a.bridgers@ericsson.com>). · Explain WhyMar 22 2022, 5:35 AM

This revision was automatically updated to reflect the committed changes.

einvbri <vince.a.bridgers@ericsson.com> added a commit: rG985888411da9: [analyzer] Refactor makeNull to makeNullWithWidth (NFC).

Revision Contents

Path

Size

clang/

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

SValBuilder.h

13 lines

lib/

StaticAnalyzer/

Checkers/

CastValueChecker.cpp

9 lines

MallocChecker.cpp

4 lines

RetainCountChecker/

RetainCountChecker.cpp

3 lines

SmartPtrModeling.cpp

34 lines

StreamChecker.cpp

5 lines

Core/

ExprEngineC.cpp

5 lines

RegionStore.cpp

2 lines

SValBuilder.cpp

6 lines

Diff 408082

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

Show First 20 Lines • Show All 359 Lines • ▼ Show 20 Lines public:

nonloc::ConcreteInt makeTruthVal(bool b) { nonloc::ConcreteInt makeTruthVal(bool b) {

return nonloc::ConcreteInt(BasicVals.getTruthValue(b)); return nonloc::ConcreteInt(BasicVals.getTruthValue(b));

} }

/// Create NULL pointer, with proper pointer bit-width for given address /// Create NULL pointer, with proper pointer bit-width for given address

/// space. /// space.

/// \param type pointer type. /// \param type pointer type.

Loc makeNullWithType(QualType type) { Loc makeNullWithType(QualType type) {

return loc::ConcreteInt(BasicVals.getZeroWithTypeSize(type)); // step1 - this assert

// step2 - remove this assert, add the steps from CastValueChecker.cpp

// assert(!type->isReferenceType());

QualType nullType = type;

steakhalUnsubmitted

Done

But you also let reference types.

steakhal: But you also let reference types.

if (type->isReferenceType()) {

nullType = Context.getPointerType(type->getPointeeType());

} }

return loc::ConcreteInt(BasicVals.getZeroWithTypeSize(nullType));

steakhalUnsubmitted

Done

Add a comment that isAnyPointerType() won't work here.

steakhal: Add a comment that `isAnyPointerType()` won't work here.

Loc makeNull() {

return loc::ConcreteInt(BasicVals.getZeroWithPtrWidth());

steakhalUnsubmitted

Done

You should also remove the BasicValueFactor::getZeroWithPtrWidth() along with BasicValueFactor::getIntWithPtrWidth() since those suffer from the same issue.
Feel free to do that in a separate patch.

steakhal: You should also remove the `BasicValueFactor::getZeroWithPtrWidth()` along with…

vabridgersAuthorUnsubmitted

Done

Will do. I had also left "TODO" comments in a different source file. I'll find those, clean those up also.

vabridgers: Will do. I had also left "TODO" comments in a different source file. I'll find those, clean…

} }

steakhalUnsubmitted

Done

"makeNullWithType must use pointer type");

- QualType nullType = type;

- if (type->isReferenceType()) {

- nullType = Context.getPointerType(type->getPointeeType());

- }

- return loc::ConcreteInt(BasicVals.getZeroWithTypeSize(nullType));

+ // The `sizeof(T&)` is `sizeof(T)`, thus we replace the reference with a

+ // pointer. Here we assume that references are actually implemented by

+ // pointers under-the-hood.

+ type = type->isReferenceType()

+ ? Context.getPointerType(type->getPointeeType())

+ : type;

+ return loc::ConcreteInt(BasicVals.getZeroWithTypeSize(type));

}

Loc makeLoc(SymbolRef sym) {

steakhal:

Loc makeLoc(SymbolRef sym) { Loc makeLoc(SymbolRef sym) {

NoQUnsubmitted

Not Done

How do you discover the pointer width by looking only at the pointee type? Are objects of specific type always restricted to a specific address space? I.e., does every int * have the same width everywhere in the program? If not, how is this code supposed to work?

NoQ: How do you discover the pointer width by looking only at the pointee type? Are objects of…

vabridgersAuthorUnsubmitted

Done

The case this code addresses is represented in the test case clang/test/Analysis/cast-value-notes.cpp, this function ...

24 void evalReferences(const Shape &S) {
25   const auto &C = dyn_cast<Circle>(S);
26   // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
27   // expected-note@-2 {{Dereference of null pointer}}
28   // expected-warning@-3 {{Dereference of null pointer}}
29 }

The crash occurs from line 25 above.

Debug printing what I see at this point in the code for this case ...

QualType type : LValueReferenceType 0xffea820 'const class clang::Circle &'
`-QualType 0xffea7c1 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0xffea7c0 'class clang::Circle' sugar
    |-TemplateTypeParmType 0xffe4f90 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0xffe4f40 'X'
    `-RecordType 0xffea090 'class clang::Circle'
      `-CXXRecord 0xffea000 'Circle'

Context.getPointerType(type) : PointerType 0x10006ab0 'const class clang::Circle &*'
`-LValueReferenceType 0xffea820 'const class clang::Circle &'
  `-QualType 0xffea7c1 'const class clang::Circle' const
    `-SubstTemplateTypeParmType 0xffea7c0 'class clang::Circle' sugar
      |-TemplateTypeParmType 0xffe4f90 'X' dependent depth 0 index 0
      | `-TemplateTypeParm 0xffe4f40 'X'
      `-RecordType 0xffea090 'class clang::Circle'
        `-CXXRecord 0xffea000 'Circle'

Context.getPointerType(type->getPointeeType()) : PointerType 0x10006ae0 'const class clang::Circle *'
`-QualType 0xffea7c1 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0xffea7c0 'class clang::Circle' sugar
    |-TemplateTypeParmType 0xffe4f90 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0xffe4f40 'X'
    `-RecordType 0xffea090 'class clang::Circle'
      `-CXXRecord 0xffea000 'Circle'

The LValueReferenceType causes a crash if I do not get a pointer type, looks like ...

clang:  <root>/clang/include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h:219: const llvm::APSInt& clang::ento::BasicValueFactory::getZeroWithTypeSize(clang::QualType): Assertion `T->isScalarType()' failed.

I'm assuming the pointer type retains the address space attribute of the LValueReferenceType.

Context.getPointerType(type->getPointeeType()) produces a QualType : PointerType 'const class clang::Circle *' from an original QualType : LValueReferenceType 'const class clang::Circle &'

Is this not what's wanted - a pointer type instead of a reference, with the same address space qualifiers, or am I missing something in the query?

Thanks

vabridgers: The case this code addresses is represented in the test case clang/test/Analysis/cast-value…

NoQUnsubmitted

Not Done

Do I understand correctly that __attribute__((address_space)) is a type attribute that gets applied to values rather than to pointers, so __attribute__((address_space(3))) int *x defines x as "pointer to (int that lives in address_space(3))", so when you unwrap the pointer type you get an "int that lives in address_space(3)"?

Can you share some dumps to demonstrate that the attribute is correctly preserved by this procedure? Damn, a test case could be great if we could have them.

NoQ: Do I understand correctly that `__attribute__((address_space))` is a type attribute that gets…

vabridgersAuthorUnsubmitted

Not Done

I'll see what can be done about a test case, and provide the dumps for evaluation. Best

vabridgers: I'll see what can be done about a test case, and provide the dumps for evaluation. Best

vabridgersAuthorUnsubmitted

Done

First, the "dyn_cast<Circle>(S)" case.

void evalReferences(const Shape &S) {
  const auto &C = dyn_cast<Circle>(S);
  clang_analyzer_printState();
  ...
}

  "dynamic_types": [
    { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const class clang::Circle &", "sub_classable": true }


QualType type : LValueReferenceType 0x1118ef60 'const class clang::Circle &'
`-QualType 0x1118ef01 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0x1118ef00 'class clang::Circle' sugar
    |-TemplateTypeParmType 0x111887d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11188780 'X'
    `-RecordType 0x1118e710 'class clang::Circle'
      `-CXXRecord 0x1118e680 'Circle'

Context.getPointerType(type) : PointerType 0x111a94d0 'const class clang::Circle &*'
`-LValueReferenceType 0x1118ef60 'const class clang::Circle &'
  `-QualType 0x1118ef01 'const class clang::Circle' const
    `-SubstTemplateTypeParmType 0x1118ef00 'class clang::Circle' sugar
      |-TemplateTypeParmType 0x111887d0 'X' dependent depth 0 index 0
      | `-TemplateTypeParm 0x11188780 'X'
      `-RecordType 0x1118e710 'class clang::Circle'
        `-CXXRecord 0x1118e680 'Circle'

Context.getPointerType(type->getPointeeType()) : PointerType 0x111a9500 'const class clang::Circle *'
`-QualType 0x1118ef01 'const class clang::Circle' const
  `-SubstTemplateTypeParmType 0x1118ef00 'class clang::Circle' sugar
    |-TemplateTypeParmType 0x111887d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11188780 'X'
    `-RecordType 0x1118e710 'class clang::Circle'
      `-CXXRecord 0x1118e680 'Circle'

then the "dyn_cast<attribute((address_space(3))) Circle>(S)" case

void evalReferences(const Shape &S) {
  const auto &C = dyn_cast<__attribute__((address_space(3))) Circle>(S);
  clang_analyzer_printState();
  ...
}

 "dynamic_types": [
    { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const __attribute__((address_space(3))) class clang::Circle &", "sub_classable": true }


QualType type : LValueReferenceType 0x11527030 'const __attribute__((address_space(3))) class clang::Circle &'
`-QualType 0x11526fd1 'const __attribute__((address_space(3))) class clang::Circle' const
  `-SubstTemplateTypeParmType 0x11526fd0 '__attribute__((address_space(3))) class clang::Circle' sugar
    |-TemplateTypeParmType 0x115207d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11520780 'X'
    `-QualType 0x11526ce8 '__attribute__((address_space(3))) class clang::Circle' __attribute__((address_space(3)))
      `-RecordType 0x11526710 'class clang::Circle'
        `-CXXRecord 0x11526680 'Circle'

Context.getPointerType(type) : PointerType 0x115424e0 'const __attribute__((address_space(3))) class clang::Circle &*'
`-LValueReferenceType 0x11527030 'const __attribute__((address_space(3))) class clang::Circle &'
  `-QualType 0x11526fd1 'const __attribute__((address_space(3))) class clang::Circle' const
    `-SubstTemplateTypeParmType 0x11526fd0 '__attribute__((address_space(3))) class clang::Circle' sugar
      |-TemplateTypeParmType 0x115207d0 'X' dependent depth 0 index 0
      | `-TemplateTypeParm 0x11520780 'X'
      `-QualType 0x11526ce8 '__attribute__((address_space(3))) class clang::Circle' __attribute__((address_space(3)))
        `-RecordType 0x11526710 'class clang::Circle'
          `-CXXRecord 0x11526680 'Circle'

Context.getPointerType(type->getPointeeType()) : PointerType 0x11542510 'const __attribute__((address_space(3))) class clang::Circle *'
`-QualType 0x11526fd1 'const __attribute__((address_space(3))) class clang::Circle' const
  `-SubstTemplateTypeParmType 0x11526fd0 '__attribute__((address_space(3))) class clang::Circle' sugar
    |-TemplateTypeParmType 0x115207d0 'X' dependent depth 0 index 0
    | `-TemplateTypeParm 0x11520780 'X'
    `-QualType 0x11526ce8 '__attribute__((address_space(3))) class clang::Circle' __attribute__((address_space(3)))
      `-RecordType 0x11526710 'class clang::Circle'
        `-CXXRecord 0x11526680 'Circle'

So it looks to me like the address space attribute is retained through both the "Context.getPointerType(type)" and "Context.getPointerType(type->getPointeeType())" invocations.

This also revealed the core.NullDereference checker is ignoring pointers with address space attributes - so the test cases need to be different for this change (at least for now).

I think this is enough to prove this is a NFC. Please let me know if there's anything else I need to do here.

Best

vabridgers: I developed "a" test methodology to demonstrate this at work. I modified the LIT case to use…

return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));

} }

Loc makeLoc(const MemRegion* region) { Loc makeLoc(const MemRegion* region) {

return loc::MemRegionVal(region); return loc::MemRegionVal(region);

} }

Loc makeLoc(const AddrLabelExpr *expr) { Loc makeLoc(const AddrLabelExpr *expr) {

Show All 38 Lines

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

Show First 20 Lines • Show All 243 Lines • ▼ Show 20 Lines	static void addCastTransition(const CallEvent &Call, DefinedOrUnknownSVal DV,
}		}

// Store the type and the cast information.		// Store the type and the cast information.
bool IsKnownCast = CastInfo \|\| IsCheckedCast \|\| CastFromTy == CastToTy;		bool IsKnownCast = CastInfo \|\| IsCheckedCast \|\| CastFromTy == CastToTy;
if (!IsKnownCast \|\| IsCheckedCast)		if (!IsKnownCast \|\| IsCheckedCast)
State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy,		State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy,
CastSucceeds);		CastSucceeds);

		// Vince -- TODO: publish to github branch first for Balazs to check. and
		// check against our code base.

SVal V = CastSucceeds ? C.getSValBuilder().evalCast(DV, CastToTy, CastFromTy)		SVal V = CastSucceeds ? C.getSValBuilder().evalCast(DV, CastToTy, CastFromTy)
: C.getSValBuilder().makeNull();		: C.getSValBuilder().makeNullWithType(CastToTy);
C.addTransition(		C.addTransition(
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), V, false),		State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), V, false),
getNoteTag(C, CastInfo, CastToTy, Object, CastSucceeds, IsKnownCast));		getNoteTag(C, CastInfo, CastToTy, Object, CastSucceeds, IsKnownCast));
}		}

static void addInstanceOfTransition(const CallEvent &Call,		static void addInstanceOfTransition(const CallEvent &Call,
DefinedOrUnknownSVal DV,		DefinedOrUnknownSVal DV,
ProgramStateRef State, CheckerContext &C,		ProgramStateRef State, CheckerContext &C,
▲ Show 20 Lines • Show All 92 Lines • ▼ Show 20 Lines
}		}

static void evalNullParamNullReturn(const CallEvent &Call,		static void evalNullParamNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV,		DefinedOrUnknownSVal DV,
CheckerContext &C) {		CheckerContext &C) {
if (ProgramStateRef State = C.getState()->assume(DV, false))		if (ProgramStateRef State = C.getState()->assume(DV, false))
C.addTransition(State->BindExpr(Call.getOriginExpr(),		C.addTransition(State->BindExpr(Call.getOriginExpr(),
C.getLocationContext(),		C.getLocationContext(),
C.getSValBuilder().makeNull(), false),		C.getSValBuilder().makeNullWithType(
		Call.getOriginExpr()->getType()),
		false),
C.getNoteTag("Assuming null pointer is passed into cast",		C.getNoteTag("Assuming null pointer is passed into cast",
/IsPrunable=/true));		/IsPrunable=/true));
}		}

void CastValueChecker::evalCast(const CallEvent &Call, DefinedOrUnknownSVal DV,		void CastValueChecker::evalCast(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const {		CheckerContext &C) const {
evalNonNullParamNonNullReturn(Call, DV, C, /IsCheckedCast=/true);		evalNonNullParamNonNullReturn(Call, DV, C, /IsCheckedCast=/true);
}		}
▲ Show 20 Lines • Show All 156 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 2,537 Lines • ▼ Show 20 Lines	MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
const Expr *arg0Expr = CE->getArg(0);		const Expr *arg0Expr = CE->getArg(0);
SVal Arg0Val = C.getSVal(arg0Expr);		SVal Arg0Val = C.getSVal(arg0Expr);
if (!Arg0Val.getAs<DefinedOrUnknownSVal>())		if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
return nullptr;		return nullptr;
DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();		DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();

SValBuilder &svalBuilder = C.getSValBuilder();		SValBuilder &svalBuilder = C.getSValBuilder();

DefinedOrUnknownSVal PtrEQ =		DefinedOrUnknownSVal PtrEQ = svalBuilder.evalEQ(
svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());		State, arg0Val, svalBuilder.makeNullWithType(arg0Expr->getType()));

// Get the size argument.		// Get the size argument.
const Expr *Arg1 = CE->getArg(1);		const Expr *Arg1 = CE->getArg(1);

// Get the value of the size argument.		// Get the value of the size argument.
SVal TotalSize = C.getSVal(Arg1);		SVal TotalSize = C.getSVal(Arg1);
if (SuffixWithN)		if (SuffixWithN)
TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));		TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
▲ Show 20 Lines • Show All 1,035 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

Show First 20 Lines • Show All 939 Lines • ▼ Show 20 Lines	if (BSmr == BehaviorSummary::Identity \|\|
state = state->BindExpr(CE, LCtx, RetVal, /Invalidate=/false);		state = state->BindExpr(CE, LCtx, RetVal, /Invalidate=/false);

if (BSmr == BehaviorSummary::IdentityOrZero) {		if (BSmr == BehaviorSummary::IdentityOrZero) {
// Add a branch where the output is zero.		// Add a branch where the output is zero.
ProgramStateRef NullOutputState = C.getState();		ProgramStateRef NullOutputState = C.getState();

// Assume that output is zero on the other branch.		// Assume that output is zero on the other branch.
NullOutputState = NullOutputState->BindExpr(		NullOutputState = NullOutputState->BindExpr(
CE, LCtx, C.getSValBuilder().makeNull(), /Invalidate=/false);		CE, LCtx, C.getSValBuilder().makeNullWithType(ResultTy),
		/Invalidate=/false);
C.addTransition(NullOutputState, &getCastFailTag());		C.addTransition(NullOutputState, &getCastFailTag());

// And on the original branch assume that both input and		// And on the original branch assume that both input and
// output are non-zero.		// output are non-zero.
if (auto L = RetVal.getAs<DefinedOrUnknownSVal>())		if (auto L = RetVal.getAs<DefinedOrUnknownSVal>())
state = state->assume(L, /assumption=*/true);		state = state->assume(L, /assumption=*/true);

}		}
▲ Show 20 Lines • Show All 589 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

Show First 20 Lines • Show All 65 Lines • ▼ Show 20 Lines private:

void handleReset(const CallEvent &Call, CheckerContext &C) const; void handleReset(const CallEvent &Call, CheckerContext &C) const;

void handleRelease(const CallEvent &Call, CheckerContext &C) const; void handleRelease(const CallEvent &Call, CheckerContext &C) const;

void handleSwapMethod(const CallEvent &Call, CheckerContext &C) const; void handleSwapMethod(const CallEvent &Call, CheckerContext &C) const;

void handleGet(const CallEvent &Call, CheckerContext &C) const; void handleGet(const CallEvent &Call, CheckerContext &C) const;

bool handleAssignOp(const CallEvent &Call, CheckerContext &C) const; bool handleAssignOp(const CallEvent &Call, CheckerContext &C) const;

bool handleMoveCtr(const CallEvent &Call, CheckerContext &C, bool handleMoveCtr(const CallEvent &Call, CheckerContext &C,

const MemRegion *ThisRegion) const; const MemRegion *ThisRegion) const;

bool updateMovedSmartPointers(CheckerContext &C, const MemRegion *ThisRegion, bool updateMovedSmartPointers(CheckerContext &C, const MemRegion *ThisRegion,

const MemRegion *OtherSmartPtrRegion) const; const MemRegion *OtherSmartPtrRegion,

const CallEvent &Call) const;

void handleBoolConversion(const CallEvent &Call, CheckerContext &C) const; void handleBoolConversion(const CallEvent &Call, CheckerContext &C) const;

bool handleComparisionOp(const CallEvent &Call, CheckerContext &C) const; bool handleComparisionOp(const CallEvent &Call, CheckerContext &C) const;

bool handleOstreamOperator(const CallEvent &Call, CheckerContext &C) const; bool handleOstreamOperator(const CallEvent &Call, CheckerContext &C) const;

bool handleSwap(ProgramStateRef State, SVal First, SVal Second, bool handleSwap(ProgramStateRef State, SVal First, SVal Second,

CheckerContext &C) const; CheckerContext &C) const;

std::pair<SVal, ProgramStateRef> std::pair<SVal, ProgramStateRef>

retrieveOrConjureInnerPtrVal(ProgramStateRef State, retrieveOrConjureInnerPtrVal(ProgramStateRef State,

const MemRegion *ThisRegion, const Expr *E, const MemRegion *ThisRegion, const Expr *E,

Show All 31 Lines

static bool isStdSmartPtr(const CXXRecordDecl *RD) { static bool isStdSmartPtr(const CXXRecordDecl *RD) {

return hasStdClassWithName(RD, STD_PTR_NAMES); return hasStdClassWithName(RD, STD_PTR_NAMES);

} }

static bool isStdSmartPtr(const Expr *E) { static bool isStdSmartPtr(const Expr *E) {

return isStdSmartPtr(E->getType()->getAsCXXRecordDecl()); return isStdSmartPtr(E->getType()->getAsCXXRecordDecl());

} }

// Define the inter-checker API. // Define the inter-checker API.

steakhalUnsubmitted

Done

return isStdSmartPtr(E->getType()->getAsCXXRecordDecl());

}

+ /// For `std::unique_ptr<MyClass>::get()` call, it will return `MyClass`

+ /// for the 0th \p Idx.

static QualType getTemplateSpecializationArgType(CheckerContext &C,

const CallEvent &Call,

You don't need the whole CheckerContext. Pass the ASTContext instead.
I would also recommend using Idx instead of ndx

steakhal: You don't need the whole `CheckerContext`. Pass the `ASTContext` instead. I would also…

namespace clang { namespace clang {

namespace ento { namespace ento {

namespace smartptr { namespace smartptr {

bool isStdSmartPtrCall(const CallEvent &Call) { bool isStdSmartPtrCall(const CallEvent &Call) {

const auto *MethodDecl = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl()); const auto *MethodDecl = dyn_cast_or_null<CXXMethodDecl>(Call.getDecl());

if (!MethodDecl || !MethodDecl->getParent()) if (!MethodDecl || !MethodDecl->getParent())

return false; return false;

return isStdSmartPtr(MethodDecl->getParent()); return isStdSmartPtr(MethodDecl->getParent());

} }

steakhalUnsubmitted

Done

You should just return it. Oh wait, you also wrap it inside a pointer. The name of the function does not reflect this. Either rename it or hoist this to the callsite.

steakhal: You should just return it. Oh wait, you also wrap it inside a pointer. The name of the function…

bool isStdSmartPtr(const CXXRecordDecl *RD) { bool isStdSmartPtr(const CXXRecordDecl *RD) {

if (!RD || !RD->getDeclContext()->isStdNamespace()) if (!RD || !RD->getDeclContext()->isStdNamespace())

return false; return false;

if (RD->getDeclName().isIdentifier()) { if (RD->getDeclName().isIdentifier()) {

StringRef Name = RD->getName(); StringRef Name = RD->getName();

return Name == "shared_ptr" || Name == "unique_ptr" || Name == "weak_ptr"; return Name == "shared_ptr" || Name == "unique_ptr" || Name == "weak_ptr";

} }

▲ Show 20 Lines • Show All 237 Lines • ▼ Show 20 Lines if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {

const MemRegion *ThisRegion = CC->getCXXThisVal().getAsRegion(); const MemRegion *ThisRegion = CC->getCXXThisVal().getAsRegion();

if (!ThisRegion) if (!ThisRegion)

return false; return false;

if (CC->getDecl()->isMoveConstructor()) if (CC->getDecl()->isMoveConstructor())

return handleMoveCtr(Call, C, ThisRegion); return handleMoveCtr(Call, C, ThisRegion);

if (Call.getNumArgs() == 0) { if (Call.getNumArgs() == 0) {

auto NullVal = C.getSValBuilder().makeNull(); auto NullVal = C.getSValBuilder().makeNullWithType(

CC->getCXXThisVal().getType(C.getASTContext()));

steakhalUnsubmitted

Done

You should use the CC->getDecl()->getThisType() instead.

steakhal: You should use the `CC->getDecl()->getThisType()` instead.

State = State->set<TrackedRegionMap>(ThisRegion, NullVal); State = State->set<TrackedRegionMap>(ThisRegion, NullVal);

C.addTransition( C.addTransition(

State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR, State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,

llvm::raw_ostream &OS) { llvm::raw_ostream &OS) {

if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||

!BR.isInteresting(ThisRegion)) !BR.isInteresting(ThisRegion))

return; return;

▲ Show 20 Lines • Show All 240 Lines • ▼ Show 20 Lines void SmartPtrModeling::handleRelease(const CallEvent &Call,

const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion); const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion);

if (InnerPointVal) { if (InnerPointVal) {

State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),

*InnerPointVal); *InnerPointVal);

} }

auto ValueToUpdate = C.getSValBuilder().makeNull(); auto ValueToUpdate = C.getSValBuilder().makeNullWithType(

IC->getCXXThisVal().getType(C.getASTContext()));

NoQUnsubmitted

Done

I don't think this is the right type. This should be the raw pointer type for the corresponding smart pointer, not a pointer to the smart pointer.

Call.getResultType() should be good.

Also general advice, do not use SVal::getType() when you can obtain the type from the AST instead. SVal::getType() is speculative and it inevitably loses some information (in particular, it doesn't discriminate between lvalues and pointers).

NoQ: I don't think this is the right type. This should be the raw pointer type for the corresponding…

steakhalUnsubmitted

Done

Similarly to the previous one, use getThisType().

steakhal: Similarly to the previous one, use `getThisType()`.

State = State->set<TrackedRegionMap>(ThisRegion, ValueToUpdate); State = State->set<TrackedRegionMap>(ThisRegion, ValueToUpdate);

C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR, C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,

llvm::raw_ostream &OS) { llvm::raw_ostream &OS) {

if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||

!BR.isInteresting(ThisRegion)) !BR.isInteresting(ThisRegion))

return; return;

▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines if (!ThisRegion)

return false; return false;

const MemRegion *OtherSmartPtrRegion = OC->getArgSVal(0).getAsRegion(); const MemRegion *OtherSmartPtrRegion = OC->getArgSVal(0).getAsRegion();

// In case of 'nullptr' or '0' assigned // In case of 'nullptr' or '0' assigned

if (!OtherSmartPtrRegion) { if (!OtherSmartPtrRegion) {

bool AssignedNull = Call.getArgSVal(0).isZeroConstant(); bool AssignedNull = Call.getArgSVal(0).isZeroConstant();

if (!AssignedNull) if (!AssignedNull)

return false; return false;

auto NullVal = C.getSValBuilder().makeNull(); auto NullVal = C.getSValBuilder().makeNullWithType(

Call.getArgSVal(0).getType(C.getASTContext()));

steakhalUnsubmitted

Done

Same here.

steakhal: Same here.

State = State->set<TrackedRegionMap>(ThisRegion, NullVal); State = State->set<TrackedRegionMap>(ThisRegion, NullVal);

C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR, C.addTransition(State, C.getNoteTag([ThisRegion](PathSensitiveBugReport &BR,

llvm::raw_ostream &OS) { llvm::raw_ostream &OS) {

if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||

!BR.isInteresting(ThisRegion)) !BR.isInteresting(ThisRegion))

return; return;

OS << "Smart pointer"; OS << "Smart pointer";

checkAndPrettyPrintRegion(OS, ThisRegion); checkAndPrettyPrintRegion(OS, ThisRegion);

OS << " is assigned to null"; OS << " is assigned to null";

})); }));

return true; return true;

} }

return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion); return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion, Call);

} }

bool SmartPtrModeling::handleMoveCtr(const CallEvent &Call, CheckerContext &C, bool SmartPtrModeling::handleMoveCtr(const CallEvent &Call, CheckerContext &C,

const MemRegion *ThisRegion) const { const MemRegion *ThisRegion) const {

const auto *OtherSmartPtrRegion = Call.getArgSVal(0).getAsRegion(); const auto *OtherSmartPtrRegion = Call.getArgSVal(0).getAsRegion();

if (!OtherSmartPtrRegion) if (!OtherSmartPtrRegion)

return false; return false;

return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion); return updateMovedSmartPointers(C, ThisRegion, OtherSmartPtrRegion, Call);

} }

bool SmartPtrModeling::updateMovedSmartPointers( bool SmartPtrModeling::updateMovedSmartPointers(

CheckerContext &C, const MemRegion *ThisRegion, CheckerContext &C, const MemRegion *ThisRegion,

const MemRegion *OtherSmartPtrRegion) const { const MemRegion *OtherSmartPtrRegion, const CallEvent &Call) const {

ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();

const auto *OtherInnerPtr = State->get<TrackedRegionMap>(OtherSmartPtrRegion); const auto *OtherInnerPtr = State->get<TrackedRegionMap>(OtherSmartPtrRegion);

if (OtherInnerPtr) { if (OtherInnerPtr) {

State = State->set<TrackedRegionMap>(ThisRegion, *OtherInnerPtr); State = State->set<TrackedRegionMap>(ThisRegion, *OtherInnerPtr);

auto NullVal = C.getSValBuilder().makeNull(); auto NullVal = C.getSValBuilder().makeNullWithType(

OtherInnerPtr->getType(C.getASTContext()));

NoQUnsubmitted

Done

Same here.

NoQ: Same here.

State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal); State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal);

steakhalUnsubmitted

Done

At first glance, all callsites have access to the getThisType(), so we shouldn't dig this up from the specialization decl.

steakhal: At first glance, all callsites have access to the `getThisType()`, so we shouldn't dig this up…

bool IsArgValNull = OtherInnerPtr->isZeroConstant(); bool IsArgValNull = OtherInnerPtr->isZeroConstant();

C.addTransition( C.addTransition(

State, State,

C.getNoteTag([ThisRegion, OtherSmartPtrRegion, IsArgValNull]( C.getNoteTag([ThisRegion, OtherSmartPtrRegion, IsArgValNull](

PathSensitiveBugReport &BR, llvm::raw_ostream &OS) { PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {

if (&BR.getBugType() != smartptr::getNullDereferenceBugType()) if (&BR.getBugType() != smartptr::getNullDereferenceBugType())

return; return;

if (BR.isInteresting(OtherSmartPtrRegion)) { if (BR.isInteresting(OtherSmartPtrRegion)) {

OS << "Smart pointer"; OS << "Smart pointer";

checkAndPrettyPrintRegion(OS, OtherSmartPtrRegion); checkAndPrettyPrintRegion(OS, OtherSmartPtrRegion);

OS << " is null after being moved to"; OS << " is null after being moved to";

checkAndPrettyPrintRegion(OS, ThisRegion); checkAndPrettyPrintRegion(OS, ThisRegion);

} }

if (BR.isInteresting(ThisRegion) && IsArgValNull) { if (BR.isInteresting(ThisRegion) && IsArgValNull) {

OS << "A null pointer value is moved to"; OS << "A null pointer value is moved to";

checkAndPrettyPrintRegion(OS, ThisRegion); checkAndPrettyPrintRegion(OS, ThisRegion);

BR.markInteresting(OtherSmartPtrRegion); BR.markInteresting(OtherSmartPtrRegion);

} }

})); }));

return true; return true;

} else { } else {

// In case we dont know anything about value we are moving from // In case we dont know anything about value we are moving from

// remove the entry from map for which smart pointer got moved to. // remove the entry from map for which smart pointer got moved to.

auto NullVal = C.getSValBuilder().makeNull(); const ClassTemplateSpecializationDecl *SpecDecl =

dyn_cast<ClassTemplateSpecializationDecl>(

NoQUnsubmitted

Done

You're using dyn_cast but you're unconditionally dereferencing the result later. Looking at other copies of similar code, you probably need a null check.

(Does running the static analyzer produce a warning here? We have a checker for this!)

NoQ: You're using `dyn_cast` but you're unconditionally dereferencing the result later. Looking at…

cast<CXXMethodDecl>(Call.getDecl())->getParent());

ArrayRef<TemplateArgument> TemplateArgs =

SpecDecl->getTemplateArgs().asArray();

const TemplateArgument &T = TemplateArgs[0];

assert(T.getKind() == TemplateArgument::Type);

QualType Ty = C.getASTContext().getPointerType(T.getAsType());

// For unique_ptr<A>, Ty will be 'A*'.

auto NullVal = C.getSValBuilder().makeNullWithType(Ty);

State = State->remove<TrackedRegionMap>(ThisRegion); State = State->remove<TrackedRegionMap>(ThisRegion);

State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal); State = State->set<TrackedRegionMap>(OtherSmartPtrRegion, NullVal);

C.addTransition(State, C.getNoteTag([OtherSmartPtrRegion, C.addTransition(State, C.getNoteTag([OtherSmartPtrRegion,

ThisRegion](PathSensitiveBugReport &BR, ThisRegion](PathSensitiveBugReport &BR,

llvm::raw_ostream &OS) { llvm::raw_ostream &OS) {

if (&BR.getBugType() != smartptr::getNullDereferenceBugType() || if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||

!BR.isInteresting(OtherSmartPtrRegion)) !BR.isInteresting(OtherSmartPtrRegion))

return; return;

▲ Show 20 Lines • Show All 48 Lines • ▼ Show 20 Lines C.addTransition(

State->BindExpr(CallExpr, C.getLocationContext(), State->BindExpr(CallExpr, C.getLocationContext(),

C.getSValBuilder().makeZeroVal(Call.getResultType()))); C.getSValBuilder().makeZeroVal(Call.getResultType())));

return; return;

} else { } else {

ProgramStateRef NotNullState, NullState; ProgramStateRef NotNullState, NullState;

std::tie(NotNullState, NullState) = std::tie(NotNullState, NullState) =

State->assume(InnerPointerVal.castAs<DefinedOrUnknownSVal>()); State->assume(InnerPointerVal.castAs<DefinedOrUnknownSVal>());

auto NullVal = C.getSValBuilder().makeNull(); auto NullVal = C.getSValBuilder().makeNullWithType(CallExpr->getType());

NoQUnsubmitted

Done

I suspect that this type is going to be bool which is probably not what you want.

NoQ: I suspect that this type is going to be `bool` which is probably not what you want.

NoQUnsubmitted

Done

I think it makes sense to add an assertion in makeNullWithType() to protect against such cases. This will probably also allow you to cover this with a test case.

NoQ: I think it makes sense to add an assertion in `makeNullWithType()` to protect against such…

steakhalUnsubmitted

Done

You probably never want to use Call.getResultType() in this file for this context.
Something like this would be more appropriate: cast<CXXMethodDecl>(Call.getDecl())->getThisType()

steakhal: You probably never want to use `Call.getResultType()` in this file for this context. Something…

// Explicitly tracking the region as null. // Explicitly tracking the region as null.

NullState = NullState->set<TrackedRegionMap>(ThisRegion, NullVal); NullState = NullState->set<TrackedRegionMap>(ThisRegion, NullVal);

NullState = NullState->BindExpr(CallExpr, C.getLocationContext(), NullState = NullState->BindExpr(CallExpr, C.getLocationContext(),

C.getSValBuilder().makeTruthVal(false)); C.getSValBuilder().makeTruthVal(false));

C.addTransition(NullState, C.getNoteTag( C.addTransition(NullState, C.getNoteTag(

[ThisRegion](PathSensitiveBugReport &BR, [ThisRegion](PathSensitiveBugReport &BR,

llvm::raw_ostream &OS) { llvm::raw_ostream &OS) {

Show All 32 Lines

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show First 20 Lines • Show All 543 Lines • ▼ Show 20 Lines	void StreamChecker::evalFreopen(const FnDescription *Desc,
// Generate state for non-failed case.		// Generate state for non-failed case.
// Return value is the passed stream pointer.		// Return value is the passed stream pointer.
// According to the documentations, the stream is closed first		// According to the documentations, the stream is closed first
// but any close error is ignored. The state changes to (or remains) opened.		// but any close error is ignored. The state changes to (or remains) opened.
ProgramStateRef StateRetNotNull =		ProgramStateRef StateRetNotNull =
State->BindExpr(CE, C.getLocationContext(), *StreamVal);		State->BindExpr(CE, C.getLocationContext(), *StreamVal);
// Generate state for NULL return value.		// Generate state for NULL return value.
// Stream switches to OpenFailed state.		// Stream switches to OpenFailed state.
ProgramStateRef StateRetNull = State->BindExpr(CE, C.getLocationContext(),		ProgramStateRef StateRetNull =
C.getSValBuilder().makeNull());		State->BindExpr(CE, C.getLocationContext(),
		C.getSValBuilder().makeNullWithType(CE->getType()));

StateRetNotNull =		StateRetNotNull =
StateRetNotNull->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));		StateRetNotNull->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
StateRetNull =		StateRetNull =
StateRetNull->set<StreamMap>(StreamSym, StreamState::getOpenFailed(Desc));		StateRetNull->set<StreamMap>(StreamSym, StreamState::getOpenFailed(Desc));

C.addTransition(StateRetNotNull,		C.addTransition(StateRetNotNull,
constructNoteTag(C, StreamSym, "Stream reopened here"));		constructNoteTag(C, StreamSym, "Stream reopened here"));
▲ Show 20 Lines • Show All 561 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 Lines • Show All 454 Lines • ▼ Show 20 Lines	switch (CastE->getCastKind()) {
if (Failed) {		if (Failed) {
if (T->isReferenceType()) {		if (T->isReferenceType()) {
// A bad_cast exception is thrown if input value is a reference.		// A bad_cast exception is thrown if input value is a reference.
// Currently, we model this, by generating a sink.		// Currently, we model this, by generating a sink.
Bldr.generateSink(CastE, Pred, state);		Bldr.generateSink(CastE, Pred, state);
continue;		continue;
} else {		} else {
// If the cast fails on a pointer, bind to 0.		// If the cast fails on a pointer, bind to 0.
state = state->BindExpr(CastE, LCtx, svalBuilder.makeNull());		state = state->BindExpr(CastE, LCtx,
		svalBuilder.makeNullWithType(resultType));
}		}
} else {		} else {
// If we don't know if the cast succeeded, conjure a new symbol.		// If we don't know if the cast succeeded, conjure a new symbol.
if (val.isUnknown()) {		if (val.isUnknown()) {
DefinedOrUnknownSVal NewSym =		DefinedOrUnknownSVal NewSym =
svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,		svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,
currBldrCtx->blockCount());		currBldrCtx->blockCount());
state = state->BindExpr(CastE, LCtx, NewSym);		state = state->BindExpr(CastE, LCtx, NewSym);
Show All 21 Lines	switch (CastE->getCastKind()) {
svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,		svalBuilder.conjureSymbolVal(nullptr, CastE, LCtx, resultType,
currBldrCtx->blockCount());		currBldrCtx->blockCount());
}		}
state = state->BindExpr(CastE, LCtx, val);		state = state->BindExpr(CastE, LCtx, val);
Bldr.generateNode(CastE, Pred, state);		Bldr.generateNode(CastE, Pred, state);
continue;		continue;
}		}
case CK_NullToPointer: {		case CK_NullToPointer: {
SVal V = svalBuilder.makeNull();		SVal V = svalBuilder.makeNullWithType(CastE->getType());
state = state->BindExpr(CastE, LCtx, V);		state = state->BindExpr(CastE, LCtx, V);
Bldr.generateNode(CastE, Pred, state);		Bldr.generateNode(CastE, Pred, state);
continue;		continue;
}		}
case CK_NullToMemberPointer: {		case CK_NullToMemberPointer: {
SVal V = svalBuilder.getMemberPointer(nullptr);		SVal V = svalBuilder.getMemberPointer(nullptr);
state = state->BindExpr(CastE, LCtx, V);		state = state->BindExpr(CastE, LCtx, V);
Bldr.generateNode(CastE, Pred, state);		Bldr.generateNode(CastE, Pred, state);
▲ Show 20 Lines • Show All 660 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

	Show First 20 Lines • Show All 2,404 Lines • ▼ Show 20 Lines

	RegionBindingsRef			RegionBindingsRef
	RegionStoreManager::setImplicitDefaultValue(RegionBindingsConstRef B,			RegionStoreManager::setImplicitDefaultValue(RegionBindingsConstRef B,
	const MemRegion *R,			const MemRegion *R,
	QualType T) {			QualType T) {
	SVal V;			SVal V;

	if (Loc::isLocType(T))			if (Loc::isLocType(T))
	V = svalBuilder.makeNull();			V = svalBuilder.makeNullWithType(T);
	else if (T->isIntegralOrEnumerationType())			else if (T->isIntegralOrEnumerationType())
	V = svalBuilder.makeZeroVal(T);			V = svalBuilder.makeZeroVal(T);
	else if (T->isStructureOrClassType() \|\| T->isArrayType()) {			else if (T->isStructureOrClassType() \|\| T->isArrayType()) {
	// Set the default value to a zero constant when it is a structure			// Set the default value to a zero constant when it is a structure
	// or array. The type doesn't really matter.			// or array. The type doesn't really matter.
	V = svalBuilder.makeZeroVal(Ctx.IntTy);			V = svalBuilder.makeZeroVal(Ctx.IntTy);
	}			}
	else {			else {
	▲ Show 20 Lines • Show All 470 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/SValBuilder.cpp

Show First 20 Lines • Show All 55 Lines • ▼ Show 20 Lines	: Context(context), BasicVals(context, alloc),
StateMgr(stateMgr),		StateMgr(stateMgr),
AnOpts(		AnOpts(
stateMgr.getOwningEngine().getAnalysisManager().getAnalyzerOptions()),		stateMgr.getOwningEngine().getAnalysisManager().getAnalyzerOptions()),
ArrayIndexTy(context.LongLongTy),		ArrayIndexTy(context.LongLongTy),
ArrayIndexWidth(context.getTypeSize(ArrayIndexTy)) {}		ArrayIndexWidth(context.getTypeSize(ArrayIndexTy)) {}

DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType type) {		DefinedOrUnknownSVal SValBuilder::makeZeroVal(QualType type) {
if (Loc::isLocType(type))		if (Loc::isLocType(type))
return makeNull();		return makeNullWithType(type);

if (type->isIntegralOrEnumerationType())		if (type->isIntegralOrEnumerationType())
return makeIntVal(0, type);		return makeIntVal(0, type);

if (type->isArrayType() \|\| type->isRecordType() \|\| type->isVectorType() \|\|		if (type->isArrayType() \|\| type->isRecordType() \|\| type->isVectorType() \|\|
type->isAnyComplexType())		type->isAnyComplexType())
return makeCompoundVal(type, BasicVals.getEmptySValList());		return makeCompoundVal(type, BasicVals.getEmptySValList());

▲ Show 20 Lines • Show All 281 Lines • ▼ Show 20 Lines	Optional<SVal> SValBuilder::getConstantVal(const Expr *E) {

case Stmt::IntegerLiteralClass:		case Stmt::IntegerLiteralClass:
return makeIntVal(cast<IntegerLiteral>(E));		return makeIntVal(cast<IntegerLiteral>(E));

case Stmt::ObjCBoolLiteralExprClass:		case Stmt::ObjCBoolLiteralExprClass:
return makeBoolVal(cast<ObjCBoolLiteralExpr>(E));		return makeBoolVal(cast<ObjCBoolLiteralExpr>(E));

case Stmt::CXXNullPtrLiteralExprClass:		case Stmt::CXXNullPtrLiteralExprClass:
return makeNull();		return makeNullWithType(E->getType());

case Stmt::CStyleCastExprClass:		case Stmt::CStyleCastExprClass:
case Stmt::CXXFunctionalCastExprClass:		case Stmt::CXXFunctionalCastExprClass:
case Stmt::CXXConstCastExprClass:		case Stmt::CXXConstCastExprClass:
case Stmt::CXXReinterpretCastExprClass:		case Stmt::CXXReinterpretCastExprClass:
case Stmt::CXXStaticCastExprClass:		case Stmt::CXXStaticCastExprClass:
case Stmt::ImplicitCastExprClass: {		case Stmt::ImplicitCastExprClass: {
const auto *CE = cast<CastExpr>(E);		const auto *CE = cast<CastExpr>(E);
Show All 23 Lines	default: {

ASTContext &Ctx = getContext();		ASTContext &Ctx = getContext();
Expr::EvalResult Result;		Expr::EvalResult Result;
if (E->EvaluateAsInt(Result, Ctx))		if (E->EvaluateAsInt(Result, Ctx))
return makeIntVal(Result.Val.getInt());		return makeIntVal(Result.Val.getInt());

if (Loc::isLocType(E->getType()))		if (Loc::isLocType(E->getType()))
if (E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull))		if (E->isNullPointerConstant(Ctx, Expr::NPC_ValueDependentIsNotNull))
return makeNull();		return makeNullWithType(E->getType());

return None;		return None;
}		}
}		}
}		}

SVal SValBuilder::makeSymExprValNN(BinaryOperator::Opcode Op,		SVal SValBuilder::makeSymExprValNN(BinaryOperator::Opcode Op,
NonLoc LHS, NonLoc RHS,		NonLoc LHS, NonLoc RHS,
▲ Show 20 Lines • Show All 672 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Refactor makeNull to makeNullWithWidth (NFC)ClosedPublic

Details

Diff Detail

Unit TestsFailed

Event Timeline

Revision Contents

Diff 408082

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

clang/lib/StaticAnalyzer/Core/SValBuilder.cpp

[analyzer] Refactor makeNull to makeNullWithWidth (NFC)
ClosedPublic