This is an archive of the discontinued LLVM Phabricator instance.

Differential D125362

[NFC][analyzer] Transitive interestingness in BugReporter
Needs ReviewPublic

Authored by gamesh411 on May 11 2022, 2:24 AM.

Details

Reviewers
steakhal
Szelethus
Summary

When making a region interesting, also mark the subregions interesting.

Original author: steakhal

Diff Detail

Event Timeline

gamesh411 created this revision.May 11 2022, 2:24 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptMay 11 2022, 2:24 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: manas, ASDenysPetrov, martong and 8 others. · View Herald Transcript
gamesh411 requested review of this revision.May 11 2022, 2:24 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 11 2022, 2:24 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B163856: Diff 428592.May 11 2022, 2:58 AM
steakhal added a comment.May 11 2022, 6:05 AM

I think since it changes how taint spreads, this patch deserves a test.
Could you please demonstrate the correctness of this patch?

clang/lib/StaticAnalyzer/Core/BugReporter.cpp
2267
2361–2366

The comment of symbol_iterator suggests that for SymbolData this will be always the symbol data itself; thus it would iterate only once.
Is this the case? If so, can we replace the loop with just the isa<SymbolData>(sym) check?

/// Iterator over symbols that the current symbol depends on.
///
/// For SymbolData, it's the symbol itself; for expressions, it's the
/// expression symbol and all the operands in it. Note, SymbolDerived is
/// treated as SymbolData - the iterator will NOT visit the parent region.
class symbol_iterator {...
2363
balazske added a subscriber: balazske.May 11 2022, 9:13 AM

Is it problem if markNotInteresting is used on a symbol that was marked interesting and has subregions?

steakhal added a comment.May 11 2022, 9:46 AM
In D125362#3506545, @balazske wrote:

Is it problem if markNotInteresting is used on a symbol that was marked interesting and has subregions?

In that case, the sub-symbols will remain still interesting.
We might need to think about this and also make markNotInteresting() transitive. I'm not immediately sure about the implications, but a test demonstrating the transitivity should demonstrate this as well in a slightly modified example.
The test file for this should be clang/unittests/StaticAnalyzer/BugReportInterestingnessTest.cpp though.

There are only two checkers using this API: stream checker and the smart ptr checker.
We should craft a real-worl-looking example pointing out the difference between the *transitive* and *direct* markNotInteresting() implementation.

steakhal mentioned this in D124244: [analyzer] add StoreToImmutable and ModelConstQualifiedReturn checkers.May 18 2022, 3:22 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
29 lines

Diff 428592

clang/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 2,255 Lines▼ Show 20 Lines if (!sym)
return; return;
insertToInterestingnessMap(InterestingSymbols, sym, TKind); insertToInterestingnessMap(InterestingSymbols, sym, TKind);
// FIXME: No tests exist for this code and it is questionable: // FIXME: No tests exist for this code and it is questionable:
// How to handle multiple metadata for the same region? // How to handle multiple metadata for the same region?
if (const auto *meta = dyn_cast<SymbolMetadata>(sym)) if (const auto *meta = dyn_cast<SymbolMetadata>(sym))
markInteresting(meta->getRegion(), TKind); markInteresting(meta->getRegion(), TKind);
auto SubSyms = llvm::make_range(sym->symbol_begin(), sym->symbol_end());
for (SymbolRef SubSym : SubSyms) {
if (SymbolData::classof(SubSym))
steakhalUnsubmitted
Not Done
ReplyInline Actions
for (SymbolRef SubSym : SubSyms) {
- if (SymbolData::classof(SubSym))
+ if (isa<SymbolData>(SubSym))
insertToInterestingnessMap(InterestingSymbols, SubSym, TKind);
steakhal:
insertToInterestingnessMap(InterestingSymbols, SubSym, TKind);
}
} }
void PathSensitiveBugReport::markNotInteresting(SymbolRef sym) { void PathSensitiveBugReport::markNotInteresting(SymbolRef sym) {
if (!sym) if (!sym)
return; return;
InterestingSymbols.erase(sym); InterestingSymbols.erase(sym);
// The metadata part of markInteresting is not reversed here. // The metadata part of markInteresting is not reversed here.
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines
} }
Optional<bugreporter::TrackingKind> Optional<bugreporter::TrackingKind>
PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const { PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const {
if (!sym) if (!sym)
return None; return None;
// We don't currently consider metadata symbols to be interesting // We don't currently consider metadata symbols to be interesting
// even if we know their region is interesting. Is that correct behavior? // even if we know their region is interesting. Is that correct behavior?
auto It = InterestingSymbols.find(sym); auto TryToLookupTrackingKind =
[this](SymbolRef Sym) -> Optional<bugreporter::TrackingKind> {
auto It = InterestingSymbols.find(Sym);
if (It == InterestingSymbols.end()) if (It == InterestingSymbols.end())
return None; return None;
return It->getSecond(); return It->getSecond();
};
if (auto MaybeTK = TryToLookupTrackingKind(sym))
return MaybeTK;
auto SubSyms = llvm::make_range(sym->symbol_begin(), sym->symbol_end());
for (SymbolRef SubSym : SubSyms) {
if (SymbolData::classof(SubSym)) {
steakhalUnsubmitted
Not Done
ReplyInline Actions
for (SymbolRef SubSym : SubSyms) {
- if (SymbolData::classof(SubSym)) {
+ if (isa<SymbolData>(SubSym)) {
if (auto MaybeTK = TryToLookupTrackingKind(SubSym))
steakhal:
if (auto MaybeTK = TryToLookupTrackingKind(SubSym))
return MaybeTK;
}
steakhalUnsubmitted
Not Done
ReplyInline Actions

The comment of symbol_iterator suggests that for SymbolData this will be always the symbol data itself; thus it would iterate only once.
Is this the case? If so, can we replace the loop with just the isa<SymbolData>(sym) check?

/// Iterator over symbols that the current symbol depends on.
///
/// For SymbolData, it's the symbol itself; for expressions, it's the
/// expression symbol and all the operands in it. Note, SymbolDerived is
/// treated as SymbolData - the iterator will NOT visit the parent region.
class symbol_iterator {...
steakhal: The comment of `symbol_iterator` suggests that for `SymbolData` this will be always the symbol…
}
return None;
} }
Optional<bugreporter::TrackingKind> Optional<bugreporter::TrackingKind>
PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const { PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const {
if (!R) if (!R)
return None; return None;
R = R->getBaseRegion(); R = R->getBaseRegion();
▲ Show 20 LinesShow All 997 LinesShow Last 20 Lines