This is an archive of the discontinued LLVM Phabricator instance.

Differential D12652

[Static Analyzer] Lambda support.
ClosedPublic

Authored by xazax.hun on Sep 4 2015, 3:49 PM.

Details

Reviewers
dcoughlin
zaks.anna
jordan_rose
Commits
rG15843343b67a: [Static Analyzer] Lambda support.
rC247426: [Static Analyzer] Lambda support.
rL247426: [Static Analyzer] Lambda support.
Summary

This patch adds lambda support to the static analyzer.
All of my initial tests are passed.

Before this patch each time a LambdaExpr was encountered a sink node was generated. This also reduced the coverage of code that is actually not inside a lambda operator(). Also the lack of lambda support is a known cause of some false positives (for example in the dead store checker).

This is a work in progress version of this patch, I will move this feature behind a flag and run it on LLVM to make sure it is also tested with real world code.

Diff Detail

Event Timeline

xazax.hun updated this revision to Diff 34085.Sep 4 2015, 3:49 PM
xazax.hun retitled this revision from to [Static Analyzer] Lambda support..
xazax.hun updated this object.
xazax.hun added reviewers: dcoughlin, zaks.anna, jordan_rose, ted.
xazax.hun updated this object.
xazax.hun added a subscriber: cfe-commits.
xazax.hun updated this revision to Diff 34285.Sep 8 2015, 5:21 PM
  • Updated to newest trunk.
  • Moved the feature behind an option.
  • Fixed a crash when an operator() of a lambda is analyzed as a top level function, and a ThisExpr is referring to the this in the enclosing scope (this can only happen when lambda support is turned off).
  • Added a new test case for nested lambdas capturing 'this'.
zaks.anna edited edge metadata.Sep 10 2015, 2:55 PM

Have you tested this on a large codebase that uses lambdas? When do you think we should turn this on by default?

Please, add test cases that demonstrate what happens when an issue is reported within a lambda and to check if inlined defensive checks work.

(As a follow up to this patch, we may need to teach LiveVariables.cpp and UninitializedValues.cpp about lambdas. For example, to address issues like this one: https://llvm.org/bugs/show_bug.cgi?id=22834)

xazax.hun updated this revision to Diff 34498.Sep 10 2015, 3:21 PM
xazax.hun edited edge metadata.
  • Updated to latest trunk
  • Added test for the defensive inline check heuristic case
  • Added test for diagnostic within a lambda body
  • Added test for path notes
xazax.hun added a comment.Sep 10 2015, 3:23 PM
In D12652#243762, @zaks.anna wrote:

Have you tested this on a large codebase that uses lambdas? When do you think we should turn this on by default?

I checked llvm and clang and did not found any failure. There are no obvious limitations or problems that I know of at the moment. I think this is a good candidate to turn on by default. At least some potential errors might be found earlier.

Please, add test cases that demonstrate what happens when an issue is reported within a lambda and to check if inlined defensive checks work.

I extended the tests with these cases.

(As a follow up to this patch, we may need to teach LiveVariables.cpp and UninitializedValues.cpp about lambdas. For example, to address issues like this one: https://llvm.org/bugs/show_bug.cgi?id=22834)

zaks.anna accepted this revision.Sep 10 2015, 6:32 PM
zaks.anna edited edge metadata.

Please, do turn on by default.
LGTM

This revision is now accepted and ready to land.Sep 10 2015, 6:32 PM
jordan_rose edited edge metadata.Sep 10 2015, 6:57 PM

A few comments coming late…

include/clang/StaticAnalyzer/Core/AnalyzerOptions.h
515–517

"inline" is kind of a misnomer, since we may not actually inline lambdas. I would have suggested "model lambdas" or "lambda support".

lib/StaticAnalyzer/Core/MemRegion.cpp
740–741

Why the extra parameter?

xazax.hun added inline comments.Sep 11 2015, 9:24 AM
include/clang/StaticAnalyzer/Core/AnalyzerOptions.h
515–517

Even when this configuration option is set to false, the body of the lambda is analyzed as a top level function. For this reason I think the "lambda support" might be a misnomer too. What do you think?

lib/StaticAnalyzer/Core/MemRegion.cpp
740–741

This is just a leftover from code evolution, thank you for spotting this.

Closed by commit rL247426: [Static Analyzer] Lambda support. (authored by xazax). · Explain WhySep 11 2015, 9:56 AM
This revision was automatically updated to reflect the committed changes.
xazax.hun added inline comments.Sep 11 2015, 9:58 AM
include/clang/StaticAnalyzer/Core/AnalyzerOptions.h
515–517

If we come up with a better name for the option I will address that in a separate patch.

ted removed a reviewer: ted.Sep 11 2015, 10:26 AM
zaks.anna added a comment.Sep 28 2015, 11:35 AM

Looks like this patch is causing regressions:
https://llvm.org/bugs/show_bug.cgi?id=24914

xazax.hun added a comment.Sep 28 2015, 1:45 PM

I will look into it. Do you prefer to revert the patch this it is fixed?

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
7 lines
PathSensitive/
4 lines
lib/
StaticAnalyzer/
Core/
4 lines
40 lines
38 lines
20 lines
test/
Analysis/
14 lines
204 lines
174 lines
8 lines

Diff 34498

include/clang/StaticAnalyzer/Core/AnalyzerOptions.h

Show First 20 LinesShow All 250 Lines▼ Show 20 Linesprivate:
Optional<unsigned> GraphTrimInterval; Optional<unsigned> GraphTrimInterval;
/// \sa getMaxTimesInlineLarge /// \sa getMaxTimesInlineLarge
Optional<unsigned> MaxTimesInlineLarge; Optional<unsigned> MaxTimesInlineLarge;
/// \sa getMaxNodesPerTopLevelFunction /// \sa getMaxNodesPerTopLevelFunction
Optional<unsigned> MaxNodesPerTopLevelFunction; Optional<unsigned> MaxNodesPerTopLevelFunction;
/// \sa shouldInlineLambdas
Optional<bool> InlineLambdas;
/// A helper function that retrieves option for a given full-qualified /// A helper function that retrieves option for a given full-qualified
/// checker name. /// checker name.
/// Options for checkers can be specified via 'analyzer-config' command-line /// Options for checkers can be specified via 'analyzer-config' command-line
/// option. /// option.
/// Example: /// Example:
/// @code-analyzer-config unix.Malloc:OptionName=CheckerOptionValue @endcode /// @code-analyzer-config unix.Malloc:OptionName=CheckerOptionValue @endcode
/// or @code-analyzer-config unix:OptionName=GroupOptionValue @endcode /// or @code-analyzer-config unix:OptionName=GroupOptionValue @endcode
/// for groups of checkers. /// for groups of checkers.
▲ Show 20 LinesShow All 237 Lines▼ Show 20 Linespublic:
/// Returns the maximum number of nodes the analyzer can generate while /// Returns the maximum number of nodes the analyzer can generate while
/// exploring a top level function (for each exploded graph). /// exploring a top level function (for each exploded graph).
/// 150000 is default; 0 means no limit. /// 150000 is default; 0 means no limit.
/// ///
/// This is controlled by the 'max-nodes' config option. /// This is controlled by the 'max-nodes' config option.
unsigned getMaxNodesPerTopLevelFunction(); unsigned getMaxNodesPerTopLevelFunction();
/// Returns true if lambdas should be inlined. Otherwise a sink node will be
/// generated each time a LambdaExpr is visited.
bool shouldInlineLambdas();
jordan_roseUnsubmitted
Not Done
ReplyInline Actions

"inline" is kind of a misnomer, since we may not actually inline lambdas. I would have suggested "model lambdas" or "lambda support".

jordan_rose: "inline" is kind of a misnomer, since we may not actually inline lambdas. I would have…
xazax.hunAuthorUnsubmitted
Not Done
ReplyInline Actions

Even when this configuration option is set to false, the body of the lambda is analyzed as a top level function. For this reason I think the "lambda support" might be a misnomer too. What do you think?

xazax.hun: Even when this configuration option is set to false, the body of the lambda is analyzed as a…
xazax.hunAuthorUnsubmitted
Not Done
ReplyInline Actions

If we come up with a better name for the option I will address that in a separate patch.

xazax.hun: If we come up with a better name for the option I will address that in a separate patch.
public: public:
AnalyzerOptions() : AnalyzerOptions() :
AnalysisStoreOpt(RegionStoreModel), AnalysisStoreOpt(RegionStoreModel),
AnalysisConstraintsOpt(RangeConstraintsModel), AnalysisConstraintsOpt(RangeConstraintsModel),
AnalysisDiagOpt(PD_HTML), AnalysisDiagOpt(PD_HTML),
AnalysisPurgeOpt(PurgeStmt), AnalysisPurgeOpt(PurgeStmt),
DisableAllChecks(0), DisableAllChecks(0),
ShowCheckerHelp(0), ShowCheckerHelp(0),
Show All 24 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 335 Lines▼ Show 20 Linespublic:
/// VisitMSAsmStmt - Transfer function logic for MS inline asm. /// VisitMSAsmStmt - Transfer function logic for MS inline asm.
void VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred, void VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
/// VisitBlockExpr - Transfer function logic for BlockExprs. /// VisitBlockExpr - Transfer function logic for BlockExprs.
void VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred, void VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
/// VisitLambdaExpr - Transfer function logic for LambdaExprs.
void VisitLambdaExpr(const LambdaExpr *LE, ExplodedNode *Pred,
ExplodedNodeSet &Dst);
/// VisitBinaryOperator - Transfer function logic for binary operators. /// VisitBinaryOperator - Transfer function logic for binary operators.
void VisitBinaryOperator(const BinaryOperator* B, ExplodedNode *Pred, void VisitBinaryOperator(const BinaryOperator* B, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
/// VisitCall - Transfer function for function calls. /// VisitCall - Transfer function for function calls.
void VisitCallExpr(const CallExpr *CE, ExplodedNode *Pred, void VisitCallExpr(const CallExpr *CE, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
▲ Show 20 LinesShow All 269 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/AnalyzerOptions.cpp

Show First 20 LinesShow All 319 Lines▼ Show 20 Lines
bool AnalyzerOptions::shouldPrunePaths() { bool AnalyzerOptions::shouldPrunePaths() {
return getBooleanOption("prune-paths", true); return getBooleanOption("prune-paths", true);
} }
bool AnalyzerOptions::shouldConditionalizeStaticInitializers() { bool AnalyzerOptions::shouldConditionalizeStaticInitializers() {
return getBooleanOption("cfg-conditional-static-initializers", true); return getBooleanOption("cfg-conditional-static-initializers", true);
} }
bool AnalyzerOptions::shouldInlineLambdas() {
return getBooleanOption("inline-lambdas", /*Default=*/false);
}

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 763 Lines▼ Show 20 Lines switch (S->getStmtClass()) {
case Stmt::TypoExprClass: case Stmt::TypoExprClass:
case Stmt::CXXNoexceptExprClass: case Stmt::CXXNoexceptExprClass:
case Stmt::PackExpansionExprClass: case Stmt::PackExpansionExprClass:
case Stmt::SubstNonTypeTemplateParmPackExprClass: case Stmt::SubstNonTypeTemplateParmPackExprClass:
case Stmt::FunctionParmPackExprClass: case Stmt::FunctionParmPackExprClass:
case Stmt::SEHTryStmtClass: case Stmt::SEHTryStmtClass:
case Stmt::SEHExceptStmtClass: case Stmt::SEHExceptStmtClass:
case Stmt::SEHLeaveStmtClass: case Stmt::SEHLeaveStmtClass:
case Stmt::LambdaExprClass:
case Stmt::SEHFinallyStmtClass: { case Stmt::SEHFinallyStmtClass: {
const ExplodedNode *node = Bldr.generateSink(S, Pred, Pred->getState()); const ExplodedNode *node = Bldr.generateSink(S, Pred, Pred->getState());
Engine.addAbortedBlock(node, currBldrCtx->getBlock()); Engine.addAbortedBlock(node, currBldrCtx->getBlock());
break; break;
} }
case Stmt::ParenExprClass: case Stmt::ParenExprClass:
llvm_unreachable("ParenExprs already handled."); llvm_unreachable("ParenExprs already handled.");
▲ Show 20 LinesShow All 227 Lines▼ Show 20 Lines case Stmt::MSAsmStmtClass:
break; break;
case Stmt::BlockExprClass: case Stmt::BlockExprClass:
Bldr.takeNodes(Pred); Bldr.takeNodes(Pred);
VisitBlockExpr(cast<BlockExpr>(S), Pred, Dst); VisitBlockExpr(cast<BlockExpr>(S), Pred, Dst);
Bldr.addNodes(Dst); Bldr.addNodes(Dst);
break; break;
case Stmt::LambdaExprClass:
if (AMgr.options.shouldInlineLambdas()) {
Bldr.takeNodes(Pred);
VisitLambdaExpr(cast<LambdaExpr>(S), Pred, Dst);
Bldr.addNodes(Dst);
} else {
const ExplodedNode *node = Bldr.generateSink(S, Pred, Pred->getState());
Engine.addAbortedBlock(node, currBldrCtx->getBlock());
}
break;
case Stmt::BinaryOperatorClass: { case Stmt::BinaryOperatorClass: {
const BinaryOperator* B = cast<BinaryOperator>(S); const BinaryOperator* B = cast<BinaryOperator>(S);
if (B->isLogicalOp()) { if (B->isLogicalOp()) {
Bldr.takeNodes(Pred); Bldr.takeNodes(Pred);
VisitLogicalExpr(B, Pred, Dst); VisitLogicalExpr(B, Pred, Dst);
Bldr.addNodes(Dst); Bldr.addNodes(Dst);
break; break;
} }
▲ Show 20 LinesShow All 824 Lines▼ Show 20 Linesvoid ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
ProgramStateRef state = Pred->getState(); ProgramStateRef state = Pred->getState();
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
if (const VarDecl *VD = dyn_cast<VarDecl>(D)) { if (const VarDecl *VD = dyn_cast<VarDecl>(D)) {
// C permits "extern void v", and if you cast the address to a valid type, // C permits "extern void v", and if you cast the address to a valid type,
// you can even do things with it. We simply pretend // you can even do things with it. We simply pretend
assert(Ex->isGLValue() || VD->getType()->isVoidType()); assert(Ex->isGLValue() || VD->getType()->isVoidType());
SVal V = state->getLValue(VD, Pred->getLocationContext()); const LocationContext *LocCtxt = Pred->getLocationContext();
const Decl *D = LocCtxt->getDecl();
const auto *MD = D ? dyn_cast<CXXMethodDecl>(D) : nullptr;
const auto *DeclRefEx = dyn_cast<DeclRefExpr>(Ex);
SVal V;
bool CaptureByReference = false;
if (AMgr.options.shouldInlineLambdas() && DeclRefEx &&
DeclRefEx->refersToEnclosingVariableOrCapture() && MD &&
MD->getParent()->isLambda()) {
// Lookup the field of the lambda.
const CXXRecordDecl *CXXRec = MD->getParent();
llvm::DenseMap<const VarDecl *, FieldDecl *> LambdaCaptureFields;
FieldDecl *LambdaThisCaptureField;
CXXRec->getCaptureFields(LambdaCaptureFields, LambdaThisCaptureField);
const FieldDecl *FD = LambdaCaptureFields[VD];
Loc CXXThis =
svalBuilder.getCXXThis(MD, LocCtxt->getCurrentStackFrame());
SVal CXXThisVal = state->getSVal(CXXThis);
V = state->getLValue(FD, CXXThisVal);
if (FD->getType()->isReferenceType() &&
!VD->getType()->isReferenceType())
CaptureByReference = true;
} else {
V = state->getLValue(VD, LocCtxt);
}
// For references, the 'lvalue' is the pointer address stored in the // For references, the 'lvalue' is the pointer address stored in the
// reference region. // reference region.
if (VD->getType()->isReferenceType()) { if (VD->getType()->isReferenceType() || CaptureByReference) {
if (const MemRegion *R = V.getAsRegion()) if (const MemRegion *R = V.getAsRegion())
V = state->getSVal(R); V = state->getSVal(R);
else else
V = UnknownVal(); V = UnknownVal();
} }
Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr, Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
ProgramPoint::PostLValueKind); ProgramPoint::PostLValueKind);
▲ Show 20 LinesShow All 836 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 507 Lines▼ Show 20 Lines const MemRegion *R =
svalBuilder.getRegionManager().getCXXThisRegion( svalBuilder.getRegionManager().getCXXThisRegion(
getContext().getCanonicalType(TE->getType()), getContext().getCanonicalType(TE->getType()),
LCtx); LCtx);
ProgramStateRef state = Pred->getState(); ProgramStateRef state = Pred->getState();
SVal V = state->getSVal(loc::MemRegionVal(R)); SVal V = state->getSVal(loc::MemRegionVal(R));
Bldr.generateNode(TE, Pred, state->BindExpr(TE, LCtx, V)); Bldr.generateNode(TE, Pred, state->BindExpr(TE, LCtx, V));
} }
void ExprEngine::VisitLambdaExpr(const LambdaExpr *LE, ExplodedNode *Pred,
ExplodedNodeSet &Dst) {
const LocationContext *LocCtxt = Pred->getLocationContext();
// Get the region of the lambda itself.
const MemRegion *R = svalBuilder.getRegionManager().getCXXTempObjectRegion(
LE, LocCtxt);
SVal V = loc::MemRegionVal(R);
ProgramStateRef State = Pred->getState();
// If we created a new MemRegion for the lambda, we should explicitly bind
// the captures.
CXXRecordDecl::field_iterator CurField = LE->getLambdaClass()->field_begin();
for (LambdaExpr::const_capture_init_iterator i = LE->capture_init_begin(),
e = LE->capture_init_end();
i != e; ++i, ++CurField) {
SVal Field = State->getLValue(*CurField, V);
SVal InitExpr = State->getSVal(*i, LocCtxt);
State = State->bindLoc(Field, InitExpr);
}
// Decay the Loc into an RValue, because there might be a
// MaterializeTemporaryExpr node above this one which expects the bound value
// to be an RValue.
SVal LambdaRVal = State->getSVal(R);
ExplodedNodeSet Tmp;
StmtNodeBuilder Bldr(Pred, Tmp, *currBldrCtx);
// FIXME: is this the right program point kind?
Bldr.generateNode(LE, Pred,
State->BindExpr(LE, LocCtxt, LambdaRVal),
nullptr, ProgramPoint::PostLValueKind);
// FIXME: Move all post/pre visits to ::Visit().
getCheckerManager().runCheckersForPostStmt(Dst, Tmp, LE, *this);
}

lib/StaticAnalyzer/Core/MemRegion.cpp

Show First 20 LinesShow All 731 Lines▼ Show 20 Lines
} }
/// Look through a chain of LocationContexts to either find the /// Look through a chain of LocationContexts to either find the
/// StackFrameContext that matches a DeclContext, or find a VarRegion /// StackFrameContext that matches a DeclContext, or find a VarRegion
/// for a variable captured by a block. /// for a variable captured by a block.
static llvm::PointerUnion<const StackFrameContext *, const VarRegion *> static llvm::PointerUnion<const StackFrameContext *, const VarRegion *>
getStackOrCaptureRegionForDeclContext(const LocationContext *LC, getStackOrCaptureRegionForDeclContext(const LocationContext *LC,
const DeclContext *DC, const DeclContext *DC,
const VarDecl *VD) { const VarDecl *VD,
MemRegionManager *Mmgr) {
jordan_roseUnsubmitted
Not Done
ReplyInline Actions

Why the extra parameter?

jordan_rose: Why the extra parameter?
xazax.hunAuthorUnsubmitted
Not Done
ReplyInline Actions

This is just a leftover from code evolution, thank you for spotting this.

xazax.hun: This is just a leftover from code evolution, thank you for spotting this.
while (LC) { while (LC) {
if (const StackFrameContext *SFC = dyn_cast<StackFrameContext>(LC)) { if (const StackFrameContext *SFC = dyn_cast<StackFrameContext>(LC)) {
if (cast<DeclContext>(SFC->getDecl()) == DC) if (cast<DeclContext>(SFC->getDecl()) == DC)
return SFC; return SFC;
} }
if (const BlockInvocationContext *BC = if (const BlockInvocationContext *BC =
dyn_cast<BlockInvocationContext>(LC)) { dyn_cast<BlockInvocationContext>(LC)) {
const BlockDataRegion *BR = const BlockDataRegion *BR =
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines if (D->hasGlobalStorage() && !D->isStaticLocal()) {
} }
// Finally handle static locals. // Finally handle static locals.
} else { } else {
// FIXME: Once we implement scope handling, we will need to properly lookup // FIXME: Once we implement scope handling, we will need to properly lookup
// 'D' to the proper LocationContext. // 'D' to the proper LocationContext.
const DeclContext *DC = D->getDeclContext(); const DeclContext *DC = D->getDeclContext();
llvm::PointerUnion<const StackFrameContext *, const VarRegion *> V = llvm::PointerUnion<const StackFrameContext *, const VarRegion *> V =
getStackOrCaptureRegionForDeclContext(LC, DC, D); getStackOrCaptureRegionForDeclContext(LC, DC, D, this);
if (V.is<const VarRegion*>()) if (V.is<const VarRegion*>())
return V.get<const VarRegion*>(); return V.get<const VarRegion*>();
const StackFrameContext *STC = V.get<const StackFrameContext*>(); const StackFrameContext *STC = V.get<const StackFrameContext*>();
if (!STC) if (!STC)
sReg = getUnknownRegion(); sReg = getUnknownRegion();
▲ Show 20 LinesShow All 201 Lines▼ Show 20 LinesMemRegionManager::getCXXBaseObjectRegion(const CXXRecordDecl *RD,
} }
return getSubRegion<CXXBaseObjectRegion>(RD, IsVirtual, Super); return getSubRegion<CXXBaseObjectRegion>(RD, IsVirtual, Super);
} }
const CXXThisRegion* const CXXThisRegion*
MemRegionManager::getCXXThisRegion(QualType thisPointerTy, MemRegionManager::getCXXThisRegion(QualType thisPointerTy,
const LocationContext *LC) { const LocationContext *LC) {
const StackFrameContext *STC = LC->getCurrentStackFrame();
assert(STC);
const PointerType *PT = thisPointerTy->getAs<PointerType>(); const PointerType *PT = thisPointerTy->getAs<PointerType>();
assert(PT); assert(PT);
// Inside the body of the operator() of a lambda a this expr might refer to an
// object in one of the parent location contexts.
const auto *D = dyn_cast<CXXMethodDecl>(LC->getDecl());
// FIXME: when operator() of lambda is analyzed as a top level function and
// 'this' refers to a this to the enclosing scope, there is no right region to
// return.
while (!LC->inTopFrame() &&
PT != D->getThisType(getContext())->getAs<PointerType>()) {
LC = LC->getParent();
D = dyn_cast<CXXMethodDecl>(LC->getDecl());
}
const StackFrameContext *STC = LC->getCurrentStackFrame();
assert(STC);
return getSubRegion<CXXThisRegion>(PT, getStackArgumentsRegion(STC)); return getSubRegion<CXXThisRegion>(PT, getStackArgumentsRegion(STC));
} }
const AllocaRegion* const AllocaRegion*
MemRegionManager::getAllocaRegion(const Expr *E, unsigned cnt, MemRegionManager::getAllocaRegion(const Expr *E, unsigned cnt,
const LocationContext *LC) { const LocationContext *LC) {
const StackFrameContext *STC = LC->getCurrentStackFrame(); const StackFrameContext *STC = LC->getCurrentStackFrame();
assert(STC); assert(STC);
▲ Show 20 LinesShow All 468 LinesShow Last 20 Lines

test/Analysis/dead-stores.cpp

Show First 20 LinesShow All 168 Lines▼ Show 20 Linestemplate <bool f> int radar13213575_testit(int i) {
else else
return y; return y;
} }
int radar_13213575() { int radar_13213575() {
return radar13213575_testit<true>(5) + radar13213575_testit<false>(3); return radar13213575_testit<true>(5) + radar13213575_testit<false>(3);
} }
//===----------------------------------------------------------------------===//
// Dead store checking involving lambdas.
//===----------------------------------------------------------------------===//
int basicLambda(int i, int j) {
i = 5; // no warning
j = 6; // no warning
[i] { (void)i; }();
[&j] { (void)j; }();
i = 2;
j = 3;
return i + j;
}

test/Analysis/lambda-notes.cpp

  • This file was added.
// RUN: %clang_cc1 -std=c++11 -fsyntax-only -analyze -analyzer-checker=core -analyzer-config inline-lambdas=true -analyzer-output plist -verify %s -o %t
// RUN: FileCheck --input-file=%t %s
// Diagnostic inside a lambda
void diagnosticFromLambda() {
int i = 0;
[=] {
int p = 5/i; // expected-warning{{Division by zero}}
(void)p;
}();
}
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>path</key>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>kind</key><string>control</string>
// CHECK: <key>edges</key>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>start</key>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>line</key><integer>8</integer>
// CHECK: <key>col</key><integer>3</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>line</key><integer>8</integer>
// CHECK: <key>col</key><integer>5</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </array>
// CHECK: <key>end</key>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>3</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>3</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </array>
// CHECK: </dict>
// CHECK: </array>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>kind</key><string>event</string>
// CHECK: <key>location</key>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>3</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <key>ranges</key>
// CHECK: <array>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>3</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>line</key><integer>12</integer>
// CHECK: <key>col</key><integer>5</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </array>
// CHECK: </array>
// CHECK: <key>depth</key><integer>0</integer>
// CHECK: <key>extended_message</key>
// CHECK: <string>The value 0 is assigned to field &apos;&apos;</string>
// CHECK: <key>message</key>
// CHECK: <string>The value 0 is assigned to field &apos;&apos;</string>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>kind</key><string>event</string>
// CHECK: <key>location</key>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>3</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <key>ranges</key>
// CHECK: <array>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>3</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>line</key><integer>12</integer>
// CHECK: <key>col</key><integer>5</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </array>
// CHECK: </array>
// CHECK: <key>depth</key><integer>0</integer>
// CHECK: <key>extended_message</key>
// CHECK: <string>Calling &apos;operator()&apos;</string>
// CHECK: <key>message</key>
// CHECK: <string>Calling &apos;operator()&apos;</string>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>kind</key><string>event</string>
// CHECK: <key>location</key>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>5</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <key>depth</key><integer>1</integer>
// CHECK: <key>extended_message</key>
// CHECK: <string>Entered call from &apos;diagnosticFromLambda&apos;</string>
// CHECK: <key>message</key>
// CHECK: <string>Entered call from &apos;diagnosticFromLambda&apos;</string>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>kind</key><string>control</string>
// CHECK: <key>edges</key>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>start</key>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>5</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>line</key><integer>9</integer>
// CHECK: <key>col</key><integer>5</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </array>
// CHECK: <key>end</key>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>line</key><integer>10</integer>
// CHECK: <key>col</key><integer>14</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>line</key><integer>10</integer>
// CHECK: <key>col</key><integer>14</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </array>
// CHECK: </dict>
// CHECK: </array>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>kind</key><string>event</string>
// CHECK: <key>location</key>
// CHECK: <dict>
// CHECK: <key>line</key><integer>10</integer>
// CHECK: <key>col</key><integer>14</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <key>ranges</key>
// CHECK: <array>
// CHECK: <array>
// CHECK: <dict>
// CHECK: <key>line</key><integer>10</integer>
// CHECK: <key>col</key><integer>13</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: <dict>
// CHECK: <key>line</key><integer>10</integer>
// CHECK: <key>col</key><integer>15</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </array>
// CHECK: </array>
// CHECK: <key>depth</key><integer>1</integer>
// CHECK: <key>extended_message</key>
// CHECK: <string>Division by zero</string>
// CHECK: <key>message</key>
// CHECK: <string>Division by zero</string>
// CHECK: </dict>
// CHECK: </array>
// CHECK: <key>description</key><string>Division by zero</string>
// CHECK: <key>category</key><string>Logic error</string>
// CHECK: <key>type</key><string>Division by zero</string>
// CHECK: <key>check_name</key><string>core.DivideZero</string>
// CHECK: <key>issue_context_kind</key><string>C++ method</string>
// CHECK: <key>issue_context</key><string>operator()</string>
// CHECK: <key>issue_hash</key><string>1</string>
// CHECK: <key>location</key>
// CHECK: <dict>
// CHECK: <key>line</key><integer>10</integer>
// CHECK: <key>col</key><integer>14</integer>
// CHECK: <key>file</key><integer>0</integer>
// CHECK: </dict>
// CHECK: </dict>
// CHECK: </array>

test/Analysis/lambdas.cpp

// RUN: %clang_cc1 -std=c++11 -fsyntax-only -analyze -analyzer-checker=debug.DumpCFG %s > %t 2>&1 // RUN: %clang_cc1 -std=c++11 -fsyntax-only -analyze -analyzer-checker=core,debug.ExprInspection -analyzer-config inline-lambdas=true -verify %s
// RUN: %clang_cc1 -std=c++11 -fsyntax-only -analyze -analyzer-checker=core,debug.DumpCFG -analyzer-config inline-lambdas=true %s > %t 2>&1
// RUN: FileCheck --input-file=%t %s // RUN: FileCheck --input-file=%t %s
void clang_analyzer_warnIfReached();
void clang_analyzer_eval(int);
struct X { X(const X&); }; struct X { X(const X&); };
void f(X x) { (void) [x]{}; } void f(X x) { (void) [x]{}; }
// Lambda semantics tests.
void basicCapture() {
int i = 5;
[i]() mutable {
// clang_analyzer_eval does nothing in inlined functions.
if (i != 5)
clang_analyzer_warnIfReached();
++i;
}();
[&i] {
if (i != 5)
clang_analyzer_warnIfReached();
}();
[&i] {
if (i != 5)
clang_analyzer_warnIfReached();
i++;
}();
clang_analyzer_eval(i == 6); // expected-warning{{TRUE}}
}
void deferredLambdaCall() {
int i = 5;
auto l1 = [i]() mutable {
if (i != 5)
clang_analyzer_warnIfReached();
++i;
};
auto l2 = [&i] {
if (i != 5)
clang_analyzer_warnIfReached();
};
auto l3 = [&i] {
if (i != 5)
clang_analyzer_warnIfReached();
i++;
};
l1();
l2();
l3();
clang_analyzer_eval(i == 6); // expected-warning{{TRUE}}
}
void multipleCaptures() {
int i = 5, j = 5;
[i, &j]() mutable {
if (i != 5 && j != 5)
clang_analyzer_warnIfReached();
++i;
++j;
}();
clang_analyzer_eval(i == 5); // expected-warning{{TRUE}}
clang_analyzer_eval(j == 6); // expected-warning{{TRUE}}
[=]() mutable {
if (i != 5 && j != 6)
clang_analyzer_warnIfReached();
++i;
++j;
}();
clang_analyzer_eval(i == 5); // expected-warning{{TRUE}}
clang_analyzer_eval(j == 6); // expected-warning{{TRUE}}
[&]() mutable {
if (i != 5 && j != 6)
clang_analyzer_warnIfReached();
++i;
++j;
}();
clang_analyzer_eval(i == 6); // expected-warning{{TRUE}}
clang_analyzer_eval(j == 7); // expected-warning{{TRUE}}
}
void testReturnValue() {
int i = 5;
auto l = [i] (int a) {
return i + a;
};
int b = l(3);
clang_analyzer_eval(b == 8); // expected-warning{{TRUE}}
}
// Nested lambdas.
void testNestedLambdas() {
int i = 5;
auto l = [i]() mutable {
[&i]() {
++i;
}();
if (i != 6)
clang_analyzer_warnIfReached();
};
l();
clang_analyzer_eval(i == 5); // expected-warning{{TRUE}}
}
// Captured this.
class RandomClass {
int i;
void captureFields() {
i = 5;
[this]() {
// clang_analyzer_eval does nothing in inlined functions.
if (i != 5)
clang_analyzer_warnIfReached();
++i;
}();
clang_analyzer_eval(i == 6); // expected-warning{{TRUE}}
}
};
// Nested this capture.
class RandomClass2 {
int i;
void captureFields() {
i = 5;
[this]() {
// clang_analyzer_eval does nothing in inlined functions.
if (i != 5)
clang_analyzer_warnIfReached();
++i;
[this]() {
// clang_analyzer_eval does nothing in inlined functions.
if (i != 6)
clang_analyzer_warnIfReached();
++i;
}();
}();
clang_analyzer_eval(i == 7); // expected-warning{{TRUE}}
}
};
// Captured function pointers.
void inc(int &x) {
++x;
}
void testFunctionPointerCapture() {
void (*func)(int &) = inc;
int i = 5;
[&i, func] {
func(i);
}();
clang_analyzer_eval(i == 6); // expected-warning{{TRUE}}
}
// Test inline defensive checks
int getNum();
void inlineDefensiveChecks() {
int i = getNum();
[=]() {
if (i == 0)
;
}();
int p = 5/i;
(void)p;
}
// CHECK: [B2 (ENTRY)] // CHECK: [B2 (ENTRY)]
// CHECK: Succs (1): B1 // CHECK: Succs (1): B1
// CHECK: [B1] // CHECK: [B1]
// CHECK: 1: x // CHECK: 1: x
// CHECK: 2: [B1.1] (ImplicitCastExpr, NoOp, const struct X) // CHECK: 2: [B1.1] (ImplicitCastExpr, NoOp, const struct X)
// CHECK: 3: [B1.2] (CXXConstructExpr, struct X) // CHECK: 3: [B1.2] (CXXConstructExpr, struct X)
// CHECK: 4: [x] { // CHECK: 4: [x] {
// CHECK: } // CHECK: }
// CHECK: 5: (void)[B1.4] (CStyleCastExpr, ToVoid, void) // CHECK: 5: (void)[B1.4] (CStyleCastExpr, ToVoid, void)
// CHECK: Preds (1): B2 // CHECK: Preds (1): B2
// CHECK: Succs (1): B0 // CHECK: Succs (1): B0
// CHECK: [B0 (EXIT)] // CHECK: [B0 (EXIT)]
// CHECK: Preds (1): B1 // CHECK: Preds (1): B1

test/Analysis/temporaries.cpp

Show First 20 LinesShow All 293 Lines▼ Show 20 Lines if (isInner ||
check(NoReturnDtor()) || check(NoReturnDtor()) ||
testRecursiveFrames(true)) { testRecursiveFrames(true)) {
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
} }
} }
void testRecursiveFramesStart() { testRecursiveFrames(false); } void testRecursiveFramesStart() { testRecursiveFrames(false); }
void testLambdas() { void testLambdas() {
// This is the test we would like to write: []() { check(NoReturnDtor()); } != nullptr || check(Dtor());
// []() { check(NoReturnDtor()); } != nullptr || check(Dtor());
// But currently the analyzer stops when it encounters a lambda:
[] {};
// The CFG for this now looks correct, but we still do not reach the line
// below.
clang_analyzer_warnIfReached(); // FIXME: Should warn.
} }
void testGnuExpressionStatements(int v) { void testGnuExpressionStatements(int v) {
({ ++v; v == 10 || check(NoReturnDtor()); v == 42; }) || v == 23; ({ ++v; v == 10 || check(NoReturnDtor()); v == 42; }) || v == 23;
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
({ ++v; check(NoReturnDtor()); v == 42; }) || v == 23; ({ ++v; check(NoReturnDtor()); v == 42; }) || v == 23;
clang_analyzer_warnIfReached(); // no warning, unreachable code clang_analyzer_warnIfReached(); // no warning, unreachable code
▲ Show 20 LinesShow All 159 LinesShow Last 20 Lines