This is an archive of the discontinued LLVM Phabricator instance.

Differential D127105

[analyzer] Fix null pointer deref in CastValueChecker
ClosedPublic

Authored by vabridgers on Jun 6 2022, 5:39 AM.

Details

Reviewers
martong
steakhal
NoQ
Commits
rGc7fa4e8a8bc4: [analyzer] Fix null pointer deref in CastValueChecker
Summary

A crash was seen in CastValueChecker due to a null pointer dereference.

The fix uses QualType::getAsString to avoid the null dereference
when a CXXRecordDecl cannot be obtained. A small reproducer is added,
and cast value notes LITs are updated for the new debug messages.

Diff Detail

Event Timeline

vabridgers created this revision.Jun 6 2022, 5:39 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 6 2022, 5:39 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 8 others. · View Herald Transcript
vabridgers requested review of this revision.Jun 6 2022, 5:39 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 6 2022, 5:39 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B168027: Diff 434444.Jun 6 2022, 6:43 AM
vabridgers planned changes to this revision.Jun 6 2022, 11:40 AM

I know this will need a reproducer, and I'm working on that. That work is still in progress.

vabridgers updated this revision to Diff 434628.Jun 6 2022, 3:35 PM

add test case

vabridgers added a comment.Jun 6 2022, 3:36 PM

I was able to find and add a covering test case. I understand the fix may not be "correct", but it does avoid the crash demonstrated by the test case.

Harbormaster completed remote builds in B168167: Diff 434628.Jun 6 2022, 4:08 PM
vabridgers edited the summary of this revision. (Show Details)Jun 6 2022, 5:28 PM
vabridgers updated this revision to Diff 434746.Jun 7 2022, 2:37 AM

Use QualType::getAsString() per suggestion from martong

vabridgers edited the summary of this revision. (Show Details)Jun 7 2022, 2:39 AM
Harbormaster completed remote builds in B168253: Diff 434746.Jun 7 2022, 3:11 AM
steakhal added a comment.Jun 7 2022, 3:56 AM

Likely related to https://github.com/llvm/llvm-project/issues/55715. Mention this in the summary as Fixes #55715.

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
168

So this was null, right? Which caused the crash.

clang/test/Analysis/cast-value-notes.cpp
306

It's good to know which line exactly caused the crash. Put this note right there.

309–310
311

This gotta be the getAs<T>. Please try to reconstruct the 'feel' of it; like return a T* instead of void etc.

clang/test/Analysis/cast-value-state-dump.cpp
26

IDK, I see the motivation, but we don't need the full name of these in most cases.
I find it more disturbing than helpful. I would instead stick to the shorter form.

martong added inline comments.Jun 7 2022, 4:11 AM
clang/test/Analysis/cast-value-state-dump.cpp
26

I see your point, but I this way, the checker provides more precise type info, which is good in my opinion.

steakhal added a comment.Jun 7 2022, 5:08 AM

Vince, please update the summary - it looks really weird. Along with that the content of it might not be much useful, as we have a test case to demonstrate the crash; you can probably remove those dumps etc.
Otherwise LGTM.

clang/test/Analysis/cast-value-state-dump.cpp
26

Okay. It's not that important. This is a domain-specific check only for llvm codebases, so I'm not too picky about it.

vabridgers added inline comments.Jun 7 2022, 5:43 AM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
168

Yes, the call to "CastToTy->getPointeeCXXRecordDecl()" returned nullptr, which was then used to dereference getNameAsString(), then boom :)

clang/test/Analysis/cast-value-notes.cpp
306

Will address, thank you

311

I'll attempt a further simplification. This was the product of a very long and tedious manual and creduce reduction process from a 12M preprocessed file :/

steakhal added inline comments.Jun 7 2022, 6:10 AM
clang/test/Analysis/cast-value-notes.cpp
311

What I'm proposing is concretization.

Something like this:

template <typename> struct PointerUnion {
  template <typename T> T* getAs() {
    (void)isa<int>(*this);
    return nullptr;
}
vabridgers updated this revision to Diff 434821.Jun 7 2022, 8:18 AM

address @steakhal comments

vabridgers marked 8 inline comments as done.Jun 7 2022, 8:19 AM

I think all comments have been addressed, please let me know if I missed some detail :) Best!

vabridgers edited the summary of this revision. (Show Details)Jun 7 2022, 8:20 AM
Harbormaster completed remote builds in B168308: Diff 434821.Jun 7 2022, 8:45 AM
steakhal accepted this revision.Jun 7 2022, 9:33 AM
This revision is now accepted and ready to land.Jun 7 2022, 9:33 AM
Closed by commit rGc7fa4e8a8bc4: [analyzer] Fix null pointer deref in CastValueChecker (authored by vabridgers, committed by einvbri <vince.a.bridgers@ericsson.com>). · Explain WhyJun 7 2022, 10:35 AM
This revision was automatically updated to reflect the committed changes.
einvbri <vince.a.bridgers@ericsson.com> added a commit: rGc7fa4e8a8bc4: [analyzer] Fix null pointer deref in CastValueChecker.
steakhal added a comment.Jun 8 2022, 12:28 AM

Submitted a backport request to land this in clang-14.0.5, since many llvm devs might be affected by this crash due to clangd and clang-tidy integration.
https://github.com/llvm/llvm-project/issues/55937

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
8 lines
test/
Analysis/
63 lines
4 lines

Diff 434883

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

Show First 20 LinesShow All 102 Lines▼ Show 20 Lines
} }
static const NoteTag *getNoteTag(CheckerContext &C, static const NoteTag *getNoteTag(CheckerContext &C,
const DynamicCastInfo *CastInfo, const DynamicCastInfo *CastInfo,
QualType CastToTy, const Expr *Object, QualType CastToTy, const Expr *Object,
bool CastSucceeds, bool IsKnownCast) { bool CastSucceeds, bool IsKnownCast) {
std::string CastToName = std::string CastToName =
CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString() CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
: CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); : CastToTy.getAsString();
Object = Object->IgnoreParenImpCasts(); Object = Object->IgnoreParenImpCasts();
return C.getNoteTag( return C.getNoteTag(
[=]() -> std::string { [=]() -> std::string {
SmallString<128> Msg; SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
if (!IsKnownCast) if (!IsKnownCast)
Show All 38 Lines return C.getNoteTag(
} else { } else {
Out << (IsKnownCast ? "The object" : "the object"); Out << (IsKnownCast ? "The object" : "the object");
} }
Out << " is"; Out << " is";
bool First = true; bool First = true;
for (QualType CastToTy: CastToTyVec) { for (QualType CastToTy: CastToTyVec) {
std::string CastToName = std::string CastToName =
CastToTy->getAsCXXRecordDecl() ? CastToTy->getAsCXXRecordDecl()
CastToTy->getAsCXXRecordDecl()->getNameAsString() : ? CastToTy->getAsCXXRecordDecl()->getNameAsString()
CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); : CastToTy.getAsString();
steakhalUnsubmitted
Done
ReplyInline Actions

So this was null, right? Which caused the crash.

steakhal: So this was null, right? Which caused the crash.
vabridgersAuthorUnsubmitted
Done
ReplyInline Actions

Yes, the call to "CastToTy->getPointeeCXXRecordDecl()" returned nullptr, which was then used to dereference getNameAsString(), then boom :)

vabridgers: Yes, the call to "CastToTy->getPointeeCXXRecordDecl()" returned nullptr, which was then used to…
Out << ' ' << ((CastToTyVec.size() == 1) ? "not" : Out << ' ' << ((CastToTyVec.size() == 1) ? "not" :
(First ? "neither" : "nor")) << " a '" << CastToName (First ? "neither" : "nor")) << " a '" << CastToName
<< '\''; << '\'';
First = false; First = false;
} }
return std::string(Out.str()); return std::string(Out.str());
}, },
▲ Show 20 LinesShow All 352 LinesShow Last 20 Lines

clang/test/Analysis/cast-value-notes.cpp

Show First 20 LinesShow All 67 Lines▼ Show 20 Lines
using namespace llvm; using namespace llvm;
using namespace clang; using namespace clang;
void clang_analyzer_printState(); void clang_analyzer_printState();
#if defined(X86) #if defined(X86)
void evalReferences(const Shape &S) { void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S); const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
clang_analyzer_printState(); clang_analyzer_printState();
// XX86-CHECK: "dynamic_types": [ // XX86-CHECK: "dynamic_types": [
// XX86-CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const class clang::Circle &", "sub_classable": true } // XX86-CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const class clang::Circle &", "sub_classable": true }
(void)C; (void)C;
} }
#if defined(SUPPRESSED) #if defined(SUPPRESSED)
void evalReferences_addrspace(const Shape &S) { void evalReferences_addrspace(const Shape &S) {
const auto &C = dyn_cast<DEVICE Circle>(S); const auto &C = dyn_cast<DEVICE Circle>(S);
clang_analyzer_printState(); clang_analyzer_printState();
// X86-CHECK-SUPPRESSED: "dynamic_types": [ // X86-CHECK-SUPPRESSED: "dynamic_types": [
// X86-CHECK-SUPPRESSED-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const __attribute__((address_space(3))) class clang::Circle &", "sub_classable": true } // X86-CHECK-SUPPRESSED-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const __attribute__((address_space(3))) class clang::Circle &", "sub_classable": true }
(void)C; (void)C;
} }
#endif #endif
#if defined(NOT_SUPPRESSED) #if defined(NOT_SUPPRESSED)
void evalReferences_addrspace(const Shape &S) { void evalReferences_addrspace(const Shape &S) {
const auto &C = dyn_cast<DEVICE Circle>(S); const auto &C = dyn_cast<DEVICE Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const __attribute__((address_space(3))) class clang::Circle &'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
clang_analyzer_printState(); clang_analyzer_printState();
// X86-CHECK: "dynamic_types": [ // X86-CHECK: "dynamic_types": [
// X86-CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const __attribute__((address_space(3))) class clang::Circle &", "sub_classable": true } // X86-CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const __attribute__((address_space(3))) class clang::Circle &", "sub_classable": true }
(void)C; (void)C;
} }
#endif #endif
#elif defined(MIPS) #elif defined(MIPS)
void evalReferences(const Shape &S) { void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S); const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
} }
#if defined(MIPS_SUPPRESSED) #if defined(MIPS_SUPPRESSED)
void evalReferences_addrspace(const Shape &S) { void evalReferences_addrspace(const Shape &S) {
const auto &C = dyn_cast<DEVICE Circle>(S); const auto &C = dyn_cast<DEVICE Circle>(S);
(void)C; (void)C;
} }
#endif #endif
#endif #endif
void evalNonNullParamNonNullReturnReference(const Shape &S) { void evalNonNullParamNonNullReturnReference(const Shape &S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{'C' initialized here}} // expected-note@-1 {{'C' initialized here}}
if (!dyn_cast_or_null<Circle>(C)) { if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Triangle>(C)) { if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Rectangle>(C)) { if (dyn_cast_or_null<Rectangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Hexagon>(C)) { if (dyn_cast_or_null<Hexagon>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (isa<Triangle>(C)) { if (isa<Triangle>(C)) {
// expected-note@-1 {{'C' is not a 'Triangle'}} // expected-note@-1 {{'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
Show All 19 Lines if (isa<Circle, Rectangle, Hexagon>(C)) {
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
} }
void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = cast<Circle>(S); const auto *C = cast<Circle>(S);
// expected-note@-1 {{'S' is a 'Circle'}} // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
if (!dyn_cast_or_null<Circle>(C)) { if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Triangle>(C)) { if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Rectangle>(C)) { if (dyn_cast_or_null<Rectangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Hexagon>(C)) { if (dyn_cast_or_null<Hexagon>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (isa<Triangle>(C)) { if (isa<Triangle>(C)) {
// expected-note@-1 {{'C' is not a 'Triangle'}} // expected-note@-1 {{'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
Show All 19 Lines if (isa<Circle, Rectangle, Hexagon>(C)) {
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
} }
void evalNonNullParamNullReturn(const Shape *S) { void evalNonNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
if (const auto *T = dyn_cast_or_null<Triangle>(S)) { if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}} // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
// expected-note@-2 {{'T' initialized here}} // expected-note@-2 {{'T' initialized here}}
// expected-note@-3 {{'T' is non-null}} // expected-note@-3 {{'T' is non-null}}
// expected-note@-4 {{Taking true branch}} // expected-note@-4 {{Taking true branch}}
(void)(1 / !T); (void)(1 / !T);
// expected-note@-1 {{'T' is non-null}} // expected-note@-1 {{'T' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
} }
void evalNullParamNullReturn(const Shape *S) { void evalNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming null pointer is passed into cast}} // expected-note@-1 {{Assuming null pointer is passed into cast}}
// expected-note@-2 {{'C' initialized to a null pointer value}} // expected-note@-2 {{'C' initialized to a null pointer value}}
(void)(1 / (bool)C); (void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}} // expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}} // expected-warning@-2 {{Division by zero}}
} }
void evalZeroParamNonNullReturnPointer(const Shape *S) { void evalZeroParamNonNullReturnPointer(const Shape *S) {
const auto *C = S->castAs<Circle>(); const auto *C = S->castAs<Circle>();
// expected-note@-1 {{'S' is a 'Circle'}} // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
(void)(1 / !C); (void)(1 / !C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
void evalZeroParamNonNullReturn(const Shape &S) { void evalZeroParamNonNullReturn(const Shape &S) {
const auto *C = S.castAs<Circle>(); const auto *C = S.castAs<Circle>();
// expected-note@-1 {{'C' initialized here}} // expected-note@-1 {{'C' initialized here}}
(void)(1 / !C); (void)(1 / !C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
void evalZeroParamNullReturn(const Shape *S) { void evalZeroParamNullReturn(const Shape *S) {
const auto &C = S->getAs<Circle>(); const auto &C = S->getAs<Circle>();
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
// expected-note@-2 {{Storing null pointer value}} // expected-note@-2 {{Storing null pointer value}}
// expected-note@-3 {{'C' initialized here}} // expected-note@-3 {{'C' initialized here}}
if (!dyn_cast_or_null<Triangle>(S)) { if (!dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}} // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (!dyn_cast_or_null<Triangle>(S)) { if (!dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{'S' is a 'Triangle'}} // expected-note@-1 {{'S' is a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
(void)(1 / (bool)C); (void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}} // expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}} // expected-warning@-2 {{Division by zero}}
} }
// don't crash
steakhalUnsubmitted
Done
ReplyInline Actions

It's good to know which line exactly caused the crash. Put this note right there.

steakhal: It's good to know which line exactly caused the crash. Put this note right there.
vabridgersAuthorUnsubmitted
Done
ReplyInline Actions

Will address, thank you

vabridgers: Will address, thank you
// CastValueChecker was using QualType()->getPointeeCXXRecordDecl(), in
// getNoteTag which evaluated to nullptr, then crashed when attempting to
// deref an invocation to getNameAsString(). The fix is to use
// QualType().getAsString().
steakhalUnsubmitted
Done
ReplyInline Actions
template <typename, typename a> void isa(a &);
- template <typename> class PointerUnion {
- public:
+ template <typename> struct PointerUnion {
template <typename> void b() { isa<int>(*this); }
steakhal:
//
steakhalUnsubmitted
Done
ReplyInline Actions

This gotta be the getAs<T>. Please try to reconstruct the 'feel' of it; like return a T* instead of void etc.

steakhal: This gotta be the `getAs<T>`. Please try to reconstruct the 'feel' of it; like return a `T*`…
vabridgersAuthorUnsubmitted
Done
ReplyInline Actions

I'll attempt a further simplification. This was the product of a very long and tedious manual and creduce reduction process from a 12M preprocessed file :/

vabridgers: I'll attempt a further simplification. This was the product of a very long and tedious manual…
steakhalUnsubmitted
Done
ReplyInline Actions

What I'm proposing is concretization.

Something like this:

template <typename> struct PointerUnion {
  template <typename T> T* getAs() {
    (void)isa<int>(*this);
    return nullptr;
}
steakhal: What I'm proposing is //concretization//. Something like this: ```lang=C++ template…
// Example:
// std::string CastToName =
// CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
// : CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
// Changed to:
// std::string CastToName =
// CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
// : CastToTy.getAsString();
namespace llvm {
template <typename, typename a> void isa(a &);
template <typename> class PointerUnion {
public:
template <typename T> T *getAs() {
(void)isa<int>(*this);
return nullptr;
}
};
class LLVMContext {
PointerUnion<LLVMContext> c;
void d() { c.getAs<int>(); }
};
} // namespace llvm

clang/test/Analysis/cast-value-state-dump.cpp

Show All 12 Lines
class Square : public Shape {}; class Square : public Shape {};
} // namespace clang } // namespace clang
using namespace llvm; using namespace llvm;
using namespace clang; using namespace clang;
void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is a 'Circle'}} // expected-note@-1 {{Assuming 'S' is a 'const class clang::Circle *'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
// FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'. // FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'.
if (dyn_cast_or_null<Square>(S)) { if (dyn_cast_or_null<Square>(S)) {
// expected-note@-1 {{Assuming 'S' is not a 'Square'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Square *'}}
steakhalUnsubmitted
Done
ReplyInline Actions

IDK, I see the motivation, but we don't need the full name of these in most cases.
I find it more disturbing than helpful. I would instead stick to the shorter form.

steakhal: IDK, I see the motivation, but we don't need the full name of these in most cases. I find it…
martongUnsubmitted
Done
ReplyInline Actions

I see your point, but I this way, the checker provides more precise type info, which is good in my opinion.

martong: I see your point, but I this way, the checker provides more precise type info, which is good in…
steakhalUnsubmitted
Done
ReplyInline Actions

Okay. It's not that important. This is a domain-specific check only for llvm codebases, so I'm not too picky about it.

steakhal: Okay. It's not that important. This is a domain-specific check only for llvm codebases, so I'm…
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
clang_analyzer_printState(); clang_analyzer_printState();
// CHECK: "dynamic_types": [ // CHECK: "dynamic_types": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "dyn_type": "const class clang::Circle", "sub_classable": true } // CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "dyn_type": "const class clang::Circle", "sub_classable": true }
Show All 13 Lines