This is an archive of the discontinued LLVM Phabricator instance.

Differential D127643

[Static Analyzer] Structured bindings to data members
ClosedPublic

Authored by isuckatcs on Jun 13 2022, 7:49 AM.

Details

Reviewers
NoQ
xazax.hun
Szelethus
t-rasmud
Commits
rGe77ac66b8c1c: [Static Analyzer] Structured binding to data members
Summary

Handling structured bindings to data members are relatively straightforward, as everything is taken care of by handleConstructor.

All that's left to do is just reading the values from the specific region.

At the moment if the struct is not considered a small struct (for more information see RegionStoreManager::bindStruct()), a lazy
compound value is created insted of an actual copy, from which the static analyzer fails to read the field values if they are Undefined,
it reads Unknown instead.

Diff Detail

Event Timeline

isuckatcs created this revision.Jun 13 2022, 7:49 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 13 2022, 7:49 AM
Herald added subscribers: manas, ASDenysPetrov, martong and 5 others. · View Herald Transcript
isuckatcs requested review of this revision.Jun 13 2022, 7:49 AM
isuckatcs retitled this revision from [Static Analyzer] Structured binding to data members to [Static Analyzer] Structured bindings to data members.
Harbormaster completed remote builds in B169445: Diff 436383.Jun 13 2022, 8:26 AM
martong added a comment.Jun 13 2022, 8:39 AM

I am not sure in what maturity do we handle lambda captures, but if we do handle them then this https://reviews.llvm.org/D122768 should be of your and your mentor's interest.

NoQ added inline comments.Jun 15 2022, 11:33 PM
clang/test/Analysis/uninit-structured-binding-struct.cpp
69

Another thing we could try to test is whether i is known to be equal to 1:

clang_analyzer_eval(x == 1); // expected-warning{{TRUE}}

(https://clang.llvm.org/docs/analyzer/developer-docs/DebugChecks.html#exprinspection-checks)

NoQ accepted this revision.Jun 15 2022, 11:36 PM

I think this patch is straightforward and good to go. It's nice to know that we already handle most of this stuff out of the box.

In D127643#3578265, @martong wrote:

I am not sure in what maturity do we handle lambda captures, but if we do handle them then this https://reviews.llvm.org/D122768 should be of your and your mentor's interest.

Oh thanks, that's gonna be fun! Our handling of lambdas is more or less ok, it still has missing pieces but we can at least handle some cases.

This revision is now accepted and ready to land.Jun 15 2022, 11:36 PM
isuckatcs updated this revision to Diff 437548.Jun 16 2022, 8:02 AM

Addressed the comment about using clang_analyzer_eval()

isuckatcs marked an inline comment as done.Jun 16 2022, 8:02 AM
xazax.hun accepted this revision.Jun 16 2022, 8:14 AM

I think you might want to add some test cases with a non-pod class. Of course, we can do way less in those cases. But at least the tests would demonstrate that we do not crash on code like that.

Otherwise it looks good to me, nice work!

xazax.hun added inline comments.Jun 16 2022, 8:18 AM
clang/test/Analysis/uninit-structured-binding-struct.cpp
49

Maybe we could also test the following scenario:

i = 2;
clang_analyzer_eval(tst.a == 2);
Harbormaster completed remote builds in B170271: Diff 437548.Jun 16 2022, 9:00 AM
isuckatcs updated this revision to Diff 437562.Jun 16 2022, 9:05 AM

Addressed comments

isuckatcs marked an inline comment as done.Jun 16 2022, 9:05 AM
xazax.hun added a comment.Jun 16 2022, 9:24 AM

I think we stall lack a non-POD testcase. Otherwise it is good to go :)

Harbormaster completed remote builds in B170282: Diff 437562.Jun 16 2022, 10:32 AM
isuckatcs updated this revision to Diff 437834.Jun 17 2022, 2:55 AM
  • Updated existing testcases so clang_analyzer_eval() evalutes the arguments
  • Added testcases with non-POD types.
Harbormaster completed remote builds in B170463: Diff 437834.Jun 17 2022, 3:49 AM
xazax.hun accepted this revision.Jun 17 2022, 9:39 AM

Thanks, I think this is now OK to commit.

This revision was landed with ongoing or failed builds.Jun 17 2022, 10:50 AM
Closed by commit rGe77ac66b8c1c: [Static Analyzer] Structured binding to data members (authored by isuckatcs). · Explain Why
This revision was automatically updated to reflect the committed changes.
isuckatcs added a commit: rGe77ac66b8c1c: [Static Analyzer] Structured binding to data members.
Herald added a subscriber: cfe-commits. · View Herald TranscriptJun 17 2022, 10:50 AM
steakhal added a subscriber: steakhal.Jun 20 2022, 2:32 AM

I missed this commit because it was not tagged by "[analyzer]".
What is the community preference about tagging CSA commits?

Szelethus added a comment.Jul 1 2022, 3:37 AM

I read https://en.cppreference.com/w/cpp/language/structured_binding carefully, and there are a number of interesting rules that might deserve their own test case, even if this isn't the patch where you solve that issue, or believe that the solution handles it without the need for special case handling.

Just to name a few, you seem to not have test cases for when the bindings are cv-qualified. If you declare structured bindings like this:

struct s {
  int a;
  int b;
};

void a(void) {
  s tst;

  auto [i, j](tst); // Syntax (3) according to cppreference

  int x = i; // expected-warning{{Assigned value is garbage or undefined}}
}

then the bindings are direct initialized, not copy initialized.

I'm not sure that the actual standard has anything that cppreference doesn't, but maybe we could give it a glance.

clang/test/Analysis/uninit-structured-binding-struct.cpp
10

In the long run, it might make your own life easier to create more talkative test function names, like testPODDecomp or smt like that.

NoQ added a comment.Jul 6 2022, 7:04 PM
In D127643#3595731, @steakhal wrote:

I missed this commit because it was not tagged by "[analyzer]".
What is the community preference about tagging CSA commits?

I think [analyzer] is a good tag, no need to change anything. I also just set up my subscriptions by directories rather than by tags and I like how it works.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
19 lines
test/
Analysis/
116 lines

Diff 437972

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 2,585 Lines▼ Show 20 Lines Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
ProgramPoint::PostLValueKind); ProgramPoint::PostLValueKind);
return; return;
} }
if (isa<FieldDecl, IndirectFieldDecl>(D)) { if (isa<FieldDecl, IndirectFieldDecl>(D)) {
// Delegate all work related to pointer to members to the surrounding // Delegate all work related to pointer to members to the surrounding
// operator&. // operator&.
return; return;
} }
if (isa<BindingDecl>(D)) { if (const auto *BD = dyn_cast<BindingDecl>(D)) {
// FIXME: proper support for bound declarations. const auto *DD = cast<DecompositionDecl>(BD->getDecomposedDecl());
// For now, let's just prevent crashing.
if (const auto *ME = dyn_cast<MemberExpr>(BD->getBinding())) {
const auto *Field = cast<FieldDecl>(ME->getMemberDecl());
SVal Base = state->getLValue(DD, LCtx);
if (DD->getType()->isReferenceType()) {
Base = state->getSVal(Base.getAsRegion());
}
SVal V = state->getLValue(Field, Base);
Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V));
}
return; return;
} }
llvm_unreachable("Support for this Decl not implemented."); llvm_unreachable("Support for this Decl not implemented.");
} }
/// VisitArraySubscriptExpr - Transfer function for array accesses /// VisitArraySubscriptExpr - Transfer function for array accesses
void ExprEngine::VisitArraySubscriptExpr(const ArraySubscriptExpr *A, void ExprEngine::VisitArraySubscriptExpr(const ArraySubscriptExpr *A,
▲ Show 20 LinesShow All 656 LinesShow Last 20 Lines

clang/test/Analysis/uninit-structured-binding-struct.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -std=c++17 -verify %s
void clang_analyzer_eval(bool);
struct s {
int a;
int b;
};
void a(void) {
SzelethusUnsubmitted
Not Done
ReplyInline Actions

In the long run, it might make your own life easier to create more talkative test function names, like testPODDecomp or smt like that.

Szelethus: In the long run, it might make your own life easier to create more talkative test function…
s tst;
auto [i, j] = tst;
int x = i; // expected-warning{{Assigned value is garbage or undefined}}
}
void b(void) {
s tst;
tst.a = 1;
auto [i, j] = tst;
clang_analyzer_eval(i == 1); // expected-warning{{TRUE}}
int y = j; // expected-warning{{Assigned value is garbage or undefined}}
}
void c(void) {
s tst;
auto &[i, j] = tst;
int x = i; // expected-warning{{Assigned value is garbage or undefined}}
}
void d(void) {
s tst;
tst.a = 1;
auto &[i, j] = tst;
clang_analyzer_eval(i == 1); // expected-warning{{TRUE}}
i = 2;
clang_analyzer_eval(tst.a == 2); // expected-warning{{TRUE}}
int y = j; // expected-warning{{Assigned value is garbage or undefined}}
}
void e(void) {
xazax.hunUnsubmitted
Done
ReplyInline Actions

Maybe we could also test the following scenario:

i = 2;
clang_analyzer_eval(tst.a == 2);
xazax.hun: Maybe we could also test the following scenario: ``` i = 2; clang_analyzer_eval(tst.a == 2)…
s tst;
tst.a = 1;
auto &[i, j] = tst;
clang_analyzer_eval(i == 1); // expected-warning{{TRUE}}
tst.b = 2;
clang_analyzer_eval(j == 2); // expected-warning{{TRUE}}
}
void f(void) {
s tst;
auto &&[i, j] = tst;
int x = i; // expected-warning{{Assigned value is garbage or undefined}}
}
void g(void) {
NoQUnsubmitted
Done
ReplyInline Actions

Another thing we could try to test is whether i is known to be equal to 1:

clang_analyzer_eval(x == 1); // expected-warning{{TRUE}}

(https://clang.llvm.org/docs/analyzer/developer-docs/DebugChecks.html#exprinspection-checks)

NoQ: Another thing we could try to test is whether `i` is known to be equal to `1`: ```lang=c++…
s tst;
tst.a = 1;
auto &&[i, j] = tst;
clang_analyzer_eval(i == 1); // expected-warning{{TRUE}}
int y = j; // expected-warning{{Assigned value is garbage or undefined}}
}
struct s2 {
int a = 1;
int b = 2;
};
struct s3 {
s x;
s2 y;
};
void h(void) {
s3 tst;
clang_analyzer_eval(tst.y.a == 1); // expected-warning{{TRUE}}
auto [i, j] = tst;
// FIXME: These should be undefined, but we have to fix
// reading undefined from lazy compound values first.
clang_analyzer_eval(i.a); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i.b); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(j.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(j.b == 2); // expected-warning{{TRUE}}
}
void i(void) {
s3 tst;
clang_analyzer_eval(tst.y.a == 1); // expected-warning{{TRUE}}
auto &[i, j] = tst;
j.a = 3;
clang_analyzer_eval(tst.y.a == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(tst.y.b == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(j.b == 2); // expected-warning{{TRUE}}
}