This is an archive of the discontinued LLVM Phabricator instance.

Differential D129097

[clang][dataflow] Handle null pointers of type std::nullptr_t
ClosedPublic

Authored by li.zhe.hua on Jul 4 2022, 1:48 PM.

Details

Reviewers
gribozavr2
NoQ
Commits
rGf10d271ae27f: [clang][dataflow] Handle null pointers of type std::nullptr_t
Summary

Treat std::nullptr_t as a regular scalar type to avoid tripping
assertions when analyzing code that uses std::nullptr_t.

Diff Detail

Event Timeline

li.zhe.hua created this revision.Jul 4 2022, 1:48 PM
Herald added a reviewer: NoQ. · View Herald TranscriptJul 4 2022, 1:48 PM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, tschuett, xazax.hun. · View Herald Transcript
li.zhe.hua requested review of this revision.Jul 4 2022, 1:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 4 2022, 1:48 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B173599: Diff 442144.Jul 4 2022, 2:24 PM
gribozavr2 accepted this revision.Jul 5 2022, 5:47 AM
gribozavr2 added inline comments.
clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
61

Could you add a comment to the header that a caller may pass a null PointeeType as a "pointee" of a nullptr_t?

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
2216–2226
This revision is now accepted and ready to land.Jul 5 2022, 5:47 AM
li.zhe.hua updated this revision to Diff 442291.Jul 5 2022, 6:48 AM
li.zhe.hua marked 2 inline comments as done.

Address comments.

This revision was landed with ongoing or failed builds.Jul 5 2022, 6:51 AM
Closed by commit rGf10d271ae27f: [clang][dataflow] Handle null pointers of type std::nullptr_t (authored by li.zhe.hua). · Explain Why
This revision was automatically updated to reflect the committed changes.
li.zhe.hua added a commit: rGf10d271ae27f: [clang][dataflow] Handle null pointers of type std::nullptr_t.
Harbormaster completed remote builds in B173702: Diff 442291.Jul 5 2022, 7:37 AM
sgatev added a subscriber: sgatev.Aug 2 2022, 1:34 PM
sgatev added inline comments.
clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
96

This is inconsistent with the change introduced by this patch.

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
27–28

What does that mean? We are analyzing an incomplete translation unit? Why would the type ever be null here?

li.zhe.hua marked an inline comment as done.Aug 3 2022, 9:57 AM
li.zhe.hua added inline comments.
clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
96

Ah, you're correct. I can mail a fix out later today.

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
27–28

See the motivating test case:

// Alternatively, use `std::nullptr_t` instead of `my_nullptr_t`.
using my_nullptr_t = decltype(nullptr);
my_nullptr_t Null = 0;

This triggers getOrCreateNullPointerValue to be called with a null pointee type.

li.zhe.hua mentioned this in D131109: [clang][dataflow][NFC] Fix outdated comment on getStableStorageLocation.Aug 3 2022, 1:19 PM
li.zhe.hua mentioned this in rG54d24eae9872: [clang][dataflow][NFC] Fix outdated comment on getStableStorageLocation.Aug 4 2022, 8:15 AM

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
FlowSensitive/
14 lines
lib/
Analysis/
FlowSensitive/
8 lines
unittests/
Analysis/
FlowSensitive/
13 lines

Diff 442144

clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h

Show First 20 LinesShow All 87 Lines▼ Show 20 Lines takeOwnership(std::unique_ptr<T> Val) {
Vals.push_back(std::move(Val)); Vals.push_back(std::move(Val));
return *cast<T>(Vals.back().get()); return *cast<T>(Vals.back().get());
} }
/// Returns a stable storage location appropriate for `Type`. /// Returns a stable storage location appropriate for `Type`.
/// ///
/// Requirements: /// Requirements:
/// ///
/// `Type` must not be null. /// `Type` must not be null.
sgatevUnsubmitted
Not Done
ReplyInline Actions

This is inconsistent with the change introduced by this patch.

sgatev: This is inconsistent with the change introduced by this patch.
li.zhe.huaAuthorUnsubmitted
Done
ReplyInline Actions

Ah, you're correct. I can mail a fix out later today.

li.zhe.hua: Ah, you're correct. I can mail a fix out later today.
StorageLocation &getStableStorageLocation(QualType Type); StorageLocation &getStableStorageLocation(QualType Type);
/// Returns a stable storage location for `D`. /// Returns a stable storage location for `D`.
StorageLocation &getStableStorageLocation(const VarDecl &D); StorageLocation &getStableStorageLocation(const VarDecl &D);
/// Returns a stable storage location for `E`. /// Returns a stable storage location for `E`.
StorageLocation &getStableStorageLocation(const Expr &E); StorageLocation &getStableStorageLocation(const Expr &E);
▲ Show 20 LinesShow All 141 Lines▼ Show 20 Linespublic:
bool flowConditionIsTautology(AtomicBoolValue &Token); bool flowConditionIsTautology(AtomicBoolValue &Token);
/// Returns true if `Val1` is equivalent to `Val2`. /// Returns true if `Val1` is equivalent to `Val2`.
/// Note: This function doesn't take into account constraints on `Val1` and /// Note: This function doesn't take into account constraints on `Val1` and
/// `Val2` imposed by the flow condition. /// `Val2` imposed by the flow condition.
bool equivalentBoolValues(BoolValue &Val1, BoolValue &Val2); bool equivalentBoolValues(BoolValue &Val1, BoolValue &Val2);
private: private:
struct NullableQualTypeDenseMapInfo : private llvm::DenseMapInfo<QualType> {
static QualType getEmptyKey() {
// Allow a NULL `QualType` by using a different value as the empty key.
return QualType::getFromOpaquePtr(reinterpret_cast<Type *>(1));
}
using DenseMapInfo::getHashValue;
using DenseMapInfo::getTombstoneKey;
using DenseMapInfo::isEqual;
};
/// Adds all constraints of the flow condition identified by `Token` and all /// Adds all constraints of the flow condition identified by `Token` and all
/// of its transitive dependencies to `Constraints`. `VisitedTokens` is used /// of its transitive dependencies to `Constraints`. `VisitedTokens` is used
/// to track tokens of flow conditions that were already visited by recursive /// to track tokens of flow conditions that were already visited by recursive
/// calls. /// calls.
void addTransitiveFlowConditionConstraints( void addTransitiveFlowConditionConstraints(
AtomicBoolValue &Token, llvm::DenseSet<BoolValue *> &Constraints, AtomicBoolValue &Token, llvm::DenseSet<BoolValue *> &Constraints,
llvm::DenseSet<AtomicBoolValue *> &VisitedTokens); llvm::DenseSet<AtomicBoolValue *> &VisitedTokens);
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesprivate:
StorageLocation *ThisPointeeLoc = nullptr; StorageLocation *ThisPointeeLoc = nullptr;
// Null pointer values, keyed by the canonical pointee type. // Null pointer values, keyed by the canonical pointee type.
// //
// FIXME: The pointer values are indexed by the pointee types which are // FIXME: The pointer values are indexed by the pointee types which are
// required to initialize the `PointeeLoc` field in `PointerValue`. Consider // required to initialize the `PointeeLoc` field in `PointerValue`. Consider
// creating a type-independent `NullPointerValue` without a `PointeeLoc` // creating a type-independent `NullPointerValue` without a `PointeeLoc`
// field. // field.
llvm::DenseMap<QualType, PointerValue *> NullPointerVals; llvm::DenseMap<QualType, PointerValue *, NullableQualTypeDenseMapInfo>
NullPointerVals;
AtomicBoolValue &TrueVal; AtomicBoolValue &TrueVal;
AtomicBoolValue &FalseVal; AtomicBoolValue &FalseVal;
// Indices that are used to avoid recreating the same composite boolean // Indices that are used to avoid recreating the same composite boolean
// values. // values.
llvm::DenseMap<std::pair<BoolValue *, BoolValue *>, ConjunctionValue *> llvm::DenseMap<std::pair<BoolValue *, BoolValue *>, ConjunctionValue *>
ConjunctionVals; ConjunctionVals;
Show All 25 Lines

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp

Show All 18 Lines
#include <memory> #include <memory>
#include <utility> #include <utility>
namespace clang { namespace clang {
namespace dataflow { namespace dataflow {
StorageLocation & StorageLocation &
DataflowAnalysisContext::getStableStorageLocation(QualType Type) { DataflowAnalysisContext::getStableStorageLocation(QualType Type) {
assert(!Type.isNull()); if (!Type.isNull() &&
if (Type->isStructureOrClassType() || Type->isUnionType()) { (Type->isStructureOrClassType() || Type->isUnionType())) {
sgatevUnsubmitted
Not Done
ReplyInline Actions

What does that mean? We are analyzing an incomplete translation unit? Why would the type ever be null here?

sgatev: What does that mean? We are analyzing an incomplete translation unit? Why would the type ever…
li.zhe.huaAuthorUnsubmitted
Done
ReplyInline Actions

See the motivating test case:

// Alternatively, use `std::nullptr_t` instead of `my_nullptr_t`.
using my_nullptr_t = decltype(nullptr);
my_nullptr_t Null = 0;

This triggers getOrCreateNullPointerValue to be called with a null pointee type.

li.zhe.hua: See the motivating test case: ``` // Alternatively, use `std::nullptr_t` instead of…
// FIXME: Explore options to avoid eager initialization of fields as some of // FIXME: Explore options to avoid eager initialization of fields as some of
// them might not be needed for a particular analysis. // them might not be needed for a particular analysis.
llvm::DenseMap<const ValueDecl *, StorageLocation *> FieldLocs; llvm::DenseMap<const ValueDecl *, StorageLocation *> FieldLocs;
for (const FieldDecl *Field : getObjectFields(Type)) for (const FieldDecl *Field : getObjectFields(Type))
FieldLocs.insert({Field, &getStableStorageLocation(Field->getType())}); FieldLocs.insert({Field, &getStableStorageLocation(Field->getType())});
return takeOwnership( return takeOwnership(
std::make_unique<AggregateStorageLocation>(Type, std::move(FieldLocs))); std::make_unique<AggregateStorageLocation>(Type, std::move(FieldLocs)));
} }
Show All 15 Lines if (auto *Loc = getStorageLocation(E))
return *Loc; return *Loc;
auto &Loc = getStableStorageLocation(E.getType()); auto &Loc = getStableStorageLocation(E.getType());
setStorageLocation(E, Loc); setStorageLocation(E, Loc);
return Loc; return Loc;
} }
PointerValue & PointerValue &
DataflowAnalysisContext::getOrCreateNullPointerValue(QualType PointeeType) { DataflowAnalysisContext::getOrCreateNullPointerValue(QualType PointeeType) {
assert(!PointeeType.isNull()); auto CanonicalPointeeType =
auto CanonicalPointeeType = PointeeType.getCanonicalType(); PointeeType.isNull() ? PointeeType : PointeeType.getCanonicalType();
gribozavr2Unsubmitted
Done
ReplyInline Actions

Could you add a comment to the header that a caller may pass a null PointeeType as a "pointee" of a nullptr_t?

gribozavr2: Could you add a comment to the header that a caller may pass a null PointeeType as a "pointee"…
auto Res = NullPointerVals.try_emplace(CanonicalPointeeType, nullptr); auto Res = NullPointerVals.try_emplace(CanonicalPointeeType, nullptr);
if (Res.second) { if (Res.second) {
auto &PointeeLoc = getStableStorageLocation(CanonicalPointeeType); auto &PointeeLoc = getStableStorageLocation(CanonicalPointeeType);
Res.first->second = Res.first->second =
&takeOwnership(std::make_unique<PointerValue>(PointeeLoc)); &takeOwnership(std::make_unique<PointerValue>(PointeeLoc));
} }
return *Res.first->second; return *Res.first->second;
} }
▲ Show 20 LinesShow All 271 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp

Show First 20 LinesShow All 2,207 Lines▼ Show 20 Lines runDataflow(Code,
EXPECT_TRUE(isa<BoolValue>(FooVal)); EXPECT_TRUE(isa<BoolValue>(FooVal));
EXPECT_TRUE(isa<BoolValue>(BarVal)); EXPECT_TRUE(isa<BoolValue>(BarVal));
EXPECT_EQ(FooVal, BarVal); EXPECT_EQ(FooVal, BarVal);
}); });
} }
TEST(TransferTest, NullToPointerCast) { TEST(TransferTest, NullToPointerCast) {
std::string Code = R"( std::string Code = R"(
struct Baz {}; struct Baz {};
void target() { void target() {
int *FooX = nullptr; int *FooX = nullptr;
int *FooY = nullptr; int *FooY = nullptr;
bool **Bar = nullptr; bool **Bar = nullptr;
Baz *Baz = nullptr; Baz *Baz = nullptr;
// Use decltype to avoid needing to include <cstddef>. This generates an
// implicit NullToPointer cast of type `std::nullptr_t`.
decltype(nullptr) Null = 0;
// [[p]] // [[p]]
} }
gribozavr2Unsubmitted
Done
ReplyInline Actions
std::string Code = R"(
+ using my_nullptr_t = decltype(nullptr);
struct Baz {};
void target() {
int *FooX = nullptr;
int *FooY = nullptr;
bool **Bar = nullptr;
Baz *Baz = nullptr;
- // Use decltype to avoid needing to include <cstddef>. This generates an
- // implicit NullToPointer cast of type `std::nullptr_t`.
- decltype(nullptr) Null = 0;
+ my_nullptr_t Null = 0;
// [[p]]
}
)";
runDataflow(Code,
gribozavr2:
)"; )";
runDataflow(Code, runDataflow(Code,
[](llvm::ArrayRef< [](llvm::ArrayRef<
std::pair<std::string, DataflowAnalysisState<NoopLattice>>> std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
Results, Results,
ASTContext &ASTCtx) { ASTContext &ASTCtx) {
ASSERT_THAT(Results, ElementsAre(Pair("p", _))); ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
const Environment &Env = Results[0].second.Env; const Environment &Env = Results[0].second.Env;
const ValueDecl *FooXDecl = findValueDecl(ASTCtx, "FooX"); const ValueDecl *FooXDecl = findValueDecl(ASTCtx, "FooX");
ASSERT_THAT(FooXDecl, NotNull()); ASSERT_THAT(FooXDecl, NotNull());
const ValueDecl *FooYDecl = findValueDecl(ASTCtx, "FooY"); const ValueDecl *FooYDecl = findValueDecl(ASTCtx, "FooY");
ASSERT_THAT(FooYDecl, NotNull()); ASSERT_THAT(FooYDecl, NotNull());
const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar"); const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar");
ASSERT_THAT(BarDecl, NotNull()); ASSERT_THAT(BarDecl, NotNull());
const ValueDecl *BazDecl = findValueDecl(ASTCtx, "Baz"); const ValueDecl *BazDecl = findValueDecl(ASTCtx, "Baz");
ASSERT_THAT(BazDecl, NotNull()); ASSERT_THAT(BazDecl, NotNull());
const ValueDecl *NullDecl = findValueDecl(ASTCtx, "Null");
ASSERT_THAT(NullDecl, NotNull());
const auto *FooXVal = const auto *FooXVal =
cast<PointerValue>(Env.getValue(*FooXDecl, SkipPast::None)); cast<PointerValue>(Env.getValue(*FooXDecl, SkipPast::None));
const auto *FooYVal = const auto *FooYVal =
cast<PointerValue>(Env.getValue(*FooYDecl, SkipPast::None)); cast<PointerValue>(Env.getValue(*FooYDecl, SkipPast::None));
const auto *BarVal = const auto *BarVal =
cast<PointerValue>(Env.getValue(*BarDecl, SkipPast::None)); cast<PointerValue>(Env.getValue(*BarDecl, SkipPast::None));
const auto *BazVal = const auto *BazVal =
cast<PointerValue>(Env.getValue(*BazDecl, SkipPast::None)); cast<PointerValue>(Env.getValue(*BazDecl, SkipPast::None));
const auto *NullVal =
cast<PointerValue>(Env.getValue(*NullDecl, SkipPast::None));
EXPECT_EQ(FooXVal, FooYVal); EXPECT_EQ(FooXVal, FooYVal);
EXPECT_NE(FooXVal, BarVal); EXPECT_NE(FooXVal, BarVal);
EXPECT_NE(FooXVal, BazVal); EXPECT_NE(FooXVal, BazVal);
EXPECT_NE(BarVal, BazVal); EXPECT_NE(BarVal, BazVal);
const StorageLocation &FooPointeeLoc = FooXVal->getPointeeLoc(); const StorageLocation &FooPointeeLoc = FooXVal->getPointeeLoc();
EXPECT_TRUE(isa<ScalarStorageLocation>(FooPointeeLoc)); EXPECT_TRUE(isa<ScalarStorageLocation>(FooPointeeLoc));
EXPECT_THAT(Env.getValue(FooPointeeLoc), IsNull()); EXPECT_THAT(Env.getValue(FooPointeeLoc), IsNull());
const StorageLocation &BarPointeeLoc = BarVal->getPointeeLoc(); const StorageLocation &BarPointeeLoc = BarVal->getPointeeLoc();
EXPECT_TRUE(isa<ScalarStorageLocation>(BarPointeeLoc)); EXPECT_TRUE(isa<ScalarStorageLocation>(BarPointeeLoc));
EXPECT_THAT(Env.getValue(BarPointeeLoc), IsNull()); EXPECT_THAT(Env.getValue(BarPointeeLoc), IsNull());
const StorageLocation &BazPointeeLoc = BazVal->getPointeeLoc(); const StorageLocation &BazPointeeLoc = BazVal->getPointeeLoc();
EXPECT_TRUE(isa<AggregateStorageLocation>(BazPointeeLoc)); EXPECT_TRUE(isa<AggregateStorageLocation>(BazPointeeLoc));
EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull()); EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull());
const StorageLocation &NullPointeeLoc =
NullVal->getPointeeLoc();
EXPECT_TRUE(isa<ScalarStorageLocation>(NullPointeeLoc));
EXPECT_THAT(Env.getValue(NullPointeeLoc), IsNull());
}); });
} }
TEST(TransferTest, NullToMemberPointerCast) { TEST(TransferTest, NullToMemberPointerCast) {
std::string Code = R"( std::string Code = R"(
struct Foo {}; struct Foo {};
void target(Foo *Foo) { void target(Foo *Foo) {
int Foo::*MemberPointer = nullptr; int Foo::*MemberPointer = nullptr;
▲ Show 20 LinesShow All 1,576 LinesShow Last 20 Lines