This is an archive of the discontinued LLVM Phabricator instance.

Differential D129496

[analyzer] ArrayInitLoopExpr with array of non-POD type.
ClosedPublic

Authored by isuckatcs on Jul 11 2022, 9:02 AM.

Details

Reviewers
NoQ
xazax.hun
Szelethus
t-rasmud
ziqingluo-90
usama54321
Commits
rG8a13326d184c: [analyzer] ArrayInitLoopExpr with array of non-POD type
Summary

At the moment we are unable to handle ArrayInitLoopExpr if the array it initializes is an array of non-POD types.
The expression is supposed to create a new array, and invoke the copy constructor for each element. The CFG only
contains the copy constructor, which is supposed to be invoked for each corresponding element, however it doesn't
contain the index of each element or a construction context.

The idea is to add a construction context to the copy ctor, so that after we evaluate it, the elements are placed in the
proper region of the store. Besides that in handleConstructor, we manually select which element of the array is going
to be passed to the ctor as parameter. Everything else is the same as it happens with a simple non-POD array construction,
in another patch, which this one depends on.

Depends on: https://reviews.llvm.org/D127973

Diff Detail

Event Timeline

isuckatcs created this revision.Jul 11 2022, 9:02 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 11 2022, 9:02 AM
Herald added subscribers: steakhal, manas, ASDenysPetrov and 8 others. · View Herald Transcript
isuckatcs requested review of this revision.Jul 11 2022, 9:02 AM
Harbormaster completed remote builds in B174689: Diff 443662.Jul 11 2022, 9:03 AM
isuckatcs added a parent revision: D127973: [analyzer] Eval construction of non POD type arrays..Jul 11 2022, 9:03 AM
NoQ added a comment.Jul 11 2022, 9:10 PM

Once again very clean patch, thanks!! I have a few ideas on how to make it even neater.

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
507

Maybe turn this function into a member function of VariableConstructionContext? That'll make the caller code a bit more verbose but both the problem and the solution seems to be generic enough to be put there.

I wouldn't even mind subclassing ConstructionContext to handle this special case with a dedicated subclass, then the ArrayInitLoopExpr could become an entire layer. But that's probably an overkill since everything fits together nicely without it.

526

OpaqueValueExpr is often an indication that its sub-expression is duplicated in the AST (i.e., pointed-to from multiple different parents). I'm curious if the DeclRefExpr on the next line is the same DeclRefExpr that you're looking for. In this case we can simplify this function dramatically by consulting the ArrayInitLoopExpr instead (which is available in this function's caller).

isuckatcs updated this revision to Diff 443932.Jul 12 2022, 6:10 AM
  • ArrayInitLoopExpr with non-POD type array in implicit copy/move ctor is now handled properly.

In the third case, when a lambda captures a non-POD type array by value, there is no construction context,
so the objects would be constructed into the same temporary region. At the moment this case is ignored, and
I added a FIXME about it near the appropriate test case.

isuckatcs marked an inline comment as done.Jul 12 2022, 6:17 AM
isuckatcs added inline comments.
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
507

Sadly we can't create 1 subclass that handles ArrayInitLoopExpr, as in all 3 different use cases we have a different ConstructionContext.

  • in the implicit copy/move constructor for a class with an array member - ConstructorInitializerConstructionContext
  • when a lambda-expression captures an array by value - <<NULL>>
  • when a decomposition declaration decomposes an array - VariableConstructionContext
Harbormaster completed remote builds in B174866: Diff 443932.Jul 12 2022, 7:02 AM
isuckatcs updated this revision to Diff 444197.Jul 13 2022, 2:51 AM
  • Added a virtual method to ConstructionContext that returns ArrayInitLoopExpr.
Harbormaster completed remote builds in B175072: Diff 444197.Jul 13 2022, 3:29 AM
NoQ added a comment.Jul 13 2022, 8:34 PM

Aha this looks great! Nitpicking time.

clang/include/clang/Analysis/ConstructionContext.h
332

I think or_null can be dropped because we can be certain that this variable's initializer contains, at the very least, the constructor to which the context is provided.

403

Same here, or_null can be dropped.

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
546–549

We should probably assert() that there's no else here. If this assert is ever hit, we'll know that we're missing something and change it to a FIXME.

martong added a comment.Jul 14 2022, 5:42 AM

Nice work, thanks!

clang/test/Analysis/array-init-loop.cpp
164

I think, the matching should be more precise; it is a.i that is garbage, isn't it?
Perhaps this would also make sense (unless the previous warning is a sink):

clang_analyzer_eval(a.i); // expected-warning{{UNDEFINED}}
202–204

I think, It would be useful to emphase more explicitly what we want from the S5 type. Same above with S2.

Note, is_pod is basically is_trivial && is_standard_layout from C++20 (the PODType type requirement is deprecated since then).

isuckatcs updated this revision to Diff 444664.Jul 14 2022, 7:58 AM
  • Added a new ConstructionContext for lambas, which will be polished later.
  • ArrayInitLoopExpr is evaluated properly in case of lambda captures.
Harbormaster completed remote builds in B175411: Diff 444664.Jul 14 2022, 11:07 AM
NoQ added a comment.Jul 14 2022, 11:40 AM

This looks awesome!

I think the lambda code should go into a separate patch, this one's already quite big and they're logically quite separate.

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
301–302

This tiny piece of code currently mimics/duplicates ExprEngine::VisitLambdaExpr.

I'm not sure if that tiny piece of code represents the correct solution in general, I suspect that eg. if lambda is put into a variable then it needs to be constructed directly in the variable, through copy elision (?) So eventually we'll probably need to assign a construction context to LambdaExpr itself, and then use both of them here, maybe recursively. But this is what we have for now.

So for this patch, I think the right thing to do is to have ExprEngine::VisitLambdaExpr() lookup the region created here instead, from objects-under-construction. This way future improvements could be done in one place, and the infrastructure will already be there.

1173

Should we clean up the state on the else-branch as well?

isuckatcs updated this revision to Diff 444822.Jul 14 2022, 3:47 PM

Rebased onto latest relevant changes.

Harbormaster completed remote builds in B175523: Diff 444822.Jul 14 2022, 5:52 PM
xazax.hun added inline comments.Jul 14 2022, 6:29 PM
clang/include/clang/Analysis/CFG.h
205–207

Nit: is this how clang format formatted this expression? Don't we miss a bit of indentation?

clang/include/clang/Analysis/ConstructionContext.h
705–710

We have many types of captures and iterators for them. Captures, capture inits, explicit captures, implicit captures. Are you sure that fields and capture inits can be paired up this way?
Also, I think capture iterators might be random access. you might be able to get to the right element with a single arithmetic. Unfortunately, that might not be the case for fields. But you could use std::advance for that.

isuckatcs marked an inline comment as done.Jul 15 2022, 2:38 AM
isuckatcs added inline comments.
clang/include/clang/Analysis/CFG.h
205–207

Yes, clang format really formatted it this way. We miss the indentation, but if I add it and run clang format, it outputs the same result you see here.

isuckatcs marked an inline comment as done.Jul 15 2022, 2:39 AM
isuckatcs marked an inline comment as done.Jul 15 2022, 4:59 AM
isuckatcs added inline comments.
clang/include/clang/Analysis/ConstructionContext.h
705–710

Are you sure that fields and capture inits can be paired up this way?

Technically this solution is copied from VisitLamdaExpr, so I assumed it to be correct.

Since you created the original solution, I assume you already know the answer too, but I did
some digging regarding the question. The answer comes from Sema::BuildLambdaExpr.
They way the function works is that it iterates over the captures in the LambdaScopeInfo
and creates a FieldDecl and an initializer for each capture.

ExprResult Sema::BuildLambdaExpr(..., LambdaScopeInfo *LSI) {
  ...
  for (unsigned I = 0, N = LSI->Captures.size(); I != N; ++I) {
    const Capture &From = LSI->Captures[I];     
    ...
    // Form the initializer for the capture field.
    ExprResult Init = BuildCaptureInit(From, ImplicitCaptureLoc);

    // FIXME: Skip this capture if the capture is not used, the initializer
    // has no side-effects, the type of the capture is trivial, and the
    // lambda is not externally visible.

    // Add a FieldDecl for the capture and form its initializer.
    BuildCaptureField(Class, From);
    Captures.push_back(Capture);
    CaptureInits.push_back(Init.get());
    ...
  }
  ...
  Class->setCaptures(Context, Captures);
  ...
  LambdaExpr *Lambda = LambdaExpr::Create(..., CaptureInits, ...);
  ...
}

The captures and the initializers are put into 2 separate lists in the same order, so they
have the same indices, while the fields are directly constructed into the class.

FieldDecl *Sema::BuildCaptureField(RecordDecl *RD, const sema::Capture &Capture) {
  ...
  FieldDecl *Field = FieldDecl::Create(..., RD, ...);
  ...
  RD->addDecl(Field);
  ...
}

void DeclContext::addDecl(Decl *D) {
  addHiddenDecl(D);
  ...
}

void DeclContext::addHiddenDecl(Decl *D) {
  ...
  if (FirstDecl) {
    LastDecl->NextInContextAndBits.setPointer(D);
    LastDecl = D;
  } else {
    FirstDecl = LastDecl = D;
  }
  ...
}

The FieldDecls are stored in a linked list, where the new Decl is inserted to the end.
That means, the captures, the initializers and the FieldDecls have the same order and
the same index at this point.

Later the capture list is passed to the class, and the initializer list is passed to
LambdaExpr::Create(). In both cases the same simple linear copy is performed, so the
indices keep their original order. The fields are already in their final place and order.

void CXXRecordDecl::setCaptures(ASTContext &Context,
                                ArrayRef<LambdaCapture> Captures) {
  CXXRecordDecl::LambdaDefinitionData &Data = getLambdaData();

  // Copy captures.
  Data.NumCaptures = Captures.size();
  Data.NumExplicitCaptures = 0;
  Data.Captures = (LambdaCapture *)Context.Allocate(sizeof(LambdaCapture) *
                                                    Captures.size());
  LambdaCapture *ToCapture = Data.Captures;
  for (unsigned I = 0, N = Captures.size(); I != N; ++I) {
    if (Captures[I].isExplicit())
      ++Data.NumExplicitCaptures;

    *ToCapture++ = Captures[I];
  }

  if (!lambdaIsDefaultConstructibleAndAssignable())
    Data.DefaultedCopyAssignmentIsDeleted = true;
}
LambdaExpr::LambdaExpr(..., ArrayRef<Expr *> CaptureInits, ...){
  LambdaExprBits.NumCaptures = CaptureInits.size();
  LambdaExprBits.CaptureDefault = CaptureDefault; 
  ...
  CXXRecordDecl *Class = getLambdaClass();
  (void)Class;
  assert(capture_size() == Class->capture_size() && "Wrong number of captures");
  assert(getCaptureDefault() == Class->getLambdaCaptureDefault());
  ...
  // Copy initialization expressions for the non-static data members.
  Stmt **Stored = getStoredStmts();
  for (unsigned I = 0, N = CaptureInits.size(); I != N; ++I)
    *Stored++ = CaptureInits[I];  
  ...
}

Hence the capture and initializer indices kept their original orders, and the fields were also
created in the same order, we know that they still have the same indices. As a result the
iterators can be paired.

isuckatcs updated this revision to Diff 444983.Jul 15 2022, 7:57 AM
isuckatcs marked 9 inline comments as done.
  • Renamed LambdaConstructionContext to LambdaCaptureConstructionContext.
  • Addressed comments.
  • Polished existing solutions.
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
1173

Capturing a VLA by value is a compile time error. If the VLA is captured by reference, there is no CXXConstructExpr we need to evaluate, so that case is not affected by this patch. I think there's nothing to clean up.

clang/test/Analysis/array-init-loop.cpp
164

Yes a.i is the Undefined variable, but the warning we get is a sink, so there's no way to confirm it (unless we look at the egraph).

Harbormaster completed remote builds in B175641: Diff 444983.Jul 15 2022, 7:57 AM
isuckatcs updated this revision to Diff 444998.Jul 15 2022, 8:43 AM

Rebased.

Harbormaster completed remote builds in B175652: Diff 444998.Jul 15 2022, 9:52 AM
NoQ added inline comments.Jul 15 2022, 6:58 PM
clang/include/clang/Analysis/CFG.h
205–207

Hmm looks like there's extra paretheses after isa<ArgumentConstructionContext>(C).

NoQ added a comment.Jul 15 2022, 8:32 PM

Aside from these nits and the gut feeling that the patch needs to be split, I don't have any other comments. The patch looks great, let's test it a bit and land it.

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
1173

Ok maybe assert() then, to make sure there's nothing to clean up(?)

isuckatcs updated this revision to Diff 445226.Jul 16 2022, 4:29 AM
isuckatcs marked 2 inline comments as done.

Addressed comments.

Harbormaster completed remote builds in B175819: Diff 445226.Jul 16 2022, 4:30 AM
isuckatcs updated this revision to Diff 445232.Jul 16 2022, 6:28 AM

Rebased

Harbormaster completed remote builds in B175823: Diff 445232.Jul 16 2022, 7:13 AM
isuckatcs updated this revision to Diff 445327.EditedJul 17 2022, 10:14 AM
isuckatcs added a child revision: D129967: [analyzer] Lambda capture non-POD type array.

Extracted the part about lambdas to a separate patch, D129967.

Harbormaster completed remote builds in B175900: Diff 445327.Jul 17 2022, 10:17 AM
isuckatcs updated this revision to Diff 445328.Jul 17 2022, 10:22 AM

Rebased

NoQ accepted this revision.Jul 17 2022, 11:39 AM

Awesome, thanks, I'm happy with the code! Let's see how it performs in real life and then commit.

This revision is now accepted and ready to land.Jul 17 2022, 11:39 AM
Harbormaster completed remote builds in B175901: Diff 445328.Jul 17 2022, 12:49 PM
isuckatcs updated this revision to Diff 446921.Jul 22 2022, 11:59 AM

Added testcases for structured binding syntax 3. Syntax 2 is not applicable for arrays.

Harbormaster completed remote builds in B177064: Diff 446921.Jul 22 2022, 1:03 PM
This revision was landed with ongoing or failed builds.Jul 26 2022, 12:07 AM
Closed by commit rG8a13326d184c: [analyzer] ArrayInitLoopExpr with array of non-POD type (authored by isuckatcs). · Explain Why
This revision was automatically updated to reflect the committed changes.
isuckatcs added a commit: rG8a13326d184c: [analyzer] ArrayInitLoopExpr with array of non-POD type.
Herald added a project: Restricted Project. · View Herald TranscriptJul 26 2022, 12:07 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
3 lines
77 lines
StaticAnalyzer/
Core/
PathSensitive/
19 lines
lib/
Analysis/
30 lines
10 lines
StaticAnalyzer/
Core/
69 lines
123 lines
28 lines
test/
Analysis/
89 lines
24 lines
3 lines
65 lines

Diff 444664

clang/include/clang/Analysis/CFG.h

Show First 20 LinesShow All 196 Lines▼ Show 20 Linespublic:
explicit CFGCXXRecordTypedCall(Expr *E, const ConstructionContext *C) explicit CFGCXXRecordTypedCall(Expr *E, const ConstructionContext *C)
: CFGStmt(E, CXXRecordTypedCall) { : CFGStmt(E, CXXRecordTypedCall) {
assert(isCXXRecordTypedCall(E)); assert(isCXXRecordTypedCall(E));
assert(C && (isa<TemporaryObjectConstructionContext>(C) || assert(C && (isa<TemporaryObjectConstructionContext>(C) ||
// These are possible in C++17 due to mandatory copy elision. // These are possible in C++17 due to mandatory copy elision.
isa<ReturnedValueConstructionContext>(C) || isa<ReturnedValueConstructionContext>(C) ||
isa<VariableConstructionContext>(C) || isa<VariableConstructionContext>(C) ||
isa<ConstructorInitializerConstructionContext>(C) || isa<ConstructorInitializerConstructionContext>(C) ||
isa<ArgumentConstructionContext>(C))); isa<ArgumentConstructionContext>(C)) ||
isa<LambdaConstructionContext>(C));
Data2.setPointer(const_cast<ConstructionContext *>(C)); Data2.setPointer(const_cast<ConstructionContext *>(C));
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: is this how clang format formatted this expression? Don't we miss a bit of indentation?

xazax.hun: Nit: is this how clang format formatted this expression? Don't we miss a bit of indentation?
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

Yes, clang format really formatted it this way. We miss the indentation, but if I add it and run clang format, it outputs the same result you see here.

isuckatcs: Yes, clang format really formatted it this way. We miss the indentation, but if I add it and…
NoQUnsubmitted
Done
ReplyInline Actions

Hmm looks like there's extra paretheses after isa<ArgumentConstructionContext>(C).

NoQ: Hmm looks like there's extra paretheses after `isa<ArgumentConstructionContext>(C)`.
} }
const ConstructionContext *getConstructionContext() const { const ConstructionContext *getConstructionContext() const {
return static_cast<ConstructionContext *>(Data2.getPointer()); return static_cast<ConstructionContext *>(Data2.getPointer());
} }
private: private:
friend class CFGElement; friend class CFGElement;
▲ Show 20 LinesShow All 1,373 LinesShow Last 20 Lines

clang/include/clang/Analysis/ConstructionContext.h

Show All 30 Lines enum ItemKind {
VariableKind, VariableKind,
NewAllocatorKind, NewAllocatorKind,
ReturnKind, ReturnKind,
MaterializationKind, MaterializationKind,
TemporaryDestructorKind, TemporaryDestructorKind,
ElidedDestructorKind, ElidedDestructorKind,
ElidableConstructorKind, ElidableConstructorKind,
ArgumentKind, ArgumentKind,
LambdaKind,
STATEMENT_WITH_INDEX_KIND_BEGIN=ArgumentKind, STATEMENT_WITH_INDEX_KIND_BEGIN = ArgumentKind,
STATEMENT_WITH_INDEX_KIND_END=ArgumentKind, STATEMENT_WITH_INDEX_KIND_END = LambdaKind,
STATEMENT_KIND_BEGIN = VariableKind, STATEMENT_KIND_BEGIN = VariableKind,
STATEMENT_KIND_END = ArgumentKind, STATEMENT_KIND_END = LambdaKind,
InitializerKind, InitializerKind,
INITIALIZER_KIND_BEGIN=InitializerKind, INITIALIZER_KIND_BEGIN = InitializerKind,
INITIALIZER_KIND_END=InitializerKind INITIALIZER_KIND_END = InitializerKind
}; };
LLVM_DUMP_METHOD static StringRef getKindAsString(ItemKind K) { LLVM_DUMP_METHOD static StringRef getKindAsString(ItemKind K) {
switch (K) { switch (K) {
case VariableKind: return "construct into local variable"; case VariableKind: return "construct into local variable";
case NewAllocatorKind: return "construct into new-allocator"; case NewAllocatorKind: return "construct into new-allocator";
case ReturnKind: return "construct into return address"; case ReturnKind: return "construct into return address";
case MaterializationKind: return "materialize temporary"; case MaterializationKind: return "materialize temporary";
case TemporaryDestructorKind: return "destroy temporary"; case TemporaryDestructorKind: return "destroy temporary";
case ElidedDestructorKind: return "elide destructor"; case ElidedDestructorKind: return "elide destructor";
case ElidableConstructorKind: return "elide constructor"; case ElidableConstructorKind: return "elide constructor";
case ArgumentKind: return "construct into argument"; case ArgumentKind: return "construct into argument";
case LambdaKind:
return "construct into lambda captured variable";
case InitializerKind: return "construct into member variable"; case InitializerKind: return "construct into member variable";
}; };
llvm_unreachable("Unknown ItemKind"); llvm_unreachable("Unknown ItemKind");
} }
private: private:
const void *const Data; const void *const Data;
const ItemKind Kind; const ItemKind Kind;
const unsigned Index = 0; const unsigned Index = 0;
bool hasStatement() const { bool hasStatement() const {
return Kind >= STATEMENT_KIND_BEGIN && return Kind >= STATEMENT_KIND_BEGIN &&
Kind <= STATEMENT_KIND_END; Kind <= STATEMENT_KIND_END;
} }
bool hasIndex() const { bool hasIndex() const {
return Kind >= STATEMENT_WITH_INDEX_KIND_BEGIN && return Kind >= STATEMENT_WITH_INDEX_KIND_BEGIN &&
Kind >= STATEMENT_WITH_INDEX_KIND_END; Kind <= STATEMENT_WITH_INDEX_KIND_END;
} }
bool hasInitializer() const { bool hasInitializer() const {
return Kind >= INITIALIZER_KIND_BEGIN && return Kind >= INITIALIZER_KIND_BEGIN &&
Kind <= INITIALIZER_KIND_END; Kind <= INITIALIZER_KIND_END;
} }
public: public:
Show All 38 Lines ConstructionContextItem(const Expr *E, unsigned Index)
assert(isa<CallExpr>(E) || isa<CXXConstructExpr>(E) || assert(isa<CallExpr>(E) || isa<CXXConstructExpr>(E) ||
isa<CXXDeleteExpr>(E) || isa<CXXInheritedCtorInitExpr>(E) || isa<CXXDeleteExpr>(E) || isa<CXXInheritedCtorInitExpr>(E) ||
isa<ObjCMessageExpr>(E)); isa<ObjCMessageExpr>(E));
} }
ConstructionContextItem(const CXXCtorInitializer *Init) ConstructionContextItem(const CXXCtorInitializer *Init)
: Data(Init), Kind(InitializerKind), Index(0) {} : Data(Init), Kind(InitializerKind), Index(0) {}
ConstructionContextItem(const LambdaExpr *LE, unsigned Index)
: Data(LE), Kind(LambdaKind), Index(Index) {}
ItemKind getKind() const { return Kind; } ItemKind getKind() const { return Kind; }
LLVM_DUMP_METHOD StringRef getKindAsString() const { LLVM_DUMP_METHOD StringRef getKindAsString() const {
return getKindAsString(getKind()); return getKindAsString(getKind());
} }
/// The construction site - the statement that triggered the construction /// The construction site - the statement that triggered the construction
/// for one of its parts. For instance, stack variable declaration statement /// for one of its parts. For instance, stack variable declaration statement
▲ Show 20 LinesShow All 111 Lines▼ Show 20 Lines enum Kind {
SimpleTemporaryObjectKind, SimpleTemporaryObjectKind,
ElidedTemporaryObjectKind, ElidedTemporaryObjectKind,
TEMPORARY_BEGIN = SimpleTemporaryObjectKind, TEMPORARY_BEGIN = SimpleTemporaryObjectKind,
TEMPORARY_END = ElidedTemporaryObjectKind, TEMPORARY_END = ElidedTemporaryObjectKind,
SimpleReturnedValueKind, SimpleReturnedValueKind,
CXX17ElidedCopyReturnedValueKind, CXX17ElidedCopyReturnedValueKind,
RETURNED_VALUE_BEGIN = SimpleReturnedValueKind, RETURNED_VALUE_BEGIN = SimpleReturnedValueKind,
RETURNED_VALUE_END = CXX17ElidedCopyReturnedValueKind, RETURNED_VALUE_END = CXX17ElidedCopyReturnedValueKind,
ArgumentKind ArgumentKind,
LambdaKind
}; };
protected: protected:
Kind K; Kind K;
// Do not make public! These need to only be constructed // Do not make public! These need to only be constructed
// via createFromLayers(). // via createFromLayers().
explicit ConstructionContext(Kind K) : K(K) {} explicit ConstructionContext(Kind K) : K(K) {}
Show All 27 Linespublic:
/// Consume the construction context layer, together with its parent layers, /// Consume the construction context layer, together with its parent layers,
/// and wrap it up into a complete construction context. May return null /// and wrap it up into a complete construction context. May return null
/// if layers do not form any supported construction context. /// if layers do not form any supported construction context.
static const ConstructionContext * static const ConstructionContext *
createFromLayers(BumpVectorContext &C, createFromLayers(BumpVectorContext &C,
const ConstructionContextLayer *TopLayer); const ConstructionContextLayer *TopLayer);
Kind getKind() const { return K; } Kind getKind() const { return K; }
virtual const ArrayInitLoopExpr *getArrayInitLoop() const { return nullptr; }
// Only declared to silence -Wnon-virtual-dtor warnings.
virtual ~ConstructionContext() = default;
}; };
/// An abstract base class for local variable constructors. /// An abstract base class for local variable constructors.
class VariableConstructionContext : public ConstructionContext { class VariableConstructionContext : public ConstructionContext {
const DeclStmt *DS; const DeclStmt *DS;
protected: protected:
VariableConstructionContext(ConstructionContext::Kind K, const DeclStmt *DS) VariableConstructionContext(ConstructionContext::Kind K, const DeclStmt *DS)
: ConstructionContext(K), DS(DS) { : ConstructionContext(K), DS(DS) {
assert(classof(this)); assert(classof(this));
assert(DS); assert(DS);
} }
public: public:
const DeclStmt *getDeclStmt() const { return DS; } const DeclStmt *getDeclStmt() const { return DS; }
const ArrayInitLoopExpr *getArrayInitLoop() const override {
const auto *Var = cast<VarDecl>(DS->getSingleDecl());
return dyn_cast_or_null<ArrayInitLoopExpr>(Var->getInit());
NoQUnsubmitted
Done
ReplyInline Actions

I think or_null can be dropped because we can be certain that this variable's initializer contains, at the very least, the constructor to which the context is provided.

NoQ: I think `or_null` can be dropped because we can be certain that this variable's initializer…
}
static bool classof(const ConstructionContext *CC) { static bool classof(const ConstructionContext *CC) {
return CC->getKind() >= VARIABLE_BEGIN && return CC->getKind() >= VARIABLE_BEGIN &&
CC->getKind() <= VARIABLE_END; CC->getKind() <= VARIABLE_END;
} }
}; };
/// Represents construction into a simple local variable, eg. T var(123);. /// Represents construction into a simple local variable, eg. T var(123);.
/// If a variable has an initializer, eg. T var = makeT();, then the final /// If a variable has an initializer, eg. T var = makeT();, then the final
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Lines explicit ConstructorInitializerConstructionContext(
: ConstructionContext(K), I(I) { : ConstructionContext(K), I(I) {
assert(classof(this)); assert(classof(this));
assert(I); assert(I);
} }
public: public:
const CXXCtorInitializer *getCXXCtorInitializer() const { return I; } const CXXCtorInitializer *getCXXCtorInitializer() const { return I; }
const ArrayInitLoopExpr *getArrayInitLoop() const override {
return dyn_cast_or_null<ArrayInitLoopExpr>(I->getInit());
NoQUnsubmitted
Done
ReplyInline Actions

Same here, or_null can be dropped.

NoQ: Same here, `or_null` can be dropped.
}
static bool classof(const ConstructionContext *CC) { static bool classof(const ConstructionContext *CC) {
return CC->getKind() >= INITIALIZER_BEGIN && return CC->getKind() >= INITIALIZER_BEGIN &&
CC->getKind() <= INITIALIZER_END; CC->getKind() <= INITIALIZER_END;
} }
}; };
/// Represents construction into a field or a base class within a bigger object /// Represents construction into a field or a base class within a bigger object
/// via a constructor initializer, eg. T(): field(123) { ... }. /// via a constructor initializer, eg. T(): field(123) { ... }.
▲ Show 20 LinesShow All 262 Lines▼ Show 20 Linespublic:
unsigned getIndex() const { return Index; } unsigned getIndex() const { return Index; }
const CXXBindTemporaryExpr *getCXXBindTemporaryExpr() const { return BTE; } const CXXBindTemporaryExpr *getCXXBindTemporaryExpr() const { return BTE; }
static bool classof(const ConstructionContext *CC) { static bool classof(const ConstructionContext *CC) {
return CC->getKind() == ArgumentKind; return CC->getKind() == ArgumentKind;
} }
}; };
class LambdaConstructionContext : public ConstructionContext {
// The lambda of which the initializer we capture.
const LambdaExpr *LE;
// Index of the captured element in the captured list.
unsigned Index;
friend class ConstructionContext; // Allows to create<>() itself.
explicit LambdaConstructionContext(const LambdaExpr *LE, unsigned Index)
: ConstructionContext(LambdaKind), LE(LE), Index(Index) {}
public:
const LambdaExpr *getLambdaExpr() const { return LE; }
unsigned getIndex() const { return Index; }
std::pair<const FieldDecl *, const Expr *>
getCaptureFieldAndInitializer() const {
unsigned Idx = 0;
CXXRecordDecl::field_iterator CurField =
LE->getLambdaClass()->field_begin();
for (LambdaExpr::const_capture_init_iterator i = LE->capture_init_begin(),
e = LE->capture_init_end();
i != e; ++i, ++CurField, ++Idx) {
if (Idx == Index)
return {*CurField, *i};
}
xazax.hunUnsubmitted
Done
ReplyInline Actions

We have many types of captures and iterators for them. Captures, capture inits, explicit captures, implicit captures. Are you sure that fields and capture inits can be paired up this way?
Also, I think capture iterators might be random access. you might be able to get to the right element with a single arithmetic. Unfortunately, that might not be the case for fields. But you could use std::advance for that.

xazax.hun: We have many types of captures and iterators for them. Captures, capture inits, explicit…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

Are you sure that fields and capture inits can be paired up this way?

Technically this solution is copied from VisitLamdaExpr, so I assumed it to be correct.

Since you created the original solution, I assume you already know the answer too, but I did
some digging regarding the question. The answer comes from Sema::BuildLambdaExpr.
They way the function works is that it iterates over the captures in the LambdaScopeInfo
and creates a FieldDecl and an initializer for each capture.

ExprResult Sema::BuildLambdaExpr(..., LambdaScopeInfo *LSI) {
  ...
  for (unsigned I = 0, N = LSI->Captures.size(); I != N; ++I) {
    const Capture &From = LSI->Captures[I];     
    ...
    // Form the initializer for the capture field.
    ExprResult Init = BuildCaptureInit(From, ImplicitCaptureLoc);

    // FIXME: Skip this capture if the capture is not used, the initializer
    // has no side-effects, the type of the capture is trivial, and the
    // lambda is not externally visible.

    // Add a FieldDecl for the capture and form its initializer.
    BuildCaptureField(Class, From);
    Captures.push_back(Capture);
    CaptureInits.push_back(Init.get());
    ...
  }
  ...
  Class->setCaptures(Context, Captures);
  ...
  LambdaExpr *Lambda = LambdaExpr::Create(..., CaptureInits, ...);
  ...
}

The captures and the initializers are put into 2 separate lists in the same order, so they
have the same indices, while the fields are directly constructed into the class.

FieldDecl *Sema::BuildCaptureField(RecordDecl *RD, const sema::Capture &Capture) {
  ...
  FieldDecl *Field = FieldDecl::Create(..., RD, ...);
  ...
  RD->addDecl(Field);
  ...
}

void DeclContext::addDecl(Decl *D) {
  addHiddenDecl(D);
  ...
}

void DeclContext::addHiddenDecl(Decl *D) {
  ...
  if (FirstDecl) {
    LastDecl->NextInContextAndBits.setPointer(D);
    LastDecl = D;
  } else {
    FirstDecl = LastDecl = D;
  }
  ...
}

The FieldDecls are stored in a linked list, where the new Decl is inserted to the end.
That means, the captures, the initializers and the FieldDecls have the same order and
the same index at this point.

Later the capture list is passed to the class, and the initializer list is passed to
LambdaExpr::Create(). In both cases the same simple linear copy is performed, so the
indices keep their original order. The fields are already in their final place and order.

void CXXRecordDecl::setCaptures(ASTContext &Context,
                                ArrayRef<LambdaCapture> Captures) {
  CXXRecordDecl::LambdaDefinitionData &Data = getLambdaData();

  // Copy captures.
  Data.NumCaptures = Captures.size();
  Data.NumExplicitCaptures = 0;
  Data.Captures = (LambdaCapture *)Context.Allocate(sizeof(LambdaCapture) *
                                                    Captures.size());
  LambdaCapture *ToCapture = Data.Captures;
  for (unsigned I = 0, N = Captures.size(); I != N; ++I) {
    if (Captures[I].isExplicit())
      ++Data.NumExplicitCaptures;

    *ToCapture++ = Captures[I];
  }

  if (!lambdaIsDefaultConstructibleAndAssignable())
    Data.DefaultedCopyAssignmentIsDeleted = true;
}
LambdaExpr::LambdaExpr(..., ArrayRef<Expr *> CaptureInits, ...){
  LambdaExprBits.NumCaptures = CaptureInits.size();
  LambdaExprBits.CaptureDefault = CaptureDefault; 
  ...
  CXXRecordDecl *Class = getLambdaClass();
  (void)Class;
  assert(capture_size() == Class->capture_size() && "Wrong number of captures");
  assert(getCaptureDefault() == Class->getLambdaCaptureDefault());
  ...
  // Copy initialization expressions for the non-static data members.
  Stmt **Stored = getStoredStmts();
  for (unsigned I = 0, N = CaptureInits.size(); I != N; ++I)
    *Stored++ = CaptureInits[I];  
  ...
}

Hence the capture and initializer indices kept their original orders, and the fields were also
created in the same order, we know that they still have the same indices. As a result the
iterators can be paired.

isuckatcs: > Are you sure that fields and capture inits can be paired up this way? Technically this…
llvm_unreachable("Lambda capture field not found!");
}
const ArrayInitLoopExpr *getArrayInitLoop() const override {
return dyn_cast_or_null<ArrayInitLoopExpr>(
getCaptureFieldAndInitializer().second);
}
static bool classof(const ConstructionContext *CC) {
return CC->getKind() == LambdaKind;
}
};
} // end namespace clang } // end namespace clang
#endif // LLVM_CLANG_ANALYSIS_CONSTRUCTIONCONTEXT_H #endif // LLVM_CLANG_ANALYSIS_CONSTRUCTIONCONTEXT_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 616 Lines▼ Show 20 Lines SVal evalBinOp(ProgramStateRef ST, BinaryOperator::Opcode Op,
return svalBuilder.evalBinOp(ST, Op, LHS, RHS, T); return svalBuilder.evalBinOp(ST, Op, LHS, RHS, T);
} }
/// Retreives which element is being constructed in a non POD type array. /// Retreives which element is being constructed in a non POD type array.
static Optional<unsigned> static Optional<unsigned>
getIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E, getIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E,
const LocationContext *LCtx); const LocationContext *LCtx);
/// Retreives the size of the array in the pending ArrayInitLoopExpr.
static Optional<unsigned> getPendingInitLoop(ProgramStateRef State,
const CXXConstructExpr *E,
const LocationContext *LCtx);
/// By looking at a certain item that may be potentially part of an object's /// By looking at a certain item that may be potentially part of an object's
/// ConstructionContext, retrieve such object's location. A particular /// ConstructionContext, retrieve such object's location. A particular
/// statement can be transparently passed as \p Item in most cases. /// statement can be transparently passed as \p Item in most cases.
static Optional<SVal> static Optional<SVal>
getObjectUnderConstruction(ProgramStateRef State, getObjectUnderConstruction(ProgramStateRef State,
const ConstructionContextItem &Item, const ConstructionContextItem &Item,
const LocationContext *LC); const LocationContext *LC);
▲ Show 20 LinesShow All 178 Lines▼ Show 20 Linesprivate:
/// Checks our policies and decides weither the given call should be inlined. /// Checks our policies and decides weither the given call should be inlined.
bool shouldInlineCall(const CallEvent &Call, const Decl *D, bool shouldInlineCall(const CallEvent &Call, const Decl *D,
const ExplodedNode *Pred, const ExplodedNode *Pred,
const EvalCallOptions &CallOpts = {}); const EvalCallOptions &CallOpts = {});
/// Checks whether our policies allow us to inline a non-POD type array /// Checks whether our policies allow us to inline a non-POD type array
/// construction. /// construction.
bool shouldInlineArrayConstruction(const ArrayType *Type); bool shouldInlineArrayConstruction(const ProgramStateRef State,
const CXXConstructExpr *CE,
const LocationContext *LCtx);
/// Checks whether we construct an array of non-POD type, and decides if the /// Checks whether we construct an array of non-POD type, and decides if the
/// constructor should be inkoved once again. /// constructor should be inkoved once again.
bool shouldRepeatCtorCall(ProgramStateRef State, const CXXConstructExpr *E, bool shouldRepeatCtorCall(ProgramStateRef State, const CXXConstructExpr *E,
const LocationContext *LCtx); const LocationContext *LCtx);
void inlineCall(WorkList *WList, const CallEvent &Call, const Decl *D, void inlineCall(WorkList *WList, const CallEvent &Call, const Decl *D,
NodeBuilder &Bldr, ExplodedNode *Pred, ProgramStateRef State); NodeBuilder &Bldr, ExplodedNode *Pred, ProgramStateRef State);
▲ Show 20 LinesShow All 83 Lines▼ Show 20 Linesprivate:
setIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E, setIndexOfElementToConstruct(ProgramStateRef State, const CXXConstructExpr *E,
const LocationContext *LCtx, unsigned Idx); const LocationContext *LCtx, unsigned Idx);
static ProgramStateRef static ProgramStateRef
removeIndexOfElementToConstruct(ProgramStateRef State, removeIndexOfElementToConstruct(ProgramStateRef State,
const CXXConstructExpr *E, const CXXConstructExpr *E,
const LocationContext *LCtx); const LocationContext *LCtx);
/// Sets the size of the array in a pending ArrayInitLoopExpr.
static ProgramStateRef setPendingInitLoop(ProgramStateRef State,
const CXXConstructExpr *E,
const LocationContext *LCtx,
unsigned Idx);
static ProgramStateRef removePendingInitLoop(ProgramStateRef State,
const CXXConstructExpr *E,
const LocationContext *LCtx);
/// Store the location of a C++ object corresponding to a statement /// Store the location of a C++ object corresponding to a statement
/// until the statement is actually encountered. For example, if a DeclStmt /// until the statement is actually encountered. For example, if a DeclStmt
/// has CXXConstructExpr as its initializer, the object would be considered /// has CXXConstructExpr as its initializer, the object would be considered
/// to be "under construction" between CXXConstructExpr and DeclStmt. /// to be "under construction" between CXXConstructExpr and DeclStmt.
/// This allows, among other things, to keep bindings to variable's fields /// This allows, among other things, to keep bindings to variable's fields
/// made within the constructor alive until its declaration actually /// made within the constructor alive until its declaration actually
/// goes into scope. /// goes into scope.
static ProgramStateRef static ProgramStateRef
▲ Show 20 LinesShow All 56 LinesShow Last 20 Lines

clang/lib/Analysis/CFG.cpp

Show First 20 LinesShow All 1,652 Lines▼ Show 20 Lines if (BuildOpts.AddTemporaryDtors && HasTemporaries) {
/*ExternallyDestructed=*/false, Context); /*ExternallyDestructed=*/false, Context);
} }
} }
autoCreateBlock(); autoCreateBlock();
appendInitializer(Block, I); appendInitializer(Block, I);
if (Init) { if (Init) {
// If the initializer is an ArrayInitLoopExpr, we want to extract the
// initializer, that's used for each element.
const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init);
findConstructionContexts( findConstructionContexts(
ConstructionContextLayer::create(cfg->getBumpVectorContext(), I), ConstructionContextLayer::create(cfg->getBumpVectorContext(), I),
Init); AILE ? AILE->getSubExpr() : Init);
if (HasTemporaries) { if (HasTemporaries) {
// For expression with temporaries go directly to subexpression to omit // For expression with temporaries go directly to subexpression to omit
// generating destructors for the second time. // generating destructors for the second time.
return Visit(cast<ExprWithCleanups>(Init)->getSubExpr()); return Visit(cast<ExprWithCleanups>(Init)->getSubExpr());
} }
if (BuildOpts.AddCXXDefaultInitExprInCtors) { if (BuildOpts.AddCXXDefaultInitExprInCtors) {
if (CXXDefaultInitExpr *Default = dyn_cast<CXXDefaultInitExpr>(Init)) { if (CXXDefaultInitExpr *Default = dyn_cast<CXXDefaultInitExpr>(Init)) {
▲ Show 20 LinesShow All 1,250 Lines▼ Show 20 Lines if (BuildOpts.AddTemporaryDtors && HasTemporaries) {
VisitForTemporaryDtors(cast<ExprWithCleanups>(Init)->getSubExpr(), VisitForTemporaryDtors(cast<ExprWithCleanups>(Init)->getSubExpr(),
/*ExternallyDestructed=*/true, Context); /*ExternallyDestructed=*/true, Context);
} }
} }
autoCreateBlock(); autoCreateBlock();
appendStmt(Block, DS); appendStmt(Block, DS);
// If the initializer is an ArrayInitLoopExpr, we want to extract the
// initializer, that's used for each element.
const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init);
findConstructionContexts( findConstructionContexts(
ConstructionContextLayer::create(cfg->getBumpVectorContext(), DS), ConstructionContextLayer::create(cfg->getBumpVectorContext(), DS),
Init); AILE ? AILE->getSubExpr() : Init);
// Keep track of the last non-null block, as 'Block' can be nulled out // Keep track of the last non-null block, as 'Block' can be nulled out
// if the initializer expression is something like a 'while' in a // if the initializer expression is something like a 'while' in a
// statement-expression. // statement-expression.
CFGBlock *LastBlock = Block; CFGBlock *LastBlock = Block;
if (Init) { if (Init) {
if (HasTemporaries) { if (HasTemporaries) {
▲ Show 20 LinesShow All 390 Lines▼ Show 20 Lines if (Expr *CopyExpr = CI.getCopyExpr()) {
LastBlock = Tmp; LastBlock = Tmp;
} }
} }
return LastBlock; return LastBlock;
} }
CFGBlock *CFGBuilder::VisitLambdaExpr(LambdaExpr *E, AddStmtChoice asc) { CFGBlock *CFGBuilder::VisitLambdaExpr(LambdaExpr *E, AddStmtChoice asc) {
CFGBlock *LastBlock = VisitNoRecurse(E, asc); CFGBlock *LastBlock = VisitNoRecurse(E, asc);
unsigned Idx = 0;
for (LambdaExpr::capture_init_iterator it = E->capture_init_begin(), for (LambdaExpr::capture_init_iterator it = E->capture_init_begin(),
et = E->capture_init_end(); it != et; ++it) { et = E->capture_init_end(); it != et; ++it) {
if (Expr *Init = *it) { if (Expr *Init = *it) {
// If the initializer is an ArrayInitLoopExpr, we want to extract the
// initializer, that's used for each element.
const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init);
findConstructionContexts(ConstructionContextLayer::create(
cfg->getBumpVectorContext(), {E, Idx}),
AILE ? AILE->getSubExpr() : Init);
CFGBlock *Tmp = Visit(Init); CFGBlock *Tmp = Visit(Init);
if (Tmp) if (Tmp)
LastBlock = Tmp; LastBlock = Tmp;
} }
++Idx;
} }
return LastBlock; return LastBlock;
} }
CFGBlock *CFGBuilder::VisitGotoStmt(GotoStmt *G) { CFGBlock *CFGBuilder::VisitGotoStmt(GotoStmt *G) {
// Goto is a control-flow statement. Thus we stop processing the current // Goto is a control-flow statement. Thus we stop processing the current
// block and create a new one. // block and create a new one.
▲ Show 20 LinesShow All 2,234 Lines▼ Show 20 Linesstatic void print_construction_context(raw_ostream &OS,
} }
case ConstructionContext::ElidedTemporaryObjectKind: { case ConstructionContext::ElidedTemporaryObjectKind: {
const auto *TOCC = cast<ElidedTemporaryObjectConstructionContext>(CC); const auto *TOCC = cast<ElidedTemporaryObjectConstructionContext>(CC);
Stmts.push_back(TOCC->getCXXBindTemporaryExpr()); Stmts.push_back(TOCC->getCXXBindTemporaryExpr());
Stmts.push_back(TOCC->getMaterializedTemporaryExpr()); Stmts.push_back(TOCC->getMaterializedTemporaryExpr());
Stmts.push_back(TOCC->getConstructorAfterElision()); Stmts.push_back(TOCC->getConstructorAfterElision());
break; break;
} }
case ConstructionContext::LambdaKind: {
const auto *LCC = cast<LambdaConstructionContext>(CC);
Helper.handledStmt(const_cast<LambdaExpr *>(LCC->getLambdaExpr()), OS);
OS << "+" << LCC->getIndex();
return;
}
case ConstructionContext::ArgumentKind: { case ConstructionContext::ArgumentKind: {
const auto *ACC = cast<ArgumentConstructionContext>(CC); const auto *ACC = cast<ArgumentConstructionContext>(CC);
if (const Stmt *BTE = ACC->getCXXBindTemporaryExpr()) { if (const Stmt *BTE = ACC->getCXXBindTemporaryExpr()) {
OS << ", "; OS << ", ";
Helper.handledStmt(const_cast<Stmt *>(BTE), OS); Helper.handledStmt(const_cast<Stmt *>(BTE), OS);
} }
OS << ", "; OS << ", ";
Helper.handledStmt(const_cast<Expr *>(ACC->getCallLikeExpr()), OS); Helper.handledStmt(const_cast<Expr *>(ACC->getCallLikeExpr()), OS);
▲ Show 20 LinesShow All 619 LinesShow Last 20 Lines

clang/lib/Analysis/ConstructionContext.cpp

Show First 20 LinesShow All 150 Lines▼ Show 20 Linesconst ConstructionContext *ConstructionContext::createBoundTemporaryFromLayers(
case ConstructionContextItem::InitializerKind: { case ConstructionContextItem::InitializerKind: {
assert(ParentLayer->isLast()); assert(ParentLayer->isLast());
const auto *I = ParentItem.getCXXCtorInitializer(); const auto *I = ParentItem.getCXXCtorInitializer();
assert(!I->getAnyMember()->getType().getCanonicalType() assert(!I->getAnyMember()->getType().getCanonicalType()
->getAsCXXRecordDecl()->hasTrivialDestructor()); ->getAsCXXRecordDecl()->hasTrivialDestructor());
return create<CXX17ElidedCopyConstructorInitializerConstructionContext>( return create<CXX17ElidedCopyConstructorInitializerConstructionContext>(
C, I, BTE); C, I, BTE);
} }
case ConstructionContextItem::LambdaKind: {
assert(ParentLayer->isLast());
const auto *E = cast<LambdaExpr>(ParentItem.getStmt());
return create<LambdaConstructionContext>(C, E, ParentItem.getIndex());
}
} // switch (ParentItem.getKind()) } // switch (ParentItem.getKind())
llvm_unreachable("Unexpected construction context with destructor!"); llvm_unreachable("Unexpected construction context with destructor!");
} }
const ConstructionContext *ConstructionContext::createFromLayers( const ConstructionContext *ConstructionContext::createFromLayers(
BumpVectorContext &C, const ConstructionContextLayer *TopLayer) { BumpVectorContext &C, const ConstructionContextLayer *TopLayer) {
// Before this point all we've had was a stockpile of arbitrary layers. // Before this point all we've had was a stockpile of arbitrary layers.
Show All 28 Lines case ConstructionContextItem::TemporaryDestructorKind: {
return createBoundTemporaryFromLayers(C, BTE, TopLayer->getParent()); return createBoundTemporaryFromLayers(C, BTE, TopLayer->getParent());
} }
case ConstructionContextItem::ElidedDestructorKind: { case ConstructionContextItem::ElidedDestructorKind: {
llvm_unreachable("Elided destructor items are not produced by the CFG!"); llvm_unreachable("Elided destructor items are not produced by the CFG!");
} }
case ConstructionContextItem::ElidableConstructorKind: { case ConstructionContextItem::ElidableConstructorKind: {
llvm_unreachable("The argument needs to be materialized first!"); llvm_unreachable("The argument needs to be materialized first!");
} }
case ConstructionContextItem::LambdaKind: {
assert(TopLayer->isLast());
const auto *E = cast<LambdaExpr>(TopItem.getStmt());
return create<LambdaConstructionContext>(C, E, TopItem.getIndex());
}
case ConstructionContextItem::InitializerKind: { case ConstructionContextItem::InitializerKind: {
assert(TopLayer->isLast()); assert(TopLayer->isLast());
const CXXCtorInitializer *I = TopItem.getCXXCtorInitializer(); const CXXCtorInitializer *I = TopItem.getCXXCtorInitializer();
return create<SimpleConstructorInitializerConstructionContext>(C, I); return create<SimpleConstructorInitializerConstructionContext>(C, I);
} }
case ConstructionContextItem::ArgumentKind: { case ConstructionContextItem::ArgumentKind: {
assert(TopLayer->isLast()); assert(TopLayer->isLast());
const auto *E = cast<Expr>(TopItem.getStmt()); const auto *E = cast<Expr>(TopItem.getStmt());
return create<ArgumentConstructionContext>(C, E, TopItem.getIndex(), return create<ArgumentConstructionContext>(C, E, TopItem.getIndex(),
/*BTE=*/nullptr); /*BTE=*/nullptr);
} }
} // switch (TopItem.getKind()) } // switch (TopItem.getKind())
llvm_unreachable("Unexpected construction context!"); llvm_unreachable("Unexpected construction context!");
} }

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 190 Lines▼ Show 20 Lines
// memory region, which is important for multi-dimensional arrays. E.g:: int // memory region, which is important for multi-dimensional arrays. E.g:: int
// arr[2][2]; assume arr[1][1] will be the next element under construction, so // arr[2][2]; assume arr[1][1] will be the next element under construction, so
// the index is 3. // the index is 3.
typedef llvm::ImmutableMap< typedef llvm::ImmutableMap<
std::pair<const CXXConstructExpr *, const LocationContext *>, unsigned> std::pair<const CXXConstructExpr *, const LocationContext *>, unsigned>
IndexOfElementToConstructMap; IndexOfElementToConstructMap;
REGISTER_TRAIT_WITH_PROGRAMSTATE(IndexOfElementToConstruct, REGISTER_TRAIT_WITH_PROGRAMSTATE(IndexOfElementToConstruct,
IndexOfElementToConstructMap) IndexOfElementToConstructMap)
// This trait is responsible for holding our pending ArrayInitLoopExprs.
// It pairs the LocationContext and the initializer CXXConstructExpr with
// the size of the array that's being copy initialized.
typedef llvm::ImmutableMap<
std::pair<const CXXConstructExpr *, const LocationContext *>, unsigned>
PendingInitLoopMap;
REGISTER_TRAIT_WITH_PROGRAMSTATE(PendingInitLoop, PendingInitLoopMap)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Engine construction and deletion. // Engine construction and deletion.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static const char* TagProviderName = "ExprEngine"; static const char* TagProviderName = "ExprEngine";
ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU, ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
AnalysisManager &mgr, SetOfConstDecls *VisitedCalleesIn, AnalysisManager &mgr, SetOfConstDecls *VisitedCalleesIn,
▲ Show 20 LinesShow All 250 Lines▼ Show 20 LinesProgramStateRef ExprEngine::setIndexOfElementToConstruct(
const LocationContext *LCtx, unsigned Idx) { const LocationContext *LCtx, unsigned Idx) {
auto Key = std::make_pair(E, LCtx->getStackFrame()); auto Key = std::make_pair(E, LCtx->getStackFrame());
assert(!State->contains<IndexOfElementToConstruct>(Key) || Idx > 0); assert(!State->contains<IndexOfElementToConstruct>(Key) || Idx > 0);
return State->set<IndexOfElementToConstruct>(Key, Idx); return State->set<IndexOfElementToConstruct>(Key, Idx);
} }
Optional<unsigned> ExprEngine::getPendingInitLoop(ProgramStateRef State,
const CXXConstructExpr *E,
const LocationContext *LCtx) {
return Optional<unsigned>::create(
State->get<PendingInitLoop>({E, LCtx->getStackFrame()}));
}
ProgramStateRef ExprEngine::removePendingInitLoop(ProgramStateRef State,
const CXXConstructExpr *E,
const LocationContext *LCtx) {
auto Key = std::make_pair(E, LCtx->getStackFrame());
assert(E && State->contains<PendingInitLoop>(Key));
return State->remove<PendingInitLoop>(Key);
}
ProgramStateRef ExprEngine::setPendingInitLoop(ProgramStateRef State,
const CXXConstructExpr *E,
const LocationContext *LCtx,
unsigned Size) {
auto Key = std::make_pair(E, LCtx->getStackFrame());
assert(!State->contains<PendingInitLoop>(Key) && Size > 0);
return State->set<PendingInitLoop>(Key, Size);
}
Optional<unsigned> Optional<unsigned>
ExprEngine::getIndexOfElementToConstruct(ProgramStateRef State, ExprEngine::getIndexOfElementToConstruct(ProgramStateRef State,
const CXXConstructExpr *E, const CXXConstructExpr *E,
const LocationContext *LCtx) { const LocationContext *LCtx) {
return Optional<unsigned>::create( return Optional<unsigned>::create(
State->get<IndexOfElementToConstruct>({E, LCtx->getStackFrame()})); State->get<IndexOfElementToConstruct>({E, LCtx->getStackFrame()}));
} }
Show All 9 Lines
} }
ProgramStateRef ProgramStateRef
ExprEngine::addObjectUnderConstruction(ProgramStateRef State, ExprEngine::addObjectUnderConstruction(ProgramStateRef State,
const ConstructionContextItem &Item, const ConstructionContextItem &Item,
const LocationContext *LC, SVal V) { const LocationContext *LC, SVal V) {
ConstructedObjectKey Key(Item, LC->getStackFrame()); ConstructedObjectKey Key(Item, LC->getStackFrame());
const CXXConstructExpr *E = nullptr; const Expr *Init = nullptr;
if (auto DS = dyn_cast_or_null<DeclStmt>(Item.getStmtOrNull())) { if (auto DS = dyn_cast_or_null<DeclStmt>(Item.getStmtOrNull())) {
if (auto VD = dyn_cast_or_null<VarDecl>(DS->getSingleDecl())) if (auto VD = dyn_cast_or_null<VarDecl>(DS->getSingleDecl()))
E = dyn_cast<CXXConstructExpr>(VD->getInit()); Init = VD->getInit();
} }
if (!E && !Item.getStmtOrNull()) { if (!Init && !Item.getStmtOrNull())
auto CtorInit = Item.getCXXCtorInitializer(); Init = Item.getCXXCtorInitializer()->getInit();
E = dyn_cast<CXXConstructExpr>(CtorInit->getInit());
if (Item.getKind() == ConstructionContextItem::LambdaKind) {
const auto *LE = cast<LambdaExpr>(Item.getStmt());
unsigned Idx = Item.getIndex();
for (auto &&I : LE->capture_inits()) {
if (Idx == 0) {
Init = I;
break;
}
--Idx;
} }
}
// In an ArrayInitLoopExpr the real initializer is returned by
// getSubExpr().
if (const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init))
Init = AILE->getSubExpr();
const auto *E = dyn_cast_or_null<CXXConstructExpr>(Init);
// FIXME: Currently the state might already contain the marker due to // FIXME: Currently the state might already contain the marker due to
// incorrect handling of temporaries bound to default parameters. // incorrect handling of temporaries bound to default parameters.
// The state will already contain the marker if we construct elements // The state will already contain the marker if we construct elements
// in an array, as we visit the same statement multiple times before // in an array, as we visit the same statement multiple times before
// the array declaration. The marker is removed when we exit the // the array declaration. The marker is removed when we exit the
// constructor call. // constructor call.
assert((!State->get<ObjectsUnderConstruction>(Key) || assert((!State->get<ObjectsUnderConstruction>(Key) ||
▲ Show 20 LinesShow All 2,276 Lines▼ Show 20 Linesvoid ExprEngine::VisitArrayInitLoopExpr(const ArrayInitLoopExpr *Ex,
getCheckerManager().runCheckersForPreStmt(CheckerPreStmt, Pred, Ex, *this); getCheckerManager().runCheckersForPreStmt(CheckerPreStmt, Pred, Ex, *this);
ExplodedNodeSet EvalSet; ExplodedNodeSet EvalSet;
StmtNodeBuilder Bldr(CheckerPreStmt, EvalSet, *currBldrCtx); StmtNodeBuilder Bldr(CheckerPreStmt, EvalSet, *currBldrCtx);
const Expr *Arr = Ex->getCommonExpr()->getSourceExpr(); const Expr *Arr = Ex->getCommonExpr()->getSourceExpr();
for (auto *Node : CheckerPreStmt) { for (auto *Node : CheckerPreStmt) {
// The constructor visitior has already taken care of everything.
if (auto *CE = dyn_cast<CXXConstructExpr>(Ex->getSubExpr()))
break;
const LocationContext *LCtx = Node->getLocationContext(); const LocationContext *LCtx = Node->getLocationContext();
ProgramStateRef state = Node->getState(); ProgramStateRef state = Node->getState();
SVal Base = UnknownVal(); SVal Base = UnknownVal();
// As in case of this expression the sub-expressions are not visited by any // As in case of this expression the sub-expressions are not visited by any
// other transfer functions, they are handled by matching their AST. // other transfer functions, they are handled by matching their AST.
▲ Show 20 LinesShow All 730 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 284 Lines▼ Show 20 Lines case ConstructionContext::SimpleTemporaryObjectKind: {
if (MTE->getStorageDuration() == SD_Static || if (MTE->getStorageDuration() == SD_Static ||
MTE->getStorageDuration() == SD_Thread) MTE->getStorageDuration() == SD_Thread)
return loc::MemRegionVal(MRMgr.getCXXStaticTempObjectRegion(E)); return loc::MemRegionVal(MRMgr.getCXXStaticTempObjectRegion(E));
} }
return loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(E, LCtx)); return loc::MemRegionVal(MRMgr.getCXXTempObjectRegion(E, LCtx));
} }
case ConstructionContext::LambdaKind: {
CallOpts.IsTemporaryCtorOrDtor = true;
const auto *LCC = cast<LambdaConstructionContext>(CC);
const auto *LE = LCC->getLambdaExpr();
// Get the region of the lambda itself.
const MemRegion *R =
svalBuilder.getRegionManager().getCXXTempObjectRegion(LE, LCtx);
NoQUnsubmitted
Done
ReplyInline Actions

This tiny piece of code currently mimics/duplicates ExprEngine::VisitLambdaExpr.

I'm not sure if that tiny piece of code represents the correct solution in general, I suspect that eg. if lambda is put into a variable then it needs to be constructed directly in the variable, through copy elision (?) So eventually we'll probably need to assign a construction context to LambdaExpr itself, and then use both of them here, maybe recursively. But this is what we have for now.

So for this patch, I think the right thing to do is to have ExprEngine::VisitLambdaExpr() lookup the region created here instead, from objects-under-construction. This way future improvements could be done in one place, and the infrastructure will already be there.

NoQ: This tiny piece of code currently mimics/duplicates `ExprEngine::VisitLambdaExpr`. I'm not…
SVal V = loc::MemRegionVal(R);
const FieldDecl *FieldForCapture;
const Expr *FieldInitializer;
std::tie(FieldForCapture, FieldInitializer) =
LCC->getCaptureFieldAndInitializer();
SVal Base = State->getLValue(FieldForCapture, V);
if (getIndexOfElementToConstruct(
State, dyn_cast_or_null<CXXConstructExpr>(E), LCtx)) {
CallOpts.IsArrayCtorOrDtor = true;
Base = State->getLValue(E->getType(), svalBuilder.makeArrayIndex(Idx),
Base);
}
return Base;
}
case ConstructionContext::ArgumentKind: { case ConstructionContext::ArgumentKind: {
// Arguments are technically temporaries. // Arguments are technically temporaries.
CallOpts.IsTemporaryCtorOrDtor = true; CallOpts.IsTemporaryCtorOrDtor = true;
const auto *ACC = cast<ArgumentConstructionContext>(CC); const auto *ACC = cast<ArgumentConstructionContext>(CC);
const Expr *E = ACC->getCallLikeExpr(); const Expr *E = ACC->getCallLikeExpr();
unsigned Idx = ACC->getIndex(); unsigned Idx = ACC->getIndex();
▲ Show 20 LinesShow All 144 Lines▼ Show 20 Lines case ConstructionContext::SimpleTemporaryObjectKind: {
if (const auto *BTE = TCC->getCXXBindTemporaryExpr()) if (const auto *BTE = TCC->getCXXBindTemporaryExpr())
State = addObjectUnderConstruction(State, BTE, LCtx, V); State = addObjectUnderConstruction(State, BTE, LCtx, V);
if (const auto *MTE = TCC->getMaterializedTemporaryExpr()) if (const auto *MTE = TCC->getMaterializedTemporaryExpr())
State = addObjectUnderConstruction(State, MTE, LCtx, V); State = addObjectUnderConstruction(State, MTE, LCtx, V);
return State; return State;
} }
case ConstructionContext::LambdaKind: {
const auto *LCC = cast<LambdaConstructionContext>(CC);
const FieldDecl *FieldForCapture;
const Expr *FieldInitializer;
std::tie(FieldForCapture, FieldInitializer) =
LCC->getCaptureFieldAndInitializer();
if (const auto *AILE = dyn_cast<ArrayInitLoopExpr>(FieldInitializer))
FieldInitializer = AILE->getSubExpr();
return addObjectUnderConstruction(
State, {LCC->getLambdaExpr(), LCC->getIndex()}, LCtx, V);
}
case ConstructionContext::ArgumentKind: { case ConstructionContext::ArgumentKind: {
const auto *ACC = cast<ArgumentConstructionContext>(CC); const auto *ACC = cast<ArgumentConstructionContext>(CC);
if (const auto *BTE = ACC->getCXXBindTemporaryExpr()) if (const auto *BTE = ACC->getCXXBindTemporaryExpr())
State = addObjectUnderConstruction(State, BTE, LCtx, V); State = addObjectUnderConstruction(State, BTE, LCtx, V);
return addObjectUnderConstruction( return addObjectUnderConstruction(
State, {ACC->getCallLikeExpr(), ACC->getIndex()}, LCtx, V); State, {ACC->getCallLikeExpr(), ACC->getIndex()}, LCtx, V);
} }
} }
llvm_unreachable("Unhandled construction context!"); llvm_unreachable("Unhandled construction context!");
} }
static ProgramStateRef
bindRequiredArrayElementToEnvironment(ProgramStateRef State,
NoQUnsubmitted
Done
ReplyInline Actions

Maybe turn this function into a member function of VariableConstructionContext? That'll make the caller code a bit more verbose but both the problem and the solution seems to be generic enough to be put there.

I wouldn't even mind subclassing ConstructionContext to handle this special case with a dedicated subclass, then the ArrayInitLoopExpr could become an entire layer. But that's probably an overkill since everything fits together nicely without it.

NoQ: Maybe turn this function into a member function of `VariableConstructionContext`? That'll make…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

Sadly we can't create 1 subclass that handles ArrayInitLoopExpr, as in all 3 different use cases we have a different ConstructionContext.

  • in the implicit copy/move constructor for a class with an array member - ConstructorInitializerConstructionContext
  • when a lambda-expression captures an array by value - <<NULL>>
  • when a decomposition declaration decomposes an array - VariableConstructionContext
isuckatcs: Sadly we can't create 1 subclass that handles `ArrayInitLoopExpr`, as in all 3 different use…
const ArrayInitLoopExpr *AILE,
const LocationContext *LCtx, SVal Idx) {
// The ctor in this case is guaranteed to be a copy ctor, otherwise we hit a
// compile time error.
//
// -ArrayInitLoopExpr <-- we're here
// |-OpaqueValueExpr
// | `-DeclRefExpr <-- match this
// `-CXXConstructExpr
// `-ImplicitCastExpr
// `-ArraySubscriptExpr
// |-ImplicitCastExpr
// | `-OpaqueValueExpr
// | `-DeclRefExpr
// `-ArrayInitIndexExpr
//
// The resulting expression might look like the one below in an implicit
// copy/move ctor.
//
NoQUnsubmitted
Done
ReplyInline Actions

OpaqueValueExpr is often an indication that its sub-expression is duplicated in the AST (i.e., pointed-to from multiple different parents). I'm curious if the DeclRefExpr on the next line is the same DeclRefExpr that you're looking for. In this case we can simplify this function dramatically by consulting the ArrayInitLoopExpr instead (which is available in this function's caller).

NoQ: `OpaqueValueExpr` is often an indication that its sub-expression is duplicated in the AST (i.e.
// ArrayInitLoopExpr <-- we're here
// |-OpaqueValueExpr
// | `-MemberExpr <-- match this
// | `-DeclRefExpr
// `-CXXConstructExpr
// `-ArraySubscriptExpr
// |-ImplicitCastExpr
// | `-OpaqueValueExpr
// | `-MemberExpr
// | `-DeclRefExpr
// `-ArrayInitIndexExpr
//
// HACK: There is no way we can put the index of the array element into the
// CFG unless we unroll the loop, so we manually select and bind the required
// parameter to the environment.
const auto *CE = cast<CXXConstructExpr>(AILE->getSubExpr());
const auto *OVESrc = AILE->getCommonExpr()->getSourceExpr();
SVal Base = UnknownVal();
if (const auto *ME = dyn_cast<MemberExpr>(OVESrc))
Base = State->getSVal(ME, LCtx);
else if (const auto *DRE = cast<DeclRefExpr>(OVESrc))
Base = State->getLValue(cast<VarDecl>(DRE->getDecl()), LCtx);
NoQUnsubmitted
Done
ReplyInline Actions

We should probably assert() that there's no else here. If this assert is ever hit, we'll know that we're missing something and change it to a FIXME.

NoQ: We should probably `assert()` that there's no `else` here. If this assert is ever hit, we'll…
SVal NthElem = State->getLValue(CE->getType(), Idx, Base);
return State->BindExpr(CE->getArg(0), LCtx, NthElem);
}
void ExprEngine::handleConstructor(const Expr *E, void ExprEngine::handleConstructor(const Expr *E,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &destNodes) { ExplodedNodeSet &destNodes) {
const auto *CE = dyn_cast<CXXConstructExpr>(E); const auto *CE = dyn_cast<CXXConstructExpr>(E);
const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(E); const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(E);
assert(CE || CIE); assert(CE || CIE);
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
Show All 24 Linesvoid ExprEngine::handleConstructor(const Expr *E,
const CXXConstructExpr::ConstructionKind CK = const CXXConstructExpr::ConstructionKind CK =
CE ? CE->getConstructionKind() : CIE->getConstructionKind(); CE ? CE->getConstructionKind() : CIE->getConstructionKind();
switch (CK) { switch (CK) {
case CXXConstructExpr::CK_Complete: { case CXXConstructExpr::CK_Complete: {
// Inherited constructors are always base class constructors. // Inherited constructors are always base class constructors.
assert(CE && !CIE && "A complete constructor is inherited?!"); assert(CE && !CIE && "A complete constructor is inherited?!");
// If the ctor is part of an ArrayInitLoopExpr, we want to handle it
// differently.
auto *AILE = CC ? CC->getArrayInitLoop() : nullptr;
unsigned Idx = 0; unsigned Idx = 0;
if (CE->getType()->isArrayType()) { if (CE->getType()->isArrayType() || AILE) {
Idx = getIndexOfElementToConstruct(State, CE, LCtx).getValueOr(0u); Idx = getIndexOfElementToConstruct(State, CE, LCtx).getValueOr(0u);
State = setIndexOfElementToConstruct(State, CE, LCtx, Idx + 1); State = setIndexOfElementToConstruct(State, CE, LCtx, Idx + 1);
} }
if (AILE) {
// Only set this once even though we loop through it multiple times.
if (!getPendingInitLoop(State, CE, LCtx))
State = setPendingInitLoop(State, CE, LCtx,
AILE->getArraySize().getLimitedValue());
State = bindRequiredArrayElementToEnvironment(
State, AILE, LCtx, svalBuilder.makeArrayIndex(Idx));
}
// The target region is found from construction context. // The target region is found from construction context.
std::tie(State, Target) = std::tie(State, Target) =
handleConstructionContext(CE, State, LCtx, CC, CallOpts, Idx); handleConstructionContext(CE, State, LCtx, CC, CallOpts, Idx);
break; break;
} }
case CXXConstructExpr::CK_VirtualBase: { case CXXConstructExpr::CK_VirtualBase: {
// Make sure we are not calling virtual base class initializers twice. // Make sure we are not calling virtual base class initializers twice.
// Only the most-derived object should initialize virtual base classes. // Only the most-derived object should initialize virtual base classes.
▲ Show 20 LinesShow All 514 Lines▼ Show 20 Linesvoid ExprEngine::VisitLambdaExpr(const LambdaExpr *LE, ExplodedNode *Pred,
const MemRegion *R = svalBuilder.getRegionManager().getCXXTempObjectRegion( const MemRegion *R = svalBuilder.getRegionManager().getCXXTempObjectRegion(
LE, LocCtxt); LE, LocCtxt);
SVal V = loc::MemRegionVal(R); SVal V = loc::MemRegionVal(R);
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
// If we created a new MemRegion for the lambda, we should explicitly bind // If we created a new MemRegion for the lambda, we should explicitly bind
// the captures. // the captures.
unsigned Idx = 0;
CXXRecordDecl::field_iterator CurField = LE->getLambdaClass()->field_begin(); CXXRecordDecl::field_iterator CurField = LE->getLambdaClass()->field_begin();
for (LambdaExpr::const_capture_init_iterator i = LE->capture_init_begin(), for (LambdaExpr::const_capture_init_iterator i = LE->capture_init_begin(),
e = LE->capture_init_end(); e = LE->capture_init_end();
i != e; ++i, ++CurField) { i != e; ++i, ++CurField) {
FieldDecl *FieldForCapture = *CurField; FieldDecl *FieldForCapture = *CurField;
SVal FieldLoc = State->getLValue(FieldForCapture, V); SVal FieldLoc = State->getLValue(FieldForCapture, V);
SVal InitVal; SVal InitVal;
if (!FieldForCapture->hasCapturedVLAType()) { if (!FieldForCapture->hasCapturedVLAType()) {
Expr *InitExpr = *i; Expr *InitExpr = *i;
if (const auto AILE = dyn_cast<ArrayInitLoopExpr>(InitExpr)) {
// If the AILE initializes a non-POD array, we need to keep it as the
// InitExpr.
if (dyn_cast<CXXConstructExpr>(AILE->getSubExpr()))
InitExpr = AILE->getSubExpr();
}
if (dyn_cast<CXXConstructExpr>(InitExpr)) {
State = finishObjectConstruction(State, {LE, Idx}, LocCtxt);
++Idx;
continue;
}
assert(InitExpr && "Capture missing initialization expression"); assert(InitExpr && "Capture missing initialization expression");
InitVal = State->getSVal(InitExpr, LocCtxt); InitVal = State->getSVal(InitExpr, LocCtxt);
} else { } else {
NoQUnsubmitted
Done
ReplyInline Actions

Should we clean up the state on the else-branch as well?

NoQ: Should we clean up the state on the else-branch as well?
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

Capturing a VLA by value is a compile time error. If the VLA is captured by reference, there is no CXXConstructExpr we need to evaluate, so that case is not affected by this patch. I think there's nothing to clean up.

isuckatcs: Capturing a VLA by value is a compile time error. If the VLA is captured by reference, there is…
NoQUnsubmitted
Done
ReplyInline Actions

Ok maybe assert() then, to make sure there's nothing to clean up(?)

NoQ: Ok maybe `assert()` then, to make sure there's nothing to clean up(?)
// The field stores the length of a captured variable-length array. // The field stores the length of a captured variable-length array.
// These captures don't have initialization expressions; instead we // These captures don't have initialization expressions; instead we
// get the length from the VLAType size expression. // get the length from the VLAType size expression.
Expr *SizeExpr = FieldForCapture->getCapturedVLAType()->getSizeExpr(); Expr *SizeExpr = FieldForCapture->getCapturedVLAType()->getSizeExpr();
InitVal = State->getSVal(SizeExpr, LocCtxt); InitVal = State->getSVal(SizeExpr, LocCtxt);
} }
++Idx;
State = State->bindLoc(FieldLoc, InitVal, LocCtxt); State = State->bindLoc(FieldLoc, InitVal, LocCtxt);
} }
// Decay the Loc into an RValue, because there might be a // Decay the Loc into an RValue, because there might be a
// MaterializeTemporaryExpr node above this one which expects the bound value // MaterializeTemporaryExpr node above this one which expects the bound value
// to be an RValue. // to be an RValue.
SVal LambdaRVal = State->getSVal(R); SVal LambdaRVal = State->getSVal(R);
Show All 10 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 LinesShow All 253 Lines▼ Show 20 Lines if (const CXXConstructExpr *CCE = dyn_cast<CXXConstructExpr>(CE)) {
loc::MemRegionVal This = loc::MemRegionVal This =
svalBuilder.getCXXThis(CCE->getConstructor()->getParent(), calleeCtx); svalBuilder.getCXXThis(CCE->getConstructor()->getParent(), calleeCtx);
SVal ThisV = state->getSVal(This); SVal ThisV = state->getSVal(This);
ThisV = state->getSVal(ThisV.castAs<Loc>()); ThisV = state->getSVal(ThisV.castAs<Loc>());
state = state->BindExpr(CCE, callerCtx, ThisV); state = state->BindExpr(CCE, callerCtx, ThisV);
ShouldLoopCall = shouldRepeatCtorCall(state, CCE, callerCtx); ShouldLoopCall = shouldRepeatCtorCall(state, CCE, callerCtx);
if (!ShouldLoopCall && if (!ShouldLoopCall) {
getIndexOfElementToConstruct(state, CCE, callerCtx)) if (getIndexOfElementToConstruct(state, CCE, callerCtx))
state = removeIndexOfElementToConstruct(state, CCE, callerCtx); state = removeIndexOfElementToConstruct(state, CCE, callerCtx);
if (getPendingInitLoop(state, CCE, callerCtx))
state = removePendingInitLoop(state, CCE, callerCtx);
}
} }
if (const auto *CNE = dyn_cast<CXXNewExpr>(CE)) { if (const auto *CNE = dyn_cast<CXXNewExpr>(CE)) {
// We are currently evaluating a CXXNewAllocator CFGElement. It takes a // We are currently evaluating a CXXNewAllocator CFGElement. It takes a
// while to reach the actual CXXNewExpr element from here, so keep the // while to reach the actual CXXNewExpr element from here, so keep the
// region for later use. // region for later use.
// Additionally cast the return value of the inlined operator new // Additionally cast the return value of the inlined operator new
// (which is of type 'void *') to the correct object type. // (which is of type 'void *') to the correct object type.
▲ Show 20 LinesShow All 531 Lines▼ Show 20 Lines if (llvm::isa_and_nonnull<NewAllocatedObjectConstructionContext>(CC) &&
return CIP_DisallowedOnce; return CIP_DisallowedOnce;
// FIXME: We don't handle constructors or destructors for arrays properly. // FIXME: We don't handle constructors or destructors for arrays properly.
// Even once we do, we still need to be careful about implicitly-generated // Even once we do, we still need to be careful about implicitly-generated
// initializers for array fields in default move/copy constructors. // initializers for array fields in default move/copy constructors.
// We still allow construction into ElementRegion targets when they don't // We still allow construction into ElementRegion targets when they don't
// represent array elements. // represent array elements.
if (CallOpts.IsArrayCtorOrDtor) { if (CallOpts.IsArrayCtorOrDtor) {
if (!shouldInlineArrayConstruction( if (!shouldInlineArrayConstruction(Pred->getState(), CtorExpr, CurLC))
dyn_cast<ArrayType>(CtorExpr->getType())))
return CIP_DisallowedOnce; return CIP_DisallowedOnce;
} }
// Inlining constructors requires including initializers in the CFG. // Inlining constructors requires including initializers in the CFG.
const AnalysisDeclContext *ADC = CallerSFC->getAnalysisDeclContext(); const AnalysisDeclContext *ADC = CallerSFC->getAnalysisDeclContext();
assert(ADC->getCFGBuildOptions().AddInitializers && "No CFG initializers"); assert(ADC->getCFGBuildOptions().AddInitializers && "No CFG initializers");
(void)ADC; (void)ADC;
▲ Show 20 LinesShow All 249 Lines▼ Show 20 Linesbool ExprEngine::shouldInlineCall(const CallEvent &Call, const Decl *D,
} }
if (HowToInline == Inline_Minimal && (!isSmall(CalleeADC) || IsRecursive)) if (HowToInline == Inline_Minimal && (!isSmall(CalleeADC) || IsRecursive))
return false; return false;
return true; return true;
} }
bool ExprEngine::shouldInlineArrayConstruction(const ArrayType *Type) { bool ExprEngine::shouldInlineArrayConstruction(const ProgramStateRef State,
if (!Type) const CXXConstructExpr *CE,
const LocationContext *LCtx) {
if (!CE)
return false; return false;
auto Type = CE->getType();
// FIXME: Handle other arrays types. // FIXME: Handle other arrays types.
if (const auto *CAT = dyn_cast<ConstantArrayType>(Type)) { if (const auto *CAT = dyn_cast<ConstantArrayType>(Type)) {
unsigned Size = getContext().getConstantArrayElementCount(CAT); unsigned Size = getContext().getConstantArrayElementCount(CAT);
return Size <= AMgr.options.maxBlockVisitOnPath; return Size <= AMgr.options.maxBlockVisitOnPath;
} }
// Check if we're inside an ArrayInitLoopExpr, and it's sufficiently small.
if (auto Size = getPendingInitLoop(State, CE, LCtx))
return *Size <= AMgr.options.maxBlockVisitOnPath;
return false; return false;
} }
bool ExprEngine::shouldRepeatCtorCall(ProgramStateRef State, bool ExprEngine::shouldRepeatCtorCall(ProgramStateRef State,
const CXXConstructExpr *E, const CXXConstructExpr *E,
const LocationContext *LCtx) { const LocationContext *LCtx) {
if (!E) if (!E)
return false; return false;
auto Ty = E->getType(); auto Ty = E->getType();
// FIXME: Handle non constant array types // FIXME: Handle non constant array types
if (const auto *CAT = dyn_cast<ConstantArrayType>(Ty)) { if (const auto *CAT = dyn_cast<ConstantArrayType>(Ty)) {
unsigned Size = getContext().getConstantArrayElementCount(CAT); unsigned Size = getContext().getConstantArrayElementCount(CAT);
return Size > getIndexOfElementToConstruct(State, E, LCtx); return Size > getIndexOfElementToConstruct(State, E, LCtx);
} }
if (auto Size = getPendingInitLoop(State, E, LCtx))
return Size > getIndexOfElementToConstruct(State, E, LCtx);
return false; return false;
} }
static bool isTrivialObjectAssignment(const CallEvent &Call) { static bool isTrivialObjectAssignment(const CallEvent &Call) {
const CXXInstanceCall *ICall = dyn_cast<CXXInstanceCall>(&Call); const CXXInstanceCall *ICall = dyn_cast<CXXInstanceCall>(&Call);
if (!ICall) if (!ICall)
return false; return false;
▲ Show 20 LinesShow All 111 LinesShow Last 20 Lines

clang/test/Analysis/array-init-loop.cpp

Show First 20 LinesShow All 119 Lines▼ Show 20 Linesvoid move_ctor_uninit() {
// FIXME: These should be Undefined, but we fail to read Undefined from a lazyCompoundVal. // FIXME: These should be Undefined, but we fail to read Undefined from a lazyCompoundVal.
clang_analyzer_eval(moved.arr[0]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(moved.arr[0]); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(moved.arr[1]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(moved.arr[1]); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(moved.arr[2]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(moved.arr[2]); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(moved.arr[3]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(moved.arr[3]); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(moved.arr[4]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(moved.arr[4]); // expected-warning{{UNKNOWN}}
} }
struct S2 {
inline static int c = 0;
int i;
S2() : i(++c) {}
S2(const S2 &copy) {
i = copy.i + 1;
}
S2(S2 &&move) {
i = move.i + 2;
}
};
void array_init_non_pod() {
S2::c = 0;
S2 arr[4];
auto [a, b, c, d] = arr;
clang_analyzer_eval(a.i == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(b.i == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(c.i == 4); // expected-warning{{TRUE}}
clang_analyzer_eval(d.i == 5); // expected-warning{{TRUE}}
}
struct S3 {
int i;
};
void array_uninit_non_pod() {
// FIXME: core.uninitialized.Assign in an implicit copy ctor is reported only once,
// we prefer to catch it in lambda_uninit_non_pod()
// S3 arr[1];
martongUnsubmitted
Done
ReplyInline Actions

I think, the matching should be more precise; it is a.i that is garbage, isn't it?
Perhaps this would also make sense (unless the previous warning is a sink):

clang_analyzer_eval(a.i); // expected-warning{{UNDEFINED}}
martong: I think, the matching should be more precise; it is `a.i` that is garbage, isn't it? Perhaps…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

Yes a.i is the Undefined variable, but the warning we get is a sink, so there's no way to confirm it (unless we look at the egraph).

isuckatcs: Yes `a.i` is the `Undefined` variable, but the warning we get is a sink, so there's no way to…
// auto [a] = arr;
}
void lambda_init_non_pod() {
S2::c = 0;
S2 arr[4];
auto l = [arr] { return arr[0].i; }();
clang_analyzer_eval(l == 2); // expected-warning{{TRUE}}
l = [arr] { return arr[1].i; }();
clang_analyzer_eval(l == 3); // expected-warning{{TRUE}}
l = [arr] { return arr[2].i; }();
clang_analyzer_eval(l == 4); // expected-warning{{TRUE}}
l = [arr] { return arr[3].i; }();
clang_analyzer_eval(l == 5); // expected-warning{{TRUE}}
}
void lambda_uninit_non_pod() {
S3 arr[4];
int l = [arr] { return arr[3].i; }(); // expected-warning@156{{ in implicit constructor is garbage or undefined }}
}
struct S5 {
S2 arr[4];
};
void copy_ctor_init_non_pod() {
S2::c = 0;
S5 orig;
S5 copy = orig;
clang_analyzer_eval(copy.arr[0].i == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(copy.arr[1].i == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(copy.arr[2].i == 4); // expected-warning{{TRUE}}
clang_analyzer_eval(copy.arr[3].i == 5); // expected-warning{{TRUE}}
}
martongUnsubmitted
Done
ReplyInline Actions
clang_analyzer_eval(l); // expected-warning{{UNKNOWN}}
}
struct S5 {
S2 arr[4];
};
+ static_assert(!std::is_pod<S5>::value, "");
+
void copy_ctor_init_non_pod() {

I think, It would be useful to emphase more explicitly what we want from the S5 type. Same above with S2.

Note, is_pod is basically is_trivial && is_standard_layout from C++20 (the PODType type requirement is deprecated since then).

martong: I think, It would be useful to emphase more explicitly what we want from the `S5` type. Same…
void move_ctor_init_non_pod() {
S2::c = 0;
S5 orig;
S5 moved = (S5 &&) orig;
clang_analyzer_eval(moved.arr[0].i == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(moved.arr[1].i == 4); // expected-warning{{TRUE}}
clang_analyzer_eval(moved.arr[2].i == 5); // expected-warning{{TRUE}}
clang_analyzer_eval(moved.arr[3].i == 6); // expected-warning{{TRUE}}
}

clang/test/Analysis/ctor.mm

Show First 20 LinesShow All 433 Lines▼ Show 20 Lines void testNonPOD() {
a.values[2].x = 3; a.values[2].x = 3;
clang_analyzer_eval(a.values[0].x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(a.values[0].x == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(a.values[1].x == 2); // expected-warning{{TRUE}} clang_analyzer_eval(a.values[1].x == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(a.values[2].x == 3); // expected-warning{{TRUE}} clang_analyzer_eval(a.values[2].x == 3); // expected-warning{{TRUE}}
NonPOD b = a; NonPOD b = a;
clang_analyzer_eval(b.values[0].x == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(b.values[0].x == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(b.values[1].x == 2); // expected-warning{{UNKNOWN}} clang_analyzer_eval(b.values[1].x == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(b.values[2].x == 3); // expected-warning{{UNKNOWN}} clang_analyzer_eval(b.values[2].x == 3); // expected-warning{{TRUE}}
NonPOD c; NonPOD c;
c = b; c = b;
clang_analyzer_eval(c.values[0].x == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(c.values[0].x == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(c.values[1].x == 2); // expected-warning{{UNKNOWN}} clang_analyzer_eval(c.values[1].x == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(c.values[2].x == 3); // expected-warning{{UNKNOWN}} clang_analyzer_eval(c.values[2].x == 3); // expected-warning{{TRUE}}
} }
struct NestedNonPOD { struct NestedNonPOD {
NonPODIntWrapper values[2][3]; NonPODIntWrapper values[2][3];
}; };
void testNestedNonPOD() { void testNestedNonPOD() {
NestedNonPOD a; NestedNonPOD a;
Show All 37 Lines void testNonPODDefaulted() {
a.values[2].x = 3; a.values[2].x = 3;
clang_analyzer_eval(a.values[0].x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(a.values[0].x == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(a.values[1].x == 2); // expected-warning{{TRUE}} clang_analyzer_eval(a.values[1].x == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(a.values[2].x == 3); // expected-warning{{TRUE}} clang_analyzer_eval(a.values[2].x == 3); // expected-warning{{TRUE}}
NonPODDefaulted b = a; NonPODDefaulted b = a;
clang_analyzer_eval(b.values[0].x == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(b.values[0].x == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(b.values[1].x == 2); // expected-warning{{UNKNOWN}} clang_analyzer_eval(b.values[1].x == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(b.values[2].x == 3); // expected-warning{{UNKNOWN}} clang_analyzer_eval(b.values[2].x == 3); // expected-warning{{TRUE}}
NonPODDefaulted c; NonPODDefaulted c;
c = b; c = b;
clang_analyzer_eval(c.values[0].x == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(c.values[0].x == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(c.values[1].x == 2); // expected-warning{{UNKNOWN}} clang_analyzer_eval(c.values[1].x == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(c.values[2].x == 3); // expected-warning{{UNKNOWN}} clang_analyzer_eval(c.values[2].x == 3); // expected-warning{{TRUE}}
} }
}; };
namespace VirtualInheritance { namespace VirtualInheritance {
int counter; int counter;
struct base { struct base {
base() { base() {
▲ Show 20 LinesShow All 341 LinesShow Last 20 Lines

clang/test/Analysis/lambdas.cpp

Show First 20 LinesShow All 394 Lines▼ Show 20 Lines
#endif #endif
// CHECK: [B2 (ENTRY)] // CHECK: [B2 (ENTRY)]
// CHECK: Succs (1): B1 // CHECK: Succs (1): B1
// CHECK: [B1] // CHECK: [B1]
// CHECK: 1: x // CHECK: 1: x
// CHECK: 2: [B1.1] (ImplicitCastExpr, NoOp, const struct X) // CHECK: 2: [B1.1] (ImplicitCastExpr, NoOp, const struct X)
// CHECK: 3: [B1.2] (CXXConstructExpr, struct X) // CHECK: 3: [B1.2] (CXXConstructExpr[B1.4]+0, struct X)
// CHECK: 4: [x] { // CHECK: 4: [x] {
// CHECK: } // CHECK: }
// CHECK: 5: (void)[B1.4] (CStyleCastExpr, ToVoid, void) // CHECK: 5: (void)[B1.4] (CStyleCastExpr, ToVoid, void)
// CHECK: Preds (1): B2 // CHECK: Preds (1): B2
// CHECK: Succs (1): B0 // CHECK: Succs (1): B0
// CHECK: [B0 (EXIT)] // CHECK: [B0 (EXIT)]
// CHECK: Preds (1): B1 // CHECK: Preds (1): B1

clang/test/Analysis/uninit-structured-binding-array.cpp

Show First 20 LinesShow All 286 Lines▼ Show 20 Linesvoid array_big_a(void) {
// FIXME: These will be Undefined when we handle reading Undefined values from lazyCompoundVal. // FIXME: These will be Undefined when we handle reading Undefined values from lazyCompoundVal.
clang_analyzer_eval(a == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(a == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(b == 2); // expected-warning{{UNKNOWN}} clang_analyzer_eval(b == 2); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(c == 3); // expected-warning{{UNKNOWN}} clang_analyzer_eval(c == 3); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(d == 4); // expected-warning{{UNKNOWN}} clang_analyzer_eval(d == 4); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(e == 5); // expected-warning{{UNKNOWN}} clang_analyzer_eval(e == 5); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(f == 6); // expected-warning{{UNKNOWN}} clang_analyzer_eval(f == 6); // expected-warning{{UNKNOWN}}
} }
struct S {
int a = 1;
int b = 2;
};
void non_pod_val(void) {
S arr[2];
auto [x, y] = arr;
clang_analyzer_eval(x.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(x.b == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(y.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(y.b == 2); // expected-warning{{TRUE}}
}
void non_pod_lref(void) {
S arr[2];
auto &[x, y] = arr;
clang_analyzer_eval(x.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(x.b == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(y.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(y.b == 2); // expected-warning{{TRUE}}
}
void non_pod_rref(void) {
S arr[2];
auto &&[x, y] = arr;
clang_analyzer_eval(x.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(x.b == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(y.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(y.b == 2); // expected-warning{{TRUE}}
}
struct SUD {
int a = 1;
int b = 2;
SUD() = default;
SUD(const SUD &copy) {
a = copy.a + 1;
b = copy.b + 1;
}
};
void non_pod_user_defined_val(void) {
SUD arr[2];
auto [x, y] = arr;
clang_analyzer_eval(x.a == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(x.b == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(y.a == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(y.b == 3); // expected-warning{{TRUE}}
}