This is an archive of the discontinued LLVM Phabricator instance.

Differential D131840

[analyzer] Handling non-POD multidimensional arrays in ArrayInitLoopExpr
ClosedPublic

Authored by isuckatcs on Aug 13 2022, 8:43 AM.

Details

Reviewers
NoQ
xazax.hun
Szelethus
t-rasmud
ziqingluo-90
usama54321
Commits
rGc81bf940c77e: [analyzer] Handling non-POD multidimensional arrays in ArrayInitLoopExpr
Summary

This patch makes it possible for lambdas, implicit copy/move ctors and structured bindings to
handle non-POD multidimensional arrays.

Diff Detail

Event Timeline

isuckatcs created this revision.Aug 13 2022, 8:43 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 13 2022, 8:43 AM
Herald added subscribers: steakhal, manas, ASDenysPetrov and 8 others. · View Herald Transcript
isuckatcs requested review of this revision.Aug 13 2022, 8:43 AM
isuckatcs added a child revision: D131501: [analyzer] Fix for incorrect handling of 0 length non-POD array construction.
Harbormaster completed remote builds in B181097: Diff 452430.Aug 13 2022, 9:13 AM
NoQ accepted this revision.Aug 14 2022, 12:06 AM

Lovely, thanks!

This revision is now accepted and ready to land.Aug 14 2022, 12:06 AM
xazax.hun added inline comments.Aug 14 2022, 9:35 AM
clang/lib/Analysis/CFG.cpp
1724

Would a regular dyn_cast work? I would not expect getSubExpr to return nullptr. This applies to some other places as well.

3432–3436

Instead of duplicating both the code and adding this comment, I wonder if a well named small utility function can make this code equally clear and reduce duplication.

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
569

Do you need a dyn_cast here? ``AILE alreadt has the right type.

isuckatcs added inline comments.Aug 14 2022, 1:39 PM
clang/lib/Analysis/CFG.cpp
3432–3436

I've been thinking about the same thing. I would also place the getArrayInitLoopExprSize() helper function into ASTContext as it also has a similar helper called getConstantArrayElementCount().

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
569

It handles if the user passes a nullptr to the function. Also because AILE is an ArrayInitLoopExpr *, in the loop I also have
AILE = dyn_cast<ArrayInitLoopExpr>(E->getSubExpr()) which can still make a nullptr from AILE.

This might not be the best solution but this helper will be reworked anyway due to a mistake I've made below.

575
xazax.hun added inline comments.Aug 14 2022, 1:45 PM
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
569

I think if you just declare E to be const ArrayInitLoopExpr*, you might not need the cast at all. while should already guard against nullptr from the user.

isuckatcs updated this revision to Diff 452622.Aug 15 2022, 3:42 AM
isuckatcs marked 4 inline comments as done.
  • Moved getArrayInitLoopExprSize() to ASTContext.
  • Addressed comments.
Harbormaster completed remote builds in B181245: Diff 452622.Aug 15 2022, 4:19 AM
xazax.hun accepted this revision.Aug 15 2022, 8:32 AM

Some nits inline but overall looks good to me.

clang/lib/AST/ASTContext.cpp
6917

Did you see examples where the SubExpr of an ArrayInitLoopExpr returned a nullptr? If not, I'd go with dyn_cast for now.

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
544–545

Shouldn't this also use extractElementInitializerFromNestedAILE?

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
544–545

extractElementInitializerFromNestedAILE?

1169–1170

extractElementInitializerFromNestedAILE?

isuckatcs updated this revision to Diff 452932.Aug 16 2022, 2:42 AM
isuckatcs marked 4 inline comments as done.
  • Rebased
  • Moved extractElementInitializerFromNestedAILE() to ExprEngine
  • Addressed comments
isuckatcs added a parent revision: D131944: [analyzer] Remove pattern matching of lambda capture initializers.Aug 16 2022, 2:42 AM
isuckatcs added inline comments.
clang/lib/AST/ASTContext.cpp
6917

getSubExpr() uses a regular cast, so it cannot return nullptr.

isuckatcs added inline comments.Aug 16 2022, 2:47 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
983 ↗(On Diff #452932)

The definition is in the header, because this method is used in CFG.cpp, but that source file is not linked against any of the ExprEngine source files and I don't want to change the linking of libraries.

@xazax.hun do you have any suggestions, where to put a function that is referenced in both the Analysis and the Static Analyzer library? I want to avoid creating the same helper twice.

Harbormaster completed remote builds in B181471: Diff 452932.Aug 16 2022, 3:25 AM
xazax.hun added inline comments.Aug 16 2022, 8:48 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
983 ↗(On Diff #452932)

Are you sure? CFG.cpp is linked into clangAnalysis and clangAnalysis is linked a dependency of the static analyzer core. I'd expect putting this in CFG.cpp should work perfectly well. Just be sure to not put the implementation in an anonymous namespace.

xazax.hun accepted this revision.Aug 16 2022, 8:51 AM

Overall looks good to me. I think extractElementInitializerFromNestedAILE should live somewhere in the clangAnalysis component due to how layering is done, but otherwise it looks wonderful, thanks!

isuckatcs updated this revision to Diff 453830.EditedAug 18 2022, 4:25 PM

Moved extractElementInitializerFromNestedAILE to CFG.cpp.

@xazax.hun is this how you meant it?

Harbormaster completed remote builds in B182114: Diff 453830.Aug 18 2022, 6:12 PM
xazax.hun accepted this revision.Aug 19 2022, 2:16 AM
In D131840#3733717, @isuckatcs wrote:

Moved extractElementInitializerFromNestedAILE to CFG.cpp.

@xazax.hun is this how you meant it?

Yep, looks great, thanks!

xazax.hun added inline comments.Aug 19 2022, 2:18 AM
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
236–237

Would moving this declaration to CFG.h work?

isuckatcs updated this revision to Diff 454007.EditedAug 19 2022, 8:10 AM

Added a testcase for the crashing snippet. (Wrong revision)

isuckatcs updated this revision to Diff 454014.Aug 19 2022, 8:27 AM

Moved the declaration of extractElementInitializerFromNestedAILE to CFG.h.

isuckatcs marked an inline comment as done.Aug 19 2022, 8:28 AM
Harbormaster completed remote builds in B182231: Diff 454014.Aug 19 2022, 9:22 AM
Closed by commit rGc81bf940c77e: [analyzer] Handling non-POD multidimensional arrays in ArrayInitLoopExpr (authored by isuckatcs). · Explain WhyAug 22 2022, 4:54 AM
This revision was automatically updated to reflect the committed changes.
isuckatcs added a commit: rGc81bf940c77e: [analyzer] Handling non-POD multidimensional arrays in ArrayInitLoopExpr.
Herald added a project: Restricted Project. · View Herald TranscriptAug 22 2022, 4:54 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
include/
clang/
AST/
4 lines
Analysis/
2 lines
lib/
AST/
15 lines
Analysis/
22 lines
StaticAnalyzer/
Core/
5 lines
27 lines
test/
Analysis/
83 lines

Diff 454455

clang/include/clang/AST/ASTContext.h

Show First 20 LinesShow All 2,725 Lines▼ Show 20 Linespublic:
/// Return the innermost element type of a type (which needn't /// Return the innermost element type of a type (which needn't
/// actually be an array type). /// actually be an array type).
QualType getBaseElementType(QualType QT) const; QualType getBaseElementType(QualType QT) const;
/// Return number of constant array elements. /// Return number of constant array elements.
uint64_t getConstantArrayElementCount(const ConstantArrayType *CA) const; uint64_t getConstantArrayElementCount(const ConstantArrayType *CA) const;
/// Return number of elements initialized in an ArrayInitLoopExpr.
uint64_t
getArrayInitLoopExprElementCount(const ArrayInitLoopExpr *AILE) const;
/// Perform adjustment on the parameter type of a function. /// Perform adjustment on the parameter type of a function.
/// ///
/// This routine adjusts the given parameter type @p T to the actual /// This routine adjusts the given parameter type @p T to the actual
/// parameter type used by semantic analysis (C99 6.7.5.3p[7,8], /// parameter type used by semantic analysis (C99 6.7.5.3p[7,8],
/// C++ [dcl.fct]p3). The adjusted parameter type is returned. /// C++ [dcl.fct]p3). The adjusted parameter type is returned.
QualType getAdjustedParameterType(QualType T) const; QualType getAdjustedParameterType(QualType T) const;
/// Retrieve the parameter type as adjusted for use in the signature /// Retrieve the parameter type as adjusted for use in the signature
▲ Show 20 LinesShow All 709 LinesShow Last 20 Lines

clang/include/clang/Analysis/CFG.h

Show First 20 LinesShow All 1,460 Lines▼ Show 20 Linesprivate:
/// This is the collection of such blocks present in the CFG. /// This is the collection of such blocks present in the CFG.
std::vector<const CFGBlock *> TryDispatchBlocks; std::vector<const CFGBlock *> TryDispatchBlocks;
/// Collects DeclStmts synthesized for this CFG and maps each one back to its /// Collects DeclStmts synthesized for this CFG and maps each one back to its
/// source DeclStmt. /// source DeclStmt.
llvm::DenseMap<const DeclStmt *, const DeclStmt *> SyntheticDeclStmts; llvm::DenseMap<const DeclStmt *, const DeclStmt *> SyntheticDeclStmts;
}; };
Expr *extractElementInitializerFromNestedAILE(const ArrayInitLoopExpr *AILE);
} // namespace clang } // namespace clang
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// GraphTraits specializations for CFG basic block graphs (source-level CFGs) // GraphTraits specializations for CFG basic block graphs (source-level CFGs)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace llvm { namespace llvm {
▲ Show 20 LinesShow All 112 LinesShow Last 20 Lines

clang/lib/AST/ASTContext.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 6,899 Lines▼ Show 20 LinesASTContext::getConstantArrayElementCount(const ConstantArrayType *CA) const {
do { do {
ElementCount *= CA->getSize().getZExtValue(); ElementCount *= CA->getSize().getZExtValue();
CA = dyn_cast_or_null<ConstantArrayType>( CA = dyn_cast_or_null<ConstantArrayType>(
CA->getElementType()->getAsArrayTypeUnsafe()); CA->getElementType()->getAsArrayTypeUnsafe());
} while (CA); } while (CA);
return ElementCount; return ElementCount;
} }
uint64_t ASTContext::getArrayInitLoopExprElementCount(
const ArrayInitLoopExpr *AILE) const {
if (!AILE)
return 0;
uint64_t ElementCount = 1;
do {
ElementCount *= AILE->getArraySize().getZExtValue();
AILE = dyn_cast<ArrayInitLoopExpr>(AILE->getSubExpr());
xazax.hunUnsubmitted
Done
ReplyInline Actions

Did you see examples where the SubExpr of an ArrayInitLoopExpr returned a nullptr? If not, I'd go with dyn_cast for now.

xazax.hun: Did you see examples where the `SubExpr` of an `ArrayInitLoopExpr` returned a `nullptr`? If not…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

getSubExpr() uses a regular cast, so it cannot return nullptr.

isuckatcs: `getSubExpr()` uses a regular cast, so it cannot return `nullptr`.
} while (AILE);
return ElementCount;
}
/// getFloatingRank - Return a relative rank for floating point types. /// getFloatingRank - Return a relative rank for floating point types.
/// This routine will assert if passed a built-in type that isn't a float. /// This routine will assert if passed a built-in type that isn't a float.
static FloatingRank getFloatingRank(QualType T) { static FloatingRank getFloatingRank(QualType T) {
if (const auto *CT = T->getAs<ComplexType>()) if (const auto *CT = T->getAs<ComplexType>())
return getFloatingRank(CT->getElementType()); return getFloatingRank(CT->getElementType());
switch (T->castAs<BuiltinType>()->getKind()) { switch (T->castAs<BuiltinType>()->getKind()) {
default: llvm_unreachable("getFloatingRank(): not a floating type"); default: llvm_unreachable("getFloatingRank(): not a floating type");
▲ Show 20 LinesShow All 5,521 LinesShow Last 20 Lines

clang/lib/Analysis/CFG.cpp

Show First 20 LinesShow All 1,326 Lines▼ Show 20 Lines TryResult evaluateAsBooleanConditionNoCache(Expr *E) {
return {}; return {};
} }
bool hasTrivialDestructor(VarDecl *VD); bool hasTrivialDestructor(VarDecl *VD);
}; };
} // namespace } // namespace
Expr *
clang::extractElementInitializerFromNestedAILE(const ArrayInitLoopExpr *AILE) {
if (!AILE)
return nullptr;
Expr *AILEInit = AILE->getSubExpr();
while (const auto *E = dyn_cast<ArrayInitLoopExpr>(AILEInit))
AILEInit = E->getSubExpr();
return AILEInit;
}
inline bool AddStmtChoice::alwaysAdd(CFGBuilder &builder, inline bool AddStmtChoice::alwaysAdd(CFGBuilder &builder,
const Stmt *stmt) const { const Stmt *stmt) const {
return builder.alwaysAdd(stmt) || kind == AlwaysAdd; return builder.alwaysAdd(stmt) || kind == AlwaysAdd;
} }
bool CFGBuilder::alwaysAdd(const Stmt *stmt) { bool CFGBuilder::alwaysAdd(const Stmt *stmt) {
bool shouldAdd = BuildOpts.alwaysAdd(stmt); bool shouldAdd = BuildOpts.alwaysAdd(stmt);
▲ Show 20 LinesShow All 358 Lines▼ Show 20 LinesCFGBlock *CFGBuilder::addInitializer(CXXCtorInitializer *I) {
} }
autoCreateBlock(); autoCreateBlock();
appendInitializer(Block, I); appendInitializer(Block, I);
if (Init) { if (Init) {
// If the initializer is an ArrayInitLoopExpr, we want to extract the // If the initializer is an ArrayInitLoopExpr, we want to extract the
// initializer, that's used for each element. // initializer, that's used for each element.
const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init); auto *AILEInit = extractElementInitializerFromNestedAILE(
dyn_cast<ArrayInitLoopExpr>(Init));
findConstructionContexts( findConstructionContexts(
xazax.hunUnsubmitted
Done
ReplyInline Actions

Would a regular dyn_cast work? I would not expect getSubExpr to return nullptr. This applies to some other places as well.

xazax.hun: Would a regular `dyn_cast` work? I would not expect `getSubExpr` to return `nullptr`. This…
ConstructionContextLayer::create(cfg->getBumpVectorContext(), I), ConstructionContextLayer::create(cfg->getBumpVectorContext(), I),
AILE ? AILE->getSubExpr() : Init); AILEInit ? AILEInit : Init);
if (HasTemporaries) { if (HasTemporaries) {
// For expression with temporaries go directly to subexpression to omit // For expression with temporaries go directly to subexpression to omit
// generating destructors for the second time. // generating destructors for the second time.
return Visit(cast<ExprWithCleanups>(Init)->getSubExpr()); return Visit(cast<ExprWithCleanups>(Init)->getSubExpr());
} }
if (BuildOpts.AddCXXDefaultInitExprInCtors) { if (BuildOpts.AddCXXDefaultInitExprInCtors) {
if (CXXDefaultInitExpr *Default = dyn_cast<CXXDefaultInitExpr>(Init)) { if (CXXDefaultInitExpr *Default = dyn_cast<CXXDefaultInitExpr>(Init)) {
▲ Show 20 LinesShow All 1,688 Lines▼ Show 20 LinesCFGBlock *CFGBuilder::VisitLambdaExpr(LambdaExpr *E, AddStmtChoice asc) {
unsigned Idx = 0; unsigned Idx = 0;
for (LambdaExpr::capture_init_iterator it = E->capture_init_begin(), for (LambdaExpr::capture_init_iterator it = E->capture_init_begin(),
et = E->capture_init_end(); et = E->capture_init_end();
it != et; ++it, ++Idx) { it != et; ++it, ++Idx) {
if (Expr *Init = *it) { if (Expr *Init = *it) {
// If the initializer is an ArrayInitLoopExpr, we want to extract the // If the initializer is an ArrayInitLoopExpr, we want to extract the
// initializer, that's used for each element. // initializer, that's used for each element.
const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init); auto *AILEInit = extractElementInitializerFromNestedAILE(
dyn_cast<ArrayInitLoopExpr>(Init));
findConstructionContexts(ConstructionContextLayer::create( findConstructionContexts(ConstructionContextLayer::create(
cfg->getBumpVectorContext(), {E, Idx}), cfg->getBumpVectorContext(), {E, Idx}),
AILE ? AILE->getSubExpr() : Init); AILEInit ? AILEInit : Init);
xazax.hunUnsubmitted
Done
ReplyInline Actions

Instead of duplicating both the code and adding this comment, I wonder if a well named small utility function can make this code equally clear and reduce duplication.

xazax.hun: Instead of duplicating both the code and adding this comment, I wonder if a well named small…
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

I've been thinking about the same thing. I would also place the getArrayInitLoopExprSize() helper function into ASTContext as it also has a similar helper called getConstantArrayElementCount().

isuckatcs: I've been thinking about the same thing. I would also place the `getArrayInitLoopExprSize()`…
CFGBlock *Tmp = Visit(Init); CFGBlock *Tmp = Visit(Init);
if (Tmp) if (Tmp)
LastBlock = Tmp; LastBlock = Tmp;
} }
} }
return LastBlock; return LastBlock;
} }
▲ Show 20 LinesShow All 2,899 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 227 Lines▼ Show 20 Lines if (TrimInterval != 0) {
G.enableNodeReclamation(TrimInterval); G.enableNodeReclamation(TrimInterval);
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility methods. // Utility methods.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
ProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) { ProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) {
ProgramStateRef state = StateMgr.getInitialState(InitLoc); ProgramStateRef state = StateMgr.getInitialState(InitLoc);
xazax.hunUnsubmitted
Done
ReplyInline Actions

Would moving this declaration to CFG.h work?

xazax.hun: Would moving this declaration to `CFG.h` work?
const Decl *D = InitLoc->getDecl(); const Decl *D = InitLoc->getDecl();
// Preconditions. // Preconditions.
// FIXME: It would be nice if we had a more general mechanism to add // FIXME: It would be nice if we had a more general mechanism to add
// such preconditions. Some day. // such preconditions. Some day.
do { do {
if (const auto *FD = dyn_cast<FunctionDecl>(D)) { if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
// Precondition: the first argument of 'main' is an integer guaranteed // Precondition: the first argument of 'main' is an integer guaranteed
▲ Show 20 LinesShow All 286 Lines▼ Show 20 LinesExprEngine::addObjectUnderConstruction(ProgramStateRef State,
if (auto LE = dyn_cast_or_null<LambdaExpr>(Item.getStmtOrNull())) if (auto LE = dyn_cast_or_null<LambdaExpr>(Item.getStmtOrNull()))
Init = *(LE->capture_init_begin() + Item.getIndex()); Init = *(LE->capture_init_begin() + Item.getIndex());
if (!Init && !Item.getStmtOrNull()) if (!Init && !Item.getStmtOrNull())
Init = Item.getCXXCtorInitializer()->getInit(); Init = Item.getCXXCtorInitializer()->getInit();
// In an ArrayInitLoopExpr the real initializer is returned by // In an ArrayInitLoopExpr the real initializer is returned by
// getSubExpr(). // getSubExpr(). Note that AILEs can be nested in case of
// multidimesnional arrays.
if (const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init)) if (const auto *AILE = dyn_cast_or_null<ArrayInitLoopExpr>(Init))
Init = AILE->getSubExpr(); Init = extractElementInitializerFromNestedAILE(AILE);
// FIXME: Currently the state might already contain the marker due to // FIXME: Currently the state might already contain the marker due to
xazax.hunUnsubmitted
Done
ReplyInline Actions

Shouldn't this also use extractElementInitializerFromNestedAILE?

xazax.hun: Shouldn't this also use `extractElementInitializerFromNestedAILE`?
// incorrect handling of temporaries bound to default parameters. // incorrect handling of temporaries bound to default parameters.
// The state will already contain the marker if we construct elements // The state will already contain the marker if we construct elements
// in an array, as we visit the same statement multiple times before // in an array, as we visit the same statement multiple times before
// the array declaration. The marker is removed when we exit the // the array declaration. The marker is removed when we exit the
// constructor call. // constructor call.
assert((!State->get<ObjectsUnderConstruction>(Key) || assert((!State->get<ObjectsUnderConstruction>(Key) ||
Key.getItem().getKind() == Key.getItem().getKind() ==
ConstructionContextItem::TemporaryDestructorKind || ConstructionContextItem::TemporaryDestructorKind ||
▲ Show 20 LinesShow All 3,049 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 518 Lines▼ Show 20 LinesbindRequiredArrayElementToEnvironment(ProgramStateRef State,
// `-CXXConstructExpr // `-CXXConstructExpr
// `-ArraySubscriptExpr // `-ArraySubscriptExpr
// |-ImplicitCastExpr // |-ImplicitCastExpr
// | `-OpaqueValueExpr // | `-OpaqueValueExpr
// | `-MemberExpr // | `-MemberExpr
// | `-DeclRefExpr // | `-DeclRefExpr
// `-ArrayInitIndexExpr // `-ArrayInitIndexExpr
// //
// The resulting expression for a multidimensional array.
// ArrayInitLoopExpr <-- we're here
// |-OpaqueValueExpr
// | `-DeclRefExpr <-- match this
// `-ArrayInitLoopExpr
// |-OpaqueValueExpr
// | `-ArraySubscriptExpr
// | |-ImplicitCastExpr
// | | `-OpaqueValueExpr
// | | `-DeclRefExpr
// | `-ArrayInitIndexExpr
// `-CXXConstructExpr <-- extract this
// ` ...
const auto *OVESrc = AILE->getCommonExpr()->getSourceExpr();
// HACK: There is no way we can put the index of the array element into the // HACK: There is no way we can put the index of the array element into the
// CFG unless we unroll the loop, so we manually select and bind the required // CFG unless we unroll the loop, so we manually select and bind the required
// parameter to the environment. // parameter to the environment.
xazax.hunUnsubmitted
Done
ReplyInline Actions

extractElementInitializerFromNestedAILE?

xazax.hun: `extractElementInitializerFromNestedAILE`?
const auto *CE = cast<CXXConstructExpr>(AILE->getSubExpr()); const auto *CE =
const auto *OVESrc = AILE->getCommonExpr()->getSourceExpr(); cast<CXXConstructExpr>(extractElementInitializerFromNestedAILE(AILE));
SVal Base = UnknownVal(); SVal Base = UnknownVal();
if (const auto *ME = dyn_cast<MemberExpr>(OVESrc)) if (const auto *ME = dyn_cast<MemberExpr>(OVESrc))
Base = State->getSVal(ME, LCtx); Base = State->getSVal(ME, LCtx);
else if (const auto *DRE = cast<DeclRefExpr>(OVESrc)) else if (const auto *DRE = dyn_cast<DeclRefExpr>(OVESrc))
Base = State->getLValue(cast<VarDecl>(DRE->getDecl()), LCtx); Base = State->getLValue(cast<VarDecl>(DRE->getDecl()), LCtx);
else else
llvm_unreachable("ArrayInitLoopExpr contains unexpected source expression"); llvm_unreachable("ArrayInitLoopExpr contains unexpected source expression");
SVal NthElem = State->getLValue(CE->getType(), Idx, Base); SVal NthElem = State->getLValue(CE->getType(), Idx, Base);
return State->BindExpr(CE->getArg(0), LCtx, NthElem); return State->BindExpr(CE->getArg(0), LCtx, NthElem);
} }
void ExprEngine::handleConstructor(const Expr *E, void ExprEngine::handleConstructor(const Expr *E,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &destNodes) { ExplodedNodeSet &destNodes) {
const auto *CE = dyn_cast<CXXConstructExpr>(E); const auto *CE = dyn_cast<CXXConstructExpr>(E);
const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(E); const auto *CIE = dyn_cast<CXXInheritedCtorInitExpr>(E);
assert(CE || CIE); assert(CE || CIE);
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
xazax.hunUnsubmitted
Done
ReplyInline Actions

Do you need a dyn_cast here? ``AILE alreadt has the right type.

xazax.hun: Do you need a `dyn_cast` here? ``AILE alreadt has the right type.
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

It handles if the user passes a nullptr to the function. Also because AILE is an ArrayInitLoopExpr *, in the loop I also have
AILE = dyn_cast<ArrayInitLoopExpr>(E->getSubExpr()) which can still make a nullptr from AILE.

This might not be the best solution but this helper will be reworked anyway due to a mistake I've made below.

isuckatcs: It handles if the user passes a `nullptr` to the function. Also because `AILE` is an…
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think if you just declare E to be const ArrayInitLoopExpr*, you might not need the cast at all. while should already guard against nullptr from the user.

xazax.hun: I think if you just declare E to be `const ArrayInitLoopExpr*`, you might not need the cast at…
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
SVal Target = UnknownVal(); SVal Target = UnknownVal();
if (CE) { if (CE) {
if (Optional<SVal> ElidedTarget = if (Optional<SVal> ElidedTarget =
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions
return 0;
- Size += CurSize;
+ Size *= CurSize;
AILE = dyn_cast<ArrayInitLoopExpr>(E->getSubExpr());
isuckatcs:
getObjectUnderConstruction(State, CE, LCtx)) { getObjectUnderConstruction(State, CE, LCtx)) {
// We've previously modeled an elidable constructor by pretending that it // We've previously modeled an elidable constructor by pretending that it
// in fact constructs into the correct target. This constructor can // in fact constructs into the correct target. This constructor can
// therefore be skipped. // therefore be skipped.
Target = *ElidedTarget; Target = *ElidedTarget;
StmtNodeBuilder Bldr(Pred, destNodes, *currBldrCtx); StmtNodeBuilder Bldr(Pred, destNodes, *currBldrCtx);
State = finishObjectConstruction(State, CE, LCtx); State = finishObjectConstruction(State, CE, LCtx);
if (auto L = Target.getAs<Loc>()) if (auto L = Target.getAs<Loc>())
Show All 23 Lines case CXXConstructExpr::CK_Complete: {
if (CE->getType()->isArrayType() || AILE) { if (CE->getType()->isArrayType() || AILE) {
Idx = getIndexOfElementToConstruct(State, CE, LCtx).value_or(0u); Idx = getIndexOfElementToConstruct(State, CE, LCtx).value_or(0u);
State = setIndexOfElementToConstruct(State, CE, LCtx, Idx + 1); State = setIndexOfElementToConstruct(State, CE, LCtx, Idx + 1);
} }
if (AILE) { if (AILE) {
// Only set this once even though we loop through it multiple times. // Only set this once even though we loop through it multiple times.
if (!getPendingInitLoop(State, CE, LCtx)) if (!getPendingInitLoop(State, CE, LCtx))
State = setPendingInitLoop(State, CE, LCtx, State = setPendingInitLoop(
AILE->getArraySize().getLimitedValue()); State, CE, LCtx,
getContext().getArrayInitLoopExprElementCount(AILE));
State = bindRequiredArrayElementToEnvironment( State = bindRequiredArrayElementToEnvironment(
State, AILE, LCtx, svalBuilder.makeArrayIndex(Idx)); State, AILE, LCtx, svalBuilder.makeArrayIndex(Idx));
} }
// The target region is found from construction context. // The target region is found from construction context.
std::tie(State, Target) = std::tie(State, Target) =
handleConstructionContext(CE, State, LCtx, CC, CallOpts, Idx); handleConstructionContext(CE, State, LCtx, CC, CallOpts, Idx);
▲ Show 20 LinesShow All 535 Lines▼ Show 20 Lines for (LambdaExpr::const_capture_init_iterator i = LE->capture_init_begin(),
SVal InitVal; SVal InitVal;
if (!FieldForCapture->hasCapturedVLAType()) { if (!FieldForCapture->hasCapturedVLAType()) {
const Expr *InitExpr = *i; const Expr *InitExpr = *i;
assert(InitExpr && "Capture missing initialization expression"); assert(InitExpr && "Capture missing initialization expression");
// With C++17 copy elision the InitExpr can be anything, so instead of // With C++17 copy elision the InitExpr can be anything, so instead of
// pattern matching all cases, we simple check if the current field is // pattern matching all cases, we simple check if the current field is
// under construction or not, regardless what it's InitExpr is. // under construction or not, regardless what it's InitExpr is.
if (const auto OUC = if (const auto OUC =
xazax.hunUnsubmitted
Done
ReplyInline Actions

extractElementInitializerFromNestedAILE?

xazax.hun: `extractElementInitializerFromNestedAILE`?
getObjectUnderConstruction(State, {LE, Idx}, LocCtxt)) { getObjectUnderConstruction(State, {LE, Idx}, LocCtxt)) {
InitVal = State->getSVal(OUC->getAsRegion()); InitVal = State->getSVal(OUC->getAsRegion());
State = finishObjectConstruction(State, {LE, Idx}, LocCtxt); State = finishObjectConstruction(State, {LE, Idx}, LocCtxt);
} else } else
InitVal = State->getSVal(InitExpr, LocCtxt); InitVal = State->getSVal(InitExpr, LocCtxt);
} else { } else {
Show All 29 Lines

clang/test/Analysis/array-init-loop.cpp

Show First 20 LinesShow All 217 Lines▼ Show 20 Linesvoid move_ctor_init_non_pod() {
S5 moved = (S5 &&) orig; S5 moved = (S5 &&) orig;
clang_analyzer_eval(moved.arr[0].i == 3); // expected-warning{{TRUE}} clang_analyzer_eval(moved.arr[0].i == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(moved.arr[1].i == 4); // expected-warning{{TRUE}} clang_analyzer_eval(moved.arr[1].i == 4); // expected-warning{{TRUE}}
clang_analyzer_eval(moved.arr[2].i == 5); // expected-warning{{TRUE}} clang_analyzer_eval(moved.arr[2].i == 5); // expected-warning{{TRUE}}
clang_analyzer_eval(moved.arr[3].i == 6); // expected-warning{{TRUE}} clang_analyzer_eval(moved.arr[3].i == 6); // expected-warning{{TRUE}}
} }
//Note: This is the only solution I could find to check the values without
// crashing clang. For more details on the crash see Issue #57135.
void lambda_capture_multi_array() {
S3 arr[2][2] = {1,2,3,4};
{
int x = [arr] { return arr[0][0].i; }();
clang_analyzer_eval(x == 1); // expected-warning{{TRUE}}
}
{
int x = [arr] { return arr[0][1].i; }();
clang_analyzer_eval(x == 2); // expected-warning{{TRUE}}
}
{
int x = [arr] { return arr[1][0].i; }();
clang_analyzer_eval(x == 3); // expected-warning{{TRUE}}
}
{
int x = [arr] { return arr[1][1].i; }();
clang_analyzer_eval(x == 4); // expected-warning{{TRUE}}
}
}
// This struct will force constructor inlining in MultiWrapper.
struct UserDefinedCtor {
int i;
UserDefinedCtor() {}
UserDefinedCtor(const UserDefinedCtor &copy) {
int j = 1;
i = copy.i;
}
};
struct MultiWrapper {
UserDefinedCtor arr[2][2];
};
void copy_ctor_multi() {
MultiWrapper MW;
MW.arr[0][0].i = 0;
MW.arr[0][1].i = 1;
MW.arr[1][0].i = 2;
MW.arr[1][1].i = 3;
MultiWrapper MWCopy = MW;
clang_analyzer_eval(MWCopy.arr[0][0].i == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(MWCopy.arr[0][1].i == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(MWCopy.arr[1][0].i == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(MWCopy.arr[1][1].i == 3); // expected-warning{{TRUE}}
}
void move_ctor_multi() {
MultiWrapper MW;
MW.arr[0][0].i = 0;
MW.arr[0][1].i = 1;
MW.arr[1][0].i = 2;
MW.arr[1][1].i = 3;
MultiWrapper MWMove = (MultiWrapper &&) MW;
clang_analyzer_eval(MWMove.arr[0][0].i == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(MWMove.arr[0][1].i == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(MWMove.arr[1][0].i == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(MWMove.arr[1][1].i == 3); // expected-warning{{TRUE}}
}
void structured_binding_multi() {
S3 arr[2][2] = {1,2,3,4};
auto [a,b] = arr;
clang_analyzer_eval(a[0].i == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(a[1].i == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(b[0].i == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(b[1].i == 4); // expected-warning{{TRUE}}
}