This is an archive of the discontinued LLVM Phabricator instance.

Differential D132142

[analyzer] Prefer wrapping SymbolicRegions by ElementRegions
ClosedPublic

Authored by steakhal on Aug 18 2022, 8:42 AM.

Details

Reviewers
NoQ
martong
ASDenysPetrov
Szelethus
isuckatcs
vabridgers
xazax.hun
Commits
rGf8643a9b31c4: [analyzer] Prefer wrapping SymbolicRegions by ElementRegions
Summary

It turns out that in certain cases SymbolRegions are wrapped by
ElementRegions; in others, it's not. This discrepancy can cause the
analyzer not to recognize if the two regions are actually referring to
the same entity, which then can lead to unreachable paths discovered.

Consider this example:

struct Node { int* ptr; };
void with_structs(Node* n1) {
  Node c = *n1; // copy
  Node* n2 = &c;
  clang_analyzer_dump(*n1); // lazy...
  clang_analyzer_dump(*n2); // lazy...
  clang_analyzer_dump(n1->ptr); // rval(n1->ptr): reg_$2<int * SymRegion{reg_$0<struct Node * n1>}.ptr>
  clang_analyzer_dump(n2->ptr); // rval(n2->ptr): reg_$1<int * Element{SymRegion{reg_$0<struct Node * n1>},0 S64b,struct Node}.ptr>
  clang_analyzer_eval(n1->ptr != n2->ptr); // UNKNOWN, bad!
  (void)(*n1);
  (void)(*n2);
}

The copy of n1 will insert a new binding to the store; but for doing
that it actually must create a TypedValueRegion which it could pass to
the LazyCompoundVal. Since the memregion in question is a
SymbolicRegion - which is untyped, it needs to first wrap it into an
ElementRegion basically implementing this untyped -> typed conversion
for the sake of passing it to the LazyCompoundVal.
So, this is why we have Element{SymRegion{.}, 0,struct Node} for n1.

The problem appears if the analyzer evaluates a read from the expression
n1->ptr. The same logic won't apply for SymbolRegionValues, since
they accept raw SubRegions, hence the SymbolicRegion won't be
wrapped into an ElementRegion in that case.

Later when we arrive at the equality comparison, we cannot prove that
they are equal.

For more details check the corresponding thread on discourse:
https://discourse.llvm.org/t/are-symbolicregions-really-untyped/64406

In this patch, I'm eagerly wrapping each SymbolicRegion by an
ElementRegion; basically canonicalizing to this form.
It seems reasonable to do so since any object can be thought of as a single
array of that object; so this should not make much of a difference.

The tests also underpin this assumption, as only a few were broken by
this change; and actually fixed a FIXME along the way.

About the second example, which does the same copy operation - but on
the heap - it will be fixed by the next patch.

Diff Detail

Event Timeline

steakhal created this revision.Aug 18 2022, 8:42 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 18 2022, 8:42 AM
Herald added subscribers: manas, dkrupp, donat.nagy and 6 others. · View Herald Transcript
steakhal requested review of this revision.Aug 18 2022, 8:42 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 18 2022, 8:42 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal mentioned this in D132143: [analyzer] LazyCompoundVals should be always bound as default bindings.Aug 18 2022, 8:45 AM
steakhal added a child revision: D132143: [analyzer] LazyCompoundVals should be always bound as default bindings.
steakhal edited the summary of this revision. (Show Details)Aug 18 2022, 8:49 AM
Harbormaster completed remote builds in B182013: Diff 453675.Aug 18 2022, 9:16 AM
steakhal added a reviewer: xazax.hun.Aug 18 2022, 10:59 AM
NoQ added a comment.Aug 18 2022, 3:51 PM

Like I vaguely mentioned in the thread, I'm really curious whether it's possible to canonicalize the *absence* of element regions instead, as it allows modeling pointer casts as no-op and avoids problems like D38797 where results of even very basic operations are impossible to represent.

steakhal added a comment.Aug 18 2022, 9:33 PM
In D132142#3733629, @NoQ wrote:

Like I vaguely mentioned in the thread, I'm really curious whether it's possible to canonicalize the *absence* of element regions instead, as it allows modeling pointer casts as no-op and avoids problems like D38797 where results of even very basic operations are impossible to represent.

Yes, that would make more sense if we were getting rid of the current memory model. However, I'm not feeling confident working on that before finalizing a detailed plan.
For that, we would need to discuss the potential pros and cons thoroughly and then approach how it should look & we could incrementally land it. So, it definitely does not feels like a cheap thing to do.

For now, I believe this change makes the modeling of trivial copies a bit better from the user's perspective. In the future, we could still get rid of the memory model and implement a new one if we want.

steakhal added inline comments.Aug 19 2022, 1:30 AM
clang/test/Analysis/trivial-copy-struct.cpp
27

and in the rest of the cases

xazax.hun added a comment.Aug 19 2022, 2:21 AM

I agree with @steakhal. Getting rid of element regions might be a lot of work and might have a lot of fallout that we need to deal with. I think we should not block a fix for something that we might not be able to land for a long time. Fixing this here, and independently start working on the long-term solutions sounds reasonable to me. At least once we switch over, we will have test coverage for all of the cases that used to be problematic :)

steakhal updated this revision to Diff 454009.Aug 19 2022, 8:13 AM
  • Use :digit: regex matching in the tests.
steakhal added inline comments.Aug 19 2022, 8:16 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
791–793

I'm not sure how much explanation I need to do here, but first, we should settle on the name of this member function if we decide to have it.

796–800

I guess, these two questions together form the answer. The ctor only asserts that it is either a any pointer, reference *or* a block pointer. However, I'd like to get this confirmed. @NoQ

steakhal added a subscriber: tomasz-kaminski-sonarsource.Aug 19 2022, 8:21 AM
Harbormaster completed remote builds in B182226: Diff 454009.Aug 19 2022, 8:50 AM
steakhal updated this revision to Diff 454857.Aug 23 2022, 8:43 AM
  • Simplify getApproximatedType() to return sym->getType()->getPointeeType();
  • Add doc comments to getApproximatedType()
  • Removed the "Copied from RegionStoreManager::bind()" FIXME from the ExprEngine::VisitMemberExpr()
steakhal updated this revision to Diff 454859.Aug 23 2022, 8:44 AM

upload the same with context

Harbormaster completed remote builds in B182862: Diff 454859.Aug 23 2022, 10:52 AM
martong accepted this revision.Aug 31 2022, 9:34 AM

I am okay with this change, it does give a proper canonical form, which is good. On the other hand, I agree that (on the long term) base regions and offsets would be a better memory model than what we have now with field and element regions.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
799

I think we should express that this returns the

  • type of the pointee
  • the type that is the "static" type, id est, the type of the declaration; void, char and base in your example above.

In this sense, what about getPointeeStaticType?

clang/test/Analysis/ctor.mm
221

Nice!

This revision is now accepted and ready to land.Aug 31 2022, 9:34 AM
steakhal added inline comments.Sep 1 2022, 12:45 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
799

I think it's important to discourage people from using this; hence the approximated calls attention that this might always be accurate.
I'm okay to add the pointee somewhere in the name.

I don't have a strong opinion about this.

martong added inline comments.Sep 1 2022, 4:16 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
799

Isn't precise enough to say that this returns the static type? I don't quite get the exact definition of the "approximation" we do here, so I guess others will not get that either.

Closed by commit rGf8643a9b31c4: [analyzer] Prefer wrapping SymbolicRegions by ElementRegions (authored by steakhal). · Explain WhySep 12 2022, 11:59 PM
This revision was automatically updated to reflect the committed changes.
steakhal marked 3 inline comments as done.
steakhal added a commit: rGf8643a9b31c4: [analyzer] Prefer wrapping SymbolicRegions by ElementRegions.
steakhal mentioned this in rGafcd862b2e0a: [analyzer] LazyCompoundVals should be always bound as default bindings.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
21 lines
Core/
PathSensitive/
12 lines
lib/
StaticAnalyzer/
Checkers/
3 lines
5 lines
Core/
2 lines
8 lines
2 lines
15 lines
test/
Analysis/
4 lines
2 lines
2 lines
18 lines
4 lines
36 lines

Diff 459656

clang/include/clang/StaticAnalyzer/Checkers/SValExplainer.h

Show All 36 Linesprivate:
bool isThisObject(const SymbolicRegion *R) { bool isThisObject(const SymbolicRegion *R) {
if (auto S = dyn_cast<SymbolRegionValue>(R->getSymbol())) if (auto S = dyn_cast<SymbolRegionValue>(R->getSymbol()))
if (isa<CXXThisRegion>(S->getRegion())) if (isa<CXXThisRegion>(S->getRegion()))
return true; return true;
return false; return false;
} }
bool isThisObject(const ElementRegion *R) {
if (const auto *Idx = R->getIndex().getAsInteger()) {
if (const auto *SR = R->getSuperRegion()->getAs<SymbolicRegion>()) {
QualType Ty = SR->getPointeeStaticType();
bool IsNotReinterpretCast = R->getValueType() == Ty;
if (Idx->isZero() && IsNotReinterpretCast)
return isThisObject(SR);
}
}
return false;
}
public: public:
SValExplainer(ASTContext &Ctx) : ACtx(Ctx) {} SValExplainer(ASTContext &Ctx) : ACtx(Ctx) {}
std::string VisitUnknownVal(UnknownVal V) { std::string VisitUnknownVal(UnknownVal V) {
return "unknown value"; return "unknown value";
} }
std::string VisitUndefinedVal(UndefinedVal V) { std::string VisitUndefinedVal(UndefinedVal V) {
▲ Show 20 LinesShow All 86 Lines▼ Show 20 Lines std::string VisitUnarySymExpr(const UnarySymExpr *S) {
return std::string(UnaryOperator::getOpcodeStr(S->getOpcode())) + " (" + return std::string(UnaryOperator::getOpcodeStr(S->getOpcode())) + " (" +
Visit(S->getOperand()) + ")"; Visit(S->getOperand()) + ")";
} }
// TODO: SymbolCast doesn't appear in practice. // TODO: SymbolCast doesn't appear in practice.
// Add the relevant code once it does. // Add the relevant code once it does.
std::string VisitSymbolicRegion(const SymbolicRegion *R) { std::string VisitSymbolicRegion(const SymbolicRegion *R) {
// Explain 'this' object here. // Explain 'this' object here - if it's not wrapped by an ElementRegion.
// TODO: Explain CXXThisRegion itself, find a way to test it. // TODO: Explain CXXThisRegion itself, find a way to test it.
if (isThisObject(R)) if (isThisObject(R))
return "'this' object"; return "'this' object";
// Objective-C objects are not normal symbolic regions. At least, // Objective-C objects are not normal symbolic regions. At least,
// they're always on the heap. // they're always on the heap.
if (R->getSymbol()->getType() if (R->getSymbol()->getType()
.getCanonicalType()->getAs<ObjCObjectPointerType>()) .getCanonicalType()->getAs<ObjCObjectPointerType>())
return "object at " + Visit(R->getSymbol()); return "object at " + Visit(R->getSymbol());
Show All 13 Linespublic:
std::string VisitStringRegion(const StringRegion *R) { std::string VisitStringRegion(const StringRegion *R) {
return "string literal " + R->getString(); return "string literal " + R->getString();
} }
std::string VisitElementRegion(const ElementRegion *R) { std::string VisitElementRegion(const ElementRegion *R) {
std::string Str; std::string Str;
llvm::raw_string_ostream OS(Str); llvm::raw_string_ostream OS(Str);
// Explain 'this' object here.
// They are represented by a SymRegion wrapped by an ElementRegion; so
// match and handle it here.
if (isThisObject(R))
return "'this' object";
OS << "element of type '" << R->getElementType() << "' with index "; OS << "element of type '" << R->getElementType() << "' with index ";
// For concrete index: omit type of the index integer. // For concrete index: omit type of the index integer.
if (auto I = R->getIndex().getAs<nonloc::ConcreteInt>()) if (auto I = R->getIndex().getAs<nonloc::ConcreteInt>())
OS << I->getValue(); OS << I->getValue();
else else
OS << "'" << Visit(R->getIndex()) << "'"; OS << "'" << Visit(R->getIndex()) << "'";
OS << " of " + Visit(R->getSuperRegion()); OS << " of " + Visit(R->getSuperRegion());
return Str; return Str;
▲ Show 20 LinesShow All 102 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 LinesShow All 782 Lines▼ Show 20 Lines SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg)
assert(isa<UnknownSpaceRegion>(sreg) || isa<HeapSpaceRegion>(sreg) || assert(isa<UnknownSpaceRegion>(sreg) || isa<HeapSpaceRegion>(sreg) ||
isa<GlobalSystemSpaceRegion>(sreg)); isa<GlobalSystemSpaceRegion>(sreg));
} }
public: public:
/// It might return null. /// It might return null.
SymbolRef getSymbol() const { return sym; } SymbolRef getSymbol() const { return sym; }
/// Gets the type of the wrapped symbol.
/// This type might not be accurate at all times - it's just our best guess.
/// Consider these cases:
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I'm not sure how much explanation I need to do here, but first, we should settle on the name of this member function if we decide to have it.

steakhal: I'm not sure how much explanation I need to do here, but first, we should settle on the name of…
/// void foo(void *data, char *str, base *obj) {...}
/// The type of the pointee of `data` is of course not `void`, yet that's our
/// best guess. `str` might point to any object and `obj` might point to some
/// derived instance. `TypedRegions` other hand are representing the cases
/// when we actually know their types.
QualType getPointeeStaticType() const {
martongUnsubmitted
Done
ReplyInline Actions

I think we should express that this returns the

  • type of the pointee
  • the type that is the "static" type, id est, the type of the declaration; void, char and base in your example above.

In this sense, what about getPointeeStaticType?

martong: I think we should express that this returns the - type of the pointee - the type that is…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I think it's important to discourage people from using this; hence the approximated calls attention that this might always be accurate.
I'm okay to add the pointee somewhere in the name.

I don't have a strong opinion about this.

steakhal: I think it's important to discourage people from using this; hence the `approximated` calls…
martongUnsubmitted
Done
ReplyInline Actions

Isn't precise enough to say that this returns the static type? I don't quite get the exact definition of the "approximation" we do here, so I guess others will not get that either.

martong: Isn't precise enough to say that this returns the `static` type? I don't quite get the exact…
return sym->getType()->getPointeeType();
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I guess, these two questions together form the answer. The ctor only asserts that it is either a any pointer, reference *or* a block pointer. However, I'd like to get this confirmed. @NoQ

steakhal: I guess, these two questions together form the answer. The ctor only asserts that it is either…
}
bool isBoundable() const override { return true; } bool isBoundable() const override { return true; }
void Profile(llvm::FoldingSetNodeID& ID) const override; void Profile(llvm::FoldingSetNodeID& ID) const override;
static void ProfileRegion(llvm::FoldingSetNodeID& ID, static void ProfileRegion(llvm::FoldingSetNodeID& ID,
SymbolRef sym, SymbolRef sym,
const MemRegion* superRegion); const MemRegion* superRegion);
▲ Show 20 LinesShow All 809 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

Show First 20 LinesShow All 348 Lines▼ Show 20 Linesvoid ExprInspectionChecker::analyzerDumpElementCount(const CallExpr *CE,
const MemRegion *MR = getArgRegion(CE, C); const MemRegion *MR = getArgRegion(CE, C);
if (!MR) if (!MR)
return; return;
QualType ElementTy; QualType ElementTy;
if (const auto *TVR = MR->getAs<TypedValueRegion>()) { if (const auto *TVR = MR->getAs<TypedValueRegion>()) {
ElementTy = TVR->getValueType(); ElementTy = TVR->getValueType();
} else { } else {
ElementTy = ElementTy = MR->castAs<SymbolicRegion>()->getPointeeStaticType();
MR->castAs<SymbolicRegion>()->getSymbol()->getType()->getPointeeType();
} }
assert(!ElementTy->isPointerType()); assert(!ElementTy->isPointerType());
DefinedOrUnknownSVal ElementCount = DefinedOrUnknownSVal ElementCount =
getDynamicElementCount(C.getState(), MR, C.getSValBuilder(), ElementTy); getDynamicElementCount(C.getState(), MR, C.getSValBuilder(), ElementTy);
printAndReport(C, ElementCount); printAndReport(C, ElementCount);
} }
▲ Show 20 LinesShow All 199 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

Show First 20 LinesShow All 279 Lines▼ Show 20 LinesNullabilityChecker::getTrackRegion(SVal Val, bool CheckSuperRegion) const {
auto RegionSVal = Val.getAs<loc::MemRegionVal>(); auto RegionSVal = Val.getAs<loc::MemRegionVal>();
if (!RegionSVal) if (!RegionSVal)
return nullptr; return nullptr;
const MemRegion *Region = RegionSVal->getRegion(); const MemRegion *Region = RegionSVal->getRegion();
if (CheckSuperRegion) { if (CheckSuperRegion) {
if (auto FieldReg = Region->getAs<FieldRegion>()) if (const SubRegion *FieldReg = Region->getAs<FieldRegion>()) {
if (const auto *ER = dyn_cast<ElementRegion>(FieldReg->getSuperRegion()))
FieldReg = ER;
return dyn_cast<SymbolicRegion>(FieldReg->getSuperRegion()); return dyn_cast<SymbolicRegion>(FieldReg->getSuperRegion());
}
if (auto ElementReg = Region->getAs<ElementRegion>()) if (auto ElementReg = Region->getAs<ElementRegion>())
return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion()); return dyn_cast<SymbolicRegion>(ElementReg->getSuperRegion());
} }
return dyn_cast<SymbolicRegion>(Region); return dyn_cast<SymbolicRegion>(Region);
} }
PathDiagnosticPieceRef NullabilityChecker::NullabilityBugVisitor::VisitNode( PathDiagnosticPieceRef NullabilityChecker::NullabilityBugVisitor::VisitNode(
▲ Show 20 LinesShow All 968 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 2,489 Lines▼ Show 20 Lines Tracker::Result handle(const Expr *Inner, const ExplodedNode *InputNode,
// Is it a symbolic value? // Is it a symbolic value?
if (auto L = V.getAs<loc::MemRegionVal>()) { if (auto L = V.getAs<loc::MemRegionVal>()) {
// FIXME: this is a hack for fixing a later crash when attempting to // FIXME: this is a hack for fixing a later crash when attempting to
// dereference a void* pointer. // dereference a void* pointer.
// We should not try to dereference pointers at all when we don't care // We should not try to dereference pointers at all when we don't care
// what is written inside the pointer. // what is written inside the pointer.
bool CanDereference = true; bool CanDereference = true;
if (const auto *SR = L->getRegionAs<SymbolicRegion>()) { if (const auto *SR = L->getRegionAs<SymbolicRegion>()) {
if (SR->getSymbol()->getType()->getPointeeType()->isVoidType()) if (SR->getPointeeStaticType()->isVoidType())
CanDereference = false; CanDereference = false;
} else if (L->getRegionAs<AllocaRegion>()) } else if (L->getRegionAs<AllocaRegion>())
CanDereference = false; CanDereference = false;
// At this point we are dealing with the region's LValue. // At this point we are dealing with the region's LValue.
// However, if the rvalue is a symbolic region, we should track it as // However, if the rvalue is a symbolic region, we should track it as
// well. Try to use the correct type when looking up the value. // well. Try to use the correct type when looking up the value.
SVal RVal; SVal RVal;
▲ Show 20 LinesShow All 1,009 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 3,348 Lines▼ Show 20 Lines for (const auto I : CheckedSet) {
// Handle regular struct fields / member variables. // Handle regular struct fields / member variables.
const SubRegion *MR = nullptr; const SubRegion *MR = nullptr;
state = createTemporaryRegionIfNeeded(state, LCtx, BaseExpr, state = createTemporaryRegionIfNeeded(state, LCtx, BaseExpr,
/*Result=*/nullptr, /*Result=*/nullptr,
/*OutRegionWithAdjustments=*/&MR); /*OutRegionWithAdjustments=*/&MR);
SVal baseExprVal = SVal baseExprVal =
MR ? loc::MemRegionVal(MR) : state->getSVal(BaseExpr, LCtx); MR ? loc::MemRegionVal(MR) : state->getSVal(BaseExpr, LCtx);
// FIXME: Copied from RegionStoreManager::bind()
if (const auto *SR =
dyn_cast_or_null<SymbolicRegion>(baseExprVal.getAsRegion())) {
QualType T = SR->getPointeeStaticType();
baseExprVal =
loc::MemRegionVal(getStoreManager().GetElementZeroRegion(SR, T));
}
const auto *field = cast<FieldDecl>(Member); const auto *field = cast<FieldDecl>(Member);
SVal L = state->getLValue(field, baseExprVal); SVal L = state->getLValue(field, baseExprVal);
if (M->isGLValue() || M->getType()->isArrayType()) { if (M->isGLValue() || M->getType()->isArrayType()) {
// We special-case rvalues of array type because the analyzer cannot // We special-case rvalues of array type because the analyzer cannot
// reason about them, since we expect all regions to be wrapped in Locs. // reason about them, since we expect all regions to be wrapped in Locs.
// We instead treat these as lvalues and assume that they will decay to // We instead treat these as lvalues and assume that they will decay to
// pointers as soon as they are used. // pointers as soon as they are used.
▲ Show 20 LinesShow All 555 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

Show First 20 LinesShow All 1,479 Lines▼ Show 20 Lines case MemRegion::CXXBaseObjectRegionKind: {
QualType Ty; QualType Ty;
bool RootIsSymbolic = false; bool RootIsSymbolic = false;
if (const auto *TVR = dyn_cast<TypedValueRegion>(R)) { if (const auto *TVR = dyn_cast<TypedValueRegion>(R)) {
Ty = TVR->getDesugaredValueType(R->getContext()); Ty = TVR->getDesugaredValueType(R->getContext());
} else if (const auto *SR = dyn_cast<SymbolicRegion>(R)) { } else if (const auto *SR = dyn_cast<SymbolicRegion>(R)) {
// If our base region is symbolic, we don't know what type it really is. // If our base region is symbolic, we don't know what type it really is.
// Pretend the type of the symbol is the true dynamic type. // Pretend the type of the symbol is the true dynamic type.
// (This will at least be self-consistent for the life of the symbol.) // (This will at least be self-consistent for the life of the symbol.)
Ty = SR->getSymbol()->getType()->getPointeeType(); Ty = SR->getPointeeStaticType();
RootIsSymbolic = true; RootIsSymbolic = true;
} }
const CXXRecordDecl *Child = Ty->getAsCXXRecordDecl(); const CXXRecordDecl *Child = Ty->getAsCXXRecordDecl();
if (!Child) { if (!Child) {
// We cannot compute the offset of the base class. // We cannot compute the offset of the base class.
SymbolicOffsetBase = R; SymbolicOffsetBase = R;
} else { } else {
▲ Show 20 LinesShow All 260 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 1,415 Lines▼ Show 20 Lines if (isa<BlockDataRegion>(MR)) {
return UnknownVal(); return UnknownVal();
} }
if (!isa<TypedValueRegion>(MR)) { if (!isa<TypedValueRegion>(MR)) {
if (T.isNull()) { if (T.isNull()) {
if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR)) if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR))
T = TR->getLocationType()->getPointeeType(); T = TR->getLocationType()->getPointeeType();
else if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(MR)) else if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(MR))
T = SR->getSymbol()->getType()->getPointeeType(); T = SR->getPointeeStaticType();
} }
assert(!T.isNull() && "Unable to auto-detect binding type!"); assert(!T.isNull() && "Unable to auto-detect binding type!");
assert(!T->isVoidType() && "Attempting to dereference a void pointer!"); assert(!T->isVoidType() && "Attempting to dereference a void pointer!");
MR = GetElementZeroRegion(cast<SubRegion>(MR), T); MR = GetElementZeroRegion(cast<SubRegion>(MR), T);
} else { } else {
T = cast<TypedValueRegion>(MR)->getValueType(); T = cast<TypedValueRegion>(MR)->getValueType();
} }
▲ Show 20 LinesShow All 952 Lines▼ Show 20 Lines if (const TypedValueRegion* TR = dyn_cast<TypedValueRegion>(R)) {
if (Ty->isStructureOrClassType()) if (Ty->isStructureOrClassType())
return bindStruct(B, TR, V); return bindStruct(B, TR, V);
if (Ty->isVectorType()) if (Ty->isVectorType())
return bindVector(B, TR, V); return bindVector(B, TR, V);
if (Ty->isUnionType()) if (Ty->isUnionType())
return bindAggregate(B, TR, V); return bindAggregate(B, TR, V);
} }
if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) {
// Binding directly to a symbolic region should be treated as binding // Binding directly to a symbolic region should be treated as binding
// to element 0. // to element 0.
QualType T = SR->getSymbol()->getType(); if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
if (T->isAnyPointerType() || T->isReferenceType()) R = GetElementZeroRegion(SR, SR->getPointeeStaticType());
T = T->getPointeeType();
R = GetElementZeroRegion(SR, T);
}
assert((!isa<CXXThisRegion>(R) || !B.lookup(R)) && assert((!isa<CXXThisRegion>(R) || !B.lookup(R)) &&
"'this' pointer is not an l-value and is not assignable"); "'this' pointer is not an l-value and is not assignable");
// Clear out bindings that may overlap with this binding. // Clear out bindings that may overlap with this binding.
RegionBindingsRef NewB = removeSubRegionBindings(B, cast<SubRegion>(R)); RegionBindingsRef NewB = removeSubRegionBindings(B, cast<SubRegion>(R));
return NewB.addBinding(BindingKey::Make(R, BindingKey::Direct), V); return NewB.addBinding(BindingKey::Make(R, BindingKey::Direct), V);
} }
▲ Show 20 LinesShow All 529 LinesShow Last 20 Lines

clang/test/Analysis/ctor.mm

Show First 20 LinesShow All 212 Lines▼ Show 20 Lines void testPOD(const POD &pp) {
// Use rvalues as well. // Use rvalues as well.
clang_analyzer_eval(POD(p3).x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(POD(p3).x == 1); // expected-warning{{TRUE}}
// Copy from symbolic references correctly. // Copy from symbolic references correctly.
POD p4 = pp; POD p4 = pp;
// Make sure that p4.x contains a symbol after copy. // Make sure that p4.x contains a symbol after copy.
if (p4.x > 0) if (p4.x > 0)
clang_analyzer_eval(p4.x > 0); // expected-warning{{TRUE}} clang_analyzer_eval(p4.x > 0); // expected-warning{{TRUE}}
// FIXME: Element region gets in the way, so these aren't the same symbols clang_analyzer_eval(pp.x == p4.x); // expected-warning{{TRUE}}
martongUnsubmitted
Done
ReplyInline Actions

Nice!

martong: Nice!
// as they should be.
clang_analyzer_eval(pp.x == p4.x); // expected-warning{{UNKNOWN}}
PODWrapper w; PODWrapper w;
w.p.y = 1; w.p.y = 1;
PODWrapper w2 = w; // no-warning PODWrapper w2 = w; // no-warning
clang_analyzer_eval(w2.p.y == 1); // expected-warning{{TRUE}} clang_analyzer_eval(w2.p.y == 1); // expected-warning{{TRUE}}
PODWrapper w3 = move(w); // no-warning PODWrapper w3 = move(w); // no-warning
clang_analyzer_eval(w3.p.y == 1); // expected-warning{{TRUE}} clang_analyzer_eval(w3.p.y == 1); // expected-warning{{TRUE}}
▲ Show 20 LinesShow All 632 LinesShow Last 20 Lines

clang/test/Analysis/expr-inspection.c

Show First 20 LinesShow All 49 Lines▼ Show 20 Lines
// CHECK-NEXT: } // CHECK-NEXT: }
struct S { struct S {
int x, y; int x, y;
}; };
void test_field_dumps(struct S s, struct S *p) { void test_field_dumps(struct S s, struct S *p) {
clang_analyzer_dump_pointer(&s.x); // expected-warning{{&s.x}} clang_analyzer_dump_pointer(&s.x); // expected-warning{{&s.x}}
clang_analyzer_dump_pointer(&p->x); // expected-warning{{&SymRegion{reg_$1<struct S * p>}.x}} clang_analyzer_dump_pointer(&p->x); // expected-warning{{&Element{SymRegion{reg_$1<struct S * p>},0 S64b,struct S}.x}}
clang_analyzer_dumpSvalType_pointer(&s.x); // expected-warning {{int *}} clang_analyzer_dumpSvalType_pointer(&s.x); // expected-warning {{int *}}
} }

clang/test/Analysis/memory-model.cpp

Show First 20 LinesShow All 59 Lines▼ Show 20 Lines
void field_ref(S a) { void field_ref(S a) {
clang_analyzer_dump(&a.f); // expected-warning {{a.f}} clang_analyzer_dump(&a.f); // expected-warning {{a.f}}
clang_analyzer_dumpExtent(&a.f); // expected-warning {{4 S64b}} clang_analyzer_dumpExtent(&a.f); // expected-warning {{4 S64b}}
clang_analyzer_dumpElementCount(&a.f); // expected-warning {{1 S64b}} clang_analyzer_dumpElementCount(&a.f); // expected-warning {{1 S64b}}
} }
void field_ptr(S *a) { void field_ptr(S *a) {
clang_analyzer_dump(&a->f); // expected-warning {{SymRegion{reg_$0<S * a>}.f}} clang_analyzer_dump(&a->f); // expected-warning {{Element{SymRegion{reg_$0<S * a>},0 S64b,struct S}.f}}
clang_analyzer_dumpExtent(&a->f); // expected-warning {{4 S64b}} clang_analyzer_dumpExtent(&a->f); // expected-warning {{4 S64b}}
clang_analyzer_dumpElementCount(&a->f); // expected-warning {{1 S64b}} clang_analyzer_dumpElementCount(&a->f); // expected-warning {{1 S64b}}
} }
void symbolic_array() { void symbolic_array() {
int *a = new int[3]; int *a = new int[3];
clang_analyzer_dump(a); // expected-warning {{Element{HeapSymRegion{conj}} clang_analyzer_dump(a); // expected-warning {{Element{HeapSymRegion{conj}}
clang_analyzer_dumpExtent(a); // expected-warning {{12 S64b}} clang_analyzer_dumpExtent(a); // expected-warning {{12 S64b}}
▲ Show 20 LinesShow All 81 LinesShow Last 20 Lines

clang/test/Analysis/ptr-arith.c

Show First 20 LinesShow All 334 Lines▼ Show 20 Lines
struct s { struct s {
int v; int v;
}; };
// These three expressions should produce the same sym vals. // These three expressions should produce the same sym vals.
void struct_pointer_canon(struct s *ps) { void struct_pointer_canon(struct s *ps) {
struct s ss = *ps; struct s ss = *ps;
clang_analyzer_dump((*ps).v); clang_analyzer_dump((*ps).v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>},0 S64b,struct s}.v>}}
clang_analyzer_dump(ps[0].v); clang_analyzer_dump(ps[0].v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>},0 S64b,struct s}.v>}}
clang_analyzer_dump(ps->v); clang_analyzer_dump(ps->v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<struct s * ps>},0 S64b,struct s}.v>}}
clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}} clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}}
clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}} clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}}
clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}} clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}}
} }
void struct_pointer_canon_bidim(struct s **ps) { void struct_pointer_canon_bidim(struct s **ps) {
struct s ss = **ps; struct s ss = **ps;
clang_analyzer_eval(&(ps[0][0].v) == &((*ps)->v)); // expected-warning{{TRUE}} clang_analyzer_eval(&(ps[0][0].v) == &((*ps)->v)); // expected-warning{{TRUE}}
} }
typedef struct s T1; typedef struct s T1;
typedef struct s T2; typedef struct s T2;
void struct_pointer_canon_typedef(T1 *ps) { void struct_pointer_canon_typedef(T1 *ps) {
T2 ss = *ps; T2 ss = *ps;
clang_analyzer_dump((*ps).v); clang_analyzer_dump((*ps).v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>},0 S64b,struct s}.v>}}
clang_analyzer_dump(ps[0].v); clang_analyzer_dump(ps[0].v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>},0 S64b,struct s}.v>}}
clang_analyzer_dump(ps->v); clang_analyzer_dump(ps->v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<T1 * ps>},0 S64b,struct s}.v>}}
clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}} clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}}
clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}} clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}}
clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}} clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}}
} }
void struct_pointer_canon_bidim_typedef(T1 **ps) { void struct_pointer_canon_bidim_typedef(T1 **ps) {
T2 ss = **ps; T2 ss = **ps;
clang_analyzer_eval(&(ps[0][0].v) == &((*ps)->v)); // expected-warning{{TRUE}} clang_analyzer_eval(&(ps[0][0].v) == &((*ps)->v)); // expected-warning{{TRUE}}
} }
void struct_pointer_canon_const(const struct s *ps) { void struct_pointer_canon_const(const struct s *ps) {
struct s ss = *ps; struct s ss = *ps;
clang_analyzer_dump((*ps).v); clang_analyzer_dump((*ps).v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>},0 S64b,struct s}.v>}}
clang_analyzer_dump(ps[0].v); clang_analyzer_dump(ps[0].v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>},0 S64b,struct s}.v>}}
clang_analyzer_dump(ps->v); clang_analyzer_dump(ps->v);
// expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>}.v>}} // expected-warning-re@-1{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<const struct s * ps>},0 S64b,struct s}.v>}}
clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}} clang_analyzer_eval((*ps).v == ps[0].v); // expected-warning{{TRUE}}
clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}} clang_analyzer_eval((*ps).v == ps->v); // expected-warning{{TRUE}}
clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}} clang_analyzer_eval(ps[0].v == ps->v); // expected-warning{{TRUE}}
} }

clang/test/Analysis/ptr-arith.cpp

Show First 20 LinesShow All 128 Lines▼ Show 20 Lines
struct parse_t { struct parse_t {
unsigned bits0 : 1; unsigned bits0 : 1;
unsigned bits2 : 2; // <-- header unsigned bits2 : 2; // <-- header
unsigned bits4 : 4; unsigned bits4 : 4;
}; };
int parse(parse_t *p) { int parse(parse_t *p) {
unsigned copy = p->bits2; unsigned copy = p->bits2;
clang_analyzer_dump(copy); clang_analyzer_dump(copy);
// expected-warning@-1 {{reg_$1<unsigned int SymRegion{reg_$0<parse_t * p>}.bits2>}} // expected-warning@-1 {{reg_$1<unsigned int Element{SymRegion{reg_$0<parse_t * p>},0 S64b,struct Bug_55934::parse_t}.bits2>}}
header *bits = (header *)&copy; header *bits = (header *)&copy;
clang_analyzer_dump(bits->b); clang_analyzer_dump(bits->b);
// expected-warning@-1 {{derived_$2{reg_$1<unsigned int SymRegion{reg_$0<parse_t * p>}.bits2>,Element{copy,0 S64b,struct Bug_55934::header}.b}}} // expected-warning@-1 {{derived_$2{reg_$1<unsigned int Element{SymRegion{reg_$0<parse_t * p>},0 S64b,struct Bug_55934::parse_t}.bits2>,Element{copy,0 S64b,struct Bug_55934::header}.b}}}
return bits->b; // no-warning return bits->b; // no-warning
} }
} // namespace Bug_55934 } // namespace Bug_55934

clang/test/Analysis/trivial-copy-struct.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
template <typename T> void clang_analyzer_dump(T);
void clang_analyzer_warnIfReached();
struct Node { int* ptr; };
void copy_on_stack(Node* n1) {
Node tmp = *n1;
Node* n2 = &tmp;
clang_analyzer_dump(n1); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<Node * n1>}}}
clang_analyzer_dump(n2); // expected-warning {{&tmp}}
clang_analyzer_dump(n1->ptr); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<int * Element{SymRegion{reg_${{[0-9]+}}<Node * n1>},0 S64b,struct Node}.ptr>}}}
clang_analyzer_dump(n2->ptr); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<int * Element{SymRegion{reg_${{[0-9]+}}<Node * n1>},0 S64b,struct Node}.ptr>}}}
if (n1->ptr != n2->ptr)
clang_analyzer_warnIfReached(); // unreachable
(void)(n1->ptr);
(void)(n2->ptr);
}
void copy_on_heap(Node* n1) {
Node* n2 = new Node(*n1);
clang_analyzer_dump(n1); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<Node * n1>}}}
clang_analyzer_dump(n2); // expected-warning-re {{&HeapSymRegion{conj_${{[0-9]+}}{Node *, LC{{[0-9]+}}, S{{[0-9]+}}, #{{[0-9]+}}}}}}
steakhalAuthorUnsubmitted
Done
ReplyInline Actions
Node* n2 = new Node(*n1);
- clang_analyzer_dump(n1); // expected-warning {{&SymRegion{reg_$2<Node * n1>}}}
+ clang_analyzer_dump(n1); // expected-warning {{&SymRegion{reg_${{[[:digit:]]+}}<Node * n1>}}}
clang_analyzer_dump(n2); // expected-warning {{&HeapSymRegion{conj_$1{Node *, LC1, S1855, #1}}}}

and in the rest of the cases

steakhal: and in the rest of the cases
clang_analyzer_dump(n1->ptr); // expected-warning-re {{&SymRegion{reg_${{[0-9]+}}<int * Element{SymRegion{reg_${{[0-9]+}}<Node * n1>},0 S64b,struct Node}.ptr>}}}
clang_analyzer_dump(n2->ptr); // expected-warning {{Unknown}} FIXME: This should be the same as above.
if (n1->ptr != n2->ptr)
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}} FIXME: This should not be reachable.
(void)(n1->ptr);
(void)(n2->ptr);
}