This is an archive of the discontinued LLVM Phabricator instance.

Differential D135763

[analyzer] Workaround crash on encountering Class non-type template parameters
ClosedPublic

Authored by steakhal on Oct 12 2022, 4:35 AM.

Details

Reviewers
NoQ
martong
Szelethus
xazax.hun
Commits
rGb062ee7dc451: [analyzer] Workaround crash on encountering Class non-type template parameters
Summary

The Clang Static Analyzer will crash on this code:

struct Box {
  int value;
};
template <Box V> int get() {
  return V.value;
}
template int get<Box{-1}>();

https://godbolt.org/z/5Yb1sMMMb

The problem is that we don't account for encountering TemplateParamObjectDecls
within the DeclRefExpr handler in the ExprEngine.

IMO we should create a new memregion for representing such template
param objects, to model their language semantics.
Such as:

  • it should have global static storage
  • for two identical values, their addresses should be identical as well

http://eel.is/c%2B%2Bdraft/temp.param#8

I was thinking of introducing a TemplateParamObjectRegion under DeclRegion
for this purpose. It could have TemplateParamObjectDecl as a field.

The TemplateParamObjectDecl::getValue() returns APValue, which might
represent multiple levels of structures, unions and other goodies -
making the transformation from APValue to SVal a bit complicated.

That being said, for now, I think having Unknowns for such cases is
definitely an improvement to crashing, hence I'm proposing this patch.

Diff Detail

Event Timeline

steakhal created this revision.Oct 12 2022, 4:35 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 12 2022, 4:35 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 6 others. · View Herald Transcript
steakhal requested review of this revision.Oct 12 2022, 4:35 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 12 2022, 4:35 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B191699: Diff 467087.Oct 12 2022, 5:23 AM
xazax.hun accepted this revision.Oct 12 2022, 1:19 PM

This change look good to me. I am not entirely sure about the future plans though. We should be able to read the values out from the AST, so we do not need the store to map memregions to values (as far as the values inside the object are concerned). How to deal with the address of such object is a good question, but a special symbol or constant might be an alternative to introducing memregions.

This revision is now accepted and ready to land.Oct 12 2022, 1:19 PM
steakhal added a comment.Oct 12 2022, 11:28 PM
In D135763#3853746, @xazax.hun wrote:

This change look good to me. I am not entirely sure about the future plans though.

Me neither. That was just a thought.

We should be able to read the values out from the AST, so we do not need the store to map memregions to values (as far as the values inside the object are concerned).

That's true.

How to deal with the address of such object is a good question, but a special symbol or constant might be an alternative to introducing memregions.

I'm not sure if we should introduce more and more special cases.
We should experiment with some ideas, that's for sure.

Closed by commit rGb062ee7dc451: [analyzer] Workaround crash on encountering Class non-type template parameters (authored by steakhal). · Explain WhyOct 12 2022, 11:42 PM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rGb062ee7dc451: [analyzer] Workaround crash on encountering Class non-type template parameters.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
6 lines
test/
Analysis/
33 lines

Diff 467366

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 3,152 Lines▼ Show 20 Lines if (const auto *BD = dyn_cast<BindingDecl>(D)) {
} }
Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr, Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
ProgramPoint::PostLValueKind); ProgramPoint::PostLValueKind);
return; return;
} }
if (const auto *TPO = dyn_cast<TemplateParamObjectDecl>(D)) {
// FIXME: We should meaningfully implement this.
(void)TPO;
return;
}
llvm_unreachable("Support for this Decl not implemented."); llvm_unreachable("Support for this Decl not implemented.");
} }
/// VisitArrayInitLoopExpr - Transfer function for array init loop. /// VisitArrayInitLoopExpr - Transfer function for array init loop.
void ExprEngine::VisitArrayInitLoopExpr(const ArrayInitLoopExpr *Ex, void ExprEngine::VisitArrayInitLoopExpr(const ArrayInitLoopExpr *Ex,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
ExplodedNodeSet CheckerPreStmt; ExplodedNodeSet CheckerPreStmt;
▲ Show 20 LinesShow All 759 LinesShow Last 20 Lines

clang/test/Analysis/template-param-objects.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false -std=c++20 -verify %s
template <class T> void clang_analyzer_dump(T);
void clang_analyzer_eval(bool);
struct Box {
int value;
};
bool operator ==(Box lhs, Box rhs) {
return lhs.value == rhs.value;
}
template <Box V> void dumps() {
clang_analyzer_dump(V); // expected-warning {{lazyCompoundVal}}
clang_analyzer_dump(&V); // expected-warning {{Unknown}}
clang_analyzer_dump(V.value); // expected-warning {{Unknown}} FIXME: It should be '6 S32b'.
clang_analyzer_dump(&V.value); // expected-warning {{Unknown}}
}
template void dumps<Box{6}>();
// [temp.param].7.3.2:
// "All such template parameters in the program of the same type with the
// same value denote the same template parameter object."
template <Box A1, Box A2, Box B1, Box B2> void stable_addresses() {
clang_analyzer_eval(&A1 == &A2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
clang_analyzer_eval(&B1 == &B2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
clang_analyzer_eval(&A1 == &B2); // expected-warning {{UNKNOWN}} FIXME: It should be FALSE.
clang_analyzer_eval(A1 == A2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
clang_analyzer_eval(B1 == B2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
clang_analyzer_eval(A1 == B2); // expected-warning {{UNKNOWN}} FIXME: It should be FALSE.
}
template void stable_addresses<Box{1}, Box{1}, Box{2}, Box{2}>();