This is an archive of the discontinued LLVM Phabricator instance.

Differential D146514

[clang][dataflow] Fix crash when RHS of `&&` or `||` calls `noreturn` func.
ClosedPublic

Authored by mboehme on Mar 21 2023, 4:30 AM.

Details

Reviewers
NoQ
xazax.hun
gribozavr
ymandel
sammccall
sgatev
gribozavr2
Commits
rG5acd29eb4d9e: [clang][dataflow] Fix crash when RHS of `&&` or `||` calls `noreturn` func.
Summary

The crash happened because the transfer fucntion for && and ||
unconditionally tried to retrieve the value of the RHS. However, if the RHS
is unreachable, there is no environment for it, and trying to retrieve the
operand's value causes an assertion failure.

See also the comments in the code for further details.

Diff Detail

Event Timeline

mboehme created this revision.Mar 21 2023, 4:30 AM
Herald added a reviewer: NoQ. · View Herald TranscriptMar 21 2023, 4:30 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, xazax.hun. · View Herald Transcript
mboehme requested review of this revision.Mar 21 2023, 4:30 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 21 2023, 4:30 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
mboehme added reviewers: xazax.hun, gribozavr, ymandel, sammccall, sgatev.Mar 21 2023, 4:31 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptMar 21 2023, 4:31 AM
gribozavr2 accepted this revision.Mar 21 2023, 4:33 AM
gribozavr2 added a subscriber: gribozavr2.
gribozavr2 added inline comments.
clang/unittests/Analysis/FlowSensitive/TestingSupport.h
399

getValueForDecl?

A value corresponds to a decl, a value for the decl.

"From" suggests that the value is inside the decl, or that we transform the decl into a value.

This revision is now accepted and ready to land.Mar 21 2023, 4:33 AM
mboehme mentioned this in D146507: [clang][dataflow][NFC] Eliminate StmtToEnvMap interface..Mar 21 2023, 4:41 AM
sgatev accepted this revision.Mar 21 2023, 4:43 AM
sgatev added inline comments.
clang/include/clang/Analysis/FlowSensitive/ControlFlowContext.h
52

What do you think about making this a const reference? Alternatively, let's document that it must not be null?

mboehme updated this revision to Diff 506917.Mar 21 2023, 4:45 AM

Changes in response to review comments.

mboehme marked an inline comment as done.Mar 21 2023, 4:46 AM
mboehme added inline comments.
clang/unittests/Analysis/FlowSensitive/TestingSupport.h
399

Good point -- done!

mboehme updated this revision to Diff 506919.Mar 21 2023, 4:50 AM
mboehme marked an inline comment as done.

Changes in response to review comments.

mboehme marked an inline comment as done.Mar 21 2023, 4:51 AM
mboehme added inline comments.
clang/include/clang/Analysis/FlowSensitive/ControlFlowContext.h
52

Good point -- done!

mboehme marked an inline comment as done.Mar 21 2023, 4:51 AM
ymandel accepted this revision.Mar 21 2023, 5:40 AM

Nice! Thank you.

clang/lib/Analysis/FlowSensitive/Transfer.cpp
174–175

nit. reworded (using A => B => C is the same as A & B => C). but, your call.

Harbormaster completed remote builds in B220677: Diff 506919.Mar 21 2023, 6:00 AM
xazax.hun added a comment.Mar 21 2023, 9:01 AM

This fix looks good for me for this particular problem, but I wonder whether the solution is general enough. In case the analysis figures out that a call would not return (e.g., the value method is called on a provably empty optional, and it would throw instead of returning), would this approach still work? Would the analysis update the BlockReachable bitvector on demand?

mboehme added a comment.Mar 22 2023, 2:53 AM
In D146514#4209931, @xazax.hun wrote:

This fix looks good for me for this particular problem, but I wonder whether the solution is general enough. In case the analysis figures out that a call would not return (e.g., the value method is called on a provably empty optional, and it would throw instead of returning), would this approach still work? Would the analysis update the BlockReachable bitvector on demand?

No, I think this is a different case.

BlockReachable is intended to encode reachability solely as defined by the structure of the CFG. The whole problem we're trying to solve in this patch is that the CFG understands that noreturn functions don't return and therefore eliminates any successor edges from calls to noreturn functions. This means that some of the CFG nodes become unreachable; specifically, in our case, the RHS of the && and || become unreachable, and so the dataflow analysis never computes a value for them. We therefore need to make sure that we don't try to query the value of the RHS in this case.

The case of calling value on a provably empty optional is different: The CFG does not understand that such a call does not return and therefore generates successor edges as it would for any other function call.

A side effect of the logic that this patch adds is that we get some neat inference results, as demonstrated in the newly added test. However, generating these results isn't the main goal of this patch; the patch is merely intended to ensure that we can process CFGs containing unreachable nodes caused by noreturn functions.

It would certainly be nice to generate similar inference results in the example that you mention (value on a provably empty optional), but that would require more work and a different approach.

mboehme updated this revision to Diff 507287.Mar 22 2023, 2:56 AM

Reworded comment.

mboehme updated this revision to Diff 507288.Mar 22 2023, 2:57 AM

Reworded comment again.

mboehme marked an inline comment as done.Mar 22 2023, 2:58 AM
mboehme added inline comments.
clang/lib/Analysis/FlowSensitive/Transfer.cpp
174–175

Thanks, this is easier to understand. Done!

Harbormaster completed remote builds in B220965: Diff 507288.Mar 22 2023, 4:01 AM
xazax.hun added a comment.EditedMar 22 2023, 8:29 AM
In D146514#4212528, @mboehme wrote:

No, I think this is a different case.

Sorry, I might have been unclear. I 100% agree that these are different cases. I was wondering whether we can/should have a single code path supporting both. But I do not insist since we do not seem to have precedent for the scenario I mentioned and do not want to block anything based on hypotheticals.

xazax.hun accepted this revision.Mar 22 2023, 8:31 AM
mboehme marked an inline comment as done.Mar 23 2023, 12:36 AM
In D146514#4213302, @xazax.hun wrote:
In D146514#4212528, @mboehme wrote:

No, I think this is a different case.

Sorry, I might have been unclear. I 100% agree that these are different cases. I was wondering whether we can/should have a single code path supporting both. But I do not insist since we do not seem to have precedent for the scenario I mentioned and do not want to block anything based on hypotheticals.

Got it, thanks!

Closed by commit rG5acd29eb4d9e: [clang][dataflow] Fix crash when RHS of `&&` or `||` calls `noreturn` func. (authored by mboehme). · Explain WhyMar 23 2023, 1:03 AM
This revision was automatically updated to reflect the committed changes.
mboehme added a commit: rG5acd29eb4d9e: [clang][dataflow] Fix crash when RHS of `&&` or `||` calls `noreturn` func..

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
FlowSensitive/
13 lines
6 lines
lib/
Analysis/
FlowSensitive/
29 lines
42 lines
2 lines
unittests/
Analysis/
FlowSensitive/
14 lines
66 lines

Diff 507634

clang/include/clang/Analysis/FlowSensitive/ControlFlowContext.h

Show All 12 Lines
#ifndef LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_CONTROLFLOWCONTEXT_H #ifndef LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_CONTROLFLOWCONTEXT_H
#define LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_CONTROLFLOWCONTEXT_H #define LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_CONTROLFLOWCONTEXT_H
#include "clang/AST/ASTContext.h" #include "clang/AST/ASTContext.h"
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/AST/Stmt.h" #include "clang/AST/Stmt.h"
#include "clang/Analysis/CFG.h" #include "clang/Analysis/CFG.h"
#include "llvm/ADT/BitVector.h"
#include "llvm/ADT/DenseMap.h" #include "llvm/ADT/DenseMap.h"
#include "llvm/Support/Error.h" #include "llvm/Support/Error.h"
#include <memory> #include <memory>
#include <utility> #include <utility>
namespace clang { namespace clang {
namespace dataflow { namespace dataflow {
Show All 13 Linespublic:
/// Returns the CFG that is stored in this context. /// Returns the CFG that is stored in this context.
const CFG &getCFG() const { return *Cfg; } const CFG &getCFG() const { return *Cfg; }
/// Returns a mapping from statements to basic blocks that contain them. /// Returns a mapping from statements to basic blocks that contain them.
const llvm::DenseMap<const Stmt *, const CFGBlock *> &getStmtToBlock() const { const llvm::DenseMap<const Stmt *, const CFGBlock *> &getStmtToBlock() const {
return StmtToBlock; return StmtToBlock;
} }
/// Returns whether `B` is reachable from the entry block.
bool isBlockReachable(const CFGBlock &B) const {
sgatevUnsubmitted
Done
ReplyInline Actions

What do you think about making this a const reference? Alternatively, let's document that it must not be null?

sgatev: What do you think about making this a const reference? Alternatively, let's document that it…
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

Good point -- done!

mboehme: Good point -- done!
return BlockReachable[B.getBlockID()];
}
private: private:
// FIXME: Once the deprecated `build` method is removed, mark `D` as "must not // FIXME: Once the deprecated `build` method is removed, mark `D` as "must not
// be null" and add an assertion. // be null" and add an assertion.
ControlFlowContext(const Decl *D, std::unique_ptr<CFG> Cfg, ControlFlowContext(const Decl *D, std::unique_ptr<CFG> Cfg,
llvm::DenseMap<const Stmt *, const CFGBlock *> StmtToBlock) llvm::DenseMap<const Stmt *, const CFGBlock *> StmtToBlock,
llvm::BitVector BlockReachable)
: ContainingDecl(D), Cfg(std::move(Cfg)), : ContainingDecl(D), Cfg(std::move(Cfg)),
StmtToBlock(std::move(StmtToBlock)) {} StmtToBlock(std::move(StmtToBlock)),
BlockReachable(std::move(BlockReachable)) {}
/// The `Decl` containing the statement used to construct the CFG. /// The `Decl` containing the statement used to construct the CFG.
const Decl *ContainingDecl; const Decl *ContainingDecl;
std::unique_ptr<CFG> Cfg; std::unique_ptr<CFG> Cfg;
llvm::DenseMap<const Stmt *, const CFGBlock *> StmtToBlock; llvm::DenseMap<const Stmt *, const CFGBlock *> StmtToBlock;
llvm::BitVector BlockReachable;
}; };
} // namespace dataflow } // namespace dataflow
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_CONTROLFLOWCONTEXT_H #endif // LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_CONTROLFLOWCONTEXT_H

clang/include/clang/Analysis/FlowSensitive/Transfer.h

Show All 20 Lines
namespace clang { namespace clang {
namespace dataflow { namespace dataflow {
/// Maps statements to the environments of basic blocks that contain them. /// Maps statements to the environments of basic blocks that contain them.
class StmtToEnvMap { class StmtToEnvMap {
public: public:
virtual ~StmtToEnvMap() = default; virtual ~StmtToEnvMap() = default;
/// Returns the environment of the basic block that contains `S` or nullptr if /// Retrieves the environment of the basic block that contains `S`.
/// there isn't one. /// If `S` is reachable, returns a non-null pointer to the environment.
/// FIXME: Ensure that the result can't be null and return a const reference. /// If `S` is not reachable, returns nullptr.
virtual const Environment *getEnvironment(const Stmt &S) const = 0; virtual const Environment *getEnvironment(const Stmt &S) const = 0;
}; };
/// Evaluates `S` and updates `Env` accordingly. /// Evaluates `S` and updates `Env` accordingly.
/// ///
/// Requirements: /// Requirements:
/// ///
/// `S` must not be `ParenExpr` or `ExprWithCleanups`. /// `S` must not be `ParenExpr` or `ExprWithCleanups`.
void transfer(const StmtToEnvMap &StmtToEnv, const Stmt &S, Environment &Env); void transfer(const StmtToEnvMap &StmtToEnv, const Stmt &S, Environment &Env);
} // namespace dataflow } // namespace dataflow
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_TRANSFER_H #endif // LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_TRANSFER_H

clang/lib/Analysis/FlowSensitive/ControlFlowContext.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/Analysis/FlowSensitive/ControlFlowContext.h" #include "clang/Analysis/FlowSensitive/ControlFlowContext.h"
#include "clang/AST/ASTContext.h" #include "clang/AST/ASTContext.h"
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/AST/Stmt.h" #include "clang/AST/Stmt.h"
#include "clang/Analysis/CFG.h" #include "clang/Analysis/CFG.h"
#include "llvm/ADT/BitVector.h"
#include "llvm/ADT/DenseMap.h" #include "llvm/ADT/DenseMap.h"
#include "llvm/Support/Error.h" #include "llvm/Support/Error.h"
#include <utility> #include <utility>
namespace clang { namespace clang {
namespace dataflow { namespace dataflow {
/// Returns a map from statements to basic blocks that contain them. /// Returns a map from statements to basic blocks that contain them.
Show All 12 Lines for (const CFGElement &Element : *Block) {
StmtToBlock[Stmt->getStmt()] = Block; StmtToBlock[Stmt->getStmt()] = Block;
} }
if (const Stmt *TerminatorStmt = Block->getTerminatorStmt()) if (const Stmt *TerminatorStmt = Block->getTerminatorStmt())
StmtToBlock[TerminatorStmt] = Block; StmtToBlock[TerminatorStmt] = Block;
} }
return StmtToBlock; return StmtToBlock;
} }
static llvm::BitVector findReachableBlocks(const CFG &Cfg) {
llvm::BitVector BlockReachable(Cfg.getNumBlockIDs(), false);
llvm::SmallVector<const CFGBlock *> BlocksToVisit;
BlocksToVisit.push_back(&Cfg.getEntry());
while (!BlocksToVisit.empty()) {
const CFGBlock *Block = BlocksToVisit.back();
BlocksToVisit.pop_back();
if (BlockReachable[Block->getBlockID()])
continue;
BlockReachable[Block->getBlockID()] = true;
for (const CFGBlock *Succ : Block->succs())
if (Succ)
BlocksToVisit.push_back(Succ);
}
return BlockReachable;
}
llvm::Expected<ControlFlowContext> llvm::Expected<ControlFlowContext>
ControlFlowContext::build(const Decl *D, Stmt &S, ASTContext &C) { ControlFlowContext::build(const Decl *D, Stmt &S, ASTContext &C) {
CFG::BuildOptions Options; CFG::BuildOptions Options;
Options.PruneTriviallyFalseEdges = false; Options.PruneTriviallyFalseEdges = false;
Options.AddImplicitDtors = true; Options.AddImplicitDtors = true;
Options.AddTemporaryDtors = true; Options.AddTemporaryDtors = true;
Options.AddInitializers = true; Options.AddInitializers = true;
Options.AddCXXDefaultInitExprInCtors = true; Options.AddCXXDefaultInitExprInCtors = true;
// Ensure that all sub-expressions in basic blocks are evaluated. // Ensure that all sub-expressions in basic blocks are evaluated.
Options.setAllAlwaysAdd(); Options.setAllAlwaysAdd();
auto Cfg = CFG::buildCFG(D, &S, &C, Options); auto Cfg = CFG::buildCFG(D, &S, &C, Options);
if (Cfg == nullptr) if (Cfg == nullptr)
return llvm::createStringError( return llvm::createStringError(
std::make_error_code(std::errc::invalid_argument), std::make_error_code(std::errc::invalid_argument),
"CFG::buildCFG failed"); "CFG::buildCFG failed");
llvm::DenseMap<const Stmt *, const CFGBlock *> StmtToBlock = llvm::DenseMap<const Stmt *, const CFGBlock *> StmtToBlock =
buildStmtToBasicBlockMap(*Cfg); buildStmtToBasicBlockMap(*Cfg);
return ControlFlowContext(D, std::move(Cfg), std::move(StmtToBlock));
llvm::BitVector BlockReachable = findReachableBlocks(*Cfg);
return ControlFlowContext(D, std::move(Cfg), std::move(StmtToBlock),
std::move(BlockReachable));
} }
} // namespace dataflow } // namespace dataflow
} // namespace clang } // namespace clang

clang/lib/Analysis/FlowSensitive/Transfer.cpp

Show First 20 LinesShow All 156 Lines▼ Show 20 Lines case BO_Assign: {
Env.setValue(*LHSLoc, *RHSVal); Env.setValue(*LHSLoc, *RHSVal);
// Assign a storage location for the whole expression. // Assign a storage location for the whole expression.
Env.setStorageLocation(*S, *LHSLoc); Env.setStorageLocation(*S, *LHSLoc);
break; break;
} }
case BO_LAnd: case BO_LAnd:
case BO_LOr: { case BO_LOr: {
BoolValue &LHSVal = getLogicOperatorSubExprValue(*LHS);
BoolValue &RHSVal = getLogicOperatorSubExprValue(*RHS);
auto &Loc = Env.createStorageLocation(*S); auto &Loc = Env.createStorageLocation(*S);
Env.setStorageLocation(*S, Loc); Env.setStorageLocation(*S, Loc);
BoolValue *LHSVal = getLogicOperatorSubExprValue(*LHS);
// If the LHS was not reachable, this BinaryOperator would also not be
// reachable, and we would never get here.
assert(LHSVal != nullptr);
BoolValue *RHSVal = getLogicOperatorSubExprValue(*RHS);
if (RHSVal == nullptr) {
// If the RHS isn't reachable and we evaluate this BinaryOperator,
// then the value of the LHS must have triggered the short-circuit
ymandelUnsubmitted
Done
ReplyInline Actions
if (RHSVal == nullptr) {
- // If the RHS isn't reachable, this implies that if we end up evaluating
- // this BinaryOperator, the value of the LHS must have triggered the
+ // If the RHS isn't reachable and we evaluate this BinaryOperator,
+ // then the value of the LHS must have triggered the
// short-circuit logic. This implies that the value of the entire

nit. reworded (using A => B => C is the same as A & B => C). but, your call.

ymandel: nit. reworded (using A => B => C is the same as A & B => C). but, your call.
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

Thanks, this is easier to understand. Done!

mboehme: Thanks, this is easier to understand. Done!
// logic. This implies that the value of the entire expression must be
// equal to the value of the LHS.
Env.setValue(Loc, *LHSVal);
break;
}
if (S->getOpcode() == BO_LAnd) if (S->getOpcode() == BO_LAnd)
Env.setValue(Loc, Env.makeAnd(LHSVal, RHSVal)); Env.setValue(Loc, Env.makeAnd(*LHSVal, *RHSVal));
else else
Env.setValue(Loc, Env.makeOr(LHSVal, RHSVal)); Env.setValue(Loc, Env.makeOr(*LHSVal, *RHSVal));
break; break;
} }
case BO_NE: case BO_NE:
case BO_EQ: { case BO_EQ: {
auto &LHSEqRHSValue = evaluateBooleanEquality(*LHS, *RHS, Env); auto &LHSEqRHSValue = evaluateBooleanEquality(*LHS, *RHS, Env);
auto &Loc = Env.createStorageLocation(*S); auto &Loc = Env.createStorageLocation(*S);
Env.setStorageLocation(*S, Loc); Env.setStorageLocation(*S, Loc);
Env.setValue(Loc, S->getOpcode() == BO_EQ ? LHSEqRHSValue Env.setValue(Loc, S->getOpcode() == BO_EQ ? LHSEqRHSValue
▲ Show 20 LinesShow All 592 Lines▼ Show 20 Lines void VisitExprWithCleanups(const ExprWithCleanups *S) {
// basic blocks, however manual traversal to sub-expressions may encounter // basic blocks, however manual traversal to sub-expressions may encounter
// them. Redirect to the sub-expression. // them. Redirect to the sub-expression.
auto *SubExpr = S->getSubExpr(); auto *SubExpr = S->getSubExpr();
assert(SubExpr != nullptr); assert(SubExpr != nullptr);
Visit(SubExpr); Visit(SubExpr);
} }
private: private:
BoolValue &getLogicOperatorSubExprValue(const Expr &SubExpr) { /// If `SubExpr` is reachable, returns a non-null pointer to the value for
/// `SubExpr`. If `SubExpr` is not reachable, returns nullptr.
BoolValue *getLogicOperatorSubExprValue(const Expr &SubExpr) {
// `SubExpr` and its parent logic operator might be part of different basic // `SubExpr` and its parent logic operator might be part of different basic
// blocks. We try to access the value that is assigned to `SubExpr` in the // blocks. We try to access the value that is assigned to `SubExpr` in the
// corresponding environment. // corresponding environment.
if (const Environment *SubExprEnv = StmtToEnv.getEnvironment(SubExpr)) { const Environment *SubExprEnv = StmtToEnv.getEnvironment(SubExpr);
if (!SubExprEnv)
return nullptr;
if (auto *Val = dyn_cast_or_null<BoolValue>( if (auto *Val = dyn_cast_or_null<BoolValue>(
SubExprEnv->getValue(SubExpr, SkipPast::Reference))) SubExprEnv->getValue(SubExpr, SkipPast::Reference)))
return *Val; return Val;
}
if (Env.getStorageLocation(SubExpr, SkipPast::None) == nullptr) { if (Env.getStorageLocation(SubExpr, SkipPast::None) == nullptr) {
// Sub-expressions that are logic operators are not added in basic blocks // Sub-expressions that are logic operators are not added in basic blocks
// (e.g. see CFG for `bool d = a && (b || c);`). If `SubExpr` is a logic // (e.g. see CFG for `bool d = a && (b || c);`). If `SubExpr` is a logic
// operator, it may not have been evaluated and assigned a value yet. In // operator, it may not have been evaluated and assigned a value yet. In
// that case, we need to first visit `SubExpr` and then try to get the // that case, we need to first visit `SubExpr` and then try to get the
// value that gets assigned to it. // value that gets assigned to it.
Visit(&SubExpr); Visit(&SubExpr);
} }
if (auto *Val = dyn_cast_or_null<BoolValue>( if (auto *Val = dyn_cast_or_null<BoolValue>(
Env.getValue(SubExpr, SkipPast::Reference))) Env.getValue(SubExpr, SkipPast::Reference)))
return *Val; return Val;
// If the value of `SubExpr` is still unknown, we create a fresh symbolic // If the value of `SubExpr` is still unknown, we create a fresh symbolic
// boolean value for it. // boolean value for it.
return Env.makeAtomicBoolValue(); return &Env.makeAtomicBoolValue();
} }
// If context sensitivity is enabled, try to analyze the body of the callee // If context sensitivity is enabled, try to analyze the body of the callee
// `F` of `S`. The type `E` must be either `CallExpr` or `CXXConstructExpr`. // `F` of `S`. The type `E` must be either `CallExpr` or `CXXConstructExpr`.
template <typename E> template <typename E>
void transferInlineCall(const E *S, const FunctionDecl *F) { void transferInlineCall(const E *S, const FunctionDecl *F) {
const auto &Options = Env.getAnalysisOptions(); const auto &Options = Env.getAnalysisOptions();
if (!(Options.ContextSensitiveOpts && if (!(Options.ContextSensitiveOpts &&
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp

Show First 20 LinesShow All 45 Lines▼ Show 20 Lines StmtToEnvMapImpl(
const ControlFlowContext &CFCtx, const ControlFlowContext &CFCtx,
llvm::ArrayRef<std::optional<TypeErasedDataflowAnalysisState>> llvm::ArrayRef<std::optional<TypeErasedDataflowAnalysisState>>
BlockToState) BlockToState)
: CFCtx(CFCtx), BlockToState(BlockToState) {} : CFCtx(CFCtx), BlockToState(BlockToState) {}
const Environment *getEnvironment(const Stmt &S) const override { const Environment *getEnvironment(const Stmt &S) const override {
auto BlockIt = CFCtx.getStmtToBlock().find(&ignoreCFGOmittedNodes(S)); auto BlockIt = CFCtx.getStmtToBlock().find(&ignoreCFGOmittedNodes(S));
assert(BlockIt != CFCtx.getStmtToBlock().end()); assert(BlockIt != CFCtx.getStmtToBlock().end());
if (!CFCtx.isBlockReachable(*BlockIt->getSecond()))
return nullptr;
const auto &State = BlockToState[BlockIt->getSecond()->getBlockID()]; const auto &State = BlockToState[BlockIt->getSecond()->getBlockID()];
assert(State); assert(State);
return &State->Env; return &State->Env;
} }
private: private:
const ControlFlowContext &CFCtx; const ControlFlowContext &CFCtx;
llvm::ArrayRef<std::optional<TypeErasedDataflowAnalysisState>> BlockToState; llvm::ArrayRef<std::optional<TypeErasedDataflowAnalysisState>> BlockToState;
▲ Show 20 LinesShow All 439 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/TestingSupport.h

Show First 20 LinesShow All 383 Lines▼ Show 20 Lines
/// Returns the `ValueDecl` for the given identifier. /// Returns the `ValueDecl` for the given identifier.
/// ///
/// Requirements: /// Requirements:
/// ///
/// `Name` must be unique in `ASTCtx`. /// `Name` must be unique in `ASTCtx`.
const ValueDecl *findValueDecl(ASTContext &ASTCtx, llvm::StringRef Name); const ValueDecl *findValueDecl(ASTContext &ASTCtx, llvm::StringRef Name);
/// Returns the value (of type `ValueT`) for the given identifier.
/// `ValueT` must be a subclass of `Value` and must be of the appropriate type.
///
/// Requirements:
///
/// `Name` must be unique in `ASTCtx`.
template <class ValueT>
ValueT &getValueForDecl(ASTContext &ASTCtx, const Environment &Env,
gribozavr2Unsubmitted
Done
ReplyInline Actions

getValueForDecl?

A value corresponds to a decl, a value for the decl.

"From" suggests that the value is inside the decl, or that we transform the decl into a value.

gribozavr2: getValueForDecl? A value corresponds to a decl, a value for the decl. "From" suggests that…
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

Good point -- done!

mboehme: Good point -- done!
llvm::StringRef Name) {
const ValueDecl *VD = findValueDecl(ASTCtx, Name);
assert(VD != nullptr);
return *cast<ValueT>(Env.getValue(*VD, SkipPast::None));
}
/// Creates and owns constraints which are boolean values. /// Creates and owns constraints which are boolean values.
class ConstraintContext { class ConstraintContext {
public: public:
// Creates an atomic boolean value. // Creates an atomic boolean value.
BoolValue *atom() { BoolValue *atom() {
Vals.push_back(std::make_unique<AtomicBoolValue>()); Vals.push_back(std::make_unique<AtomicBoolValue>());
return Vals.back().get(); return Vals.back().get();
} }
▲ Show 20 LinesShow All 50 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp

Show First 20 LinesShow All 5,098 Lines▼ Show 20 Lines runDataflow(
Code, Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results, [](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) { ASTContext &ASTCtx) {
// This doesn't need a body because this test was crashing the framework // This doesn't need a body because this test was crashing the framework
// before handling correctly Unnamed bitfields in `InitListExpr`. // before handling correctly Unnamed bitfields in `InitListExpr`.
}); });
} }
// Repro for a crash that used to occur when we call a `noreturn` function
// within one of the operands of a `&&` or `||` operator.
TEST(TransferTest, NoReturnFunctionInsideShortCircuitedBooleanOp) {
std::string Code = R"(
__attribute__((noreturn)) int doesnt_return();
bool some_condition();
void target(bool b1, bool b2) {
// Neither of these should crash. In addition, if we don't terminate the
// program, we know that the operators need to trigger the short-circuit
// logic, so `NoreturnOnRhsOfAnd` will be false and `NoreturnOnRhsOfOr`
// will be true.
bool NoreturnOnRhsOfAnd = b1 && doesnt_return() > 0;
bool NoreturnOnRhsOfOr = b2 || doesnt_return() > 0;
// Calling a `noreturn` function on the LHS of an `&&` or `||` makes the
// entire expression unreachable. So we know that in both of the following
// cases, if `target()` terminates, the `else` branch was taken.
bool NoreturnOnLhsMakesAndUnreachable = false;
if (some_condition())
doesnt_return() > 0 && some_condition();
else
NoreturnOnLhsMakesAndUnreachable = true;
bool NoreturnOnLhsMakesOrUnreachable = false;
if (some_condition())
doesnt_return() > 0 || some_condition();
else
NoreturnOnLhsMakesOrUnreachable = true;
// [[p]]
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
ASSERT_THAT(Results.keys(), UnorderedElementsAre("p"));
const Environment &Env = getEnvironmentAtAnnotation(Results, "p");
// Check that [[p]] is reachable with a non-false flow condition.
EXPECT_FALSE(Env.flowConditionImplies(Env.getBoolLiteralValue(false)));
auto &B1 = getValueForDecl<BoolValue>(ASTCtx, Env, "b1");
EXPECT_TRUE(Env.flowConditionImplies(Env.makeNot(B1)));
auto &NoreturnOnRhsOfAnd =
getValueForDecl<BoolValue>(ASTCtx, Env, "NoreturnOnRhsOfAnd");
EXPECT_TRUE(Env.flowConditionImplies(Env.makeNot(NoreturnOnRhsOfAnd)));
auto &B2 = getValueForDecl<BoolValue>(ASTCtx, Env, "b2");
EXPECT_TRUE(Env.flowConditionImplies(B2));
auto &NoreturnOnRhsOfOr =
getValueForDecl<BoolValue>(ASTCtx, Env, "NoreturnOnRhsOfOr");
EXPECT_TRUE(Env.flowConditionImplies(NoreturnOnRhsOfOr));
auto &NoreturnOnLhsMakesAndUnreachable = getValueForDecl<BoolValue>(
ASTCtx, Env, "NoreturnOnLhsMakesAndUnreachable");
EXPECT_TRUE(Env.flowConditionImplies(NoreturnOnLhsMakesAndUnreachable));
auto &NoreturnOnLhsMakesOrUnreachable = getValueForDecl<BoolValue>(
ASTCtx, Env, "NoreturnOnLhsMakesOrUnreachable");
EXPECT_TRUE(Env.flowConditionImplies(NoreturnOnLhsMakesOrUnreachable));
});
}
} // namespace } // namespace