This is an archive of the discontinued LLVM Phabricator instance.

Differential D147698

[clang][dataflow] Add support for new expressions.
ClosedPublic

Authored by mboehme on Apr 6 2023, 4:28 AM.

Details

Reviewers
NoQ
sgatev
xazax.hun
gribozavr2
Commits
rG6ab900f8746e: [clang][dataflow] Add support for new expressions.

Diff Detail

Event Timeline

mboehme created this revision.Apr 6 2023, 4:28 AM
Herald added a reviewer: NoQ. · View Herald TranscriptApr 6 2023, 4:28 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, xazax.hun. · View Herald Transcript
mboehme requested review of this revision.Apr 6 2023, 4:28 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 6 2023, 4:28 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
mboehme added reviewers: sgatev, xazax.hun.Apr 6 2023, 4:29 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptApr 6 2023, 4:29 AM
Harbormaster completed remote builds in B223975: Diff 511366.Apr 6 2023, 5:06 AM
gribozavr2 added a subscriber: gribozavr2.Apr 6 2023, 7:00 PM
gribozavr2 added inline comments.
clang/include/clang/Analysis/FlowSensitive/Value.h
315 ↗(On Diff #511366)

Modifying already-created values is wrong since values are supposed to be immutable (I know we already do it in setChild above, but let's not add more?)

A value can be stored in multiple locations, and if one of them is deleted, the other users of the same value shouldn't observe the change.

clang/lib/Analysis/FlowSensitive/Transfer.cpp
485

I'm not convinced that we need to break the loc/value association for deleted heap allocations. After all, we don't do that for stack allocations that go out of scope. So why bother for the heap? Especially since "delete" is very rare in modern idiomatic C++.

490

It is correct that we shouldn't deallocate PointerValue, but the reasons for that are different:

(1) The code being analyzed might have multiple copies of the pointer, and it might have a double-free or a use-after-free. The analyzer shouldn't execute UB when the program being analyzed has UB.

(2) The PointerValue is needed to analyze other basic blocks.

(3) The downstream code that is going to inspect the environments at various program points will need the PointerValues (like the test in this patch).

gribozavr2 added a reviewer: gribozavr2.Apr 6 2023, 7:00 PM
mboehme added a comment.Apr 11 2023, 4:18 AM

@gribozavr2 Just to make sure I understand you correctly here (before I make any changes to the code): IIUC you recommend simply doing nothing on a delete expression? (Your arguments for this make sense to me, just want to double-check I understood correctly.)

gribozavr2 added a comment.Apr 11 2023, 6:12 AM
In D147698#4257698, @mboehme wrote:

@gribozavr2 Just to make sure I understand you correctly here (before I make any changes to the code): IIUC you recommend simply doing nothing on a delete expression? (Your arguments for this make sense to me, just want to double-check I understood correctly.)

Yes, that's my suggestion.

mboehme updated this revision to Diff 512434.Apr 11 2023, 6:51 AM

Eliminate specific handling of delete expressions.

mboehme retitled this revision from [clang][dataflow] Add support for new and delete expressions. to [clang][dataflow] Add support for new expressions..Apr 11 2023, 6:51 AM
mboehme edited the summary of this revision. (Show Details)
mboehme marked 3 inline comments as done.Apr 11 2023, 6:55 AM
mboehme added inline comments.
clang/include/clang/Analysis/FlowSensitive/Value.h
315 ↗(On Diff #511366)

Modifying already-created values is wrong since values are supposed to be immutable (I know we already do it in setChild above, but let's not add more?)

Good point -- removed.

A value can be stored in multiple locations, and if one of them is deleted, the other users of the same value shouldn't observe the change.

No longer relevant, but just to complete the discussion: I don't believe this is true for StructValues because of the way that prvalues of class type get materialized into result objects. I believe this causes every StructValue to be materialized into exactly one AggregateStorageLocation.

clang/lib/Analysis/FlowSensitive/Transfer.cpp
485

Good point. This makes everything much simpler. Done.

490

(1) The code being analyzed might have multiple copies of the pointer, and it might have a double-free or a use-after-free. The analyzer shouldn't execute UB when the program being analyzed has UB.

That's what I was trying to say with my comment here -- but this is now moot anyway, as we no longer do anything for deletes.

gribozavr2 accepted this revision.Apr 11 2023, 7:30 AM
This revision is now accepted and ready to land.Apr 11 2023, 7:30 AM
Harbormaster completed remote builds in B224766: Diff 512434.Apr 11 2023, 7:45 AM
xazax.hun accepted this revision.Apr 17 2023, 8:46 AM
Closed by commit rG6ab900f8746e: [clang][dataflow] Add support for new expressions. (authored by mboehme). · Explain WhyApr 17 2023, 9:11 PM
This revision was automatically updated to reflect the committed changes.
mboehme marked 3 inline comments as done.
mboehme added a commit: rG6ab900f8746e: [clang][dataflow] Add support for new expressions..

Revision Contents

PathSize
clang/
lib/
Analysis/
FlowSensitive/
14 lines
unittests/
Analysis/
FlowSensitive/
62 lines

Diff 514517

clang/lib/Analysis/FlowSensitive/Transfer.cpp

Show First 20 LinesShow All 463 Lines▼ Show 20 Lines if (ThisPointeeLoc == nullptr)
// `this` expression's pointee. // `this` expression's pointee.
return; return;
auto &Loc = Env.createStorageLocation(*S); auto &Loc = Env.createStorageLocation(*S);
Env.setStorageLocation(*S, Loc); Env.setStorageLocation(*S, Loc);
Env.setValue(Loc, Env.create<PointerValue>(*ThisPointeeLoc)); Env.setValue(Loc, Env.create<PointerValue>(*ThisPointeeLoc));
} }
void VisitCXXNewExpr(const CXXNewExpr *S) {
auto &Loc = Env.createStorageLocation(*S);
Env.setStorageLocation(*S, Loc);
if (Value *Val = Env.createValue(S->getType()))
Env.setValue(Loc, *Val);
}
void VisitCXXDeleteExpr(const CXXDeleteExpr *S) {
// Empty method.
// We consciously don't do anything on deletes. Diagnosing double deletes
// (for example) should be done by a specific analysis, not by the
// framework.
}
gribozavr2Unsubmitted
Done
ReplyInline Actions

I'm not convinced that we need to break the loc/value association for deleted heap allocations. After all, we don't do that for stack allocations that go out of scope. So why bother for the heap? Especially since "delete" is very rare in modern idiomatic C++.

gribozavr2: I'm not convinced that we need to break the loc/value association for deleted heap allocations.
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

Good point. This makes everything much simpler. Done.

mboehme: Good point. This makes everything much simpler. Done.
void VisitReturnStmt(const ReturnStmt *S) { void VisitReturnStmt(const ReturnStmt *S) {
if (!Env.getAnalysisOptions().ContextSensitiveOpts) if (!Env.getAnalysisOptions().ContextSensitiveOpts)
return; return;
auto *Ret = S->getRetValue(); auto *Ret = S->getRetValue();
gribozavr2Unsubmitted
Done
ReplyInline Actions

It is correct that we shouldn't deallocate PointerValue, but the reasons for that are different:

(1) The code being analyzed might have multiple copies of the pointer, and it might have a double-free or a use-after-free. The analyzer shouldn't execute UB when the program being analyzed has UB.

(2) The PointerValue is needed to analyze other basic blocks.

(3) The downstream code that is going to inspect the environments at various program points will need the PointerValues (like the test in this patch).

gribozavr2: It is correct that we shouldn't deallocate PointerValue, but the reasons for that are different…
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

(1) The code being analyzed might have multiple copies of the pointer, and it might have a double-free or a use-after-free. The analyzer shouldn't execute UB when the program being analyzed has UB.

That's what I was trying to say with my comment here -- but this is now moot anyway, as we no longer do anything for deletes.

mboehme: > (1) The code being analyzed might have multiple copies of the pointer, and it might have a…
if (Ret == nullptr) if (Ret == nullptr)
return; return;
auto *Val = Env.getValue(*Ret, SkipPast::None); auto *Val = Env.getValue(*Ret, SkipPast::None);
if (Val == nullptr) if (Val == nullptr)
return; return;
// FIXME: Support reference-type returns. // FIXME: Support reference-type returns.
▲ Show 20 LinesShow All 407 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp

Show First 20 LinesShow All 5,164 Lines▼ Show 20 Lines runDataflow(
EXPECT_TRUE(Env.flowConditionImplies(NoreturnOnLhsMakesAndUnreachable)); EXPECT_TRUE(Env.flowConditionImplies(NoreturnOnLhsMakesAndUnreachable));
auto &NoreturnOnLhsMakesOrUnreachable = getValueForDecl<BoolValue>( auto &NoreturnOnLhsMakesOrUnreachable = getValueForDecl<BoolValue>(
ASTCtx, Env, "NoreturnOnLhsMakesOrUnreachable"); ASTCtx, Env, "NoreturnOnLhsMakesOrUnreachable");
EXPECT_TRUE(Env.flowConditionImplies(NoreturnOnLhsMakesOrUnreachable)); EXPECT_TRUE(Env.flowConditionImplies(NoreturnOnLhsMakesOrUnreachable));
}); });
} }
TEST(TransferTest, NewExpressions) {
std::string Code = R"(
void target() {
int *p = new int(42);
// [[after_new]]
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
const Environment &Env =
getEnvironmentAtAnnotation(Results, "after_new");
auto &P = getValueForDecl<PointerValue>(ASTCtx, Env, "p");
EXPECT_THAT(Env.getValue(P.getPointeeLoc()), NotNull());
});
}
TEST(TransferTest, NewExpressions_Structs) {
std::string Code = R"(
struct Inner {
int InnerField;
};
struct Outer {
Inner OuterField;
};
void target() {
Outer *p = new Outer;
// Access the fields to make sure the analysis actually generates children
// for them in the `AggregateStorageLoc` and `StructValue`.
p->OuterField.InnerField;
// [[after_new]]
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
const Environment &Env =
getEnvironmentAtAnnotation(Results, "after_new");
const ValueDecl *OuterField = findValueDecl(ASTCtx, "OuterField");
const ValueDecl *InnerField = findValueDecl(ASTCtx, "InnerField");
auto &P = getValueForDecl<PointerValue>(ASTCtx, Env, "p");
auto &OuterLoc = cast<AggregateStorageLocation>(P.getPointeeLoc());
auto &OuterFieldLoc =
cast<AggregateStorageLocation>(OuterLoc.getChild(*OuterField));
auto &InnerFieldLoc = OuterFieldLoc.getChild(*InnerField);
// Values for the struct and all fields exist after the new.
EXPECT_THAT(Env.getValue(OuterLoc), NotNull());
EXPECT_THAT(Env.getValue(OuterFieldLoc), NotNull());
EXPECT_THAT(Env.getValue(InnerFieldLoc), NotNull());
});
}
} // namespace } // namespace