This is an archive of the discontinued LLVM Phabricator instance.

Differential D150775

[clang][dataflow] Fix a bug in handling of `operator->` for optional checker.
ClosedPublic

Authored by mboehme on May 17 2023, 6:27 AM.

Details

Reviewers
NoQ
sgatev
xazax.hun
ymandel
Commits
rG3bc1ea5b0ac9: [clang][dataflow] Fix a bug in handling of `operator->` for optional checker.
Summary

Prior to this patch, operator-> was being handled like operator*: It was
associating a Value of type T with the expression result (where T is the
template argument of the optional<T>). This is correct for operator*, which
returns a reference (of some flavor) to T, so that the result of the
CXXOperatorCallExpr is a glvalue of type T. However, operator* returns a
T*, so the result of the CXXOperatorCallExpr is a prvalue T*, which should
therefore be associated with PointerValue that in turn refers to a T.

I noticed this issue while working on the migration to strict handling of
value categories (see https://discourse.llvm.org/t/70086). The current behavior
also seems problematic more generally because it's plausible that the framework
may at some point introduce behavior that assumes an Expr of pointer type is
always associated with a PointerValue.

As it turns out, this patch fixes an existing FIXME in the test
OptionalValueInitialization.

Depends On D150657

Diff Detail

Event Timeline

mboehme created this revision.May 17 2023, 6:27 AM
Herald added a reviewer: NoQ. · View Herald TranscriptMay 17 2023, 6:27 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, xazax.hun. · View Herald Transcript
mboehme requested review of this revision.May 17 2023, 6:27 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 17 2023, 6:27 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
mboehme added a child revision: D150776: [clang][dataflow] Use `Strict` accessors in comma operator and no-op cast..May 17 2023, 6:27 AM
mboehme added reviewers: sgatev, xazax.hun.May 17 2023, 6:29 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptMay 17 2023, 6:29 AM
ymandel accepted this revision.May 17 2023, 7:15 AM
ymandel added a subscriber: ymandel.

Nice catch!

clang/lib/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.cpp
789

this function will be left with only one caller. Maybe inline it? For that matter, should the other caller be changed in some parallel way?

This revision is now accepted and ready to land.May 17 2023, 7:15 AM
mboehme added inline comments.May 17 2023, 7:38 AM
clang/lib/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.cpp
789

this function will be left with only one caller. Maybe inline it?

The general style in this file seems to be to pull matcher expressions out into helper functions, even if they're only used in one place. FWIW, I'm personally not convinced this is helpful because you _want_ to be able to see exactly what a CaseOfCFGStmt is matching on, so inlining makes sense IMO. But I'm not sure I want to be inconsistent with the general style of this file -- it would make more sense to do a general cleanup. WDYT?

For that matter, should the other caller be changed in some parallel way?

No, that caller (buildDiagnoseMatchSwitch()) does not have the same problem because it looks only at the optional, not at the value that is contained in it (see also D150756, which makes this explicit), and the distinction between operator* and operator-> (for our purposes) is only in the way they return the contained value.

ymandel added inline comments.May 17 2023, 7:54 AM
clang/lib/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.cpp
789

regarding the matcher -- it's a judgment call; I agree that having to jump back and forth to read this case "statement" is problematic, but some of the matchers are kind of complicated, so a name can be a service to the reader. This one looked sufficiently simple to consider just inlining it, but I'm also fine leaving as is.

Harbormaster completed remote builds in B232597: Diff 523033.May 17 2023, 1:47 PM
mboehme marked 2 inline comments as done.May 21 2023, 11:16 PM
mboehme added inline comments.
clang/lib/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.cpp
789

In that case, I think I'll leave this as-is for the time being and will revisit the question of inlining more generally.

This revision was landed with ongoing or failed builds.May 21 2023, 11:51 PM
Closed by commit rG3bc1ea5b0ac9: [clang][dataflow] Fix a bug in handling of `operator->` for optional checker. (authored by mboehme). · Explain Why
This revision was automatically updated to reflect the committed changes.
mboehme marked an inline comment as done.
mboehme added a commit: rG3bc1ea5b0ac9: [clang][dataflow] Fix a bug in handling of `operator->` for optional checker..

Revision Contents

PathSize
clang/
lib/
Analysis/
FlowSensitive/
Models/
35 lines
unittests/
Analysis/
FlowSensitive/
5 lines

Diff 524175

clang/lib/Analysis/FlowSensitive/Models/UncheckedOptionalAccessModel.cpp

Show First 20 LinesShow All 393 Lines▼ Show 20 Lines if (auto *OptionalVal =
getValueBehindPossiblePointer(*ObjectExpr, State.Env)) { getValueBehindPossiblePointer(*ObjectExpr, State.Env)) {
if (State.Env.getStorageLocation(*UnwrapExpr, SkipPast::None) == nullptr) if (State.Env.getStorageLocation(*UnwrapExpr, SkipPast::None) == nullptr)
if (auto *Loc = maybeInitializeOptionalValueMember( if (auto *Loc = maybeInitializeOptionalValueMember(
UnwrapExpr->getType(), *OptionalVal, State.Env)) UnwrapExpr->getType(), *OptionalVal, State.Env))
State.Env.setStorageLocation(*UnwrapExpr, *Loc); State.Env.setStorageLocation(*UnwrapExpr, *Loc);
} }
} }
void transferArrowOpCall(const Expr *UnwrapExpr, const Expr *ObjectExpr,
LatticeTransferState &State) {
if (auto *OptionalVal =
getValueBehindPossiblePointer(*ObjectExpr, State.Env)) {
if (auto *Loc = maybeInitializeOptionalValueMember(
UnwrapExpr->getType()->getPointeeType(), *OptionalVal, State.Env)) {
State.Env.setValueStrict(*UnwrapExpr,
State.Env.create<PointerValue>(*Loc));
}
}
}
void transferMakeOptionalCall(const CallExpr *E, void transferMakeOptionalCall(const CallExpr *E,
const MatchFinder::MatchResult &, const MatchFinder::MatchResult &,
LatticeTransferState &State) { LatticeTransferState &State) {
auto &Loc = State.Env.createStorageLocation(*E); auto &Loc = State.Env.createStorageLocation(*E);
State.Env.setStorageLocation(*E, Loc); State.Env.setStorageLocation(*E, Loc);
State.Env.setValue( State.Env.setValue(
Loc, createOptionalValue(State.Env, State.Env.getBoolLiteralValue(true))); Loc, createOptionalValue(State.Env, State.Env.getBoolLiteralValue(true)));
} }
▲ Show 20 LinesShow All 359 Lines▼ Show 20 Lines return CFGMatchSwitchBuilder<LatticeTransferState>()
// optional::value // optional::value
.CaseOfCFGStmt<CXXMemberCallExpr>( .CaseOfCFGStmt<CXXMemberCallExpr>(
valueCall(std::nullopt), valueCall(std::nullopt),
[](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &, [](const CXXMemberCallExpr *E, const MatchFinder::MatchResult &,
LatticeTransferState &State) { LatticeTransferState &State) {
transferUnwrapCall(E, E->getImplicitObjectArgument(), State); transferUnwrapCall(E, E->getImplicitObjectArgument(), State);
}) })
// optional::operator*, optional::operator-> // optional::operator*
// FIXME: This does something slightly strange for `operator->`. .CaseOfCFGStmt<CallExpr>(isOptionalOperatorCallWithName("*"),
// `transferUnwrapCall()` may create a new value of type `T` for the
// `optional<T>`, and it associates that value with `E`. In the case of
// `operator->`, `E` is a pointer. As a result, we associate an
// expression of pointer type with a storage location of non-pointer type
// `T`. This can confound other code that expects expressions of
// pointer type to be associated with `PointerValue`s, such as the
// centrally provided accessors `getImplicitObjectLocation()` and
// `getBaseObjectLocation()`, and this is the reason we need to use our
// own 'maybeSkipPointer()` and `getValueBehindPossiblePointer()` instead
// of these accessors.
.CaseOfCFGStmt<CallExpr>(valueOperatorCall(std::nullopt),
ymandelUnsubmitted
Done
ReplyInline Actions

this function will be left with only one caller. Maybe inline it? For that matter, should the other caller be changed in some parallel way?

ymandel: this function will be left with only one caller. Maybe inline it? For that matter, should the…
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

this function will be left with only one caller. Maybe inline it?

The general style in this file seems to be to pull matcher expressions out into helper functions, even if they're only used in one place. FWIW, I'm personally not convinced this is helpful because you _want_ to be able to see exactly what a CaseOfCFGStmt is matching on, so inlining makes sense IMO. But I'm not sure I want to be inconsistent with the general style of this file -- it would make more sense to do a general cleanup. WDYT?

For that matter, should the other caller be changed in some parallel way?

No, that caller (buildDiagnoseMatchSwitch()) does not have the same problem because it looks only at the optional, not at the value that is contained in it (see also D150756, which makes this explicit), and the distinction between operator* and operator-> (for our purposes) is only in the way they return the contained value.

mboehme: > this function will be left with only one caller. Maybe inline it? The general style in this…
ymandelUnsubmitted
Done
ReplyInline Actions

regarding the matcher -- it's a judgment call; I agree that having to jump back and forth to read this case "statement" is problematic, but some of the matchers are kind of complicated, so a name can be a service to the reader. This one looked sufficiently simple to consider just inlining it, but I'm also fine leaving as is.

ymandel: regarding the matcher -- it's a judgment call; I agree that having to jump back and forth to…
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

In that case, I think I'll leave this as-is for the time being and will revisit the question of inlining more generally.

mboehme: In that case, I think I'll leave this as-is for the time being and will revisit the question of…
[](const CallExpr *E, [](const CallExpr *E,
const MatchFinder::MatchResult &, const MatchFinder::MatchResult &,
LatticeTransferState &State) { LatticeTransferState &State) {
transferUnwrapCall(E, E->getArg(0), State); transferUnwrapCall(E, E->getArg(0), State);
}) })
// optional::operator->
.CaseOfCFGStmt<CallExpr>(isOptionalOperatorCallWithName("->"),
[](const CallExpr *E,
const MatchFinder::MatchResult &,
LatticeTransferState &State) {
transferArrowOpCall(E, E->getArg(0), State);
})
// optional::has_value // optional::has_value
.CaseOfCFGStmt<CXXMemberCallExpr>( .CaseOfCFGStmt<CXXMemberCallExpr>(
isOptionalMemberCallWithName("has_value"), isOptionalMemberCallWithName("has_value"),
transferOptionalHasValueCall) transferOptionalHasValueCall)
// optional::operator bool // optional::operator bool
.CaseOfCFGStmt<CXXMemberCallExpr>( .CaseOfCFGStmt<CXXMemberCallExpr>(
isOptionalMemberCallWithName("operator bool"), isOptionalMemberCallWithName("operator bool"),
▲ Show 20 LinesShow All 201 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/UncheckedOptionalAccessModelTest.cpp

Show First 20 LinesShow All 2,758 Lines▼ Show 20 Lines void target($ns::$optional<Foo> foo) {
if (foo && foo->opt) { if (foo && foo->opt) {
foo->opt.value(); foo->opt.value();
} }
} }
)"); )");
} }
TEST_P(UncheckedOptionalAccessTest, OptionalValueInitialization) { TEST_P(UncheckedOptionalAccessTest, OptionalValueInitialization) {
// FIXME: Fix when to initialize `value`. All unwrapping should be safe in
// this example, but `value` initialization is done multiple times during the
// fixpoint iterations and joining the environment won't correctly merge them.
ExpectDiagnosticsFor( ExpectDiagnosticsFor(
R"( R"(
#include "unchecked_optional_access_test.h" #include "unchecked_optional_access_test.h"
using Foo = $ns::$optional<std::string>; using Foo = $ns::$optional<std::string>;
void target($ns::$optional<Foo> foo, bool b) { void target($ns::$optional<Foo> foo, bool b) {
if (!foo.has_value()) return; if (!foo.has_value()) return;
if (b) { if (b) {
if (!foo->has_value()) return; if (!foo->has_value()) return;
// We have created `foo.value()`. // We have created `foo.value()`.
foo->value(); foo->value();
} else { } else {
if (!foo->has_value()) return; if (!foo->has_value()) return;
// We have created `foo.value()` again, in a different environment. // We have created `foo.value()` again, in a different environment.
foo->value(); foo->value();
} }
// Now we merge the two values. UncheckedOptionalAccessModel::merge() will // Now we merge the two values. UncheckedOptionalAccessModel::merge() will
// throw away the "value" property. // throw away the "value" property.
foo->value(); // [[unsafe]] foo->value();
} }
)"); )");
} }
// This test is aimed at the core model, not the diagnostic. It is a regression // This test is aimed at the core model, not the diagnostic. It is a regression
// test against a crash when using non-trivial smart pointers, like // test against a crash when using non-trivial smart pointers, like
// `std::unique_ptr`. As such, it doesn't test the access itself, which would be // `std::unique_ptr`. As such, it doesn't test the access itself, which would be
// ignored regardless because of `IgnoreSmartPointerDereference = true`, above. // ignored regardless because of `IgnoreSmartPointerDereference = true`, above.
▲ Show 20 LinesShow All 410 LinesShow Last 20 Lines