This is an archive of the discontinued LLVM Phabricator instance.

Differential D153960

[clang][dataflow] Don't crash when creating pointers to members.
ClosedPublic

Authored by mboehme on Jun 28 2023, 4:33 AM.

Details

Reviewers
NoQ
sammccall
xazax.hun
gribozavr2
Commits
rG1d7f9ce61f6e: [clang][dataflow] Don't crash when creating pointers to members.
Summary

The newly added tests crash without the other changes in this patch.

Diff Detail

Event Timeline

mboehme created this revision.Jun 28 2023, 4:33 AM
Herald added a reviewer: NoQ. · View Herald TranscriptJun 28 2023, 4:33 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, xazax.hun. · View Herald Transcript
mboehme requested review of this revision.Jun 28 2023, 4:33 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 28 2023, 4:33 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
mboehme added reviewers: sammccall, xazax.hun.Jun 28 2023, 4:33 AM
gribozavr2 requested changes to this revision.Jun 28 2023, 4:50 AM
gribozavr2 added a subscriber: gribozavr2.

Using PointerValue to model pointers to data members does not look right to me, because a pointer to data member is an offset within an object that we apply this pointer to, it is not a specific storage location.

I think we either shouldn't be modeling them at all (current implementation) and fix any crashes in the downstream code to allow non-modeled constructs in more places, or we should have a distinct kind of Value for pointers to members.

This revision now requires changes to proceed.Jun 28 2023, 4:50 AM
Harbormaster completed remote builds in B241743: Diff 535326.Jun 28 2023, 5:05 AM
sammccall accepted this revision.Jun 28 2023, 5:12 AM

Per offline discussion, I think modelling pointer-to-member as PointerValue does make sense, though that's not completely obvious.
Can we document this on PointerValue? (And that it points to a StorageLocation for the decl, which has no value)

clang/lib/Analysis/FlowSensitive/Transfer.cpp
236

I'm a bit confused by this. Why bail out rather than create the storage location?

C::x is going to be part of &C::x, and we're going to create the storagelocation by calling getStorageLocation() on line 456. So why not do it already?

mboehme added a comment.Jun 28 2023, 6:25 AM
In D153960#4455661, @gribozavr2 wrote:

Using PointerValue to model pointers to data members does not look right to me, because a pointer to data member is an offset within an object that we apply this pointer to, it is not a specific storage location.

I think we either shouldn't be modeling them at all (current implementation) and fix any crashes in the downstream code to allow non-modeled constructs in more places, or we should have a distinct kind of Value for pointers to members.

After some offline discussion, I'll proceed by not modeling pointers to members at all for the time being (i.e. not associating them with a Value) but fixing the crashes.

Modeling pointers-to-members as a PointerValue works to the extent that it allows us to compare different pointers-to-members for equality, but where it breaks down is if we want to dereference them (assuming that we know unambiguously what value the pointer-to-member will have). At that point, what we would probably want is some MemberPointerValue that refers to the Decl for the field or member function being referenced.

I'll ping this patch once it's ready to review again.

mboehme marked an inline comment as done.Jun 28 2023, 6:26 AM
mboehme added inline comments.
clang/lib/Analysis/FlowSensitive/Transfer.cpp
236

We can't associate a storage location with *S because it's not a glvalue, and only glvalues are allowed to be associated with storage locations. So we have to defer this work until we get to the & operator.

mboehme updated this revision to Diff 535401.Jun 28 2023, 7:25 AM
mboehme marked an inline comment as done.

Don't produce values for pointers to members. For consistency, also make
the NullToMemberPointer cast not produce any values.

mboehme added a comment.Jun 28 2023, 7:27 AM

PTAL

clang/lib/Analysis/FlowSensitive/Transfer.cpp
447

While I'm here, streamline the code for the not-pointer-to-member case.

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
2536

Noticed that the parameter here was unused, so I removed it.

gribozavr2 accepted this revision.Jun 28 2023, 8:01 AM
This revision is now accepted and ready to land.Jun 28 2023, 8:01 AM
Harbormaster completed remote builds in B241789: Diff 535401.Jun 28 2023, 8:28 AM
xazax.hun accepted this revision.Jun 28 2023, 8:46 AM
mboehme added a comment.Jun 28 2023, 11:38 PM

Pre-merge failure looks unrelated

mboehme retitled this revision from [clang][dataflow] Implement support for pointers to members. to [clang][dataflow] Don't crash when creating pointers to members..Jun 28 2023, 11:42 PM
This revision was landed with ongoing or failed builds.Jun 29 2023, 12:13 AM
Closed by commit rG1d7f9ce61f6e: [clang][dataflow] Don't crash when creating pointers to members. (authored by mboehme). · Explain Why
This revision was automatically updated to reflect the committed changes.
mboehme added a commit: rG1d7f9ce61f6e: [clang][dataflow] Don't crash when creating pointers to members..

Revision Contents

PathSize
clang/
lib/
Analysis/
FlowSensitive/
26 lines
unittests/
Analysis/
FlowSensitive/
55 lines

Diff 535651

clang/lib/Analysis/FlowSensitive/Transfer.cpp

Show First 20 LinesShow All 225 Lines▼ Show 20 Lines void VisitBinaryOperator(const BinaryOperator *S) {
default: default:
break; break;
} }
} }
void VisitDeclRefExpr(const DeclRefExpr *S) { void VisitDeclRefExpr(const DeclRefExpr *S) {
const ValueDecl *VD = S->getDecl(); const ValueDecl *VD = S->getDecl();
assert(VD != nullptr); assert(VD != nullptr);
// `DeclRefExpr`s to fields and non-static methods aren't glvalues, and
// there's also no sensible `Value` we can assign to them, so skip them.
sammccallUnsubmitted
Done
ReplyInline Actions

I'm a bit confused by this. Why bail out rather than create the storage location?

C::x is going to be part of &C::x, and we're going to create the storagelocation by calling getStorageLocation() on line 456. So why not do it already?

sammccall: I'm a bit confused by this. Why bail out rather than create the storage location? `C::x` is…
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

We can't associate a storage location with *S because it's not a glvalue, and only glvalues are allowed to be associated with storage locations. So we have to defer this work until we get to the & operator.

mboehme: We can't associate a storage location with `*S` because it's not a glvalue, and only glvalues…
if (isa<FieldDecl>(VD))
return;
if (auto *Method = dyn_cast<CXXMethodDecl>(VD);
Method && !Method->isStatic())
return;
auto *DeclLoc = Env.getStorageLocation(*VD); auto *DeclLoc = Env.getStorageLocation(*VD);
if (DeclLoc == nullptr) if (DeclLoc == nullptr)
return; return;
Env.setStorageLocationStrict(*S, *DeclLoc); Env.setStorageLocationStrict(*S, *DeclLoc);
} }
void VisitDeclStmt(const DeclStmt *S) { void VisitDeclStmt(const DeclStmt *S) {
▲ Show 20 LinesShow All 150 Lines▼ Show 20 Lines case CK_UserDefinedConversion:
// CK_ConstructorConversion, and CK_UserDefinedConversion. // CK_ConstructorConversion, and CK_UserDefinedConversion.
case CK_NoOp: { case CK_NoOp: {
// FIXME: Consider making `Environment::getStorageLocation` skip noop // FIXME: Consider making `Environment::getStorageLocation` skip noop
// expressions (this and other similar expressions in the file) instead // expressions (this and other similar expressions in the file) instead
// of assigning them storage locations. // of assigning them storage locations.
propagateValueOrStorageLocation(*SubExpr, *S, Env); propagateValueOrStorageLocation(*SubExpr, *S, Env);
break; break;
} }
case CK_NullToPointer: case CK_NullToPointer: {
case CK_NullToMemberPointer: {
auto &Loc = Env.createStorageLocation(S->getType()); auto &Loc = Env.createStorageLocation(S->getType());
Env.setStorageLocation(*S, Loc); Env.setStorageLocation(*S, Loc);
auto &NullPointerVal = auto &NullPointerVal =
Env.getOrCreateNullPointerValue(S->getType()->getPointeeType()); Env.getOrCreateNullPointerValue(S->getType()->getPointeeType());
Env.setValue(Loc, NullPointerVal); Env.setValue(Loc, NullPointerVal);
break; break;
} }
case CK_NullToMemberPointer:
// FIXME: Implement pointers to members. For now, don't associate a value
// with this expression.
break;
case CK_FunctionToPointerDecay: case CK_FunctionToPointerDecay:
case CK_BuiltinFnToFnPtr: { case CK_BuiltinFnToFnPtr: {
StorageLocation *PointeeLoc = StorageLocation *PointeeLoc =
Env.getStorageLocation(*SubExpr, SkipPast::Reference); Env.getStorageLocation(*SubExpr, SkipPast::Reference);
if (PointeeLoc == nullptr) if (PointeeLoc == nullptr)
break; break;
auto &PointerLoc = Env.createStorageLocation(*S); auto &PointerLoc = Env.createStorageLocation(*S);
Show All 17 Lines case UO_Deref: {
cast_or_null<PointerValue>(Env.getValueStrict(*SubExpr)); cast_or_null<PointerValue>(Env.getValueStrict(*SubExpr));
if (SubExprVal == nullptr) if (SubExprVal == nullptr)
break; break;
Env.setStorageLocationStrict(*S, SubExprVal->getPointeeLoc()); Env.setStorageLocationStrict(*S, SubExprVal->getPointeeLoc());
break; break;
} }
case UO_AddrOf: { case UO_AddrOf: {
// Do not form a pointer to a reference. If `SubExpr` is assigned a // FIXME: Model pointers to members.
// `ReferenceValue` then form a value that points to the location of its if (S->getType()->isMemberPointerType())
// pointee.
StorageLocation *PointeeLoc = Env.getStorageLocationStrict(*SubExpr);
if (PointeeLoc == nullptr)
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

While I'm here, streamline the code for the not-pointer-to-member case.

mboehme: While I'm here, streamline the code for the not-pointer-to-member case.
break; break;
if (StorageLocation *PointeeLoc = Env.getStorageLocationStrict(*SubExpr))
Env.setValueStrict(*S, Env.create<PointerValue>(*PointeeLoc)); Env.setValueStrict(*S, Env.create<PointerValue>(*PointeeLoc));
break; break;
} }
case UO_LNot: { case UO_LNot: {
auto *SubExprVal = auto *SubExprVal =
dyn_cast_or_null<BoolValue>(Env.getValueStrict(*SubExpr)); dyn_cast_or_null<BoolValue>(Env.getValueStrict(*SubExpr));
if (SubExprVal == nullptr) if (SubExprVal == nullptr)
break; break;
▲ Show 20 LinesShow All 423 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp

Show First 20 LinesShow All 2,524 Lines▼ Show 20 Lines runDataflow(
EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull()); EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull());
const StorageLocation &NullPointeeLoc = NullVal->getPointeeLoc(); const StorageLocation &NullPointeeLoc = NullVal->getPointeeLoc();
EXPECT_TRUE(isa<ScalarStorageLocation>(NullPointeeLoc)); EXPECT_TRUE(isa<ScalarStorageLocation>(NullPointeeLoc));
EXPECT_THAT(Env.getValue(NullPointeeLoc), IsNull()); EXPECT_THAT(Env.getValue(NullPointeeLoc), IsNull());
}); });
} }
TEST(TransferTest, PointerToMemberVariable) {
std::string Code = R"(
struct S {
int i;
};
void target() {
int S::*MemberPointer = &S::i;
// [[p]]
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
const Environment &Env = getEnvironmentAtAnnotation(Results, "p");
const ValueDecl *MemberPointerDecl =
findValueDecl(ASTCtx, "MemberPointer");
ASSERT_THAT(MemberPointerDecl, NotNull());
ASSERT_THAT(Env.getValue(*MemberPointerDecl), IsNull());
});
}
TEST(TransferTest, PointerToMemberFunction) {
std::string Code = R"(
struct S {
void Method();
};
void target() {
void (S::*MemberPointer)() = &S::Method;
// [[p]]
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
const Environment &Env = getEnvironmentAtAnnotation(Results, "p");
const ValueDecl *MemberPointerDecl =
findValueDecl(ASTCtx, "MemberPointer");
ASSERT_THAT(MemberPointerDecl, NotNull());
ASSERT_THAT(Env.getValue(*MemberPointerDecl), IsNull());
});
}
TEST(TransferTest, NullToMemberPointerCast) { TEST(TransferTest, NullToMemberPointerCast) {
std::string Code = R"( std::string Code = R"(
struct Foo {}; struct Foo {};
void target(Foo *Foo) { void target() {
mboehmeAuthorUnsubmitted
Done
ReplyInline Actions

Noticed that the parameter here was unused, so I removed it.

mboehme: Noticed that the parameter here was unused, so I removed it.
int Foo::*MemberPointer = nullptr; int Foo::*MemberPointer = nullptr;
// [[p]] // [[p]]
} }
)"; )";
runDataflow( runDataflow(
Code, Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results, [](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) { ASTContext &ASTCtx) {
ASSERT_THAT(Results.keys(), UnorderedElementsAre("p")); ASSERT_THAT(Results.keys(), UnorderedElementsAre("p"));
const Environment &Env = getEnvironmentAtAnnotation(Results, "p"); const Environment &Env = getEnvironmentAtAnnotation(Results, "p");
const ValueDecl *MemberPointerDecl = const ValueDecl *MemberPointerDecl =
findValueDecl(ASTCtx, "MemberPointer"); findValueDecl(ASTCtx, "MemberPointer");
ASSERT_THAT(MemberPointerDecl, NotNull()); ASSERT_THAT(MemberPointerDecl, NotNull());
ASSERT_THAT(Env.getValue(*MemberPointerDecl), IsNull());
const auto *MemberPointerVal =
cast<PointerValue>(Env.getValue(*MemberPointerDecl));
const StorageLocation &MemberLoc = MemberPointerVal->getPointeeLoc();
EXPECT_THAT(Env.getValue(MemberLoc), IsNull());
}); });
} }
TEST(TransferTest, AddrOfValue) { TEST(TransferTest, AddrOfValue) {
std::string Code = R"( std::string Code = R"(
void target() { void target() {
int Foo; int Foo;
int *Bar = &Foo; int *Bar = &Foo;
▲ Show 20 LinesShow All 2,945 LinesShow Last 20 Lines