This is an archive of the discontinued LLVM Phabricator instance.

Differential D159248

[clang][dataflow] Fix crash when struct with inheritance is initialized with InitExpr
AbandonedPublic

Authored by kinu on Aug 30 2023, 11:37 PM.

Details

Reviewers
NoQ
Summary

This fix still leaves inherited fields from base classes unpopulated
(even if they are accessed in the code), and might cause false
positives, but fix crashes that could happen because of source /
destination mismatches.

More details:
When a struct is declared, the Record value of the struct is usually
initialized with Environment::createValue() which internally calls
getObjectFields() (via filtering in DACtx::getModeledFields())
to collects all fields from the current and base classes.

However, if a struct is initialized with InitListExpr, its fields are
initialized based on what is returned by getFieldsForInitListExpr(),
which doesn't collect fields from base classes. Moreover, if the base
classes have their own InitListExpr, those InitListExpr's are also
visited, but the field values and locations that are initialized by
them are not merged when the child class's InitListExpr is visited.

This change adds a new getChildOrError() method in StorageLocation
and uses it in copyRecord(), so that only the fields that exist in
both record can be copied. A follow-up change can add more proper fix
around InitListExpr.

Diff Detail

Event Timeline

kinu created this revision.Aug 30 2023, 11:37 PM
Herald added a reviewer: NoQ. · View Herald TranscriptAug 30 2023, 11:37 PM
Herald added a project: Restricted Project. · View Herald Transcript
kinu requested review of this revision.Aug 30 2023, 11:37 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 30 2023, 11:37 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
kinu updated this revision to Diff 554906.Aug 30 2023, 11:40 PM

updated comment

kinu edited the summary of this revision. (Show Details)Aug 30 2023, 11:41 PM
kinu retitled this revision from Fix crash when struct with inheritance is initialized with InitExpr to [clang][dataflow] Fix crash when struct with inheritance is initialized with InitExpr.
Herald added subscribers: martong, xazax.hun. · View Herald TranscriptAug 30 2023, 11:42 PM
kinu abandoned this revision.Sep 4 2023, 9:55 AM

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
FlowSensitive/
14 lines
lib/
Analysis/
FlowSensitive/
5 lines
unittests/
Analysis/
FlowSensitive/
83 lines

Diff 554906

clang/include/clang/Analysis/FlowSensitive/StorageLocation.h

Show All 12 Lines
#ifndef LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_STORAGELOCATION_H #ifndef LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_STORAGELOCATION_H
#define LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_STORAGELOCATION_H #define LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_STORAGELOCATION_H
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/AST/Type.h" #include "clang/AST/Type.h"
#include "llvm/ADT/DenseMap.h" #include "llvm/ADT/DenseMap.h"
#include "llvm/Support/Debug.h" #include "llvm/Support/Debug.h"
#include "llvm/Support/ErrorOr.h"
#include <cassert> #include <cassert>
#define DEBUG_TYPE "dataflow" #define DEBUG_TYPE "dataflow"
namespace clang { namespace clang {
namespace dataflow { namespace dataflow {
/// Base class for elements of the local variable store and of the heap. /// Base class for elements of the local variable store and of the heap.
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Lines LLVM_DEBUG({
llvm::dbgs() << Field->getNameAsString() << "\n"; llvm::dbgs() << Field->getNameAsString() << "\n";
} }
} }
}); });
assert(It != Children.end()); assert(It != Children.end());
return It->second; return It->second;
} }
/// Returns the child storage location for `D` if it exists.
///
/// Same as `getChild()`, but returns llvm::Error if the field `D` does not
/// exist. Most users should use `getChild()` instead, except for the code
/// that performs deep copy of two records of the same class, where a field
/// in one record may not exist in another record.
llvm::ErrorOr<StorageLocation *> getChildOrError(const ValueDecl &D) const {
auto It = Children.find(&D);
if (It == Children.end())
return std::errc::invalid_argument;
return It->second;
}
/// Changes the child storage location for a field `D` of reference type. /// Changes the child storage location for a field `D` of reference type.
/// All other fields cannot change their storage location and always retain /// All other fields cannot change their storage location and always retain
/// the storage location passed to the `RecordStorageLocation` constructor. /// the storage location passed to the `RecordStorageLocation` constructor.
/// ///
/// Requirements: /// Requirements:
/// ///
/// `D` must have reference type. /// `D` must have reference type.
void setChild(const ValueDecl &D, StorageLocation *Loc) { void setChild(const ValueDecl &D, StorageLocation *Loc) {
Show All 21 Lines

clang/lib/Analysis/FlowSensitive/RecordOps.cpp

Show All 30 Lines LLVM_DEBUG({
if (!compatibleTypes) { if (!compatibleTypes) {
llvm::dbgs() << "Source type " << Src.getType() << "\n"; llvm::dbgs() << "Source type " << Src.getType() << "\n";
llvm::dbgs() << "Destination type " << Dst.getType() << "\n"; llvm::dbgs() << "Destination type " << Dst.getType() << "\n";
} }
}); });
assert(compatibleTypes); assert(compatibleTypes);
for (auto [Field, DstFieldLoc] : Dst.children()) { for (auto [Field, DstFieldLoc] : Dst.children()) {
StorageLocation *SrcFieldLoc = Src.getChild(*Field); llvm::ErrorOr<StorageLocation *> SrcField = Src.getChildOrError(*Field);
if (!SrcField)
continue;
StorageLocation *SrcFieldLoc = SrcField.get();
assert(Field->getType()->isReferenceType() || assert(Field->getType()->isReferenceType() ||
(SrcFieldLoc != nullptr && DstFieldLoc != nullptr)); (SrcFieldLoc != nullptr && DstFieldLoc != nullptr));
if (Field->getType()->isRecordType()) { if (Field->getType()->isRecordType()) {
copyRecord(cast<RecordStorageLocation>(*SrcFieldLoc), copyRecord(cast<RecordStorageLocation>(*SrcFieldLoc),
cast<RecordStorageLocation>(*DstFieldLoc), Env); cast<RecordStorageLocation>(*DstFieldLoc), Env);
} else if (Field->getType()->isReferenceType()) { } else if (Field->getType()->isReferenceType()) {
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp

Show All 10 Lines
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/ASTMatchers/ASTMatchers.h" #include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Analysis/FlowSensitive/DataflowAnalysisContext.h" #include "clang/Analysis/FlowSensitive/DataflowAnalysisContext.h"
#include "clang/Analysis/FlowSensitive/DataflowEnvironment.h" #include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"
#include "clang/Analysis/FlowSensitive/RecordOps.h" #include "clang/Analysis/FlowSensitive/RecordOps.h"
#include "clang/Analysis/FlowSensitive/StorageLocation.h" #include "clang/Analysis/FlowSensitive/StorageLocation.h"
#include "clang/Analysis/FlowSensitive/Value.h" #include "clang/Analysis/FlowSensitive/Value.h"
#include "clang/Basic/LangStandard.h" #include "clang/Basic/LangStandard.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
#include "llvm/Support/Casting.h"
#include "llvm/Testing/Support/Error.h" #include "llvm/Testing/Support/Error.h"
#include "gmock/gmock.h" #include "gmock/gmock.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include <optional> #include <optional>
#include <string> #include <string>
#include <utility> #include <utility>
namespace { namespace {
▲ Show 20 LinesShow All 1,987 Lines▼ Show 20 Lines runDataflow(
cast<IntegerValue>(getFieldValue(FooLoc3, *BazDecl, Env3)); cast<IntegerValue>(getFieldValue(FooLoc3, *BazDecl, Env3));
const auto *BarBazVal3 = const auto *BarBazVal3 =
cast<IntegerValue>(getFieldValue(BarLoc3, *BazDecl, Env3)); cast<IntegerValue>(getFieldValue(BarLoc3, *BazDecl, Env3));
EXPECT_NE(FooBazVal3, BarBazVal3); EXPECT_NE(FooBazVal3, BarBazVal3);
} }
}); });
} }
TEST(TransferTest, AssignmentOperatorWithInitAndInheritance) {
// This is a crash repro.
std::string Code = R"(
struct B { int Foo; };
struct S : public B {};
void target() {
S S1 = { 1 };
S S2;
S S3;
S1 = S2; // Only Dst has InitListExpr.
S3 = S1; // Only Src has InitListExpr.
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
// FIXME: Add tests to check if `Foo` exists in S1, S2, and S3 once
// initialization with inheritance is fixed.
});
}
TEST(TransferTest, AssignmentOperatorFromCallResult) { TEST(TransferTest, AssignmentOperatorFromCallResult) {
std::string Code = R"( std::string Code = R"(
struct A {}; struct A {};
A ReturnA(); A ReturnA();
void target() { void target() {
A MyA; A MyA;
MyA = ReturnA(); MyA = ReturnA();
▲ Show 20 LinesShow All 214 Lines▼ Show 20 Lines std::string Code = R"(
} }
)"; )";
runDataflow( runDataflow(
Code, Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results, [](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {}); ASTContext &ASTCtx) {});
} }
TEST(TransferTest, CopyConstructorWithInheritance) {
// This is a crash repro.
std::string Code = R"(
struct B { int Foo; };
struct S : public B {};
void target() {
S S1 = { 1 };
S S2(S1);
// [p1]
S2.Foo = 2;
// [p2]
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
// FIXME: Add tests to check if `Foo` exists both in S1 and S2 once
// initialization with inheritance is fixed.
});
}
TEST(TransferTest, CopyConstructorWithBaseInitAndInheritance) {
// This is a crash repro.
std::string Code = R"(
struct Foo { int Bar; };
struct B { Foo F = { 1 }; };
struct S : public B {};
void target() {
S S1 = {};
S S2(S1);
// [p]
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {
// FIXME: Add tests to check if `Bar` exists both in S1 and S2 once
// initialization with inheritance is fixed.
});
}
TEST(TransferTest, MoveConstructor) { TEST(TransferTest, MoveConstructor) {
std::string Code = R"( std::string Code = R"(
namespace std { namespace std {
template <typename T> struct remove_reference { using type = T; }; template <typename T> struct remove_reference { using type = T; };
template <typename T> struct remove_reference<T&> { using type = T; }; template <typename T> struct remove_reference<T&> { using type = T; };
template <typename T> struct remove_reference<T&&> { using type = T; }; template <typename T> struct remove_reference<T&&> { using type = T; };
▲ Show 20 LinesShow All 59 Lines▼ Show 20 Lines runDataflow(
EXPECT_TRUE(recordsEqual(*FooLoc2, Env2, *BarLoc1, Env1)); EXPECT_TRUE(recordsEqual(*FooLoc2, Env2, *BarLoc1, Env1));
const auto *FooBazVal2 = const auto *FooBazVal2 =
cast<IntegerValue>(getFieldValue(FooLoc1, *BazDecl, Env2)); cast<IntegerValue>(getFieldValue(FooLoc1, *BazDecl, Env2));
EXPECT_EQ(FooBazVal2, BarBazVal1); EXPECT_EQ(FooBazVal2, BarBazVal1);
}); });
} }
TEST(TransferTest, ReturnStructWithInheritance) {
// This is a crash repro.
std::string Code = R"(
struct B { int Foo; };
struct S : public B { };
S target() {
S S1 = { 1 };
return S1;
}
)";
runDataflow(
Code,
[](const llvm::StringMap<DataflowAnalysisState<NoopLattice>> &Results,
ASTContext &ASTCtx) {});
}
TEST(TransferTest, BindTemporary) { TEST(TransferTest, BindTemporary) {
std::string Code = R"( std::string Code = R"(
struct A { struct A {
virtual ~A() = default; virtual ~A() = default;
int Baz; int Baz;
}; };
▲ Show 20 LinesShow All 3,403 LinesShow Last 20 Lines