This is an archive of the discontinued LLVM Phabricator instance.

Differential D24246

StaticAnalyzer - MisusedMovedObjectChecker
ClosedPublic

Authored by szepet on Sep 6 2016, 3:07 AM.

Details

Reviewers
dcoughlin
zaks.anna
NoQ
xazax.hun
Commits
rG356151ff5fd2: [analyzer] Add MisusedMovedObjectChecker for detecting use-after-move errors.
rC298698: [analyzer] Add MisusedMovedObjectChecker for detecting use-after-move errors.
rL298698: [analyzer] Add MisusedMovedObjectChecker for detecting use-after-move errors.
Summary

A checker implementation which checks for various cases when a moved-from object is potentially misused.
That means That means method calls on the object or copying it in moved-from state.

Diff Detail

Event Timeline

szepet updated this revision to Diff 70369.Sep 6 2016, 3:07 AM
szepet retitled this revision from to StaticAnalyzer - MisusedMovedObjectChecker.
szepet updated this object.
szepet added reviewers: xazax.hun, zaks.anna, NoQ.
szepet added a subscriber: o.gyorgy.
szepet updated this revision to Diff 70389.Sep 6 2016, 5:12 AM

removed empty file which was added by mistake

xazax.hun added a reviewer: dcoughlin.Sep 6 2016, 7:10 AM
xazax.hun edited edge metadata.Sep 14 2016, 12:01 PM

We should compare this patch with the just released tidy checker: https://github.com/llvm-mirror/clang-tools-extra/commit/5434827564c9c3741c63b4dc368b37a630857e29

zaks.anna edited edge metadata.Sep 14 2016, 12:37 PM

The clang-tidy check that Gabor has pointed to has a lot of great test cases!

The main differences I see are:

  • It would be much easier to write a static analyzer check for this since the infrastructure for reasoning about ordered events is already in place.
  • I suspect one of the examples the clang-tidy check will not handle well is something like this:

    A a(42, 42.0); A b; if (cond) b = std::move(a); if (!cond) a.foo();

This is a classical example where path sensitivity is needed not to report a false positive.

  • I am guessing the check is intra-procedural as well.

(It would be great if someone could confirm these are actually true:))

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
33

nit: Please define MoveStmt before the constructor.

120

Please, add text diagnostic tests for the bug visitor.

140

When is this condition hit? Please, add a test case.

150

nit: Would be good to special case and capitalize the case where the ObjectName is not known.

180

"Unspecified usage of a 'moved-from' object" -> "Usage of a 'moved-from' object"

181

For consistency with other category names, how about "C++ move semantics"?

258

Why is this necessary? Why using checkPointerEscape is not enough?

test/Analysis/MisusedMovedObject.cpp
50

Adding "//no-warning" on lines where you explicitly test that a warning is not produced will simplify with readability and maintainability.

109

How about improving the wording a bit: "Method call on a 'moved-from' object 'a'". Note, all diagnostic messages should be capitalized.

szepet updated this revision to Diff 73216.EditedOct 2 2016, 6:03 AM
szepet edited edge metadata.
szepet marked 8 inline comments as done.
  • Some refactor based on comments.
  • Updated testfiles.

I checked the tidy checker and I can confirm Anna's statements. To get in details:

  • tidy checker is intraprocedural, so doesn't find the interprocedural case in this testfile (and false positives on right reference calls)
  • mutually exclusive conditions in if statements results false positive
  • In addition, because of no semantic check it does not find the pointer and array examples in this testcase - false negativ
  • However it can find the misuse if it comes from the parameter evaluation order, for example:
foobar(std::move(a), a.getI()); //both checker find the problem
foobar(a.getI(), std::move(a)); //only tidy report a warning

That is the case where we have a false negative.

Herald added subscribers: mgorny, beanz. · View Herald TranscriptOct 2 2016, 6:03 AM
szepet added inline comments.Oct 2 2016, 6:12 AM
lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
258

Based on my tests,checkPointerEscape works on only SymRegion but we needed some more generic approach. (In connection with MemRegions.)
It seems kind of hacking it into this checker and it's probably exactly that but I had no other ideas to implement it.

NoQ added inline comments.Oct 3 2016, 12:21 AM
lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
258

As far as i understand, at a glance, this code invalidates the program state trait for objects that have escaped into a function.

This makes me think you should be taking check::RegionChanges here. See CStringChecker as an example. This callback would save you a large amount of code by presenting a list of superregions that cover all invalidated regions (well, you can't list all of them). It automatically handles regions pointed to by contents of invalidated regions etc., which you'd still want to handle.

check::PointerEscape is truly not enough because it handles only symbolic pointers, while you are also interested in concrete pointers (such as VarRegion).

There's a bit of a mess with these callbacks which we're trying to sort out (http://lists.llvm.org/pipermail/cfe-dev/2016-September/050792.html), but it shouldn't affect you.

szepet added inline comments.Oct 6 2016, 8:09 AM
lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
258

I have tried this callback on some trivial examples.
It seems it solves this problem (function calls with no body), however, in cases when a constructor /destructor called, the callback provides only the members regions in the ExplicitRegions. In case of destructor the Regions contains the element's region, but unfortunately it is not always right to iterate over the whole Regions array.
For example: Destructor calls on an array element would cause invalidating the whole array.

So this callback can help on this one, and it would be structured invalidating instead of this hacking. However, the invalidating in the checkPreCall still needed. (constructorcall, destructorcall...)

Am I right or did I miss/misunderstand something?

NoQ added inline comments.Oct 7 2016, 3:47 AM
lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
258

Hmm, i think i want to know more about that. Could you post a version of the patch with checkRegionChanges and the failing test, which you are trying, in case you already have it?

Destructor calls on an array element would cause invalidating the whole array.

Yyeeeah, that's right, we're always invalidating the whole base region. Essentially, you can get from one array element to another array element with a reliable pointer arithmetic (eg. "this - 1" in your case). And i agree that for your case this ultraconservative invalidation is definitely worth lifting.

in cases when a constructor /destructor called, the callback provides only the members regions in the ExplicitRegions

That's probably because the constructor/destructor was inlined, otherwise how would he know what members are there? In this case, there is actually no invalidation, just separate callbacks for every store bind of every member. And in this case...

However, the invalidating in the checkPreCall still needed. (constructorcall, destructorcall...)

... in this case, yeah, this is definitely needed. This is private logic of your checker, the analyzer couldn't have guessed that a perfectly inlined call, without any invalidations, may have such special meaning for your checker.

However, if the constructor/destructor wasn't inlined, then i expect the object to be present in explicit regions. If it isn't there, it's probably worth adding on the core side rather than hacking in checkers.

So in my opinion this leaves us with standard checkRegionChanges and special code for inlined constructors/destructors.

263

By the way, we have C.wasInlined, would it be more useful/accurate here?

zaks.anna added a comment.Oct 11 2016, 10:23 AM

Please, add the tests from test/clang-tidy/misc-use-after-move.cpp so that we have better test coverage.

zaks.anna added a comment.Dec 9 2016, 11:25 PM

Peter, Do you plan on addressing the review comments or can we commander the revision?

szepet added a comment.Dec 13 2016, 2:09 AM

I wasn't able to find time for this checker the last few weeks, but my schedule became much lighter and I plan to commit the required changes (and a bugfix) next week. Starting from next week I can work on the checker on a daily basis. Hopefully it can make it into 4.0.

szepet updated this revision to Diff 82469.Dec 25 2016, 5:58 AM
szepet marked 2 inline comments as done.

Test cases updated.
Some invalidation moved to checkRegionChanges callback.
Missing feature added: do not report an SubRegion if any of its SuperRegion is already reported

NoQ edited edge metadata.Jan 19 2017, 4:03 AM

Thanks for looking into the region-changes approach, and sorry for the delay in replies.
I think we're close to seeing this checker merged, as it looks great.
A few smaller comments.

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
155

Could we use the static PathDiagnosticLocation::getStmt(N) function for obtaining S? That'd be the statement of the program point of the node. This way we don't need to store the statement in the program state. Or are you looking for a different statement?

231

Hmm. Is this not caught by checkDeadSymbols? I expect parameter regions to die eventually. It should not only catch regions themselves, but also regions to which they contain pointers.

479

I definitely admire this trick. However, it only works when the object from which we move is "opaque" enough: for example, if at least one body of its setter methods is available in the current translation unit, we could easily see an arbitrary symbol inside the object (not necessarily having this object as its origin region, probably reassigned from other regions or even conjured), and the code will have no effect.

szepet added inline comments.Feb 6 2017, 3:22 AM
lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
231

Lets consider the next case:

struct C {};

void f(C c)
{
  C b = std::move(c);
 //...
}

void g()
{
  C c;
  for(int i = 0;i<2;i++)
  {
    f(c);
  }
}

During the analysis of g() the checker will report that an already moved object will be copied. (Since it is passed by value).
So the main problem was these for loops and resulted false positives as well when i ran the checker on the llvm codebase.
The problem can be come from that tha analyzer doesnt see any difference between the call since not just the parameter but their location are the same and that cause the problem. This is reason why came up with that not so elegant solution.

Please correct me if I'm wrong or let me know in case you know a solution for that but I was not able to write checkDeadSymbols callback to handle that.

479

Well I planned to remove this callback and only remained in the code by mistake. As I understand it is unnecessary since checkRegionChanges will handle these cases, I needed it just before it was implemented. So yes, you are right but this callback can (and should) be removed.

Do you agree?

szepet updated this revision to Diff 87218.Feb 6 2017, 6:25 AM
szepet marked an inline comment as done.

CheckPointerEscape callback removed since checkRegionChanges handle all the necessary cases.
Member MoveStmt removed from RegionState.
+Some typo fixes in comments.

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
155

No, you are right. First I tried to compare the RegionStates so I the statements for operator== but then the code changed and I havent refactored this part.

NoQ added a comment.Feb 9 2017, 6:59 AM

This checker would need a bit of rebase before landing, but i think it's almost good to land. I'd even consider enabling by default after some evaluation, unless there are many known false positives - with an awesome test suite and very detailed bugreports, i think it's quite worth it.

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
1

This line needs some care (alignment, maybe a short description).

231

Hmm. Debugged this a bit.

Well, they are different objects. c from the old call and c from the new call are different objects, they may even have different addresses on the stack.

The analyzer should normally be noticing the difference between these two objects and represent them with different memory regions. Even though they're represented by VarRegions with same VarDecls, these regions should differ by having different super-regions, namely different StackArgumentsSpaceRegion instances, which, in turn, are different because they are built over different StackFrameContext instances.

But unfortunately in this case the StackFrameContext is the same, because it doesn't include the call site block count! So as long as the call site's statement is the same on subsequent calls, such as in the loop, we run into this problem.

This should be fixed on StackFrameContext side. D19979 should have addressed that, but it ran into problems and doesn't seem to be landing soon. For now, i guess i'd try to add a block count directly to StackFrameContext when i have time, it should be trivial. Then your checkEndFunction callback will be unnecessary.

I'm still curious why checkDeadSymbols doesn't kill these map items, but i guess we already have a bigger problem to tackle.

Could you add this test to your test set for now?

szepet updated this revision to Diff 88200.Feb 13 2017, 7:23 AM
szepet marked 2 inline comments as done.

Small infotext added and test cases updated. (More loop test to make sure the checkEndFunction workaround works fine.)

xazax.hun added a comment.Feb 13 2017, 8:47 AM

There is a CERT C++ Secure Coding Standard rule that is very similar to this check. I think you should mention this rule somewhere in the documentation or comments (but do not imply that this check conforms to that rule since it is not guaranteed that it finds all those issues).

The description of the rule also contains several useful exceptions that you can check whether your checker already has implemented: https://www.securecoding.cert.org/confluence/display/cplusplus/EXP63-CPP.+Do+not+rely+on+the+value+of+a+moved-from+object

kromanenkov added a subscriber: kromanenkov.Feb 14 2017, 7:40 AM
NoQ accepted this revision.Feb 16 2017, 8:11 AM

I believe this checker is great and should be merged. Do you have commit access? If not, could you rebase the checker to the top of trunk? because the patch doesn't apply cleanly anymore.

This revision is now accepted and ready to land.Feb 16 2017, 8:11 AM
zaks.anna added a comment.Feb 16 2017, 12:19 PM

Great to see this converging? What is left before you would recommend turning this on by default?
You mention evaluating this on LLVM codebase. What were the results?

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
231

But unfortunately in this case the StackFrameContext is the same, because it doesn't include the call site block count! So as long as the call site's statement is the same on subsequent calls, such as in the loop, we run into this problem.

This sounds scary! Can you file a bug/PR about it with a reduced test case.
Can we refer to the PR here if we think this code should change once the PR is fixed?

479

Has this been resolved?

test/Analysis/MisusedMovedObject.cpp
231

Can you please split these notes so that each one is on a separate line? You can use // expected-note@+1 to show that there is 1 line difference between the locations.

NoQ added a comment.Mar 7 2017, 2:24 AM

Hello,

I tested this checker on WebKit code. It seems to work as expected, and i liked the support for WTFMove(). However i suddenly realized that it is not always unsafe to use a moved-from object, as discussed in detail at, for example, http://stackoverflow.com/a/7028318 . The checker already includes a state-reset method list, however there are also methods that are generally safe to call and possibly useful (such as .size()) or methods that don't entirely reset the state but affect it (.resize()?). People may use these tricks to improve performance. We shouldn't flag these tricks in a checker that is enabled by default, because it'd make people change and regress working code.

I guess the solution is to come up with more detailed heuristics to figure out which methods are safe and which aren't - either larger lists of methods, or regex-based analysis over method names. Would you be willing to come up with those in a follow-up patch? We may also have a look eventually, because we believe this checker is useful :)

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
231

Filed: http://bugs.llvm.org/show_bug.cgi?id=32163

Also recalled that fixing StackFrameContext is not enough to get rid of this problem entirely, because the inner function call is not bound to exist.

479

Yep.

szepet added a subscriber: dkrupp.Mar 7 2017, 8:32 AM
szepet updated this revision to Diff 90978.Mar 7 2017, 6:58 PM
szepet marked an inline comment as done.

Done in this diff:

  • branch rebase
  • check comments in the test file separated to lines (only notes with the same messages are in the same line)

I have runned the checker on the LLVM source, it can be viewed here: http://cc.elte.hu:15001/#run=1 .
This checker reported 44 bugs, but let me summarize them:

  • 22 bug from the same location (/mnt/storage/szepet/dev/CodeChecker/llvm/include/llvm/Support/Error.h:841) which is a false positive and it was resulted by not tracking the bitfields (bool Unchecked : 1; ).
  • 6 from the toy.cpp-s and they are a true positve in my opinion (http://cc.elte.hu:15001/#run=1&report=351)
  • 5 from the test files where some specific class's function was tested in moved state (e.g. http://cc.elte.hu:15001/#run=1&report=48)
  • 11 various report but the checker worked as expected (it could be 4 less with better heuristics but probably it would be better to commit the heuristics in a follow up patch)
szepet added a comment.EditedMar 7 2017, 7:10 PM

I guess the solution is to come up with more detailed heuristics to figure out which methods are safe and which aren't - either larger lists of methods, or regex-based analysis over method names. Would you be willing to come up with those in a follow-up patch? We may also have a look eventually, because we believe this checker is useful :)

Yeah, for sure I would really like to work on that! Once this is accepted I will start to figure out some heuristics and experiment with them.

xazax.hun accepted this revision.Mar 13 2017, 7:25 AM

I only found two nits. In case you think this is ready to commit, let me know.

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
3

Nit, it looks like the description is too long and the end of the first line is moved to the second.

test/Analysis/MisusedMovedObject.cpp
2

Nit: due to the upcomming Z3 support (as a constraint solver), you should use %clang_analyze_cc1 instead of %clang_cc1

szepet updated this revision to Diff 92399.Mar 20 2017, 4:27 PM
szepet marked 5 inline comments as done.

Nit resolved.

Closed by commit rL298698: [analyzer] Add MisusedMovedObjectChecker for detecting use-after-move errors. (authored by dergachev). · Explain WhyMar 24 2017, 3:04 AM
This revision was automatically updated to reflect the committed changes.
NoQ added a comment.Mar 24 2017, 3:18 AM

I committed the checker. Thanks / congrats / all the stuff!

I've also been thinking that when doing move-after-move, we should probably say "Moving a 'moved-from' object..." rather than "Copying...".

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Checkers/
7 lines
lib/
StaticAnalyzer/
Checkers/
1 line
486 lines
test/
Analysis/
533 lines

Diff 87218

include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 262 Lines▼ Show 20 Lines
} // end: "cplusplus" } // end: "cplusplus"
let ParentPackage = CplusplusAlpha in { let ParentPackage = CplusplusAlpha in {
def VirtualCallChecker : Checker<"VirtualCall">, def VirtualCallChecker : Checker<"VirtualCall">,
HelpText<"Check virtual function calls during construction or destruction">, HelpText<"Check virtual function calls during construction or destruction">,
DescFile<"VirtualCallChecker.cpp">; DescFile<"VirtualCallChecker.cpp">;
def MisusedMovedObjectChecker: Checker<"MisusedMovedObject">,
HelpText<"Method calls on a moved-from object and copying a moved-from "
"object will be reported">,
DescFile<"MisusedMovedObject.cpp">;
} // end: "alpha.cplusplus" } // end: "alpha.cplusplus"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Valist checkers. // Valist checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = ValistAlpha in { let ParentPackage = ValistAlpha in {
▲ Show 20 LinesShow All 303 Lines▼ Show 20 Linesdef DirectIvarAssignmentForAnnotatedFunctions : Checker<"DirectIvarAssignmentForAnnotatedFunctions">,
HelpText<"Check for direct assignments to instance variables in the methods annotated with objc_no_direct_instance_variable_assignment">, HelpText<"Check for direct assignments to instance variables in the methods annotated with objc_no_direct_instance_variable_assignment">,
DescFile<"DirectIvarAssignment.cpp">; DescFile<"DirectIvarAssignment.cpp">;
} // end "alpha.osx.cocoa" } // end "alpha.osx.cocoa"
let ParentPackage = CoreFoundation in { let ParentPackage = CoreFoundation in {
def CFNumberChecker : Checker<"CFNumber">, def CFNumberChecker : Checker<"CFNumber">,
HelpText<"Check for proper uses of CFNumber APIs">, HelpText<"Check for proper uses of CFNumber Create">,
DescFile<"BasicObjCFoundationChecks.cpp">; DescFile<"BasicObjCFoundationChecks.cpp">;
def CFRetainReleaseChecker : Checker<"CFRetainRelease">, def CFRetainReleaseChecker : Checker<"CFRetainRelease">,
HelpText<"Check for null arguments to CFRetain/CFRelease/CFMakeCollectable">, HelpText<"Check for null arguments to CFRetain/CFRelease/CFMakeCollectable">,
DescFile<"BasicObjCFoundationChecks.cpp">; DescFile<"BasicObjCFoundationChecks.cpp">;
def CFErrorChecker : Checker<"CFError">, def CFErrorChecker : Checker<"CFError">,
HelpText<"Check usage of CFErrorRef* parameters">, HelpText<"Check usage of CFErrorRef* parameters">,
▲ Show 20 LinesShow All 126 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show All 32 Linesadd_clang_library(clangStaticAnalyzerCheckers
DirectIvarAssignment.cpp DirectIvarAssignment.cpp
DivZeroChecker.cpp DivZeroChecker.cpp
DynamicTypePropagation.cpp DynamicTypePropagation.cpp
DynamicTypeChecker.cpp DynamicTypeChecker.cpp
ExprInspectionChecker.cpp ExprInspectionChecker.cpp
FixedAddressChecker.cpp FixedAddressChecker.cpp
GenericTaintChecker.cpp GenericTaintChecker.cpp
IdenticalExprChecker.cpp IdenticalExprChecker.cpp
MisusedMovedObjectChecker.cpp
IvarInvalidationChecker.cpp IvarInvalidationChecker.cpp
LLVMConventionsChecker.cpp LLVMConventionsChecker.cpp
LocalizationChecker.cpp LocalizationChecker.cpp
MacOSKeychainAPIChecker.cpp MacOSKeychainAPIChecker.cpp
MacOSXAPIChecker.cpp MacOSXAPIChecker.cpp
MallocChecker.cpp MallocChecker.cpp
MallocOverflowSecurityChecker.cpp MallocOverflowSecurityChecker.cpp
MallocSizeofChecker.cpp MallocSizeofChecker.cpp
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp

  • This file was added.
//== MisusedMovedObjectChecker --------------*- C++ -*--==//
NoQUnsubmitted
Done
ReplyInline Actions

This line needs some care (alignment, maybe a short description).

NoQ: This line needs some care (alignment, maybe a short description).
//
// The LLVM Compiler Infrastructure
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit, it looks like the description is too long and the end of the first line is moved to the second.

xazax.hun: Nit, it looks like the description is too long and the end of the first line is moved to the…
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This defines checker which checks for potential misuses of a moved-from
// object. That means method calls on the object or copying it in moved-from
// state.
//
//===----------------------------------------------------------------------===//
#include "ClangSACheckers.h"
#include "clang/AST/ExprCXX.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang;
using namespace ento;
namespace {
struct RegionState {
private:
enum Kind { Moved, Reported } K;
RegionState(Kind InK) : K(InK) {}
zaks.annaUnsubmitted
Done
ReplyInline Actions

nit: Please define MoveStmt before the constructor.

zaks.anna: nit: Please define MoveStmt before the constructor.
public:
bool isReported() const { return K == Reported; }
bool isMoved() const { return K == Moved; }
static RegionState getReported() { return RegionState(Reported); }
static RegionState getMoved() { return RegionState(Moved); }
bool operator==(const RegionState &X) const { return K == X.K; }
void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(K); }
};
class MisusedMovedObjectChecker
: public Checker<check::PreCall, check::PostCall, check::EndFunction,
check::DeadSymbols, check::RegionChanges> {
public:
bool wantsRegionChangeUpdate(ProgramStateRef State) const;
ProgramStateRef checkRegionChanges(
ProgramStateRef State, const InvalidatedSymbols *Invalidated,
ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, const CallEvent *Call) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
void checkPreCall(const CallEvent &MC, CheckerContext &C) const;
void checkPostCall(const CallEvent &MC, CheckerContext &C) const;
void checkEndFunction(CheckerContext &C) const;
private:
class MovedBugVisitor : public BugReporterVisitorImpl<MovedBugVisitor> {
public:
MovedBugVisitor(const MemRegion *R) : Region(R), Found(false) {}
void Profile(llvm::FoldingSetNodeID &ID) const override {
static int X = 0;
ID.AddPointer(&X);
ID.AddPointer(Region);
}
PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN,
BugReporterContext &BRC,
BugReport &BR) override;
private:
// The tracked region.
const MemRegion *Region;
bool Found;
};
mutable std::unique_ptr<BugType> BT;
ExplodedNode *reportBug(const MemRegion *Region, const CallEvent &Call,
CheckerContext &C, bool isCopy) const;
bool isInMoveSafeContext(const LocationContext *LC) const;
bool isStateResetMethod(const CXXMethodDecl *MethodDec) const;
bool isMoveSafeMethod(const CXXMethodDecl *MethodDec) const;
const ExplodedNode *getMoveLocation(const ExplodedNode *N,
const MemRegion *Region,
CheckerContext &C) const;
};
} // end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, RegionState)
// If a region is removed all of the subregions needs to be removed too.
static ProgramStateRef removeFromState(ProgramStateRef State,
const MemRegion *Region) {
if (!Region)
return State;
// Note: The isSubRegionOf function is not reflexive.
State = State->remove<TrackedRegionMap>(Region);
for (auto &E : State->get<TrackedRegionMap>()) {
if (E.first->isSubRegionOf(Region))
State = State->remove<TrackedRegionMap>(E.first);
}
return State;
}
static bool isAnyBaseRegionReported(ProgramStateRef State,
const MemRegion *Region) {
for (auto &E : State->get<TrackedRegionMap>()) {
if (Region->isSubRegionOf(E.first) && E.second.isReported())
return true;
}
return false;
}
PathDiagnosticPiece *MisusedMovedObjectChecker::MovedBugVisitor::VisitNode(
zaks.annaUnsubmitted
Done
ReplyInline Actions

Please, add text diagnostic tests for the bug visitor.

zaks.anna: Please, add text diagnostic tests for the bug visitor.
const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC,
BugReport &BR) {
// We need only the last move of the reported object's region.
// The visitor walks the ExplodedGraph backwards.
if (Found)
return nullptr;
ProgramStateRef State = N->getState();
ProgramStateRef StatePrev = PrevN->getState();
const RegionState *TrackedObject = State->get<TrackedRegionMap>(Region);
const RegionState *TrackedObjectPrev =
StatePrev->get<TrackedRegionMap>(Region);
if (!TrackedObject)
return nullptr;
if (TrackedObjectPrev && TrackedObject)
return nullptr;
// Retrieve the associated statement.
const Stmt *S = PathDiagnosticLocation::getStmt(N);
if (!S)
return nullptr;
zaks.annaUnsubmitted
Done
ReplyInline Actions

When is this condition hit? Please, add a test case.

zaks.anna: When is this condition hit? Please, add a test case.
Found = true;
std::string ObjectName;
if (const auto DecReg = Region->getAs<DeclRegion>()) {
const auto *RegionDecl = dyn_cast<NamedDecl>(DecReg->getDecl());
ObjectName = RegionDecl->getNameAsString();
}
std::string InfoText;
if (ObjectName != "")
InfoText = "'" + ObjectName + "' became 'moved-from' here";
zaks.annaUnsubmitted
Done
ReplyInline Actions

nit: Would be good to special case and capitalize the case where the ObjectName is not known.

zaks.anna: nit: Would be good to special case and capitalize the case where the ObjectName is not known.
else
InfoText = "Became 'moved-from' here";
// Generate the extra diagnostic.
PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
NoQUnsubmitted
Done
ReplyInline Actions

Could we use the static PathDiagnosticLocation::getStmt(N) function for obtaining S? That'd be the statement of the program point of the node. This way we don't need to store the statement in the program state. Or are you looking for a different statement?

NoQ: Could we use the static `PathDiagnosticLocation::getStmt(N)` function for obtaining `S`? That'd…
szepetAuthorUnsubmitted
Not Done
ReplyInline Actions

No, you are right. First I tried to compare the RegionStates so I the statements for operator== but then the code changed and I havent refactored this part.

szepet: No, you are right. First I tried to compare the RegionStates so I the statements for operator==…
N->getLocationContext());
return new PathDiagnosticEventPiece(Pos, InfoText, true, nullptr);
}
const ExplodedNode *MisusedMovedObjectChecker::getMoveLocation(
const ExplodedNode *N, const MemRegion *Region, CheckerContext &C) const {
// Walk the ExplodedGraph backwards and find the first node that referred to
// the tracked region.
const ExplodedNode *MoveNode = N;
while (N) {
ProgramStateRef State = N->getState();
if (!State->get<TrackedRegionMap>(Region))
break;
MoveNode = N;
N = N->pred_empty() ? nullptr : *(N->pred_begin());
}
return MoveNode;
}
ExplodedNode *MisusedMovedObjectChecker::reportBug(const MemRegion *Region,
const CallEvent &Call,
CheckerContext &C,
bool isCopy = false) const {
if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
zaks.annaUnsubmitted
Done
ReplyInline Actions

"Unspecified usage of a 'moved-from' object" -> "Usage of a 'moved-from' object"

zaks.anna: "Unspecified usage of a 'moved-from' object" -> "Usage of a 'moved-from' object"
if (!BT)
zaks.annaUnsubmitted
Done
ReplyInline Actions

For consistency with other category names, how about "C++ move semantics"?

zaks.anna: For consistency with other category names, how about "C++ move semantics"?
BT.reset(new BugType(this, "Usage of a 'moved-from' object",
"C++ move semantics"));
// Uniqueing report to the same object.
PathDiagnosticLocation LocUsedForUniqueing;
const ExplodedNode *MoveNode = getMoveLocation(N, Region, C);
if (const Stmt *MoveStmt = PathDiagnosticLocation::getStmt(MoveNode))
LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
MoveStmt, C.getSourceManager(), MoveNode->getLocationContext());
// Creating the error message.
std::string ErrorMessage;
if (isCopy)
ErrorMessage = "Copying a 'moved-from' object";
else
ErrorMessage = "Method call on a 'moved-from' object";
if (const auto DecReg = Region->getAs<DeclRegion>()) {
const auto *RegionDecl = dyn_cast<NamedDecl>(DecReg->getDecl());
ErrorMessage += " '" + RegionDecl->getNameAsString() + "'";
}
auto R =
llvm::make_unique<BugReport>(*BT, ErrorMessage, N, LocUsedForUniqueing,
MoveNode->getLocationContext()->getDecl());
R->addVisitor(llvm::make_unique<MovedBugVisitor>(Region));
C.emitReport(std::move(R));
return N;
}
return nullptr;
}
// Removing the function parameters' MemRegion from the state. This is needed
// for PODs where the trivial destructor does not even created nor executed.
void MisusedMovedObjectChecker::checkEndFunction(CheckerContext &C) const {
auto State = C.getState();
TrackedRegionMapTy Objects = State->get<TrackedRegionMap>();
if (Objects.isEmpty())
return;
auto LC = C.getLocationContext();
const auto LD = dyn_cast_or_null<FunctionDecl>(LC->getDecl());
if (!LD)
return;
llvm::SmallSet<const MemRegion *, 8> InvalidRegions;
for (auto Param : LD->parameters()) {
auto Type = Param->getType().getTypePtrOrNull();
NoQUnsubmitted
Not Done
ReplyInline Actions

Hmm. Is this not caught by checkDeadSymbols? I expect parameter regions to die eventually. It should not only catch regions themselves, but also regions to which they contain pointers.

NoQ: Hmm. Is this not caught by `checkDeadSymbols`? I expect parameter regions to die eventually. It…
szepetAuthorUnsubmitted
Not Done
ReplyInline Actions

Lets consider the next case:

struct C {};

void f(C c)
{
  C b = std::move(c);
 //...
}

void g()
{
  C c;
  for(int i = 0;i<2;i++)
  {
    f(c);
  }
}

During the analysis of g() the checker will report that an already moved object will be copied. (Since it is passed by value).
So the main problem was these for loops and resulted false positives as well when i ran the checker on the llvm codebase.
The problem can be come from that tha analyzer doesnt see any difference between the call since not just the parameter but their location are the same and that cause the problem. This is reason why came up with that not so elegant solution.

Please correct me if I'm wrong or let me know in case you know a solution for that but I was not able to write checkDeadSymbols callback to handle that.

szepet: Lets consider the next case: ``` struct C {}; void f(C c) { C b = std::move(c); //... }…
NoQUnsubmitted
Done
ReplyInline Actions

Hmm. Debugged this a bit.

Well, they are different objects. c from the old call and c from the new call are different objects, they may even have different addresses on the stack.

The analyzer should normally be noticing the difference between these two objects and represent them with different memory regions. Even though they're represented by VarRegions with same VarDecls, these regions should differ by having different super-regions, namely different StackArgumentsSpaceRegion instances, which, in turn, are different because they are built over different StackFrameContext instances.

But unfortunately in this case the StackFrameContext is the same, because it doesn't include the call site block count! So as long as the call site's statement is the same on subsequent calls, such as in the loop, we run into this problem.

This should be fixed on StackFrameContext side. D19979 should have addressed that, but it ran into problems and doesn't seem to be landing soon. For now, i guess i'd try to add a block count directly to StackFrameContext when i have time, it should be trivial. Then your checkEndFunction callback will be unnecessary.

I'm still curious why checkDeadSymbols doesn't kill these map items, but i guess we already have a bigger problem to tackle.

Could you add this test to your test set for now?

NoQ: Hmm. Debugged this a bit. Well, they are different objects. `c` from the old call and `c` from…
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

But unfortunately in this case the StackFrameContext is the same, because it doesn't include the call site block count! So as long as the call site's statement is the same on subsequent calls, such as in the loop, we run into this problem.

This sounds scary! Can you file a bug/PR about it with a reduced test case.
Can we refer to the PR here if we think this code should change once the PR is fixed?

zaks.anna: > But unfortunately in this case the StackFrameContext is the same, because it doesn't include…
NoQUnsubmitted
Not Done
ReplyInline Actions

Filed: http://bugs.llvm.org/show_bug.cgi?id=32163

Also recalled that fixing StackFrameContext is not enough to get rid of this problem entirely, because the inner function call is not bound to exist.

NoQ: Filed: http://bugs.llvm.org/show_bug.cgi?id=32163 Also recalled that fixing StackFrameContext…
if (!Type)
continue;
if (!Type->isPointerType() && !Type->isReferenceType()) {
InvalidRegions.insert(State->getLValue(Param, LC).getAsRegion());
}
}
if (InvalidRegions.empty())
return;
for (const auto &E : State->get<TrackedRegionMap>()) {
if (InvalidRegions.count(E.first->getBaseRegion()))
State = State->remove<TrackedRegionMap>(E.first);
}
C.addTransition(State);
}
void MisusedMovedObjectChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {
const auto *AFC = dyn_cast<AnyFunctionCall>(&Call);
if (!AFC)
return;
ProgramStateRef State = C.getState();
const auto MethodDecl = dyn_cast_or_null<CXXMethodDecl>(AFC->getDecl());
if (!MethodDecl)
zaks.annaUnsubmitted
Done
ReplyInline Actions

Why is this necessary? Why using checkPointerEscape is not enough?

zaks.anna: Why is this necessary? Why using checkPointerEscape is not enough?
szepetAuthorUnsubmitted
Not Done
ReplyInline Actions

Based on my tests,checkPointerEscape works on only SymRegion but we needed some more generic approach. (In connection with MemRegions.)
It seems kind of hacking it into this checker and it's probably exactly that but I had no other ideas to implement it.

szepet: Based on my tests,checkPointerEscape works on only SymRegion but we needed some more generic…
NoQUnsubmitted
Not Done
ReplyInline Actions

As far as i understand, at a glance, this code invalidates the program state trait for objects that have escaped into a function.

This makes me think you should be taking check::RegionChanges here. See CStringChecker as an example. This callback would save you a large amount of code by presenting a list of superregions that cover all invalidated regions (well, you can't list all of them). It automatically handles regions pointed to by contents of invalidated regions etc., which you'd still want to handle.

check::PointerEscape is truly not enough because it handles only symbolic pointers, while you are also interested in concrete pointers (such as VarRegion).

There's a bit of a mess with these callbacks which we're trying to sort out (http://lists.llvm.org/pipermail/cfe-dev/2016-September/050792.html), but it shouldn't affect you.

NoQ: As far as i understand, at a glance, this code invalidates the program state trait for objects…
szepetAuthorUnsubmitted
Not Done
ReplyInline Actions

I have tried this callback on some trivial examples.
It seems it solves this problem (function calls with no body), however, in cases when a constructor /destructor called, the callback provides only the members regions in the ExplicitRegions. In case of destructor the Regions contains the element's region, but unfortunately it is not always right to iterate over the whole Regions array.
For example: Destructor calls on an array element would cause invalidating the whole array.

So this callback can help on this one, and it would be structured invalidating instead of this hacking. However, the invalidating in the checkPreCall still needed. (constructorcall, destructorcall...)

Am I right or did I miss/misunderstand something?

szepet: I have tried this callback on some trivial examples. It seems it solves this problem (function…
NoQUnsubmitted
Not Done
ReplyInline Actions

Hmm, i think i want to know more about that. Could you post a version of the patch with checkRegionChanges and the failing test, which you are trying, in case you already have it?

Destructor calls on an array element would cause invalidating the whole array.

Yyeeeah, that's right, we're always invalidating the whole base region. Essentially, you can get from one array element to another array element with a reliable pointer arithmetic (eg. "this - 1" in your case). And i agree that for your case this ultraconservative invalidation is definitely worth lifting.

in cases when a constructor /destructor called, the callback provides only the members regions in the ExplicitRegions

That's probably because the constructor/destructor was inlined, otherwise how would he know what members are there? In this case, there is actually no invalidation, just separate callbacks for every store bind of every member. And in this case...

However, the invalidating in the checkPreCall still needed. (constructorcall, destructorcall...)

... in this case, yeah, this is definitely needed. This is private logic of your checker, the analyzer couldn't have guessed that a perfectly inlined call, without any invalidations, may have such special meaning for your checker.

However, if the constructor/destructor wasn't inlined, then i expect the object to be present in explicit regions. If it isn't there, it's probably worth adding on the core side rather than hacking in checkers.

So in my opinion this leaves us with standard checkRegionChanges and special code for inlined constructors/destructors.

NoQ: Hmm, i think i want to know more about that. Could you post a version of the patch with…
return;
const auto *ConstructorDecl = dyn_cast<CXXConstructorDecl>(MethodDecl);
const auto *CC = dyn_cast_or_null<CXXConstructorCall>(&Call);
NoQUnsubmitted
Done
ReplyInline Actions

By the way, we have C.wasInlined, would it be more useful/accurate here?

NoQ: By the way, we have `C.wasInlined`, would it be more useful/accurate here?
// Check if an object became moved-from.
// Object can become moved from after a call to move assignment operator or
// move constructor .
if (ConstructorDecl && !ConstructorDecl->isMoveConstructor())
return;
if (!ConstructorDecl && !MethodDecl->isMoveAssignmentOperator())
return;
const auto ArgRegion = AFC->getArgSVal(0).getAsRegion();
if (!ArgRegion)
return;
// Skip moving the object to itself.
if (CC && CC->getCXXThisVal().getAsRegion() == ArgRegion)
return;
if (const auto *IC = dyn_cast<CXXInstanceCall>(AFC))
if (IC->getCXXThisVal().getAsRegion() == ArgRegion)
return;
const MemRegion *BaseRegion = ArgRegion->getBaseRegion();
// Skip temp objects because of their short lifetime.
if (BaseRegion->getAs<CXXTempObjectRegion>() ||
AFC->getArgExpr(0)->isRValue())
return;
// If it has already been reported do not need to modify the state.
if (State->get<TrackedRegionMap>(ArgRegion))
return;
// Mark object as moved-from.
State = State->set<TrackedRegionMap>(ArgRegion, RegionState::getMoved());
C.addTransition(State);
}
bool MisusedMovedObjectChecker::isMoveSafeMethod(
const CXXMethodDecl *MethodDec) const {
// We abandon the cases where bool/void/void* conversion happens.
if (const auto *ConversionDec =
dyn_cast_or_null<CXXConversionDecl>(MethodDec)) {
const Type *Tp = ConversionDec->getConversionType().getTypePtrOrNull();
if (!Tp)
return false;
if (Tp->isBooleanType() || Tp->isVoidType() || Tp->isVoidPointerType())
return true;
}
// Function call `empty` can be skipped.
if (MethodDec && MethodDec->getDeclName().isIdentifier() &&
(MethodDec->getName().lower() == "empty" ||
MethodDec->getName().lower() == "isempty"))
return true;
return false;
}
bool MisusedMovedObjectChecker::isStateResetMethod(
const CXXMethodDecl *MethodDec) const {
if (MethodDec && MethodDec->getDeclName().isIdentifier()) {
std::string MethodName = MethodDec->getName().lower();
if (MethodName == "reset" || MethodName == "clear" ||
MethodName == "destroy")
return true;
}
return false;
}
// Don't report an error inside a move related operation.
// We assume that the programmer knows what she does.
bool MisusedMovedObjectChecker::isInMoveSafeContext(
const LocationContext *LC) const {
do {
const auto *CtxDec = LC->getDecl();
auto *CtorDec = dyn_cast_or_null<CXXConstructorDecl>(CtxDec);
auto *DtorDec = dyn_cast_or_null<CXXDestructorDecl>(CtxDec);
auto *MethodDec = dyn_cast_or_null<CXXMethodDecl>(CtxDec);
if (DtorDec || (CtorDec && CtorDec->isCopyOrMoveConstructor()) ||
(MethodDec && MethodDec->isOverloadedOperator() &&
MethodDec->getOverloadedOperator() == OO_Equal) ||
isStateResetMethod(MethodDec) || isMoveSafeMethod(MethodDec))
return true;
} while ((LC = LC->getParent()));
return false;
}
void MisusedMovedObjectChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
const LocationContext *LC = C.getLocationContext();
ExplodedNode *N = nullptr;
// Remove the MemRegions from the map on which a ctor/dtor call or assignement
// happened.
// Checking constructor calls.
if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {
State = removeFromState(State, CC->getCXXThisVal().getAsRegion());
auto CtorDec = CC->getDecl();
// Check for copying a moved-from object and report the bug.
if (CtorDec && CtorDec->isCopyOrMoveConstructor()) {
const MemRegion *ArgRegion = CC->getArgSVal(0).getAsRegion();
const RegionState *ArgState = State->get<TrackedRegionMap>(ArgRegion);
if (ArgState && ArgState->isMoved()) {
if (!isInMoveSafeContext(LC)) {
N = reportBug(ArgRegion, Call, C, /*isCopy=*/true);
State = State->set<TrackedRegionMap>(ArgRegion,
RegionState::getReported());
}
}
}
C.addTransition(State, N);
return;
}
const auto IC = dyn_cast<CXXInstanceCall>(&Call);
if (!IC)
return;
// In case of destructor call we do not track the object anymore.
const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
if (dyn_cast_or_null<CXXDestructorDecl>(Call.getDecl())) {
State = removeFromState(State, IC->getCXXThisVal().getAsRegion());
C.addTransition(State);
return;
}
const auto MethodDecl = dyn_cast_or_null<CXXMethodDecl>(IC->getDecl());
if (!MethodDecl)
return;
// Checking assignment operators.
bool OperatorEq = MethodDecl->isOverloadedOperator() &&
MethodDecl->getOverloadedOperator() == OO_Equal;
// Remove the tracked object for every assignment operator, but report bug
// only for move or copy assignment's argument.
if (OperatorEq) {
State = removeFromState(State, ThisRegion);
if (MethodDecl->isCopyAssignmentOperator() ||
MethodDecl->isMoveAssignmentOperator()) {
const RegionState *ArgState =
State->get<TrackedRegionMap>(IC->getArgSVal(0).getAsRegion());
if (ArgState && ArgState->isMoved() && !isInMoveSafeContext(LC)) {
const MemRegion *ArgRegion = IC->getArgSVal(0).getAsRegion();
N = reportBug(ArgRegion, Call, C, /*isCopy=*/true);
State =
State->set<TrackedRegionMap>(ArgRegion, RegionState::getReported());
}
}
C.addTransition(State, N);
return;
}
// The remaining part is check only for method call on a moved-from object.
if (isMoveSafeMethod(MethodDecl))
return;
if (isStateResetMethod(MethodDecl)) {
State = State->remove<TrackedRegionMap>(ThisRegion);
C.addTransition(State);
return;
}
// If it is already reported then we dont report the bug again.
const RegionState *ThisState = State->get<TrackedRegionMap>(ThisRegion);
if (!(ThisState && ThisState->isMoved()))
return;
// Dont report it in case if any base region is already reported
if (isAnyBaseRegionReported(State, ThisRegion))
return;
if (isInMoveSafeContext(LC))
return;
N = reportBug(ThisRegion, Call, C);
State = State->set<TrackedRegionMap>(ThisRegion, RegionState::getReported());
C.addTransition(State, N);
}
void MisusedMovedObjectChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
TrackedRegionMapTy TrackedRegions = State->get<TrackedRegionMap>();
for (TrackedRegionMapTy::value_type E : TrackedRegions) {
const MemRegion *Region = E.first;
bool IsRegDead = !SymReaper.isLiveRegion(Region);
// Remove the dead regions from the region map.
if (IsRegDead) {
State = State->remove<TrackedRegionMap>(Region);
}
}
C.addTransition(State);
}
bool MisusedMovedObjectChecker::wantsRegionChangeUpdate(
ProgramStateRef State) const {
TrackedRegionMapTy Regions = State->get<TrackedRegionMap>();
return !Regions.isEmpty();
}
ProgramStateRef MisusedMovedObjectChecker::checkRegionChanges(
ProgramStateRef State, const InvalidatedSymbols *Invalidated,
ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, const CallEvent *Call) const {
// In case of an InstanceCall don't remove the ThisRegion from the GDM since
// it is handled in checkPreCall and checkPostCall.
const MemRegion *ThisRegion = nullptr;
if (const auto *IC = dyn_cast_or_null<CXXInstanceCall>(Call)) {
ThisRegion = IC->getCXXThisVal().getAsRegion();
}
for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(),
E = ExplicitRegions.end();
I != E; ++I) {
const auto *Region = *I;
if (ThisRegion != Region)
State = removeFromState(State, Region);
}
NoQUnsubmitted
Done
ReplyInline Actions

I definitely admire this trick. However, it only works when the object from which we move is "opaque" enough: for example, if at least one body of its setter methods is available in the current translation unit, we could easily see an arbitrary symbol inside the object (not necessarily having this object as its origin region, probably reassigned from other regions or even conjured), and the code will have no effect.

NoQ: I definitely admire this trick. However, it only works when the object from which we move is…
szepetAuthorUnsubmitted
Done
ReplyInline Actions

Well I planned to remove this callback and only remained in the code by mistake. As I understand it is unnecessary since checkRegionChanges will handle these cases, I needed it just before it was implemented. So yes, you are right but this callback can (and should) be removed.

Do you agree?

szepet: Well I planned to remove this callback and only remained in the code by mistake. As I…
zaks.annaUnsubmitted
Done
ReplyInline Actions

Has this been resolved?

zaks.anna: Has this been resolved?
NoQUnsubmitted
Done
ReplyInline Actions

Yep.

NoQ: Yep.
return State;
}
void ento::registerMisusedMovedObjectChecker(CheckerManager &mgr) {
mgr.registerChecker<MisusedMovedObjectChecker>();
}

test/Analysis/MisusedMovedObject.cpp

  • This file was added.
// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.cplusplus.MisusedMovedObject -std=c++11 -verify -analyzer-output=text %s
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Nit: due to the upcomming Z3 support (as a constraint solver), you should use %clang_analyze_cc1 instead of %clang_cc1

xazax.hun: Nit: due to the upcomming Z3 support (as a constraint solver), you should use…
namespace std {
template <typename>
struct remove_reference;
template <typename _Tp>
struct remove_reference { typedef _Tp type; };
template <typename _Tp>
struct remove_reference<_Tp &> { typedef _Tp type; };
template <typename _Tp>
struct remove_reference<_Tp &&> { typedef _Tp type; };
template <typename _Tp>
typename remove_reference<_Tp>::type &&move(_Tp &&__t) {
return static_cast<typename remove_reference<_Tp>::type &&>(__t);
}
template <typename _Tp>
_Tp &&forward(typename remove_reference<_Tp>::type &__t) noexcept {
return static_cast<_Tp &&>(__t);
}
template <class T>
void swap(T &a, T &b) {
T c(std::move(a));
a = std::move(b);
b = std::move(c);
}
} // namespace std
class B {
public:
B() = default;
B(const B &) = default;
B(B &&) = default;
void operator=(B &&b) {
return;
}
void foo() { return; }
};
class A {
int i;
double d;
zaks.annaUnsubmitted
Done
ReplyInline Actions

Adding "//no-warning" on lines where you explicitly test that a warning is not produced will simplify with readability and maintainability.

zaks.anna: Adding "//no-warning" on lines where you explicitly test that a warning is not produced will…
public:
B b;
A(int ii = 42, double dd = 1.0) : d(dd), i(ii), b(B()) {}
void moveconstruct(A &&other) {
std::swap(b, other.b);
std::swap(d, other.d);
std::swap(i, other.i);
return;
}
static A get() {
A v(12, 13);
return v;
}
A(A *a) {
moveconstruct(std::move(*a));
}
A(const A &other) : i(other.i), d(other.d), b(other.b) {}
A(A &&other) : i(other.i), d(other.d), b(std::move(other.b)) { // expected-note {{'b' became 'moved-from' here}}
}
A(A &&other, char *k) {
moveconstruct(std::move(other));
}
void operator=(A &&other) {
moveconstruct(std::move(other));
return;
}
int getI() { return i; }
int foo() const;
void bar() const;
void reset();
void destroy();
void clear();
bool empty() const;
bool isEmpty() const;
operator bool() const;
};
int bignum();
void leftRefCall(A &a) {
a.foo();
}
void rightRefCall(A &&a) {
a.foo();
}
void copyOrMoveCall(const A a) {
a.foo();
}
void simpleMoveCtorTest() {
A a;
A b; b = std::move(a); // expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
void simpleMoveAssignementTest() {
A a;
A b;
b = std::move(a); // expected-note {{'a' became 'moved-from' here}}
zaks.annaUnsubmitted
Done
ReplyInline Actions

How about improving the wording a bit: "Method call on a 'moved-from' object 'a'". Note, all diagnostic messages should be capitalized.

zaks.anna: How about improving the wording a bit: "Method call on a 'moved-from' object 'a'". Note, all…
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
void moveInInitListTest() {
struct S {
A a;
};
A a;
S s{std::move(a)}; // expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
// Don't report a bug if the variable was assigned to in the meantime.
void reinitializationTest(int i) {
{
A a;
A b; b = std::move(a);
a = A();
a.foo();
}
{
A a;
if (i == 1) { //expected-note {{Assuming 'i' is not equal to 1}} //expected-note {{Taking false branch}} //expected-note {{Assuming 'i' is not equal to 1}} //expected-note {{Taking false branch}}
A b; b = std::move(a);
a = A();
}
if (i == 2) { //expected-note {{Assuming 'i' is not equal to 2}} //expected-note {{Taking false branch}} //expected-note {{Assuming 'i' is not equal to 2}} //expected-note {{Taking false branch}}
a.foo(); // no-warning
}
}
{
A a;
if (i == 1) { //expected-note {{Taking false branch}} //expected-note {{Taking false branch}}
std::move(a);
}
if (i == 2) { //expected-note {{Taking false branch}} //expected-note {{Taking false branch}}
a = A();
a.foo();
}
}
// The built-in assignment operator should also be recognized as a
// reinitialization. (std::move() may be called on built-in types in template
// code.)
{
int a1 = 1, a2 = 2;
std::swap(a1, a2);
}
// A std::move() after the assignment makes the variable invalid again.
{
A a;
A b; b = std::move(a);
a = A();
b = std::move(a); //expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
// If a path exist where we not reinitialize the variable we report a bug.
{
A a;
A b; b = std::move(a); //expected-note {{'a' became 'moved-from' here}}
if (i < 10) { //expected-note {{Assuming 'i' is >= 10}} //expected-note {{Taking false branch}}
a = A();
}
if (i > 5) { //expected-note {{Taking true branch}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
}
}
// Using decltype on an expression is not a use.
void decltypeIsNotUse() {
A a;
// A b(std::move(a));
decltype(a) other_a; // no-warning
}
void looptest() {
A Var;
for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is false. Execution continues on line 190}}
rightRefCall(std::move(Var)); // no-warning
}
for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is false. Execution continues on line 193}}
leftRefCall(Var); // no-warning
}
for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is false. Execution continues on line 196}}
copyOrMoveCall(Var); // no-warning
}
for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is true. Entering loop body}} expected-note {{Loop condition is true. Entering loop body}}
copyOrMoveCall(std::move(Var)); // expected-warning {{Copying a 'moved-from' object 'Var'}} expected-note {{Copying a 'moved-from' object 'Var'}}
// expected-note@-1 {{'Var' became 'moved-from' here}}
}
// Don't warn if we return after the move.
{
A a;
for (int i = 0; i < 10; ++i) {
a.bar();
if (a.foo() > 0) {
A b; b = std::move(a); // no-warning
return;
}
}
}
}
//report a usage of a moved-from object only at the first use
void uniqueTest(bool cond) {
A a(42, 42.0);
A b; b = std::move(a); // expected-note {{'a' became 'moved-from' here}}
if (cond) { // expected-note {{Assuming 'cond' is not equal to 0}} expected-note {{Taking true branch}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
if (cond) {
a.bar(); // no-warning
}
a.bar(); // no-warning
}
void uniqueTest2() {
A a;
A a1 = std::move(a); //expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
zaks.annaUnsubmitted
Done
ReplyInline Actions

Can you please split these notes so that each one is on a separate line? You can use // expected-note@+1 to show that there is 1 line difference between the locations.

zaks.anna: Can you please split these notes so that each one is on a separate line? You can use //…
A a2 = std::move(a); // no-warning
a.foo(); // no-warning
}
// There are exceptions where we assume in general that the method works fine
//even on moved-from objects.
void moveSafeFunctionsTest()
{
A a;
A b = std::move(a); //expected-note {{'a' became 'moved-from' here}}
a.empty(); // no-warning
a.isEmpty(); // no-warning
(void) a; // no-warning
(bool) a; // no-warning //expected-warning {{expression result unused}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
void moveStateResetFunctionsTest()
{
{
A a;
A b = std::move(a);
a.reset(); // no-warning
a.foo(); // no-warning
}
{
A a;
A b = std::move(a);
a.destroy(); // no-warning
a.foo(); // no-warning
}
{
A a;
A b = std::move(a);
a.clear(); // no-warning
a.foo(); // no-warning
}
}
// Moves or uses that occur as part of template arguments.
template <int>
class ClassTemplate {
public:
void foo(A a);
};
template <int>
void functionTemplate(A a);
void templateArgIsNotUse() {
{
// A pattern like this occurs in the EXPECT_EQ and ASSERT_EQ macros in
// Google Test.
A a;
ClassTemplate<sizeof(A(std::move(a)))>().foo(std::move(a)); // no-warning
}
{
A a;
functionTemplate<sizeof(A(std::move(a)))>(std::move(a)); // no-warning
}
}
// Moves of global variables are not reported.
A global_a;
void globalVariablesTest() {
std::move(global_a);
global_a.foo(); // no-warning
}
// Moves of member variables.
class memberVariablesTest {
A a;
static A static_a;
void f() {
A b; b = std::move(a); //expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object}} expected-note {{Method call on a 'moved-from' object 'a'}}
b = std::move(static_a); //expected-note {{'static_a' became 'moved-from' here}}
static_a.foo(); // expected-warning {{Method call on a 'moved-from' object 'static_a'}} expected-note {{Method call on a 'moved-from' object 'static_a'}}
}
};
void PtrAndArrayTest() {
A *Ptr = new A(1, 1.5);
A Arr[10];
Arr[2] = std::move(*Ptr); // expected-note {{Became 'moved-from' here}}
(*Ptr).foo(); // expected-warning {{Method call on a 'moved-from' object}} expected-note {{Method call on a 'moved-from' object}}
Ptr = &Arr[1];
Arr[3] = std::move(Arr[1]); // expected-note {{Became 'moved-from' here}}
Ptr->foo(); // expected-warning {{Method call on a 'moved-from' object}} expected-note {{Method call on a 'moved-from' object}}
Arr[3] = std::move(Arr[2]); // expected-note {{Became 'moved-from' here}}
Arr[2].foo(); // expected-warning {{Method call on a 'moved-from' object}} expected-note {{Method call on a 'moved-from' object}}
Arr[2] = std::move(Arr[3]); // reinitialization
Arr[2].foo(); // no-warning
}
void exclusiveConditionsTest(bool cond) {
A a;
if (cond) {
A b; b = std::move(a);
}
if (!cond) {
a.bar(); // no-warning
}
}
void differentBranchesTest(int i) {
// Don't warn if the use is in a different branch from the move.
{
A a;
if (i > 0) { //expected-note {{Assuming 'i' is > 0}} //expected-note {{Taking true branch}}
A b; b = std::move(a);
} else {
a.foo(); // no-warning
}
}
// Same thing, but with a ternary operator.
{
A a, b;
i > 0 ? (void)(b = std::move(a)) : a.bar(); // no-warning //expected-note {{'?' condition is true}}
}
// A variation on the theme above.
{
A a;
a.foo() > 0 ? a.foo() : A(std::move(a)).foo(); //expected-note {{Assuming the condition is false}} //expected-note {{'?' condition is false}}
}
// Same thing, but with a switch statement.
{
A a, b;
switch (i) { //expected-note {{Control jumps to 'case 1:' at line 367}}
case 1:
b = std::move(a); // no-warning
break; //expected-note {{Execution jumps to the end of the function}}
case 2:
a.foo(); // no-warning
break;
}
}
// However, if there's a fallthrough, we do warn.
{
A a, b;
switch (i) { //expected-note {{Control jumps to 'case 1:' at line 379}}
case 1:
b = std::move(a); //expected-note {{'a' became 'moved-from' here}}
case 2:
a.foo(); // expected-warning {{Method call on a 'moved-from' object}} expected-note {{Method call on a 'moved-from' object 'a'}}
break;
}
}
}
void tempTest() {
A a = A::get();
A::get().foo(); // no-warning
for (int i = 0; i < bignum(); i++) {
A::get().foo(); // no-warning
}
}
void interFunTest1(A &a) {
a.bar(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
}
void interFunTest2() {
A a;
A b;
b = std::move(a); // expected-note {{'a' became 'moved-from' here}}
interFunTest1(a); // expected-note {{Calling 'interFunTest1'}}
}
void foobar(A a, int i);
void foobar(int i, A a);
void paramEvaluateOrderTest() {
A a;
foobar(std::move(a), a.getI()); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
//expected-note@-1 {{'a' became 'moved-from' here}}
//FALSE NEGATIVE since parameters evaluate order is undefined
foobar(a.getI(), std::move(a)); //no-warning
}
void not_known(A &a);
void not_known(A *a);
void regionAndPointerEscapeTest() {
{
A a;
A b;
b = std::move(a);
not_known(a);
a.foo(); //no-warning
}
{
A a;
A b;
b = std::move(a);
not_known(&a);
a.foo(); // no-warning
}
}
// A declaration statement containing multiple declarations sequences the
// initializer expressions.
void declarationSequenceTest() {
{
A a;
A a1 = a, a2 = std::move(a); // no-warning
}
{
A a;
A a1 = std::move(a), a2 = a; // expected-warning {{Copying a 'moved-from' object 'a'}} expected-note {{Copying a 'moved-from' object 'a'}}
// expected-note@-1 {{'a' became 'moved-from' here}}
}
}
// The logical operators && and || sequence their operands.
void logicalOperatorsSequenceTest() {
{
A a;
if (a.foo() > 0 && A(std::move(a)).foo() > 0) { //expected-note {{Assuming the condition is false}} //expected-note {{Assuming the condition is false}}
//expected-note@-1 {{Left side of '&&' is false}} //expected-note@-1 {{Left side of '&&' is false}}
A().bar();
}
}
// A variation: Negate the result of the && (which pushes the && further down
// into the AST).
{
A a;
if (!(a.foo() > 0 && A(std::move(a)).foo() > 0)) { //expected-note {{Assuming the condition is false}} //expected-note {{Assuming the condition is false}}
//expected-note@-1 {{Left side of '&&' is false}} //expected-note@-1 {{Left side of '&&' is false}}
//expected-note@-2 {{Taking true branch}} //expected-note@-2 {{Taking true branch}}
A().bar();
}
}
{
A a;
if (A(std::move(a)).foo() > 0 && a.foo() > 0) { // expected-warning {{Method call on a 'moved-from' object 'a'}} //expected-note {{Method call on a 'moved-from' object 'a'}}
//expected-note@-1 {{'a' became 'moved-from' here}} //expected-note@-1 {{Assuming the condition is true}} //expected-note@-1 {{Assuming the condition is false}}
//expected-note@-2 {{Left side of '&&' is false}} //expected-note@-2 {{Left side of '&&' is true}}
A().bar();
}
}
{
A a;
if (a.foo() > 0 || A(std::move(a)).foo() > 0) { //expected-note {{Assuming the condition is true}} //expected-note {{Left side of '||' is true}}
A().bar();
}
}
{
A a;
if (A(std::move(a)).foo() > 0 || a.foo() > 0) { // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
//expected-note@-1 {{'a' became 'moved-from' here}} //expected-note@-1 {{Assuming the condition is false}} //expected-note@-1 {{Left side of '||' is false}}
A().bar();
}
}
}
// A range-based for sequences the loop variable declaration before the body.
void forRangeSequencesTest() {
A v[2] = {A(), A()};
for (A &a : v) {
A b; b = std::move(a); // no-warning
}
}
// If a variable is declared in an if statement, the declaration of the variable
// (which is treated like a reinitialization by the check) is sequenced before
// the evaluation of the condition (which constitutes a use).
void ifStmtSequencesDeclAndConditionTest() {
for (int i = 0; i < 3; ++i) {
if (A a = A()) {
A b; b = std::move(a); // no-warning
}
}
}
void subRegionMoveTest()
{
{
A a;
B b = std::move(a.b); // expected-note {{'b' became 'moved-from' here}}
a.b.foo(); // expected-warning {{Method call on a 'moved-from' object 'b'}} expected-note {{Method call on a 'moved-from' object 'b'}}
}
{
A a;
A a1 = std::move(a); // expected-note {{Calling move constructor for 'A'}} // expected-note {{Returning from move constructor for 'A'}}
a.b.foo(); // expected-warning {{Method call on a 'moved-from' object 'b'}} expected-note {{Method call on a 'moved-from' object 'b'}}
}
// Don't report a misuse if any SuperRegion is already reported.
{
A a;
A a1 = std::move(a); // expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
a.b.foo(); // no-warning
}
}
No newline at end of file