Maybe llvm::PointerUnion?

I think functions should always begin with a stack frame context, not sure, does this ever get violated? Do we have checkBeginBlock? Sorry if i'm wrong.

LLVM cast<> should be used, because it asserts cast correctness through LLVM's custom RTTI (and LocationContext child classes do support that).

I think this trick needs more comments/explaining. It is very unusual. Are you trying to model effects of passing an iterator by value into a function? What part of these effects are not modeled magically by the core?

So the thing about evalCall is that every call can only be eval'ed by only one checker. So if you're doing this, you should be sure that your checker is modelling all effects of the call on everything in the program state, manually, and any checker that relies on that modelling should make sure that your checker is turned on.

Because the functions you are modelling are pure, i think it's, in general, a good idea to evalCall() them. Other checkers should be able to rely on PreCall/PostCall events to model their state changes.

So the question is, in what checker do we want this modelling to happen. Because your checker is looking for very specific errors, it might be a good idea to eventually split it into a separate checker. I think, at least, a FIXME for this task should be left around. I'm also currently tackling with a single checker to model all standard library functions (D20811), maybe i'd come up with a way to merge it there.

Accessing end() is a UB, we should probably generate a fatal error node here.

I think path-sensitive checkers should present their findings proudly. After all, they did their best to find a single execution path on which the problem certainly manifests.

Number of arguments of CE should be checked beforehand. Yes, it is UB to modify namespace std:: to introduce functions with same names but less arguments, but we still should not crash when we see such code.

It's not analyzer's fault :) We're inspecting the AST here.

Anyway, does CXXRecordDecl::needsImplicitCopyAssignment() look useful?

We should probably separate this into an #include-able header in test/Analysis/Inputs/.

Also, there's always a bit of concern that it wasn't copy-pasted from a standard library implementation with an incompatible license such as (L)GPL. Which often happens when you do your best to emulate the normal way of defining things as closely as possible.

If I pass an iterator by value (the most usual case) I have to assign its position (in or out of range) to the formal parameter from the actual one.

No, it does not. I need to check whether the type is copiable, since that is a criteria for being an operator (copiable via constructor and assignment, deleteable, incrementable and dereferencable). It seems that while copy constructor and destructor is generated automatically, copy assignment not, at least not in this simple case. So I defaulted it to true, and I set it to false if I find a deleted or a non-public copy assignment.

I did it now, but first one of my tests failed. I fixed the bug, but it turned out that if I include these types and functions, no method or function is checked, just conjured symbols are generated. Should including not behave the same as copying the contents? This happened even if I removed the pragma.

Aha, i guess that's because we don't inline STL headers. See mayInlineCXXStandardLibrary() / -analyzer-config c++-stdlib-inlining.

The lesson to learn here is that it's a good idea to make tests as similar to real code as possible. Because on real code, it would probably also not be inlined.

Actually, I always test first on real code, and it seemed to be inlined. But now, even if I removed the pragma it was not inlined.

This can be written some shorter: if (const auto *InstCall = dyn_cast<CXXInstance>(&Call)

As I remember, PostCall is also called for ObjC calls like ObjCMethodCall which may not have FunctionDecl as their callee. So, Func may be a nullptr and needs a check.

isa<StackFrameContext>(LCtx)?
And cast<> below already does the same check with an assertion.

Just C.getLocationContext()?

This loop may be C++11-fied.

What will happen if we compare two iterators related to different containers? I guess the result will be undefined but I'm not sure if we can track it in this checker without referencing the owning container. Let's leave this code as-is but I think this choice deserves a comment.

Maybe we should just swap Rhs and Lhs if LPos is null? So, we can avoid code duplication.

What will happen if we write something like this:

bool Eq1 = it1 == it2;
bool Eq2 = it3 == it4;
if (Eq1) {...}?

As I understand, we'll assume the second condition instead of first.

I'm not sure it's totally correct. -- for begin() will give us out-of-range iterator. According to header description, we're catching just "past-end" iterators, but this is confusing a bit for me.
Moreover, if we're out of end() in multiple positions, a single -- will not make the iterator valid again. You use a good conservative approach, but could you please add a comment describing it?

Just C.getLocationContext().

You can use overload which does not require the tag.

getLocationContext => LCtx

A common way of defining iterator types is just their declaration as pointers. I'm not sure this code will work well in such cases.
You can see some example in LLVM containers like SmallVector, where iterators are declared in the following way:

typedef T *iterator;
typedef const T *const_iterator;

HasCopyCtor, HasCopyAssign, etc.

We usually prefer informative names like "Method" or "Ctor".

There was a comment. Phabricator disallows me to delete my own comments so I was forced to edit it. Nevermind.

We often do forward declare in the implementation file as it is done here. We mainly use the Inputs directory to simulate system headers.

Had a look. So, essentially, the core copies argument values to parameter regions in enterStackFrame() without ever notifying checkers about it in any way. Okaay. Yep, let's stick to that for now, as i've no better approach in mind.

Had a look. So the problem is, we obtain the result of the comparison as a symbol, from which it is too hard to recover the operands in order to move iterator position data from one value to another.

Normally we obtain a simple SymbolConjured for the return value of the operator==() call (or, similarly, operator!=()). For plain-value iterators (eg. typedef T *iterator) we might be obtaining an actual binary symbolic expression, but even then it's not quite clear how to obtain operands (the structure of the expression might have changed due to algebraic simplifications). Additionally, LHS and RHS aren't necessarily symbols (they might be semi-concrete), so composing symbolic expressions from them in general is problematic with our symbol hierarchy, which is rarely a problem for numbers but for structural symbols it'd be a mess.

For now i suggest, instead of storing only the last LHS and RHS, to save a map from symbols (which are results of comparisons) to (LHS value, RHS value) pairs. This map should, apart from the obvious, be cleaned up whenever one of the iterators in the pair gets mutated (incremented or decremented). This should take care of the problem Alexey points out, and should work with semi-concrete stuff.

For the future i suggest to let users construct their own symbols and symbolic expressions more easily. In fact, if only we had all iterators as regions, we should have probably used SymbolMetadata for this purpose: it's easy to both recover the parent region from it and use it in symbolic expressions. We could also deprecate the confusing structural symbols (provide default-bound lazy compound values for conjured structures instead), and then it'd be possible to transition to SymbolMetadata entirely.

Ouch, i have one more concern, which can be expressed with the following false-positive test which currently fails:

void foo() {
  std::vector<int> vec;
  vec.push_back(2016);
  auto i = vec.find(vec.begin(), vec.end(), 2016);
  *i; // no-warning
}

Not instantly sure what to do with this. You can avoid state splits until you are actually sure if both branches are possible, but that'd suppress a lot of useful positives. Such positives could be suppressed with assertions, of course, but i'd still hope there aren't too many of those.

I mean, std::find(... ><

Thank you for the suggestion. I am not sure if I fully understand you. If I create a map where the key is the resulting symbol of the comparison, it will not work because evalAssume is called for the innermost comparison. So if the body of operator== (or operator!=) is inlined, then I get a binary symbolic expression in evalAssume, not the SymbolConjured. This binary Symbolic expression is a comparison of the internals of the iterators, e.g. the internal pointer. So the key will not match any LHS and RHS value pair in the map. I also thought on such solution earlier but I dismissed it because of this.

False positives can occur whenever we are sure that we will find the element so we do not check for the result to be equal with end().

Instead of swapping I moved the code into a separate function and I call this functions now with differenet parameters.

There is an overload that does not requires a tag, but it requires a type instad.

Maybe if I evaluate the operator==() call for iterators using evalCall()?

This code definitely deserves comments. I managed to understand that this is a workaround for completely replacing the conjured symbol with a lazy value upon calling a method over temporary, which the core does from time to time, and i suspect that this code may break whenever more than one checker starts doing this (i.e. you'd have to skip more than one predecessor node in this case).

I still think that the root cause here is conjured structural symbols which i'd probably prefer to get rid of completely, and then this hack wouldn't be necessary.

Well, even if the body of the comparison operator is inlined, PreStmt/PostStmt callbacks should still work, and it doesn't really matter if there's a SymbolConjured or not, we can still add the symbolic expression to our map as a key.

Essentially, you ignore whatever happens in the iterator's operator==() when it's inlined (including any evalAssume events), then in PostStmt of operator==() you map the return-value symbol of the operator to the operator's arguments (operands), then whenever an assumption is being made against the return-value symbol, you carry over this assumption to the operands. I think it shouldn't really matter if the operator call was inlined.

The only unexpected thing that may happen due to inlining is if the inlined operator returns a concrete value (plain true or plain false) instead of the symbol, but in this case what we need to do is to just carry over the assumption to the operands instantly.

Yep, so there's a bit of grey area here. The test case i wrote is very artificial, i.e. it is not idiomatic, in fact there aren't many cases when doing find() is actually useful when we're sure the element is there.

However, if we eventually enable this checker by default (move out of the alpha.* package), then i think we need to come up with a better behavior for this case:

• maybe it depends on container type (eg. for map-like containers we may know that the key is there but we don't know the value?);
• maybe it's a good idea to add a checker option to enable or disable the warning upon using unchecked find results;
• maybe we'd learn to reason about containers a bit better, even though it'd be hard.

So i've a feeling this can be moved to a FIXME/later, but it's definitely something to think about.

Sorry, maybe my phrasing was not accurate enough. The problem is that the assumption is not being made against the return-value symbol of the operator==(), but if inlined, against the internal == operator. So I do not have the same key in evalAssume() thus I cannot access the operands from the map I stored in checkPostCall(). The only solution I can imagine is that I evalCall() the operator==() but then we lose the opportunity to check anything inside the body of the operator.

I think I do not fully understand you here: do you mean some fix in the core?

At least one advantage of the assert is that it provides an error message. I'd not try to minimize the number of asserts.

Thanks for working on this!!!

We've discussed this with Artem and Devin in more detail and here are the notes from the conversation.

Just to summarize, Artem's proposal is to replace the two trates for RHS and LHS with a map from a symbol that represents the result of the iterator comparison to LHS SVal, RHS SVal, and the relation between them (== | !=).

Are you concerned about this case:

bool operator==(const it&RHS) {

return x == RHS.x; // If evalAssume is called here, we are just going to ignore it.

} // We get a post call and can fill in the map from binary symbolic expression to LHS and RHS.

You are right, we will get a binary symbolic expression and not SymbolConjured. And we will not fill in the map until the return from the inlined operator. However, even if the operator is inlined, we will be calling PostCall on it after the return. So at that point, the (binary symbolic expression) -> (LHS, RHS, ==) entry will be added to the map, where the LHS and RHS will be the arguments to the call. The evalAssume will be called on the caller side.

Another example:
bool operator==(const it&RHS) {

if (x == RHS.x)
  return y = RHS.y;
return false; // <- Constant is returned.

}
In this case, a concrete value is returned on one of the branches. The suggestion is not to rely on evalAssume, but record the relation of the iterators based on the value of the constant being returned. When the expression is evaluated on the caller side, one of the branches will be unreachable anyway, so we will not loose precision here even if we do nothing on evalAssume.

Also, could you please add examples that use the inlined and non-inlined operators in the following way to make sure everything still works:

if ( ! (i==e) )

Very Important: You should test your patch with eagerly assume option turned on since this mode the analyzer is on by default and running without eagerly assume is outdated. An option to run without eagerly assume should be removed altogether.

You are right, and the same is true for PreCall.

I agree, but I think Alexei is rigt here: cast<> already has the assert we need here.

That will be part of another checker, but where exactly to put the comment you suggest?

OK, I did it. My initial problem was that I believed that the return value in checkPostCall will be different from the symbolic expression representing the internal comparison, but no, it was the same. I also put a new trick into evalAssume for the negated case you mention. Furthermore, if eagerly assume is enabled, we get concrete integer as result in checkPostCall so we process the iterator there in this case.

In the automatic test I cannot test inlined operators, because it does not inline anything that is included from a remote file. But I tested it manually, everything seems to work.

You can test the inlining case by turning on inlining of containers. I think it's important to add a test since the logic is somewhat complicated and it's possible the analyzer will change the treatment of containers in the future. Here is the option. I'd just add another test case with that option enabled:

/// Returns whether or not methods of C++ container objects may be considered
/// for inlining.
///
/// This is controlled by the 'c++-container-inlining' config option, which
/// accepts the values "true" and "false".
bool mayInlineCXXContainerMethods();

Maybe we should merge this file with the system-header-simulator-cxx.h? It already contains a vector type but no iterators.

I am not sure why I am handleing CXXOperatorCall here. Instead, I should handle every call, but only instance calls. For final solution would it not be better to make the checker explicitely metrialize a temporary object here instead of just creating it silently? Then my existing checker function would catch it.

How about: "C++ STL Error" -> "Misuse of STL APIs"

Please, quote svn revision number instead of phabricator number.

You could simplify the code a bit by moving all these identifier lookups into a subrutine and/or just have a single statement guard checking f they have been initialized.

I agree with Artem that the future readers and maintainers of this code would greatly benefit if there were higher level comments explaining how this checker works. For example, here, we are saving the information about the comparison because iterators are value types...

Would isInStdNamespace() from BugReporterVisitor.cpp be useful here? It would be fine to add this API to the CheckerContext or some other place accessible from here and the BugReporter.

This could be useful for other checkers as well. Maybe refactor this out as part of a subsequent commit?

Yes, we the headers are supposed to be reusable for different checkers!

The error message is not very good for the find API cases. There is only a possibility of access past end. Also its much better to be explicit about what went wrong here - the user forgot to check the return value of find. We could say something like "The value returned from 'find' needs to be checked before it's accessed".

We'd need to implement a custom BugReporterVisitor that detects if the iterator is a return value from some method that needs checking. This can be & should be a separate patch.

OK, I copied it from another checker :-)

Is there a reason not to use isInStdNamespace() instead of the inTopLevelNamespace()? We can add the API to Checker Context.