This is an archive of the discontinued LLVM Phabricator instance.

Differential D27202

[analyzer] Do not conjure a symbol for return value of a conservatively evaluated function
AbandonedPublic

Authored by NoQ on Nov 29 2016, 4:46 AM.

Details

Reviewers
dcoughlin
a.sidorin
zaks.anna
xazax.hun
george.karpenkov
Summary

Instead, return a nonloc::LazyCompoundVal of a temporary region for the call expression, with a trivial store in which the temporary region is invalidated.

Returning a conjured record-type symbol is painful because the return value of the function may suddenly change during materialization of a temporary - it will be hotfixed into the same lazy compound value anyway in some cases, eg. in createTemporaryRegionIfNeeded when handling a MaterializeTemporaryExpr. After this patch, we should be receiving the same temporary region during materialization, instead of constructing a new region, and materialization of a conjured structure starts doing a lot less things.

I'm including a change in the yet-to-land iterator checker (D25660), which should or should not be committed depending on the order of patches landing. This change demonstrates how the problem explained above causes checkers to hack around.

In fact, there are other places in which we conjure structure-type symbols, eg. some cases of array invalidations. They aren't known to cause problems though.

Diff Detail

Event Timeline

NoQ updated this revision to Diff 79541.Nov 29 2016, 4:46 AM
NoQ retitled this revision from to [analyzer] Do not conjure a symbol for return value of a conservatively evaluated function.
NoQ updated this object.
NoQ added reviewers: zaks.anna, dcoughlin, xazax.hun, a.sidorin.
NoQ added parent revisions: D26837: [analyzer] Litter the SVal/SymExpr/MemRegion class hierarchy with asserts., D25660: [Analyzer] Checker for iterators dereferenced beyond their range..
NoQ added subscribers: cfe-commits, baloghadamsoftware.
NoQ updated this object.Nov 29 2016, 4:49 AM
NoQ mentioned this in D25660: [Analyzer] Checker for iterators dereferenced beyond their range..Nov 29 2016, 5:10 AM
baloghadamsoftware mentioned this in D26837: [analyzer] Litter the SVal/SymExpr/MemRegion class hierarchy with asserts..Dec 5 2016, 1:10 AM
baloghadamsoftware added a comment.Dec 8 2016, 2:07 AM

Could you please remove the IteratorPastEndChecker file differences from this patch and make D25660 dependent on this one?

zaks.anna edited edge metadata.Dec 9 2016, 11:12 PM

Could you please remove the IteratorPastEndChecker file differences from this patch and make D25660
dependent on this one?

Since this has not been reviewed yet while the IteratorPastEndChecker has been, I do not think we should block the checker on this.

baloghadamsoftware added a comment.Jan 16 2017, 5:56 AM

Any progress regarding this patch? Is D26837 necessarily a dependency, or we just need isCompoundType() function? This function could be moved to a separate patch so the dependency could be removed.

zaks.anna added a comment.Jan 17 2017, 1:58 PM

From what I recall, it is not clear that this patch is the step in the right direction. At least, it need more investigation.

NoQ planned changes to this revision.Jan 18 2017, 12:03 AM

Yep, because there are a lot more places in which the value of the expression suddenly changes, i think i'd want to either fix all of them, or (if i find some of those really reasonable) make a callback for checkers to subscribe to value replacements (which i'd prefer to treat as a trivial but definite step into alpha-renaming support).

NoQ mentioned this in D35216: [analyzer] Escape symbols when creating std::initializer_list..Jul 10 2017, 11:54 AM
NoQ mentioned this in D44131: [analyzer] Support temporaries conjured by conservatively evaluated functions..Mar 5 2018, 6:06 PM
NoQ abandoned this revision.Jul 11 2018, 6:10 PM

Outdated by D44131.

Herald added a reviewer: george.karpenkov. · View Herald TranscriptJul 11 2018, 6:10 PM
Herald added subscribers: mikhail.ramalho, rnkovacs, szepet. · View Herald Transcript

Revision Contents

Diff 79541

lib/StaticAnalyzer/Checkers/IteratorPastEndChecker.cpp

Show First 20 LinesShow All 62 Lines▼ Show 20 Linespublic:
bool operator!=(const IteratorComparison &X) const { bool operator!=(const IteratorComparison &X) const {
return Left != X.Left || Right != X.Right || Equality != X.Equality; return Left != X.Left || Right != X.Right || Equality != X.Equality;
} }
void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(Equality); } void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(Equality); }
}; };
class IteratorPastEndChecker class IteratorPastEndChecker
: public Checker< : public Checker<
check::PreCall, check::PostCall, check::PreStmt<CXXOperatorCallExpr>, check::PreCall, check::PostCall, check::PostStmt<CXXConstructExpr>,
check::PostStmt<CXXConstructExpr>, check::PostStmt<DeclStmt>, check::PostStmt<DeclStmt>, check::PostStmt<MaterializeTemporaryExpr>,
check::PostStmt<MaterializeTemporaryExpr>, check::BeginFunction, check::BeginFunction, check::DeadSymbols, eval::Assume, eval::Call> {
check::DeadSymbols, eval::Assume, eval::Call> {
mutable IdentifierInfo *II_std = nullptr, *II_find = nullptr, mutable IdentifierInfo *II_std = nullptr, *II_find = nullptr,
*II_find_end = nullptr, *II_find_first_of = nullptr, *II_find_end = nullptr, *II_find_first_of = nullptr,
*II_find_if = nullptr, *II_find_if_not = nullptr, *II_find_if = nullptr, *II_find_if_not = nullptr,
*II_lower_bound = nullptr, *II_upper_bound = nullptr, *II_lower_bound = nullptr, *II_upper_bound = nullptr,
*II_search = nullptr, *II_search_n = nullptr; *II_search = nullptr, *II_search_n = nullptr;
std::unique_ptr<BugType> PastEndBugType; std::unique_ptr<BugType> PastEndBugType;
Show All 17 Linesclass IteratorPastEndChecker
void reportPastEndBug(const StringRef &Message, const SVal &Val, void reportPastEndBug(const StringRef &Message, const SVal &Val,
CheckerContext &C, ExplodedNode *ErrNode) const; CheckerContext &C, ExplodedNode *ErrNode) const;
public: public:
IteratorPastEndChecker(); IteratorPastEndChecker();
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const CXXOperatorCallExpr *COCE, CheckerContext &C) const;
void checkBeginFunction(CheckerContext &C) const; void checkBeginFunction(CheckerContext &C) const;
void checkPostStmt(const CXXConstructExpr *CCE, CheckerContext &C) const; void checkPostStmt(const CXXConstructExpr *CCE, CheckerContext &C) const;
void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
void checkPostStmt(const MaterializeTemporaryExpr *MTE, void checkPostStmt(const MaterializeTemporaryExpr *MTE,
CheckerContext &C) const; CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond, ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
bool Assumption) const; bool Assumption) const;
▲ Show 20 LinesShow All 94 Lines▼ Show 20 Lines if (Func->isOverloadedOperator()) {
if (!isEndCall(Func)) if (!isEndCall(Func))
return; return;
if (!isIteratorType(Call.getResultType())) if (!isIteratorType(Call.getResultType()))
return; return;
handleEnd(C, Call.getReturnValue()); handleEnd(C, Call.getReturnValue());
} }
} }
void IteratorPastEndChecker::checkPreStmt(const CXXOperatorCallExpr *COCE,
CheckerContext &C) const {
const auto *ThisExpr = COCE->getArg(0);
auto State = C.getState();
const auto *LCtx = C.getPredecessor()->getLocationContext();
const auto CurrentThis = State->getSVal(ThisExpr, LCtx);
if (const auto *Reg = CurrentThis.getAsRegion()) {
if (!Reg->getAs<CXXTempObjectRegion>())
return;
const auto OldState = C.getPredecessor()->getFirstPred()->getState();
const auto OldThis = OldState->getSVal(ThisExpr, LCtx);
const auto *Pos = getIteratorPosition(OldState, OldThis);
if (!Pos)
return;
State = setIteratorPosition(State, CurrentThis, *Pos);
C.addTransition(State);
}
}
void IteratorPastEndChecker::checkBeginFunction(CheckerContext &C) const { void IteratorPastEndChecker::checkBeginFunction(CheckerContext &C) const {
auto State = C.getState(); auto State = C.getState();
const auto *LCtx = C.getLocationContext(); const auto *LCtx = C.getLocationContext();
const auto *Site = cast<StackFrameContext>(LCtx)->getCallSite(); const auto *Site = cast<StackFrameContext>(LCtx)->getCallSite();
if (!Site) if (!Site)
return; return;
▲ Show 20 LinesShow All 602 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 LinesShow All 547 Lines▼ Show 20 Lines if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
return State->BindExpr(E, LCtx, ThisV); return State->BindExpr(E, LCtx, ThisV);
} }
// Conjure a symbol if the return value is unknown. // Conjure a symbol if the return value is unknown.
QualType ResultTy = Call.getResultType(); QualType ResultTy = Call.getResultType();
SValBuilder &SVB = getSValBuilder(); SValBuilder &SVB = getSValBuilder();
unsigned Count = currBldrCtx->blockCount(); unsigned Count = currBldrCtx->blockCount();
SVal R = SVB.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count); SVal R;
if (NonLoc::isCompoundType(ResultTy)) {
// Return a (lazy) compound value for compound types.
MemRegionManager &MemMgr = SVB.getRegionManager();
StoreManager &StoreMgr = SVB.getStateManager().getStoreManager();
const CXXTempObjectRegion *TR = MemMgr.getCXXTempObjectRegion(E, LCtx);
StoreRef EmptyStore = StoreMgr.getInitialStore(LCtx);
InvalidatedSymbols IS;
RegionAndSymbolInvalidationTraits ITraits;
ITraits.setTrait(TR, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
StoreRef ConjuredStore = StoreMgr.invalidateRegions(
EmptyStore.getStore(), loc::MemRegionVal(TR), E, Count, LCtx, nullptr,
IS, ITraits, nullptr, nullptr);
R = SVB.makeLazyCompoundVal(ConjuredStore, TR);
} else {
R = SVB.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);
}
return State->BindExpr(E, LCtx, R); return State->BindExpr(E, LCtx, R);
} }
// Conservatively evaluate call by invalidating regions and binding // Conservatively evaluate call by invalidating regions and binding
// a conjured return value. // a conjured return value.
void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr, void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr,
ExplodedNode *Pred, ExplodedNode *Pred,
ProgramStateRef State) { ProgramStateRef State) {
▲ Show 20 LinesShow All 428 LinesShow Last 20 Lines

test/Analysis/explain-svals.cpp

Show First 20 LinesShow All 88 Lines▼ Show 20 Lines void test_5(int i) {
clang_analyzer_explain(&x[i]); // expected-warning-re{{{{^pointer to element of type 'int' with index 'argument 'i'' of field 'x' of 'this' object$}}}} clang_analyzer_explain(&x[i]); // expected-warning-re{{{{^pointer to element of type 'int' with index 'argument 'i'' of field 'x' of 'this' object$}}}}
clang_analyzer_explain(__builtin_alloca(i)); // expected-warning-re{{{{^pointer to region allocated by '__builtin_alloca\(i\)'$}}}} clang_analyzer_explain(__builtin_alloca(i)); // expected-warning-re{{{{^pointer to region allocated by '__builtin_alloca\(i\)'$}}}}
} }
}; };
} // end of anonymous namespace } // end of anonymous namespace
void test_6() { void test_6() {
clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of temporary object constructed at statement 'conjure_S\(\)'$}}}} clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of temporary object constructed at statement 'conjure_S\(\)'$}}}}
clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from \(symbol of type 'struct S' conjured at statement 'conjure_S\(\)'\) for field 'z' of temporary object constructed at statement 'conjure_S\(\)'$}}}} clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure_S\(\)'\) for field 'z' of temporary object constructed at statement 'conjure_S\(\)'$}}}}
} }