This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] MisusedMovedObjectChecker: Fix a false positive on state-resetting a base-class sub-object.
ClosedPublic

Authored by NoQ on Mar 31 2017, 9:05 AM.

Download Raw Diff

Details

Reviewers

dcoughlin
a.sidorin
zaks.anna
xazax.hun
szepet

Commits

rG65f8f83a7497: [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting…
rG0f22a06b4de7: [analyzer] MisusedMovedObject: Fix state-resetting a base-class sub-object.
rC316850: [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting…
rC315301: [analyzer] MisusedMovedObject: Fix state-resetting a base-class sub-object.
rL316850: [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting…
rL315301: [analyzer] MisusedMovedObject: Fix state-resetting a base-class sub-object.

Summary

If a state reset method is defined in a parent class, but called over an object of a child class, then the checker doesn't treat this as a state reset, at least for the sake of "Copying a 'moved-from' object" warning class.

The patch fixes it, but Peter may have a better fix in mind :)

Diff Detail

Event Timeline

NoQ created this revision.Mar 31 2017, 9:05 AM

Thank you for working on that, Artem!
The changes look good, just one comment about that suspicious remove.

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
426	I am wondering if I made a mistake but I think this should be removeFromState() function call. (We should remove every marked subregions of the object too.) So I suspect a code like this would result a false positive: struct A{ B b; void clear(); }; void test(){ A a; B b = std::move(a.b); a.clear(); b = std::move(a); //report a bug } I mean it is probably a report we do not want to have.

szepet added inline comments.Mar 31 2017, 10:36 AM

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
426	Shame on the test file writer that he does not covered this, though. ^^

szepet accepted this revision.Apr 15 2017, 1:22 PM

szepet added inline comments.

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
426	Okay, I have checked it and yes, it produces a bugreport (false positive) on the code snippet above (which contains a misspelled variable name so let me write it again): struct B{}; struct A{ B b; void clear(); }; void test(){ A a; B b = std::move(a.b); a.clear(); b = std::move(a.b); //report a bug } In order to eliminate these type of bugs I suggest using here the removeFromState function and move this "WholeObjectRegion algorithm" (the for loop) to the removeFromState function. It is probably out of scope from this patch. Anyway, I accept this since it is great to fix this bug and a good step to a follow-up patch. (Well, if you would like to make these changes in this patch. I'm not gonna hold you back. It is highly appreciated and I would certainly review and all the stuff but I would do it gladly in a follow-up too.) Again, thank you for pointing this out and making the checker more precise!

This revision is now accepted and ready to land.Apr 15 2017, 1:22 PM

Hello Artem!

Could you please commit these changes? (And D31541 as well.) Thanks in advance!

szepet mentioned this in D38673: [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting, handling method calls on base-class sub-objects.Oct 8 2017, 9:32 AM

szepet added a child revision: D38673: [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting, handling method calls on base-class sub-objects.

I think there was only one comment but that is already addressed in a dependent revision. So I think this one is good as is.

NoQ mentioned this in D38675: [analyzer] MoveChecker Pt.10: Move the checker out of alpha state..Oct 10 2017, 2:51 AM

Closed by commit rL315301: [analyzer] MisusedMovedObject: Fix state-resetting a base-class sub-object. (authored by dergachev). · Explain WhyOct 10 2017, 4:56 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

MisusedMovedObjectChecker.cpp

9 lines

test/

Analysis/

MisusedMovedObject.cpp

8 lines

Diff 93652

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp

Show First 20 Lines • Show All 410 Lines • ▼ Show 20 Lines	if (OperatorEq) {
return;		return;
}		}

// The remaining part is check only for method call on a moved-from object.		// The remaining part is check only for method call on a moved-from object.
if (isMoveSafeMethod(MethodDecl))		if (isMoveSafeMethod(MethodDecl))
return;		return;

if (isStateResetMethod(MethodDecl)) {		if (isStateResetMethod(MethodDecl)) {
State = State->remove<TrackedRegionMap>(ThisRegion);		// A state reset method resets the whole object, not only sub-object
		// of a parent class in which it is defined.
		const MemRegion *WholeObjectRegion = ThisRegion;
		while (const CXXBaseObjectRegion *BR =
		dyn_cast<CXXBaseObjectRegion>(WholeObjectRegion))
		WholeObjectRegion = BR->getSuperRegion();

		State = State->remove<TrackedRegionMap>(WholeObjectRegion);
		szepetUnsubmitted Not Done Reply Inline Actions I am wondering if I made a mistake but I think this should be removeFromState() function call. (We should remove every marked subregions of the object too.) So I suspect a code like this would result a false positive: struct A{ B b; void clear(); }; void test(){ A a; B b = std::move(a.b); a.clear(); b = std::move(a); //report a bug } I mean it is probably a report we do not want to have. szepet: I am wondering if I made a mistake but I think this should be removeFromState() function call.
		szepetUnsubmitted Not Done Reply Inline Actions Shame on the test file writer that he does not covered this, though. ^^ szepet: Shame on the test file writer that he does not covered this, though. ^^
		szepetUnsubmitted Not Done Reply Inline Actions Okay, I have checked it and yes, it produces a bugreport (false positive) on the code snippet above (which contains a misspelled variable name so let me write it again): struct B{}; struct A{ B b; void clear(); }; void test(){ A a; B b = std::move(a.b); a.clear(); b = std::move(a.b); //report a bug } In order to eliminate these type of bugs I suggest using here the removeFromState function and move this "WholeObjectRegion algorithm" (the for loop) to the removeFromState function. It is probably out of scope from this patch. Anyway, I accept this since it is great to fix this bug and a good step to a follow-up patch. (Well, if you would like to make these changes in this patch. I'm not gonna hold you back. It is highly appreciated and I would certainly review and all the stuff but I would do it gladly in a follow-up too.) Again, thank you for pointing this out and making the checker more precise! szepet: Okay, I have checked it and yes, it produces a bugreport (false positive) on the code snippet…
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}

// If it is already reported then we dont report the bug again.		// If it is already reported then we dont report the bug again.
const RegionState *ThisState = State->get<TrackedRegionMap>(ThisRegion);		const RegionState *ThisState = State->get<TrackedRegionMap>(ThisRegion);
if (!(ThisState && ThisState->isMoved()))		if (!(ThisState && ThisState->isMoved()))
return;		return;
▲ Show 20 Lines • Show All 75 Lines • Show Last 20 Lines

test/Analysis/MisusedMovedObject.cpp

Show First 20 Lines • Show All 611 Lines • ▼ Show 20 Lines	void subRegionMoveTest() {
// Don't report a misuse if any SuperRegion is already reported.		// Don't report a misuse if any SuperRegion is already reported.
{		{
A a;		A a;
A a1 = std::move(a); // expected-note {{'a' became 'moved-from' here}}		A a1 = std::move(a); // expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}		a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
a.b.foo(); // no-warning		a.b.foo(); // no-warning
}		}
}		}

		class C: public A {};
		void resetSuperClass() {
		C c;
		C c1 = std::move(c);
		c.clear();
		C c2 = c; // no-warning
		}