This is an archive of the discontinued LLVM Phabricator instance.

Differential D32437

[analyzer] Nullability: fix a crash when adding notes inside a synthesized property accessor.
ClosedPublic

Authored by NoQ on Apr 24 2017, 8:45 AM.

Details

Reviewers
zaks.anna
dcoughlin
Commits
rGfbe891ee05a5: [analyzer] Nullability: fix notes around synthesized ObjC property accessors.
rC304710: [analyzer] Nullability: fix notes around synthesized ObjC property accessors.
rL304710: [analyzer] Nullability: fix notes around synthesized ObjC property accessors.
Summary

In this test case, the body of a property is autosynthesized, and its source locations are invalid. Path diagnostic locations must refer to valid source locations, hence we're hitting an assertion. This patch disables the bugvisitor's note, however we'd need to figure out where to stick it eventually. These new "extra notes" of mine might be useful (we could put them at property declaration), i could add them if everybody likes this idea.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Apr 24 2017, 8:45 AM
zaks.anna accepted this revision.May 9 2017, 11:22 PM

These new "extra notes" of mine might be useful (we could put them at property declaration), i could add them if everybody likes this idea.

What are these? Is there a PR?

It would be great if we could place a note on a parent that has location. For example, can we walk up the location context?
If you do not fix it in this PR, it's definitely worth a FIXME.

This revision is now accepted and ready to land.May 9 2017, 11:22 PM
NoQ added a comment.May 9 2017, 11:40 PM

What are these? Is there a PR?

The best explanation we currently have, with examples, is D24278

It would be great if we could place a note on a parent that has location.

That's actually the best approach in my opinion, if achievable.

For example, can we walk up the location context?

That wouldn't work this way because we'd have the completely redundant "calling property accessor" piece before that, and "returning..." after that. Instead, i guess i'd try to actually report a note either before entering the call or after returning from the call, so that call enter notes get pruned for having nothing in between.

zaks.anna added a comment.May 9 2017, 11:45 PM

That wouldn't work this way because we'd have the completely redundant "calling property accessor" piece before that, and "returning..." after that.

I think we should not print "calling" and "returning" for calling into and returning from autogenerated code, If we do, we should fix that as well. Wouldn't it be simpler to just not emit those nodes if we see that they are calling autogenerated code? (Do we have a valid source location in autogenerated context? If not, we could just not print "calling" and "returning" for calls into a body that does not have proper location info.) If you looked into this already and these are not useful suggestions, please, disregard:)

NoQ added a comment.May 9 2017, 11:48 PM
In D32437#750622, @zaks.anna wrote:

That wouldn't work this way because we'd have the completely redundant "calling property accessor" piece before that, and "returning..." after that.

I think we should not print "calling" and "returning" for calling into and returning from autogenerated code,

This sounds logical, yeah, i could do that as well (though right now it doesn't work that way, and i suspect nobody tried).

NoQ updated this revision to Diff 99300.May 17 2017, 7:35 AM

Automatically pop up from bodyfarm-originated code in PathDiagnosticLocation::getStmt().

Avoid putting "Calling..." and "Returning..." notes on Objective-C auto-synthesized property calls, because they would never call visible code later.

Test the newly added path notes.

Herald added a subscriber: xazax.hun. · View Herald TranscriptMay 17 2017, 7:35 AM
zaks.anna added a comment.May 17 2017, 10:44 AM

Thanks! A couple of minor comments below.

lib/StaticAnalyzer/Core/PathDiagnostic.cpp
699 ↗(On Diff #99300)

Nit: You could probably factor this into a nicely named helper function.

704 ↗(On Diff #99300)

Is ParentLC guaranteed never to be null? I would prefer checking for it inside the while. Even if it is not likely to happen now, the code could evolve to handle more cases..

932 ↗(On Diff #99300)

There was a case where we wanted to produce events for auto synthesized code, could you add a comment on what they were? (Otherwise, it's not clear why we need the isPropertyAccessor check.)

NoQ updated this revision to Diff 100673.May 30 2017, 2:18 AM
NoQ marked 3 inline comments as done.

Fix comments.

lib/StaticAnalyzer/Core/PathDiagnostic.cpp
704 ↗(On Diff #99300)

We're unlikely to begin analysis at top-frames with auto-synthesized code bodies in the future. Added an assertion.

NoQ mentioned this in D33671: [analyzer] In plist alternate mode, don't add weird control flow pieces from ObjC property declarations to uses..May 30 2017, 5:04 AM
NoQ added a child revision: D33671: [analyzer] In plist alternate mode, don't add weird control flow pieces from ObjC property declarations to uses..May 30 2017, 5:08 AM
Closed by commit rL304710: [analyzer] Nullability: fix notes around synthesized ObjC property accessors. (authored by dergachev). · Explain WhyJun 5 2017, 5:40 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
16 lines
lib/
StaticAnalyzer/
Checkers/
2 lines
Core/
46 lines
test/
Analysis/
18 lines

Diff 101392

cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h

Show First 20 LinesShow All 544 Lines▼ Show 20 Linespublic:
static inline bool classof(const PathDiagnosticPiece *P) { static inline bool classof(const PathDiagnosticPiece *P) {
return P->getKind() == Event; return P->getKind() == Event;
} }
}; };
class PathDiagnosticCallPiece : public PathDiagnosticPiece { class PathDiagnosticCallPiece : public PathDiagnosticPiece {
PathDiagnosticCallPiece(const Decl *callerD, PathDiagnosticCallPiece(const Decl *callerD,
const PathDiagnosticLocation &callReturnPos) const PathDiagnosticLocation &callReturnPos)
: PathDiagnosticPiece(Call), Caller(callerD), Callee(nullptr), : PathDiagnosticPiece(Call), Caller(callerD), Callee(nullptr),
NoExit(false), callReturn(callReturnPos) {} NoExit(false), IsCalleeAnAutosynthesizedPropertyAccessor(false),
callReturn(callReturnPos) {}
PathDiagnosticCallPiece(PathPieces &oldPath, const Decl *caller) PathDiagnosticCallPiece(PathPieces &oldPath, const Decl *caller)
: PathDiagnosticPiece(Call), Caller(caller), Callee(nullptr), : PathDiagnosticPiece(Call), Caller(caller), Callee(nullptr),
NoExit(true), path(oldPath) {} NoExit(true), IsCalleeAnAutosynthesizedPropertyAccessor(false),
path(oldPath) {}
const Decl *Caller; const Decl *Caller;
const Decl *Callee; const Decl *Callee;
// Flag signifying that this diagnostic has only call enter and no matching // Flag signifying that this diagnostic has only call enter and no matching
// call exit. // call exit.
bool NoExit; bool NoExit;
// Flag signifying that the callee function is an Objective-C autosynthesized
// property getter or setter.
bool IsCalleeAnAutosynthesizedPropertyAccessor;
// The custom string, which should appear after the call Return Diagnostic. // The custom string, which should appear after the call Return Diagnostic.
// TODO: Should we allow multiple diagnostics? // TODO: Should we allow multiple diagnostics?
std::string CallStackMessage; std::string CallStackMessage;
public: public:
PathDiagnosticLocation callEnter; PathDiagnosticLocation callEnter;
PathDiagnosticLocation callEnterWithin; PathDiagnosticLocation callEnterWithin;
PathDiagnosticLocation callReturn; PathDiagnosticLocation callReturn;
▲ Show 20 LinesShow All 291 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

Show First 20 LinesShow All 320 Lines▼ Show 20 Lines if (!TrackedNullab)
return nullptr; return nullptr;
if (TrackedNullabPrev && if (TrackedNullabPrev &&
TrackedNullabPrev->getValue() == TrackedNullab->getValue()) TrackedNullabPrev->getValue() == TrackedNullab->getValue())
return nullptr; return nullptr;
// Retrieve the associated statement. // Retrieve the associated statement.
const Stmt *S = TrackedNullab->getNullabilitySource(); const Stmt *S = TrackedNullab->getNullabilitySource();
if (!S) { if (!S || S->getLocStart().isInvalid()) {
S = PathDiagnosticLocation::getStmt(N); S = PathDiagnosticLocation::getStmt(N);
} }
if (!S) if (!S)
return nullptr; return nullptr;
std::string InfoText = std::string InfoText =
(llvm::Twine("Nullability '") + (llvm::Twine("Nullability '") +
▲ Show 20 LinesShow All 901 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp

Show First 20 LinesShow All 688 Lines▼ Show 20 Lines return getLocationForCaller(CEE->getCalleeContext(),
SMng); SMng);
} else { } else {
llvm_unreachable("Unexpected ProgramPoint"); llvm_unreachable("Unexpected ProgramPoint");
} }
return PathDiagnosticLocation(S, SMng, P.getLocationContext()); return PathDiagnosticLocation(S, SMng, P.getLocationContext());
} }
static const LocationContext *
findTopAutosynthesizedParentContext(const LocationContext *LC) {
assert(LC->getAnalysisDeclContext()->isBodyAutosynthesized());
const LocationContext *ParentLC = LC->getParent();
assert(ParentLC && "We don't start analysis from autosynthesized code");
while (ParentLC->getAnalysisDeclContext()->isBodyAutosynthesized()) {
LC = ParentLC;
ParentLC = LC->getParent();
assert(ParentLC && "We don't start analysis from autosynthesized code");
}
return LC;
}
const Stmt *PathDiagnosticLocation::getStmt(const ExplodedNode *N) { const Stmt *PathDiagnosticLocation::getStmt(const ExplodedNode *N) {
// We cannot place diagnostics on autosynthesized code.
// Put them onto the call site through which we jumped into autosynthesized
// code for the first time.
const LocationContext *LC = N->getLocationContext();
if (LC->getAnalysisDeclContext()->isBodyAutosynthesized()) {
// It must be a stack frame because we only autosynthesize functions.
return cast<StackFrameContext>(findTopAutosynthesizedParentContext(LC))
->getCallSite();
}
// Otherwise, see if the node's program point directly points to a statement.
ProgramPoint P = N->getLocation(); ProgramPoint P = N->getLocation();
if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) if (Optional<StmtPoint> SP = P.getAs<StmtPoint>())
return SP->getStmt(); return SP->getStmt();
if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) if (Optional<BlockEdge> BE = P.getAs<BlockEdge>())
return BE->getSrc()->getTerminator(); return BE->getSrc()->getTerminator();
if (Optional<CallEnter> CE = P.getAs<CallEnter>()) if (Optional<CallEnter> CE = P.getAs<CallEnter>())
return CE->getCallExpr(); return CE->getCallExpr();
if (Optional<CallExitEnd> CEE = P.getAs<CallExitEnd>()) if (Optional<CallExitEnd> CEE = P.getAs<CallExitEnd>())
▲ Show 20 LinesShow All 201 Lines▼ Show 20 Lines
void PathDiagnosticCallPiece::setCallee(const CallEnter &CE, void PathDiagnosticCallPiece::setCallee(const CallEnter &CE,
const SourceManager &SM) { const SourceManager &SM) {
const StackFrameContext *CalleeCtx = CE.getCalleeContext(); const StackFrameContext *CalleeCtx = CE.getCalleeContext();
Callee = CalleeCtx->getDecl(); Callee = CalleeCtx->getDecl();
callEnterWithin = PathDiagnosticLocation::createBegin(Callee, SM); callEnterWithin = PathDiagnosticLocation::createBegin(Callee, SM);
callEnter = getLocationForCaller(CalleeCtx, CE.getLocationContext(), SM); callEnter = getLocationForCaller(CalleeCtx, CE.getLocationContext(), SM);
// Autosynthesized property accessors are special because we'd never
// pop back up to non-autosynthesized code until we leave them.
// This is not generally true for autosynthesized callees, which may call
// non-autosynthesized callbacks.
// Unless set here, the IsCalleeAnAutosynthesizedPropertyAccessor flag
// defaults to false.
if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(Callee))
IsCalleeAnAutosynthesizedPropertyAccessor = (
MD->isPropertyAccessor() &&
CalleeCtx->getAnalysisDeclContext()->isBodyAutosynthesized());
} }
static inline void describeClass(raw_ostream &Out, const CXXRecordDecl *D, static inline void describeClass(raw_ostream &Out, const CXXRecordDecl *D,
StringRef Prefix = StringRef()) { StringRef Prefix = StringRef()) {
if (!D->getIdentifier()) if (!D->getIdentifier())
return; return;
Out << Prefix << '\'' << *D << '\''; Out << Prefix << '\'' << *D << '\'';
} }
▲ Show 20 LinesShow All 58 Lines▼ Show 20 Linesstatic bool describeCodeDecl(raw_ostream &Out, const Decl *D,
} }
Out << Prefix << '\'' << cast<NamedDecl>(*D) << '\''; Out << Prefix << '\'' << cast<NamedDecl>(*D) << '\'';
return true; return true;
} }
std::shared_ptr<PathDiagnosticEventPiece> std::shared_ptr<PathDiagnosticEventPiece>
PathDiagnosticCallPiece::getCallEnterEvent() const { PathDiagnosticCallPiece::getCallEnterEvent() const {
if (!Callee) // We do not produce call enters and call exits for autosynthesized property
// accessors. We do generally produce them for other functions coming from
// the body farm because they may call callbacks that bring us back into
// visible code.
if (!Callee || IsCalleeAnAutosynthesizedPropertyAccessor)
return nullptr; return nullptr;
SmallString<256> buf; SmallString<256> buf;
llvm::raw_svector_ostream Out(buf); llvm::raw_svector_ostream Out(buf);
Out << "Calling "; Out << "Calling ";
describeCodeDecl(Out, Callee, /*ExtendedDescription=*/true); describeCodeDecl(Out, Callee, /*ExtendedDescription=*/true);
Show All 17 LinesPathDiagnosticCallPiece::getCallEnterWithinCallerEvent() const {
Out << "Entered call"; Out << "Entered call";
describeCodeDecl(Out, Caller, /*ExtendedDescription=*/false, " from "); describeCodeDecl(Out, Caller, /*ExtendedDescription=*/false, " from ");
return std::make_shared<PathDiagnosticEventPiece>(callEnterWithin, Out.str()); return std::make_shared<PathDiagnosticEventPiece>(callEnterWithin, Out.str());
} }
std::shared_ptr<PathDiagnosticEventPiece> std::shared_ptr<PathDiagnosticEventPiece>
PathDiagnosticCallPiece::getCallExitEvent() const { PathDiagnosticCallPiece::getCallExitEvent() const {
if (NoExit) // We do not produce call enters and call exits for autosynthesized property
// accessors. We do generally produce them for other functions coming from
// the body farm because they may call callbacks that bring us back into
// visible code.
if (NoExit || IsCalleeAnAutosynthesizedPropertyAccessor)
return nullptr; return nullptr;
SmallString<256> buf; SmallString<256> buf;
llvm::raw_svector_ostream Out(buf); llvm::raw_svector_ostream Out(buf);
if (!CallStackMessage.empty()) { if (!CallStackMessage.empty()) {
Out << CallStackMessage; Out << CallStackMessage;
} else { } else {
▲ Show 20 LinesShow All 160 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/nullability-notes.m

// RUN: %clang_analyze_cc1 -fblocks -analyzer-checker=core,nullability.NullPassedToNonnull,nullability.NullReturnedFromNonnull,nullability.NullablePassedToNonnull,nullability.NullableReturnedFromNonnull,nullability.NullableDereferenced -analyzer-output=text -verify %s
#include "Inputs/system-header-simulator-for-nullability.h"
void takesNonnull(NSObject *_Nonnull y);
@interface ClassWithProperties: NSObject
@property(copy, nullable) NSObject *x;
-(void) method;
@end;
@implementation ClassWithProperties
-(void) method {
// no-crash
NSObject *x = self.x; // expected-note{{Nullability 'nullable' is inferred}}
takesNonnull(x); // expected-warning{{Nullable pointer is passed to a callee that requires a non-null 1st parameter}}
// expected-note@-1{{Nullable pointer is passed to a callee that requires a non-null 1st parameter}}
}
@end