This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/
-
clang/
-
AST/
-
Decl.h
-
StaticAnalyzer/Core/PathSensitive/
-
Core/
-
PathSensitive/
-
ExprEngine.h
-
lib/
-
AST/
-
Decl.cpp
-
Analysis/
1
CallGraph.cpp
-
StaticAnalyzer/Core/
-
Core/
1/11
ExprEngine.cpp
-
test/Analysis/
-
Analysis/
-
global-vars.c

Differential D37897

[StaticAnalyzer] Fix ProgramState for static variables that are not written
AbandonedPublic

Authored by danielmarjamaki on Sep 15 2017, 2:15 AM.

Download Raw Diff

Details

Reviewers

zaks.anna
xazax.hun
dcoughlin
dkrupp
NoQ
AndersRonnholm

Summary

I saw a false positive where the analyzer made wrong conclusions about a static variable.

Static variables that are not written have known values (initialized values).

This is the (simplified) code that motivated me to create this patch:

static char *allv[] = {
	"rpcgen", "-s", "udp", "-s", "tcp",

};
static int allc = sizeof(allv) / sizeof(allv[0]);

static void f(void) {
	int i;

	for (i = 1; i < allc; i++) {
		const char *p = allv[i];  // <- line 28
		i++;
	}
}

Clang output:

array-fp3.c:28:19: warning: Access out-of-bound array element (buffer overflow)
                const char *p = allv[i];
                                ^~~~~~~

I added testcases that shows this patch solves both false positives and false negatives

Diff Detail

Repository: rL LLVM

Event Timeline

danielmarjamaki created this revision.Sep 15 2017, 2:15 AM

danielmarjamaki added a reviewer: AndersRonnholm.Sep 15 2017, 2:30 AM

Minor cleanups. Changed names. Updated comments.

Out of curiosity, does the false positive disappear after making the static variables const?

In D37897#871858, @xazax.hun wrote:

Out of curiosity, does the false positive disappear after making the static variables const?

Yes that fixes the false positive

I have some comments and questions but maybe you do not want to address those until Devin, NoQ, or Anna approved the general directions.

lib/StaticAnalyzer/Core/ExprEngine.cpp
107	Usually, we do not like bug recursions since it might eat up the stack. Also, do you consider the case when the variable is passed by reference to a function in another translation unit?
169	Does this work for non-integer typed e.g. structs?

The overall idea makes sense to me. I'd like you to join the effort with Peter who during his work on loop widening came up with a matcher-based procedure for finding out if a variable is changed anywhere; it currently lives in LoopUnrolling.cpp and we need only once implementation of that.

Fixes according to review comments. Reuse ast matchers in LoopUnrolling.cpp. Avoid some recursion (however the isChanged() is still recursive but it is very small and simple).

Herald added a subscriber: szepet. · View Herald TranscriptOct 6 2017, 12:03 AM

danielmarjamaki marked an inline comment as done.Oct 6 2017, 12:20 AM

danielmarjamaki added inline comments.

lib/StaticAnalyzer/Core/ExprEngine.cpp
107	I rewrote the code to reuse the ast matchers in LoopUnroll.. and that is not recursive. I rewrote the getGlobalStaticVars (this code is longer and in my opinion less readable but it's not recursive).
169	Currently static struct objects are unaffected by these changes. There is no regression. Reviews are taking too long time. I am not against getting reviews but I am against waiting for reviews for months, ideally people would only need to wait for at most a week to get a review. This is why I don't want to handle structs now -- I am not eager to prolong the review process for this patch.

danielmarjamaki marked an inline comment as done.Oct 6 2017, 12:21 AM

Hello Daniel!

It is a great feature to add, thanks for working on this!
I have just small comments (rather questions) on the code.

lib/StaticAnalyzer/Core/ExprEngine.cpp
155	I think instead of this logic it would be better to use ConstStmtVisitor. In this case it does quite the same thing in a (maybe?) more structured manner. What do you think?
168	Is it possible that a type is an IntegerType and a PointerType at the same time? If these are excluding cases then the check for !isPointer could be removed.

Apologies for the delay reviewing! As I noted inline, I'm pretty worried about the performance impact of this. Is it possible to do the analysis in a single traversal of the translation unit?

lib/StaticAnalyzer/Core/ExprEngine.cpp
123	Since you are calling `getInitialStateForGlobalStaticVar()` in `getInitialState()` for each static variable declaration and `getInitialState()` is called for each top-level function, you are doing an n^3 operation in the size of the translation unit, which is going to be very, very expensive for large translation units. Have you considered doing the analysis for static variables that are never changed during call-graph construction? This should be a linear operation and doing it during call-graph construction would avoid an extra walk of the entire translation unit.

This revision now requires changes to proceed.Oct 9 2017, 6:17 PM

In D37897#892667, @dcoughlin wrote:

Apologies for the delay reviewing! As I noted inline, I'm pretty worried about the performance impact of this. Is it possible to do the analysis in a single traversal of the translation unit?

I agree. I first tried more like that but ran into problems. Don't remember the details. I will try again.. however as far as I see this will mean the LoopUnroller AST matchers can't be reused unless I change them.

danielmarjamaki added inline comments.Oct 12 2017, 8:52 AM

lib/StaticAnalyzer/Core/ExprEngine.cpp
123	hmm... could you tell me where the call-graph construction is that I can tweak?

danielmarjamaki added inline comments.Oct 12 2017, 9:25 AM

lib/StaticAnalyzer/Core/ExprEngine.cpp
123	I think I found it: `clang/lib/Analysis/CallGraph.cpp`

Track modification of global static variables in CallGraph construction

danielmarjamaki added inline comments.Oct 13 2017, 11:46 AM

lib/StaticAnalyzer/Core/ExprEngine.cpp
123	I now track variable modifications in call-graph construction instead.
155	As far as I see ConstStmtVisitor is also recursive. Imho let's have readable code instead..

however as far as I see this will mean the LoopUnroller AST matchers can't be reused unless I change them.

Hmm. What is the problem here? I'm expecting library linkage issues (i.e. libAnalysis is not linked to libASTMatchers directly), but i guess it'd better to have the whole thing in libAnalysis then (Peter, WDYT?). Or maybe we could move the code around a bit, so that we're still in libStaticAnalyzerCore but at roughly the same moment of time.

Because you're duplicating the solution for exact same problem, using different technology, and this problem is not trivial (eg. you still need to consider reference-type declstmts and initializer lists which are not taken into account in your solution yet) so i'd dislike the idea of duplicating it.

lib/Analysis/CallGraph.cpp
104	A hint, even if we don't use visitors: the whole point of having a visitor is about not needing to make a pattern-matching (switch or sequence of dyn_casts) by statement kind yourself, like you do in this function. You already have VisitUnaryOperator, VisitBinaryOperator, VisitCallExpr, etc., so you can add the code there.

I will not continue working on this. Feel free to take over the patch or write a new patch.

Herald added subscribers: llvm-commits, a.sidorin, rnkovacs. · View Herald TranscriptJan 15 2018, 12:30 AM

Revision Contents

Path

Size

include/

clang/

AST/

Decl.h

6 lines

StaticAnalyzer/

Core/

PathSensitive/

ExprEngine.h

16 lines

lib/

AST/

Decl.cpp

10 lines

Analysis/

CallGraph.cpp

58 lines

StaticAnalyzer/

Core/

ExprEngine.cpp

63 lines

test/

Analysis/

global-vars.c

18 lines

Diff 118947

include/clang/AST/Decl.h

Show First 20 Lines • Show All 784 Lines • ▼ Show 20 Lines	public:

/// \brief Kinds of thread-local storage.		/// \brief Kinds of thread-local storage.
enum TLSKind {		enum TLSKind {
TLS_None, ///< Not a TLS variable.		TLS_None, ///< Not a TLS variable.
TLS_Static, ///< TLS with a known-constant initializer.		TLS_Static, ///< TLS with a known-constant initializer.
TLS_Dynamic ///< TLS with a dynamic initializer.		TLS_Dynamic ///< TLS with a dynamic initializer.
};		};

		void setModified();
		bool isModified() const;

protected:		protected:
// A pointer union of Stmt * and EvaluatedStmt *. When an EvaluatedStmt, we		// A pointer union of Stmt * and EvaluatedStmt *. When an EvaluatedStmt, we
// have allocated the auxiliary struct of information there.		// have allocated the auxiliary struct of information there.
//		//
// TODO: It is a bit unfortunate to use a PointerUnion inside the VarDecl for		// TODO: It is a bit unfortunate to use a PointerUnion inside the VarDecl for
// this as many VarDecls are ParmVarDecls that don't have default		// this as many VarDecls are ParmVarDecls that don't have default
// arguments. We could save some space by moving this pointer union to be		// arguments. We could save some space by moving this pointer union to be
// allocated in trailing space when necessary.		// allocated in trailing space when necessary.
typedef llvm::PointerUnion<Stmt , EvaluatedStmt > InitType;		typedef llvm::PointerUnion<Stmt , EvaluatedStmt > InitType;

/// \brief The initializer for this variable or, for a ParmVarDecl, the		/// \brief The initializer for this variable or, for a ParmVarDecl, the
/// C++ default argument.		/// C++ default argument.
mutable InitType Init;		mutable InitType Init;

private:		private:
class VarDeclBitfields {		class VarDeclBitfields {
friend class VarDecl;		friend class VarDecl;
friend class ASTDeclReader;		friend class ASTDeclReader;

unsigned SClass : 3;		unsigned SClass : 3;
unsigned TSCSpec : 2;		unsigned TSCSpec : 2;
unsigned InitStyle : 2;		unsigned InitStyle : 2;
		unsigned Modified : 1;
};		};
enum { NumVarDeclBits = 7 };		enum { NumVarDeclBits = 8 };

friend class ASTDeclReader;		friend class ASTDeclReader;
friend class StmtIteratorBase;		friend class StmtIteratorBase;
friend class ASTNodeImporter;		friend class ASTNodeImporter;

protected:		protected:
enum { NumParameterIndexBits = 8 };		enum { NumParameterIndexBits = 8 };

▲ Show 20 Lines • Show All 3,223 Lines • Show Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 Lines • Show All 569 Lines • ▼ Show 20 Lines	public:
/// Evaluate a call, running pre- and post-call checks and allowing checkers		/// Evaluate a call, running pre- and post-call checks and allowing checkers
/// to be responsible for handling the evaluation of the call itself.		/// to be responsible for handling the evaluation of the call itself.
void evalCall(ExplodedNodeSet &Dst, ExplodedNode *Pred,		void evalCall(ExplodedNodeSet &Dst, ExplodedNode *Pred,
const CallEvent &Call);		const CallEvent &Call);

/// \brief Default implementation of call evaluation.		/// \brief Default implementation of call evaluation.
void defaultEvalCall(NodeBuilder &B, ExplodedNode *Pred,		void defaultEvalCall(NodeBuilder &B, ExplodedNode *Pred,
const CallEvent &Call);		const CallEvent &Call);

private:		private:
		ProgramStateRef getInitialStateForGlobalStaticVar(const LocationContext *LCtx,
		const ProgramStateRef State,
		const VarDecl *VD);

void evalLoadCommon(ExplodedNodeSet &Dst,		void evalLoadCommon(ExplodedNodeSet &Dst,
const Expr NodeEx, / Eventually will be a CFGStmt */		const Expr NodeEx, / Eventually will be a CFGStmt */
const Expr *BoundEx,		const Expr BoundEx, ExplodedNode Pred,
ExplodedNode *Pred,		ProgramStateRef St, SVal location,
ProgramStateRef St,		const ProgramPointTag *tag, QualType LoadTy);
SVal location,
const ProgramPointTag *tag,
QualType LoadTy);

// FIXME: 'tag' should be removed, and a LocationContext should be used		// FIXME: 'tag' should be removed, and a LocationContext should be used
// instead.		// instead.
void evalLocation(ExplodedNodeSet &Dst,		void evalLocation(ExplodedNodeSet &Dst,
const Stmt NodeEx, / This will eventually be a CFGStmt */		const Stmt NodeEx, / This will eventually be a CFGStmt */
const Stmt *BoundEx,		const Stmt *BoundEx,
ExplodedNode *Pred,		ExplodedNode *Pred,
ProgramStateRef St, SVal location,		ProgramStateRef St, SVal location,
▲ Show 20 Lines • Show All 81 Lines • Show Last 20 Lines

lib/AST/Decl.cpp

Show First 20 Lines • Show All 1,834 Lines • ▼ Show 20 Lines	static_assert(sizeof(ParmVarDeclBitfields) <= sizeof(unsigned),
"ParmVarDeclBitfields too large!");		"ParmVarDeclBitfields too large!");
static_assert(sizeof(NonParmVarDeclBitfields) <= sizeof(unsigned),		static_assert(sizeof(NonParmVarDeclBitfields) <= sizeof(unsigned),
"NonParmVarDeclBitfields too large!");		"NonParmVarDeclBitfields too large!");
AllBits = 0;		AllBits = 0;
VarDeclBits.SClass = SC;		VarDeclBits.SClass = SC;
// Everything else is implicitly initialized to false.		// Everything else is implicitly initialized to false.
}		}

VarDecl VarDecl::Create(ASTContext &C, DeclContext DC,		void VarDecl::setModified() { VarDeclBits.Modified = true; }
SourceLocation StartL, SourceLocation IdL,		bool VarDecl::isModified() const { return VarDeclBits.Modified; }
IdentifierInfo Id, QualType T, TypeSourceInfo TInfo,
StorageClass S) {		VarDecl VarDecl::Create(ASTContext &C, DeclContext DC, SourceLocation StartL,
		SourceLocation IdL, IdentifierInfo *Id, QualType T,
		TypeSourceInfo *TInfo, StorageClass S) {
return new (C, DC) VarDecl(Var, C, DC, StartL, IdL, Id, T, TInfo, S);		return new (C, DC) VarDecl(Var, C, DC, StartL, IdL, Id, T, TInfo, S);
}		}

VarDecl *VarDecl::CreateDeserialized(ASTContext &C, unsigned ID) {		VarDecl *VarDecl::CreateDeserialized(ASTContext &C, unsigned ID) {
return new (C, ID)		return new (C, ID)
VarDecl(Var, C, nullptr, SourceLocation(), SourceLocation(), nullptr,		VarDecl(Var, C, nullptr, SourceLocation(), SourceLocation(), nullptr,
QualType(), nullptr, SC_None);		QualType(), nullptr, SC_None);
}		}
▲ Show 20 Lines • Show All 2,596 Lines • Show Last 20 Lines

lib/Analysis/CallGraph.cpp

Show All 27 Lines
namespace {		namespace {
/// A helper class, which walks the AST and locates all the call sites in the		/// A helper class, which walks the AST and locates all the call sites in the
/// given function body.		/// given function body.
class CGBuilder : public StmtVisitor<CGBuilder> {		class CGBuilder : public StmtVisitor<CGBuilder> {
CallGraph *G;		CallGraph *G;
CallGraphNode *CallerNode;		CallGraphNode *CallerNode;

public:		public:
CGBuilder(CallGraph g, CallGraphNode N)		CGBuilder(CallGraph g, CallGraphNode N) : G(g), CallerNode(N) {}
: G(g), CallerNode(N) {}

void VisitStmt(Stmt *S) { VisitChildren(S); }		void VisitStmt(Stmt *S) {
		markModifiedVars(S);
		VisitChildren(S);
		}

Decl getDeclFromCall(CallExpr CE) {		Decl getDeclFromCall(CallExpr CE) {
if (FunctionDecl *CalleeDecl = CE->getDirectCallee())		if (FunctionDecl *CalleeDecl = CE->getDirectCallee())
return CalleeDecl;		return CalleeDecl;

// Simple detection of a call through a block.		// Simple detection of a call through a block.
Expr *CEE = CE->getCallee()->IgnoreParenImpCasts();		Expr *CEE = CE->getCallee()->IgnoreParenImpCasts();
if (BlockExpr *Block = dyn_cast<BlockExpr>(CEE)) {		if (BlockExpr *Block = dyn_cast<BlockExpr>(CEE)) {
Show All 10 Lines	if (G->includeInGraph(D)) {
CallerNode->addCallee(CalleeNode);		CallerNode->addCallee(CalleeNode);
}		}
}		}

void VisitCallExpr(CallExpr *CE) {		void VisitCallExpr(CallExpr *CE) {
if (Decl *D = getDeclFromCall(CE))		if (Decl *D = getDeclFromCall(CE))
addCalledDecl(D);		addCalledDecl(D);
VisitChildren(CE);		VisitChildren(CE);
		markModifiedVars(CE);
}		}

// Adds may-call edges for the ObjC message sends.		// Adds may-call edges for the ObjC message sends.
void VisitObjCMessageExpr(ObjCMessageExpr *ME) {		void VisitObjCMessageExpr(ObjCMessageExpr *ME) {
if (ObjCInterfaceDecl *IDecl = ME->getReceiverInterface()) {		if (ObjCInterfaceDecl *IDecl = ME->getReceiverInterface()) {
Selector Sel = ME->getSelector();		Selector Sel = ME->getSelector();

// Find the callee definition within the same translation unit.		// Find the callee definition within the same translation unit.
Decl *D = nullptr;		Decl *D = nullptr;
if (ME->isInstanceMessage())		if (ME->isInstanceMessage())
D = IDecl->lookupPrivateMethod(Sel);		D = IDecl->lookupPrivateMethod(Sel);
else		else
D = IDecl->lookupPrivateClassMethod(Sel);		D = IDecl->lookupPrivateClassMethod(Sel);
if (D) {		if (D) {
addCalledDecl(D);		addCalledDecl(D);
NumObjCCallEdges++;		NumObjCCallEdges++;
}		}
}		}
}		}

void VisitChildren(Stmt *S) {		void VisitChildren(Stmt *S) {
for (Stmt *SubStmt : S->children())		for (Stmt *SubStmt : S->children())
if (SubStmt)		if (SubStmt)
this->Visit(SubStmt);		this->Visit(SubStmt);
}		}

		void modifyVar(Expr *E) {
		auto *D = dyn_cast<DeclRefExpr>(E->IgnoreParenCasts());
		if (!D)
		return;
		VarDecl *VD = dyn_cast<VarDecl>(D->getDecl());
		if (VD)
		VD->setModified();
		}

		void markModifiedVars(Stmt *S) {
		NoQUnsubmitted Not Done Reply Inline Actions A hint, even if we don't use visitors: the whole point of having a visitor is about not needing to make a pattern-matching (switch or sequence of dyn_casts) by statement kind yourself, like you do in this function. You already have VisitUnaryOperator, VisitBinaryOperator, VisitCallExpr, etc., so you can add the code there. NoQ: A hint, even if we don't use visitors: the whole point of having a visitor is about not needing…
		// Increment/Decrement, taking address of variable
		if (UnaryOperator *U = dyn_cast<UnaryOperator>(S)) {
		const UnaryOperatorKind K = U->getOpcode();
		if (K == UO_AddrOf \|\| K == UO_PostDec \|\| K == UO_PostInc \|\|
		K == UO_PreDec \|\| K == UO_PreInc)
		modifyVar(U->getSubExpr());
		return;
		}

		// Assignments
		if (BinaryOperator *B = dyn_cast<BinaryOperator>(S)) {
		if (!B->isAssignmentOp())
		return;
		modifyVar(B->getLHS());
		if (B->getLHS()->getType()->isReferenceType())
		modifyVar(B->getRHS());
		return;
		}

		// Handle reference arguments
		if (auto *CE = dyn_cast<CallExpr>(S)) {
		const Decl *D = CE->getCalleeDecl();
		if (!D)
		return;
		const FunctionDecl *FD = dyn_cast<FunctionDecl>(D);
		if (!FD)
		return;
		unsigned N = 0;
		for (const auto Arg : FD->parameters()) {
		if (Arg->getType()->isReferenceType() &&
		!Arg->getType().isConstQualified() && N < CE->getNumArgs())
		modifyVar(CE->getArg(N));
		N++;
		}
		}
		}
};		};

} // end anonymous namespace		} // end anonymous namespace

void CallGraph::addNodesForBlocks(DeclContext *D) {		void CallGraph::addNodesForBlocks(DeclContext *D) {
if (BlockDecl *BD = dyn_cast<BlockDecl>(D))		if (BlockDecl *BD = dyn_cast<BlockDecl>(D))
addNodeForDecl(BD, true);		addNodeForDecl(BD, true);

▲ Show 20 Lines • Show All 129 Lines • Show Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngine.cpp

	Show First 20 Lines • Show All 97 Lines • ▼ Show 20 Lines
	ExprEngine::~ExprEngine() {			ExprEngine::~ExprEngine() {
	BR.FlushReports();			BR.FlushReports();
	}			}

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	// Utility methods.			// Utility methods.
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

				/** Get initial state for global static variable */
				ProgramStateRef ExprEngine::getInitialStateForGlobalStaticVar(
				xazax.hunUnsubmitted Done Reply Inline Actions Usually, we do not like bug recursions since it might eat up the stack. Also, do you consider the case when the variable is passed by reference to a function in another translation unit? xazax.hun: Usually, we do not like bug recursions since it might eat up the stack. Also, do you consider…
				danielmarjamakiAuthorUnsubmitted Not Done Reply Inline Actions I rewrote the code to reuse the ast matchers in LoopUnroll.. and that is not recursive. I rewrote the getGlobalStaticVars (this code is longer and in my opinion less readable but it's not recursive). danielmarjamaki: I rewrote the code to reuse the ast matchers in LoopUnroll.. and that is not recursive. I…
				const LocationContext LCtx, ProgramStateRef State, const VarDecl VD) {
				// Is variable changed anywhere in TU?
				if (VD->isModified())
				return State;

				// What is the initialized value?
				llvm::APSInt InitVal;
				if (const Expr *I = VD->getInit()) {
				if (!I->EvaluateAsInt(InitVal, getContext()))
				return State;
				} else {
				InitVal = 0;
				}

				const MemRegion *R = State->getRegion(VD, LCtx);
				if (!R)
				dcoughlinUnsubmitted Not Done Reply Inline Actions Since you are calling `getInitialStateForGlobalStaticVar()` in `getInitialState()` for each static variable declaration and `getInitialState()` is called for each top-level function, you are doing an n^3 operation in the size of the translation unit, which is going to be very, very expensive for large translation units. Have you considered doing the analysis for static variables that are never changed during call-graph construction? This should be a linear operation and doing it during call-graph construction would avoid an extra walk of the entire translation unit. dcoughlin: Since you are calling `getInitialStateForGlobalStaticVar()` in `getInitialState()` for each…
				danielmarjamakiAuthorUnsubmitted Not Done Reply Inline Actions hmm... could you tell me where the call-graph construction is that I can tweak? danielmarjamaki: hmm... could you tell me where the call-graph construction is that I can tweak?
				danielmarjamakiAuthorUnsubmitted Not Done Reply Inline Actions I think I found it: `clang/lib/Analysis/CallGraph.cpp` danielmarjamaki: I think I found it: `clang/lib/Analysis/CallGraph.cpp`
				danielmarjamakiAuthorUnsubmitted Not Done Reply Inline Actions I now track variable modifications in call-graph construction instead. danielmarjamaki: I now track variable modifications in call-graph construction instead.
				return State;
				SVal V = State->getSVal(loc::MemRegionVal(R));
				SVal Constraint_untested =
				evalBinOp(State, BO_EQ, V, svalBuilder.makeIntVal(InitVal),
				svalBuilder.getConditionType());
				Optional<DefinedOrUnknownSVal> Constraint =
				Constraint_untested.getAs<DefinedOrUnknownSVal>();
				if (!Constraint)
				return State;
				return State->assume(*Constraint, true);
				}

				static void getGlobalStaticVars(const Stmt *FuncBody,
				llvm::SmallSet<const VarDecl , 4> Vars) {
				std::stack<const Stmt *> Children;
				Children.push(FuncBody);
				while (!Children.empty()) {
				const Stmt *Child = Children.top();
				Children.pop();
				if (!Child)
				continue;
				for (const Stmt *C : Child->children()) {
				Children.push(C);
				}
				if (const DeclRefExpr *D = dyn_cast<DeclRefExpr>(Child)) {
				const VarDecl *VD = dyn_cast<VarDecl>(D->getDecl());
				if (VD && VD->isDefinedOutsideFunctionOrMethod() &&
				VD->getType()->isIntegerType() &&
				VD->getStorageClass() == SC_Static &&
				!VD->getType()->isPointerType()) {
				Vars->insert(VD);
				}
				szepetUnsubmitted Not Done Reply Inline Actions I think instead of this logic it would be better to use ConstStmtVisitor. In this case it does quite the same thing in a (maybe?) more structured manner. What do you think? szepet: I think instead of this logic it would be better to use ConstStmtVisitor. In this case it does…
				danielmarjamakiAuthorUnsubmitted Not Done Reply Inline Actions As far as I see ConstStmtVisitor is also recursive. Imho let's have readable code instead.. danielmarjamaki: As far as I see ConstStmtVisitor is also recursive. Imho let's have readable code instead..
				}
				}
				}

	ProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) {			ProgramStateRef ExprEngine::getInitialState(const LocationContext *InitLoc) {
	ProgramStateRef state = StateMgr.getInitialState(InitLoc);			ProgramStateRef state = StateMgr.getInitialState(InitLoc);
				// Get initial states for static global variables.
				if (const auto *FD = dyn_cast<FunctionDecl>(InitLoc->getDecl())) {
				llvm::SmallSet<const VarDecl *, 4> Vars;
				getGlobalStaticVars(FD->getBody(), &Vars);
				for (const VarDecl *VD : Vars) {
				state = getInitialStateForGlobalStaticVar(InitLoc, state, VD);
				}
				szepetUnsubmitted Not Done Reply Inline Actions Is it possible that a type is an IntegerType and a PointerType at the same time? If these are excluding cases then the check for !isPointer could be removed. szepet: Is it possible that a type is an IntegerType and a PointerType at the same time? If these are…
				}
				xazax.hunUnsubmitted Not Done Reply Inline Actions Does this work for non-integer typed e.g. structs? xazax.hun: Does this work for non-integer typed e.g. structs?
				danielmarjamakiAuthorUnsubmitted Not Done Reply Inline Actions Currently static struct objects are unaffected by these changes. There is no regression. Reviews are taking too long time. I am not against getting reviews but I am against waiting for reviews for months, ideally people would only need to wait for at most a week to get a review. This is why I don't want to handle structs now -- I am not eager to prolong the review process for this patch. danielmarjamaki: Currently static struct objects are unaffected by these changes. There is no regression.

	const Decl *D = InitLoc->getDecl();			const Decl *D = InitLoc->getDecl();

	// Preconditions.			// Preconditions.
	// FIXME: It would be nice if we had a more general mechanism to add			// FIXME: It would be nice if we had a more general mechanism to add
	// such preconditions. Some day.			// such preconditions. Some day.
	do {			do {

	if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {			if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) {
	▲ Show 20 Lines • Show All 2,838 Lines • Show Last 20 Lines

test/Analysis/global-vars.c

				// RUN: %clang_analyze_cc1 -analyzer-checker=alpha,core -verify %s

				// Avoid false positive.
				static char *allv[] = {"rpcgen", "-s", "udp", "-s", "tcp"};
				static int allc = sizeof(allv) / sizeof(allv[0]);
				static void falsePositive1(void) {
				int i;
				for (i = 1; i < allc; i++) {
				const char *p = allv[i]; // no-warning
				i++;
				}
				}

				// Detect division by zero.
				static int zero = 0;
				void truePositive1() {
				int x = 1000 / zero; // expected-warning{{Division by zero}}
				}