This is an archive of the discontinued LLVM Phabricator instance.

Differential D38673

[analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting, handling method calls on base-class sub-objects
ClosedPublic

Authored by szepet on Oct 8 2017, 9:32 AM.

Details

Reviewers
zaks.anna
dcoughlin
xazax.hun
NoQ
Commits
rL316850: [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting…
Summary
  1. Artem's solution D31538 solves the reset problem, however, the reports should be handled the same way in case of method calls. We should not just report the base class of the object where the method was defined but the whole object.
  1. Fixed false positive which came from not removing the subobjects in case of a state-resetting function. (Just replaced the State->remove(...) call to removeFromState(..) which was defined exactly for that purpose.)
  1. Some minor typos fixed in this patch as well which did not worth a whole new patch in my opinion, so included them here.

Diff Detail

Event Timeline

szepet created this revision.Oct 8 2017, 9:32 AM
Herald added subscribers: baloghadamsoftware, whisperity. · View Herald TranscriptOct 8 2017, 9:32 AM
szepet added a parent revision: D31538: [analyzer] MisusedMovedObjectChecker: Fix a false positive on state-resetting a base-class sub-object..Oct 8 2017, 9:33 AM
szepet edited the summary of this revision. (Show Details)
szepet edited reviewers, added: NoQ; removed: dergachev.a.Oct 8 2017, 9:36 AM
szepet added a parent revision: D38674: [analyzer] MisusedMovedObjectChecker: More precise warning message.Oct 8 2017, 9:44 AM
szepet removed a parent revision: D38674: [analyzer] MisusedMovedObjectChecker: More precise warning message.
szepet added a child revision: D38674: [analyzer] MisusedMovedObjectChecker: More precise warning message.
xazax.hun accepted this revision.Oct 9 2017, 6:38 AM

LGTM! I only found a nit.

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
416

I think this loop could be moved after the check isMoveSafeMethod to improve the performance.

This revision is now accepted and ready to land.Oct 9 2017, 6:38 AM
NoQ added inline comments.Oct 10 2017, 6:21 AM
lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
380

I guess we'd have to check this for null, eg. when this-value is Unknown (seeing crashes on dyn_casting this pointer to CXXBaseObjectRegion in the code you just moved).

xazax.hun added inline comments.Oct 10 2017, 6:22 AM
lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp
380

Good catch. I can confirm that this can return a null pointer.

szepet updated this revision to Diff 119033.Oct 14 2017, 10:20 AM

Fixed the commented bug (check if ThisRegion is null).

szepet marked 2 inline comments as done.Oct 14 2017, 10:20 AM
szepet closed this revision.Oct 28 2017, 4:19 PM
szepet added a commit: rL316850: [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting….

Revision Contents

Diff 118169

lib/StaticAnalyzer/Checkers/MisusedMovedObjectChecker.cpp

Show First 20 LinesShow All 344 Lines▼ Show 20 Lines
} }
void MisusedMovedObjectChecker::checkPreCall(const CallEvent &Call, void MisusedMovedObjectChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const LocationContext *LC = C.getLocationContext(); const LocationContext *LC = C.getLocationContext();
ExplodedNode *N = nullptr; ExplodedNode *N = nullptr;
// Remove the MemRegions from the map on which a ctor/dtor call or assignement // Remove the MemRegions from the map on which a ctor/dtor call or assignment
// happened. // happened.
// Checking constructor calls. // Checking constructor calls.
if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) { if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {
State = removeFromState(State, CC->getCXXThisVal().getAsRegion()); State = removeFromState(State, CC->getCXXThisVal().getAsRegion());
auto CtorDec = CC->getDecl(); auto CtorDec = CC->getDecl();
// Check for copying a moved-from object and report the bug. // Check for copying a moved-from object and report the bug.
if (CtorDec && CtorDec->isCopyOrMoveConstructor()) { if (CtorDec && CtorDec->isCopyOrMoveConstructor()) {
Show All 10 Lines if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {
C.addTransition(State, N); C.addTransition(State, N);
return; return;
} }
const auto IC = dyn_cast<CXXInstanceCall>(&Call); const auto IC = dyn_cast<CXXInstanceCall>(&Call);
if (!IC) if (!IC)
return; return;
// In case of destructor call we do not track the object anymore. // In case of destructor call we do not track the object anymore.
const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion(); const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
NoQUnsubmitted
Done
ReplyInline Actions

I guess we'd have to check this for null, eg. when this-value is Unknown (seeing crashes on dyn_casting this pointer to CXXBaseObjectRegion in the code you just moved).

NoQ: I guess we'd have to check this for null, eg. when this-value is `Unknown` (seeing crashes on…
xazax.hunUnsubmitted
Done
ReplyInline Actions

Good catch. I can confirm that this can return a null pointer.

xazax.hun: Good catch. I can confirm that this can return a null pointer.
if (dyn_cast_or_null<CXXDestructorDecl>(Call.getDecl())) { if (dyn_cast_or_null<CXXDestructorDecl>(Call.getDecl())) {
State = removeFromState(State, IC->getCXXThisVal().getAsRegion()); State = removeFromState(State, IC->getCXXThisVal().getAsRegion());
C.addTransition(State); C.addTransition(State);
return; return;
} }
const auto MethodDecl = dyn_cast_or_null<CXXMethodDecl>(IC->getDecl()); const auto MethodDecl = dyn_cast_or_null<CXXMethodDecl>(IC->getDecl());
if (!MethodDecl) if (!MethodDecl)
Show All 16 Lines if (MethodDecl->isCopyAssignmentOperator() ||
State->set<TrackedRegionMap>(ArgRegion, RegionState::getReported()); State->set<TrackedRegionMap>(ArgRegion, RegionState::getReported());
} }
} }
C.addTransition(State, N); C.addTransition(State, N);
return; return;
} }
// The remaining part is check only for method call on a moved-from object. // The remaining part is check only for method call on a moved-from object.
// We want to investigate the whole object, not only sub-object of a parent
// class in which the encountered method defined.
while (const CXXBaseObjectRegion *BR =
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

I think this loop could be moved after the check isMoveSafeMethod to improve the performance.

xazax.hun: I think this loop could be moved after the check `isMoveSafeMethod` to improve the performance.
dyn_cast<CXXBaseObjectRegion>(ThisRegion))
ThisRegion = BR->getSuperRegion();
if (isMoveSafeMethod(MethodDecl)) if (isMoveSafeMethod(MethodDecl))
return; return;
if (isStateResetMethod(MethodDecl)) { if (isStateResetMethod(MethodDecl)) {
// A state reset method resets the whole object, not only sub-object State = removeFromState(State, ThisRegion);
// of a parent class in which it is defined.
const MemRegion *WholeObjectRegion = ThisRegion;
while (const CXXBaseObjectRegion *BR =
dyn_cast<CXXBaseObjectRegion>(WholeObjectRegion))
WholeObjectRegion = BR->getSuperRegion();
State = State->remove<TrackedRegionMap>(WholeObjectRegion);
C.addTransition(State); C.addTransition(State);
return; return;
} }
// If it is already reported then we dont report the bug again. // If it is already reported then we don't report the bug again.
const RegionState *ThisState = State->get<TrackedRegionMap>(ThisRegion); const RegionState *ThisState = State->get<TrackedRegionMap>(ThisRegion);
if (!(ThisState && ThisState->isMoved())) if (!(ThisState && ThisState->isMoved()))
return; return;
// Dont report it in case if any base region is already reported // Don't report it in case if any base region is already reported
if (isAnyBaseRegionReported(State, ThisRegion)) if (isAnyBaseRegionReported(State, ThisRegion))
return; return;
if (isInMoveSafeContext(LC)) if (isInMoveSafeContext(LC))
return; return;
N = reportBug(ThisRegion, Call, C); N = reportBug(ThisRegion, Call, C);
State = State->set<TrackedRegionMap>(ThisRegion, RegionState::getReported()); State = State->set<TrackedRegionMap>(ThisRegion, RegionState::getReported());
▲ Show 20 LinesShow All 46 LinesShow Last 20 Lines

test/Analysis/MisusedMovedObject.cpp

Show First 20 LinesShow All 326 Lines▼ Show 20 Lines
} }
void moveStateResetFunctionsTest() { void moveStateResetFunctionsTest() {
{ {
A a; A a;
A b = std::move(a); A b = std::move(a);
a.reset(); // no-warning a.reset(); // no-warning
a.foo(); // no-warning a.foo(); // no-warning
// Test if resets the state of subregions as well.
a.b.foo(); // no-warning
} }
{ {
A a; A a;
A b = std::move(a); A b = std::move(a);
a.destroy(); // no-warning a.destroy(); // no-warning
a.foo(); // no-warning a.foo(); // no-warning
} }
{ {
A a; A a;
A b = std::move(a); A b = std::move(a);
a.clear(); // no-warning a.clear(); // no-warning
a.foo(); // no-warning a.foo(); // no-warning
a.b.foo(); // no-warning
} }
} }
// Moves or uses that occur as part of template arguments. // Moves or uses that occur as part of template arguments.
template <int> template <int>
class ClassTemplate { class ClassTemplate {
public: public:
void foo(A a); void foo(A a);
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Linesvoid differentBranchesTest(int i) {
// A variation on the theme above. // A variation on the theme above.
{ {
A a; A a;
a.foo() > 0 ? a.foo() : A(std::move(a)).foo(); // expected-note {{Assuming the condition is false}} expected-note {{'?' condition is false}} a.foo() > 0 ? a.foo() : A(std::move(a)).foo(); // expected-note {{Assuming the condition is false}} expected-note {{'?' condition is false}}
} }
// Same thing, but with a switch statement. // Same thing, but with a switch statement.
{ {
A a, b; A a, b;
switch (i) { // expected-note {{Control jumps to 'case 1:' at line 448}} switch (i) { // expected-note {{Control jumps to 'case 1:' at line 451}}
case 1: case 1:
b = std::move(a); // no-warning b = std::move(a); // no-warning
break; // expected-note {{Execution jumps to the end of the function}} break; // expected-note {{Execution jumps to the end of the function}}
case 2: case 2:
a.foo(); // no-warning a.foo(); // no-warning
break; break;
} }
} }
// However, if there's a fallthrough, we do warn. // However, if there's a fallthrough, we do warn.
{ {
A a, b; A a, b;
switch (i) { // expected-note {{Control jumps to 'case 1:' at line 460}} switch (i) { // expected-note {{Control jumps to 'case 1:' at line 463}}
case 1: case 1:
b = std::move(a); // expected-note {{'a' became 'moved-from' here}} b = std::move(a); // expected-note {{'a' became 'moved-from' here}}
case 2: case 2:
a.foo(); // expected-warning {{Method call on a 'moved-from' object}} expected-note {{Method call on a 'moved-from' object 'a'}} a.foo(); // expected-warning {{Method call on a 'moved-from' object}} expected-note {{Method call on a 'moved-from' object 'a'}}
break; break;
} }
} }
} }
▲ Show 20 LinesShow All 125 Lines▼ Show 20 Linesvoid ifStmtSequencesDeclAndConditionTest() {
for (int i = 0; i < 3; ++i) { for (int i = 0; i < 3; ++i) {
if (A a = A()) { if (A a = A()) {
A b; A b;
b = std::move(a); // no-warning b = std::move(a); // no-warning
} }
} }
} }
class C : public A {};
void subRegionMoveTest() { void subRegionMoveTest() {
{ {
A a; A a;
B b = std::move(a.b); // expected-note {{'b' became 'moved-from' here}} B b = std::move(a.b); // expected-note {{'b' became 'moved-from' here}}
a.b.foo(); // expected-warning {{Method call on a 'moved-from' object 'b'}} expected-note {{Method call on a 'moved-from' object 'b'}} a.b.foo(); // expected-warning {{Method call on a 'moved-from' object 'b'}} expected-note {{Method call on a 'moved-from' object 'b'}}
} }
{ {
A a; A a;
A a1 = std::move(a); // expected-note {{Calling move constructor for 'A'}} expected-note {{Returning from move constructor for 'A'}} A a1 = std::move(a); // expected-note {{Calling move constructor for 'A'}} expected-note {{Returning from move constructor for 'A'}}
a.b.foo(); // expected-warning {{Method call on a 'moved-from' object 'b'}} expected-note {{Method call on a 'moved-from' object 'b'}} a.b.foo(); // expected-warning {{Method call on a 'moved-from' object 'b'}} expected-note {{Method call on a 'moved-from' object 'b'}}
} }
// Don't report a misuse if any SuperRegion is already reported. // Don't report a misuse if any SuperRegion is already reported.
{ {
A a; A a;
A a1 = std::move(a); // expected-note {{'a' became 'moved-from' here}} A a1 = std::move(a); // expected-note {{'a' became 'moved-from' here}}
a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}} a.foo(); // expected-warning {{Method call on a 'moved-from' object 'a'}} expected-note {{Method call on a 'moved-from' object 'a'}}
a.b.foo(); // no-warning a.b.foo(); // no-warning
} }
{
C c;
C c1 = std::move(c); // expected-note {{'c' became 'moved-from' here}}
c.foo(); // expected-warning {{Method call on a 'moved-from' object 'c'}} expected-note {{Method call on a 'moved-from' object 'c'}}
c.b.foo(); // no-warning
}
} }
class C: public A {};
void resetSuperClass() { void resetSuperClass() {
C c; C c;
C c1 = std::move(c); C c1 = std::move(c);
c.clear(); c.clear();
C c2 = c; // no-warning C c2 = c; // no-warning
} }
void reportSuperClass() {
C c;
C c1 = std::move(c); // expected-note {{'c' became 'moved-from' here}}
c.foo(); // expected-warning {{Method call on a 'moved-from' object 'c'}} expected-note {{Method call on a 'moved-from' object 'c'}}
C c2 = c; // no-warning
}