This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
RegionStore.cpp
-
test/Analysis/
-
Analysis/
-
arc-zero-init.m

Differential D41478

[analyzer] Fix zero-initialization of stack VLAs under ARC.
ClosedPublic

Authored by NoQ on Dec 20 2017, 7:53 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
george.karpenkov

Commits

rG9d3ca9a5ae35: [analyzer] Fix zero-initialization of stack VLAs under ObjC ARC.
rL321290: [analyzer] Fix zero-initialization of stack VLAs under ObjC ARC.
rC321290: [analyzer] Fix zero-initialization of stack VLAs under ObjC ARC.

Summary

https://developer.apple.com/library/content/releasenotes/ObjectiveC/RN-TransitioningToARC/Introduction/Introduction.html#//apple_ref/doc/uid/TP40011226-CH1-SW5 :

Using ARC, strong, weak, and autoreleasing stack variables are now implicitly initialized with nil.

This includes variable-length arrays of Objective-C object pointers. However, in the analyzer we don't zero-initialize them. We used to, but it accidentally regressed after r289618.

Under ARC, the array variable's initializer within DeclStmt is an ImplicitValueInitExpr. Environment doesn't maintain any bindings for this expression kind - instead it always knows that it's a known constant (0 in our case), so it just returns the known value by calling SValBuilder::makeZeroVal() (see EnvironmentManager::getSVal(). Commit r289618 had introduced reasonable behavior of SValBuilder::makeZeroVal() for the arrays, which produces a zero-length compoundVal{}. When such value is bound to arrays, in RegionStoreManager::bindArray() "remaining" items in the array are default-initialized with zero, as in RegionStoreManager::setImplicitDefaultValue(). The similar mechanism works when an array is initialized by an initializer list that is too short, eg. int a[3] = { 1, 2 }; would result in a[2] initialized with 0. However, in case of variable-length arrays it didn't know if any more items need to be added, because, well, the length is variable.

Add the default binding anyway, regardless of how many actually need to be added. We don't really care, because the default binding covers the whole array anyway.

Diff Detail

Repository: rC Clang

Event Timeline

NoQ created this revision.Dec 20 2017, 7:53 PM

Herald added subscribers: cfe-commits, a.sidorin, szepet, xazax.hun. · View Herald TranscriptDec 20 2017, 7:53 PM

LGTM. The tests are great!!

This revision is now accepted and ready to land.Dec 21 2017, 10:24 AM

Closed by commit rC321290: [analyzer] Fix zero-initialization of stack VLAs under ObjC ARC. (authored by NoQ). · Explain WhyDec 21 2017, 10:43 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

RegionStore.cpp

7 lines

test/

Analysis/

arc-zero-init.m

46 lines

Diff 127913

lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 Lines • Show All 2,126 Lines • ▼ Show 20 Lines	for (; Size.hasValue() ? i < Size.getValue() : true ; ++i, ++VI) {
if (ElementTy->isStructureOrClassType())		if (ElementTy->isStructureOrClassType())
NewB = bindStruct(NewB, ER, *VI);		NewB = bindStruct(NewB, ER, *VI);
else if (ElementTy->isArrayType())		else if (ElementTy->isArrayType())
NewB = bindArray(NewB, ER, *VI);		NewB = bindArray(NewB, ER, *VI);
else		else
NewB = bind(NewB, loc::MemRegionVal(ER), *VI);		NewB = bind(NewB, loc::MemRegionVal(ER), *VI);
}		}

// If the init list is shorter than the array length, set the		// If the init list is shorter than the array length (or the array has
// array default value.		// variable length), set the array default value. Values that are already set
if (Size.hasValue() && i < Size.getValue())		// are not overwritten.
		if (!Size.hasValue() \|\| i < Size.getValue())
NewB = setImplicitDefaultValue(NewB, R, ElementTy);		NewB = setImplicitDefaultValue(NewB, R, ElementTy);

return NewB;		return NewB;
}		}

RegionBindingsRef RegionStoreManager::bindVector(RegionBindingsConstRef B,		RegionBindingsRef RegionStoreManager::bindVector(RegionBindingsConstRef B,
const TypedValueRegion* R,		const TypedValueRegion* R,
SVal V) {		SVal V) {
▲ Show 20 Lines • Show All 356 Lines • Show Last 20 Lines

test/Analysis/arc-zero-init.m

				// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
				// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify -fobjc-arc %s

				#if __has_feature(objc_arc)
				// expected-no-diagnostics
				#endif

				@interface SomeClass
				@end

				void simpleStrongPointerValue() {
				SomeClass *x;
				if (x) {}
				#if !__has_feature(objc_arc)
				// expected-warning@-2{{Branch condition evaluates to a garbage value}}
				#endif
				}

				void simpleArray() {
				SomeClass *vlaArray[5];

				if (vlaArray[0]) {}
				#if !__has_feature(objc_arc)
				// expected-warning@-2{{Branch condition evaluates to a garbage value}}
				#endif
				}

				void variableLengthArray() {
				int count = 1;
				SomeClass * vlaArray[count];

				if (vlaArray[0]) {}
				#if !__has_feature(objc_arc)
				// expected-warning@-2{{Branch condition evaluates to a garbage value}}
				#endif
				}

				void variableLengthArrayWithExplicitStrongAttribute() {
				int count = 1;
				__attribute__((objc_ownership(strong))) SomeClass * vlaArray[count];

				if (vlaArray[0]) {}
				#if !__has_feature(objc_arc)
				// expected-warning@-2{{Branch condition evaluates to a garbage value}}
				#endif
				}