This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
AnalyzerStatsChecker.cpp
-
test/Analysis/
-
Analysis/
-
analyzer-stats.c

Differential D42266

[analyzer] Prevent AnalyzerStatsChecker from crash
ClosedPublic

Authored by szepet on Jan 18 2018, 3:27 PM.

Download Raw Diff

Details

Reviewers

NoQ
dcoughlin
xazax.hun
george.karpenkov

Commits

rG5184fae04e4c: [analyzer] Prevent AnalyzerStatsChecker from crash
rL325693: [analyzer] Prevent AnalyzerStatsChecker from crash
rC325693: [analyzer] Prevent AnalyzerStatsChecker from crash

Summary

The checker marks the locations where the analyzer creates sinks. However, it can happen that the sink was created because of a loop which does not contain condition statement, only breaks in the body. The exhausted block is the block which should contain the condition but empty, in this case.
This change only emits this marking in order to avoid the undefined behavior.

Diff Detail

Repository: rC Clang

Event Timeline

szepet created this revision.Jan 18 2018, 3:27 PM

Herald added subscribers: dkrupp, a.sidorin, rnkovacs and 2 others. · View Herald TranscriptJan 18 2018, 3:27 PM

This seems reasonable.

Would it make sense to use the last element of the block edge's source for the diagnostic location when the destination block is empty?

Would it make sense to use the last element of the block edge's source for the diagnostic location when the destination block is empty?

I do not think so. In the testfile emptyConditionLoop function is a great counter example since the last element of the source block is the num = 1 which would not make sense (in my opinion). However, in this case the location of the terminator statement could be used (if there is any). If you are OK with that solution, I can update the patch.

LGTM! @george.karpenkov has also tested that when he was gathering statistics about his traversal order improvements and it helped :)

This revision is now accepted and ready to land.Feb 16 2018, 7:44 PM

Herald added a reviewer: george.karpenkov. · View Herald TranscriptFeb 16 2018, 7:44 PM

Closed by commit rC325693: [analyzer] Prevent AnalyzerStatsChecker from crash (authored by szepet). · Explain WhyFeb 21 2018, 8:09 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

AnalyzerStatsChecker.cpp

2 lines

test/

Analysis/

analyzer-stats.c

18 lines

Diff 135266

lib/StaticAnalyzer/Checkers/AnalyzerStatsChecker.cpp

Show First 20 Lines • Show All 116 Lines • ▼ Show 20 Lines	void AnalyzerStatsChecker::checkEndAnalysis(ExplodedGraph &G,

// Emit warning for each block we bailed out on.		// Emit warning for each block we bailed out on.
typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator;		typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator;
const CoreEngine &CE = Eng.getCoreEngine();		const CoreEngine &CE = Eng.getCoreEngine();
for (ExhaustedIterator I = CE.blocks_exhausted_begin(),		for (ExhaustedIterator I = CE.blocks_exhausted_begin(),
E = CE.blocks_exhausted_end(); I != E; ++I) {		E = CE.blocks_exhausted_end(); I != E; ++I) {
const BlockEdge &BE = I->first;		const BlockEdge &BE = I->first;
const CFGBlock *Exit = BE.getDst();		const CFGBlock *Exit = BE.getDst();
		if (Exit->empty())
		continue;
const CFGElement &CE = Exit->front();		const CFGElement &CE = Exit->front();
if (Optional<CFGStmt> CS = CE.getAs<CFGStmt>()) {		if (Optional<CFGStmt> CS = CE.getAs<CFGStmt>()) {
SmallString<128> bufI;		SmallString<128> bufI;
llvm::raw_svector_ostream outputI(bufI);		llvm::raw_svector_ostream outputI(bufI);
outputI << "(" << NameOfRootFunction << ")" <<		outputI << "(" << NameOfRootFunction << ")" <<
": The analyzer generated a sink at this point";		": The analyzer generated a sink at this point";
B.EmitBasicReport(		B.EmitBasicReport(
D, this, "Sink Point", "Internal Statistics", outputI.str(),		D, this, "Sink Point", "Internal Statistics", outputI.str(),
PathDiagnosticLocation::createBegin(CS->getStmt(), SM, LC));		PathDiagnosticLocation::createBegin(CS->getStmt(), SM, LC));
}		}
}		}
}		}

void ento::registerAnalyzerStatsChecker(CheckerManager &mgr) {		void ento::registerAnalyzerStatsChecker(CheckerManager &mgr) {
mgr.registerChecker<AnalyzerStatsChecker>();		mgr.registerChecker<AnalyzerStatsChecker>();
}		}

test/Analysis/analyzer-stats.c

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,deadcode.DeadStores,debug.Stats -verify -Wno-unreachable-code -analyzer-opt-analyze-nested-blocks %s			// RUN: %clang_analyze_cc1 -analyzer-checker=core,deadcode.DeadStores,debug.Stats -verify -Wno-unreachable-code -analyzer-opt-analyze-nested-blocks -analyzer-max-loop 4 %s

	int foo();			int foo();

	int test() { // expected-warning-re{{test -> Total CFGBlocks: {{[0-9]+}} \| Unreachable CFGBlocks: 0 \| Exhausted Block: no \| Empty WorkList: yes}}			int test() { // expected-warning-re{{test -> Total CFGBlocks: {{[0-9]+}} \| Unreachable CFGBlocks: 0 \| Exhausted Block: no \| Empty WorkList: yes}}
	int a = 1;			int a = 1;
	a = 34 / 12;			a = 34 / 12;

	if (foo())			if (foo())
	return a;			return a;

	a /= 4;			a /= 4;
	return a;			return a;
	}			}


				int sink() // expected-warning-re{{sink -> Total CFGBlocks: {{[0-9]+}} \| Unreachable CFGBlocks: 1 \| Exhausted Block: yes \| Empty WorkList: yes}}
				{
				for (int i = 0; i < 10; ++i) // expected-warning {{(sink): The analyzer generated a sink at this point}}
				++i;

				return 0;
				}

				int emptyConditionLoop() // expected-warning-re{{emptyConditionLoop -> Total CFGBlocks: {{[0-9]+}} \| Unreachable CFGBlocks: 0 \| Exhausted Block: yes \| Empty WorkList: yes}}
				{
				int num = 1;
				for (;;)
				num++;
				}