This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Frontend/
-
StaticAnalyzer/
-
Frontend/
2/9
AnalysisConsumer.cpp
-
test/Analysis/
-
Analysis/
-
yaccignore.c

Differential D43421

[analyzer] Do not analyze bison-generated files
ClosedPublic

Authored by george.karpenkov on Feb 16 2018, 4:14 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
NoQ

Commits

rG1d3e49e781a3: [analyzer] Do not analyze bison-generated files
rL326135: [analyzer] Do not analyze bison-generated files
rC326135: [analyzer] Do not analyze bison-generated files

Summary

Bison/YACC generated files result in a very large number of (presumably) false positives from the analyzer.
These false positives are "true" in a sense of the information analyzer sees: assuming that the lexer can return any token at any point a number of uninitialized reads does occur.
(naturally, the analyzer can not capture a complex invariant that certain tokens can only occur under certain conditions).

Current fix simply stops analysis on those files.
I have examined a very large number of such auto-generated files, and they do all start with such a comment.
Conversely, user code is very unlikely to contain such a comment.

rdar://33608161

Diff Detail

Repository: rC Clang

Event Timeline

george.karpenkov created this revision.Feb 16 2018, 4:14 PM

Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptFeb 16 2018, 4:14 PM

Looks good, just a nit inline.

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
522	Could we use `Buffer->getBuffer().startswith(...)` instead?

Actually, after posting this I've realized that this behavior is somewhat inconsistent, and we should still produce an empty plist when requested to: just as we do for files with no generated reports.

george.karpenkov added inline comments.Feb 23 2018, 7:11 PM

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
522	we could if there was such a method? getBuffer() returns a `MutableArrayRef`

Actually, after posting this I've realized that this behavior is somewhat inconsistent, and we should still produce an empty plist when requested to: just as we do for files with no generated reports.

Actually, after thinking about this some more, the answer is those plists should not be produced, as they are not produced in similar cases (disableAllChecks is set, etc).

NoQ added inline comments.Feb 23 2018, 7:15 PM

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
522	Hmm okay. So is the buffer actually null-terminated?

In D43421#1018270, @george.karpenkov wrote:

Actually, after posting this I've realized that this behavior is somewhat inconsistent, and we should still produce an empty plist when requested to: just as we do for files with no generated reports.

Actually, after thinking about this some more, the answer is those plists should not be produced, as they are not produced in similar cases (disableAllChecks is set, etc).

This seems to be about the contract that the analyzer promises to tools that ingest the plists. Will those tools be OK with missing plists? What do they expect?

a.sidorin added inline comments.Feb 26 2018, 7:21 AM

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
522	Looks like this method of the base class is overridden with different return result. However, we are still allowed to use parent class methods: llvm::WritableMemoryBuffer WBuf; llvm::MemoryBuffer MBuf; StringRef Str = MBuf->MemoryBuffer::getBuffer(); Str = WBuf->MemoryBuffer::getBuffer();

Always produces plists now, less brittle string check.

NoQ added inline comments.Feb 26 2018, 12:49 PM

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
585	It seems that previously it didn't do the timer stop thing and whatever is below when analysis is skipped, now it does. Is this an intended or an accidental change?

george.karpenkov added inline comments.Feb 26 2018, 1:10 PM

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
585	Intended, as "whatever is below" is the code producing the plist.

NoQ added inline comments.Feb 26 2018, 1:11 PM

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
585	I mean, is it intended even in the `Opts->DisableAllChecks` mode?
585	Emm, wait, there's another return above. So that's dead code.

george.karpenkov updated this revision to Diff 135959.Feb 26 2018, 1:14 PM

george.karpenkov marked an inline comment as done.

george.karpenkov added inline comments.

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
585	I mean, is it intended even in the Opts->DisableAllChecks mode? Yes, to me it seems logical to have less code paths and to always perform same wrapping, lest the clients expect that.

Yeah, looks correct. And they'd have to deal with some of these empty plists anyway now.

This revision is now accepted and ready to land.Feb 26 2018, 1:32 PM

Closed by commit rC326135: [analyzer] Do not analyze bison-generated files (authored by george.karpenkov). · Explain WhyFeb 26 2018, 2:16 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: cfe-commits. · View Herald TranscriptFeb 26 2018, 2:16 PM

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Frontend/

AnalysisConsumer.cpp

100 lines

test/

Analysis/

yaccignore.c

13 lines

Diff 135979

lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

Show First 20 Lines • Show All 383 Lines • ▼ Show 20 Lines	#include "clang/StaticAnalyzer/Core/Analyses.def"
}		}

private:		private:
void storeTopLevelDecls(DeclGroupRef DG);		void storeTopLevelDecls(DeclGroupRef DG);
std::string getFunctionName(const Decl *D);		std::string getFunctionName(const Decl *D);

/// \brief Check if we should skip (not analyze) the given function.		/// \brief Check if we should skip (not analyze) the given function.
AnalysisMode getModeForDecl(Decl *D, AnalysisMode Mode);		AnalysisMode getModeForDecl(Decl *D, AnalysisMode Mode);
		void runAnalysisOnTranslationUnit(ASTContext &C);

		/// Print \p S to stderr if \c Opts->AnalyzerDisplayProgress is set.
		void reportAnalyzerProgress(StringRef S);
};		};
} // end anonymous namespace		} // end anonymous namespace


//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// AnalysisConsumer implementation.		// AnalysisConsumer implementation.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
bool AnalysisConsumer::HandleTopLevelDecl(DeclGroupRef DG) {		bool AnalysisConsumer::HandleTopLevelDecl(DeclGroupRef DG) {
▲ Show 20 Lines • Show All 105 Lines • ▼ Show 20 Lines	for (const Decl *Callee : VisitedCallees)
// Decls from CallGraph are already canonical. But Decls coming from		// Decls from CallGraph are already canonical. But Decls coming from
// CallExprs may be not. We should canonicalize them manually.		// CallExprs may be not. We should canonicalize them manually.
Visited.insert(isa<ObjCMethodDecl>(Callee) ? Callee		Visited.insert(isa<ObjCMethodDecl>(Callee) ? Callee
: Callee->getCanonicalDecl());		: Callee->getCanonicalDecl());
VisitedAsTopLevel.insert(D);		VisitedAsTopLevel.insert(D);
}		}
}		}

void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) {		static bool isBisonFile(ASTContext &C) {
// Don't run the actions if an error has occurred with parsing the file.		const SourceManager &SM = C.getSourceManager();
DiagnosticsEngine &Diags = PP.getDiagnostics();		FileID FID = SM.getMainFileID();
if (Diags.hasErrorOccurred() \|\| Diags.hasFatalErrorOccurred())		StringRef Buffer = SM.getBuffer(FID)->getBuffer();
return;		if (Buffer.startswith("/* A Bison parser, made by"))
		return true;
		a.sidorinUnsubmitted Not Done Reply Inline Actions Could we use `Buffer->getBuffer().startswith(...)` instead? a.sidorin: Could we use `Buffer->getBuffer().startswith(...)` instead?
		george.karpenkovAuthorUnsubmitted Not Done Reply Inline Actions we could if there was such a method? getBuffer() returns a `MutableArrayRef` george.karpenkov: we could if there was such a method? getBuffer() returns a `MutableArrayRef`
		NoQUnsubmitted Not Done Reply Inline Actions Hmm okay. So is the buffer actually null-terminated? NoQ: Hmm okay. So is the buffer actually null-terminated?
		a.sidorinUnsubmitted Done Reply Inline Actions Looks like this method of the base class is overridden with different return result. However, we are still allowed to use parent class methods: llvm::WritableMemoryBuffer WBuf; llvm::MemoryBuffer MBuf; StringRef Str = MBuf->MemoryBuffer::getBuffer(); Str = WBuf->MemoryBuffer::getBuffer(); a.sidorin: Looks like this method of the base class is overridden with different return result. However…
// Don't analyze if the user explicitly asked for no checks to be performed		return false;
// on this file.		}
if (Opts->DisableAllChecks)
return;

{
if (TUTotalTimer) TUTotalTimer->startTimer();

// Introduce a scope to destroy BR before Mgr.		void AnalysisConsumer::runAnalysisOnTranslationUnit(ASTContext &C) {
BugReporter BR(*Mgr);		BugReporter BR(*Mgr);
TranslationUnitDecl *TU = C.getTranslationUnitDecl();		TranslationUnitDecl *TU = C.getTranslationUnitDecl();
checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);		checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);

// Run the AST-only checks using the order in which functions are defined.		// Run the AST-only checks using the order in which functions are defined.
// If inlining is not turned on, use the simplest function order for path		// If inlining is not turned on, use the simplest function order for path
// sensitive analyzes as well.		// sensitive analyzes as well.
RecVisitorMode = AM_Syntax;		RecVisitorMode = AM_Syntax;
if (!Mgr->shouldInlineCall())		if (!Mgr->shouldInlineCall())
RecVisitorMode \|= AM_Path;		RecVisitorMode \|= AM_Path;
RecVisitorBR = &BR;		RecVisitorBR = &BR;

// Process all the top level declarations.		// Process all the top level declarations.
//		//
// Note: TraverseDecl may modify LocalTUDecls, but only by appending more		// Note: TraverseDecl may modify LocalTUDecls, but only by appending more
// entries. Thus we don't use an iterator, but rely on LocalTUDecls		// entries. Thus we don't use an iterator, but rely on LocalTUDecls
// random access. By doing so, we automatically compensate for iterators		// random access. By doing so, we automatically compensate for iterators
// possibly being invalidated, although this is a bit slower.		// possibly being invalidated, although this is a bit slower.
const unsigned LocalTUDeclsSize = LocalTUDecls.size();		const unsigned LocalTUDeclsSize = LocalTUDecls.size();
for (unsigned i = 0 ; i < LocalTUDeclsSize ; ++i) {		for (unsigned i = 0 ; i < LocalTUDeclsSize ; ++i) {
TraverseDecl(LocalTUDecls[i]);		TraverseDecl(LocalTUDecls[i]);
}		}

if (Mgr->shouldInlineCall())		if (Mgr->shouldInlineCall())
HandleDeclsCallGraph(LocalTUDeclsSize);		HandleDeclsCallGraph(LocalTUDeclsSize);

// After all decls handled, run checkers on the entire TranslationUnit.		// After all decls handled, run checkers on the entire TranslationUnit.
checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);		checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);

RecVisitorBR = nullptr;		RecVisitorBR = nullptr;
}		}

		void AnalysisConsumer::reportAnalyzerProgress(StringRef S) {
		if (Opts->AnalyzerDisplayProgress)
		llvm::errs() << S;
		}

		void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) {

		// Don't run the actions if an error has occurred with parsing the file.
		DiagnosticsEngine &Diags = PP.getDiagnostics();
		if (Diags.hasErrorOccurred() \|\| Diags.hasFatalErrorOccurred())
		return;

		if (TUTotalTimer) TUTotalTimer->startTimer();

		if (isBisonFile(C)) {
		reportAnalyzerProgress("Skipping bison-generated file\n");
		} else if (Opts->DisableAllChecks) {

		// Don't analyze if the user explicitly asked for no checks to be performed
		// on this file.
		reportAnalyzerProgress("All checks are disabled using a supplied option\n");
		} else {
		// Otherwise, just run the analysis.
		runAnalysisOnTranslationUnit(C);
		}

if (TUTotalTimer) TUTotalTimer->stopTimer();		if (TUTotalTimer) TUTotalTimer->stopTimer();
		NoQUnsubmitted Not Done Reply Inline Actions It seems that previously it didn't do the timer stop thing and whatever is below when analysis is skipped, now it does. Is this an intended or an accidental change? NoQ: It seems that previously it didn't do the timer stop thing and whatever is below when analysis…
		george.karpenkovAuthorUnsubmitted Not Done Reply Inline Actions Intended, as "whatever is below" is the code producing the plist. george.karpenkov: Intended, as "whatever is below" is the code producing the plist.
		NoQUnsubmitted Not Done Reply Inline Actions I mean, is it intended even in the `Opts->DisableAllChecks` mode? NoQ: I mean, is it intended even in the `Opts->DisableAllChecks` mode?
		NoQUnsubmitted Done Reply Inline Actions Emm, wait, there's another return above. So that's dead code. NoQ: Emm, wait, there's another return above. So that's dead code.
		george.karpenkovAuthorUnsubmitted Not Done Reply Inline Actions I mean, is it intended even in the Opts->DisableAllChecks mode? Yes, to me it seems logical to have less code paths and to always perform same wrapping, lest the clients expect that. george.karpenkov: > I mean, is it intended even in the Opts->DisableAllChecks mode? Yes, to me it seems logical…

// Count how many basic blocks we have not covered.		// Count how many basic blocks we have not covered.
NumBlocksInAnalyzedFunctions = FunctionSummaries.getTotalNumBasicBlocks();		NumBlocksInAnalyzedFunctions = FunctionSummaries.getTotalNumBasicBlocks();
NumVisitedBlocksInAnalyzedFunctions =		NumVisitedBlocksInAnalyzedFunctions =
FunctionSummaries.getTotalNumVisitedBasicBlocks();		FunctionSummaries.getTotalNumVisitedBasicBlocks();
if (NumBlocksInAnalyzedFunctions > 0)		if (NumBlocksInAnalyzedFunctions > 0)
PercentReachableBlocks =		PercentReachableBlocks =
(FunctionSummaries.getTotalNumVisitedBasicBlocks() * 100) /		(FunctionSummaries.getTotalNumVisitedBasicBlocks() * 100) /
▲ Show 20 Lines • Show All 298 Lines • Show Last 20 Lines

test/Analysis/yaccignore.c

				/* A Bison parser, made by GNU Bison 1.875. */

				// RUN: rm -rf %t.plist
				// RUN: %clang_analyze_cc1 -analyzer-checker=core -analyzer-output=plist -o %t.plist -verify %s
				// RUN: FileCheck --input-file=%t.plist %s

				// expected-no-diagnostics
				int foo() {
				int *x = 0;
				return *x; // no-warning
				}

				// CHECK: <key>diagnostics</key>