This is an archive of the discontinued LLVM Phabricator instance.

Differential D43666

[analyzer] When constructing a temporary without construction context, track it for destruction anyway.
ClosedPublic

Authored by NoQ on Feb 22 2018, 6:13 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rG1e3dbd7a17b3: [analyzer] Track temporaries without construction contexts for destruction.
rC326246: [analyzer] Track temporaries without construction contexts for destruction.
rL326246: [analyzer] Track temporaries without construction contexts for destruction.
Summary

This brings back code that was doing so earlier (when we had no constructed contexts at all) but was removed too early in D43104, as discussed in D43497. This allows us to call the correct destructor sequence in the end of the operator && in the test, even if not all of them are inlined, because we keep track of all temporaries we've constructed in order to resolve situations when the number or nature of temporaries is not known in compile-time.

The test case provided in D43497 was not entirely correct: the global variable would anyway be invalidated by the other destructor that we don't inline yet. Though, yeah, it needs to be fixed as well, but it isn't addressed by the fix that i've been thinking of (this patch).

Cleanup process misbehaves when the node after the cleanup is caching out: in this case we take the node that wasn't cleaned up and hit the assertion. This was fixed as well. It's a bit disappointing that our process of constructing a single exploded node is so complicated and error-prone.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Feb 22 2018, 6:13 PM
Herald added subscribers: cfe-commits, rnkovacs. · View Herald TranscriptFeb 22 2018, 6:13 PM
NoQ added a parent revision: D43533: [CFG] [analyzer] NFC: Refactor ConstructionContext into a finite set of cases..Feb 22 2018, 6:15 PM
dcoughlin added inline comments.Feb 24 2018, 10:47 AM
lib/StaticAnalyzer/Core/ExprEngine.cpp
2234 ↗(On Diff #135580)

Can you add a comment explaining the criteria under which the DidCacheOutOnCleanup part can be removed?

2257 ↗(On Diff #135580)

I realize this isn't new code in this patch, but can you use the result of Bldr.generateNode() to determine whether we cached out and also to get the new Pred? That seems cleaner than querying the ExplodedNodeSet.

2262 ↗(On Diff #135580)

It sounds like this means if we did cache out then there are places where the initialized temporaries are not cleared (that is, we have extra gunk in the state that we don't want).

Is that true? If so, then this relaxation of the assertion doesn't seem right to me.

Do we need to introduce a new program point when calling Bldr.generateNode on the cleaned up state (for example, with a new tag or a new program point kind)? This would make it so that when we cache out when generating a node for the state with the cleaned up temporaries we know that it is safe to early return from processEndOfFunction(). It would be safe because we would know that the other node (the one we cached out because of) has already had its temporaries cleared and notified the checkers about the end of the function, etc.

NoQ updated this revision to Diff 135994.Feb 26 2018, 3:01 PM
NoQ marked 3 inline comments as done.

Fix cleanup node generation logic.

lib/StaticAnalyzer/Core/ExprEngine.cpp
2262 ↗(On Diff #135580)

Yep, this is a bug and also it can be simplified a lot.

NoQ added a child revision: D43804: [analyzer] Enable cfg-temporary-dtors by default?.Feb 26 2018, 8:14 PM
This revision was not accepted when it landed; it landed in state Needs Review.Feb 27 2018, 1:05 PM
Closed by commit rL326246: [analyzer] Track temporaries without construction contexts for destruction. (authored by NoQ). · Explain Why
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptFeb 27 2018, 1:05 PM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
4 lines
lib/
StaticAnalyzer/
Core/
55 lines
test/
Analysis/
17 lines

Diff 136138

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 446 Lines▼ Show 20 Linespublic:
void VisitUnaryOperator(const UnaryOperator* B, ExplodedNode *Pred, void VisitUnaryOperator(const UnaryOperator* B, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
/// Handle ++ and -- (both pre- and post-increment). /// Handle ++ and -- (both pre- and post-increment).
void VisitIncrementDecrementOperator(const UnaryOperator* U, void VisitIncrementDecrementOperator(const UnaryOperator* U,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
void VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE,
ExplodedNodeSet &PreVisit,
ExplodedNodeSet &Dst);
void VisitCXXCatchStmt(const CXXCatchStmt *CS, ExplodedNode *Pred, void VisitCXXCatchStmt(const CXXCatchStmt *CS, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
void VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred, void VisitCXXThisExpr(const CXXThisExpr *TE, ExplodedNode *Pred,
ExplodedNodeSet & Dst); ExplodedNodeSet & Dst);
void VisitCXXConstructExpr(const CXXConstructExpr *E, ExplodedNode *Pred, void VisitCXXConstructExpr(const CXXConstructExpr *E, ExplodedNode *Pred,
ExplodedNodeSet &Dst); ExplodedNodeSet &Dst);
▲ Show 20 LinesShow All 306 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 1,083 Lines▼ Show 20 Lines if (Pred->getState()->contains<InitializedTemporaries>(
TempDtorBuilder.markInfeasible(false); TempDtorBuilder.markInfeasible(false);
TempDtorBuilder.generateNode(Pred->getState(), true, Pred); TempDtorBuilder.generateNode(Pred->getState(), true, Pred);
} else { } else {
TempDtorBuilder.markInfeasible(true); TempDtorBuilder.markInfeasible(true);
TempDtorBuilder.generateNode(Pred->getState(), false, Pred); TempDtorBuilder.generateNode(Pred->getState(), false, Pred);
} }
} }
void ExprEngine::VisitCXXBindTemporaryExpr(const CXXBindTemporaryExpr *BTE,
ExplodedNodeSet &PreVisit,
ExplodedNodeSet &Dst) {
// This is a fallback solution in case we didn't have a construction
// context when we were constructing the temporary. Otherwise the map should
// have been populated there.
if (!getAnalysisManager().options.includeTemporaryDtorsInCFG()) {
// In case we don't have temporary destructors in the CFG, do not mark
// the initialization - we would otherwise never clean it up.
Dst = PreVisit;
return;
}
StmtNodeBuilder StmtBldr(PreVisit, Dst, *currBldrCtx);
for (ExplodedNode *Node : PreVisit) {
ProgramStateRef State = Node->getState();
const auto &Key = std::make_pair(BTE, Node->getStackFrame());
if (!State->contains<InitializedTemporaries>(Key)) {
// FIXME: Currently the state might also already contain the marker due to
// incorrect handling of temporaries bound to default parameters; for
// those, we currently skip the CXXBindTemporaryExpr but rely on adding
// temporary destructor nodes.
State = State->set<InitializedTemporaries>(Key, nullptr);
}
StmtBldr.generateNode(BTE, Node, State);
}
}
namespace { namespace {
class CollectReachableSymbolsCallback final : public SymbolVisitor { class CollectReachableSymbolsCallback final : public SymbolVisitor {
InvalidatedSymbols Symbols; InvalidatedSymbols Symbols;
public: public:
explicit CollectReachableSymbolsCallback(ProgramStateRef State) {} explicit CollectReachableSymbolsCallback(ProgramStateRef State) {}
const InvalidatedSymbols &getSymbols() const { return Symbols; } const InvalidatedSymbols &getSymbols() const { return Symbols; }
▲ Show 20 LinesShow All 146 Lines▼ Show 20 Lines switch (S->getStmtClass()) {
case Stmt::ExprWithCleanupsClass: case Stmt::ExprWithCleanupsClass:
// Handled due to fully linearised CFG. // Handled due to fully linearised CFG.
break; break;
case Stmt::CXXBindTemporaryExprClass: { case Stmt::CXXBindTemporaryExprClass: {
Bldr.takeNodes(Pred); Bldr.takeNodes(Pred);
ExplodedNodeSet PreVisit; ExplodedNodeSet PreVisit;
getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this); getCheckerManager().runCheckersForPreStmt(PreVisit, Pred, S, *this);
getCheckerManager().runCheckersForPostStmt(Dst, PreVisit, S, *this); ExplodedNodeSet Next;
VisitCXXBindTemporaryExpr(cast<CXXBindTemporaryExpr>(S), PreVisit, Next);
getCheckerManager().runCheckersForPostStmt(Dst, Next, S, *this);
Bldr.addNodes(Dst); Bldr.addNodes(Dst);
break; break;
} }
// Cases not handled yet; but will handle some day. // Cases not handled yet; but will handle some day.
case Stmt::DesignatedInitExprClass: case Stmt::DesignatedInitExprClass:
case Stmt::DesignatedInitUpdateExprClass: case Stmt::DesignatedInitUpdateExprClass:
case Stmt::ArrayInitLoopExprClass: case Stmt::ArrayInitLoopExprClass:
▲ Show 20 LinesShow All 926 Lines▼ Show 20 Lines
void ExprEngine::processEndOfFunction(NodeBuilderContext& BC, void ExprEngine::processEndOfFunction(NodeBuilderContext& BC,
ExplodedNode *Pred, ExplodedNode *Pred,
const ReturnStmt *RS) { const ReturnStmt *RS) {
// See if we have any stale C++ allocator values. // See if we have any stale C++ allocator values.
assert(areCXXNewAllocatorValuesClear(Pred->getState(), assert(areCXXNewAllocatorValuesClear(Pred->getState(),
Pred->getLocationContext(), Pred->getLocationContext(),
Pred->getStackFrame()->getParent())); Pred->getStackFrame()->getParent()));
// FIXME: We currently assert that temporaries are clear, as lifetime extended // FIXME: We currently cannot assert that temporaries are clear, because
// temporaries are not always modelled correctly. In some cases when we // lifetime extended temporaries are not always modelled correctly. In some
// materialize the temporary, we do createTemporaryRegionIfNeeded(), and // cases when we materialize the temporary, we do
// the region changes, and also the respective destructor becomes automatic // createTemporaryRegionIfNeeded(), and the region changes, and also the
// from temporary. So for now clean up the state manually before asserting. // respective destructor becomes automatic from temporary. So for now clean up
// Ideally, the code above the assertion should go away, but the assertion // the state manually before asserting. Ideally, the code above the assertion
// should remain. // should go away, but the assertion should remain.
{ {
ExplodedNodeSet CleanUpTemporaries; ExplodedNodeSet CleanUpTemporaries;
NodeBuilder Bldr(Pred, CleanUpTemporaries, BC); NodeBuilder Bldr(Pred, CleanUpTemporaries, BC);
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
const LocationContext *FromLC = Pred->getLocationContext(); const LocationContext *FromLC = Pred->getLocationContext();
const LocationContext *ToLC = FromLC->getCurrentStackFrame()->getParent(); const LocationContext *ToLC = FromLC->getCurrentStackFrame()->getParent();
const LocationContext *LC = FromLC; const LocationContext *LC = FromLC;
while (LC != ToLC) { while (LC != ToLC) {
assert(LC && "ToLC must be a parent of FromLC!"); assert(LC && "ToLC must be a parent of FromLC!");
for (auto I : State->get<InitializedTemporaries>()) for (auto I : State->get<InitializedTemporaries>())
if (I.first.second == LC) if (I.first.second == LC)
State = State->remove<InitializedTemporaries>(I.first); State = State->remove<InitializedTemporaries>(I.first);
LC = LC->getParent(); LC = LC->getParent();
} }
if (State != Pred->getState()) { if (State != Pred->getState()) {
Bldr.generateNode(Pred->getLocation(), State, Pred); Pred = Bldr.generateNode(Pred->getLocation(), State, Pred);
assert(CleanUpTemporaries.size() <= 1); if (!Pred) {
Pred = CleanUpTemporaries.empty() ? Pred : *CleanUpTemporaries.begin(); // The node with clean temporaries already exists. We might have reached
// it on a path on which we initialize different temporaries.
return;
}
} }
} }
assert(areInitializedTemporariesClear(Pred->getState(), assert(areInitializedTemporariesClear(Pred->getState(),
Pred->getLocationContext(), Pred->getLocationContext(),
Pred->getStackFrame()->getParent())); Pred->getStackFrame()->getParent()));
assert(areTemporaryMaterializationsClear(Pred->getState(), assert(areTemporaryMaterializationsClear(Pred->getState(),
Pred->getLocationContext(), Pred->getLocationContext(),
Pred->getStackFrame()->getParent())); Pred->getStackFrame()->getParent()));
▲ Show 20 LinesShow All 1,004 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/temporaries.cpp

Show First 20 LinesShow All 894 Lines▼ Show 20 Lines
} }
} // namespace test_match_constructors_and_destructors } // namespace test_match_constructors_and_destructors
namespace dont_forget_destructor_around_logical_op { namespace dont_forget_destructor_around_logical_op {
int glob; int glob;
class C { class C {
public: public:
~C() { glob = 1; } ~C() {
glob = 1;
clang_analyzer_checkInlined(true);
#ifdef TEMPORARY_DTORS
// expected-warning@-2{{TRUE}}
#endif
}
}; };
C get(); C get();
bool is(C); bool is(C);
void test(int coin) { void test(int coin) {
// Here temporaries are being cleaned up after && is evaluated. There are two // Here temporaries are being cleaned up after && is evaluated. There are two
// temporaries: the return value of get() and the elidable copy constructor // temporaries: the return value of get() and the elidable copy constructor
// of that return value into is(). According to the CFG, we need to cleanup // of that return value into is(). According to the CFG, we need to cleanup
// both of them depending on whether the temporary corresponding to the // both of them depending on whether the temporary corresponding to the
// return value of get() was initialized. However, for now we don't track // return value of get() was initialized. However, we didn't track
// temporaries returned from functions, so we take the wrong branch. // temporaries returned from functions, so we took the wrong branch.
coin && is(get()); // no-crash coin && is(get()); // no-crash
// FIXME: We should have called the destructor, i.e. should be TRUE, // FIXME: Should be true once we inline all destructors.
// at least when we inline temporary destructors. clang_analyzer_eval(glob); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(glob == 1); // expected-warning{{UNKNOWN}}
} }
} // namespace dont_forget_destructor_around_logical_op } // namespace dont_forget_destructor_around_logical_op
#if __cplusplus >= 201103L #if __cplusplus >= 201103L
namespace temporary_list_crash { namespace temporary_list_crash {
class C { class C {
public: public:
C() {} C() {}
~C() {} ~C() {}
}; };
void test() { void test() {
std::initializer_list<C>{C(), C()}; // no-crash std::initializer_list<C>{C(), C()}; // no-crash
} }
} // namespace temporary_list_crash } // namespace temporary_list_crash
#endif // C++11 #endif // C++11