This is an archive of the discontinued LLVM Phabricator instance.

Differential D44183

[analyzer] Don't crash with assertion failure on structured bindings
ClosedPublic

Authored by george.karpenkov on Mar 6 2018, 6:26 PM.

Details

Reviewers
NoQ
dcoughlin
Commits
rG065962375dbd: [analyzer] Don't crash with assertion failure on structured bindings
rL326951: [analyzer] Don't crash with assertion failure on structured bindings
rC326951: [analyzer] Don't crash with assertion failure on structured bindings
Summary

Proper modeling still remains to be done.
Note that BindingDecl#getHoldingVar() is almost always null, and this should probably be handled by dealing with DecompositionDecl beforehand.

rdar://36852163

Diff Detail

Repository
rC Clang

Event Timeline

george.karpenkov created this revision.Mar 6 2018, 6:26 PM
Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptMar 6 2018, 6:26 PM
NoQ accepted this revision.Mar 7 2018, 1:28 PM

It seems that semantically this construct creates a copy of s - let's refer to it as _s (it could be represented as a VarRegion because DecompositionDecl is a sub-class of VarDecl) - and the lvalue of a would be a sub-region within _s based on the BindingDecl which would be represented via a completely new kind of DeclRegion (because BindingDecl is not a sub-class of FieldDecl, which is good, because otherwise we would have jumped into the pointer-to-member handling code, which is not correct).

As far as i understand, decompositions may also be user-defined, and in this case they might require different regions to represent the result (and also call expressions in the CFG to inline user-defined implementations).

test/Analysis/structured_bindings.cc
8–9

You can add clang_analyzer_eval or clang_analyzer_warnIfReached that demonstrates the current incorrect behavior that should be fixed by addressing the FIXME. Eg., we don't understand that a is equal to 1, so clang_analyzer_eval(a == 1) would be UNKNOWN, and clang_analyzer_warnIfReached() on the else-branch would warn.

This revision is now accepted and ready to land.Mar 7 2018, 1:28 PM
Closed by commit rC326951: [analyzer] Don't crash with assertion failure on structured bindings (authored by george.karpenkov). · Explain WhyMar 7 2018, 2:23 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: cfe-commits. · View Herald TranscriptMar 7 2018, 2:23 PM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Core/
7 lines
test/
Analysis/
10 lines

Diff 137479

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 2,457 Lines▼ Show 20 Lines if (isa<FieldDecl>(D) || isa<IndirectFieldDecl>(D)) {
// Right now we just use a non-null void pointer, so that it gives proper // Right now we just use a non-null void pointer, so that it gives proper
// results in boolean contexts. // results in boolean contexts.
// FIXME: Maybe delegate this to the surrounding operator&. // FIXME: Maybe delegate this to the surrounding operator&.
// Note how this expression is lvalue, however pointer-to-member is NonLoc. // Note how this expression is lvalue, however pointer-to-member is NonLoc.
SVal V = svalBuilder.conjureSymbolVal(Ex, LCtx, getContext().VoidPtrTy, SVal V = svalBuilder.conjureSymbolVal(Ex, LCtx, getContext().VoidPtrTy,
currBldrCtx->blockCount()); currBldrCtx->blockCount());
state = state->assume(V.castAs<DefinedOrUnknownSVal>(), true); state = state->assume(V.castAs<DefinedOrUnknownSVal>(), true);
Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr, Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
ProgramPoint::PostLValueKind); ProgramPoint::PostLValueKind);
return; return;
} }
if (const auto* BD = dyn_cast<BindingDecl>(D)) {
// FIXME: proper support for bound declarations.
// For now, let's just prevent crashing.
return;
}
llvm_unreachable("Support for this Decl not implemented."); llvm_unreachable("Support for this Decl not implemented.");
} }
/// VisitArraySubscriptExpr - Transfer function for array accesses /// VisitArraySubscriptExpr - Transfer function for array accesses
void ExprEngine::VisitArraySubscriptExpr(const ArraySubscriptExpr *A, void ExprEngine::VisitArraySubscriptExpr(const ArraySubscriptExpr *A,
ExplodedNode *Pred, ExplodedNode *Pred,
ExplodedNodeSet &Dst){ ExplodedNodeSet &Dst){
▲ Show 20 LinesShow All 791 LinesShow Last 20 Lines

test/Analysis/structured_bindings.cc

// RUN: %clang_analyze_cc1 -std=c++17 -analyzer-checker=core -verify %s
// expected-no-diagnostics
struct s { int a; };
int foo() {
auto[a] = s{1}; // FIXME: proper modelling
if (a) {
}
}
NoQUnsubmitted
Not Done
ReplyInline Actions

You can add clang_analyzer_eval or clang_analyzer_warnIfReached that demonstrates the current incorrect behavior that should be fixed by addressing the FIXME. Eg., we don't understand that a is equal to 1, so clang_analyzer_eval(a == 1) would be UNKNOWN, and clang_analyzer_warnIfReached() on the else-branch would warn.

NoQ: You can add `clang_analyzer_eval` or `clang_analyzer_warnIfReached` that demonstrates the…