This is an archive of the discontinued LLVM Phabricator instance.

Differential D45416

[AST, analyzer] Transform rvalue cast outputs to lvalues (fheinous-gnu-extensions)
ClosedPublic

Authored by a.sidorin on Apr 8 2018, 9:49 AM.

Details

Reviewers
NoQ
dcoughlin
xazax.hun
george.karpenkov
rsmith
Commits
rG55365e4b39fd: [AST, analyzer] Transform rvalue cast outputs to lvalues (fheinous-gnu…
rC344864: [AST, analyzer] Transform rvalue cast outputs to lvalues (fheinous-gnu…
rL344864: [AST, analyzer] Transform rvalue cast outputs to lvalues (fheinous-gnu…
Summary

Despite the fact that cast expressions return rvalues, GCC still handles such outputs as lvalues when compiling inline assembler. In this commit, we are treating it by removing LValueToRValue casts inside GCCAsmStmt outputs.

Diff Detail

Repository
rC Clang

Event Timeline

a.sidorin created this revision.Apr 8 2018, 9:49 AM
Herald added a reviewer: george.karpenkov. · View Herald TranscriptApr 8 2018, 9:49 AM
Herald added subscribers: cfe-commits, rnkovacs, szepet. · View Herald Transcript
george.karpenkov requested changes to this revision.Apr 9 2018, 11:05 AM
george.karpenkov added inline comments.
lib/StaticAnalyzer/Core/ExprEngine.cpp
3082

From my understanding, the code inside the if-block is not tested below

This revision now requires changes to proceed.Apr 9 2018, 11:05 AM
a.sidorin added inline comments.Apr 9 2018, 11:15 AM
lib/StaticAnalyzer/Core/ExprEngine.cpp
3082

It is tested: without this code, "TRUE" will be printed. The reason is that the lvalue of 'global' is removed from Environment after the cast happens so X becomes Unknown. But the way of retrieving the value is definitely not the best so if you have any suggestions on improvement - they are welcome.

george.karpenkov accepted this revision.Apr 9 2018, 11:24 AM

Right, sorry. LGTM, but maybe Artem has something to add as well.
I don't have any suggestions, and trying to modifying lifetimes of expressions in environment for the sake of a GCC extensions seems suboptimal as well.

This revision is now accepted and ready to land.Apr 9 2018, 11:24 AM
NoQ accepted this revision.Apr 9 2018, 2:40 PM

Thanks!

Eww. Weird AST.

I wonder how this should work:

// RUN: %clang_analyze_cc1 -analyzer-checker debug.ExprInspection -fheinous-gnu-extensions -w %s -verify

int clang_analyzer_eval(int);

int global;
void testRValueOutput() {
  int &ref = global;
  ref = 1;
  __asm__("" : "=r"((int)ref));
  clang_analyzer_eval(ref == 1); // currently says UNKNOWN
  clang_analyzer_eval(global == 1); // currently says TRUE
}

The ultimate solution would probably be to add a fake cloned asm statement to the CFG (instead of the real asm statement) that would point to the correct output child-expression(s) that are untouched themselves but simply have their noop casts removed.

Or we could try

a.sidorin added a comment.Apr 10 2018, 5:16 AM

The ultimate solution would probably be to add a fake cloned asm statement to the CFG (instead of the real asm statement) that would point to the correct output child-expression(s) that are untouched themselves but simply have their noop casts removed.

I have some concerns about this solution. It will result in difference between AST nodes and nodes that user will receive during analysis and I'm not sure that it is good. What is even worse here is that a lot of AST stuff won't work properly - ParentMap, for example.

Or we could try

Looks like something is missed here :)

a.sidorin added a comment.Apr 10 2018, 11:02 AM

Maybe we should just remove the condition and leave a FIXME?

NoQ added a comment.Apr 10 2018, 11:09 AM
In D45416#1062901, @a.sidorin wrote:

The ultimate solution would probably be to add a fake cloned asm statement to the CFG (instead of the real asm statement) that would point to the correct output child-expression(s) that are untouched themselves but simply have their noop casts removed.

I have some concerns about this solution. It will result in difference between AST nodes and nodes that user will receive during analysis and I'm not sure that it is good. What is even worse here is that a lot of AST stuff won't work properly - ParentMap, for example.

Yep. But i'd rather avoid using the ParentMap. Also we already do this for DeclStmts that declare more than one VarDecl (split them up into single-decl statements), and the practical effect of such simplification is barely noticeable even though DeclStmts are so much more common.

Or we could try

Looks like something is missed here :)

Whoops sry nvm. And and and mmm you didn't include the diff context :p

In D45416#1063366, @a.sidorin wrote:

Maybe we should just remove the condition and leave a FIXME?

The fix is already there and it's valid and it makes things better overall, why not keep it around. We still need a FIXME though.

NoQ added a comment.Apr 10 2018, 8:02 PM

I mean, like, if we try to work with the existing AST then we're stuck with a prvalue expression that represents an lvalue and will be assigned a Loc value, which is pretty weird anyway. Getting rid of the ParentMap in favor of providing enough context (eg. in the CFG or in checker callbacks) whenever we might want to use it sounds like a much saner solution. There might be other "unknown unknowns" about rewriting the AST, but our current problem looks as safe as we'll ever get.

a.sidorin updated this revision to Diff 142226.Apr 12 2018, 11:28 AM

Rewrite the GCCAsmStmt in the CFG.

NoQ accepted this revision.Apr 13 2018, 8:31 PM

Wow, you actually did that.

Ok, now we can decide if we want this to be analyzer-only (with a CFG::BuildOptions flag) or get someone else to have a look at that as a global CFG change (i.e. it may potentially affect compiler warnings). Or at least make sure to run all clang tests :)

NoQ added a comment.Apr 13 2018, 8:32 PM

(i'd much rather do the latter)

NoQ added a comment.Apr 16 2018, 2:44 PM

(also we'll need CFG dump tests)

a.sidorin updated this revision to Diff 143959.Apr 25 2018, 10:27 AM

Add a test for CFG dump; replace static_cast with an initialization.
No test failures on check-all were observed.

NoQ accepted this revision.Apr 27 2018, 5:05 PM
NoQ added a subscriber: rsmith.

Woohoo LGTM.

Heads up to @rsmith because we're about to break the CFG again, and also yay we've found another use case for rewriting AST in our CFG.

rsmith added inline comments.Apr 27 2018, 5:15 PM
test/Analysis/asm.cpp
10

Ugh, do we really need to support this nonsense? :(

If so, it'd seem reasonable to me to do the cleanup when building the AST rather than in the CFG builder (that is, convert the LValueToRValue cast here to a NoOp lvalue cast node, since that matches its actual semantics).

a.sidorin updated this revision to Diff 144998.May 3 2018, 4:18 AM
a.sidorin retitled this revision from [analyzer] ExprEngine: model GCC inline asm rvalue cast outputs to [AST, analyzer] Transform rvalue cast outputs to lvalues (fheinous-gnu-extensions).
a.sidorin edited the summary of this revision. (Show Details)
a.sidorin added a reviewer: rsmith.

Transform AST instead.
I don't remove analyzer guys from reviewers because the test is still for the analyzer.
@rsmith Feel free to correct me if I'm doing something wrong.

a.sidorin added a comment.May 14 2018, 7:13 AM

Gentle ping.

NoQ added a comment.Sep 6 2018, 5:44 PM

Dunno, i guess you can just commit it.

lib/Sema/SemaStmtAsm.cpp
57 ↗(On Diff #144998)

Like father, like son :D

Herald added a subscriber: Szelethus. · View Herald TranscriptSep 6 2018, 5:44 PM
NoQ accepted this revision.Sep 6 2018, 5:44 PM
Closed by commit rL344864: [AST, analyzer] Transform rvalue cast outputs to lvalues (fheinous-gnu… (authored by a.sidorin). · Explain WhyOct 20 2018, 3:51 PM
This revision was automatically updated to reflect the committed changes.
Herald added subscribers: llvm-commits, dkrupp, donat.nagy. · View Herald TranscriptOct 20 2018, 3:51 PM

Revision Contents

PathSize
include/
clang/
Analysis/
19 lines
lib/
Analysis/
74 lines
StaticAnalyzer/
Core/
5 lines
test/
Analysis/
12 lines

Diff 142226

include/clang/Analysis/CFG.h

Show First 20 LinesShow All 1,111 Lines▼ Show 20 Linespublic:
/// Records a synthetic DeclStmt and the DeclStmt it was constructed from. /// Records a synthetic DeclStmt and the DeclStmt it was constructed from.
/// ///
/// The CFG uses synthetic DeclStmts when a single AST DeclStmt contains /// The CFG uses synthetic DeclStmts when a single AST DeclStmt contains
/// multiple decls. /// multiple decls.
void addSyntheticDeclStmt(const DeclStmt *Synthetic, void addSyntheticDeclStmt(const DeclStmt *Synthetic,
const DeclStmt *Source) { const DeclStmt *Source) {
assert(Synthetic->isSingleDecl() && "Can handle single declarations only"); assert(Synthetic->isSingleDecl() && "Can handle single declarations only");
assert(Synthetic != Source && "Don't include original DeclStmts in map"); addSyntheticStmt(Synthetic, Source);
assert(!SyntheticDeclStmts.count(Synthetic) && "Already in map"); }
SyntheticDeclStmts[Synthetic] = Source;
/// Records a synthetic Stmt and the Stmt it was constructed from.
void addSyntheticStmt(const Stmt *Synthetic, const Stmt *Source) {
assert(Synthetic != Source && "Don't include original Stmts in map");
assert(!SyntheticStmts.count(Synthetic) && "Already in map");
SyntheticStmts[Synthetic] = Source;
} }
using synthetic_stmt_iterator = using synthetic_stmt_iterator =
llvm::DenseMap<const DeclStmt *, const DeclStmt *>::const_iterator; llvm::DenseMap<const Stmt *, const Stmt *>::const_iterator;
using synthetic_stmt_range = llvm::iterator_range<synthetic_stmt_iterator>; using synthetic_stmt_range = llvm::iterator_range<synthetic_stmt_iterator>;
/// Iterates over synthetic DeclStmts in the CFG. /// Iterates over synthetic DeclStmts in the CFG.
/// ///
/// Each element is a (synthetic statement, source statement) pair. /// Each element is a (synthetic statement, source statement) pair.
/// ///
/// \sa addSyntheticDeclStmt /// \sa addSyntheticDeclStmt
synthetic_stmt_iterator synthetic_stmt_begin() const { synthetic_stmt_iterator synthetic_stmt_begin() const {
return SyntheticDeclStmts.begin(); return SyntheticStmts.begin();
} }
/// \sa synthetic_stmt_begin /// \sa synthetic_stmt_begin
synthetic_stmt_iterator synthetic_stmt_end() const { synthetic_stmt_iterator synthetic_stmt_end() const {
return SyntheticDeclStmts.end(); return SyntheticStmts.end();
} }
/// \sa synthetic_stmt_begin /// \sa synthetic_stmt_begin
synthetic_stmt_range synthetic_stmts() const { synthetic_stmt_range synthetic_stmts() const {
return synthetic_stmt_range(synthetic_stmt_begin(), synthetic_stmt_end()); return synthetic_stmt_range(synthetic_stmt_begin(), synthetic_stmt_end());
} }
//===--------------------------------------------------------------------===// //===--------------------------------------------------------------------===//
▲ Show 20 LinesShow All 59 Lines▼ Show 20 Linesprivate:
CFGBlockListTy Blocks; CFGBlockListTy Blocks;
/// C++ 'try' statements are modeled with an indirect dispatch block. /// C++ 'try' statements are modeled with an indirect dispatch block.
/// This is the collection of such blocks present in the CFG. /// This is the collection of such blocks present in the CFG.
std::vector<const CFGBlock *> TryDispatchBlocks; std::vector<const CFGBlock *> TryDispatchBlocks;
/// Collects DeclStmts synthesized for this CFG and maps each one back to its /// Collects DeclStmts synthesized for this CFG and maps each one back to its
/// source DeclStmt. /// source DeclStmt.
llvm::DenseMap<const DeclStmt *, const DeclStmt *> SyntheticDeclStmts; llvm::DenseMap<const Stmt *, const Stmt *> SyntheticStmts;
}; };
} // namespace clang } // namespace clang
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// GraphTraits specializations for CFG basic block graphs (source-level CFGs) // GraphTraits specializations for CFG basic block graphs (source-level CFGs)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 114 LinesShow Last 20 Lines

lib/Analysis/CFG.cpp

Show First 20 LinesShow All 542 Lines▼ Show 20 Linesprivate:
CFGBlock *VisitCXXThrowExpr(CXXThrowExpr *T); CFGBlock *VisitCXXThrowExpr(CXXThrowExpr *T);
CFGBlock *VisitCXXTryStmt(CXXTryStmt *S); CFGBlock *VisitCXXTryStmt(CXXTryStmt *S);
CFGBlock *VisitDeclStmt(DeclStmt *DS); CFGBlock *VisitDeclStmt(DeclStmt *DS);
CFGBlock *VisitDeclSubExpr(DeclStmt *DS); CFGBlock *VisitDeclSubExpr(DeclStmt *DS);
CFGBlock *VisitDefaultStmt(DefaultStmt *D); CFGBlock *VisitDefaultStmt(DefaultStmt *D);
CFGBlock *VisitDoStmt(DoStmt *D); CFGBlock *VisitDoStmt(DoStmt *D);
CFGBlock *VisitExprWithCleanups(ExprWithCleanups *E, AddStmtChoice asc); CFGBlock *VisitExprWithCleanups(ExprWithCleanups *E, AddStmtChoice asc);
CFGBlock *VisitForStmt(ForStmt *F); CFGBlock *VisitForStmt(ForStmt *F);
CFGBlock *VisitGCCAsmStmt(GCCAsmStmt *GCCAsmS, AddStmtChoice asc);
CFGBlock *VisitGotoStmt(GotoStmt *G); CFGBlock *VisitGotoStmt(GotoStmt *G);
CFGBlock *VisitIfStmt(IfStmt *I); CFGBlock *VisitIfStmt(IfStmt *I);
CFGBlock *VisitImplicitCastExpr(ImplicitCastExpr *E, AddStmtChoice asc); CFGBlock *VisitImplicitCastExpr(ImplicitCastExpr *E, AddStmtChoice asc);
CFGBlock *VisitIndirectGotoStmt(IndirectGotoStmt *I); CFGBlock *VisitIndirectGotoStmt(IndirectGotoStmt *I);
CFGBlock *VisitLabelStmt(LabelStmt *L); CFGBlock *VisitLabelStmt(LabelStmt *L);
CFGBlock *VisitBlockExpr(BlockExpr *E, AddStmtChoice asc); CFGBlock *VisitBlockExpr(BlockExpr *E, AddStmtChoice asc);
CFGBlock *VisitLambdaExpr(LambdaExpr *E, AddStmtChoice asc); CFGBlock *VisitLambdaExpr(LambdaExpr *E, AddStmtChoice asc);
CFGBlock *VisitLogicalOperator(BinaryOperator *B); CFGBlock *VisitLogicalOperator(BinaryOperator *B);
Show All 23 Linesprivate:
CFGBlock *VisitUnaryOperator(UnaryOperator *U, AddStmtChoice asc); CFGBlock *VisitUnaryOperator(UnaryOperator *U, AddStmtChoice asc);
CFGBlock *VisitWhileStmt(WhileStmt *W); CFGBlock *VisitWhileStmt(WhileStmt *W);
CFGBlock *Visit(Stmt *S, AddStmtChoice asc = AddStmtChoice::NotAlwaysAdd); CFGBlock *Visit(Stmt *S, AddStmtChoice asc = AddStmtChoice::NotAlwaysAdd);
CFGBlock *VisitStmt(Stmt *S, AddStmtChoice asc); CFGBlock *VisitStmt(Stmt *S, AddStmtChoice asc);
CFGBlock *VisitChildren(Stmt *S); CFGBlock *VisitChildren(Stmt *S);
CFGBlock *VisitNoRecurse(Expr *E, AddStmtChoice asc); CFGBlock *VisitNoRecurse(Expr *E, AddStmtChoice asc);
GCCAsmStmt *getOrCreateGCCAsmStmtWithoutGnuExtensions(GCCAsmStmt *GCCAsmS);
template <typename StmtTy> void *allocateMemForStmt() {
// Get the alignment of the new Stmt, padding out to >=8 bytes.
unsigned Align = std::max(alignof(StmtTy), static_cast<size_t>(8));
// Allocate a new Stmt using the BumpPtrAllocator. It will get
// automatically freed with the CFG.
return cfg->getAllocator().Allocate(sizeof(StmtTy), Align);
}
void maybeAddScopeBeginForVarDecl(CFGBlock *B, const VarDecl *VD, void maybeAddScopeBeginForVarDecl(CFGBlock *B, const VarDecl *VD,
const Stmt *S) { const Stmt *S) {
if (ScopePos && (VD == ScopePos.getFirstVarInScope())) if (ScopePos && (VD == ScopePos.getFirstVarInScope()))
appendScopeBegin(B, VD, S); appendScopeBegin(B, VD, S);
} }
/// When creating the CFG for temporary destructors, we want to mirror the /// When creating the CFG for temporary destructors, we want to mirror the
/// branch structure of the corresponding constructor calls. /// branch structure of the corresponding constructor calls.
▲ Show 20 LinesShow All 1,436 Lines▼ Show 20 Lines case Stmt::DefaultStmtClass:
return VisitDefaultStmt(cast<DefaultStmt>(S)); return VisitDefaultStmt(cast<DefaultStmt>(S));
case Stmt::DoStmtClass: case Stmt::DoStmtClass:
return VisitDoStmt(cast<DoStmt>(S)); return VisitDoStmt(cast<DoStmt>(S));
case Stmt::ForStmtClass: case Stmt::ForStmtClass:
return VisitForStmt(cast<ForStmt>(S)); return VisitForStmt(cast<ForStmt>(S));
case Stmt::GCCAsmStmtClass:
return VisitGCCAsmStmt(cast<GCCAsmStmt>(S), asc);
case Stmt::GotoStmtClass: case Stmt::GotoStmtClass:
return VisitGotoStmt(cast<GotoStmt>(S)); return VisitGotoStmt(cast<GotoStmt>(S));
case Stmt::IfStmtClass: case Stmt::IfStmtClass:
return VisitIfStmt(cast<IfStmt>(S)); return VisitIfStmt(cast<IfStmt>(S));
case Stmt::ImplicitCastExprClass: case Stmt::ImplicitCastExprClass:
return VisitImplicitCastExpr(cast<ImplicitCastExpr>(S), asc); return VisitImplicitCastExpr(cast<ImplicitCastExpr>(S), asc);
▲ Show 20 LinesShow All 516 Lines▼ Show 20 Lines if (DS->isSingleDecl())
return VisitDeclSubExpr(DS); return VisitDeclSubExpr(DS);
CFGBlock *B = nullptr; CFGBlock *B = nullptr;
// Build an individual DeclStmt for each decl. // Build an individual DeclStmt for each decl.
for (DeclStmt::reverse_decl_iterator I = DS->decl_rbegin(), for (DeclStmt::reverse_decl_iterator I = DS->decl_rbegin(),
E = DS->decl_rend(); E = DS->decl_rend();
I != E; ++I) { I != E; ++I) {
// Get the alignment of the new DeclStmt, padding out to >=8 bytes.
unsigned A = alignof(DeclStmt) < 8 ? 8 : alignof(DeclStmt);
// Allocate the DeclStmt using the BumpPtrAllocator. It will get
// automatically freed with the CFG.
DeclGroupRef DG(*I); DeclGroupRef DG(*I);
Decl *D = *I; Decl *D = *I;
void *Mem = cfg->getAllocator().Allocate(sizeof(DeclStmt), A); void *Mem = allocateMemForStmt<DeclStmt>();
DeclStmt *DSNew = new (Mem) DeclStmt(DG, D->getLocation(), GetEndLoc(D)); DeclStmt *DSNew = new (Mem) DeclStmt(DG, D->getLocation(), GetEndLoc(D));
cfg->addSyntheticDeclStmt(DSNew, DS); cfg->addSyntheticDeclStmt(DSNew, DS);
// Append the fake DeclStmt to block. // Append the fake DeclStmt to block.
B = VisitDeclSubExpr(DSNew); B = VisitDeclSubExpr(DSNew);
} }
return B; return B;
▲ Show 20 LinesShow All 414 Lines▼ Show 20 Lines for (LambdaExpr::capture_init_iterator it = E->capture_init_begin(),
if (Expr *Init = *it) { if (Expr *Init = *it) {
CFGBlock *Tmp = Visit(Init); CFGBlock *Tmp = Visit(Init);
if (Tmp) if (Tmp)
LastBlock = Tmp; LastBlock = Tmp;
} }
} }
return LastBlock; return LastBlock;
} }
GCCAsmStmt *
CFGBuilder::getOrCreateGCCAsmStmtWithoutGnuExtensions(GCCAsmStmt *S) {
// GCC asm syntax allows using no-op-like casts as outputs. While GCC treats
// them as lvalues, clang builds an LValueToRValue cast.
// We are going to re-create the GCCAsmStmt if this happens.
if (std::find_if(S->begin_outputs(), S->end_outputs(), [this](const Expr *E) {
return E != E->IgnoreParenNoopCasts(*Context);
}) == S->end_outputs())
return S;
SmallVector<IdentifierInfo *, 4> Names;
for (unsigned I = 0, E = S->getNumOutputs(); I != E; I++)
Names.push_back(S->getOutputIdentifier(I));
for (unsigned I = 0, E = S->getNumInputs(); I != E; I++)
Names.push_back(S->getInputIdentifier(I));
SmallVector<StringLiteral *, 4> Clobbers;
for (unsigned I = 0, E = S->getNumClobbers(); I != E; I++)
Clobbers.push_back(S->getClobberStringLiteral(I));
SmallVector<StringLiteral *, 4> Constraints;
for (unsigned I = 0, E = S->getNumOutputs(); I != E; I++)
Constraints.push_back(S->getOutputConstraintLiteral(I));
for (unsigned I = 0, E = S->getNumInputs(); I != E; I++)
Constraints.push_back(S->getInputConstraintLiteral(I));
SmallVector<Expr *, 4> Exprs(S->getNumOutputs() + S->getNumInputs());
std::transform(
S->begin_outputs(), S->end_outputs(), Exprs.begin(),
[this](Expr *E) -> Expr * { return E->IgnoreParenNoopCasts(*Context); });
std::copy(S->begin_inputs(), S->end_inputs(),
Exprs.begin() + S->getNumOutputs());
void *Mem = allocateMemForStmt<GCCAsmStmt>();
GCCAsmStmt *CleanGCCAsmStmt = new (Mem) GCCAsmStmt(
*Context, S->getAsmLoc(), S->isSimple(), S->isVolatile(),
S->getNumOutputs(), S->getNumInputs(), Names.data(), Constraints.data(),
Exprs.data(), S->getAsmString(), S->getNumClobbers(), Clobbers.data(),
S->getRParenLoc());
cfg->addSyntheticStmt(CleanGCCAsmStmt, S);
return CleanGCCAsmStmt;
}
CFGBlock *CFGBuilder::VisitGCCAsmStmt(GCCAsmStmt *GCCAsmS, AddStmtChoice asc) {
GCCAsmS = getOrCreateGCCAsmStmtWithoutGnuExtensions(GCCAsmS);
return VisitStmt(GCCAsmS, asc);
}
CFGBlock *CFGBuilder::VisitGotoStmt(GotoStmt *G) { CFGBlock *CFGBuilder::VisitGotoStmt(GotoStmt *G) {
// Goto is a control-flow statement. Thus we stop processing the current // Goto is a control-flow statement. Thus we stop processing the current
// block and create a new one. // block and create a new one.
Block = createBlock(false); Block = createBlock(false);
Block->setTerminator(G); Block->setTerminator(G);
// If we already know the mapping to the label block add the successor now. // If we already know the mapping to the label block add the successor now.
▲ Show 20 LinesShow All 2,426 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 3,065 Lines▼ Show 20 Linesvoid ExprEngine::VisitGCCAsmStmt(const GCCAsmStmt *A, ExplodedNode *Pred,
// We have processed both the inputs and the outputs. All of the outputs // We have processed both the inputs and the outputs. All of the outputs
// should evaluate to Locs. Nuke all of their values. // should evaluate to Locs. Nuke all of their values.
// FIXME: Some day in the future it would be nice to allow a "plug-in" // FIXME: Some day in the future it would be nice to allow a "plug-in"
// which interprets the inline asm and stores proper results in the // which interprets the inline asm and stores proper results in the
// outputs. // outputs.
ProgramStateRef state = Pred->getState(); ProgramStateRef state = Pred->getState();
const auto *LCtx = Pred->getLocationContext();
for (const Expr *O : A->outputs()) { for (const Expr *O : A->outputs()) {
SVal X = state->getSVal(O, Pred->getLocationContext()); SVal X = state->getSVal(O, LCtx);
assert(!X.getAs<NonLoc>()); // Should be an Lval, or unknown, undef. assert(!X.getAs<NonLoc>()); // Should be an Lval, or unknown, undef.
if (Optional<Loc> LV = X.getAs<Loc>()) if (Optional<Loc> LV = X.getAs<Loc>())
state = state->bindLoc(*LV, UnknownVal(), Pred->getLocationContext()); state = state->bindLoc(*LV, UnknownVal(), LCtx);
} }
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

From my understanding, the code inside the if-block is not tested below

george.karpenkov: From my understanding, the code inside the if-block is not tested below
a.sidorinAuthorUnsubmitted
Not Done
ReplyInline Actions

It is tested: without this code, "TRUE" will be printed. The reason is that the lvalue of 'global' is removed from Environment after the cast happens so X becomes Unknown. But the way of retrieving the value is definitely not the best so if you have any suggestions on improvement - they are welcome.

a.sidorin: It is tested: without this code, "TRUE" will be printed. The reason is that the lvalue of…
Bldr.generateNode(A, Pred, state); Bldr.generateNode(A, Pred, state);
} }
void ExprEngine::VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred, void ExprEngine::VisitMSAsmStmt(const MSAsmStmt *A, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateNode(A, Pred, Pred->getState()); Bldr.generateNode(A, Pred, Pred->getState());
▲ Show 20 LinesShow All 266 LinesShow Last 20 Lines

test/Analysis/asm.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker debug.ExprInspection -fheinous-gnu-extensions -w %s -verify
int clang_analyzer_eval(int);
int global;
void testRValueOutput() {
int &ref = global;
ref = 1;
__asm__("" : "=r"((int)global)); // don't crash on rvalue output operand
clang_analyzer_eval(global == 1); // expected-warning{{UNKNOWN}}
rsmithUnsubmitted
Not Done
ReplyInline Actions

Ugh, do we really need to support this nonsense? :(

If so, it'd seem reasonable to me to do the cleanup when building the AST rather than in the CFG builder (that is, convert the LValueToRValue cast here to a NoOp lvalue cast node, since that matches its actual semantics).

rsmith: Ugh, do we really need to support this nonsense? :( If so, it'd seem reasonable to me to do…
clang_analyzer_eval(ref == 1); // expected-warning{{UNKNOWN}}
}