This is an archive of the discontinued LLVM Phabricator instance.

Differential D48325

[analyzer][UninitializedObjectChecker] Support for MemberPointerTypes
ClosedPublic

Authored by Szelethus on Jun 19 2018, 9:05 AM.

Details

Reviewers
NoQ
george.karpenkov
xazax.hun
rnkovacs
Commits
rG7212cc0e48c0: [analyzer][UninitializedObjectChecker] Support for MemberPointerTypes
rC336994: [analyzer][UninitializedObjectChecker] Support for MemberPointerTypes
rL336994: [analyzer][UninitializedObjectChecker] Support for MemberPointerTypes

Diff Detail

Repository
rL LLVM

Event Timeline

Szelethus created this revision.Jun 19 2018, 9:05 AM
Herald added subscribers: cfe-commits, mikhail.ramalho, a.sidorin and 2 others. · View Herald TranscriptJun 19 2018, 9:05 AM
Szelethus updated this revision to Diff 151943.Jun 19 2018, 10:46 AM

Accidently added the pointer MemberPointer objects twice, fixed that.

Szelethus added a comment.Jun 26 2018, 9:00 AM

Polite ping :)

george.karpenkov requested changes to this revision.Jun 26 2018, 5:59 PM

Requesting changes or clarification on uninitialized references.

lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp
392 ↗(On Diff #151943)

I am confused here, how can references be uninitialized?

393 ↗(On Diff #151943)

Same question here (though that's for a different commit) -- I'm confused on how a reference can be uninitialized after the constructor call has finished.

This revision now requires changes to proceed.Jun 26 2018, 5:59 PM
NoQ accepted this revision.Jun 26 2018, 6:00 PM

Looks good! One minor comment.

lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp
488–491 ↗(On Diff #151943)

Ok, this isn't related to that review, but i still don't understand why this loop terminates. We might skip void * above, but we don't skip void *****, right? And if we go on dereferencing that, we'll eventually get to a void * that can point to anything.

A bit more of an intuition dump: I strongly believe that in getSVal(Loc, T) the optional argument T should be mandatory. Omitting it almost always leads to errors, because there are no types in machine memory, and our RegionStore tries to work exactly like machine memory, and getSVal(Loc) makes a best-effort guess on what the type of the region is, which in some cases may work reliably (these are exactly the cases where you don't mind passing the type directly), but is usually error-prone in other cases. So whenever i see a getSVal(Loc) without a type, i imagine that the code essentially reads raw bytes from the symbolic memory and makes random guesses on what they mean.

So the point is "oh we can do better with dynamic type info", it's "we're doing something completely unreliable here". It's not just about void pointers, it's about the fact that the underlying storage simply has no types at all.

524 ↗(On Diff #151943)

Why not just isPrimitiveUninit()? I believe that there shouldn't really be any difference, because member pointer types are kinda primitive. You can't really "dereference" a member pointer, at least not on its own, so i think there's no need to make an extra function here.

NoQ added inline comments.Jun 26 2018, 6:01 PM
lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp
392 ↗(On Diff #151943)

Hmm, that's actually a good question. I guess we technically initialize a reference with an undefined pointer, but that should be caught by another checker early because it's an immediate UB.

In any case, there don't seem to be tests for this.

Szelethus added inline comments.Jun 27 2018, 4:25 AM
lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp
392 ↗(On Diff #151943)

I guess you could say that naming could be improved upon. I didn't mean that the reference object itself, but rather it's pointee is uninitialized.

int a; // say that this isn't zero initialized
int &c = a;

There are numerous tests for this both for left value and right value references in cxx-uninitialized-object-ptr-ref.cpp.

488–491 ↗(On Diff #151943)

From the code a couple lines back:

if (isVoidPointer(FD)) {
  IsAnyFieldInitialized = true;
  return false;
}

Note that isn't Type::isVoidPointer, I'm calling a statically defined function to filter out all void pointer cases.

/// Returns whether FD can be (transitively) dereferenced to a void pointer type
/// (void*, void**, ...). The type of the region behind a void pointer isn't
/// known, and thus FD can not be analyzed.
bool isVoidPointer(const FieldDecl *FD);

I see your point, this is a bit dodgy. I'm already working on a fix, and hope to upload it along with other important fixes during the next week. It's high on my priority list :)

Szelethus added inline comments.Jun 27 2018, 7:09 AM
lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp
488–491 ↗(On Diff #151943)

Also note that there are tests in cxx-uninitialized-object-ptr-ref.cpp for void*, void*&, void**, and void**&&.

NoQ added inline comments.Jun 27 2018, 10:27 AM
lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp
392 ↗(On Diff #151943)

Aha, oh, i see, you just reordered the ifs and it seemed as if you're suddenly doing new stuff with references, sorry><

488–491 ↗(On Diff #151943)

Aha, yeah, i see, got it, yeah.

I think the way this should work is you take the type of the field FR, unwrap it to the pointee type as long as it is a pointer type, and dereference the pointer with that unwrapped type every time you unwrap it.

This would terminate because you'll eventually get to the leaf type. Values loaded from the store would also match types that the program would see if it tried to dereference the pointer that many times.

Szelethus updated this revision to Diff 154398.Jul 6 2018, 6:45 AM

MemberPointerTypes are regarded as primitive types from now. I agree with @NoQ, it makes so much more sense this way :)

Szelethus marked 10 inline comments as done.Jul 6 2018, 6:46 AM
Szelethus added a child revision: D49199: [analyzer][UninitializedObjectChecker] Pointer/reference objects are dereferenced according to dynamic type.Jul 11 2018, 11:52 AM
NoQ accepted this revision.Jul 12 2018, 12:24 PM

Yay less code.

Szelethus updated this revision to Diff 155356.Jul 13 2018, 5:24 AM

Thank you! ^-^

Rebased to rC336901.

This revision was not accepted when it landed; it landed in state Needs Review.Jul 13 2018, 5:26 AM
Closed by commit rL336994: [analyzer][UninitializedObjectChecker] Support for MemberPointerTypes (authored by Szelethus). · Explain Why
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptJul 13 2018, 5:26 AM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
40 lines
test/
Analysis/
12 lines

Diff 155357

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp

Show First 20 LinesShow All 125 Lines▼ Show 20 Linesprivate:
// For the purposes of this checker, we'll regard the object under checking as // For the purposes of this checker, we'll regard the object under checking as
// a directed tree, where // a directed tree, where
// * the root is the object under checking // * the root is the object under checking
// * every node is an object that is // * every node is an object that is
// - a union // - a union
// - a non-union record // - a non-union record
// - a pointer/reference // - a pointer/reference
// - an array // - an array
// - of a member pointer type // - of a primitive type, which we'll define later in a helper function.
// - of a primitive type, which we'll define as either a BuiltinType or
// EnumeralType.
// * the parent of each node is the object that contains it // * the parent of each node is the object that contains it
// * every leaf is an array, a primitive object, a member pointer, a nullptr // * every leaf is an array, a primitive object, a nullptr or an undefined
// or an undefined pointer. // pointer.
// //
// Example: // Example:
// //
// struct A { // struct A {
// struct B { // struct B {
// int x, y = 0; // int x, y = 0;
// }; // };
// B b; // B b;
Show All 10 Linesprivate:
// ->b--->y // ->b--->y
// / // /
// A-->iptr->(int value) // A-->iptr->(int value)
// \ // \
// ->bptr // ->bptr
// //
// From this we'll construct a vector of fieldchains, where each fieldchain // From this we'll construct a vector of fieldchains, where each fieldchain
// represents an uninitialized field. An uninitialized field may be a // represents an uninitialized field. An uninitialized field may be a
// primitive object, a member pointer, a pointer, a pointee or a union without // primitive object, a pointer, a pointee or a union without a single
// a single initialized field. // initialized field.
// In the above example, for the default constructor call we'll end up with // In the above example, for the default constructor call we'll end up with
// these fieldchains: // these fieldchains:
// //
// this->b.x // this->b.x
// this->iptr (pointee uninit) // this->iptr (pointee uninit)
// this->bptr (pointer uninit) // this->bptr (pointer uninit)
// //
// We'll traverse each node of the above graph with the appropiate one of // We'll traverse each node of the above graph with the appropiate one of
// these methods: // these methods:
/// This method checks a region of a union object, and returns true if no /// This method checks a region of a union object, and returns true if no
/// field is initialized within the region. /// field is initialized within the region.
bool isUnionUninit(const TypedValueRegion *R); bool isUnionUninit(const TypedValueRegion *R);
/// This method checks a region of a non-union object, and returns true if /// This method checks a region of a non-union object, and returns true if
/// an uninitialized field is found within the region. /// an uninitialized field is found within the region.
bool isNonUnionUninit(const TypedValueRegion *R, FieldChainInfo LocalChain); bool isNonUnionUninit(const TypedValueRegion *R, FieldChainInfo LocalChain);
/// This method checks a region of a pointer or reference object, and returns /// This method checks a region of a pointer or reference object, and returns
/// true if the ptr/ref object itself or any field within the pointee's region /// true if the ptr/ref object itself or any field within the pointee's region
/// is uninitialized. /// is uninitialized.
bool isPointerOrReferenceUninit(const FieldRegion *FR, bool isPointerOrReferenceUninit(const FieldRegion *FR,
FieldChainInfo LocalChain); FieldChainInfo LocalChain);
/// This method checks a region of MemberPointerType, and returns true if the
/// the pointer is uninitialized.
bool isMemberPointerUninit(const FieldRegion *FR, FieldChainInfo LocalChain);
/// This method returns true if the value of a primitive object is /// This method returns true if the value of a primitive object is
/// uninitialized. /// uninitialized.
bool isPrimitiveUninit(const SVal &V); bool isPrimitiveUninit(const SVal &V);
// Note that we don't have a method for arrays -- the elements of an array are // Note that we don't have a method for arrays -- the elements of an array are
// often left uninitialized intentionally even when it is of a C++ record // often left uninitialized intentionally even when it is of a C++ record
// type, so we'll assume that an array is always initialized. // type, so we'll assume that an array is always initialized.
// TODO: Add a support for nonloc::LocAsInteger. // TODO: Add a support for nonloc::LocAsInteger.
Show All 16 Lines
/// constructor. /// constructor.
static bool isCalledByConstructor(const CheckerContext &Context); static bool isCalledByConstructor(const CheckerContext &Context);
/// Returns whether FD can be (transitively) dereferenced to a void pointer type /// Returns whether FD can be (transitively) dereferenced to a void pointer type
/// (void*, void**, ...). The type of the region behind a void pointer isn't /// (void*, void**, ...). The type of the region behind a void pointer isn't
/// known, and thus FD can not be analyzed. /// known, and thus FD can not be analyzed.
static bool isVoidPointer(const FieldDecl *FD); static bool isVoidPointer(const FieldDecl *FD);
/// Returns true if T is a primitive type. We'll call a type primitive if it's /// Returns true if T is a primitive type. We defined this type so that for
/// either a BuiltinType or an EnumeralType. /// objects that we'd only like analyze as much as checking whether their
/// value is undefined or not, such as ints and doubles, can be analyzed with
/// ease. This also helps ensuring that every special field type is handled
/// correctly.
static bool isPrimitiveType(const QualType &T) { static bool isPrimitiveType(const QualType &T) {
return T->isBuiltinType() || T->isEnumeralType(); return T->isBuiltinType() || T->isEnumeralType() || T->isMemberPointerType();
} }
/// Constructs a note message for a given FieldChainInfo object. /// Constructs a note message for a given FieldChainInfo object.
static void printNoteMessage(llvm::raw_ostream &Out, static void printNoteMessage(llvm::raw_ostream &Out,
const FieldChainInfo &Chain); const FieldChainInfo &Chain);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods for UninitializedObjectChecker. // Methods for UninitializedObjectChecker.
▲ Show 20 LinesShow All 147 Lines▼ Show 20 Lines if (T->isUnionType()) {
continue; continue;
} }
if (T->isArrayType()) { if (T->isArrayType()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
continue; continue;
} }
if (T->isMemberPointerType()) {
if (isMemberPointerUninit(FR, LocalChain))
ContainsUninitField = true;
continue;
}
// If this is a pointer or reference type.
if (T->isPointerType() || T->isReferenceType()) { if (T->isPointerType() || T->isReferenceType()) {
if (isPointerOrReferenceUninit(FR, LocalChain)) if (isPointerOrReferenceUninit(FR, LocalChain))
ContainsUninitField = true; ContainsUninitField = true;
continue; continue;
} }
if (isPrimitiveType(T)) { if (isPrimitiveType(T)) {
SVal V = State->getSVal(FieldVal); SVal V = State->getSVal(FieldVal);
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Linesbool FindUninitializedFields::isPointerOrReferenceUninit(
if (isPrimitiveUninit(DerefdV)) if (isPrimitiveUninit(DerefdV))
return addFieldToUninits({LocalChain, FR, /*IsDereferenced*/ true}); return addFieldToUninits({LocalChain, FR, /*IsDereferenced*/ true});
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
bool FindUninitializedFields::isMemberPointerUninit(const FieldRegion *FR,
FieldChainInfo LocalChain) {
assert(FR->getDecl()->getType()->isMemberPointerType() &&
"This function only checks regions that hold MemberPointerTypes!");
// TODO: Implement support for MemberPointerTypes.
return false;
}
bool FindUninitializedFields::isPrimitiveUninit(const SVal &V) { bool FindUninitializedFields::isPrimitiveUninit(const SVal &V) {
if (V.isUndef()) if (V.isUndef())
return true; return true;
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
▲ Show 20 LinesShow All 143 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

Show First 20 LinesShow All 410 Lines▼ Show 20 Linesstruct UsefulFunctions {
int a, b; int a, b;
void print() {} void print() {}
void dump() {} void dump() {}
}; };
#ifdef PEDANTIC #ifdef PEDANTIC
struct PointerToMemberFunctionTest1 { struct PointerToMemberFunctionTest1 {
// TODO: we'd expect the note {{uninitialized field 'this->f'}} void (UsefulFunctions::*f)(void); // expected-note{{uninitialized field 'this->f'}}
void (UsefulFunctions::*f)(void); // no-note
PointerToMemberFunctionTest1() {} PointerToMemberFunctionTest1() {}
}; };
void fPointerToMemberFunctionTest1() { void fPointerToMemberFunctionTest1() {
// TODO: we'd expect the warning {{1 uninitialized field}} PointerToMemberFunctionTest1(); // expected-warning{{1 uninitialized field}}
PointerToMemberFunctionTest1(); // no-warning
} }
struct PointerToMemberFunctionTest2 { struct PointerToMemberFunctionTest2 {
void (UsefulFunctions::*f)(void); void (UsefulFunctions::*f)(void);
PointerToMemberFunctionTest2(void (UsefulFunctions::*f)(void)) : f(f) { PointerToMemberFunctionTest2(void (UsefulFunctions::*f)(void)) : f(f) {
// All good! // All good!
} }
}; };
Show All 20 Lines
}; };
void fMultiPointerToMemberFunctionTest2() { void fMultiPointerToMemberFunctionTest2() {
void (UsefulFunctions::*f)(void) = &UsefulFunctions::print; void (UsefulFunctions::*f)(void) = &UsefulFunctions::print;
MultiPointerToMemberFunctionTest2 a(&f); MultiPointerToMemberFunctionTest2 a(&f);
} }
struct PointerToMemberDataTest1 { struct PointerToMemberDataTest1 {
// TODO: we'd expect the note {{uninitialized field 'this->f'}} int UsefulFunctions::*d; // expected-note{{uninitialized field 'this->d'}}
int UsefulFunctions::*d; // no-note
PointerToMemberDataTest1() {} PointerToMemberDataTest1() {}
}; };
void fPointerToMemberDataTest1() { void fPointerToMemberDataTest1() {
// TODO: we'd expect the warning {{1 uninitialized field}} PointerToMemberDataTest1(); // expected-warning{{1 uninitialized field}}
PointerToMemberDataTest1(); // no-warning
} }
struct PointerToMemberDataTest2 { struct PointerToMemberDataTest2 {
int UsefulFunctions::*d; int UsefulFunctions::*d;
PointerToMemberDataTest2(int UsefulFunctions::*d) : d(d) { PointerToMemberDataTest2(int UsefulFunctions::*d) : d(d) {
// All good! // All good!
} }
}; };
▲ Show 20 LinesShow All 221 LinesShow Last 20 Lines