This is an archive of the discontinued LLVM Phabricator instance.

Differential D49437

[analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger
ClosedPublic

Authored by Szelethus on Jul 17 2018, 10:41 AM.

Details

Reviewers
NoQ
george.karpenkov
rnkovacs
xazax.hun
Commits
rGf051379fbc3f: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger
rC342221: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger
rL342221: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger

Diff Detail

Repository
rL LLVM

Event Timeline

Szelethus created this revision.Jul 17 2018, 10:41 AM
Herald added subscribers: mikhail.ramalho, a.sidorin, szepet, whisperity. · View Herald TranscriptJul 17 2018, 10:41 AM
Szelethus added a parent revision: D49228: [analyzer][UninitializedObjectChecker] Void pointer objects are casted back to their dynmic type in note message.Jul 17 2018, 10:41 AM
george.karpenkov requested changes to this revision.Jul 17 2018, 11:06 AM

I think a checker for uninitialized values left after a constructor call is very valuable.

It is uncertain whether it is valuable to check that all pointers point to initialized objects for a number of reasons:

  • As we have seen, it increases the number of false positives
  • It significantly increases the complexity of the checker
  • Projects would be more reluctant to try the checker due to the first point

Could we actually go in an opposite direction and try to separate the pointer-chasing into perhaps a separate checker?

This revision now requires changes to proceed.Jul 17 2018, 11:06 AM
Szelethus added a comment.Jul 17 2018, 11:22 AM

I just added a new patch as you wrote that comment (D49438)! Separating this functionality to a separate checker sounds great. I didn't actually check it, but I bet that around ~30-40% is at least indirectly in relation with pointer/reference handling, and it is getting a little out of hand.

I'll definitely explore this option too. Thanks for the idea! :)

Szelethus mentioned this in D49438: [analyzer][UninitializedObjectChecker] New flag to turn off dereferencing.Jul 17 2018, 11:26 AM
george.karpenkov accepted this revision.Aug 2 2018, 2:30 PM

I'm fine with this if pointer-chasing is not on by default.

This revision is now accepted and ready to land.Aug 2 2018, 2:30 PM
NoQ requested changes to this revision.Aug 7 2018, 1:43 PM
NoQ added inline comments.
test/Analysis/cxx-uninitialized-object-ptr-ref.cpp
26 ↗(On Diff #155920)

This one also suffers from D49228#1176136

This revision now requires changes to proceed.Aug 7 2018, 1:43 PM
Szelethus updated this revision to Diff 159929.Aug 9 2018, 8:24 AM

Re-implemented with the refactored checker.

Szelethus marked an inline comment as done.Aug 9 2018, 10:20 AM
Szelethus updated this revision to Diff 161213.Aug 17 2018, 5:03 AM

Rebased to D50509.

Szelethus edited parent revisions, added: D50509: [analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a function; removed: D49228: [analyzer][UninitializedObjectChecker] Void pointer objects are casted back to their dynmic type in note message.Aug 17 2018, 5:03 AM
Szelethus updated this revision to Diff 162226.Aug 23 2018, 10:32 AM

Rebased to D51057.

Szelethus edited parent revisions, added: D51057: [analyzer][UninitializedObjectChecker] Fixed dereferencing; removed: D50509: [analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a function.Aug 23 2018, 10:32 AM
NoQ accepted this revision.Aug 28 2018, 12:58 PM

Let's see what it finds, i guess.

This revision is now accepted and ready to land.Aug 28 2018, 12:58 PM
Closed by commit rL342221: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger (authored by Szelethus). · Explain WhySep 14 2018, 3:19 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptSep 14 2018, 3:19 AM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
UninitializedObject/
6 lines
31 lines
test/
Analysis/
18 lines

Diff 165459

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp

Show First 20 LinesShow All 268 Lines▼ Show 20 Lines if (T->isUnionType()) {
continue; continue;
} }
if (T->isArrayType()) { if (T->isArrayType()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
continue; continue;
} }
if (isDereferencableType(T)) { SVal V = State->getSVal(FieldVal);
if (isDereferencableType(T) || V.getAs<nonloc::LocAsInteger>()) {
if (isDereferencableUninit(FR, LocalChain)) if (isDereferencableUninit(FR, LocalChain))
ContainsUninitField = true; ContainsUninitField = true;
continue; continue;
} }
if (isPrimitiveType(T)) { if (isPrimitiveType(T)) {
SVal V = State->getSVal(FieldVal);
if (isPrimitiveUninit(V)) { if (isPrimitiveUninit(V)) {
if (addFieldToUninits(LocalChain.add(RegularField(FR)))) if (addFieldToUninits(LocalChain.add(RegularField(FR))))
ContainsUninitField = true; ContainsUninitField = true;
} }
continue; continue;
} }
llvm_unreachable("All cases are handled!"); llvm_unreachable("All cases are handled!");
▲ Show 20 LinesShow All 214 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp

Show First 20 LinesShow All 51 Lines▼ Show 20 Linespublic:
virtual void printSeparator(llvm::raw_ostream &Out) const override { virtual void printSeparator(llvm::raw_ostream &Out) const override {
if (getDecl()->getType()->isPointerType()) if (getDecl()->getType()->isPointerType())
Out << "->"; Out << "->";
else else
Out << '.'; Out << '.';
} }
}; };
/// Represents a void* field that needs to be casted back to its dynamic type /// Represents a nonloc::LocAsInteger or void* field, that point to objects, but
/// for a correct note message. /// needs to be casted back to its dynamic type for a correct note message.
class NeedsCastLocField final : public FieldNode { class NeedsCastLocField : public FieldNode {
QualType CastBackType; QualType CastBackType;
public: public:
NeedsCastLocField(const FieldRegion *FR, const QualType &T) NeedsCastLocField(const FieldRegion *FR, const QualType &T)
: FieldNode(FR), CastBackType(T) {} : FieldNode(FR), CastBackType(T) {}
virtual void printNoteMsg(llvm::raw_ostream &Out) const override { virtual void printNoteMsg(llvm::raw_ostream &Out) const override {
Out << "uninitialized pointee "; Out << "uninitialized pointee ";
} }
virtual void printPrefix(llvm::raw_ostream &Out) const override { virtual void printPrefix(llvm::raw_ostream &Out) const override {
Out << "static_cast" << '<' << CastBackType.getAsString() << ">("; // If this object is a nonloc::LocAsInteger.
if (getDecl()->getType()->isIntegerType())
Out << "reinterpret_cast";
// If this pointer's dynamic type is different then it's static type.
else
Out << "static_cast";
Out << '<' << CastBackType.getAsString() << ">(";
} }
virtual void printNode(llvm::raw_ostream &Out) const override { virtual void printNode(llvm::raw_ostream &Out) const override {
Out << getVariableName(getDecl()) << ')'; Out << getVariableName(getDecl()) << ')';
} }
virtual void printSeparator(llvm::raw_ostream &Out) const override { virtual void printSeparator(llvm::raw_ostream &Out) const override {
Out << "->"; Out << "->";
Show All 18 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods for FindUninitializedFields. // Methods for FindUninitializedFields.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
bool FindUninitializedFields::isDereferencableUninit( bool FindUninitializedFields::isDereferencableUninit(
const FieldRegion *FR, FieldChainInfo LocalChain) { const FieldRegion *FR, FieldChainInfo LocalChain) {
assert(isDereferencableType(FR->getDecl()->getType()) &&
"This method only checks dereferencable objects!");
SVal V = State->getSVal(FR); SVal V = State->getSVal(FR);
assert((isDereferencableType(FR->getDecl()->getType()) ||
V.getAs<nonloc::LocAsInteger>()) &&
"This method only checks dereferencable objects!");
if (V.isUnknown() || V.getAs<loc::ConcreteInt>()) { if (V.isUnknown() || V.getAs<loc::ConcreteInt>()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
if (V.isUndef()) { if (V.isUndef()) {
return addFieldToUninits( return addFieldToUninits(
LocalChain.add(LocField(FR, /*IsDereferenced*/ false))); LocalChain.add(LocField(FR, /*IsDereferenced*/ false)));
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Linesstatic bool isVoidPointer(QualType T) {
return false; return false;
} }
static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State, static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State,
const FieldRegion *FR) { const FieldRegion *FR) {
llvm::SmallSet<const TypedValueRegion *, 5> VisitedRegions; llvm::SmallSet<const TypedValueRegion *, 5> VisitedRegions;
// If the static type of the field is a void pointer, we need to cast it back
// to the dynamic type before dereferencing.
bool NeedsCastBack = isVoidPointer(FR->getDecl()->getType());
SVal V = State->getSVal(FR); SVal V = State->getSVal(FR);
assert(V.getAsRegion() && "V must have an underlying region!"); assert(V.getAsRegion() && "V must have an underlying region!");
// If the static type of the field is a void pointer, or it is a
// nonloc::LocAsInteger, we need to cast it back to the dynamic type before
// dereferencing.
bool NeedsCastBack = isVoidPointer(FR->getDecl()->getType()) ||
V.getAs<nonloc::LocAsInteger>();
// The region we'd like to acquire. // The region we'd like to acquire.
const auto *R = V.getAsRegion()->getAs<TypedValueRegion>(); const auto *R = V.getAsRegion()->getAs<TypedValueRegion>();
if (!R) if (!R)
return None; return None;
VisitedRegions.insert(R); VisitedRegions.insert(R);
// We acquire the dynamic type of R, // We acquire the dynamic type of R,
Show All 30 Lines

cfe/trunk/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

Show All 16 Linesstruct ConcreteIntLocTest {
ConcreteIntLocTest() : ptr(reinterpret_cast<int *>(0xDEADBEEF)) {} ConcreteIntLocTest() : ptr(reinterpret_cast<int *>(0xDEADBEEF)) {}
}; };
void fConcreteIntLocTest() { void fConcreteIntLocTest() {
ConcreteIntLocTest(); ConcreteIntLocTest();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// nonloc::LocAsInteger tests.
//===----------------------------------------------------------------------===//
using intptr_t = long;
struct LocAsIntegerTest {
intptr_t ptr; // expected-note{{uninitialized pointee 'reinterpret_cast<char *>(this->ptr)'}}
int dontGetFilteredByNonPedanticMode = 0;
LocAsIntegerTest(void *ptr) : ptr(reinterpret_cast<intptr_t>(ptr)) {} // expected-warning{{1 uninitialized field}}
};
void fLocAsIntegerTest() {
char c;
LocAsIntegerTest t(&c);
}
//===----------------------------------------------------------------------===//
// Null pointer tests. // Null pointer tests.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
class NullPtrTest { class NullPtrTest {
struct RecordType { struct RecordType {
int x; int x;
int y; int y;
}; };
▲ Show 20 LinesShow All 812 LinesShow Last 20 Lines