This is an archive of the discontinued LLVM Phabricator instance.

Differential D49715

[analyzer] CallEvent: Add partially working methods for obtaining the callee stack frame.
ClosedPublic

Authored by NoQ on Jul 23 2018, 7:27 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
rnkovacs
Commits
rGb21b479653fd: [analyzer] CallEvent: Add helper methods for obtaining the callee stack frame.
rC338474: [analyzer] CallEvent: Add helper methods for obtaining the callee stack frame.
rL338474: [analyzer] CallEvent: Add helper methods for obtaining the callee stack frame.
Summary

These methods allow reasoning about the stack frame that will be (or was) used when the function will be (or was) inlined, even if it will not be (or was not) inlined.

They are implemented in a fairly ugly manner, and while i plan to address some of the issues in follow-up patches (at least, do something about virtual calls), i don't think it'll work perfectly soon. A proper implementation would require a large amount of refactoring for Call::getDecl() and Call::getRuntimeDefinition() and the logic in ExprEngine's call modeling and i didn't accomplish much in a couple days of working on it, so i'm putting a proper implementation on hold for now, safely returning nullptr when the proper Decl cannot be reliably obtained.

This was ultimately necessary to obtain the parameter regions on the future stack frame for the purposes of D49443. We don't need this function to be perfect because a lot of other things are imperfect and we're fine with falling back to a conservative behavior.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Jul 23 2018, 7:27 PM
Herald added subscribers: cfe-commits, mikhail.ramalho, baloghadamsoftware. · View Herald TranscriptJul 23 2018, 7:27 PM
NoQ mentioned this in D49443: [analyzer] Support function argument constructors..Jul 23 2018, 7:29 PM
NoQ added a child revision: D49443: [analyzer] Support function argument constructors..
george.karpenkov requested changes to this revision.Jul 24 2018, 12:05 PM

Minor nits mostly.

include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
411 ↗(On Diff #156957)

Could we be more succinct here?
e.g. \return Best-effort getter for AnalysisDeclContext, returns null on failure.

Same for all the methods below.

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
776 ↗(On Diff #156957)

Could we group it with other public methods at the top?

lib/StaticAnalyzer/Core/CallEvent.cpp
193 ↗(On Diff #156957)

"we cannot have" comments seem redundant, it's usually implied by the code.
This one is up to you though.

197 ↗(On Diff #156957)

Can we remove "maybe" / "that would have been" comments?

This revision now requires changes to proceed.Jul 24 2018, 12:05 PM
NoQ updated this revision to Diff 157416.Jul 25 2018, 6:55 PM
NoQ marked 4 inline comments as done.

Address comments by editing comments.

NoQ added inline comments.Jul 26 2018, 11:39 AM
lib/StaticAnalyzer/Core/CallEvent.cpp
197 ↗(On Diff #156957)

Changed them into a TODO because they're rather important to keep. Like, that's a flaw in this code.

NoQ updated this revision to Diff 157550.Jul 26 2018, 12:21 PM

Add one more handy method, getAdjustedParameterIndex(), which helps using getParameterLocation().

MTC added a subscriber: MTC.Jul 26 2018, 7:58 PM
george.karpenkov accepted this revision.Jul 30 2018, 11:49 AM
This revision is now accepted and ready to land.Jul 30 2018, 11:49 AM
NoQ mentioned this in D49901: [analyzer] Extend NoStoreFuncVisitor to recursively follow fields.Jul 30 2018, 4:13 PM
NoQ added a child revision: D49901: [analyzer] Extend NoStoreFuncVisitor to recursively follow fields.Jul 30 2018, 6:15 PM
Closed by commit rL338474: [analyzer] CallEvent: Add helper methods for obtaining the callee stack frame. (authored by NoQ). · Explain WhyJul 31 2018, 6:58 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptJul 31 2018, 6:58 PM
NoQ added inline comments.Aug 1 2018, 7:31 PM
cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
431

Whoops, this is wrong: should say getLocationContext().

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
Analysis/
7 lines
StaticAnalyzer/
Core/
PathSensitive/
41 lines
15 lines
lib/
StaticAnalyzer/
Core/
63 lines

Diff 158446

cfe/trunk/include/clang/Analysis/ConstructionContext.h

Show First 20 LinesShow All 106 Lines▼ Show 20 Lines ConstructionContextItem(const CallExpr *CE, unsigned Index)
: Data(CE), Kind(ArgumentKind), Index(Index) {} : Data(CE), Kind(ArgumentKind), Index(Index) {}
ConstructionContextItem(const CXXConstructExpr *CE, unsigned Index) ConstructionContextItem(const CXXConstructExpr *CE, unsigned Index)
: Data(CE), Kind(ArgumentKind), Index(Index) {} : Data(CE), Kind(ArgumentKind), Index(Index) {}
ConstructionContextItem(const ObjCMessageExpr *ME, unsigned Index) ConstructionContextItem(const ObjCMessageExpr *ME, unsigned Index)
: Data(ME), Kind(ArgumentKind), Index(Index) {} : Data(ME), Kind(ArgumentKind), Index(Index) {}
// A polymorphic version of the previous calls with dynamic type check.
ConstructionContextItem(const Expr *E, unsigned Index)
: Data(E), Kind(ArgumentKind), Index(Index) {
assert(isa<CallExpr>(E) || isa<CXXConstructExpr>(E) ||
isa<ObjCMessageExpr>(E));
}
ConstructionContextItem(const CXXCtorInitializer *Init) ConstructionContextItem(const CXXCtorInitializer *Init)
: Data(Init), Kind(InitializerKind), Index(0) {} : Data(Init), Kind(InitializerKind), Index(0) {}
ItemKind getKind() const { return Kind; } ItemKind getKind() const { return Kind; }
LLVM_DUMP_METHOD StringRef getKindAsString() const { LLVM_DUMP_METHOD StringRef getKindAsString() const {
return getKindAsString(getKind()); return getKindAsString(getKind());
} }
▲ Show 20 LinesShow All 523 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show All 23 Lines
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/ExprObjC.h" #include "clang/AST/ExprObjC.h"
#include "clang/AST/Stmt.h" #include "clang/AST/Stmt.h"
#include "clang/AST/Type.h" #include "clang/AST/Type.h"
#include "clang/Basic/IdentifierTable.h" #include "clang/Basic/IdentifierTable.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceLocation.h" #include "clang/Basic/SourceLocation.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/IntrusiveRefCntPtr.h" #include "llvm/ADT/IntrusiveRefCntPtr.h"
#include "llvm/ADT/PointerIntPair.h" #include "llvm/ADT/PointerIntPair.h"
#include "llvm/ADT/PointerUnion.h" #include "llvm/ADT/PointerUnion.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
▲ Show 20 LinesShow All 359 Lines▼ Show 20 Linespublic:
/// This will return a null QualType if the result type cannot be determined. /// This will return a null QualType if the result type cannot be determined.
static QualType getDeclaredResultType(const Decl *D); static QualType getDeclaredResultType(const Decl *D);
/// Returns true if the given decl is known to be variadic. /// Returns true if the given decl is known to be variadic.
/// ///
/// \p D must not be null. /// \p D must not be null.
static bool isVariadic(const Decl *D); static bool isVariadic(const Decl *D);
/// Returns AnalysisDeclContext for the callee stack frame.
/// Currently may fail; returns null on failure.
AnalysisDeclContext *getCalleeAnalysisDeclContext() const;
/// Returns the callee stack frame. That stack frame will only be entered
/// during analysis if the call is inlined, but it may still be useful
/// in intermediate calculations even if the call isn't inlined.
/// May fail; returns null on failure.
const StackFrameContext *getCalleeStackFrame() const;
/// Returns memory location for a parameter variable within the callee stack
/// frame. May fail; returns null on failure.
const VarRegion *getParameterLocation(unsigned Index) const;
/// Returns true if on the current path, the argument was constructed by
/// calling a C++ constructor over it. This is an internal detail of the
/// analysis which doesn't necessarily represent the program semantics:
/// if we are supposed to construct an argument directly, we may still
/// not do that because we don't know how (i.e., construction context is
/// unavailable in the CFG or not supported by the analyzer).
bool isArgumentConstructedDirectly(unsigned Index) const {
// This assumes that the object was not yet removed from the state.
return ExprEngine::getObjectUnderConstruction(
getState(), {getOriginExpr(), Index}, getCalleeStackFrame()).hasValue();
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Whoops, this is wrong: should say getLocationContext().

NoQ: Whoops, this is wrong: should say `getLocationContext()`.
}
/// Some calls have parameter numbering mismatched from argument numbering.
/// This function converts an argument index to the corresponding
/// parameter index. Returns None is the argument doesn't correspond
/// to any parameter variable.
Optional<unsigned> getAdjustedParameterIndex(unsigned ArgumentIndex) const {
if (dyn_cast_or_null<CXXOperatorCallExpr>(getOriginExpr()) &&
dyn_cast_or_null<CXXMethodDecl>(getDecl())) {
// For member operator calls argument 0 on the expression corresponds
// to implicit this-parameter on the declaration.
return (ArgumentIndex > 0) ? Optional<unsigned>(ArgumentIndex - 1) : None;
}
return ArgumentIndex;
}
// Iterator access to formal parameters and their types. // Iterator access to formal parameters and their types.
private: private:
struct GetTypeFn { struct GetTypeFn {
QualType operator()(ParmVarDecl *PD) const { return PD->getType(); } QualType operator()(ParmVarDecl *PD) const { return PD->getType(); }
}; };
public: public:
/// Return call's formal parameters. /// Return call's formal parameters.
▲ Show 20 LinesShow All 731 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 575 Lines▼ Show 20 Lines return R.isValid() ? svalBuilder.evalBinOpNN(state, op, L,
R.castAs<NonLoc>(), T) : R; R.castAs<NonLoc>(), T) : R;
} }
SVal evalBinOp(ProgramStateRef ST, BinaryOperator::Opcode Op, SVal evalBinOp(ProgramStateRef ST, BinaryOperator::Opcode Op,
SVal LHS, SVal RHS, QualType T) { SVal LHS, SVal RHS, QualType T) {
return svalBuilder.evalBinOp(ST, Op, LHS, RHS, T); return svalBuilder.evalBinOp(ST, Op, LHS, RHS, T);
} }
/// By looking at a certain item that may be potentially part of an object's
/// ConstructionContext, retrieve such object's location. A particular
/// statement can be transparently passed as \p Item in most cases.
static Optional<SVal>
getObjectUnderConstruction(ProgramStateRef State,
const ConstructionContextItem &Item,
const LocationContext *LC);
protected: protected:
/// evalBind - Handle the semantics of binding a value to a specific location. /// evalBind - Handle the semantics of binding a value to a specific location.
/// This method is used by evalStore, VisitDeclStmt, and others. /// This method is used by evalStore, VisitDeclStmt, and others.
void evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE, ExplodedNode *Pred, void evalBind(ExplodedNodeSet &Dst, const Stmt *StoreE, ExplodedNode *Pred,
SVal location, SVal Val, bool atDeclInit = false, SVal location, SVal Val, bool atDeclInit = false,
const ProgramPoint *PP = nullptr); const ProgramPoint *PP = nullptr);
/// Call PointerEscape callback when a value escapes as a result of bind. /// Call PointerEscape callback when a value escapes as a result of bind.
▲ Show 20 LinesShow All 176 Lines▼ Show 20 Linesprivate:
/// Mark the object sa fully constructed, cleaning up the state trait /// Mark the object sa fully constructed, cleaning up the state trait
/// that tracks objects under construction. /// that tracks objects under construction.
static ProgramStateRef static ProgramStateRef
finishObjectConstruction(ProgramStateRef State, finishObjectConstruction(ProgramStateRef State,
const ConstructionContextItem &Item, const ConstructionContextItem &Item,
const LocationContext *LC); const LocationContext *LC);
/// If the given statement corresponds to an object under construction,
/// being part of its construciton context, retrieve that object's location.
static Optional<SVal>
getObjectUnderConstruction(ProgramStateRef State,
const ConstructionContextItem &Item,
const LocationContext *LC);
/// If the given expression corresponds to a temporary that was used for /// If the given expression corresponds to a temporary that was used for
/// passing into an elidable copy/move constructor and that constructor /// passing into an elidable copy/move constructor and that constructor
/// was actually elided, track that we also need to elide the destructor. /// was actually elided, track that we also need to elide the destructor.
static ProgramStateRef elideDestructor(ProgramStateRef State, static ProgramStateRef elideDestructor(ProgramStateRef State,
const CXXBindTemporaryExpr *BTE, const CXXBindTemporaryExpr *BTE,
const LocationContext *LC); const LocationContext *LC);
/// Stop tracking the destructor that corresponds to an elided constructor. /// Stop tracking the destructor that corresponds to an elided constructor.
Show All 37 Lines

cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp

Show All 21 Lines
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/ExprObjC.h" #include "clang/AST/ExprObjC.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/AST/Stmt.h" #include "clang/AST/Stmt.h"
#include "clang/AST/Type.h" #include "clang/AST/Type.h"
#include "clang/Analysis/AnalysisDeclContext.h" #include "clang/Analysis/AnalysisDeclContext.h"
#include "clang/Analysis/CFG.h" #include "clang/Analysis/CFG.h"
#include "clang/Analysis/CFGStmtMap.h"
#include "clang/Analysis/ProgramPoint.h" #include "clang/Analysis/ProgramPoint.h"
#include "clang/CrossTU/CrossTranslationUnit.h" #include "clang/CrossTU/CrossTranslationUnit.h"
#include "clang/Basic/IdentifierTable.h" #include "clang/Basic/IdentifierTable.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceLocation.h" #include "clang/Basic/SourceLocation.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Basic/Specifiers.h" #include "clang/Basic/Specifiers.h"
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
▲ Show 20 LinesShow All 123 Lines▼ Show 20 Lines
bool CallEvent::isGlobalCFunction(StringRef FunctionName) const { bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl()); const auto *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
if (!FD) if (!FD)
return false; return false;
return CheckerContext::isCLibraryFunction(FD, FunctionName); return CheckerContext::isCLibraryFunction(FD, FunctionName);
} }
AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const {
const Decl *D = getDecl();
// If the callee is completely unknown, we cannot construct the stack frame.
if (!D)
return nullptr;
// FIXME: Skip virtual functions for now. There's no easy procedure to foresee
// the exact decl that should be used, especially when it's not a definition.
if (const Decl *RD = getRuntimeDefinition().getDecl())
if (RD != D)
return nullptr;
return LCtx->getAnalysisDeclContext()->getManager()->getContext(D);
}
const StackFrameContext *CallEvent::getCalleeStackFrame() const {
AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();
if (!ADC)
return nullptr;
const Expr *E = getOriginExpr();
if (!E)
return nullptr;
// Recover CFG block via reverse lookup.
// TODO: If we were to keep CFG element information as part of the CallEvent
// instead of doing this reverse lookup, we would be able to build the stack
// frame for non-expression-based calls, and also we wouldn't need the reverse
// lookup.
CFGStmtMap *Map = LCtx->getAnalysisDeclContext()->getCFGStmtMap();
const CFGBlock *B = Map->getBlock(E);
assert(B);
// Also recover CFG index by scanning the CFG block.
unsigned Idx = 0, Sz = B->size();
for (; Idx < Sz; ++Idx)
if (auto StmtElem = (*B)[Idx].getAs<CFGStmt>())
if (StmtElem->getStmt() == E)
break;
assert(Idx < Sz);
return ADC->getManager()->getStackFrame(ADC, LCtx, E, B, Idx);
}
const VarRegion *CallEvent::getParameterLocation(unsigned Index) const {
const StackFrameContext *SFC = getCalleeStackFrame();
// We cannot construct a VarRegion without a stack frame.
if (!SFC)
return nullptr;
const ParmVarDecl *PVD = parameters()[Index];
const VarRegion *VR =
State->getStateManager().getRegionManager().getVarRegion(PVD, SFC);
// This sanity check would fail if our parameter declaration doesn't
// correspond to the stack frame's function declaration.
assert(VR->getStackFrame() == SFC);
return VR;
}
/// Returns true if a type is a pointer-to-const or reference-to-const /// Returns true if a type is a pointer-to-const or reference-to-const
/// with no further indirection. /// with no further indirection.
static bool isPointerToConst(QualType Ty) { static bool isPointerToConst(QualType Ty) {
QualType PointeeTy = Ty->getPointeeType(); QualType PointeeTy = Ty->getPointeeType();
if (PointeeTy == QualType()) if (PointeeTy == QualType())
return false; return false;
if (!PointeeTy.isConstQualified()) if (!PointeeTy.isConstQualified())
return false; return false;
▲ Show 20 LinesShow All 1,101 LinesShow Last 20 Lines