This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
-
AnalysisOrderChecker.cpp
-
Core/
-
CoreEngine.cpp
-
test/Analysis/
-
Analysis/
-
end-function-return-stmt.cpp

Differential D49811

[analyzer] Obtain a ReturnStmt from a CFGAutomaticObjDtor
ClosedPublic

Authored by rnkovacs on Jul 25 2018, 11:38 AM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
george.karpenkov

Commits

rG38679fd63025: [analyzer] Obtain a ReturnStmt from a CFGAutomaticObjDtor.
rL338777: [analyzer] Obtain a ReturnStmt from a CFGAutomaticObjDtor.
rC338777: [analyzer] Obtain a ReturnStmt from a CFGAutomaticObjDtor.

Summary

The CoreEngine only gives us a ReturnStmt if the last element in the CFGBlock is a CFGStmt, otherwise the ReturnStmt is nullptr.
This patch adds support for the case when the last element is a CFGAutomaticObjDtor, by returning its TriggerStmt as a ReturnStmt.

Diff Detail

Repository: rC Clang

Event Timeline

rnkovacs created this revision.Jul 25 2018, 11:38 AM

Herald added subscribers: mikhail.ramalho, a.sidorin, dkrupp and 3 others. · View Herald TranscriptJul 25 2018, 11:38 AM

rnkovacs added a child revision: D49361: [analyzer] Detect pointers escaped after return statement execution in MallocChecker.Jul 25 2018, 12:24 PM

I'm not sure how to test this.
I'll need it in D49361 when I update it to use the changed checkEndFunction() callback, and that will kind of test this too.

Yet another great catch!

I guess you could write a test with debug.AnalysisOrder (by making its checkEndFunction callback (that you'll have to define) print different things depending on the return statement), not sure if it's worth it; you can also merge this commit with D49361 instead.

This revision is now accepted and ready to land.Jul 25 2018, 1:14 PM

Devin has recently pointed out that we might have as well reordered CFG elements to have return statement kick in after automatic destructors, so that callbacks were called in a different order. I don't see any problems with that solution, but let's stick to the current solution for now, because who knows.

In D49811#1175726, @NoQ wrote:

I guess you could write a test with debug.AnalysisOrder (by making its checkEndFunction callback (that you'll have to define) print different things depending on the return statement), not sure if it's worth it; you can also merge this commit with D49361 instead.

This is what I could come up with, what do you think?

We could also print something about the ReturnStmt, like source location or pretty print of its expressions so we can check that we picked the right one in case we have multiple.
But consider this as an optional task if you have nothing better to do. I am ok with committing this as is.

Closed by commit rC338777: [analyzer] Obtain a ReturnStmt from a CFGAutomaticObjDtor. (authored by rkovacs). · Explain WhyAug 2 2018, 3:31 PM

This revision was automatically updated to reflect the committed changes.

In D49811#1175927, @NoQ wrote:

Devin has recently pointed out that we might have as well reordered CFG elements to have return statement kick in after automatic destructors, so that callbacks were called in a different order. I don't see any problems with that solution, but let's stick to the current solution for now, because who knows.

In https://bugs.llvm.org/show_bug.cgi?id=11645#c9 Ted wrote:

If we treat an occurrence of "return" in the CFG is meaning "bind an expression result for the return value" and not as a transfer of control then it is is fine for the destructors to appear after the "return". From this view, the transfer back to the caller is when we hit the Exit block.

Another possible solution is to check in the destructor if the newly dangling pointer is already bound to the return statement.

Herald added a subscriber: Szelethus. · View Herald TranscriptAug 21 2018, 10:56 AM

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

AnalysisOrderChecker.cpp

19 lines

Core/

CoreEngine.cpp

6 lines

test/

Analysis/

end-function-return-stmt.cpp

34 lines

Diff 158850

lib/StaticAnalyzer/Checkers/AnalysisOrderChecker.cpp

Show All 10 Lines
// This is required to ensure that callbacks are fired in order		// This is required to ensure that callbacks are fired in order
// and do not duplicate or get lost.		// and do not duplicate or get lost.
// Feel free to extend this checker with any callback you need to check.		// Feel free to extend this checker with any callback you need to check.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "ClangSACheckers.h"		#include "ClangSACheckers.h"
#include "clang/AST/ExprCXX.h"		#include "clang/AST/ExprCXX.h"
		#include "clang/Analysis/CFGStmtMap.h"
#include "clang/StaticAnalyzer/Core/Checker.h"		#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"		#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;

namespace {		namespace {

class AnalysisOrderChecker		class AnalysisOrderChecker
: public Checker<check::PreStmt<CastExpr>,		: public Checker<check::PreStmt<CastExpr>,
check::PostStmt<CastExpr>,		check::PostStmt<CastExpr>,
check::PreStmt<ArraySubscriptExpr>,		check::PreStmt<ArraySubscriptExpr>,
check::PostStmt<ArraySubscriptExpr>,		check::PostStmt<ArraySubscriptExpr>,
check::PreStmt<CXXNewExpr>,		check::PreStmt<CXXNewExpr>,
check::PostStmt<CXXNewExpr>,		check::PostStmt<CXXNewExpr>,
check::PreStmt<OffsetOfExpr>,		check::PreStmt<OffsetOfExpr>,
check::PostStmt<OffsetOfExpr>,		check::PostStmt<OffsetOfExpr>,
check::PreCall,		check::PreCall,
check::PostCall,		check::PostCall,
		check::EndFunction,
check::NewAllocator,		check::NewAllocator,
check::Bind,		check::Bind,
check::RegionChanges,		check::RegionChanges,
check::LiveSymbols> {		check::LiveSymbols> {

bool isCallbackEnabled(AnalyzerOptions &Opts, StringRef CallbackName) const {		bool isCallbackEnabled(AnalyzerOptions &Opts, StringRef CallbackName) const {
return Opts.getBooleanOption("*", false, this) \|\|		return Opts.getBooleanOption("*", false, this) \|\|
Opts.getBooleanOption(CallbackName, false, this);		Opts.getBooleanOption(CallbackName, false, this);
▲ Show 20 Lines • Show All 68 Lines • ▼ Show 20 Lines	void checkPostCall(const CallEvent &Call, CheckerContext &C) const {
if (isCallbackEnabled(C, "PostCall")) {		if (isCallbackEnabled(C, "PostCall")) {
llvm::errs() << "PostCall";		llvm::errs() << "PostCall";
if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(Call.getDecl()))		if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(Call.getDecl()))
llvm::errs() << " (" << ND->getQualifiedNameAsString() << ')';		llvm::errs() << " (" << ND->getQualifiedNameAsString() << ')';
llvm::errs() << '\n';		llvm::errs() << '\n';
}		}
}		}

		void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const {
		if (isCallbackEnabled(C, "EndFunction")) {
		llvm::errs() << "EndFunction\nReturnStmt: " << (S ? "yes" : "no") << "\n";
		if (!S)
		return;

		llvm::errs() << "CFGElement: ";
		CFGStmtMap *Map = C.getCurrentAnalysisDeclContext()->getCFGStmtMap();
		CFGElement LastElement = Map->getBlock(S)->back();

		if (LastElement.getAs<CFGStmt>())
		llvm::errs() << "CFGStmt\n";
		else if (LastElement.getAs<CFGAutomaticObjDtor>())
		llvm::errs() << "CFGAutomaticObjDtor\n";
		}
		}

void checkNewAllocator(const CXXNewExpr *CNE, SVal Target,		void checkNewAllocator(const CXXNewExpr *CNE, SVal Target,
CheckerContext &C) const {		CheckerContext &C) const {
if (isCallbackEnabled(C, "NewAllocator"))		if (isCallbackEnabled(C, "NewAllocator"))
llvm::errs() << "NewAllocator\n";		llvm::errs() << "NewAllocator\n";
}		}

void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const {		void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const {
if (isCallbackEnabled(C, "Bind"))		if (isCallbackEnabled(C, "Bind"))
Show All 28 Lines

lib/StaticAnalyzer/Core/CoreEngine.cpp

Show First 20 Lines • Show All 217 Lines • ▼ Show 20 Lines	void CoreEngine::HandleBlockEdge(const BlockEdge &L, ExplodedNode *Pred) {
// Check if we are entering the EXIT block.		// Check if we are entering the EXIT block.
if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {		if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {
assert(L.getLocationContext()->getCFG()->getExit().empty() &&		assert(L.getLocationContext()->getCFG()->getExit().empty() &&
"EXIT block cannot contain Stmts.");		"EXIT block cannot contain Stmts.");

// Get return statement..		// Get return statement..
const ReturnStmt *RS = nullptr;		const ReturnStmt *RS = nullptr;
if (!L.getSrc()->empty()) {		if (!L.getSrc()->empty()) {
if (Optional<CFGStmt> LastStmt = L.getSrc()->back().getAs<CFGStmt>()) {		CFGElement LastElement = L.getSrc()->back();
		if (Optional<CFGStmt> LastStmt = LastElement.getAs<CFGStmt>()) {
RS = dyn_cast<ReturnStmt>(LastStmt->getStmt());		RS = dyn_cast<ReturnStmt>(LastStmt->getStmt());
		} else if (Optional<CFGAutomaticObjDtor> AutoDtor =
		LastElement.getAs<CFGAutomaticObjDtor>()) {
		RS = dyn_cast<ReturnStmt>(AutoDtor->getTriggerStmt());
}		}
}		}

// Process the final state transition.		// Process the final state transition.
SubEng.processEndOfFunction(BuilderCtx, Pred, RS);		SubEng.processEndOfFunction(BuilderCtx, Pred, RS);

// This path is done. Don't enqueue any more nodes.		// This path is done. Don't enqueue any more nodes.
return;		return;
▲ Show 20 Lines • Show All 414 Lines • Show Last 20 Lines

test/Analysis/end-function-return-stmt.cpp

				//RUN: %clang_analyze_cc1 -analyzer-checker=debug.AnalysisOrder -analyzer-config debug.AnalysisOrder:EndFunction=true %s 2>&1 \| FileCheck %s

				// At the end of a function, we can only obtain a ReturnStmt if the last
				// CFGElement in the CFGBlock is either a CFGStmt or a CFGAutomaticObjDtor.

				void noReturnStmt() {}

				struct S {
				S();
				~S();
				};

				int dtorAfterReturnStmt() {
				S s;
				return 0;
				}

				S endsWithReturnStmt() {
				return S();
				}

				// endsWithReturnStmt()
				// CHECK: EndFunction
				// CHECK-NEXT: ReturnStmt: yes
				// CHECK-NEXT: CFGElement: CFGStmt

				// dtorAfterReturnStmt()
				// CHECK: EndFunction
				// CHECK-NEXT: ReturnStmt: yes
				// CHECK-NEXT: CFGElement: CFGAutomaticObjDtor

				// noReturnStmt()
				// CHECK: EndFunction
				// CHECK-NEXT: ReturnStmt: no