This is an archive of the discontinued LLVM Phabricator instance.

Differential D50509

[analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a function
ClosedPublic

Authored by Szelethus on Aug 9 2018, 6:30 AM.

Details

Reviewers
george.karpenkov
NoQ
xazax.hun
rnkovacs
Commits
rG646019655c2e: [analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a…
rC340265: [analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a…
rL340265: [analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a…
Summary

Now that it has it's own file, it makes little sense for isPointerOrReferenceUninit to be this large, so I moved dereferencing to a separate function.

Diff Detail

Repository
rL LLVM

Event Timeline

Szelethus created this revision.Aug 9 2018, 6:30 AM
Herald added subscribers: cfe-commits, mikhail.ramalho, a.sidorin and 2 others. · View Herald TranscriptAug 9 2018, 6:30 AM
Szelethus added a parent revision: D50504: [analyzer][UninitializedObjectChecker] Refactoring p2.: Moving pointer chasing to a separate file.Aug 9 2018, 6:30 AM
Szelethus updated this revision to Diff 159916.Aug 9 2018, 6:55 AM

Fixed a comment.

george.karpenkov requested changes to this revision.Aug 10 2018, 11:54 AM
george.karpenkov added inline comments.
lib/StaticAnalyzer/Checkers/UninitializedPointee.cpp
78 ↗(On Diff #159916)

In general, using return values is better than out-parameters.
Could you instead return Optional<std::pair<SVal, QualType>> ?

This revision now requires changes to proceed.Aug 10 2018, 11:54 AM
Szelethus updated this revision to Diff 161209.Aug 17 2018, 4:52 AM
Szelethus edited the summary of this revision. (Show Details)
Szelethus mentioned this in D49437: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger.Aug 17 2018, 5:03 AM
Szelethus added a child revision: D49437: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger.
NoQ added inline comments.Aug 17 2018, 12:18 PM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
223 ↗(On Diff #161209)

Hmm, i still have concerns about things like int *x = (int *)&x;. Why not just check the type to terminate the loop? Type hierarchy is guaranteed to be finite.

NoQ accepted this revision.Aug 17 2018, 12:19 PM

Which shouldn't prevent us from moving code around.

Szelethus added inline comments.Aug 17 2018, 1:22 PM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
223 ↗(On Diff #161209)

There actually is a testcase for that -- it would create a nonloc::LocAsInteger, not a loc::MemRegionVal.

I'll add a TODO to revisit this loop condition (again :) ).

NoQ added inline comments.Aug 17 2018, 1:31 PM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
223 ↗(On Diff #161209)

Ok, let's try with one more asterisk:

1 void test() {
2   int **x = (int **)&x;
3   int *y = *x;
4   int z = *y;
5 }

Here's what i get in the Store:

(x,0,direct) : &element{x,0 S64b,int *}
(y,0,direct) : &element{x,0 S64b,int *}
(z,0,direct) : &element{x,0 S64b,int *}
Szelethus added inline comments.Aug 17 2018, 2:18 PM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
223 ↗(On Diff #161209)

Sounds fun, I'll see how the checker behaves to these when I'm in the office.

Szelethus added inline comments.Aug 21 2018, 3:37 AM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
223 ↗(On Diff #161209)

Yup, you were correct, it ends up in an infinite loop. I'll add the testcase for it before commiting.

This revision was not accepted when it landed; it landed in state Needs Review.Aug 21 2018, 3:46 AM
Closed by commit rL340265: [analyzer][UninitializedObjectChecker] Refactoring p6.: Move dereferencing to a… (authored by Szelethus). · Explain Why
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptAug 21 2018, 3:46 AM
Szelethus removed a child revision: D49437: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger.Aug 23 2018, 10:32 AM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
UninitializedObject/
3 lines
116 lines
test/
Analysis/
21 lines

Diff 161685

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp

Show First 20 LinesShow All 259 Lines▼ Show 20 Lines if (T->isUnionType()) {
continue; continue;
} }
if (T->isArrayType()) { if (T->isArrayType()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
continue; continue;
} }
if (T->isAnyPointerType() || T->isReferenceType() || T->isBlockPointerType()) { if (T->isAnyPointerType() || T->isReferenceType() ||
T->isBlockPointerType()) {
if (isPointerOrReferenceUninit(FR, LocalChain)) if (isPointerOrReferenceUninit(FR, LocalChain))
ContainsUninitField = true; ContainsUninitField = true;
continue; continue;
} }
if (isPrimitiveType(T)) { if (isPrimitiveType(T)) {
SVal V = State->getSVal(FieldVal); SVal V = State->getSVal(FieldVal);
▲ Show 20 LinesShow All 212 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp

Show First 20 LinesShow All 89 Lines▼ Show 20 Lines
// Utility function declarations. // Utility function declarations.
/// Returns whether T can be (transitively) dereferenced to a void pointer type /// Returns whether T can be (transitively) dereferenced to a void pointer type
/// (void*, void**, ...). The type of the region behind a void pointer isn't /// (void*, void**, ...). The type of the region behind a void pointer isn't
/// known, and thus FD can not be analyzed. /// known, and thus FD can not be analyzed.
static bool isVoidPointer(QualType T); static bool isVoidPointer(QualType T);
/// Dereferences \p V and returns the value and dynamic type of the pointee, as
/// well as wether \p FR needs to be casted back to that type. If for whatever
/// reason dereferencing fails, returns with None.
static llvm::Optional<std::tuple<SVal, QualType, bool>>
dereference(ProgramStateRef State, const FieldRegion *FR);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods for FindUninitializedFields. // Methods for FindUninitializedFields.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Note that pointers/references don't contain fields themselves, so in this // Note that pointers/references don't contain fields themselves, so in this
// function we won't add anything to LocalChain. // function we won't add anything to LocalChain.
bool FindUninitializedFields::isPointerOrReferenceUninit( bool FindUninitializedFields::isPointerOrReferenceUninit(
const FieldRegion *FR, FieldChainInfo LocalChain) { const FieldRegion *FR, FieldChainInfo LocalChain) {
Show All 15 Lines return addFieldToUninits(
LocalChain.add(LocField(FR, /*IsDereferenced*/ false))); LocalChain.add(LocField(FR, /*IsDereferenced*/ false)));
} }
if (!CheckPointeeInitialization) { if (!CheckPointeeInitialization) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
assert(V.getAs<loc::MemRegionVal>() &&
"At this point V must be loc::MemRegionVal!");
auto L = V.castAs<loc::MemRegionVal>();
// We can't reason about symbolic regions, assume its initialized.
// Note that this also avoids a potential infinite recursion, because
// constructors for list-like classes are checked without being called, and
// the Static Analyzer will construct a symbolic region for Node *next; or
// similar code snippets.
if (L.getRegion()->getSymbolicBase()) {
IsAnyFieldInitialized = true;
return false;
}
DynamicTypeInfo DynTInfo = getDynamicTypeInfo(State, L.getRegion());
if (!DynTInfo.isValid()) {
IsAnyFieldInitialized = true;
return false;
}
QualType DynT = DynTInfo.getType();
// If the static type of the field is a void pointer, we need to cast it back
// to the dynamic type before dereferencing.
bool NeedsCastBack = isVoidPointer(FR->getDecl()->getType());
if (isVoidPointer(DynT)) {
IsAnyFieldInitialized = true;
return false;
}
// At this point the pointer itself is initialized and points to a valid // At this point the pointer itself is initialized and points to a valid
// location, we'll now check the pointee. // location, we'll now check the pointee.
SVal DerefdV = State->getSVal(V.castAs<Loc>(), DynT); llvm::Optional<std::tuple<SVal, QualType, bool>> DerefInfo =
dereference(State, FR);
// If DerefdV is still a pointer value, we'll dereference it again (e.g.: if (!DerefInfo) {
// int** -> int*).
while (auto Tmp = DerefdV.getAs<loc::MemRegionVal>()) {
if (Tmp->getRegion()->getSymbolicBase()) {
IsAnyFieldInitialized = true;
return false;
}
DynTInfo = getDynamicTypeInfo(State, Tmp->getRegion());
if (!DynTInfo.isValid()) {
IsAnyFieldInitialized = true;
return false;
}
DynT = DynTInfo.getType();
if (isVoidPointer(DynT)) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
DerefdV = State->getSVal(*Tmp, DynT); V = std::get<0>(*DerefInfo);
} QualType DynT = std::get<1>(*DerefInfo);
bool NeedsCastBack = std::get<2>(*DerefInfo);
// If FR is a pointer pointing to a non-primitive type. // If FR is a pointer pointing to a non-primitive type.
if (Optional<nonloc::LazyCompoundVal> RecordV = if (Optional<nonloc::LazyCompoundVal> RecordV =
DerefdV.getAs<nonloc::LazyCompoundVal>()) { V.getAs<nonloc::LazyCompoundVal>()) {
const TypedValueRegion *R = RecordV->getRegion(); const TypedValueRegion *R = RecordV->getRegion();
if (DynT->getPointeeType()->isStructureOrClassType()) { if (DynT->getPointeeType()->isStructureOrClassType()) {
if (NeedsCastBack) if (NeedsCastBack)
return isNonUnionUninit(R, LocalChain.add(NeedsCastLocField(FR, DynT))); return isNonUnionUninit(R, LocalChain.add(NeedsCastLocField(FR, DynT)));
return isNonUnionUninit(R, LocalChain.add(LocField(FR))); return isNonUnionUninit(R, LocalChain.add(LocField(FR)));
} }
Show All 17 Lines if (Optional<nonloc::LazyCompoundVal> RecordV =
llvm_unreachable("All cases are handled!"); llvm_unreachable("All cases are handled!");
} }
assert((isPrimitiveType(DynT->getPointeeType()) || DynT->isAnyPointerType() || assert((isPrimitiveType(DynT->getPointeeType()) || DynT->isAnyPointerType() ||
DynT->isReferenceType()) && DynT->isReferenceType()) &&
"At this point FR must either have a primitive dynamic type, or it " "At this point FR must either have a primitive dynamic type, or it "
"must be a null, undefined, unknown or concrete pointer!"); "must be a null, undefined, unknown or concrete pointer!");
if (isPrimitiveUninit(DerefdV)) { if (isPrimitiveUninit(V)) {
if (NeedsCastBack) if (NeedsCastBack)
return addFieldToUninits(LocalChain.add(NeedsCastLocField(FR, DynT))); return addFieldToUninits(LocalChain.add(NeedsCastLocField(FR, DynT)));
return addFieldToUninits(LocalChain.add(LocField(FR))); return addFieldToUninits(LocalChain.add(LocField(FR)));
} }
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions. // Utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static bool isVoidPointer(QualType T) { static bool isVoidPointer(QualType T) {
while (!T.isNull()) { while (!T.isNull()) {
if (T->isVoidPointerType()) if (T->isVoidPointerType())
return true; return true;
T = T->getPointeeType(); T = T->getPointeeType();
} }
return false; return false;
} }
static llvm::Optional<std::tuple<SVal, QualType, bool>>
dereference(ProgramStateRef State, const FieldRegion *FR) {
DynamicTypeInfo DynTInfo;
QualType DynT;
// If the static type of the field is a void pointer, we need to cast it back
// to the dynamic type before dereferencing.
bool NeedsCastBack = isVoidPointer(FR->getDecl()->getType());
SVal V = State->getSVal(FR);
assert(V.getAs<loc::MemRegionVal>() && "V must be loc::MemRegionVal!");
// If V is multiple pointer value, we'll dereference it again (e.g.: int** ->
// int*).
// TODO: Dereference according to the dynamic type to avoid infinite loop for
// these kind of fields:
// int **ptr = reinterpret_cast<int **>(&ptr);
while (auto Tmp = V.getAs<loc::MemRegionVal>()) {
// We can't reason about symbolic regions, assume its initialized.
// Note that this also avoids a potential infinite recursion, because
// constructors for list-like classes are checked without being called, and
// the Static Analyzer will construct a symbolic region for Node *next; or
// similar code snippets.
if (Tmp->getRegion()->getSymbolicBase()) {
return None;
}
DynTInfo = getDynamicTypeInfo(State, Tmp->getRegion());
if (!DynTInfo.isValid()) {
return None;
}
DynT = DynTInfo.getType();
if (isVoidPointer(DynT)) {
return None;
}
V = State->getSVal(*Tmp, DynT);
}
return std::make_tuple(V, DynT, NeedsCastBack);
}

cfe/trunk/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

Show First 20 LinesShow All 188 Lines▼ Show 20 Linesstruct CharPointerTest {
CharPointerTest() : str("") {} CharPointerTest() : str("") {}
}; };
void fCharPointerTest() { void fCharPointerTest() {
CharPointerTest(); CharPointerTest();
} }
struct CyclicPointerTest { struct CyclicPointerTest1 {
int *ptr; int *ptr;
CyclicPointerTest() : ptr(reinterpret_cast<int *>(&ptr)) {} CyclicPointerTest1() : ptr(reinterpret_cast<int *>(&ptr)) {}
}; };
void fCyclicPointerTest() { void fCyclicPointerTest1() {
CyclicPointerTest(); CyclicPointerTest1();
} }
// TODO: Currently, the checker ends up in an infinite loop for the following
// test case.
/*
struct CyclicPointerTest2 {
int **pptr;
CyclicPointerTest2() : pptr(reinterpret_cast<int **>(&pptr)) {}
};
void fCyclicPointerTest2() {
CyclicPointerTest2();
}
*/
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Void pointer tests. // Void pointer tests.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Void pointer tests are mainly no-crash tests. // Void pointer tests are mainly no-crash tests.
void *malloc(int size); void *malloc(int size);
▲ Show 20 LinesShow All 536 LinesShow Last 20 Lines