This is an archive of the discontinued LLVM Phabricator instance.

Differential D51300

[analyzer][UninitializedObjectChecker] No longer using nonloc::LazyCompoundVal
ClosedPublic

Authored by Szelethus on Aug 27 2018, 6:43 AM.

Details

Reviewers
NoQ
george.karpenkov
xazax.hun
rnkovacs
Commits
rGdbabdfaca5c9: [analyzer][UninitializedObjectChecker] No longer using nonloc::LazyCompoundVal
rC344879: [analyzer][UninitializedObjectChecker] No longer using nonloc::LazyCompoundVal
rL344879: [analyzer][UninitializedObjectChecker] No longer using nonloc::LazyCompoundVal
Summary

As rightly pointed out by @NoQ, nonloc::LazyCompoundVals were only used to acquire a constructed object's region, which isn't what LazyCompoundVal was made for.

Diff Detail

Repository
rL LLVM

Event Timeline

Szelethus created this revision.Aug 27 2018, 6:43 AM
Herald added subscribers: cfe-commits, mikhail.ramalho, a.sidorin and 2 others. · View Herald TranscriptAug 27 2018, 6:43 AM
NoQ accepted this revision.Aug 28 2018, 1:17 PM

Yup, looks correct to me!

lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp
448–449 ↗(On Diff #162669)

This totally needs assert(CtorDecl == Context.getStackFrame()->getDecl()). Otherwise we're in big trouble because we'll be looking into a this-region that doesn't exist on this stack frame.

On second thought, though, i guess we should put this assertion into the constructor of CXXThisRegion. I'll do this.

Also there's an overload of getCXXThis that accepts the method itself, no need to get parent.

This revision is now accepted and ready to land.Aug 28 2018, 1:17 PM
Szelethus added inline comments.Aug 29 2018, 4:22 AM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp
448–449 ↗(On Diff #162669)

Ummmm that wouldn't be very nice, because...

456–483 ↗(On Diff #162669)

...willBeAnalyzerLater() relies on this, and it uses all sorts of constructor decls to check whether Context.getLocationContext()->getDecl() would be a subregion of another object. Are you sure that this is incorrect?

NoQ added inline comments.Aug 29 2018, 4:05 PM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp
448–449 ↗(On Diff #162669)

Yeah, i guess i'll have to think a bit deeper about this. I really want to prevent invalid CXXThisRegions from appearing, but it might be not that simple.

456–483 ↗(On Diff #162669)

I mean not the this-region of the object, but the CXXThisRegion itself, in which this-region is stored. It is definitely not aliased across stack frames.

Szelethus added a comment.Aug 31 2018, 2:16 AM

Would you be comfortable me commiting this without that assert, or should I come up with a more risk-free solution?

Szelethus updated this revision to Diff 163813.Sep 4 2018, 7:28 AM

Fixed a crash where the returned region's type wasn't CXXRecordDecl. I'm not even sure how this is possible -- and unfortunately I've been unable to create a minimal (not) working example for this, and I wasn't even able to recreate the error locally. However, on the server where I could repeatedly cause a crash with the analysis of lib/AST/Expr.cpp, this fix resolved the issue.

Note that this assert failure didn't happen inside willBeAnalyzedLater, where getConstructedRegion is used with a different CXXConstructorDecl then the one on top of the stack frame.

NoQ added a comment.Sep 4 2018, 10:37 AM
In D51300#1220537, @Szelethus wrote:

Would you be comfortable me commiting this without that assert

Yup sure.

In D51300#1223042, @Szelethus wrote:

I'm not even sure how this is possible -- and unfortunately I've been unable to create a minimal (not) working example for this, and I wasn't even able to recreate the error locally.

Sounds like a test case would be great to have. Consider extracting a preprocessed file and running it under creduce, that's a great generic method for obtaining small reproducers for crashes and regressions (but not for false positives). As far as i understand, it's a crash on llvm codebase, which should be easy to re-analyze locally, even just one file, because llvm is built with cmake and dumps compilation databases, so just use clang-check on a single file, or simply append --analyze to the compilation database run-line.

This specific problem sounds elusive because it's a problem with pointer casts, and pointer casts are currently a mess. I cannot state for sure that typed this-region type must always be a record, but it's definitely a bad smell when it is't. So i recommend a quick investigation of whether the region in question is (1) well-formed and (2) correctly reflects the semantics of the program.

Szelethus planned changes to this revision.Sep 5 2018, 11:11 AM

Sounds like a test case would be great to have.

Aye. I'd be good to land this with that testcase. There are a variety of other projects I'm working on (related to the checker), and none of them depend on this patch, so I'll commit this once I figure out how to use creduce ><

NoQ added a comment.Sep 5 2018, 11:47 AM

Very easy:

  1. Put preprocessed file that crashes into repro.cpp (.c, .m, whatever).
  2. Write repro.sh as follows:
#!/bin/bash
blah/blah/path/to/clang -cc1 -analyze -blah-blah-arguments-you-need-to-cause-a-crash repro.cpp 2>&1 | grep "Any assertion message or whatever"
  1. Do:
creduce repro.sh repro.cpp
  1. Wait until it finishes.
  2. repro.cpp now contains the reduced test case.

Tip for speed:

  • The repro.sh script should be as fast as possible. Use a release+asserts build of clang.
  • Also -analyze-function top_function_that_we_analyze_when_we_crash is a great flag to add to the run-line if possible, because it'll make the test much faster; see -analyzer-display-progress to figure out how to specify the function; if it's a lambda or a block you're out of luck because you'll need to specify line number which would change during reduce; you may also fail because top-level analyses are interacting a bit, so it may fail to crash if you restrict to a function.
Szelethus added a comment.EditedSep 10 2018, 10:34 AM

There are some nasty environment issues I'm dealing with, so the main problem is the lack of a well functioning creduce, but I'll get it done eventually.

Szelethus updated this revision to Diff 168775.Oct 9 2018, 3:56 AM

Finally managed to run creduce. I added the test that caused a crash on our server, but as I said, I couldn't replicate it elsewhere.

This revision is now accepted and ready to land.Oct 9 2018, 3:56 AM
Szelethus added a comment.Oct 9 2018, 3:59 AM

Since a good amount of time passed since this patch was made, I'll re-analyze the LLVM project with this patch rebased on trunk just to be sure that nothing breaks.

Closed by commit rL344879: [analyzer][UninitializedObjectChecker] No longer using nonloc::LazyCompoundVal (authored by Szelethus). · Explain WhyOct 21 2018, 4:32 PM
This revision was automatically updated to reflect the committed changes.
Herald added subscribers: llvm-commits, dkrupp, donat.nagy. · View Herald TranscriptOct 21 2018, 4:32 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
UninitializedObject/
51 lines

Diff 170361

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp

Show First 20 LinesShow All 90 Lines▼ Show 20 Linespublic:
virtual bool isBase() const override { return true; } virtual bool isBase() const override { return true; }
}; };
} // end of anonymous namespace } // end of anonymous namespace
// Utility function declarations. // Utility function declarations.
/// Returns the object that was constructed by CtorDecl, or None if that isn't /// Returns the region that was constructed by CtorDecl, or nullptr if that
/// possible. /// isn't possible.
// TODO: Refactor this function so that it returns the constructed object's static const TypedValueRegion *
// region. getConstructedRegion(const CXXConstructorDecl *CtorDecl,
static Optional<nonloc::LazyCompoundVal> CheckerContext &Context);
getObjectVal(const CXXConstructorDecl *CtorDecl, CheckerContext &Context);
/// Checks whether the object constructed by \p Ctor will be analyzed later /// Checks whether the object constructed by \p Ctor will be analyzed later
/// (e.g. if the object is a field of another object, in which case we'd check /// (e.g. if the object is a field of another object, in which case we'd check
/// it multiple times). /// it multiple times).
static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor, static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor,
CheckerContext &Context); CheckerContext &Context);
/// Checks whether RD contains a field with a name or type name that matches /// Checks whether RD contains a field with a name or type name that matches
Show All 17 Linesvoid UninitializedObjectChecker::checkEndFunction(
if (CtorDecl->getParent()->isUnion()) if (CtorDecl->getParent()->isUnion())
return; return;
// This avoids essentially the same error being reported multiple times. // This avoids essentially the same error being reported multiple times.
if (willObjectBeAnalyzedLater(CtorDecl, Context)) if (willObjectBeAnalyzedLater(CtorDecl, Context))
return; return;
Optional<nonloc::LazyCompoundVal> Object = getObjectVal(CtorDecl, Context); const TypedValueRegion *R = getConstructedRegion(CtorDecl, Context);
if (!Object) if (!R)
return; return;
FindUninitializedFields F(Context.getState(), Object->getRegion(), Opts); FindUninitializedFields F(Context.getState(), R, Opts);
const UninitFieldMap &UninitFields = F.getUninitFields(); const UninitFieldMap &UninitFields = F.getUninitFields();
if (UninitFields.empty()) if (UninitFields.empty())
return; return;
// There are uninitialized fields in the record. // There are uninitialized fields in the record.
▲ Show 20 LinesShow All 244 Lines▼ Show 20 Linesstatic void printTail(llvm::raw_ostream &Out,
L.getHead().printNode(Out); L.getHead().printNode(Out);
L.getHead().printSeparator(Out); L.getHead().printSeparator(Out);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions. // Utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static Optional<nonloc::LazyCompoundVal> static const TypedValueRegion *
getObjectVal(const CXXConstructorDecl *CtorDecl, CheckerContext &Context) { getConstructedRegion(const CXXConstructorDecl *CtorDecl,
CheckerContext &Context) {
Loc ThisLoc = Context.getSValBuilder().getCXXThis(CtorDecl->getParent(), Loc ThisLoc = Context.getSValBuilder().getCXXThis(CtorDecl,
Context.getStackFrame()); Context.getStackFrame());
// Getting the value for 'this'.
SVal This = Context.getState()->getSVal(ThisLoc);
// Getting the value for '*this'. SVal ObjectV = Context.getState()->getSVal(ThisLoc);
SVal Object = Context.getState()->getSVal(This.castAs<Loc>());
auto *R = ObjectV.getAsRegion()->getAs<TypedValueRegion>();
if (R && !R->getValueType()->getAsCXXRecordDecl())
return nullptr;
return Object.getAs<nonloc::LazyCompoundVal>(); return R;
} }
static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor, static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor,
CheckerContext &Context) { CheckerContext &Context) {
Optional<nonloc::LazyCompoundVal> CurrentObject = getObjectVal(Ctor, Context); const TypedValueRegion *CurrRegion = getConstructedRegion(Ctor, Context);
if (!CurrentObject) if (!CurrRegion)
return false; return false;
const LocationContext *LC = Context.getLocationContext(); const LocationContext *LC = Context.getLocationContext();
while ((LC = LC->getParent())) { while ((LC = LC->getParent())) {
// If \p Ctor was called by another constructor. // If \p Ctor was called by another constructor.
const auto *OtherCtor = dyn_cast<CXXConstructorDecl>(LC->getDecl()); const auto *OtherCtor = dyn_cast<CXXConstructorDecl>(LC->getDecl());
if (!OtherCtor) if (!OtherCtor)
continue; continue;
Optional<nonloc::LazyCompoundVal> OtherObject = const TypedValueRegion *OtherRegion =
getObjectVal(OtherCtor, Context); getConstructedRegion(OtherCtor, Context);
if (!OtherObject) if (!OtherRegion)
continue; continue;
// If the CurrentObject is a subregion of OtherObject, it will be analyzed // If the CurrRegion is a subregion of OtherRegion, it will be analyzed
// during the analysis of OtherObject. // during the analysis of OtherRegion.
if (CurrentObject->getRegion()->isSubRegionOf(OtherObject->getRegion())) if (CurrRegion->isSubRegionOf(OtherRegion))
return true; return true;
} }
return false; return false;
} }
static bool shouldIgnoreRecord(const RecordDecl *RD, StringRef Pattern) { static bool shouldIgnoreRecord(const RecordDecl *RD, StringRef Pattern) {
llvm::Regex R(Pattern); llvm::Regex R(Pattern);
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines