This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
MoveChecker.cpp
-
test/Analysis/
-
Analysis/
6
use-after-move.cpp

Differential D54563

[analyzer] MoveChecker Pt.4: Add a few more state reset methods.
ClosedPublic

Authored by NoQ on Nov 14 2018, 6:57 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
rnkovacs
Szelethus

Commits

rGf3f036629618: [analyzer] MoveChecker: Add more common state resetting methods.
rL348235: [analyzer] MoveChecker: Add more common state resetting methods.
rC348235: [analyzer] MoveChecker: Add more common state resetting methods.

Summary

This covers methods that may reset the state depending on the value of the argument: resize(), shrink_to_fit(), and shrink(). The latter is something i've seen on a custom collection; we don't have to hardcode those, but i guess it's a good safe way to be a bit better out of the box. As a TODO, we might want to warn anyway when the value of the argument is not 0.

Diff Detail

Repository: rC Clang

Event Timeline

NoQ created this revision.Nov 14 2018, 6:57 PM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 2 others. · View Herald TranscriptNov 14 2018, 6:57 PM

NoQ added a parent revision: D54560: [analyzer] MoveChecker Pt.3: Improve warning messages a bit..Nov 14 2018, 6:57 PM

How about std::list<T>::splice?

This revision is now accepted and ready to land.Nov 15 2018, 7:52 AM

In D54563#1299918, @Szelethus wrote:

How about std::list<T>::splice?

Hmm, you mean that it leaves its argument empty? Interesting, i guess we may need a separate facility for that. I wonder how many other state-reset methods are we forgetting.

In D54563#1301893, @NoQ wrote:

In D54563#1299918, @Szelethus wrote:

How about std::list<T>::splice?

Hmm, you mean that it leaves its argument empty? Interesting, i guess we may need a separate facility for that.

I looked it up, and this is what I found: (source: http://eel.is/c++draft/list.ops)

list provides three splice operations that destructively move elements from one list to another. The behavior of splice operations is undefined if get_allocator() != x.get_allocator().
void splice(const_iterator position, list& x);
void splice(const_iterator position, list&& x);
Effects: Inserts the contents of x before position and x becomes empty. Pointers and references to the moved elements of x now refer to those same elements but as members of *this. Iterators referring to the moved >elements will continue to refer to their elements, but they now behave as iterators into *this, not into x.

This suggests to me that list1.splice(list1.begin(), std::move(list2)) leaves list2 in a valid, well-defined, but empty state.

I wonder how many other state-reset methods are we forgetting.

merge does something similar too for map, multimap, set, multiset, as well as their unordered counterparts.

As a TODO, we might want to warn anyway when the value of the argument is not 0.

Maybe leave a TODO in the code as well? ^-^

In D54563#1306358, @Szelethus wrote:

This suggests to me that list1.splice(list1.begin(), std::move(list2)) leaves list2 in a valid, well-defined, but empty state.

Wait, i think this should work automagically. Because list2 is passed by non-const reference (eg., rvalue reference) into an unknown function, it will be invalidated when the call is modeled conservatively, and therefore we will stop tracking it in the checkRegionChanges callback.

Add a TODO.

Can you add tests for that just in case? :)

test/Analysis/use-after-move.cpp
330–331	Because `list2` is passed by non-const reference (eg., rvalue reference) into an unknown function, it will be invalidated when the call is modeled conservatively, and therefore we will stop tracking it in the `checkRegionChanges` callback. Hmmm. Doesn't this check something similar, but still cause an warning?

NoQ added inline comments.Dec 3 2018, 4:43 PM

test/Analysis/use-after-move.cpp
260–262	This would have been the test for our case, but in this test the function has a body and will not be evaluated conservatively.
330–331	In this case `a` is passed by value. Therefore a move-constructor is called, and then the function does not have access to `a`.
597–615	This would have been the test for our case, but the `&&` case isn't tested.

Okay, I submit! :D

test/Analysis/use-after-move.cpp
260–262	Hmm, since those are all STL containers, we should be able to have their definition? Or only with `c++-container-inlining=true`? Take this as more of a question than anything else.

I'm glad you brought this stuff up, found two more bugs to fix.

In D54563#1317678, @Szelethus wrote:

Can you add tests for that just in case? :)

The test works, but i noticed that we aren't respecting const references. That is, we believe that passing the object by const reference or pointer may reset it. I guess i'll make a separate commit.

test/Analysis/use-after-move.cpp
260–262	Yeah, assuming that we only need containers. As usual, i expect only good things to happen when we inline them. Say, if a field is overwritten in the inlined call, this would also trigger `checkRegionChanges`. And i doubt that in these examples there will be a path through the function that leaves the object entirely untouched. As a side note, i doubt that we'll actually react to field assignment, because this checker's `checkRegionChanges` callback doesn't account for that: it only iterates through explicit regions. I guess this needs fixing.

Hmm, i shouldn't have included shrink_to_fit. It definitely keeps the object in unspecified state if it is already in unspecified state.

Closed by commit rC348235: [analyzer] MoveChecker: Add more common state resetting methods. (authored by NoQ). · Explain WhyDec 3 2018, 7:41 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

MoveChecker.cpp

5 lines

test/

Analysis/

use-after-move.cpp

10 lines

Diff 176537

lib/StaticAnalyzer/Checkers/MoveChecker.cpp

	Show First 20 Lines • Show All 337 Lines • ▼ Show 20 Lines

	bool MoveChecker::isStateResetMethod(const CXXMethodDecl *MethodDec) const {			bool MoveChecker::isStateResetMethod(const CXXMethodDecl *MethodDec) const {
	if (!MethodDec)			if (!MethodDec)
	return false;			return false;
	if (MethodDec->hasAttr<ReinitializesAttr>())			if (MethodDec->hasAttr<ReinitializesAttr>())
	return true;			return true;
	if (MethodDec->getDeclName().isIdentifier()) {			if (MethodDec->getDeclName().isIdentifier()) {
	std::string MethodName = MethodDec->getName().lower();			std::string MethodName = MethodDec->getName().lower();
				// TODO: Some of these methods (eg., resize) are not always resetting
				// the state, so we should consider looking at the arguments.
	if (MethodName == "reset" \|\| MethodName == "clear" \|\|			if (MethodName == "reset" \|\| MethodName == "clear" \|\|
	MethodName == "destroy")			MethodName == "destroy" \|\| MethodName == "resize" \|\|
				MethodName == "shrink")
	return true;			return true;
	}			}
	return false;			return false;
	}			}

	// Don't report an error inside a move related operation.			// Don't report an error inside a move related operation.
	// We assume that the programmer knows what she does.			// We assume that the programmer knows what she does.
	bool MoveChecker::isInMoveSafeContext(const LocationContext *LC) const {			bool MoveChecker::isInMoveSafeContext(const LocationContext *LC) const {
	▲ Show 20 Lines • Show All 209 Lines • Show Last 20 Lines

test/Analysis/use-after-move.cpp

Show All 9 Lines
// RUN: -analyzer-config alpha.cplusplus.Move:Aggressive=true -DAGGRESSIVE		// RUN: -analyzer-config alpha.cplusplus.Move:Aggressive=true -DAGGRESSIVE
// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.cplusplus.Move -verify %s\		// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.cplusplus.Move -verify %s\
// RUN: -std=c++11 -analyzer-output=text -analyzer-config eagerly-assume=false\		// RUN: -std=c++11 -analyzer-output=text -analyzer-config eagerly-assume=false\
// RUN: -analyzer-config exploration_strategy=dfs -DDFS=1\		// RUN: -analyzer-config exploration_strategy=dfs -DDFS=1\
// RUN: -analyzer-config alpha.cplusplus.Move:Aggressive=true -DAGGRESSIVE		// RUN: -analyzer-config alpha.cplusplus.Move:Aggressive=true -DAGGRESSIVE

namespace std {		namespace std {

		typedef __typeof(sizeof(int)) size_t;

template <typename>		template <typename>
struct remove_reference;		struct remove_reference;

template <typename _Tp>		template <typename _Tp>
struct remove_reference { typedef _Tp type; };		struct remove_reference { typedef _Tp type; };

template <typename _Tp>		template <typename _Tp>
struct remove_reference<_Tp &> { typedef _Tp type; };		struct remove_reference<_Tp &> { typedef _Tp type; };
▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines	void operator=(A &&other) {
return;		return;
}		}
int getI() { return i; }		int getI() { return i; }
int foo() const;		int foo() const;
void bar() const;		void bar() const;
void reset();		void reset();
void destroy();		void destroy();
void clear();		void clear();
		void resize(std::size_t);
bool empty() const;		bool empty() const;
bool isEmpty() const;		bool isEmpty() const;
operator bool() const;		operator bool() const;
};		};

int bignum();		int bignum();

void moveInsideFunctionCall(A a) {		void moveInsideFunctionCall(A a) {
▲ Show 20 Lines • Show All 128 Lines • ▼ Show 20 Lines	void decltypeIsNotUseTest() {
A a;		A a;
// A b(std::move(a));		// A b(std::move(a));
decltype(a) other_a; // no-warning		decltype(a) other_a; // no-warning
}		}

void loopTest() {		void loopTest() {
{		{
A a;		A a;
for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is false. Execution jumps to the end of the function}}		for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is false. Execution jumps to the end of the function}}
rightRefCall(std::move(a)); // no-warning		rightRefCall(std::move(a)); // no-warning
}		}
		NoQAuthorUnsubmitted Not Done Reply Inline Actions This would have been the test for our case, but in this test the function has a body and will not be evaluated conservatively. NoQ: This would have been the test for our case, but in this test the function has a body and will…
		SzelethusUnsubmitted Not Done Reply Inline Actions Hmm, since those are all STL containers, we should be able to have their definition? Or only with `c++-container-inlining=true`? Take this as more of a question than anything else. Szelethus: Hmm, since those are all STL containers, we should be able to have their definition? Or only…
		NoQAuthorUnsubmitted Not Done Reply Inline Actions Yeah, assuming that we only need containers. As usual, i expect only good things to happen when we inline them. Say, if a field is overwritten in the inlined call, this would also trigger `checkRegionChanges`. And i doubt that in these examples there will be a path through the function that leaves the object entirely untouched. As a side note, i doubt that we'll actually react to field assignment, because this checker's `checkRegionChanges` callback doesn't account for that: it only iterates through explicit regions. I guess this needs fixing. NoQ: Yeah, assuming that we only need containers. As usual, i expect only good things to happen…
}		}
{		{
A a;		A a;
for (int i = 0; i < 2; i++) { // expected-note {{Loop condition is true. Entering loop body}}		for (int i = 0; i < 2; i++) { // expected-note {{Loop condition is true. Entering loop body}}
//expected-note@-1 {{Loop condition is true. Entering loop body}}		//expected-note@-1 {{Loop condition is true. Entering loop body}}
//expected-note@-2 {{Loop condition is false. Execution jumps to the end of the function}}		//expected-note@-2 {{Loop condition is false. Execution jumps to the end of the function}}
rightRefCall(std::move(a)); // no-warning		rightRefCall(std::move(a)); // no-warning
}		}
▲ Show 20 Lines • Show All 51 Lines • ▼ Show 20 Lines	void loopTest() {
for (int i = 0; i < 2; i++) { // expected-note {{Loop condition is true.}}		for (int i = 0; i < 2; i++) { // expected-note {{Loop condition is true.}}
//expected-note@-1 {{Loop condition is true. Entering loop body}}		//expected-note@-1 {{Loop condition is true. Entering loop body}}
//expected-note@-2 {{Loop condition is false. Execution jumps to the end of the function}}		//expected-note@-2 {{Loop condition is false. Execution jumps to the end of the function}}
copyOrMoveCall(a); // no-warning		copyOrMoveCall(a); // no-warning
}		}
}		}
{		{
A a;		A a;
for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is true. Entering loop body}} expected-note {{Loop condition is true. Entering loop body}}		for (int i = 0; i < bignum(); i++) { // expected-note {{Loop condition is true. Entering loop body}} expected-note {{Loop condition is true. Entering loop body}}
constCopyOrMoveCall(std::move(a)); // expected-warning {{Moved-from object 'a' is moved}} expected-note {{Moved-from object 'a' is moved}}		constCopyOrMoveCall(std::move(a)); // expected-warning {{Moved-from object 'a' is moved}} expected-note {{Moved-from object 'a' is moved}}
		SzelethusUnsubmitted Not Done Reply Inline Actions Because `list2` is passed by non-const reference (eg., rvalue reference) into an unknown function, it will be invalidated when the call is modeled conservatively, and therefore we will stop tracking it in the `checkRegionChanges` callback. Hmmm. Doesn't this check something similar, but still cause an warning? Szelethus: >Because `list2` is passed by non-const reference (eg., rvalue reference) into an unknown…
		NoQAuthorUnsubmitted Not Done Reply Inline Actions In this case `a` is passed by value. Therefore a move-constructor is called, and then the function does not have access to `a`. NoQ: In this case `a` is passed by value. Therefore a move-constructor is called, and then the…
// expected-note@-1 {{Object 'a' is moved}}		// expected-note@-1 {{Object 'a' is moved}}
}		}
}		}

// Don't warn if we return after the move.		// Don't warn if we return after the move.
{		{
A a;		A a;
for (int i = 0; i < 3; ++i) {		for (int i = 0; i < 3; ++i) {
▲ Show 20 Lines • Show All 61 Lines • ▼ Show 20 Lines	void moveStateResetFunctionsTest() {
}		}
{		{
A a;		A a;
A b = std::move(a);		A b = std::move(a);
a.clear(); // no-warning		a.clear(); // no-warning
a.foo(); // no-warning		a.foo(); // no-warning
a.b.foo(); // no-warning		a.b.foo(); // no-warning
}		}
		{
		A a;
		A b = std::move(a);
		a.resize(0); // no-warning
		a.foo(); // no-warning
		a.b.foo(); // no-warning
		}
}		}

// Moves or uses that occur as part of template arguments.		// Moves or uses that occur as part of template arguments.
template <int>		template <int>
class ClassTemplate {		class ClassTemplate {
public:		public:
void foo(A a);		void foo(A a);
};		};
▲ Show 20 Lines • Show All 165 Lines • ▼ Show 20 Lines	void paramEvaluateOrderTest() {
A a;		A a;
foobar(std::move(a), a.getI()); // expected-warning {{Method called on moved-from object 'a'}} expected-note {{Method called on moved-from object 'a'}}		foobar(std::move(a), a.getI()); // expected-warning {{Method called on moved-from object 'a'}} expected-note {{Method called on moved-from object 'a'}}
// expected-note@-1 {{Object 'a' is moved}}		// expected-note@-1 {{Object 'a' is moved}}

//FALSE NEGATIVE since parameters evaluate order is undefined		//FALSE NEGATIVE since parameters evaluate order is undefined
foobar(a.getI(), std::move(a)); //no-warning		foobar(a.getI(), std::move(a)); //no-warning
}		}

void not_known(A &a);		void not_known(A &a);
void not_known(A *a);		void not_known(A *a);

void regionAndPointerEscapeTest() {		void regionAndPointerEscapeTest() {
{		{
A a;		A a;
A b;		A b;
b = std::move(a);		b = std::move(a);
not_known(a);		not_known(a);
a.foo(); //no-warning		a.foo(); //no-warning
}		}
{		{
A a;		A a;
A b;		A b;
b = std::move(a);		b = std::move(a);
not_known(&a);		not_known(&a);
a.foo(); // no-warning		a.foo(); // no-warning
}		}
}		}
		NoQAuthorUnsubmitted Not Done Reply Inline Actions This would have been the test for our case, but the `&&` case isn't tested. NoQ: This would have been the test for our case, but the `&&` case isn't tested.

// A declaration statement containing multiple declarations sequences the		// A declaration statement containing multiple declarations sequences the
// initializer expressions.		// initializer expressions.
void declarationSequenceTest() {		void declarationSequenceTest() {
{		{
A a;		A a;
A a1 = a, a2 = std::move(a); // no-warning		A a1 = a, a2 = std::move(a); // no-warning
}		}
▲ Show 20 Lines • Show All 186 Lines • Show Last 20 Lines