This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
ExprEngineC.cpp
-
unittests/StaticAnalyzer/
-
StaticAnalyzer/
-
RegisterCustomCheckersTest.cpp

Differential D55701

[analyzer] Pass the correct loc Expr from VisitIncDecOp to evalStore
ClosedPublic

Authored by r.stahl on Dec 14 2018, 3:42 AM.

Download Raw Diff

Details

Reviewers

NoQ
dcoughlin
george.karpenkov

Commits

rGcc19f921b579: [analyzer] Pass the correct loc Expr from VisitIncDecOp to evalStore
rL350528: [analyzer] Pass the correct loc Expr from VisitIncDecOp to evalStore
rC350528: [analyzer] Pass the correct loc Expr from VisitIncDecOp to evalStore

Summary

The LocationE parameter of evalStore is documented as "The location expression that is stored to". When storing from an increment / decrement operator this was not satisfied. In user code this causes an inconsistency between the SVal and Stmt parameters of checkLocation.

Diff Detail

Repository: rC Clang

Event Timeline

r.stahl created this revision.Dec 14 2018, 3:42 AM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptDec 14 2018, 3:42 AM

Harbormaster completed remote builds in B26025: Diff 178215.Dec 14 2018, 3:42 AM

cfe-dev thread with short discussion: http://lists.llvm.org/pipermail/cfe-dev/2018-April/057562.html

Thanks! Neat test.

Can we now assert(LocationE->isGLValue()) in evalStore()? What about evalLoad()?

Also, were no other checkers affected? Like, will null pointer dereference checker now warn upon something like (*0)++ or ++(*0)?

You can commit the patch, but i would also love to see these questions investigated.

This revision is now accepted and ready to land.Dec 14 2018, 2:23 PM

rebased

Harbormaster completed remote builds in B26446: Diff 180487.Jan 7 2019, 7:08 AM

Closed by commit rC350528: [analyzer] Pass the correct loc Expr from VisitIncDecOp to evalStore (authored by r.stahl). · Explain WhyJan 7 2019, 7:10 AM

This revision was automatically updated to reflect the committed changes.

I tried adding isGLValue to evalStore and the test suite didn't complain. For evalLoad (on BoundEx) it failed in pretty much every test. Should the evalStore assert also go into trunk?

Since the analyzer behavior itself remains unchanged, I don't believe any other checker should be affected.

For myself it was pretty obvious that there is something weird going on when I didn't get the expected Stmt in my checker callback. So I added the following workaround. With this patch, the workaround is safely skipped.

The only change that this patch might cause "in the wild" is when someone used the Stmt as location, but didn't test with IncDecOps. However, as far as I can tell this should only have positive outcome.

Do I have any other means to check if other checkers were affected than to run the test suite?

// Workaround for an inconsistency with IncDecOps: The statement is not the location expr.
if (auto unaryE = dyn_cast<UnaryOperator>(S))
{
  if (unaryE->isIncrementDecrementOp())
  {
    S = unaryE->getSubExpr();
  }
}

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

ExprEngineC.cpp

4 lines

unittests/

StaticAnalyzer/

RegisterCustomCheckersTest.cpp

55 lines

Diff 180489

lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 Lines • Show All 1,046 Lines • ▼ Show 20 Lines	for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end();I!=E;++I) {

// Propagate unknown and undefined values.		// Propagate unknown and undefined values.
if (V2_untested.isUnknownOrUndef()) {		if (V2_untested.isUnknownOrUndef()) {
state = state->BindExpr(U, LCtx, V2_untested);		state = state->BindExpr(U, LCtx, V2_untested);

// Perform the store, so that the uninitialized value detection happens.		// Perform the store, so that the uninitialized value detection happens.
Bldr.takeNodes(*I);		Bldr.takeNodes(*I);
ExplodedNodeSet Dst3;		ExplodedNodeSet Dst3;
evalStore(Dst3, U, U, *I, state, loc, V2_untested);		evalStore(Dst3, U, Ex, *I, state, loc, V2_untested);
Bldr.addNodes(Dst3);		Bldr.addNodes(Dst3);

continue;		continue;
}		}
DefinedSVal V2 = V2_untested.castAs<DefinedSVal>();		DefinedSVal V2 = V2_untested.castAs<DefinedSVal>();

// Handle all other values.		// Handle all other values.
BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub;		BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub;
▲ Show 20 Lines • Show All 51 Lines • ▼ Show 20 Lines	for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end();I!=E;++I) {
if (U->isGLValue())		if (U->isGLValue())
state = state->BindExpr(U, LCtx, loc);		state = state->BindExpr(U, LCtx, loc);
else		else
state = state->BindExpr(U, LCtx, U->isPostfix() ? V2 : Result);		state = state->BindExpr(U, LCtx, U->isPostfix() ? V2 : Result);

// Perform the store.		// Perform the store.
Bldr.takeNodes(*I);		Bldr.takeNodes(*I);
ExplodedNodeSet Dst3;		ExplodedNodeSet Dst3;
evalStore(Dst3, U, U, *I, state, loc, Result);		evalStore(Dst3, U, Ex, *I, state, loc, Result);
Bldr.addNodes(Dst3);		Bldr.addNodes(Dst3);
}		}
Dst.insert(Dst2);		Dst.insert(Dst2);
}		}

unittests/StaticAnalyzer/RegisterCustomCheckersTest.cpp

Show All 15 Lines
#include "clang/StaticAnalyzer/Frontend/CheckerRegistry.h"		#include "clang/StaticAnalyzer/Frontend/CheckerRegistry.h"
#include "clang/Tooling/Tooling.h"		#include "clang/Tooling/Tooling.h"
#include "gtest/gtest.h"		#include "gtest/gtest.h"

namespace clang {		namespace clang {
namespace ento {		namespace ento {
namespace {		namespace {

class CustomChecker : public Checker<check::ASTCodeBody> {		template <typename CheckerT>
public:
void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
BugReporter &BR) const {
BR.EmitBasicReport(D, this, "Custom diagnostic", categories::LogicError,
"Custom diagnostic description",
PathDiagnosticLocation(D, Mgr.getSourceManager()), {});
}
};

class TestAction : public ASTFrontendAction {		class TestAction : public ASTFrontendAction {
class DiagConsumer : public PathDiagnosticConsumer {		class DiagConsumer : public PathDiagnosticConsumer {
llvm::raw_ostream &Output;		llvm::raw_ostream &Output;

public:		public:
DiagConsumer(llvm::raw_ostream &Output) : Output(Output) {}		DiagConsumer(llvm::raw_ostream &Output) : Output(Output) {}
void FlushDiagnosticsImpl(std::vector<const PathDiagnostic *> &Diags,		void FlushDiagnosticsImpl(std::vector<const PathDiagnostic *> &Diags,
FilesMade *filesMade) override {		FilesMade *filesMade) override {
Show All 12 Lines	public:
std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &Compiler,		std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &Compiler,
StringRef File) override {		StringRef File) override {
std::unique_ptr<AnalysisASTConsumer> AnalysisConsumer =		std::unique_ptr<AnalysisASTConsumer> AnalysisConsumer =
CreateAnalysisConsumer(Compiler);		CreateAnalysisConsumer(Compiler);
AnalysisConsumer->AddDiagnosticConsumer(new DiagConsumer(DiagsOutput));		AnalysisConsumer->AddDiagnosticConsumer(new DiagConsumer(DiagsOutput));
Compiler.getAnalyzerOpts()->CheckersControlList = {		Compiler.getAnalyzerOpts()->CheckersControlList = {
{"custom.CustomChecker", true}};		{"custom.CustomChecker", true}};
AnalysisConsumer->AddCheckerRegistrationFn([](CheckerRegistry &Registry) {		AnalysisConsumer->AddCheckerRegistrationFn([](CheckerRegistry &Registry) {
Registry.addChecker<CustomChecker>("custom.CustomChecker", "Description",		Registry.addChecker<CheckerT>("custom.CustomChecker", "Description", "");
"");
});		});
return std::move(AnalysisConsumer);		return std::move(AnalysisConsumer);
}		}
};		};

		template <typename CheckerT>
		bool runCheckerOnCode(const std::string &Code, std::string &Diags) {
		llvm::raw_string_ostream OS(Diags);
		return tooling::runToolOnCode(new TestAction<CheckerT>(OS), Code);
		}
		template <typename CheckerT>
		bool runCheckerOnCode(const std::string &Code) {
		std::string Diags;
		return runCheckerOnCode<CheckerT>(Code, Diags);
		}


		class CustomChecker : public Checker<check::ASTCodeBody> {
		public:
		void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
		BugReporter &BR) const {
		BR.EmitBasicReport(D, this, "Custom diagnostic", categories::LogicError,
		"Custom diagnostic description",
		PathDiagnosticLocation(D, Mgr.getSourceManager()), {});
		}
		};

TEST(RegisterCustomCheckers, RegisterChecker) {		TEST(RegisterCustomCheckers, RegisterChecker) {
std::string Diags;		std::string Diags;
{		EXPECT_TRUE(runCheckerOnCode<CustomChecker>("void f() {;}", Diags));
llvm::raw_string_ostream OS(Diags);
EXPECT_TRUE(tooling::runToolOnCode(new TestAction(OS), "void f() {;}"));
}
EXPECT_EQ(Diags, "custom.CustomChecker:Custom diagnostic description");		EXPECT_EQ(Diags, "custom.CustomChecker:Custom diagnostic description");
}		}

		class LocIncDecChecker : public Checker<check::Location> {
		public:
		void checkLocation(SVal Loc, bool IsLoad, const Stmt *S,
		CheckerContext &C) const {
		auto UnaryOp = dyn_cast<UnaryOperator>(S);
		if (UnaryOp && !IsLoad)
		EXPECT_FALSE(UnaryOp->isIncrementOp());
		}
		};

		TEST(RegisterCustomCheckers, CheckLocationIncDec) {
		EXPECT_TRUE(
		runCheckerOnCode<LocIncDecChecker>("void f() { int p; (p)++; }"));
		}

}		}
}		}
}		}