This is an archive of the discontinued LLVM Phabricator instance.

Differential D56632

[analyzer] Track region liveness only through base regions.
ClosedPublic

Authored by NoQ on Jan 11 2019, 7:16 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
george.karpenkov
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Commits
rG2ed0e79bb8ef: [analyzer] Make sure base-region and its sub-regions are either all alive or…
rL351499: [analyzer] Make sure base-region and its sub-regions are either all alive or…
rC351499: [analyzer] Make sure base-region and its sub-regions are either all alive or…
Summary

This is a follow-up to D56042.

When a memory region is live, all its sub-regions and super-regions are automatically live (and vice versa), so it is only necessary to track liveness of base regions. This is exactly how we imagined this to work, but it turns out that it didn't.

The reason why it works correctly most of the time because the reachable symbol scanner is automatically marks all parent regions as reachable - and therefore they are marked as live by adding all of them to region roots every time a sub-region is marked as live. However, enumerating all *child* regions this way is problematic (there may be infinitely many of them).

In the test from D56042, the symbol for p.x dies because when .get() is called for the last time only p is kept alive by the Environment, but not p.x. Due to that, reg_$0<p.x> is believed to be dead - recall that SymbolRegionValue is kept alive by its parent region, and additionally notice that there are no explicit bindings anywhere else to keep it alive (because SymbolRegionValue is simply assumed to be there as long as the parent region is alive, rather than bound explicitly).

Now, when the RegionRoots test fails, isLiveRegion() falls through to see if the region is "lexically" alive. Here it correctly jumps to the base region p and looks if live variables analysis thinks it's alive. It doesn't! Because there's no need to compute expression 'p' anymore anywhere in the program.

What isLiveRegion() should have done is look up the base region in RegionRoots. But it doesn't. Hence the patch.

The newly added test_A demonstrates the problem even more clearly: having the symbol for a.x die before the call to a.foo() is definitely incorrect.

The other test, test_B, is an attempt to figure out whether the problem is also there "in the opposite direction". That is, when b.a is marked live, is b marked live automatically? Otherwise the lookup in RegionRoots would still fail.

The answer is yes, it does work correctly, because scanReachableSymbols always scans the whole super-region chain of every region. Which means that every time the Environment or the Store marks a region as live, all of its super-regions are added to RegionRoots. However, i would still like to add conversion to the base region into markLive(), because this behavior is something that should be guaranteed by SymbolReaper rather implied by callers manually, even if the callers have to do that anyway.

So for now the change in markLive() does not affect functionality at all, but it will be important when checkers use the checkLiveSymbols() functionality more aggressively. Additionally it slightly decreases the size of the RegionRoots map for faster lookups but adds an extra time overhead for marking something as live (need to ascend to the base region). I didn't try to figure out whether it gives a net gain in performance.

For that reason the unit test as well. Also a few convenient getters were added to ExprEngine in order to make the test more concise.

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Jan 11 2019, 7:16 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 3 others. · View Herald TranscriptJan 11 2019, 7:16 PM
NoQ updated this revision to Diff 181419.Jan 11 2019, 7:56 PM
NoQ marked an inline comment as done.

Prettify the unittest a bit, especially the ASTMatcher part of it.

baloghadamsoftware added a comment.Jan 14 2019, 7:31 AM

This seems to be an important fix. Thank you!

Did you measure decrease in the false-positive rate or an increase in the true-positive rate on real code? I expect some.

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
390

Is this comment intentionally deleted?

Szelethus accepted this revision.Jan 14 2019, 7:49 AM

Awesome detective work! I glanced over the code, it looks great. I'd love to dedicate more time to your liveness-related patches, but university is a thing, so finding typos and the like is the best I can do for a while.

Wild thought, would debug.DumpLiveStmts be of any use here?

test/Analysis/symbol-reaper.cpp
2

Core intentionally left out?

32

N00b question: What does SYMBOL DEAD mean here exactly?

unittests/StaticAnalyzer/CMakeLists.txt
8

Woohoo!

This revision is now accepted and ready to land.Jan 14 2019, 7:49 AM
xazax.hun added a comment.EditedJan 14 2019, 8:33 AM

I really like all this detective work and it would be sad to have it forgotten. I would love to see some of your comments in the documentation of symbol reaper.
More specifically:

When a memory region is live, all its sub-regions and super-regions are automatically live (and vice versa), so it is only necessary to track liveness of base regions.

I think this is non-obvious. If we had all the information it would make perfect sense to have a dead field in an alive struct. But since the liveness analysis is intraprocedural and we cannot know what happens to a struct when it escapes we have no choice but keep the field alive. A more sophisticated analysis (which is also likely to be more expensive) could have dead fields in an alive struct in case the struct never escapes.

The answer is yes, it does work correctly, because scanReachableSymbols always scans the whole super-region chain of every region. Which means that every time the Environment or the Store marks a region as live, all of its super-regions are added to RegionRoots. However, i would still like to add conversion to the base region into markLive(), because this behavior is something that should be guaranteed by SymbolReaper rather implied by callers manually, even if the callers have to do that anyway.

I did not really follow, but probably my understanding of how memory regions work is not correct. If we work with base regions, why do we still need to scan the whole super-region chain?

a_sidorin added a comment.Jan 14 2019, 1:23 PM

Hi Artem,
This looks perfect, just some stylish issues.

test/Analysis/symbol-reaper.cpp
14

//FIXME?

unittests/StaticAnalyzer/SymbolReaperTest.cpp
53

It looks like selectFirst helper is what you need here.

54

This loop will be executed one time only.

98

Nit: const auto *D : DG

NoQ updated this revision to Diff 181961.EditedJan 15 2019, 6:13 PM
NoQ marked 12 inline comments as done.

Fix stuff.

In D56632#1356163, @baloghadamsoftware wrote:

Did you measure decrease in the false-positive rate or an increase in the true-positive rate on real code? I expect some.

In progress :)

In D56632#1356249, @xazax.hun wrote:

When a memory region is live, all its sub-regions and super-regions are automatically live (and vice versa), so it is only necessary to track liveness of base regions.

I think this is non-obvious. If we had all the information it would make perfect sense to have a dead field in an alive struct. But since the liveness analysis is intraprocedural and we cannot know what happens to a struct when it escapes we have no choice but keep the field alive. A more sophisticated analysis (which is also likely to be more expensive) could have dead fields in an alive struct in case the struct never escapes.

Great point indeed! I vaguely remember that some other tools do actually work that way. If a field is not referenced anywhere in the path and there's no weird pointer arithmetic going on upon the variable, we can actually diagnose a leak of the value within the field *before* the variable itself dies. Even intraprocedurally, we can just handle escapes and still do slightly better than we do now. This gets really valuable when the variable is, say, a non-escaping static (local or global). The variable never dies, but there may still be no deallocation for the field anywhere in the code and we may be able to see this within the translation unit. This doesn't have to have anything to do with fields though, the variable itself may carry the leaking pointer. Same with private fields regardless of storage. Neat food for thought.

Added a comment. Is there anything else worth documenting here, other than "the whole damn thing"?

The answer is yes, it does work correctly, because scanReachableSymbols always scans the whole super-region chain of every region. Which means that every time the Environment or the Store marks a region as live, all of its super-regions are added to RegionRoots. However, i would still like to add conversion to the base region into markLive(), because this behavior is something that should be guaranteed by SymbolReaper rather implied by callers manually, even if the callers have to do that anyway.

I did not really follow, but probably my understanding of how memory regions work is not correct. If we work with base regions, why do we still need to scan the whole super-region chain?

It's just that scanReachableSymbols is written that way, and it's used everywhere for these kind of purposes. I.e., we (i.e., SymbolReaper) don't (i.e., doesn't) need to scan the whole chain of regions (apart from the markElementIndicesLive() thing... wait a minute, does it work in the opposite direction? - i.e., if an array-typed region is live, does it automatically mean that all index symbols in all element regions within it are actually treated as live everywhere in the program state? - need to check), but this behavior is re-used from other users scanReachableSymbols (wait a minute, do any of the other users actually need that? - i'm not immediately seeing any user actually need that, it seems that *everybody* operates on base regions only - but probably it's anyway not that much slower than jumping to the base region directly - need to check).

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
390

Yeah, i don't think anybody remembers what was that about and there doesn't seem to be an immediate need in something like that.

Hmm, why did i delete it as part of that revision? I guess because i was moving these helper methods around. Let me bring them back because this place is actually better, now that i think about it.

Also i wonder if anybody ever uses this const getter two lines below (or even passes ExprEngine by const reference anywhere). Hmm, seems to compile without it.

test/Analysis/symbol-reaper.cpp
2

Thx ^.^ No, just still have this habit since before it was decided to make it mandatory >.<

14

Yeah, i guess it's a more polite way of expressing it :)

32

It's a warning produced by clang_analyzer_warnOnDeadSymbol(a.x) when the value that was in a.x (that was there when that function was called) dies. This is an ExprInspection utility that was created in order to test SymbolReaper more directly. See symbol-reaper.c for more such tests.

unittests/StaticAnalyzer/SymbolReaperTest.cpp
53

Wow, this one's handy.

98

Fxd^^

xazax.hun accepted this revision.EditedJan 16 2019, 3:59 AM

Thanks, LGTM! It is interesting to see if we need to traverse all the super regions in scanReachableSymbols, but if we need to change something there, I would prefer that to be in a separate patch.
If visiting the whole super region chain proved to be redundant I would recommend removing it for clarity regardless of having a performance impact.

If you find out the reason why we need markElementIndicesLive, documenting that would also be useful. But it is also independent of this change.
Maybe something like we could learn new information regarding the indices after they are dead?
Like:

void f(int i, char *c) {
    char e = c[i];
    if (strlen(c) == 5) {
         // The value of `i` is no longer used, could be dead
         // but we did learn something new. Assuming no UB, `i <= 5` (if null terminated).
         // So maybe having symbols for indices around for representing the info above is useful?
        use(c);
    }
}

One fundamental question is, do we have one property here or two?
Maybe the liveness analysis we use for leaks (and other purposes?),
and the garbage collection of symbols are inherently two different kind of things that are only slightly related?

Szelethus added inline comments.Jan 16 2019, 4:48 AM
test/Analysis/symbol-reaper.cpp
32

Oooh right. I thought it's produced by clang_analyzer_eval(glob);. Thanks!

NoQ added a comment.Jan 16 2019, 1:46 PM
In D56632#1359576, @xazax.hun wrote:

If you find out the reason why we need markElementIndicesLive, documenting that would also be useful. But it is also independent of this change.
Maybe something like we could learn new information regarding the indices after they are dead?
Like:

void f(int i, char *c) {
    char e = c[i];
    if (strlen(c) == 5) {
         // The value of `i` is no longer used, could be dead
         // but we did learn something new. Assuming no UB, `i <= 5` (if null terminated).
         // So maybe having symbols for indices around for representing the info above is useful?
        use(c);
    }
}

Yep, that was pretty much the original motivation behind adding this functionality in D12726.

A more ridiculous example:

struct rlimit rlim;
getrlimit(RLIMIT_NOFILE, &lim); // Max file descriptor on the system.
int *arr = calloc(rlim.rlim_cur, sizeof(int)); // An expensive but fast map from FDs to ints.
arr[open("foo.txt", O_RDONLY)] = 1; // Remember that this descriptor is open.

After that even though the file descriptor is otherwise dead, as long as arr is alive and its contents are more or less preserved, you can close the file as follows:

for (int i = 0; i < rlim.lim_cur; ++i)
  if (arr[i] == 1)
    close(i);

Therefore, we kinda should not diagnose a file descriptor leak here.

One fundamental question is, do we have one property here or two?
Maybe the liveness analysis we use for leaks (and other purposes?),
and the garbage collection of symbols are inherently two different kind of things that are only slightly related?

This constantly bothers me, but surprisingly, i don't see any reasonable counter-examples to them being the same thing.

One of the brightest examples i have is that if the parent region of a LazyCompoundVal is an ElementRegion with symbolic index, constraints on its index ideally need to be kept alive in order to access the data within the LazyCompoundVal as accurately as possible, but it's not really accessible from within the program because the parent region of a LazyCompoundVal is entirely immaterial. However, this is merely a weird implementation detail of our LazyCompoundVals: we could have implemented "eager" compound values instead, and in that case it wouldn't have been a problem anymore. Note that it is not a sufficient solution to simply make LazyCompoundVal capture constraints together with the store, because constraints might have improved since then (and then dropped, and only then we're trying to load the value).

So i believe that as long as our state is not over-saturated with information (i.e., it looks kinda like a normalized database), then the amount of information we need to track is going to be exactly as much as the programmer is able to extract from memory in run-time.

george.karpenkov accepted this revision.Jan 17 2019, 3:07 PM
NoQ added a comment.Jan 17 2019, 3:15 PM
In D56632#1359215, @NoQ wrote:
In D56632#1356163, @baloghadamsoftware wrote:

Did you measure decrease in the false-positive rate or an increase in the true-positive rate on real code? I expect some.

In progress :)

Moderately surprisingly, i found no changes at all. I guess it's pretty rare that the object dies out from Environment last in such manner while its original field symbol values are still important. Still worth fixing though - might have been worse, you never know... also peace of mind.

Closed by commit rC351499: [analyzer] Make sure base-region and its sub-regions are either all alive or… (authored by NoQ). · Explain WhyJan 17 2019, 4:12 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
11 lines
lib/
StaticAnalyzer/
Core/
4 lines
10 lines
test/
Analysis/
diagnostics/
19 lines
60 lines
unittests/
StaticAnalyzer/
1 line
121 lines

Diff 182410

include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 125 Lines▼ Show 20 Linesprivate:
ExplodedGraph &G; ExplodedGraph &G;
/// StateMgr - Object that manages the data for all created states. /// StateMgr - Object that manages the data for all created states.
ProgramStateManager StateMgr; ProgramStateManager StateMgr;
/// SymMgr - Object that manages the symbol information. /// SymMgr - Object that manages the symbol information.
SymbolManager &SymMgr; SymbolManager &SymMgr;
/// MRMgr - MemRegionManager object that creates memory regions.
MemRegionManager &MRMgr;
/// svalBuilder - SValBuilder object that creates SVals from expressions. /// svalBuilder - SValBuilder object that creates SVals from expressions.
SValBuilder &svalBuilder; SValBuilder &svalBuilder;
unsigned int currStmtIdx = 0; unsigned int currStmtIdx = 0;
const NodeBuilderContext *currBldrCtx = nullptr; const NodeBuilderContext *currBldrCtx = nullptr;
/// Helper object to determine if an Objective-C message expression /// Helper object to determine if an Objective-C message expression
/// implicitly never returns. /// implicitly never returns.
Show All 33 Lines bool ExecuteWorkListWithInitialState(const LocationContext *L, unsigned Steps,
return Engine.ExecuteWorkListWithInitialState(L, Steps, InitState, Dst); return Engine.ExecuteWorkListWithInitialState(L, Steps, InitState, Dst);
} }
/// getContext - Return the ASTContext associated with this analysis. /// getContext - Return the ASTContext associated with this analysis.
ASTContext &getContext() const { return AMgr.getASTContext(); } ASTContext &getContext() const { return AMgr.getASTContext(); }
AnalysisManager &getAnalysisManager() override { return AMgr; } AnalysisManager &getAnalysisManager() override { return AMgr; }
AnalysisDeclContextManager &getAnalysisDeclContextManager() {
return AMgr.getAnalysisDeclContextManager();
}
CheckerManager &getCheckerManager() const { CheckerManager &getCheckerManager() const {
return *AMgr.getCheckerManager(); return *AMgr.getCheckerManager();
} }
SValBuilder &getSValBuilder() { return svalBuilder; } SValBuilder &getSValBuilder() { return svalBuilder; }
BugReporter &getBugReporter() { return BR; } BugReporter &getBugReporter() { return BR; }
▲ Show 20 LinesShow All 191 Lines▼ Show 20 Lines ConstraintManager &getConstraintManager() {
return StateMgr.getConstraintManager(); return StateMgr.getConstraintManager();
} }
// FIXME: Remove when we migrate over to just using SValBuilder. // FIXME: Remove when we migrate over to just using SValBuilder.
BasicValueFactory &getBasicVals() { BasicValueFactory &getBasicVals() {
return StateMgr.getBasicVals(); return StateMgr.getBasicVals();
} }
// FIXME: Remove when we migrate over to just using ValueManager.
baloghadamsoftwareUnsubmitted
Done
ReplyInline Actions

Is this comment intentionally deleted?

baloghadamsoftware: Is this comment intentionally deleted?
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, i don't think anybody remembers what was that about and there doesn't seem to be an immediate need in something like that.

Hmm, why did i delete it as part of that revision? I guess because i was moving these helper methods around. Let me bring them back because this place is actually better, now that i think about it.

Also i wonder if anybody ever uses this const getter two lines below (or even passes ExprEngine by const reference anywhere). Hmm, seems to compile without it.

NoQ: Yeah, i don't think anybody remembers what was that about and there doesn't seem to be an…
SymbolManager &getSymbolManager() { return SymMgr; } SymbolManager &getSymbolManager() { return SymMgr; }
const SymbolManager &getSymbolManager() const { return SymMgr; } MemRegionManager &getRegionManager() { return MRMgr; }
// Functions for external checking of whether we have unfinished work // Functions for external checking of whether we have unfinished work
bool wasBlocksExhausted() const { return Engine.wasBlocksExhausted(); } bool wasBlocksExhausted() const { return Engine.wasBlocksExhausted(); }
bool hasEmptyWorkList() const { return !Engine.getWorkList()->hasWork(); } bool hasEmptyWorkList() const { return !Engine.getWorkList()->hasWork(); }
bool hasWorkRemaining() const { return Engine.hasWorkRemaining(); } bool hasWorkRemaining() const { return Engine.hasWorkRemaining(); }
const CoreEngine &getCoreEngine() const { return Engine; } const CoreEngine &getCoreEngine() const { return Engine; }
▲ Show 20 LinesShow All 442 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 192 Lines▼ Show 20 LinesExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
InliningModes HowToInlineIn) InliningModes HowToInlineIn)
: CTU(CTU), AMgr(mgr), : CTU(CTU), AMgr(mgr),
AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()), AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()),
Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()), Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()),
StateMgr(getContext(), mgr.getStoreManagerCreator(), StateMgr(getContext(), mgr.getStoreManagerCreator(),
mgr.getConstraintManagerCreator(), G.getAllocator(), mgr.getConstraintManagerCreator(), G.getAllocator(),
this), this),
SymMgr(StateMgr.getSymbolManager()), SymMgr(StateMgr.getSymbolManager()),
svalBuilder(StateMgr.getSValBuilder()), ObjCNoRet(mgr.getASTContext()), MRMgr(StateMgr.getRegionManager()),
svalBuilder(StateMgr.getSValBuilder()),
ObjCNoRet(mgr.getASTContext()),
BR(mgr, *this), BR(mgr, *this),
VisitedCallees(VisitedCalleesIn), HowToInline(HowToInlineIn) { VisitedCallees(VisitedCalleesIn), HowToInline(HowToInlineIn) {
unsigned TrimInterval = mgr.options.GraphTrimInterval; unsigned TrimInterval = mgr.options.GraphTrimInterval;
if (TrimInterval != 0) { if (TrimInterval != 0) {
// Enable eager node reclamation when constructing the ExplodedGraph. // Enable eager node reclamation when constructing the ExplodedGraph.
G.enableNodeReclamation(TrimInterval); G.enableNodeReclamation(TrimInterval);
} }
} }
▲ Show 20 LinesShow All 2,906 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/SymbolManager.cpp

Show First 20 LinesShow All 399 Lines▼ Show 20 Lines
} }
void SymbolReaper::markLive(SymbolRef sym) { void SymbolReaper::markLive(SymbolRef sym) {
TheLiving[sym] = NotProcessed; TheLiving[sym] = NotProcessed;
markDependentsLive(sym); markDependentsLive(sym);
} }
void SymbolReaper::markLive(const MemRegion *region) { void SymbolReaper::markLive(const MemRegion *region) {
RegionRoots.insert(region); RegionRoots.insert(region->getBaseRegion());
markElementIndicesLive(region); markElementIndicesLive(region);
} }
void SymbolReaper::markElementIndicesLive(const MemRegion *region) { void SymbolReaper::markElementIndicesLive(const MemRegion *region) {
for (auto SR = dyn_cast<SubRegion>(region); SR; for (auto SR = dyn_cast<SubRegion>(region); SR;
SR = dyn_cast<SubRegion>(SR->getSuperRegion())) { SR = dyn_cast<SubRegion>(SR->getSuperRegion())) {
if (const auto ER = dyn_cast<ElementRegion>(SR)) { if (const auto ER = dyn_cast<ElementRegion>(SR)) {
SVal Idx = ER->getIndex(); SVal Idx = ER->getIndex();
for (auto SI = Idx.symbol_begin(), SE = Idx.symbol_end(); SI != SE; ++SI) for (auto SI = Idx.symbol_begin(), SE = Idx.symbol_end(); SI != SE; ++SI)
markLive(*SI); markLive(*SI);
} }
} }
} }
void SymbolReaper::markInUse(SymbolRef sym) { void SymbolReaper::markInUse(SymbolRef sym) {
if (isa<SymbolMetadata>(sym)) if (isa<SymbolMetadata>(sym))
MetadataInUse.insert(sym); MetadataInUse.insert(sym);
} }
bool SymbolReaper::isLiveRegion(const MemRegion *MR) { bool SymbolReaper::isLiveRegion(const MemRegion *MR) {
// TODO: For now, liveness of a memory region is equivalent to liveness of its
// base region. In fact we can do a bit better: say, if a particular FieldDecl
// is not used later in the path, we can diagnose a leak of a value within
// that field earlier than, say, the variable that contains the field dies.
MR = MR->getBaseRegion();
if (RegionRoots.count(MR)) if (RegionRoots.count(MR))
return true; return true;
MR = MR->getBaseRegion();
if (const auto *SR = dyn_cast<SymbolicRegion>(MR)) if (const auto *SR = dyn_cast<SymbolicRegion>(MR))
return isLive(SR->getSymbol()); return isLive(SR->getSymbol());
if (const auto *VR = dyn_cast<VarRegion>(MR)) if (const auto *VR = dyn_cast<VarRegion>(MR))
return isLive(VR, true); return isLive(VR, true);
// FIXME: This is a gross over-approximation. What we really need is a way to // FIXME: This is a gross over-approximation. What we really need is a way to
// tell if anything still refers to this region. Unlike SymbolicRegions, // tell if anything still refers to this region. Unlike SymbolicRegions,
▲ Show 20 LinesShow All 126 LinesShow Last 20 Lines

test/Analysis/diagnostics/dtors.cpp

// RUN: %clang_analyze_cc1 -w -analyzer-checker=core,cplusplus -verify %s // RUN: %clang_analyze_cc1 -w -analyzer-checker=core,cplusplus -analyzer-output=text -verify %s
// expected-no-diagnostics
namespace no_crash_on_delete_dtor { namespace no_crash_on_delete_dtor {
// We were crashing when producing diagnostics for this code. // We were crashing when producing diagnostics for this code, but not for the
// report that it currently emits. Instead, Static Analyzer was thinking that
// p.get()->foo() is a null dereference because it was dropping
// constraints over x too early and took a different branch next time
// we call .get().
struct S { struct S {
void foo(); void foo();
~S(); ~S();
}; };
struct smart_ptr { struct smart_ptr {
int x; int x;
S *s; S *s;
smart_ptr(S *); smart_ptr(S *);
S *get() { S *get() {
return (x || 0) ? nullptr : s; return (x || 0) ? nullptr : s; // expected-note{{Left side of '||' is false}}
// expected-note@-1{{'?' condition is false}}
// expected-warning@-2{{Use of memory after it is freed}}
// expected-note@-3{{Use of memory after it is freed}}
} }
}; };
void bar(smart_ptr p) { void bar(smart_ptr p) {
delete p.get(); delete p.get(); // expected-note{{Memory is released}}
p.get()->foo(); p.get()->foo(); // expected-note{{Calling 'smart_ptr::get'}}
} }
} // namespace no_crash_on_delete_dtor } // namespace no_crash_on_delete_dtor

test/Analysis/symbol-reaper.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
SzelethusUnsubmitted
Done
ReplyInline Actions

Core intentionally left out?

Szelethus: Core intentionally left out?
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Thx ^.^ No, just still have this habit since before it was decided to make it mandatory >.<

NoQ: Thx ^.^ No, just still have this habit since before it was decided to make it mandatory >.<
void clang_analyzer_eval(int);
void clang_analyzer_warnOnDeadSymbol(int);
namespace test_dead_region_with_live_subregion_in_environment {
int glob;
struct A {
int x;
void foo() {
// FIXME: Maybe just let clang_analyzer_eval() work within callees already?
// The glob variable shouldn't keep our symbol alive because
a_sidorinUnsubmitted
Done
ReplyInline Actions

//FIXME?

a_sidorin: //FIXME?
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, i guess it's a more polite way of expressing it :)

NoQ: Yeah, i guess it's a more polite way of expressing it :)
// 'x != 0' is concrete 'true'.
glob = (x != 0);
}
};
void test_A(A a) {
if (a.x == 0)
return;
clang_analyzer_warnOnDeadSymbol(a.x);
// What we're testing is that a.x is alive until foo() exits.
a.foo(); // no-warning // (i.e., no 'SYMBOL DEAD' yet)
// Let's see if constraints on a.x were known within foo().
clang_analyzer_eval(glob); // expected-warning{{TRUE}}
// expected-warning@-1{{SYMBOL DEAD}}
}
SzelethusUnsubmitted
Not Done
ReplyInline Actions

N00b question: What does SYMBOL DEAD mean here exactly?

Szelethus: N00b question: What does `SYMBOL DEAD` mean here exactly?
NoQAuthorUnsubmitted
Done
ReplyInline Actions

It's a warning produced by clang_analyzer_warnOnDeadSymbol(a.x) when the value that was in a.x (that was there when that function was called) dies. This is an ExprInspection utility that was created in order to test SymbolReaper more directly. See symbol-reaper.c for more such tests.

NoQ: It's a warning produced by `clang_analyzer_warnOnDeadSymbol(a.x)` when the value that was in `a.
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Oooh right. I thought it's produced by clang_analyzer_eval(glob);. Thanks!

Szelethus: Oooh right. I thought it's produced by `clang_analyzer_eval(glob);`. Thanks!
struct B {
A a;
int y;
};
A &noop(A &a) {
// This function ensures that the 'b' expression within its argument
// would be cleaned up before its call, so that only 'b.a' remains
// in the Environment.
return a;
}
void test_B(B b) {
if (b.a.x == 0)
return;
clang_analyzer_warnOnDeadSymbol(b.a.x);
// What we're testing is that b.a.x is alive until foo() exits.
noop(b.a).foo(); // no-warning // (i.e., no 'SYMBOL DEAD' yet)
// Let's see if constraints on a.x were known within foo().
clang_analyzer_eval(glob); // expected-warning{{TRUE}}
// expected-warning@-1{{SYMBOL DEAD}}
}
} // namespace test_dead_region_with_live_subregion_in_environment

unittests/StaticAnalyzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS set(LLVM_LINK_COMPONENTS
Support Support
) )
add_clang_unittest(StaticAnalysisTests add_clang_unittest(StaticAnalysisTests
AnalyzerOptionsTest.cpp AnalyzerOptionsTest.cpp
RegisterCustomCheckersTest.cpp RegisterCustomCheckersTest.cpp
SymbolReaperTest.cpp
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Woohoo!

Szelethus: Woohoo!
) )
target_link_libraries(StaticAnalysisTests target_link_libraries(StaticAnalysisTests
PRIVATE PRIVATE
clangBasic clangBasic
clangAnalysis clangAnalysis
clangFrontend clangFrontend
clangSerialization clangSerialization
clangStaticAnalyzerCore clangStaticAnalyzerCore
clangStaticAnalyzerFrontend clangStaticAnalyzerFrontend
clangTooling clangTooling
) )

unittests/StaticAnalyzer/SymbolReaperTest.cpp

//===- unittests/StaticAnalyzer/SymbolReaperTest.cpp ----------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Frontend/CompilerInstance.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/CrossTU/CrossTranslationUnit.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/StaticAnalyzer/Frontend/AnalysisConsumer.h"
#include "clang/Tooling/Tooling.h"
#include "gtest/gtest.h"
namespace clang {
namespace ento {
namespace {
using namespace ast_matchers;
// A re-usable consumer that constructs ExprEngine out of CompilerInvocation.
// TODO: Actually re-use it when we write our second test.
class ExprEngineConsumer : public ASTConsumer {
protected:
CompilerInstance &C;
private:
// We need to construct all of these in order to construct ExprEngine.
CheckerManager ChkMgr;
cross_tu::CrossTranslationUnitContext CTU;
PathDiagnosticConsumers Consumers;
AnalysisManager AMgr;
SetOfConstDecls VisitedCallees;
FunctionSummariesTy FS;
protected:
ExprEngine Eng;
// Find a declaration in the current AST by name. This has nothing to do
// with ExprEngine but turns out to be handy.
// TODO: There's probably a better place for it.
template <typename T>
const T *findDeclByName(const Decl *Where, StringRef Name) {
auto Matcher = decl(hasDescendant(namedDecl(hasName(Name)).bind("d")));
auto Matches = match(Matcher, *Where, Eng.getContext());
assert(Matches.size() == 1 && "Ambiguous name!");
const T *Node = selectFirst<T>("d", Matches);
assert(Node && "Name not found!");
a_sidorinUnsubmitted
Done
ReplyInline Actions

It looks like selectFirst helper is what you need here.

a_sidorin: It looks like `selectFirst` helper is what you need here.
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Wow, this one's handy.

NoQ: Wow, this one's handy.
return Node;
a_sidorinUnsubmitted
Done
ReplyInline Actions

This loop will be executed one time only.

a_sidorin: This loop will be executed one time only.
}
public:
ExprEngineConsumer(CompilerInstance &C)
: C(C), ChkMgr(C.getASTContext(), *C.getAnalyzerOpts()), CTU(C),
Consumers(),
AMgr(C.getASTContext(), C.getDiagnostics(), Consumers,
CreateRegionStoreManager, CreateRangeConstraintManager, &ChkMgr,
*C.getAnalyzerOpts()),
VisitedCallees(), FS(),
Eng(CTU, AMgr, &VisitedCallees, &FS, ExprEngine::Inline_Regular) {}
};
class SuperRegionLivenessConsumer : public ExprEngineConsumer {
void performTest(const Decl *D) {
const auto *FD = findDeclByName<FieldDecl>(D, "x");
const auto *VD = findDeclByName<VarDecl>(D, "s");
assert(FD && VD);
// The variable must belong to a stack frame,
// otherwise SymbolReaper would think it's a global.
const StackFrameContext *SFC =
Eng.getAnalysisDeclContextManager().getStackFrame(D);
// Create regions for 's' and 's.x'.
const VarRegion *VR = Eng.getRegionManager().getVarRegion(VD, SFC);
const FieldRegion *FR = Eng.getRegionManager().getFieldRegion(FD, VR);
// Pass a null location context to the SymbolReaper so that
// it was thinking that the variable is dead.
SymbolReaper SymReaper((StackFrameContext *)nullptr, (Stmt *)nullptr,
Eng.getSymbolManager(), Eng.getStoreManager());
SymReaper.markLive(FR);
EXPECT_TRUE(SymReaper.isLiveRegion(VR));
}
public:
SuperRegionLivenessConsumer(CompilerInstance &C) : ExprEngineConsumer(C) {}
~SuperRegionLivenessConsumer() override {}
bool HandleTopLevelDecl(DeclGroupRef DG) override {
for (const auto *D : DG)
performTest(D);
a_sidorinUnsubmitted
Done
ReplyInline Actions

Nit: const auto *D : DG

a_sidorin: Nit: `const auto *D : DG`
NoQAuthorUnsubmitted
Done
ReplyInline Actions

Fxd^^

NoQ: Fxd^^
return true;
}
};
class SuperRegionLivenessAction: public ASTFrontendAction {
public:
SuperRegionLivenessAction() {}
std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &Compiler,
StringRef File) override {
auto Consumer = llvm::make_unique<SuperRegionLivenessConsumer>(Compiler);
return Consumer;
}
};
// Test that marking s.x as live would also make s live.
TEST(SymbolReaper, SuperRegionLiveness) {
EXPECT_TRUE(tooling::runToolOnCode(new SuperRegionLivenessAction,
"void foo() { struct S { int x; } s; }"));
}
} // namespace
} // namespace ento
} // namespace clang