This is an archive of the discontinued LLVM Phabricator instance.

Differential D58206

[analyzer] ConditionBRVisitor: MemberExpr support
ClosedPublic

Authored by Charusso on Feb 13 2019, 1:44 PM.

Details

Reviewers
NoQ
george.karpenkov
Commits
rGd1f0ec3f6430: [analyzer] ConditionBRVisitor: MemberExpr support
rC362026: [analyzer] ConditionBRVisitor: MemberExpr support
rL362026: [analyzer] ConditionBRVisitor: MemberExpr support
Summary

-

Diff Detail

Repository
rC Clang

Event Timeline

Charusso created this revision.Feb 13 2019, 1:44 PM
Herald added subscribers: dkrupp, donat.nagy, Szelethus and 5 others. · View Herald TranscriptFeb 13 2019, 1:44 PM
Charusso added a parent revision: D58199: [analyzer] ConditionBRVisitor: Remove duplicated code.Feb 13 2019, 1:44 PM
Charusso added a child revision: D58207: [analyzer] ConditionBRVisitor: Boolean support.
george.karpenkov added inline comments.Feb 18 2019, 4:23 PM
test/Analysis/uninit-vals.m
222

What happened to "assuming"?

Charusso updated this revision to Diff 187396.Feb 19 2019, 9:42 AM
Charusso marked 2 inline comments as done.
Charusso added inline comments.
test/Analysis/uninit-vals.m
222

I just cannot copy-paste properly.

NoQ added inline comments.Mar 6 2019, 6:49 PM
lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
2102–2104

I'm a bit worried that this source range can get veeeeeeeeery long because the object on which the member is taken may be relatively complicated to compute.

Why don't we just say field 'f' - i.e., something like Assuming field 'f' is null - either always, or when the sub-expression turns out to be too long to display?

2287–2291

...and then de-duplicate this code snippet into a function(?)

2298–2299

Is this a common thing to happen? Why don't other overrides of VisitTrueTest have such checks?

Charusso updated this revision to Diff 189924.Mar 8 2019, 1:59 PM
Charusso marked 4 inline comments as done.
  • Rebased and addressed comments.
lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
2298–2299

It is rare of course. I do not know why this is happening but it is a straightforward way to bypass such errors.

If I remove this Loc validation:

  • Analysis/call_once.cpp fails at:
UnaryOperator 0x55e6814f8770 'int' prefix '!' cannot overflow
`-ImplicitCastExpr 0x55e6814f8758 'unsigned long' <IntegralToBoolean>
  `-ImplicitCastExpr 0x55e6814f8740 'unsigned long' <LValueToRValue>
    `-MemberExpr 0x55e6814f8710 'unsigned long' lvalue .__state_ 0x55e6814cc710
      `-DeclRefExpr 0x55e6814f86f0 'std::once_flag':'struct std::once_flag_s' lvalue ParmVar 0x55e6814ecbe0 'o' 'std::once_flag &'
  • Analysis/html_diagnostics/relevant_lines/synthesized_body.cpp fails at:
UnaryOperator 0x556bdac7cf80 'int' prefix '!' cannot overflow
`-ImplicitCastExpr 0x556bdac7cf68 'int' <IntegralToBoolean>
  `-ImplicitCastExpr 0x556bdac7cf50 'int' <LValueToRValue>
    `-MemberExpr 0x556bdac7cf20 'int' lvalue ._M_once 0x556bdac39b90
      `-DeclRefExpr 0x556bdac64440 'std::once_flag':'struct std::once_flag_s' lvalue ParmVar 0x556bdac63cc0 'o' 'std::once_flag &'
NoQ accepted this revision.Mar 25 2019, 2:23 PM

Looks great, thanks!

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
2298–2299

Hmm, body farms, okay. I guess nobody really knows what's going on in body farms, so let's keep it as is until we see more crashes. I'd expect other overrides of VisitTrueTest to grow such checks in the future.

This revision is now accepted and ready to land.Mar 25 2019, 2:23 PM
Charusso updated this revision to Diff 195073.Apr 14 2019, 9:05 AM
Charusso marked an inline comment as done.
  • Rebased
Charusso set the repository for this revision to rC Clang.May 29 2019, 1:22 PM
Herald added a subscriber: cfe-commits. · View Herald TranscriptMay 29 2019, 1:22 PM
Closed by commit rC362026: [analyzer] ConditionBRVisitor: MemberExpr support (authored by Charusso). · Explain WhyMay 29 2019, 1:27 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
8 lines
lib/
StaticAnalyzer/
Core/
69 lines
test/
Analysis/
Inputs/
expected-plists/
62 lines
diagnostics/
Inputs/
expected-plists/
8 lines
8 lines
9 lines
inlining/
Inputs/
expected-plists/
4 lines
2 lines
2 lines
8 lines
17 lines

Diff 202044

include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show First 20 LinesShow All 197 Lines▼ Show 20 Lines VisitTrueTest(const Expr *Cond, const DeclRefExpr *DR,
bool TookTrue, bool IsAssuming); bool TookTrue, bool IsAssuming);
std::shared_ptr<PathDiagnosticPiece> std::shared_ptr<PathDiagnosticPiece>
VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr, VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr,
BugReporterContext &BRC, BugReport &R, const ExplodedNode *N, BugReporterContext &BRC, BugReport &R, const ExplodedNode *N,
bool TookTrue, bool IsAssuming); bool TookTrue, bool IsAssuming);
std::shared_ptr<PathDiagnosticPiece> std::shared_ptr<PathDiagnosticPiece>
VisitTrueTest(const Expr *Cond, const MemberExpr *ME, BugReporterContext &BRC,
BugReport &R, const ExplodedNode *N, bool TookTrue,
bool IsAssuming);
std::shared_ptr<PathDiagnosticPiece>
VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr, VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr,
BugReporterContext &BRC, BugReport &R, BugReporterContext &BRC, BugReport &R,
const ExplodedNode *N, bool TookTrue); const ExplodedNode *N, bool TookTrue);
/// Tries to print the value of the given expression. /// Tries to print the value of the given expression.
/// ///
/// \param CondVarExpr The expression to print its value. /// \param CondVarExpr The expression to print its value.
/// \param Out The stream to print. /// \param Out The stream to print.
/// \param N The node where we encountered the condition. /// \param N The node where we encountered the condition.
/// \param TookTrue Whether we took the \c true branch of the condition. /// \param TookTrue Whether we took the \c true branch of the condition.
/// ///
/// \return Whether the print was successful. (The printing is successful if /// \return Whether the print was successful. (The printing is successful if
/// we model the value and we could obtain it.) /// we model the value and we could obtain it.)
bool printValue(const Expr *CondVarExpr, raw_ostream &Out, bool printValue(const Expr *CondVarExpr, raw_ostream &Out,
const ExplodedNode *N, bool TookTrue, bool IsAssuming); const ExplodedNode *N, bool TookTrue, bool IsAssuming);
bool patternMatch(const Expr *Ex, bool patternMatch(const Expr *Ex,
const Expr *ParentEx, const Expr *ParentEx,
raw_ostream &Out, raw_ostream &Out,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &R, BugReport &R,
const ExplodedNode *N, const ExplodedNode *N,
Optional<bool> &prunable); Optional<bool> &prunable,
bool IsSameFieldName);
static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece); static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece);
}; };
/// Suppress reports that might lead to known false positives. /// Suppress reports that might lead to known false positives.
/// ///
/// Currently this suppresses reports based on locations of bugs. /// Currently this suppresses reports based on locations of bugs.
class LikelyFalsePositiveSuppressionBRVisitor final class LikelyFalsePositiveSuppressionBRVisitor final
▲ Show 20 LinesShow All 131 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 1,985 Lines▼ Show 20 Lines switch (CondTmp->getStmtClass()) {
BRC, R, N, TookTrueTmp, IsAssuming)) BRC, R, N, TookTrueTmp, IsAssuming))
return P; return P;
break; break;
case Stmt::DeclRefExprClass: case Stmt::DeclRefExprClass:
if (auto P = VisitTrueTest(Cond, cast<DeclRefExpr>(CondTmp), if (auto P = VisitTrueTest(Cond, cast<DeclRefExpr>(CondTmp),
BRC, R, N, TookTrueTmp, IsAssuming)) BRC, R, N, TookTrueTmp, IsAssuming))
return P; return P;
break; break;
case Stmt::MemberExprClass:
if (auto P = VisitTrueTest(Cond, cast<MemberExpr>(CondTmp),
BRC, R, N, TookTrueTmp, IsAssuming))
return P;
break;
case Stmt::UnaryOperatorClass: { case Stmt::UnaryOperatorClass: {
const auto *UO = cast<UnaryOperator>(CondTmp); const auto *UO = cast<UnaryOperator>(CondTmp);
if (UO->getOpcode() == UO_LNot) { if (UO->getOpcode() == UO_LNot) {
TookTrueTmp = !TookTrueTmp; TookTrueTmp = !TookTrueTmp;
CondTmp = UO->getSubExpr(); CondTmp = UO->getSubExpr();
continue; continue;
} }
break; break;
Show All 18 Lines
} }
bool ConditionBRVisitor::patternMatch(const Expr *Ex, bool ConditionBRVisitor::patternMatch(const Expr *Ex,
const Expr *ParentEx, const Expr *ParentEx,
raw_ostream &Out, raw_ostream &Out,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &report, BugReport &report,
const ExplodedNode *N, const ExplodedNode *N,
Optional<bool> &prunable) { Optional<bool> &prunable,
bool IsSameFieldName) {
const Expr *OriginalExpr = Ex; const Expr *OriginalExpr = Ex;
Ex = Ex->IgnoreParenCasts(); Ex = Ex->IgnoreParenCasts();
if (isa<GNUNullExpr>(Ex) || isa<ObjCBoolLiteralExpr>(Ex) || if (isa<GNUNullExpr>(Ex) || isa<ObjCBoolLiteralExpr>(Ex) ||
isa<CXXBoolLiteralExpr>(Ex) || isa<IntegerLiteral>(Ex) || isa<CXXBoolLiteralExpr>(Ex) || isa<IntegerLiteral>(Ex) ||
isa<FloatingLiteral>(Ex)) { isa<FloatingLiteral>(Ex)) {
// Use heuristics to determine if the expression is a macro // Use heuristics to determine if the expression is a macro
// expanding to a literal and if so, use the macro's name. // expanding to a literal and if so, use the macro's name.
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines else if (OriginalTy->isObjCObjectPointerType()) {
return false; return false;
} }
} }
Out << IL->getValue(); Out << IL->getValue();
return false; return false;
} }
if (const auto *ME = dyn_cast<MemberExpr>(Ex)) {
if (!IsSameFieldName)
Out << "field '" << ME->getMemberDecl()->getName() << '\'';
else
Out << '\''
NoQUnsubmitted
Done
ReplyInline Actions

I'm a bit worried that this source range can get veeeeeeeeery long because the object on which the member is taken may be relatively complicated to compute.

Why don't we just say field 'f' - i.e., something like Assuming field 'f' is null - either always, or when the sub-expression turns out to be too long to display?

NoQ: I'm a bit worried that this source range can get veeeeeeeeery long because the object on which…
<< Lexer::getSourceText(
CharSourceRange::getTokenRange(Ex->getSourceRange()),
BRC.getSourceManager(), BRC.getASTContext().getLangOpts(), 0)
<< '\'';
}
return false; return false;
} }
std::shared_ptr<PathDiagnosticPiece> ConditionBRVisitor::VisitTrueTest( std::shared_ptr<PathDiagnosticPiece> ConditionBRVisitor::VisitTrueTest(
const Expr *Cond, const BinaryOperator *BExpr, BugReporterContext &BRC, const Expr *Cond, const BinaryOperator *BExpr, BugReporterContext &BRC,
BugReport &R, const ExplodedNode *N, bool TookTrue, bool IsAssuming) { BugReport &R, const ExplodedNode *N, bool TookTrue, bool IsAssuming) {
bool shouldInvert = false; bool shouldInvert = false;
Optional<bool> shouldPrune; Optional<bool> shouldPrune;
// Check if the field name of the MemberExprs is ambiguous. Example:
// " 'a.d' is equal to 'h.d' " in 'test/Analysis/null-deref-path-notes.cpp'.
bool IsSameFieldName = false;
if (const auto *LhsME =
dyn_cast<MemberExpr>(BExpr->getLHS()->IgnoreParenCasts()))
if (const auto *RhsME =
dyn_cast<MemberExpr>(BExpr->getRHS()->IgnoreParenCasts()))
IsSameFieldName = LhsME->getMemberDecl()->getName() ==
RhsME->getMemberDecl()->getName();
SmallString<128> LhsString, RhsString; SmallString<128> LhsString, RhsString;
{ {
llvm::raw_svector_ostream OutLHS(LhsString), OutRHS(RhsString); llvm::raw_svector_ostream OutLHS(LhsString), OutRHS(RhsString);
const bool isVarLHS = patternMatch(BExpr->getLHS(), BExpr, OutLHS, const bool isVarLHS = patternMatch(BExpr->getLHS(), BExpr, OutLHS, BRC, R,
BRC, R, N, shouldPrune); N, shouldPrune, IsSameFieldName);
const bool isVarRHS = patternMatch(BExpr->getRHS(), BExpr, OutRHS, const bool isVarRHS = patternMatch(BExpr->getRHS(), BExpr, OutRHS, BRC, R,
BRC, R, N, shouldPrune); N, shouldPrune, IsSameFieldName);
shouldInvert = !isVarLHS && isVarRHS; shouldInvert = !isVarLHS && isVarRHS;
} }
BinaryOperator::Opcode Op = BExpr->getOpcode(); BinaryOperator::Opcode Op = BExpr->getOpcode();
if (BinaryOperator::isAssignmentOp(Op)) { if (BinaryOperator::isAssignmentOp(Op)) {
// For assignment operators, all that we care about is that the LHS // For assignment operators, all that we care about is that the LHS
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines default:
Out << BinaryOperator::getOpcodeStr(Op) << ' '; Out << BinaryOperator::getOpcodeStr(Op) << ' ';
break; break;
} }
Out << (shouldInvert ? LhsString : RhsString); Out << (shouldInvert ? LhsString : RhsString);
const LocationContext *LCtx = N->getLocationContext(); const LocationContext *LCtx = N->getLocationContext();
PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx); PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx);
// Convert 'field ...' to 'Field ...' if it is a MemberExpr.
std::string Message = Out.str();
Message[0] = toupper(Message[0]);
// If we know the value create a pop-up note. // If we know the value create a pop-up note.
if (!IsAssuming) if (!IsAssuming)
return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Out.str()); return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Message);
auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str()); auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Message);
if (shouldPrune.hasValue()) if (shouldPrune.hasValue())
event->setPrunable(shouldPrune.getValue()); event->setPrunable(shouldPrune.getValue());
return event; return event;
} }
std::shared_ptr<PathDiagnosticPiece> ConditionBRVisitor::VisitConditionVariable( std::shared_ptr<PathDiagnosticPiece> ConditionBRVisitor::VisitConditionVariable(
StringRef LhsString, const Expr *CondVarExpr, BugReporterContext &BRC, StringRef LhsString, const Expr *CondVarExpr, BugReporterContext &BRC,
BugReport &report, const ExplodedNode *N, bool TookTrue) { BugReport &report, const ExplodedNode *N, bool TookTrue) {
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Lines else {
SVal V = state->getSVal(R); SVal V = state->getSVal(R);
if (report.isInteresting(V)) if (report.isInteresting(V))
event->setPrunable(false); event->setPrunable(false);
} }
} }
return std::move(event); return std::move(event);
} }
std::shared_ptr<PathDiagnosticPiece> ConditionBRVisitor::VisitTrueTest(
const Expr *Cond, const MemberExpr *ME, BugReporterContext &BRC,
BugReport &report, const ExplodedNode *N, bool TookTrue, bool IsAssuming) {
SmallString<256> Buf;
llvm::raw_svector_ostream Out(Buf);
Out << (IsAssuming ? "Assuming field '" : "Field '")
<< ME->getMemberDecl()->getName() << "' is ";
if (!printValue(ME, Out, N, TookTrue, IsAssuming))
return nullptr;
NoQUnsubmitted
Done
ReplyInline Actions

...and then de-duplicate this code snippet into a function(?)

NoQ: ...and then de-duplicate this code snippet into a function(?)
const LocationContext *LCtx = N->getLocationContext();
PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx);
if (!Loc.isValid() || !Loc.asLocation().isValid())
return nullptr;
// If we know the value create a pop-up note.
if (!IsAssuming)
return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Out.str());
NoQUnsubmitted
Done
ReplyInline Actions

Is this a common thing to happen? Why don't other overrides of VisitTrueTest have such checks?

NoQ: Is this a common thing to happen? Why don't other overrides of `VisitTrueTest` have such checks?
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

It is rare of course. I do not know why this is happening but it is a straightforward way to bypass such errors.

If I remove this Loc validation:

  • Analysis/call_once.cpp fails at:
UnaryOperator 0x55e6814f8770 'int' prefix '!' cannot overflow
`-ImplicitCastExpr 0x55e6814f8758 'unsigned long' <IntegralToBoolean>
  `-ImplicitCastExpr 0x55e6814f8740 'unsigned long' <LValueToRValue>
    `-MemberExpr 0x55e6814f8710 'unsigned long' lvalue .__state_ 0x55e6814cc710
      `-DeclRefExpr 0x55e6814f86f0 'std::once_flag':'struct std::once_flag_s' lvalue ParmVar 0x55e6814ecbe0 'o' 'std::once_flag &'
  • Analysis/html_diagnostics/relevant_lines/synthesized_body.cpp fails at:
UnaryOperator 0x556bdac7cf80 'int' prefix '!' cannot overflow
`-ImplicitCastExpr 0x556bdac7cf68 'int' <IntegralToBoolean>
  `-ImplicitCastExpr 0x556bdac7cf50 'int' <LValueToRValue>
    `-MemberExpr 0x556bdac7cf20 'int' lvalue ._M_once 0x556bdac39b90
      `-DeclRefExpr 0x556bdac64440 'std::once_flag':'struct std::once_flag_s' lvalue ParmVar 0x556bdac63cc0 'o' 'std::once_flag &'
Charusso: It is rare of course. I do not know why this is happening but it is a straightforward way to…
NoQUnsubmitted
Done
ReplyInline Actions

Hmm, body farms, okay. I guess nobody really knows what's going on in body farms, so let's keep it as is until we see more crashes. I'd expect other overrides of VisitTrueTest to grow such checks in the future.

NoQ: Hmm, body farms, okay. I guess nobody really knows what's going on in body farms, so let's keep…
return std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str());
}
bool ConditionBRVisitor::printValue(const Expr *CondVarExpr, raw_ostream &Out, bool ConditionBRVisitor::printValue(const Expr *CondVarExpr, raw_ostream &Out,
const ExplodedNode *N, bool TookTrue, const ExplodedNode *N, bool TookTrue,
bool IsAssuming) { bool IsAssuming) {
QualType Ty = CondVarExpr->getType(); QualType Ty = CondVarExpr->getType();
if (Ty->isPointerType()) { if (Ty->isPointerType()) {
Out << (TookTrue ? "non-null" : "null"); Out << (TookTrue ? "non-null" : "null");
return true; return true;
▲ Show 20 LinesShow All 255 LinesShow Last 20 Lines

test/Analysis/Inputs/expected-plists/edges-new.mm.plist

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 22,224 Lines▼ Show 20 Lines <key>edges</key>
<key>line</key><integer>587</integer> <key>line</key><integer>587</integer>
<key>col</key><integer>8</integer> <key>col</key><integer>8</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
</array> </array>
<key>end</key> <key>end</key>
<array> <array>
<dict> <dict>
<key>line</key><integer>587</integer>
<key>col</key><integer>11</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>587</integer>
<key>col</key><integer>11</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</dict>
</array>
</dict>
<dict>
<key>kind</key><string>pop-up</string>
<key>location</key>
<dict>
<key>line</key><integer>587</integer>
<key>col</key><integer>11</integer>
<key>file</key><integer>0</integer>
</dict>
<key>ranges</key>
<array>
<array>
<dict>
<key>line</key><integer>587</integer>
<key>col</key><integer>11</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>587</integer>
<key>col</key><integer>16</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
</array>
<key>extended_message</key>
<string>Field &apos;b&apos; is equal to 2</string>
<key>message</key>
<string>Field &apos;b&apos; is equal to 2</string>
</dict>
<dict>
<key>kind</key><string>control</string>
<key>edges</key>
<array>
<dict>
<key>start</key>
<array>
<dict>
<key>line</key><integer>587</integer>
<key>col</key><integer>11</integer>
<key>file</key><integer>0</integer>
</dict>
<dict>
<key>line</key><integer>587</integer>
<key>col</key><integer>11</integer>
<key>file</key><integer>0</integer>
</dict>
</array>
<key>end</key>
<array>
<dict>
<key>line</key><integer>588</integer> <key>line</key><integer>588</integer>
<key>col</key><integer>9</integer> <key>col</key><integer>9</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
<dict> <dict>
<key>line</key><integer>588</integer> <key>line</key><integer>588</integer>
<key>col</key><integer>9</integer> <key>col</key><integer>9</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 100 LinesShow Last 20 Lines

test/Analysis/diagnostics/Inputs/expected-plists/deref-track-symbolic-region.c.plist

Show First 20 LinesShow All 159 Lines▼ Show 20 Lines <array>
<key>line</key><integer>17</integer> <key>line</key><integer>17</integer>
<key>col</key><integer>11</integer> <key>col</key><integer>11</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
</array> </array>
</array> </array>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Assuming pointer value is null</string> <string>Assuming field &apos;x&apos; is null</string>
<key>message</key> <key>message</key>
<string>Assuming pointer value is null</string> <string>Assuming field &apos;x&apos; is null</string>
</dict> </dict>
<dict> <dict>
<key>kind</key><string>control</string> <key>kind</key><string>control</string>
<key>edges</key> <key>edges</key>
<array> <array>
<dict> <dict>
<key>start</key> <key>start</key>
<array> <array>
▲ Show 20 LinesShow All 270 Lines▼ Show 20 Lines <array>
<key>line</key><integer>32</integer> <key>line</key><integer>32</integer>
<key>col</key><integer>11</integer> <key>col</key><integer>11</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
</array> </array>
</array> </array>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Assuming pointer value is null</string> <string>Assuming field &apos;x&apos; is null</string>
<key>message</key> <key>message</key>
<string>Assuming pointer value is null</string> <string>Assuming field &apos;x&apos; is null</string>
</dict> </dict>
<dict> <dict>
<key>kind</key><string>control</string> <key>kind</key><string>control</string>
<key>edges</key> <key>edges</key>
<array> <array>
<dict> <dict>
<key>start</key> <key>start</key>
<array> <array>
▲ Show 20 LinesShow All 190 LinesShow Last 20 Lines

test/Analysis/diagnostics/deref-track-symbolic-region.c

Show All 9 Lines
int *foo(); int *foo();
void test(struct S syz, int *pp) { void test(struct S syz, int *pp) {
int m = 0; int m = 0;
syz.x = foo(); // expected-note{{Value assigned to 'syz.x'}} syz.x = foo(); // expected-note{{Value assigned to 'syz.x'}}
struct S *ps = &syz; struct S *ps = &syz;
if (ps->x) if (ps->x)
//expected-note@-1{{Taking false branch}} //expected-note@-1{{Assuming field 'x' is null}}
//expected-note@-2{{Assuming pointer value is null}} //expected-note@-2{{Taking false branch}}
m++; m++;
m += *syz.x; // expected-warning{{Dereference of null pointer (loaded from field 'x')}} m += *syz.x; // expected-warning{{Dereference of null pointer (loaded from field 'x')}}
// expected-note@-1{{Dereference of null pointer (loaded from field 'x')}} // expected-note@-1{{Dereference of null pointer (loaded from field 'x')}}
} }
void testTrackConstraintBRVisitorIsTrackingTurnedOn(struct S syz, int *pp) { void testTrackConstraintBRVisitorIsTrackingTurnedOn(struct S syz, int *pp) {
int m = 0; int m = 0;
syz.x = foo(); // expected-note{{Value assigned to 'syz.x'}} syz.x = foo(); // expected-note{{Value assigned to 'syz.x'}}
struct S *ps = &syz; struct S *ps = &syz;
if (ps->x) if (ps->x)
//expected-note@-1{{Taking false branch}} //expected-note@-1{{Assuming field 'x' is null}}
//expected-note@-2{{Assuming pointer value is null}} //expected-note@-2{{Taking false branch}}
m++; m++;
int *p = syz.x; //expected-note {{'p' initialized to a null pointer value}} int *p = syz.x; //expected-note {{'p' initialized to a null pointer value}}
m = *p; // expected-warning {{Dereference of null pointer (loaded from variable 'p')}} m = *p; // expected-warning {{Dereference of null pointer (loaded from variable 'p')}}
// expected-note@-1 {{Dereference of null pointer (loaded from variable 'p')}} // expected-note@-1 {{Dereference of null pointer (loaded from variable 'p')}}
} }

test/Analysis/diagnostics/dtors.cpp

Show All 10 Linesstruct S {
~S(); ~S();
}; };
struct smart_ptr { struct smart_ptr {
int x; int x;
S *s; S *s;
smart_ptr(S *); smart_ptr(S *);
S *get() { S *get() {
return (x || 0) ? nullptr : s; // expected-note{{Left side of '||' is false}} return (x || 0) ? nullptr : s; // expected-note{{Field 'x' is 0}}
// expected-note@-1{{'?' condition is false}} // expected-note@-1{{Left side of '||' is false}}
// expected-warning@-2{{Use of memory after it is freed}} // expected-note@-2{{'?' condition is false}}
// expected-note@-3{{Use of memory after it is freed}} // expected-warning@-3{{Use of memory after it is freed}}
// expected-note@-4{{Use of memory after it is freed}}
} }
}; };
void bar(smart_ptr p) { void bar(smart_ptr p) {
delete p.get(); // expected-note{{Memory is released}} delete p.get(); // expected-note{{Memory is released}}
p.get()->foo(); // expected-note{{Calling 'smart_ptr::get'}} p.get()->foo(); // expected-note{{Calling 'smart_ptr::get'}}
} }
} // namespace no_crash_on_delete_dtor } // namespace no_crash_on_delete_dtor

test/Analysis/inlining/Inputs/expected-plists/path-notes.cpp.plist

Show First 20 LinesShow All 4,265 Lines▼ Show 20 Lines <array>
<key>line</key><integer>234</integer> <key>line</key><integer>234</integer>
<key>col</key><integer>8</integer> <key>col</key><integer>8</integer>
<key>file</key><integer>0</integer> <key>file</key><integer>0</integer>
</dict> </dict>
</array> </array>
</array> </array>
<key>depth</key><integer>0</integer> <key>depth</key><integer>0</integer>
<key>extended_message</key> <key>extended_message</key>
<string>Assuming pointer value is null</string> <string>Assuming field &apos;arr&apos; is null</string>
<key>message</key> <key>message</key>
<string>Assuming pointer value is null</string> <string>Assuming field &apos;arr&apos; is null</string>
</dict> </dict>
<dict> <dict>
<key>kind</key><string>control</string> <key>kind</key><string>control</string>
<key>edges</key> <key>edges</key>
<array> <array>
<dict> <dict>
<key>start</key> <key>start</key>
<array> <array>
▲ Show 20 LinesShow All 943 LinesShow Last 20 Lines

test/Analysis/inlining/path-notes.cpp

Show First 20 LinesShow All 225 Lines▼ Show 20 Linesstruct Owner {
struct Wrapper { struct Wrapper {
int x; int x;
}; };
Wrapper *arr; Wrapper *arr;
void testGetDerefExprOnMemberExprWithADot(); void testGetDerefExprOnMemberExprWithADot();
}; };
void Owner::testGetDerefExprOnMemberExprWithADot() { void Owner::testGetDerefExprOnMemberExprWithADot() {
if (arr) // expected-note {{Assuming pointer value is null}} if (arr) // expected-note {{Assuming field 'arr' is null}}
// expected-note@-1 {{Taking false branch}} // expected-note@-1 {{Taking false branch}}
; ;
arr[1].x = 1; //expected-warning {{Dereference of null pointer}} arr[1].x = 1; //expected-warning {{Dereference of null pointer}}
//expected-note@-1 {{Dereference of null pointer}} //expected-note@-1 {{Dereference of null pointer}}
} }
void testGetDerefExprOnMemberExprWithADot() { void testGetDerefExprOnMemberExprWithADot() {
Owner::Wrapper *arr; // expected-note {{'arr' declared without an initial value}} Owner::Wrapper *arr; // expected-note {{'arr' declared without an initial value}}
▲ Show 20 LinesShow All 58 LinesShow Last 20 Lines

test/Analysis/null-deref-path-notes.cpp

Show All 13 Lines
// Properly track the null pointer in the array field back to the default // Properly track the null pointer in the array field back to the default
// constructor of 'h'. // constructor of 'h'.
void c::f(B &g, int &i) { void c::f(B &g, int &i) {
e(g.d[9], i); // expected-warning{{Array access (via field 'd') results in a null pointer dereference}} e(g.d[9], i); // expected-warning{{Array access (via field 'd') results in a null pointer dereference}}
// expected-note@-1{{Array access (via field 'd') results in a null pointer dereference}} // expected-note@-1{{Array access (via field 'd') results in a null pointer dereference}}
B h, a; // expected-note{{Value assigned to 'h.d'}} B h, a; // expected-note{{Value assigned to 'h.d'}}
a.d == __null; // expected-note{{Assuming the condition is true}} a.d == __null; // expected-note{{Assuming the condition is true}}
a.d != h.d; // expected-note{{Assuming pointer value is null}} a.d != h.d; // expected-note{{Assuming 'a.d' is equal to 'h.d'}}
f(h, b); // expected-note{{Calling 'c::f'}} f(h, b); // expected-note{{Calling 'c::f'}}
} }
} }

test/Analysis/osobject-retain-release.cpp

Show First 20 LinesShow All 595 Lines▼ Show 20 Lines
using OSObjectPtr = os::smart_ptr<OSObject>; using OSObjectPtr = os::smart_ptr<OSObject>;
void test_smart_ptr_uaf() { void test_smart_ptr_uaf() {
OSObject *obj = new OSObject; // expected-note{{Operator 'new' returns an OSObject of type 'OSObject' with a +1 retain count}} OSObject *obj = new OSObject; // expected-note{{Operator 'new' returns an OSObject of type 'OSObject' with a +1 retain count}}
{ {
OSObjectPtr p(obj); // expected-note{{Calling constructor for 'smart_ptr<OSObject>'}} OSObjectPtr p(obj); // expected-note{{Calling constructor for 'smart_ptr<OSObject>'}}
// expected-note@-1{{Returning from constructor for 'smart_ptr<OSObject>'}} // expected-note@-1{{Returning from constructor for 'smart_ptr<OSObject>'}}
// expected-note@os_smart_ptr.h:13{{Field 'pointer' is non-null}}
// expected-note@os_smart_ptr.h:13{{Taking true branch}} // expected-note@os_smart_ptr.h:13{{Taking true branch}}
// expected-note@os_smart_ptr.h:14{{Calling 'smart_ptr::_retain'}} // expected-note@os_smart_ptr.h:14{{Calling 'smart_ptr::_retain'}}
// expected-note@os_smart_ptr.h:71{{Reference count incremented. The object now has a +2 retain count}} // expected-note@os_smart_ptr.h:71{{Reference count incremented. The object now has a +2 retain count}}
// expected-note@os_smart_ptr.h:14{{Returning from 'smart_ptr::_retain'}} // expected-note@os_smart_ptr.h:14{{Returning from 'smart_ptr::_retain'}}
} // expected-note{{Calling '~smart_ptr'}} } // expected-note{{Calling '~smart_ptr'}}
// expected-note@os_smart_ptr.h:35{{Field 'pointer' is non-null}}
// expected-note@os_smart_ptr.h:35{{Taking true branch}} // expected-note@os_smart_ptr.h:35{{Taking true branch}}
// expected-note@os_smart_ptr.h:36{{Calling 'smart_ptr::_release'}} // expected-note@os_smart_ptr.h:36{{Calling 'smart_ptr::_release'}}
// expected-note@os_smart_ptr.h:76{{Reference count decremented. The object now has a +1 retain count}} // expected-note@os_smart_ptr.h:76{{Reference count decremented. The object now has a +1 retain count}}
// expected-note@os_smart_ptr.h:36{{Returning from 'smart_ptr::_release'}} // expected-note@os_smart_ptr.h:36{{Returning from 'smart_ptr::_release'}}
// expected-note@-5{{Returning from '~smart_ptr'}} // expected-note@-6{{Returning from '~smart_ptr'}}
obj->release(); // expected-note{{Object released}} obj->release(); // expected-note{{Object released}}
obj->release(); // expected-warning{{Reference-counted object is used after it is released}} obj->release(); // expected-warning{{Reference-counted object is used after it is released}}
// expected-note@-1{{Reference-counted object is used after it is released}} // expected-note@-1{{Reference-counted object is used after it is released}}
} }
void test_smart_ptr_leak() { void test_smart_ptr_leak() {
OSObject *obj = new OSObject; // expected-note{{Operator 'new' returns an OSObject of type 'OSObject' with a +1 retain count}} OSObject *obj = new OSObject; // expected-note{{Operator 'new' returns an OSObject of type 'OSObject' with a +1 retain count}}
{ {
OSObjectPtr p(obj); // expected-note{{Calling constructor for 'smart_ptr<OSObject>'}} OSObjectPtr p(obj); // expected-note{{Calling constructor for 'smart_ptr<OSObject>'}}
// expected-note@-1{{Returning from constructor for 'smart_ptr<OSObject>'}} // expected-note@-1{{Returning from constructor for 'smart_ptr<OSObject>'}}
// expected-note@os_smart_ptr.h:13{{Field 'pointer' is non-null}}
// expected-note@os_smart_ptr.h:13{{Taking true branch}} // expected-note@os_smart_ptr.h:13{{Taking true branch}}
// expected-note@os_smart_ptr.h:14{{Calling 'smart_ptr::_retain'}} // expected-note@os_smart_ptr.h:14{{Calling 'smart_ptr::_retain'}}
// expected-note@os_smart_ptr.h:71{{Reference count incremented. The object now has a +2 retain count}} // expected-note@os_smart_ptr.h:71{{Reference count incremented. The object now has a +2 retain count}}
// expected-note@os_smart_ptr.h:14{{Returning from 'smart_ptr::_retain'}} // expected-note@os_smart_ptr.h:14{{Returning from 'smart_ptr::_retain'}}
} // expected-note{{Calling '~smart_ptr'}} } // expected-note{{Calling '~smart_ptr'}}
// expected-note@os_smart_ptr.h:35{{Field 'pointer' is non-null}}
// expected-note@os_smart_ptr.h:35{{Taking true branch}} // expected-note@os_smart_ptr.h:35{{Taking true branch}}
// expected-note@os_smart_ptr.h:36{{Calling 'smart_ptr::_release'}} // expected-note@os_smart_ptr.h:36{{Calling 'smart_ptr::_release'}}
// expected-note@os_smart_ptr.h:76{{Reference count decremented. The object now has a +1 retain count}} // expected-note@os_smart_ptr.h:76{{Reference count decremented. The object now has a +1 retain count}}
// expected-note@os_smart_ptr.h:36{{Returning from 'smart_ptr::_release'}} // expected-note@os_smart_ptr.h:36{{Returning from 'smart_ptr::_release'}}
// expected-note@-5{{Returning from '~smart_ptr'}} // expected-note@-6{{Returning from '~smart_ptr'}}
} // expected-warning{{Potential leak of an object stored into 'obj'}} } // expected-warning{{Potential leak of an object stored into 'obj'}}
// expected-note@-1{{Object leaked: object allocated and stored into 'obj' is not referenced later in this execution path and has a retain count of +1}} // expected-note@-1{{Object leaked: object allocated and stored into 'obj' is not referenced later in this execution path and has a retain count of +1}}
void test_smart_ptr_no_leak() { void test_smart_ptr_no_leak() {
OSObject *obj = new OSObject; OSObject *obj = new OSObject;
{ {
OSObjectPtr p(obj); OSObjectPtr p(obj);
} }
▲ Show 20 LinesShow All 77 LinesShow Last 20 Lines

test/Analysis/uninit-vals.m

Show First 20 LinesShow All 158 Lines▼ Show 20 Lines
void PR14765_test() { void PR14765_test() {
Circle *testObj = calloc(sizeof(Circle), 1); Circle *testObj = calloc(sizeof(Circle), 1);
clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
testObj->origin = makePoint(0.0, 0.0); testObj->origin = makePoint(0.0, 0.0);
if (testObj->size > 0) { ; } // expected-note{{Assuming the condition is false}} if (testObj->size > 0) { ; } // expected-note{{Assuming field 'size' is <= 0}}
// expected-note@-1{{Taking false branch}} // expected-note@-1{{Taking false branch}}
// FIXME: Assigning to 'testObj->origin' kills the default binding for the // FIXME: Assigning to 'testObj->origin' kills the default binding for the
// whole region, meaning that we've forgotten that testObj->size should also // whole region, meaning that we've forgotten that testObj->size should also
// default to 0. Tracked by <rdar://problem/12701038>. // default to 0. Tracked by <rdar://problem/12701038>.
// This should be TRUE. // This should be TRUE.
clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}}
// expected-note@-1{{UNKNOWN}} // expected-note@-1{{UNKNOWN}}
Show All 38 Linesvoid PR14765_test_int() {
clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.z == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
testObj->origin = makeIntPoint(1, 2); testObj->origin = makeIntPoint(1, 2);
if (testObj->size > 0) { ; } // expected-note{{Assuming the condition is false}} if (testObj->size > 0) { ; } // expected-note{{Assuming field 'size' is <= 0}}
george.karpenkovUnsubmitted
Done
ReplyInline Actions

What happened to "assuming"?

george.karpenkov: What happened to "assuming"?
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I just cannot copy-paste properly.

Charusso: I just cannot copy-paste properly.
// expected-note@-1{{Taking false branch}} // expected-note@-1{{Taking false branch}}
// expected-note@-2{{Assuming the condition is false}} // expected-note@-2{{Assuming field 'size' is <= 0}}
// expected-note@-3{{Taking false branch}} // expected-note@-3{{Taking false branch}}
// expected-note@-4{{Assuming the condition is false}} // expected-note@-4{{Assuming field 'size' is <= 0}}
// expected-note@-5{{Taking false branch}} // expected-note@-5{{Taking false branch}}
// expected-note@-6{{Assuming the condition is false}} // expected-note@-6{{Assuming field 'size' is <= 0}}
// expected-note@-7{{Taking false branch}} // expected-note@-7{{Taking false branch}}
// FIXME: Assigning to 'testObj->origin' kills the default binding for the // FIXME: Assigning to 'testObj->origin' kills the default binding for the
// whole region, meaning that we've forgotten that testObj->size should also // whole region, meaning that we've forgotten that testObj->size should also
// default to 0. Tracked by <rdar://problem/12701038>. // default to 0. Tracked by <rdar://problem/12701038>.
// This should be TRUE. // This should be TRUE.
clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{UNKNOWN}}
// expected-note@-1{{UNKNOWN}} // expected-note@-1{{UNKNOWN}}
▲ Show 20 LinesShow All 79 Lines▼ Show 20 Linesvoid testSmallStructInLargerStruct() {
clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
testObj->origin = makeIntPoint2D(1, 2); testObj->origin = makeIntPoint2D(1, 2);
if (testObj->size > 0) { ; } // expected-note{{Taking false branch}} if (testObj->size > 0) { ; } // expected-note{{Field 'size' is <= 0}}
// expected-note@-1{{Taking false branch}} // expected-note@-1{{Taking false branch}}
// expected-note@-2{{Taking false branch}} // expected-note@-2{{Field 'size' is <= 0}}
// expected-note@-3{{Taking false branch}}
// expected-note@-4{{Field 'size' is <= 0}}
// expected-note@-5{{Taking false branch}}
clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->size == 0); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.x == 1); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}} clang_analyzer_eval(testObj->origin.y == 2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
▲ Show 20 LinesShow All 96 LinesShow Last 20 Lines