This is an archive of the discontinued LLVM Phabricator instance.

Differential D59054

[analyzer] C++17: PR40022: Support aggregate initialization with compound values in presence of base classes.
ClosedPublic

Authored by NoQ on Mar 6 2019, 2:36 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
alexfh
Commits
rG06451368d2f0: [analyzer] Support C++17 aggregates with bases without constructors.
rC356222: [analyzer] Support C++17 aggregates with bases without constructors.
rL356222: [analyzer] Support C++17 aggregates with bases without constructors.
Summary

I'll add more tests soon, to see if it is actually initialized *correctly* now, but for now here's the code that fixes the crash in https://bugs.llvm.org/show_bug.cgi?id=40022 .

It turns out that C++17 aggregate initialization with base classes wasn't really ever implemented for the case when it *doesn't* involve calling any sub-object constructors. That it, when the aggregate is initialized with a simple initializer list and the resulting value is a nonloc::CompoundVal, we simply didn't know that we need to perform the store bind for the base classes as well. Now it should work.

The original bug report causes us to crash when there's a flexible array at the end of the structure (which is a non-standard thing), which made me underestimate the problem a bit :)

The case where we *do* have constructors in base classes is, of course, still unimplemented; it was last touched in D40841.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Mar 6 2019, 2:36 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 6 2019, 2:36 PM
Herald added subscribers: cfe-commits, Charusso, jdoerfert and 4 others. · View Herald Transcript
alexfh added a subscriber: alexfh.Mar 7 2019, 5:37 AM

LG in general. A couple of comments.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
2348 ↗(On Diff #189594)

Should this be const auto&?

2349 ↗(On Diff #189594)

!B.isVirtual()

Consider also adding && "more details about this assertion".

Szelethus added a comment.Mar 7 2019, 7:21 AM

At first glance this looks OK, but I'll take the time to understand the infrastructure behind it and give a proper review.

clang/test/Analysis/array-struct-region.cpp
3 ↗(On Diff #189594)

I didn't see -analyzer-config c++-inlining=constructors in the bugreport -- why is it needed?

NoQ updated this revision to Diff 189781.Mar 7 2019, 2:15 PM
NoQ marked 5 inline comments as done.

Thx! Also added the more direct test.

I'll take the time to understand the infrastructure behind it

Well, roughly, the CompoundVal kind of value is used very rarely, unlike LazyCompoundVal. The raw CompoundVal is essentially a symbolic InitListExpr: an (immutable) list of other values. It appears pretty much only when there's an actual initializer list expression in the program, and the analyzer tries to unwrap it as soon as possible.

This code is where such unwrap happens: when the compound value is put into the object that it was supposed to initialize (it's an *initializer* list, after all), instead of binding the whole value to the whole object, we bind sub-values to sub-objects. Sub-values may themselves be compound values, and in this case the procedure becomes recursive.

The annoying part about compound values is that they don't carry any sort of information about which value corresponds to which sub-object. It's simply a list of values in the middle of nowhere; the Store expects to match them to sub-objects, essentially, by *index*: first value binds to the first field, second value binds to the second field, etc. The crash was occuring when it was accidentally trying to bind a base-class value to a field object - because it simply didn't know that base objects are a thing.

NoQ added inline comments.Mar 7 2019, 2:25 PM
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
2348 ↗(On Diff #189594)

Whoops. Also i still somehow hate it that these aren't pointers :)

clang/test/Analysis/array-struct-region.cpp
3 ↗(On Diff #189594)

Hmm, right, these flags are outdated long time ago. Wiped them out from this test.

Szelethus added a comment.Mar 7 2019, 2:29 PM

Ooooh you explained that very well, I'm clear on what's happening then :D Still, I'll poke the code here and there to learn about this part of the analyzer, I might even come up with some meaningful feedback (or a meaningful patch acceptance).

NoQ updated this revision to Diff 189791.Mar 7 2019, 3:28 PM

Added this as a comment.

If the patch is not obvious at a glance, feel free to demand comments! Every second you spend trying to figure out how the code works is multiplied by the number of people who will have to do the same in the future.

alexfh accepted this revision.Mar 7 2019, 3:34 PM

LG

This revision is now accepted and ready to land.Mar 7 2019, 3:34 PM
Szelethus accepted this revision.Mar 11 2019, 5:21 AM

LGTM!

Closed by commit rL356222: [analyzer] Support C++17 aggregates with bases without constructors. (authored by NoQ). · Explain WhyMar 14 2019, 5:21 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptMar 14 2019, 5:21 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
NoQ mentioned this in D59573: [analyzer] C++17: PR41142: Ignore transparent InitListExprs when finding construction contexts..Mar 19 2019, 6:28 PM
NoQ mentioned this in D60988: [analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil..Apr 22 2019, 6:19 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
47 lines
test/
Analysis/
67 lines

Diff 190760

cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 2,328 Lines▼ Show 20 Lines if (V.getAs<nonloc::SymbolVal>())
return bindAggregate(B, R, V); return bindAggregate(B, R, V);
// We may get non-CompoundVal accidentally due to imprecise cast logic or // We may get non-CompoundVal accidentally due to imprecise cast logic or
// that we are binding symbolic struct value. Kill the field values, and if // that we are binding symbolic struct value. Kill the field values, and if
// the value is symbolic go and bind it as a "default" binding. // the value is symbolic go and bind it as a "default" binding.
if (V.isUnknown() || !V.getAs<nonloc::CompoundVal>()) if (V.isUnknown() || !V.getAs<nonloc::CompoundVal>())
return bindAggregate(B, R, UnknownVal()); return bindAggregate(B, R, UnknownVal());
// The raw CompoundVal is essentially a symbolic InitListExpr: an (immutable)
// list of other values. It appears pretty much only when there's an actual
// initializer list expression in the program, and the analyzer tries to
// unwrap it as soon as possible.
// This code is where such unwrap happens: when the compound value is put into
// the object that it was supposed to initialize (it's an *initializer* list,
// after all), instead of binding the whole value to the whole object, we bind
// sub-values to sub-objects. Sub-values may themselves be compound values,
// and in this case the procedure becomes recursive.
// FIXME: The annoying part about compound values is that they don't carry
// any sort of information about which value corresponds to which sub-object.
// It's simply a list of values in the middle of nowhere; we expect to match
// them to sub-objects, essentially, "by index": first value binds to
// the first field, second value binds to the second field, etc.
// It would have been much safer to organize non-lazy compound values as
// a mapping from fields/bases to values.
const nonloc::CompoundVal& CV = V.castAs<nonloc::CompoundVal>(); const nonloc::CompoundVal& CV = V.castAs<nonloc::CompoundVal>();
nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end(); nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();
RecordDecl::field_iterator FI, FE;
RegionBindingsRef NewB(B); RegionBindingsRef NewB(B);
// In C++17 aggregates may have base classes, handle those as well.
// They appear before fields in the initializer list / compound value.
if (const auto *CRD = dyn_cast<CXXRecordDecl>(RD)) {
assert(CRD->isAggregate() &&
"Non-aggregates are constructed with a constructor!");
for (const auto &B : CRD->bases()) {
// (Multiple inheritance is fine though.)
assert(!B.isVirtual() && "Aggregates cannot have virtual base classes!");
if (VI == VE)
break;
QualType BTy = B.getType();
assert(BTy->isStructureOrClassType() && "Base classes must be classes!");
const CXXRecordDecl *BRD = BTy->getAsCXXRecordDecl();
assert(BRD && "Base classes must be C++ classes!");
const CXXBaseObjectRegion *BR =
MRMgr.getCXXBaseObjectRegion(BRD, R, /*IsVirtual=*/false);
NewB = bindStruct(NewB, BR, *VI);
++VI;
}
}
RecordDecl::field_iterator FI, FE;
for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI) { for (FI = RD->field_begin(), FE = RD->field_end(); FI != FE; ++FI) {
if (VI == VE) if (VI == VE)
break; break;
// Skip any unnamed bitfields to stay in sync with the initializers. // Skip any unnamed bitfields to stay in sync with the initializers.
if (FI->isUnnamedBitfield()) if (FI->isUnnamedBitfield())
continue; continue;
▲ Show 20 LinesShow All 216 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/array-struct-region.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -verify -x c %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core\
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -verify -x c++ -analyzer-config c++-inlining=constructors %s // RUN: -analyzer-checker=debug.ExprInspection -verify\
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -DINLINE -verify -x c %s // RUN: -x c %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -DINLINE -verify -x c++ -analyzer-config c++-inlining=constructors %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core\
// RUN: -analyzer-checker=debug.ExprInspection -verify\
// RUN: -x c++ -std=c++14 %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core\
// RUN: -analyzer-checker=debug.ExprInspection -verify\
// RUN: -x c++ -std=c++17 %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core\
// RUN: -analyzer-checker=debug.ExprInspection -verify\
// RUN: -DINLINE -x c %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core\
// RUN: -analyzer-checker=debug.ExprInspection -verify\
// RUN: -DINLINE -x c++ -std=c++14 %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core\
// RUN: -analyzer-checker=debug.ExprInspection -verify\
// RUN: -DINLINE -x c++ -std=c++17 %s
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
struct S { struct S {
int field; int field;
#if __cplusplus #if __cplusplus
const struct S *getThis() const { return this; } const struct S *getThis() const { return this; }
▲ Show 20 LinesShow All 178 Lines▼ Show 20 Linesnamespace EmptyClass {
// There used to be a warning here, because analyzer treated Derived as empty. // There used to be a warning here, because analyzer treated Derived as empty.
int test() { int test() {
int a; int a;
ref(a) = 42; ref(a) = 42;
return a; // no warning return a; // no warning
} }
} }
#if __cplusplus >= 201703L
namespace aggregate_inheritance_cxx17 {
struct A {
int x;
};
struct B {
int y;
};
struct C: B {
int z;
};
struct D: A, C {
int w;
};
void foo() {
D d{1, 2, 3, 4};
clang_analyzer_eval(d.x == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(d.y == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(d.z == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(d.w == 4); // expected-warning{{TRUE}}
}
} // namespace aggregate_inheritance_cxx17
#endif
namespace flex_array_inheritance_cxx17 {
struct A {
int flexible_array[];
};
struct B {
long cookie;
};
struct C : B {
A a;
};
void foo() {
C c{}; // no-crash
}
} // namespace flex_array_inheritance_cxx17
#endif #endif