This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
ExprEngineCXX.cpp
-
test/Analysis/
-
Analysis/
-
copy-elision.mm

Differential D61545

[analyzer] Fix a crash in RVO from within blocks.
ClosedPublic

Authored by NoQ on May 3 2019, 6:40 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Charusso

Commits

rZORG65a22675b8b1: [analyzer] Fix a crash when doing RVO from within blocks.
rZORGc5e817544868: [analyzer] Fix a crash when doing RVO from within blocks.
rG65a22675b8b1: [analyzer] Fix a crash when doing RVO from within blocks.
rGc5e817544868: [analyzer] Fix a crash when doing RVO from within blocks.
rGb3fc9df48190: [analyzer] Fix a crash when doing RVO from within blocks.
rL360202: [analyzer] Fix a crash when doing RVO from within blocks.
rC360202: [analyzer] Fix a crash when doing RVO from within blocks.

Summary

While blocks are an Apple extension to C, i'm adding everybody because my mistake that i'm fixing here may hurt us more when we add more kinds of location contexts, so we shouldn't be making it anywhere.

In the attached test case, getA() returns an object by value, and therefore requires a construction context. Its construction context is that of a value that's immediately* returned (by value, without any sort of conversion), so copy elision (namely, RVO) applies. This means that we unwind the stack of LocationContexts in order to see where is the current callee called from. This way we obtain the construction context for the call site, and from that we can figure out what object is constructed. In this case it's going to be the first-and-only argument of use(). This is all good.

In this case RVO is applied to a return value of an anonymous block that's declared only to be immediately called and discarded. The Static Analyzer models block calls by putting two location contexts on the stack: a BlockInvocationContext followed by the actual StackFrameContext. I don't really know why it does that :) but that's not important, because if we introduce more kinds of location contexts, it'll look similarly anyway.

Therefore the correct idiom for obtaining the parent stack frame is to first obtain the parent, and then don't forget to obtain its stack frame, which is not necessarily the parent itself. This is the mistake that i made in my RVO code that i'm fixing here.

The code was crashing because it was looking up the call site in a CFGStmtMap for the wrong CFG (obtained from a wrong location context). This was happening in CallEvent::getCalleeStackFrame().

Diff Detail

Repository: rC Clang

Event Timeline

NoQ created this revision.May 3 2019, 6:40 PM

Herald added a project: Restricted Project. · View Herald TranscriptMay 3 2019, 6:40 PM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 2 others. · View Herald Transcript

I think the entire LocationContext stuff is a huge design issue, and you used its functionality without any hack. If you would rename the getStackFrame to getNextStackFrame or something, it is clear it is not a getter and traversing every frame until the top-frame.

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
203 ↗	(On Diff #198121)	The smallest the scope between the definition and its usage, the better the code. Could you put the new code immediately before the return statement?

This revision is now accepted and ready to land.May 4 2019, 12:04 AM

a_sidorin accepted this revision.May 4 2019, 12:21 PM

No, this is all wrong. We shouldn't unwrap to the parent stack frame here. We should end up exactly in the location context in which the call has happened. But we should still unwrap the block invocation context, as an exception, because it's just a weird location context that goes before the stack frame but still has its corresponding AnalysisDeclContext tied to the *callee* stack frame.

These block invocation contexts are used, like, once, to help modeling captures. I should probably try to get rid of them entirely.

Remove unused declaration from the test.

Looks good to me.

Closed by commit rC360202: [analyzer] Fix a crash when doing RVO from within blocks. (authored by NoQ). · Explain WhyMay 7 2019, 3:33 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

ExprEngineCXX.cpp

6 lines

test/

Analysis/

copy-elision.mm

18 lines

Diff 198555

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 Lines • Show All 190 Lines • ▼ Show 20 Lines	case ConstructionContext::CXX17ElidedCopyReturnedValueKind: {
auto RTC = (*SFC->getCallSiteBlock())[SFC->getIndex()]		auto RTC = (*SFC->getCallSiteBlock())[SFC->getIndex()]
.getAs<CFGCXXRecordTypedCall>();		.getAs<CFGCXXRecordTypedCall>();
if (!RTC) {		if (!RTC) {
// We were unable to find the correct construction context for the		// We were unable to find the correct construction context for the
// call in the parent stack frame. This is equivalent to not being		// call in the parent stack frame. This is equivalent to not being
// able to find construction context at all.		// able to find construction context at all.
break;		break;
}		}
		if (isa<BlockInvocationContext>(CallerLCtx)) {
		// Unwrap block invocation contexts. They're mostly part of
		// the current stack frame.
		CallerLCtx = CallerLCtx->getParent();
		assert(!isa<BlockInvocationContext>(CallerLCtx));
		}
return prepareForObjectConstruction(		return prepareForObjectConstruction(
cast<Expr>(SFC->getCallSite()), State, CallerLCtx,		cast<Expr>(SFC->getCallSite()), State, CallerLCtx,
RTC->getConstructionContext(), CallOpts);		RTC->getConstructionContext(), CallOpts);
} else {		} else {
// We are on the top frame of the analysis. We do not know where is the		// We are on the top frame of the analysis. We do not know where is the
// object returned to. Conjure a symbolic region for the return value.		// object returned to. Conjure a symbolic region for the return value.
// TODO: We probably need a new MemRegion kind to represent the storage		// TODO: We probably need a new MemRegion kind to represent the storage
// of that SymbolicRegion, so that we cound produce a fancy symbol		// of that SymbolicRegion, so that we cound produce a fancy symbol
▲ Show 20 Lines • Show All 714 Lines • Show Last 20 Lines

test/Analysis/copy-elision.mm

				// RUN: %clang_analyze_cc1 -analyzer-checker=core -fblocks -verify %s

				// expected-no-diagnostics

				namespace block_rvo_crash {
				struct A {};

				A getA();
				void use(A a) {}

				void foo() {
				// This used to crash when finding construction context for getA()
				// (which is use()'s argument due to RVO).
				use(^{
				return getA(); // no-crash
				}());
				}
				} // namespace block_rvo_crash