This is an archive of the discontinued LLVM Phabricator instance.

Differential D62556

[analyzer] NFC: CallDescription: Implement describing C library functions.
ClosedPublic

Authored by NoQ on May 28 2019, 4:37 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Charusso
Commits
rGf301096f5113: [analyzer] NFC: CallDescription: Implement describing C library functions.
rC364867: [analyzer] NFC: CallDescription: Implement describing C library functions.
rL364867: [analyzer] NFC: CallDescription: Implement describing C library functions.
Summary

When matching C standard library functions in the checker, it's easy to forget that they are often implemented as macros that are expanded to compiler builtins. Such builtins would have a different name, so matching the callee identifier would fail, or may sometimes have more arguments than expected (so matching the exact number of arguments would fail, but this is fine as long as we have all the arguments that we need in their respective places.

This patch adds a set of flags to the CallDescription class so that to handle various special matching rules, and adds the first flag into this set, which enables a more fuzzy matching for functions that may be implemented as builtins.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.May 28 2019, 4:37 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 28 2019, 4:38 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 2 others. · View Herald Transcript
NoQ added a parent revision: D62441: [analyzer] NFC: Introduce a convenient CallDescriptionMap class..May 28 2019, 4:38 PM
NoQ added a child revision: D62557: [analyzer] Modernize CStringChecker to use CallDescriptions..May 28 2019, 4:49 PM
a_sidorin added a comment.Jun 3 2019, 2:57 PM

Hi Artem,
Looks mostly good, but I have some comments inline.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
1064 ↗(On Diff #201785)

Not for this review, but why do we have a vector of const char *, not StringRefs?

1066 ↗(On Diff #201785)

Is it a good idea to make Flags a bitfield structure?

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
379 ↗(On Diff #201785)

!II is never false due to the newly-introduced early return.

Szelethus added a comment.EditedJun 4 2019, 5:51 PM

I like the idea, but will need more time to get familiar with CallEvent to formally accept.

When matching C standard library functions in the checker, it's easy to forget that they are often implemented as macros that are expanded to compiler builtins. Such builtins would have a different name, so matching the callee identifier would fail, or may sometimes have more arguments than expected (so matching the exact number of arguments would fail, but this is fine as long as we have all the arguments that we need in their respective places.

Just a name an issue that came up recently, in the case of D59812, we probably shouldn't need to strip "__builtin_" off.

xazax.hun accepted this revision.Jun 5 2019, 1:46 AM

Once Aleksei's comments are resolved it is good to go. My comments are notes and not requests.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
1052 ↗(On Diff #201785)

I wonder if this is the right name. Do checker authors know the relationship between a standard library function and builtins? Maybe something like CDF_IsCStandardLibFunc would be more prescriptive when to set this? Or do we have non standard library builtins that we might want to match using this facility? The comment above is great, I just wonder if checker authors will read that. In case it does show up in the doxygen feel free to leave the name as is.

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
368 ↗(On Diff #201785)

In case this happens to be a performance problem we could cache the builtin id in the future. This is just a note, do not need to optimize this prematurely.

This revision is now accepted and ready to land.Jun 5 2019, 1:46 AM
NoQ updated this revision to Diff 206978.Jun 27 2019, 5:44 PM
NoQ marked 4 inline comments as done.

Fxd.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
1064 ↗(On Diff #201785)

The constructor accepts ArrayRef<const char *> rather than ArrayRef<StringRef> because { "foo", "bar" } is not a valid initializer for ArrayRef<StringRef>. The field is the same for simplicity, as converting ArrayRef<const char *> to a vector<StringRef> is annoying and not really useful. See also D51390.

1066 ↗(On Diff #201785)

This would prevent us from passing the flags into the constructor as CDF_Foo | CDF_Bar etc.- we'll have to specify every field on every line. I wanted to make the initializers as concise as possible to avoid line breaks in code like D62557.

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
379 ↗(On Diff #201785)

Right!

Charusso accepted this revision.Jul 1 2019, 10:15 AM

I have not seen any problem. Thanks!

Charusso added a child revision: D63915: [analyzer] ReturnValueChecker: Model the guaranteed boolean return value of function calls.Jul 1 2019, 10:19 AM
NoQ updated this revision to Diff 207406.Jul 1 2019, 2:08 PM

Rebase!

Closed by commit rL364867: [analyzer] NFC: CallDescription: Implement describing C library functions. (authored by NoQ). · Explain WhyJul 1 2019, 4:03 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJul 1 2019, 4:03 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
17 lines
lib/
StaticAnalyzer/
Core/
22 lines
unittests/
StaticAnalyzer/
12 lines

Diff 207431

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show First 20 LinesShow All 1,038 Lines▼ Show 20 Linespublic:
Kind getKind() const override { return CE_ObjCMessage; } Kind getKind() const override { return CE_ObjCMessage; }
static bool classof(const CallEvent *CA) { static bool classof(const CallEvent *CA) {
return CA->getKind() == CE_ObjCMessage; return CA->getKind() == CE_ObjCMessage;
} }
}; };
enum CallDescriptionFlags : int {
/// Describes a C standard function that is sometimes implemented as a macro
/// that expands to a compiler builtin with some __builtin prefix.
/// The builtin may as well have a few extra arguments on top of the requested
/// number of arguments.
CDF_MaybeBuiltin = 1 << 0,
};
/// This class represents a description of a function call using the number of /// This class represents a description of a function call using the number of
/// arguments and the name of the function. /// arguments and the name of the function.
class CallDescription { class CallDescription {
friend CallEvent; friend CallEvent;
mutable IdentifierInfo *II = nullptr; mutable IdentifierInfo *II = nullptr;
mutable bool IsLookupDone = false; mutable bool IsLookupDone = false;
// The list of the qualified names used to identify the specified CallEvent, // The list of the qualified names used to identify the specified CallEvent,
// e.g. "{a, b}" represent the qualified names, like "a::b". // e.g. "{a, b}" represent the qualified names, like "a::b".
std::vector<const char *> QualifiedName; std::vector<const char *> QualifiedName;
Optional<unsigned> RequiredArgs; Optional<unsigned> RequiredArgs;
int Flags;
public: public:
/// Constructs a CallDescription object. /// Constructs a CallDescription object.
/// ///
/// @param QualifiedName The list of the name qualifiers of the function that /// @param QualifiedName The list of the name qualifiers of the function that
/// will be matched. The user is allowed to skip any of the qualifiers. /// will be matched. The user is allowed to skip any of the qualifiers.
/// For example, {"std", "basic_string", "c_str"} would match both /// For example, {"std", "basic_string", "c_str"} would match both
/// std::basic_string<...>::c_str() and std::__1::basic_string<...>::c_str(). /// std::basic_string<...>::c_str() and std::__1::basic_string<...>::c_str().
/// ///
/// @param RequiredArgs The number of arguments that is expected to match a /// @param RequiredArgs The number of arguments that is expected to match a
/// call. Omit this parameter to match every occurrence of call with a given /// call. Omit this parameter to match every occurrence of call with a given
/// name regardless the number of arguments. /// name regardless the number of arguments.
CallDescription(int Flags, ArrayRef<const char *> QualifiedName,
Optional<unsigned> RequiredArgs = None)
: QualifiedName(QualifiedName), RequiredArgs(RequiredArgs),
Flags(Flags) {}
/// Construct a CallDescription with default flags.
CallDescription(ArrayRef<const char *> QualifiedName, CallDescription(ArrayRef<const char *> QualifiedName,
Optional<unsigned> RequiredArgs = None) Optional<unsigned> RequiredArgs = None)
: QualifiedName(QualifiedName), RequiredArgs(RequiredArgs) {} : CallDescription(0, QualifiedName, RequiredArgs) {}
/// Get the name of the function that this object matches. /// Get the name of the function that this object matches.
StringRef getFunctionName() const { return QualifiedName.back(); } StringRef getFunctionName() const { return QualifiedName.back(); }
}; };
/// An immutable map from CallDescriptions to arbitrary data. Provides a unified /// An immutable map from CallDescriptions to arbitrary data. Provides a unified
/// way for checkers to react on function calls. /// way for checkers to react on function calls.
template <typename T> class CallDescriptionMap { template <typename T> class CallDescriptionMap {
▲ Show 20 LinesShow All 181 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 LinesShow All 350 Lines▼ Show 20 Lines if (IsPreVisit)
return PreImplicitCall(D, Loc, getLocationContext(), Tag); return PreImplicitCall(D, Loc, getLocationContext(), Tag);
return PostImplicitCall(D, Loc, getLocationContext(), Tag); return PostImplicitCall(D, Loc, getLocationContext(), Tag);
} }
bool CallEvent::isCalled(const CallDescription &CD) const { bool CallEvent::isCalled(const CallDescription &CD) const {
// FIXME: Add ObjC Message support. // FIXME: Add ObjC Message support.
if (getKind() == CE_ObjCMessage) if (getKind() == CE_ObjCMessage)
return false; return false;
const IdentifierInfo *II = getCalleeIdentifier();
if (!II)
return false;
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
if (!FD)
return false;
if (CD.Flags & CDF_MaybeBuiltin) {
return CheckerContext::isCLibraryFunction(FD, CD.getFunctionName()) &&
(!CD.RequiredArgs || CD.RequiredArgs <= getNumArgs());
}
if (!CD.IsLookupDone) { if (!CD.IsLookupDone) {
CD.IsLookupDone = true; CD.IsLookupDone = true;
CD.II = &getState()->getStateManager().getContext().Idents.get( CD.II = &getState()->getStateManager().getContext().Idents.get(
CD.getFunctionName()); CD.getFunctionName());
} }
const IdentifierInfo *II = getCalleeIdentifier();
if (!II || II != CD.II) if (II != CD.II)
return false; return false;
const Decl *D = getDecl();
// If CallDescription provides prefix names, use them to improve matching // If CallDescription provides prefix names, use them to improve matching
// accuracy. // accuracy.
if (CD.QualifiedName.size() > 1 && D) { if (CD.QualifiedName.size() > 1 && FD) {
const DeclContext *Ctx = D->getDeclContext(); const DeclContext *Ctx = FD->getDeclContext();
// See if we'll be able to match them all. // See if we'll be able to match them all.
size_t NumUnmatched = CD.QualifiedName.size() - 1; size_t NumUnmatched = CD.QualifiedName.size() - 1;
for (; Ctx && isa<NamedDecl>(Ctx); Ctx = Ctx->getParent()) { for (; Ctx && isa<NamedDecl>(Ctx); Ctx = Ctx->getParent()) {
if (NumUnmatched == 0) if (NumUnmatched == 0)
break; break;
if (const auto *ND = dyn_cast<NamespaceDecl>(Ctx)) { if (const auto *ND = dyn_cast<NamespaceDecl>(Ctx)) {
if (ND->getName() == CD.QualifiedName[NumUnmatched - 1]) if (ND->getName() == CD.QualifiedName[NumUnmatched - 1])
▲ Show 20 LinesShow All 1,042 LinesShow Last 20 Lines

cfe/trunk/unittests/StaticAnalyzer/CallDescriptionTest.cpp

Show First 20 LinesShow All 137 Lines▼ Show 20 LinesTEST(CallEvent, CallDescription) {
// A negative test for qualified names. // A negative test for qualified names.
EXPECT_TRUE(tooling::runToolOnCode( EXPECT_TRUE(tooling::runToolOnCode(
new CallDescriptionAction({ new CallDescriptionAction({
{{{"foo", "bar"}}, false}, {{{"foo", "bar"}}, false},
{{{"bar", "foo"}}, false}, {{{"bar", "foo"}}, false},
{{"foo"}, true}, {{"foo"}, true},
}), "void foo(); struct bar { void foo(); }; void test() { foo(); }")); }), "void foo(); struct bar { void foo(); }; void test() { foo(); }"));
// Test CDF_MaybeBuiltin - a flag that allows matching weird builtins.
EXPECT_TRUE(tooling::runToolOnCode(
new CallDescriptionAction({
{{"memset", 3}, false},
{{CDF_MaybeBuiltin, "memset", 3}, true}
}),
"void foo() {"
" int x;"
" __builtin___memset_chk(&x, 0, sizeof(x),"
" __builtin_object_size(&x, 0));"
"}"));
} }
} // namespace } // namespace
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang