This is an archive of the discontinued LLVM Phabricator instance.

Differential D63968

[analyzer] Fix target region invalidation when returning into a ctor initializer.
ClosedPublic

Authored by NoQ on Jun 28 2019, 6:00 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
Szelethus
baloghadamsoftware
Charusso
Commits
rGceb639dbeea9: [analyzer] Fix invalidation when returning into a ctor initializer.
rC364870: [analyzer] Fix invalidation when returning into a ctor initializer.
rL364870: [analyzer] Fix invalidation when returning into a ctor initializer.
Summary

Enabling pointer escape notification for the return value invalidation when conservatively evaluating calls that return C++ objects by value was supposed to be pointless. Indeed, we're looking at a freshly conjured value; why would any checker already track it at this point? Yet it does cause a change in results, so i decided to reduce and investigate a reproducer @Charusso sent me.

When i was thinking about it previously (as of D44131), i was imagining a function that constructs a temporary that would later be copied to its target destination. In this case there's indeed no need to notify checkers of pointer escape.

However, once RVO was implemented (D47671), the target region is no longer necessarily a temporary; it may be an arbitrary memory region. In particular, it may be a non-base region, such as FieldRegion if the construction context is a ConstructorInitializerConstructionContext. In this case the invalidation covers not only the target region but its whole base region that may already contain some values that might as well be tracked by the checkers.

The right solution, therefore, is to restrict invalidation so that it didn't propagate to the base region, but only wipe the target region itself. It probably doesn't work perfectly because RegionStore doesn't enjoy this sort of stuff, but it should be something.

In the newly added test case the previous behavior was to immediately forget about b1.p and b2.p, therefore evals on lines 21 and 23 yielded both TRUE and FALSE each (due to eagerly-assume) and the leak was diagnosed on line 22 (even though the pointer is used later).

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Jun 28 2019, 6:00 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 28 2019, 6:00 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 3 others. · View Herald Transcript
Charusso accepted this revision.Jun 28 2019, 6:18 PM

You have made a great use of that mistake by me. So that is why everything is so perfect, because it fires, just it should fire later. Thanks you!

This revision is now accepted and ready to land.Jun 28 2019, 6:18 PM
xazax.hun accepted this revision.Jul 1 2019, 10:26 AM

LG! Thanks!

Closed by commit rL364870: [analyzer] Fix invalidation when returning into a ctor initializer. (authored by NoQ). · Explain WhyJul 1 2019, 4:03 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptJul 1 2019, 4:03 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
17 lines
test/
Analysis/
25 lines

Diff 207434

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 LinesShow All 628 Lines▼ Show 20 LinesProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
if (auto RTC = getCurrentCFGElement().getAs<CFGCXXRecordTypedCall>()) { if (auto RTC = getCurrentCFGElement().getAs<CFGCXXRecordTypedCall>()) {
// Conjure a temporary if the function returns an object by value. // Conjure a temporary if the function returns an object by value.
SVal Target; SVal Target;
assert(RTC->getStmt() == Call.getOriginExpr()); assert(RTC->getStmt() == Call.getOriginExpr());
EvalCallOptions CallOpts; // FIXME: We won't really need those. EvalCallOptions CallOpts; // FIXME: We won't really need those.
std::tie(State, Target) = std::tie(State, Target) =
prepareForObjectConstruction(Call.getOriginExpr(), State, LCtx, prepareForObjectConstruction(Call.getOriginExpr(), State, LCtx,
RTC->getConstructionContext(), CallOpts); RTC->getConstructionContext(), CallOpts);
assert(Target.getAsRegion()); const MemRegion *TargetR = Target.getAsRegion();
// Invalidate the region so that it didn't look uninitialized. Don't notify assert(TargetR);
// the checkers. // Invalidate the region so that it didn't look uninitialized. If this is
State = State->invalidateRegions(Target.getAsRegion(), E, Count, LCtx, // a field or element constructor, we do not want to invalidate
// the whole structure. Pointer escape is meaningless because
// the structure is a product of conservative evaluation
// and therefore contains nothing interesting at this point.
RegionAndSymbolInvalidationTraits ITraits;
ITraits.setTrait(TargetR,
RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
State = State->invalidateRegions(TargetR, E, Count, LCtx,
/* CausedByPointerEscape=*/false, nullptr, /* CausedByPointerEscape=*/false, nullptr,
&Call, nullptr); &Call, &ITraits);
R = State->getSVal(Target.castAs<Loc>(), E->getType()); R = State->getSVal(Target.castAs<Loc>(), E->getType());
} else { } else {
// Conjure a symbol if the return value is unknown. // Conjure a symbol if the return value is unknown.
// See if we need to conjure a heap pointer instead of // See if we need to conjure a heap pointer instead of
// a regular unknown pointer. // a regular unknown pointer.
bool IsHeapPointer = false; bool IsHeapPointer = false;
▲ Show 20 LinesShow All 449 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/rvo.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker core,cplusplus \
// RUN: -analyzer-checker debug.ExprInspection -verify %s
void clang_analyzer_eval(bool);
struct A {
int x;
};
A getA();
struct B {
int *p;
A a;
B(int *p) : p(p), a(getA()) {}
};
void foo() {
B b1(nullptr);
clang_analyzer_eval(b1.p == nullptr); // expected-warning{{TRUE}}
B b2(new int); // No leak yet!
clang_analyzer_eval(b2.p == nullptr); // expected-warning{{FALSE}}
// expected-warning@-1{{Potential leak of memory pointed to by 'b2.p'}}
}