This is an archive of the discontinued LLVM Phabricator instance.

Differential D64271

[analyzer] Don't track the right hand side of the last store for conditions
AbandonedPublic

Authored by Szelethus on Jul 5 2019, 2:51 PM.

Details

Reviewers
NoQ
xazax.hun
baloghadamsoftware
rnkovacs
Charusso
dcoughlin
Summary

Exactly what it says on the tin!

Diff Detail

Event Timeline

Szelethus created this revision.Jul 5 2019, 2:51 PM
Herald added subscribers: cfe-commits, gamesh411, dkrupp and 5 others. · View Herald TranscriptJul 5 2019, 2:51 PM
Szelethus added a parent revision: D64270: [analyzer][NFC] Prepare visitors for different tracking kinds.Jul 5 2019, 2:51 PM
Szelethus added a child revision: D64272: [analyzer] Note last writes to a condition only in a nested stackframe.Jul 5 2019, 2:55 PM
NoQ added a comment.Jul 5 2019, 10:05 PM

Consider:

int flag;
bool coin();

void foo() {
  flag = coin();
}

void test() {
  int *x = 0;
  int local_flag;
  flag = 1;

  foo();
  local_flag = flag;
  if (local_flag)
    x = new int;

  foo();
  local_flag = flag;
  if (local_flag)
    *x = 5;
}

I'd rather track flag when i reach local_flag. I believe that we must track the RHS, but only as long as it's an overwrite on its own (or it's the value that participated in the collapse).

This is why the heuristic that i suggested was "track normally until the *last* out-of-frame overwrite point or until the collapse point".

Szelethus mentioned this in D64287: [analyzer] Track the right hand side of the last store regardless of its value.Jul 6 2019, 9:34 AM
Szelethus abandoned this revision.EditedJul 6 2019, 9:39 AM

You're right. If condition tracking only adds necessary information, this shouldn't hurt that much anyways.

Szelethus mentioned this in D64272: [analyzer] Note last writes to a condition only in a nested stackframe.Jul 6 2019, 9:46 AM
Szelethus removed a child revision: D64272: [analyzer] Note last writes to a condition only in a nested stackframe.
NoQ added a comment.Jul 9 2019, 12:54 PM

I'd rather not abandon this patch, because it looks like a strict improvement over the lack of condition tracking, and it might as well still be an improvement over "zealous" condition tracking, as my counterexample is fairly artificial. It indicates that a slightly more sophisticated algorithm is necessary (i'm not sure if it's single-pass or even linear). But i'll be perfectly happy with simply adding it as a FIXME test.

Szelethus added a comment.Jul 14 2019, 10:50 AM
In D64271#1576872, @NoQ wrote:

I'd rather not abandon this patch, because it looks like a strict improvement over the lack of condition tracking, and it might as well still be an improvement over "zealous" condition tracking, as my counterexample is fairly artificial. It indicates that a slightly more sophisticated algorithm is necessary (i'm not sure if it's single-pass or even linear). But i'll be perfectly happy with simply adding it as a FIXME test.

My other patches actually deal with this far more nicely. D64272 + D64232 combined almost achieve the same thing, but I'm running analyses to find gather some real world experience.
.

Szelethus removed a parent revision: D64270: [analyzer][NFC] Prepare visitors for different tracking kinds.Jul 17 2019, 8:26 AM
Szelethus mentioned this in rL368773: [analyzer] Track the right hand side of the last store regardless of its value.Aug 13 2019, 4:49 PM
Szelethus mentioned this in rG0df9c8c57802: [analyzer] Track the right hand side of the last store regardless of its value.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
3 lines
lib/
StaticAnalyzer/
Core/
22 lines
test/
Analysis/
18 lines

Diff 208242

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show First 20 LinesShow All 132 Lines▼ Show 20 Linespublic:
static void registerStatementVarDecls(BugReport &BR, const Stmt *S, static void registerStatementVarDecls(BugReport &BR, const Stmt *S,
bool EnableNullFPSuppression, bool EnableNullFPSuppression,
TrackingKind TKind); TrackingKind TKind);
/// \param V We're searching for the store where \c R received this value. /// \param V We're searching for the store where \c R received this value.
/// \param R The region we're tracking. /// \param R The region we're tracking.
/// \param EnableNullFPSuppression Whether we should employ false positive /// \param EnableNullFPSuppression Whether we should employ false positive
/// suppression (inlined defensive checks, returned null). /// suppression (inlined defensive checks, returned null).
/// \param TKind May limit the amount of notes added to the bug report. /// \param TKind May limit the amount of notes added to the bug report. For
/// conditions, ignores the initialization point.
FindLastStoreBRVisitor(KnownSVal V, const MemRegion *R, FindLastStoreBRVisitor(KnownSVal V, const MemRegion *R,
bool InEnableNullFPSuppression, bool InEnableNullFPSuppression,
TrackingKind TKind) TrackingKind TKind)
: R(R), V(V), EnableNullFPSuppression(InEnableNullFPSuppression), : R(R), V(V), EnableNullFPSuppression(InEnableNullFPSuppression),
TKind(TKind) { TKind(TKind) {
assert(R); assert(R);
} }
▲ Show 20 LinesShow All 246 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 1,419 Lines▼ Show 20 LinesFindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
} }
if (!StoreSite) if (!StoreSite)
return nullptr; return nullptr;
Satisfied = true; Satisfied = true;
// If we have an expression that provided the value, try to track where it // If we have an expression that provided the value, try to track where it
// came from. // came from.
// For tracked conditions, this isn't really important, it would pollute the
// bug report far too much.
if (TKind != TrackingKind::ConditionTracking) {
if (InitE) { if (InitE) {
if (V.isUndef() || if (V.isUndef() ||
V.getAs<loc::ConcreteInt>() || V.getAs<nonloc::ConcreteInt>()) { V.getAs<loc::ConcreteInt>() || V.getAs<nonloc::ConcreteInt>()) {
if (!IsParam) if (!IsParam)
InitE = InitE->IgnoreParenCasts(); InitE = InitE->IgnoreParenCasts();
bugreporter::trackExpressionValue(StoreSite, InitE, BR, bugreporter::trackExpressionValue(StoreSite, InitE, BR,
EnableNullFPSuppression); EnableNullFPSuppression);
} }
ReturnVisitor::addVisitorIfNecessary(StoreSite, InitE->IgnoreParenCasts(), ReturnVisitor::addVisitorIfNecessary(StoreSite, InitE->IgnoreParenCasts(),
BR, EnableNullFPSuppression); BR, EnableNullFPSuppression);
} }
}
// Okay, we've found the binding. Emit an appropriate message. // Okay, we've found the binding. Emit an appropriate message.
SmallString<256> sbuf; SmallString<256> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
if (Optional<PostStmt> PS = StoreSite->getLocationAs<PostStmt>()) { if (Optional<PostStmt> PS = StoreSite->getLocationAs<PostStmt>()) {
const Stmt *S = PS->getStmt(); const Stmt *S = PS->getStmt();
const char *action = nullptr; const char *action = nullptr;
▲ Show 20 LinesShow All 1,375 LinesShow Last 20 Lines

clang/test/Analysis/track-control-dependency-conditions.cpp

Show First 20 LinesShow All 113 Lines▼ Show 20 Lines if (flag) // expected-note {{Assuming 'flag' is not equal to 0}}
// expected-note@-1{{Dereference of null pointer}} // expected-note@-1{{Dereference of null pointer}}
} }
} // end of namespace global_variable_invalidation } // end of namespace global_variable_invalidation
namespace variable_declaration_in_condition { namespace variable_declaration_in_condition {
bool coin(); bool coin();
bool foo() { bool foo() {
return coin(); // tracking-note{{Returning value}} return coin();
} }
int bar; int bar;
void test() { void test() {
int *x = 0; // expected-note{{'x' initialized to a null pointer value}} int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
if (int flag = foo()) // tracking-note{{Calling 'foo'}} if (int flag = foo()) // tracking-note{{'flag' initialized here}}
// tracking-note@-1{{Returning from 'foo'}} // debug-note@-1{{Tracking condition 'flag'}}
// tracking-note@-2{{'flag' initialized here}} // expected-note@-2{{Assuming 'flag' is not equal to 0}}
// debug-note@-3{{Tracking condition 'flag'}} // expected-note@-3{{Taking true branch}}
// expected-note@-4{{Assuming 'flag' is not equal to 0}}
// expected-note@-5{{Taking true branch}}
*x = 5; // expected-warning{{Dereference of null pointer}} *x = 5; // expected-warning{{Dereference of null pointer}}
// expected-note@-1{{Dereference of null pointer}} // expected-note@-1{{Dereference of null pointer}}
} }
} // end of namespace variable_declaration_in_condition } // end of namespace variable_declaration_in_condition
namespace conversion_to_bool { namespace conversion_to_bool {
bool coin(); bool coin();
▲ Show 20 LinesShow All 77 Lines▼ Show 20 Lines
} }
} // end of namespace tracked_condition_is_only_initialized } // end of namespace tracked_condition_is_only_initialized
namespace tracked_condition_written_in_same_stackframe { namespace tracked_condition_written_in_same_stackframe {
int flag; int flag;
int getInt(); int getInt();
void f(int y) { void f(int y) {
y = 1; // tracking-note{{The value 1 is assigned to 'y'}} y = 1;
flag = y; // tracking-note{{The value 1 is assigned to 'flag'}} flag = y; // tracking-note{{The value 1 is assigned to 'flag'}}
int *x = 0; // expected-note{{'x' initialized to a null pointer value}} int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
if (flag) // expected-note{{'flag' is 1}} if (flag) // expected-note{{'flag' is 1}}
// expected-note@-1{{Taking true branch}} // expected-note@-1{{Taking true branch}}
// debug-note@-2{{Tracking condition 'flag'}} // debug-note@-2{{Tracking condition 'flag'}}
*x = 5; // expected-warning{{Dereference of null pointer}} *x = 5; // expected-warning{{Dereference of null pointer}}
// expected-note@-1{{Dereference of null pointer}} // expected-note@-1{{Dereference of null pointer}}
} }
} // end of namespace tracked_condition_written_in_same_stackframe } // end of namespace tracked_condition_written_in_same_stackframe
namespace tracked_condition_written_in_nested_stackframe { namespace tracked_condition_written_in_nested_stackframe {
int flag; int flag;
int getInt(); int getInt();
void foo() { void foo() {
int y; int y;
y = 1; // tracking-note{{The value 1 is assigned to 'y'}} y = 1;
flag = y; // tracking-note{{The value 1 is assigned to 'flag'}} flag = y; // tracking-note{{The value 1 is assigned to 'flag'}}
} }
void f(int y) { void f(int y) {
int *x = 0; // expected-note{{'x' initialized to a null pointer value}} int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
foo(); // tracking-note{{Calling 'foo'}} foo(); // tracking-note{{Calling 'foo'}}
// tracking-note@-1{{Returning from 'foo'}} // tracking-note@-1{{Returning from 'foo'}}
▲ Show 20 LinesShow All 59 LinesShow Last 20 Lines