This is an archive of the discontinued LLVM Phabricator instance.

Differential D66325

[analyzer] CastValueChecker: Store the dynamic types and casts
ClosedPublic

Authored by Charusso on Aug 15 2019, 5:24 PM.

Details

Reviewers
NoQ
xazax.hun
Commits
rG0202c3596c52: [analyzer] CastValueChecker: Store the dynamic types and casts
rC369605: [analyzer] CastValueChecker: Store the dynamic types and casts
rL369605: [analyzer] CastValueChecker: Store the dynamic types and casts
Summary

This patch introduces DynamicCastInfo similar to DynamicTypeInfo which
is stored in CastSets which are storing the dynamic cast informations of
objects based on memory regions. It could be used to store and check the
casts and prevent infeasible paths.

Diff Detail

Event Timeline

Charusso created this revision.Aug 15 2019, 5:24 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptAug 15 2019, 5:24 PM
Charusso added a comment.Aug 15 2019, 5:25 PM

@xazax.hun It is somehow performance critical code as we have too many casts in the LLVM. I would really appreciate it if you could review it.

Charusso added a parent revision: D66267: [analyzer] TrackConstraintBRVisitor: Do not track unknown values.Aug 15 2019, 5:26 PM
Charusso updated this revision to Diff 215893.EditedAug 19 2019, 7:34 AM
Charusso retitled this revision from [analyzer] CastValueChecker: Store the dynamic types in DynamicTypeMap to [analyzer] CastValueChecker: Store the dynamic types and casts.
  • From now we use a set to store the casts.
  • Added a way to dump out the cast informations.
Charusso edited the summary of this revision. (Show Details)Aug 19 2019, 7:36 AM
Charusso added a child revision: D66423: [analyzer] CastValueChecker: Model isa(), isa_and_nonnull().Aug 19 2019, 9:03 AM
NoQ added a comment.Aug 19 2019, 3:11 PM

Yay! I understand the rough idea and it looks perfectly reasonable to start with. Please add FIXMEs/TODOs on how we eventually want to support more complicated inheritance hierarchies.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h
4

Emm, so you're saving successes and failures of all casts regardless of which object is getting casted? That's definitely not sufficient. If X is a Stmt that isn't an Expr, you can't automatically infer that Y is a Stmt that isn't an Expr for any object Y other than X . This information needs to be per-object. Then you'll need to clean it up in checkDeadSymbols.

Charusso added inline comments.Aug 19 2019, 3:20 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h
4

I have two implementations, the other is set factory based on memory regions. Is it would be a good idea to go through all the regions every time and all their casts to know every possible cast-assumption? I have made it, and I felt like it is overcomplicated as the DynamicTypeMap could be used for asking what is the type now and whether we have better precision and update that information therefore we could update the cast-set as well.

NoQ added inline comments.Aug 19 2019, 3:30 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h
4

It's about correctness, we don't have much choice here. The current data structure simply cannot work correctly because there's a "one vs many" problem in it: for every pair of types (T₁, T₂) there are *many* possible outcomes of a cast from T₁ to T₂ (depending on the object that's being casted) but the current data structure only has room for *one* such outcome. Your data structure is basically saying "Oh, this shape turned out to be a circle, let's from now on forever believe that triangles don't exist" (?)

Charusso added inline comments.Aug 19 2019, 3:36 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h
4

Well, let me swap then with the set factory. I think I could handle that in the current shape, but I cannot say no to your clear idea. Thanks for the factory idea! It does the same at the moment.

Charusso updated this revision to Diff 216023.Aug 19 2019, 4:55 PM
Charusso edited the summary of this revision. (Show Details)
  • Use a set factory to store a dynamic cast information set per memory region.
Charusso added a comment.Aug 19 2019, 4:57 PM
In D66325#1636091, @NoQ wrote:

Yay! I understand the rough idea and it looks perfectly reasonable to start with. Please add FIXMEs/TODOs on how we eventually want to support more complicated inheritance hierarchies.

I have not decided yet. This only one successful cast allowance is the smallest possible solution, then we need a very great design to do better without exponential path-splitting. I have added a tiny TODO section.

NoQ added inline comments.Aug 19 2019, 5:47 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicCastInfo.h
20

I suggest enum CastResult { Success, Failure } ("a fail" is slang, also "result" because it's basically a result).

Also TODO: The success information should ideally go straight into the dynamic type map.

32–33

succeeds(), fails() (valid English).

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h
0

Can we move these macros into the cpp file so that they were only accessed by the fancy accessors?

Also i don't remember whether these macros do actually work correctly in headers. The original code was doing the trait manually because it had GDMIndex() defined in the cpp file, but if we put these macros into the header we'll have a static variable defined in multiple translation units, which may cause it to have different addresses in different dynamically loaded libraries that include this header.

You might need to merge your checkDeadSymbols() into the existing checkDeadSymbols().

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
83–93

Most of the time we should know exactly how many pointer/reference types we need to unwrap. I really prefer we hard-assert this knowledge instead of blindly unwrapping as many pointer/reference types as we want. Because every time we have an unexpected number of unwraps it's an indication that something went horribly wrong. So it's good to have the extra sanity checking.

117–131

To think: in D66423 you added this fancy feature when you dump the current dynamic type of the object instead of the static type. I think this is super cool and we should do it here as well, because the dynamic type is pretty much the only thing that you won't be able to figure out by looking at the source.

We could give the same message as for isa, say, Assuming the object is a 'Circle' etc.

133

It would have been much easier for me to read if this variable was called CastInfo.

136

Just CastSucceeds (valid English).

clang/lib/StaticAnalyzer/Core/DynamicTypeMap.cpp
18–21

My favorite way of writing this stuff:

const CastSet *SetPtr = State->get<DynamicCastMap>(MR);
CastSet Set = SetPtr ? *SetPTr : F.getEmptySet();
NoQ added a comment.Aug 19 2019, 5:51 PM

Also thanks, everything makes sense now!

Do we already have a test that will cover the necessity for having a map from regions to cast results? Eg.:

void foo(Shape *C, Shape *T) {
  if (isa<Circle>(S) && !isa<Circle>(T))
    clang_analyzer_warnIfReached(); // expected-warning{{TRUE}}
}
clang/test/Analysis/cast-value-state-dump.cpp
31

We're not assuming it, right? We already know it's gonna fail because we already know that it's a circle.

Charusso updated this revision to Diff 216246.Aug 20 2019, 2:04 PM
Charusso marked 15 inline comments as done.
  • Fix.
Herald added a subscriber: mgorny. · View Herald TranscriptAug 20 2019, 2:04 PM
Charusso mentioned this in D66423: [analyzer] CastValueChecker: Model isa(), isa_and_nonnull().Aug 20 2019, 2:04 PM
NoQ added a comment.Aug 20 2019, 2:16 PM

Something went wrong with message generation, can you take a look?

clang/test/Analysis/cast-value-notes.cpp
25

A circle is always a shape.

Assuming 'S' is a 'Shape' that is not a 'Circle' sounds about right.

Or just Assuming 'S' is not a 'Circle'.

35

A circle is always a circle.

56

The not a 'Circle' part is suspiciously specific.

Charusso updated this revision to Diff 216250.Aug 20 2019, 2:17 PM
  • Added a new test case and refactored that test file.
Charusso updated this revision to Diff 216312.Aug 20 2019, 6:50 PM
Charusso marked 3 inline comments as done.
  • Fix more and publish the previously forgotten comments.
clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicCastInfo.h
20

The successful cast is going to the type map, and the failure will not. Why would we need to store the failing casts in the type map? Therefore no differentiation is necessary I believe so that nor TODO.

clang/test/Analysis/cast-value-state-dump.cpp
31

We have no knowledge what is what. At the top we see that: Shape -> Circle, and then Triangle -> Circle is something new, so we have to assume that. It is an implementation detail we are allowing only one cast to be succeed. From the user point of view it is an assumption as the current state of the checker could not provide more/better information. It is the same logic from the ConditionBRVisitor.

Charusso marked an inline comment as done.Aug 20 2019, 6:51 PM
Charusso added inline comments.
clang/test/Analysis/cast-value-notes.cpp
35

I have removed that contradiction test case as being silly, but yes, that was the no-warning test properly.

Charusso updated this revision to Diff 216314.Aug 20 2019, 7:02 PM
  • Remove CastFromTy finally from the getNoteTag() API as it was uninformative.
Charusso updated this revision to Diff 216317.Aug 20 2019, 7:12 PM
  • Make the check-clang pass and simplify a test case.
NoQ added a comment.Aug 21 2019, 11:08 AM

Thanks!! Here's the last couple of nits that i have.

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
83–93

I think this one is still forgotten. Maybe a FIXME?

95–111

I'm worried that this may occasionally get too long and/or contain line breaks. Let's do the usual pattern matching instead: say 'X' for a DeclRefExpr to 'X', say 'field Y' for a MemberExpr made with field 'Y', say "the object" in other cases.

NoQ added inline comments.Aug 21 2019, 11:09 AM
clang/test/Analysis/cast-value-state-dump.cpp
31

Yeah, but it's not the observable behavior we'll be trying to preserve, so i suggest a FIXME.

Charusso updated this revision to Diff 216509.Aug 21 2019, 3:45 PM
Charusso marked 4 inline comments as done and an inline comment as not done.
  • Fix
NoQ added inline comments.Aug 21 2019, 3:48 PM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
126

"The" should be capitalized if there's no "Assuming" before it.

Charusso updated this revision to Diff 216513.Aug 21 2019, 3:58 PM
  • Fix printing.
Charusso marked an inline comment as done.Aug 21 2019, 3:58 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
83–93

Now I pattern-match that rule in the evalCall(), therefore we cannot try to evaluate nested references. Would you like to see more checks?

NoQ added a comment.Aug 21 2019, 4:29 PM

Let's land this then!~~

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
83–93

Oh, i see, you removed the recursion. Great.

NoQ accepted this revision.Aug 21 2019, 4:29 PM
This revision is now accepted and ready to land.Aug 21 2019, 4:29 PM
Charusso marked 6 inline comments as done.Aug 21 2019, 5:15 PM

Thanks for the review! The build-bots will fire with that QualType fix (1028 TU on its own). I will look into the exploded-graph-rewriter.py after GSoC to fix every stuff like that patch and also invoke my HTML simplification idea.

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
83–93

I was dumb enough to do not publish my comment six times, sorry.

Closed by commit rL369605: [analyzer] CastValueChecker: Store the dynamic types and casts (authored by Charusso). · Explain WhyAug 21 2019, 5:20 PM
This revision was automatically updated to reflect the committed changes.
Charusso marked an inline comment as done.
Herald added a project: Restricted Project. · View Herald TranscriptAug 21 2019, 5:20 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
thakis added a subscriber: thakis.Aug 21 2019, 5:27 PM

It looks like this renamed DynamicTypeMap.h but didn't update all users, see all the files in Checkers at http://llvm-cs.pcc.me.uk/?q=include.*dynamictypemap.h for example.

Which targets did you try to build locally?

thakis added a comment.Aug 21 2019, 5:28 PM

See e.g. http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-gn/builds/4344/steps/ninja%20/logs/stdio for errors; I'm guessing most other bots on http://lab.llvm.org:8011/console will turn red in a bit too.

Charusso added a comment.EditedAug 21 2019, 5:36 PM
In D66325#1640426, @thakis wrote:

It looks like this renamed DynamicTypeMap.h but didn't update all users, see all the files in Checkers at http://llvm-cs.pcc.me.uk/?q=include.*dynamictypemap.h for example.

Which targets did you try to build locally?

Well, the errors are in the Static Analyzer, and I have not got any warnings, but now I realized that this header has plenty of injections. Thanks for the fast response! I have fixed it in rL369607.

thakis added a comment.Aug 21 2019, 6:53 PM

Thanks! Looks like it builds fine now, but the tests are failing: http://lab.llvm.org:8011/builders/llvm-clang-x86_64-expensive-checks-win/builds/19297/steps/test-check-all/logs/stdio

FAIL: Clang :: Analysis/cast-value-state-dump.cpp (4352 of 48515)
******************** TEST 'Clang :: Analysis/cast-value-state-dump.cpp' FAILED ********************
Script:
--
: 'RUN: at line 1';   c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\bin\clang.exe -cc1 -internal-isystem c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\lib\clang\10.0.0\include -nostdsysteminc -analyze -analyzer-constraints=range   -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection  -analyzer-output=text -verify C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-state-dump.cpp 2>&1 | c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\bin\filecheck.exe C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-state-dump.cpp
--
Exit Code: 1

Command Output (stdout):
--
$ ":" "RUN: at line 1"
$ "c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\bin\clang.exe" "-cc1" "-internal-isystem" "c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\lib\clang\10.0.0\include" "-nostdsysteminc" "-analyze" "-analyzer-constraints=range" "-analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection" "-analyzer-output=text" "-verify" "C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-state-dump.cpp"
note: command had no output on stdout or stderr
error: command failed with exit status: 1
$ "c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\bin\filecheck.exe" "C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-state-dump.cpp"

--

********************
PASS: Clang :: Analysis/castexpr-callback.c (4353 of 48515)
PASS: Clang :: Analysis/bool-assignment.c (4354 of 48515)
PASS: Clang :: Analysis/builtin-functions.cpp (4355 of 48515)
PASS: Clang :: Analysis/cfg-indirect-goto-determinism.cpp (4356 of 48515)
PASS: Clang :: Analysis/casts.m (4357 of 48515)
FAIL: Clang :: Analysis/cast-value-notes.cpp (4358 of 48515)
******************** TEST 'Clang :: Analysis/cast-value-notes.cpp' FAILED ********************
Script:
--
: 'RUN: at line 1';   c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\bin\clang.exe -cc1 -internal-isystem c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\lib\clang\10.0.0\include -nostdsysteminc -analyze -analyzer-constraints=range   -analyzer-checker=core,apiModeling.llvm.CastValue   -analyzer-output=text -verify C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp
--
Exit Code: 1

Command Output (stdout):
--
$ ":" "RUN: at line 1"
$ "c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\bin\clang.exe" "-cc1" "-internal-isystem" "c:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\build\lib\clang\10.0.0\include" "-nostdsysteminc" "-analyze" "-analyzer-constraints=range" "-analyzer-checker=core,apiModeling.llvm.CastValue" "-analyzer-output=text" "-verify" "C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp"
# command stderr:
error: 'note' diagnostics expected but not seen: 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 23 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:24): Assuming 'S' is not a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 30 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:31): Assuming 'S' is a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 34 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:35): 'C' is a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 40 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:41): Assuming 'C' is not a 'Triangle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 46 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:47): 'C' is not a 'Triangle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 59 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:60): 'S' is a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 63 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:64): 'C' is a 'Triangle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 76 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:77): Assuming 'S' is not a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 79 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:80): Assuming 'S' is a 'Triangle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 103 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:104): 'S' is a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 114 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:115): 'S' is a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 125 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:126): Assuming 'S' is not a 'Circle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 129 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:130): Assuming 'S' is a 'Triangle'

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 135 (directive at C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp:136): 'S' is a 'Triangle'

error: 'note' diagnostics seen but not expected: 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 23: h2/ 6aM6

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 30: h2/ 6a

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 34: h2/ 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 40: h2/06aM6

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 46: h2/ 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 59: h2/ 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 63: h2/ 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 76: h2/ 6aM6

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 79: h2/ 6aM6

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 103: h2/ 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 114: h2/ 

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 125: h2/ 6aM6

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 129: h2/ 6aM6

  File C:\ps4-buildslave2\llvm-clang-x86_64-expensive-checks-win\llvm\tools\clang\test\Analysis\cast-value-notes.cpp Line 135: h2/ 

28 errors generated.


error: command failed with exit status: 1

--

...

Failing Tests (2):
    Clang :: Analysis/cast-value-notes.cpp
    Clang :: Analysis/cast-value-state-dump.cpp
Charusso added a comment.Aug 21 2019, 7:06 PM
In D66325#1640483, @thakis wrote:

Thanks! Looks like it builds fine now, but the tests are failing: http://lab.llvm.org:8011/builders/llvm-clang-x86_64-expensive-checks-win/builds/19297/steps/test-check-all/logs/stdio
Failing Tests (2):

Clang :: Analysis/cast-value-notes.cpp
Clang :: Analysis/cast-value-state-dump.cpp

I have noticed something is broken other than the first fix, just I am not that professional C++ developer to immediately catch the error. I am totally on it, thanks!

Charusso added a comment.Aug 21 2019, 7:29 PM
   return C.getNoteTag(
-      [=] {
+      [=]() -> std::string {
         SmallString<128> Msg;

That was the fix by rL369609. Somehow it converted to a temporary object therefore that was an issue:

[175/176] Running the Clang regression tests
llvm-lit: /b/sanitizer-x86_64-linux-fast/build/llvm/utils/lit/lit/llvm/config.py:340: note: using clang: /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang
-- Testing: 15399 tests, 64 threads --
Testing: 0 
FAIL: Clang :: Analysis/cast-value-notes.cpp (355 of 15399)
******************** TEST 'Clang :: Analysis/cast-value-notes.cpp' FAILED ********************
Script:
--
: 'RUN: at line 1';   /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang -cc1 -internal-isystem /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/lib/clang/10.0.0/include -nostdsysteminc -analyze -analyzer-constraints=range   -analyzer-checker=core,apiModeling.llvm.CastValue   -analyzer-output=text -verify /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/test/Analysis/cast-value-notes.cpp
--
Exit Code: 1

Command Output (stderr):
--
=================================================================
==43337==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fa639ecfa30 at pc 0x000000c7ac85 bp 0x7fff83887490 sp 0x7fff83886c40
READ of size 19 at 0x7fa639ecfa30 thread T0
    #0 0xc7ac84 in __asan_memcpy /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22
    #1 0xa328415 in copy /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__string:225:50
    #2 0xa328415 in __init /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/string:1792
    #3 0xa328415 in basic_string /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/string:1813
    #4 0xa328415 in str /b/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/ADT/StringRef.h:220
    #5 0xa328415 in operator basic_string /b/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/ADT/StringRef.h:247
    #6 0xa328415 in __call<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp:113:7) &> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__functional_base:317
    #7 0xa328415 in operator() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1540
    #8 0xa328415 in std::__1::__function::__func<getNoteTag(clang::ento::CheckerContext&, clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*, bool, bool)::$_0, std::__1::allocator<getNoteTag(clang::ento::CheckerContext&, clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*, bool, bool)::$_0>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > ()>::operator()() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1714
    #9 0xa32751d in operator() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1867:16
    #10 0xa32751d in operator() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2473
    #11 0xa32751d in operator() /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259
    #12 0xa32751d in __invoke<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259:23) &, clang::ento::BugReporterContext &, clang::ento::BugReport &> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/type_traits:3501
    #13 0xa32751d in __call<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259:23) &, clang::ento::BugReporterContext &, clang::ento::BugReport &> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__functional_base:317
    #14 0xa32751d in operator() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1540
    #15 0xa32751d in std::__1::__function::__func<clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > ()>&&, bool)::'lambda'(clang::ento::BugReporterContext&, clang::ento::BugReport&), std::__1::allocator<clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > ()>&&, bool)::'lambda'(clang::ento::BugReporterContext&, clang::ento::BugReport&)>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > (clang::ento::BugReporterContext&, clang::ento::BugReport&)>::operator()(clang::ento::BugReporterContext&, clang::ento::BugReport&) /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1714
    #16 0xa990926 in operator() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1867:16
    #17 0xa990926 in operator() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2473
    #18 0xa990926 in generateMessage /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h:572
    #19 0xa990926 in clang::ento::TagVisitor::VisitNode(clang::ento::ExplodedNode const*, clang::ento::BugReporterContext&, clang::ento::BugReport&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp:2879
    #20 0xa94b59f in generateVisitorsDiagnostics(clang::ento::BugReport*, clang::ento::ExplodedNode const*, clang::ento::BugReporterContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2634:19
    #21 0xa9417b3 in findValidReport /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2674:9
    #22 0xa9417b3 in clang::ento::PathSensitiveBugReporter::generatePathDiagnostics(llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>, llvm::ArrayRef<clang::ento::BugReport*>&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2708
    #23 0xa948006 in clang::ento::BugReporter::generateDiagnosticForConsumerMap(clang::ento::BugReport*, llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>, llvm::ArrayRef<clang::ento::BugReport*>) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:3032:5
    #24 0xa93c090 in clang::ento::BugReporter::FlushReport(clang::ento::BugReportEquivClass&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2893:7
    #25 0xa93a72e in clang::ento::BugReporter::FlushReports() /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2308:5
    #26 0xa23ec21 in RunPathSensitiveChecks /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:816:24
    #27 0xa23ec21 in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:774
    #28 0xa1f6203 in HandleDeclsCallGraph /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:556:5
    #29 0xa1f6203 in runAnalysisOnTranslationUnit /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:607
    #30 0xa1f6203 in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:637
    #31 0xad37ae0 in clang::ParseAST(clang::Sema&, bool, bool) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Parse/ParseAST.cpp:171:13
    #32 0x7ad09b9 in clang::FrontendAction::Execute() /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:935:8
    #33 0x79ae417 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:946:33
    #34 0x7d27c53 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:291:25
    #35 0xcc5084 in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/cc1_main.cpp:250:15
    #36 0xcbcadc in ExecuteCC1Tool /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:309:12
    #37 0xcbcadc in main /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:381
    #38 0x7fa63d18f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #39 0xbed7c9 in _start (/b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang-10+0xbed7c9)

Address 0x7fa639ecfa30 is located in stack of thread T0 at offset 48 in frame
    #0 0xa32780f in std::__1::__function::__func<getNoteTag(clang::ento::CheckerContext&, clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*, bool, bool)::$_0, std::__1::allocator<getNoteTag(clang::ento::CheckerContext&, clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*, bool, bool)::$_0>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > ()>::operator()() /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1713

  This frame has 4 object(s):
    [32, 176) 'Msg.i.i.i.i' <== Memory access at offset 48 is inside this variable
    [240, 288) 'Out.i.i.i.i'
    [320, 344) 'ref.tmp.i.i.i.i'
    [384, 408) 'ref.tmp14.i.i.i.i'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0ff5473d1ef0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0ff5473d1f00: f1 f1 f1 f1 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
  0x0ff5473d1f10: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8
  0x0ff5473d1f20: f8 f8 f8 f8 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0ff5473d1f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff5473d1f40: f1 f1 f1 f1 f8 f8[f8]f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ff5473d1f50: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8
  0x0ff5473d1f60: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
  0x0ff5473d1f70: f8 f8 f8 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0ff5473d1f80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0ff5473d1f90: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==43337==ABORTING

--

Thanks for your notes! Also @xazax.hun may you are interested in this lifetime issue.

NoQ mentioned this in D66847: [analyzer] Fix analyzer warnings..Aug 27 2019, 5:54 PM

Revision Contents

PathSize
clang/
include/
clang/
AST/
3 lines
StaticAnalyzer/
Core/
PathSensitive/
15 lines
55 lines
73 lines
46 lines
lib/
StaticAnalyzer/
Checkers/
276 lines
15 lines
Core/
2 lines
223 lines
2 lines
test/
Analysis/
Inputs/
19 lines
128 lines
144 lines
47 lines
3 lines
1 line

Diff 216509

clang/include/clang/AST/Type.h

Show First 20 LinesShow All 966 Lines▼ Show 20 Linespublic:
/// Indicate whether the specified types and qualifiers are identical. /// Indicate whether the specified types and qualifiers are identical.
friend bool operator==(const QualType &LHS, const QualType &RHS) { friend bool operator==(const QualType &LHS, const QualType &RHS) {
return LHS.Value == RHS.Value; return LHS.Value == RHS.Value;
} }
friend bool operator!=(const QualType &LHS, const QualType &RHS) { friend bool operator!=(const QualType &LHS, const QualType &RHS) {
return LHS.Value != RHS.Value; return LHS.Value != RHS.Value;
} }
friend bool operator<(const QualType &LHS, const QualType &RHS) {
return LHS.Value < RHS.Value;
}
static std::string getAsString(SplitQualType split, static std::string getAsString(SplitQualType split,
const PrintingPolicy &Policy) { const PrintingPolicy &Policy) {
return getAsString(split.Ty, split.Quals, Policy); return getAsString(split.Ty, split.Quals, Policy);
} }
static std::string getAsString(const Type *ty, Qualifiers qs, static std::string getAsString(const Type *ty, Qualifiers qs,
const PrintingPolicy &Policy); const PrintingPolicy &Policy);
▲ Show 20 LinesShow All 5,944 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h

Show First 20 LinesShow All 228 Lines▼ Show 20 Linespublic:
/// @param IsPrunable Whether the note is prunable. It allows BugReporter /// @param IsPrunable Whether the note is prunable. It allows BugReporter
/// to omit the note from the report if it would make the displayed /// to omit the note from the report if it would make the displayed
/// bug path significantly shorter. /// bug path significantly shorter.
const NoteTag *getNoteTag(NoteTag::Callback &&Cb, bool IsPrunable = false) { const NoteTag *getNoteTag(NoteTag::Callback &&Cb, bool IsPrunable = false) {
return Eng.getNoteTags().makeNoteTag(std::move(Cb), IsPrunable); return Eng.getNoteTags().makeNoteTag(std::move(Cb), IsPrunable);
} }
/// A shorthand version of getNoteTag that doesn't require you to accept /// A shorthand version of getNoteTag that doesn't require you to accept
/// the BugReporterContext arguments when you don't need it. /// the 'BugReporterContext' argument when you don't need it.
/// ///
/// @param Cb Callback only with 'BugReport &' parameter. /// @param Cb Callback only with 'BugReport &' parameter.
/// @param IsPrunable Whether the note is prunable. It allows BugReporter /// @param IsPrunable Whether the note is prunable. It allows BugReporter
/// to omit the note from the report if it would make the displayed /// to omit the note from the report if it would make the displayed
/// bug path significantly shorter. /// bug path significantly shorter.
const NoteTag *getNoteTag(std::function<std::string(BugReport &)> &&Cb, const NoteTag *getNoteTag(std::function<std::string(BugReport &)> &&Cb,
bool IsPrunable = false) { bool IsPrunable = false) {
return getNoteTag( return getNoteTag(
[Cb](BugReporterContext &, BugReport &BR) { return Cb(BR); }, [Cb](BugReporterContext &, BugReport &BR) { return Cb(BR); },
IsPrunable); IsPrunable);
} }
/// A shorthand version of getNoteTag that doesn't require you to accept
/// the arguments when you don't need it.
///
/// @param Cb Callback without parameters.
/// @param IsPrunable Whether the note is prunable. It allows BugReporter
/// to omit the note from the report if it would make the displayed
/// bug path significantly shorter.
const NoteTag *getNoteTag(std::function<std::string()> &&Cb,
bool IsPrunable = false) {
return getNoteTag([Cb](BugReporterContext &, BugReport &) { return Cb(); },
IsPrunable);
}
/// A shorthand version of getNoteTag that accepts a plain note. /// A shorthand version of getNoteTag that accepts a plain note.
/// ///
/// @param Note The note. /// @param Note The note.
/// @param IsPrunable Whether the note is prunable. It allows BugReporter /// @param IsPrunable Whether the note is prunable. It allows BugReporter
/// to omit the note from the report if it would make the displayed /// to omit the note from the report if it would make the displayed
/// bug path significantly shorter. /// bug path significantly shorter.
const NoteTag *getNoteTag(StringRef Note, bool IsPrunable = false) { const NoteTag *getNoteTag(StringRef Note, bool IsPrunable = false) {
return getNoteTag( return getNoteTag(
▲ Show 20 LinesShow All 91 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicCastInfo.h

  • This file was added.
//===- DynamicCastInfo.h - Runtime cast information -------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICCASTINFO_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICCASTINFO_H
#include "clang/AST/Type.h"
namespace clang {
namespace ento {
class DynamicCastInfo {
public:
enum CastResult { Success, Failure };
NoQUnsubmitted
Done
ReplyInline Actions

I suggest enum CastResult { Success, Failure } ("a fail" is slang, also "result" because it's basically a result).

Also TODO: The success information should ideally go straight into the dynamic type map.

NoQ: I suggest `enum CastResult { Success, Failure }` ("a fail" is slang, also "result" because it's…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

The successful cast is going to the type map, and the failure will not. Why would we need to store the failing casts in the type map? Therefore no differentiation is necessary I believe so that nor TODO.

Charusso: The successful cast is going to the type map, and the failure will not. Why would we need to…
DynamicCastInfo(QualType from, QualType to, CastResult resultKind)
: From(from), To(to), ResultKind(resultKind) {}
QualType from() const { return From; }
QualType to() const { return To; }
bool equals(QualType from, QualType to) const {
return From == from && To == to;
}
bool succeeds() const { return ResultKind == CastResult::Success; }
bool fails() const { return ResultKind == CastResult::Failure; }
NoQUnsubmitted
Done
ReplyInline Actions

succeeds(), fails() (valid English).

NoQ: `succeeds()`, `fails()` (valid English).
bool operator==(const DynamicCastInfo &RHS) const {
return From == RHS.From && To == RHS.To;
}
bool operator<(const DynamicCastInfo &RHS) const {
return From < RHS.From && To < RHS.To;
}
void Profile(llvm::FoldingSetNodeID &ID) const {
ID.Add(From);
ID.Add(To);
ID.AddInteger(ResultKind);
}
private:
QualType From, To;
CastResult ResultKind;
};
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICCASTINFO_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h

  • This file was added.
//===- DynamicType.h - Dynamic type related APIs ----------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines APIs that track and query dynamic type information. This
// information can be used to devirtualize calls during the symbolic execution
// or do type checking.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H
#include "clang/AST/Type.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicCastInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/ImmutableMap.h"
#include "llvm/ADT/Optional.h"
#include <utility>
namespace clang {
namespace ento {
/// Get dynamic type information for the region \p MR.
DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR);
/// Get raw dynamic type information for the region \p MR.
const DynamicTypeInfo *getRawDynamicTypeInfo(ProgramStateRef State,
const MemRegion *MR);
/// Get dynamic cast information from \p CastFromTy to \p CastToTy of \p MR.
const DynamicCastInfo *getDynamicCastInfo(ProgramStateRef State,
const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy);
/// Set dynamic type information of the region; return the new state.
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
DynamicTypeInfo NewTy);
/// Set dynamic type information of the region; return the new state.
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
QualType NewTy, bool CanBeSubClassed = true);
/// Set dynamic type and cast information of the region; return the new state.
ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State,
const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy, QualType ResultTy,
bool IsCastSucceeds);
/// Removes the dead type informations from \p State.
ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR);
/// Removes the dead cast informations from \p State.
ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR);
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL = "\n", unsigned int Space = 0,
bool IsDot = false);
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h

//== DynamicTypeInfo.h - Runtime type information ----------------*- C++ -*--=// //===- DynamicTypeInfo.h - Runtime type information -------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEINFO_H #ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEINFO_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEINFO_H #define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEINFO_H
#include "clang/AST/Type.h" #include "clang/AST/Type.h"
namespace clang { namespace clang {
namespace ento { namespace ento {
/// Stores the currently inferred strictest bound on the runtime type /// Stores the currently inferred strictest bound on the runtime type
/// of a region in a given state along the analysis path. /// of a region in a given state along the analysis path.
class DynamicTypeInfo { class DynamicTypeInfo {
private:
QualType T;
bool CanBeASubClass;
public: public:
DynamicTypeInfo() : DynTy(QualType()) {}
DynamicTypeInfo() : T(QualType()) {} DynamicTypeInfo(QualType Ty, bool CanBeSub = true)
DynamicTypeInfo(QualType WithType, bool CanBeSub = true) : DynTy(Ty), CanBeASubClass(CanBeSub) {}
: T(WithType), CanBeASubClass(CanBeSub) {}
/// Returns false if the type information is precise (the type 'DynTy' is
/// the only type in the lattice), true otherwise.
bool canBeASubClass() const { return CanBeASubClass; }
/// Return false if no dynamic type info is available. /// Returns true if the dynamic type info is available.
bool isValid() const { return !T.isNull(); } bool isValid() const { return !DynTy.isNull(); }
/// Returns the currently inferred upper bound on the runtime type. /// Returns the currently inferred upper bound on the runtime type.
QualType getType() const { return T; } QualType getType() const { return DynTy; }
/// Returns false if the type information is precise (the type T is bool operator==(const DynamicTypeInfo &RHS) const {
/// the only type in the lattice), true otherwise. return DynTy == RHS.DynTy && CanBeASubClass == RHS.CanBeASubClass;
bool canBeASubClass() const { return CanBeASubClass; } }
void Profile(llvm::FoldingSetNodeID &ID) const { void Profile(llvm::FoldingSetNodeID &ID) const {
ID.Add(T); ID.Add(DynTy);
ID.AddInteger((unsigned)CanBeASubClass); ID.AddBoolean(CanBeASubClass);
}
bool operator==(const DynamicTypeInfo &X) const {
return T == X.T && CanBeASubClass == X.CanBeASubClass;
} }
private:
QualType DynTy;
bool CanBeASubClass;
}; };
} // end ento } // namespace ento
} // end clang } // namespace clang
#endif #endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEINFO_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h

  • This file was deleted.
//===- DynamicTypeMap.h - Dynamic type map ----------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file provides APIs for tracking dynamic type information.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEMAP_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEMAP_H
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "llvm/ADT/ImmutableMap.h"
#include "clang/AST/Type.h"
namespace clang {
namespace ento {
class MemRegion;
/// The GDM component containing the dynamic type info. This is a map from a
/// symbol to its most likely type.
struct DynamicTypeMap {};
using DynamicTypeMapTy = llvm::ImmutableMap<const MemRegion *, DynamicTypeInfo>;
template <>
struct ProgramStateTrait<DynamicTypeMap>
: public ProgramStatePartialTrait<DynamicTypeMapTy> {
static void *GDMIndex();
};
/// Get dynamic type information for a region.
DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State,
const MemRegion *Reg);
/// Set dynamic type information of the region; return the new state.
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *Reg,
DynamicTypeInfo NewTy);
/// Set dynamic type information of the region; return the new state.
inline ProgramStateRef setDynamicTypeInfo(ProgramStateRef State,
const MemRegion *Reg, QualType NewTy,
bool CanBeSubClassed = true) {
return setDynamicTypeInfo(State, Reg,
DynamicTypeInfo(NewTy, CanBeSubClassed));
}
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL = "\n", unsigned int Space = 0,
bool IsDot = false);
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEMAP_H

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

//===- CastValueChecker - Model implementation of custom RTTIs --*- C++ -*-===// //===- CastValueChecker - Model implementation of custom RTTIs --*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines CastValueChecker which models casts of custom RTTIs. // This defines CastValueChecker which models casts of custom RTTIs.
// //
// TODO list:
// - It only allows one succesful cast between two types however in the wild
// the object could be casted to multiple types.
// - It needs to check the most likely type information from the dynamic type
// map to increase precision of dynamic casting.
//
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class CastValueChecker : public Checker<eval::Call> { class CastValueChecker : public Checker<eval::Call> {
enum class CastKind { Function, Method }; enum class CallKind { Function, Method };
using CastCheck = using CastCheck =
std::function<void(const CastValueChecker *, const CallExpr *, std::function<void(const CastValueChecker *, const CallEvent &Call,
DefinedOrUnknownSVal, CheckerContext &)>; DefinedOrUnknownSVal, CheckerContext &)>;
using CheckKindPair = std::pair<CastCheck, CastKind>;
public: public:
// We have five cases to evaluate a cast: // We have five cases to evaluate a cast:
// 1) The parameter is non-null, the return value is non-null // 1) The parameter is non-null, the return value is non-null.
// 2) The parameter is non-null, the return value is null // 2) The parameter is non-null, the return value is null.
// 3) The parameter is null, the return value is null // 3) The parameter is null, the return value is null.
// cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3. // cast: 1; dyn_cast: 1, 2; cast_or_null: 1, 3; dyn_cast_or_null: 1, 2, 3.
// //
// 4) castAs: has no parameter, the return value is non-null. // 4) castAs: Has no parameter, the return value is non-null.
// 5) getAs: has no parameter, the return value is null or non-null. // 5) getAs: Has no parameter, the return value is null or non-null.
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
private: private:
// These are known in the LLVM project. The pairs are in the following form: // These are known in the LLVM project. The pairs are in the following form:
// {{{namespace, call}, argument-count}, {callback, kind}} // {{{namespace, call}, argument-count}, {callback, kind}}
const CallDescriptionMap<CheckKindPair> CDM = { const CallDescriptionMap<std::pair<CastCheck, CallKind>> CDM = {
{{{"llvm", "cast"}, 1}, {{{"llvm", "cast"}, 1},
{&CastValueChecker::evalCast, CastKind::Function}}, {&CastValueChecker::evalCast, CallKind::Function}},
{{{"llvm", "dyn_cast"}, 1}, {{{"llvm", "dyn_cast"}, 1},
{&CastValueChecker::evalDynCast, CastKind::Function}}, {&CastValueChecker::evalDynCast, CallKind::Function}},
{{{"llvm", "cast_or_null"}, 1}, {{{"llvm", "cast_or_null"}, 1},
{&CastValueChecker::evalCastOrNull, CastKind::Function}}, {&CastValueChecker::evalCastOrNull, CallKind::Function}},
{{{"llvm", "dyn_cast_or_null"}, 1}, {{{"llvm", "dyn_cast_or_null"}, 1},
{&CastValueChecker::evalDynCastOrNull, CastKind::Function}}, {&CastValueChecker::evalDynCastOrNull, CallKind::Function}},
{{{"clang", "castAs"}, 0}, {{{"clang", "castAs"}, 0},
{&CastValueChecker::evalCastAs, CastKind::Method}}, {&CastValueChecker::evalCastAs, CallKind::Method}},
{{{"clang", "getAs"}, 0}, {{{"clang", "getAs"}, 0},
{&CastValueChecker::evalGetAs, CastKind::Method}}}; {&CastValueChecker::evalGetAs, CallKind::Method}}};
void evalCast(const CallExpr *CE, DefinedOrUnknownSVal DV, void evalCast(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal DV, void evalDynCast(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal DV, void evalCastOrNull(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalDynCastOrNull(const CallExpr *CE, DefinedOrUnknownSVal DV, void evalDynCastOrNull(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalCastAs(const CallExpr *CE, DefinedOrUnknownSVal DV, void evalCastAs(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalGetAs(const CallExpr *CE, DefinedOrUnknownSVal DV, void evalGetAs(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
}; };
} // namespace } // namespace
static std::string getCastName(const Expr *Cast) { static QualType getRecordType(QualType Ty) {
QualType Ty = Cast->getType(); Ty = Ty.getCanonicalType();
if (const CXXRecordDecl *RD = Ty->getAsCXXRecordDecl())
return RD->getNameAsString(); if (Ty->isPointerType())
Ty = Ty->getPointeeType();
if (Ty->isReferenceType())
Ty = Ty.getNonReferenceType();
return Ty->getPointeeCXXRecordDecl()->getNameAsString(); return Ty.getUnqualifiedType();
} }
NoQUnsubmitted
Done
ReplyInline Actions

Most of the time we should know exactly how many pointer/reference types we need to unwrap. I really prefer we hard-assert this knowledge instead of blindly unwrapping as many pointer/reference types as we want. Because every time we have an unexpected number of unwraps it's an indication that something went horribly wrong. So it's good to have the extra sanity checking.

NoQ: Most of the time we should know exactly how many pointer/reference types we need to unwrap. I…
NoQUnsubmitted
Done
ReplyInline Actions

I think this one is still forgotten. Maybe a FIXME?

NoQ: I think this one is still forgotten. Maybe a FIXME?
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Now I pattern-match that rule in the evalCall(), therefore we cannot try to evaluate nested references. Would you like to see more checks?

Charusso: Now I pattern-match that rule in the `evalCall()`, therefore we cannot try to evaluate nested…
NoQUnsubmitted
Done
ReplyInline Actions

Oh, i see, you removed the recursion. Great.

NoQ: Oh, i see, you removed the recursion. Great.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I was dumb enough to do not publish my comment six times, sorry.

Charusso: I was dumb enough to do not publish my comment six times, sorry.
static const NoteTag *getCastTag(bool IsNullReturn, const CallExpr *CE, static bool isInfeasibleCast(const DynamicCastInfo *CastInfo,
CheckerContext &C, bool CastSucceeds) {
bool IsCheckedCast = false) { if (!CastInfo)
Optional<std::string> CastFromName = (CE->getNumArgs() > 0) return false;
? getCastName(CE->getArg(0))
: Optional<std::string>(); return CastSucceeds ? CastInfo->fails() : CastInfo->succeeds();
std::string CastToName = getCastName(CE); }
static const NoteTag *getNoteTag(CheckerContext &C,
const DynamicCastInfo *CastInfo,
QualType CastToTy, const Expr *Object,
bool CastSucceeds, bool IsKnownCast) {
std::string CastToName =
CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
: CastToTy->getAsCXXRecordDecl()->getNameAsString();
Object = Object->IgnoreParenImpCasts();
NoQUnsubmitted
Done
ReplyInline Actions

I'm worried that this may occasionally get too long and/or contain line breaks. Let's do the usual pattern matching instead: say 'X' for a DeclRefExpr to 'X', say 'field Y' for a MemberExpr made with field 'Y', say "the object" in other cases.

NoQ: I'm worried that this may occasionally get too long and/or contain line breaks. Let's do the…
return C.getNoteTag( return C.getNoteTag(
[CastFromName, CastToName, IsNullReturn, [=] {
IsCheckedCast](BugReport &) -> std::string {
SmallString<128> Msg; SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
Out << (!IsCheckedCast ? "Assuming dynamic cast " : "Checked cast "); if (!IsKnownCast)
if (CastFromName) Out << "Assuming ";
Out << "from '" << *CastFromName << "' ";
Out << "to '" << CastToName << "' " if (const auto *DRE = dyn_cast<DeclRefExpr>(Object)) {
<< (!IsNullReturn ? "succeeds" : "fails"); Out << '\'' << DRE->getDecl()->getNameAsString() << '\'';
} else if (const auto *ME = dyn_cast<MemberExpr>(Object)) {
Out << (IsKnownCast ? "field '" : "Field '")
<< ME->getMemberDecl()->getNameAsString() << '\'';
} else {
Out << "the object";
NoQUnsubmitted
Done
ReplyInline Actions

"The" should be capitalized if there's no "Assuming" before it.

NoQ: "The" should be capitalized if there's no "Assuming" before it.
}
Out << ' ' << (CastSucceeds ? "is a" : "is not a") << " '" << CastToName
<< '\'';
NoQUnsubmitted
Done
ReplyInline Actions

To think: in D66423 you added this fancy feature when you dump the current dynamic type of the object instead of the static type. I think this is super cool and we should do it here as well, because the dynamic type is pretty much the only thing that you won't be able to figure out by looking at the source.

We could give the same message as for isa, say, Assuming the object is a 'Circle' etc.

NoQ: To think: in D66423 you added this fancy feature when you dump the current dynamic type of the…
return Out.str(); return Out.str();
}, },
NoQUnsubmitted
Done
ReplyInline Actions

It would have been much easier for me to read if this variable was called CastInfo.

NoQ: It would have been much easier for me to read if this variable was called `CastInfo`.
/*IsPrunable=*/true); /*IsPrunable=*/true);
} }
NoQUnsubmitted
Done
ReplyInline Actions

Just CastSucceeds (valid English).

NoQ: Just `CastSucceeds` (valid English).
static ProgramStateRef getState(bool IsNullReturn, //===----------------------------------------------------------------------===//
DefinedOrUnknownSVal ReturnDV, // Main logic to evaluate a cast.
const CallExpr *CE, ProgramStateRef State, //===----------------------------------------------------------------------===//
CheckerContext &C) {
return State->BindExpr( static void addCastTransition(const CallEvent &Call, DefinedOrUnknownSVal DV,
CE, C.getLocationContext(), CheckerContext &C, bool IsNonNullParam,
IsNullReturn ? C.getSValBuilder().makeNull() : ReturnDV, false); bool IsNonNullReturn,
bool IsCheckedCast = false) {
ProgramStateRef State = C.getState()->assume(DV, IsNonNullParam);
if (!State)
return;
const Expr *Object;
QualType CastFromTy;
QualType CastToTy = getRecordType(Call.getResultType());
if (Call.getNumArgs() > 0) {
Object = Call.getArgExpr(0);
CastFromTy = getRecordType(Call.parameters()[0]->getType());
} else {
Object = cast<CXXInstanceCall>(&Call)->getCXXThisExpr();
CastFromTy = getRecordType(Object->getType());
}
const MemRegion *MR = DV.getAsRegion();
const DynamicCastInfo *CastInfo =
getDynamicCastInfo(State, MR, CastFromTy, CastToTy);
// We assume that every checked cast succeeds.
bool CastSucceeds = IsCheckedCast || CastFromTy == CastToTy;
if (!CastSucceeds) {
if (CastInfo)
CastSucceeds = IsNonNullReturn && CastInfo->succeeds();
else
CastSucceeds = IsNonNullReturn;
}
// Check for infeasible casts.
if (isInfeasibleCast(CastInfo, CastSucceeds)) {
C.generateSink(State, C.getPredecessor());
return;
}
// Store the type and the cast information.
bool IsKnownCast = CastInfo || IsCheckedCast || CastFromTy == CastToTy;
if (!IsKnownCast || IsCheckedCast)
State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy,
Call.getResultType(), CastSucceeds);
SVal V = CastSucceeds ? DV : C.getSValBuilder().makeNull();
C.addTransition(
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), V, false),
getNoteTag(C, CastInfo, CastToTy, Object, CastSucceeds, IsKnownCast));
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null. // Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static void evalNonNullParamNonNullReturn(const CallExpr *CE, static void evalNonNullParamNonNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
CheckerContext &C, CheckerContext &C,
bool IsCheckedCast = false) { bool IsCheckedCast = false) {
bool IsNullReturn = false; addCastTransition(Call, DV, C, /*IsNonNullParam=*/true,
if (ProgramStateRef State = C.getState()->assume(DV, true)) /*IsNonNullReturn=*/true, IsCheckedCast);
C.addTransition(getState(IsNullReturn, DV, CE, State, C),
getCastTag(IsNullReturn, CE, C, IsCheckedCast));
} }
static void evalNonNullParamNullReturn(const CallExpr *CE, static void evalNonNullParamNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
CheckerContext &C) { CheckerContext &C) {
bool IsNullReturn = true; addCastTransition(Call, DV, C, /*IsNonNullParam=*/true,
if (ProgramStateRef State = C.getState()->assume(DV, true)) /*IsNonNullReturn=*/false);
C.addTransition(getState(IsNullReturn, DV, CE, State, C),
getCastTag(IsNullReturn, CE, C));
} }
static void evalNullParamNullReturn(const CallExpr *CE, DefinedOrUnknownSVal DV, static void evalNullParamNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV,
CheckerContext &C) { CheckerContext &C) {
if (ProgramStateRef State = C.getState()->assume(DV, false)) if (ProgramStateRef State = C.getState()->assume(DV, false))
C.addTransition(getState(/*IsNullReturn=*/true, DV, CE, State, C), C.addTransition(State->BindExpr(Call.getOriginExpr(),
C.getLocationContext(),
C.getSValBuilder().makeNull(), false),
C.getNoteTag("Assuming null pointer is passed into cast", C.getNoteTag("Assuming null pointer is passed into cast",
/*IsPrunable=*/true)); /*IsPrunable=*/true));
} }
void CastValueChecker::evalCast(const CallExpr *CE, DefinedOrUnknownSVal DV, void CastValueChecker::evalCast(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, DV, C, /*IsCheckedCast=*/true); evalNonNullParamNonNullReturn(Call, DV, C, /*IsCheckedCast=*/true);
} }
void CastValueChecker::evalDynCast(const CallExpr *CE, DefinedOrUnknownSVal DV, void CastValueChecker::evalDynCast(const CallEvent &Call,
DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, DV, C); evalNonNullParamNonNullReturn(Call, DV, C);
evalNonNullParamNullReturn(CE, DV, C); evalNonNullParamNullReturn(Call, DV, C);
} }
void CastValueChecker::evalCastOrNull(const CallExpr *CE, void CastValueChecker::evalCastOrNull(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, DV, C); evalNonNullParamNonNullReturn(Call, DV, C);
evalNullParamNullReturn(CE, DV, C); evalNullParamNullReturn(Call, DV, C);
} }
void CastValueChecker::evalDynCastOrNull(const CallExpr *CE, void CastValueChecker::evalDynCastOrNull(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalNonNullParamNonNullReturn(CE, DV, C); evalNonNullParamNonNullReturn(Call, DV, C);
evalNonNullParamNullReturn(CE, DV, C); evalNonNullParamNullReturn(Call, DV, C);
evalNullParamNullReturn(CE, DV, C); evalNullParamNullReturn(Call, DV, C);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Evaluating castAs, getAs. // Evaluating castAs, getAs.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static void evalZeroParamNonNullReturn(const CallExpr *CE, static void evalZeroParamNonNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
CheckerContext &C, CheckerContext &C,
bool IsCheckedCast = false) { bool IsCheckedCast = false) {
bool IsNullReturn = false; addCastTransition(Call, DV, C, /*IsNonNullParam=*/true,
if (ProgramStateRef State = C.getState()->assume(DV, true)) /*IsNonNullReturn=*/true, IsCheckedCast);
C.addTransition(getState(IsNullReturn, DV, CE, C.getState(), C),
getCastTag(IsNullReturn, CE, C, IsCheckedCast));
} }
static void evalZeroParamNullReturn(const CallExpr *CE, DefinedOrUnknownSVal DV, static void evalZeroParamNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV,
CheckerContext &C) { CheckerContext &C) {
bool IsNullReturn = true; addCastTransition(Call, DV, C, /*IsNonNullParam=*/true,
if (ProgramStateRef State = C.getState()->assume(DV, true)) /*IsNonNullReturn=*/false);
C.addTransition(getState(IsNullReturn, DV, CE, C.getState(), C),
getCastTag(IsNullReturn, CE, C));
} }
void CastValueChecker::evalCastAs(const CallExpr *CE, DefinedOrUnknownSVal DV, void CastValueChecker::evalCastAs(const CallEvent &Call,
DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalZeroParamNonNullReturn(CE, DV, C, /*IsCheckedCast=*/true); evalZeroParamNonNullReturn(Call, DV, C, /*IsCheckedCast=*/true);
} }
void CastValueChecker::evalGetAs(const CallExpr *CE, DefinedOrUnknownSVal DV, void CastValueChecker::evalGetAs(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const { CheckerContext &C) const {
evalZeroParamNonNullReturn(CE, DV, C); evalZeroParamNonNullReturn(Call, DV, C);
evalZeroParamNullReturn(CE, DV, C); evalZeroParamNullReturn(Call, DV, C);
} }
//===----------------------------------------------------------------------===//
// Main logic to evaluate a call.
//===----------------------------------------------------------------------===//
bool CastValueChecker::evalCall(const CallEvent &Call, bool CastValueChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const auto *Lookup = CDM.lookup(Call); const auto *Lookup = CDM.lookup(Call);
if (!Lookup) if (!Lookup)
return false; return false;
// If we cannot obtain the call's class we cannot be sure how to model it. // We need to obtain the record type of the call's result to model it.
QualType ResultTy = Call.getResultType(); if (!getRecordType(Call.getResultType())->isRecordType())
if (!ResultTy->getPointeeCXXRecordDecl())
return false; return false;
const CastCheck &Check = Lookup->first; const CastCheck &Check = Lookup->first;
CastKind Kind = Lookup->second; CallKind Kind = Lookup->second;
const auto *CE = cast<CallExpr>(Call.getOriginExpr());
Optional<DefinedOrUnknownSVal> DV; Optional<DefinedOrUnknownSVal> DV;
switch (Kind) { switch (Kind) {
case CastKind::Function: { case CallKind::Function: {
// If we cannot obtain the arg's class we cannot be sure how to model it. // We need to obtain the record type of the call's parameter to model it.
QualType ArgTy = Call.parameters()[0]->getType(); if (!getRecordType(Call.parameters()[0]->getType())->isRecordType())
if (!ArgTy->getAsCXXRecordDecl() && !ArgTy->getPointeeCXXRecordDecl())
return false; return false;
DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>(); DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>();
break; break;
} }
case CastKind::Method: case CallKind::Method:
// If we cannot obtain the 'InstanceCall' we cannot be sure how to model it.
const auto *InstanceCall = dyn_cast<CXXInstanceCall>(&Call); const auto *InstanceCall = dyn_cast<CXXInstanceCall>(&Call);
if (!InstanceCall) if (!InstanceCall)
return false; return false;
DV = InstanceCall->getCXXThisVal().getAs<DefinedOrUnknownSVal>(); DV = InstanceCall->getCXXThisVal().getAs<DefinedOrUnknownSVal>();
break; break;
} }
if (!DV) if (!DV)
return false; return false;
Check(this, CE, *DV, C); Check(this, Call, *DV, C);
return true; return true;
} }
void CastValueChecker::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const {
C.addTransition(removeDeadCasts(C.getState(), SR));
}
void ento::registerCastValueChecker(CheckerManager &Mgr) { void ento::registerCastValueChecker(CheckerManager &Mgr) {
Mgr.registerChecker<CastValueChecker>(); Mgr.registerChecker<CastValueChecker>();
} }
bool ento::shouldRegisterCastValueChecker(const LangOptions &LO) { bool ento::shouldRegisterCastValueChecker(const LangOptions &LO) {
return true; return true;
} }

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp

Show All 14 Lines
// //
// Generics Checker for Objective-C: // Generics Checker for Objective-C:
// This checker tries to find type errors that the compiler is not able to catch // This checker tries to find type errors that the compiler is not able to catch
// due to the implicit conversions that were introduced for backward // due to the implicit conversions that were introduced for backward
// compatibility. // compatibility.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/AST/RecursiveASTVisitor.h" #include "clang/AST/RecursiveASTVisitor.h"
#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
// ProgramState trait - The type inflation is tracked by DynamicTypeMap. This is // ProgramState trait - The type inflation is tracked by DynamicTypeMap. This is
// an auxiliary map that tracks more information about generic types, because in // an auxiliary map that tracks more information about generic types, because in
// some cases the most derived type is not the most informative one about the // some cases the most derived type is not the most informative one about the
▲ Show 20 LinesShow All 67 Lines▼ Show 20 Linespublic:
/// This value is set to true, when the Generics checker is turned on. /// This value is set to true, when the Generics checker is turned on.
DefaultBool CheckGenerics; DefaultBool CheckGenerics;
}; };
} // end anonymous namespace } // end anonymous namespace
void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR, void DynamicTypePropagation::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = removeDeadTypes(C.getState(), SR);
DynamicTypeMapTy TypeMap = State->get<DynamicTypeMap>();
for (DynamicTypeMapTy::iterator I = TypeMap.begin(), E = TypeMap.end();
I != E; ++I) {
if (!SR.isLiveRegion(I->first)) {
State = State->remove<DynamicTypeMap>(I->first);
}
}
MostSpecializedTypeArgsMapTy TyArgMap = MostSpecializedTypeArgsMapTy TyArgMap =
State->get<MostSpecializedTypeArgsMap>(); State->get<MostSpecializedTypeArgsMap>();
for (MostSpecializedTypeArgsMapTy::iterator I = TyArgMap.begin(), for (MostSpecializedTypeArgsMapTy::iterator I = TyArgMap.begin(),
E = TyArgMap.end(); E = TyArgMap.end();
I != E; ++I) { I != E; ++I) {
if (SR.isDead(I->first)) { if (SR.isDead(I->first)) {
State = State->remove<MostSpecializedTypeArgsMap>(I->first); State = State->remove<MostSpecializedTypeArgsMap>(I->first);
▲ Show 20 LinesShow All 745 Lines▼ Show 20 Linesvoid DynamicTypePropagation::checkPostObjCMessage(const ObjCMethodCall &M,
if (ResultType.isNull()) if (ResultType.isNull())
return; return;
const MemRegion *RetRegion = M.getReturnValue().getAsRegion(); const MemRegion *RetRegion = M.getReturnValue().getAsRegion();
ExplodedNode *Pred = C.getPredecessor(); ExplodedNode *Pred = C.getPredecessor();
// When there is an entry available for the return symbol in DynamicTypeMap, // When there is an entry available for the return symbol in DynamicTypeMap,
// the call was inlined, and the information in the DynamicTypeMap is should // the call was inlined, and the information in the DynamicTypeMap is should
// be precise. // be precise.
if (RetRegion && !State->get<DynamicTypeMap>(RetRegion)) { if (RetRegion && !getRawDynamicTypeInfo(State, RetRegion)) {
// TODO: we have duplicated information in DynamicTypeMap and // TODO: we have duplicated information in DynamicTypeMap and
// MostSpecializedTypeArgsMap. We should only store anything in the later if // MostSpecializedTypeArgsMap. We should only store anything in the later if
// the stored data differs from the one stored in the former. // the stored data differs from the one stored in the former.
State = setDynamicTypeInfo(State, RetRegion, ResultType, State = setDynamicTypeInfo(State, RetRegion, ResultType,
/*CanBeSubClassed=*/true); /*CanBeSubClassed=*/true);
Pred = C.addTransition(State); Pred = C.addTransition(State);
} }
▲ Show 20 LinesShow All 109 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/CMakeLists.txt

Show All 10 Linesadd_clang_library(clangStaticAnalyzerCore
CallEvent.cpp CallEvent.cpp
Checker.cpp Checker.cpp
CheckerContext.cpp CheckerContext.cpp
CheckerHelpers.cpp CheckerHelpers.cpp
CheckerManager.cpp CheckerManager.cpp
CommonBugCategories.cpp CommonBugCategories.cpp
ConstraintManager.cpp ConstraintManager.cpp
CoreEngine.cpp CoreEngine.cpp
DynamicTypeMap.cpp DynamicType.cpp
Environment.cpp Environment.cpp
ExplodedGraph.cpp ExplodedGraph.cpp
ExprEngine.cpp ExprEngine.cpp
ExprEngineC.cpp ExprEngineC.cpp
ExprEngineCXX.cpp ExprEngineCXX.cpp
ExprEngineCallAndReturn.cpp ExprEngineCallAndReturn.cpp
ExprEngineObjC.cpp ExprEngineObjC.cpp
FunctionSummary.cpp FunctionSummary.cpp
Show All 33 Lines

clang/lib/StaticAnalyzer/Core/DynamicType.cpp

  • This file was added.
//===- DynamicType.cpp - Dynamic type related APIs --------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines APIs that track and query dynamic type information. This
// information can be used to devirtualize calls during the symbolic execution
// or do type checking.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/Basic/JsonSupport.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/raw_ostream.h"
#include <cassert>
/// The GDM component containing the dynamic type info. This is a map from a
/// symbol to its most likely type.
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicTypeMap, const clang::ento::MemRegion *,
clang::ento::DynamicTypeInfo)
/// A set factory of dynamic cast informations.
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(CastSet, clang::ento::DynamicCastInfo)
/// A map from symbols to cast informations.
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicCastMap, const clang::ento::MemRegion *,
CastSet)
namespace clang {
namespace ento {
DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR) {
MR = MR->StripCasts();
// Look up the dynamic type in the GDM.
if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR))
return *DTI;
// Otherwise, fall back to what we know about the region.
if (const auto *TR = dyn_cast<TypedRegion>(MR))
return DynamicTypeInfo(TR->getLocationType(), /*CanBeSub=*/false);
if (const auto *SR = dyn_cast<SymbolicRegion>(MR)) {
SymbolRef Sym = SR->getSymbol();
return DynamicTypeInfo(Sym->getType());
}
return {};
}
const DynamicTypeInfo *getRawDynamicTypeInfo(ProgramStateRef State,
const MemRegion *MR) {
return State->get<DynamicTypeMap>(MR);
}
const DynamicCastInfo *getDynamicCastInfo(ProgramStateRef State,
const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy) {
const auto *Lookup = State->get<DynamicCastMap>().lookup(MR);
if (!Lookup)
return nullptr;
for (const DynamicCastInfo &Cast : *Lookup)
if (Cast.equals(CastFromTy, CastToTy))
return &Cast;
return nullptr;
}
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
DynamicTypeInfo NewTy) {
State = State->set<DynamicTypeMap>(MR->StripCasts(), NewTy);
assert(State);
return State;
}
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
QualType NewTy, bool CanBeSubClassed) {
return setDynamicTypeInfo(State, MR, DynamicTypeInfo(NewTy, CanBeSubClassed));
}
ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State,
const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy, QualType ResultTy,
bool CastSucceeds) {
if (CastSucceeds)
State = State->set<DynamicTypeMap>(MR, ResultTy);
DynamicCastInfo::CastResult ResultKind =
CastSucceeds ? DynamicCastInfo::CastResult::Success
: DynamicCastInfo::CastResult::Failure;
CastSet::Factory &F = State->get_context<CastSet>();
const CastSet *TempSet = State->get<DynamicCastMap>(MR);
CastSet Set = TempSet ? *TempSet : F.getEmptySet();
Set = F.add(Set, {CastFromTy, CastToTy, ResultKind});
State = State->set<DynamicCastMap>(MR, Set);
assert(State);
return State;
}
template <typename MapTy>
ProgramStateRef removeDead(ProgramStateRef State, const MapTy &Map,
SymbolReaper &SR) {
for (const auto &Elem : Map)
if (!SR.isLiveRegion(Elem.first))
State = State->remove<DynamicCastMap>(Elem.first);
return State;
}
ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicTypeMap>(), SR);
}
ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicCastMap>(), SR);
}
static void printDynamicTypesJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space,
bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_types\": ";
const DynamicTypeMapTy &Map = State->get<DynamicTypeMap>();
if (Map.isEmpty()) {
Out << "null," << NL;
return;
}
++Space;
Out << '[' << NL;
for (DynamicTypeMapTy::iterator I = Map.begin(); I != Map.end(); ++I) {
const MemRegion *MR = I->first;
const DynamicTypeInfo &DTI = I->second;
Indent(Out, Space, IsDot)
<< "{ \"region\": \"" << MR << "\", \"dyn_type\": ";
if (!DTI.isValid()) {
Out << "null";
} else {
Out << '\"' << DTI.getType()->getPointeeType().getAsString()
<< "\", \"sub_classable\": "
<< (DTI.canBeASubClass() ? "true" : "false");
}
Out << " }";
if (std::next(I) != Map.end())
Out << ',';
Out << NL;
}
--Space;
Indent(Out, Space, IsDot) << "]," << NL;
}
static void printDynamicCastsJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space,
bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_casts\": ";
const DynamicCastMapTy &Map = State->get<DynamicCastMap>();
if (Map.isEmpty()) {
Out << "null," << NL;
return;
}
++Space;
Out << '[' << NL;
for (DynamicCastMapTy::iterator I = Map.begin(); I != Map.end(); ++I) {
const MemRegion *MR = I->first;
const CastSet &Set = I->second;
Indent(Out, Space, IsDot) << "{ \"region\": \"" << MR << "\", \"casts\": ";
if (Set.isEmpty()) {
Out << "null ";
} else {
++Space;
Out << '[' << NL;
for (CastSet::iterator SI = Set.begin(); SI != Set.end(); ++SI) {
Indent(Out, Space, IsDot)
<< "{ \"from\": \"" << SI->from().getAsString() << "\", \"to\": \""
<< SI->to().getAsString() << "\", \"kind\": \""
<< (SI->succeeds() ? "success" : "fail") << "\" }";
if (std::next(SI) != Set.end())
Out << ',';
Out << NL;
}
--Space;
Indent(Out, Space, IsDot) << ']';
}
Out << '}';
if (std::next(I) != Map.end())
Out << ',';
Out << NL;
}
--Space;
Indent(Out, Space, IsDot) << "]," << NL;
}
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space, bool IsDot) {
printDynamicTypesJson(Out, State, NL, Space, IsDot);
printDynamicCastsJson(Out, State, NL, Space, IsDot);
}
} // namespace ento
} // namespace clang

clang/lib/StaticAnalyzer/Core/DynamicTypeMap.cpp

  • This file was deleted.
//===- DynamicTypeMap.cpp - Dynamic Type Info related APIs ----------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines APIs that track and query dynamic type information. This
// information can be used to devirtualize calls during the symbolic execution
// or do type checking.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
#include "clang/Basic/JsonSupport.h"
#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/raw_ostream.h"
#include <cassert>
namespace clang {
namespace ento {
DynamicTypeInfo getDynamicTypeInfo(ProgramStateRef State,
const MemRegion *Reg) {
Reg = Reg->StripCasts();
// Look up the dynamic type in the GDM.
const DynamicTypeInfo *GDMType = State->get<DynamicTypeMap>(Reg);
if (GDMType)
return *GDMType;
// Otherwise, fall back to what we know about the region.
if (const auto *TR = dyn_cast<TypedRegion>(Reg))
return DynamicTypeInfo(TR->getLocationType(), /*CanBeSub=*/false);
if (const auto *SR = dyn_cast<SymbolicRegion>(Reg)) {
SymbolRef Sym = SR->getSymbol();
return DynamicTypeInfo(Sym->getType());
}
return {};
}
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *Reg,
DynamicTypeInfo NewTy) {
Reg = Reg->StripCasts();
ProgramStateRef NewState = State->set<DynamicTypeMap>(Reg, NewTy);
assert(NewState);
return NewState;
}
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space, bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_types\": ";
const DynamicTypeMapTy &DTM = State->get<DynamicTypeMap>();
if (DTM.isEmpty()) {
Out << "null," << NL;
return;
}
++Space;
Out << '[' << NL;
for (DynamicTypeMapTy::iterator I = DTM.begin(); I != DTM.end(); ++I) {
const MemRegion *MR = I->first;
const DynamicTypeInfo &DTI = I->second;
Out << "{ \"region\": \"" << MR << "\", \"dyn_type\": ";
if (DTI.isValid()) {
Out << '\"' << DTI.getType()->getPointeeType().getAsString()
<< "\", \"sub_classable\": "
<< (DTI.canBeASubClass() ? "true" : "false");
} else {
Out << "null"; // Invalid type info
}
Out << "}";
if (std::next(I) != DTM.end())
Out << ',';
Out << NL;
}
--Space;
Indent(Out, Space, IsDot) << "]," << NL;
}
void *ProgramStateTrait<DynamicTypeMap>::GDMIndex() {
static int index = 0;
return &index;
}
} // namespace ento
} // namespace clang

clang/lib/StaticAnalyzer/Core/ProgramState.cpp

Show All 9 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/Analysis/CFG.h" #include "clang/Analysis/CFG.h"
#include "clang/Basic/JsonSupport.h" #include "clang/Basic/JsonSupport.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SubEngine.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace clang { namespace ento { namespace clang { namespace ento {
▲ Show 20 LinesShow All 620 LinesShow Last 20 Lines

clang/test/Analysis/Inputs/llvm.h

  • This file was added.
#pragma clang system_header
namespace llvm {
template <class X, class Y>
const X *cast(Y Value);
template <class X, class Y>
const X *dyn_cast(Y *Value);
template <class X, class Y>
const X &dyn_cast(Y &Value);
template <class X, class Y>
const X *cast_or_null(Y Value);
template <class X, class Y>
const X *dyn_cast_or_null(Y *Value);
template <class X, class Y>
const X *dyn_cast_or_null(Y &Value);
} // namespace llvm

clang/test/Analysis/cast-value-logic.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -verify %s
#include "Inputs/llvm.h"
void clang_analyzer_numTimesReached();
void clang_analyzer_warnIfReached();
void clang_analyzer_eval(bool);
namespace clang {
struct Shape {
template <typename T>
const T *castAs() const;
template <typename T>
const T *getAs() const;
};
class Triangle : public Shape {};
class Circle : public Shape {};
} // namespace clang
using namespace llvm;
using namespace clang;
void test_regions(const Shape *A, const Shape *B) {
if (dyn_cast<Circle>(A) && !dyn_cast<Circle>(B))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
namespace test_cast {
void evalLogic(const Shape *S) {
const Circle *C = cast<Circle>(S);
clang_analyzer_numTimesReached(); // expected-warning {{1}}
if (S && C)
clang_analyzer_eval(C == S); // expected-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // no-warning
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_cast
namespace test_dyn_cast {
void evalLogic(const Shape *S) {
const Circle *C = dyn_cast<Circle>(S);
clang_analyzer_numTimesReached(); // expected-warning {{2}}
if (S && C)
clang_analyzer_eval(C == S); // expected-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_dyn_cast
namespace test_cast_or_null {
void evalLogic(const Shape *S) {
const Circle *C = cast_or_null<Circle>(S);
clang_analyzer_numTimesReached(); // expected-warning {{2}}
if (S && C)
clang_analyzer_eval(C == S); // expected-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // no-warning
if (!S)
clang_analyzer_eval(!C); // expected-warning {{TRUE}}
}
} // namespace test_cast_or_null
namespace test_dyn_cast_or_null {
void evalLogic(const Shape *S) {
const Circle *C = dyn_cast_or_null<Circle>(S);
clang_analyzer_numTimesReached(); // expected-warning {{3}}
if (S && C)
clang_analyzer_eval(C == S); // expected-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
if (!S)
clang_analyzer_eval(!C); // expected-warning {{TRUE}}
}
} // namespace test_dyn_cast_or_null
namespace test_cast_as {
void evalLogic(const Shape *S) {
const Circle *C = S->castAs<Circle>();
clang_analyzer_numTimesReached(); // expected-warning {{1}}
if (S && C)
clang_analyzer_eval(C == S);
// expected-warning@-1 {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // no-warning
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_cast_as
namespace test_get_as {
void evalLogic(const Shape *S) {
const Circle *C = S->getAs<Circle>();
clang_analyzer_numTimesReached(); // expected-warning {{2}}
if (S && C)
clang_analyzer_eval(C == S);
// expected-warning@-1 {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_get_as

clang/test/Analysis/cast-value-notes.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue \
// RUN: -analyzer-output=text -verify %s
#include "Inputs/llvm.h"
namespace clang {
struct Shape {
template <typename T>
const T *castAs() const;
template <typename T>
const T *getAs() const;
};
class Triangle : public Shape {};
class Circle : public Shape {};
} // namespace clang
using namespace llvm;
using namespace clang;
void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
// expected-note@-2 {{Dereference of null pointer}}
NoQUnsubmitted
Done
ReplyInline Actions

A circle is always a shape.

Assuming 'S' is a 'Shape' that is not a 'Circle' sounds about right.

Or just Assuming 'S' is not a 'Circle'.

NoQ: A circle is always a shape. `Assuming 'S' is a 'Shape' that is not a 'Circle'` sounds about…
// expected-warning@-3 {{Dereference of null pointer}}
}
void evalNonNullParamNonNullReturnReference(const Shape &S) {
const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}}
if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}}
NoQUnsubmitted
Done
ReplyInline Actions

A circle is always a circle.

NoQ: A circle is always a circle.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I have removed that contradiction test case as being silly, but yes, that was the no-warning test properly.

Charusso: I have removed that contradiction test case as being silly, but yes, that was the `no-warning`…
// expected-note@-2 {{Taking false branch}}
return;
}
if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
(void)(1 / !C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
}
NoQUnsubmitted
Done
ReplyInline Actions

The not a 'Circle' part is suspiciously specific.

NoQ: The `not a 'Circle'` part is suspiciously specific.
void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = cast<Circle>(S);
// expected-note@-1 {{'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}}
if (!cast<Triangle>(C)) {
// expected-note@-1 {{'C' is a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
(void)(1 / !C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
}
void evalNonNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}}
// expected-note@-2 {{'T' initialized here}}
// expected-note@-3 {{'T' is non-null}}
// expected-note@-4 {{Taking true branch}}
(void)(1 / !T);
// expected-note@-1 {{'T' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
}
}
void evalNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming null pointer is passed into cast}}
// expected-note@-2 {{'C' initialized to a null pointer value}}
(void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}}
}
void evalZeroParamNonNullReturnPointer(const Shape *S) {
const auto *C = S->castAs<Circle>();
// expected-note@-1 {{'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}}
(void)(1 / !C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
}
void evalZeroParamNonNullReturn(const Shape &S) {
const auto *C = S.castAs<Circle>();
// expected-note@-1 {{'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}}
(void)(1 / !C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
}
void evalZeroParamNullReturn(const Shape &S) {
const auto *C = S.getAs<Circle>();
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
// expected-note@-2 {{'C' initialized to a null pointer value}}
if (!dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (!dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{'S' is a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
(void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}}
}

clang/test/Analysis/cast-value-state-dump.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -analyzer-output=text -verify %s 2>&1 | FileCheck %s
#include "Inputs/llvm.h"
void clang_analyzer_printState();
namespace clang {
struct Shape {};
class Triangle : public Shape {};
class Circle : public Shape {};
class Square : public Shape {};
} // namespace clang
using namespace llvm;
using namespace clang;
void evalNonNullParamNonNullReturnReference(const Shape &S) {
const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}}
// FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'.
if (dyn_cast_or_null<Square>(S)) {
// expected-note@-1 {{Assuming 'S' is not a 'Square'}}
// expected-note@-2 {{Taking false branch}}
return;
}
clang_analyzer_printState();
NoQUnsubmitted
Done
ReplyInline Actions

We're not assuming it, right? We already know it's gonna fail because we already know that it's a circle.

NoQ: We're not assuming it, right? We already know it's gonna fail because we already know that it's…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

We have no knowledge what is what. At the top we see that: Shape -> Circle, and then Triangle -> Circle is something new, so we have to assume that. It is an implementation detail we are allowing only one cast to be succeed. From the user point of view it is an assumption as the current state of the checker could not provide more/better information. It is the same logic from the ConditionBRVisitor.

Charusso: We have no knowledge what is what. At the top we see that: `Shape -> Circle`, and then…
NoQUnsubmitted
Done
ReplyInline Actions

Yeah, but it's not the observable behavior we'll be trying to preserve, so i suggest a FIXME.

NoQ: Yeah, but it's not the observable behavior we'll be trying to preserve, so i suggest a FIXME.
// CHECK: "dynamic_types": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "dyn_type": "const class clang::Circle", "sub_classable": true }
// CHECK-NEXT: ],
// CHECK-NEXT: "dynamic_casts": [
// CHECK: { "region": "SymRegion{reg_$0<const struct clang::Shape & S>}", "casts": [
// CHECK-NEXT: { "from": "struct clang::Shape", "to": "class clang::Circle", "kind": "success" },
// CHECK-NEXT: { "from": "struct clang::Shape", "to": "class clang::Square", "kind": "fail" }
// CHECK-NEXT: ]}
(void)(1 / !C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
}

clang/test/Analysis/cast-value.cpp

  • This file was deleted.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -verify=logic %s
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue \
// RUN: -analyzer-output=text -verify %s
void clang_analyzer_numTimesReached();
void clang_analyzer_warnIfReached();
void clang_analyzer_eval(bool);
namespace llvm {
template <class X, class Y>
const X *cast(Y Value);
template <class X, class Y>
const X *dyn_cast(Y *Value);
template <class X, class Y>
const X &dyn_cast(Y &Value);
template <class X, class Y>
const X *cast_or_null(Y Value);
template <class X, class Y>
const X *dyn_cast_or_null(Y *Value);
template <class X, class Y>
const X *dyn_cast_or_null(Y &Value);
} // namespace llvm
namespace clang {
struct Shape {
template <typename T>
const T *castAs() const;
template <typename T>
const T *getAs() const;
};
class Triangle : public Shape {};
class Circle : public Shape {};
} // namespace clang
using namespace llvm;
using namespace clang;
namespace test_cast {
void evalLogic(const Shape *S) {
const Circle *C = cast<Circle>(S);
clang_analyzer_numTimesReached(); // logic-warning {{1}}
if (S && C)
clang_analyzer_eval(C == S); // logic-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // no-warning
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_cast
namespace test_dyn_cast {
void evalLogic(const Shape *S) {
const Circle *C = dyn_cast<Circle>(S);
clang_analyzer_numTimesReached(); // logic-warning {{2}}
if (S && C)
clang_analyzer_eval(C == S); // logic-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // logic-warning {{REACHABLE}}
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_dyn_cast
namespace test_cast_or_null {
void evalLogic(const Shape *S) {
const Circle *C = cast_or_null<Circle>(S);
clang_analyzer_numTimesReached(); // logic-warning {{2}}
if (S && C)
clang_analyzer_eval(C == S); // logic-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // no-warning
if (!S)
clang_analyzer_eval(!C); // logic-warning {{TRUE}}
}
} // namespace test_cast_or_null
namespace test_dyn_cast_or_null {
void evalLogic(const Shape *S) {
const Circle *C = dyn_cast_or_null<Circle>(S);
clang_analyzer_numTimesReached(); // logic-warning {{3}}
if (S && C)
clang_analyzer_eval(C == S); // logic-warning {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // logic-warning {{REACHABLE}}
if (!S)
clang_analyzer_eval(!C); // logic-warning {{TRUE}}
}
} // namespace test_dyn_cast_or_null
namespace test_cast_as {
void evalLogic(const Shape *S) {
const Circle *C = S->castAs<Circle>();
clang_analyzer_numTimesReached(); // logic-warning {{1}}
if (S && C)
clang_analyzer_eval(C == S);
// logic-warning@-1 {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // no-warning
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_cast_as
namespace test_get_as {
void evalLogic(const Shape *S) {
const Circle *C = S->getAs<Circle>();
clang_analyzer_numTimesReached(); // logic-warning {{2}}
if (S && C)
clang_analyzer_eval(C == S);
// logic-warning@-1 {{TRUE}}
if (S && !C)
clang_analyzer_warnIfReached(); // logic-warning {{REACHABLE}}
if (!S)
clang_analyzer_warnIfReached(); // no-warning
}
} // namespace test_get_as
namespace test_notes {
void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' fails}}
// expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}}
// logic-warning@-4 {{Dereference of null pointer}}
}
void evalNonNullParamNonNullReturnReference(const Shape &S) {
const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' succeeds}}
// expected-note@-2 {{'C' initialized here}}
(void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = cast<Circle>(S);
// expected-note@-1 {{Checked cast from 'Shape' to 'Circle' succeeds}}
// expected-note@-2 {{'C' initialized here}}
(void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
void evalNonNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Circle' fails}}
if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming dynamic cast from 'Shape' to 'Triangle' succeeds}}
// expected-note@-2 {{'T' initialized here}}
// expected-note@-3 {{'T' is non-null}}
// expected-note@-4 {{Taking true branch}}
(void)(1 / !T);
// expected-note@-1 {{'T' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
}
void evalNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming null pointer is passed into cast}}
// expected-note@-2 {{'C' initialized to a null pointer value}}
(void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}}
// logic-warning@-3 {{Division by zero}}
}
void evalZeroParamNonNullReturnPointer(const Shape *S) {
const auto *C = S->castAs<Circle>();
// expected-note@-1 {{Checked cast to 'Circle' succeeds}}
// expected-note@-2 {{'C' initialized here}}
(void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
void evalZeroParamNonNullReturn(const Shape &S) {
const auto *C = S.castAs<Circle>();
// expected-note@-1 {{Checked cast to 'Circle' succeeds}}
// expected-note@-2 {{'C' initialized here}}
(void)(1 / !(bool)C);
// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}
// logic-warning@-4 {{Division by zero}}
}
void evalZeroParamNullReturn(const Shape &S) {
const auto *C = S.getAs<Circle>();
// expected-note@-1 {{Assuming dynamic cast to 'Circle' fails}}
// expected-note@-2 {{'C' initialized to a null pointer value}}
(void)(1 / (bool)C);
// expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}}
// logic-warning@-3 {{Division by zero}}
}
} // namespace test_notes

clang/test/Analysis/dump_egraph.cpp

Show All 18 Lines
} }
// CHECK: \"location_context\": \"#0 Call\", \"calling\": \"foo\", \"location\": null, \"items\": [\l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\{ \"stmt_id\": {{[0-9]+}}, \"kind\": \"construct into local variable\", \"argument_index\": null, \"pretty\": \"T t;\", \"value\": \"&t\" // CHECK: \"location_context\": \"#0 Call\", \"calling\": \"foo\", \"location\": null, \"items\": [\l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\{ \"stmt_id\": {{[0-9]+}}, \"kind\": \"construct into local variable\", \"argument_index\": null, \"pretty\": \"T t;\", \"value\": \"&t\"
// CHECK: \"location_context\": \"#0 Call\", \"calling\": \"T::T\", \"location\": \{ \"line\": 16, \"column\": 5, \"file\": \"{{.*}}dump_egraph.cpp\" \}, \"items\": [\l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\{ \"init_id\": {{[0-9]+}}, \"kind\": \"construct into member variable\", \"argument_index\": null, \"pretty\": \"s\", \"value\": \"&t-\>s\" // CHECK: \"location_context\": \"#0 Call\", \"calling\": \"T::T\", \"location\": \{ \"line\": 16, \"column\": 5, \"file\": \"{{.*}}dump_egraph.cpp\" \}, \"items\": [\l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\{ \"init_id\": {{[0-9]+}}, \"kind\": \"construct into member variable\", \"argument_index\": null, \"pretty\": \"s\", \"value\": \"&t-\>s\"
// CHECK: \"cluster\": \"t\", \"pointer\": \"{{0x[0-9a-f]+}}\", \"items\": [\l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\{ \"kind\": \"Default\", \"offset\": 0, \"value\": \"conj_$2\{int, LC5, no stmt, #1\}\" // CHECK: \"cluster\": \"t\", \"pointer\": \"{{0x[0-9a-f]+}}\", \"items\": [\l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\{ \"kind\": \"Default\", \"offset\": 0, \"value\": \"conj_$2\{int, LC5, no stmt, #1\}\"
// CHECK: \"dynamic_types\": [\l\{ \"region\": \"HeapSymRegion\{conj_$1\{struct S *, LC1, S{{[0-9]+}}, #1\}\}\", \"dyn_type\": \"struct S\", \"sub_classable\": false\}\l // CHECK: \"dynamic_types\": [\l&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\{ \"region\": \"HeapSymRegion\{conj_$1\{struct S *, LC1, S{{[0-9]+}}, #1\}\}\", \"dyn_type\": \"struct S\", \"sub_classable\": false \}\l

clang/test/Analysis/expr-inspection.c

Show All 32 Lines
// CHECK-NEXT: { "lctx_id": 1, "location_context": "#0 Call", "calling": "foo", "location": null, "items": [ // CHECK-NEXT: { "lctx_id": 1, "location_context": "#0 Call", "calling": "foo", "location": null, "items": [
// CHECK-NEXT: { "stmt_id": {{[0-9]+}}, "pretty": "clang_analyzer_printState", "value": "&code{clang_analyzer_printState}" } // CHECK-NEXT: { "stmt_id": {{[0-9]+}}, "pretty": "clang_analyzer_printState", "value": "&code{clang_analyzer_printState}" }
// CHECK-NEXT: ]} // CHECK-NEXT: ]}
// CHECK-NEXT: ]}, // CHECK-NEXT: ]},
// CHECK-NEXT: "constraints": [ // CHECK-NEXT: "constraints": [
// CHECK-NEXT: { "symbol": "reg_$0<int x>", "range": "{ [-2147483648, 13] }" } // CHECK-NEXT: { "symbol": "reg_$0<int x>", "range": "{ [-2147483648, 13] }" }
// CHECK-NEXT: ], // CHECK-NEXT: ],
// CHECK-NEXT: "dynamic_types": null, // CHECK-NEXT: "dynamic_types": null,
// CHECK-NEXT: "dynamic_casts": null,
// CHECK-NEXT: "constructing_objects": null, // CHECK-NEXT: "constructing_objects": null,
// CHECK-NEXT: "checker_messages": null // CHECK-NEXT: "checker_messages": null
// CHECK-NEXT: } // CHECK-NEXT: }
clang/test/Analysis/cast-value-state-dump.cpp