This is an archive of the discontinued LLVM Phabricator instance.

Differential D66460

[analyzer] Remove BugReporter.BugTypes.
ClosedPublic

Authored by NoQ on Aug 19 2019, 7:50 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
Szelethus
baloghadamsoftware
Charusso
Summary

I'm slowly cleaning up BugReporter as a preparation for porting clang-tidy to use it exclusively as discussed in http://lists.llvm.org/pipermail/cfe-dev/2019-August/063092.html . Basically, we'll need to make a BugReport and a BugReporter that both can be compiled with CLANG_ENABLE_STATIC_ANALYZER=OFF: no "error nodes", no nothing. So we'll most likely make a clear separation between a basic bug report(er) and a path-sensitive bug report(er), having them inherit from common bug report(er) classes.

While figuring out which field/method goes where, i already made a couple of trivial commits (rC369319, rC369320). This one, however, is relatively interesting.

The BugTypes field is basically unused, and it definitely doesn't need to be implemented as an immutable set (if at all). But once i removed it i started noticing a bunch of null dereferences in generateDiagnosticForConsumerMap():

3060	  std::unique_ptr<DiagnosticForConsumerMapTy> Out =
3061	      generatePathDiagnostics(consumers, bugReports);
3062	 
3063	  if (Out->empty())   // <== crash: Out is null!
3064	    return Out;

This was fun to debug because it's obvious by looking at PathSensitiveBugReporter::generatePathDiagnostics() that it never returns null:

2643 std::unique_ptr<DiagnosticForConsumerMapTy>
2644 PathSensitiveBugReporter::generatePathDiagnostics(...) {
...
2649   auto Out = llvm::make_unique<DiagnosticForConsumerMapTy>();
...
2658   return Out;
2659 }

The debugger was also sure that we're dealing with a path-sensitive bug reporter here. The answer turned out to be related to this tiny discussion. Or, rather, here's a report that's worth a thousand words:

report-f2e935.html537 KBDownload

So i decided to avoid the destructor minefield entirely, even if it means calling flush manually.

Also, ugh, why is CloneChecker subscribed to check::EndOfTranslationUnit which is a path-sensitive callback? :/

Diff Detail

Event Timeline

NoQ created this revision.Aug 19 2019, 7:50 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 19 2019, 7:50 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 3 others. · View Herald Transcript
Szelethus accepted this revision.Aug 19 2019, 10:39 PM

So we'll most likely make a clear separation between a basic bug report(er) and a path-sensitive bug report(er), having them inherit from common bug report(er) classes.

That sounds terrific! Clang-tidy this or that, the analyzer itself would benefit from this greatly, we do have syntactic only checks.

This revision is now accepted and ready to land.Aug 19 2019, 10:39 PM
NoQ mentioned this in D66473: [analyzer] Removed some dead code in BugReporter and related files.Aug 20 2019, 7:23 AM
xazax.hun accepted this revision.Aug 20 2019, 2:00 PM

LG!

NoQ closed this revision.Aug 28 2019, 11:02 AM

Committed as rC369451 but forgot to add a phabricator link.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
19 lines
lib/
StaticAnalyzer/
Core/
16 lines
Frontend/
4 lines

Diff 216041

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h

Show First 20 LinesShow All 400 Lines▼ Show 20 Lines
/// and flush the corresponding diagnostics. /// and flush the corresponding diagnostics.
/// ///
/// The base class is used for generating path-insensitive /// The base class is used for generating path-insensitive
class BugReporter { class BugReporter {
public: public:
enum Kind { BasicBRKind, PathSensitiveBRKind }; enum Kind { BasicBRKind, PathSensitiveBRKind };
private: private:
using BugTypesTy = llvm::ImmutableSet<BugType *>;
BugTypesTy::Factory F;
BugTypesTy BugTypes;
const Kind kind; const Kind kind;
BugReporterData& D; BugReporterData& D;
/// Generate and flush the diagnostics for the given bug report. /// Generate and flush the diagnostics for the given bug report.
void FlushReport(BugReportEquivClass& EQ); void FlushReport(BugReportEquivClass& EQ);
/// Generate the diagnostics for the given bug report. /// Generate the diagnostics for the given bug report.
std::unique_ptr<DiagnosticForConsumerMapTy> std::unique_ptr<DiagnosticForConsumerMapTy>
generateDiagnosticForConsumerMap(BugReport *exampleReport, generateDiagnosticForConsumerMap(BugReport *exampleReport,
ArrayRef<PathDiagnosticConsumer *> consumers, ArrayRef<PathDiagnosticConsumer *> consumers,
ArrayRef<BugReport *> bugReports); ArrayRef<BugReport *> bugReports);
/// The set of bug reports tracked by the BugReporter. /// The set of bug reports tracked by the BugReporter.
llvm::FoldingSet<BugReportEquivClass> EQClasses; llvm::FoldingSet<BugReportEquivClass> EQClasses;
/// A vector of BugReports for tracking the allocated pointers and cleanup. /// A vector of BugReports for tracking the allocated pointers and cleanup.
std::vector<BugReportEquivClass *> EQClassesVector; std::vector<BugReportEquivClass *> EQClassesVector;
protected: protected:
BugReporter(BugReporterData& d, Kind k) BugReporter(BugReporterData& d, Kind k)
: BugTypes(F.getEmptySet()), kind(k), D(d) {} : kind(k), D(d) {}
public: public:
BugReporter(BugReporterData& d) BugReporter(BugReporterData &d) : kind(BasicBRKind), D(d) {}
: BugTypes(F.getEmptySet()), kind(BasicBRKind), D(d) {}
virtual ~BugReporter(); virtual ~BugReporter();
/// Generate and flush diagnostics for all bug reports. /// Generate and flush diagnostics for all bug reports.
void FlushReports(); void FlushReports();
Kind getKind() const { return kind; } Kind getKind() const { return kind; }
DiagnosticsEngine& getDiagnostic() { DiagnosticsEngine& getDiagnostic() {
return D.getDiagnostic(); return D.getDiagnostic();
} }
ArrayRef<PathDiagnosticConsumer*> getPathDiagnosticConsumers() { ArrayRef<PathDiagnosticConsumer*> getPathDiagnosticConsumers() {
return D.getPathDiagnosticConsumers(); return D.getPathDiagnosticConsumers();
} }
/// Iterator over the set of BugTypes tracked by the BugReporter.
using iterator = BugTypesTy::iterator;
iterator begin() { return BugTypes.begin(); }
iterator end() { return BugTypes.end(); }
/// Iterator over the set of BugReports tracked by the BugReporter. /// Iterator over the set of BugReports tracked by the BugReporter.
using EQClasses_iterator = llvm::FoldingSet<BugReportEquivClass>::iterator; using EQClasses_iterator = llvm::FoldingSet<BugReportEquivClass>::iterator;
EQClasses_iterator EQClasses_begin() { return EQClasses.begin(); } EQClasses_iterator EQClasses_begin() { return EQClasses.begin(); }
EQClasses_iterator EQClasses_end() { return EQClasses.end(); } EQClasses_iterator EQClasses_end() { return EQClasses.end(); }
ASTContext &getContext() { return D.getASTContext(); } ASTContext &getContext() { return D.getASTContext(); }
const SourceManager &getSourceManager() { return D.getSourceManager(); } const SourceManager &getSourceManager() { return D.getSourceManager(); }
const AnalyzerOptions &getAnalyzerOptions() { return D.getAnalyzerOptions(); } const AnalyzerOptions &getAnalyzerOptions() { return D.getAnalyzerOptions(); }
virtual std::unique_ptr<DiagnosticForConsumerMapTy> virtual std::unique_ptr<DiagnosticForConsumerMapTy>
generatePathDiagnostics(ArrayRef<PathDiagnosticConsumer *> consumers, generatePathDiagnostics(ArrayRef<PathDiagnosticConsumer *> consumers,
ArrayRef<BugReport *> &bugReports) { ArrayRef<BugReport *> &bugReports) {
return {}; return {};
} }
void Register(const BugType *BT);
/// Add the given report to the set of reports tracked by BugReporter. /// Add the given report to the set of reports tracked by BugReporter.
/// ///
/// The reports are usually generated by the checkers. Further, they are /// The reports are usually generated by the checkers. Further, they are
/// folded based on the profile value, which is done to coalesce similar /// folded based on the profile value, which is done to coalesce similar
/// reports. /// reports.
void emitReport(std::unique_ptr<BugReport> R); void emitReport(std::unique_ptr<BugReport> R);
void EmitBasicReport(const Decl *DeclWithIssue, const CheckerBase *Checker, void EmitBasicReport(const Decl *DeclWithIssue, const CheckerBase *Checker,
Show All 18 Lines
/// GRBugReporter is used for generating path-sensitive reports. /// GRBugReporter is used for generating path-sensitive reports.
class PathSensitiveBugReporter : public BugReporter { class PathSensitiveBugReporter : public BugReporter {
ExprEngine& Eng; ExprEngine& Eng;
public: public:
PathSensitiveBugReporter(BugReporterData& d, ExprEngine& eng) PathSensitiveBugReporter(BugReporterData& d, ExprEngine& eng)
: BugReporter(d, PathSensitiveBRKind), Eng(eng) {} : BugReporter(d, PathSensitiveBRKind), Eng(eng) {}
~PathSensitiveBugReporter() override = default;
/// getGraph - Get the exploded graph created by the analysis engine /// getGraph - Get the exploded graph created by the analysis engine
/// for the analyzed method or function. /// for the analyzed method or function.
const ExplodedGraph &getGraph() const; const ExplodedGraph &getGraph() const;
/// getStateManager - Return the state manager used by the analysis /// getStateManager - Return the state manager used by the analysis
/// engine. /// engine.
ProgramStateManager &getStateManager(); ProgramStateManager &getStateManager();
▲ Show 20 LinesShow All 131 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 2,215 Lines▼ Show 20 LinesProgramStateManager &PathSensitiveBugReporter::getStateManager() {
return Eng.getStateManager(); return Eng.getStateManager();
} }
ProgramStateManager &PathSensitiveBugReporter::getStateManager() const { ProgramStateManager &PathSensitiveBugReporter::getStateManager() const {
return Eng.getStateManager(); return Eng.getStateManager();
} }
BugReporter::~BugReporter() { BugReporter::~BugReporter() {
FlushReports(); // Make sure reports are flushed.
assert(StrBugTypes.empty() &&
"Destroying BugReporter before diagnostics are emitted!");
// Free the bug reports we are tracking. // Free the bug reports we are tracking.
for (const auto I : EQClassesVector) for (const auto I : EQClassesVector)
delete I; delete I;
} }
void BugReporter::FlushReports() { void BugReporter::FlushReports() {
if (BugTypes.isEmpty())
return;
// We need to flush reports in deterministic order to ensure the order // We need to flush reports in deterministic order to ensure the order
// of the reports is consistent between runs. // of the reports is consistent between runs.
for (const auto EQ : EQClassesVector) for (const auto EQ : EQClassesVector)
FlushReport(*EQ); FlushReport(*EQ);
// BugReporter owns and deletes only BugTypes created implicitly through // BugReporter owns and deletes only BugTypes created implicitly through
// EmitBasicReport. // EmitBasicReport.
// FIXME: There are leaks from checkers that assume that the BugTypes they // FIXME: There are leaks from checkers that assume that the BugTypes they
// create will be destroyed by the BugReporter. // create will be destroyed by the BugReporter.
llvm::DeleteContainerSeconds(StrBugTypes); llvm::DeleteContainerSeconds(StrBugTypes);
// Remove all references to the BugType objects.
BugTypes = F.getEmptySet();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// PathDiagnostics generation. // PathDiagnostics generation.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
▲ Show 20 LinesShow All 397 Lines▼ Show 20 LinesPathSensitiveBugReporter::generatePathDiagnostics(
if (PDB) if (PDB)
for (PathDiagnosticConsumer *PC : consumers) for (PathDiagnosticConsumer *PC : consumers)
(*Out)[PC] = PDB->generate(PC); (*Out)[PC] = PDB->generate(PC);
return Out; return Out;
} }
void BugReporter::Register(const BugType *BT) {
BugTypes = F.add(BugTypes, BT);
}
void BugReporter::emitReport(std::unique_ptr<BugReport> R) { void BugReporter::emitReport(std::unique_ptr<BugReport> R) {
if (const ExplodedNode *E = R->getErrorNode()) { if (const ExplodedNode *E = R->getErrorNode()) {
// An error node must either be a sink or have a tag, otherwise // An error node must either be a sink or have a tag, otherwise
// it could get reclaimed before the path diagnostic is created. // it could get reclaimed before the path diagnostic is created.
assert((E->isSink() || E->getLocation().getTag()) && assert((E->isSink() || E->getLocation().getTag()) &&
"Error node must either be a sink or have a tag"); "Error node must either be a sink or have a tag");
const AnalysisDeclContext *DeclCtx = const AnalysisDeclContext *DeclCtx =
Show All 14 Linesvoid BugReporter::emitReport(std::unique_ptr<BugReport> R) {
if (!ValidSourceLoc) if (!ValidSourceLoc)
return; return;
// Compute the bug report's hash to determine its equivalence class. // Compute the bug report's hash to determine its equivalence class.
llvm::FoldingSetNodeID ID; llvm::FoldingSetNodeID ID;
R->Profile(ID); R->Profile(ID);
// Lookup the equivance class. If there isn't one, create it. // Lookup the equivance class. If there isn't one, create it.
const BugType& BT = R->getBugType();
Register(&BT);
void *InsertPos; void *InsertPos;
BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos);
if (!EQ) { if (!EQ) {
EQ = new BugReportEquivClass(std::move(R)); EQ = new BugReportEquivClass(std::move(R));
EQClasses.InsertNode(EQ, InsertPos); EQClasses.InsertNode(EQ, InsertPos);
EQClassesVector.push_back(EQ); EQClassesVector.push_back(EQ);
} else } else
▲ Show 20 LinesShow All 407 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

Show First 20 LinesShow All 603 Lines▼ Show 20 Linesvoid AnalysisConsumer::runAnalysisOnTranslationUnit(ASTContext &C) {
} }
if (Mgr->shouldInlineCall()) if (Mgr->shouldInlineCall())
HandleDeclsCallGraph(LocalTUDeclsSize); HandleDeclsCallGraph(LocalTUDeclsSize);
// After all decls handled, run checkers on the entire TranslationUnit. // After all decls handled, run checkers on the entire TranslationUnit.
checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR); checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
BR.FlushReports();
RecVisitorBR = nullptr; RecVisitorBR = nullptr;
} }
void AnalysisConsumer::reportAnalyzerProgress(StringRef S) { void AnalysisConsumer::reportAnalyzerProgress(StringRef S) {
if (Opts->AnalyzerDisplayProgress) if (Opts->AnalyzerDisplayProgress)
llvm::errs() << S; llvm::errs() << S;
} }
▲ Show 20 LinesShow All 141 Lines▼ Show 20 Linesvoid AnalysisConsumer::HandleCode(Decl *D, AnalysisMode Mode,
if (Mode & AM_Syntax) { if (Mode & AM_Syntax) {
if (SyntaxCheckTimer) if (SyntaxCheckTimer)
SyntaxCheckTimer->startTimer(); SyntaxCheckTimer->startTimer();
checkerMgr->runCheckersOnASTBody(D, *Mgr, BR); checkerMgr->runCheckersOnASTBody(D, *Mgr, BR);
if (SyntaxCheckTimer) if (SyntaxCheckTimer)
SyntaxCheckTimer->stopTimer(); SyntaxCheckTimer->stopTimer();
} }
BR.FlushReports();
if ((Mode & AM_Path) && checkerMgr->hasPathSensitiveCheckers()) { if ((Mode & AM_Path) && checkerMgr->hasPathSensitiveCheckers()) {
RunPathSensitiveChecks(D, IMode, VisitedCallees); RunPathSensitiveChecks(D, IMode, VisitedCallees);
if (IMode != ExprEngine::Inline_Minimal) if (IMode != ExprEngine::Inline_Minimal)
NumFunctionsAnalyzed++; NumFunctionsAnalyzed++;
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 57 LinesShow Last 20 Lines