This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
1/1
CastValueChecker.cpp
-
Core/
2/2
CallEvent.cpp
1/1
ExprEngine.cpp
1/1
MemRegion.cpp
-
test/Analysis/
-
Analysis/
-
cast-value-notes.cpp

Differential D66593

[analyzer] CastValueChecker: Fix some assertions
AbandonedPublic

Authored by Charusso on Aug 22 2019, 7:27 AM.

Download Raw Diff

Details

Reviewers

NoQ

Summary

Diff Detail

Event Timeline

Charusso created this revision.Aug 22 2019, 7:27 AM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptAug 22 2019, 7:27 AM

I am not sure how would I fix them, so I just commented them out.

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
102	May it is more explicit.

These assertions are fundamental, so we can't remove them; i believe we messed up modeling at some point. I'll pick this up to address some nasty regressions quickly; i managed to reproduce the crashes and i already have 4 creduces running.

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
743–751	I don't think this does anything: 505 QualType Type::getPointeeType() const { 506 if (const auto PT = getAs<PointerType>()) 507 return PT->getPointeeType(); 508 if (const auto OPT = getAs<ObjCObjectPointerType>()) 509 return OPT->getPointeeType(); 510 if (const auto BPT = getAs<BlockPointerType>()) 511 return BPT->getPointeeType(); 512 if (const auto RT = getAs<ReferenceType>()) 513 return RT->getPointeeType(); 514 if (const auto MPT = getAs<MemberPointerType>()) 515 return MPT->getPointeeType(); 516 if (const auto DT = getAs<DecayedType>()) 517 return DT->getPointeeType(); 518 return {}; 519 } This getter usually works very reliably for both pointers and references.
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
118–122 ↗	(On Diff #216615)	We shouldn't put null regions into our maps.
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
329–336	This usually fails when we mess up lvalue/rvalue vs. loc/nonloc invariants in our modeling.
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
1079–1080	Ugh, i suspect that we can't pass through the original pointer in our cast modeling; we need to actually model pointer casts, which is annoying but necessary, given that the cast doesn't necessarily yield the same pointer value even in run-time (see multiple inheritance).

The null MemRegion is a 0 (Loc), try to avoid to store it.

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
743–751	I have measured each assertion failure one-by-one, so all of the hotfixes are necessary in order to reduce the crash-counter to zero. I have not got time to go in-depth, and have a great talk about them, sorry.
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
118–122 ↗	(On Diff #216615)	Yes, but that is problematic. I have updated the diff.

Pushed my own emergency hotfixes as rC369726, rC369727, rC369728, rC369729; reduced tests included.

Wow, it is great you could address every of the edge cases. Thanks you so much! I believe only one problem left: we need to return false instead of plain return in order to let the Analyzer model the function call. I could fix it easily, thanks!

In D66593#1642253, @Charusso wrote:

Wow, it is great you could address every of the edge cases. Thanks you so much! I believe only one problem left: we need to return false instead of plain return in order to let the Analyzer model the function call. I could fix it easily, thanks!

Well, not really. I have tested out and there is no difference. Thanks for the fixes!

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

CastValueChecker.cpp

6 lines

Core/

CallEvent.cpp

10 lines

ExprEngine.cpp

6 lines

MemRegion.cpp

9 lines

test/

Analysis/

cast-value-notes.cpp

9 lines

Diff 216737

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

Show First 20 Lines • Show All 92 Lines • ▼ Show 20 Lines
};		};
} // namespace		} // namespace

static QualType getRecordType(QualType Ty) {		static QualType getRecordType(QualType Ty) {
Ty = Ty.getCanonicalType();		Ty = Ty.getCanonicalType();

if (Ty->isPointerType())		if (Ty->isPointerType())
Ty = Ty->getPointeeType();		Ty = Ty->getPointeeType();
		else if (Ty->isReferenceType())
if (Ty->isReferenceType())
Ty = Ty.getNonReferenceType();		Ty = Ty.getNonReferenceType();
		CharussoAuthorUnsubmitted Done Reply Inline Actions May it is more explicit. Charusso: May it is more explicit.

return Ty.getUnqualifiedType();		return Ty.getUnqualifiedType();
}		}

static bool isInfeasibleCast(const DynamicCastInfo *CastInfo,		static bool isInfeasibleCast(const DynamicCastInfo *CastInfo,
bool CastSucceeds) {		bool CastSucceeds) {
if (!CastInfo)		if (!CastInfo)
return false;		return false;
▲ Show 20 Lines • Show All 294 Lines • ▼ Show 20 Lines	case CallKind::Method:

DV = InstanceCall->getCXXThisVal().getAs<DefinedOrUnknownSVal>();		DV = InstanceCall->getCXXThisVal().getAs<DefinedOrUnknownSVal>();
break;		break;
}		}

if (!DV)		if (!DV)
return false;		return false;

		if (!DV->getAsRegion())
		return false;

Check(this, Call, *DV, C);		Check(this, Call, *DV, C);
return true;		return true;
}		}

void CastValueChecker::checkDeadSymbols(SymbolReaper &SR,		void CastValueChecker::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const {		CheckerContext &C) const {
C.addTransition(removeDeadCasts(C.getState(), SR));		C.addTransition(removeDeadCasts(C.getState(), SR));
}		}

void ento::registerCastValueChecker(CheckerManager &Mgr) {		void ento::registerCastValueChecker(CheckerManager &Mgr) {
Mgr.registerChecker<CastValueChecker>();		Mgr.registerChecker<CastValueChecker>();
}		}

bool ento::shouldRegisterCastValueChecker(const LangOptions &LO) {		bool ento::shouldRegisterCastValueChecker(const LangOptions &LO) {
return true;		return true;
}		}

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 Lines • Show All 734 Lines • ▼ Show 20 Lines	if (!R)
return {};		return {};

// Do we know anything about the type of 'this'?		// Do we know anything about the type of 'this'?
DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);		DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
if (!DynType.isValid())		if (!DynType.isValid())
return {};		return {};

// Is the type a C++ class? (This is mostly a defensive check.)		// Is the type a C++ class? (This is mostly a defensive check.)
QualType RegionType = DynType.getType()->getPointeeType();		QualType RegionType = DynType.getType();
assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer.");		if (RegionType->isPointerType())
		RegionType = RegionType->getPointeeType();
		else
		RegionType = RegionType.getNonReferenceType();

		assert(!RegionType.isNull() &&
		"DynamicTypeInfo should always be a pointer or a reference.");

		NoQUnsubmitted Done Reply Inline Actions I don't think this does anything: 505 QualType Type::getPointeeType() const { 506 if (const auto PT = getAs<PointerType>()) 507 return PT->getPointeeType(); 508 if (const auto OPT = getAs<ObjCObjectPointerType>()) 509 return OPT->getPointeeType(); 510 if (const auto BPT = getAs<BlockPointerType>()) 511 return BPT->getPointeeType(); 512 if (const auto RT = getAs<ReferenceType>()) 513 return RT->getPointeeType(); 514 if (const auto MPT = getAs<MemberPointerType>()) 515 return MPT->getPointeeType(); 516 if (const auto DT = getAs<DecayedType>()) 517 return DT->getPointeeType(); 518 return {}; 519 } This getter usually works very reliably for both pointers and references. NoQ: I don't think this does anything: ```lang=c++ 505 QualType Type::getPointeeType() const {…
		CharussoAuthorUnsubmitted Done Reply Inline Actions I have measured each assertion failure one-by-one, so all of the hotfixes are necessary in order to reduce the crash-counter to zero. I have not got time to go in-depth, and have a great talk about them, sorry. Charusso: I have measured each assertion failure one-by-one, so all of the hotfixes are necessary in…
const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl();		const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl();
if (!RD \|\| !RD->hasDefinition())		if (!RD \|\| !RD->hasDefinition())
return {};		return {};

// Find the decl for this method in that class.		// Find the decl for this method in that class.
const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true);		const CXXMethodDecl *Result = MD->getCorrespondingMethodInClass(RD, true);
if (!Result) {		if (!Result) {
// We might not even get the original statically-resolved method due to		// We might not even get the original statically-resolved method due to
▲ Show 20 Lines • Show All 686 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 Lines • Show All 319 Lines • ▼ Show 20 Lines	if (!Result) {
// If we don't have an explicit result expression, we're in "if needed"		// If we don't have an explicit result expression, we're in "if needed"
// mode. Only create a region if the current value is a NonLoc.		// mode. Only create a region if the current value is a NonLoc.
if (!InitValWithAdjustments.getAs<NonLoc>()) {		if (!InitValWithAdjustments.getAs<NonLoc>()) {
if (OutRegionWithAdjustments)		if (OutRegionWithAdjustments)
*OutRegionWithAdjustments = nullptr;		*OutRegionWithAdjustments = nullptr;
return State;		return State;
}		}
Result = InitWithAdjustments;		Result = InitWithAdjustments;
} else {		}
		// FIXME: Make this assertion great again.
		/* else {
// We need to create a region no matter what. For sanity, make sure we don't		// We need to create a region no matter what. For sanity, make sure we don't
// try to stuff a Loc into a non-pointer temporary region.		// try to stuff a Loc into a non-pointer temporary region.
assert(!InitValWithAdjustments.getAs<Loc>() \|\|		assert(!InitValWithAdjustments.getAs<Loc>() \|\|
Loc::isLocType(Result->getType()) \|\|		Loc::isLocType(Result->getType()) \|\|
Result->getType()->isMemberPointerType());		Result->getType()->isMemberPointerType());
}		}*/
		NoQUnsubmitted Done Reply Inline Actions This usually fails when we mess up lvalue/rvalue vs. loc/nonloc invariants in our modeling. NoQ: This usually fails when we mess up lvalue/rvalue vs. loc/nonloc invariants in our modeling.

ProgramStateManager &StateMgr = State->getStateManager();		ProgramStateManager &StateMgr = State->getStateManager();
MemRegionManager &MRMgr = StateMgr.getRegionManager();		MemRegionManager &MRMgr = StateMgr.getRegionManager();
StoreManager &StoreMgr = StateMgr.getStoreManager();		StoreManager &StoreMgr = StateMgr.getStoreManager();

// MaterializeTemporaryExpr may appear out of place, after a few field and		// MaterializeTemporaryExpr may appear out of place, after a few field and
// base-class accesses have been made to the object, even though semantically		// base-class accesses have been made to the object, even though semantically
// it is the whole object that gets materialized and lifetime-extended.		// it is the whole object that gets materialized and lifetime-extended.
▲ Show 20 Lines • Show All 2,826 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

	Show First 20 Lines • Show All 1,042 Lines • ▼ Show 20 Lines
	const CXXTempObjectRegion*			const CXXTempObjectRegion*
	MemRegionManager::getCXXTempObjectRegion(Expr const *E,			MemRegionManager::getCXXTempObjectRegion(Expr const *E,
	LocationContext const *LC) {			LocationContext const *LC) {
	const StackFrameContext *SFC = LC->getStackFrame();			const StackFrameContext *SFC = LC->getStackFrame();
	assert(SFC);			assert(SFC);
	return getSubRegion<CXXTempObjectRegion>(E, getStackLocalsRegion(SFC));			return getSubRegion<CXXTempObjectRegion>(E, getStackLocalsRegion(SFC));
	}			}

	/// Checks whether \p BaseClass is a valid virtual or direct non-virtual base			/*/// Checks whether \p BaseClass is a valid virtual or direct non-virtual base
	/// class of the type of \p Super.			/// class of the type of \p Super.
	static bool isValidBaseClass(const CXXRecordDecl *BaseClass,			static bool isValidBaseClass(const CXXRecordDecl *BaseClass,
	const TypedValueRegion *Super,			const TypedValueRegion *Super,
	bool IsVirtual) {			bool IsVirtual) {
	BaseClass = BaseClass->getCanonicalDecl();			BaseClass = BaseClass->getCanonicalDecl();

	const CXXRecordDecl *Class = Super->getValueType()->getAsCXXRecordDecl();			const CXXRecordDecl *Class = Super->getValueType()->getAsCXXRecordDecl();
	if (!Class)			if (!Class)
	return true;			return true;

	if (IsVirtual)			if (IsVirtual)
	return Class->isVirtuallyDerivedFrom(BaseClass);			return Class->isVirtuallyDerivedFrom(BaseClass);

	for (const auto &I : Class->bases()) {			for (const auto &I : Class->bases()) {
	if (I.getType()->getAsCXXRecordDecl()->getCanonicalDecl() == BaseClass)			if (I.getType()->getAsCXXRecordDecl()->getCanonicalDecl() == BaseClass)
	return true;			return true;
	}			}

	return false;			return false;
	}			}*/

	const CXXBaseObjectRegion *			const CXXBaseObjectRegion *
	MemRegionManager::getCXXBaseObjectRegion(const CXXRecordDecl *RD,			MemRegionManager::getCXXBaseObjectRegion(const CXXRecordDecl *RD,
	const SubRegion *Super,			const SubRegion *Super,
	bool IsVirtual) {			bool IsVirtual) {
	if (isa<TypedValueRegion>(Super)) {			if (isa<TypedValueRegion>(Super)) {
	assert(isValidBaseClass(RD, dyn_cast<TypedValueRegion>(Super), IsVirtual));			// FIXME: Make this assertion great again.
	(void)&isValidBaseClass;			/*assert(isValidBaseClass(RD, dyn_cast<TypedValueRegion>(Super), IsVirtual));
				(void)&isValidBaseClass;*/
				NoQUnsubmitted Done Reply Inline Actions Ugh, i suspect that we can't pass through the original pointer in our cast modeling; we need to actually model pointer casts, which is annoying but necessary, given that the cast doesn't necessarily yield the same pointer value even in run-time (see multiple inheritance). NoQ: Ugh, i suspect that we can't pass through the original pointer in our cast modeling; we need to…

	if (IsVirtual) {			if (IsVirtual) {
	// Virtual base regions should not be layered, since the layout rules			// Virtual base regions should not be layered, since the layout rules
	// are different.			// are different.
	while (const auto *Base = dyn_cast<CXXBaseObjectRegion>(Super))			while (const auto *Base = dyn_cast<CXXBaseObjectRegion>(Super))
	Super = cast<SubRegion>(Base->getSuperRegion());			Super = cast<SubRegion>(Base->getSuperRegion());
	assert(Super && !isa<MemSpaceRegion>(Super));			assert(Super && !isa<MemSpaceRegion>(Super));
	}			}
	▲ Show 20 Lines • Show All 533 Lines • Show Last 20 Lines

clang/test/Analysis/cast-value-notes.cpp

Show First 20 Lines • Show All 79 Lines • ▼ Show 20 Lines	void evalNonNullParamNonNullReturn(const Shape *S) {
(void)(1 / !C);		(void)(1 / !C);
// expected-note@-1 {{'C' is non-null}}		// expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}}		// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}		// expected-warning@-3 {{Division by zero}}
}		}

void evalNonNullParamNullReturn(const Shape *S) {		void evalNonNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S);		const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}}		// expected-note@-1 {{Assuming null pointer is passed into cast}}

if (const auto *T = dyn_cast_or_null<Triangle>(S)) {		if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}}		// expected-note@-1 {{'T' initialized here}}
// expected-note@-2 {{'T' initialized here}}		// expected-note@-2 {{'T' is non-null}}
// expected-note@-3 {{'T' is non-null}}		// expected-note@-3 {{Taking true branch}}
// expected-note@-4 {{Taking true branch}}

(void)(1 / !T);		(void)(1 / !T);
// expected-note@-1 {{'T' is non-null}}		// expected-note@-1 {{'T' is non-null}}
// expected-note@-2 {{Division by zero}}		// expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}}		// expected-warning@-3 {{Division by zero}}
}		}
}		}

▲ Show 20 Lines • Show All 53 Lines • Show Last 20 Lines