This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/
-
clang/
-
AST/
-
Expr.h
-
StaticAnalyzer/Core/
-
Core/
2/4
AnalyzerOptions.def
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
1
UndefBranchChecker.cpp
2/2
UndefResultChecker.cpp
-
test/Analysis/
-
Analysis/
-
analyzer-config.c

Differential D66721

[analyzer] Analysis: Prevent bitwise operation false positives
Needs ReviewPublic

Authored by Charusso on Aug 25 2019, 11:50 AM.

Download Raw Diff

Details

Reviewers

NoQ

Summary

This patch introduces a new analyzer-config configuration:
-analyzer-config check-bitwise=true
which could be used to toggle whether the bitwise (and shift) operations
should be checked. It by default set to true.

Diff Detail

Event Timeline

Charusso created this revision.Aug 25 2019, 11:50 AM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptAug 25 2019, 11:50 AM

No-no, you're disabling the checkers here but you should be silencing them. This will be crashing because modeling is disabled.

I also recommend checker options, even if they apply to multiple checkers (@Szelethus mentioned that package options are a thing, you might use these if you don't want to make multiple options).

clang/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
83–89	Ugh. This part is also wrong for the same reason.

NoQ added inline comments.Aug 25 2019, 1:30 PM

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
305	We didn't do enough debugging to demonstrate that the problems are specific to the checker. I suggest we keep this on by default and only disable it on LLVM as an overfitting effort.

Fix.

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
305	Well, okay.
clang/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
83–89	If I do not return here then `clang/test/Analysis/uninit-vals.m:113: Returning from 'swap'` related notes are gone, so I will leave it untouched.

Now you're silencing the *whole* checker. This is equivalent to passing an -analyzer-silence-checker flag.

In D66721#1644531, @NoQ wrote:

Now you're silencing the *whole* checker. This is equivalent to passing an -analyzer-silence-checker flag.

I am silencing the *whole* checker if and only if a bitwise operation or a shift operation occurs. That is the correct behavior which is not equal to -analyzer-silence-checker which disables the *whole* checker during the *whole* analysis.

In D66721#1644514, @NoQ wrote:

No-no, you're disabling the checkers here but you should be silencing them. This will be crashing because modeling is disabled.

I also recommend checker options, even if they apply to multiple checkers (@Szelethus mentioned that package options are a thing, you might use these if you don't want to make multiple options).

Just to be clear, I object to nothing as long as it is an off-by-default developer-only feature.

clang/lib/StaticAnalyzer/Checkers/UndefBranchChecker.cpp
66	This is one of the reasons why I believe `AnalyzerOptions` should be immutable once analysis begins. Say that you'd like to list the checkers currently enabled with `-analyzer-list-enabled-checkers`, and that list is compiled around the time `CheckerRegistry` is active (which is a very brief period during the initialization of `CheckerManager`). Wouldn't it be super infuriating to learn that this lislt may change during analysis? I feel somewhat the same way about this, this should either be moved to `shouldRegister*()` or be handled outside the analyzer.

Until we do enough debugging to understand the nature of these false positives, i recommend silencing the checker when it has false positives. Later we can improve the granularity of our checkers, so that to be able to disable smaller portions of them, or make constraint solver improvements, depending on what we see.

MaskRay added a subscriber: MaskRay.Aug 25 2019, 5:58 PM

MaskRay added inline comments.

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
308	typo: unsigned

NoQ added inline comments.Aug 25 2019, 6:02 PM

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
308	Yup, see also :)

Revision Contents

Path

Size

clang/

include/

clang/

AST/

Expr.h

5 lines

StaticAnalyzer/

Core/

AnalyzerOptions.def

12 lines

lib/

StaticAnalyzer/

Checkers/

UndefBranchChecker.cpp

5 lines

UndefResultChecker.cpp

4 lines

test/

Analysis/

analyzer-config.c

3 lines

Diff 217062

clang/include/clang/AST/Expr.h

Show First 20 Lines • Show All 3,479 Lines • ▼ Show 20 Lines	public:
static bool isAdditiveOp(Opcode Opc) { return Opc == BO_Add \|\| Opc==BO_Sub; }		static bool isAdditiveOp(Opcode Opc) { return Opc == BO_Add \|\| Opc==BO_Sub; }
bool isAdditiveOp() const { return isAdditiveOp(getOpcode()); }		bool isAdditiveOp() const { return isAdditiveOp(getOpcode()); }
static bool isShiftOp(Opcode Opc) { return Opc == BO_Shl \|\| Opc == BO_Shr; }		static bool isShiftOp(Opcode Opc) { return Opc == BO_Shl \|\| Opc == BO_Shr; }
bool isShiftOp() const { return isShiftOp(getOpcode()); }		bool isShiftOp() const { return isShiftOp(getOpcode()); }

static bool isBitwiseOp(Opcode Opc) { return Opc >= BO_And && Opc <= BO_Or; }		static bool isBitwiseOp(Opcode Opc) { return Opc >= BO_And && Opc <= BO_Or; }
bool isBitwiseOp() const { return isBitwiseOp(getOpcode()); }		bool isBitwiseOp() const { return isBitwiseOp(getOpcode()); }

		static bool isBitwiseOrShiftOp(Opcode Opc) {
		return isBitwiseOp(Opc) \|\| isShiftOp(Opc);
		}
		bool isBitwiseOrShiftOp() const { return isBitwiseOrShiftOp(getOpcode()); }

static bool isRelationalOp(Opcode Opc) { return Opc >= BO_LT && Opc<=BO_GE; }		static bool isRelationalOp(Opcode Opc) { return Opc >= BO_LT && Opc<=BO_GE; }
bool isRelationalOp() const { return isRelationalOp(getOpcode()); }		bool isRelationalOp() const { return isRelationalOp(getOpcode()); }

static bool isEqualityOp(Opcode Opc) { return Opc == BO_EQ \|\| Opc == BO_NE; }		static bool isEqualityOp(Opcode Opc) { return Opc == BO_EQ \|\| Opc == BO_NE; }
bool isEqualityOp() const { return isEqualityOp(getOpcode()); }		bool isEqualityOp() const { return isEqualityOp(getOpcode()); }

static bool isComparisonOp(Opcode Opc) { return Opc >= BO_Cmp && Opc<=BO_NE; }		static bool isComparisonOp(Opcode Opc) { return Opc >= BO_Cmp && Opc<=BO_NE; }
bool isComparisonOp() const { return isComparisonOp(getOpcode()); }		bool isComparisonOp() const { return isComparisonOp(getOpcode()); }
▲ Show 20 Lines • Show All 2,458 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def

Show First 20 Lines • Show All 294 Lines • ▼ Show 20 Lines	ANALYZER_OPTION(bool, ShouldTrackConditions, "track-conditions",
"Whether to track conditions that are a control dependency of "		"Whether to track conditions that are a control dependency of "
"an already tracked variable.",		"an already tracked variable.",
true)		true)

ANALYZER_OPTION(bool, ShouldTrackConditionsDebug, "track-conditions-debug",		ANALYZER_OPTION(bool, ShouldTrackConditionsDebug, "track-conditions-debug",
"Whether to place an event at each tracked condition.",		"Whether to place an event at each tracked condition.",
false)		false)

		ANALYZER_OPTION(bool, CheckBitwise, "check-bitwise",
		"Whether the bitwise (and shift) operations should be checked.",
		true)
		NoQUnsubmitted Done Reply Inline Actions We didn't do enough debugging to demonstrate that the problems are specific to the checker. I suggest we keep this on by default and only disable it on LLVM as an overfitting effort. NoQ: We didn't do enough debugging to demonstrate that the problems are specific to the checker. I…
		CharussoAuthorUnsubmitted Done Reply Inline Actions Well, okay. Charusso: Well, okay.

		//===----------------------------------------------------------------------===//
		// Unsinged analyzer options.
		MaskRayUnsubmitted Not Done Reply Inline Actions typo: unsigned MaskRay: typo: unsigned
		NoQUnsubmitted Not Done Reply Inline Actions Yup, see also :) NoQ: Yup, [[ https://reviews.llvm.org/D65182?id=214462#inline-591158 \| see also ]] :)
		//===----------------------------------------------------------------------===//

ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold",		ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold",
"The maximal amount of translation units that is considered "		"The maximal amount of translation units that is considered "
"for import when inlining functions during CTU analysis. "		"for import when inlining functions during CTU analysis. "
"Lowering this threshold can alleviate the memory burder of "		"Lowering this threshold can alleviate the memory burder of "
"analysis with many interdependent definitions located in "		"analysis with many interdependent definitions located in "
"various translation units.",		"various translation units.",
100u)		100u)

//===----------------------------------------------------------------------===//
// Unsinged analyzer options.
//===----------------------------------------------------------------------===//

ANALYZER_OPTION(		ANALYZER_OPTION(
unsigned, AlwaysInlineSize, "ipa-always-inline-size",		unsigned, AlwaysInlineSize, "ipa-always-inline-size",
"The size of the functions (in basic blocks), which should be considered "		"The size of the functions (in basic blocks), which should be considered "
"to be small enough to always inline.",		"to be small enough to always inline.",
3)		3)

ANALYZER_OPTION(		ANALYZER_OPTION(
unsigned, GraphTrimInterval, "graph-trim-interval",		unsigned, GraphTrimInterval, "graph-trim-interval",
▲ Show 20 Lines • Show All 81 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/UndefBranchChecker.cpp

	Show First 20 Lines • Show All 54 Lines • ▼ Show 20 Lines
	};			};

	}			}

	void UndefBranchChecker::checkBranchCondition(const Stmt *Condition,			void UndefBranchChecker::checkBranchCondition(const Stmt *Condition,
	CheckerContext &Ctx) const {			CheckerContext &Ctx) const {
	SVal X = Ctx.getSVal(Condition);			SVal X = Ctx.getSVal(Condition);
	if (X.isUndef()) {			if (X.isUndef()) {
				AnalyzerOptions &Opts = Ctx.getAnalysisManager().getAnalyzerOptions();
				if (const auto *BO = dyn_cast<BinaryOperator>(Condition))
				if (BO->isBitwiseOrShiftOp() && !Opts.CheckBitwise)
				Opts.SilencedCheckersAndPackages.push_back("core.uninitialized.Branch");
				SzelethusUnsubmitted Not Done Reply Inline Actions This is one of the reasons why I believe `AnalyzerOptions` should be immutable once analysis begins. Say that you'd like to list the checkers currently enabled with `-analyzer-list-enabled-checkers`, and that list is compiled around the time `CheckerRegistry` is active (which is a very brief period during the initialization of `CheckerManager`). Wouldn't it be super infuriating to learn that this lislt may change during analysis? I feel somewhat the same way about this, this should either be moved to `shouldRegister()` or be handled outside the analyzer. Szelethus:* This is one of the reasons why I believe `AnalyzerOptions` should be immutable once analysis…

	// Generate a sink node, which implicitly marks both outgoing branches as			// Generate a sink node, which implicitly marks both outgoing branches as
	// infeasible.			// infeasible.
	ExplodedNode *N = Ctx.generateErrorNode();			ExplodedNode *N = Ctx.generateErrorNode();
	if (N) {			if (N) {
	if (!BT)			if (!BT)
	BT.reset(new BuiltinBug(			BT.reset(new BuiltinBug(
	this, "Branch condition evaluates to a garbage value"));			this, "Branch condition evaluates to a garbage value"));

	▲ Show 20 Lines • Show All 44 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

Show First 20 Lines • Show All 69 Lines • ▼ Show 20 Lines	static bool isLeftShiftResultUnrepresentable(const BinaryOperator *B,
const llvm::APSInt *RHS = SB.getKnownValue(State, C.getSVal(B->getRHS()));		const llvm::APSInt *RHS = SB.getKnownValue(State, C.getSVal(B->getRHS()));
assert(LHS && RHS && "Values unknown, inconsistent state");		assert(LHS && RHS && "Values unknown, inconsistent state");
return (unsigned)RHS->getZExtValue() > LHS->countLeadingZeros();		return (unsigned)RHS->getZExtValue() > LHS->countLeadingZeros();
}		}

void UndefResultChecker::checkPostStmt(const BinaryOperator *B,		void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
CheckerContext &C) const {		CheckerContext &C) const {
if (C.getSVal(B).isUndef()) {		if (C.getSVal(B).isUndef()) {
		AnalyzerOptions &Opts = C.getAnalysisManager().getAnalyzerOptions();
		if (B->isBitwiseOrShiftOp() && !Opts.CheckBitwise)
		Opts.SilencedCheckersAndPackages.push_back(
		"core.UndefinedBinaryOperatorResult");

// Do not report assignments of uninitialized values inside swap functions.		// Do not report assignments of uninitialized values inside swap functions.
// This should allow to swap partially uninitialized structs		// This should allow to swap partially uninitialized structs
// (radar://14129997)		// (radar://14129997)
if (const FunctionDecl *EnclosingFunctionDecl =		if (const FunctionDecl *EnclosingFunctionDecl =
dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))		dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
if (C.getCalleeName(EnclosingFunctionDecl) == "swap")		if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
return;		return;
		NoQUnsubmitted Done Reply Inline Actions Ugh. This part is also wrong for the same reason. NoQ: Ugh. This part is also wrong for the same reason.
		CharussoAuthorUnsubmitted Done Reply Inline Actions If I do not return here then `clang/test/Analysis/uninit-vals.m:113: Returning from 'swap'` related notes are gone, so I will leave it untouched. Charusso: If I do not return here then `clang/test/Analysis/uninit-vals.m:113: Returning from 'swap'`…

// Generate an error node.		// Generate an error node.
ExplodedNode *N = C.generateErrorNode();		ExplodedNode *N = C.generateErrorNode();
if (!N)		if (!N)
return;		return;

if (!BT)		if (!BT)
BT.reset(		BT.reset(
▲ Show 20 Lines • Show All 98 Lines • Show Last 20 Lines

clang/test/Analysis/analyzer-config.c

	Show All 19 Lines
	// CHECK-NEXT: c++-template-inlining = true			// CHECK-NEXT: c++-template-inlining = true
	// CHECK-NEXT: cfg-conditional-static-initializers = true			// CHECK-NEXT: cfg-conditional-static-initializers = true
	// CHECK-NEXT: cfg-implicit-dtors = true			// CHECK-NEXT: cfg-implicit-dtors = true
	// CHECK-NEXT: cfg-lifetime = false			// CHECK-NEXT: cfg-lifetime = false
	// CHECK-NEXT: cfg-loopexit = false			// CHECK-NEXT: cfg-loopexit = false
	// CHECK-NEXT: cfg-rich-constructors = true			// CHECK-NEXT: cfg-rich-constructors = true
	// CHECK-NEXT: cfg-scopes = false			// CHECK-NEXT: cfg-scopes = false
	// CHECK-NEXT: cfg-temporary-dtors = true			// CHECK-NEXT: cfg-temporary-dtors = true
				// CHECK-NEXT: check-bitwise = true
	// CHECK-NEXT: cplusplus.Move:WarnOn = KnownsAndLocals			// CHECK-NEXT: cplusplus.Move:WarnOn = KnownsAndLocals
	// CHECK-NEXT: crosscheck-with-z3 = false			// CHECK-NEXT: crosscheck-with-z3 = false
	// CHECK-NEXT: ctu-dir = ""			// CHECK-NEXT: ctu-dir = ""
	// CHECK-NEXT: ctu-import-threshold = 100			// CHECK-NEXT: ctu-import-threshold = 100
	// CHECK-NEXT: ctu-index-name = externalDefMap.txt			// CHECK-NEXT: ctu-index-name = externalDefMap.txt
	// CHECK-NEXT: debug.AnalysisOrder:* = false			// CHECK-NEXT: debug.AnalysisOrder:* = false
	// CHECK-NEXT: debug.AnalysisOrder:Bind = false			// CHECK-NEXT: debug.AnalysisOrder:Bind = false
	// CHECK-NEXT: debug.AnalysisOrder:EndFunction = false			// CHECK-NEXT: debug.AnalysisOrder:EndFunction = false
	▲ Show 20 Lines • Show All 52 Lines • ▼ Show 20 Lines
	// CHECK-NEXT: suppress-inlined-defensive-checks = true			// CHECK-NEXT: suppress-inlined-defensive-checks = true
	// CHECK-NEXT: suppress-null-return-paths = true			// CHECK-NEXT: suppress-null-return-paths = true
	// CHECK-NEXT: track-conditions = true			// CHECK-NEXT: track-conditions = true
	// CHECK-NEXT: track-conditions-debug = false			// CHECK-NEXT: track-conditions-debug = false
	// CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false			// CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false
	// CHECK-NEXT: unroll-loops = false			// CHECK-NEXT: unroll-loops = false
	// CHECK-NEXT: widen-loops = false			// CHECK-NEXT: widen-loops = false
	// CHECK-NEXT: [stats]			// CHECK-NEXT: [stats]
	// CHECK-NEXT: num-entries = 90			// CHECK-NEXT: num-entries = 91