This is an archive of the discontinued LLVM Phabricator instance.

Differential D67079

[analyzer] CastValueChecker: Model inheritance
Needs ReviewPublic

Authored by Charusso on Sep 2 2019, 8:09 AM.

Details

Reviewers
NoQ
Summary

The key is CXXRecordDecl::isDerivedFrom().

Diff Detail

Event Timeline

Charusso created this revision.Sep 2 2019, 8:09 AM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptSep 2 2019, 8:09 AM
Charusso marked 2 inline comments as done.Sep 2 2019, 8:14 AM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
216

That could be helpful, but I am not sure.

244–245

Previously possible false positives happened because we kept flow the modeling.

clang/lib/StaticAnalyzer/Core/DynamicType.cpp
46

Probably a consistent way of MemRegion handling is more appropriate.

NoQ added inline comments.Sep 3 2019, 1:43 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h
24

Ty(Ty) is the idiom here.

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
153

Counterexample:

struct A {};
struct B : A {};
struct C : A, B {};

Downcast from C to B should succeed, even though they have a common ancestor A (which has the same CXXRecordDecl but currently isn't the same object within C, but can be, if B declares A as a virtual base).

201

Omg lol nice. Did you try to figure out how do other people normally do it?

NoQ added inline comments.Sep 3 2019, 1:44 PM
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
46

Pointer casts are quite a can of worms. I suggest ignoring it for now and dealing with it as needed. I.e., your code looks good... for now.

Szelethus added inline comments.Sep 3 2019, 2:10 PM
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
46

*cries in pointer chasing*

Charusso updated this revision to Diff 219391.Sep 9 2019, 10:34 AM
Charusso marked 5 inline comments as done.
  • Fix.
clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h
24

Good to know, thanks!

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
153

So, even it is some kind of anti-pattern as a warning arrive immediately, now I allow B to C downcasts. Could you explain me more about that virtual idea, please? Based on this possible use-case in my mind two classes are on the same level as every of their bases/vbases are equals.

201

There is no function for that in ADT/StringExtras.h + grep did not help, so I realized it is a common way to match vowels. Do you know a better solution?

NoQ added inline comments.Sep 9 2019, 7:57 PM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
154

Using a flag here is unnecessary because you're returning true without doing anything else whenever the flag is set.

So, basically, your code says "if at least one current base is different from at least one previous base, the cast succeeds".

In particular, this function would return true whenever CurrentRD and PreviousRD are from completely unrelated class hierarchies. It sounds like whatever isSucceededDowncast() was supposed to do, it's not doing it right.

201

I just realized that this is actually incorrect and the correct solution is pretty hard to implement because the actual "a vs. an" rule deals with sounds, not letters. Eg.:

Clang is an "LLVM native" C/C++/Objective-C compiler

has an "an" because it's read as "an el-el-vee-am".

NoQ added inline comments.Sep 9 2019, 8:14 PM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
153

Could you explain me more about that virtual idea, please?

In the following variation:

struct A {};
struct B : virtual A {};
struct C : A, B {};

we have C contain only one instance of A: the layout of B within C would merely refer to the instance of A within C instead of making its own copy. In particular, the constructor of B within the constructor of C would not initialize C's instance of A because the constructor of C will invoke the constructor of A directly (cf. D61816).

Charusso updated this revision to Diff 221070.Sep 20 2019, 11:03 AM
Charusso marked 9 inline comments as done.
  • Try to do the math.
  • Create a consistent dynamic type API.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
153

That is a cool example, thanks you!

201

That is a cool idea, I will adjust StringExtras.h after that patch, for now please let us use that simple heuristic.

Szelethus added inline comments.Sep 20 2019, 11:24 AM
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
99

Hmm, I think this function answers the question, at least in the standard library sense, whether Y std::is_base_of of X, whereas "is derived from?" is another term that is used by clang and seems to not allow equality of types. Should we rename this to isBaseOf?

Charusso added a parent revision: D68199: [analyzer] DynamicTypeInfo: Simplify the API.Sep 30 2019, 1:37 AM
Charusso updated this revision to Diff 222370.EditedSep 30 2019, 1:44 AM
Charusso marked 2 inline comments as done.
  • When we have no information whether the cast succeeds or not we assume both.
  • CastVisitor is the new facility which decides whether the assumptions are appropriate.
  • Removed the vowels-related string-formatting.
  • Moved the API changes to D68199.
  • The math is still WIP.
clang/lib/StaticAnalyzer/Core/DynamicType.cpp
99

I have left the equality by a mistake. It is wanted to be a wrapper of isDerivedFrom(), which does not allow equality. Thanks for the notice!

NoQ added a comment.Sep 30 2019, 1:06 PM
In D67079#1687577, @Charusso wrote:
  • CastVisitor is the new facility which decides whether the assumptions are appropriate.
  • The math is still WIP.

You need the math to decide whether delaying the decision to a visitor is the right approach.

clang/test/Analysis/cast-value-hierarchy-fp-suppression.cpp
25–27 ↗(On Diff #222370)

Why is (isa<B>(a) && isa<C>(a)) deemed possible in the first test but not in the second test? o_o

Charusso marked 2 inline comments as done.Sep 30 2019, 1:13 PM
In D67079#1688648, @NoQ wrote:
In D67079#1687577, @Charusso wrote:
  • CastVisitor is the new facility which decides whether the assumptions are appropriate.
  • The math is still WIP.

You need the math to decide whether delaying the decision to a visitor is the right approach.

Yes, Soon(tm).

clang/test/Analysis/cast-value-hierarchy-fp-suppression.cpp
25–27 ↗(On Diff #222370)

In test_downcast() we assume that a is a record type of D where D is a B and D is a C. However in test_downcast_infeasible() if a is not a record type of D is cannot be both B and C at the same time. That is the purpose of CastVisitor.

NoQ added inline comments.Sep 30 2019, 1:17 PM
clang/test/Analysis/cast-value-hierarchy-fp-suppression.cpp
25–27 ↗(On Diff #222370)

I mean, it contradicts to how the program *actually* works, so we should either not do that, or provide a reeeeeaaaaaallly compelling explanation of why we do this (as in "Extraordinary Claims Require Extraordinary Evidence").

Charusso marked 3 inline comments as done.Sep 30 2019, 1:39 PM
Charusso added inline comments.
clang/test/Analysis/cast-value-hierarchy-fp-suppression.cpp
25–27 ↗(On Diff #222370)

Are you sure it does not model the program? I have an Apple class and I have a Pen class, until it is not defining an ApplePen class it is a false assumption to say they are defining an ApplePen class. I wanted to prefetch that information before the modeling starts, but it was an impossible challenge for me, so I have picked that CastVisitor-based post-elimination idea. In the real world I have removed only two false assumptions with the visitor from 1200 reports of LLVM so an ApplePen is very rare (https://www.youtube.com/watch?v=Ct6BUPvE2sM).

NoQ added inline comments.Sep 30 2019, 1:44 PM
clang/test/Analysis/cast-value-hierarchy-fp-suppression.cpp
25–27 ↗(On Diff #222370)

I'm sure that the possibility of taking a true branch in if (x) only depends on the value of x, not on the contents of the branch.

NoQ added inline comments.Sep 30 2019, 2:03 PM
clang/test/Analysis/cast-value-hierarchy-fp-suppression.cpp
25–27 ↗(On Diff #222370)

I.e., i see the point that you're trying to make (roughly), but it still requires extraordinary evindence and the way you've written the test clearly demonstrates why it needs an extraordinary evidence.

What you were trying to say is "imagine there's no class D, then we probably shouldn't consider the situation that it exists". But in this test the class exists, and you've just written a test about it, and then you're telling me that it doesn't exist. Which is exactly the problem with not considering that D exists. And this is exactly why choosing such approach requires a discussion.

One reason why i doubt the visitor-based solution is that the existence of D is not a path-sensitive fact; it either exists or not, it is irrelevant whether it was mentioned in the current path. Therefore scanning all classes in the translation unit, as opposed to classes mentioned on the current path, seems more precise.

Charusso marked 4 inline comments as done.Sep 30 2019, 2:13 PM
Charusso added inline comments.
clang/test/Analysis/cast-value-hierarchy-fp-suppression.cpp
25–27 ↗(On Diff #222370)

Well, that is a better idea, yes. I really like your observation about if (x), thanks for them! During the Summer I have learnt a lot, but a lot about the issue of the one translation unit, so that is why I was very afraid of using it. Let us give it a try.

Charusso updated this revision to Diff 222685.Oct 1 2019, 1:33 PM
Charusso marked an inline comment as done.
  • Use the TU's Decls instead of the gathered casts' Decls.
  • The math is still missing.
Charusso updated this revision to Diff 222931.Oct 2 2019, 4:15 PM
  • Rebase.
Charusso updated this revision to Diff 222932.Oct 2 2019, 4:19 PM
  • Rebase properly.
Charusso added a comment.Oct 2 2019, 4:22 PM

Well, the rebase is a little-bit weird, sorry for the inconvenience.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
21 lines
PathSensitive/
37 lines
20 lines
lib/
StaticAnalyzer/
Checkers/
200 lines
Core/
1 line
76 lines
163 lines
test/
Analysis/
47 lines
44 lines
73 lines
20 lines
30 lines
4 lines

Diff 222932

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show All 14 Lines
#define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H #define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
#include "clang/Analysis/ProgramPoint.h" #include "clang/Analysis/ProgramPoint.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "llvm/ADT/FoldingSet.h" #include "llvm/ADT/FoldingSet.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
#include <memory> #include <memory>
namespace clang { namespace clang {
class BinaryOperator; class BinaryOperator;
class CFGBlock; class CFGBlock;
class DeclRefExpr; class DeclRefExpr;
▲ Show 20 LinesShow All 354 Lines▼ Show 20 Lines PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
PathSensitiveBugReport &BR) override; PathSensitiveBugReport &BR) override;
void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode, void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
PathSensitiveBugReport &BR) override; PathSensitiveBugReport &BR) override;
}; };
/// The visitor detects NoteTags and displays the event notes they contain. /// The visitor detects NoteTags and displays the event notes they contain.
class TagVisitor : public BugReporterVisitor { class TagVisitor final : public BugReporterVisitor {
public: public:
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BRC, BugReporterContext &BRC,
PathSensitiveBugReport &R) override; PathSensitiveBugReport &R) override;
}; };
/// It detects evaluated casts and suppresses false assumption based reports.
class CastVisitor final : public BugReporterVisitor {
using RegionSetTy = llvm::SmallSet<const MemRegion *, 32>;
RegionSetTy RegionSet;
public:
static void *getTag();
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,
PathSensitiveBugReport &R) override;
void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *N,
PathSensitiveBugReport &BR) override;
void Profile(llvm::FoldingSetNodeID &ID) const override;
};
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H #endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicCastInfo.h

  • This file was deleted.
//===- DynamicCastInfo.h - Runtime cast information -------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICCASTINFO_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICCASTINFO_H
#include "clang/AST/Type.h"
namespace clang {
namespace ento {
class DynamicCastInfo {
public:
enum CastResult { Success, Failure };
DynamicCastInfo(QualType from, QualType to, CastResult resultKind)
: From(from), To(to), ResultKind(resultKind) {}
QualType from() const { return From; }
QualType to() const { return To; }
bool equals(QualType from, QualType to) const {
return From == from && To == to;
}
bool succeeds() const { return ResultKind == CastResult::Success; }
bool fails() const { return ResultKind == CastResult::Failure; }
bool operator==(const DynamicCastInfo &RHS) const {
return From == RHS.From && To == RHS.To;
}
bool operator<(const DynamicCastInfo &RHS) const {
return From < RHS.From && To < RHS.To;
}
void Profile(llvm::FoldingSetNodeID &ID) const {
ID.Add(From);
ID.Add(To);
ID.AddInteger(ResultKind);
}
private:
QualType From, To;
CastResult ResultKind;
};
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICCASTINFO_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h

Show All 10 Lines
// or do type checking. // or do type checking.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H #ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H #define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H
#include "clang/AST/Type.h" #include "clang/AST/Type.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicCastInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/ImmutableMap.h" #include "llvm/ADT/ImmutableMap.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include <utility> #include <utility>
#include <vector>
namespace clang { namespace clang {
namespace ento { namespace ento {
/// Get dynamic type information for the region \p MR. /// \returns Whether the record of type \p X is derived from the record of type
/// \p Y.
bool isDerivedFrom(QualType X, QualType Y);
/// \returns Whether the record of type \p X is equal to the record of type \p
/// Y or one record is derived from the other record.
bool isOneEqualOrDerivedFromOther(QualType X, QualType Y);
/// \returns Whether an infeasible cast found.
bool isInfeasibleCastFound(ProgramStateRef State, const MemRegion *MR,
const std::vector<const CXXRecordDecl *> &Records);
Optional<DynamicTypeInfo> getDynamicTypeInfo(ProgramStateRef State, Optional<DynamicTypeInfo> getDynamicTypeInfo(ProgramStateRef State,
const MemRegion *MR); const MemRegion *MR);
/// Get the stored dynamic type information for the region \p MR. /// Get the stored dynamic type information for the region \p MR.
Optional<DynamicTypeInfo> getStoredDynamicTypeInfo(ProgramStateRef State, Optional<DynamicTypeInfo> getStoredDynamicTypeInfo(ProgramStateRef State,
const MemRegion *MR); const MemRegion *MR);
/// Get dynamic cast information from \p CastFromTy to \p CastToTy of \p MR. /// Get dynamic type information of the failed cast for the region \p MR.
Optional<DynamicCastInfo> getDynamicCastInfo(ProgramStateRef State, /// The cast failed whether the current casting to \p CastToTy has a record type
/// which derives from a previously stored cast's record type.
Optional<DynamicTypeInfo> getFailedCastInfo(ProgramStateRef State,
const MemRegion *MR, const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy); QualType CastToTy);
/// Set dynamic type information of the region; return the new state. /// Set dynamic type information of the region; return the new state.
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
DynamicTypeInfo NewTy); DynamicTypeInfo NewTy);
/// Set dynamic type information of the region; return the new state. /// Set dynamic type information of the region; return the new state.
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
QualType NewTy, bool CanBeSubClassed = true); QualType NewTy, bool CanBeSubClassed = true);
/// Set dynamic type and cast information of the region; return the new state. /// Set dynamic type and cast information of the region; return the new state.
ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State, /// It stores the largest set what is the record of the given type \p CastToTy
const MemRegion *MR, /// cannot be, and what is the most-derived class which the record could be.
QualType CastFromTy, /// It also stores the succeeded casts.
QualType CastToTy, ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
bool IsCastSucceeds); QualType CastToTy, bool CastSucceeds,
Optional<DynamicTypeInfo> CastInfo);
/// Removes the dead type informations from \p State. /// Removes the dead type informations from \p State.
ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR); ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR);
/// Removes the dead cast informations from \p State. /// Removes the dead cast informations from \p State.
ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR); ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR);
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State, void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL = "\n", unsigned int Space = 0, const char *NL = "\n", unsigned int Space = 0,
bool IsDot = false); bool IsDot = false);
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H #endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPE_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h

Show All 12 Lines
namespace clang { namespace clang {
namespace ento { namespace ento {
/// Stores the currently inferred strictest bound on the runtime type /// Stores the currently inferred strictest bound on the runtime type
/// of a region in a given state along the analysis path. /// of a region in a given state along the analysis path.
class DynamicTypeInfo { class DynamicTypeInfo {
public: public:
DynamicTypeInfo() : DynTy(QualType()) {} DynamicTypeInfo() : Ty(QualType()) {}
DynamicTypeInfo(QualType Ty, bool CanBeSub = true) DynamicTypeInfo(QualType Ty, bool CanBeASubClass = true)
: DynTy(Ty), CanBeASubClass(CanBeSub) {} : Ty(Ty), CanBeASubClass(CanBeASubClass) {}
NoQUnsubmitted
Done
ReplyInline Actions

Ty(Ty) is the idiom here.

NoQ: `Ty(Ty)` is the idiom here.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Good to know, thanks!

Charusso: Good to know, thanks!
/// Returns false if the type information is precise (the type 'DynTy' is /// Returns false if the type information is precise (the type 'Ty' is
/// the only type in the lattice), true otherwise. /// the only type in the lattice), true otherwise.
bool canBeASubClass() const { return CanBeASubClass; } bool canBeASubClass() const { return CanBeASubClass; }
/// Returns true if the dynamic type info is available.
bool isValid() const { return !DynTy.isNull(); }
/// Returns the currently inferred upper bound on the runtime type. /// Returns the currently inferred upper bound on the runtime type.
QualType getType() const { return DynTy; } QualType getType() const { return Ty; }
bool operator==(const DynamicTypeInfo &RHS) const { bool operator==(const DynamicTypeInfo &RHS) const {
return DynTy == RHS.DynTy && CanBeASubClass == RHS.CanBeASubClass; return Ty == RHS.Ty && CanBeASubClass == RHS.CanBeASubClass;
} }
bool operator<(const DynamicTypeInfo &RHS) const { return Ty < RHS.Ty; }
void Profile(llvm::FoldingSetNodeID &ID) const { void Profile(llvm::FoldingSetNodeID &ID) const {
ID.Add(DynTy); ID.Add(Ty);
ID.AddBoolean(CanBeASubClass); ID.AddBoolean(CanBeASubClass);
} }
private: private:
QualType DynTy; QualType Ty;
bool CanBeASubClass; bool CanBeASubClass;
}; };
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEINFO_H #endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICTYPEINFO_H

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

//===- CastValueChecker - Model implementation of custom RTTIs --*- C++ -*-===// //===- CastValueChecker - Model implementation of custom RTTIs --*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines CastValueChecker which models casts of custom RTTIs. // This defines CastValueChecker which models casts of custom RTTIs.
// //
// TODO list:
// - It only allows one succesful cast between two types however in the wild
// the object could be casted to multiple types.
// - It needs to check the most likely type information from the dynamic type
// map to increase precision of dynamic casting.
//
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/AST/DeclTemplate.h" #include "clang/AST/DeclTemplate.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
▲ Show 20 LinesShow All 62 Lines▼ Show 20 Lines void evalGetAs(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalIsa(const CallEvent &Call, DefinedOrUnknownSVal DV, void evalIsa(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
void evalIsaAndNonNull(const CallEvent &Call, DefinedOrUnknownSVal DV, void evalIsaAndNonNull(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C) const; CheckerContext &C) const;
}; };
} // namespace } // namespace
static bool isInfeasibleCast(Optional<DynamicCastInfo> CastInfo, // Dynamic type: Denote 'r' the 'MemoryRegion' which we try to cast. We store
bool CastSucceeds) { // the most derived record type information in the 'DynamicTypeMap' for the
if (!CastInfo) // given 'r'. We store the record types which the given 'r' cannot be casted
// to in 'FailedCastMap'. Every 'MemoryRegion' is typeless from the checker's
// point of view, because it waits for a cast expression to denote the object
// with an appropriate type.
// Denote 'S(r)' a 'MemoryRegion' 'r' entry in 'DynamicTypeMap', and
// denote 'F(r)' a 'MemoryRegion' 'r' entry in 'FailedCastMap'.
//
// Record: For the given 'MemoryRegion' 'r' we obtain the records from the AST
// using the cast expression's and the object's static types and also the
// dynamically known types using 'S(r)' and 'F(r)'.
//
// Inheritance: for two given records 'X' and 'Y' let us call 'X' inherits from
// 'Y' if there exists at least one directed path from 'X' to 'Y'.
// Denote it by 'X -> Y'.
//
// Related records: for two given records 'X' and 'Y' let us call them related
// if either X = Y, or 'X' inherits from 'Y', or 'Y' inherits from 'X'.
// Denote it by 'X <-> Y'. ('X <-> Y' <=> 'X -> Y' ∧ 'X <- Y'.)
//
// Cast: for two given related records 'X' and 'Y' (X <-> Y) we define two
// types of casts: the downcast: 'X -> Y', and the upcast: 'X <- Y'.
//
// Succeeded-cast path: For the given static type of a given MemoryRegion 'r'
// we try to chain the succeeded casts to form a directed path from the
// static type to the most derived record type information in 'S(r)'.
//
// An 'X -> Y' downcast/upcast succeeds for an 'r' 'MemoryRegion' iff
// - 'X <-> Y' and,
// - 'Y' ∉ 'F(r)' and:
// - If ∄S(r): it succeeds as a first entry.
// - If ∃S(r):
// - If ∃'S(r) <-> Y': it succeeds as the succeeded-cast path continues.
// - If ∄'S(r) <-> Y': we could assume that it succeeds as 'Y' could create
// a succeeded-cast path later during the execution.
//
// Here the known static types are \p CastFromTy and \p CastToTy. The 'S(r)'
// entry is \p SucceededCastInfo and the 'F(r)' entry is \p FailedCastInfo.
static Optional<bool>
isSuccededCast(Optional<DynamicTypeInfo> SucceededCastInfo,
Optional<DynamicTypeInfo> FailedCastInfo, QualType CastFromTy,
QualType CastToTy) {
if (FailedCastInfo || !isOneEqualOrDerivedFromOther(CastFromTy, CastToTy))
return false; return false;
return CastSucceeds ? CastInfo->fails() : CastInfo->succeeds(); if (!SucceededCastInfo)
return true;
if (isOneEqualOrDerivedFromOther(SucceededCastInfo->getType(), CastToTy))
return true;
return None;
}
namespace {
struct CastContext {
CastContext(ProgramStateRef State, const MemRegion *MR, QualType CastFromTy,
QualType CastToTy, bool Assumption, bool IsCheckedCast) {
Optional<DynamicTypeInfo> SucceededCastInfo =
getStoredDynamicTypeInfo(State, MR);
Optional<DynamicTypeInfo> FailedCastInfo =
getFailedCastInfo(State, MR, CastToTy);
NoQUnsubmitted
Done
ReplyInline Actions

Counterexample:

struct A {};
struct B : A {};
struct C : A, B {};

Downcast from C to B should succeed, even though they have a common ancestor A (which has the same CXXRecordDecl but currently isn't the same object within C, but can be, if B declares A as a virtual base).

NoQ: Counterexample: ``` struct A {}; struct B : A {}; struct C : A, B {}; ``` Downcast from `C`…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

So, even it is some kind of anti-pattern as a warning arrive immediately, now I allow B to C downcasts. Could you explain me more about that virtual idea, please? Based on this possible use-case in my mind two classes are on the same level as every of their bases/vbases are equals.

Charusso: So, even it is some kind of anti-pattern as a warning arrive immediately, now I allow `B` to…
NoQUnsubmitted
Done
ReplyInline Actions

Could you explain me more about that virtual idea, please?

In the following variation:

struct A {};
struct B : virtual A {};
struct C : A, B {};

we have C contain only one instance of A: the layout of B within C would merely refer to the instance of A within C instead of making its own copy. In particular, the constructor of B within the constructor of C would not initialize C's instance of A because the constructor of C will invoke the constructor of A directly (cf. D61816).

NoQ: > Could you explain me more about that virtual idea, please? In the following variation: ```…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

That is a cool example, thanks you!

Charusso: That is a cool example, thanks you!
// We assume that every checked cast (cast<>) succeeds.
NoQUnsubmitted
Done
ReplyInline Actions

Using a flag here is unnecessary because you're returning true without doing anything else whenever the flag is set.

So, basically, your code says "if at least one current base is different from at least one previous base, the cast succeeds".

In particular, this function would return true whenever CurrentRD and PreviousRD are from completely unrelated class hierarchies. It sounds like whatever isSucceededDowncast() was supposed to do, it's not doing it right.

NoQ: Using a flag here is unnecessary because you're returning true without doing anything else…
bool IsAlwaysSucceeds =
IsCheckedCast || CastFromTy->getPointeeCXXRecordDecl() ==
CastToTy->getPointeeCXXRecordDecl();
if (IsAlwaysSucceeds) {
CastSucceeds = true;
IsKnownCast = true;
} else if (Optional<bool> TempCastSucceeds = isSuccededCast(
SucceededCastInfo, FailedCastInfo, CastFromTy, CastToTy)) {
CastSucceeds = Assumption && *TempCastSucceeds;
IsKnownCast = (CastSucceeds && SucceededCastInfo &&
isDerivedFrom(SucceededCastInfo->getType(), CastToTy)) ||
(!CastSucceeds && FailedCastInfo &&
isDerivedFrom(FailedCastInfo->getType(), CastToTy));
} else {
CastSucceeds = Assumption;
IsKnownCast = false;
}
CastInfo = CastSucceeds ? SucceededCastInfo : FailedCastInfo;
} }
static const NoteTag *getNoteTag(CheckerContext &C, bool CastSucceeds, IsKnownCast;
Optional<DynamicCastInfo> CastInfo, Optional<DynamicTypeInfo> CastInfo;
QualType CastToTy, const Expr *Object, };
bool CastSucceeds, bool IsKnownCast) { } // namespace
static const NoteTag *getNoteTag(CheckerContext &C, const Expr *Object,
QualType CastToTy, CastContext &CastCtx) {
QualType KnownCastToTy;
if (CastCtx.CastInfo && CastCtx.IsKnownCast)
KnownCastToTy = CastCtx.CastInfo->getType();
std::string CastToName = std::string CastToName =
CastInfo ? CastInfo->to()->getPointeeCXXRecordDecl()->getNameAsString() CastCtx.CastInfo && CastCtx.IsKnownCast
? KnownCastToTy->getPointeeCXXRecordDecl()->getNameAsString()
: CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); : CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
Object = Object->IgnoreParenImpCasts(); Object = Object->IgnoreParenImpCasts();
return C.getNoteTag( return C.getNoteTag(
[=]() -> std::string { [=]() -> std::string {
SmallString<128> Msg; SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
if (!IsKnownCast) if (!CastCtx.IsKnownCast)
Out << "Assuming "; Out << "Assuming ";
NoQUnsubmitted
Done
ReplyInline Actions

Omg lol nice. Did you try to figure out how do other people normally do it?

NoQ: Omg lol nice. Did you try to figure out how do other people normally do it?
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

There is no function for that in ADT/StringExtras.h + grep did not help, so I realized it is a common way to match vowels. Do you know a better solution?

Charusso: There is no function for that in `ADT/StringExtras.h` + `grep` did not help, so I realized it…
NoQUnsubmitted
Done
ReplyInline Actions

I just realized that this is actually incorrect and the correct solution is pretty hard to implement because the actual "a vs. an" rule deals with sounds, not letters. Eg.:

Clang is an "LLVM native" C/C++/Objective-C compiler

has an "an" because it's read as "an el-el-vee-am".

NoQ: I just realized that this is actually incorrect and the correct solution is pretty hard to…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

That is a cool idea, I will adjust StringExtras.h after that patch, for now please let us use that simple heuristic.

Charusso: That is a cool idea, I will adjust `StringExtras.h` after that patch, for now please let us use…
if (const auto *DRE = dyn_cast<DeclRefExpr>(Object)) { if (const auto *DRE = dyn_cast<DeclRefExpr>(Object)) {
Out << '\'' << DRE->getDecl()->getNameAsString() << '\''; Out << '\'' << DRE->getDecl()->getNameAsString() << '\'';
} else if (const auto *ME = dyn_cast<MemberExpr>(Object)) { } else if (const auto *ME = dyn_cast<MemberExpr>(Object)) {
Out << (IsKnownCast ? "Field '" : "field '") Out << (CastCtx.IsKnownCast ? "Field '" : "field '")
<< ME->getMemberDecl()->getNameAsString() << '\''; << ME->getMemberDecl()->getNameAsString() << '\'';
} else { } else {
Out << (IsKnownCast ? "The object" : "the object"); Out << (CastCtx.IsKnownCast ? "The object" : "the object");
} }
Out << ' ' << (CastSucceeds ? "is a" : "is not a") << " '" << CastToName Out << ' ' << (CastCtx.CastSucceeds ? "is" : "is not") << " a '"
<< '\''; << CastToName << '\'';
return Out.str(); return Out.str();
}, },
/*IsPrunable=*/true); /*IsPrunable=*/!CastCtx.CastSucceeds);
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

That could be helpful, but I am not sure.

Charusso: That could be helpful, but I am not sure.
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Main logic to evaluate a cast. // Main logic to evaluate a cast.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static QualType alignReferenceTypes(QualType toAlign, QualType alignTowards, static QualType alignReferenceTypes(QualType toAlign, QualType alignTowards,
ASTContext &ACtx) { ASTContext &ACtx) {
Show All 9 Linesstatic QualType alignReferenceTypes(QualType toAlign, QualType alignTowards,
llvm_unreachable("Must align towards a reference type!"); llvm_unreachable("Must align towards a reference type!");
} }
static void addCastTransition(const CallEvent &Call, DefinedOrUnknownSVal DV, static void addCastTransition(const CallEvent &Call, DefinedOrUnknownSVal DV,
CheckerContext &C, bool IsNonNullParam, CheckerContext &C, bool IsNonNullParam,
bool IsNonNullReturn, bool IsNonNullReturn,
bool IsCheckedCast = false) { bool IsCheckedCast = false) {
ProgramStateRef State = C.getState()->assume(DV, IsNonNullParam); ProgramStateRef State = C.getState()->assume(DV, IsNonNullParam);
if (!State) if (!State) {
C.generateSink(C.getState(), C.getPredecessor());
return; return;
}
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Previously possible false positives happened because we kept flow the modeling.

Charusso: Previously possible false positives happened because we kept flow the modeling.
const Expr *Object; const Expr *Object;
QualType CastFromTy; QualType CastFromTy;
QualType CastToTy = Call.getResultType(); QualType CastToTy = Call.getResultType();
if (Call.getNumArgs() > 0) { if (Call.getNumArgs() > 0) {
Object = Call.getArgExpr(0); Object = Call.getArgExpr(0);
CastFromTy = Call.parameters()[0]->getType(); CastFromTy = Call.parameters()[0]->getType();
} else { } else {
Object = cast<CXXInstanceCall>(&Call)->getCXXThisExpr(); Object = cast<CXXInstanceCall>(&Call)->getCXXThisExpr();
CastFromTy = Object->getType(); CastFromTy = Object->getType();
if (CastToTy->isPointerType()) { if (CastToTy->isPointerType()) {
if (!CastFromTy->isPointerType()) if (!CastFromTy->isPointerType())
return; return;
} else { } else {
if (!CastFromTy->isReferenceType()) if (!CastFromTy->isReferenceType())
return; return;
CastFromTy = alignReferenceTypes(CastFromTy, CastToTy, C.getASTContext()); CastFromTy = alignReferenceTypes(CastFromTy, CastToTy, C.getASTContext());
} }
} }
const MemRegion *MR = DV.getAsRegion(); const MemRegion *MR = DV.getAsRegion();
Optional<DynamicCastInfo> CastInfo = CastContext CastCtx(State, MR, CastFromTy, CastToTy,
getDynamicCastInfo(State, MR, CastFromTy, CastToTy); /*Assumption=*/IsNonNullReturn, IsCheckedCast);
// We assume that every checked cast succeeds.
bool CastSucceeds = IsCheckedCast || CastFromTy == CastToTy;
if (!CastSucceeds) {
if (CastInfo)
CastSucceeds = IsNonNullReturn && CastInfo->succeeds();
else
CastSucceeds = IsNonNullReturn;
}
// Check for infeasible casts.
if (isInfeasibleCast(CastInfo, CastSucceeds)) {
C.generateSink(State, C.getPredecessor());
return;
}
// Store the type and the cast information. State = setDynamicTypeInfo(State, MR, CastToTy, CastCtx.CastSucceeds,
bool IsKnownCast = CastInfo || IsCheckedCast || CastFromTy == CastToTy; CastCtx.CastInfo);
if (!IsKnownCast || IsCheckedCast)
State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy,
CastSucceeds);
SVal V = CastSucceeds ? C.getSValBuilder().evalCast(DV, CastToTy, CastFromTy) SVal V = CastCtx.CastSucceeds
? C.getSValBuilder().evalCast(DV, CastToTy, CastFromTy)
: C.getSValBuilder().makeNull(); : C.getSValBuilder().makeNull();
C.addTransition( C.addTransition(
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), V, false), State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), V, false),
getNoteTag(C, CastInfo, CastToTy, Object, CastSucceeds, IsKnownCast)); getNoteTag(C, Object, CastToTy, CastCtx));
} }
static void addInstanceOfTransition(const CallEvent &Call, static void addInstanceOfTransition(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
ProgramStateRef State, CheckerContext &C, ProgramStateRef State, CheckerContext &C,
bool IsInstanceOf) { bool IsInstanceOf) {
const FunctionDecl *FD = Call.getDecl()->getAsFunction(); const FunctionDecl *FD = Call.getDecl()->getAsFunction();
QualType CastFromTy = Call.parameters()[0]->getType(); QualType CastFromTy = Call.parameters()[0]->getType().getCanonicalType();
QualType CastToTy = FD->getTemplateSpecializationArgs()->get(0).getAsType(); QualType CastToTy = FD->getTemplateSpecializationArgs()->get(0).getAsType();
if (CastFromTy->isPointerType()) if (CastFromTy->isPointerType())
CastToTy = C.getASTContext().getPointerType(CastToTy); CastToTy = C.getASTContext().getPointerType(CastToTy);
else if (CastFromTy->isReferenceType()) else if (CastFromTy->isReferenceType())
CastToTy = alignReferenceTypes(CastToTy, CastFromTy, C.getASTContext()); CastToTy = alignReferenceTypes(CastToTy, CastFromTy, C.getASTContext());
else else
return; return;
const MemRegion *MR = DV.getAsRegion(); const MemRegion *MR = DV.getAsRegion();
Optional<DynamicCastInfo> CastInfo = CastContext CastCtx(State, MR, CastFromTy, CastToTy,
getDynamicCastInfo(State, MR, CastFromTy, CastToTy); /*Assumption=*/IsInstanceOf, /*IsCheckedCast=*/false);
bool CastSucceeds;
if (CastInfo)
CastSucceeds = IsInstanceOf && CastInfo->succeeds();
else
CastSucceeds = IsInstanceOf || CastFromTy == CastToTy;
if (isInfeasibleCast(CastInfo, CastSucceeds)) {
C.generateSink(State, C.getPredecessor());
return;
}
// Store the type and the cast information. State = setDynamicTypeInfo(State, MR, CastToTy, CastCtx.CastSucceeds,
bool IsKnownCast = CastInfo || CastFromTy == CastToTy; CastCtx.CastInfo);
if (!IsKnownCast)
State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy,
IsInstanceOf);
C.addTransition( C.addTransition(
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
C.getSValBuilder().makeTruthVal(CastSucceeds)), C.getSValBuilder().makeTruthVal(CastCtx.CastSucceeds)),
getNoteTag(C, CastInfo, CastToTy, Call.getArgExpr(0), CastSucceeds, getNoteTag(C, Call.getArgExpr(0), CastToTy, CastCtx));
IsKnownCast));
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null. // Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static void evalNonNullParamNonNullReturn(const CallEvent &Call, static void evalNonNullParamNonNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
▲ Show 20 LinesShow All 129 Lines▼ Show 20 Linesbool CastValueChecker::evalCall(const CallEvent &Call,
Optional<DefinedOrUnknownSVal> DV; Optional<DefinedOrUnknownSVal> DV;
switch (Kind) { switch (Kind) {
case CallKind::Function: { case CallKind::Function: {
// We only model casts from pointers to pointers or from references // We only model casts from pointers to pointers or from references
// to references. Other casts are most likely specialized and we // to references. Other casts are most likely specialized and we
// cannot model them. // cannot model them.
QualType ParamT = Call.parameters()[0]->getType(); QualType ParamTy = Call.parameters()[0]->getType();
QualType ResultT = Call.getResultType(); QualType ResultTy = Call.getResultType();
if (!(ParamT->isPointerType() && ResultT->isPointerType()) && if (!(ParamTy->isPointerType() && ResultTy->isPointerType()) &&
!(ParamT->isReferenceType() && ResultT->isReferenceType())) !(ParamTy->isReferenceType() && ResultTy->isReferenceType()))
return false; return false;
DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>(); DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>();
break; break;
} }
case CallKind::InstanceOf: { case CallKind::InstanceOf: {
// We need to obtain the only template argument to determinte the type. // We need to obtain the only template argument to determinte the type.
const FunctionDecl *FD = Call.getDecl()->getAsFunction(); const FunctionDecl *FD = Call.getDecl()->getAsFunction();
Show All 29 Lines

clang/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 2,760 Lines▼ Show 20 Lines while (BugPathInfo *BugPath = BugGraph.getNextBugPath()) {
// Register refutation visitors first, if they mark the bug invalid no // Register refutation visitors first, if they mark the bug invalid no
// further analysis is required // further analysis is required
R->addVisitor(std::make_unique<LikelyFalsePositiveSuppressionBRVisitor>()); R->addVisitor(std::make_unique<LikelyFalsePositiveSuppressionBRVisitor>());
// Register additional node visitors. // Register additional node visitors.
R->addVisitor(std::make_unique<NilReceiverBRVisitor>()); R->addVisitor(std::make_unique<NilReceiverBRVisitor>());
R->addVisitor(std::make_unique<ConditionBRVisitor>()); R->addVisitor(std::make_unique<ConditionBRVisitor>());
R->addVisitor(std::make_unique<TagVisitor>()); R->addVisitor(std::make_unique<TagVisitor>());
R->addVisitor(std::make_unique<CastVisitor>());
BugReporterContext BRC(Reporter); BugReporterContext BRC(Reporter);
// Run all visitors on a given graph, once. // Run all visitors on a given graph, once.
std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes = std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes =
generateVisitorsDiagnostics(R, ErrorNode, BRC); generateVisitorsDiagnostics(R, ErrorNode, BRC);
if (R->isValid()) { if (R->isValid()) {
▲ Show 20 LinesShow All 492 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show All 31 Lines
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceLocation.h" #include "clang/Basic/SourceLocation.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
Show All 10 Lines
#include "llvm/Support/Casting.h" #include "llvm/Support/Casting.h"
#include "llvm/Support/ErrorHandling.h" #include "llvm/Support/ErrorHandling.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include <cassert> #include <cassert>
#include <deque> #include <deque>
#include <memory> #include <memory>
#include <string> #include <string>
#include <utility> #include <utility>
#include <vector>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions. // Utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 2,820 Lines▼ Show 20 Lines PathDiagnosticLocation Loc =
PathDiagnosticLocation::create(PP, BRC.getSourceManager()); PathDiagnosticLocation::create(PP, BRC.getSourceManager());
auto Piece = std::make_shared<PathDiagnosticEventPiece>(Loc, *Msg); auto Piece = std::make_shared<PathDiagnosticEventPiece>(Loc, *Msg);
Piece->setPrunable(T->isPrunable()); Piece->setPrunable(T->isPrunable());
return Piece; return Piece;
} }
return nullptr; return nullptr;
} }
//===----------------------------------------------------------------------===//
// Implementation of CastVisitor.
//===----------------------------------------------------------------------===//
void CastVisitor::Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddPointer(getTag());
}
void *CastVisitor::getTag() {
static int Tag = 0;
return static_cast<void *>(&Tag);
}
PathDiagnosticPieceRef CastVisitor::VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,
PathSensitiveBugReport &R) {
ProgramPoint PP = N->getLocation();
if (!dyn_cast_or_null<NoteTag>(PP.getTag()))
return nullptr;
auto PS = PP.getAs<PostStmt>();
if (!PS)
return nullptr;
ProgramStateRef State = N->getState();
const LocationContext *LCtx = N->getLocationContext();
CallEventRef<> Call = BRC.getStateManager().getCallEventManager().getCall(
PS->getStmt(), State, LCtx);
if (!Call)
return nullptr;
DefinedOrUnknownSVal DV = UnknownVal();
if (Call->getNumArgs() == 1) {
DV = Call->getArgSVal(0).castAs<DefinedOrUnknownSVal>();
} else if (const auto *InstanceCall = dyn_cast<CXXInstanceCall>(Call)) {
DV = InstanceCall->getCXXThisVal().castAs<DefinedOrUnknownSVal>();
} else {
return nullptr;
}
RegionSet.insert(DV.getAsRegion());
return nullptr;
}
void CastVisitor::finalizeVisitor(BugReporterContext &BRC,
const ExplodedNode *N,
PathSensitiveBugReport &R) {
if (RegionSet.empty())
return;
bool IsFalsePositive = false;
ProgramStateRef State = N->getState();
std::vector<const CXXRecordDecl *> Records;
using namespace ast_matchers;
constexpr llvm::StringLiteral RecordName = "record";
auto Matches = match(cxxRecordDecl().bind(RecordName), BRC.getASTContext());
for (BoundNodes &Match : Matches) {
if (const auto *RD = Match.getNodeAs<CXXRecordDecl>(RecordName)) {
if (RD->hasDefinition()) {
Records.push_back(RD);
}
}
}
for (const MemRegion *MR : RegionSet) {
if ((IsFalsePositive = isInfeasibleCastFound(State, MR, Records)))
break;
}
if (IsFalsePositive)
R.markInvalid(getTag(), nullptr);
}

clang/lib/StaticAnalyzer/Core/DynamicType.cpp

Show All 21 Lines
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include <cassert> #include <cassert>
/// The GDM component containing the dynamic type info. This is a map from a /// The GDM component containing the dynamic type info. This is a map from a
/// symbol to its most likely type. /// symbol to its most likely type.
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicTypeMap, const clang::ento::MemRegion *, REGISTER_MAP_WITH_PROGRAMSTATE(DynamicTypeMap, const clang::ento::MemRegion *,
clang::ento::DynamicTypeInfo) clang::ento::DynamicTypeInfo)
/// A set factory of dynamic cast informations. /// A set factory of dynamic cast informations as type informations.
REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(CastSet, clang::ento::DynamicCastInfo) REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(CastSet, clang::ento::DynamicTypeInfo)
/// A map from symbols to cast informations. /// A map from symbols to succeeded cast informations.
REGISTER_MAP_WITH_PROGRAMSTATE(DynamicCastMap, const clang::ento::MemRegion *, REGISTER_MAP_WITH_PROGRAMSTATE(SucceededCastMap, const clang::ento::MemRegion *,
CastSet)
/// A map from symbols to failed cast informations.
REGISTER_MAP_WITH_PROGRAMSTATE(FailedCastMap, const clang::ento::MemRegion *,
CastSet) CastSet)
namespace clang { namespace clang {
namespace ento { namespace ento {
static const MemRegion *getSimplifiedRegion(const MemRegion *MR) {
return MR->StripCasts();
}
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Probably a consistent way of MemRegion handling is more appropriate.

Charusso: Probably a consistent way of `MemRegion` handling is more appropriate.
NoQUnsubmitted
Done
ReplyInline Actions

Pointer casts are quite a can of worms. I suggest ignoring it for now and dealing with it as needed. I.e., your code looks good... for now.

NoQ: Pointer casts are quite a can of worms. I suggest ignoring it for now and dealing with it as…
SzelethusUnsubmitted
Done
ReplyInline Actions

*cries in pointer chasing*

Szelethus: //*cries in pointer chasing*//
bool isDerivedFrom(QualType X, QualType Y) {
const CXXRecordDecl *XRD = X->getPointeeCXXRecordDecl();
const CXXRecordDecl *YRD = Y->getPointeeCXXRecordDecl();
if (!XRD || !YRD)
return false;
return XRD->isDerivedFrom(YRD);
}
bool isOneEqualOrDerivedFromOther(QualType X, QualType Y) {
if (X->getPointeeCXXRecordDecl() == Y->getPointeeCXXRecordDecl())
return true;
return isDerivedFrom(X, Y) || isDerivedFrom(Y, X);
}
bool isInfeasibleCastFound(ProgramStateRef State, const MemRegion *MR,
const std::vector<const CXXRecordDecl *> &Records) {
const CastSet *SucceededSet = State->get<SucceededCastMap>().lookup(MR);
if (!SucceededSet)
return false;
for (const DynamicTypeInfo &I : *SucceededSet) {
for (const DynamicTypeInfo &J : *SucceededSet) {
// Pick two disjunct records (there is no direct path between them).
if (!isOneEqualOrDerivedFromOther(I.getType(), J.getType())) {
for (const CXXRecordDecl *RD : Records) {
// If the picked two records have a common descendant the cast is
// feasible into that descendant record.
if (RD->isDerivedFrom(I.getType()->getPointeeCXXRecordDecl()) &&
RD->isDerivedFrom(J.getType()->getPointeeCXXRecordDecl())) {
return false;
}
}
// If the picked two records does not have a common descendant the cast
// is infeasible as the object could not be casted into both of them.
return true;
}
}
}
return false;
}
Optional<DynamicTypeInfo> getDynamicTypeInfo(ProgramStateRef State, Optional<DynamicTypeInfo> getDynamicTypeInfo(ProgramStateRef State,
const MemRegion *MR) { const MemRegion *MR) {
MR = MR->StripCasts(); MR = getSimplifiedRegion(MR);
// Look up the dynamic type in the GDM. // Look up the dynamic type in the GDM.
if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR)) if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR))
return *DTI; return *DTI;
SzelethusUnsubmitted
Done
ReplyInline Actions

Hmm, I think this function answers the question, at least in the standard library sense, whether Y std::is_base_of of X, whereas "is derived from?" is another term that is used by clang and seems to not allow equality of types. Should we rename this to isBaseOf?

Szelethus: Hmm, I think this function answers the question, at least in the standard library sense…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I have left the equality by a mistake. It is wanted to be a wrapper of isDerivedFrom(), which does not allow equality. Thanks for the notice!

Charusso: I have left the equality by a mistake. It is wanted to be a wrapper of `isDerivedFrom()`, which…
// Otherwise, fall back to what we know about the region. // Otherwise, fall back to what we know about the region.
if (const auto *TR = dyn_cast<TypedRegion>(MR)) if (const auto *TR = dyn_cast<TypedRegion>(MR))
return DynamicTypeInfo(TR->getLocationType(), /*CanBeSub=*/false); return DynamicTypeInfo(TR->getLocationType(), /*CanBeSub=*/false);
if (const auto *SR = dyn_cast<SymbolicRegion>(MR)) { if (const auto *SR = dyn_cast<SymbolicRegion>(MR)) {
SymbolRef Sym = SR->getSymbol(); SymbolRef Sym = SR->getSymbol();
return DynamicTypeInfo(Sym->getType()); return DynamicTypeInfo(Sym->getType());
} }
return None; return None;
} }
Optional<DynamicTypeInfo> getStoredDynamicTypeInfo(ProgramStateRef State, Optional<DynamicTypeInfo> getStoredDynamicTypeInfo(ProgramStateRef State,
const MemRegion *MR) { const MemRegion *MR) {
if (!MR)
return None;
MR = getSimplifiedRegion(MR);
if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR)) if (const DynamicTypeInfo *DTI = State->get<DynamicTypeMap>(MR))
return *DTI; return *DTI;
return None; return None;
} }
Optional<DynamicCastInfo> getDynamicCastInfo(ProgramStateRef State, Optional<DynamicTypeInfo> getFailedCastInfo(ProgramStateRef State,
const MemRegion *MR, const MemRegion *MR,
QualType CastFromTy,
QualType CastToTy) { QualType CastToTy) {
const auto *Lookup = State->get<DynamicCastMap>().lookup(MR); if (!MR)
return None;
MR = getSimplifiedRegion(MR);
const auto *Lookup = State->get<FailedCastMap>().lookup(MR);
if (!Lookup) if (!Lookup)
return None; return None;
for (const DynamicCastInfo &Cast : *Lookup) for (const DynamicTypeInfo &Cast : *Lookup) {
if (Cast.equals(CastFromTy, CastToTy)) QualType FailedCastTy = Cast.getType();
if (FailedCastTy->getPointeeCXXRecordDecl() ==
CastToTy->getPointeeCXXRecordDecl() ||
isDerivedFrom(CastToTy, FailedCastTy)) {
return Cast; return Cast;
}
}
return None; return None;
} }
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
DynamicTypeInfo NewTy) { DynamicTypeInfo NewTy) {
State = State->set<DynamicTypeMap>(MR->StripCasts(), NewTy); State = State->set<DynamicTypeMap>(MR->StripCasts(), NewTy);
assert(State); assert(State);
return State; return State;
} }
ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
QualType NewTy, bool CanBeSubClassed) { QualType NewTy, bool CanBeSubClassed) {
return setDynamicTypeInfo(State, MR, DynamicTypeInfo(NewTy, CanBeSubClassed)); return setDynamicTypeInfo(State, MR, DynamicTypeInfo(NewTy, CanBeSubClassed));
} }
ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State, ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR,
const MemRegion *MR, QualType CastToTy, bool CastSucceeds,
QualType CastFromTy, Optional<DynamicTypeInfo> CastInfo) {
QualType CastToTy,
bool CastSucceeds) {
if (!MR) if (!MR)
return State; return State;
if (CastSucceeds) { MR = getSimplifiedRegion(MR);
assert((CastToTy->isAnyPointerType() || CastToTy->isReferenceType()) &&
"DynamicTypeInfo should always be a pointer.");
State = State->set<DynamicTypeMap>(MR, CastToTy);
}
DynamicCastInfo::CastResult ResultKind =
CastSucceeds ? DynamicCastInfo::CastResult::Success
: DynamicCastInfo::CastResult::Failure;
CastSet::Factory &F = State->get_context<CastSet>(); CastSet::Factory &F = State->get_context<CastSet>();
const CastSet *TempSet;
TempSet = CastSucceeds ? State->get<SucceededCastMap>(MR)
: State->get<FailedCastMap>(MR);
const CastSet *TempSet = State->get<DynamicCastMap>(MR);
CastSet Set = TempSet ? *TempSet : F.getEmptySet(); CastSet Set = TempSet ? *TempSet : F.getEmptySet();
Set = F.add(Set, CastToTy);
Set = F.add(Set, {CastFromTy, CastToTy, ResultKind}); if (CastSucceeds) {
State = State->set<DynamicCastMap>(MR, Set); // If there is no 'CastInfo' or the 'CastToTy' is a downcast store it.
// Downcast gives more precision what is the current most derived class.
if (!CastInfo || isDerivedFrom(CastToTy, CastInfo->getType())) {
State = setDynamicTypeInfo(State, MR, CastToTy);
}
} else {
// Upcast gives more precision what is the largest set the class cannot be.
if (CastInfo && isDerivedFrom(CastInfo->getType(), CastToTy)) {
Set = F.remove(Set, *CastInfo);
}
}
State = CastSucceeds ? State->set<SucceededCastMap>(MR, Set)
: State->set<FailedCastMap>(MR, Set);
assert(State); assert(State);
return State; return State;
} }
template <typename MapTy> template <typename MapTy>
ProgramStateRef removeDead(ProgramStateRef State, const MapTy &Map, ProgramStateRef removeDead(ProgramStateRef State, const MapTy &Map,
SymbolReaper &SR) { SymbolReaper &SR) {
for (const auto &Elem : Map) for (const auto &Elem : Map)
if (!SR.isLiveRegion(Elem.first)) if (!SR.isLiveRegion(Elem.first))
State = State->remove<DynamicCastMap>(Elem.first); State = State->remove<FailedCastMap>(Elem.first);
return State; return State;
} }
ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR) { ProgramStateRef removeDeadTypes(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicTypeMap>(), SR); return removeDead(State, State->get<DynamicTypeMap>(), SR);
} }
ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR) { ProgramStateRef removeDeadCasts(ProgramStateRef State, SymbolReaper &SR) {
return removeDead(State, State->get<DynamicCastMap>(), SR); return removeDead(State, State->get<FailedCastMap>(), SR);
} }
static void printDynamicTypesJson(raw_ostream &Out, ProgramStateRef State, static void printDynamicTypesJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space, const char *NL, unsigned int Space,
bool IsDot) { bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_types\": "; Indent(Out, Space, IsDot) << "\"dynamic_types\": ";
const DynamicTypeMapTy &Map = State->get<DynamicTypeMap>(); const DynamicTypeMapTy &Map = State->get<DynamicTypeMap>();
Show All 22 Lines if (std::next(I) != Map.end())
Out << ','; Out << ',';
Out << NL; Out << NL;
} }
--Space; --Space;
Indent(Out, Space, IsDot) << "]," << NL; Indent(Out, Space, IsDot) << "]," << NL;
} }
static void printDynamicCastsJson(raw_ostream &Out, ProgramStateRef State, template <typename MapTy>
const char *NL, unsigned int Space, static void printCastsJson(raw_ostream &Out, ProgramStateRef State,
const MapTy &Map, const char *NL, unsigned int Space,
bool IsDot) { bool IsDot) {
Indent(Out, Space, IsDot) << "\"dynamic_casts\": ";
const DynamicCastMapTy &Map = State->get<DynamicCastMap>();
if (Map.isEmpty()) { if (Map.isEmpty()) {
Out << "null," << NL; Out << "null," << NL;
return; return;
} }
++Space; ++Space;
Out << '[' << NL; Out << '[' << NL;
for (DynamicCastMapTy::iterator I = Map.begin(); I != Map.end(); ++I) { for (typename MapTy::iterator I = Map.begin(); I != Map.end(); ++I) {
const MemRegion *MR = I->first; const MemRegion *MR = I->first;
const CastSet &Set = I->second; const CastSet &Set = I->second;
Indent(Out, Space, IsDot) << "{ \"region\": \"" << MR << "\", \"casts\": "; Indent(Out, Space, IsDot) << "{ \"region\": \"" << MR << "\", \"casts\": ";
if (Set.isEmpty()) { if (Set.isEmpty()) {
Out << "null "; Out << "null ";
} else { } else {
++Space; ++Space;
Out << '[' << NL; Out << '[' << NL;
Indent(Out, Space, IsDot);
for (CastSet::iterator SI = Set.begin(); SI != Set.end(); ++SI) { for (CastSet::iterator SI = Set.begin(); SI != Set.end(); ++SI) {
Indent(Out, Space, IsDot) Out << '\"' << SI->getType().getAsString() << '\"';
<< "{ \"from\": \"" << SI->from().getAsString() << "\", \"to\": \""
<< SI->to().getAsString() << "\", \"kind\": \""
<< (SI->succeeds() ? "success" : "fail") << "\" }";
if (std::next(SI) != Set.end()) if (std::next(SI) != Set.end())
Out << ','; Out << ", ";
Out << NL;
} }
Out << NL;
--Space; --Space;
Indent(Out, Space, IsDot) << ']'; Indent(Out, Space, IsDot) << ']';
} }
Out << '}'; Out << '}';
if (std::next(I) != Map.end()) if (std::next(I) != Map.end())
Out << ','; Out << ',';
Out << NL; Out << NL;
} }
--Space; --Space;
Indent(Out, Space, IsDot) << "]," << NL; Indent(Out, Space, IsDot) << "]," << NL;
} }
void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State, void printDynamicTypeInfoJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, unsigned int Space, bool IsDot) { const char *NL, unsigned int Space, bool IsDot) {
printDynamicTypesJson(Out, State, NL, Space, IsDot); printDynamicTypesJson(Out, State, NL, Space, IsDot);
printDynamicCastsJson(Out, State, NL, Space, IsDot);
Indent(Out, Space, IsDot) << "\"succeeded_casts\": ";
printCastsJson(Out, State, State->get<SucceededCastMap>(), NL, Space, IsDot);
Indent(Out, Space, IsDot) << "\"failed_casts\": ";
printCastsJson(Out, State, State->get<FailedCastMap>(), NL, Space, IsDot);
} }
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang

clang/test/Analysis/cast-value-hierarchy-failures-set.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -verify %s 2>&1 | FileCheck %s
// expected-no-diagnostics
#include "Inputs/llvm.h"
using namespace llvm;
void clang_analyzer_printState();
struct A {}; // A
struct B : A {}; // `-B
struct C : B {}; // `-C
struct D : C {}; // `-D
void test_downcast(const A *a) {
if (isa<C>(a))
return;
clang_analyzer_printState();
// CHECK: "failed_casts": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct A * a>}", "casts": [
// CHECK-NEXT: "struct C *"
// CHECK-NEXT: ]}
// A failed upcast gives more precision what the type cannot be.
if (isa<B>(a))
return;
clang_analyzer_printState();
// CHECK: "failed_casts": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct A * a>}", "casts": [
// CHECK-NEXT: "struct B *"
// CHECK-NEXT: ]}
// A failed downcast does not give more information.
if (isa<D>(a))
return;
clang_analyzer_printState();
// CHECK: "failed_casts": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct A * a>}", "casts": [
// CHECK-NEXT: "struct B *"
// CHECK-NEXT: ]}
}

clang/test/Analysis/cast-value-hierarchy-succeeds.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -verify %s 2>&1 | FileCheck %s
// expected-no-diagnostics
#include "Inputs/llvm.h"
using namespace llvm;
void clang_analyzer_printState();
struct A {}; // A
struct B : A {}; // `-B
struct C : B {}; // `-C
struct D : C {}; // `-D
void test_downcast(const A *a) {
clang_analyzer_printState();
// CHECK: "dynamic_types": null
if (!isa<C>(a))
return;
clang_analyzer_printState();
// CHECK: "dynamic_types": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct A * a>}", "dyn_type": "struct C", "sub_classable": true }
if (!isa<D>(a))
return;
// A succeeded cast gives more precision what is the most-derived class.
clang_analyzer_printState();
// CHECK: "dynamic_types": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct A * a>}", "dyn_type": "struct D", "sub_classable": true }
if (!isa<B>(a))
return;
// A succeeded upcast does not give more information.
clang_analyzer_printState();
// CHECK: "dynamic_types": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct A * a>}", "dyn_type": "struct D", "sub_classable": true }
}

clang/test/Analysis/cast-value-hierarchy.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -verify %s
#include "Inputs/llvm.h"
using namespace llvm;
void clang_analyzer_warnIfReached();
// X
struct X {}; // / \.
struct Y : X {}; // Y-. \.
struct Z : X, Y {}; // `-Z
// expected-warning@-1 {{direct base 'X' is inaccessible due to ambiguity:\n struct Z -> struct X\n struct Z -> struct Y -> struct X}}
void test_triangle_feasible(const X *x) {
if (isa<Y>(x))
if (isa<Z>(x))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
void test_triangle_infeasible(const X *x) {
if (!isa<Y>(x))
if (isa<Z>(x))
clang_analyzer_warnIfReached(); // no-warning
}
struct A {}; // A
struct B : virtual A {}; // / \.
struct C : virtual A {}; // B C
struct D : B, C {}; // \ / \.
struct E : C {}; // D E
void test_failures_set(const A *a) {
if (isa<B>(a) || isa<C>(a))
if (isa<D>(a))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
void test_faiures_set_infeasible(const A *a) {
if (!isa<B>(a) && isa<C>(a))
if (isa<D>(a))
clang_analyzer_warnIfReached(); // no-warning
}
void test_downcast(const A *a) {
if (isa<B>(a)) {
if (isa<D>(a))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
}
// Here 'a' could be a 'D'.
void test_downcast_wonky(const A *a) {
if (isa<B>(a))
if (isa<C>(a))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
void test_upcast(const A *a) {
if (isa<D>(a) && isa<B>(a)) {
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
if (isa<C>(a))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
}
void test_downcast_chaining_infeasible(const A *a) {
if (isa<B>(a) && !isa<C>(a))
if (isa<D>(a) || isa<E>(a))
clang_analyzer_warnIfReached(); // no-warning
}

clang/test/Analysis/cast-value-notes.cpp

// RUN: %clang_analyze_cc1 \ // RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\ // RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -analyzer-output=text -verify %s // RUN: -analyzer-output=text -verify %s
#include "Inputs/llvm.h" #include "Inputs/llvm.h"
namespace clang { namespace clang {
struct Shape { struct Shape {
template <typename T> template <typename T>
const T *castAs() const; const T *castAs() const;
template <typename T> template <typename T>
const T *getAs() const; const T *getAs() const;
}; };
class Triangle : public Shape {}; struct Triangle : Shape {};
class Circle : public Shape {}; struct Circle : Shape {};
} // namespace clang } // namespace clang
using namespace llvm; using namespace llvm;
using namespace clang; using namespace clang;
void evalReferences(const Shape &S) { void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S); const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
} }
void evalNonNullParamNonNullReturnReference(const Shape &S) { void evalNonNullParamNonNullReturnReference(const Shape &S) {
// Unmodeled cast from reference to pointer. // Unmodeled cast from reference to pointer.
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{'C' initialized here}} // expected-note@-1 {{'C' initialized here}}
if (!dyn_cast_or_null<Circle>(C)) { if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{'C' is a 'Circle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (isa<Triangle>(C)) { if (isa<Triangle>(C)) {
// expected-note@-1 {{'C' is not a 'Triangle'}} // expected-note@-1 {{'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (isa<Circle>(C)) { if (isa<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{'C' is a 'Circle'}}
// expected-note@-2 {{Taking true branch}} // expected-note@-2 {{Taking true branch}}
(void)(1 / !C); (void)(1 / !C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
} }
void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = cast<Circle>(S); const auto *C = cast<Circle>(S);
// expected-note@-1 {{'S' is a 'Circle'}} // expected-note@-1 {{'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
if (!isa<Triangle>(C)) { if (isa<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is a 'Triangle'}} // expected-note@-1 {{'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (!isa<Triangle>(C)) {
// expected-note@-1 {{'C' is a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
(void)(1 / !C); (void)(1 / !C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
▲ Show 20 LinesShow All 72 LinesShow Last 20 Lines

clang/test/Analysis/cast-value-state-dump.cpp

// RUN: %clang_analyze_cc1 \ // RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\ // RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -analyzer-output=text -verify %s 2>&1 | FileCheck %s // RUN: -analyzer-output=text -verify %s 2>&1 | FileCheck %s
#include "Inputs/llvm.h" #include "Inputs/llvm.h"
void clang_analyzer_printState(); void clang_analyzer_printState();
namespace clang { namespace clang {
struct Shape {}; struct Shape {};
class Triangle : public Shape {}; struct Circle : Shape {};
class Circle : public Shape {}; struct Square : Shape {};
class Square : public Shape {}; struct Octagram : Shape {};
} // namespace clang } // namespace clang
using namespace llvm; using namespace llvm;
using namespace clang; using namespace clang;
void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNonNullReturn(const Shape *S) {
if (isa<Octagram>(S)) {
// expected-note@-1 {{Assuming 'S' is not a 'Octagram'}}
// expected-note@-2 {{Taking false branch}}
return;
}
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is a 'Circle'}} // expected-note@-1 {{Assuming 'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
// FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'.
if (dyn_cast_or_null<Square>(S)) { if (dyn_cast_or_null<Square>(S)) {
// expected-note@-1 {{Assuming 'S' is not a 'Square'}} // expected-note@-1 {{'S' is not a 'Square'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
clang_analyzer_printState(); clang_analyzer_printState();
// CHECK: "dynamic_types": [ // CHECK: "dynamic_types": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "dyn_type": "const class clang::Circle", "sub_classable": true } // CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "dyn_type": "const struct clang::Circle", "sub_classable": true }
// CHECK-NEXT: ], // CHECK-NEXT: ],
// CHECK-NEXT: "dynamic_casts": [ // CHECK-NEXT: "succeeded_casts": [
// CHECK: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "casts": [ // CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "casts": [
// CHECK-NEXT: { "from": "const struct clang::Shape *", "to": "const class clang::Circle *", "kind": "success" }, // CHECK-NEXT: "const struct clang::Circle *"
// CHECK-NEXT: { "from": "const struct clang::Shape *", "to": "const class clang::Square *", "kind": "fail" }
// CHECK-NEXT: ]} // CHECK-NEXT: ]}
// CHECK-NEXT: ],
// CHECK-NEXT: "failed_casts": [
// CHECK-NEXT: { "region": "SymRegion{reg_$0<const struct clang::Shape * S>}", "casts": [
// CHECK-NEXT: "const struct clang::Square *", "struct clang::Octagram *"
// CHECK-NEXT: ]}
// CHECK-NEXT: ],
(void)(1 / !C); (void)(1 / !C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }

clang/test/Analysis/expr-inspection.c

Show All 32 Lines
// CHECK-NEXT: { "lctx_id": 1, "location_context": "#0 Call", "calling": "foo", "location": null, "items": [ // CHECK-NEXT: { "lctx_id": 1, "location_context": "#0 Call", "calling": "foo", "location": null, "items": [
// CHECK-NEXT: { "stmt_id": {{[0-9]+}}, "pretty": "clang_analyzer_printState", "value": "&code{clang_analyzer_printState}" } // CHECK-NEXT: { "stmt_id": {{[0-9]+}}, "pretty": "clang_analyzer_printState", "value": "&code{clang_analyzer_printState}" }
// CHECK-NEXT: ]} // CHECK-NEXT: ]}
// CHECK-NEXT: ]}, // CHECK-NEXT: ]},
// CHECK-NEXT: "constraints": [ // CHECK-NEXT: "constraints": [
// CHECK-NEXT: { "symbol": "reg_$0<int x>", "range": "{ [-2147483648, 13] }" } // CHECK-NEXT: { "symbol": "reg_$0<int x>", "range": "{ [-2147483648, 13] }" }
// CHECK-NEXT: ], // CHECK-NEXT: ],
// CHECK-NEXT: "dynamic_types": null, // CHECK-NEXT: "dynamic_types": null,
// CHECK-NEXT: "dynamic_casts": null, // CHECK-NEXT: "succeeded_casts": null,
// CHECK-NEXT: "failed_casts": null,
// CHECK-NEXT: "constructing_objects": null, // CHECK-NEXT: "constructing_objects": null,
// CHECK-NEXT: "checker_messages": null // CHECK-NEXT: "checker_messages": null
// CHECK-NEXT: } // CHECK-NEXT: }
clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h