This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
1/3
BugReporterVisitors.cpp
-
test/Analysis/
-
Analysis/
-
NSContainers.m

Differential D67932

[analyzer] Fix accidentally skipping the call during inlined defensive check suppression.
ClosedPublic

Authored by NoQ on Sep 23 2019, 2:22 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a_sidorin
rnkovacs
Szelethus
baloghadamsoftware
Charusso

Commits

rGe4da37e8a0a3: [analyzer] Fix skipping the call during inlined defensive check suppression.

Summary

Got myself distracted with a tiny fix for the inlined defensive check suppression.

When bugreporter::trackExpressionValue() is invoked on a DeclRefExpr, it tries to do most of its computations over the node in which this DeclRefExpr is computed, rather than on the error node (or whatever node is stuffed into it). I'm quite confused about the idea behind it and i highly doubt that it actually works correctly, but one reason why we can't simply use the error node may be that the binding to that variable might have already disappeared from the state by the time the bug is found.

This time i noticed that for the inlined defensive checks visitor the DeclRefExpr node is in fact sometimes too early: the call in which the inlined defensive check has happened might have not been entered yet.

Therefore i change the visitor to be fine with tracking dead symbols (which it is totally capable of - the collapse point for the symbol is still well-defined), and fire it up directly on the error node. I still use "LVState" to find out which value should we be tracking, so there shouldn't be any problems with accidentally loading an ill-formed value from a dead variable.

I hope it's one tiny piece of understanding that'll bring us to a better architecture of this code.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

NoQ created this revision.Sep 23 2019, 2:22 PM

Herald added a project: Restricted Project. · View Herald TranscriptSep 23 2019, 2:23 PM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 3 others. · View Herald Transcript

Hmm, so before this patch, we just used LVNode everywhere and ignored InputNode. It may not have made much sense, but its still not as confusing as using both if the creation of LVNode is unnecessary overall. Could we just remove it?

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1917–1927	When `bugreporter::trackExpressionValue()` is invoked on a `DeclRefExpr`, it tries to do most of its computations over the node in which this `DeclRefExpr` is computed, rather than on the error node (or whatever node is stuffed into it). I'm quite confused about the idea behind it and i highly doubt that it actually works correctly, but one reason why we can't simply use the error node may be that the binding to that variable might have already disappeared from the state by the time the bug is found. So, its possible that this function, and its uses in `trackExpressionValue` is completely unnecessary?
2012–2014	Too late in terms of too close to the root of the `ExplodedGraph`, or the other way around? This is a bitconfusing since visitors are inspecting the graph in reverse.

Yeah, i think we should avoid such peeking and instead try to do everything in one pass. I.e., if we need to peek at the node above us, just make a visitor that delays the decision until it has precisely the information it needs. I guess i'll be slooowly moving in this direction.

Also every time i see special handling of DeclRefExprs i get pretty worried. It usually means that this code almost never works.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1917–1927	Of course it's necessary! Why would you ever write a system of mutually recursive visitors and then never implement an ad-hoc visitor within one of these visitors that allows you to quadratically visit nodes while you visit nodes, before actually visiting them in the real visitor? (/sarcasm)

If you could change that, it would be awesome! But since this revision has its own side effect, let's commit as-is. LGTM!

This revision is now accepted and ready to land.Sep 24 2019, 1:59 AM

[...] one reason why we can't simply use the error node may be that the binding to that variable might have already disappeared from the state by the time the bug is found.

Yes, that is pretty interesting. I have found error nodes which after the purge program point, so when we arbitrarily pick the last node to prevent false alarms we could pick the last node which has more information, 2-3 nodes earlier on the path. I am not sure whether this new approach would be useful here, other than that I like the idea.

Closed by commit rGe4da37e8a0a3: [analyzer] Fix skipping the call during inlined defensive check suppression. (authored by dergachev.a). · Explain WhyNov 8 2019, 6:30 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

BugReporterVisitors.cpp

23 lines

test/

Analysis/

NSContainers.m

13 lines

Diff 228552

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 Lines • Show All 1,600 Lines • ▼ Show 20 Lines

SuppressInlineDefensiveChecksVisitor::		SuppressInlineDefensiveChecksVisitor::
SuppressInlineDefensiveChecksVisitor(DefinedSVal Value, const ExplodedNode *N)		SuppressInlineDefensiveChecksVisitor(DefinedSVal Value, const ExplodedNode *N)
: V(Value) {		: V(Value) {
// Check if the visitor is disabled.		// Check if the visitor is disabled.
AnalyzerOptions &Options = N->getState()->getAnalysisManager().options;		AnalyzerOptions &Options = N->getState()->getAnalysisManager().options;
if (!Options.ShouldSuppressInlinedDefensiveChecks)		if (!Options.ShouldSuppressInlinedDefensiveChecks)
IsSatisfied = true;		IsSatisfied = true;

assert(N->getState()->isNull(V).isConstrainedTrue() &&
"The visitor only tracks the cases where V is constrained to 0");
}		}

void SuppressInlineDefensiveChecksVisitor::Profile(		void SuppressInlineDefensiveChecksVisitor::Profile(
llvm::FoldingSetNodeID &ID) const {		llvm::FoldingSetNodeID &ID) const {
static int id = 0;		static int id = 0;
ID.AddPointer(&id);		ID.AddPointer(&id);
ID.Add(V);		ID.Add(V);
}		}
Show All 14 Lines	SuppressInlineDefensiveChecksVisitor::VisitNode(const ExplodedNode *Succ,
if (!IsTrackingTurnedOn)		if (!IsTrackingTurnedOn)
if (Succ->getState()->isNull(V).isConstrainedTrue())		if (Succ->getState()->isNull(V).isConstrainedTrue())
IsTrackingTurnedOn = true;		IsTrackingTurnedOn = true;
if (!IsTrackingTurnedOn)		if (!IsTrackingTurnedOn)
return nullptr;		return nullptr;

// Check if in the previous state it was feasible for this value		// Check if in the previous state it was feasible for this value
// to not be null.		// to not be null.
if (!Pred->getState()->isNull(V).isConstrainedTrue()) {		if (!Pred->getState()->isNull(V).isConstrainedTrue() &&
		Succ->getState()->isNull(V).isConstrainedTrue()) {
IsSatisfied = true;		IsSatisfied = true;

assert(Succ->getState()->isNull(V).isConstrainedTrue());

// Check if this is inlined defensive checks.		// Check if this is inlined defensive checks.
const LocationContext *CurLC =Succ->getLocationContext();		const LocationContext *CurLC = Succ->getLocationContext();
const LocationContext *ReportLC = BR.getErrorNode()->getLocationContext();		const LocationContext *ReportLC = BR.getErrorNode()->getLocationContext();
if (CurLC != ReportLC && !CurLC->isParentOf(ReportLC)) {		if (CurLC != ReportLC && !CurLC->isParentOf(ReportLC)) {
BR.markInvalid("Suppress IDC", CurLC);		BR.markInvalid("Suppress IDC", CurLC);
return nullptr;		return nullptr;
}		}

// Treat defensive checks in function-like macros as if they were an inlined		// Treat defensive checks in function-like macros as if they were an inlined
// defensive check. If the bug location is not in a macro and the		// defensive check. If the bug location is not in a macro and the
▲ Show 20 Lines • Show All 256 Lines • ▼ Show 20 Lines	if (auto *UO = dyn_cast<UnaryOperator>(Ex)) {
if (UO->getOpcode() == UO_AddrOf && UO->getSubExpr()->isLValue())		if (UO->getOpcode() == UO_AddrOf && UO->getSubExpr()->isLValue())
if (const Expr *DerefEx = bugreporter::getDerefExpr(UO->getSubExpr()))		if (const Expr *DerefEx = bugreporter::getDerefExpr(UO->getSubExpr()))
return peelOffOuterExpr(DerefEx, N);		return peelOffOuterExpr(DerefEx, N);
}		}

return Ex;		return Ex;
}		}

/// Find the ExplodedNode where the lvalue (the value of 'Ex')		/// Find the ExplodedNode where the lvalue (the value of 'Ex')
/// was computed.		/// was computed.
static const ExplodedNode* findNodeForExpression(const ExplodedNode *N,		static const ExplodedNode* findNodeForExpression(const ExplodedNode *N,
const Expr *Inner) {		const Expr *Inner) {
while (N) {		while (N) {
if (N->getStmtForDiagnostics() == Inner)		if (N->getStmtForDiagnostics() == Inner)
return N;		return N;
N = N->getFirstPred();		N = N->getFirstPred();
}		}
return N;		return N;
}		}
		SzelethusUnsubmitted Not Done Reply Inline Actions When `bugreporter::trackExpressionValue()` is invoked on a `DeclRefExpr`, it tries to do most of its computations over the node in which this `DeclRefExpr` is computed, rather than on the error node (or whatever node is stuffed into it). I'm quite confused about the idea behind it and i highly doubt that it actually works correctly, but one reason why we can't simply use the error node may be that the binding to that variable might have already disappeared from the state by the time the bug is found. So, its possible that this function, and its uses in `trackExpressionValue` is completely unnecessary? Szelethus: > When `bugreporter::trackExpressionValue()` is invoked on a `DeclRefExpr`, it tries to do most…
		NoQAuthorUnsubmitted Done Reply Inline Actions Of course it's necessary! Why would you ever write a system of mutually recursive visitors and then never implement an ad-hoc visitor within one of these visitors that allows you to quadratically visit nodes while you visit nodes, before actually visiting them in the real visitor? (/sarcasm) NoQ: Of course it's necessary! Why would you ever write a system of mutually recursive visitors and…

bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode,		bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode,
const Expr *E,		const Expr *E,
PathSensitiveBugReport &report,		PathSensitiveBugReport &report,
bugreporter::TrackingKind TKind,		bugreporter::TrackingKind TKind,
bool EnableNullFPSuppression) {		bool EnableNullFPSuppression) {

if (!E \|\| !InputNode)		if (!E \|\| !InputNode)
▲ Show 20 Lines • Show All 67 Lines • ▼ Show 20 Lines	if (R) {
// If the contents are symbolic and null, find out when they became null.		// If the contents are symbolic and null, find out when they became null.
if (V.getAsLocSymbol(/IncludeBaseRegions=/true))		if (V.getAsLocSymbol(/IncludeBaseRegions=/true))
if (LVState->isNull(V).isConstrainedTrue())		if (LVState->isNull(V).isConstrainedTrue())
report.addVisitor(std::make_unique<TrackConstraintBRVisitor>(		report.addVisitor(std::make_unique<TrackConstraintBRVisitor>(
V.castAs<DefinedSVal>(), false));		V.castAs<DefinedSVal>(), false));

// Add visitor, which will suppress inline defensive checks.		// Add visitor, which will suppress inline defensive checks.
if (auto DV = V.getAs<DefinedSVal>())		if (auto DV = V.getAs<DefinedSVal>())
if (!DV->isZeroConstant() && LVState->isNull(*DV).isConstrainedTrue() &&		if (!DV->isZeroConstant() && EnableNullFPSuppression) {
EnableNullFPSuppression)		// Note that LVNode may be too late (i.e., too far from the InputNode)
		// because the lvalue may have been computed before the inlined call
		// was evaluated. InputNode may as well be too early here, because
		SzelethusUnsubmitted Not Done Reply Inline Actions Too late in terms of too close to the root of the `ExplodedGraph`, or the other way around? This is a bitconfusing since visitors are inspecting the graph in reverse. Szelethus: Too late in terms of too close to the root of the `ExplodedGraph`, or the other way around?
		// the symbol is already dead; this, however, is fine because we can
		// still find the node in which it collapsed to null previously.
report.addVisitor(		report.addVisitor(
std::make_unique<SuppressInlineDefensiveChecksVisitor>(*DV,		std::make_unique<SuppressInlineDefensiveChecksVisitor>(
LVNode));		*DV, InputNode));
		}

if (auto KV = V.getAs<KnownSVal>())		if (auto KV = V.getAs<KnownSVal>())
report.addVisitor(std::make_unique<FindLastStoreBRVisitor>(		report.addVisitor(std::make_unique<FindLastStoreBRVisitor>(
*KV, R, EnableNullFPSuppression, TKind, SFC));		*KV, R, EnableNullFPSuppression, TKind, SFC));
return true;		return true;
}		}
}		}

▲ Show 20 Lines • Show All 881 Lines • Show Last 20 Lines

clang/test/Analysis/NSContainers.m

// RUN: %clang_analyze_cc1 -Wno-objc-literal-conversion -analyzer-checker=core,osx.cocoa.NonNilReturnValue,osx.cocoa.NilArg,osx.cocoa.Loops,debug.ExprInspection -verify -Wno-objc-root-class %s		// RUN: %clang_analyze_cc1 -Wno-objc-literal-conversion -analyzer-checker=core,osx.cocoa.NonNilReturnValue,osx.cocoa.NilArg,osx.cocoa.Loops,debug.ExprInspection -verify -Wno-objc-root-class %s

void clang_analyzer_eval(int);		void clang_analyzer_eval(int);

		#define nil ((id)0)

typedef unsigned long NSUInteger;		typedef unsigned long NSUInteger;
typedef signed char BOOL;		typedef signed char BOOL;
typedef struct _NSZone NSZone;		typedef struct _NSZone NSZone;
@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;		@class NSInvocation, NSMethodSignature, NSCoder, NSString, NSEnumerator;
@protocol NSObject		@protocol NSObject
@end		@end
@protocol NSCopying		@protocol NSCopying
- (id)copyWithZone:(NSZone *)zone;		- (id)copyWithZone:(NSZone *)zone;
▲ Show 20 Lines • Show All 292 Lines • ▼ Show 20 Lines	void testNoReportWhenReceiverNil(NSMutableArray *array, int b) {
}		}

MyView *view = b ? [[MyView alloc] init] : 0;		MyView *view = b ? [[MyView alloc] init] : 0;
NSMutableArray *subviews = [[view subviews] mutableCopy];		NSMutableArray *subviews = [[view subviews] mutableCopy];
// When view is nil, subviews is also nil so there should be no warning		// When view is nil, subviews is also nil so there should be no warning
// here either.		// here either.
[subviews addObject:view]; // no-warning		[subviews addObject:view]; // no-warning
}		}

		NSString getStringFromString(NSString string) {
		if (!string)
		return nil;
		return @"New String";
		}
		void testInlinedDefensiveCheck(NSMutableDictionary *dict, id obj) {
		// The check in getStringFromString() is not a good indication
		// that 'obj' can be nil in this context.
		dict[obj] = getStringFromString(obj); // no-warning
		}