This is an archive of the discontinued LLVM Phabricator instance.

Differential D69308

[analyzer] Test cases for the unsupported features for Clang Static Analyzer
ClosedPublic

Authored by dkrupp on Oct 22 2019, 8:47 AM.

Details

Reviewers
NoQ
Szelethus
baloghadamsoftware
gamesh411
Commits
rG5e0fb6484207: [analyzer] Add test cases for the unsupported C++ constructor modeling.
Summary

These test cases demonstrate some of the missing features of the Clang Static Analyzer.

In this patch 2 missing C++ features are demonstrated from https://clang-analyzer.llvm.org/open_projects.html

  1. Handle constructors within new[]
  2. Handle constructors for default arguments

Diff Detail

Event Timeline

dkrupp created this revision.Oct 22 2019, 8:47 AM
Herald added subscribers: cfe-commits, Charusso, gamesh411 and 8 others. · View Herald TranscriptOct 22 2019, 8:47 AM
dkrupp added reviewers: baloghadamsoftware, gamesh411.Oct 25 2019, 1:23 AM
NoQ added a comment.Oct 25 2019, 7:48 PM

Thanks for the tests!

Both of these features are relatively hard.

Operator new[] requires invoking multiple (potentially unknown) amount of constructors with the same construct-expression. Apart from the technical difficulties of juggling program points around correctly to avoid accidentally merging paths together, you'll have to be a judge on when to exit the loop and how to widen it. Given that the constructor is going to be a default constructor, a nice 95% solution might be to execute exactly one constructor and then default-bind the resulting LazyCompoundVal to the whole array; it'll work whenever the default constructor doesn't touch global state but only initializes the object to various default values. But if, say, you're making an array of strings, depending on the implementation you might have to allocate a new buffer for each string, and in this case default-binding won't cut it. You might want to come up with an auxiliary analysis in order to perform widening of these simple loops more precisely.

Default arguments are annoying because the initializer expression is evaluated at the call site but doesn't syntactically belong to the caller's AST; instead it belongs to the ParmVarDecl for the default parameter. This can lead to situations when the same expression has to carry different values simultaneously - when multiple instances of the same function are evaluated as part of the same full-expression without specifying the default arguments. Even simply calling the function twice (not necessarily within the same full-expression) may lead to program points agglutinating because it's the same expression. There are some nasty test cases already in temporaries.cpp (struct DefaultParam and so on). I recommend adding a new LocationContext kind specifically to deal with this problem. It'll also help you figure out the construction context when you evaluate the construct-expression (though you might still need to do some additional CFG work to get construction contexts right).

clang/test/Analysis/clangsa_unsupported_features/handle_constructors_for_default_arguments.cpp
3–6

I prefer our FIXME-tests to keep running while documenting incorrect results, so that people were informed when they fix something. Eg.:

// FIXME: Should be TRUE.
clang_analyzer_eval(x); // expected-warning{{UNKNOWN}}

I doubt that the whole file of tests will be fixed by a single commit, so they'll have to change this anyway.

It's also nice to inform people that they accidentally changed something they didn't expect to change.

58

Note that default arguments may also be of reference type, eg.:

void foo(const X &x = X(1, 2, 3));
void bar(Y &&y = Y(4, 5, 6));
Szelethus added a comment.EditedOct 30 2019, 8:02 AM

LGTM given that the inlines are fixed.

In D69308#1722139, @NoQ wrote:

Thanks for the tests!

Both of these features are relatively hard.

...

Would love to see this comment in its entirety on the open projects page :^)

Szelethus accepted this revision.Oct 30 2019, 8:02 AM
This revision is now accepted and ready to land.Oct 30 2019, 8:02 AM
NoQ added a comment.Oct 30 2019, 12:08 PM
In D69308#1727108, @Szelethus wrote:

Would love to see this comment in its entirety on the open projects page :^)

I'd rather have a mention that @dkrupp is already working on this project, so that if somebody wanted to help out they could cooperate nicely.

clang/test/Analysis/clangsa_unsupported_features/handle_constructors_for_default_arguments.cpp
3–6

Also let's not put it to "unsupported_features" so that we didn't have to move it (and lose history / or forget to move) later.

NoQ added a comment.Oct 30 2019, 12:23 PM

Another interesting problem that we forgot to mention on the open projects page is the modeling of C++17 bindings and decompositions: https://bugs.llvm.org/show_bug.cgi?id=43042

Also, in my opinion, out of all construction context problems mentioned on the open projects page, the NRVO problem is probably the easiest. It might as well be the least rewarding of them, but i think it is the friendliest possible problem to start with, as it doesn't force you to invent large new facilities.

dkrupp updated this revision to Diff 227714.Nov 4 2019, 8:25 AM
dkrupp marked 2 inline comments as done.

Thanks for your comments @NoQ
I fixed them. Also added your implementation hints to the open projects page.

dkrupp added a comment.Nov 4 2019, 8:48 AM
In D69308#1727587, @NoQ wrote:
In D69308#1727108, @Szelethus wrote:

Would love to see this comment in its entirety on the open projects page :^)

I'd rather have a mention that @dkrupp is already working on this project, so that if somebody wanted to help out they could cooperate nicely.

I am not working on this yet. First I would like to explore with these test cases what exactly is not working as expected.

dkrupp added a comment.Nov 4 2019, 8:50 AM
In D69308#1727625, @NoQ wrote:

Another interesting problem that we forgot to mention on the open projects page is the modeling of C++17 bindings and decompositions: https://bugs.llvm.org/show_bug.cgi?id=43042

Also, in my opinion, out of all construction context problems mentioned on the open projects page, the NRVO problem is probably the easiest. It might as well be the least rewarding of them, but i think it is the friendliest possible problem to start with, as it doesn't force you to invent large new facilities.

Thanks. I will try to create a simple reproducer for this too and add this to the open projects page (in another patch).

NoQ accepted this revision.Nov 4 2019, 10:11 AM

Thanks!

Closed by commit rG5e0fb6484207: [analyzer] Add test cases for the unsupported C++ constructor modeling. (authored by dergachev.a). · Explain WhyNov 7 2019, 5:23 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
test/
Analysis/
clangsa_unsupported_features/
86 lines
81 lines
www/
analyzer/
2 lines

Diff 226053

clang/test/Analysis/clangsa_unsupported_features/handle_constructors_for_default_arguments.cpp

  • This file was added.
// RUN: %clang_cc1 -fsyntax-only -analyze \
// RUN: -analyzer-checker=core,debug.ExprInspection %s -verify
// REQUIRES: non-existing-system
// These test cases demonstrate lack of Static Analyzer features.
// Remove REQUIRES line, when the feature gets implemented.
NoQUnsubmitted
Done
ReplyInline Actions

I prefer our FIXME-tests to keep running while documenting incorrect results, so that people were informed when they fix something. Eg.:

// FIXME: Should be TRUE.
clang_analyzer_eval(x); // expected-warning{{UNKNOWN}}

I doubt that the whole file of tests will be fixed by a single commit, so they'll have to change this anyway.

It's also nice to inform people that they accidentally changed something they didn't expect to change.

NoQ: I prefer our FIXME-tests to keep running while documenting incorrect results, so that people…
NoQUnsubmitted
Not Done
ReplyInline Actions

Also let's not put it to "unsupported_features" so that we didn't have to move it (and lose history / or forget to move) later.

NoQ: Also let's not put it to "unsupported_features" so that we didn't have to move it (and lose…
// Handle constructors for default arguments
// Default arguments in C++ are recomputed at every call,
// and are therefore local, and not static, variables.
void clang_analyzer_eval(bool);
void clang_analyzer_warnIfReached();
struct init_with_list {
int a;
init_with_list() : a(1) {}
};
struct init_in_body {
int a;
init_in_body() { a = 1; }
};
struct init_default_member {
int a = 1;
};
struct basic_struct {
int a;
};
//top-level analyzed function
void top_f(init_with_list l = init_with_list()) {
//We expect that the analyzer doesn't assume anything about the parameter
clang_analyzer_eval(l.a == 1); // expected-warning {{TRUE}} expected-warning {{FALSE}}
}
void top_g(init_in_body l = init_in_body()) {
//We expect that the analyzer doesn't assume anything about the parameter
clang_analyzer_eval(l.a == 1); // expected-warning {{TRUE}} expected-warning {{FALSE}}
}
void top_h(init_default_member l = init_default_member()) {
//We expect that the analyzer doesn't assume anything about the parameter
clang_analyzer_eval(l.a == 1); // expected-warning {{TRUE}} expected-warning {{FALSE}}
}
// not-top level analyze functions
int called_f(init_with_list l = init_with_list()) {
return l.a;
}
int called_g(init_in_body l = init_in_body()) {
//We expect that the analyzer assumes the default value (call site test2)
return l.a;
}
int called_h(init_default_member l = init_default_member()) {
NoQUnsubmitted
Done
ReplyInline Actions

Note that default arguments may also be of reference type, eg.:

void foo(const X &x = X(1, 2, 3));
void bar(Y &&y = Y(4, 5, 6));
NoQ: Note that default arguments may also be of reference type, eg.: ```lang=c++ void foo(const X &x…
//We expect that the analyzer assumes the default value (call site test3)
return l.a;
}
int plain_parameter_passing(basic_struct l) {
return l.a;
}
void test1() {
basic_struct b;
b.a = 1;
clang_analyzer_eval(plain_parameter_passing(b) == 1); //expected-warning {{TRUE}}
}
void test2() {
//We expect that the analyzer assumes the default value
clang_analyzer_eval(called_f() == 1); //expected-warning {{TRUE}}
}
void test3() {
//We expect that the analyzer assumes the default value
clang_analyzer_eval(called_g() == 1); //expected-warning {{TRUE}}
}
void test4() {
//We expect that the analyzer assumes the default value
clang_analyzer_eval(called_h() == 1); //expected-warning {{TRUE}}
}

clang/test/Analysis/clangsa_unsupported_features/handle_constructors_with_new_array.cpp

  • This file was added.
// RUN: %clang_cc1 -fsyntax-only -analyze \
// RUN: -analyzer-checker=core,debug.ExprInspection %s -verify
// REQUIRES: non-existing-system
// These test cases demonstrate lack of Static Analyzer features.
// Remove REQUIRES line, when the feature gets implemented.
// Handle constructors within new[]
// When an array of objects is allocated using the operator new[],
// constructors for all elements of the array are called.
// We should model (potentially some of) such evaluations,
// and the same applies for destructors called from operator delete[].
void clang_analyzer_eval(bool);
struct init_with_list {
int a;
init_with_list() : a(1) {}
};
struct init_in_body {
int a;
init_in_body() { a = 1; }
};
struct init_default_member {
int a = 1;
};
void test_automatic() {
init_with_list a1;
init_in_body a2;
init_default_member a3;
clang_analyzer_eval(a1.a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a2.a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a3.a == 1); // expected-warning {{TRUE}}
}
void test_dynamic() {
auto *a1 = new init_with_list;
auto *a2 = new init_in_body;
auto *a3 = new init_default_member;
clang_analyzer_eval(a1->a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a2->a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a3->a == 1); // expected-warning {{TRUE}}
delete a1;
delete a2;
delete a3;
}
void test_automatic_aggregate() {
init_with_list a1[1];
init_in_body a2[1];
init_default_member a3[1];
clang_analyzer_eval(a1[0].a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a2[0].a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a3[0].a == 1); // expected-warning {{TRUE}}
}
void test_dynamic_aggregate() {
auto *a1 = new init_with_list[1];
auto *a2 = new init_in_body[1];
auto *a3 = new init_default_member[1];
clang_analyzer_eval(a1[0].a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a2[0].a == 1); // expected-warning {{TRUE}}
clang_analyzer_eval(a3[0].a == 1); // expected-warning {{TRUE}}
delete[] a1;
delete[] a2;
delete[] a3;
}

clang/www/analyzer/open_projects.html

Show First 20 LinesShow All 89 Lines▼ Show 20 Lines <ul>
</li> </li>
<li>Handle constructors within <code>new[]</code> <li>Handle constructors within <code>new[]</code>
<p>When an array of objects is allocated using the <code>operator new[]</code>, <p>When an array of objects is allocated using the <code>operator new[]</code>,
constructors for all elements of the array are called. constructors for all elements of the array are called.
We should model (potentially some of) such evaluations, We should model (potentially some of) such evaluations,
and the same applies for destructors called from and the same applies for destructors called from
<code>operator delete[]</code>. <code>operator delete[]</code>.
See tests cases in <a href="https://github.com/llvm/llvm-project/tree/master/clang/test/Analysis/clangsa_unsupported_features/handle_constructors_with_new_array.cpp">handle_constructors_with_new_array.cpp</a>.
</p> </p>
</li> </li>
<li>Handle constructors that can be elided due to Named Return Value Optimization (NRVO) <li>Handle constructors that can be elided due to Named Return Value Optimization (NRVO)
<p>Local variables which are returned by values on all return statements <p>Local variables which are returned by values on all return statements
may be stored directly at the address for the return value, may be stored directly at the address for the return value,
eliding the copy or move constructor call. eliding the copy or move constructor call.
Such variables can be identified using the AST call <code>VarDecl::isNRVOVariable</code>. Such variables can be identified using the AST call <code>VarDecl::isNRVOVariable</code>.
</p> </p>
</li> </li>
<li>Handle constructors of lambda captures <li>Handle constructors of lambda captures
<p>Variables which are captured by value into a lambda require a call to <p>Variables which are captured by value into a lambda require a call to
a copy constructor. a copy constructor.
This call is not currently modeled. This call is not currently modeled.
</p> </p>
</li> </li>
<li>Handle constructors for default arguments <li>Handle constructors for default arguments
<p>Default arguments in C++ are recomputed at every call, <p>Default arguments in C++ are recomputed at every call,
and are therefore local, and not static, variables. and are therefore local, and not static, variables.
</p> </p>
See tests cases in <a href="https://github.com/llvm/llvm-project/tree/master/clang/test/Analysis/clangsa_unsupported_features/handle_constructors_for_default_arguments.cpp">handle_constructors_for_default_arguments.cpp</a>.
</li> </li>
<li>Enhance the modeling of the standard library. <li>Enhance the modeling of the standard library.
<p>The analyzer needs a better understanding of STL in order to be more <p>The analyzer needs a better understanding of STL in order to be more
useful on C++ codebases. useful on C++ codebases.
While full library modeling is not an easy task, While full library modeling is not an easy task,
large gains can be achieved by supporting only a few cases: large gains can be achieved by supporting only a few cases:
e.g. calling <code>.length()</code> on an empty e.g. calling <code>.length()</code> on an empty
▲ Show 20 LinesShow All 104 LinesShow Last 20 Lines