This is an archive of the discontinued LLVM Phabricator instance.

Differential D76590

[Analyzer] Model `empty()` member function of containers
Needs ReviewPublic

Authored by baloghadamsoftware on Mar 23 2020, 12:07 AM.

Details

Reviewers
NoQ
Szelethus
Summary

Modeling the empty() method of containers both improves iterator range checking and enables the possibility to create new checkers for containers.

Diff Detail

Event Timeline

baloghadamsoftware created this revision.Mar 23 2020, 12:07 AM
Herald added subscribers: ASDenysPetrov, martong, steakhal and 10 others. · View Herald TranscriptMar 23 2020, 12:07 AM
baloghadamsoftware added a comment.Mar 23 2020, 12:08 AM

Supersedes D62688.

baloghadamsoftware mentioned this in D62688: [Analyzer] Iterator Checkers - Model `empty()` method of containers.Mar 23 2020, 12:09 AM
baloghadamsoftware marked 3 inline comments as done.Mar 23 2020, 12:14 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
492

Maybe I should move these lines into a separate function in the library to avoid repetition.

511–512

This is way longer than the previously used processComparison() but I am reluctant to pass CheckerContext to a non-member function. (And especially add transitions there. Even worse, to a function in a common library.)

Harbormaster failed remote builds in B50071: Diff 251953!Mar 23 2020, 1:06 AM
baloghadamsoftware added a child revision: D76604: [Analyzer] Model `size()` member function of containers.Mar 23 2020, 6:06 AM
martong added inline comments.Mar 23 2020, 8:17 AM
clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
34–75

Perhaps it would be easier to read these functions if we had a documentation for their parameters. Maybe we could have some of them documented in one comment since many seem to have similar params.
Or maybe just renaming Cont to Container would help also.

56

I understand that the container SVal is no longer const, but why did the iterator loose its constness?

85–86

Just a nit, if we are at counting below (one, two) then perhaps Zero would be more coherent with the other typedefs?

270–271

Why do we skip the const qualifiers here?

432

Is there really no sense to continue the analysis here? In what state we are here exactly? Is there an inconsistency between the begin , end and the return value?

clang/lib/StaticAnalyzer/Checkers/Iterator.cpp
21

Docs, docs, docs.

312

Perhaps we should guard Op with an assert, I mean it should be either == or !=.

314

Could we spare the if with just keeping the declaration of State and then

return std::make_pair(State, nullptr);

?

315–316

This is hard to read for me. Also, Isn't it enough just to write TruthVal->getValue() ?

328

Why do we assume here again? We already had an assume in relateSymbols, hadn't we?

339

Please explain in the comment what is the problem with the current impl.

351–352

Could we merge the declaration of the new state into the parens of the if?

clang/lib/StaticAnalyzer/Checkers/Iterator.h
182

Documentation would be helpful.

clang/test/Analysis/container-modeling.cpp
19

It seems like we don't use it anywhere.

martong added inline comments.Mar 23 2020, 8:42 AM
clang/lib/StaticAnalyzer/Checkers/Iterator.cpp
335

Would assumeEqual be a better name?

baloghadamsoftware updated this revision to Diff 278832.Jul 17 2020, 10:17 AM

Rebased, updated.

baloghadamsoftware added a parent revision: D77229: [Analyzer][NFC] Avoid handling of LazyCompundVals in IteratorModeling.Jul 17 2020, 10:17 AM
baloghadamsoftware marked 2 inline comments as done.Aug 4 2020, 6:55 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
56

We passed it earlier as a constant reference, but SVal is small, it should be passed by value.

270–271

Do you mean for SVal? See above.

432

Yes, see the comment I added. If data about emptiness based on the difference of begin and and and the return value of empty() contradict each other then we are on an impossible branch.

clang/lib/StaticAnalyzer/Checkers/Iterator.cpp
21

This function is moved here, it is nothing new.

312

Actually, this works for any comparison operator. So it is enough to assume that Op is a comparison operator.

328

In relateSymbols we assumed the comparison of the two symbols. Here we assume the RetVal. The new states are nullptr if we cannot assume the same for both.

335

This method is just moved from another source file.

339

Ditto. The community requested a future refactoring.

351–352

No, because we use it later in the function. (See below.)

clang/test/Analysis/container-modeling.cpp
19

We use this in the definition of the assert() macro. And we use that macro in the new test cases.

baloghadamsoftware updated this revision to Diff 282909.Aug 4 2020, 7:05 AM

Updated according to the comments.

baloghadamsoftware updated this revision to Diff 282914.Aug 4 2020, 7:11 AM
baloghadamsoftware marked 2 inline comments as done.

Minor fix.

baloghadamsoftware marked an inline comment as done.Aug 4 2020, 7:12 AM
baloghadamsoftware updated this revision to Diff 289981.Sep 4 2020, 9:18 AM

isIterator() updated because it did not work perfectly with the refactored handleBegin() after rebase. (Why did it work before the rebase?) The problem was that it only looked for the necessary operators in the actual class but not in its bases.

Szelethus added a comment.Sep 7 2020, 3:19 AM

I'm in favor of most, if not all of the changes, though I will admit that this patch seems pretty cluttered, you are doing a lot of refactoring under the same hood. You're moving, adding, removing and changing helper functions and their invocations. Would be possible to make this patch a bit leaner?

clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
36

Hmm, this was changed to an optional, unnamed parameter without docs... Might be a bit cryptic :) Also, this seems to be orthogonal to the patch, is it not? Does the modeling of empty() change something that affects this function?

420

assumpotions > assumptions

420–427

You will have to help me out here -- if the analyzer couldn't return a sensible symbol, is it okay to just create one? When does UnknownVal even happen, does it ever happen? Also, if we're doing this anyways, wouldn't using evalCall be more appropriate?

clang/unittests/StaticAnalyzer/TestReturnValueUnderConstruction.cpp
71 ↗(On Diff #289981)

Did you mean to upload changed to this file from D85351 to this patch as well?

baloghadamsoftware updated this revision to Diff 290248.Sep 7 2020, 4:51 AM

Wrong diff uploaded previously. (Accidentally compared to master instead of the prerequisite.)

baloghadamsoftware marked an inline comment as done.Sep 7 2020, 5:01 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
36

We discussed with @NoQ a few patches earlier that UnknownVal is not a nullptr-like value for SVals. That time I changed this bad practice in my code everywhere, only forgot this particular place. I do not think that this deserves its own patch, it is really a tiny thing.

420–427

Actually, both UnknownVal and SymbolVal containing a SymbolConjured without constraints are unknown. The main difference (for us) is that we cannot assign constraints to UnknownVal but we can for SymbolConjured. This is the reason for replacing it. However, this is not new. We do it in comparison too. The best would be to change the infrastructure to never return UnknownVal but conjure a new symbol instead if we known nothing about the return value. Maybe I will put a FIXME there. evalCall() is not an option, because we do not want to lose the possibility that the implementation of empty() is inlined by the engine.

clang/unittests/StaticAnalyzer/TestReturnValueUnderConstruction.cpp
71 ↗(On Diff #289981)

No, I just uploaded the wrong diff here.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
312 lines
8 lines
133 lines
69 lines
test/
Analysis/
Inputs/
8 lines
40 lines
diagnostics/
2 lines
2 lines

Diff 290248

clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp

Show All 25 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace iterator; using namespace iterator;
namespace { namespace {
class ContainerModeling class ContainerModeling
: public Checker<check::PostCall, check::LiveSymbols, check::DeadSymbols> { : public Checker<check::PostCall, check::LiveSymbols, check::DeadSymbols> {
void handleBegin(CheckerContext &C, const Expr *CE, SVal RetVal, void handleAssignment(CheckerContext &C, const Expr *CE, SVal Cont,
SVal Cont) const; Optional<SVal> = None) const;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Hmm, this was changed to an optional, unnamed parameter without docs... Might be a bit cryptic :) Also, this seems to be orthogonal to the patch, is it not? Does the modeling of empty() change something that affects this function?

Szelethus: Hmm, this was changed to an optional, unnamed parameter without docs... Might be a bit cryptic…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

We discussed with @NoQ a few patches earlier that UnknownVal is not a nullptr-like value for SVals. That time I changed this bad practice in my code everywhere, only forgot this particular place. I do not think that this deserves its own patch, it is really a tiny thing.

baloghadamsoftware: We discussed with @NoQ a few patches earlier that `UnknownVal` is not a `nullptr`-like value…
void handleEnd(CheckerContext &C, const Expr *CE, SVal RetVal,
SVal Cont) const; // Handler functions for different container operations.
void handleAssignment(CheckerContext &C, SVal Cont, const Expr *CE = nullptr, // SVal Parameters:
SVal OldCont = UndefinedVal()) const; // - Cont: The affected container (*this)
void handleAssign(CheckerContext &C, SVal Cont, const Expr *ContE) const; // - RetVal: Return value of the operation
void handleClear(CheckerContext &C, SVal Cont, const Expr *ContE) const; // - Iter (or Iter1 and Iter2): Iterator parameters
void handlePushBack(CheckerContext &C, SVal Cont, const Expr *ContE) const;
void handlePopBack(CheckerContext &C, SVal Cont, const Expr *ContE) const; void handleBegin(CheckerContext &C, const Expr *CE, const Expr *ContE,
void handlePushFront(CheckerContext &C, SVal Cont, const Expr *ContE) const; SVal Cont, SVal RetVal) const;
void handlePopFront(CheckerContext &C, SVal Cont, const Expr *ContE) const; void handleEnd(CheckerContext &C, const Expr *CE, const Expr *ContE,
void handleInsert(CheckerContext &C, SVal Cont, SVal Iter) const; SVal Cont, SVal RetVal) const;
void handleErase(CheckerContext &C, SVal Cont, SVal Iter) const; void handleEmpty(CheckerContext &C, const Expr *CE, const Expr *ContE,
void handleErase(CheckerContext &C, SVal Cont, SVal Iter1, SVal Iter2) const; SVal Cont, SVal RetVal) const;
void handleEraseAfter(CheckerContext &C, SVal Cont, SVal Iter) const; void handleAssign(CheckerContext &C, const Expr *CE, const Expr *ContE,
void handleEraseAfter(CheckerContext &C, SVal Cont, SVal Iter1, SVal Cont, SVal RetVal) const;
SVal Iter2) const; void handleClear(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal RetVal) const;
void handlePushBack(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal RetVal) const;
void handlePopBack(CheckerContext &C, const Expr *CE, const Expr *ContE,
martongUnsubmitted
Not Done
ReplyInline Actions

I understand that the container SVal is no longer const, but why did the iterator loose its constness?

martong: I understand that the container SVal is no longer `const`, but why did the iterator loose its…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

We passed it earlier as a constant reference, but SVal is small, it should be passed by value.

baloghadamsoftware: We passed it earlier as a constant reference, but `SVal` is small, it should be passed by value.
SVal Cont, SVal RetVal) const;
void handlePushFront(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal RetVal) const;
void handlePopFront(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal RetVal) const;
void handleInsert(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal Iter, SVal RetVal) const;
void handleErase(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal Iter, SVal RetVal) const;
void handleErase(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal Iter1, SVal Iter2, SVal RetVal) const;
void handleEraseAfter(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal Iter, SVal RetVal) const;
void handleEraseAfter(CheckerContext &C, const Expr *CE, const Expr *ContE,
SVal Cont, SVal Iter1, SVal Iter2, SVal RetVal) const;
const NoteTag *getChangeTag(CheckerContext &C, StringRef Text, const NoteTag *getChangeTag(CheckerContext &C, StringRef Text,
const MemRegion *ContReg, const MemRegion *ContReg,
const Expr *ContE) const; const Expr *ContE) const;
martongUnsubmitted
Done
ReplyInline Actions

Perhaps it would be easier to read these functions if we had a documentation for their parameters. Maybe we could have some of them documented in one comment since many seem to have similar params.
Or maybe just renaming Cont to Container would help also.

martong: Perhaps it would be easier to read these functions if we had a documentation for their…
void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override; const char *Sep) const override;
public: public:
ContainerModeling() = default; ContainerModeling() = default;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const; void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
using NoItParamFn = void (ContainerModeling::*)(CheckerContext &, SVal, using ZeroItParamFn =
martongUnsubmitted
Done
ReplyInline Actions

Just a nit, if we are at counting below (one, two) then perhaps Zero would be more coherent with the other typedefs?

martong: Just a nit, if we are at counting below (one, two) then perhaps `Zero` would be more coherent…
const Expr *) const; void (ContainerModeling::*)(CheckerContext &, const Expr *, const Expr *,
using OneItParamFn = void (ContainerModeling::*)(CheckerContext &, SVal, SVal, SVal) const;
SVal) const; using OneItParamFn =
using TwoItParamFn = void (ContainerModeling::*)(CheckerContext &, SVal, SVal, void (ContainerModeling::*)(CheckerContext &, const Expr *, const Expr *,
SVal) const; SVal, SVal, SVal) const;
using TwoItParamFn =
CallDescriptionMap<NoItParamFn> NoIterParamFunctions = { void (ContainerModeling::*)(CheckerContext &, const Expr *, const Expr *,
{{0, "clear", 0}, SVal, SVal, SVal, SVal) const;
&ContainerModeling::handleClear},
{{0, "assign", 2}, CallDescriptionMap<ZeroItParamFn> ZeroIterParamFunctions = {
&ContainerModeling::handleAssign}, // Iterators
{{0, "push_back", 1}, {{0, "cbegin", 0}, &ContainerModeling::handleBegin},
&ContainerModeling::handlePushBack}, {{0, "cend", 0}, &ContainerModeling::handleEnd},
{{0, "emplace_back", 1}, {{0, "begin", 0}, &ContainerModeling::handleBegin},
&ContainerModeling::handlePushBack}, {{0, "end", 0}, &ContainerModeling::handleEnd},
{{0, "pop_back", 0},
&ContainerModeling::handlePopBack}, // Capacity
{{0, "push_front", 1}, {{0, "empty", 0}, &ContainerModeling::handleEmpty},
&ContainerModeling::handlePushFront},
{{0, "emplace_front", 1}, // Modifiers
&ContainerModeling::handlePushFront}, {{0, "clear", 0}, &ContainerModeling::handleClear},
{{0, "pop_front", 0}, {{0, "assign", 2}, &ContainerModeling::handleAssign},
&ContainerModeling::handlePopFront}, {{0, "push_back", 1}, &ContainerModeling::handlePushBack},
{{0, "emplace_back", 1}, &ContainerModeling::handlePushBack},
{{0, "pop_back", 0}, &ContainerModeling::handlePopBack},
{{0, "push_front", 1}, &ContainerModeling::handlePushFront},
{{0, "emplace_front", 1}, &ContainerModeling::handlePushFront},
{{0, "pop_front", 0}, &ContainerModeling::handlePopFront},
}; };
CallDescriptionMap<OneItParamFn> OneIterParamFunctions = { CallDescriptionMap<OneItParamFn> OneIterParamFunctions = {
{{0, "insert", 2}, {{0, "insert", 2}, &ContainerModeling::handleInsert},
&ContainerModeling::handleInsert}, {{0, "emplace", 2}, &ContainerModeling::handleInsert},
{{0, "emplace", 2}, {{0, "erase", 1}, &ContainerModeling::handleErase},
&ContainerModeling::handleInsert}, {{0, "erase_after", 1}, &ContainerModeling::handleEraseAfter},
{{0, "erase", 1},
&ContainerModeling::handleErase},
{{0, "erase_after", 1},
&ContainerModeling::handleEraseAfter},
}; };
CallDescriptionMap<TwoItParamFn> TwoIterParamFunctions = { CallDescriptionMap<TwoItParamFn> TwoIterParamFunctions = {
{{0, "erase", 2}, {{0, "erase", 2}, &ContainerModeling::handleErase},
&ContainerModeling::handleErase}, {{0, "erase_after", 2}, &ContainerModeling::handleEraseAfter},
{{0, "erase_after", 2},
&ContainerModeling::handleEraseAfter},
}; };
}; };
bool isBeginCall(const FunctionDecl *Func);
bool isEndCall(const FunctionDecl *Func);
bool hasSubscriptOperator(ProgramStateRef State, const MemRegion *Reg); bool hasSubscriptOperator(ProgramStateRef State, const MemRegion *Reg);
bool frontModifiable(ProgramStateRef State, const MemRegion *Reg); bool frontModifiable(ProgramStateRef State, const MemRegion *Reg);
bool backModifiable(ProgramStateRef State, const MemRegion *Reg); bool backModifiable(ProgramStateRef State, const MemRegion *Reg);
SymbolRef getContainerBegin(ProgramStateRef State, const MemRegion *Cont); SymbolRef getContainerBegin(ProgramStateRef State, const MemRegion *Cont);
SymbolRef getContainerEnd(ProgramStateRef State, const MemRegion *Cont); SymbolRef getContainerEnd(ProgramStateRef State, const MemRegion *Cont);
ProgramStateRef createContainerBegin(ProgramStateRef State, ProgramStateRef createContainerBegin(ProgramStateRef State,
const MemRegion *Cont, const Expr *E, const MemRegion *Cont, const Expr *E,
QualType T, const LocationContext *LCtx, QualType T, const LocationContext *LCtx,
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines if (!Func)
return; return;
if (Func->isOverloadedOperator()) { if (Func->isOverloadedOperator()) {
const auto Op = Func->getOverloadedOperator(); const auto Op = Func->getOverloadedOperator();
if (Op == OO_Equal) { if (Op == OO_Equal) {
// Overloaded 'operator=' must be a non-static member function. // Overloaded 'operator=' must be a non-static member function.
const auto *InstCall = cast<CXXInstanceCall>(&Call); const auto *InstCall = cast<CXXInstanceCall>(&Call);
if (cast<CXXMethodDecl>(Func)->isMoveAssignmentOperator()) { if (cast<CXXMethodDecl>(Func)->isMoveAssignmentOperator()) {
handleAssignment(C, InstCall->getCXXThisVal(), Call.getOriginExpr(), handleAssignment(C, Call.getOriginExpr(), InstCall->getCXXThisVal(),
Call.getArgSVal(0)); Call.getArgSVal(0));
return; return;
} }
handleAssignment(C, InstCall->getCXXThisVal()); handleAssignment(C, Call.getOriginExpr(), InstCall->getCXXThisVal());
return; return;
} }
} else if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) { } else if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
const auto *OrigExpr = Call.getOriginExpr(); const auto *OrigExpr = Call.getOriginExpr();
if (!OrigExpr) if (!OrigExpr)
return; return;
if (isBeginCall(Func)) { SVal RetVal = Call.getReturnValue();
handleBegin(C, OrigExpr, getReturnIterator(Call), if (isIteratorType(Call.getResultType()))
InstCall->getCXXThisVal()); RetVal = getReturnIterator(Call);
return;
}
if (isEndCall(Func)) {
handleEnd(C, OrigExpr, getReturnIterator(Call),
InstCall->getCXXThisVal());
return;
}
const NoItParamFn *Handler0 = NoIterParamFunctions.lookup(Call); const ZeroItParamFn *Handler0 = ZeroIterParamFunctions.lookup(Call);
if (Handler0) { if (Handler0) {
(this->**Handler0)(C, InstCall->getCXXThisVal(), (this->**Handler0)(C, OrigExpr, InstCall->getCXXThisExpr(),
InstCall->getCXXThisExpr()); InstCall->getCXXThisVal(), RetVal);
return; return;
} }
if (Call.getNumArgs() < 1)
return;
SVal Arg0 = getIteratorArg(Call, 0, C.blockCount());
const OneItParamFn *Handler1 = OneIterParamFunctions.lookup(Call); const OneItParamFn *Handler1 = OneIterParamFunctions.lookup(Call);
if (Handler1) { if (Handler1) {
(this->**Handler1)(C, InstCall->getCXXThisVal(), Arg0); SVal Arg0 = getIteratorArg(Call, 0, C.blockCount());
(this->**Handler1)(C, OrigExpr, InstCall->getCXXThisExpr(),
InstCall->getCXXThisVal(), Arg0, RetVal);
return; return;
} }
if (Call.getNumArgs() < 2)
return;
SVal Arg1 = getIteratorArg(Call, 1, C.blockCount());
const TwoItParamFn *Handler2 = TwoIterParamFunctions.lookup(Call); const TwoItParamFn *Handler2 = TwoIterParamFunctions.lookup(Call);
if (Handler2) { if (Handler2) {
(this->**Handler2)(C, InstCall->getCXXThisVal(), Arg0, Arg1); SVal Arg0 = getIteratorArg(Call, 0, C.blockCount());
SVal Arg1 = getIteratorArg(Call, 1, C.blockCount());
(this->**Handler2)(C, OrigExpr, InstCall->getCXXThisExpr(),
InstCall->getCXXThisVal(), Arg0, Arg1, RetVal);
return; return;
} }
} }
} }
void ContainerModeling::checkLiveSymbols(ProgramStateRef State, void ContainerModeling::checkLiveSymbols(ProgramStateRef State,
SymbolReaper &SR) const { SymbolReaper &SR) const {
// Keep symbolic expressions of container begins and ends alive // Keep symbolic expressions of container begins and ends alive
Show All 28 Lines if (!SR.isLiveRegion(Cont.first)) {
} }
} }
} }
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleBegin(CheckerContext &C, const Expr *CE, void ContainerModeling::handleBegin(CheckerContext &C, const Expr *CE,
SVal RetVal, SVal Cont) const { const Expr *, SVal Cont,
SVal RetVal) const {
martongUnsubmitted
Not Done
ReplyInline Actions

Why do we skip the const qualifiers here?

martong: Why do we skip the `const` qualifiers here?
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Do you mean for SVal? See above.

baloghadamsoftware: Do you mean for `SVal`? See above.
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
// If the container already has a begin symbol then use it. Otherwise first // If the container already has a begin symbol then use it. Otherwise first
// create a new one. // create a new one.
auto State = C.getState(); auto State = C.getState();
auto BeginSym = getContainerBegin(State, ContReg); auto BeginSym = getContainerBegin(State, ContReg);
if (!BeginSym) { if (!BeginSym) {
State = createContainerBegin(State, ContReg, CE, C.getASTContext().LongTy, State = createContainerBegin(State, ContReg, CE, C.getASTContext().LongTy,
C.getLocationContext(), C.blockCount()); C.getLocationContext(), C.blockCount());
BeginSym = getContainerBegin(State, ContReg); BeginSym = getContainerBegin(State, ContReg);
} }
State = setIteratorPosition(State, RetVal, State = setIteratorPosition(State, RetVal,
IteratorPosition::getPosition(ContReg, BeginSym)); IteratorPosition::getPosition(ContReg, BeginSym));
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleEnd(CheckerContext &C, const Expr *CE, void ContainerModeling::handleEnd(CheckerContext &C, const Expr *CE,
SVal RetVal, SVal Cont) const { const Expr *, SVal Cont, SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
// If the container already has an end symbol then use it. Otherwise first // If the container already has an end symbol then use it. Otherwise first
// create a new one. // create a new one.
auto State = C.getState(); auto State = C.getState();
auto EndSym = getContainerEnd(State, ContReg); auto EndSym = getContainerEnd(State, ContReg);
if (!EndSym) { if (!EndSym) {
State = createContainerEnd(State, ContReg, CE, C.getASTContext().LongTy, State = createContainerEnd(State, ContReg, CE, C.getASTContext().LongTy,
C.getLocationContext(), C.blockCount()); C.getLocationContext(), C.blockCount());
EndSym = getContainerEnd(State, ContReg); EndSym = getContainerEnd(State, ContReg);
} }
State = setIteratorPosition(State, RetVal, State = setIteratorPosition(State, RetVal,
IteratorPosition::getPosition(ContReg, EndSym)); IteratorPosition::getPosition(ContReg, EndSym));
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleAssignment(CheckerContext &C, SVal Cont, void ContainerModeling::handleAssignment(CheckerContext &C, const Expr *CE,
const Expr *CE, SVal OldCont) const { SVal Cont,
Optional<SVal> OldCont) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
// Assignment of a new value to a container always invalidates all its // Assignment of a new value to a container always invalidates all its
// iterators // iterators
auto State = C.getState(); auto State = C.getState();
const auto CData = getContainerData(State, ContReg); const auto CData = getContainerData(State, ContReg);
if (CData) { if (CData) {
State = invalidateAllIteratorPositions(State, ContReg); State = invalidateAllIteratorPositions(State, ContReg);
} }
// In case of move, iterators of the old container (except the past-end // In case of move, iterators of the old container (except the past-end
// iterators) remain valid but refer to the new container // iterators) remain valid but refer to the new container
if (!OldCont.isUndef()) { if (OldCont.hasValue()) {
const auto *OldContReg = OldCont.getAsRegion(); const auto *OldContReg = OldCont->getAsRegion();
if (OldContReg) { if (OldContReg) {
OldContReg = OldContReg->getMostDerivedObjectRegion(); OldContReg = OldContReg->getMostDerivedObjectRegion();
const auto OldCData = getContainerData(State, OldContReg); const auto OldCData = getContainerData(State, OldContReg);
if (OldCData) { if (OldCData) {
if (const auto OldEndSym = OldCData->getEnd()) { if (const auto OldEndSym = OldCData->getEnd()) {
// If we already assigned an "end" symbol to the old container, then // If we already assigned an "end" symbol to the old container, then
// first reassign all iterator positions to the new container which // first reassign all iterator positions to the new container which
// are not past the container (thus not greater or equal to the // are not past the container (thus not greater or equal to the
Show All 40 Lines if (OldContReg) {
// container, so reassign all iterator positions to the new container. // container, so reassign all iterator positions to the new container.
State = reassignAllIteratorPositions(State, OldContReg, ContReg); State = reassignAllIteratorPositions(State, OldContReg, ContReg);
} }
} }
} }
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleAssign(CheckerContext &C, SVal Cont, void ContainerModeling::handleEmpty(CheckerContext &C, const Expr *CE,
const Expr *ContE) const { const Expr *, SVal Cont,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion();
if (!ContReg)
return;
ContReg = ContReg->getMostDerivedObjectRegion();
// If the container already has a begin symbol then use it. Otherwise first
// create a new one.
auto State = C.getState();
auto *LCtx = C.getLocationContext();
auto BeginSym = getContainerBegin(State, ContReg);
if (!BeginSym) {
State = createContainerBegin(State, ContReg, CE, C.getASTContext().LongTy,
LCtx, C.blockCount());
BeginSym = getContainerBegin(State, ContReg);
}
auto EndSym = getContainerEnd(State, ContReg);
if (!EndSym) {
State = createContainerEnd(State, ContReg, CE, C.getASTContext().LongTy,
LCtx, C.blockCount());
EndSym = getContainerEnd(State, ContReg);
}
// We cannot make assumpotions on `UnknownVal`. Let us conjure a symbol
SzelethusUnsubmitted
Not Done
ReplyInline Actions

assumpotions > assumptions

Szelethus: assumpotions > assumptions
// instead.
if (RetVal.isUnknown()) {
auto &SymMgr = C.getSymbolManager();
RetVal = nonloc::SymbolVal(SymMgr.conjureSymbol(
CE, LCtx, C.getASTContext().BoolTy, C.blockCount()));
State = State->BindExpr(CE, LCtx, RetVal);
}
SzelethusUnsubmitted
Not Done
ReplyInline Actions

You will have to help me out here -- if the analyzer couldn't return a sensible symbol, is it okay to just create one? When does UnknownVal even happen, does it ever happen? Also, if we're doing this anyways, wouldn't using evalCall be more appropriate?

Szelethus: You will have to help me out here -- if the analyzer couldn't return a sensible symbol, is it…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Actually, both UnknownVal and SymbolVal containing a SymbolConjured without constraints are unknown. The main difference (for us) is that we cannot assign constraints to UnknownVal but we can for SymbolConjured. This is the reason for replacing it. However, this is not new. We do it in comparison too. The best would be to change the infrastructure to never return UnknownVal but conjure a new symbol instead if we known nothing about the return value. Maybe I will put a FIXME there. evalCall() is not an option, because we do not want to lose the possibility that the implementation of empty() is inlined by the engine.

baloghadamsoftware: Actually, both `UnknownVal` and `SymbolVal` containing a `SymbolConjured` without constraints…
if (const auto DefRetVal = RetVal.getAs<DefinedSVal>()) {
ProgramStateRef StateEmpty, StateNonEmpty;
std::tie(StateEmpty, StateNonEmpty) =
assumeComparison(State, BeginSym, EndSym, *DefRetVal, OO_EqualEqual);
martongUnsubmitted
Not Done
ReplyInline Actions

Is there really no sense to continue the analysis here? In what state we are here exactly? Is there an inconsistency between the begin , end and the return value?

martong: Is there really no sense to continue the analysis here? In what state we are here exactly? Is…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Yes, see the comment I added. If data about emptiness based on the difference of begin and and and the return value of empty() contradict each other then we are on an impossible branch.

baloghadamsoftware: Yes, see the comment I added. If data about emptiness based on the difference of begin and and…
if (!StateEmpty && !StateNonEmpty) {
// The return value of the `empty()` call contradicts the emptyness of
// the container.
C.generateSink(State, C.getPredecessor());
return;
}
if (StateEmpty)
C.addTransition(StateEmpty);
if (StateNonEmpty)
C.addTransition(StateNonEmpty);
}
}
void ContainerModeling::handleAssign(CheckerContext &C, const Expr *CE,
const Expr *, SVal Cont,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
// The assign() operation invalidates all the iterators // The assign() operation invalidates all the iterators
auto State = C.getState(); auto State = C.getState();
State = invalidateAllIteratorPositions(State, ContReg); State = invalidateAllIteratorPositions(State, ContReg);
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleClear(CheckerContext &C, SVal Cont, void ContainerModeling::handleClear(CheckerContext &C, const Expr *CE,
const Expr *ContE) const { const Expr *ContE, SVal Cont,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
// The clear() operation invalidates all the iterators, except the past-end // The clear() operation invalidates all the iterators, except the past-end
// iterators of list-like containers // iterators of list-like containers
Show All 11 Lines if (!hasSubscriptOperator(State, ContReg) ||
} }
} }
const NoteTag *ChangeTag = const NoteTag *ChangeTag =
getChangeTag(C, "became empty", ContReg, ContE); getChangeTag(C, "became empty", ContReg, ContE);
State = invalidateAllIteratorPositions(State, ContReg); State = invalidateAllIteratorPositions(State, ContReg);
C.addTransition(State, ChangeTag); C.addTransition(State, ChangeTag);
} }
void ContainerModeling::handlePushBack(CheckerContext &C, SVal Cont, void ContainerModeling::handlePushBack(CheckerContext &C, const Expr *CE,
const Expr *ContE) const { const Expr *ContE, SVal Cont,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
// For deque-like containers invalidate all iterator positions // For deque-like containers invalidate all iterator positions
auto State = C.getState(); auto State = C.getState();
Show All 22 Lines const auto newEndSym =
SymMgr.getType(EndSym)).getAsSymbol(); SymMgr.getType(EndSym)).getAsSymbol();
const NoteTag *ChangeTag = const NoteTag *ChangeTag =
getChangeTag(C, "extended to the back by 1 position", ContReg, ContE); getChangeTag(C, "extended to the back by 1 position", ContReg, ContE);
State = setContainerData(State, ContReg, CData->newEnd(newEndSym)); State = setContainerData(State, ContReg, CData->newEnd(newEndSym));
C.addTransition(State, ChangeTag); C.addTransition(State, ChangeTag);
} }
} }
void ContainerModeling::handlePopBack(CheckerContext &C, SVal Cont, void ContainerModeling::handlePopBack(CheckerContext &C, const Expr *CE,
const Expr *ContE) const { const Expr *ContE, SVal Cont,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
auto State = C.getState(); auto State = C.getState();
const auto CData = getContainerData(State, ContReg); const auto CData = getContainerData(State, ContReg);
Show All 22 Lines if (hasSubscriptOperator(State, ContReg) &&
State = invalidateIteratorPositions(State, BackSym, BO_EQ); State = invalidateIteratorPositions(State, BackSym, BO_EQ);
} }
auto newEndSym = BackSym; auto newEndSym = BackSym;
State = setContainerData(State, ContReg, CData->newEnd(newEndSym)); State = setContainerData(State, ContReg, CData->newEnd(newEndSym));
C.addTransition(State, ChangeTag); C.addTransition(State, ChangeTag);
} }
} }
void ContainerModeling::handlePushFront(CheckerContext &C, SVal Cont, void ContainerModeling::handlePushFront(CheckerContext &C, const Expr *CE,
const Expr *ContE) const { const Expr *ContE, SVal Cont,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
// For deque-like containers invalidate all iterator positions // For deque-like containers invalidate all iterator positions
auto State = C.getState(); auto State = C.getState();
Show All 17 Lines if (const auto BeginSym = CData->getBegin()) {
const NoteTag *ChangeTag = const NoteTag *ChangeTag =
getChangeTag(C, "extended to the front by 1 position", ContReg, ContE); getChangeTag(C, "extended to the front by 1 position", ContReg, ContE);
State = setContainerData(State, ContReg, CData->newBegin(newBeginSym)); State = setContainerData(State, ContReg, CData->newBegin(newBeginSym));
C.addTransition(State, ChangeTag); C.addTransition(State, ChangeTag);
} }
} }
} }
void ContainerModeling::handlePopFront(CheckerContext &C, SVal Cont, void ContainerModeling::handlePopFront(CheckerContext &C, const Expr *CE,
const Expr *ContE) const { const Expr *ContE, SVal Cont,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
auto State = C.getState(); auto State = C.getState();
const auto CData = getContainerData(State, ContReg); const auto CData = getContainerData(State, ContReg);
Show All 18 Lines const auto newBeginSym =
SymMgr.getType(BeginSym)).getAsSymbol(); SymMgr.getType(BeginSym)).getAsSymbol();
const NoteTag *ChangeTag = const NoteTag *ChangeTag =
getChangeTag(C, "shrank from the front by 1 position", ContReg, ContE); getChangeTag(C, "shrank from the front by 1 position", ContReg, ContE);
State = setContainerData(State, ContReg, CData->newBegin(newBeginSym)); State = setContainerData(State, ContReg, CData->newBegin(newBeginSym));
C.addTransition(State, ChangeTag); C.addTransition(State, ChangeTag);
} }
} }
void ContainerModeling::handleInsert(CheckerContext &C, SVal Cont, void ContainerModeling::handleInsert(CheckerContext &C, const Expr *CE,
SVal Iter) const { const Expr *, SVal Cont, SVal Iter,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
auto State = C.getState(); auto State = C.getState();
const auto *Pos = getIteratorPosition(State, Iter); const auto *Pos = getIteratorPosition(State, Iter);
Show All 13 Lines if (const auto *CData = getContainerData(State, ContReg)) {
State = invalidateIteratorPositions(State, EndSym, BO_GE); State = invalidateIteratorPositions(State, EndSym, BO_GE);
State = setContainerData(State, ContReg, CData->newEnd(nullptr)); State = setContainerData(State, ContReg, CData->newEnd(nullptr));
} }
} }
C.addTransition(State); C.addTransition(State);
} }
} }
void ContainerModeling::handleErase(CheckerContext &C, SVal Cont, void ContainerModeling::handleErase(CheckerContext &C, const Expr *CE,
SVal Iter) const { const Expr *, SVal Cont, SVal Iter,
SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
auto State = C.getState(); auto State = C.getState();
const auto *Pos = getIteratorPosition(State, Iter); const auto *Pos = getIteratorPosition(State, Iter);
Show All 16 Lines if (const auto *CData = getContainerData(State, ContReg)) {
} }
} }
} else { } else {
State = invalidateIteratorPositions(State, Pos->getOffset(), BO_EQ); State = invalidateIteratorPositions(State, Pos->getOffset(), BO_EQ);
} }
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleErase(CheckerContext &C, SVal Cont, SVal Iter1, void ContainerModeling::handleErase(CheckerContext &C, const Expr *CE,
SVal Iter2) const { const Expr *, SVal Cont, SVal Iter1,
SVal Iter2, SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion(); const auto *ContReg = Cont.getAsRegion();
if (!ContReg) if (!ContReg)
return; return;
ContReg = ContReg->getMostDerivedObjectRegion(); ContReg = ContReg->getMostDerivedObjectRegion();
auto State = C.getState(); auto State = C.getState();
const auto *Pos1 = getIteratorPosition(State, Iter1); const auto *Pos1 = getIteratorPosition(State, Iter1);
const auto *Pos2 = getIteratorPosition(State, Iter2); const auto *Pos2 = getIteratorPosition(State, Iter2);
Show All 18 Lines if (hasSubscriptOperator(State, ContReg) && backModifiable(State, ContReg)) {
} }
} else { } else {
State = invalidateIteratorPositions(State, Pos1->getOffset(), BO_GE, State = invalidateIteratorPositions(State, Pos1->getOffset(), BO_GE,
Pos2->getOffset(), BO_LT); Pos2->getOffset(), BO_LT);
} }
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleEraseAfter(CheckerContext &C, SVal Cont, void ContainerModeling::handleEraseAfter(CheckerContext &C, const Expr *CE,
SVal Iter) const { const Expr *, SVal Cont, SVal Iter,
SVal RetVal) const {
auto State = C.getState(); auto State = C.getState();
const auto *Pos = getIteratorPosition(State, Iter); const auto *Pos = getIteratorPosition(State, Iter);
if (!Pos) if (!Pos)
return; return;
// Invalidate the deleted iterator position, which is the position of the // Invalidate the deleted iterator position, which is the position of the
// parameter plus one. // parameter plus one.
auto &SymMgr = C.getSymbolManager(); auto &SymMgr = C.getSymbolManager();
auto &BVF = SymMgr.getBasicVals(); auto &BVF = SymMgr.getBasicVals();
auto &SVB = C.getSValBuilder(); auto &SVB = C.getSValBuilder();
const auto NextSym = const auto NextSym =
SVB.evalBinOp(State, BO_Add, SVB.evalBinOp(State, BO_Add,
nonloc::SymbolVal(Pos->getOffset()), nonloc::SymbolVal(Pos->getOffset()),
nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))), nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))),
SymMgr.getType(Pos->getOffset())).getAsSymbol(); SymMgr.getType(Pos->getOffset())).getAsSymbol();
State = invalidateIteratorPositions(State, NextSym, BO_EQ); State = invalidateIteratorPositions(State, NextSym, BO_EQ);
C.addTransition(State); C.addTransition(State);
} }
void ContainerModeling::handleEraseAfter(CheckerContext &C, SVal Cont, void ContainerModeling::handleEraseAfter(CheckerContext &C, const Expr *CE,
SVal Iter1, SVal Iter2) const { const Expr *, SVal Cont, SVal Iter1,
SVal Iter2, SVal RetVal) const {
auto State = C.getState(); auto State = C.getState();
const auto *Pos1 = getIteratorPosition(State, Iter1); const auto *Pos1 = getIteratorPosition(State, Iter1);
const auto *Pos2 = getIteratorPosition(State, Iter2); const auto *Pos2 = getIteratorPosition(State, Iter2);
if (!Pos1 || !Pos2) if (!Pos1 || !Pos2)
return; return;
// Invalidate the deleted iterator position range (first..last) // Invalidate the deleted iterator position range (first..last)
State = invalidateIteratorPositions(State, Pos1->getOffset(), BO_GT, State = invalidateIteratorPositions(State, Pos1->getOffset(), BO_GT,
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines for (const auto &Cont : ContMap) {
Out << "<Unknown>"; Out << "<Unknown>";
Out << " ]"; Out << " ]";
} }
} }
} }
namespace { namespace {
bool isBeginCall(const FunctionDecl *Func) {
const auto *IdInfo = Func->getIdentifier();
if (!IdInfo)
return false;
return IdInfo->getName().endswith_lower("begin");
}
bool isEndCall(const FunctionDecl *Func) {
const auto *IdInfo = Func->getIdentifier();
if (!IdInfo)
return false;
return IdInfo->getName().endswith_lower("end");
}
const CXXRecordDecl *getCXXRecordDecl(ProgramStateRef State, const CXXRecordDecl *getCXXRecordDecl(ProgramStateRef State,
const MemRegion *Reg) { const MemRegion *Reg) {
auto TI = getDynamicTypeInfo(State, Reg); auto TI = getDynamicTypeInfo(State, Reg);
if (!TI.isValid()) if (!TI.isValid())
return nullptr; return nullptr;
auto Type = TI.getType(); auto Type = TI.getType();
if (const auto *RefT = Type->getAs<ReferenceType>()) { if (const auto *RefT = Type->getAs<ReferenceType>()) {
▲ Show 20 LinesShow All 300 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/Iterator.h

Show First 20 LinesShow All 173 Lines▼ Show 20 LinesProgramStateRef createIteratorPosition(ProgramStateRef State, const SVal &Val,
const LocationContext *LCtx, const LocationContext *LCtx,
unsigned blockCount); unsigned blockCount);
ProgramStateRef advancePosition(ProgramStateRef State, ProgramStateRef advancePosition(ProgramStateRef State,
const SVal &Iter, const SVal &Iter,
OverloadedOperatorKind Op, OverloadedOperatorKind Op,
const SVal &Distance); const SVal &Distance);
ProgramStateRef assumeNoOverflow(ProgramStateRef State, SymbolRef Sym, ProgramStateRef assumeNoOverflow(ProgramStateRef State, SymbolRef Sym,
long Scale); long Scale);
martongUnsubmitted
Not Done
ReplyInline Actions

Documentation would be helpful.

martong: Documentation would be helpful.
// Returns states with comparison results assumed to `true` and `false`. If
// only one of them is possible then the second value of the pair is `nullptr`.
// If none is possible then both values are `nullptr`.
std::pair<ProgramStateRef, ProgramStateRef>
assumeComparison(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
DefinedSVal RetVal, OverloadedOperatorKind Op);
bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2, bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
BinaryOperator::Opcode Opc); BinaryOperator::Opcode Opc);
bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2, bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2,
BinaryOperator::Opcode Opc); BinaryOperator::Opcode Opc);
// Returns the value of the iterator argument if it non-class value (a pointer // Returns the value of the iterator argument if it non-class value (a pointer
// or a reference). Otherwise it returns the iterator parameter location (see // or a reference). Otherwise it returns the iterator parameter location (see
// CallEvent::getParameterLocation()). // CallEvent::getParameterLocation()).
Show All 13 Lines

clang/lib/StaticAnalyzer/Checkers/Iterator.cpp

Show All 12 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "Iterator.h" #include "Iterator.h"
namespace clang { namespace clang {
namespace ento { namespace ento {
namespace iterator { namespace iterator {
ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
martongUnsubmitted
Not Done
ReplyInline Actions

Docs, docs, docs.

martong: Docs, docs, docs.
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

This function is moved here, it is nothing new.

baloghadamsoftware: This function is moved here, it is nothing new.
SymbolRef Sym2, bool Equal);
bool isIteratorType(const QualType &Type) { bool isIteratorType(const QualType &Type) {
if (Type->isPointerType()) if (Type->isPointerType())
return true; return true;
const auto *CRD = Type->getUnqualifiedDesugaredType()->getAsCXXRecordDecl(); const auto *CRD = Type->getUnqualifiedDesugaredType()->getAsCXXRecordDecl();
return isIterator(CRD); return isIterator(CRD);
} }
static bool hasOperator(const CXXRecordDecl *CRD, OverloadedOperatorKind Op,
unsigned NumParams) {
for (const auto *Method : CRD->methods()) {
if (!Method->isOverloadedOperator())
continue;
if (Method->getOverloadedOperator() == Op &&
Method->getNumParams() == NumParams)
return true;
}
for (auto Base : CRD->bases()) {
const auto *BaseCRD =
Base.getType()->getUnqualifiedDesugaredType()->getAsCXXRecordDecl();
if (BaseCRD && hasOperator(BaseCRD, Op, NumParams))
return true;
}
return false;
}
bool isIterator(const CXXRecordDecl *CRD) { bool isIterator(const CXXRecordDecl *CRD) {
if (!CRD) if (!CRD)
return false; return false;
const auto Name = CRD->getName(); const auto Name = CRD->getName();
if (!(Name.endswith_lower("iterator") || Name.endswith_lower("iter") || if (!(Name.endswith_lower("iterator") || Name.endswith_lower("iter") ||
Name.endswith_lower("it"))) Name.endswith_lower("it")))
return false; return false;
bool HasCopyCtor = false, HasCopyAssign = true, HasDtor = false, if ((!CRD->hasSimpleCopyConstructor() &&
HasPreIncrOp = false, HasPostIncrOp = false, HasDerefOp = false; !CRD->hasUserDeclaredCopyConstructor()) ||
for (const auto *Method : CRD->methods()) { (!CRD->hasSimpleCopyAssignment() &&
if (const auto *Ctor = dyn_cast<CXXConstructorDecl>(Method)) { !CRD->hasUserDeclaredCopyAssignment()) ||
if (Ctor->isCopyConstructor()) { (!CRD->hasSimpleDestructor() &&
HasCopyCtor = !Ctor->isDeleted() && Ctor->getAccess() == AS_public; !CRD->hasUserDeclaredDestructor()))
} return false;
continue;
} // Operator Prefix ++
if (const auto *Dtor = dyn_cast<CXXDestructorDecl>(Method)) { if (!hasOperator(CRD, OO_PlusPlus, 0))
HasDtor = !Dtor->isDeleted() && Dtor->getAccess() == AS_public; return false;
continue;
} // Operator Postfix ++
if (Method->isCopyAssignmentOperator()) { if (!hasOperator(CRD, OO_PlusPlus, 1))
HasCopyAssign = !Method->isDeleted() && Method->getAccess() == AS_public; return false;
continue;
}
if (!Method->isOverloadedOperator())
continue;
const auto OPK = Method->getOverloadedOperator();
if (OPK == OO_PlusPlus) {
HasPreIncrOp = HasPreIncrOp || (Method->getNumParams() == 0);
HasPostIncrOp = HasPostIncrOp || (Method->getNumParams() == 1);
continue;
}
if (OPK == OO_Star) {
HasDerefOp = (Method->getNumParams() == 0);
continue;
}
}
return HasCopyCtor && HasCopyAssign && HasDtor && HasPreIncrOp && // Operator *
HasPostIncrOp && HasDerefOp; if (!hasOperator(CRD, OO_Star, 0))
return false;
return true;
} }
bool isComparisonOperator(OverloadedOperatorKind OK) { bool isComparisonOperator(OverloadedOperatorKind OK) {
return OK == OO_EqualEqual || OK == OO_ExclaimEqual || OK == OO_Less || return OK == OO_EqualEqual || OK == OO_ExclaimEqual || OK == OO_Less ||
OK == OO_LessEqual || OK == OO_Greater || OK == OO_GreaterEqual; OK == OO_LessEqual || OK == OO_Greater || OK == OO_GreaterEqual;
} }
bool isInsertCall(const FunctionDecl *Func) { bool isInsertCall(const FunctionDecl *Func) {
▲ Show 20 LinesShow All 210 Lines▼ Show 20 Lines if (auto DV = IsCappedFromBelow.getAs<DefinedSVal>()) {
NewState = NewState->assume(*DV, true); NewState = NewState->assume(*DV, true);
if (!NewState) if (!NewState)
return State; return State;
} }
return NewState; return NewState;
} }
std::pair<ProgramStateRef, ProgramStateRef>
assumeComparison(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
DefinedSVal RetVal, OverloadedOperatorKind Op) {
martongUnsubmitted
Done
ReplyInline Actions

Perhaps we should guard Op with an assert, I mean it should be either == or !=.

martong: Perhaps we should guard `Op` with an assert, I mean it should be either == or !=.
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Actually, this works for any comparison operator. So it is enough to assume that Op is a comparison operator.

baloghadamsoftware: Actually, this works for any comparison operator. So it is enough to assume that `Op` is a…
assert(CXXOperatorCallExpr::isComparisonOp(Op) &&
"`Op` must be a comparison operator");
martongUnsubmitted
Done
ReplyInline Actions

Could we spare the if with just keeping the declaration of State and then

return std::make_pair(State, nullptr);

?

martong: Could we spare the `if` with just keeping the declaration of `State` and then ``` return std…
if (const auto TruthVal = RetVal.getAs<nonloc::ConcreteInt>()) {
State = relateSymbols(State, Sym1, Sym2,
martongUnsubmitted
Done
ReplyInline Actions

This is hard to read for me. Also, Isn't it enough just to write TruthVal->getValue() ?

martong: This is hard to read for me. Also, Isn't it enough just to write `TruthVal->getValue()` ?
(Op == OO_EqualEqual) == TruthVal->getValue());
return std::make_pair(State, nullptr);
}
ProgramStateRef StateTrue =
relateSymbols(State, Sym1, Sym2, Op == OO_EqualEqual);
ProgramStateRef StateFalse =
relateSymbols(State, Sym1, Sym2, Op != OO_EqualEqual);
if (StateTrue)
StateTrue = StateTrue->assume(RetVal, true);
if (StateFalse)
martongUnsubmitted
Not Done
ReplyInline Actions

Why do we assume here again? We already had an assume in relateSymbols, hadn't we?

martong: Why do we `assume` here again? We already had an assume in `relateSymbols`, hadn't we?
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

In relateSymbols we assumed the comparison of the two symbols. Here we assume the RetVal. The new states are nullptr if we cannot assume the same for both.

baloghadamsoftware: In `relateSymbols` we assumed the comparison of the two symbols. Here we assume the `RetVal`.
StateFalse = StateFalse->assume(RetVal, false);
return std::make_pair(StateTrue, StateFalse);
}
ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
SymbolRef Sym2, bool Equal) {
martongUnsubmitted
Not Done
ReplyInline Actions

Would assumeEqual be a better name?

martong: Would `assumeEqual` be a better name?
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

This method is just moved from another source file.

baloghadamsoftware: This method is just moved from another source file.
auto &SVB = State->getStateManager().getSValBuilder();
// FIXME: This code should be reworked as follows:
// 1. Subtract the operands using evalBinOp().
martongUnsubmitted
Not Done
ReplyInline Actions

Please explain in the comment what is the problem with the current impl.

martong: Please explain in the comment what is the problem with the current impl.
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Ditto. The community requested a future refactoring.

baloghadamsoftware: Ditto. The community requested a future refactoring.
// 2. Assume that the result doesn't overflow.
// 3. Compare the result to 0.
// 4. Assume the result of the comparison.
const auto comparison =
SVB.evalBinOp(State, BO_EQ, nonloc::SymbolVal(Sym1),
nonloc::SymbolVal(Sym2), SVB.getConditionType());
assert(comparison.getAs<DefinedSVal>() &&
"Symbol comparison must be a `DefinedSVal`");
auto NewState = State->assume(comparison.castAs<DefinedSVal>(), Equal);
if (!NewState)
return nullptr;
martongUnsubmitted
Not Done
ReplyInline Actions

Could we merge the declaration of the new state into the parens of the if?

martong: Could we merge the declaration of the new state into the parens of the `if`?
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

No, because we use it later in the function. (See below.)

baloghadamsoftware: No, because we use it later in the function. (See below.)
if (const auto CompSym = comparison.getAsSymbol()) {
assert(isa<SymIntExpr>(CompSym) &&
"Symbol comparison must be a `SymIntExpr`");
assert(BinaryOperator::isComparisonOp(
cast<SymIntExpr>(CompSym)->getOpcode()) &&
"Symbol comparison must be a comparison");
return assumeNoOverflow(NewState, cast<SymIntExpr>(CompSym)->getLHS(), 2);
}
return NewState;
}
bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2, bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
BinaryOperator::Opcode Opc) { BinaryOperator::Opcode Opc) {
return compare(State, nonloc::SymbolVal(Sym1), nonloc::SymbolVal(Sym2), Opc); return compare(State, nonloc::SymbolVal(Sym1), nonloc::SymbolVal(Sym2), Opc);
} }
bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2, bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2,
BinaryOperator::Opcode Opc) { BinaryOperator::Opcode Opc) {
auto &SVB = State->getStateManager().getSValBuilder(); auto &SVB = State->getStateManager().getSValBuilder();
Show All 36 Lines

clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp

Show First 20 LinesShow All 151 Lines▼ Show 20 Linespublic:
void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const; void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
}; };
bool isSimpleComparisonOperator(OverloadedOperatorKind OK); bool isSimpleComparisonOperator(OverloadedOperatorKind OK);
bool isSimpleComparisonOperator(BinaryOperatorKind OK); bool isSimpleComparisonOperator(BinaryOperatorKind OK);
ProgramStateRef removeIteratorPosition(ProgramStateRef State, SVal Val); ProgramStateRef removeIteratorPosition(ProgramStateRef State, SVal Val);
ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
SymbolRef Sym2, bool Equal);
const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call); const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call);
} // namespace } // namespace
void IteratorModeling::checkPostCall(const CallEvent &Call, void IteratorModeling::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// Record new iterator positions and iterator position changes // Record new iterator positions and iterator position changes
const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
▲ Show 20 LinesShow All 316 Lines▼ Show 20 Linesvoid IteratorModeling::handleComparison(CheckerContext &C, const Expr *CE,
// We cannot make assumptions on `UnknownVal`. Let us conjure a symbol // We cannot make assumptions on `UnknownVal`. Let us conjure a symbol
// instead. // instead.
if (RetVal.isUnknown()) { if (RetVal.isUnknown()) {
auto &SymMgr = C.getSymbolManager(); auto &SymMgr = C.getSymbolManager();
auto *LCtx = C.getLocationContext(); auto *LCtx = C.getLocationContext();
RetVal = nonloc::SymbolVal(SymMgr.conjureSymbol( RetVal = nonloc::SymbolVal(SymMgr.conjureSymbol(
CE, LCtx, C.getASTContext().BoolTy, C.blockCount())); CE, LCtx, C.getASTContext().BoolTy, C.blockCount()));
State = State->BindExpr(CE, LCtx, RetVal); State = State->BindExpr(CE, LCtx, RetVal);
} }
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Maybe I should move these lines into a separate function in the library to avoid repetition.

baloghadamsoftware: Maybe I should move these lines into a separate function in the library to avoid repetition.
processComparison(C, State, LPos->getOffset(), RPos->getOffset(), RetVal, Op); if (const auto DefRetVal = RetVal.getAs<DefinedSVal>()) {
} ProgramStateRef StateEqual, StateNonEqual;
std::tie(StateEqual, StateNonEqual) =
assumeComparison(State, LPos->getOffset(), RPos->getOffset(), *DefRetVal,
Op);
void IteratorModeling::processComparison(CheckerContext &C, if (!StateEqual && !StateNonEqual) {
ProgramStateRef State, SymbolRef Sym1,
SymbolRef Sym2, SVal RetVal,
OverloadedOperatorKind Op) const {
if (const auto TruthVal = RetVal.getAs<nonloc::ConcreteInt>()) {
if ((State = relateSymbols(State, Sym1, Sym2,
(Op == OO_EqualEqual) ==
(TruthVal->getValue() != 0)))) {
C.addTransition(State);
} else {
C.generateSink(State, C.getPredecessor()); C.generateSink(State, C.getPredecessor());
}
return; return;
} }
const auto ConditionVal = RetVal.getAs<DefinedSVal>(); if (StateEqual)
if (!ConditionVal) C.addTransition(StateEqual);
return;
if (auto StateTrue = relateSymbols(State, Sym1, Sym2, Op == OO_EqualEqual)) { if (StateNonEqual)
StateTrue = StateTrue->assume(*ConditionVal, true); C.addTransition(StateNonEqual);
C.addTransition(StateTrue);
} }
if (auto StateFalse = relateSymbols(State, Sym1, Sym2, Op != OO_EqualEqual)) {
StateFalse = StateFalse->assume(*ConditionVal, false);
C.addTransition(StateFalse);
}
} }
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

This is way longer than the previously used processComparison() but I am reluctant to pass CheckerContext to a non-member function. (And especially add transitions there. Even worse, to a function in a common library.)

baloghadamsoftware: This is way longer than the previously used `processComparison()` but I am reluctant to pass…
void IteratorModeling::handleIncrement(CheckerContext &C, SVal RetVal, void IteratorModeling::handleIncrement(CheckerContext &C, SVal RetVal,
SVal Iter, bool Postfix) const { SVal Iter, bool Postfix) const {
// Increment the symbolic expressions which represents the position of the // Increment the symbolic expressions which represents the position of the
// iterator // iterator
auto State = C.getState(); auto State = C.getState();
auto &BVF = C.getSymbolManager().getBasicVals(); auto &BVF = C.getSymbolManager().getBasicVals();
▲ Show 20 LinesShow All 236 Lines▼ Show 20 Lines if (auto Reg = Val.getAsRegion()) {
Reg = Reg->getMostDerivedObjectRegion(); Reg = Reg->getMostDerivedObjectRegion();
return State->remove<IteratorRegionMap>(Reg); return State->remove<IteratorRegionMap>(Reg);
} else if (const auto Sym = Val.getAsSymbol()) { } else if (const auto Sym = Val.getAsSymbol()) {
return State->remove<IteratorSymbolMap>(Sym); return State->remove<IteratorSymbolMap>(Sym);
} }
return State; return State;
} }
ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
SymbolRef Sym2, bool Equal) {
auto &SVB = State->getStateManager().getSValBuilder();
// FIXME: This code should be reworked as follows:
// 1. Subtract the operands using evalBinOp().
// 2. Assume that the result doesn't overflow.
// 3. Compare the result to 0.
// 4. Assume the result of the comparison.
const auto comparison =
SVB.evalBinOp(State, BO_EQ, nonloc::SymbolVal(Sym1),
nonloc::SymbolVal(Sym2), SVB.getConditionType());
assert(comparison.getAs<DefinedSVal>() &&
"Symbol comparison must be a `DefinedSVal`");
auto NewState = State->assume(comparison.castAs<DefinedSVal>(), Equal);
if (!NewState)
return nullptr;
if (const auto CompSym = comparison.getAsSymbol()) {
assert(isa<SymIntExpr>(CompSym) &&
"Symbol comparison must be a `SymIntExpr`");
assert(BinaryOperator::isComparisonOp(
cast<SymIntExpr>(CompSym)->getOpcode()) &&
"Symbol comparison must be a comparison");
return assumeNoOverflow(NewState, cast<SymIntExpr>(CompSym)->getLHS(), 2);
}
return NewState;
}
const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call) { const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call) {
while (Node) { while (Node) {
ProgramPoint PP = Node->getLocation(); ProgramPoint PP = Node->getLocation();
if (auto Enter = PP.getAs<CallEnter>()) { if (auto Enter = PP.getAs<CallEnter>()) {
if (Enter->getCallExpr() == Call) if (Enter->getCallExpr() == Call)
break; break;
} }
Show All 15 Lines

clang/test/Analysis/Inputs/system-header-simulator-cxx.h

Show First 20 LinesShow All 338 Lines▼ Show 20 Lines public:
const_iterator cbegin() const { return const_iterator(_start); } const_iterator cbegin() const { return const_iterator(_start); }
iterator end() { return iterator(_finish); } iterator end() { return iterator(_finish); }
const_iterator end() const { return const_iterator(_finish); } const_iterator end() const { return const_iterator(_finish); }
const_iterator cend() const { return const_iterator(_finish); } const_iterator cend() const { return const_iterator(_finish); }
T& front() { return *begin(); } T& front() { return *begin(); }
const T& front() const { return *begin(); } const T& front() const { return *begin(); }
T& back() { return *(end() - 1); } T& back() { return *(end() - 1); }
const T& back() const { return *(end() - 1); } const T& back() const { return *(end() - 1); }
bool empty() const;
}; };
template<typename T> template<typename T>
class list { class list {
struct __item { struct __item {
T data; T data;
__item *prev, *next; __item *prev, *next;
} *_start, *_finish; } *_start, *_finish;
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Lines public:
iterator end() { return iterator(_finish); } iterator end() { return iterator(_finish); }
const_iterator end() const { return const_iterator(_finish); } const_iterator end() const { return const_iterator(_finish); }
const_iterator cend() const { return const_iterator(_finish); } const_iterator cend() const { return const_iterator(_finish); }
T& front() { return *begin(); } T& front() { return *begin(); }
const T& front() const { return *begin(); } const T& front() const { return *begin(); }
T& back() { return *--end(); } T& back() { return *--end(); }
const T& back() const { return *--end(); } const T& back() const { return *--end(); }
bool empty() const;
}; };
template<typename T> template<typename T>
class deque { class deque {
T *_start; T *_start;
T *_finish; T *_finish;
T *_end_of_storage; T *_end_of_storage;
▲ Show 20 LinesShow All 65 Lines▼ Show 20 Lines public:
const_iterator cbegin() const { return const_iterator(_start); } const_iterator cbegin() const { return const_iterator(_start); }
iterator end() { return iterator(_finish); } iterator end() { return iterator(_finish); }
const_iterator end() const { return const_iterator(_finish); } const_iterator end() const { return const_iterator(_finish); }
const_iterator cend() const { return const_iterator(_finish); } const_iterator cend() const { return const_iterator(_finish); }
T& front() { return *begin(); } T& front() { return *begin(); }
const T& front() const { return *begin(); } const T& front() const { return *begin(); }
T& back() { return *(end() - 1); } T& back() { return *(end() - 1); }
const T& back() const { return *(end() - 1); } const T& back() const { return *(end() - 1); }
bool empty() const;
}; };
template<typename T> template<typename T>
class forward_list { class forward_list {
struct __item { struct __item {
T data; T data;
__item *next; __item *next;
} *_start; } *_start;
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Lines public:
const_iterator begin() const { return const_iterator(_start); } const_iterator begin() const { return const_iterator(_start); }
const_iterator cbegin() const { return const_iterator(_start); } const_iterator cbegin() const { return const_iterator(_start); }
iterator end() { return iterator(); } iterator end() { return iterator(); }
const_iterator end() const { return const_iterator(); } const_iterator end() const { return const_iterator(); }
const_iterator cend() const { return const_iterator(); } const_iterator cend() const { return const_iterator(); }
T& front() { return *begin(); } T& front() { return *begin(); }
const T& front() const { return *begin(); } const T& front() const { return *begin(); }
bool empty() const;
}; };
template <typename CharT> template <typename CharT>
class basic_string { class basic_string {
public: public:
basic_string(); basic_string();
basic_string(const CharT *s); basic_string(const CharT *s);
▲ Show 20 LinesShow All 572 LinesShow Last 20 Lines

clang/test/Analysis/container-modeling.cpp

Show All 10 Lines
template <typename Container> template <typename Container>
long clang_analyzer_container_end(const Container&); long clang_analyzer_container_end(const Container&);
void clang_analyzer_denote(long, const char*); void clang_analyzer_denote(long, const char*);
void clang_analyzer_express(long); void clang_analyzer_express(long);
void clang_analyzer_eval(bool); void clang_analyzer_eval(bool);
void clang_analyzer_warnIfReached(); void clang_analyzer_warnIfReached();
extern void __assert_fail (__const char *__assertion, __const char *__file,
martongUnsubmitted
Not Done
ReplyInline Actions

It seems like we don't use it anywhere.

martong: It seems like we don't use it anywhere.
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

We use this in the definition of the assert() macro. And we use that macro in the new test cases.

baloghadamsoftware: We use this in the definition of the `assert()` macro. And we use that macro in the new test…
unsigned int __line, __const char *__function)
__attribute__ ((__noreturn__));
#define assert(expr) \
((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
void begin(const std::vector<int> &V) { void begin(const std::vector<int> &V) {
V.begin(); V.begin();
clang_analyzer_denote(clang_analyzer_container_begin(V), "$V.begin()"); clang_analyzer_denote(clang_analyzer_container_begin(V), "$V.begin()");
clang_analyzer_express(clang_analyzer_container_begin(V)); // expected-warning{{$V.begin()}} clang_analyzer_express(clang_analyzer_container_begin(V)); // expected-warning{{$V.begin()}}
// expected-note@-1{{$V.begin()}} // expected-note@-1{{$V.begin()}}
} }
Show All 26 Linesvoid move_assignment(std::vector<int> &V1, std::vector<int> &V2) {
clang_analyzer_eval(clang_analyzer_container_begin(V1) == B2); // expected-warning{{TRUE}} clang_analyzer_eval(clang_analyzer_container_begin(V1) == B2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
clang_analyzer_eval(clang_analyzer_container_end(V2) == E2); // expected-warning{{TRUE}} clang_analyzer_eval(clang_analyzer_container_end(V2) == E2); // expected-warning{{TRUE}}
// expected-note@-1{{TRUE}} // expected-note@-1{{TRUE}}
} }
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
/// ///
/// C O N T A I N E R C A P A C I T Y
///
////////////////////////////////////////////////////////////////////////////////
/// empty()
void empty(const std::vector<int> &V) {
for (auto n: V) {}
clang_analyzer_eval(clang_analyzer_container_begin(V) ==
clang_analyzer_container_end(V));
// expected-warning@-2{{TRUE}} expected-warning@-2{{FALSE}}
// expected-note@-3 {{TRUE}} expected-note@-3 {{FALSE}}
}
void non_empty1(const std::vector<int> &V) {
assert(!V.empty()); // expected-note{{'?' condition is true}}
for (auto n: V) {}
clang_analyzer_eval(clang_analyzer_container_begin(V) ==
clang_analyzer_container_end(V));
// expected-warning@-2{{FALSE}}
// expected-note@-3 {{FALSE}}
}
void non_empty2(const std::vector<int> &V) {
for (auto n: V) {}
assert(!V.empty()); // expected-note{{'?' condition is true}}
clang_analyzer_eval(clang_analyzer_container_begin(V) ==
clang_analyzer_container_end(V));
// expected-warning@-2{{FALSE}}
// expected-note@-3 {{FALSE}}
}
////////////////////////////////////////////////////////////////////////////////
///
/// C O N T A I N E R M O D I F I E R S /// C O N T A I N E R M O D I F I E R S
/// ///
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
/// push_back() /// push_back()
/// ///
/// Design decision: extends containers to the ->BACK-> (i.e. the /// Design decision: extends containers to the ->BACK-> (i.e. the
/// past-the-end position of the container is incremented). /// past-the-end position of the container is incremented).
▲ Show 20 LinesShow All 197 LinesShow Last 20 Lines

clang/test/Analysis/diagnostics/explicit-suppression.cpp

Show All 13 Linesclass C {
// The virtual function is to make C not trivially copy assignable so that we call the // The virtual function is to make C not trivially copy assignable so that we call the
// variant of std::copy() that does not defer to memmove(). // variant of std::copy() that does not defer to memmove().
virtual int f(); virtual int f();
}; };
void testCopyNull(C *I, C *E) { void testCopyNull(C *I, C *E) {
std::copy(I, E, (C *)0); std::copy(I, E, (C *)0);
#ifndef SUPPRESSED #ifndef SUPPRESSED
// expected-warning@../Inputs/system-header-simulator-cxx.h:709 {{Called C++ object pointer is null}} // expected-warning@../Inputs/system-header-simulator-cxx.h:717 {{Called C++ object pointer is null}}
#endif #endif
} }

clang/test/Analysis/smart-ptr-text-output.cpp

Show First 20 LinesShow All 74 Lines▼ Show 20 Linesvoid derefOnSwappedNullPtr() {
(*P).foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}} (*P).foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'P'}} // expected-note@-1{{Dereference of null smart pointer 'P'}}
} }
// FIXME: Fix this test when "std::swap" is modeled seperately. // FIXME: Fix this test when "std::swap" is modeled seperately.
void derefOnStdSwappedNullPtr() { void derefOnStdSwappedNullPtr() {
std::unique_ptr<A> P; // expected-note {{Default constructed smart pointer 'P' is null}} std::unique_ptr<A> P; // expected-note {{Default constructed smart pointer 'P' is null}}
std::unique_ptr<A> PNull; // expected-note {{Default constructed smart pointer 'PNull' is null}} std::unique_ptr<A> PNull; // expected-note {{Default constructed smart pointer 'PNull' is null}}
std::swap(P, PNull); // expected-note@Inputs/system-header-simulator-cxx.h:979 {{Swapped null smart pointer 'PNull' with smart pointer 'P'}} std::swap(P, PNull); // expected-note@Inputs/system-header-simulator-cxx.h:987 {{Swapped null smart pointer 'PNull' with smart pointer 'P'}}
// expected-note@-1 {{Calling 'swap<A>'}} // expected-note@-1 {{Calling 'swap<A>'}}
// expected-note@-2 {{Returning from 'swap<A>'}} // expected-note@-2 {{Returning from 'swap<A>'}}
P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}} P->foo(); // expected-warning {{Dereference of null smart pointer 'P' [alpha.cplusplus.SmartPtr]}}
// expected-note@-1{{Dereference of null smart pointer 'P'}} // expected-note@-1{{Dereference of null smart pointer 'P'}}
} }
struct StructWithSmartPtr { // expected-note {{Default constructed smart pointer 'S.P' is null}} struct StructWithSmartPtr { // expected-note {{Default constructed smart pointer 'S.P' is null}}
std::unique_ptr<A> P; std::unique_ptr<A> P;
▲ Show 20 LinesShow All 215 LinesShow Last 20 Lines