This is an archive of the discontinued LLVM Phabricator instance.

clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
456	Just out of curiosity: How do we handle containers that do not have a contiguous memory region? Balanced trees, bucketed hash-maps, etc.
482–483	How? I don't see how does it access the `size`.
492	What if we have both `RetSize` and `CalcSize`? Should we check their values for consistency? (And perhaps adding another sink node if we have inconsistency?)

Szelethus added inline comments.Mar 24 2020, 9:03 AM

clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
456	I suspect that this is referring to the memory address of the container object, not the storage of the elements.

Rebased.

Fixes.

baloghadamsoftware added inline comments.Sep 8 2020, 12:12 AM

clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
456	Yes. The region just serves to identify the container. It is not necessarily the region where the data is stored.
482–483	As explained between the parenthesis, the actual size of the container is the difference between its `begin()` and its `end()`. If we have this difference, then we know the actual size. The other value we may have is the return value of the `size()` function. We either have one of them, both or none. If we have one, then we adjust the other. If we have both, then we check for consistency, and generated a sink if they are inconsistent. If we have none, then we do nothing.
492	This is handled in the `if` branch: having `CalcSize` means that we know the difference between the `begin()` and the `end()`, thus inconsistency between `RetSize` and `CalcSize` is the same as inconstistency between `CalcEnd` and `EndSym`. The comment above explains that if there is such inconsistency, then `relateSymbols()` returns a null pointer which we assign to `State`. At the end of this functions we generate a sink whenever `State` is a null pointer.

This basically looks good to me.

clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
482–483	Ok, makes sense.
492	Ok. Perhpas we could move the relevant comment just right about the call of `relateSymbols()`.

This revision is now accepted and ready to land.Sep 8 2020, 6:22 AM

New test cases added.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

ContainerModeling.cpp

105 lines

Iterator.h

2 lines

Iterator.cpp

3 lines

test/

Analysis/

container-modeling.cpp

34 lines

Diff 290413

clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp

Show First 20 Lines • Show All 41 Lines • ▼ Show 20 Lines	class ContainerModeling
// - Iter (or Iter1 and Iter2): Iterator parameters		// - Iter (or Iter1 and Iter2): Iterator parameters

void handleBegin(CheckerContext &C, const Expr CE, const Expr ContE,		void handleBegin(CheckerContext &C, const Expr CE, const Expr ContE,
SVal Cont, SVal RetVal) const;		SVal Cont, SVal RetVal) const;
void handleEnd(CheckerContext &C, const Expr CE, const Expr ContE,		void handleEnd(CheckerContext &C, const Expr CE, const Expr ContE,
SVal Cont, SVal RetVal) const;		SVal Cont, SVal RetVal) const;
void handleEmpty(CheckerContext &C, const Expr CE, const Expr ContE,		void handleEmpty(CheckerContext &C, const Expr CE, const Expr ContE,
SVal Cont, SVal RetVal) const;		SVal Cont, SVal RetVal) const;
		void handleSize(CheckerContext &C, const Expr CE, const Expr ContE,
		SVal Cont, SVal RetVal) const;
void handleAssign(CheckerContext &C, const Expr CE, const Expr ContE,		void handleAssign(CheckerContext &C, const Expr CE, const Expr ContE,
SVal Cont, SVal RetVal) const;		SVal Cont, SVal RetVal) const;
void handleClear(CheckerContext &C, const Expr CE, const Expr ContE,		void handleClear(CheckerContext &C, const Expr CE, const Expr ContE,
SVal Cont, SVal RetVal) const;		SVal Cont, SVal RetVal) const;
void handlePushBack(CheckerContext &C, const Expr CE, const Expr ContE,		void handlePushBack(CheckerContext &C, const Expr CE, const Expr ContE,
SVal Cont, SVal RetVal) const;		SVal Cont, SVal RetVal) const;
void handlePopBack(CheckerContext &C, const Expr CE, const Expr ContE,		void handlePopBack(CheckerContext &C, const Expr CE, const Expr ContE,
SVal Cont, SVal RetVal) const;		SVal Cont, SVal RetVal) const;
Show All 39 Lines	CallDescriptionMap<ZeroItParamFn> ZeroIterParamFunctions = {
// Iterators		// Iterators
{{0, "cbegin", 0}, &ContainerModeling::handleBegin},		{{0, "cbegin", 0}, &ContainerModeling::handleBegin},
{{0, "cend", 0}, &ContainerModeling::handleEnd},		{{0, "cend", 0}, &ContainerModeling::handleEnd},
{{0, "begin", 0}, &ContainerModeling::handleBegin},		{{0, "begin", 0}, &ContainerModeling::handleBegin},
{{0, "end", 0}, &ContainerModeling::handleEnd},		{{0, "end", 0}, &ContainerModeling::handleEnd},

// Capacity		// Capacity
{{0, "empty", 0}, &ContainerModeling::handleEmpty},		{{0, "empty", 0}, &ContainerModeling::handleEmpty},
		{{0, "size", 0}, &ContainerModeling::handleSize},

// Modifiers		// Modifiers
{{0, "clear", 0}, &ContainerModeling::handleClear},		{{0, "clear", 0}, &ContainerModeling::handleClear},
{{0, "assign", 2}, &ContainerModeling::handleAssign},		{{0, "assign", 2}, &ContainerModeling::handleAssign},
{{0, "push_back", 1}, &ContainerModeling::handlePushBack},		{{0, "push_back", 1}, &ContainerModeling::handlePushBack},
{{0, "emplace_back", 1}, &ContainerModeling::handlePushBack},		{{0, "emplace_back", 1}, &ContainerModeling::handlePushBack},
{{0, "pop_back", 0}, &ContainerModeling::handlePopBack},		{{0, "pop_back", 0}, &ContainerModeling::handlePopBack},
{{0, "push_front", 1}, &ContainerModeling::handlePushFront},		{{0, "push_front", 1}, &ContainerModeling::handlePushFront},
▲ Show 20 Lines • Show All 52 Lines • ▼ Show 20 Lines	ProgramStateRef reassignAllIteratorPositionsUnless(ProgramStateRef State,
SymbolRef Offset,		SymbolRef Offset,
BinaryOperator::Opcode Opc);		BinaryOperator::Opcode Opc);
ProgramStateRef rebaseSymbolInIteratorPositionsIf(		ProgramStateRef rebaseSymbolInIteratorPositionsIf(
ProgramStateRef State, SValBuilder &SVB, SymbolRef OldSym,		ProgramStateRef State, SValBuilder &SVB, SymbolRef OldSym,
SymbolRef NewSym, SymbolRef CondSym, BinaryOperator::Opcode Opc);		SymbolRef NewSym, SymbolRef CondSym, BinaryOperator::Opcode Opc);
SymbolRef rebaseSymbol(ProgramStateRef State, SValBuilder &SVB, SymbolRef Expr,		SymbolRef rebaseSymbol(ProgramStateRef State, SValBuilder &SVB, SymbolRef Expr,
SymbolRef OldSym, SymbolRef NewSym);		SymbolRef OldSym, SymbolRef NewSym);
bool hasLiveIterators(ProgramStateRef State, const MemRegion *Cont);		bool hasLiveIterators(ProgramStateRef State, const MemRegion *Cont);
		const llvm::APSInt* calculateSize(ProgramStateRef State, SymbolRef Begin,
		SymbolRef End);

} // namespace		} // namespace

void ContainerModeling::checkPostCall(const CallEvent &Call,		void ContainerModeling::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {		CheckerContext &C) const {
const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());		const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!Func)		if (!Func)
return;		return;
▲ Show 20 Lines • Show All 260 Lines • ▼ Show 20 Lines	if (const auto DefRetVal = RetVal.getAs<DefinedSVal>()) {
if (StateEmpty)		if (StateEmpty)
C.addTransition(StateEmpty);		C.addTransition(StateEmpty);

if (StateNonEmpty)		if (StateNonEmpty)
C.addTransition(StateNonEmpty);		C.addTransition(StateNonEmpty);
}		}
}		}

		void ContainerModeling::handleSize(CheckerContext &C, const Expr *CE,
		const Expr *, SVal Cont, SVal RetVal) const {
		const auto *ContReg = Cont.getAsRegion();
		martongUnsubmitted Not Done Reply Inline Actions Just out of curiosity: How do we handle containers that do not have a contiguous memory region? Balanced trees, bucketed hash-maps, etc. martong: Just out of curiosity: How do we handle containers that do not have a contiguous memory region?
		SzelethusUnsubmitted Not Done Reply Inline Actions I suspect that this is referring to the memory address of the container object, not the storage of the elements. Szelethus: I suspect that this is referring to the memory address of the container object, not the storage…
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions Yes. The region just serves to identify the container. It is not necessarily the region where the data is stored. baloghadamsoftware: Yes. The region just serves to identify the container. It is not necessarily the region where…
		if (!ContReg)
		return;

		ContReg = ContReg->getMostDerivedObjectRegion();

		auto State = C.getState();

		State = createContainerBegin(State, ContReg, CE, C.getASTContext().LongTy,
		C.getLocationContext(), C.blockCount());
		auto BeginSym = getContainerBegin(State, ContReg);
		State = createContainerEnd(State, ContReg, CE, C.getASTContext().LongTy,
		C.getLocationContext(), C.blockCount());
		auto EndSym = getContainerEnd(State, ContReg);
		const llvm::APSInt *CalcSize = calculateSize(State, BeginSym, EndSym);

		auto &SVB = C.getSValBuilder();
		auto &BVF = State->getBasicVals();
		const llvm::APSInt *RetSize = nullptr;
		if (const auto *KnownSize = SVB.getKnownValue(State, RetVal)) {
		RetSize = &BVF.Convert(C.getASTContext().LongTy, *KnownSize);
		}

		if (RetSize) {
		// If the return value is a concrete integer, then try to adjust the size
		// of the container (the difference between its `begin()` and `end()` to
		// this size. Function `relateSymbols()` returns null if it contradits
		// the current size.
		martongUnsubmitted Not Done Reply Inline Actions How? I don't see how does it access the `size`. martong: How? I don't see how does it access the `size`.
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions As explained between the parenthesis, the actual size of the container is the difference between its `begin()` and its `end()`. If we have this difference, then we know the actual size. The other value we may have is the return value of the `size()` function. We either have one of them, both or none. If we have one, then we adjust the other. If we have both, then we check for consistency, and generated a sink if they are inconsistent. If we have none, then we do nothing. baloghadamsoftware: As explained between the parenthesis, the actual size of the container is the difference…
		martongUnsubmitted Not Done Reply Inline Actions Ok, makes sense. martong: Ok, makes sense.
		const auto CalcEnd =
		SVB.evalBinOp(State, BO_Add, nonloc::SymbolVal(BeginSym),
		nonloc::ConcreteInt(*RetSize), C.getASTContext().LongTy)
		.getAsSymbol();
		if (CalcEnd) {
		State = relateSymbols(State, EndSym, CalcEnd, true);
		}
		} else {
		if (CalcSize) {
		martongUnsubmitted Not Done Reply Inline Actions What if we have both `RetSize` and `CalcSize`? Should we check their values for consistency? (And perhaps adding another sink node if we have inconsistency?) martong: What if we have both `RetSize` and `CalcSize`? Should we check their values for consistency?
		baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions This is handled in the `if` branch: having `CalcSize` means that we know the difference between the `begin()` and the `end()`, thus inconsistency between `RetSize` and `CalcSize` is the same as inconstistency between `CalcEnd` and `EndSym`. The comment above explains that if there is such inconsistency, then `relateSymbols()` returns a null pointer which we assign to `State`. At the end of this functions we generate a sink whenever `State` is a null pointer. baloghadamsoftware: This is handled in the `if` branch: having `CalcSize` means that we know the difference between…
		martongUnsubmitted Not Done Reply Inline Actions Ok. Perhpas we could move the relevant comment just right about the call of `relateSymbols()`. martong: Ok. Perhpas we could move the relevant comment just right about the call of `relateSymbols()`.
		// If the current size is a concrete integer, bind this to the return
		// value of the function instead of the current one.
		auto CSize = nonloc::ConcreteInt(BVF.Convert(CE->getType(), *CalcSize));
		State = State->BindExpr(CE, C.getLocationContext(), CSize);
		} else {
		// If neither the returned nor the current size is a concrete integer,
		// replace the return value with the symbolic difference of the
		// container's `begin()` and `end()` symbols.
		auto Size = SVB.evalBinOp(State, BO_Sub, nonloc::SymbolVal(EndSym),
		nonloc::SymbolVal(BeginSym),
		C.getASTContext().LongTy);
		if (Size.isUnknown())
		return;

		auto CastedSize = SVB.evalCast(Size, CE->getType(),
		C.getASTContext().LongTy);
		State = State->BindExpr(CE, C.getLocationContext(), CastedSize);
		}
		}

		if (State) {
		C.addTransition(State);
		} else {
		C.generateSink(State, C.getPredecessor());
		}
		}

void ContainerModeling::handleAssign(CheckerContext &C, const Expr *CE,		void ContainerModeling::handleAssign(CheckerContext &C, const Expr *CE,
const Expr *, SVal Cont,		const Expr *, SVal Cont,
SVal RetVal) const {		SVal RetVal) const {
const auto *ContReg = Cont.getAsRegion();		const auto *ContReg = Cont.getAsRegion();
if (!ContReg)		if (!ContReg)
return;		return;

ContReg = ContReg->getMostDerivedObjectRegion();		ContReg = ContReg->getMostDerivedObjectRegion();
▲ Show 20 Lines • Show All 667 Lines • ▼ Show 20 Lines	bool hasLiveIterators(ProgramStateRef State, const MemRegion *Cont) {
for (const auto &Sym : SymbolMap) {		for (const auto &Sym : SymbolMap) {
if (Sym.second.getContainer() == Cont)		if (Sym.second.getContainer() == Cont)
return true;		return true;
}		}

return false;		return false;
}		}

		const llvm::APSInt* calculateSize(ProgramStateRef State, SymbolRef Begin,
		SymbolRef End) {
		if (!Begin \|\| !End)
		return nullptr;

		auto &SVB = State->getStateManager().getSValBuilder();
		auto &SymMgr = State->getSymbolManager();
		auto Size = SVB.evalBinOp(State, BO_Sub, nonloc::SymbolVal(End),
		nonloc::SymbolVal(Begin),
		SymMgr.getType(End)).getAsSymbol();
		if (!Size)
		return nullptr;

		llvm::APSInt Diff = llvm::APSInt::get(0);
		if (const auto *SizeExpr = dyn_cast<SymIntExpr>(Size)) {
		assert(BinaryOperator::isAdditiveOp(SizeExpr->getOpcode()) &&
		"Symbolic positions must be additive expressions");
		if (SizeExpr->getOpcode() == BO_Add) {
		Diff = SizeExpr->getRHS();
		} else {
		Diff = -SizeExpr->getRHS();
		}
		Size = SizeExpr->getLHS();
		}

		auto &CM = State->getConstraintManager();
		if (const auto *SizeInt = CM.getSymVal(State, Size)) {
		auto &BVF = SymMgr.getBasicVals();
		return &BVF.getValue(Diff + *SizeInt);
		}

		return nullptr;
		}

} // namespace		} // namespace

void ento::registerContainerModeling(CheckerManager &mgr) {		void ento::registerContainerModeling(CheckerManager &mgr) {
mgr.registerChecker<ContainerModeling>();		mgr.registerChecker<ContainerModeling>();
}		}

bool ento::shouldRegisterContainerModeling(const CheckerManager &mgr) {		bool ento::shouldRegisterContainerModeling(const CheckerManager &mgr) {
if (!mgr.getLangOpts().CPlusPlus)		if (!mgr.getLangOpts().CPlusPlus)
Show All 11 Lines

clang/lib/StaticAnalyzer/Checkers/Iterator.h

	Show First 20 Lines • Show All 181 Lines • ▼ Show 20 Lines

	// Returns states with comparison results assumed to `true` and `false`. If			// Returns states with comparison results assumed to `true` and `false`. If
	// only one of them is possible then the second value of the pair is `nullptr`.			// only one of them is possible then the second value of the pair is `nullptr`.
	// If none is possible then both values are `nullptr`.			// If none is possible then both values are `nullptr`.
	std::pair<ProgramStateRef, ProgramStateRef>			std::pair<ProgramStateRef, ProgramStateRef>
	assumeComparison(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,			assumeComparison(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
	DefinedSVal RetVal, OverloadedOperatorKind Op);			DefinedSVal RetVal, OverloadedOperatorKind Op);

				ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
				SymbolRef Sym2, bool Equal);
	bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,			bool compare(ProgramStateRef State, SymbolRef Sym1, SymbolRef Sym2,
	BinaryOperator::Opcode Opc);			BinaryOperator::Opcode Opc);
	bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2,			bool compare(ProgramStateRef State, NonLoc NL1, NonLoc NL2,
	BinaryOperator::Opcode Opc);			BinaryOperator::Opcode Opc);

	// Returns the value of the iterator argument if it non-class value (a pointer			// Returns the value of the iterator argument if it non-class value (a pointer
	// or a reference). Otherwise it returns the iterator parameter location (see			// or a reference). Otherwise it returns the iterator parameter location (see
	// CallEvent::getParameterLocation()).			// CallEvent::getParameterLocation()).
	Show All 13 Lines

clang/lib/StaticAnalyzer/Checkers/Iterator.cpp

	Show All 12 Lines
	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

	#include "Iterator.h"			#include "Iterator.h"

	namespace clang {			namespace clang {
	namespace ento {			namespace ento {
	namespace iterator {			namespace iterator {

	ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
	SymbolRef Sym2, bool Equal);

	bool isIteratorType(const QualType &Type) {			bool isIteratorType(const QualType &Type) {
	if (Type->isPointerType())			if (Type->isPointerType())
	return true;			return true;

	const auto *CRD = Type->getUnqualifiedDesugaredType()->getAsCXXRecordDecl();			const auto *CRD = Type->getUnqualifiedDesugaredType()->getAsCXXRecordDecl();
	return isIterator(CRD);			return isIterator(CRD);
	}			}

	▲ Show 20 Lines • Show All 378 Lines • Show Last 20 Lines

clang/test/Analysis/container-modeling.cpp

Show First 20 Lines • Show All 90 Lines • ▼ Show 20 Lines	void non_empty2(const std::vector<int> &V) {
for (auto n: V) {}		for (auto n: V) {}
assert(!V.empty()); // expected-note{{'?' condition is true}}		assert(!V.empty()); // expected-note{{'?' condition is true}}
clang_analyzer_eval(clang_analyzer_container_begin(V) ==		clang_analyzer_eval(clang_analyzer_container_begin(V) ==
clang_analyzer_container_end(V));		clang_analyzer_container_end(V));
// expected-warning@-2{{FALSE}}		// expected-warning@-2{{FALSE}}
// expected-note@-3 {{FALSE}}		// expected-note@-3 {{FALSE}}
}		}

		// size()

		void size0(const std::vector<int>& V) {
		assert(V.size() == 0); // expected-note{{'?' condition is true}}
		// expected-note@-1{{Assuming the condition is true}}

		clang_analyzer_eval(clang_analyzer_container_end(V) ==
		clang_analyzer_container_begin(V));
		// expected-warning@-2{{TRUE}}
		// expected-note@-3 {{TRUE}}
		}

		void size1(const std::vector<int>& V) {
		assert(V.size() == 1); // expected-note{{'?' condition is true}}
		// expected-note@-1{{Assuming the condition is true}}

		clang_analyzer_eval(clang_analyzer_container_end(V) ==
		clang_analyzer_container_begin(V) + 1);
		// expected-warning@-2{{TRUE}}
		// expected-note@-3 {{TRUE}}
		}

		void size12(std::vector<int>& V) {
		assert(V.size() == 1); // expected-note{{'?' condition is true}}
		// expected-note@-1{{Assuming the condition is true}}

		V.push_back(1);

		clang_analyzer_eval(clang_analyzer_container_end(V) ==
		clang_analyzer_container_begin(V) + 2);
		// expected-warning@-2{{TRUE}}
		// expected-note@-3 {{TRUE}}
		}

////////////////////////////////////////////////////////////////////////////////		////////////////////////////////////////////////////////////////////////////////
///		///
/// C O N T A I N E R M O D I F I E R S		/// C O N T A I N E R M O D I F I E R S
///		///
////////////////////////////////////////////////////////////////////////////////		////////////////////////////////////////////////////////////////////////////////

/// push_back()		/// push_back()
///		///
▲ Show 20 Lines • Show All 199 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[Analyzer] Model `size()` member function of containersAcceptedPublic

Details

Diff Detail