This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
ExplodedGraph.cpp
-
test/Analysis/
-
Analysis/
1/2
CheckThatArraySubsciptNodeIsNotCollected.cpp

Differential D78638

[analyzer] Consider array subscripts to be interesting lvalues
ClosedPublic

Authored by vsavchenko on Apr 22 2020, 7:30 AM.

Download Raw Diff

Details

Reviewers

NoQ
dcoughlin
Szelethus

Commits

rGb443f42ec606: [analyzer] Consider array subscripts to be interesting lvalues.
rGa88025672f89: [analyzer] Consider array subscripts to be interesting lvalues.

Summary

Static analyzer has a mechanism of clearing redundant nodes when
analysis hits a certain threshold with a number of nodes in exploded
graph (default is 1000). It is similar to GC and aims removing nodes
not useful for analysis. Unfortunately nodes corresponding to array
subscript expressions (that actively participate in data propagation)
get removed during the cleanup. This might prevent the analyzer from
generating useful notes about where it thinks the data came from.

This fix is pretty much consistent with the way analysis works
already. Lvalue "interestingness" stands for the analyzer's
possibility of tracking values through them.

rdar://problem/53280338

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

vsavchenko created this revision.Apr 22 2020, 7:30 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 22 2020, 7:30 AM

Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 9 others. · View Herald Transcript

Harbormaster failed remote builds in B54244: Diff 259283!Apr 22 2020, 8:38 AM

martong added inline comments.Apr 22 2020, 9:17 AM

clang/test/Analysis/PR53280338.cpp
1 ↗	(On Diff #259283)	AFAIK rdar is not accessible outside Apple. So, for the rest of the open source developers any rdar info is totally useless. Thus, could you please copy the relevant parts of the bug description from there into the test file? Would be even better if we could just mention the rdar link in the test file and the filename itself was better explaining the nature of the bug.

vsavchenko marked an inline comment as done.Apr 22 2020, 10:58 AM

vsavchenko added inline comments.

clang/test/Analysis/PR53280338.cpp
1 ↗	(On Diff #259283)	It is a fair point, I'll make it more clear what exactly we are testing here.

Add more clarity on what we test

vsavchenko marked an inline comment as done.Apr 22 2020, 11:15 AM

Harbormaster failed remote builds in B54278: Diff 259341!Apr 22 2020, 11:58 AM

How come rGe20b388e2f923bfc98f63a13fea9fc19aeaec425 doesn't solve this? Or, rather, how come it even worked if this patch is needed? Is the index being a global variable the issue? The change looks great, but I'm a bit confused.

In D78638#1997576, @Szelethus wrote:

How come rGe20b388e2f923bfc98f63a13fea9fc19aeaec425 doesn't solve this? Or, rather, how come it even worked if this patch is needed? Is the index being a global variable the issue? The change looks great, but I'm a bit confused.

Hey, thanks! So, I've tried to cover it in the comment and in the commit message.

In this test, both do while and the global index help to reproduce the erroneous behaviour. Usually, the analyzer tracks through array subscript expressions and it adds notes like expected in the test ("Assuming pointer value is null"). But in the test snippet, it was not adding those. The main reason is not in trackExpressionValue, it works fine! trackExpressionValue starts with finding an exploded node, where the lvalue is defined, and such node was not found. A little bit of digging later I found out that the node collector (aka garbage collector) threw those nodes away (check ExplodedGraph::shouldCollect and ExplodedGraph::reclaimRecentlyAllocatedNodes)! Because of the do while loop and the global index, the number of exploded nodes is pretty large. This fact causes GC to kick in and remove the nodes that we need for trackExpressionValue to work. Interesting nodes are on the other hand not deleted and this what helped with the problem.

I hope this clears it a bit!

Everything's clear! Nice detective work!

This revision is now accepted and ready to land.Apr 22 2020, 1:22 PM

Yup. Yet another epic bug!

clang/test/Analysis/CheckThatArraySubsciptNodeIsNotCollected.cpp
19–20	I'm still curious why `index` being global actually matters here. Like, how does it increase the number of nodes in the graph?

vsavchenko marked an inline comment as done.Apr 23 2020, 7:02 AM

vsavchenko added inline comments.

clang/test/Analysis/CheckThatArraySubsciptNodeIsNotCollected.cpp
19–20	It does not simply increase the number of nodes, it increases it by thousands!

Closed by commit rGa88025672f89: [analyzer] Consider array subscripts to be interesting lvalues. (authored by vsavchenko, committed by dergachev.a). · Explain WhyApr 23 2020, 10:17 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

ExplodedGraph.cpp

5 lines

test/

Analysis/

CheckThatArraySubsciptNodeIsNotCollected.cpp

40 lines

Diff 259623

clang/lib/StaticAnalyzer/Core/ExplodedGraph.cpp

	Show First 20 Lines • Show All 44 Lines • ▼ Show 20 Lines

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	// Node reclamation.			// Node reclamation.
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	bool ExplodedGraph::isInterestingLValueExpr(const Expr *Ex) {			bool ExplodedGraph::isInterestingLValueExpr(const Expr *Ex) {
	if (!Ex->isLValue())			if (!Ex->isLValue())
	return false;			return false;
	return isa<DeclRefExpr>(Ex) \|\|			return isa<DeclRefExpr>(Ex) \|\| isa<MemberExpr>(Ex) \|\|
	isa<MemberExpr>(Ex) \|\|			isa<ObjCIvarRefExpr>(Ex) \|\| isa<ArraySubscriptExpr>(Ex);
	isa<ObjCIvarRefExpr>(Ex);
	}			}

	bool ExplodedGraph::shouldCollect(const ExplodedNode *node) {			bool ExplodedGraph::shouldCollect(const ExplodedNode *node) {
	// First, we only consider nodes for reclamation of the following			// First, we only consider nodes for reclamation of the following
	// conditions apply:			// conditions apply:
	//			//
	// (1) 1 predecessor (that has one successor)			// (1) 1 predecessor (that has one successor)
	// (2) 1 successor (that has one predecessor)			// (2) 1 successor (that has one predecessor)
	▲ Show 20 Lines • Show All 479 Lines • Show Last 20 Lines

clang/test/Analysis/CheckThatArraySubsciptNodeIsNotCollected.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=core -analyzer-output=text -verify %s

				class A {
				public:
				int method();
				};

				A *foo();
				void bar(A *);

				int index;

				// We want to check here that the notes about the origins of the null pointer
				// (array[index] = foo()) will get to the final report.
				//
				// The analyzer used to drop exploded nodes for array subscripts when it was
				// time to collect redundant nodes. This GC-like mechanism kicks in only when
				// the exploded graph is large enough (>1K nodes). For this reason, 'index'
				// is a global variable, and the sink point is inside of a loop.

				NoQUnsubmitted Not Done Reply Inline Actions I'm still curious why `index` being global actually matters here. Like, how does it increase the number of nodes in the graph? NoQ: I'm still curious why `index` being global actually matters here. Like, how does it increase…
				vsavchenkoAuthorUnsubmitted Done Reply Inline Actions It does not simply increase the number of nodes, it increases it by thousands! vsavchenko: It does not simply increase the number of nodes, it increases it by thousands!
				void test() {
				A *array[42];
				A *found;

				for (index = 0; (array[index] = foo()); ++index) { // expected-note {{Loop condition is false. Execution continues on line 34}}
				// expected-note@-1 {{Value assigned to 'index'}}
				// expected-note@-2 {{Assigning value}}
				// expected-note@-3 {{Assuming pointer value is null}}
				if (array[0])
				break;
				}

				do {
				found = array[index]; // expected-note {{Null pointer value stored to 'found'}}

				if (found->method()) // expected-warning {{Called C++ object pointer is null [core.CallAndMessage]}}
				// expected-note@-1 {{Called C++ object pointer is null}}
				bar(found);
				} while (--index);
				}