This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
1/1
CallEvent.cpp
-
test/Analysis/
-
Analysis/
1/1
explain-svals.cpp
1/3
temporaries.cpp
-
unittests/StaticAnalyzer/
-
StaticAnalyzer/
2/3
ParamRegionTest.cpp

Differential D80286

[Analyzer] Allow creation of stack frame for functions without definition
ClosedPublic

Authored by baloghadamsoftware on May 20 2020, 3:28 AM.

Download Raw Diff

Details

Reviewers

NoQ
Szelethus
martong

Commits

rG5419a3121522: [Analyzer] Allow creation of stack frame for functions without definition

Summary

Retrieving the parameter location of functions was disabled because it may causes crashes due to the fact that functions may have multiple declarations and without definition it is difficult to ensure that always the same declration is used. Now parameters are stored in ParamRegions which are independent of the declaration of the function, therefore the same parameters always have the same regions, independently of the function declaration used actually. This allows us to remove the limitation described above.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

baloghadamsoftware created this revision.May 20 2020, 3:28 AM

Herald added subscribers: ASDenysPetrov, martong, steakhal and 10 others. · View Herald TranscriptMay 20 2020, 3:28 AM

baloghadamsoftware added a parent revision: D79704: [Analyzer] [NFC] Parameter Regions.May 20 2020, 3:29 AM

I tested this on several open-source projects: BitCoin, CURL, OpenSLL, PostGreS, TMux, Xerces and even on LLVM itself with most of the projects enabled. No new crash and no change in findings. So it seems to be stable.

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
179	We introduced `ParamRegion`s to overcome this, but please provide me the tests that crash when deleting these lines without `ParamRegions` you mentioned D49443#1193290.
clang/test/Analysis/temporaries.cpp
893	I wonder whether `clang_analyzer_checkInlined()` works correctly with this patch: it seems it only checks for stack frame which now any function with definition can have.

Harbormaster failed remote builds in B57359: Diff 265196!May 20 2020, 4:18 AM

Retrieving the parameter location of functions was disabled because it may causes crashes due to the fact that functions may have multiple declarations and without definition it is difficult to ensure that always the same declration is used. Now parameters are stored in ParamRegions which are independent of the declaration of the function, therefore the same parameters always have the same regions, independently of the function declaration used actually. This allows us to remove the limitation described above.

I am not sure if this "summary" for the patch is aligned with its title. I think the title says it all, I'd just skip this summary, it is way too blurry for me.
Because:

it may causes crashes

We still need the test cases for that, and I am not sure if we will ever get one.

without definition it is difficult to ensure that always the same declration is used.

That is not difficult in other parts of the compiler infrastructure (e.g in ASTImporter), this statement is just a vague allusion to one or several hypothetical bugs in the analyzer.

the same parameters always have the same regions, independently of the function declaration used actually.

You mentioned personally to me already, but don't forget to add test cases for that.

clang/test/Analysis/temporaries.cpp
893	So, why not try that in a test with a function that does not have a definition?

martong added a reviewer: martong.May 20 2020, 5:45 AM

Added unittest for checking the sameness for the regions of same params with different redeclarations.

martong added inline comments.May 20 2020, 8:01 AM

clang/unittests/StaticAnalyzer/ParamRegionTest.cpp
22	I am concerned about the redeclaration chain of ParmVarDecls. In the following example: void foo(int a); void foo(int a); we have the prev decl set only for the FunctionDecls and not for the ParmVarDecl (please double check). So in the test we should go through the redecls() of the FunctionDecl of the ParmVarDecl. And we should get a PVD from each redeclaration by the index.
84	I think a raw string literal with clang-formatted code in it would make the test more valuable.

This looks straightforward, thanks!

clang/test/Analysis/explain-svals.cpp
101	Wonderful! I think "parameter 1" would make a bit more sense. Or, even better, "1st parameter" like in regular warnings. (this probably needs to be fixed in an older patch)
clang/test/Analysis/temporaries.cpp
893	it seems it only checks for stack frame which now any function with definition can have Before that, it checks that `clang_analyzer_checkInlined()` was evaluated during analysis. You can't evaluate this line if you didn't analyze `~C()` either as top-level function or through inlining.
clang/unittests/StaticAnalyzer/ParamRegionTest.cpp
84	I also think it's going to be valuable to test what's going to happen if the forward-declaration is after the definition; that's where we were previously confused.

This revision is now accepted and ready to land.May 22 2020, 4:50 AM

SVal explanation changed to Xth parameter format. Unit test changed: there is redeclaration after the definition now, all test code in raw string.

baloghadamsoftware marked 3 inline comments as done.May 25 2020, 9:21 AM

baloghadamsoftware edited parent revisions, added: D80522: [Analyzer] [NFC] Parameter Regions; removed: D79704: [Analyzer] [NFC] Parameter Regions.Jun 8 2020, 8:24 AM

Closed by commit rG5419a3121522: [Analyzer] Allow creation of stack frame for functions without definition (authored by baloghadamsoftware). · Explain WhyJun 9 2020, 3:16 AM

This revision was automatically updated to reflect the committed changes.

Unfortunately, after this change there are several variables only used in asserts, which creates build failures when assertions are disabled.

I will be submitting https://reviews.llvm.org/D81522 shortly to fix.

In D80286#2083753, @saugustine wrote:

Unfortunately, after this change there are several variables only used in asserts, which creates build failures when assertions are disabled.

I will be submitting https://reviews.llvm.org/D81522 shortly to fix.

What is the point of building unit tests with assertions disabled? To me this looks like a CMake configuration problem. Unit tests should always be built with assertions enabled since they are based on assertions. They are just tests, they do not decrease the performance of the production code.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

CallEvent.cpp

14 lines

test/

Analysis/

explain-svals.cpp

2 lines

temporaries.cpp

14 lines

unittests/

StaticAnalyzer/

ParamRegionTest.cpp

22 lines

Diff 269478

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 Lines • Show All 166 Lines • ▼ Show 20 Lines	bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
return CheckerContext::isCLibraryFunction(FD, FunctionName);		return CheckerContext::isCLibraryFunction(FD, FunctionName);
}		}

AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const {		AnalysisDeclContext *CallEvent::getCalleeAnalysisDeclContext() const {
const Decl *D = getDecl();		const Decl *D = getDecl();
if (!D)		if (!D)
return nullptr;		return nullptr;

// TODO: For now we skip functions without definitions, even if we have
// our own getDecl(), because it's hard to find out which re-declaration
// is going to be used, and usually clients don't really care about this
// situation because there's a loss of precision anyway because we cannot
// inline the call.
baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions We introduced `ParamRegion`s to overcome this, but please provide me the tests that crash when deleting these lines without `ParamRegions` you mentioned D49443#1193290. baloghadamsoftware: We introduced `ParamRegion`s to overcome this, but please provide me the tests that crash when…
RuntimeDefinition RD = getRuntimeDefinition();
if (!RD.getDecl())
return nullptr;

AnalysisDeclContext *ADC =		AnalysisDeclContext *ADC =
LCtx->getAnalysisDeclContext()->getManager()->getContext(D);		LCtx->getAnalysisDeclContext()->getManager()->getContext(D);

// TODO: For now we skip virtual functions, because this also rises
// the problem of which decl to use, but now it's across different classes.
if (RD.mayHaveOtherDefinitions() \|\| RD.getDecl() != ADC->getDecl())
return nullptr;

return ADC;		return ADC;
}		}

const StackFrameContext *		const StackFrameContext *
CallEvent::getCalleeStackFrame(unsigned BlockCount) const {		CallEvent::getCalleeStackFrame(unsigned BlockCount) const {
AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();		AnalysisDeclContext *ADC = getCalleeAnalysisDeclContext();
if (!ADC)		if (!ADC)
return nullptr;		return nullptr;
▲ Show 20 Lines • Show All 1,271 Lines • Show Last 20 Lines

clang/test/Analysis/explain-svals.cpp

Show First 20 Lines • Show All 92 Lines • ▼ Show 20 Lines	void test_5(int i) {
clang_analyzer_explain(this); // expected-warning-re{{{{^pointer to 'this' object$}}}}		clang_analyzer_explain(this); // expected-warning-re{{{{^pointer to 'this' object$}}}}
clang_analyzer_explain(&x[i]); // expected-warning-re{{{{^pointer to element of type 'int' with index 'argument 'i'' of field 'x' of 'this' object$}}}}		clang_analyzer_explain(&x[i]); // expected-warning-re{{{{^pointer to element of type 'int' with index 'argument 'i'' of field 'x' of 'this' object$}}}}
clang_analyzer_explain(__builtin_alloca(i)); // expected-warning-re{{{{^pointer to region allocated by '__builtin_alloca$i$'$}}}}		clang_analyzer_explain(__builtin_alloca(i)); // expected-warning-re{{{{^pointer to region allocated by '__builtin_alloca$i$'$}}}}
}		}
};		};
} // end of anonymous namespace		} // end of anonymous namespace

void test_6() {		void test_6() {
clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of temporary object constructed at statement 'conjure_S'$}}}}		clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of 1st parameter of function 'clang_analyzer_explain'$}}}}
		NoQUnsubmitted Done Reply Inline Actions Wonderful! I think "parameter 1" would make a bit more sense. Or, even better, "1st parameter" like in regular warnings. (this probably needs to be fixed in an older patch) NoQ: Wonderful! I think "parameter 1" would make a bit more sense. Or, even better, "1st parameter"…
clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from $symbol of type 'int' conjured at statement 'conjure_S\($'\) for field 'z' of temporary object constructed at statement 'conjure_S'$}}}}		clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from $symbol of type 'int' conjured at statement 'conjure_S\($'\) for field 'z' of temporary object constructed at statement 'conjure_S'$}}}}
}		}

class C_top_level {		class C_top_level {
public:		public:
C_top_level(int param) {		C_top_level(int param) {
clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}		clang_analyzer_explain(&param); // expected-warning-re{{{{^pointer to parameter 'param'$}}}}
}		}
Show All 21 Lines

clang/test/Analysis/temporaries.cpp

	Show First 20 Lines • Show All 884 Lines • ▼ Show 20 Lines

	namespace dont_forget_destructor_around_logical_op {			namespace dont_forget_destructor_around_logical_op {
	int glob;			int glob;

	class C {			class C {
	public:			public:
	~C() {			~C() {
	glob = 1;			glob = 1;
	// FIXME: Why is destructor not inlined in C++17
	clang_analyzer_checkInlined(true);			clang_analyzer_checkInlined(true);
				baloghadamsoftwareAuthorUnsubmitted Done Reply Inline Actions I wonder whether `clang_analyzer_checkInlined()` works correctly with this patch: it seems it only checks for stack frame which now any function with definition can have. baloghadamsoftware: I wonder whether `clang_analyzer_checkInlined()` works correctly with this patch: it seems it…
				martongUnsubmitted Not Done Reply Inline Actions So, why not try that in a test with a function that does not have a definition? martong: So, why not try that in a test with a function that does not have a definition?
				NoQUnsubmitted Not Done Reply Inline Actions it seems it only checks for stack frame which now any function with definition can have Before that, it checks that `clang_analyzer_checkInlined()` was evaluated during analysis. You can't evaluate this line if you didn't analyze `~C()` either as top-level function or through inlining. NoQ: > it seems it only checks for stack frame which now any function with definition can have…
	#ifdef TEMPORARY_DTORS			#ifdef TEMPORARY_DTORS
	#if __cplusplus < 201703L			// expected-warning@-2{{TRUE}}
	// expected-warning@-3{{TRUE}}
	#endif
	#endif			#endif
	}			}
	};			};

	C get();			C get();

	bool is(C);			bool is(C);


	void test(int coin) {			void test(int coin) {
	// Here temporaries are being cleaned up after && is evaluated. There are two			// Here temporaries are being cleaned up after && is evaluated. There are two
	// temporaries: the return value of get() and the elidable copy constructor			// temporaries: the return value of get() and the elidable copy constructor
	// of that return value into is(). According to the CFG, we need to cleanup			// of that return value into is(). According to the CFG, we need to cleanup
	// both of them depending on whether the temporary corresponding to the			// both of them depending on whether the temporary corresponding to the
	// return value of get() was initialized. However, we didn't track			// return value of get() was initialized. However, we didn't track
	// temporaries returned from functions, so we took the wrong branch.			// temporaries returned from functions, so we took the wrong branch.
	coin && is(get()); // no-crash			coin && is(get()); // no-crash
	if (coin) {			if (coin) {
	// FIXME: Why is destructor not inlined in C++17
	clang_analyzer_eval(glob);			clang_analyzer_eval(glob);
	#ifdef TEMPORARY_DTORS			#ifdef TEMPORARY_DTORS
	#if __cplusplus < 201703L			// expected-warning@-2{{TRUE}}
	// expected-warning@-3{{TRUE}}
	#else
	// expected-warning@-5{{UNKNOWN}}
	#endif
	#else			#else
	// expected-warning@-8{{UNKNOWN}}			// expected-warning@-4{{UNKNOWN}}
	#endif			#endif
	} else {			} else {
	// The destructor is not called on this branch.			// The destructor is not called on this branch.
	clang_analyzer_eval(glob); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(glob); // expected-warning{{UNKNOWN}}
	}			}
	}			}
	} // namespace dont_forget_destructor_around_logical_op			} // namespace dont_forget_destructor_around_logical_op

	▲ Show 20 Lines • Show All 315 Lines • Show Last 20 Lines

clang/unittests/StaticAnalyzer/ParamRegionTest.cpp

	Show All 10 Lines
	#include "clang/Tooling/Tooling.h"			#include "clang/Tooling/Tooling.h"
	#include "gtest/gtest.h"			#include "gtest/gtest.h"

	namespace clang {			namespace clang {
	namespace ento {			namespace ento {
	namespace {			namespace {

	class ParamRegionTestConsumer : public ExprEngineConsumer {			class ParamRegionTestConsumer : public ExprEngineConsumer {
				void checkForSameParamRegions(MemRegionManager &MRMgr,
				const StackFrameContext *SFC,
				const ParmVarDecl *PVD) {
				for (const auto *D2: PVD->redecls()) {
				martongUnsubmitted Not Done Reply Inline Actions I am concerned about the redeclaration chain of ParmVarDecls. In the following example: void foo(int a); void foo(int a); we have the prev decl set only for the FunctionDecls and not for the ParmVarDecl (please double check). So in the test we should go through the redecls() of the FunctionDecl of the ParmVarDecl. And we should get a PVD from each redeclaration by the index. martong: I am concerned about the redeclaration chain of ParmVarDecls. In the following example: ```…
				const auto *PVD2 = cast<ParmVarDecl>(D2);
				assert(MRMgr.getVarRegion(PVD, SFC) == MRMgr.getVarRegion(PVD2, SFC));
				}
				}

	void performTest(const Decl *D) {			void performTest(const Decl *D) {
	StoreManager &StMgr = Eng.getStoreManager();			StoreManager &StMgr = Eng.getStoreManager();
	MemRegionManager &MRMgr = StMgr.getRegionManager();			MemRegionManager &MRMgr = StMgr.getRegionManager();
	const StackFrameContext *SFC =			const StackFrameContext *SFC =
	Eng.getAnalysisDeclContextManager().getStackFrame(D);			Eng.getAnalysisDeclContextManager().getStackFrame(D);

	if (const auto *FD = dyn_cast<FunctionDecl>(D)) {			if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
	for (const auto *P : FD->parameters()) {			for (const auto *P : FD->parameters()) {
	const TypedValueRegion *Reg = MRMgr.getVarRegion(P, SFC);			const TypedValueRegion *Reg = MRMgr.getVarRegion(P, SFC);
	if (SFC->inTopFrame())			if (SFC->inTopFrame())
	assert(isa<NonParamVarRegion>(Reg));			assert(isa<NonParamVarRegion>(Reg));
	else			else
	assert(isa<ParamVarRegion>(Reg));			assert(isa<ParamVarRegion>(Reg));
				checkForSameParamRegions(MRMgr, SFC, P);
	}			}
	} else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D)) {			} else if (const auto *CD = dyn_cast<CXXConstructorDecl>(D)) {
	for (const auto *P : CD->parameters()) {			for (const auto *P : CD->parameters()) {
	const TypedValueRegion *Reg = MRMgr.getVarRegion(P, SFC);			const TypedValueRegion *Reg = MRMgr.getVarRegion(P, SFC);
	if (SFC->inTopFrame())			if (SFC->inTopFrame())
	assert(isa<NonParamVarRegion>(Reg));			assert(isa<NonParamVarRegion>(Reg));
	else			else
	assert(isa<ParamVarRegion>(Reg));			assert(isa<ParamVarRegion>(Reg));
				checkForSameParamRegions(MRMgr, SFC, P);
	}			}
	} else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) {			} else if (const auto *MD = dyn_cast<ObjCMethodDecl>(D)) {
	for (const auto *P : MD->parameters()) {			for (const auto *P : MD->parameters()) {
	const TypedValueRegion *Reg = MRMgr.getVarRegion(P, SFC);			const TypedValueRegion *Reg = MRMgr.getVarRegion(P, SFC);
	if (SFC->inTopFrame())			if (SFC->inTopFrame())
	assert(isa<NonParamVarRegion>(Reg));			assert(isa<NonParamVarRegion>(Reg));
	else			else
	assert(isa<ParamVarRegion>(Reg));			assert(isa<ParamVarRegion>(Reg));
				checkForSameParamRegions(MRMgr, SFC, P);
	}			}
	}			}
	}			}

	public:			public:
	ParamRegionTestConsumer(CompilerInstance &C) : ExprEngineConsumer(C) {}			ParamRegionTestConsumer(CompilerInstance &C) : ExprEngineConsumer(C) {}

	bool HandleTopLevelDecl(DeclGroupRef DG) override {			bool HandleTopLevelDecl(DeclGroupRef DG) override {
	for (const auto *D : DG) {			for (const auto *D : DG) {
	performTest(D);			performTest(D);
	}			}
	return true;			return true;
	}			}
	};			};

	class ParamRegionTestAction : public ASTFrontendAction {			class ParamRegionTestAction : public ASTFrontendAction {
	public:			public:
	std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &Compiler,			std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &Compiler,
	StringRef File) override {			StringRef File) override {
	return std::make_unique<ParamRegionTestConsumer>(Compiler);			return std::make_unique<ParamRegionTestConsumer>(Compiler);
	}			}
	};			};

	TEST(ParamRegion, ParamRegionTest) {			TEST(ParamRegion, ParamRegionTest) {
	EXPECT_TRUE(			EXPECT_TRUE(
				martongUnsubmitted Done Reply Inline Actions I think a raw string literal with clang-formatted code in it would make the test more valuable. martong: I think a raw string literal with clang-formatted code in it would make the test more valuable.
				NoQUnsubmitted Done Reply Inline Actions I also think it's going to be valuable to test what's going to happen if the forward-declaration is after the definition; that's where we were previously confused. NoQ: I also think it's going to be valuable to test what's going to happen if the forward…
	tooling::runToolOnCode(std::make_unique<ParamRegionTestAction>(),			tooling::runToolOnCode(std::make_unique<ParamRegionTestAction>(),
	R"(void foo(int n) {			R"(void foo(int n);
				void baz(int p);

				void foo(int n) {
	auto lambda = [n](int m) {			auto lambda = [n](int m) {
	return n + m;			return n + m;
	};			};

	int k = lambda(2);			int k = lambda(2);
	}			}

	void bar(int l) {			void bar(int l) {
	foo(l);			foo(l);
	}			}

	struct S {			struct S {
	int n;			int n;
	S(int nn): n(nn) {}			S(int nn): n(nn) {}
	};			};

	void baz(int p) {			void baz(int p) {
	S s(p);			S s(p);
	})"));			}

				void bar(int l);
				void baz(int p);)"));
	EXPECT_TRUE(			EXPECT_TRUE(
	tooling::runToolOnCode(std::make_unique<ParamRegionTestAction>(),			tooling::runToolOnCode(std::make_unique<ParamRegionTestAction>(),
	R"(@interface O			R"(@interface O
	+ alloc;			+ alloc;
	- initWithInt:(int)q;			- initWithInt:(int)q;
	@end			@end

	void qix(int r) {			void qix(int r) {
	O *o = [[O alloc] initWithInt:r];			O *o = [[O alloc] initWithInt:r];
	})",			})",
	"input.m"));			"input.m"));
	}			}

	} // namespace			} // namespace
	} // namespace ento			} // namespace ento
	} // namespace clang			} // namespace clang