This is an archive of the discontinued LLVM Phabricator instance.

Differential D82185

[Analyzer] Handle pointer implemented as iterators in iterator checkers
ClosedPublic

Authored by baloghadamsoftware on Jun 19 2020, 7:03 AM.

Details

Reviewers
NoQ
Szelethus
martong
gamesh411
Commits
rG9e63b190af76: [Analyzer] Handle pointer implemented as iterators in iterator checkers
Summary

Iterators are an abstraction of pointers and in some data structures iterators may be implemented by pointers. This patch adds support for iterators implemented as pointers in all the iterator checkers (including iterator modeling).

Diff Detail

Event Timeline

baloghadamsoftware created this revision.Jun 19 2020, 7:03 AM
Herald added subscribers: ASDenysPetrov, steakhal, Charusso and 8 others. · View Herald TranscriptJun 19 2020, 7:03 AM
baloghadamsoftware marked an inline comment as done.Jun 19 2020, 7:12 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
256

This is the problematic point which is not working. I left the comments intentionally in the code.

The problem is that in postStmt we are after the operation. Thus the value of the operand (SubExpr) is not i anymore, but the former value of i (a pointer to a symbolic region initially). Instead, the result is i in case of prefix operators, but also the former value in case of postfix operators. This is correct, of course, because here, after the call the value of i was changed, thus it is not equal to the parameter. However, we need the region of i here and/or the new value bound to it (e.g. the pointer to an element region which is usually the result of a ++ or -- on a pointer to a symbolic region). How to reach that? Of course, in preStmt the operand is i as it should be. The same is true for binary operators += and -=.

Harbormaster failed remote builds in B61017: Diff 272058!Jun 19 2020, 8:08 AM
baloghadamsoftware marked an inline comment as done.Jun 19 2020, 9:57 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
256

Of course, I know it is all wrong to increment the former value. This is also not the goal, probably I cannot reuse handleIncrement() and the like here. The question is how to get the region of the variable or even better the new region (e.g. the pointer to element region) bound to it? In the prefix case I have the variable, but is there a generic way to get the region bound to it? By generic I mean that I hope that I do not have to branch on all possible lvalue expressions.

baloghadamsoftware marked an inline comment as done.Jun 21 2020, 10:34 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
256

Wait! I know the solution! I will try it tomorrow.

baloghadamsoftware updated this revision to Diff 272469.Jun 22 2020, 9:29 AM
baloghadamsoftware retitled this revision from [Analyzer][WIP] Handle pointer implemented as iterators in iterator checkers to [Analyzer] Handle pointer implemented as iterators in iterator checkers.
baloghadamsoftware edited the summary of this revision. (Show Details)

Working.

gamesh411 added inline comments.Jun 24 2020, 1:02 AM
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
625

Same as in the other patch. I think variable name TempState is too generic, should be AdvancedState or something more descriptive.

clang/test/Analysis/iterator-modeling.cpp
1880

Just being annoying here, but I saw you use // expected (with a space between the slash and expected) consistently elsewhere. Could you please also use that here in these tests as well? Being uniform with those helps spot other errors and typos IMHO.

baloghadamsoftware updated this revision to Diff 272973.Jun 24 2020, 4:21 AM

Updated according to the comments.

baloghadamsoftware marked 2 inline comments as done.Jun 24 2020, 4:21 AM
gamesh411 accepted this revision.Jun 30 2020, 9:02 AM

Thanks, it LGTM now!

This revision is now accepted and ready to land.Jun 30 2020, 9:02 AM
Closed by commit rG9e63b190af76: [Analyzer] Handle pointer implemented as iterators in iterator checkers (authored by baloghadamsoftware). · Explain WhyJul 1 2020, 12:30 AM
This revision was automatically updated to reflect the committed changes.
thakis added a subscriber: thakis.Jul 1 2020, 3:15 AM

This (or a follow-up) broke tests on windows: http://45.33.8.238/win/18877/step_7.txt

Please take a look and revert for now if it takes a while to fix.

baloghadamsoftware added a comment.Jul 1 2020, 3:52 AM
In D82185#2124948, @thakis wrote:

This (or a follow-up) broke tests on windows: http://45.33.8.238/win/18877/step_7.txt

Please take a look and revert for now if it takes a while to fix.

It was this one: D82385. I reverted that test function so one of the fixes now remains untested.

NoQ mentioned this in D85424: [Analyzer] Crash fix for alpha.cplusplus.IteratorRange.Sep 21 2020, 11:16 PM
NoQ mentioned this in D77229: [Analyzer][NFC] Avoid handling of LazyCompundVals in IteratorModeling.Sep 22 2020, 12:59 AM

Revision Contents

Diff 274700

clang/lib/StaticAnalyzer/Checkers/InvalidatedIteratorChecker.cpp

Show All 20 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace iterator; using namespace iterator;
namespace { namespace {
class InvalidatedIteratorChecker class InvalidatedIteratorChecker
: public Checker<check::PreCall> { : public Checker<check::PreCall, check::PreStmt<UnaryOperator>,
check::PreStmt<BinaryOperator>,
check::PreStmt<ArraySubscriptExpr>,
check::PreStmt<MemberExpr>> {
std::unique_ptr<BugType> InvalidatedBugType; std::unique_ptr<BugType> InvalidatedBugType;
void verifyAccess(CheckerContext &C, const SVal &Val) const; void verifyAccess(CheckerContext &C, const SVal &Val) const;
void reportBug(const StringRef &Message, const SVal &Val, void reportBug(const StringRef &Message, const SVal &Val,
CheckerContext &C, ExplodedNode *ErrNode) const; CheckerContext &C, ExplodedNode *ErrNode) const;
public: public:
InvalidatedIteratorChecker(); InvalidatedIteratorChecker();
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const UnaryOperator *UO, CheckerContext &C) const;
void checkPreStmt(const BinaryOperator *BO, CheckerContext &C) const;
void checkPreStmt(const ArraySubscriptExpr *ASE, CheckerContext &C) const;
void checkPreStmt(const MemberExpr *ME, CheckerContext &C) const;
}; };
} //namespace } //namespace
InvalidatedIteratorChecker::InvalidatedIteratorChecker() { InvalidatedIteratorChecker::InvalidatedIteratorChecker() {
InvalidatedBugType.reset( InvalidatedBugType.reset(
new BugType(this, "Iterator invalidated", "Misuse of STL APIs")); new BugType(this, "Iterator invalidated", "Misuse of STL APIs"));
Show All 12 Lines if (Func->isOverloadedOperator() &&
if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) { if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
verifyAccess(C, InstCall->getCXXThisVal()); verifyAccess(C, InstCall->getCXXThisVal());
} else { } else {
verifyAccess(C, Call.getArgSVal(0)); verifyAccess(C, Call.getArgSVal(0));
} }
} }
} }
void InvalidatedIteratorChecker::checkPreStmt(const UnaryOperator *UO,
CheckerContext &C) const {
if (isa<CXXThisExpr>(UO->getSubExpr()))
return;
ProgramStateRef State = C.getState();
UnaryOperatorKind OK = UO->getOpcode();
SVal SubVal = State->getSVal(UO->getSubExpr(), C.getLocationContext());
if (isAccessOperator(OK)) {
verifyAccess(C, SubVal);
}
}
void InvalidatedIteratorChecker::checkPreStmt(const BinaryOperator *BO,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
BinaryOperatorKind OK = BO->getOpcode();
SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext());
if (isAccessOperator(OK)) {
verifyAccess(C, LVal);
}
}
void InvalidatedIteratorChecker::checkPreStmt(const ArraySubscriptExpr *ASE,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SVal LVal = State->getSVal(ASE->getLHS(), C.getLocationContext());
verifyAccess(C, LVal);
}
void InvalidatedIteratorChecker::checkPreStmt(const MemberExpr *ME,
CheckerContext &C) const {
if (!ME->isArrow() || ME->isImplicitAccess())
return;
ProgramStateRef State = C.getState();
SVal BaseVal = State->getSVal(ME->getBase(), C.getLocationContext());
verifyAccess(C, BaseVal);
}
void InvalidatedIteratorChecker::verifyAccess(CheckerContext &C, const SVal &Val) const { void InvalidatedIteratorChecker::verifyAccess(CheckerContext &C, const SVal &Val) const {
auto State = C.getState(); auto State = C.getState();
const auto *Pos = getIteratorPosition(State, Val); const auto *Pos = getIteratorPosition(State, Val);
if (Pos && !Pos->isValid()) { if (Pos && !Pos->isValid()) {
auto *N = C.generateErrorNode(State); auto *N = C.generateErrorNode(State);
if (!N) { if (!N) {
return; return;
} }
Show All 20 Lines

clang/lib/StaticAnalyzer/Checkers/Iterator.h

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines void Profile(llvm::FoldingSetNodeID &ID) const {
ID.Add(End); ID.Add(End);
} }
}; };
class IteratorSymbolMap {}; class IteratorSymbolMap {};
class IteratorRegionMap {}; class IteratorRegionMap {};
class ContainerMap {}; class ContainerMap {};
using IteratorSymbolMapTy = CLANG_ENTO_PROGRAMSTATE_MAP(SymbolRef, IteratorPosition); using IteratorSymbolMapTy =
using IteratorRegionMapTy = CLANG_ENTO_PROGRAMSTATE_MAP(const MemRegion *, IteratorPosition); CLANG_ENTO_PROGRAMSTATE_MAP(SymbolRef, IteratorPosition);
using ContainerMapTy = CLANG_ENTO_PROGRAMSTATE_MAP(const MemRegion *, ContainerData); using IteratorRegionMapTy =
CLANG_ENTO_PROGRAMSTATE_MAP(const MemRegion *, IteratorPosition);
using ContainerMapTy =
CLANG_ENTO_PROGRAMSTATE_MAP(const MemRegion *, ContainerData);
} // namespace iterator } // namespace iterator
template<> template<>
struct ProgramStateTrait<iterator::IteratorSymbolMap> struct ProgramStateTrait<iterator::IteratorSymbolMap>
: public ProgramStatePartialTrait<iterator::IteratorSymbolMapTy> { : public ProgramStatePartialTrait<iterator::IteratorSymbolMapTy> {
static void *GDMIndex() { static int Index; return &Index; } static void *GDMIndex() { static int Index; return &Index; }
}; };
Show All 15 Lines
bool isIteratorType(const QualType &Type); bool isIteratorType(const QualType &Type);
bool isIterator(const CXXRecordDecl *CRD); bool isIterator(const CXXRecordDecl *CRD);
bool isComparisonOperator(OverloadedOperatorKind OK); bool isComparisonOperator(OverloadedOperatorKind OK);
bool isInsertCall(const FunctionDecl *Func); bool isInsertCall(const FunctionDecl *Func);
bool isEraseCall(const FunctionDecl *Func); bool isEraseCall(const FunctionDecl *Func);
bool isEraseAfterCall(const FunctionDecl *Func); bool isEraseAfterCall(const FunctionDecl *Func);
bool isEmplaceCall(const FunctionDecl *Func); bool isEmplaceCall(const FunctionDecl *Func);
bool isAccessOperator(OverloadedOperatorKind OK); bool isAccessOperator(OverloadedOperatorKind OK);
bool isAccessOperator(UnaryOperatorKind OK);
bool isAccessOperator(BinaryOperatorKind OK);
bool isDereferenceOperator(OverloadedOperatorKind OK); bool isDereferenceOperator(OverloadedOperatorKind OK);
bool isDereferenceOperator(UnaryOperatorKind OK);
bool isDereferenceOperator(BinaryOperatorKind OK);
bool isIncrementOperator(OverloadedOperatorKind OK); bool isIncrementOperator(OverloadedOperatorKind OK);
bool isIncrementOperator(UnaryOperatorKind OK);
bool isDecrementOperator(OverloadedOperatorKind OK); bool isDecrementOperator(OverloadedOperatorKind OK);
bool isDecrementOperator(UnaryOperatorKind OK);
bool isRandomIncrOrDecrOperator(OverloadedOperatorKind OK); bool isRandomIncrOrDecrOperator(OverloadedOperatorKind OK);
bool isRandomIncrOrDecrOperator(BinaryOperatorKind OK);
const ContainerData *getContainerData(ProgramStateRef State, const ContainerData *getContainerData(ProgramStateRef State,
const MemRegion *Cont); const MemRegion *Cont);
const IteratorPosition *getIteratorPosition(ProgramStateRef State, const IteratorPosition *getIteratorPosition(ProgramStateRef State,
const SVal &Val); const SVal &Val);
ProgramStateRef setIteratorPosition(ProgramStateRef State, const SVal &Val, ProgramStateRef setIteratorPosition(ProgramStateRef State, const SVal &Val,
const IteratorPosition &Pos); const IteratorPosition &Pos);
ProgramStateRef createIteratorPosition(ProgramStateRef State, const SVal &Val, ProgramStateRef createIteratorPosition(ProgramStateRef State, const SVal &Val,
const MemRegion *Cont, const Stmt* S, const MemRegion *Cont, const Stmt* S,
Show All 18 Lines

clang/lib/StaticAnalyzer/Checkers/Iterator.cpp

Show First 20 LinesShow All 122 Lines▼ Show 20 Linesbool isEraseAfterCall(const FunctionDecl *Func) {
return IdInfo->getName() == "erase_after"; return IdInfo->getName() == "erase_after";
} }
bool isAccessOperator(OverloadedOperatorKind OK) { bool isAccessOperator(OverloadedOperatorKind OK) {
return isDereferenceOperator(OK) || isIncrementOperator(OK) || return isDereferenceOperator(OK) || isIncrementOperator(OK) ||
isDecrementOperator(OK) || isRandomIncrOrDecrOperator(OK); isDecrementOperator(OK) || isRandomIncrOrDecrOperator(OK);
} }
bool isAccessOperator(UnaryOperatorKind OK) {
return isDereferenceOperator(OK) || isIncrementOperator(OK) ||
isDecrementOperator(OK);
}
bool isAccessOperator(BinaryOperatorKind OK) {
return isDereferenceOperator(OK) || isRandomIncrOrDecrOperator(OK);
}
bool isDereferenceOperator(OverloadedOperatorKind OK) { bool isDereferenceOperator(OverloadedOperatorKind OK) {
return OK == OO_Star || OK == OO_Arrow || OK == OO_ArrowStar || return OK == OO_Star || OK == OO_Arrow || OK == OO_ArrowStar ||
OK == OO_Subscript; OK == OO_Subscript;
} }
bool isDereferenceOperator(UnaryOperatorKind OK) {
return OK == UO_Deref;
}
bool isDereferenceOperator(BinaryOperatorKind OK) {
return OK == BO_PtrMemI;
}
bool isIncrementOperator(OverloadedOperatorKind OK) { bool isIncrementOperator(OverloadedOperatorKind OK) {
return OK == OO_PlusPlus; return OK == OO_PlusPlus;
} }
bool isIncrementOperator(UnaryOperatorKind OK) {
return OK == UO_PreInc || OK == UO_PostInc;
}
bool isDecrementOperator(OverloadedOperatorKind OK) { bool isDecrementOperator(OverloadedOperatorKind OK) {
return OK == OO_MinusMinus; return OK == OO_MinusMinus;
} }
bool isDecrementOperator(UnaryOperatorKind OK) {
return OK == UO_PreDec || OK == UO_PostDec;
}
bool isRandomIncrOrDecrOperator(OverloadedOperatorKind OK) { bool isRandomIncrOrDecrOperator(OverloadedOperatorKind OK) {
return OK == OO_Plus || OK == OO_PlusEqual || OK == OO_Minus || return OK == OO_Plus || OK == OO_PlusEqual || OK == OO_Minus ||
OK == OO_MinusEqual; OK == OO_MinusEqual;
} }
bool isRandomIncrOrDecrOperator(BinaryOperatorKind OK) {
return OK == BO_Add || OK == BO_AddAssign ||
OK == BO_Sub || OK == BO_SubAssign;
}
const ContainerData *getContainerData(ProgramStateRef State, const ContainerData *getContainerData(ProgramStateRef State,
const MemRegion *Cont) { const MemRegion *Cont) {
return State->get<ContainerMap>(Cont); return State->get<ContainerMap>(Cont);
} }
const IteratorPosition *getIteratorPosition(ProgramStateRef State, const IteratorPosition *getIteratorPosition(ProgramStateRef State,
const SVal &Val) { const SVal &Val) {
if (auto Reg = Val.getAsRegion()) { if (auto Reg = Val.getAsRegion()) {
▲ Show 20 LinesShow All 133 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp

Show First 20 LinesShow All 77 Lines▼ Show 20 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace iterator; using namespace iterator;
namespace { namespace {
class IteratorModeling class IteratorModeling
: public Checker<check::PostCall, check::PostStmt<MaterializeTemporaryExpr>, : public Checker<check::PostCall, check::PostStmt<UnaryOperator>,
check::PostStmt<BinaryOperator>,
check::PostStmt<MaterializeTemporaryExpr>,
check::Bind, check::LiveSymbols, check::DeadSymbols> { check::Bind, check::LiveSymbols, check::DeadSymbols> {
using AdvanceFn = void (IteratorModeling::*)(CheckerContext &, const Expr *, using AdvanceFn = void (IteratorModeling::*)(CheckerContext &, const Expr *,
SVal, SVal, SVal) const; SVal, SVal, SVal) const;
void handleOverloadedOperator(CheckerContext &C, const CallEvent &Call, void handleOverloadedOperator(CheckerContext &C, const CallEvent &Call,
OverloadedOperatorKind Op) const; OverloadedOperatorKind Op) const;
void handleAdvanceLikeFunction(CheckerContext &C, const CallEvent &Call, void handleAdvanceLikeFunction(CheckerContext &C, const CallEvent &Call,
const Expr *OrigExpr, const Expr *OrigExpr,
const AdvanceFn *Handler) const; const AdvanceFn *Handler) const;
void handleComparison(CheckerContext &C, const Expr *CE, SVal RetVal, void handleComparison(CheckerContext &C, const Expr *CE, SVal RetVal,
const SVal &LVal, const SVal &RVal, const SVal &LVal, const SVal &RVal,
OverloadedOperatorKind Op) const; OverloadedOperatorKind Op) const;
void processComparison(CheckerContext &C, ProgramStateRef State, void processComparison(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym1, SymbolRef Sym2, const SVal &RetVal, SymbolRef Sym1, SymbolRef Sym2, const SVal &RetVal,
OverloadedOperatorKind Op) const; OverloadedOperatorKind Op) const;
void handleIncrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter, void handleIncrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter,
bool Postfix) const; bool Postfix) const;
void handleDecrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter, void handleDecrement(CheckerContext &C, const SVal &RetVal, const SVal &Iter,
bool Postfix) const; bool Postfix) const;
void handleRandomIncrOrDecr(CheckerContext &C, const Expr *CE, void handleRandomIncrOrDecr(CheckerContext &C, const Expr *CE,
OverloadedOperatorKind Op, const SVal &RetVal, OverloadedOperatorKind Op, const SVal &RetVal,
const SVal &LHS, const SVal &RHS) const; const SVal &LHS, const SVal &RHS) const;
void handlePtrIncrOrDecr(CheckerContext &C, const Expr *Iterator,
OverloadedOperatorKind OK, SVal Offset) const;
void handleAdvance(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter, void handleAdvance(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
SVal Amount) const; SVal Amount) const;
void handlePrev(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter, void handlePrev(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
SVal Amount) const; SVal Amount) const;
void handleNext(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter, void handleNext(CheckerContext &C, const Expr *CE, SVal RetVal, SVal Iter,
SVal Amount) const; SVal Amount) const;
void assignToContainer(CheckerContext &C, const Expr *CE, const SVal &RetVal, void assignToContainer(CheckerContext &C, const Expr *CE, const SVal &RetVal,
const MemRegion *Cont) const; const MemRegion *Cont) const;
Show All 20 Lines CallDescriptionMap<AdvanceFn> AdvanceLikeFunctions = {
{{{"std", "next"}, 2}, &IteratorModeling::handleNext}, {{{"std", "next"}, 2}, &IteratorModeling::handleNext},
}; };
public: public:
IteratorModeling() = default; IteratorModeling() = default;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const; void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const;
void checkPostStmt(const UnaryOperator *UO, CheckerContext &C) const;
void checkPostStmt(const BinaryOperator *BO, CheckerContext &C) const;
void checkPostStmt(const CXXConstructExpr *CCE, CheckerContext &C) const; void checkPostStmt(const CXXConstructExpr *CCE, CheckerContext &C) const;
void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPostStmt(const DeclStmt *DS, CheckerContext &C) const;
void checkPostStmt(const MaterializeTemporaryExpr *MTE, void checkPostStmt(const MaterializeTemporaryExpr *MTE,
CheckerContext &C) const; CheckerContext &C) const;
void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const; void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
}; };
bool isSimpleComparisonOperator(OverloadedOperatorKind OK); bool isSimpleComparisonOperator(OverloadedOperatorKind OK);
bool isSimpleComparisonOperator(BinaryOperatorKind OK);
ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val); ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val);
ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1, ProgramStateRef relateSymbols(ProgramStateRef State, SymbolRef Sym1,
SymbolRef Sym2, bool Equal); SymbolRef Sym2, bool Equal);
bool isBoundThroughLazyCompoundVal(const Environment &Env, bool isBoundThroughLazyCompoundVal(const Environment &Env,
const MemRegion *Reg); const MemRegion *Reg);
const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call); const ExplodedNode *findCallEnter(const ExplodedNode *Node, const Expr *Call);
} // namespace } // namespace
Show All 38 Lines if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(0))) {
State = removeIteratorPosition(State, Call.getArgSVal(0)); State = removeIteratorPosition(State, Call.getArgSVal(0));
} }
C.addTransition(State); C.addTransition(State);
return; return;
} }
} }
// Assumption: if return value is an iterator which is not yet bound to a // Assumption: if return value is an iterator which is not yet bound to a
// container, then look for the first iterator argument, and // container, then look for the first iterator argument of the
// bind the return value to the same container. This approach // same type as the return value and bind the return value to
// works for STL algorithms. // the same container. This approach works for STL algorithms.
// FIXME: Add a more conservative mode // FIXME: Add a more conservative mode
for (unsigned i = 0; i < Call.getNumArgs(); ++i) { for (unsigned i = 0; i < Call.getNumArgs(); ++i) {
if (isIteratorType(Call.getArgExpr(i)->getType())) { if (isIteratorType(Call.getArgExpr(i)->getType()) &&
Call.getArgExpr(i)->getType().getNonReferenceType().getDesugaredType(
C.getASTContext()).getTypePtr() ==
Call.getResultType().getDesugaredType(C.getASTContext()).getTypePtr()) {
if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(i))) { if (const auto *Pos = getIteratorPosition(State, Call.getArgSVal(i))) {
assignToContainer(C, OrigExpr, Call.getReturnValue(), assignToContainer(C, OrigExpr, Call.getReturnValue(),
Pos->getContainer()); Pos->getContainer());
return; return;
} }
} }
} }
} }
Show All 9 Lines if (Pos) {
const auto *OldPos = getIteratorPosition(State, Loc); const auto *OldPos = getIteratorPosition(State, Loc);
if (OldPos) { if (OldPos) {
State = removeIteratorPosition(State, Loc); State = removeIteratorPosition(State, Loc);
C.addTransition(State); C.addTransition(State);
} }
} }
} }
void IteratorModeling::checkPostStmt(const UnaryOperator *UO,
CheckerContext &C) const {
UnaryOperatorKind OK = UO->getOpcode();
if (!isIncrementOperator(OK) && !isDecrementOperator(OK))
return;
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

This is the problematic point which is not working. I left the comments intentionally in the code.

The problem is that in postStmt we are after the operation. Thus the value of the operand (SubExpr) is not i anymore, but the former value of i (a pointer to a symbolic region initially). Instead, the result is i in case of prefix operators, but also the former value in case of postfix operators. This is correct, of course, because here, after the call the value of i was changed, thus it is not equal to the parameter. However, we need the region of i here and/or the new value bound to it (e.g. the pointer to an element region which is usually the result of a ++ or -- on a pointer to a symbolic region). How to reach that? Of course, in preStmt the operand is i as it should be. The same is true for binary operators += and -=.

baloghadamsoftware: This is the problematic point which is not working. I left the comments intentionally in the…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Of course, I know it is all wrong to increment the former value. This is also not the goal, probably I cannot reuse handleIncrement() and the like here. The question is how to get the region of the variable or even better the new region (e.g. the pointer to element region) bound to it? In the prefix case I have the variable, but is there a generic way to get the region bound to it? By generic I mean that I hope that I do not have to branch on all possible lvalue expressions.

baloghadamsoftware: Of course, I know it is all wrong to increment the //former// value. This is also not the goal…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Wait! I know the solution! I will try it tomorrow.

baloghadamsoftware: Wait! I know the solution! I will try it tomorrow.
auto &SVB = C.getSValBuilder();
handlePtrIncrOrDecr(C, UO->getSubExpr(),
isIncrementOperator(OK) ? OO_Plus : OO_Minus,
SVB.makeArrayIndex(1));
}
void IteratorModeling::checkPostStmt(const BinaryOperator *BO,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
BinaryOperatorKind OK = BO->getOpcode();
SVal RVal = State->getSVal(BO->getRHS(), C.getLocationContext());
if (isSimpleComparisonOperator(BO->getOpcode())) {
SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext());
SVal Result = State->getSVal(BO, C.getLocationContext());
handleComparison(C, BO, Result, LVal, RVal,
BinaryOperator::getOverloadedOperator(OK));
} else if (isRandomIncrOrDecrOperator(OK)) {
handlePtrIncrOrDecr(C, BO->getLHS(),
BinaryOperator::getOverloadedOperator(OK), RVal);
}
}
void IteratorModeling::checkPostStmt(const MaterializeTemporaryExpr *MTE, void IteratorModeling::checkPostStmt(const MaterializeTemporaryExpr *MTE,
CheckerContext &C) const { CheckerContext &C) const {
/* Transfer iterator state to temporary objects */ /* Transfer iterator state to temporary objects */
auto State = C.getState(); auto State = C.getState();
const auto *Pos = getIteratorPosition(State, C.getSVal(MTE->getSubExpr())); const auto *Pos = getIteratorPosition(State, C.getSVal(MTE->getSubExpr()));
if (!Pos) if (!Pos)
return; return;
State = setIteratorPosition(State, C.getSVal(MTE), *Pos); State = setIteratorPosition(State, C.getSVal(MTE), *Pos);
▲ Show 20 LinesShow All 302 Lines▼ Show 20 Lines if (AdvancedState) {
State = setIteratorPosition(State, TgtVal, *NewPos); State = setIteratorPosition(State, TgtVal, *NewPos);
C.addTransition(State); C.addTransition(State);
} else { } else {
assignToContainer(C, CE, TgtVal, Pos->getContainer()); assignToContainer(C, CE, TgtVal, Pos->getContainer());
} }
} }
void IteratorModeling::handlePtrIncrOrDecr(CheckerContext &C,
const Expr *Iterator,
OverloadedOperatorKind OK,
SVal Offset) const {
QualType PtrType = Iterator->getType();
if (!PtrType->isPointerType())
return;
QualType ElementType = PtrType->getPointeeType();
ProgramStateRef State = C.getState();
SVal OldVal = State->getSVal(Iterator, C.getLocationContext());
const IteratorPosition *OldPos = getIteratorPosition(State, OldVal);
if (!OldPos)
return;
SVal NewVal;
if (OK == OO_Plus || OK == OO_PlusEqual)
NewVal = State->getLValue(ElementType, Offset, OldVal);
else {
const llvm::APSInt &OffsetInt =
Offset.castAs<nonloc::ConcreteInt>().getValue();
auto &BVF = C.getSymbolManager().getBasicVals();
SVal NegatedOffset = nonloc::ConcreteInt(BVF.getValue(-OffsetInt));
NewVal = State->getLValue(ElementType, NegatedOffset, OldVal);
}
// `AdvancedState` is a state where the position of `Old` is advanced. We
gamesh411Unsubmitted
Done
ReplyInline Actions

Same as in the other patch. I think variable name TempState is too generic, should be AdvancedState or something more descriptive.

gamesh411: Same as in the other patch. I think variable name `TempState` is too generic, should be…
// only need this state to retrieve the new position, but we do not want
// ever to change the position of `OldVal`.
auto AdvancedState = advancePosition(State, OldVal, OK, Offset);
if (AdvancedState) {
const IteratorPosition *NewPos = getIteratorPosition(AdvancedState, OldVal);
assert(NewPos &&
"Iterator should have position after successful advancement");
ProgramStateRef NewState = setIteratorPosition(State, NewVal, *NewPos);
C.addTransition(NewState);
} else {
assignToContainer(C, Iterator, NewVal, OldPos->getContainer());
}
}
void IteratorModeling::handleAdvance(CheckerContext &C, const Expr *CE, void IteratorModeling::handleAdvance(CheckerContext &C, const Expr *CE,
SVal RetVal, SVal Iter, SVal RetVal, SVal Iter,
SVal Amount) const { SVal Amount) const {
handleRandomIncrOrDecr(C, CE, OO_PlusEqual, RetVal, Iter, Amount); handleRandomIncrOrDecr(C, CE, OO_PlusEqual, RetVal, Iter, Amount);
} }
void IteratorModeling::handlePrev(CheckerContext &C, const Expr *CE, void IteratorModeling::handlePrev(CheckerContext &C, const Expr *CE,
SVal RetVal, SVal Iter, SVal Amount) const { SVal RetVal, SVal Iter, SVal Amount) const {
▲ Show 20 LinesShow All 80 Lines▼ Show 20 Lines
} }
namespace { namespace {
bool isSimpleComparisonOperator(OverloadedOperatorKind OK) { bool isSimpleComparisonOperator(OverloadedOperatorKind OK) {
return OK == OO_EqualEqual || OK == OO_ExclaimEqual; return OK == OO_EqualEqual || OK == OO_ExclaimEqual;
} }
bool isSimpleComparisonOperator(BinaryOperatorKind OK) {
return OK == BO_EQ || OK == BO_NE;
}
ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val) { ProgramStateRef removeIteratorPosition(ProgramStateRef State, const SVal &Val) {
if (auto Reg = Val.getAsRegion()) { if (auto Reg = Val.getAsRegion()) {
Reg = Reg->getMostDerivedObjectRegion(); Reg = Reg->getMostDerivedObjectRegion();
return State->remove<IteratorRegionMap>(Reg); return State->remove<IteratorRegionMap>(Reg);
} else if (const auto Sym = Val.getAsSymbol()) { } else if (const auto Sym = Val.getAsSymbol()) {
return State->remove<IteratorSymbolMap>(Sym); return State->remove<IteratorSymbolMap>(Sym);
} else if (const auto LCVal = Val.getAs<nonloc::LazyCompoundVal>()) { } else if (const auto LCVal = Val.getAs<nonloc::LazyCompoundVal>()) {
return State->remove<IteratorRegionMap>(LCVal->getRegion()); return State->remove<IteratorRegionMap>(LCVal->getRegion());
▲ Show 20 LinesShow All 71 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/IteratorRangeChecker.cpp

Show All 21 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace iterator; using namespace iterator;
namespace { namespace {
class IteratorRangeChecker class IteratorRangeChecker
: public Checker<check::PreCall> { : public Checker<check::PreCall, check::PreStmt<UnaryOperator>,
check::PreStmt<BinaryOperator>,
check::PreStmt<ArraySubscriptExpr>,
check::PreStmt<MemberExpr>> {
std::unique_ptr<BugType> OutOfRangeBugType; std::unique_ptr<BugType> OutOfRangeBugType;
void verifyDereference(CheckerContext &C, SVal Val) const; void verifyDereference(CheckerContext &C, SVal Val) const;
void verifyIncrement(CheckerContext &C, SVal Iter) const; void verifyIncrement(CheckerContext &C, SVal Iter) const;
void verifyDecrement(CheckerContext &C, SVal Iter) const; void verifyDecrement(CheckerContext &C, SVal Iter) const;
void verifyRandomIncrOrDecr(CheckerContext &C, OverloadedOperatorKind Op, void verifyRandomIncrOrDecr(CheckerContext &C, OverloadedOperatorKind Op,
SVal LHS, SVal RHS) const; SVal LHS, SVal RHS) const;
void verifyAdvance(CheckerContext &C, SVal LHS, SVal RHS) const; void verifyAdvance(CheckerContext &C, SVal LHS, SVal RHS) const;
void verifyPrev(CheckerContext &C, SVal LHS, SVal RHS) const; void verifyPrev(CheckerContext &C, SVal LHS, SVal RHS) const;
void verifyNext(CheckerContext &C, SVal LHS, SVal RHS) const; void verifyNext(CheckerContext &C, SVal LHS, SVal RHS) const;
void reportBug(const StringRef &Message, SVal Val, CheckerContext &C, void reportBug(const StringRef &Message, SVal Val, CheckerContext &C,
ExplodedNode *ErrNode) const; ExplodedNode *ErrNode) const;
public: public:
IteratorRangeChecker(); IteratorRangeChecker();
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const UnaryOperator *UO, CheckerContext &C) const;
void checkPreStmt(const BinaryOperator *BO, CheckerContext &C) const;
void checkPreStmt(const ArraySubscriptExpr *ASE, CheckerContext &C) const;
void checkPreStmt(const MemberExpr *ME, CheckerContext &C) const;
using AdvanceFn = void (IteratorRangeChecker::*)(CheckerContext &, SVal, using AdvanceFn = void (IteratorRangeChecker::*)(CheckerContext &, SVal,
SVal) const; SVal) const;
CallDescriptionMap<AdvanceFn> AdvanceFunctions = { CallDescriptionMap<AdvanceFn> AdvanceFunctions = {
{{{"std", "advance"}, 2}, &IteratorRangeChecker::verifyAdvance}, {{{"std", "advance"}, 2}, &IteratorRangeChecker::verifyAdvance},
{{{"std", "prev"}, 2}, &IteratorRangeChecker::verifyPrev}, {{{"std", "prev"}, 2}, &IteratorRangeChecker::verifyPrev},
{{{"std", "next"}, 2}, &IteratorRangeChecker::verifyNext}, {{{"std", "next"}, 2}, &IteratorRangeChecker::verifyNext},
▲ Show 20 LinesShow All 72 Lines▼ Show 20 Lines if (Verifier) {
(this->**Verifier)( (this->**Verifier)(
C, Call.getArgSVal(0), C, Call.getArgSVal(0),
nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1)))); nonloc::ConcreteInt(BVF.getValue(llvm::APSInt::get(1))));
} }
} }
} }
} }
void IteratorRangeChecker::checkPreStmt(const UnaryOperator *UO,
CheckerContext &C) const {
if (isa<CXXThisExpr>(UO->getSubExpr()))
return;
ProgramStateRef State = C.getState();
UnaryOperatorKind OK = UO->getOpcode();
SVal SubVal = State->getSVal(UO->getSubExpr(), C.getLocationContext());
if (isDereferenceOperator(OK)) {
verifyDereference(C, SubVal);
} else if (isIncrementOperator(OK)) {
verifyIncrement(C, SubVal);
} else if (isDecrementOperator(OK)) {
verifyDecrement(C, SubVal);
}
}
void IteratorRangeChecker::checkPreStmt(const BinaryOperator *BO,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
BinaryOperatorKind OK = BO->getOpcode();
SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext());
if (isDereferenceOperator(OK)) {
verifyDereference(C, LVal);
} else if (isRandomIncrOrDecrOperator(OK)) {
SVal RVal = State->getSVal(BO->getRHS(), C.getLocationContext());
verifyRandomIncrOrDecr(C, BinaryOperator::getOverloadedOperator(OK), LVal,
RVal);
}
}
void IteratorRangeChecker::checkPreStmt(const ArraySubscriptExpr *ASE,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SVal LVal = State->getSVal(ASE->getLHS(), C.getLocationContext());
verifyDereference(C, LVal);
}
void IteratorRangeChecker::checkPreStmt(const MemberExpr *ME,
CheckerContext &C) const {
if (!ME->isArrow() || ME->isImplicitAccess())
return;
ProgramStateRef State = C.getState();
SVal BaseVal = State->getSVal(ME->getBase(), C.getLocationContext());
verifyDereference(C, BaseVal);
}
void IteratorRangeChecker::verifyDereference(CheckerContext &C, void IteratorRangeChecker::verifyDereference(CheckerContext &C,
SVal Val) const { SVal Val) const {
auto State = C.getState(); auto State = C.getState();
const auto *Pos = getIteratorPosition(State, Val); const auto *Pos = getIteratorPosition(State, Val);
if (Pos && isPastTheEnd(State, *Pos)) { if (Pos && isPastTheEnd(State, *Pos)) {
auto *N = C.generateErrorNode(State); auto *N = C.generateErrorNode(State);
if (!N) if (!N)
return; return;
▲ Show 20 LinesShow All 170 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MismatchedIteratorChecker.cpp

Show All 22 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace iterator; using namespace iterator;
namespace { namespace {
class MismatchedIteratorChecker class MismatchedIteratorChecker
: public Checker<check::PreCall> { : public Checker<check::PreCall, check::PreStmt<BinaryOperator>> {
std::unique_ptr<BugType> MismatchedBugType; std::unique_ptr<BugType> MismatchedBugType;
void verifyMatch(CheckerContext &C, const SVal &Iter, void verifyMatch(CheckerContext &C, const SVal &Iter,
const MemRegion *Cont) const; const MemRegion *Cont) const;
void verifyMatch(CheckerContext &C, const SVal &Iter1, void verifyMatch(CheckerContext &C, const SVal &Iter1,
const SVal &Iter2) const; const SVal &Iter2) const;
void reportBug(const StringRef &Message, const SVal &Val1, void reportBug(const StringRef &Message, const SVal &Val1,
const SVal &Val2, CheckerContext &C, const SVal &Val2, CheckerContext &C,
ExplodedNode *ErrNode) const; ExplodedNode *ErrNode) const;
void reportBug(const StringRef &Message, const SVal &Val, void reportBug(const StringRef &Message, const SVal &Val,
const MemRegion *Reg, CheckerContext &C, const MemRegion *Reg, CheckerContext &C,
ExplodedNode *ErrNode) const; ExplodedNode *ErrNode) const;
public: public:
MismatchedIteratorChecker(); MismatchedIteratorChecker();
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const BinaryOperator *BO, CheckerContext &C) const;
}; };
} // namespace } // namespace
MismatchedIteratorChecker::MismatchedIteratorChecker() { MismatchedIteratorChecker::MismatchedIteratorChecker() {
MismatchedBugType.reset( MismatchedBugType.reset(
new BugType(this, "Iterator(s) mismatched", "Misuse of STL APIs", new BugType(this, "Iterator(s) mismatched", "Misuse of STL APIs",
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Lines if (Func->isOverloadedOperator() &&
// works on multiple containers using iterators takes different // works on multiple containers using iterators takes different
// template parameters for different containers. So we can safely // template parameters for different containers. So we can safely
// assume that passing iterators of different containers as arguments // assume that passing iterators of different containers as arguments
// whose type replaces the same template parameter is a bug. // whose type replaces the same template parameter is a bug.
// //
// Example: // Example:
// template<typename I1, typename I2> // template<typename I1, typename I2>
// void f(I1 first1, I1 last1, I2 first2, I2 last2); // void f(I1 first1, I1 last1, I2 first2, I2 last2);
// //
// In this case the first two arguments to f() must be iterators must belong // In this case the first two arguments to f() must be iterators must belong
// to the same container and the last to also to the same container but // to the same container and the last to also to the same container but
// not necessarily to the same as the first two. // not necessarily to the same as the first two.
const auto *Templ = Func->getPrimaryTemplate(); const auto *Templ = Func->getPrimaryTemplate();
if (!Templ) if (!Templ)
return; return;
Show All 30 Lines for (size_t I = 0; I < TParams->size(); ++I) {
} else { } else {
verifyMatch(C, LHS, Call.getArgSVal(J)); verifyMatch(C, LHS, Call.getArgSVal(J));
} }
} }
} }
} }
} }
void MismatchedIteratorChecker::checkPreStmt(const BinaryOperator *BO,
CheckerContext &C) const {
if (!BO->isComparisonOp())
return;
ProgramStateRef State = C.getState();
SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext());
SVal RVal = State->getSVal(BO->getRHS(), C.getLocationContext());
verifyMatch(C, LVal, RVal);
}
void MismatchedIteratorChecker::verifyMatch(CheckerContext &C, const SVal &Iter, void MismatchedIteratorChecker::verifyMatch(CheckerContext &C, const SVal &Iter,
const MemRegion *Cont) const { const MemRegion *Cont) const {
// Verify match between a container and the container of an iterator // Verify match between a container and the container of an iterator
Cont = Cont->getMostDerivedObjectRegion(); Cont = Cont->getMostDerivedObjectRegion();
if (const auto *ContSym = Cont->getSymbolicBase()) { if (const auto *ContSym = Cont->getSymbolicBase()) {
if (isa<SymbolConjured>(ContSym->getSymbol())) if (isa<SymbolConjured>(ContSym->getSymbol()))
return; return;
▲ Show 20 LinesShow All 97 LinesShow Last 20 Lines

clang/test/Analysis/invalidated-iterator.cpp

Show First 20 LinesShow All 114 Lines▼ Show 20 Linesvoid invalidated_subscript(std::vector<int> &V) {
i[1]; // expected-warning{{Invalidated iterator accessed}} i[1]; // expected-warning{{Invalidated iterator accessed}}
} }
void assignment(std::vector<int> &V) { void assignment(std::vector<int> &V) {
auto i = V.cbegin(); auto i = V.cbegin();
V.erase(i); V.erase(i);
auto j = V.cbegin(); // no-warning auto j = V.cbegin(); // no-warning
} }
template<typename T>
struct cont_with_ptr_iterator {
T *begin() const;
T *end() const;
T &operator[](size_t);
void push_back(const T&);
T* erase(T*);
};
void invalidated_dereference_end_ptr_iterator(cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
(void) *i; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_prefix_increment_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
++i; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_prefix_decrement_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin() + 1;
C.erase(i);
--i; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_postfix_increment_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
i++; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_postfix_decrement_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin() + 1;
C.erase(i);
i--; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_increment_by_2_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
i += 2; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_increment_by_2_copy_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
auto j = i + 2; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_decrement_by_2_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
i -= 2; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_decrement_by_2_copy_end_ptr_iterator(
cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
auto j = i - 2; // expected-warning{{Invalidated iterator accessed}}
}
void invalidated_subscript_end_ptr_iterator(cont_with_ptr_iterator<int> &C) {
auto i = C.begin();
C.erase(i);
(void) i[1]; // expected-warning{{Invalidated iterator accessed}}
}

clang/test/Analysis/iterator-modeling.cpp

Show All 12 Lines
#include "Inputs/system-header-simulator-cxx.h" #include "Inputs/system-header-simulator-cxx.h"
template <typename Container> template <typename Container>
long clang_analyzer_container_begin(const Container&); long clang_analyzer_container_begin(const Container&);
template <typename Container> template <typename Container>
long clang_analyzer_container_end(const Container&); long clang_analyzer_container_end(const Container&);
template <typename Iterator> template <typename Iterator>
long clang_analyzer_iterator_position(const Iterator&); long clang_analyzer_iterator_position(const Iterator&);
long clang_analyzer_iterator_position(int*);
template <typename Iterator> template <typename Iterator>
void* clang_analyzer_iterator_container(const Iterator&); void* clang_analyzer_iterator_container(const Iterator&);
template <typename Iterator> template <typename Iterator>
bool clang_analyzer_iterator_validity(const Iterator&); bool clang_analyzer_iterator_validity(const Iterator&);
void clang_analyzer_denote(long, const char*); void clang_analyzer_denote(long, const char*);
void clang_analyzer_express(long); void clang_analyzer_express(long);
void clang_analyzer_eval(bool); void clang_analyzer_eval(bool);
▲ Show 20 LinesShow All 1,830 Lines▼ Show 20 Linesvoid non_std_find(std::vector<int> &V, int e) {
clang_analyzer_eval(clang_analyzer_container_end(V) == clang_analyzer_eval(clang_analyzer_container_end(V) ==
clang_analyzer_iterator_position(first)); // expected-warning@-1{{FALSE}} expected-warning@-1{{TRUE}} clang_analyzer_iterator_position(first)); // expected-warning@-1{{FALSE}} expected-warning@-1{{TRUE}}
if (V.end() != first) { if (V.end() != first) {
clang_analyzer_eval(clang_analyzer_container_end(V) == clang_analyzer_eval(clang_analyzer_container_end(V) ==
clang_analyzer_iterator_position(first)); // expected-warning@-1{{FALSE}} clang_analyzer_iterator_position(first)); // expected-warning@-1{{FALSE}}
} }
} }
template<typename T>
struct cont_with_ptr_iterator {
typedef T* iterator;
T* begin() const;
T* end() const;
};
void begin_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i = c.begin();
clang_analyzer_eval(clang_analyzer_iterator_container(i) == &c); // expected-warning{{TRUE}}
clang_analyzer_denote(clang_analyzer_container_begin(c), "$c.begin()");
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.begin()}}
gamesh411Unsubmitted
Done
ReplyInline Actions

Just being annoying here, but I saw you use // expected (with a space between the slash and expected) consistently elsewhere. Could you please also use that here in these tests as well? Being uniform with those helps spot other errors and typos IMHO.

gamesh411: Just being annoying here, but I saw you use `// expected` (with a space between the slash and…
if (i != c.begin()) {
clang_analyzer_warnIfReached();
}
}
void prefix_increment_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i = c.begin();
clang_analyzer_denote(clang_analyzer_container_begin(c), "$c.begin()");
auto j = ++i;
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.begin() + 1}}
clang_analyzer_express(clang_analyzer_iterator_position(j)); // expected-warning{{$c.begin() + 1}}
}
void prefix_decrement_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i = c.end();
clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()");
auto j = --i;
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.end() - 1}}
clang_analyzer_express(clang_analyzer_iterator_position(j)); // expected-warning{{$c.end() - 1}}
}
void postfix_increment_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i = c.begin();
clang_analyzer_denote(clang_analyzer_container_begin(c), "$c.begin()");
auto j = i++;
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.begin() + 1}}
clang_analyzer_express(clang_analyzer_iterator_position(j)); // expected-warning{{$c.begin()}}
}
void postfix_decrement_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i = c.end();
clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()");
auto j = i--;
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.end() - 1}}
clang_analyzer_express(clang_analyzer_iterator_position(j)); // expected-warning{{$c.end()}}
}
void plus_equal_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i = c.begin();
clang_analyzer_denote(clang_analyzer_container_begin(c), "$c.begin()");
i += 2;
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.begin() + 2}}
}
void minus_equal_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i = c.end();
clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()");
i -= 2;
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.end() - 2}}
}
void plus_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i1 = c.begin();
clang_analyzer_denote(clang_analyzer_container_begin(c), "$c.begin()");
auto i2 = i1 + 2;
clang_analyzer_eval(clang_analyzer_iterator_container(i2) == &c); // expected-warning{{TRUE}}
clang_analyzer_express(clang_analyzer_iterator_position(i1)); // expected-warning{{$c.begin()}}
clang_analyzer_express(clang_analyzer_iterator_position(i2)); // expected-warning{{$c.begin() + 2}}
}
void minus_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i1 = c.end();
clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()");
auto i2 = i1 - 2;
clang_analyzer_eval(clang_analyzer_iterator_container(i2) == &c); // expected-warning{{TRUE}}
clang_analyzer_express(clang_analyzer_iterator_position(i1)); // expected-warning{{$c.end()}}
clang_analyzer_express(clang_analyzer_iterator_position(i2)); // expected-warning{{$c.end() - 2}}
}
void clang_analyzer_printState(); void clang_analyzer_printState();
void print_state(std::vector<int> &V) { void print_state(std::vector<int> &V) {
const auto i0 = V.cbegin(); const auto i0 = V.cbegin();
const auto i1 = V.cbegin() + 1; const auto i1 = V.cbegin() + 1;
clang_analyzer_printState(); clang_analyzer_printState();
// CHECK: "checker_messages": [ // CHECK: "checker_messages": [
Show All 19 Lines

clang/test/Analysis/iterator-range.cpp

Show First 20 LinesShow All 848 Lines▼ Show 20 Lines
void deref_end_after_pop_back(std::vector<int> &V) { void deref_end_after_pop_back(std::vector<int> &V) {
const auto i = --V.end(); const auto i = --V.end();
V.pop_back(); // expected-note{{Container 'V' shrank from the back by 1 position}} V.pop_back(); // expected-note{{Container 'V' shrank from the back by 1 position}}
*i; // expected-warning{{Past-the-end iterator dereferenced}} *i; // expected-warning{{Past-the-end iterator dereferenced}}
// expected-note@-1{{Past-the-end iterator dereferenced}} // expected-note@-1{{Past-the-end iterator dereferenced}}
} }
template<typename T>
struct cont_with_ptr_iterator {
T* begin() const;
T* end() const;
};
void deref_end_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.end();
(void) *i; // expected-warning{{Past-the-end iterator dereferenced}}
// expected-note@-1{{Past-the-end iterator dereferenced}}
}
void array_deref_end_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.end();
(void) i[0]; // expected-warning{{Past-the-end iterator dereferenced}}
// expected-note@-1{{Past-the-end iterator dereferenced}}
}
void arrow_deref_end_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.end();
(void) i->n; // expected-warning{{Past-the-end iterator dereferenced}}
// expected-note@-1{{Past-the-end iterator dereferenced}}
}
void arrow_star_deref_end_ptr_iterator(const cont_with_ptr_iterator<S> &c,
int S::*p) {
auto i = c.end();
(void)(i->*p); // expected-warning{{Past-the-end iterator dereferenced}}
// expected-note@-1{{Past-the-end iterator dereferenced}}
}
void prefix_incr_end_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.end();
++i; // expected-warning{{Iterator incremented behind the past-the-end iterator}}
// expected-note@-1{{Iterator incremented behind the past-the-end iterator}}
}
void postfix_incr_end_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.end();
i++; // expected-warning{{Iterator incremented behind the past-the-end iterator}}
// expected-note@-1{{Iterator incremented behind the past-the-end iterator}}
}
void prefix_decr_begin_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.begin();
--i; // expected-warning{{Iterator decremented ahead of its valid range}}
// expected-note@-1{{Iterator decremented ahead of its valid range}}
}
void postfix_decr_begin_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.begin();
i--; // expected-warning{{Iterator decremented ahead of its valid range}}
// expected-note@-1{{Iterator decremented ahead of its valid range}}
}
void prefix_add_2_end_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.end();
(void)(i + 2); // expected-warning{{Iterator incremented behind the past-the-end iterator}}
// expected-note@-1{{Iterator incremented behind the past-the-end iterator}}
}
void postfix_add_assign_2_end_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.end();
i += 2; // expected-warning{{Iterator incremented behind the past-the-end iterator}}
// expected-note@-1{{Iterator incremented behind the past-the-end iterator}}
}
void prefix_minus_2_begin_ptr_iterator(const cont_with_ptr_iterator<S> &c) {
auto i = c.begin();
(void)(i - 2); // expected-warning{{Iterator decremented ahead of its valid range}}
// expected-note@-1{{Iterator decremented ahead of its valid range}}
}
void postfix_minus_assign_2_begin_ptr_iterator(
const cont_with_ptr_iterator<S> &c) {
auto i = c.begin();
i -= 2; // expected-warning{{Iterator decremented ahead of its valid range}}
// expected-note@-1{{Iterator decremented ahead of its valid range}}
}

clang/test/Analysis/mismatched-iterator.cpp

Show First 20 LinesShow All 112 Lines▼ Show 20 Linesvoid ignore_conjured1() {
V2.erase(V1.cbegin()); // no-warning V2.erase(V1.cbegin()); // no-warning
} }
void ignore_conjured2() { void ignore_conjured2() {
std::vector<int> &V1 = return_vector_ref(), &V2 = return_vector_ref(); std::vector<int> &V1 = return_vector_ref(), &V2 = return_vector_ref();
if (V1.cbegin() == V2.cbegin()) {} //no-warning if (V1.cbegin() == V2.cbegin()) {} //no-warning
} }
template<typename T>
struct cont_with_ptr_iterator {
T *begin() const;
T *end() const;
};
void comparison_ptr_iterator(cont_with_ptr_iterator<int> &C1,
cont_with_ptr_iterator<int> &C2) {
if (C1.begin() != C2.end()) {} // expected-warning{{Iterators of different containers used where the same container is expected}}
}