This is an archive of the discontinued LLVM Phabricator instance.

Differential D82837

[Analyzer][WebKit] UncountedLambdaCaptureChecker
ClosedPublic

Authored by jkorous on Jun 29 2020, 9:37 PM.

Details

Reviewers
NoQ
vsavchenko
Commits
rG820e8d8656ec: [Analyzer][WebKit] UncountedLambdaCaptureChecker

Diff Detail

Event Timeline

jkorous created this revision.Jun 29 2020, 9:37 PM
Herald added subscribers: ASDenysPetrov, martong, Charusso and 10 others. · View Herald TranscriptJun 29 2020, 9:37 PM
NoQ added a comment.Jun 29 2020, 10:41 PM

Normally this isn't a big deal but in case of this checker i'm veeery curious about the highlighted columns (not just lines) and source ranges. Especially for the implicit case: like, how obvious is it which specific captured variable is problematic? I don't see a better way to test that than making a few FileCheck tests with those ^~~~~~ thingies but i think it's worth at least a couple of such test cases.

You can also add extra source ranges manually with BugReport::addRange.

It's probably also worth it to include the name of the captured variable in the warning message.

jkorous added a comment.Jul 9 2020, 4:29 PM

I know what you mean - actionability of these warnings was my major concern too.

jkorous updated this revision to Diff 276869.Jul 9 2020, 4:31 PM
  • There's actually no reason to not print the name of the variable in either case.
  • I added a test for each explicit/implicit capture and made tests more specific overall.
jkorous updated this revision to Diff 276877.Jul 9 2020, 5:10 PM
jkorous edited the summary of this revision. (Show Details)
  • added documentation
NoQ added a comment.Jul 9 2020, 7:16 PM

That looks much better, thanks! I've a few more tiny annoying nits.

clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedLambdaCapturesChecker.cpp
27

I recommend re-using this string because it's used by multiple checkers already.

We usually keep those in CommonBugCategories.h and CommonBugCategories.cpp.

82

I think it should be fairly easy to automatically figure out whether it's a raw pointer or a reference (?) I think we should get this polished in this patch if possible, because we're instantly turning the checker on by default.

clang/test/Analysis/Checkers/WebKit/uncounted-lambda-captures.cpp
9–10

Oh my, i see what you did here!

I wonder if the second line actually tests the exact position of ^. Because by default {{xxx}} checks that xxx is a substring of the actual warning (in this case, notice). Might need regex matching to actually match the beginning and the end of the line.

16

So it points to the opening brace? I guess that's good enough with the name of the variable present in the warning text but there's room for experimentation - for instance, with some effort we could probably point to the first use of the variable; i'm not sure it's actually going to be much better but at least it'd point to the actual offending code.

35

Maybe let's put this comment inside so that nobody thought that it applies to the rest of the file :)

jkorous marked 2 inline comments as done.Jul 9 2020, 11:30 PM

Oh no - nits are welcome as always!

I agree with you on all of account and will work on it in the morning.

clang/test/Analysis/Checkers/WebKit/uncounted-lambda-captures.cpp
9–10

Oh my, now I see it too :(

More in the response below.

16

Oh no ... [facepalm]

You just proved your point that I am matching just a substring here - in reality (all the handful of cases I've seen) the caret point to the start of the identifier.

I'd be inclined to say that now that we're printing the name of the variable the snippet isn't critical anymore and we might not necessarily have tests for it. But to be honest I am actually not sure if the current behavior (the caret points to the first occurrence of the implicitly captured variable) is defined or not.

I'll think about it - would prefer to not use multi-line regex magic if possible. Maybe I could somehow use serialized diagnostics here?

NoQ added inline comments.Jul 13 2020, 4:55 PM
clang/test/Analysis/Checkers/WebKit/uncounted-lambda-captures.cpp
16

multi-line regex magic

Mmm, i'm thinking of [[ https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html | the usual -verify regex machinery ]], something like // expected-notice-re{{{{^}} ^{{$}}}}.

jkorous updated this revision to Diff 278287.Jul 15 2020, 1:03 PM

I didn't figure out how to match the code snippet with the caret by using -verify. IIUC it supports only {error,warning,remark,note} diagnostics while the code snippet is neither of these.
I took inspiration from clang/test/Misc/caret-diags-multiline.cpp and just use FileCheck %s --strict-whitespace.

jkorous marked 5 inline comments as done.Jul 15 2020, 4:38 PM
jkorous added inline comments.
clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedLambdaCapturesChecker.cpp
27

I'll do this in a separate patch as I need to touch all the other WebKit checkers too.

jkorous updated this revision to Diff 278336.Jul 15 2020, 4:44 PM

distinguish between raw-ptr & reference

jkorous added a comment.Aug 4 2020, 1:24 PM

Friendly ping

NoQ accepted this revision.Aug 4 2020, 7:25 PM
NoQ added a reviewer: vsavchenko.

Whoops! Looks great now, i have no further comments, let's land :)

This revision is now accepted and ready to land.Aug 4 2020, 7:25 PM
Closed by commit rG820e8d8656ec: [Analyzer][WebKit] UncountedLambdaCaptureChecker (authored by jkorous). · Explain WhyAug 5 2020, 4:24 PM
This revision was automatically updated to reflect the committed changes.
jkorous added a commit: rG820e8d8656ec: [Analyzer][WebKit] UncountedLambdaCaptureChecker.
Herald added a project: Restricted Project. · View Herald TranscriptAug 5 2020, 4:24 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
docs/
analyzer/
19 lines
include/
clang/
StaticAnalyzer/
Checkers/
4 lines
lib/
StaticAnalyzer/
Checkers/
1 line
WebKit/
106 lines
test/
Analysis/
Checkers/
WebKit/
44 lines

Diff 283439

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 1,417 Lines▼ Show 20 Lines
}; };
struct Foo { struct Foo {
RefCntbl * ptr; // warn RefCntbl * ptr; // warn
RefCntbl & ptr; // warn RefCntbl & ptr; // warn
// ... // ...
}; };
.. _webkit-UncountedLambdaCapturesChecker:
webkit.UncountedLambdaCapturesChecker
"""""""""""""""""""""""""""""""""""""
Raw pointers and references to uncounted types can't be captured in lambdas. Only ref-counted types are allowed.
.. code-block:: cpp
struct RefCntbl {
void ref() {}
void deref() {}
};
void foo(RefCntbl* a, RefCntbl& b) {
[&, a](){ // warn about 'a'
do_something(b); // warn about 'b'
};
};
.. _alpha-checkers: .. _alpha-checkers:
Experimental Checkers Experimental Checkers
--------------------- ---------------------
*These are checkers with known issues or limitations that keep them from being on by default. They are likely to have false positives. Bug reports and especially patches are welcome.* *These are checkers with known issues or limitations that keep them from being on by default. They are likely to have false positives. Bug reports and especially patches are welcome.*
alpha.clone alpha.clone
▲ Show 20 LinesShow All 1,148 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 1,648 Lines▼ Show 20 Lines
def RefCntblBaseVirtualDtorChecker : Checker<"RefCntblBaseVirtualDtor">, def RefCntblBaseVirtualDtorChecker : Checker<"RefCntblBaseVirtualDtor">,
HelpText<"Check for any ref-countable base class having virtual destructor.">, HelpText<"Check for any ref-countable base class having virtual destructor.">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def NoUncountedMemberChecker : Checker<"NoUncountedMemberChecker">, def NoUncountedMemberChecker : Checker<"NoUncountedMemberChecker">,
HelpText<"Check for no uncounted member variables.">, HelpText<"Check for no uncounted member variables.">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def UncountedLambdaCapturesChecker : Checker<"UncountedLambdaCapturesChecker">,
HelpText<"Check uncounted lambda captures.">,
Documentation<HasDocumentation>;
} // end webkit } // end webkit
let ParentPackage = WebKitAlpha in { let ParentPackage = WebKitAlpha in {
def UncountedCallArgsChecker : Checker<"UncountedCallArgsChecker">, def UncountedCallArgsChecker : Checker<"UncountedCallArgsChecker">,
HelpText<"Check uncounted call arguments.">, HelpText<"Check uncounted call arguments.">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
} // end alpha.webkit } // end alpha.webkit

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 LinesShow All 121 Lines▼ Show 20 Linesadd_clang_library(clangStaticAnalyzerCheckers
VLASizeChecker.cpp VLASizeChecker.cpp
ValistChecker.cpp ValistChecker.cpp
VirtualCallChecker.cpp VirtualCallChecker.cpp
WebKit/NoUncountedMembersChecker.cpp WebKit/NoUncountedMembersChecker.cpp
WebKit/ASTUtils.cpp WebKit/ASTUtils.cpp
WebKit/PtrTypesSemantics.cpp WebKit/PtrTypesSemantics.cpp
WebKit/RefCntblBaseVirtualDtorChecker.cpp WebKit/RefCntblBaseVirtualDtorChecker.cpp
WebKit/UncountedCallArgsChecker.cpp WebKit/UncountedCallArgsChecker.cpp
WebKit/UncountedLambdaCapturesChecker.cpp
LINK_LIBS LINK_LIBS
clangAST clangAST
clangASTMatchers clangASTMatchers
clangAnalysis clangAnalysis
clangBasic clangBasic
clangLex clangLex
clangStaticAnalyzerCore clangStaticAnalyzerCore
DEPENDS DEPENDS
omp_gen omp_gen
) )

clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedLambdaCapturesChecker.cpp

  • This file was added.
//=======- UncountedLambdaCapturesChecker.cpp --------------------*- C++ -*-==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "DiagOutputUtils.h"
#include "PtrTypesSemantics.h"
#include "clang/AST/CXXInheritance.h"
#include "clang/AST/RecursiveASTVisitor.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
using namespace clang;
using namespace ento;
namespace {
class UncountedLambdaCapturesChecker
: public Checker<check::ASTDecl<TranslationUnitDecl>> {
private:
BugType Bug{this, "Lambda capture of uncounted variable",
"WebKit coding guidelines"};
mutable BugReporter *BR;
NoQUnsubmitted
Not Done
ReplyInline Actions

I recommend re-using this string because it's used by multiple checkers already.

We usually keep those in CommonBugCategories.h and CommonBugCategories.cpp.

NoQ: I recommend re-using this string because it's used by multiple checkers already. We usually…
jkorousAuthorUnsubmitted
Done
ReplyInline Actions

I'll do this in a separate patch as I need to touch all the other WebKit checkers too.

jkorous: I'll do this in a separate patch as I need to touch all the other WebKit checkers too.
public:
void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR,
BugReporter &BRArg) const {
BR = &BRArg;
// The calls to checkAST* from AnalysisConsumer don't
// visit template instantiations or lambda classes. We
// want to visit those, so we make our own RecursiveASTVisitor.
struct LocalVisitor : public RecursiveASTVisitor<LocalVisitor> {
const UncountedLambdaCapturesChecker *Checker;
explicit LocalVisitor(const UncountedLambdaCapturesChecker *Checker)
: Checker(Checker) {
assert(Checker);
}
bool shouldVisitTemplateInstantiations() const { return true; }
bool shouldVisitImplicitCode() const { return false; }
bool VisitLambdaExpr(LambdaExpr *L) {
Checker->visitLambdaExpr(L);
return true;
}
};
LocalVisitor visitor(this);
visitor.TraverseDecl(const_cast<TranslationUnitDecl *>(TUD));
}
void visitLambdaExpr(LambdaExpr *L) const {
for (const LambdaCapture &C : L->captures()) {
if (C.capturesVariable()) {
VarDecl *CapturedVar = C.getCapturedVar();
if (auto *CapturedVarType = CapturedVar->getType().getTypePtrOrNull()) {
if (isUncountedPtr(CapturedVarType)) {
reportBug(C, CapturedVar, CapturedVarType);
}
}
}
}
}
void reportBug(const LambdaCapture &Capture, VarDecl *CapturedVar,
const Type *T) const {
assert(CapturedVar);
SmallString<100> Buf;
llvm::raw_svector_ostream Os(Buf);
if (Capture.isExplicit()) {
Os << "Captured ";
} else {
Os << "Implicitly captured ";
}
if (T->isPointerType()) {
NoQUnsubmitted
Done
ReplyInline Actions

I think it should be fairly easy to automatically figure out whether it's a raw pointer or a reference (?) I think we should get this polished in this patch if possible, because we're instantly turning the checker on by default.

NoQ: I think it should be fairly easy to automatically figure out whether it's a raw pointer or a…
Os << "raw-pointer ";
} else {
assert(T->isReferenceType());
Os << "reference ";
}
printQuotedQualifiedName(Os, Capture.getCapturedVar());
Os << " to uncounted type is unsafe.";
PathDiagnosticLocation BSLoc(Capture.getLocation(), BR->getSourceManager());
auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc);
BR->emitReport(std::move(Report));
}
};
} // namespace
void ento::registerUncountedLambdaCapturesChecker(CheckerManager &Mgr) {
Mgr.registerChecker<UncountedLambdaCapturesChecker>();
}
bool ento::shouldRegisterUncountedLambdaCapturesChecker(
const CheckerManager &mgr) {
return true;
}

clang/test/Analysis/Checkers/WebKit/uncounted-lambda-captures.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=webkit.UncountedLambdaCapturesChecker %s 2>&1 | FileCheck %s --strict-whitespace
#include "mock-types.h"
void raw_ptr() {
RefCountable* ref_countable = nullptr;
auto foo1 = [ref_countable](){};
// CHECK: warning: Captured raw-pointer 'ref_countable' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
// CHECK-NEXT:{{^}} auto foo1 = [ref_countable](){};
// CHECK-NEXT:{{^}} ^
auto foo2 = [&ref_countable](){};
NoQUnsubmitted
Not Done
ReplyInline Actions

Oh my, i see what you did here!

I wonder if the second line actually tests the exact position of ^. Because by default {{xxx}} checks that xxx is a substring of the actual warning (in this case, notice). Might need regex matching to actually match the beginning and the end of the line.

NoQ: Oh my, i see what you did here! I wonder if the second line actually tests the exact position…
jkorousAuthorUnsubmitted
Done
ReplyInline Actions

Oh my, now I see it too :(

More in the response below.

jkorous: Oh my, now I see it too :( More in the response below.
// CHECK: warning: Captured raw-pointer 'ref_countable' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
auto foo3 = [&](){ ref_countable = nullptr; };
// CHECK: warning: Implicitly captured raw-pointer 'ref_countable' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
// CHECK-NEXT:{{^}} auto foo3 = [&](){ ref_countable = nullptr; };
// CHECK-NEXT:{{^}} ^
auto foo4 = [=](){ (void) ref_countable; };
NoQUnsubmitted
Done
ReplyInline Actions

So it points to the opening brace? I guess that's good enough with the name of the variable present in the warning text but there's room for experimentation - for instance, with some effort we could probably point to the first use of the variable; i'm not sure it's actually going to be much better but at least it'd point to the actual offending code.

NoQ: So it points to the opening brace? I guess that's good enough with the name of the variable…
jkorousAuthorUnsubmitted
Done
ReplyInline Actions

Oh no ... [facepalm]

You just proved your point that I am matching just a substring here - in reality (all the handful of cases I've seen) the caret point to the start of the identifier.

I'd be inclined to say that now that we're printing the name of the variable the snippet isn't critical anymore and we might not necessarily have tests for it. But to be honest I am actually not sure if the current behavior (the caret points to the first occurrence of the implicitly captured variable) is defined or not.

I'll think about it - would prefer to not use multi-line regex magic if possible. Maybe I could somehow use serialized diagnostics here?

jkorous: Oh no ... [facepalm] You just proved your point that I am matching just a substring here - in…
NoQUnsubmitted
Done
ReplyInline Actions

multi-line regex magic

Mmm, i'm thinking of [[ https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html | the usual -verify regex machinery ]], something like // expected-notice-re{{{{^}} ^{{$}}}}.

NoQ: > multi-line regex magic Mmm, i'm thinking of [[ https://clang.llvm.
// CHECK: warning: Implicitly captured raw-pointer 'ref_countable' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
}
void references() {
RefCountable automatic;
RefCountable& ref_countable_ref = automatic;
auto foo1 = [ref_countable_ref](){};
// CHECK: warning: Captured reference 'ref_countable_ref' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
auto foo2 = [&ref_countable_ref](){};
// CHECK: warning: Captured reference 'ref_countable_ref' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
auto foo3 = [&](){ (void) ref_countable_ref; };
// CHECK: warning: Implicitly captured reference 'ref_countable_ref' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
auto foo4 = [=](){ (void) ref_countable_ref; };
// CHECK: warning: Implicitly captured reference 'ref_countable_ref' to uncounted type is unsafe [webkit.UncountedLambdaCapturesChecker]
}
void quiet() {
// This code is not expected to trigger any warnings.
NoQUnsubmitted
Done
ReplyInline Actions

Maybe let's put this comment inside so that nobody thought that it applies to the rest of the file :)

NoQ: Maybe let's put this comment inside so that nobody thought that it applies to the rest of the…
{
RefCountable automatic;
RefCountable &ref_countable_ref = automatic;
}
auto foo3 = [&]() {};
auto foo4 = [=]() {};
RefCountable *ref_countable = nullptr;
}