This is an archive of the discontinued LLVM Phabricator instance.

Differential D84494

[Analyzer] Use of BugType in DereferenceChecker (NFC).
ClosedPublic

Authored by balazske on Jul 24 2020, 12:23 AM.

Details

Reviewers
Szelethus
martong
NoQ
vsavchenko
Commits
rGb22b97b3d0c0: [Analyzer] Use of BugType in DereferenceChecker (NFC).
Summary

Use of BuiltinBug is replaced by BugType.
Class BuiltinBug seems to have no benefits and is confusing.

Diff Detail

Event Timeline

balazske created this revision.Jul 24 2020, 12:23 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJul 24 2020, 12:23 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript
Harbormaster failed remote builds in B65500: Diff 280345!Jul 24 2020, 12:54 AM
balazske updated this revision to Diff 280385.Jul 24 2020, 3:24 AM

Fixed failed tests because change of bug category from "Logic error" to "Memory error".

Harbormaster completed remote builds in B65523: Diff 280385.Jul 24 2020, 4:27 AM
balazske added a child revision: D84520: [Analyzer] Improve invalid dereference bug reporting in DereferenceChecker..Jul 24 2020, 5:17 AM
martong accepted this revision.Jul 27 2020, 9:07 AM

AFAIK, BuiltinBug is deprecated and we should be using BugType anyway.
LGTM!

This revision is now accepted and ready to land.Jul 27 2020, 9:07 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJul 27 2020, 9:07 AM
Szelethus accepted this revision.Jul 28 2020, 1:13 AM
Szelethus added reviewers: NoQ, vsavchenko.

Lets make sure that we invite others from the community to participate, here and on other patches as well. Otherwise, LGTM.

vsavchenko added inline comments.Jul 28 2020, 1:24 AM
clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
214

Maybe "is definitely null" here? Otherwise it can be pretty confusing with a double negation.

clang/test/Analysis/Inputs/expected-plists/conditional-path-notes.c.plist
270 ↗(On Diff #280385)

I might've missed some discussions on that matter, so please correct me on that.
In my opinion, null pointer dereference is not a memory error. Null address is not a correct memory and never was, so it is a logic error that a special value is being interpreted as the pointer to something.

balazske added inline comments.Jul 28 2020, 2:43 AM
clang/test/Analysis/Inputs/expected-plists/conditional-path-notes.c.plist
270 ↗(On Diff #280385)

I can not decide which is better, "logic error" can be said for almost every possible bug. Here the problem is at least related to memory handling. The reference of undefined pointer value is "logic error" too (it is known that the value was not initialized) but a memory error (try to access invalid or valid but wrong address). Probably "pointer handling error" is better?
(One value for bug category is not a good approach, it is never possible to classify a bug to exactly one.)

NoQ added a comment.Jul 28 2020, 7:04 PM

BuiltinBug is deprecated and we should be using BugType anyway

Like, i've never heard of BuiltinBug being deprecated but i'm pretty happy that it gets removed :)

clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
214

Also this entire comment should be inside the if-statement, on the same level as the next comment.

clang/test/Analysis/Inputs/expected-plists/conditional-path-notes.c.plist
270 ↗(On Diff #280385)

Maybe let's not change it then, if there are no clear pros or cons? Users already got used to it.

balazske updated this revision to Diff 281631.Jul 29 2020, 9:15 AM

Changed MemoryError back to LogicError.
Improved placement and text of changed comment.

balazske marked 2 inline comments as done.Jul 29 2020, 9:17 AM

The category string seems to be not really important, better not to change it.

vsavchenko accepted this revision.Jul 29 2020, 10:12 AM

Awesome, thanks!

NoQ accepted this revision.Jul 29 2020, 10:13 AM

Thank you!

Harbormaster completed remote builds in B66233: Diff 281631.Jul 29 2020, 10:18 AM
Closed by commit rGb22b97b3d0c0: [Analyzer] Use of BugType in DereferenceChecker (NFC). (authored by balazske). · Explain WhyJul 29 2020, 11:30 PM
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rGb22b97b3d0c0: [Analyzer] Use of BugType in DereferenceChecker (NFC)..

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
21 lines

Diff 281805

clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp

Show All 24 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class DereferenceChecker class DereferenceChecker
: public Checker< check::Location, : public Checker< check::Location,
check::Bind, check::Bind,
EventDispatcher<ImplicitNullDerefEvent> > { EventDispatcher<ImplicitNullDerefEvent> > {
mutable std::unique_ptr<BuiltinBug> BT_null; BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};
mutable std::unique_ptr<BuiltinBug> BT_undef; BugType BT_Undef{this, "Dereference of undefined pointer value",
categories::LogicError};
void reportBug(ProgramStateRef State, const Stmt *S, CheckerContext &C) const; void reportBug(ProgramStateRef State, const Stmt *S, CheckerContext &C) const;
public: public:
void checkLocation(SVal location, bool isLoad, const Stmt* S, void checkLocation(SVal location, bool isLoad, const Stmt* S,
CheckerContext &C) const; CheckerContext &C) const;
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
▲ Show 20 LinesShow All 75 Lines▼ Show 20 Lines
void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S, void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
CheckerContext &C) const { CheckerContext &C) const {
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateErrorNode(State); ExplodedNode *N = C.generateErrorNode(State);
if (!N) if (!N)
return; return;
// We know that 'location' cannot be non-null. This is what
// we call an "explicit" null dereference.
if (!BT_null)
BT_null.reset(new BuiltinBug(this, "Dereference of null pointer"));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
SmallVector<SourceRange, 2> Ranges; SmallVector<SourceRange, 2> Ranges;
switch (S->getStmtClass()) { switch (S->getStmtClass()) {
case Stmt::ArraySubscriptExprClass: { case Stmt::ArraySubscriptExprClass: {
os << "Array access"; os << "Array access";
Show All 36 Lines AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),
State.get(), N->getLocationContext(), true); State.get(), N->getLocationContext(), true);
break; break;
} }
default: default:
break; break;
} }
auto report = std::make_unique<PathSensitiveBugReport>( auto report = std::make_unique<PathSensitiveBugReport>(
*BT_null, buf.empty() ? BT_null->getDescription() : StringRef(buf), N); BT_Null, buf.empty() ? BT_Null.getDescription() : StringRef(buf), N);
bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report); bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
for (SmallVectorImpl<SourceRange>::iterator for (SmallVectorImpl<SourceRange>::iterator
I = Ranges.begin(), E = Ranges.end(); I!=E; ++I) I = Ranges.begin(), E = Ranges.end(); I!=E; ++I)
report->addRange(*I); report->addRange(*I);
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S, void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
CheckerContext &C) const { CheckerContext &C) const {
// Check for dereference of an undefined value. // Check for dereference of an undefined value.
if (l.isUndef()) { if (l.isUndef()) {
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_undef)
BT_undef.reset(
new BuiltinBug(this, "Dereference of undefined pointer value"));
auto report = std::make_unique<PathSensitiveBugReport>( auto report = std::make_unique<PathSensitiveBugReport>(
*BT_undef, BT_undef->getDescription(), N); BT_Undef, BT_Undef.getDescription(), N);
bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report); bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
return; return;
} }
DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();
// Check for null dereferences. // Check for null dereferences.
if (!location.getAs<Loc>()) if (!location.getAs<Loc>())
return; return;
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
ProgramStateRef notNullState, nullState; ProgramStateRef notNullState, nullState;
std::tie(notNullState, nullState) = state->assume(location); std::tie(notNullState, nullState) = state->assume(location);
// The explicit NULL case.
if (nullState) { if (nullState) {
vsavchenkoUnsubmitted
Done
ReplyInline Actions

Maybe "is definitely null" here? Otherwise it can be pretty confusing with a double negation.

vsavchenko: Maybe "is definitely null" here? Otherwise it can be pretty confusing with a double negation.
NoQUnsubmitted
Done
ReplyInline Actions

Also this entire comment should be inside the if-statement, on the same level as the next comment.

NoQ: Also this entire comment should be inside the if-statement, on the same level as the next…
if (!notNullState) { if (!notNullState) {
// We know that 'location' can only be null. This is what
// we call an "explicit" null dereference.
const Expr *expr = getDereferenceExpr(S); const Expr *expr = getDereferenceExpr(S);
if (!suppressReport(expr)) { if (!suppressReport(expr)) {
reportBug(nullState, expr, C); reportBug(nullState, expr, C);
return; return;
} }
} }
// Otherwise, we have the case where the location could either be // Otherwise, we have the case where the location could either be
▲ Show 20 LinesShow All 77 LinesShow Last 20 Lines