This is an archive of the discontinued LLVM Phabricator instance.

Differential D85351

[Analyzer] Fix for `ExprEngine::computeObjectUnderConstruction()` for base and delegating consturctor initializers
ClosedPublic

Authored by baloghadamsoftware on Aug 5 2020, 12:45 PM.

Details

Reviewers
NoQ
vsavchenko
Szelethus
Commits
rGfacad21b2983: [Analyzer] Fix for `ExprEngine::computeObjectUnderConstruction()` for base and…
Summary

For /C++/ constructor initializers ExprEngine:computeUnderConstruction() asserts that they are all member initializers. This is not neccessarily true when this function is used to get the return value for the construction context thus attempts to fetch return values of base and delegating constructor initializers result in assertions. This small patch fixes this issue.

Diff Detail

Event Timeline

baloghadamsoftware created this revision.Aug 5 2020, 12:45 PM
Herald added a reviewer: Szelethus. · View Herald TranscriptAug 5 2020, 12:45 PM
Herald added subscribers: ASDenysPetrov, martong, steakhal and 9 others. · View Herald Transcript
baloghadamsoftware requested review of this revision.Aug 5 2020, 12:45 PM
baloghadamsoftware added a child revision: D77229: [Analyzer][NFC] Avoid handling of LazyCompundVals in IteratorModeling.
Harbormaster completed remote builds in B67174: Diff 283355.Aug 5 2020, 2:16 PM
baloghadamsoftware added a comment.Aug 13 2020, 4:09 AM

@NoQ Could you please take a look on this one? It is a fix of my earlier work.

Szelethus added a comment.Aug 13 2020, 6:05 AM

Shouldn't we create a new test care for this, instead of expanding an existing one? Btw, this looks great, but I lack the confidence to accept.

baloghadamsoftware added a comment.Aug 31 2020, 1:27 AM
In D85351#2215547, @Szelethus wrote:

Shouldn't we create a new test care for this, instead of expanding an existing one? Btw, this looks great, but I lack the confidence to accept.

Why should we? This is just a fix for cases not covered, but it is the same functionality (retrieving the return value under construction). I added the missed cases to the test of this exact functionality.

Herald added a subscriber: danielkiss. · View Herald TranscriptAug 31 2020, 1:27 AM
Szelethus added a comment.Aug 31 2020, 2:43 AM
In D85351#2247037, @baloghadamsoftware wrote:
In D85351#2215547, @Szelethus wrote:

Shouldn't we create a new test care for this, instead of expanding an existing one? Btw, this looks great, but I lack the confidence to accept.

Why should we? This is just a fix for cases not covered, but it is the same functionality (retrieving the return value under construction). I added the missed cases to the test of this exact functionality.

I think its a bad experience if you break something while developing. Instead of getting a test failure for "delegating constructor initializers", you'll have to deal with a test that handles a variety of things at once, and are forced to tease it apart to find what just broke. When the introduced assert fires, this wouldn't be an issue, but in any non-crashing case it might be.

baloghadamsoftware added a comment.Sep 2 2020, 7:12 AM
In D85351#2247095, @Szelethus wrote:

I think its a bad experience if you break something while developing. Instead of getting a test failure for "delegating constructor initializers", you'll have to deal with a test that handles a variety of things at once, and are forced to tease it apart to find what just broke. When the introduced assert fires, this wouldn't be an issue, but in any non-crashing case it might be.

This is a crashing case.

baloghadamsoftware added a comment.Sep 2 2020, 7:13 AM

@NoQ could you please take a look on this short fix?

baloghadamsoftware updated this revision to Diff 289703.Sep 3 2020, 6:31 AM

Tests separated.

Szelethus added a comment.Sep 7 2020, 1:24 AM

The tests look great, thanks! I still lack the confidence to accept, unfortunately.

Szelethus mentioned this in D76590: [Analyzer] Model `empty()` member function of containers.Sep 7 2020, 3:19 AM
NoQ added inline comments.Sep 8 2020, 12:43 PM
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
138–139

For base initializer you probably want the base class region. It may have a non-trivial offset and it also has the correct type and extent.

baloghadamsoftware updated this revision to Diff 290917.Sep 10 2020, 2:51 AM

Fix for base constructors, test extended.

baloghadamsoftware marked an inline comment as done.Sep 10 2020, 2:53 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
138–139

Thank you for noticing this! You are completely right! Now I extended the tests with comparing the type of the returned region with the type of the expression. It failed when I just returned ThisVal but it passes with the fixed code.

NoQ accepted this revision.Sep 21 2020, 10:50 PM

Aha, yup, thanks, this looks good!

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
146

Whitespace?

378

Let's add some reasoning, eg. "Base and delegating initializers handled above"?

This revision is now accepted and ready to land.Sep 21 2020, 10:50 PM
Closed by commit rGfacad21b2983: [Analyzer] Fix for `ExprEngine::computeObjectUnderConstruction()` for base and… (authored by baloghadamsoftware). · Explain WhySep 25 2020, 4:28 AM
This revision was automatically updated to reflect the committed changes.
baloghadamsoftware marked an inline comment as done.
baloghadamsoftware added a commit: rGfacad21b2983: [Analyzer] Fix for `ExprEngine::computeObjectUnderConstruction()` for base and….

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
17 lines
unittests/
StaticAnalyzer/
83 lines

Diff 294273

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 126 Lines▼ Show 20 Lines case ConstructionContext::SimpleVariableKind: {
QualType Ty = Var->getType(); QualType Ty = Var->getType();
return makeZeroElementRegion(State, State->getLValue(Var, LCtx), Ty, return makeZeroElementRegion(State, State->getLValue(Var, LCtx), Ty,
CallOpts.IsArrayCtorOrDtor); CallOpts.IsArrayCtorOrDtor);
} }
case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind: case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind:
case ConstructionContext::SimpleConstructorInitializerKind: { case ConstructionContext::SimpleConstructorInitializerKind: {
const auto *ICC = cast<ConstructorInitializerConstructionContext>(CC); const auto *ICC = cast<ConstructorInitializerConstructionContext>(CC);
const auto *Init = ICC->getCXXCtorInitializer(); const auto *Init = ICC->getCXXCtorInitializer();
assert(Init->isAnyMemberInitializer());
const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl()); const CXXMethodDecl *CurCtor = cast<CXXMethodDecl>(LCtx->getDecl());
Loc ThisPtr = SVB.getCXXThis(CurCtor, LCtx->getStackFrame()); Loc ThisPtr = SVB.getCXXThis(CurCtor, LCtx->getStackFrame());
SVal ThisVal = State->getSVal(ThisPtr); SVal ThisVal = State->getSVal(ThisPtr);
if (Init->isBaseInitializer()) {
const auto *ThisReg = cast<SubRegion>(ThisVal.getAsRegion());
NoQUnsubmitted
Done
ReplyInline Actions

For base initializer you probably want the base class region. It may have a non-trivial offset and it also has the correct type and extent.

NoQ: For base initializer you probably want the base class region. It may have a non-trivial offset…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Thank you for noticing this! You are completely right! Now I extended the tests with comparing the type of the returned region with the type of the expression. It failed when I just returned ThisVal but it passes with the fixed code.

baloghadamsoftware: Thank you for noticing this! You are completely right! Now I extended the tests with comparing…
const CXXRecordDecl *BaseClass =
Init->getBaseClass()->getAsCXXRecordDecl();
const auto *BaseReg =
MRMgr.getCXXBaseObjectRegion(BaseClass, ThisReg,
Init->isBaseVirtual());
return SVB.makeLoc(BaseReg);
}
NoQUnsubmitted
Not Done
ReplyInline Actions

Whitespace?

NoQ: Whitespace?
if (Init->isDelegatingInitializer())
return ThisVal;
const ValueDecl *Field; const ValueDecl *Field;
SVal FieldVal; SVal FieldVal;
if (Init->isIndirectMemberInitializer()) { if (Init->isIndirectMemberInitializer()) {
Field = Init->getIndirectMember(); Field = Init->getIndirectMember();
FieldVal = State->getLValue(Init->getIndirectMember(), ThisVal); FieldVal = State->getLValue(Init->getIndirectMember(), ThisVal);
} else { } else {
Field = Init->getMember(); Field = Init->getMember();
▲ Show 20 LinesShow All 212 Lines▼ Show 20 LinesProgramStateRef ExprEngine::updateObjectsUnderConstruction(
case ConstructionContext::CXX17ElidedCopyVariableKind: case ConstructionContext::CXX17ElidedCopyVariableKind:
case ConstructionContext::SimpleVariableKind: { case ConstructionContext::SimpleVariableKind: {
const auto *DSCC = cast<VariableConstructionContext>(CC); const auto *DSCC = cast<VariableConstructionContext>(CC);
return addObjectUnderConstruction(State, DSCC->getDeclStmt(), LCtx, V); return addObjectUnderConstruction(State, DSCC->getDeclStmt(), LCtx, V);
} }
case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind: case ConstructionContext::CXX17ElidedCopyConstructorInitializerKind:
case ConstructionContext::SimpleConstructorInitializerKind: { case ConstructionContext::SimpleConstructorInitializerKind: {
const auto *ICC = cast<ConstructorInitializerConstructionContext>(CC); const auto *ICC = cast<ConstructorInitializerConstructionContext>(CC);
const auto *Init = ICC->getCXXCtorInitializer();
// Base and delegating initializers handled above
NoQUnsubmitted
Not Done
ReplyInline Actions

Let's add some reasoning, eg. "Base and delegating initializers handled above"?

NoQ: Let's add some reasoning, eg. "Base and delegating initializers handled above"?
assert(Init->isAnyMemberInitializer() &&
"Base and delegating initializers should have been handled by"
"computeObjectUnderConstruction()");
return addObjectUnderConstruction(State, ICC->getCXXCtorInitializer(), return addObjectUnderConstruction(State, ICC->getCXXCtorInitializer(),
LCtx, V); LCtx, V);
} }
case ConstructionContext::NewAllocatedObjectKind: { case ConstructionContext::NewAllocatedObjectKind: {
return State; return State;
} }
case ConstructionContext::SimpleReturnedValueKind: case ConstructionContext::SimpleReturnedValueKind:
case ConstructionContext::CXX17ElidedCopyReturnedValueKind: { case ConstructionContext::CXX17ElidedCopyReturnedValueKind: {
▲ Show 20 LinesShow All 651 LinesShow Last 20 Lines

clang/unittests/StaticAnalyzer/TestReturnValueUnderConstruction.cpp

Show All 17 Lines
namespace clang { namespace clang {
namespace ento { namespace ento {
namespace { namespace {
class TestReturnValueUnderConstructionChecker class TestReturnValueUnderConstructionChecker
: public Checker<check::PostCall> { : public Checker<check::PostCall> {
public: public:
void checkPostCall(const CallEvent &Call, CheckerContext &C) const { void checkPostCall(const CallEvent &Call, CheckerContext &C) const {
// Only calls with origin expression are checked. These are `returnC()` // Only calls with origin expression are checked. These are `returnC()`,
// and C::C(). // `returnD()`, C::C() and D::D().
if (!Call.getOriginExpr()) if (!Call.getOriginExpr())
return; return;
// Since `returnC` returns an object by value, the invocation results // Since `returnC` returns an object by value, the invocation results
// in an object of type `C` constructed into variable `c`. Thus the // in an object of type `C` constructed into variable `c`. Thus the
// return value of `CallEvent::getReturnValueUnderConstruction()` must // return value of `CallEvent::getReturnValueUnderConstruction()` must
// be non-empty and has to be a `MemRegion`. // be non-empty and has to be a `MemRegion`.
Optional<SVal> RetVal = Call.getReturnValueUnderConstruction(); Optional<SVal> RetVal = Call.getReturnValueUnderConstruction();
ASSERT_TRUE(RetVal); ASSERT_TRUE(RetVal);
ASSERT_TRUE(RetVal->getAsRegion()); ASSERT_TRUE(RetVal->getAsRegion());
const auto *RetReg = cast<TypedValueRegion>(RetVal->getAsRegion());
const Expr *OrigExpr = Call.getOriginExpr();
ASSERT_EQ(OrigExpr->getType(), RetReg->getValueType());
} }
}; };
void addTestReturnValueUnderConstructionChecker( void addTestReturnValueUnderConstructionChecker(
AnalysisASTConsumer &AnalysisConsumer, AnalyzerOptions &AnOpts) { AnalysisASTConsumer &AnalysisConsumer, AnalyzerOptions &AnOpts) {
AnOpts.CheckersAndPackages = AnOpts.CheckersAndPackages =
{{"test.TestReturnValueUnderConstruction", true}}; {{"test.TestReturnValueUnderConstruction", true}};
AnalysisConsumer.AddCheckerRegistrationFn([](CheckerRegistry &Registry) { AnalysisConsumer.AddCheckerRegistrationFn([](CheckerRegistry &Registry) {
Registry.addChecker<TestReturnValueUnderConstructionChecker>( Registry.addChecker<TestReturnValueUnderConstructionChecker>(
"test.TestReturnValueUnderConstruction", "", ""); "test.TestReturnValueUnderConstruction", "", "");
}); });
} }
TEST(TestReturnValueUnderConstructionChecker, TEST(TestReturnValueUnderConstructionChecker,
ReturnValueUnderConstructionChecker) { ReturnValueUnderConstructionChecker) {
EXPECT_TRUE(runCheckerOnCode<addTestReturnValueUnderConstructionChecker>( EXPECT_TRUE(runCheckerOnCode<addTestReturnValueUnderConstructionChecker>(
R"(class C { R"(class C {
public: public:
C(int nn): n(nn) {} C(int nn): n(nn) {}
virtual ~C() {} virtual ~C() {}
private: private:
int n; int n;
}; };
C returnC(int m) { C returnC(int m) {
C c(m); C c(m);
return c; return c;
} }
void foo() { void foo() {
C c = returnC(1); C c = returnC(1);
})")); })"));
EXPECT_TRUE(runCheckerOnCode<addTestReturnValueUnderConstructionChecker>(
R"(class C {
public:
C(int nn): n(nn) {}
explicit C(): C(0) {}
virtual ~C() {}
private:
int n;
};
C returnC() {
C c;
return c;
}
void foo() {
C c = returnC();
})"));
EXPECT_TRUE(runCheckerOnCode<addTestReturnValueUnderConstructionChecker>(
R"(class C {
public:
C(int nn): n(nn) {}
virtual ~C() {}
private:
int n;
};
class D: public C {
public:
D(int nn): C(nn) {}
virtual ~D() {}
};
D returnD(int m) {
D d(m);
return d;
}
void foo() {
D d = returnD(1);
})"));
} }
} // namespace } // namespace
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang