This is an archive of the discontinued LLVM Phabricator instance.

Differential D85728

[Analyzer] Support for the new variadic isa<> and isa_and_not_null<> in CastValueChecker
ClosedPublic

Authored by baloghadamsoftware on Aug 11 2020, 6:28 AM.

Details

Reviewers
NoQ
Charusso
Szelethus
Commits
rG4448affede51: [analyzer] pr47037: CastValueChecker: Support for the new variadic isa<>.
Summary

llvm::isa<>() and llvm::isa_and_not_null<>() template functions recently became variadic. Unfortunately this causes crashes in case of isa_and_not_null<>() and incorrect behavior in isa<>(). This patch fixes this issue (47037).

Diff Detail

Event Timeline

baloghadamsoftware created this revision.Aug 11 2020, 6:28 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptAug 11 2020, 6:28 AM
Herald added subscribers: ASDenysPetrov, martong, steakhal and 10 others. · View Herald Transcript
baloghadamsoftware requested review of this revision.Aug 11 2020, 6:28 AM
baloghadamsoftware added a comment.EditedAug 11 2020, 6:30 AM

This patch intends to fix bug 47037. It is still work in progress with lots of debug printouts.

I described the issue with this patch at the bug report:

The variadic tests fail because the whole Dyanamic Type library is extremely poor design: it stores the pointers and references as they are instead of the underlying types. Unfortunately, cast<> functions which can take pointers have pointers to SubstTemplateTypeParmType but isa<> functions take everything by reference. Thus they have a reference to a SubstTemplateTypeParmType which contains the pointer. The two will never match even if I unpack the reference for the isa<> functions and get to the pointer itself because I cannot create a new pointer type in the cast<> functions where SubstTemplateTypeParmType is inside the pointer. I did not found any method to remove SubstTemplateTypeParmType from a pointer either.

This results that the test evalNonNullParamNonNullReturnReference() passes only by chance in the original version. Even if I fix the parameter which should have been pointer instead of reference the early exit blocks which use dyn_cast<> store a different "from" type for the casts that we retrieve later at the isa<> calls. This way both true and false branches for the isa<> blocks remain alive. If I extend the tests for variadic templates we are not lucky anymore, the tests fail.

whisperity edited the summary of this revision. (Show Details)Aug 11 2020, 6:30 AM
baloghadamsoftware added a comment.Aug 11 2020, 6:39 AM

My proposal is the following: do not store the casing info between pointers and references but the underlying types themselves. There are two ways to implement this: in the checkers using it (currently only this one) or behind the API of DynamicCastInfo. Maybe the latter is more appropriate.

To be fully correct we should not only change the DynamicCastInfo but also the DynamicTypeInfo: if the dynamic type of an object behind a pointer is known, then it remains the same also if we get a reference from the pointer or substitute a type for a template type parameter with it. (We can create new pointer or reference type using ASTContext.)

baloghadamsoftware retitled this revision from [Analyzer][WIP] Support for the new variadic isa<> and isa_and_nod_null<> in CastValueChecker to [Analyzer][WIP] Support for the new variadic isa<> and isa_and_not_null<> in CastValueChecker.Aug 11 2020, 6:41 AM
Harbormaster completed remote builds in B67888: Diff 284688.Aug 11 2020, 7:50 AM
baloghadamsoftware updated this revision to Diff 284801.Aug 11 2020, 9:54 AM
baloghadamsoftware retitled this revision from [Analyzer][WIP] Support for the new variadic isa<> and isa_and_not_null<> in CastValueChecker to [Analyzer] Support for the new variadic isa<> and isa_and_not_null<> in CastValueChecker.
baloghadamsoftware edited the summary of this revision. (Show Details)

Working version. Debug printouts removed.

baloghadamsoftware added a parent revision: D85752: [Analyzer] Store the pointed/referenced type for dynamic casts.Aug 11 2020, 9:55 AM
NoQ added a comment.Aug 11 2020, 11:18 AM

Thanks!!

Could you also unforget the diff context? >.<

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
270–272

We shouldn't crash when code under analysis doesn't match our expectation.

315

Let's return immediately after the transition instead. Like, generally, it's a good practice to return immediately after a transition if you don't plan any more state splits, because otherwise it's too easy to accidentally introduce unwanted state splits.

482

Looks like a leftover debug print.

gamesh411 added inline comments.Aug 12 2020, 1:10 AM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
265

Do we intentionally skip the last arg with this loop boundary, or is the loop variable just off-by-one?

baloghadamsoftware updated this revision to Diff 285047.Aug 12 2020, 5:16 AM

Updated according to the comments.

baloghadamsoftware marked 3 inline comments as done.Aug 12 2020, 5:19 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
270–272

The question is whether we can get any other template argument kind for llvm::isa<>() and llvm::isa_and_nonnull<>() than Type or Pack?

315

Now I inserted a return but only if this is a known conversion. If this is an assumption, the we should assume every type in the template argument list.

martong added inline comments.Aug 12 2020, 6:48 AM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
270–272

I think it is worth to ponder about the below case. What if isa is used in a dependent context (i.e. it is used inside another template)?

/// The template argument is an expression, and we've not resolved it to one
/// of the other forms yet, either because it's dependent or because we're
/// representing a non-canonical template argument (for instance, in a
/// TemplateSpecializationType).
Expression,
NoQ accepted this revision.Aug 12 2020, 2:13 PM
NoQ added inline comments.
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
270–272

Aha, yup, that's better, thanks.

The question is whether we can get any other template argument kind for llvm::isa<>() and llvm::isa_and_nonnull<>() than Type or Pack?

It's a more general problem: what about a completely unrelated template function that is accidentally called llvm::isa<>() or llvm::isa_and_nonnull<>()? Or what if llvm::isa<>()'s/ llvm::isa_and_nonnull<>()'s implementation changes again? If it's at all possible in any template function, we should take it into account and at least provide an early return, we shouldn't rule out that possibility by looking at the name only.

I think it is worth to ponder about the below case. What if isa is used in a dependent context (i.e. it is used inside another template)?

Ok, this one probably doesn't happen, because we don't ever try to symbolically execute templated ASTs (that aren't fully instantiated).

289

Hmm, is this phabricator's way of displaying tabs?

This revision is now accepted and ready to land.Aug 12 2020, 2:13 PM
whisperity added inline comments.Aug 13 2020, 2:16 AM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
289

I believe it is not displaying tabs, but rather just indicating that the current line changed in a way that only the indentation has changed... instead of marking the old side of the diff red. The HTML element is span.depth-in. A span.depth-out is red, and the arrow points the other way.

But I agree this is a new thing since the version update.

baloghadamsoftware marked 2 inline comments as done.Aug 13 2020, 4:08 AM

@NoQ Thank you for the review. Please also review D85752 after my update and tell me what I have to change there if it is not acceptable yet. This patch depends on that one.

NoQ added inline comments.Aug 15 2020, 3:01 PM
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
289

Aha, ok, nice!

NoQ added a comment.Aug 25 2020, 12:14 PM

Hans is pinging us on Bugzilla because this patch is marked as a release blocker (and i believe that it indeed is). I think we should land these patches.

steakhal added a comment.Aug 25 2020, 12:19 PM
In D85728#2237006, @NoQ wrote:

Hans is pinging us on Bugzilla because this patch is marked as a release blocker (and i believe that it indeed is). I think we should land these patches.

I believe @baloghadamsoftware is on vacation.
I'm sure he won't be mad if you commit on his behalf.

Closed by commit rG4448affede51: [analyzer] pr47037: CastValueChecker: Support for the new variadic isa<>. (authored by baloghadamsoftware, committed by dergachev.a). · Explain WhyAug 27 2020, 12:15 PM
This revision was automatically updated to reflect the committed changes.
dergachev.a added a commit: rG4448affede51: [analyzer] pr47037: CastValueChecker: Support for the new variadic isa<>..
baloghadamsoftware added a comment.Sep 3 2020, 3:15 AM

I was indeed on vacation, so thanks for committing it, @NoQ! I was waiting for agreement for the prerequisite patch then I forgot to notify you that I was going on vacation.

whisperity mentioned this in D71199: [clang-tidy] New check cppcoreguidelines-prefer-member-initializer.Sep 14 2020, 2:50 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
136 lines
test/
Analysis/
Inputs/
18 lines
19 lines
80 lines

Diff 288420

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp

Show First 20 LinesShow All 129 Lines▼ Show 20 Lines return C.getNoteTag(
Out << ' ' << (CastSucceeds ? "is a" : "is not a") << " '" << CastToName Out << ' ' << (CastSucceeds ? "is a" : "is not a") << " '" << CastToName
<< '\''; << '\'';
return std::string(Out.str()); return std::string(Out.str());
}, },
/*IsPrunable=*/true); /*IsPrunable=*/true);
} }
static const NoteTag *getNoteTag(CheckerContext &C,
SmallVector<QualType, 4> CastToTyVec,
const Expr *Object,
bool IsKnownCast) {
Object = Object->IgnoreParenImpCasts();
return C.getNoteTag(
[=]() -> std::string {
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
if (!IsKnownCast)
Out << "Assuming ";
if (const auto *DRE = dyn_cast<DeclRefExpr>(Object)) {
Out << '\'' << DRE->getDecl()->getNameAsString() << '\'';
} else if (const auto *ME = dyn_cast<MemberExpr>(Object)) {
Out << (IsKnownCast ? "Field '" : "field '")
<< ME->getMemberDecl()->getNameAsString() << '\'';
} else {
Out << (IsKnownCast ? "The object" : "the object");
}
Out << " is";
bool First = true;
for (QualType CastToTy: CastToTyVec) {
std::string CastToName =
CastToTy->getAsCXXRecordDecl() ?
CastToTy->getAsCXXRecordDecl()->getNameAsString() :
CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
Out << ' ' << ((CastToTyVec.size() == 1) ? "not" :
(First ? "neither" : "nor")) << " a '" << CastToName
<< '\'';
First = false;
}
return std::string(Out.str());
},
/*IsPrunable=*/true);
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Main logic to evaluate a cast. // Main logic to evaluate a cast.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static QualType alignReferenceTypes(QualType toAlign, QualType alignTowards, static QualType alignReferenceTypes(QualType toAlign, QualType alignTowards,
ASTContext &ACtx) { ASTContext &ACtx) {
if (alignTowards->isLValueReferenceType() && if (alignTowards->isLValueReferenceType() &&
alignTowards.isConstQualified()) { alignTowards.isConstQualified()) {
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Lines
} }
static void addInstanceOfTransition(const CallEvent &Call, static void addInstanceOfTransition(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
ProgramStateRef State, CheckerContext &C, ProgramStateRef State, CheckerContext &C,
bool IsInstanceOf) { bool IsInstanceOf) {
const FunctionDecl *FD = Call.getDecl()->getAsFunction(); const FunctionDecl *FD = Call.getDecl()->getAsFunction();
QualType CastFromTy = Call.parameters()[0]->getType(); QualType CastFromTy = Call.parameters()[0]->getType();
QualType CastToTy = FD->getTemplateSpecializationArgs()->get(0).getAsType(); SmallVector<QualType, 4> CastToTyVec;
for (unsigned idx = 0; idx < FD->getTemplateSpecializationArgs()->size() - 1;
gamesh411Unsubmitted
Not Done
ReplyInline Actions

Do we intentionally skip the last arg with this loop boundary, or is the loop variable just off-by-one?

gamesh411: Do we intentionally skip the last arg with this loop boundary, or is the loop variable just off…
++idx) {
TemplateArgument CastToTempArg =
FD->getTemplateSpecializationArgs()->get(idx);
switch (CastToTempArg.getKind()) {
default:
return;
case TemplateArgument::Type:
NoQUnsubmitted
Done
ReplyInline Actions

We shouldn't crash when code under analysis doesn't match our expectation.

NoQ: We shouldn't crash when code under analysis doesn't match our expectation.
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

The question is whether we can get any other template argument kind for llvm::isa<>() and llvm::isa_and_nonnull<>() than Type or Pack?

baloghadamsoftware: The question is whether we can get any other template argument kind for `llvm::isa<>()` and…
martongUnsubmitted
Not Done
ReplyInline Actions

I think it is worth to ponder about the below case. What if isa is used in a dependent context (i.e. it is used inside another template)?

/// The template argument is an expression, and we've not resolved it to one
/// of the other forms yet, either because it's dependent or because we're
/// representing a non-canonical template argument (for instance, in a
/// TemplateSpecializationType).
Expression,
martong: I think it is worth to ponder about the below case. What if `isa` is used in a dependent…
NoQUnsubmitted
Not Done
ReplyInline Actions

Aha, yup, that's better, thanks.

The question is whether we can get any other template argument kind for llvm::isa<>() and llvm::isa_and_nonnull<>() than Type or Pack?

It's a more general problem: what about a completely unrelated template function that is accidentally called llvm::isa<>() or llvm::isa_and_nonnull<>()? Or what if llvm::isa<>()'s/ llvm::isa_and_nonnull<>()'s implementation changes again? If it's at all possible in any template function, we should take it into account and at least provide an early return, we shouldn't rule out that possibility by looking at the name only.

I think it is worth to ponder about the below case. What if isa is used in a dependent context (i.e. it is used inside another template)?

Ok, this one probably doesn't happen, because we don't ever try to symbolically execute templated ASTs (that aren't fully instantiated).

NoQ: Aha, yup, that's better, thanks. > The question is whether we can get any other template…
CastToTyVec.push_back(CastToTempArg.getAsType());
break;
case TemplateArgument::Pack:
for (TemplateArgument ArgInPack: CastToTempArg.pack_elements())
CastToTyVec.push_back(ArgInPack.getAsType());
break;
}
}
const MemRegion *MR = DV.getAsRegion();
if (MR && CastFromTy->isReferenceType())
MR = State->getSVal(DV.castAs<Loc>()).getAsRegion();
bool Success = false;
bool IsAnyKnown = false;
for (QualType CastToTy: CastToTyVec) {
if (CastFromTy->isPointerType()) if (CastFromTy->isPointerType())
NoQUnsubmitted
Not Done
ReplyInline Actions

Hmm, is this phabricator's way of displaying tabs?

NoQ: Hmm, is this phabricator's way of displaying tabs?
whisperityUnsubmitted
Not Done
ReplyInline Actions

I believe it is not displaying tabs, but rather just indicating that the current line changed in a way that only the indentation has changed... instead of marking the old side of the diff red. The HTML element is span.depth-in. A span.depth-out is red, and the arrow points the other way.

But I agree this is a new thing since the version update.

whisperity: I believe it is not displaying tabs, but rather just indicating that the current line changed…
NoQUnsubmitted
Not Done
ReplyInline Actions

Aha, ok, nice!

NoQ: Aha, ok, nice!
CastToTy = C.getASTContext().getPointerType(CastToTy); CastToTy = C.getASTContext().getPointerType(CastToTy);
else if (CastFromTy->isReferenceType()) else if (CastFromTy->isReferenceType())
CastToTy = alignReferenceTypes(CastToTy, CastFromTy, C.getASTContext()); CastToTy = alignReferenceTypes(CastToTy, CastFromTy, C.getASTContext());
else else
return; return;
const MemRegion *MR = DV.getAsRegion();
const DynamicCastInfo *CastInfo = const DynamicCastInfo *CastInfo =
getDynamicCastInfo(State, MR, CastFromTy, CastToTy); getDynamicCastInfo(State, MR, CastFromTy, CastToTy);
bool CastSucceeds; bool CastSucceeds;
if (CastInfo) if (CastInfo)
CastSucceeds = IsInstanceOf && CastInfo->succeeds(); CastSucceeds = IsInstanceOf && CastInfo->succeeds();
else else
CastSucceeds = IsInstanceOf || CastFromTy == CastToTy; CastSucceeds = IsInstanceOf || CastFromTy == CastToTy;
if (isInfeasibleCast(CastInfo, CastSucceeds)) {
C.generateSink(State, C.getPredecessor());
return;
}
// Store the type and the cast information. // Store the type and the cast information.
bool IsKnownCast = CastInfo || CastFromTy == CastToTy; bool IsKnownCast = CastInfo || CastFromTy == CastToTy;
IsAnyKnown = IsAnyKnown || IsKnownCast;
ProgramStateRef NewState = State;
if (!IsKnownCast) if (!IsKnownCast)
State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy, NewState = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy,
IsInstanceOf); IsInstanceOf);
if (CastSucceeds) {
Success = true;
C.addTransition( C.addTransition(
NoQUnsubmitted
Done
ReplyInline Actions

Let's return immediately after the transition instead. Like, generally, it's a good practice to return immediately after a transition if you don't plan any more state splits, because otherwise it's too easy to accidentally introduce unwanted state splits.

NoQ: Let's return immediately after the transition instead. Like, generally, it's a good practice to…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

Now I inserted a return but only if this is a known conversion. If this is an assumption, the we should assume every type in the template argument list.

baloghadamsoftware: Now I inserted a return but only if this is a known conversion. If this is an assumption, the…
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), NewState->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
C.getSValBuilder().makeTruthVal(CastSucceeds)), C.getSValBuilder().makeTruthVal(true)),
getNoteTag(C, CastInfo, CastToTy, Call.getArgExpr(0), CastSucceeds, getNoteTag(C, CastInfo, CastToTy, Call.getArgExpr(0), true,
IsKnownCast)); IsKnownCast));
if (IsKnownCast)
return;
} else if (CastInfo && CastInfo->succeeds()) {
C.generateSink(NewState, C.getPredecessor());
return;
}
}
if (!Success) {
C.addTransition(
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
C.getSValBuilder().makeTruthVal(false)),
getNoteTag(C, CastToTyVec, Call.getArgExpr(0), IsAnyKnown));
}
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null. // Evaluating cast, dyn_cast, cast_or_null, dyn_cast_or_null.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static void evalNonNullParamNonNullReturn(const CallEvent &Call, static void evalNonNullParamNonNullReturn(const CallEvent &Call,
DefinedOrUnknownSVal DV, DefinedOrUnknownSVal DV,
▲ Show 20 LinesShow All 132 Lines▼ Show 20 Linesbool CastValueChecker::evalCall(const CallEvent &Call,
switch (Kind) { switch (Kind) {
case CallKind::Function: { case CallKind::Function: {
// We only model casts from pointers to pointers or from references // We only model casts from pointers to pointers or from references
// to references. Other casts are most likely specialized and we // to references. Other casts are most likely specialized and we
// cannot model them. // cannot model them.
QualType ParamT = Call.parameters()[0]->getType(); QualType ParamT = Call.parameters()[0]->getType();
QualType ResultT = Call.getResultType(); QualType ResultT = Call.getResultType();
if (!(ParamT->isPointerType() && ResultT->isPointerType()) && if (!(ParamT->isPointerType() && ResultT->isPointerType()) &&
!(ParamT->isReferenceType() && ResultT->isReferenceType())) !(ParamT->isReferenceType() && ResultT->isReferenceType())) {
NoQUnsubmitted
Done
ReplyInline Actions

Looks like a leftover debug print.

NoQ: Looks like a leftover debug print.
return false; return false;
}
DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>(); DV = Call.getArgSVal(0).getAs<DefinedOrUnknownSVal>();
break; break;
} }
case CallKind::InstanceOf: { case CallKind::InstanceOf: {
// We need to obtain the only template argument to determinte the type. // We need to obtain the only template argument to determinte the type.
const FunctionDecl *FD = Call.getDecl()->getAsFunction(); const FunctionDecl *FD = Call.getDecl()->getAsFunction();
if (!FD || !FD->getTemplateSpecializationArgs()) if (!FD || !FD->getTemplateSpecializationArgs())
Show All 33 Lines

clang/test/Analysis/Inputs/llvm.h

Show All 13 Lines
template <class X, class Y> template <class X, class Y>
const X *cast_or_null(Y Value); const X *cast_or_null(Y Value);
template <class X, class Y> template <class X, class Y>
const X *dyn_cast_or_null(Y *Value); const X *dyn_cast_or_null(Y *Value);
template <class X, class Y> template <class X, class Y>
const X *dyn_cast_or_null(Y &Value); const X *dyn_cast_or_null(Y &Value);
template <class X, class Y> template <class X, class Y> inline bool isa(const Y &Val);
bool isa(Y Value);
template <class X, class Y> template <typename First, typename Second, typename... Rest, typename Y>
bool isa_and_nonnull(Y Value); inline bool isa(const Y &Val) {
return isa<First>(Val) || isa<Second, Rest...>(Val);
}
template <typename... X, class Y>
inline bool isa_and_nonnull(const Y &Val) {
if (!Val)
return false;
return isa<X...>(Val);
}
template <typename X, typename Y> template <typename X, typename Y>
std::unique_ptr<X> cast(std::unique_ptr<Y> &&Value); std::unique_ptr<X> cast(std::unique_ptr<Y> &&Value);
} // namespace llvm } // namespace llvm

clang/test/Analysis/cast-value-logic.cpp

Show All 13 Linesstruct Shape {
const T *castAs() const; const T *castAs() const;
template <typename T> template <typename T>
const T *getAs() const; const T *getAs() const;
virtual double area(); virtual double area();
}; };
class Triangle : public Shape {}; class Triangle : public Shape {};
class Rectangle : public Shape {};
class Hexagon : public Shape {};
class Circle : public Shape { class Circle : public Shape {
public: public:
~Circle(); ~Circle();
}; };
class SuspiciouslySpecificCircle : public Circle {}; class SuspiciouslySpecificCircle : public Circle {};
} // namespace clang } // namespace clang
using namespace llvm; using namespace llvm;
using namespace clang; using namespace clang;
void test_regions_dyn_cast(const Shape *A, const Shape *B) { void test_regions_dyn_cast(const Shape *A, const Shape *B) {
if (dyn_cast<Circle>(A) && !dyn_cast<Circle>(B)) if (dyn_cast<Circle>(A) && !dyn_cast<Circle>(B))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}} clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
} }
void test_regions_isa(const Shape *A, const Shape *B) { void test_regions_isa(const Shape *A, const Shape *B) {
if (isa<Circle>(A) && !isa<Circle>(B)) if (isa<Circle>(A) && !isa<Circle>(B))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}} clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
} }
void test_regions_isa_variadic(const Shape *A, const Shape *B) {
if (isa<Triangle, Rectangle, Hexagon>(A) &&
!isa<Rectangle, Hexagon, Circle>(B))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
void test_regions_isa_and_nonnull(const Shape *A, const Shape *B) {
if (isa_and_nonnull<Circle>(A) && !isa_and_nonnull<Circle>(B))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
void test_regions_isa_and_nonnull_variadic(const Shape *A, const Shape *B) {
if (isa_and_nonnull<Triangle, Rectangle, Hexagon>(A) &&
!isa_and_nonnull<Rectangle, Hexagon, Circle>(B))
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
}
namespace test_cast { namespace test_cast {
void evalLogic(const Shape *S) { void evalLogic(const Shape *S) {
const Circle *C = cast<Circle>(S); const Circle *C = cast<Circle>(S);
clang_analyzer_numTimesReached(); // expected-warning {{1}} clang_analyzer_numTimesReached(); // expected-warning {{1}}
if (S && C) if (S && C)
clang_analyzer_eval(C == S); // expected-warning {{TRUE}} clang_analyzer_eval(C == S); // expected-warning {{TRUE}}
▲ Show 20 LinesShow All 113 LinesShow Last 20 Lines

clang/test/Analysis/cast-value-notes.cpp

// RUN: %clang_analyze_cc1 -std=c++14 \ // RUN: %clang_analyze_cc1 -std=c++14 \
// RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\ // RUN: -analyzer-checker=core,apiModeling.llvm.CastValue,debug.ExprInspection\
// RUN: -analyzer-output=text -verify %s // RUN: -analyzer-output=text -verify %s
#include "Inputs/llvm.h" #include "Inputs/llvm.h"
namespace clang { namespace clang {
struct Shape { struct Shape {
template <typename T> template <typename T>
const T *castAs() const; const T *castAs() const;
template <typename T> template <typename T>
const T *getAs() const; const T *getAs() const;
}; };
class Triangle : public Shape {}; class Triangle : public Shape {};
class Rectangle : public Shape {};
class Hexagon : public Shape {};
class Circle : public Shape {}; class Circle : public Shape {};
} // namespace clang } // namespace clang
using namespace llvm; using namespace llvm;
using namespace clang; using namespace clang;
void evalReferences(const Shape &S) { void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S); const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
} }
void evalNonNullParamNonNullReturnReference(const Shape &S) { void evalNonNullParamNonNullReturnReference(const Shape &S) {
// Unmodeled cast from reference to pointer.
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{'C' initialized here}} // expected-note@-1 {{'C' initialized here}}
if (!dyn_cast_or_null<Circle>(C)) { if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{'C' is a 'Circle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Triangle>(C)) { if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}} // expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Rectangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (dyn_cast_or_null<Hexagon>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (isa<Triangle>(C)) { if (isa<Triangle>(C)) {
// expected-note@-1 {{'C' is not a 'Triangle'}} // expected-note@-1 {{'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (isa<Circle>(C)) { if (isa<Triangle, Rectangle>(C)) {
// expected-note@-1 {{'C' is neither a 'Triangle' nor a 'Rectangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (isa<Triangle, Rectangle, Hexagon>(C)) {
// expected-note@-1 {{'C' is neither a 'Triangle' nor a 'Rectangle' nor a 'Hexagon'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (isa<Circle, Rectangle, Hexagon>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{'C' is a 'Circle'}}
// expected-note@-2 {{Taking true branch}} // expected-note@-2 {{Taking true branch}}
(void)(1 / !C); (void)(1 / !C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
} }
void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = cast<Circle>(S); const auto *C = cast<Circle>(S);
// expected-note@-1 {{'S' is a 'Circle'}} // expected-note@-1 {{'S' is a 'Circle'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
if (!isa<Triangle>(C)) { if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{Assuming 'C' is a 'Triangle'}} // expected-note@-1 {{'C' is a 'Circle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (dyn_cast_or_null<Rectangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (dyn_cast_or_null<Hexagon>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (!isa<Triangle>(C)) { if (isa<Triangle>(C)) {
// expected-note@-1 {{'C' is a 'Triangle'}} // expected-note@-1 {{'C' is not a 'Triangle'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (isa<Triangle, Rectangle>(C)) {
// expected-note@-1 {{'C' is neither a 'Triangle' nor a 'Rectangle'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (isa<Triangle, Rectangle, Hexagon>(C)) {
// expected-note@-1 {{'C' is neither a 'Triangle' nor a 'Rectangle' nor a 'Hexagon'}}
// expected-note@-2 {{Taking false branch}}
return;
}
if (isa<Circle, Rectangle, Hexagon>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}}
// expected-note@-2 {{Taking true branch}}
(void)(1 / !C); (void)(1 / !C);
// expected-note@-1 {{'C' is non-null}} // expected-note@-1 {{'C' is non-null}}
// expected-note@-2 {{Division by zero}} // expected-note@-2 {{Division by zero}}
// expected-warning@-3 {{Division by zero}} // expected-warning@-3 {{Division by zero}}
} }
}
void evalNonNullParamNullReturn(const Shape *S) { void evalNonNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
if (const auto *T = dyn_cast_or_null<Triangle>(S)) { if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}} // expected-note@-1 {{Assuming 'S' is a 'Triangle'}}
// expected-note@-2 {{'T' initialized here}} // expected-note@-2 {{'T' initialized here}}
▲ Show 20 LinesShow All 63 LinesShow Last 20 Lines