This is an archive of the discontinued LLVM Phabricator instance.

void foo(std::unique_ptr<A> p) {
  A *x = p.get();
  A *y = p.get();
  clang_analyzer_eval(x == y); // expected-warning{{TRUE}}
  if (!x) {
    y->foo(); // expected-warning{{Called C++ object pointer is null}}
  }
}

This revision is now accepted and ready to land.Aug 15 2020, 6:33 PM

xazax.hun accepted this revision.Aug 17 2020, 3:55 AM

xazax.hun added inline comments.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
362–363	You mean the case where we do not have an inner pointer registered in the state yet, right? I believe we might also have to handle similar cases for `operator bool()` as well.

Using conjureSymbolVal in case of missing inner pointer value

vrnithinkumar marked 2 inline comments as done.Aug 19 2020, 3:36 PM

vrnithinkumar added inline comments.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
362–363	Added the above test case. Using conjureSymbolVal in case of missing inner pointer value
362–363	void foo(std::unique_ptr<A> P) { A X = P.get(); if (!X) { P->foo(); // expected-warning {{Dereference of null smart pointer 'Pl' [alpha.cplusplus.SmartPtr]}} } } I was trying to add the above use case. Since we are using conjureSymbolVal in case of missing inner pointer value. But still the inner pointer value is constrained to [0, 0] in false branch, `InnerPointVal->isZeroConstant()` returning false. Also I tried `State->isNull(InnerPointVal).isConstrainedTrue();` This is also not working. How should we check whether the conjureSymbolVal for inner pointer value is constrained to [0, 0]?

Harbormaster completed remote builds in B68954: Diff 286675.Aug 19 2020, 3:59 PM

This patch looks correct to me at a glance. I think we should land it as is and debug/improve later.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
362–363	How should we check whether the conjureSymbolVal for inner pointer value is constrained to [0, 0]? View exploded graphs. That's literally the only reasonable answer to every such question. In particular, it shows you constraints for all symbols at every moment of time, and given that you implemented `printState()` it also shows you inner pointer values that you keep track of at every moment of time. Check if it's still the same symbol. Check that the symbol lives long enough - or does it get forgotten about in the middle? - if so you might need to get your `checkLiveSymbols` callback right. Please let us know if you still can't seem to debug it on your own.

Closed by commit rG55208f5a2126: [analyzer] Add modeling for unque_ptr::get() (authored by vrnithinkumar). · Explain WhyAug 23 2020, 5:51 AM

This revision was automatically updated to reflect the committed changes.

vrnithinkumar added a commit: rG55208f5a2126: [analyzer] Add modeling for unque_ptr::get().

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

SmartPtrModeling.cpp

31 lines

test/

Analysis/

smart-ptr-text-output.cpp

15 lines

smart-ptr.cpp

24 lines

Diff 287253

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

Show First 20 Lines • Show All 50 Lines • ▼ Show 20 Lines	checkRegionChanges(ProgramStateRef State,
ArrayRef<const MemRegion *> ExplicitRegions,		ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions,		ArrayRef<const MemRegion *> Regions,
const LocationContext LCtx, const CallEvent Call) const;		const LocationContext LCtx, const CallEvent Call) const;

private:		private:
void handleReset(const CallEvent &Call, CheckerContext &C) const;		void handleReset(const CallEvent &Call, CheckerContext &C) const;
void handleRelease(const CallEvent &Call, CheckerContext &C) const;		void handleRelease(const CallEvent &Call, CheckerContext &C) const;
void handleSwap(const CallEvent &Call, CheckerContext &C) const;		void handleSwap(const CallEvent &Call, CheckerContext &C) const;
		void handleGet(const CallEvent &Call, CheckerContext &C) const;

using SmartPtrMethodHandlerFn =		using SmartPtrMethodHandlerFn =
void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const;		void (SmartPtrModeling::*)(const CallEvent &Call, CheckerContext &) const;
CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{		CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{
{{"reset"}, &SmartPtrModeling::handleReset},		{{"reset"}, &SmartPtrModeling::handleReset},
{{"release"}, &SmartPtrModeling::handleRelease},		{{"release"}, &SmartPtrModeling::handleRelease},
{{"swap", 1}, &SmartPtrModeling::handleSwap}};		{{"swap", 1}, &SmartPtrModeling::handleSwap},
		{{"get"}, &SmartPtrModeling::handleGet}};
};		};
} // end of anonymous namespace		} // end of anonymous namespace

REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, SVal)		REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, SVal)

// Define the inter-checker API.		// Define the inter-checker API.
namespace clang {		namespace clang {
namespace ento {		namespace ento {
▲ Show 20 Lines • Show All 266 Lines • ▼ Show 20 Lines	C.addTransition(
BR.markInteresting(ArgRegion);		BR.markInteresting(ArgRegion);
OS << "Swapped null smart pointer ";		OS << "Swapped null smart pointer ";
ArgRegion->printPretty(OS);		ArgRegion->printPretty(OS);
OS << " with smart pointer ";		OS << " with smart pointer ";
ThisRegion->printPretty(OS);		ThisRegion->printPretty(OS);
}));		}));
}		}

		void SmartPtrModeling::handleGet(const CallEvent &Call,
		CheckerContext &C) const {
		ProgramStateRef State = C.getState();
		const auto *IC = dyn_cast<CXXInstanceCall>(&Call);
		if (!IC)
		return;

		const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
		if (!ThisRegion)
		return;

		SVal InnerPointerVal;
		if (const auto *InnerValPtr = State->get<TrackedRegionMap>(ThisRegion)) {
		InnerPointerVal = *InnerValPtr;
		NoQUnsubmitted Done Reply Inline Actions You'll have to actively handle this case, sooner or later. Consider the following test cases that won't work until you do: void foo(std::unique_ptr<A> p) { A x = p.get(); A y = p.get(); clang_analyzer_eval(x == y); // expected-warning{{TRUE}} if (!x) { y->foo(); // expected-warning{{Called C++ object pointer is null}} } } NoQ: You'll have to actively handle this case, sooner or later. Consider the following test cases…
		xazax.hunUnsubmitted Done Reply Inline Actions You mean the case where we do not have an inner pointer registered in the state yet, right? I believe we might also have to handle similar cases for `operator bool()` as well. xazax.hun: You mean the case where we do not have an inner pointer registered in the state yet, right? I…
		vrnithinkumarAuthorUnsubmitted Done Reply Inline Actions Added the above test case. Using conjureSymbolVal in case of missing inner pointer value vrnithinkumar: Added the above test case. Using conjureSymbolVal in case of missing inner pointer value
		vrnithinkumarAuthorUnsubmitted Done Reply Inline Actions void foo(std::unique_ptr<A> P) { A X = P.get(); if (!X) { P->foo(); // expected-warning {{Dereference of null smart pointer 'Pl' [alpha.cplusplus.SmartPtr]}} } } I was trying to add the above use case. Since we are using conjureSymbolVal in case of missing inner pointer value. But still the inner pointer value is constrained to [0, 0] in false branch, `InnerPointVal->isZeroConstant()` returning false. Also I tried `State->isNull(InnerPointVal).isConstrainedTrue();` This is also not working. How should we check whether the conjureSymbolVal for inner pointer value is constrained to [0, 0]? vrnithinkumar: ``` void foo(std::unique_ptr<A> P) { A *X = P.get(); if (!X) { P->foo(); // expected…
		NoQUnsubmitted Not Done Reply Inline Actions How should we check whether the conjureSymbolVal for inner pointer value is constrained to [0, 0]? View exploded graphs. That's literally the only reasonable answer to every such question. In particular, it shows you constraints for all symbols at every moment of time, and given that you implemented `printState()` it also shows you inner pointer values that you keep track of at every moment of time. Check if it's still the same symbol. Check that the symbol lives long enough - or does it get forgotten about in the middle? - if so you might need to get your `checkLiveSymbols` callback right. Please let us know if you still can't seem to debug it on your own. NoQ: > How should we check whether the conjureSymbolVal for inner pointer value is constrained to [0…
		} else {
		const auto *CallExpr = Call.getOriginExpr();
		InnerPointerVal = C.getSValBuilder().conjureSymbolVal(
		CallExpr, C.getLocationContext(), Call.getResultType(), C.blockCount());
		State = State->set<TrackedRegionMap>(ThisRegion, InnerPointerVal);
		}

		State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
		InnerPointerVal);
		// TODO: Add NoteTag, for how the raw pointer got using 'get' method.
		C.addTransition(State);
		}

void ento::registerSmartPtrModeling(CheckerManager &Mgr) {		void ento::registerSmartPtrModeling(CheckerManager &Mgr) {
auto *Checker = Mgr.registerChecker<SmartPtrModeling>();		auto *Checker = Mgr.registerChecker<SmartPtrModeling>();
Checker->ModelSmartPtrDereference =		Checker->ModelSmartPtrDereference =
Mgr.getAnalyzerOptions().getCheckerBooleanOption(		Mgr.getAnalyzerOptions().getCheckerBooleanOption(
Checker, "ModelSmartPtrDereference");		Checker, "ModelSmartPtrDereference");
}		}

bool ento::shouldRegisterSmartPtrModeling(const CheckerManager &mgr) {		bool ento::shouldRegisterSmartPtrModeling(const CheckerManager &mgr) {
const LangOptions &LO = mgr.getLangOpts();		const LangOptions &LO = mgr.getLangOpts();
return LO.CPlusPlus;		return LO.CPlusPlus;
}		}

clang/test/Analysis/smart-ptr-text-output.cpp

	Show First 20 Lines • Show All 110 Lines • ▼ Show 20 Lines

	void noNoteTagsForNonMatchingBugType() {			void noNoteTagsForNonMatchingBugType() {
	std::unique_ptr<A> P; // No note.			std::unique_ptr<A> P; // No note.
	std::unique_ptr<A> P1; // No note.			std::unique_ptr<A> P1; // No note.
	P1 = std::move(P); // expected-note {{Smart pointer 'P' of type 'std::unique_ptr' is reset to null when moved from}}			P1 = std::move(P); // expected-note {{Smart pointer 'P' of type 'std::unique_ptr' is reset to null when moved from}}
	P->foo(); // expected-warning {{Dereference of null smart pointer 'P' of type 'std::unique_ptr' [cplusplus.Move]}}			P->foo(); // expected-warning {{Dereference of null smart pointer 'P' of type 'std::unique_ptr' [cplusplus.Move]}}
	// expected-note@-1 {{Dereference of null smart pointer 'P' of type 'std::unique_ptr'}}			// expected-note@-1 {{Dereference of null smart pointer 'P' of type 'std::unique_ptr'}}
	}			}

				void derefOnRawPtrFromGetOnNullPtr() {
				std::unique_ptr<A> P; // FIXME: add note "Default constructed smart pointer 'P' is null"
				P.get()->foo(); // expected-warning {{Called C++ object pointer is null [core.CallAndMessage]}}
				// expected-note@-1 {{Called C++ object pointer is null}}
				}

				void derefOnRawPtrFromGetOnValidPtr() {
				std::unique_ptr<A> P(new A());
				P.get()->foo(); // No warning.
				}

				void derefOnRawPtrFromGetOnUnknownPtr(std::unique_ptr<A> P) {
				P.get()->foo(); // No warning.
				}

clang/test/Analysis/smart-ptr.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection\		// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection\
// RUN: -analyzer-checker cplusplus.Move,alpha.cplusplus.SmartPtr\		// RUN: -analyzer-checker cplusplus.Move,alpha.cplusplus.SmartPtr\
// RUN: -analyzer-config cplusplus.SmartPtrModeling:ModelSmartPtrDereference=true\		// RUN: -analyzer-config cplusplus.SmartPtrModeling:ModelSmartPtrDereference=true\
// RUN: -std=c++11 -verify %s		// RUN: -std=c++11 -verify %s

#include "Inputs/system-header-simulator-cxx.h"		#include "Inputs/system-header-simulator-cxx.h"

void clang_analyzer_warnIfReached();		void clang_analyzer_warnIfReached();
void clang_analyzer_numTimesReached();		void clang_analyzer_numTimesReached();
		void clang_analyzer_eval(bool);

void derefAfterMove(std::unique_ptr<int> P) {		void derefAfterMove(std::unique_ptr<int> P) {
std::unique_ptr<int> Q = std::move(P);		std::unique_ptr<int> Q = std::move(P);
if (Q)		if (Q)
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}		clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
*Q.get() = 1; // no-warning		*Q.get() = 1; // no-warning
if (P)		if (P)
clang_analyzer_warnIfReached(); // no-warning		clang_analyzer_warnIfReached(); // no-warning
▲ Show 20 Lines • Show All 229 Lines • ▼ Show 20 Lines	void derefOnSwappedValidPtr() {
std::unique_ptr<A> PValid(new A());		std::unique_ptr<A> PValid(new A());
P.swap(PValid);		P.swap(PValid);
(*P).foo(); // No warning.		(*P).foo(); // No warning.
PValid->foo(); // No warning.		PValid->foo(); // No warning.
std::swap(P, PValid);		std::swap(P, PValid);
P->foo(); // No warning.		P->foo(); // No warning.
PValid->foo(); // No warning.		PValid->foo(); // No warning.
}		}

		void derefOnRawPtrFromGetOnNullPtr() {
		std::unique_ptr<A> P;
		P.get()->foo(); // expected-warning {{Called C++ object pointer is null [core.CallAndMessage]}}
		}

		void derefOnRawPtrFromGetOnValidPtr() {
		std::unique_ptr<A> P(new A());
		P.get()->foo(); // No warning.
		}

		void derefOnRawPtrFromGetOnUnknownPtr(std::unique_ptr<A> P) {
		P.get()->foo(); // No warning.
		}

		void derefOnRawPtrFromMultipleGetOnUnknownPtr(std::unique_ptr<A> P) {
		A *X = P.get();
		A *Y = P.get();
		clang_analyzer_eval(X == Y); // expected-warning{{TRUE}}
		if (!X) {
		Y->foo(); // expected-warning {{Called C++ object pointer is null [core.CallAndMessage]}}
		}
		}

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Add modeling for unque_ptr::get()ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 287253

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

clang/test/Analysis/smart-ptr-text-output.cpp

clang/test/Analysis/smart-ptr.cpp

[analyzer] Add modeling for unque_ptr::get()
ClosedPublic