This is an archive of the discontinued LLVM Phabricator instance.

Differential D89638

[Analyzer][WebKit] Add attributes to suppress specific checkers
AbandonedPublic

Authored by jkorous on Oct 17 2020, 8:35 PM.

Details

Reviewers
NoQ
vsavchenko
aaron.ballman
Summary

One thing I am not quite sure is naming. I started with the convention of "No" prefix but it gets weird in some cases - any ideas are welcome!

Diff Detail

Event Timeline

jkorous created this revision.Oct 17 2020, 8:35 PM
Herald added a reviewer: aaron.ballman. · View Herald TranscriptOct 17 2020, 8:35 PM
Herald added subscribers: steakhal, ASDenysPetrov, martong and 10 others. · View Herald Transcript
jkorous requested review of this revision.Oct 17 2020, 8:35 PM
vsavchenko added a comment.Oct 19 2020, 2:23 AM

Great job, I think it's awesome to have more control over the analyzer with the language itself.

The naming does seem pretty tough, I agree. In the majority of cases, it seems like a mouthful ☹️ . It can also negatively impact discoverability of these attributes.

I noticed that they (for the most part) do not overlap in terms of their AST nodes. And it got me thinking, is it possible to rethink current solution with just one attribute? I think it can be easier for the end user.

clang/include/clang/Basic/Attr.td
3579

This got me thinking here, what about IndirectFieldDecl? Not only in terms of the attribute, of course, but for the checker as well.

clang/lib/Sema/SemaDeclAttr.cpp
7975

This looks confusing to me. I do get that uniformity is good, but it's good for the purposes of clarity and clarity here is arguable. Maybe we can change the name here?
It's not critical or smith, but I want to hear what other folks think about this matter.

clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedCallArgsChecker.cpp
80–82

Should it go then?

clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedLambdaCapturesChecker.cpp
61–62

It looks like a new case! Do we have a test for that?

clang/test/Analysis/Checkers/WebKit/ref-cntbl-base-virtual-dtor.cpp
16

Can you please put a // no warning comment, so everyone gets that this is expected.
The same goes to other tests as well.

clang/test/Analysis/Checkers/WebKit/uncounted-lambda-captures.cpp
52

Whoops 😅

aaron.ballman requested changes to this revision.Oct 19 2020, 8:18 AM
aaron.ballman added inline comments.
clang/include/clang/Basic/Attr.td
3565

I'm worried that this will lead to an explosion of one-off attributes. Rather than introduce new attributes to suppress diagnostics in a one-off manner, I think a better approach is to extend the existing attribute related to diagnostic suppression. See the Suppress attribute, which is currently only exposed with the name gsl::suppress. I think this attribute could be given an additional spelling Clang<"suppress"> and be used to cover this same functionality but in a more extensible way.

This revision now requires changes to proceed.Oct 19 2020, 8:18 AM
vsavchenko added inline comments.Oct 19 2020, 8:38 AM
clang/include/clang/Basic/Attr.td
3565

This is exactly what we plan to do! And it's awesome to hear that you believe it's the right approach!
There is one problem with that approach though, we want to have an option for the use to suppress one particular diagnostic. However, there is no one good looking identifier type for checkers that the end user can see and use. Straight up checker names are too verbose and can change, diagnostic messages can be pretty long and also susceptible to changes. I guess we need to open some sort of discussion here.

I see a few options here:
The first option is to implement suppress that suppresses whatever warning is there, without warning identifiers for now. This is a bigger effort though and has larger scope than what Jan is doing here.
The second option is to support suppress for uncounted checkers. So, we start small and don't ask Jan to do everything in this patch. The problem here is with identifier (again). We probably need to choose a good identifier/set of identifiers for this group of checkers that will persist even when we proceed with other checkers.
And, finally, the third option is to introduce a separate attribute that suppresses all the checks from that group. In this case, it should be probably decoupled from the checker, meaning that it should tell something to the person reading this code. Sorta like volatile refcountable.

What do you think?

aaron.ballman added inline comments.Oct 19 2020, 9:47 AM
clang/include/clang/Basic/Attr.td
3565

This is exactly what we plan to do! And it's awesome to hear that you believe it's the right approach!

Excellent!

There is one problem with that approach though, we want to have an option for the use to suppress one particular diagnostic. However, there is no one good looking identifier type for checkers that the end user can see and use. Straight up checker names are too verbose and can change, diagnostic messages can be pretty long and also susceptible to changes. I guess we need to open some sort of discussion here.

I agree, this should be done in a broader community discussion. The typical way this is handled by other tools is to come up with a stable identifier for each rule so that users can use the stable identifier for suppression even if the rule title or other aspects change.

The first option is to implement suppress that suppresses whatever warning is there, without warning identifiers for now. This is a bigger effort though and has larger scope than what Jan is doing here.

Agreed -- also, IIRC, the static analyzer already supports // NOLINT comments, so I don't think this gets us a whole lot that we don't already have today.

The second option is to support suppress for uncounted checkers. So, we start small and don't ask Jan to do everything in this patch. The problem here is with identifier (again). We probably need to choose a good identifier/set of identifiers for this group of checkers that will persist even when we proceed with other checkers.
And, finally, the third option is to introduce a separate attribute that suppresses all the checks from that group. In this case, it should be probably decoupled from the checker, meaning that it should tell something to the person reading this code. Sorta like volatile refcountable.

There may be a fourth option here -- come up with an RFC and start a discussion about how to suppress analyzer diagnostics by name. There are a few different approaches to consider there -- do you want to suppress just one aspect of a given check or do you want to suppress the check as a whole? Do you want to be able to suppress multiple different checks using a single attribute or should that require multiple attributes? Should there be a warning flag specific to this attribute so that users can opt in to warning when the suppression attribute is being used? Should there be a warning flag the user can opt in to/out of warning when the suppress attribute is used but there is no diagnostic to suppress?

vsavchenko added inline comments.Oct 19 2020, 10:19 AM
clang/include/clang/Basic/Attr.td
3565

Agreed -- also, IIRC, the static analyzer already supports // NOLINT comments, so I don't think this gets us a whole lot that we don't already have today.

AFAIK only clang-tidy supports those, but maybe I missed it somehow.

There may be a fourth option here -- come up with an RFC and start a discussion about how to suppress analyzer diagnostics by name. There are a few different approaches to consider there -- do you want to suppress just one aspect of a given check or do you want to suppress the check as a whole? Do you want to be able to suppress multiple different checks using a single attribute or should that require multiple attributes? Should there be a warning flag specific to this attribute so that users can opt in to warning when the suppression attribute is being used? Should there be a warning flag the user can opt in to/out of warning when the suppress attribute is used but there is no diagnostic to suppress?

This is actually the reason why I suggest options 2 and 3. It's a lot of questions to answer! We also need to come up with a stable identifier. And I suggest to do something that is maybe not an awesome and all around generalized solution, but that is not a hacky solution "for the time being" either. We can start moving in the right direction here and also initiate the conversation at the same time.

Szelethus added a comment.Oct 19 2020, 12:09 PM

I'll just add a generic comment because I don't know much (==anything) about webkit checkers. Do you expect to stumble across false positives regularly enough so that an attribute like this would be necessary? Do these checkers rely on some heuristic?

dexonsmith removed a subscriber: dexonsmith.Oct 19 2020, 5:33 PM
martong added a comment.Oct 20 2020, 8:06 AM

I was thinking about an alternative approach (5th approach (?), yeah, I think we need an RFC).

What if we had just one attribute with a StringArgument ?
Actually, we already have that with the annotate attribute.
How do you like this?

struct [[clang::annotate("CSA:supress:RefCntblBaseVirtualDtor")]] Derived2
    : RefCntblBase{};

Disadvantages: we must process strings whenever a node has the annotate attr attached, we have to come up with a "DSL".
Advantages: total flexibility.
WDYT?

aaron.ballman added a comment.Oct 20 2020, 8:09 AM
In D89638#2341855, @martong wrote:

I was thinking about an alternative approach (5th approach (?), yeah, I think we need an RFC).

What if we had just one attribute with a StringArgument ?
Actually, we already have that with the annotate attribute.
How do you like this?

struct [[clang::annotate("CSA:supress:RefCntblBaseVirtualDtor")]] Derived2
    : RefCntblBase{};

Disadvantages: we must process strings whenever a node has the annotate attr attached, we have to come up with a "DSL".
Advantages: total flexibility.
WDYT?

This is along the lines of what I was envisioning, except I'd name the attribute better rather than re-use annotate for this. e.g.,

[[clang::suppress("analyzer.somecheck.somefunctionality")]]
[[clang::suppress("compiler.warning.12345")]]
[[clang::suppress("tidy.check-name.whatever")]]
etc.

vsavchenko added a comment.Oct 20 2020, 8:38 AM
In D89638#2341855, @martong wrote:

I was thinking about an alternative approach (5th approach (?), yeah, I think we need an RFC).

What if we had just one attribute with a StringArgument ?
Actually, we already have that with the annotate attribute.
How do you like this?

struct [[clang::annotate("CSA:supress:RefCntblBaseVirtualDtor")]] Derived2
    : RefCntblBase{};

Disadvantages: we must process strings whenever a node has the annotate attr attached, we have to come up with a "DSL".
Advantages: total flexibility.
WDYT?

Honestly, I think that "CSA:supress:RefCntblBaseVirtualDtor" is way too verbose. It is incredibly easy to make mistakes, it seems hard to use and it is hell a lot to put in the actual code. It also doesn't resolve the issue with what unique identifier we should use. Imagine we decide that we should use Bug type as that unique identifier. It means that "CSA:supress:RefCntblBaseVirtualDtor" should get changed, but it is already in the user's code! It is quite important to settle on a solution that will still be available when we land a more general solution.

In D89638#2341859, @aaron.ballman wrote:

This is along the lines of what I was envisioning, except I'd name the attribute better rather than re-use annotate for this. e.g.,

[[clang::suppress("analyzer.somecheck.somefunctionality")]]
[[clang::suppress("compiler.warning.12345")]]
[[clang::suppress("tidy.check-name.whatever")]]
etc.

Yes, I agree, this syntax is superior IMO. It is cleaner and more clear in its intentions.

martong added a comment.Oct 20 2020, 8:50 AM
In D89638#2341923, @vsavchenko wrote:
In D89638#2341855, @martong wrote:

I was thinking about an alternative approach (5th approach (?), yeah, I think we need an RFC).

What if we had just one attribute with a StringArgument ?
Actually, we already have that with the annotate attribute.
How do you like this?

struct [[clang::annotate("CSA:supress:RefCntblBaseVirtualDtor")]] Derived2
    : RefCntblBase{};

Disadvantages: we must process strings whenever a node has the annotate attr attached, we have to come up with a "DSL".
Advantages: total flexibility.
WDYT?

Honestly, I think that "CSA:supress:RefCntblBaseVirtualDtor" is way too verbose. It is incredibly easy to make mistakes, it seems hard to use and it is hell a lot to put in the actual code. It also doesn't resolve the issue with what unique identifier we should use. Imagine we decide that we should use Bug type as that unique identifier. It means that "CSA:supress:RefCntblBaseVirtualDtor" should get changed, but it is already in the user's code! It is quite important to settle on a solution that will still be available when we land a more general solution.

Yes, absolutely, I agree.
I just launched an RFC on cfe-dev about this. And about that this could be a possible approach for providing summaries and taint analysis notations as well. Please take a look: http://lists.llvm.org/pipermail/cfe-dev/2020-October/067074.html

jkorous abandoned this revision.Jan 21 2022, 3:51 PM
Herald added a subscriber: manas. · View Herald TranscriptJan 21 2022, 3:51 PM

Revision Contents

Diff 298860

clang/include/clang/Basic/Attr.td

Show First 20 LinesShow All 3,555 Lines▼ Show 20 Lines
def Builtin : InheritableAttr { def Builtin : InheritableAttr {
let Spellings = []; let Spellings = [];
let Args = [UnsignedArgument<"ID">]; let Args = [UnsignedArgument<"ID">];
let Subjects = SubjectList<[Function]>; let Subjects = SubjectList<[Function]>;
let SemaHandler = 0; let SemaHandler = 0;
let Documentation = [Undocumented]; let Documentation = [Undocumented];
} }
def NoRefCntblBaseVirtualDtor : InheritableAttr {
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I'm worried that this will lead to an explosion of one-off attributes. Rather than introduce new attributes to suppress diagnostics in a one-off manner, I think a better approach is to extend the existing attribute related to diagnostic suppression. See the Suppress attribute, which is currently only exposed with the name gsl::suppress. I think this attribute could be given an additional spelling Clang<"suppress"> and be used to cover this same functionality but in a more extensible way.

aaron.ballman: I'm worried that this will lead to an explosion of one-off attributes. Rather than introduce…
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

This is exactly what we plan to do! And it's awesome to hear that you believe it's the right approach!
There is one problem with that approach though, we want to have an option for the use to suppress one particular diagnostic. However, there is no one good looking identifier type for checkers that the end user can see and use. Straight up checker names are too verbose and can change, diagnostic messages can be pretty long and also susceptible to changes. I guess we need to open some sort of discussion here.

I see a few options here:
The first option is to implement suppress that suppresses whatever warning is there, without warning identifiers for now. This is a bigger effort though and has larger scope than what Jan is doing here.
The second option is to support suppress for uncounted checkers. So, we start small and don't ask Jan to do everything in this patch. The problem here is with identifier (again). We probably need to choose a good identifier/set of identifiers for this group of checkers that will persist even when we proceed with other checkers.
And, finally, the third option is to introduce a separate attribute that suppresses all the checks from that group. In this case, it should be probably decoupled from the checker, meaning that it should tell something to the person reading this code. Sorta like volatile refcountable.

What do you think?

vsavchenko: This is exactly what we plan to do! And it's awesome to hear that you believe it's the right…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

This is exactly what we plan to do! And it's awesome to hear that you believe it's the right approach!

Excellent!

There is one problem with that approach though, we want to have an option for the use to suppress one particular diagnostic. However, there is no one good looking identifier type for checkers that the end user can see and use. Straight up checker names are too verbose and can change, diagnostic messages can be pretty long and also susceptible to changes. I guess we need to open some sort of discussion here.

I agree, this should be done in a broader community discussion. The typical way this is handled by other tools is to come up with a stable identifier for each rule so that users can use the stable identifier for suppression even if the rule title or other aspects change.

The first option is to implement suppress that suppresses whatever warning is there, without warning identifiers for now. This is a bigger effort though and has larger scope than what Jan is doing here.

Agreed -- also, IIRC, the static analyzer already supports // NOLINT comments, so I don't think this gets us a whole lot that we don't already have today.

The second option is to support suppress for uncounted checkers. So, we start small and don't ask Jan to do everything in this patch. The problem here is with identifier (again). We probably need to choose a good identifier/set of identifiers for this group of checkers that will persist even when we proceed with other checkers.
And, finally, the third option is to introduce a separate attribute that suppresses all the checks from that group. In this case, it should be probably decoupled from the checker, meaning that it should tell something to the person reading this code. Sorta like volatile refcountable.

There may be a fourth option here -- come up with an RFC and start a discussion about how to suppress analyzer diagnostics by name. There are a few different approaches to consider there -- do you want to suppress just one aspect of a given check or do you want to suppress the check as a whole? Do you want to be able to suppress multiple different checks using a single attribute or should that require multiple attributes? Should there be a warning flag specific to this attribute so that users can opt in to warning when the suppression attribute is being used? Should there be a warning flag the user can opt in to/out of warning when the suppress attribute is used but there is no diagnostic to suppress?

aaron.ballman: > This is exactly what we plan to do! And it's awesome to hear that you believe it's the right…
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

Agreed -- also, IIRC, the static analyzer already supports // NOLINT comments, so I don't think this gets us a whole lot that we don't already have today.

AFAIK only clang-tidy supports those, but maybe I missed it somehow.

There may be a fourth option here -- come up with an RFC and start a discussion about how to suppress analyzer diagnostics by name. There are a few different approaches to consider there -- do you want to suppress just one aspect of a given check or do you want to suppress the check as a whole? Do you want to be able to suppress multiple different checks using a single attribute or should that require multiple attributes? Should there be a warning flag specific to this attribute so that users can opt in to warning when the suppression attribute is being used? Should there be a warning flag the user can opt in to/out of warning when the suppress attribute is used but there is no diagnostic to suppress?

This is actually the reason why I suggest options 2 and 3. It's a lot of questions to answer! We also need to come up with a stable identifier. And I suggest to do something that is maybe not an awesome and all around generalized solution, but that is not a hacky solution "for the time being" either. We can start moving in the right direction here and also initiate the conversation at the same time.

vsavchenko: > Agreed -- also, IIRC, the static analyzer already supports `// NOLINT` comments, so I don't…
let Spellings = [Clang<"NoRefCntblBaseVirtualDtor">];
let Subjects = SubjectList<[CXXRecord]>;
let Documentation = [Undocumented];
}
def NoUncountedLambdaCaptures : InheritableAttr {
let Spellings = [Clang<"NoUncountedLambdaCaptures">];
let Subjects = SubjectList<[Var]>;
let Documentation = [Undocumented];
}
def NoNoUncountedMember : InheritableAttr {
let Spellings = [Clang<"NoNoUncountedMember">];
let Subjects = SubjectList<[Field]>;
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

This got me thinking here, what about IndirectFieldDecl? Not only in terms of the attribute, of course, but for the checker as well.

vsavchenko: This got me thinking here, what about `IndirectFieldDecl`? Not only in terms of the attribute…
let Documentation = [Undocumented];
}
def NoUncountedLocalVars : InheritableAttr {
let Spellings = [Clang<"NoUncountedLocalVars">];
let Subjects = SubjectList<[Var]>;
let Documentation = [Undocumented];
}
def NoUncountedCallArgs : InheritableAttr {
let Spellings = [Clang<"NoUncountedCallArgs">];
let Subjects = SubjectList<[ParmVar]>;
let Documentation = [Undocumented];
}

clang/lib/Sema/SemaDeclAttr.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 7,957 Lines▼ Show 20 Linesstatic void ProcessDeclAttribute(Sema &S, Scope *scope, Decl *D,
case ParsedAttr::AT_ReleaseHandle: case ParsedAttr::AT_ReleaseHandle:
handleHandleAttr<ReleaseHandleAttr>(S, D, AL); handleHandleAttr<ReleaseHandleAttr>(S, D, AL);
break; break;
case ParsedAttr::AT_UseHandle: case ParsedAttr::AT_UseHandle:
handleHandleAttr<UseHandleAttr>(S, D, AL); handleHandleAttr<UseHandleAttr>(S, D, AL);
break; break;
case ParsedAttr::AT_NoRefCntblBaseVirtualDtor:
handleSimpleAttribute<NoRefCntblBaseVirtualDtorAttr>(S, D, AL);
break;
case ParsedAttr::AT_NoUncountedLambdaCaptures:
handleSimpleAttribute<NoUncountedLambdaCapturesAttr>(S, D, AL);
break;
case ParsedAttr::AT_NoNoUncountedMember:
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

This looks confusing to me. I do get that uniformity is good, but it's good for the purposes of clarity and clarity here is arguable. Maybe we can change the name here?
It's not critical or smith, but I want to hear what other folks think about this matter.

vsavchenko: This looks confusing to me. I do get that uniformity is good, but it's good for the purposes…
handleSimpleAttribute<NoNoUncountedMemberAttr>(S, D, AL);
break;
case ParsedAttr::AT_NoUncountedLocalVars:
handleSimpleAttribute<NoUncountedLocalVarsAttr>(S, D, AL);
break;
case ParsedAttr::AT_NoUncountedCallArgs:
handleSimpleAttribute<NoUncountedCallArgsAttr>(S, D, AL);
break;
} }
} }
/// ProcessDeclAttributeList - Apply all the decl attributes in the specified /// ProcessDeclAttributeList - Apply all the decl attributes in the specified
/// attribute list to the specified decl, ignoring any type attributes. /// attribute list to the specified decl, ignoring any type attributes.
void Sema::ProcessDeclAttributeList(Scope *S, Decl *D, void Sema::ProcessDeclAttributeList(Scope *S, Decl *D,
const ParsedAttributesView &AttrList, const ParsedAttributesView &AttrList,
bool IncludeCXX11Attributes) { bool IncludeCXX11Attributes) {
▲ Show 20 LinesShow All 377 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/WebKit/NoUncountedMembersChecker.cpp

Show First 20 LinesShow All 68 Lines▼ Show 20 Lines void visitRecordDecl(const RecordDecl *RD) const {
if (shouldSkipDecl(RD)) if (shouldSkipDecl(RD))
return; return;
for (auto Member : RD->fields()) { for (auto Member : RD->fields()) {
const Type *MemberType = Member->getType().getTypePtrOrNull(); const Type *MemberType = Member->getType().getTypePtrOrNull();
if (!MemberType) if (!MemberType)
continue; continue;
if (Member->hasAttr<NoNoUncountedMemberAttr>())
continue;
if (auto *MemberCXXRD = MemberType->getPointeeCXXRecordDecl()) { if (auto *MemberCXXRD = MemberType->getPointeeCXXRecordDecl()) {
// If we don't see the definition we just don't know. // If we don't see the definition we just don't know.
if (MemberCXXRD->hasDefinition()) { if (MemberCXXRD->hasDefinition()) {
llvm::Optional<bool> isRCAble = isRefCountable(MemberCXXRD); llvm::Optional<bool> isRCAble = isRefCountable(MemberCXXRD);
if (isRCAble && *isRCAble) if (isRCAble && *isRCAble)
reportBug(Member, MemberType, MemberCXXRD, RD); reportBug(Member, MemberType, MemberCXXRD, RD);
} }
} }
▲ Show 20 LinesShow All 74 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/WebKit/RefCntblBaseVirtualDtorChecker.cpp

Show First 20 LinesShow All 116 Lines▼ Show 20 Lines bool shouldSkipDecl(const CXXRecordDecl *RD) const {
if (Kind != TTK_Struct && Kind != TTK_Class) if (Kind != TTK_Struct && Kind != TTK_Class)
return true; return true;
// Ignore CXXRecords that come from system headers. // Ignore CXXRecords that come from system headers.
if (BR->getSourceManager().getFileCharacteristic(RDLocation) != if (BR->getSourceManager().getFileCharacteristic(RDLocation) !=
SrcMgr::C_User) SrcMgr::C_User)
return true; return true;
if (RD->hasAttr<NoRefCntblBaseVirtualDtorAttr>())
return true;
return false; return false;
} }
void reportBug(const CXXRecordDecl *DerivedClass, void reportBug(const CXXRecordDecl *DerivedClass,
const CXXBaseSpecifier *BaseSpec, const CXXBaseSpecifier *BaseSpec,
const CXXRecordDecl *ProblematicBaseClass) const { const CXXRecordDecl *ProblematicBaseClass) const {
assert(DerivedClass); assert(DerivedClass);
assert(BaseSpec); assert(BaseSpec);
Show All 31 Lines

clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedCallArgsChecker.cpp

Show First 20 LinesShow All 71 Lines▼ Show 20 Lines if (auto *F = CE->getDirectCallee()) {
isa<CXXOperatorCallExpr>(CE) && dyn_cast_or_null<CXXMethodDecl>(F); isa<CXXOperatorCallExpr>(CE) && dyn_cast_or_null<CXXMethodDecl>(F);
for (auto P = F->param_begin(); for (auto P = F->param_begin();
// FIXME: Also check variadic function parameters. // FIXME: Also check variadic function parameters.
// FIXME: Also check default function arguments. Probably a different // FIXME: Also check default function arguments. Probably a different
// checker. In case there are default arguments the call can have // checker. In case there are default arguments the call can have
// fewer arguments than the callee has parameters. // fewer arguments than the callee has parameters.
P < F->param_end() && ArgIdx < CE->getNumArgs(); ++P, ++ArgIdx) { P < F->param_end() && ArgIdx < CE->getNumArgs(); ++P, ++ArgIdx) {
// TODO: attributes. // TODO: attributes.
// if ((*P)->hasAttr<SafeRefCntblRawPtrAttr>()) // if ((*P)->hasAttr<SafeRefCntblRawPtrAttr>())
// continue; // continue;
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

Should it go then?

vsavchenko: Should it go then?
if ((*P)->hasAttr<NoUncountedCallArgsAttr>())
continue;
const auto *ArgType = (*P)->getType().getTypePtrOrNull(); const auto *ArgType = (*P)->getType().getTypePtrOrNull();
if (!ArgType) if (!ArgType)
continue; // FIXME? Should we bail? continue; // FIXME? Should we bail?
// FIXME: more complex types (arrays, references to raw pointers, etc) // FIXME: more complex types (arrays, references to raw pointers, etc)
Optional<bool> IsUncounted = isUncountedPtr(ArgType); Optional<bool> IsUncounted = isUncountedPtr(ArgType);
if (!IsUncounted || !(*IsUncounted)) if (!IsUncounted || !(*IsUncounted))
continue; continue;
▲ Show 20 LinesShow All 105 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedLambdaCapturesChecker.cpp

Show First 20 LinesShow All 52 Lines▼ Show 20 Lines void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR,
LocalVisitor visitor(this); LocalVisitor visitor(this);
visitor.TraverseDecl(const_cast<TranslationUnitDecl *>(TUD)); visitor.TraverseDecl(const_cast<TranslationUnitDecl *>(TUD));
} }
void visitLambdaExpr(LambdaExpr *L) const { void visitLambdaExpr(LambdaExpr *L) const {
for (const LambdaCapture &C : L->captures()) { for (const LambdaCapture &C : L->captures()) {
if (C.capturesVariable()) { if (C.capturesVariable()) {
VarDecl *CapturedVar = C.getCapturedVar(); VarDecl *CapturedVar = C.getCapturedVar();
if (!CapturedVar)
continue;
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

It looks like a new case! Do we have a test for that?

vsavchenko: It looks like a new case! Do we have a test for that?
if (CapturedVar->hasAttr<NoUncountedLambdaCapturesAttr>())
continue;
if (auto *CapturedVarType = CapturedVar->getType().getTypePtrOrNull()) { if (auto *CapturedVarType = CapturedVar->getType().getTypePtrOrNull()) {
Optional<bool> IsUncountedPtr = isUncountedPtr(CapturedVarType); Optional<bool> IsUncountedPtr = isUncountedPtr(CapturedVarType);
if (IsUncountedPtr && *IsUncountedPtr) { if (IsUncountedPtr && *IsUncountedPtr) {
reportBug(C, CapturedVar, CapturedVarType); reportBug(C, CapturedVar, CapturedVarType);
} }
} }
} }
} }
Show All 39 Lines

clang/lib/StaticAnalyzer/Checkers/WebKit/UncountedLocalVarsChecker.cpp

Show First 20 LinesShow All 216 Lines▼ Show 20 Linespublic:
bool shouldSkipVarDecl(const VarDecl *V) const { bool shouldSkipVarDecl(const VarDecl *V) const {
assert(V); assert(V);
if (!V->isLocalVarDecl()) if (!V->isLocalVarDecl())
return true; return true;
if (isDeclaredInForOrIf(V)) if (isDeclaredInForOrIf(V))
return true; return true;
if (V->hasAttr<NoUncountedLocalVarsAttr>())
return true;
return false; return false;
} }
void reportBug(const VarDecl *V) const { void reportBug(const VarDecl *V) const {
assert(V); assert(V);
SmallString<100> Buf; SmallString<100> Buf;
llvm::raw_svector_ostream Os(Buf); llvm::raw_svector_ostream Os(Buf);
Show All 19 Lines

clang/test/Analysis/Checkers/WebKit/call-args.cpp

Show First 20 LinesShow All 336 Lines▼ Show 20 Lines void foo() {
f + global; f + global;
// expected-warning@-1{{Call argument for parameter 'bad' is uncounted and unsafe}} // expected-warning@-1{{Call argument for parameter 'bad' is uncounted and unsafe}}
f - global; f - global;
// expected-warning@-1{{Call argument for parameter 'bad' is uncounted and unsafe}} // expected-warning@-1{{Call argument for parameter 'bad' is uncounted and unsafe}}
f(global); f(global);
// expected-warning@-1{{Call argument for parameter 'bad' is uncounted and unsafe}} // expected-warning@-1{{Call argument for parameter 'bad' is uncounted and unsafe}}
} }
} }
namespace suppression {
void consume_refcntbl_unsafe([[clang::NoUncountedCallArgs]] RefCountable*) {}
void foo() {
consume_refcntbl_unsafe(provide());
}
}

clang/test/Analysis/Checkers/WebKit/ref-cntbl-base-virtual-dtor.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=webkit.RefCntblBaseVirtualDtor -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=webkit.RefCntblBaseVirtualDtor -verify %s
struct RefCntblBase { struct RefCntblBase {
void ref() {} void ref() {}
void deref() {} void deref() {}
}; };
struct Derived : RefCntblBase { }; struct Derived : RefCntblBase { };
// expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'Derived' but doesn't have virtual destructor}} // expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'Derived' but doesn't have virtual destructor}}
struct DerivedWithVirtualDtor : RefCntblBase { struct DerivedWithVirtualDtor : RefCntblBase {
// expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'DerivedWithVirtualDtor' but doesn't have virtual destructor}} // expected-warning@-1{{Struct 'RefCntblBase' is used as a base of struct 'DerivedWithVirtualDtor' but doesn't have virtual destructor}}
virtual ~DerivedWithVirtualDtor() {} virtual ~DerivedWithVirtualDtor() {}
}; };
struct [[clang::NoRefCntblBaseVirtualDtor]] Derived2 : RefCntblBase { };
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

Can you please put a // no warning comment, so everyone gets that this is expected.
The same goes to other tests as well.

vsavchenko: Can you please put a `// no warning` comment, so everyone gets that this is expected. The same…
template<class T> template<class T>
struct DerivedClassTmpl : T { }; struct DerivedClassTmpl : T { };
typedef DerivedClassTmpl<RefCntblBase> Foo; typedef DerivedClassTmpl<RefCntblBase> Foo;
struct RandomBase {}; struct RandomBase {};
Show All 29 Lines

clang/test/Analysis/Checkers/WebKit/uncounted-lambda-captures.cpp

Show All 36 Lines// This code is not expected to trigger any warnings.
RefCountable automatic; RefCountable automatic;
RefCountable &ref_countable_ref = automatic; RefCountable &ref_countable_ref = automatic;
} }
auto foo3 = [&]() {}; auto foo3 = [&]() {};
auto foo4 = [=]() {}; auto foo4 = [=]() {};
RefCountable *ref_countable = nullptr; RefCountable *ref_countable = nullptr;
} }
void suppressed() {
RefCountable patatino;
RefCountable& ref_countable_ref [[clang::NoUncountedLambdaCaptures]] = patatino;
auto foo1 = [ref_countable_ref](){};
}
No newline at end of file
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

Whoops 😅

vsavchenko: Whoops 😅

clang/test/Analysis/Checkers/WebKit/uncounted-local-vars.cpp

Show First 20 LinesShow All 91 Lines▼ Show 20 Lines
void foo() { void foo() {
// no warnings // no warnings
if (RefCountable *a = provide_ref_ctnbl()) { } if (RefCountable *a = provide_ref_ctnbl()) { }
for (RefCountable *a = provide_ref_ctnbl(); a != nullptr;) { } for (RefCountable *a = provide_ref_ctnbl(); a != nullptr;) { }
RefCountable *array[1]; RefCountable *array[1];
for (RefCountable *a : array) { } for (RefCountable *a : array) { }
} }
} // namespace ignore_for_if } // namespace ignore_for_if
namespace suppression {
void foo_ref() {
RefCountable automatic;
RefCountable &bar [[clang::NoUncountedLocalVars]] = automatic;
}
}

clang/test/Analysis/Checkers/WebKit/uncounted-members.cpp

Show All 35 Linesnamespace ignore_unions {
template<class T> template<class T>
union RefPtr { union RefPtr {
T* a; T* a;
}; };
void forceTmplToInstantiate(RefPtr<RefCountable>) {} void forceTmplToInstantiate(RefPtr<RefCountable>) {}
} }
namespace suppression {
struct Foo {
RefCountable* a [[clang::NoNoUncountedMember]] = nullptr;
};
}