This is an archive of the discontinued LLVM Phabricator instance.

Differential D99262

[analyzer] Fix dead store checker false positive
ClosedPublic

Authored by vsavchenko on Mar 24 2021, 6:53 AM.

Details

Reviewers
NoQ
steakhal
xazax.hun
ASDenysPetrov
Commits
rG9f0d8bac144c: [analyzer] Fix dead store checker false positive
Summary

It is common to zero-initialize not only scalar variables,
but also structs. This is also defensive programming and
we shouldn't complain about that.

rdar://34122265

Diff Detail

Event Timeline

vsavchenko created this revision.Mar 24 2021, 6:53 AM
Herald added subscribers: martong, Charusso, dkrupp and 7 others. · View Herald TranscriptMar 24 2021, 6:53 AM
vsavchenko requested review of this revision.Mar 24 2021, 6:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 24 2021, 6:53 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal added a comment.Mar 24 2021, 11:46 AM

I see your point.

Would it report this issue?

int test() {
  struct Foo foo = {0, 0}; // I would expect a warning here, that 'foo' was initialized but never read.
  (void)foo;
 return 0;
}

Only nits besides this.

clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
25

I don't see any new code that would depend on this header.

422–427

Eh, the indentation looks horrible.
It would be probably better to use braces here.

vsavchenko added a comment.Mar 24 2021, 11:54 AM
In D99262#2648512, @steakhal wrote:

I see your point.

Would it report this issue?

int test() {
  struct Foo foo = {0, 0}; // I would expect a warning here, that 'foo' was initialized but never read.
  (void)foo;
 return 0;
}

Only nits besides this.

We got one big fat complaint about that, and I can see the point.

clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
25

llvm::all_of?

422–427

Yeah, I agree. I'm not sure braces will help much. I will try to do smith about it

Harbormaster completed remote builds in B95476: Diff 332969.Mar 24 2021, 11:54 AM
steakhal added a comment.Mar 24 2021, 12:26 PM
In D99262#2648533, @vsavchenko wrote:
In D99262#2648512, @steakhal wrote:

I see your point.

Would it report this issue?

int test() {
  struct Foo foo = {0, 0}; // I would expect a warning here, that 'foo' was initialized but never read.
  (void)foo;
 return 0;
}

Only nits besides this.

We got one big fat complaint about that, and I can see the point.

We should at least document it as testcase.

clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
25

Oh sure!

vsavchenko updated this revision to Diff 333789.Mar 29 2021, 2:16 AM

Add comments

vsavchenko updated this revision to Diff 333793.Mar 29 2021, 2:25 AM

Add another test

Harbormaster completed remote builds in B96059: Diff 333789.Mar 29 2021, 3:02 AM
Harbormaster completed remote builds in B96061: Diff 333793.Mar 29 2021, 3:14 AM
vsavchenko marked an inline comment as done.Mar 30 2021, 6:03 AM
martong added inline comments.Mar 30 2021, 7:05 AM
clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
422–423

What about nested InitListExpr's?

std::array<int, 3> a1{ {1, 2, 3} };
VarDecl 0x561b200333a0 </home/egbomrt/tmp/aaa.cc:2:1, col:34> col:20 a1 'std::array<int, 3>':'std::array<int, 3>' listinit
`-InitListExpr 0x561b20036d78 <col:22, col:34> 'std::array<int, 3>':'std::array<int, 3>'
  `-InitListExpr 0x561b20036dc0 <col:24, col:32> 'typename _AT_Type::_Type':'int [3]'
    |-IntegerLiteral 0x561b20033408 <col:25> 'int' 1
    |-IntegerLiteral 0x561b20033428 <col:28> 'int' 2
    `-IntegerLiteral 0x561b20033448 <col:31> 'int' 3
vsavchenko added inline comments.Apr 6 2021, 11:13 AM
clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
422–423

I'm not sure that we'll report anything on that

NoQ accepted this revision.Apr 6 2021, 2:39 PM

Looks great and I'm also curious about nested initializers.

clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
422–423

We probably won't because it's a C++ object, even though it's an aggregate so we should probably warn(?) What about a plain C object like

int x[2][2] = { { 0, 0 }, { 0, 0 } };

?

This revision is now accepted and ready to land.Apr 6 2021, 2:39 PM
vsavchenko added inline comments.Apr 7 2021, 6:05 AM
clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
422–423

The same here, we still don't warn about stores like this, but I think I can add test with nested structs

steakhal accepted this revision.Apr 7 2021, 6:14 AM

Looks good. Thank you.

clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp
422–423

Should we add a C++ test case as well?

vsavchenko added a comment.Apr 7 2021, 6:16 AM
In D99262#2673825, @steakhal wrote:

Looks good. Thank you.

I guess it will do for PODs, but for regular C++ types we have an early exit until we learn about side effects from constructors.

vsavchenko updated this revision to Diff 335795.Apr 7 2021, 6:23 AM

Support nested init lists

Harbormaster completed remote builds in B97500: Diff 335795.Apr 7 2021, 7:11 AM
NoQ accepted this revision.Apr 7 2021, 10:51 AM
This revision was landed with ongoing or failed builds.Apr 8 2021, 6:20 AM
Closed by commit rG9f0d8bac144c: [analyzer] Fix dead store checker false positive (authored by vsavchenko). · Explain Why
This revision was automatically updated to reflect the committed changes.
vsavchenko added a commit: rG9f0d8bac144c: [analyzer] Fix dead store checker false positive.
martong added a comment.Apr 12 2021, 4:40 AM
In D99262#2673842, @vsavchenko wrote:

Support nested init lists

Thanks for addressing the nested lists! (And sorry for the late reply, I was on vacation)

vsavchenko added a comment.Apr 12 2021, 6:14 AM
In D99262#2682803, @martong wrote:
In D99262#2673842, @vsavchenko wrote:

Support nested init lists

Thanks for addressing the nested lists! (And sorry for the late reply, I was on vacation)

Hey, thanks for taking your time and reviewing it!

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
34 lines
test/
Analysis/
41 lines

Diff 336080

clang/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp

//==- DeadStoresChecker.cpp - Check for stores to dead variables -*- C++ -*-==// //==- DeadStoresChecker.cpp - Check for stores to dead variables -*- C++ -*-==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines a DeadStores, a flow-sensitive checker that looks for // This file defines a DeadStores, a flow-sensitive checker that looks for
// stores to variables that are no longer live. // stores to variables that are no longer live.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/ASTContext.h" #include "clang/AST/ASTContext.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/AST/RecursiveASTVisitor.h" #include "clang/AST/RecursiveASTVisitor.h"
#include "clang/Analysis/Analyses/LiveVariables.h" #include "clang/Analysis/Analyses/LiveVariables.h"
#include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "llvm/ADT/BitVector.h" #include "llvm/ADT/BitVector.h"
#include "llvm/ADT/STLExtras.h"
steakhalUnsubmitted
Not Done
ReplyInline Actions

I don't see any new code that would depend on this header.

steakhal: I don't see any new code that would depend on this header.
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

llvm::all_of?

vsavchenko: `llvm::all_of`?
steakhalUnsubmitted
Not Done
ReplyInline Actions

Oh sure!

steakhal: Oh sure!
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/SaveAndRestore.h" #include "llvm/Support/SaveAndRestore.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
▲ Show 20 LinesShow All 370 Lines▼ Show 20 Lines else if (const DeclStmt *DS = dyn_cast<DeclStmt>(S))
// is initialized. We don't flag warnings for those variables // is initialized. We don't flag warnings for those variables
// marked 'unused' or 'objc_precise_lifetime'. // marked 'unused' or 'objc_precise_lifetime'.
if (!isLive(Live, V) && if (!isLive(Live, V) &&
!V->hasAttr<UnusedAttr>() && !V->hasAttr<UnusedAttr>() &&
!V->hasAttr<ObjCPreciseLifetimeAttr>()) { !V->hasAttr<ObjCPreciseLifetimeAttr>()) {
// Special case: check for initializations with constants. // Special case: check for initializations with constants.
// //
// e.g. : int x = 0; // e.g. : int x = 0;
// struct A = {0, 1};
// struct B = {{0}, {1, 2}};
// //
// If x is EVER assigned a new value later, don't issue // If x is EVER assigned a new value later, don't issue
// a warning. This is because such initialization can be // a warning. This is because such initialization can be
// due to defensive programming. // due to defensive programming.
if (E->isEvaluatable(Ctx)) if (isConstant(E))
return; return;
if (const DeclRefExpr *DRE = if (const DeclRefExpr *DRE =
dyn_cast<DeclRefExpr>(E->IgnoreParenCasts())) dyn_cast<DeclRefExpr>(E->IgnoreParenCasts()))
if (const VarDecl *VD = dyn_cast<VarDecl>(DRE->getDecl())) { if (const VarDecl *VD = dyn_cast<VarDecl>(DRE->getDecl())) {
martongUnsubmitted
Not Done
ReplyInline Actions

What about nested InitListExpr's?

std::array<int, 3> a1{ {1, 2, 3} };
VarDecl 0x561b200333a0 </home/egbomrt/tmp/aaa.cc:2:1, col:34> col:20 a1 'std::array<int, 3>':'std::array<int, 3>' listinit
`-InitListExpr 0x561b20036d78 <col:22, col:34> 'std::array<int, 3>':'std::array<int, 3>'
  `-InitListExpr 0x561b20036dc0 <col:24, col:32> 'typename _AT_Type::_Type':'int [3]'
    |-IntegerLiteral 0x561b20033408 <col:25> 'int' 1
    |-IntegerLiteral 0x561b20033428 <col:28> 'int' 2
    `-IntegerLiteral 0x561b20033448 <col:31> 'int' 3
martong: What about nested InitListExpr's? ``` std::array<int, 3> a1{ {1, 2, 3} }; ``` ``` VarDecl…
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

I'm not sure that we'll report anything on that

vsavchenko: I'm not sure that we'll report anything on that
NoQUnsubmitted
Not Done
ReplyInline Actions

We probably won't because it's a C++ object, even though it's an aggregate so we should probably warn(?) What about a plain C object like

int x[2][2] = { { 0, 0 }, { 0, 0 } };

?

NoQ: We probably won't because it's a C++ object, even though it's an aggregate so we should…
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

The same here, we still don't warn about stores like this, but I think I can add test with nested structs

vsavchenko: The same here, we still don't warn about stores like this, but I think I can add test with…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Should we add a C++ test case as well?

steakhal: Should we add a C++ test case as well?
// Special case: check for initialization from constant // Special case: check for initialization from constant
// variables. // variables.
// //
// e.g. extern const int MyConstant; // e.g. extern const int MyConstant;
steakhalUnsubmitted
Done
ReplyInline Actions

Eh, the indentation looks horrible.
It would be probably better to use braces here.

steakhal: Eh, the indentation looks horrible. It would be probably better to use braces here.
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, I agree. I'm not sure braces will help much. I will try to do smith about it

vsavchenko: Yeah, I agree. I'm not sure braces will help much. I will try to do smith about it
// int x = MyConstant; // int x = MyConstant;
// //
if (VD->hasGlobalStorage() && if (VD->hasGlobalStorage() &&
VD->getType().isConstQualified()) VD->getType().isConstQualified())
return; return;
// Special case: check for initialization from scalar // Special case: check for initialization from scalar
// parameters. This is often a form of defensive // parameters. This is often a form of defensive
// programming. Non-scalars are still an error since // programming. Non-scalars are still an error since
// because it more likely represents an actual algorithmic // because it more likely represents an actual algorithmic
// bug. // bug.
if (isa<ParmVarDecl>(VD) && VD->getType()->isScalarType()) if (isa<ParmVarDecl>(VD) && VD->getType()->isScalarType())
return; return;
} }
PathDiagnosticLocation Loc = PathDiagnosticLocation Loc =
PathDiagnosticLocation::create(V, BR.getSourceManager()); PathDiagnosticLocation::create(V, BR.getSourceManager());
Report(V, DeadInit, Loc, E->getSourceRange()); Report(V, DeadInit, Loc, E->getSourceRange());
} }
} }
} }
} }
} }
private:
/// Return true if the given init list can be interpreted as constant
bool isConstant(const InitListExpr *Candidate) const {
// We consider init list to be constant if each member of the list can be
// interpreted as constant.
return llvm::all_of(Candidate->inits(),
[this](const Expr *Init) { return isConstant(Init); });
}
/// Return true if the given expression can be interpreted as constant
bool isConstant(const Expr *E) const {
// It looks like E itself is a constant
if (E->isEvaluatable(Ctx))
return true;
// We should also allow defensive initialization of structs, i.e. { 0 }
if (const auto *ILE = dyn_cast<InitListExpr>(E->IgnoreParenCasts())) {
return isConstant(ILE);
}
return false;
}
}; };
} // end anonymous namespace } // end anonymous namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Driver function to invoke the Dead-Stores checker on a CFG. // Driver function to invoke the Dead-Stores checker on a CFG.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 91 LinesShow Last 20 Lines

clang/test/Analysis/dead-stores.c

Show First 20 LinesShow All 629 Lines▼ Show 20 Linesvoid testBOComma() {
int *p; int *p;
p = (getPtr(), (int *)0); // no warning p = (getPtr(), (int *)0); // no warning
} }
void testVolatile() { void testVolatile() {
volatile int v; volatile int v;
v = 0; // no warning v = 0; // no warning
} }
struct Foo {
int x;
int y;
};
struct Foo rdar34122265_getFoo(void);
int rdar34122265_test(int input) {
// This is allowed for defensive programming.
struct Foo foo = {0, 0};
if (input > 0) {
foo = rdar34122265_getFoo();
} else {
return 0;
}
return foo.x + foo.y;
}
void rdar34122265_test_cast() {
// This is allowed for defensive programming.
struct Foo foo = {0, 0};
(void)foo;
}
struct Bar {
struct Foo x, y;
};
struct Bar rdar34122265_getBar(void);
int rdar34122265_test_nested(int input) {
// This is allowed for defensive programming.
struct Bar bar = {{0, 0}, {0, 0}};
if (input > 0) {
bar = rdar34122265_getBar();
} else {
return 0;
}
return bar.x.x + bar.y.y;
}