This is an archive of the discontinued LLVM Phabricator instance.

Differential D99344

[Analyzer] Track RValue expressions
ClosedPublic

Authored by martong on Mar 25 2021, 8:08 AM.

Details

Reviewers
steakhal
NoQ
vsavchenko
Szelethus
Commits
rGefa7df1682c2: [Analyzer] Track RValue expressions
Summary

It makes sense to track rvalue expressions in the case of special
concrete integer values. The most notable special value is zero (later
we may find other values). By tracking the origin of 0, we can provide a
better explanation for users e.g. in case of division by 0 warnings.
When the divisor is a product of a multiplication then now we can show
which operand (or both) was (were) zero and why.

Diff Detail

Unit TestsFailed

TimeTest
2,230 msx64 debian > libFuzzer.libFuzzer::fuzzer-custommutator.test

Event Timeline

martong created this revision.Mar 25 2021, 8:08 AM
Herald added subscribers: ASDenysPetrov, Charusso, gamesh411 and 9 others. · View Herald TranscriptMar 25 2021, 8:08 AM
martong requested review of this revision.Mar 25 2021, 8:08 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 25 2021, 8:08 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong added a parent revision: D99343: [Analyzer] Infer 0 value when the divisible is 0 (bug fix).Mar 25 2021, 8:09 AM
vsavchenko added a comment.Mar 25 2021, 8:22 AM

From the first glance, everything is looking good! Thanks for addressing this!
But I still need to have a deeper look.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1932–1933

I think this should become an assertion and the caller should ensure that E is actually an r-value

1950

APSInt

Harbormaster completed remote builds in B95697: Diff 333309.Mar 25 2021, 8:39 AM
steakhal added a comment.Mar 25 2021, 8:57 AM

I really like it. Looks good.
I'm letting someone else accept this as I've not really touched the trackExpression parts.

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
119–124

It is supposed to be called by the trackExpressionValue().
Why do we expose this function then?

martong updated this revision to Diff 333346.Mar 25 2021, 10:46 AM
  • Rebase
martong updated this revision to Diff 333347.Mar 25 2021, 10:47 AM
  • Assert in the callee and check in the caller
  • Fix typo in comment
martong marked an inline comment as done.Mar 25 2021, 10:51 AM
martong added inline comments.
clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
119–124

I was thinking about that maybe some Checkers could explicitly want to track RValues only. On the other hand, maybe it just complicates the public API. Anyway, I'd like to hear what other people say about this.

Harbormaster completed remote builds in B95722: Diff 333347.Mar 25 2021, 11:28 AM
Harbormaster completed remote builds in B95721: Diff 333346.Mar 25 2021, 11:55 AM
NoQ added a comment.Mar 25 2021, 1:54 PM

I think this is a good targeted fix for that problem we've discussed, demonstrated by tests.

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
119–124

I suggest keep it private until there's an actual use case. As of now literally nobody understands how these functions are even supposed to work so it's way too early to give API promises.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1945

SVal::isZeroConstant() please ^.^

martong updated this revision to Diff 333508.Mar 26 2021, 1:38 AM
martong marked 5 inline comments as done.
  • Use isZeroConstant()
  • Make trackRValueExpression private (static function)
  • Fix clang-tidy report: auto *BO ---> const auto *BO
martong added a comment.Mar 26 2021, 1:40 AM

Guys, thanks for the review! :)

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1945

Yeah good catch, I wish I knew this before :)

Harbormaster completed remote builds in B95842: Diff 333508.Mar 26 2021, 2:30 AM
steakhal added a comment.Mar 26 2021, 3:18 AM

Some minor logical issues inline.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1944–1945

There are only 3 multiplicative operators:

BINARY_OPERATION(Mul, "*")
BINARY_OPERATION(Div, "/")
BINARY_OPERATION(Rem, "%")

So, the opcode can never be BO_MulAssign later.
The comment for the else block is also inaccurate for the same reason.

martong updated this revision to Diff 333848.Mar 29 2021, 6:40 AM
  • Remove handling of assignment
martong marked an inline comment as done.Mar 29 2021, 6:43 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1944–1945

Yep, good catch! The reason why the assignment test case passed is that we already handle assignment operations in the FindLastStoreBRVisitor.

// If this is an assignment expression, we can track the value
// being assigned.
if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
  if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>())
    if (BO->isAssignmentOp())
      InitE = BO->getRHS();

So, I could just remove the handling of the assignment from the new function.

martong marked an inline comment as done.Mar 29 2021, 6:44 AM
Harbormaster completed remote builds in B96104: Diff 333848.Mar 29 2021, 7:22 AM
steakhal added inline comments.Mar 30 2021, 1:44 AM
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1958–1959

Both divisions and modulo operations can flow here.

martong updated this revision to Diff 334093.Mar 30 2021, 3:12 AM
  • Update comment
martong marked an inline comment as done.Mar 30 2021, 3:12 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1958–1959

Ok, I updated the comment.

steakhal accepted this revision.Mar 30 2021, 3:50 AM

land it

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1938

This note is not strictly for this patch.

At first, it wasn't clear to me why you call getSValAsScalarOrLoc().
That just returns unknown if the Region is not boundable. Unfortunately, the MemRegion::isBoundable() has no documentation. IMO all virtual call deserves documentation.

This revision is now accepted and ready to land.Mar 30 2021, 3:50 AM
Harbormaster completed remote builds in B96273: Diff 334093.Mar 30 2021, 3:52 AM
Closed by commit rGefa7df1682c2: [Analyzer] Track RValue expressions (authored by martong). · Explain WhyMar 30 2021, 5:57 AM
This revision was automatically updated to reflect the committed changes.
martong marked an inline comment as done.
martong added a commit: rGefa7df1682c2: [Analyzer] Track RValue expressions.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
7 lines
lib/
StaticAnalyzer/
Core/
60 lines
test/
Analysis/
11 lines
98 lines
2 lines

Diff 333347

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show First 20 LinesShow All 110 Lines▼ Show 20 Lines
/// \return Whether or not the function was able to add visitors for this /// \return Whether or not the function was able to add visitors for this
/// statement. Note that returning \c true does not actually imply /// statement. Note that returning \c true does not actually imply
/// that any visitors were added. /// that any visitors were added.
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, bool trackExpressionValue(const ExplodedNode *N, const Expr *E,
PathSensitiveBugReport &R, PathSensitiveBugReport &R,
TrackingKind TKind = TrackingKind::Thorough, TrackingKind TKind = TrackingKind::Thorough,
bool EnableNullFPSuppression = true); bool EnableNullFPSuppression = true);
/// Attempts to add visitors to track an RValue expression back to its point of
/// origin. Works similarly to trackExpressionValue, but accepts only RValues.
void trackRValueExpression(const ExplodedNode *N, const Expr *E,
PathSensitiveBugReport &R,
TrackingKind TKind = TrackingKind::Thorough,
bool EnableNullFPSuppression = true);
steakhalUnsubmitted
Done
ReplyInline Actions

It is supposed to be called by the trackExpressionValue().
Why do we expose this function then?

steakhal: It is supposed to be called by the `trackExpressionValue()`. Why do we expose this function…
martongAuthorUnsubmitted
Done
ReplyInline Actions

I was thinking about that maybe some Checkers could explicitly want to track RValues only. On the other hand, maybe it just complicates the public API. Anyway, I'd like to hear what other people say about this.

martong: I was thinking about that maybe some Checkers could explicitly want to track RValues only. On…
NoQUnsubmitted
Done
ReplyInline Actions

I suggest keep it private until there's an actual use case. As of now literally nobody understands how these functions are even supposed to work so it's way too early to give API promises.

NoQ: I suggest keep it private until there's an actual use case. As of now literally nobody…
const Expr *getDerefExpr(const Stmt *S); const Expr *getDerefExpr(const Stmt *S);
} // namespace bugreporter } // namespace bugreporter
/// Finds last store into the given region, /// Finds last store into the given region,
/// which is different from a given symbolic value. /// which is different from a given symbolic value.
class FindLastStoreBRVisitor final : public BugReporterVisitor { class FindLastStoreBRVisitor final : public BugReporterVisitor {
const MemRegion *R; const MemRegion *R;
▲ Show 20 LinesShow All 281 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 1,918 Lines▼ Show 20 Linesstatic const ExplodedNode* findNodeForExpression(const ExplodedNode *N,
while (N) { while (N) {
if (N->getStmtForDiagnostics() == Inner) if (N->getStmtForDiagnostics() == Inner)
return N; return N;
N = N->getFirstPred(); N = N->getFirstPred();
} }
return N; return N;
} }
void bugreporter::trackRValueExpression(const ExplodedNode *InputNode,
const Expr *E,
PathSensitiveBugReport &report,
bugreporter::TrackingKind TKind,
bool EnableNullFPSuppression) {
assert(E->isRValue() && "The expression is not an rvalue!");
const ExplodedNode *RVNode = findNodeForExpression(InputNode, E);
vsavchenkoUnsubmitted
Done
ReplyInline Actions

I think this should become an assertion and the caller should ensure that E is actually an r-value

vsavchenko: I think this should become an assertion and the caller should ensure that `E` is actually an r…
if (!RVNode)
return;
ProgramStateRef RVState = RVNode->getState();
SVal V = RVState->getSValAsScalarOrLoc(E, RVNode->getLocationContext());
auto *BO = dyn_cast<BinaryOperator>(E);
Lint: Pre-merge checks
Inline Actions

clang-tidy: warning: 'auto *BO' can be declared as 'const auto *BO' [llvm-qualified-auto]
not useful

Lint: Pre-merge checks: clang-tidy: warning: 'auto *BO' can be declared as 'const auto *BO' [llvm-qualified-auto]…
steakhalUnsubmitted
Not Done
ReplyInline Actions

This note is not strictly for this patch.

At first, it wasn't clear to me why you call getSValAsScalarOrLoc().
That just returns unknown if the Region is not boundable. Unfortunately, the MemRegion::isBoundable() has no documentation. IMO all virtual call deserves documentation.

steakhal: This note is not strictly for this patch. At first, it wasn't clear to me why you call…
if (!BO)
return;
ProgramStateManager &Mgr = RVState->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory();
auto IsZero = [&BVF](const Optional<nonloc::ConcreteInt> &CI) {
NoQUnsubmitted
Done
ReplyInline Actions

SVal::isZeroConstant() please ^.^

NoQ: `SVal::isZeroConstant()` please ^.^
steakhalUnsubmitted
Done
ReplyInline Actions

There are only 3 multiplicative operators:

BINARY_OPERATION(Mul, "*")
BINARY_OPERATION(Div, "/")
BINARY_OPERATION(Rem, "%")

So, the opcode can never be BO_MulAssign later.
The comment for the else block is also inaccurate for the same reason.

steakhal: There are only 3 multiplicative operators: ``` BINARY_OPERATION(Mul, "*") BINARY_OPERATION(Div…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yeah good catch, I wish I knew this before :)

martong: Yeah good catch, I wish I knew this before :)
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yep, good catch! The reason why the assignment test case passed is that we already handle assignment operations in the FindLastStoreBRVisitor.

// If this is an assignment expression, we can track the value
// being assigned.
if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
  if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>())
    if (BO->isAssignmentOp())
      InitE = BO->getRHS();

So, I could just remove the handling of the assignment from the new function.

martong: Yep, good catch! The reason why the assignment test case passed is that we already handle…
if (!CI)
return false;
const llvm::APSInt &Zero = BVF.getValue(0, BVF.getContext().IntTy);
// Do the comparison with the same canonical APSInt.
return CI->getValue() == BVF.Convert(CI->getValue(), Zero);
vsavchenkoUnsubmitted
Done
ReplyInline Actions

APSInt

vsavchenko: `APSInt`
};
auto CI = V.getAs<nonloc::ConcreteInt>();
if (!IsZero(CI))
return;
if (!BO->isMultiplicativeOp())
return;
steakhalUnsubmitted
Done
ReplyInline Actions

Both divisions and modulo operations can flow here.

steakhal: Both divisions and modulo operations can flow here.
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ok, I updated the comment.

martong: Ok, I updated the comment.
SVal RHSV = RVState->getSVal(BO->getRHS(), RVNode->getLocationContext());
SVal LHSV = RVState->getSVal(BO->getLHS(), RVNode->getLocationContext());
// Track both LHS and RHS of a multiplication.
if (BO->getOpcode() == BO_Mul || BO->getOpcode() == BO_MulAssign) {
if (IsZero(LHSV.getAs<nonloc::ConcreteInt>())) {
trackExpressionValue(InputNode, BO->getLHS(), report, TKind,
EnableNullFPSuppression);
}
if (IsZero(RHSV.getAs<nonloc::ConcreteInt>())) {
trackExpressionValue(InputNode, BO->getRHS(), report, TKind,
EnableNullFPSuppression);
}
// Track only the LHS of divisions.
} else {
if (IsZero(LHSV.getAs<nonloc::ConcreteInt>())) {
trackExpressionValue(InputNode, BO->getLHS(), report, TKind,
EnableNullFPSuppression);
}
}
}
bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode, bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode,
const Expr *E, const Expr *E,
PathSensitiveBugReport &report, PathSensitiveBugReport &report,
bugreporter::TrackingKind TKind, bugreporter::TrackingKind TKind,
bool EnableNullFPSuppression) { bool EnableNullFPSuppression) {
if (!E || !InputNode) if (!E || !InputNode)
return false; return false;
▲ Show 20 LinesShow All 129 Lines▼ Show 20 Lines if (auto L = V.getAs<loc::MemRegionVal>()) {
const MemRegion *RegionRVal = RVal.getAsRegion(); const MemRegion *RegionRVal = RVal.getAsRegion();
if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) { if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) {
report.markInteresting(RegionRVal, TKind); report.markInteresting(RegionRVal, TKind);
report.addVisitor(std::make_unique<TrackConstraintBRVisitor>( report.addVisitor(std::make_unique<TrackConstraintBRVisitor>(
loc::MemRegionVal(RegionRVal), /*assumption=*/false)); loc::MemRegionVal(RegionRVal), /*assumption=*/false));
} }
} }
if (Inner->isRValue())
trackRValueExpression(LVNode, Inner, report, TKind,
EnableNullFPSuppression);
return true; return true;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Implementation of NulReceiverBRVisitor. // Implementation of NulReceiverBRVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
const Expr *NilReceiverBRVisitor::getNilReceiver(const Stmt *S, const Expr *NilReceiverBRVisitor::getNilReceiver(const Stmt *S,
▲ Show 20 LinesShow All 836 LinesShow Last 20 Lines

clang/test/Analysis/division-by-zero-track-zero.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core \
// RUN: -analyzer-output=text \
// RUN: -verify %s
int track_mul_lhs_0(int x, int y) {
int p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = p0 * y; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}

clang/test/Analysis/division-by-zero-track-zero.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core \
// RUN: -analyzer-output=text \
// RUN: -verify %s
namespace test_tracking_of_lhs_multiplier {
int f(int x, int y) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = p0 * y; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_of_lhs_multiplier
namespace test_tracking_of_rhs_multiplier {
int f(int x, int y) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = y * p0; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_of_rhs_multiplier
namespace test_tracking_of_nested_multiplier {
int f(int x, int y, int z) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = y*z*p0; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_of_nested_multiplier
namespace test_tracking_through_multiple_stmts {
int f(int x, int y) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}}
bool p1 = p0 ? 0 : 1; // expected-note {{'p0' is false}} \
// expected-note {{'?' condition is false}}
bool p2 = 1 - p1; // expected-note {{'p2' initialized to 0}}
int div = p2 * y; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_through_multiple_stmts
namespace test_tracking_both_lhs_and_rhs {
int f(int x, int y) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
bool p1 = y < 0; // expected-note {{Assuming 'y' is >= 0}} \
// expected-note {{'p1' initialized to 0}}
int div = p0 * p1; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_both_lhs_and_rhs
namespace test_tracking_of_multiplier_and_parens {
int f(int x, int y, int z) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = y*(z*p0); // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_of_multiplier_and_parens
namespace test_tracking_of_divisible {
int f(int x, int y) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = p0 / y; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_of_divisible
namespace test_tracking_of_modulo {
int f(int x, int y) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = p0 % y; // expected-note {{'div' initialized to 0}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_of_modulo
namespace test_tracking_of_assignment {
int f(int x) {
bool p0 = x < 0; // expected-note {{Assuming 'x' is >= 0}} \
// expected-note {{'p0' initialized to 0}}
int div = 1;
div *= p0; // expected-note {{The value 0 is assigned to 'div'}}
return 1 / div; // expected-note {{Division by zero}} \
// expected-warning {{Division by zero}}
}
} // namespace test_tracking_of_assignment

clang/test/Analysis/nullptr.cpp

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines
void zoo1backwards() { void zoo1backwards() {
char **p = 0; // expected-note{{'p' initialized to a null pointer value}} char **p = 0; // expected-note{{'p' initialized to a null pointer value}}
delete *(0 + p); // expected-warning{{Dereference of null pointer}} delete *(0 + p); // expected-warning{{Dereference of null pointer}}
// expected-note@-1{{Dereference of null pointer}} // expected-note@-1{{Dereference of null pointer}}
} }
typedef __INTPTR_TYPE__ intptr_t; typedef __INTPTR_TYPE__ intptr_t;
void zoo1multiply() { void zoo1multiply() {
char **p = 0; // FIXME-should-be-note:{{'p' initialized to a null pointer value}} char **p = 0; // expected-note{{'p' initialized to a null pointer value}}
delete *((char **)((intptr_t)p * 2)); // expected-warning{{Dereference of null pointer}} delete *((char **)((intptr_t)p * 2)); // expected-warning{{Dereference of null pointer}}
// expected-note@-1{{Dereference of null pointer}} // expected-note@-1{{Dereference of null pointer}}
} }
void zoo2() { void zoo2() {
int **a = 0; int **a = 0;
int **b = 0; // expected-note{{'b' initialized to a null pointer value}} int **b = 0; // expected-note{{'b' initialized to a null pointer value}}
asm ("nop" asm ("nop"
▲ Show 20 LinesShow All 100 LinesShow Last 20 Lines