[cfe-commits] r164449 - in /cfe/trunk: include/clang/StaticAnalyzer/Core/AnalyzerOptions.h lib/StaticAnalyzer/Core/AnalyzerOptions.cpp lib/StaticAnalyzer/Core/BugReporterVisitors.cpp test/Analysis/inline-plist.c test/Analysis/inlining/false-positive-suppression.c test/Analysis/inlining/path-notes.c test/Analysis/inlining/path-notes.m

Jordan Rose jordan_rose at apple.com
Fri Sep 21 18:25:06 PDT 2012


Author: jrose
Date: Fri Sep 21 20:25:06 2012
New Revision: 164449

URL: http://llvm.org/viewvc/llvm-project?rev=164449&view=rev
Log:
[analyzer] Suppress bugs whose paths go through the return of a null pointer.

This is a heuristic intended to greatly reduce the number of false
positives resulting from inlining, particularly inlining of generic,
defensive C++ methods that live in header files. The suppression is
triggered in the cases where we ask to track where a null pointer came
from, and it turns out that the source of the null pointer was an inlined
function call.

This change brings the number of bug reports in LLVM from ~1500 down to
around ~300, a much more manageable number. Yes, some true positives may
be hidden as well, but from what I looked at the vast majority of silenced
reports are false positives, and many of the true issues found by the
analyzer are still reported.

I'm hoping to improve this heuristic further by adding some exceptions
next week (cases in which a bug should still be reported).

Added:
    cfe/trunk/test/Analysis/inlining/false-positive-suppression.c
Modified:
    cfe/trunk/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h
    cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
    cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
    cfe/trunk/test/Analysis/inline-plist.c
    cfe/trunk/test/Analysis/inlining/path-notes.c
    cfe/trunk/test/Analysis/inlining/path-notes.m

Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h?rev=164449&r1=164448&r2=164449&view=diff
==============================================================================
--- cfe/trunk/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h (original)
+++ cfe/trunk/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h Fri Sep 21 20:25:06 2012
@@ -184,7 +184,10 @@
   // Cache of the "ipa-always-inline-size" setting.
   // \sa getAlwaysInlineSize
   llvm::Optional<unsigned> AlwaysInlineSize;
-  
+
+  /// \sa shouldPruneNullReturnPaths
+  llvm::Optional<bool> PruneNullReturnPaths;
+
   /// Interprets an option's string value as a boolean.
   ///
   /// Accepts the strings "true" and "false".
@@ -226,6 +229,16 @@
   /// accepts the values "true" and "false".
   bool mayInlineTemplateFunctions() const;
 
+  /// Returns whether or not paths that go through null returns should be
+  /// suppressed.
+  ///
+  /// This is a heuristic for avoiding bug reports with paths that go through
+  /// inlined functions that are more defensive than their callers.
+  ///
+  /// This is controlled by the 'suppress-null-return-paths' config option,
+  /// which accepts the values "true" and "false".
+  bool shouldPruneNullReturnPaths() const;
+
   // Returns the size of the functions (in basic blocks), which should be
   // considered to be small enough to always inline.
   //

Modified: cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp?rev=164449&r1=164448&r2=164449&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp Fri Sep 21 20:25:06 2012
@@ -90,6 +90,14 @@
   return *ObjCInliningMode;
 }
 
+bool AnalyzerOptions::shouldPruneNullReturnPaths() const {
+  if (!PruneNullReturnPaths.hasValue())
+    const_cast<llvm::Optional<bool> &>(PruneNullReturnPaths) =
+      getBooleanOption("suppress-null-return-paths", /*Default=*/true);
+
+  return *PruneNullReturnPaths;
+}
+
 int AnalyzerOptions::getOptionAsInteger(StringRef Name, int DefaultVal) const {
   std::string OptStr = Config.lookup(Name);
   if (OptStr.empty())

Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=164449&r1=164448&r2=164449&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp Fri Sep 21 20:25:06 2012
@@ -140,9 +140,13 @@
   ReturnVisitor(const StackFrameContext *Frame)
     : StackFrame(Frame), Satisfied(false) {}
 
-  virtual void Profile(llvm::FoldingSetNodeID &ID) const {
+  static void *getTag() {
     static int Tag = 0;
-    ID.AddPointer(&Tag);
+    return static_cast<void *>(&Tag);
+  }
+
+  virtual void Profile(llvm::FoldingSetNodeID &ID) const {
+    ID.AddPointer(ReturnVisitor::getTag());
     ID.AddPointer(StackFrame);
   }
 
@@ -215,10 +219,6 @@
     // Don't print any more notes after this one.
     Satisfied = true;
 
-    // Build an appropriate message based on the return value.
-    SmallString<64> Msg;
-    llvm::raw_svector_ostream Out(Msg);
-
     const Expr *RetE = Ret->getRetValue();
     assert(RetE && "Tracking a return value for a void function");
     RetE = RetE->IgnoreParenCasts();
@@ -234,7 +234,18 @@
     // If we're returning 0, we should track where that 0 came from.
     bugreporter::trackNullOrUndefValue(N, RetE, BR);
 
+    // Build an appropriate message based on the return value.
+    SmallString<64> Msg;
+    llvm::raw_svector_ostream Out(Msg);
+
     if (isa<Loc>(V)) {
+      // If we are pruning null-return paths as unlikely error paths, mark the
+      // report invalid. We still want to emit a path note, however, in case
+      // the report is resurrected as valid later on.
+      ExprEngine &Eng = BRC.getBugReporter().getEngine();
+      if (Eng.getAnalysisManager().options.shouldPruneNullReturnPaths())
+        BR.markInvalid(ReturnVisitor::getTag(), StackFrame);
+
       if (RetE->getType()->isObjCObjectPointerType())
         Out << "Returning nil";
       else

Modified: cfe/trunk/test/Analysis/inline-plist.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inline-plist.c?rev=164449&r1=164448&r2=164449&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/inline-plist.c (original)
+++ cfe/trunk/test/Analysis/inline-plist.c Fri Sep 21 20:25:06 2012
@@ -1,5 +1,5 @@
-// RUN: %clang --analyze %s -fblocks -Xanalyzer -analyzer-output=text -Xclang -verify %s
-// RUN: %clang --analyze %s -fblocks -o %t
+// RUN: %clang --analyze %s -fblocks -Xanalyzer -analyzer-output=text -Xanalyzer -analyzer-config -Xanalyzer suppress-null-return-paths=false -Xclang -verify %s
+// RUN: %clang --analyze %s -fblocks -Xanalyzer -analyzer-config -Xanalyzer suppress-null-return-paths=false -o %t
 // RUN: FileCheck -input-file %t %s
 
 // <rdar://problem/10967815>

Added: cfe/trunk/test/Analysis/inlining/false-positive-suppression.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inlining/false-positive-suppression.c?rev=164449&view=auto
==============================================================================
--- cfe/trunk/test/Analysis/inlining/false-positive-suppression.c (added)
+++ cfe/trunk/test/Analysis/inlining/false-positive-suppression.c Fri Sep 21 20:25:06 2012
@@ -0,0 +1,95 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-config suppress-null-return-paths=false -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -verify -DSUPPRESSED %s
+
+int opaquePropertyCheck(void *object);
+int coin();
+
+int *dynCastToInt(void *ptr) {
+  if (opaquePropertyCheck(ptr))
+    return (int *)ptr;
+  return 0;
+}
+
+int *dynCastOrNull(void *ptr) {
+  if (!ptr)
+    return 0;
+  if (opaquePropertyCheck(ptr))
+    return (int *)ptr;
+  return 0;
+}
+
+
+void testDynCast(void *p) {
+  int *casted = dynCastToInt(p);
+  *casted = 1;
+#ifndef SUPPRESSED
+  // expected-warning at -2 {{Dereference of null pointer}}
+#endif
+}
+
+void testDynCastOrNull(void *p) {
+  int *casted = dynCastOrNull(p);
+  *casted = 1;
+#ifndef SUPPRESSED
+  // expected-warning at -2 {{Dereference of null pointer}}
+#endif
+}
+
+
+void testBranch(void *p) {
+  int *casted;
+
+  // Although the report will be suppressed on one branch, it should still be
+  // valid on the other.
+  if (coin()) {
+    casted = dynCastToInt(p);
+  } else {
+    if (p)
+      return;
+    casted = (int *)p;
+  }
+
+  *casted = 1; // expected-warning {{Dereference of null pointer}}
+}
+
+void testBranchReversed(void *p) {
+  int *casted;
+
+  // Although the report will be suppressed on one branch, it should still be
+  // valid on the other.
+  if (coin()) {
+    if (p)
+      return;
+    casted = (int *)p;
+  } else {
+    casted = dynCastToInt(p);
+  }
+
+  *casted = 1; // expected-warning {{Dereference of null pointer}}
+}
+
+
+// ---------------------------------------
+// FALSE NEGATIVES (over-suppression)
+// ---------------------------------------
+
+void testDynCastOrNullOfNull() {
+  // In this case we have a known value for the argument, and thus the path
+  // through the function doesn't ever split.
+  int *casted = dynCastOrNull(0);
+  *casted = 1;
+#ifndef SUPPRESSED
+  // expected-warning at -2 {{Dereference of null pointer}}
+#endif
+}
+
+void testDynCastOfNull() {
+  // In this case all paths out of the function return 0, but they are all
+  // dominated by a branch whose condition we don't know!
+  int *casted = dynCastToInt(0);
+  *casted = 1;
+#ifndef SUPPRESSED
+  // expected-warning at -2 {{Dereference of null pointer}}
+#endif
+}
+

Modified: cfe/trunk/test/Analysis/inlining/path-notes.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inlining/path-notes.c?rev=164449&r1=164448&r2=164449&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/inlining/path-notes.c (original)
+++ cfe/trunk/test/Analysis/inlining/path-notes.c Fri Sep 21 20:25:06 2012
@@ -1,5 +1,5 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -verify %s
-// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=plist-multi-file %s -o %t.plist
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -analyzer-config suppress-null-return-paths=false -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=plist-multi-file -analyzer-config suppress-null-return-paths=false %s -o %t.plist
 // RUN: FileCheck --input-file=%t.plist %s
 
 void zero(int **p) {

Modified: cfe/trunk/test/Analysis/inlining/path-notes.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inlining/path-notes.m?rev=164449&r1=164448&r2=164449&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/inlining/path-notes.m (original)
+++ cfe/trunk/test/Analysis/inlining/path-notes.m Fri Sep 21 20:25:06 2012
@@ -1,5 +1,5 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -verify %s
-// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=plist-multi-file %s -o %t.plist
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=text -analyzer-config suppress-null-return-paths=false -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core -analyzer-output=plist-multi-file -analyzer-config suppress-null-return-paths=false %s -o %t.plist
 // RUN: FileCheck --input-file=%t.plist %s
 
 @interface Test





More information about the cfe-commits mailing list