[PATCH] D23300: [analyzer] Add "Assuming..." diagnostic pieces for unsupported condition expressions.

Artem Dergachev via cfe-commits cfe-commits at lists.llvm.org
Tue Aug 9 02:22:55 PDT 2016


NoQ created this revision.
NoQ added reviewers: zaks.anna, dcoughlin, xazax.hun, a.sidorin.
NoQ added a subscriber: cfe-commits.

In path diagnostics, the "Assuming ..." diagnostic piece represents the event (i.e. yellow in html diagnostics) of adding constraint to a symbol, and there are also "Taking ..." diagnostic pieces, which represent the decision on program path that was made based on existing constraints.

For example:
```
void foo(int x) {
  if (x == 2) // Assuming and Taking.
  {
    if (x == 3) { // Only Taking.
    } else {
      1 / 0; // Bug.
    }
  }
}
```
1. This code would produce the "Assuming `x` is equal to `2`" piece, which represents that on the previous execution path it was not known that `x` is equal to `2`, but now we consider this path as separate.
2. Then this code would produce the "Taking true branch" piece, which would tell the user that we inevitably follow the true branch because of the assumption we made earlier.
3. Then in the inner `if`, this code would produce the "Taking false branch" piece. However, it would not produce the new "Assuming `x` is not equal to `3`" piece, because it doesn't need to assume this - it is already inevitable.

Now, the problem with "Assuming ..." pieces is that they are "pretty". If the analyzer fails to pretty-print the assumption - i.e. transform "(x == 2)" to "`x` is equal to `2`" - then it fails to add the piece, and the user gets a false impression that taking the branch was inevitable.

Expressions unsupported by the pretty-printer are fairly common and include function call expressions, field or instance variable expressions, and logical operators.

This patch adds the generic "Assuming the condition is true/false" pieces whenever the pretty-printing fails. This way we keep understanding why the analyzer thinks that a certain branch is feasible.

This patch helps a lot with understanding bug reports, which originally seem like false-positives.

I've eye-inspected all the changes on tests, and i like all the newly added pieces.

This mechanism can still be improved by supporting more expression pretty-printing.

A couple of examples: {F2256294} {F2256295}

https://reviews.llvm.org/D23300

Files:
  include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h
  lib/StaticAnalyzer/Core/BugReporter.cpp
  lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
  test/Analysis/DeallocUseAfterFreeErrors.m
  test/Analysis/conditional-path-notes.c
  test/Analysis/edges-new.mm
  test/Analysis/generics.m
  test/Analysis/inlining/path-notes.m
  test/Analysis/localization.m
  test/Analysis/malloc-plist.c
  test/Analysis/model-file.cpp
  test/Analysis/plist-output.m

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D23300.67298.patch
Type: text/x-patch
Size: 155741 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20160809/6b1083bb/attachment-0001.bin>


More information about the cfe-commits mailing list