[PATCH] D18860: [analyzer] Fix the "Zombie symbols" issue.

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Nov 9 18:55:05 PST 2018


NoQ updated this revision to Diff 173487.
NoQ added a comment.

Add an interesting test for the `MisusedMovedObject` checker that demonstrates one more potential source of false positives caused by the zombie symbol problem. In this test there are, well, //no symbols//. Therefore, there are no dead symbols or zombie symbols. Therefore `SymReaper.hasDeadSymbols()` is always `false`. Therefore `checkDeadSymbols()` is never called at all. However, the `MisusedMovedObject` checker is not interested in symbols; it is only interested in regions, including concrete regions that aren't based on symbols. So it was missing the `checkDeadSymbols()` callback that would have unmarked the region for variable `e` (in an inlined function or not in an inlined function - it doesn't matter). And the next time it sees variable `e` in that function within the same stack frame, it thinks it's the same variable that has just been moved.

This problem was already discussed in D24246?id=82469#inline-249803 <https://reviews.llvm.org/D24246?id=82469#inline-249803>.

Add tests in `loop-block-counts.c` that demonstrate the other source of the problem in `MisusedMovedObject`: in fact, variable `e` should not be the same variable on different iterations of the loop. In the case of the inlined function, the problem is caused by how our `StackFrameContext` doesn't contain a "block count" for the entrance - which is a hack to discriminate between different iterations of the loop that is used for, e.g., conjured symbols, but, unfortunately, not for addresses of variables / temporaries. In the case of non-inlined functions, the problem is deeper: we simply don't have a `LocationContext` for a single loop iteration, so there's no way we can discriminate between loop locals on different loop iterations by their memory spaces.


https://reviews.llvm.org/D18860

Files:
  include/clang/StaticAnalyzer/Core/PathSensitive/SMTConstraintManager.h
  include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h
  lib/StaticAnalyzer/Checkers/CStringChecker.cpp
  lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
  lib/StaticAnalyzer/Checkers/MPI-Checker/MPIChecker.cpp
  lib/StaticAnalyzer/Checkers/MacOSKeychainAPIChecker.cpp
  lib/StaticAnalyzer/Checkers/MallocChecker.cpp
  lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
  lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
  lib/StaticAnalyzer/Checkers/StreamChecker.cpp
  lib/StaticAnalyzer/Core/Environment.cpp
  lib/StaticAnalyzer/Core/ExprEngine.cpp
  lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
  lib/StaticAnalyzer/Core/RegionStore.cpp
  lib/StaticAnalyzer/Core/SymbolManager.cpp
  test/Analysis/MisusedMovedObject.cpp
  test/Analysis/keychainAPI.m
  test/Analysis/loop-block-counts.c
  test/Analysis/pr22954.c
  test/Analysis/retain-release-cpp-classes.cpp
  test/Analysis/self-assign.cpp
  test/Analysis/simple-stream-checks.c
  test/Analysis/unions.cpp

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D18860.173487.patch
Type: text/x-patch
Size: 25551 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20181110/e32ed384/attachment-0001.bin>
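The program shape the comment above describes, written out as an added example (this is not the test from the D18860 patch, and the names `Payload`, `consume`, `moveInLoop`, `makeAndMove` and `moveInInlinedCallee` are invented for illustration): a loop-local `e` with no symbolic value is constructed fresh on every iteration, moved from, and never touched again within that iteration. The code is well-formed, so any report of a use-after-move on `e` in the next iteration (or on the callee's `e` in the inlined variant) would be a false positive of the kind caused by a stale "moved" mark on the region of `e` surviving across iterations.

```cpp
#include <string>
#include <utility>
#include <vector>

// Constructed example, not from the patch: models the pattern discussed in
// the review comment. No symbolic values are involved; `e` is a concrete
// loop-local region, which is exactly the case where checkDeadSymbols()
// never fires to clear the checker's "moved" mark.

struct Payload {
    std::string data;
    explicit Payload(const char* s) : data(s) {}
};

// Sink that takes ownership of the payload's contents by moving them out.
static void consume(Payload&& p, std::vector<std::string>& sink) {
    sink.push_back(std::move(p.data));
}

// Non-inlined-function variant: `e` is a loop-local of this frame. Each
// iteration constructs a brand-new `e`, so the move in iteration i does not
// make the `e` of iteration i+1 a moved-from object.
int moveInLoop(int iterations) {
    std::vector<std::string> sink;
    for (int i = 0; i < iterations; ++i) {
        Payload e("item");            // fresh object on every iteration
        consume(std::move(e), sink);  // `e` is moved-from from here on
        // no use of `e` after the move within this iteration
    }
    return static_cast<int>(sink.size());
}

// Inlined-callee variant: `e` lives in the callee's stack frame. The analyzer
// inlines this call once per loop iteration; without a block count in the
// StackFrameContext, the callee's `e` gets the same region each time.
static std::string makeAndMove() {
    Payload e("callee");
    std::string out = std::move(e.data);  // `e` moved-from, then goes out of scope
    return out;
}

int moveInInlinedCallee(int iterations) {
    int nonEmpty = 0;
    for (int i = 0; i < iterations; ++i) {
        if (!makeAndMove().empty()) ++nonEmpty;
    }
    return nonEmpty;
}
```

Both functions are what a test for the fix would exercise: the expected analyzer result is no warning, and the return values confirm that every iteration really did operate on a freshly constructed object.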
