[PATCH] D69726: [analyzer] DynamicSize: Store the dynamic size

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Sun Mar 15 19:20:49 PDT 2020 

NoQ added inline comments.


================
Comment at: clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h:25
 
-/// Get the stored dynamic size for the region \p MR.
+/// \returns The stored dynamic size for the region \p MR.
 DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
----------------
Naming: I believe we should keep using the word "Extent". There's no need to introduce a new term for the existing concept; it makes it harder to explain on the mailing list :) Let's make a follow-up patch to change the naming back (so that not to screw the review).


================
Comment at: clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h:41-44
+/// Set the dynamic size of a CXXNewExpr \p NE by its region \p MR.
+ProgramStateRef setDynamicSize(ProgramStateRef State, const MemRegion *MR,
+                               const CXXNewExpr *NE,
+                               const LocationContext *LCtx, SValBuilder &SVB);
----------------
This function is probably going to be used exactly once in the whole code. There's no need to turn it into a public API.


================
Comment at: clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp:99
+          .Case("clang_analyzer_region", &ExprInspectionChecker::analyzerRegion)
+          .Case("clang_analyzer_size", &ExprInspectionChecker::analyzerDumpSize)
+          .Case("clang_analyzer_elementCount",
----------------
`clang_analyzer_dump_extent()`? Or just `clang_analyzer_dump(clang_analyzer_getExtent())`.


================
Comment at: clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp:100
+          .Case("clang_analyzer_size", &ExprInspectionChecker::analyzerDumpSize)
+          .Case("clang_analyzer_elementCount",
+                &ExprInspectionChecker::analyzerDumpElementCount)
----------------
`clang_analyzer_dumpElementCount()`. We need subjects in our sentences because they tend to vary quite a bit here and therefore cannot be implied (dump, return, express, ...).


================
Comment at: clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp:183-185
+  const Expr *Arg = nullptr;
+  if (!(Arg = getArgExpr(CE, C)))
+    return nullptr;
----------------
```lang=c++
  const Expr *Arg = getArgExpr(CE, C);
  if (!Arg)
    return nullptr;
```

No need for gymnastics >.>


================
Comment at: clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp:283
+  llvm::raw_svector_ostream Out(Msg);
+  Out << MR;
+  reportBug(Out.str(), C);
----------------
So, how is it different from the existing `clang_analyzer_dump()`?


================
Comment at: clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp:289-291
+  const MemRegion *MR = nullptr;
+  if (!(MR = getArgRegion(CE, C)))
+    return;
----------------
```lang=c++
  const MemRegion *MR = getArgRegion(CE, C);
  if (!MR)
    return;
```
... and so on.


================
Comment at: clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp:310-311
+
+  QualType Ty = TVR ? TVR->getDesugaredValueType(C.getASTContext())
+                    : CE->getArg(0)->IgnoreParenImpCasts()->getType();
+
----------------
How is this better than `getValueType()`? Are you sure you're not getting a pointer type instead in the `!TVR` case? I.e., can you test this on a non-heap `SymRegion`?


================
Comment at: clang/lib/StaticAnalyzer/Core/DynamicSize.cpp:85
+    if (CI->getValue().isUnsigned())
+      Size = SVB.makeIntVal(CI->getValue(), /*IsUnsigned=*/false);
+
----------------
Charusso wrote:
> That one is interesting. Some of the checkers / SValBuilder(?) generate unsigned integers which should not happen, I believe. May we need a FIXME and an assertion about signedness. What do you think?
`SymbolExtent` has type `size_t` and both `malloc` and `operator new` accept `size_t` as a parameter. Therefore everything needs to be //unsigned// and we need to assert this.

That said, array indexes are //signed// (as per implementation of `ElementRegion`).


================
Comment at: clang/test/Analysis/misc-ps-region-store.m:1190
+        tmp2[x] = am; // expected-warning \
+        {{Access out-of-bound array element (buffer overflow)}}
       }
----------------
Charusso wrote:
> That is the single regression which I do not get.
Well, please debug. Like, look at the full report, dump egraph, see what changed. Try to `creduce` the example further under the condition "behavior changed with the patch", maybe that'll clear something up (though if it's a true positive after creduce it doesn't guarantee that it's a true positive before creduce).


CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D69726/new/

https://reviews.llvm.org/D69726

More information about the cfe-commits mailing list