[PATCH] D86029: [analyzer] Add modeling for unque_ptr::get()

Nithin VR via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed Aug 19 15:36:12 PDT 2020 

vrnithinkumar marked 2 inline comments as done.
vrnithinkumar added inline comments.


================
Comment at: clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp:362-363
+  const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion);
+  if (!InnerPointVal)
+    return;
+
----------------
xazax.hun wrote:
> NoQ wrote:
> > You'll have to actively handle this case, sooner or later. Consider the following test cases that won't work until you do:
> > ```lang=c++
> > void foo(std::unique_ptr<A> p) {
> >   A *x = p.get();
> >   A *y = p.get();
> >   clang_analyzer_eval(x == y); // expected-warning{{TRUE}}
> >   if (!x) {
> >     y->foo(); // expected-warning{{Called C++ object pointer is null}}
> >   }
> > }
> > 
> > ```
> You mean the case where we do not have an inner pointer registered in the state yet, right?
> 
> I believe we might also have to handle similar cases for `operator bool()` as well. 
Added the above test case. 
Using conjureSymbolVal in case of missing inner pointer value


================
Comment at: clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp:362-363
+  const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion);
+  if (!InnerPointVal)
+    return;
+
----------------
vrnithinkumar wrote:
> xazax.hun wrote:
> > NoQ wrote:
> > > You'll have to actively handle this case, sooner or later. Consider the following test cases that won't work until you do:
> > > ```lang=c++
> > > void foo(std::unique_ptr<A> p) {
> > >   A *x = p.get();
> > >   A *y = p.get();
> > >   clang_analyzer_eval(x == y); // expected-warning{{TRUE}}
> > >   if (!x) {
> > >     y->foo(); // expected-warning{{Called C++ object pointer is null}}
> > >   }
> > > }
> > > 
> > > ```
> > You mean the case where we do not have an inner pointer registered in the state yet, right?
> > 
> > I believe we might also have to handle similar cases for `operator bool()` as well. 
> Added the above test case. 
> Using conjureSymbolVal in case of missing inner pointer value
```
void foo(std::unique_ptr<A> P) {
  A *X = P.get();
  if (!X) {
    P->foo(); // expected-warning {{Dereference of null smart pointer 'Pl' [alpha.cplusplus.SmartPtr]}}
  }
}
```
I was trying to add the above use case. Since we are using conjureSymbolVal in case of missing inner pointer value.

But still the inner pointer value is constrained to [0, 0] in false branch, `InnerPointVal->isZeroConstant()` returning false. 
Also I tried `State->isNull(*InnerPointVal).isConstrainedTrue();` This is also not working.
How should we check whether the conjureSymbolVal for inner pointer value is constrained to [0, 0]?


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D86029/new/

https://reviews.llvm.org/D86029

More information about the cfe-commits mailing list