[PATCH] D104550: [analyzer] Implement getType for SVal

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Jun 22 05:01:27 PDT 2021 

NoQ added inline comments.


================
Comment at: clang/lib/StaticAnalyzer/Core/SVals.cpp:151
+  Optional<QualType> VisitNonLocLazyCompoundVal(nonloc::LazyCompoundVal LCV) {
+    return Visit(LCV.getRegion());
+  }
----------------
vsavchenko wrote:
> NoQ wrote:
> > vsavchenko wrote:
> > > NoQ wrote:
> > > > This is correct except you need to get the value type, not the pointer type.
> > > > 
> > > > `LazyCompoundVal` is a `prvalue` and its parent region is the location in which this `prvalue` resided some time in the past. So the parent region is of the right type and it's always typed but you need the pointee type.
> > > OK then, can you maybe hint how can I write a test where this is going to be a pointer type (or maybe then `getType` for regions works incorrectly).
> > Regions have `getLocationType()` (the pointer type) and `getValueType()` (the pointee type). I think you need to call the latter directly in this case, bypassing recursion.
> > 
> > In order to obtain a live `LazyCompoundVal` specimen for testing purposes, you need to load an entire compound object (not necessarily represented by a `CompoundVal`) from Region Store.
> > 
> > Eg.,
> > ```lang=c
> >   struct MyStruct a;
> >   // ...
> >   struct MyStruct b = a; // Avoid C++ though, constructors are a different beast.
> > ```
> > 
> > Or you could construct one directly. But that, of course, wouldn't give you any hints about the appropriate type.
> > 
> > > maybe then `getType` for regions works incorrectly
> > 
> > Hmm that's actually a good separate question. How do you know if a region represents a prvalue of pointer type or a glvalue of pointee type (including, but not limited to, references)? This can't be figured out without more context just by looking at the `SVal`.
> > In order to obtain a live LazyCompoundVal specimen for testing purposes.
> That's not a problem:
> ```
> TestUnion d = {.c=b};
> ```
> does produce LazyCompundVal and we don't get a pointer, but the value type.  That's why I was asking how I can construct an example when this current implementation fails.
> 
> > Hmm that's actually a good separate question. How do you know if a region represents a prvalue of pointer type or a glvalue of pointee type (including, but not limited to, references)? This can't be figured out without more context just by looking at the SVal.
> Value categories are orthogonal to types, so I don't see why we should care for those in `getType`.  How do you think it should affect this particular functionality?
> `TestUnion d = {.c=b};`

```
(lldb) p D.dump()
compoundVal{ lazyCompoundVal{0x1110b3950,temp_object{struct TestStruct, S1276}}}
```

It's an eager compound value that contains a lazy compound value as the initializer for field `.c`.

You're still testing an eager compound value. You never visit the lazy compound value recursively.

`MemRegion::getLocationType()` is always a pointer type.

> Value categories are orthogonal to types, so I don't see why we should care for those in `getType`. How do you think it should affect this particular functionality?

The static analyzer basically models operators `*` and `&` as no-op but from the perspective of the standard's formalism they jump across objects.

For example, a load from parameter `int *p` would produce a value `&SymRegion{reg_$0<p>}` that represents both the rvalue of `p` (which has the type `int *`) and the lvalue of `*p` (which is an entirely different object of type `int`).


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D104550/new/

https://reviews.llvm.org/D104550

More information about the cfe-commits mailing list