[clang] b611376 - [clang][dataflow] Singleton pointer values for null pointers.
Dmitri Gribenko via cfe-commits
cfe-commits at lists.llvm.org
Mon Jun 27 05:17:40 PDT 2022
Author: Wei Yi Tee
Date: 2022-06-27T14:17:34+02:00
New Revision: b611376e7eb5ea8bd0b32c2911e039b29828b9a8
URL: https://github.com/llvm/llvm-project/commit/b611376e7eb5ea8bd0b32c2911e039b29828b9a8
DIFF: https://github.com/llvm/llvm-project/commit/b611376e7eb5ea8bd0b32c2911e039b29828b9a8.diff
LOG: [clang][dataflow] Singleton pointer values for null pointers.
When a `nullptr` is assigned to a pointer variable, it is wrapped in a `ImplicitCastExpr` with cast kind `CK_NullTo(Member)Pointer`. This patch assigns singleton pointer values representing null to these expressions.
For each pointee type, a singleton null `PointerValue` is created and stored in the `NullPointerVals` map of the `DataflowAnalysisContext` class. The pointee type is retrieved from the implicit cast expression, and used to initialise the `PointeeLoc` field of the `PointerValue`. The `PointeeLoc` created is not mapped to any `Value`, reflecting the absence of value indicated by null pointers.
Reviewed By: gribozavr2, sgatev, xazax.hun
Differential Revision: https://reviews.llvm.org/D128056
Added:
Modified:
clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
clang/lib/Analysis/FlowSensitive/Transfer.cpp
clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
Removed:
################################################################################
diff --git a/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h b/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
index 2e6b8ea7b0da..c1100d8474aa 100644
--- a/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
+++ b/clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
@@ -17,6 +17,7 @@
#include "clang/AST/Decl.h"
#include "clang/AST/Expr.h"
+#include "clang/AST/TypeOrdering.h"
#include "clang/Analysis/FlowSensitive/Solver.h"
#include "clang/Analysis/FlowSensitive/StorageLocation.h"
#include "clang/Analysis/FlowSensitive/Value.h"
@@ -152,6 +153,10 @@ class DataflowAnalysisContext {
return ThisPointeeLoc;
}
+ /// Returns a pointer value that represents a null pointer. Calls with
+ /// `PointeeType` that are canonically equivalent will return the same result.
+ PointerValue &getOrCreateNullPointerValue(QualType PointeeType);
+
/// Returns a symbolic boolean value that models a boolean literal equal to
/// `Value`.
AtomicBoolValue &getBoolLiteralValue(bool Value) const {
@@ -300,6 +305,14 @@ class DataflowAnalysisContext {
StorageLocation *ThisPointeeLoc = nullptr;
+ // Null pointer values, keyed by the canonical pointee type.
+ //
+ // FIXME: The pointer values are indexed by the pointee types which are
+ // required to initialize the `PointeeLoc` field in `PointerValue`. Consider
+ // creating a type-independent `NullPointerValue` without a `PointeeLoc`
+ // field.
+ llvm::DenseMap<QualType, PointerValue *> NullPointerVals;
+
AtomicBoolValue &TrueVal;
AtomicBoolValue &FalseVal;
diff --git a/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h b/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
index ac49d22995c1..302e35d337e6 100644
--- a/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
+++ b/clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
@@ -203,6 +203,10 @@ class Environment {
/// in the environment.
StorageLocation *getThisPointeeStorageLocation() const;
+ /// Returns a pointer value that represents a null pointer. Calls with
+ /// `PointeeType` that are canonically equivalent will return the same result.
+ PointerValue &getOrCreateNullPointerValue(QualType PointeeType);
+
/// Creates a value appropriate for `Type`, if `Type` is supported, otherwise
/// return null. If `Type` is a pointer or reference type, creates all the
/// necessary storage locations and values for indirections until it finds a
diff --git a/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp b/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
index de48fd71b065..4c7f0d1f94fa 100644
--- a/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
+++ b/clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
@@ -55,6 +55,19 @@ DataflowAnalysisContext::getStableStorageLocation(const Expr &E) {
return Loc;
}
+PointerValue &
+DataflowAnalysisContext::getOrCreateNullPointerValue(QualType PointeeType) {
+ assert(!PointeeType.isNull());
+ auto CanonicalPointeeType = PointeeType.getCanonicalType();
+ auto Res = NullPointerVals.try_emplace(CanonicalPointeeType, nullptr);
+ if (Res.second) {
+ auto &PointeeLoc = getStableStorageLocation(CanonicalPointeeType);
+ Res.first->second =
+ &takeOwnership(std::make_unique<PointerValue>(PointeeLoc));
+ }
+ return *Res.first->second;
+}
+
static std::pair<BoolValue *, BoolValue *>
makeCanonicalBoolValuePair(BoolValue &LHS, BoolValue &RHS) {
auto Res = std::make_pair(&LHS, &RHS);
diff --git a/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp b/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
index 7711302ef7b6..3aea670f20aa 100644
--- a/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
+++ b/clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
@@ -332,6 +332,10 @@ StorageLocation *Environment::getThisPointeeStorageLocation() const {
return DACtx->getThisPointeeStorageLocation();
}
+PointerValue &Environment::getOrCreateNullPointerValue(QualType PointeeType) {
+ return DACtx->getOrCreateNullPointerValue(PointeeType);
+}
+
void Environment::setValue(const StorageLocation &Loc, Value &Val) {
LocToVal[&Loc] = &Val;
diff --git a/clang/lib/Analysis/FlowSensitive/Transfer.cpp b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
index befd3c626311..500e1a7a9390 100644
--- a/clang/lib/Analysis/FlowSensitive/Transfer.cpp
+++ b/clang/lib/Analysis/FlowSensitive/Transfer.cpp
@@ -251,6 +251,16 @@ class TransferVisitor : public ConstStmtVisitor<TransferVisitor> {
Env.setStorageLocation(*S, *SubExprLoc);
break;
}
+ case CK_NullToPointer:
+ case CK_NullToMemberPointer: {
+ auto &Loc = Env.createStorageLocation(S->getType());
+ Env.setStorageLocation(*S, Loc);
+
+ auto &NullPointerVal =
+ Env.getOrCreateNullPointerValue(S->getType()->getPointeeType());
+ Env.setValue(Loc, NullPointerVal);
+ break;
+ }
default:
break;
}
diff --git a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
index 3a8e2ac8588a..a0b753ff9e31 100644
--- a/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
+++ b/clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
@@ -2214,6 +2214,93 @@ TEST_F(TransferTest, IntegralToBooleanCastFromBool) {
});
}
+TEST_F(TransferTest, NullToPointerCast) {
+ std::string Code = R"(
+ struct Baz {};
+ void target() {
+ int *FooX = nullptr;
+ int *FooY = nullptr;
+ bool **Bar = nullptr;
+ Baz *Baz = nullptr;
+ // [[p]]
+ }
+ )";
+ runDataflow(Code,
+ [](llvm::ArrayRef<
+ std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
+ Results,
+ ASTContext &ASTCtx) {
+ ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
+ const Environment &Env = Results[0].second.Env;
+
+ const ValueDecl *FooXDecl = findValueDecl(ASTCtx, "FooX");
+ ASSERT_THAT(FooXDecl, NotNull());
+
+ const ValueDecl *FooYDecl = findValueDecl(ASTCtx, "FooY");
+ ASSERT_THAT(FooYDecl, NotNull());
+
+ const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar");
+ ASSERT_THAT(BarDecl, NotNull());
+
+ const ValueDecl *BazDecl = findValueDecl(ASTCtx, "Baz");
+ ASSERT_THAT(BazDecl, NotNull());
+
+ const auto *FooXVal =
+ cast<PointerValue>(Env.getValue(*FooXDecl, SkipPast::None));
+ const auto *FooYVal =
+ cast<PointerValue>(Env.getValue(*FooYDecl, SkipPast::None));
+ const auto *BarVal =
+ cast<PointerValue>(Env.getValue(*BarDecl, SkipPast::None));
+ const auto *BazVal =
+ cast<PointerValue>(Env.getValue(*BazDecl, SkipPast::None));
+
+ EXPECT_EQ(FooXVal, FooYVal);
+ EXPECT_NE(FooXVal, BarVal);
+ EXPECT_NE(FooXVal, BazVal);
+ EXPECT_NE(BarVal, BazVal);
+
+ const StorageLocation &FooPointeeLoc = FooXVal->getPointeeLoc();
+ EXPECT_TRUE(isa<ScalarStorageLocation>(FooPointeeLoc));
+ EXPECT_THAT(Env.getValue(FooPointeeLoc), IsNull());
+
+ const StorageLocation &BarPointeeLoc = BarVal->getPointeeLoc();
+ EXPECT_TRUE(isa<ScalarStorageLocation>(BarPointeeLoc));
+ EXPECT_THAT(Env.getValue(BarPointeeLoc), IsNull());
+
+ const StorageLocation &BazPointeeLoc = BazVal->getPointeeLoc();
+ EXPECT_TRUE(isa<AggregateStorageLocation>(BazPointeeLoc));
+ EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull());
+ });
+}
+
+TEST_F(TransferTest, NullToMemberPointerCast) {
+ std::string Code = R"(
+ struct Foo {};
+ void target(Foo *Foo) {
+ int Foo::*MemberPointer = nullptr;
+ // [[p]]
+ }
+ )";
+ runDataflow(
+ Code, [](llvm::ArrayRef<
+ std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
+ Results,
+ ASTContext &ASTCtx) {
+ ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
+ const Environment &Env = Results[0].second.Env;
+
+ const ValueDecl *MemberPointerDecl =
+ findValueDecl(ASTCtx, "MemberPointer");
+ ASSERT_THAT(MemberPointerDecl, NotNull());
+
+ const auto *MemberPointerVal = cast<PointerValue>(
+ Env.getValue(*MemberPointerDecl, SkipPast::None));
+
+ const StorageLocation &MemberLoc = MemberPointerVal->getPointeeLoc();
+ EXPECT_THAT(Env.getValue(MemberLoc), IsNull());
+ });
+}
+
TEST_F(TransferTest, AddrOfValue) {
std::string Code = R"(
void target() {
More information about the cfe-commits
mailing list