[PATCH] D135763: [analyzer] Workaround crash on encountering Class non-type template parameters

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed Oct 12 04:35:44 PDT 2022 

steakhal created this revision.
steakhal added reviewers: NoQ, martong, Szelethus, xazax.hun.
Herald added subscribers: manas, ASDenysPetrov, dkrupp, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware.
Herald added a project: All.
steakhal requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

The Clang Static Analyzer will crash on this code:

  struct Box {
    int value;
  };
  template <Box V> int get() {
    return V.value;
  }
  template int get<Box{-1}>();

https://godbolt.org/z/5Yb1sMMMb

The problem is that we don't account for encountering `TemplateParamObjectDecl`s
within the `DeclRefExpr` handler in the `ExprEngine`.

IMO we should create a new memregion for representing such template
param objects, to model their language semantics.
Such as:

- it should have global static storage
- for two identical values, their addresses should be identical as well

http://eel.is/c%2B%2Bdraft/temp.param#8

I was thinking of introducing a `TemplateParamObjectRegion` under `DeclRegion`
for this purpose. It could have `TemplateParamObjectDecl` as a field.

The `TemplateParamObjectDecl::getValue()` returns `APValue`, which might
represent multiple levels of structures, unions and other goodies -
making the transformation from `APValue` to `SVal` a bit complicated.

That being said, for now, I think having `Unknowns` for such cases is
definitely an improvement to crashing, hence I'm proposing this patch.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D135763

Files:
  clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
  clang/test/Analysis/template-param-objects.cpp


Index: clang/test/Analysis/template-param-objects.cpp
===================================================================
--- /dev/null
+++ clang/test/Analysis/template-param-objects.cpp
@@ -0,0 +1,33 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection \
+// RUN:    -analyzer-config eagerly-assume=false -std=c++20 -verify %s
+
+template <class T> void clang_analyzer_dump(T);
+void clang_analyzer_eval(bool);
+
+struct Box {
+  int value;
+};
+bool operator ==(Box lhs, Box rhs) {
+  return lhs.value == rhs.value;
+}
+template <Box V> void dumps() {
+  clang_analyzer_dump(V);        // expected-warning {{lazyCompoundVal}}
+  clang_analyzer_dump(&V);       // expected-warning {{Unknown}}
+  clang_analyzer_dump(V.value);  // expected-warning {{Unknown}} FIXME: It should be '6 S32b'.
+  clang_analyzer_dump(&V.value); // expected-warning {{Unknown}}
+}
+template void dumps<Box{6}>();
+
+// [temp.param].7.3.2:
+// "All such template parameters in the program of the same type with the
+// same value denote the same template parameter object."
+template <Box A1, Box A2, Box B1, Box B2> void stable_addresses() {
+  clang_analyzer_eval(&A1 == &A2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(&B1 == &B2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(&A1 == &B2); // expected-warning {{UNKNOWN}} FIXME: It should be FALSE.
+
+  clang_analyzer_eval(A1 == A2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(B1 == B2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(A1 == B2); // expected-warning {{UNKNOWN}} FIXME: It should be FALSE.
+}
+template void stable_addresses<Box{1}, Box{1}, Box{2}, Box{2}>();
Index: clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
+++ clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -3158,6 +3158,12 @@
     return;
   }
 
+  if (const auto *TPO = dyn_cast<TemplateParamObjectDecl>(D)) {
+    // FIXME: We should meaningfully implement this.
+    (void)TPO;
+    return;
+  }
+
   llvm_unreachable("Support for this Decl not implemented.");
 }
 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D135763.467087.patch
Type: text/x-patch
Size: 2258 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20221012/6ea9df3a/attachment.bin>

More information about the cfe-commits mailing list