[clang] [analyzer] Limit Store by region-store-binding-limit (PR #127602)

Balázs Benics via cfe-commits cfe-commits at lists.llvm.org
Tue Feb 18 01:53:53 PST 2025


https://github.com/balazs-benics-sonarsource created https://github.com/llvm/llvm-project/pull/127602

In our test pool, the max entry point RT was improved by this change: 1'181 seconds (~19.7 minutes) -> 94 seconds (1.6 minutes)

BTW, the 1.6 minutes is still really bad. But a few orders of magnitude better than it was before.

This was the most severe RT edge-case as you can see from the numbers. There are more known RT bottlenecks, such as:

 - Large environment sizes, and `removeDead`. See more about the failed attempt on improving it at: https://discourse.llvm.org/t/unsuccessful-attempts-to-fix-a-slow-analysis-case-related-to-removedead-and-environment-size/84650

 - A large chunk of time could be spent inside `assume`, to reach a fixed point. This is something we want to look into a bit later if we have time.

We have 3'075'607 entry points in our test set.
About 393'352 entry points ran longer than 1 second when measured.

To give a sense of the distribution, if we ignore the slowest 500 entry points, then the maximum entry point runs for about 14 seconds. These 500 slow entry points are in 332 translation units.

By this patch, out of the slowest 500 entry points, 72 entry points were improved by at least 10x after this change.

We measured no RT regression on the "usual" entry points.

![slow-entrypoints-before-and-after-bind-limit](https://github.com/user-attachments/assets/44425a76-f1cb-449c-bc3e-f44beb8c5dc7)
(The dashed lines represent the maximum of their RT)

CPP-6092

From f5cd6b22fb83c0bfb584717cde6899cd65fc1274 Mon Sep 17 00:00:00 2001
From: Balazs Benics <balazs.benics at sonarsource.com>
Date: Wed, 5 Feb 2025 17:13:34 +0100
Subject: [PATCH] [analyzer] Limit Store by region-store-binding-limit

In our test pool, the max entry point RT was improved by this change:
1'181 seconds (~19.7 minutes) -> 94 seconds (1.6 minutes)

BTW, the 1.6 minutes is still really bad. But a few orders of magnitude
better than it was before.

This was the most severe RT edge-case as you can see from the numbers.
There are more known RT bottlenecks, such as:

 - Large environment sizes, and `removeDead`. See more about the failed
   attempt on improving it at:
   https://discourse.llvm.org/t/unsuccessful-attempts-to-fix-a-slow-analysis-case-related-to-removedead-and-environment-size/84650

 - A large chunk of time could be spent inside `assume`, to reach a fixed
   point. This is something we want to look into a bit later if we have
   time.

We have 3'075'607 entry points in our test set.
About 393'352 entry points ran longer than 1 second when measured.

To give a sense of the distribution, if we ignore the slowest 500
entry points, then the maximum entry point runs for about 14 seconds.
These 500 slow entry points are in 332 translation units.

By this patch, out of the slowest 500 entry points, 72 entry points
were improved by at least 10x after this change.

We measured no RT regression on the "usual" entry points.

CPP-6092
---
 .../StaticAnalyzer/Core/AnalyzerOptions.def   |   8 +
 .../Core/PathSensitive/ExprEngine.h           |   2 +-
 .../StaticAnalyzer/Core/PathSensitive/Store.h |  10 +-
 .../lib/StaticAnalyzer/Core/ProgramState.cpp  |  18 +-
 clang/lib/StaticAnalyzer/Core/RegionStore.cpp | 210 +++++++----
 clang/lib/StaticAnalyzer/Core/Store.cpp       |   7 +-
 clang/test/Analysis/analyzer-config.c         |   1 +
 clang/test/Analysis/region-store.cpp          | 336 +++++++++++++++++-
 clang/unittests/StaticAnalyzer/StoreTest.cpp  |   7 +-
 9 files changed, 525 insertions(+), 74 deletions(-)

diff --git a/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def b/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
index a9b8d0753673b..f05c8724d583d 100644
--- a/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
+++ b/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
@@ -483,6 +483,14 @@ ANALYZER_OPTION(
     "behavior, set the option to 0.",
     5)
 
+ANALYZER_OPTION(
+    unsigned, RegionStoreMaxBindingFanOut, "region-store-max-binding-fanout",
+    "This option limits how many sub-bindings a single binding operation can "
+    "scatter into. For example, binding an array would scatter into binding "
+    "each individual element. Setting this to zero means unlimited, but then "
+    "modelling large array initializers may take proportional time to their "
+    "size.", 100)
+
 //===----------------------------------------------------------------------===//
 // String analyzer options.
 //===----------------------------------------------------------------------===//
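Review bot: the option introduced here is named `region-store-max-binding-fanout`, but the PR title and the commit subject call it `region-store-binding-limit`; settle on one name and use it in the title, the commit message and the `analyzer-config.c` expectation so the option can be found from the log. The help text could also say what is counted: the budget is consumed by every binding added during one top-level `Bind` call (the decrement lives in `RegionBindingsRef::add`), not only by leaf elements.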
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
index 20c446e33ef9a..9fd07ce47175c 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
@@ -659,13 +659,13 @@ class ExprEngine {
                               SVal Loc, SVal Val,
                               const LocationContext *LCtx);
 
+public:
   /// A simple wrapper when you only need to notify checkers of pointer-escape
   /// of some values.
   ProgramStateRef escapeValues(ProgramStateRef State, ArrayRef<SVal> Vs,
                                PointerEscapeKind K,
                                const CallEvent *Call = nullptr) const;
 
-public:
   // FIXME: 'tag' should be removed, and a LocationContext should be used
   // instead.
   // FIXME: Comment on the meaning of the arguments, when 'St' may not
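Review bot: moving `escapeValues` into the public section widens the `ExprEngine` API for a single new caller, `ProgramState::bindLoc`; if that is the intent, the doc comment should say so (for example "also used by ProgramState::bindLoc to escape values that could not be bound within the binding budget") so the method is not adopted for unrelated purposes.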
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
index 332855a3c9c45..ebf00d49b6cc8 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h
@@ -50,6 +50,14 @@ class SymbolReaper;
 
 using InvalidatedSymbols = llvm::DenseSet<SymbolRef>;
 
+struct BindResult {
+  StoreRef ResultingStore;
+
+  // If during the bind operation we exhaust the allowed binding budget, we set
+  // this to the beginning of the escaped part of the region.
+  llvm::SmallVector<SVal, 0> FailedToBindValues;
+};
+
 class StoreManager {
 protected:
   SValBuilder &svalBuilder;
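Review bot: the comment on `FailedToBindValues` says it is set to "the beginning of the escaped part of the region", but the member is a vector of `SVal`s that collects every value the bind could not store; reword it to describe the actual contents, e.g. "the values that were not bound because the binding budget was exhausted; the caller is responsible for escaping them". Stating that expectation here is what future `StoreManager` implementers and callers of `Bind` will read, since the handling itself lives in `ProgramState::bindLoc`.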
@@ -105,7 +113,7 @@ class StoreManager {
   /// \return A StoreRef object that contains the same
   ///   bindings as \c store with the addition of having the value specified
   ///   by \c val bound to the location given for \c loc.
-  virtual StoreRef Bind(Store store, Loc loc, SVal val) = 0;
+  virtual BindResult Bind(Store store, Loc loc, SVal val) = 0;
 
   /// Return a store with the specified value bound to all sub-regions of the
   /// region. The region must not have previous bindings. If you need to
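Review bot: the `\return` documentation above `Bind` still describes "A StoreRef object" while the signature now returns `BindResult`; update it to mention `ResultingStore` and the `FailedToBindValues` list and when the latter is non-empty.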
diff --git a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
index 34ab2388cbd2f..325b44c9cb05c 100644
--- a/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ProgramState.cpp
@@ -116,13 +116,23 @@ ProgramStateRef ProgramState::bindLoc(Loc LV,
                                       const LocationContext *LCtx,
                                       bool notifyChanges) const {
   ProgramStateManager &Mgr = getStateManager();
-  ProgramStateRef newState = makeWithStore(Mgr.StoreMgr->Bind(getStore(),
-                                                             LV, V));
+  ExprEngine &Eng = Mgr.getOwningEngine();
+  BindResult BindRes = Mgr.StoreMgr->Bind(getStore(), LV, V);
+  ProgramStateRef State = makeWithStore(BindRes.ResultingStore);
   const MemRegion *MR = LV.getAsRegion();
+
+  // We must always notify the checkers for failing binds because otherwise they
+  // may keep stale traits for these symbols.
+  // Eg., Malloc checker may report leaks if we failed to bind that symbol.
+  if (!BindRes.FailedToBindValues.empty()) {
+    State =
+        Eng.escapeValues(State, BindRes.FailedToBindValues, PSK_EscapeOnBind);
+  }
+
   if (MR && notifyChanges)
-    return Mgr.getOwningEngine().processRegionChange(newState, MR, LCtx);
+    return Eng.processRegionChange(State, MR, LCtx);
 
-  return newState;
+  return State;
 }
 
 ProgramStateRef
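Review bot: the `escapeValues` call runs unconditionally, before the `notifyChanges` check, so checkers are notified of escaped values even when the caller asked for no change notification. That appears intentional (stale checker traits are the stated reason), but the comment should say so explicitly, because `notifyChanges == false` otherwise reads as "do not call into checkers".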
diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
index d01b6ae55f611..ee821f9b19e73 100644
--- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -164,6 +164,7 @@ namespace {
 class RegionBindingsRef : public llvm::ImmutableMapRef<const MemRegion *,
                                  ClusterBindings> {
   ClusterBindings::Factory *CBFactory;
+  SmallVectorImpl<SVal> *EscapedValuesDuringBind;
 
   // This flag indicates whether the current bindings are within the analysis
   // that has started from main(). It affects how we perform loads from
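Review bot: `EscapedValuesDuringBind` is a raw pointer to a vector that lives on the stack of `RegionStoreManager::Bind`; add a comment stating that a `RegionBindingsRef` carrying a non-null pointer must not outlive that call, and that references created with a null pointer (the "unbounded limit" ones) must never reach `escapeValue`.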
@@ -176,31 +177,59 @@ class RegionBindingsRef : public llvm::ImmutableMapRef<const MemRegion *,
   // however that would have made the manager needlessly stateful.
   bool IsMainAnalysis;
 
+  unsigned BindingsLeft;
+
 public:
+  unsigned bindingsLeft() const { return BindingsLeft; }
+
+  bool hasExhaustedBindingLimit() const { return BindingsLeft == 0; }
+
+  RegionBindingsRef escapeValue(SVal V) const {
+    assert(EscapedValuesDuringBind);
+    EscapedValuesDuringBind->push_back(V);
+    return *this;
+  }
+  RegionBindingsRef escapeValues(nonloc::CompoundVal::iterator Begin,
+                                 nonloc::CompoundVal::iterator End) const {
+    for (SVal V : llvm::make_range(Begin, End))
+      escapeValue(V);
+    return *this;
+  }
+
   typedef llvm::ImmutableMapRef<const MemRegion *, ClusterBindings>
           ParentTy;
 
   RegionBindingsRef(ClusterBindings::Factory &CBFactory,
+                    SmallVectorImpl<SVal> *EscapedValuesDuringBind,
                     const RegionBindings::TreeTy *T,
-                    RegionBindings::TreeTy::Factory *F,
-                    bool IsMainAnalysis)
-      : llvm::ImmutableMapRef<const MemRegion *, ClusterBindings>(T, F),
-        CBFactory(&CBFactory), IsMainAnalysis(IsMainAnalysis) {}
-
-  RegionBindingsRef(const ParentTy &P,
-                    ClusterBindings::Factory &CBFactory,
-                    bool IsMainAnalysis)
-      : llvm::ImmutableMapRef<const MemRegion *, ClusterBindings>(P),
-        CBFactory(&CBFactory), IsMainAnalysis(IsMainAnalysis) {}
+                    RegionBindings::TreeTy::Factory *F, bool IsMainAnalysis,
+                    unsigned BindingsLeft)
+      : RegionBindingsRef(ParentTy(T, F), CBFactory, EscapedValuesDuringBind,
+                          IsMainAnalysis, BindingsLeft) {}
+
+  RegionBindingsRef(const ParentTy &P, ClusterBindings::Factory &CBFactory,
+                    SmallVectorImpl<SVal> *EscapedValuesDuringBind,
+                    bool IsMainAnalysis, unsigned BindingsLeft)
+      : ParentTy(P), CBFactory(&CBFactory),
+        EscapedValuesDuringBind(EscapedValuesDuringBind),
+        IsMainAnalysis(IsMainAnalysis), BindingsLeft(BindingsLeft) {}
+
+  RegionBindingsRef add(key_type_ref K, data_type_ref D,
+                        unsigned NewBindingsLeft) const {
+    return RegionBindingsRef(static_cast<const ParentTy *>(this)->add(K, D),
+                             *CBFactory, EscapedValuesDuringBind,
+                             IsMainAnalysis, NewBindingsLeft);
+  }
 
   RegionBindingsRef add(key_type_ref K, data_type_ref D) const {
-    return RegionBindingsRef(static_cast<const ParentTy *>(this)->add(K, D),
-                             *CBFactory, IsMainAnalysis);
+    unsigned NewBindingsLeft = BindingsLeft ? BindingsLeft - 1 : BindingsLeft;
+    return add(K, D, NewBindingsLeft);
   }
 
   RegionBindingsRef remove(key_type_ref K) const {
     return RegionBindingsRef(static_cast<const ParentTy *>(this)->remove(K),
-                             *CBFactory, IsMainAnalysis);
+                             *CBFactory, EscapedValuesDuringBind,
+                             IsMainAnalysis, BindingsLeft);
   }
 
   RegionBindingsRef addBinding(BindingKey K, SVal V) const;
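Review bot: `escapeValue` and `escapeValues` are `const` but write through `EscapedValuesDuringBind`, and they only `assert` on a null pointer; since the unbounded references are constructed with nullptr, an accidental escape on one of them is caught only in asserting builds, so consider making the const-ness and the null contract explicit in a comment. Separately, `add` only stops decrementing at 0, so the `-1U` sentinel used for "unlimited" is still counted down on every `add`; that is harmless in practice, but a one-line comment or an `isUnbounded()` helper would keep the two special meanings of `BindingsLeft` (0 = exhausted, `-1U` = unlimited) from being confused.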
@@ -345,14 +374,21 @@ RegionBindingsRef::getDefaultBinding(const MemRegion *R) const {
 }
 
 RegionBindingsRef RegionBindingsRef::addBinding(BindingKey K, SVal V) const {
+  // If we are about to exhaust the binding limit, highjack this bind call for
+  // the default binding.
+  if (BindingsLeft == 1) {
+    escapeValue(V);
+    K = BindingKey::Make(K.getRegion(), BindingKey::Default);
+    V = UnknownVal();
+  }
+
   const MemRegion *Base = K.getBaseRegion();
 
   const ClusterBindings *ExistingCluster = lookup(Base);
   ClusterBindings Cluster =
       (ExistingCluster ? *ExistingCluster : CBFactory->getEmptyMap());
 
-  ClusterBindings NewCluster = CBFactory->add(Cluster, K, V);
-  return add(Base, NewCluster);
+  return add(Base, CBFactory->add(Cluster, K, V));
 }
 
 
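Review bot: "highjack" in the new comment should be "hijack". More importantly, the comment should explain what the hijacked binding achieves: the function uses both `K.getRegion()` (for the replacement `Default` key) and `K.getBaseRegion()` (for the cluster lookup), so state which region the `UnknownVal` default lands on and why that makes every element left unbound read back as `Unknown`; the `limit10` expectations in `region-store.cpp` and the extra budget unit reserved in the `RegionStoreManager` constructor both depend on that behaviour.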
@@ -417,7 +453,7 @@ class RegionStoreManager : public StoreManager {
   ///
   /// This is controlled by 'region-store-small-struct-limit' option.
   /// To disable all small-struct-dependent behavior, set the option to "0".
-  unsigned SmallStructLimit;
+  const unsigned SmallStructLimit;
 
   /// The largest number of element an array can have and still be
   /// considered "small".
@@ -427,7 +463,13 @@ class RegionStoreManager : public StoreManager {
   ///
   /// This is controlled by 'region-store-small-struct-limit' option.
   /// To disable all small-struct-dependent behavior, set the option to "0".
-  unsigned SmallArrayLimit;
+  const unsigned SmallArrayLimit;
+
+  /// The number of bindings a single bind operation can scatter into.
+  /// For example, binding the initializer-list of an array would recurse and
+  /// bind all the individual array elements, potentially causing scalability
+  /// issues.
+  const unsigned RegionStoreMaxBindingFanOut;
 
   /// A helper used to populate the work list with the given set of
   /// regions.
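Review bot: the context comment above `SmallArrayLimit` says it is controlled by the `region-store-small-struct-limit` option, but the member is populated from `RegionStoreSmallArrayLimit` in the constructor below; since the line is touched anyway, fix the name to `region-store-small-array-limit`.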
@@ -435,15 +477,21 @@ class RegionStoreManager : public StoreManager {
                         ArrayRef<SVal> Values,
                         InvalidatedRegions *TopLevelRegions);
 
+  const AnalyzerOptions &getOptions() {
+    return StateMgr.getOwningEngine().getAnalysisManager().options;
+  }
+
 public:
   RegionStoreManager(ProgramStateManager &mgr)
       : StoreManager(mgr), RBFactory(mgr.getAllocator()),
-        CBFactory(mgr.getAllocator()), SmallStructLimit(0), SmallArrayLimit(0) {
-    ExprEngine &Eng = StateMgr.getOwningEngine();
-    AnalyzerOptions &Options = Eng.getAnalysisManager().options;
-    SmallStructLimit = Options.RegionStoreSmallStructLimit;
-    SmallArrayLimit = Options.RegionStoreSmallArrayLimit;
-  }
+        CBFactory(mgr.getAllocator()),
+        SmallStructLimit(getOptions().RegionStoreSmallStructLimit),
+        SmallArrayLimit(getOptions().RegionStoreSmallArrayLimit),
+        RegionStoreMaxBindingFanOut(
+            getOptions().RegionStoreMaxBindingFanOut == 0
+                ? -1U
+                : getOptions().RegionStoreMaxBindingFanOut +
+                      /*for the default binding*/ 1) {}
 
   /// setImplicitDefaultValue - Set the default binding for the provided
   ///  MemRegion to the value implicitly defined for compound literals when
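Review bot: `getOptions().RegionStoreMaxBindingFanOut + 1` wraps to 0 when the option is set to `UINT_MAX`, and 0 is the "exhausted" value of `BindingsLeft`, so that configuration would make every bind escape immediately; clamp the value (treat anything that would overflow as unlimited) or saturate the addition. Also, `getOptions()` is evaluated three times in the initializer list; reading it once into a local in a delegating constructor or helper would be tidier.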
@@ -465,9 +513,13 @@ class RegionStoreManager : public StoreManager {
     bool IsMainAnalysis = false;
     if (const auto *FD = dyn_cast<FunctionDecl>(InitLoc->getDecl()))
       IsMainAnalysis = FD->isMain() && !Ctx.getLangOpts().CPlusPlus;
-    return StoreRef(RegionBindingsRef(
-        RegionBindingsRef::ParentTy(RBFactory.getEmptyMap(), RBFactory),
-        CBFactory, IsMainAnalysis).asStore(), *this);
+    return StoreRef(
+        RegionBindingsRef(
+            RegionBindingsRef::ParentTy(RBFactory.getEmptyMap(), RBFactory),
+            CBFactory, /*EscapedValuesDuringBind=*/nullptr, IsMainAnalysis,
+            RegionStoreMaxBindingFanOut)
+            .asStore(),
+        *this);
   }
 
   //===-------------------------------------------------------------------===//
@@ -502,9 +554,13 @@ class RegionStoreManager : public StoreManager {
                                 QualType ElemT);
 
 public: // Part of public interface to class.
-
-  StoreRef Bind(Store store, Loc LV, SVal V) override {
-    return StoreRef(bind(getRegionBindings(store), LV, V).asStore(), *this);
+  BindResult Bind(Store store, Loc LV, SVal V) override {
+    llvm::SmallVector<SVal, 0> EscapedValuesDuringBind;
+    return BindResult{
+        StoreRef(bind(getRegionBindings(store, &EscapedValuesDuringBind), LV, V)
+                     .asStore(),
+                 *this),
+        EscapedValuesDuringBind};
   }
 
   RegionBindingsRef bind(RegionBindingsConstRef B, Loc LV, SVal V);
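Review bot: `BindResult{..., EscapedValuesDuringBind}` copies the local vector into the result; use `std::move(EscapedValuesDuringBind)` since the local is dead after the return. It is also worth a comment that the `RegionBindingsRef` holding a pointer to this local is converted to a `Store` before the function returns, which is what keeps the pointer from dangling.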
@@ -513,7 +569,7 @@ class RegionStoreManager : public StoreManager {
   // a default value.
   StoreRef BindDefaultInitial(Store store, const MemRegion *R,
                               SVal V) override {
-    RegionBindingsRef B = getRegionBindings(store);
+    RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(store);
     // Use other APIs when you have to wipe the region that was initialized
     // earlier.
     assert(!(B.getDefaultBinding(R) || B.getDirectBinding(R)) &&
@@ -538,7 +594,7 @@ class RegionStoreManager : public StoreManager {
       if (BR->getDecl()->isEmpty())
         return StoreRef(store, *this);
 
-    RegionBindingsRef B = getRegionBindings(store);
+    RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(store);
     SVal V = svalBuilder.makeZeroVal(Ctx.CharTy);
     B = removeSubRegionBindings(B, cast<SubRegion>(R));
     B = B.addBinding(BindingKey::Make(R, BindingKey::Default), V);
@@ -587,14 +643,14 @@ class RegionStoreManager : public StoreManager {
   StoreRef killBinding(Store ST, Loc L) override;
 
   void incrementReferenceCount(Store store) override {
-    getRegionBindings(store).manualRetain();
+    getRegionBindingsWithUnboundedLimit(store).manualRetain();
   }
 
   /// If the StoreManager supports it, decrement the reference count of
   /// the specified Store object.  If the reference count hits 0, the memory
   /// associated with the object is recycled.
   void decrementReferenceCount(Store store) override {
-    getRegionBindings(store).manualRelease();
+    getRegionBindingsWithUnboundedLimit(store).manualRelease();
   }
 
   bool includedInBindings(Store store, const MemRegion *region) const override;
@@ -613,7 +669,7 @@ class RegionStoreManager : public StoreManager {
   ///     else
   ///       return symbolic
   SVal getBinding(Store S, Loc L, QualType T) override {
-    return getBinding(getRegionBindings(S), L, T);
+    return getBinding(getRegionBindingsWithUnboundedLimit(S), L, T);
   }
 
   std::optional<SVal> getUniqueDefaultBinding(RegionBindingsConstRef B,
@@ -622,7 +678,7 @@ class RegionStoreManager : public StoreManager {
   getUniqueDefaultBinding(nonloc::LazyCompoundVal LCV) const;
 
   std::optional<SVal> getDefaultBinding(Store S, const MemRegion *R) override {
-    RegionBindingsRef B = getRegionBindings(S);
+    RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(S);
     // Default bindings are always applied over a base region so look up the
     // base region's default binding, otherwise the lookup will fail when R
     // is at an offset from R->getBaseRegion().
@@ -700,21 +756,23 @@ class RegionStoreManager : public StoreManager {
   // Utility methods.
   //===------------------------------------------------------------------===//
 
-  RegionBindingsRef getRegionBindings(Store store) const {
-    llvm::PointerIntPair<Store, 1, bool> Ptr;
-    Ptr.setFromOpaqueValue(const_cast<void *>(store));
-    return RegionBindingsRef(
-        CBFactory,
-        static_cast<const RegionBindings::TreeTy *>(Ptr.getPointer()),
-        RBFactory.getTreeFactory(),
-        Ptr.getInt());
+  RegionBindingsRef
+  getRegionBindings(Store store,
+                    SmallVectorImpl<SVal> *EscapedValuesDuringBind) const {
+    return getRegionBindingsImpl(store, EscapedValuesDuringBind,
+                                 /*BindingsLeft=*/RegionStoreMaxBindingFanOut);
+  }
+
+  RegionBindingsRef getRegionBindingsWithUnboundedLimit(Store store) const {
+    return getRegionBindingsImpl(store, /*EscapedValuesDuringBind=*/nullptr,
+                                 /*BindingsLeft=*/-1U);
   }
 
   void printJson(raw_ostream &Out, Store S, const char *NL = "\n",
                  unsigned int Space = 0, bool IsDot = false) const override;
 
   void iterBindings(Store store, BindingsHandler& f) override {
-    RegionBindingsRef B = getRegionBindings(store);
+    RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(store);
     for (const auto &[Region, Cluster] : B) {
       for (const auto &[Key, Value] : Cluster) {
         if (!Key.isDirect())
@@ -727,6 +785,19 @@ class RegionStoreManager : public StoreManager {
       }
     }
   }
+
+private:
+  RegionBindingsRef
+  getRegionBindingsImpl(Store store,
+                        SmallVectorImpl<SVal> *EscapedValuesDuringBind,
+                        unsigned BindingsLeft) const {
+    llvm::PointerIntPair<Store, 1, bool> Ptr;
+    Ptr.setFromOpaqueValue(const_cast<void *>(store));
+    return RegionBindingsRef(
+        CBFactory, EscapedValuesDuringBind,
+        static_cast<const RegionBindings::TreeTy *>(Ptr.getPointer()),
+        RBFactory.getTreeFactory(), Ptr.getInt(), BindingsLeft);
+  }
 };
 
 } // end anonymous namespace
@@ -852,7 +923,7 @@ class ClusterAnalysis  {
 bool RegionStoreManager::scanReachableSymbols(Store S, const MemRegion *R,
                                               ScanReachableSymbols &Callbacks) {
   assert(R == R->getBaseRegion() && "Should only be called for base regions");
-  RegionBindingsRef B = getRegionBindings(S);
+  RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(S);
   const ClusterBindings *Cluster = B.lookup(R);
 
   if (!Cluster)
@@ -1038,7 +1109,9 @@ RegionStoreManager::removeSubRegionBindings(RegionBindingsConstRef B,
 
   if (Result.isEmpty())
     return B.remove(ClusterHead);
-  return B.add(ClusterHead, Result.asImmutableMap());
+  // Make this "add" free by using the old "BindingsLeft".
+  return B.add(ClusterHead, Result.asImmutableMap(),
+               /*BindingsLeft=*/B.bindingsLeft());
 }
 
 namespace {
@@ -1375,7 +1448,7 @@ StoreRef RegionStoreManager::invalidateRegions(
     GlobalsFilter = GFK_None;
   }
 
-  RegionBindingsRef B = getRegionBindings(store);
+  RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(store);
   InvalidateRegionsWorker W(*this, StateMgr, B, S, Count, LCtx, IS, ITraits,
                             Invalidated, GlobalsFilter);
 
@@ -2136,8 +2209,9 @@ RegionStoreManager::getBindingForFieldOrElementCommon(RegionBindingsConstRef B,
   const SubRegion *lazyBindingRegion = nullptr;
   std::tie(lazyBindingStore, lazyBindingRegion) = findLazyBinding(B, R, R);
   if (lazyBindingRegion)
-    return getLazyBinding(lazyBindingRegion,
-                          getRegionBindings(lazyBindingStore));
+    return getLazyBinding(
+        lazyBindingRegion,
+        getRegionBindingsWithUnboundedLimit(lazyBindingStore));
 
   // Record whether or not we see a symbolic index.  That can completely
   // be out of scope of our lookup.
@@ -2314,7 +2388,7 @@ RegionStoreManager::getInterestingValues(nonloc::LazyCompoundVal LCV) {
   SValListTy List;
 
   const SubRegion *LazyR = LCV.getRegion();
-  RegionBindingsRef B = getRegionBindings(LCV.getStore());
+  RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(LCV.getStore());
 
   // If this region had /no/ bindings at the time, there are no interesting
   // values to return.
@@ -2377,7 +2451,7 @@ SVal RegionStoreManager::getBindingForArray(RegionBindingsConstRef B,
 
 bool RegionStoreManager::includedInBindings(Store store,
                                             const MemRegion *region) const {
-  RegionBindingsRef B = getRegionBindings(store);
+  RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(store);
   region = region->getBaseRegion();
 
   // Quick path: if the base is the head of a cluster, the region is live.
@@ -2406,18 +2480,23 @@ bool RegionStoreManager::includedInBindings(Store store,
 StoreRef RegionStoreManager::killBinding(Store ST, Loc L) {
   if (std::optional<loc::MemRegionVal> LV = L.getAs<loc::MemRegionVal>())
     if (const MemRegion* R = LV->getRegion())
-      return StoreRef(getRegionBindings(ST).removeBinding(R)
-                                           .asImmutableMap()
-                                           .getRootWithoutRetain(),
+      return StoreRef(getRegionBindingsWithUnboundedLimit(ST)
+                          .removeBinding(R)
+                          .asImmutableMap()
+                          .getRootWithoutRetain(),
                       *this);
 
   return StoreRef(ST, *this);
 }
 
-RegionBindingsRef
-RegionStoreManager::bind(RegionBindingsConstRef B, Loc L, SVal V) {
+RegionBindingsRef RegionStoreManager::bind(RegionBindingsConstRef B, Loc L,
+                                           SVal V) {
   llvm::TimeTraceScope TimeScope("RegionStoreManager::bind",
                                  [&L]() { return locDescr(L); });
+
+  if (B.hasExhaustedBindingLimit())
+    return B.escapeValue(V);
+
   // We only care about region locations.
   auto MemRegVal = L.getAs<loc::MemRegionVal>();
   if (!MemRegVal)
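Review bot: the early `return B.escapeValue(V)` is placed before the `MemRegVal` check, so a non-region `Loc` on an exhausted budget is now escaped rather than handled as before; swapping the two checks keeps the old behaviour for non-region locations. Because of the `+1` in the constructor a fresh `RegionBindingsRef` from `getRegionBindings` always starts with a non-zero budget, so this path can only trigger mid-recursion and a top-level scalar bind is never dropped; that invariant deserves an assert here.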
@@ -2511,7 +2590,8 @@ std::optional<RegionBindingsRef> RegionStoreManager::tryBindSmallArray(
     auto Idx = svalBuilder.makeArrayIndex(i);
     const ElementRegion *SrcER =
         MRMgr.getElementRegion(Ty, Idx, LCV.getRegion(), Ctx);
-    SVal V = getBindingForElement(getRegionBindings(LCV.getStore()), SrcER);
+    SVal V = getBindingForElement(
+        getRegionBindingsWithUnboundedLimit(LCV.getStore()), SrcER);
 
     const ElementRegion *DstER = MRMgr.getElementRegion(Ty, Idx, R, Ctx);
     NewB = bind(NewB, loc::MemRegionVal(DstER), V);
@@ -2566,6 +2646,8 @@ RegionStoreManager::bindArray(RegionBindingsConstRef B,
     // The init list might be shorter than the array length.
     if (VI == VE)
       break;
+    if (NewB.hasExhaustedBindingLimit())
+      return NewB.escapeValues(VI, VE);
 
     NonLoc Idx = svalBuilder.makeArrayIndex(i);
     const ElementRegion *ER = MRMgr.getElementRegion(ElementTy, Idx, R, Ctx);
@@ -2645,7 +2727,7 @@ RegionStoreManager::getUniqueDefaultBinding(RegionBindingsConstRef B,
 
 std::optional<SVal>
 RegionStoreManager::getUniqueDefaultBinding(nonloc::LazyCompoundVal LCV) const {
-  RegionBindingsConstRef B = getRegionBindings(LCV.getStore());
+  auto B = getRegionBindingsWithUnboundedLimit(LCV.getStore());
   return getUniqueDefaultBinding(B, LCV.getRegion());
 }
 
@@ -2702,7 +2784,8 @@ std::optional<RegionBindingsRef> RegionStoreManager::tryBindSmallStruct(
 
   for (const FieldDecl *Field : Fields) {
     const FieldRegion *SourceFR = MRMgr.getFieldRegion(Field, LCV.getRegion());
-    SVal V = getBindingForField(getRegionBindings(LCV.getStore()), SourceFR);
+    SVal V = getBindingForField(
+        getRegionBindingsWithUnboundedLimit(LCV.getStore()), SourceFR);
 
     const FieldRegion *DestFR = MRMgr.getFieldRegion(Field, R);
     NewB = bind(NewB, loc::MemRegionVal(DestFR), V);
@@ -2782,6 +2865,8 @@ RegionBindingsRef RegionStoreManager::bindStruct(RegionBindingsConstRef B,
 
       if (VI == VE)
         break;
+      if (NewB.hasExhaustedBindingLimit())
+        return NewB.escapeValues(VI, VE);
 
       QualType BTy = B.getType();
       assert(BTy->isStructureOrClassType() && "Base classes must be classes!");
@@ -2805,6 +2890,9 @@ RegionBindingsRef RegionStoreManager::bindStruct(RegionBindingsConstRef B,
     if (VI == VE)
       break;
 
+    if (NewB.hasExhaustedBindingLimit())
+      return NewB.escapeValues(VI, VE);
+
     // Skip any unnamed bitfields to stay in sync with the initializers.
     if (FI->isUnnamedBitField())
       continue;
@@ -2984,7 +3072,7 @@ bool RemoveDeadBindingsWorker::UpdatePostponed() {
 StoreRef RegionStoreManager::removeDeadBindings(Store store,
                                                 const StackFrameContext *LCtx,
                                                 SymbolReaper& SymReaper) {
-  RegionBindingsRef B = getRegionBindings(store);
+  RegionBindingsRef B = getRegionBindingsWithUnboundedLimit(store);
   RemoveDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx);
   W.GenerateClusters();
 
@@ -3014,7 +3102,7 @@ StoreRef RegionStoreManager::removeDeadBindings(Store store,
 
 void RegionStoreManager::printJson(raw_ostream &Out, Store S, const char *NL,
                                    unsigned int Space, bool IsDot) const {
-  RegionBindingsRef Bindings = getRegionBindings(S);
+  RegionBindingsRef Bindings = getRegionBindingsWithUnboundedLimit(S);
 
   Indent(Out, Space, IsDot) << "\"store\": ";
 
diff --git a/clang/lib/StaticAnalyzer/Core/Store.cpp b/clang/lib/StaticAnalyzer/Core/Store.cpp
index b436dd746d21f..bb1d7cb243474 100644
--- a/clang/lib/StaticAnalyzer/Core/Store.cpp
+++ b/clang/lib/StaticAnalyzer/Core/Store.cpp
@@ -51,8 +51,11 @@ StoreRef StoreManager::enterStackFrame(Store OldStore,
   SmallVector<CallEvent::FrameBindingTy, 16> InitialBindings;
   Call.getInitialStackFrameContents(LCtx, InitialBindings);
 
-  for (const auto &I : InitialBindings)
-    Store = Bind(Store.getStore(), I.first.castAs<Loc>(), I.second);
+  for (const auto &[Location, Val] : InitialBindings) {
+    BindResult Res = Bind(Store.getStore(), Location.castAs<Loc>(), Val);
+    assert(Res.FailedToBindValues.empty());
+    Store = Res.ResultingStore;
+  }
 
   return Store;
 }
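Review bot: `assert(Res.FailedToBindValues.empty())` is compiled out in release builds, so if a frame-initial bind ever exceeded the budget the unbound values would be silently lost without being escaped; either handle a non-empty list the way `ProgramState::bindLoc` does, or document next to the assert why the limit cannot be reached for parameter bindings so the assert is clearly an invariant rather than a fallback.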
diff --git a/clang/test/Analysis/analyzer-config.c b/clang/test/Analysis/analyzer-config.c
index f6a49680917ac..e3f276da57703 100644
--- a/clang/test/Analysis/analyzer-config.c
+++ b/clang/test/Analysis/analyzer-config.c
@@ -116,6 +116,7 @@
 // CHECK-NEXT: osx.NumberObjectConversion:Pedantic = false
 // CHECK-NEXT: osx.cocoa.RetainCount:TrackNSCFStartParam = false
 // CHECK-NEXT: prune-paths = true
+// CHECK-NEXT: region-store-max-binding-fanout = 100
 // CHECK-NEXT: region-store-small-array-limit = 5
 // CHECK-NEXT: region-store-small-struct-limit = 2
 // CHECK-NEXT: report-in-main-source-file = false
diff --git a/clang/test/Analysis/region-store.cpp b/clang/test/Analysis/region-store.cpp
index ab179ceb1acc8..cab0bd75edf9b 100644
--- a/clang/test/Analysis/region-store.cpp
+++ b/clang/test/Analysis/region-store.cpp
@@ -1,5 +1,15 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s
-// expected-no-diagnostics
+// DEFINE: %{analyzer} = %clang_analyze_cc1 -Wno-array-bounds %s \
+// DEFINE:   -analyzer-checker=core,cplusplus,unix,debug.ExprInspection
+
+// RUN: %{analyzer} -verify=default
+// RUN: %{analyzer} -analyzer-config region-store-max-binding-fanout=10 -verify=limit10
+// RUN: %{analyzer} -analyzer-config region-store-max-binding-fanout=0  -verify=unlimited
+
+template <class T> void clang_analyzer_dump(T);
+void clang_analyzer_eval(bool);
+
+template <class... Ts> void escape(Ts...);
+bool coin();
 
 class Loc {
   int x;
@@ -26,3 +36,325 @@ int radar13445834(Derived *Builder, Loc l) {
   return Builder->accessBase();
   
 }
+
+void boundedNumberOfBindings() {
+  int array[] {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22};
+  clang_analyzer_dump(array[0]);  // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{0 S32b}}
+  clang_analyzer_dump(array[1]);  // default-warning  {{1 S32b}}  unlimited-warning  {{1 S32b}}  limit10-warning  {{1 S32b}}
+  clang_analyzer_dump(array[2]);  // default-warning  {{2 S32b}}  unlimited-warning  {{2 S32b}}  limit10-warning  {{2 S32b}}
+  clang_analyzer_dump(array[3]);  // default-warning  {{3 S32b}}  unlimited-warning  {{3 S32b}}  limit10-warning  {{3 S32b}}
+  clang_analyzer_dump(array[4]);  // default-warning  {{4 S32b}}  unlimited-warning  {{4 S32b}}  limit10-warning  {{4 S32b}}
+  clang_analyzer_dump(array[5]);  // default-warning  {{5 S32b}}  unlimited-warning  {{5 S32b}}  limit10-warning  {{5 S32b}}
+  clang_analyzer_dump(array[6]);  // default-warning  {{6 S32b}}  unlimited-warning  {{6 S32b}}  limit10-warning  {{6 S32b}}
+  clang_analyzer_dump(array[7]);  // default-warning  {{7 S32b}}  unlimited-warning  {{7 S32b}}  limit10-warning  {{7 S32b}}
+  clang_analyzer_dump(array[8]);  // default-warning  {{8 S32b}}  unlimited-warning  {{8 S32b}}  limit10-warning  {{8 S32b}}
+  clang_analyzer_dump(array[9]);  // default-warning  {{9 S32b}}  unlimited-warning  {{9 S32b}}  limit10-warning  {{9 S32b}}
+  clang_analyzer_dump(array[10]); // default-warning {{10 S32b}}  unlimited-warning {{10 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[11]); // default-warning {{11 S32b}}  unlimited-warning {{11 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[12]); // default-warning {{12 S32b}}  unlimited-warning {{12 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[13]); // default-warning {{13 S32b}}  unlimited-warning {{13 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[14]); // default-warning {{14 S32b}}  unlimited-warning {{14 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[15]); // default-warning {{15 S32b}}  unlimited-warning {{15 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[16]); // default-warning {{16 S32b}}  unlimited-warning {{16 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[17]); // default-warning {{17 S32b}}  unlimited-warning {{17 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[18]); // default-warning {{18 S32b}}  unlimited-warning {{18 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[19]); // default-warning {{19 S32b}}  unlimited-warning {{19 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[20]); // default-warning {{20 S32b}}  unlimited-warning {{20 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[21]); // default-warning {{21 S32b}}  unlimited-warning {{21 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[22]); // default-warning {{22 S32b}}  unlimited-warning {{22 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(array[23]); //          see below                     see below            limit10-warning {{Unknown}}
+  // default-warning at -1   {{1st function call argument is an uninitialized value}}
+  // unlimited-warning at -2 {{1st function call argument is an uninitialized value}}
+  // FIXME: The last dump at index 23 should be Undefined due to out of bounds access.
+}
+
+void incompleteInitList() {
+  int array[23] {0,1,2,3,4,5,6,7,8,9,10,11 /*rest are zeroes*/ };
+  clang_analyzer_dump(array[0]);  // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{0 S32b}}
+  clang_analyzer_dump(array[1]);  // default-warning  {{1 S32b}}  unlimited-warning  {{1 S32b}}  limit10-warning  {{1 S32b}}
+  clang_analyzer_dump(array[2]);  // default-warning  {{2 S32b}}  unlimited-warning  {{2 S32b}}  limit10-warning  {{2 S32b}}
+  clang_analyzer_dump(array[3]);  // default-warning  {{3 S32b}}  unlimited-warning  {{3 S32b}}  limit10-warning  {{3 S32b}}
+  clang_analyzer_dump(array[4]);  // default-warning  {{4 S32b}}  unlimited-warning  {{4 S32b}}  limit10-warning  {{4 S32b}}
+  clang_analyzer_dump(array[5]);  // default-warning  {{5 S32b}}  unlimited-warning  {{5 S32b}}  limit10-warning  {{5 S32b}}
+  clang_analyzer_dump(array[6]);  // default-warning  {{6 S32b}}  unlimited-warning  {{6 S32b}}  limit10-warning  {{6 S32b}}
+  clang_analyzer_dump(array[7]);  // default-warning  {{7 S32b}}  unlimited-warning  {{7 S32b}}  limit10-warning  {{7 S32b}}
+  clang_analyzer_dump(array[8]);  // default-warning  {{8 S32b}}  unlimited-warning  {{8 S32b}}  limit10-warning  {{8 S32b}}
+  clang_analyzer_dump(array[9]);  // default-warning  {{9 S32b}}  unlimited-warning  {{9 S32b}}  limit10-warning  {{9 S32b}}
+  clang_analyzer_dump(array[10]); // default-warning {{10 S32b}}  unlimited-warning {{10 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[11]); // default-warning {{11 S32b}}  unlimited-warning {{11 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[12]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[13]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[14]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[15]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[16]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[17]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[18]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[19]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[20]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[21]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[22]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  clang_analyzer_dump(array[23]); // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{Unknown}}
+  // FIXME: The last dump at index 23 should be Undefined due to out of bounds access.
+}
+
+struct Inner {
+  int first;
+  int second;
+};
+struct Outer {
+  Inner upper;
+  Inner lower;
+};
+
+void nestedStructInitLists() {
+  Outer array[]{ // 7*4: 28 values
+    {{00, 01}, {02, 03}},
+    {{10, 11}, {12, 13}},
+    {{20, 21}, {22, 23}},
+    {{30, 31}, {32, 33}},
+    {{40, 41}, {42, 43}},
+    {{50, 51}, {52, 53}},
+    {{60, 61}, {62, 63}},
+  };
+
+  int *p = (int*)array;
+  clang_analyzer_dump(p[0]);  // default-warning  {{0 S32b}}  unlimited-warning  {{0 S32b}}  limit10-warning  {{0 S32b}}
+  clang_analyzer_dump(p[1]);  // default-warning  {{1 S32b}}  unlimited-warning  {{1 S32b}}  limit10-warning  {{1 S32b}}
+  clang_analyzer_dump(p[2]);  // default-warning  {{2 S32b}}  unlimited-warning  {{2 S32b}}  limit10-warning  {{2 S32b}}
+  clang_analyzer_dump(p[3]);  // default-warning  {{3 S32b}}  unlimited-warning  {{3 S32b}}  limit10-warning  {{3 S32b}}
+  clang_analyzer_dump(p[4]);  // default-warning {{10 S32b}}  unlimited-warning {{10 S32b}}  limit10-warning {{10 S32b}}
+  clang_analyzer_dump(p[5]);  // default-warning {{11 S32b}}  unlimited-warning {{11 S32b}}  limit10-warning {{11 S32b}}
+  clang_analyzer_dump(p[6]);  // default-warning {{12 S32b}}  unlimited-warning {{12 S32b}}  limit10-warning {{12 S32b}}
+  clang_analyzer_dump(p[7]);  // default-warning {{13 S32b}}  unlimited-warning {{13 S32b}}  limit10-warning {{13 S32b}}
+  clang_analyzer_dump(p[8]);  // default-warning {{20 S32b}}  unlimited-warning {{20 S32b}}  limit10-warning {{20 S32b}}
+  clang_analyzer_dump(p[9]);  // default-warning {{21 S32b}}  unlimited-warning {{21 S32b}}  limit10-warning {{21 S32b}}
+  clang_analyzer_dump(p[10]); // default-warning {{22 S32b}}  unlimited-warning {{22 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[11]); // default-warning {{23 S32b}}  unlimited-warning {{23 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[12]); // default-warning {{30 S32b}}  unlimited-warning {{30 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[13]); // default-warning {{31 S32b}}  unlimited-warning {{31 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[14]); // default-warning {{32 S32b}}  unlimited-warning {{32 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[15]); // default-warning {{33 S32b}}  unlimited-warning {{33 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[16]); // default-warning {{40 S32b}}  unlimited-warning {{40 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[17]); // default-warning {{41 S32b}}  unlimited-warning {{41 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[18]); // default-warning {{42 S32b}}  unlimited-warning {{42 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[19]); // default-warning {{43 S32b}}  unlimited-warning {{43 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[20]); // default-warning {{50 S32b}}  unlimited-warning {{50 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[21]); // default-warning {{51 S32b}}  unlimited-warning {{51 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[22]); // default-warning {{52 S32b}}  unlimited-warning {{52 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[23]); // default-warning {{53 S32b}}  unlimited-warning {{53 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[24]); // default-warning {{60 S32b}}  unlimited-warning {{60 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[25]); // default-warning {{61 S32b}}  unlimited-warning {{61 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[26]); // default-warning {{62 S32b}}  unlimited-warning {{62 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[27]); // default-warning {{63 S32b}}  unlimited-warning {{63 S32b}}  limit10-warning {{Unknown}}
+  clang_analyzer_dump(p[28]); //          see below                     see below            limit10-warning {{Unknown}}
+  // default-warning at -1   {{1st function call argument is an uninitialized value}}
+  // unlimited-warning at -2 {{1st function call argument is an uninitialized value}}
+  // FIXME: The last dump at index 28 should be Undefined due to out of bounds access.
+}
+
+void expectNoLeaksInWidenedInitLists() {
+  int *p[] {
+    new int(0),
+    new int(1),
+    new int(2),
+    new int(3),
+    new int(4),
+    new int(5),
+    new int(6),
+    new int(7),
+    new int(8),
+    new int(9),
+    new int(10),
+    new int(11),
+    new int(12),
+    new int(13),
+    new int(14),
+    new int(15),
+    new int(16),
+    new int(17),
+    new int(18),
+    new int(19),
+    new int(20),
+    new int(21),
+    new int(22),
+    new int(23),
+    new int(24),
+  };
+  clang_analyzer_dump(*p[0]);  // default-warning  {{0 S32b}} unlimited-warning  {{0 S32b}} limit10-warning {{0 S32b}}
+  clang_analyzer_dump(*p[12]); // default-warning {{12 S32b}} unlimited-warning {{12 S32b}} limit10-warning {{Unknown}}
+  escape(p); // no-leaks
+}
+
+void rawArrayWithSelfReference() {
+  // If a pointer to some object escapes, that pointed object should escape too.
+  // Consequently, if the 22th initializer would escape, then the p[6] should also escape - clobbering any loads from that location later.
+  int *p[25] = {
+    new int(0),
+    new int(1),
+    new int(2),
+    new int(3),
+    new int(4),
+    new int(5),
+    new int(6),
+    new int(7),
+    p[5], // Should be a pointer to the 6th array element, but we get Undefined as the analyzer thinks that "p" is not yet initialized, thus loading from index 5 is UB. This is wrong.
+    new int(9),
+    new int(10),
+    new int(11),
+    new int(12),
+    new int(13),
+    new int(14),
+    new int(15),
+    new int(16),
+    new int(17),
+    new int(18),
+    new int(19),
+    new int(20),
+    new int(21),
+    p[6], // Should be a pointer to the 6th array element, but we get Undefined as the analyzer thinks that "p" is not yet initialized, thus loading from index 5 is UB. This is wrong.
+    new int(23),
+    new int(24),
+  };
+  clang_analyzer_dump(*p[5]);  // default-warning {{5 S32b}} unlimited-warning {{5 S32b}} limit10-warning {{5 S32b}}
+  clang_analyzer_dump(*p[6]);  // default-warning {{6 S32b}} unlimited-warning {{6 S32b}} limit10-warning {{6 S32b}}
+
+  if (coin()) {
+    clang_analyzer_dump(*p[8]);
+    // default-warning at -1   {{Dereference of undefined pointer value}}
+    // unlimited-warning at -2 {{Dereference of undefined pointer value}}
+    // limit10-warning at -3   {{Dereference of undefined pointer value}}
+  }
+
+  clang_analyzer_dump(*p[12]); // default-warning {{12 S32b}} unlimited-warning {{12 S32b}} limit10-warning {{Unknown}}
+
+  if (coin()) {
+    clang_analyzer_dump(*p[22]);
+    // default-warning at -1   {{Dereference of undefined pointer value}}
+    // unlimited-warning at -2 {{Dereference of undefined pointer value}}
+    // limit10-warning at -3   {{Unknown}}
+  }
+
+  clang_analyzer_dump(*p[23]); // default-warning {{23 S32b}} unlimited-warning {{23 S32b}} limit10-warning {{Unknown}}
+
+  escape(p); // no-leaks
+}
+
+template <class T, unsigned Size> struct BigArray {
+  T array[Size];
+};
+
+void fieldArrayWithSelfReference() {
+  // Similar to "rawArrayWithSelfReference", but using an aggregate object and assignment operator to achieve the element-wise binds.
+  BigArray<int *, 25> p;
+  p = {
+    new int(0),
+    new int(1),
+    new int(2),
+    new int(3),
+    new int(4),
+    new int(5),
+    new int(6),
+    new int(7),
+    p.array[5], // Pointer to the 6th array element.
+    new int(9),
+    new int(10),
+    new int(11),
+    new int(12),
+    new int(13),
+    new int(14),
+    new int(15),
+    new int(16),
+    new int(17),
+    new int(18),
+    new int(19),
+    new int(20),
+    new int(21),
+    p.array[6], // Pointer to the 7th array element.
+    new int(23),
+    new int(24),
+  };
+  clang_analyzer_dump(*p.array[5]);  // default-warning {{5 S32b}} unlimited-warning {{5 S32b}} limit10-warning {{5 S32b}}
+  clang_analyzer_dump(*p.array[6]);  // default-warning {{6 S32b}} unlimited-warning {{6 S32b}} limit10-warning {{6 S32b}}
+
+  if (coin()) {
+    clang_analyzer_dump(*p.array[8]);
+    // default-warning at -1   {{Unknown}}
+    // unlimited-warning at -2 {{Unknown}}
+    // limit10-warning at -3   {{Unknown}}
+  }
+
+  clang_analyzer_dump(*p.array[12]); // default-warning {{12 S32b}} unlimited-warning {{12 S32b}} limit10-warning {{Unknown}}
+
+  if (coin()) {
+    clang_analyzer_dump(*p.array[22]);
+    // default-warning at -1   {{Unknown}}
+    // unlimited-warning at -2 {{Unknown}}
+    // limit10-warning at -3   {{Unknown}}
+  }
+
+  clang_analyzer_dump(*p.array[23]); // default-warning {{23 S32b}} unlimited-warning {{23 S32b}} limit10-warning {{Unknown}}
+
+  escape(p); // no-leaks
+}
+
+struct PtrHolderBase {
+  int *ptr;
+};
+struct BigStruct : BigArray<int, 1000>, PtrHolderBase {};
+void largeBaseClasses() {
+  BigStruct D{{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24}, {new int(25)}};
+  (void)D; // no-leak here, the PtrHolderBase subobject is properly escaped.
+
+  clang_analyzer_dump(*D.ptr);  // default-warning {{25 S32b}} unlimited-warning {{25 S32b}} limit10-warning {{Unknown}}
+  escape(D);
+}
+
+struct List {
+  int* ptr;
+  BigArray<int, 30> head;
+  List *tail;
+};
+void tempObjectMayEscapeArgumentsInAssignment() {
+  // This will be leaked after the assignment. However, we should not diagnose
+  // this because in the RHS of the assignment the temporary couldn't be really
+  // materialized due to the number of bindings, thus the address of `l` will
+  // escape there.
+  List l{new int(404)};
+
+  // ExprWithCleanups wraps the assignment operator call, which assigns a MaterializeTemporaryExpr.
+  l = List{new int(42), {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24}, &l};
+  (void)l;
+  // default-warning at -1   {{Potential memory leak}} We detect the leak with the default settings.
+  // unlimited-warning at -2 {{Potential memory leak}} We detect the leak with the default settings.
+  // limit10 is missing! It's because in that case we escape `&l`, thus we assume freed. This is good.
+
+  clang_analyzer_dump(*l.ptr); // default-warning {{42 S32b}} unlimited-warning {{42 S32b}} limit10-warning {{42 S32b}}
+  escape(l);
+}
+
+void tempObjNotMaterializedThusDoesntEscapeAnything() {
+  List l{new int(404)};
+  // We have no ExprWithCleanups or MaterializeTemporaryExpr here, so `&l` is never escaped. This is good.
+  (void)List{new int(42), {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24}, &l};
+  (void)l;
+  // default-warning at -1   {{Potential memory leak}} We detect the leak with the default settings.
+  // limit10-warning at -2   {{Potential memory leak}} We detect the leak with the default settings.
+  // unlimited-warning at -3 {{Potential memory leak}} We detect the leak with the default settings.
+
+  clang_analyzer_dump(*l.ptr); // default-warning {{404 S32b}} unlimited-warning {{404 S32b}} limit10-warning {{404 S32b}}
+  escape(l);
+}
+
+void theValueOfTheEscapedRegionRemainsTheSame() {
+  int *p = new int(404);
+  List l{p};
+  List l2{new int(42), {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24}, &l};
+
+  // The value of l.ptr shouldn't be clobbered after a failing to copy `&l`.
+  clang_analyzer_eval(p == l.ptr); // default-warning {{TRUE}} unlimited-warning {{TRUE}} limit10-warning {{TRUE}}
+
+  // If the bindings fit, we will know that it aliases with `p`. Otherwise, it's unknown. This is good.
+  clang_analyzer_dump(*l2.tail->ptr); // default-warning {{404 S32b}} unlimited-warning {{404 S32b}} limit10-warning {{Unknown}}
+
+  escape(l, l2);
+}
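Review bot: The comment on the second self-referencing initializer in `rawArrayWithSelfReference` (`p[6], // Should be a pointer to the 6th array element, ... loading from index 5 is UB`) is a copy of the `p[5]` comment and is wrong for this line: it should read "7th array element" and "index 6", matching the sibling comment `p.array[6], // Pointer to the 7th array element.` in `fieldArrayWithSelfReference`. Two smaller wording fixes in the same hunk: "if the 22th initializer would escape" should be "22nd", and "shouldn't be clobbered after a failing to copy `&l`" should be "after failing to copy `&l`". Separately, the FIXMEs on the out-of-bounds dumps (`array[23]` of a 23-element array, `p[28]` of 28 ints) document known-wrong results; consider keeping those last dumps in their own small function so that a future fix of the out-of-bounds handling does not require re-baselining every expected value in these large tables.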
diff --git a/clang/unittests/StaticAnalyzer/StoreTest.cpp b/clang/unittests/StaticAnalyzer/StoreTest.cpp
index 17b64ce622f89..a1a37cdcfad32 100644
--- a/clang/unittests/StaticAnalyzer/StoreTest.cpp
+++ b/clang/unittests/StaticAnalyzer/StoreTest.cpp
@@ -69,7 +69,7 @@ class VariableBindConsumer : public StoreTestConsumer {
     SVal NarrowZero = Builder.makeZeroVal(ASTCtxt.CharTy);
 
     // Bind(Zero)
-    Store StX0 = SManager.Bind(StInit, LX0, Zero).getStore();
+    Store StX0 = SManager.Bind(StInit, LX0, Zero).ResultingStore.getStore();
     EXPECT_EQ(Zero, SManager.getBinding(StX0, LX0, ASTCtxt.IntTy));
 
     // BindDefaultInitial(Zero)
@@ -87,7 +87,7 @@ class VariableBindConsumer : public StoreTestConsumer {
     EXPECT_EQ(NarrowZero, *SManager.getDefaultBinding(StZ0, LZ0.getAsRegion()));
 
     // Bind(One)
-    Store StX1 = SManager.Bind(StInit, LX1, One).getStore();
+    Store StX1 = SManager.Bind(StInit, LX1, One).ResultingStore.getStore();
     EXPECT_EQ(One, SManager.getBinding(StX1, LX1, ASTCtxt.IntTy));
 
     // BindDefaultInitial(One)
@@ -134,7 +134,8 @@ class LiteralCompoundConsumer : public StoreTestConsumer {
     Store StInit = SManager.getInitialStore(SFC).getStore();
     // Let's bind constant 1 to 'test[0]'
     SVal One = Builder.makeIntVal(1, Int);
-    Store StX = SManager.Bind(StInit, ZeroElement, One).getStore();
+    Store StX =
+        SManager.Bind(StInit, ZeroElement, One).ResultingStore.getStore();
 
     // And make sure that we can read this binding back as it was
     EXPECT_EQ(One, SManager.getBinding(StX, ZeroElement, Int));
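Review bot: The three updates only thread the new `ResultingStore` member through existing assertions, so the unit tests never exercise the behaviour this patch introduces: what `SManager.Bind` returns when the binding fan-out limit is hit. Since `StoreTest.cpp` is the natural place to pin that contract, consider adding a `LiteralCompoundConsumer`-style case that binds more elements than `region-store-max-binding-fanout` allows and checks both the resulting store (the later elements should read back as unknown, as the lit test expects) and whatever the other member(s) of the new return type report about the truncation.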


