From: Artem Dergachev Date: Tue, 25 Jul 2017 09:44:02 +0000 (+0000) Subject: [analyzer] Treat throws as sinks for suppress-on-sink purposes. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7c823a91d83e273cc09979528b2dd0e1233dfbef;p=clang [analyzer] Treat throws as sinks for suppress-on-sink purposes. Because since r308957 the suppress-on-sink feature contains its own mini-analysis, it also needs to become aware that C++ unhandled exceptions cause sinks. Unfortunately, for now we treat all exceptions as unhandled in the analyzer, so suppress-on-sink needs to do the same. rdar://problem/28157554 Differential Revision: https://reviews.llvm.org/D35674 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@308961 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/lib/StaticAnalyzer/Core/BugReporter.cpp b/lib/StaticAnalyzer/Core/BugReporter.cpp index a306462605..9a30bca6f9 100644 --- a/lib/StaticAnalyzer/Core/BugReporter.cpp +++ b/lib/StaticAnalyzer/Core/BugReporter.cpp @@ -3310,13 +3310,34 @@ static const CFGBlock *findBlockForNode(const ExplodedNode *N) { return nullptr; } +static bool isNoReturnBlock(const CFGBlock *Blk) { + if (Blk->hasNoReturnElement()) + return true; + + // FIXME: Throw-expressions are currently generating sinks during analysis: + // they're not supported yet, and also often used for actually terminating + // the program. So we should treat them as sinks in this analysis as well, + // at least for now, but once we have better support for exceptions, + // we'd need to carefully handle the case when the throw is being + // immediately caught. + if (std::any_of(Blk->begin(), Blk->end(), [](const CFGElement &Elm) { + if (Optional StmtElm = Elm.getAs()) + if (isa(StmtElm->getStmt())) + return true; + return false; + })) + return true; + + return false; +} + static bool isDominatedByNoReturnBlocks(const ExplodedNode *N) { const CFG &Cfg = N->getCFG(); const CFGBlock *StartBlk = findBlockForNode(N); if (!StartBlk) return false; - if (StartBlk->hasNoReturnElement()) + if (isNoReturnBlock(StartBlk)) return true; llvm::SmallVector DFSWorkList; @@ -3336,7 +3357,7 @@ static bool isDominatedByNoReturnBlocks(const ExplodedNode *N) { return false; } - if (!SuccBlk->hasNoReturnElement() && !Visited.count(SuccBlk)) { + if (!isNoReturnBlock(SuccBlk) && !Visited.count(SuccBlk)) { // If the block has reachable child blocks that aren't no-return, // add them to the worklist. DFSWorkList.push_back(SuccBlk); diff --git a/test/Analysis/max-nodes-suppress-on-sink.cpp b/test/Analysis/max-nodes-suppress-on-sink.cpp new file mode 100644 index 0000000000..814b302789 --- /dev/null +++ b/test/Analysis/max-nodes-suppress-on-sink.cpp @@ -0,0 +1,34 @@ +// RUN: %clang_analyze_cc1 -x c++ -fcxx-exceptions -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config max-nodes=12 -verify %s + +// Here we test how "suppress on sink" feature of certain bugtypes interacts +// with reaching analysis limits. See comments in max-nodes-suppress-on-sink.c +// for more discussion. + +typedef __typeof(sizeof(int)) size_t; +void *malloc(size_t); + +void clang_analyzer_warnIfReached(void); + +// Because we don't have a better approach, we currently treat throw as +// noreturn. +void test_throw_treated_as_noreturn() { + void *p = malloc(1); // no-warning + + clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} + clang_analyzer_warnIfReached(); // no-warning + + throw 0; +} + +// FIXME: Handled throws shouldn't be suppressing us! +void test_handled_throw_treated_as_noreturn() { + void *p = malloc(1); // no-warning + + clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}} + clang_analyzer_warnIfReached(); // no-warning + + try { + throw 0; + } catch (int i) { + } +}