From 65d0c48d81b73c359f40f6c068bd89a8b91229ac Mon Sep 17 00:00:00 2001 From: Artem Dergachev Date: Fri, 23 Aug 2019 03:24:01 +0000 Subject: [PATCH] [analyzer] CastValueChecker: Provide DynamicTypeMap with pointer types only. The idea to drop this requirement is good, but for now every other user of DynamicTypeInfo expects pointer types. Fixes a crash. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@369728 91177308-0d34-0410-b5e6-96231b3b80d8 --- .../Core/PathSensitive/DynamicType.h | 2 +- .../Checkers/CastValueChecker.cpp | 45 +++++++++---------- lib/StaticAnalyzer/Core/DynamicType.cpp | 9 ++-- test/Analysis/cast-value-logic.cpp | 8 ++++ test/Analysis/cast-value-state-dump.cpp | 4 +- 5 files changed, 37 insertions(+), 31 deletions(-) diff --git a/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h b/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h index f300af2c0b..356401d775 100644 --- a/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h +++ b/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h @@ -54,7 +54,7 @@ ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State, const MemRegion *MR, QualType CastFromTy, - QualType CastToTy, QualType ResultTy, + QualType CastToTy, bool IsCastSucceeds); /// Removes the dead type informations from \p State. diff --git a/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp b/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp index cd3b70db9a..a0cebd6ab8 100644 --- a/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp +++ b/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp @@ -92,18 +92,6 @@ private: }; } // namespace -static QualType getRecordType(QualType Ty) { - Ty = Ty.getCanonicalType(); - - if (Ty->isPointerType()) - Ty = Ty->getPointeeType(); - - if (Ty->isReferenceType()) - Ty = Ty.getNonReferenceType(); - - return Ty.getUnqualifiedType(); -} - static bool isInfeasibleCast(const DynamicCastInfo *CastInfo, bool CastSucceeds) { if (!CastInfo) @@ -117,8 +105,8 @@ static const NoteTag *getNoteTag(CheckerContext &C, QualType CastToTy, const Expr *Object, bool CastSucceeds, bool IsKnownCast) { std::string CastToName = - CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString() - : CastToTy->getAsCXXRecordDecl()->getNameAsString(); + CastInfo ? CastInfo->to()->getPointeeCXXRecordDecl()->getNameAsString() + : CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); Object = Object->IgnoreParenImpCasts(); return C.getNoteTag( @@ -160,14 +148,14 @@ static void addCastTransition(const CallEvent &Call, DefinedOrUnknownSVal DV, const Expr *Object; QualType CastFromTy; - QualType CastToTy = getRecordType(Call.getResultType()); + QualType CastToTy = Call.getResultType(); if (Call.getNumArgs() > 0) { Object = Call.getArgExpr(0); - CastFromTy = getRecordType(Call.parameters()[0]->getType()); + CastFromTy = Call.parameters()[0]->getType(); } else { Object = cast(&Call)->getCXXThisExpr(); - CastFromTy = getRecordType(Object->getType()); + CastFromTy = Object->getType(); } const MemRegion *MR = DV.getAsRegion(); @@ -193,7 +181,7 @@ static void addCastTransition(const CallEvent &Call, DefinedOrUnknownSVal DV, bool IsKnownCast = CastInfo || IsCheckedCast || CastFromTy == CastToTy; if (!IsKnownCast || IsCheckedCast) State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy, - Call.getResultType(), CastSucceeds); + CastSucceeds); SVal V = CastSucceeds ? DV : C.getSValBuilder().makeNull(); C.addTransition( @@ -206,8 +194,20 @@ static void addInstanceOfTransition(const CallEvent &Call, ProgramStateRef State, CheckerContext &C, bool IsInstanceOf) { const FunctionDecl *FD = Call.getDecl()->getAsFunction(); + QualType CastFromTy = Call.parameters()[0]->getType(); QualType CastToTy = FD->getTemplateSpecializationArgs()->get(0).getAsType(); - QualType CastFromTy = getRecordType(Call.parameters()[0]->getType()); + if (CastFromTy->isPointerType()) + CastToTy = C.getASTContext().getPointerType(CastToTy); + else if (CastFromTy->isLValueReferenceType() && + CastFromTy.isConstQualified()) { + CastToTy.addConst(); + CastToTy = C.getASTContext().getLValueReferenceType(CastToTy); + } else if (CastFromTy->isLValueReferenceType()) + CastToTy = C.getASTContext().getLValueReferenceType(CastToTy); + else if (CastFromTy->isRValueReferenceType()) + CastToTy = C.getASTContext().getRValueReferenceType(CastToTy); + else + return; const MemRegion *MR = DV.getAsRegion(); const DynamicCastInfo *CastInfo = @@ -228,7 +228,7 @@ static void addInstanceOfTransition(const CallEvent &Call, bool IsKnownCast = CastInfo || CastFromTy == CastToTy; if (!IsKnownCast) State = setDynamicTypeAndCastInfo(State, MR, CastFromTy, CastToTy, - Call.getResultType(), IsInstanceOf); + IsInstanceOf); C.addTransition( State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), @@ -373,11 +373,6 @@ bool CastValueChecker::evalCall(const CallEvent &Call, const CastCheck &Check = Lookup->first; CallKind Kind = Lookup->second; - // We need to obtain the record type of the call's result to model it. - if (Kind != CallKind::InstanceOf && - !getRecordType(Call.getResultType())->isRecordType()) - return false; - Optional DV; switch (Kind) { diff --git a/lib/StaticAnalyzer/Core/DynamicType.cpp b/lib/StaticAnalyzer/Core/DynamicType.cpp index e4ff132c6e..a78e0e05e9 100644 --- a/lib/StaticAnalyzer/Core/DynamicType.cpp +++ b/lib/StaticAnalyzer/Core/DynamicType.cpp @@ -91,13 +91,16 @@ ProgramStateRef setDynamicTypeInfo(ProgramStateRef State, const MemRegion *MR, ProgramStateRef setDynamicTypeAndCastInfo(ProgramStateRef State, const MemRegion *MR, QualType CastFromTy, - QualType CastToTy, QualType ResultTy, + QualType CastToTy, bool CastSucceeds) { if (!MR) return State; - if (CastSucceeds) - State = State->set(MR, ResultTy); + if (CastSucceeds) { + assert((CastToTy->isAnyPointerType() || CastToTy->isReferenceType()) && + "DynamicTypeInfo should always be a pointer."); + State = State->set(MR, CastToTy); + } DynamicCastInfo::CastResult ResultKind = CastSucceeds ? DynamicCastInfo::CastResult::Success diff --git a/test/Analysis/cast-value-logic.cpp b/test/Analysis/cast-value-logic.cpp index c5083ef57c..531772825f 100644 --- a/test/Analysis/cast-value-logic.cpp +++ b/test/Analysis/cast-value-logic.cpp @@ -15,6 +15,8 @@ struct Shape { template const T *getAs() const; + + virtual double area(); }; class Triangle : public Shape {}; class Circle : public Shape {}; @@ -141,4 +143,10 @@ void test_non_reference_temporary_crash() { auto P = foo(); auto Q = cast(std::move(P)); // no-crash } + +double test_virtual_method_after_call(Shape *S) { + if (isa(S)) + return S->area(); + return S->area() / 2; +} } // namespace crashes diff --git a/test/Analysis/cast-value-state-dump.cpp b/test/Analysis/cast-value-state-dump.cpp index 890fa18933..b8152d46da 100644 --- a/test/Analysis/cast-value-state-dump.cpp +++ b/test/Analysis/cast-value-state-dump.cpp @@ -35,8 +35,8 @@ void evalNonNullParamNonNullReturn(const Shape *S) { // CHECK-NEXT: ], // CHECK-NEXT: "dynamic_casts": [ // CHECK: { "region": "SymRegion{reg_$0}", "casts": [ - // CHECK-NEXT: { "from": "struct clang::Shape", "to": "class clang::Circle", "kind": "success" }, - // CHECK-NEXT: { "from": "struct clang::Shape", "to": "class clang::Square", "kind": "fail" } + // CHECK-NEXT: { "from": "const struct clang::Shape *", "to": "const class clang::Circle *", "kind": "success" }, + // CHECK-NEXT: { "from": "const struct clang::Shape *", "to": "const class clang::Square *", "kind": "fail" } // CHECK-NEXT: ]} (void)(1 / !C); -- 2.50.1