Re: r345099 - [analyzer] Trust summaries for OSObject::retain and OSObject::release

Mikael Holmén via cfe-commits Wed, 28 Nov 2018 02:05:37 -0800

Hi,

On 11/27/18 12:23 AM, George Karpenkov wrote:
> The error is indeed strange.
> The body is declared as
> 
>    LazyDeclStmtPtr Body;
> 
> where
> 
> using LazyDeclStmtPtr =
>      LazyOffsetPtr<Stmt, uint64_t, &ExternalASTSource::GetExternalDeclStmt>;
> 
> where
> 
> template<typename T, typename OffsT, T* (ExternalASTSource::*Get)(OffsT 
> Offset)>
> struct LazyOffsetPtr {
>    mutable uint64_t Ptr = 0;
> (…)
>    explicit operator bool() const { return Ptr != 0; }
> (…)
> }
> 
> so it does not seem like it can be uninitialized.
> Sadly on macOS I don’t have either valgrind or msan,
> so I can’t reproduce the failure.
> Do you think you could debug further?
> Is “Body” indeed uninitialized at use time? (e.g. if you print it..)

If I print Body.Ptr when isThisDeclarationADefinition() is called from 
RetainSummaryManager::canEval it's 0.

I don't know this code at all but it seems like the

     const FunctionDecl* FDD = FD->getDefinition();

call in RetainSummaryManager::canEval makes isThisDeclarationADefinition 
be run two times and Body.Ptr is 0 both times. I've no idea if thes 0s 
are by accident or it's indeed by some initialization.

> A stacktrace from a debug build should be helpful.

Stack trace the first time we end up in isThisDeclarationADefinition 
form RetainSummaryManager::canEval:

(gdb) where
#0  clang::FunctionDecl::isThisDeclarationADefinition (this=0x654a480) 
at ../tools/clang/include/clang/AST/Decl.h:1979
#1  0x0000000000c79dcd in clang::FunctionDecl::isDefined 
(this=0x654a480, Definition=@0x7fffffff82c8: 0x47929b <_start>) at 
../tools/clang/lib/AST/Decl.cpp:2720
#2  0x0000000000c90299 in clang::FunctionDecl::getDefinition 
(this=0x654a480) at ../tools/clang/include/clang/AST/Decl.h:1952
#3  0x000000000220ffe5 in clang::FunctionDecl::getDefinition 
(this=0x654a480) at ../tools/clang/include/clang/AST/Decl.h:1957
#4  0x000000000220c8c3 in clang::ento::RetainSummaryManager::canEval 
(this=0x6564e10, CE=0x655a580, FD=0x654a480, 
hasTrustedImplementationAnnotation=@0x7fffffff8857: false) at 
../tools/clang/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp:562
#5  0x0000000001f542d1 in 
clang::ento::retaincountchecker::RetainCountChecker::evalCall 
(this=0x64d29e0, CE=0x655a580, C=...) at 
../tools/clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp:772
#6  0x0000000001f5b240 in 
clang::ento::eval::Call::_evalCall<clang::ento::retaincountchecker::RetainCountChecker>
 
(checker=0x64d29e0, CE=0x655a580, C=...) at 
../tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:478
#7  0x0000000002114022 in clang::ento::CheckerFn<bool (clang::CallExpr 
const*, clang::ento::CheckerContext&)>::operator()(clang::CallExpr 
const*, clang::ento::CheckerContext&) const (this=0x7fffffff8a20, 
ps=..., ps=...) at 
../tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:70
#8  0x0000000002110c98 in 
clang::ento::CheckerManager::runCheckersForEvalCall (this=0x64c57b0, 
Dst=..., Src=..., Call=..., Eng=...) at 
../tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:662
#9  0x0000000002181729 in clang::ento::ExprEngine::evalCall 
(this=0x7fffffffa8d0, Dst=..., Pred=0x656b930, Call=...) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:569
#10 0x00000000021815ec in clang::ento::ExprEngine::VisitCallExpr 
(this=0x7fffffffa8d0, CE=0x655a580, Pred=0x656b930, dst=...) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:496
#11 0x000000000214b749 in clang::ento::ExprEngine::Visit 
(this=0x7fffffffa8d0, S=0x655a580, Pred=0x656b930, DstTop=...) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1540
#12 0x000000000214818a in clang::ento::ExprEngine::ProcessStmt 
(this=0x7fffffffa8d0, currStmt=0x655a580, Pred=0x656b600) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:741
#13 0x0000000002147e49 in clang::ento::ExprEngine::processCFGElement 
(this=0x7fffffffa8d0, E=..., Pred=0x656b600, StmtIdx=10, 
Ctx=0x7fffffffa398) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:579
#14 0x00000000021326a9 in clang::ento::CoreEngine::HandlePostStmt 
(this=0x7fffffffa8f0, B=0x655cc38, StmtIdx=10, Pred=0x656b600) at 
../tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:439
#15 0x0000000002131f69 in clang::ento::CoreEngine::dispatchWorkItem 
(this=0x7fffffffa8f0, Pred=0x656b600, Loc=..., WU=...) at 
../tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:193
#16 0x0000000002131a0e in clang::ento::CoreEngine::ExecuteWorkList 
(this=0x7fffffffa8f0, L=0x6563740, Steps=224988, InitState=...) at 
../tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:149
#17 0x0000000001aeea98 in clang::ento::ExprEngine::ExecuteWorkList 
(this=0x7fffffffa8d0, L=0x6563740, Steps=225000) at 
../tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:165
#18 0x0000000001a87fa9 in (anonymous 
namespace)::AnalysisConsumer::RunPathSensitiveChecks (this=0x64c20f0, 
D=0x655a3a8, IMode=clang::ento::ExprEngine::Inline_Regular, 
VisitedCallees=0x7fffffffaf38) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:741
#19 0x0000000001a87905 in (anonymous 
namespace)::AnalysisConsumer::HandleCode (this=0x64c20f0, D=0x655a3a8, 
Mode=2, IMode=clang::ento::ExprEngine::Inline_Regular, 
VisitedCallees=0x7fffffffaf38) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:716
#20 0x0000000001a87496 in (anonymous 
namespace)::AnalysisConsumer::HandleDeclsCallGraph (this=0x64c20f0, 
LocalTUDeclsSize=53) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:507
#21 0x0000000001a85f2d in (anonymous 
namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit 
(this=0x64c20f0, C=...) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:554
#22 0x0000000001a85916 in (anonymous 
namespace)::AnalysisConsumer::HandleTranslationUnit (this=0x64c20f0, 
C=...) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:585
#23 0x0000000002444251 in 
clang::MultiplexConsumer::HandleTranslationUnit (this=0x64c2850, 
Ctx=...) at ../tools/clang/lib/Frontend/MultiplexConsumer.cpp:287
#24 0x000000000271a44a in clang::ParseAST (S=..., PrintStats=false, 
SkipFunctionBodies=false) at ../tools/clang/lib/Parse/ParseAST.cpp:170
#25 0x00000000023fd05e in clang::ASTFrontendAction::ExecuteAction 
(this=0x64cc010) at ../tools/clang/lib/Frontend/FrontendAction.cpp:1018
#26 0x00000000023fca90 in clang::FrontendAction::Execute 
(this=0x64cc010) at ../tools/clang/lib/Frontend/FrontendAction.cpp:917
#27 0x00000000023759e2 in clang::CompilerInstance::ExecuteAction 
(this=0x7fffffffb6b0, Act=...) at 
../tools/clang/lib/Frontend/CompilerInstance.cpp:968
#28 0x00000000018aa482 in 
clang::tooling::FrontendActionFactory::runInvocation 
(this=0x7fffffffc760, Invocation=std::shared_ptr (empty) 0x0, 
Files=0x64529a0, PCHContainerOps=..., DiagConsumer=0x7fffffffcb00) at 
../tools/clang/lib/Tooling/Tooling.cpp:370
#29 0x000000000116089e in 
clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, 
clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::string>, 
llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, bool, 
llvm::StringRef)::ActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>,
 
clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, 
clang::DiagnosticConsumer*) (this=0x7fffffffc760, Invocation=warning: 
RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::CompilerInvocation*, 
std::default_delete<clang::CompilerInvocation>, std::allocator<void>, 
(__gnu_cxx::_Lock_policy)2>'
warning: RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::CompilerInvocation*, 
std::default_delete<clang::CompilerInvocation>, std::allocator<void>, 
(__gnu_cxx::_Lock_policy)2>'
std::shared_ptr (count 2, weak 0) 0x644f910, Files=0x64529a0, 
PCHContainerOps=warning: RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::PCHContainerOperations*, 
std::__shared_ptr<clang::PCHContainerOperations, 
(__gnu_cxx::_Lock_policy)2>::_Deleter<std::allocator<clang::PCHContainerOperations>
 
 >, std::allocator<clang::PCHContainerOperations>, 
(__gnu_cxx::_Lock_policy)2>'
warning: RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::PCHContainerOperations*, 
std::__shared_ptr<clang::PCHContainerOperations, 
(__gnu_cxx::_Lock_policy)2>::_Deleter<std::allocator<clang::PCHContainerOperations>
 
 >, std::allocator<clang::PCHContainerOperations>, 
(__gnu_cxx::_Lock_policy)2>'
std::shared_ptr (count 3, weak 0) 0x644a270, 
DiagConsumer=0x7fffffffcb00) at 
../tools/clang/tools/extra/clang-tidy/ClangTidy.cpp:572
#30 0x00000000018aa317 in clang::tooling::ToolInvocation::runInvocation 
(this=0x7fffffffc288, BinaryName=0x6440088 "clang-tool", 
Compilation=0x644eb80, Invocation=std::shared_ptr (empty) 0x0, 
PCHContainerOps=std::shared_ptr (empty) 0x0) at 
../tools/clang/lib/Tooling/Tooling.cpp:345
#31 0x00000000018a8a59 in clang::tooling::ToolInvocation::run 
(this=0x7fffffffc288) at ../tools/clang/lib/Tooling/Tooling.cpp:330
#32 0x00000000018ab924 in clang::tooling::ClangTool::run 
(this=0x7fffffffcc10, Action=0x7fffffffc760) at 
../tools/clang/lib/Tooling/Tooling.cpp:519
#33 0x000000000115d517 in clang::tidy::runClangTidy (Context=..., 
Compilations=..., InputFiles=llvm::ArrayRef of length 1 = {...}, 
BaseFS=..., EnableCheckProfile=false, StoreCheckProfile="") at 
../tools/clang/tools/extra/clang-tidy/ClangTidy.cpp:593
#34 0x000000000047a29f in clang::tidy::clangTidyMain (argc=3, 
argv=0x7fffffffda98) at 
../tools/clang/tools/extra/clang-tidy/tool/ClangTidyMain.cpp:428
#35 0x00000000004796c2 in main (argc=5, argv=0x7fffffffda98) at 
../tools/clang/tools/extra/clang-tidy/tool/ClangTidyMain.cpp:581

And the second time:

(gdb) where
#0  clang::FunctionDecl::isThisDeclarationADefinition (this=0x654a2b0) 
at ../tools/clang/include/clang/AST/Decl.h:1979
#1  0x0000000000c79dcd in clang::FunctionDecl::isDefined 
(this=0x654a480, Definition=@0x7fffffff82c8: 0x47929b <_start>) at 
../tools/clang/lib/AST/Decl.cpp:2720
#2  0x0000000000c90299 in clang::FunctionDecl::getDefinition 
(this=0x654a480) at ../tools/clang/include/clang/AST/Decl.h:1952
#3  0x000000000220ffe5 in clang::FunctionDecl::getDefinition 
(this=0x654a480) at ../tools/clang/include/clang/AST/Decl.h:1957
#4  0x000000000220c8c3 in clang::ento::RetainSummaryManager::canEval 
(this=0x6564e10, CE=0x655a580, FD=0x654a480, 
hasTrustedImplementationAnnotation=@0x7fffffff8857: false) at 
../tools/clang/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp:562
#5  0x0000000001f542d1 in 
clang::ento::retaincountchecker::RetainCountChecker::evalCall 
(this=0x64d29e0, CE=0x655a580, C=...) at 
../tools/clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp:772
#6  0x0000000001f5b240 in 
clang::ento::eval::Call::_evalCall<clang::ento::retaincountchecker::RetainCountChecker>
 
(checker=0x64d29e0, CE=0x655a580, C=...) at 
../tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:478
#7  0x0000000002114022 in clang::ento::CheckerFn<bool (clang::CallExpr 
const*, clang::ento::CheckerContext&)>::operator()(clang::CallExpr 
const*, clang::ento::CheckerContext&) const (this=0x7fffffff8a20, 
ps=..., ps=...) at 
../tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:70
#8  0x0000000002110c98 in 
clang::ento::CheckerManager::runCheckersForEvalCall (this=0x64c57b0, 
Dst=..., Src=..., Call=..., Eng=...) at 
../tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:662
#9  0x0000000002181729 in clang::ento::ExprEngine::evalCall 
(this=0x7fffffffa8d0, Dst=..., Pred=0x656b930, Call=...) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:569
#10 0x00000000021815ec in clang::ento::ExprEngine::VisitCallExpr 
(this=0x7fffffffa8d0, CE=0x655a580, Pred=0x656b930, dst=...) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:496
#11 0x000000000214b749 in clang::ento::ExprEngine::Visit 
(this=0x7fffffffa8d0, S=0x655a580, Pred=0x656b930, DstTop=...) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1540
#12 0x000000000214818a in clang::ento::ExprEngine::ProcessStmt 
(this=0x7fffffffa8d0, currStmt=0x655a580, Pred=0x656b600) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:741
#13 0x0000000002147e49 in clang::ento::ExprEngine::processCFGElement 
(this=0x7fffffffa8d0, E=..., Pred=0x656b600, StmtIdx=10, 
Ctx=0x7fffffffa398) at 
../tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:579
#14 0x00000000021326a9 in clang::ento::CoreEngine::HandlePostStmt 
(this=0x7fffffffa8f0, B=0x655cc38, StmtIdx=10, Pred=0x656b600) at 
../tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:439
#15 0x0000000002131f69 in clang::ento::CoreEngine::dispatchWorkItem 
(this=0x7fffffffa8f0, Pred=0x656b600, Loc=..., WU=...) at 
../tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:193
#16 0x0000000002131a0e in clang::ento::CoreEngine::ExecuteWorkList 
(this=0x7fffffffa8f0, L=0x6563740, Steps=224988, InitState=...) at 
../tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:149
#17 0x0000000001aeea98 in clang::ento::ExprEngine::ExecuteWorkList 
(this=0x7fffffffa8d0, L=0x6563740, Steps=225000) at 
../tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:165
#18 0x0000000001a87fa9 in (anonymous 
namespace)::AnalysisConsumer::RunPathSensitiveChecks (this=0x64c20f0, 
D=0x655a3a8, IMode=clang::ento::ExprEngine::Inline_Regular, 
VisitedCallees=0x7fffffffaf38) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:741
#19 0x0000000001a87905 in (anonymous 
namespace)::AnalysisConsumer::HandleCode (this=0x64c20f0, D=0x655a3a8, 
Mode=2, IMode=clang::ento::ExprEngine::Inline_Regular, 
VisitedCallees=0x7fffffffaf38) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:716
#20 0x0000000001a87496 in (anonymous 
namespace)::AnalysisConsumer::HandleDeclsCallGraph (this=0x64c20f0, 
LocalTUDeclsSize=53) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:507
#21 0x0000000001a85f2d in (anonymous 
namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit 
(this=0x64c20f0, C=...) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:554
#22 0x0000000001a85916 in (anonymous 
namespace)::AnalysisConsumer::HandleTranslationUnit (this=0x64c20f0, 
C=...) at 
../tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:585
#23 0x0000000002444251 in 
clang::MultiplexConsumer::HandleTranslationUnit (this=0x64c2850, 
Ctx=...) at ../tools/clang/lib/Frontend/MultiplexConsumer.cpp:287
#24 0x000000000271a44a in clang::ParseAST (S=..., PrintStats=false, 
SkipFunctionBodies=false) at ../tools/clang/lib/Parse/ParseAST.cpp:170
#25 0x00000000023fd05e in clang::ASTFrontendAction::ExecuteAction 
(this=0x64cc010) at ../tools/clang/lib/Frontend/FrontendAction.cpp:1018
#26 0x00000000023fca90 in clang::FrontendAction::Execute 
(this=0x64cc010) at ../tools/clang/lib/Frontend/FrontendAction.cpp:917
#27 0x00000000023759e2 in clang::CompilerInstance::ExecuteAction 
(this=0x7fffffffb6b0, Act=...) at 
../tools/clang/lib/Frontend/CompilerInstance.cpp:968
#28 0x00000000018aa482 in 
clang::tooling::FrontendActionFactory::runInvocation 
(this=0x7fffffffc760, Invocation=std::shared_ptr (empty) 0x0, 
Files=0x64529a0, PCHContainerOps=..., DiagConsumer=0x7fffffffcb00) at 
../tools/clang/lib/Tooling/Tooling.cpp:370
#29 0x000000000116089e in 
clang::tidy::runClangTidy(clang::tidy::ClangTidyContext&, 
clang::tooling::CompilationDatabase const&, llvm::ArrayRef<std::string>, 
llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, bool, 
llvm::StringRef)::ActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>,
 
clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, 
clang::DiagnosticConsumer*) (this=0x7fffffffc760, Invocation=warning: 
RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::CompilerInvocation*, 
std::default_delete<clang::CompilerInvocation>, std::allocator<void>, 
(__gnu_cxx::_Lock_policy)2>'
warning: RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::CompilerInvocation*, 
std::default_delete<clang::CompilerInvocation>, std::allocator<void>, 
(__gnu_cxx::_Lock_policy)2>'
std::shared_ptr (count 2, weak 0) 0x644f910, Files=0x64529a0, 
PCHContainerOps=warning: RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::PCHContainerOperations*, 
std::__shared_ptr<clang::PCHContainerOperations, 
(__gnu_cxx::_Lock_policy)2>::_Deleter<std::allocator<clang::PCHContainerOperations>
 
 >, std::allocator<clang::PCHContainerOperations>, 
(__gnu_cxx::_Lock_policy)2>'
warning: RTTI symbol not found for class 
'std::_Sp_counted_deleter<clang::PCHContainerOperations*, 
std::__shared_ptr<clang::PCHContainerOperations, 
(__gnu_cxx::_Lock_policy)2>::_Deleter<std::allocator<clang::PCHContainerOperations>
 
 >, std::allocator<clang::PCHContainerOperations>, 
(__gnu_cxx::_Lock_policy)2>'
std::shared_ptr (count 3, weak 0) 0x644a270, 
DiagConsumer=0x7fffffffcb00) at 
../tools/clang/tools/extra/clang-tidy/ClangTidy.cpp:572
#30 0x00000000018aa317 in clang::tooling::ToolInvocation::runInvocation 
(this=0x7fffffffc288, BinaryName=0x6440088 "clang-tool", 
Compilation=0x644eb80, Invocation=std::shared_ptr (empty) 0x0, 
PCHContainerOps=std::shared_ptr (empty) 0x0) at 
../tools/clang/lib/Tooling/Tooling.cpp:345
#31 0x00000000018a8a59 in clang::tooling::ToolInvocation::run 
(this=0x7fffffffc288) at ../tools/clang/lib/Tooling/Tooling.cpp:330
#32 0x00000000018ab924 in clang::tooling::ClangTool::run 
(this=0x7fffffffcc10, Action=0x7fffffffc760) at 
../tools/clang/lib/Tooling/Tooling.cpp:519
#33 0x000000000115d517 in clang::tidy::runClangTidy (Context=..., 
Compilations=..., InputFiles=llvm::ArrayRef of length 1 = {...}, 
BaseFS=..., EnableCheckProfile=false, StoreCheckProfile="") at 
../tools/clang/tools/extra/clang-tidy/ClangTidy.cpp:593
#34 0x000000000047a29f in clang::tidy::clangTidyMain (argc=3, 
argv=0x7fffffffda98) at 
../tools/clang/tools/extra/clang-tidy/tool/ClangTidyMain.cpp:428
#35 0x00000000004796c2 in main (argc=5, argv=0x7fffffffda98) at 
../tools/clang/tools/extra/clang-tidy/tool/ClangTidyMain.cpp:581

/Mikael

> 
> Thanks,
> George
> 
>> On Nov 26, 2018, at 12:03 AM, Mikael Holmén 
>> <mikael.hol...@ericsson.com <mailto:mikael.hol...@ericsson.com>> wrote:
>>
>> Hi again,
>>
>> Do you have any opinion about the below valgrind complaint that starts
>> appearing with this patch?
>>
>> valgrind still complains on it on current trunk.
>>
>> I see it when compiling with clang 3.6.0. I've also tried gcc 5.4.0 but
>> then I don't get it.
>>
>> Regards,
>> Mikael
>>
>> On 11/21/18 8:33 AM, Mikael Holmén via cfe-commits wrote:
>>> Hi George,
>>>
>>> I noticed that valgrind started complaining in one case with this patch.
>>>
>>> I've no idea if it's really due to something in the patch or if it's
>>> something old that surfaced or if it's a false flag.
>>>
>>> Anyway, with this patch the following
>>>
>>>   valgrind clang-tidy -checks='-*,clang-analyzer-*' 'memcpy.c' -- -O0
>>>
>>> gives me
>>>
>>> ==18829== Memcheck, a memory error detector
>>> ==18829== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
>>> ==18829== Using Valgrind-3.10.1 and LibVEX; rerun with -h for 
>>> copyright info
>>> ==18829== Command: build-all/bin/clang-tidy -checks=-*,clang-analyzer-*
>>> memcpy.c -- -O0
>>> ==18829==
>>> ==18829== Conditional jump or move depends on uninitialised value(s)
>>> ==18829==    at 0xE580DF:
>>> clang::ento::RetainSummaryManager::canEval(clang::CallExpr const*,
>>> clang::FunctionDecl const*, bool&) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xD034AA:
>>> clang::ento::retaincountchecker::RetainCountChecker::evalCall(clang::CallExpr
>>> const*, clang::ento::CheckerContext&) const (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xDCBCD7:
>>> clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&,
>>> clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&,
>>> clang::ento::ExprEngine&) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xE033D5:
>>> clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&,
>>> clang::ento::ExplodedNode*, clang::ento::CallEvent const&) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xE03165:
>>> clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*,
>>> clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xDE3D9A: clang::ento::ExprEngine::Visit(clang::Stmt
>>> const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xDDEFD1:
>>> clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*,
>>> clang::ento::ExplodedNode*) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xDDEBBC:
>>> clang::ento::ExprEngine::processCFGElement(clang::CFGElement,
>>> clang::ento::ExplodedNode*, unsigned int,
>>> clang::ento::NodeBuilderContext*) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xDD3154:
>>> clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned
>>> int, clang::ento::ExplodedNode*) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xDD24D3:
>>> clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*,
>>> unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>)
>>> (in /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xB8E90E: (anonymous
>>> namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
>>> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl
>>> const*, llvm::DenseMapInfo<clang::Decl const*> >*) (in
>>> /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==    by 0xB89943: (anonymous
>>> namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
>>> (in /data/repo/llvm-patch/build-all/bin/clang-tidy)
>>> ==18829==
>>>
>>> The call to
>>>
>>>      const FunctionDecl* FDD = FD->getDefinition();
>>>
>>> in RetainSummaryManager::canEval eventually ends up in
>>>
>>>    bool isThisDeclarationADefinition() const {
>>>      return isDeletedAsWritten() || isDefaulted() || Body ||
>>> hasSkippedBody() ||
>>>             isLateTemplateParsed() || willHaveBody() || 
>>> hasDefiningAttr();
>>>    }
>>>
>>> And here it seems to be the access of "Body" that valgrind complains on.
>>> If I simply comment out "Body" the complaint is gone.
>>>
>>> I really have no clue about this code, but perhaps this makes some sense
>>> to you? Or perhaps to someone else?
>>>
>>> Regards,
>>> Mikael
>>>
>>> On 10/24/18 1:11 AM, George Karpenkov via cfe-commits wrote:
>>>> Author: george.karpenkov
>>>> Date: Tue Oct 23 16:11:30 2018
>>>> New Revision: 345099
>>>>
>>>> URL: http://llvm.org/viewvc/llvm-project?rev=345099&view=rev
>>>> Log:
>>>> [analyzer] Trust summaries for OSObject::retain and OSObject::release
>>>>
>>>> Refactor the way in which summaries are consumed for safeMetaCast
>>>>
>>>> Differential Revision: https://reviews.llvm.org/D53549
>>>>
>>>> Modified:
>>>>      
>>>> cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
>>>>      cfe/trunk/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp
>>>>      cfe/trunk/test/Analysis/osobject-retain-release.cpp
>>>>
>>>> Modified: 
>>>> cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
>>>> URL: 
>>>> http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp?rev=345099&r1=345098&r2=345099&view=diff
>>>> ==============================================================================
>>>> --- 
>>>> cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
>>>>  
>>>> (original)
>>>> +++ 
>>>> cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
>>>>  
>>>> Tue Oct 23 16:11:30 2018
>>>> @@ -776,31 +776,27 @@ bool RetainCountChecker::evalCall(const
>>>>
>>>>     const LocationContext *LCtx = C.getLocationContext();
>>>>
>>>> -  // Process OSDynamicCast: should just return the first argument.
>>>> -  // For now, tresting the cast as a no-op, and disregarding the 
>>>> case where
>>>> -  // the output becomes null due to the type mismatch.
>>>> -  if (FD->getNameAsString() == "safeMetaCast") {
>>>> -    state = state->BindExpr(CE, LCtx,
>>>> -                            state->getSVal(CE->getArg(0), LCtx));
>>>> -    C.addTransition(state);
>>>> -    return true;
>>>> -  }
>>>> -
>>>>     // See if it's one of the specific functions we know how to eval.
>>>>     if (!SmrMgr.canEval(CE, FD, hasTrustedImplementationAnnotation))
>>>>       return false;
>>>>
>>>>     // Bind the return value.
>>>> -  SVal RetVal = state->getSVal(CE->getArg(0), LCtx);
>>>> -  if (RetVal.isUnknown() ||
>>>> -      (hasTrustedImplementationAnnotation && !ResultTy.isNull())) {
>>>> +  // For now, all the functions which we can evaluate and which take
>>>> +  // at least one argument are identities.
>>>> +  if (CE->getNumArgs() >= 1) {
>>>> +    SVal RetVal = state->getSVal(CE->getArg(0), LCtx);
>>>> +
>>>>       // If the receiver is unknown or the function has
>>>>       // 'rc_ownership_trusted_implementation' annotate attribute, 
>>>> conjure a
>>>>       // return value.
>>>> -    SValBuilder &SVB = C.getSValBuilder();
>>>> -    RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, 
>>>> C.blockCount());
>>>> +    if (RetVal.isUnknown() ||
>>>> +        (hasTrustedImplementationAnnotation && !ResultTy.isNull())) {
>>>> +      SValBuilder &SVB = C.getSValBuilder();
>>>> +      RetVal =
>>>> +          SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, 
>>>> C.blockCount());
>>>> +    }
>>>> +    state = state->BindExpr(CE, LCtx, RetVal, false);
>>>>     }
>>>> -  state = state->BindExpr(CE, LCtx, RetVal, false);
>>>>
>>>>     C.addTransition(state);
>>>>     return true;
>>>>
>>>> Modified: cfe/trunk/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp
>>>> URL: 
>>>> http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp?rev=345099&r1=345098&r2=345099&view=diff
>>>> ==============================================================================
>>>> --- cfe/trunk/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp 
>>>> (original)
>>>> +++ cfe/trunk/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp Tue 
>>>> Oct 23 16:11:30 2018
>>>> @@ -102,9 +102,6 @@ RetainSummaryManager::generateSummary(co
>>>>       return getPersistentStopSummary();
>>>>     }
>>>>
>>>> -  // [PR 3337] Use 'getAs<FunctionType>' to strip away any typedefs 
>>>> on the
>>>> -  // function's type.
>>>> -  const FunctionType *FT = FD->getType()->getAs<FunctionType>();
>>>>     const IdentifierInfo *II = FD->getIdentifier();
>>>>     if (!II)
>>>>       return getDefaultSummary();
>>>> @@ -115,7 +112,8 @@ RetainSummaryManager::generateSummary(co
>>>>     // down below.
>>>>     FName = FName.substr(FName.find_first_not_of('_'));
>>>>
>>>> -  // Inspect the result type.
>>>> +  // Inspect the result type. Strip away any typedefs.
>>>> +  const auto *FT = FD->getType()->getAs<FunctionType>();
>>>>     QualType RetTy = FT->getReturnType();
>>>>     std::string RetTyName = RetTy.getAsString();
>>>>
>>>> @@ -506,12 +504,6 @@ bool RetainSummaryManager::isTrustedRefe
>>>>   bool RetainSummaryManager::canEval(const CallExpr *CE,
>>>>                                      const FunctionDecl *FD,
>>>>                                      bool 
>>>> &hasTrustedImplementationAnnotation) {
>>>> -  // For now, we're only handling the functions that return aliases 
>>>> of their
>>>> -  // arguments: CFRetain (and its families).
>>>> -  // Eventually we should add other functions we can model entirely,
>>>> -  // such as CFRelease, which don't invalidate their arguments or 
>>>> globals.
>>>> -  if (CE->getNumArgs() != 1)
>>>> -    return false;
>>>>
>>>>     IdentifierInfo *II = FD->getIdentifier();
>>>>     if (!II)
>>>> @@ -533,6 +525,13 @@ bool RetainSummaryManager::canEval(const
>>>>         return isRetain(FD, FName) || isAutorelease(FD, FName) ||
>>>>                isMakeCollectable(FName);
>>>>
>>>> +    // Process OSDynamicCast: should just return the first argument.
>>>> +    // For now, treating the cast as a no-op, and disregarding the 
>>>> case where
>>>> +    // the output becomes null due to the type mismatch.
>>>> +    if (TrackOSObjects && FName == "safeMetaCast") {
>>>> +      return true;
>>>> +    }
>>>> +
>>>>       const FunctionDecl* FDD = FD->getDefinition();
>>>>       if (FDD && isTrustedReferenceCountImplementation(FDD)) {
>>>>         hasTrustedImplementationAnnotation = true;
>>>> @@ -540,6 +539,12 @@ bool RetainSummaryManager::canEval(const
>>>>       }
>>>>     }
>>>>
>>>> +  if (const auto *MD = dyn_cast<CXXMethodDecl>(FD)) {
>>>> +    const CXXRecordDecl *Parent = MD->getParent();
>>>> +    if (TrackOSObjects && Parent && isOSObjectSubclass(Parent))
>>>> +      return FName == "release" || FName == "retain";
>>>> +  }
>>>> +
>>>>     return false;
>>>>
>>>>   }
>>>>
>>>> Modified: cfe/trunk/test/Analysis/osobject-retain-release.cpp
>>>> URL: 
>>>> http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/osobject-retain-release.cpp?rev=345099&r1=345098&r2=345099&view=diff
>>>> ==============================================================================
>>>> --- cfe/trunk/test/Analysis/osobject-retain-release.cpp (original)
>>>> +++ cfe/trunk/test/Analysis/osobject-retain-release.cpp Tue Oct 23 
>>>> 16:11:30 2018
>>>> @@ -9,7 +9,7 @@ struct OSMetaClass;
>>>>
>>>>   struct OSObject {
>>>>     virtual void retain();
>>>> -  virtual void release();
>>>> +  virtual void release() {};
>>>>     virtual ~OSObject(){}
>>>>
>>>>     static OSObject *generateObject(int);
>>>>
>>>>
>>>> _______________________________________________
>>>> cfe-commits mailing list
>>>> cfe-commits@lists.llvm.org <mailto:cfe-commits@lists.llvm.org>
>>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
>>>>
>>>>
>>>> _______________________________________________
>>>> cfe-commits mailing list
>>>> cfe-commits@lists.llvm.org <mailto:cfe-commits@lists.llvm.org>
>>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
>> <memcpy.c>
> 

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Re: r345099 - [analyzer] Trust summaries for OSObject::retain and OSObject::release

Reply via email to