[clang] [analyzer] Trust base to derived casts for dynamic types (PR #69057)

2023-12-14 Thread Tom Ritter via cfe-commits

tomrittervg wrote:

Hm, testing these patches on the original testcase in #62663 (the one where we 
use statements 1B and 2B) - I don't think this patchset solves that scenario...

https://github.com/llvm/llvm-project/pull/69057
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits


[clang] [analyzer] Trust base to derived casts for dynamic types (PR #69057)

2023-12-01 Thread Tom Ritter via cfe-commits

tomrittervg wrote:

This sounds crazy, but I think I found a bug in this patchset.  I applied it on 
top of the 17.0.2 tag, and then ran the whole analysis on mozilla-central.  I 
got segfaults on about 4000 executions, all with the same stack trace:

```
1.   parser at end of file
2.  While analyzing stack:
#0 Calling mozilla::FailureLatch::SetFailureFrom(const FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:151:5
#1 Calling mozilla::baseprofiler::ChunkedJSONWriteFunc::ChangeFailureLatchAndForwardState(FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:465:12
#2 Calling mozilla::baseprofiler::SpliceableChunkedJSONWriter::ChangeFailureLatchAndForwardState(FailureLatch &) at line /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/BaseProfileJSONWriter.h:570:5
#3 Calling mozilla::baseprofiler::UniqueJSONStrings::ChangeFailureLatchAndForwardState(FailureLatch &)
3.  /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/FailureLatch.h:65:36: Error evaluating statement
4.  /home/tom/Documents/moz/static-analysis/mozilla-unified/objdir/dist/include/mozilla/FailureLatch.h:65:36: Error evaluating statement
 #0 0x7f9378f09cb8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x2782cb8)
 #1 0x7f9378f09813 llvm::sys::CleanupOnSignal(unsigned long) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libLLVM-17.so+0x2782813)
 #2 0x7f9378ea11fe (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) CrashRecoveryContext.cpp:0:0
 #3 0x7f9378ea13ae CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
 #4 0x7f937626c520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #5 0x7f937da6ed08 clang::ento::CXXInstanceCall::getRuntimeDefinition() const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f09d08)
 #6 0x7f937da6f038 clang::ento::CXXMemberCall::getRuntimeDefinition() const (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f0a038)
 #7 0x7f937daa9796 clang::ento::ExprEngine::defaultEvalCall(clang::ento::NodeBuilder&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&, clang::ento::EvalCallOptions const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f44796)
 #8 0x7f937da776ea clang::ento::CheckerManager::runCheckersForEvalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, clang::ento::EvalCallOptions const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f126ea)
 #9 0x7f937daa7c64 clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f42c64)
#10 0x7f937daa7a67 clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f42a67)
#11 0x7f937da8d503 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f28503)
#12 0x7f937da8abec clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f25bec)
#13 0x7f937da8a9bd clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f259bd)
#14 0x7f937da7bb7c clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f16b7c)
#15 0x7f937da7ae62 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr) (/home/tom/Documents/moz/static-analysis/clang-17-2023-11-22-patches-from-tc/bin/../lib/libclang-cpp.so.17+0x2f15e62)
#16 0x7f937dcf3206 (anonymous namespace)::AnalysisConsumer::Han
```

[llvm] [clang-tools-extra] [clang] [analyzer] Trust base to derived casts for dynamic types (PR #69057)

2024-01-02 Thread Tom Ritter via cfe-commits

tomrittervg wrote:

> However, what should we do if multiple (N) classes implement Base? Trying 
> each N, and basically splitting the state to (N+1) ways is not going to 
> scale. Unless N is of course really small, like 2 or 3 at most.

That's kind of what I imagined - try them all.  The Analyzer has a built-in 
timeout mechanism that will come into play.  

If you wanted to be fancy, there could be an obscure config option, with a 
default of N=3.  If config value is not set, and N>3 it asserts, alerting the 
user to the situation. If config value is set, it limits to analyzing the first 
N.

https://github.com/llvm/llvm-project/pull/69057