[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
// RUN: %clang_analyze_cc1 %s \
|
|
|
|
// RUN: -verify=expected,tracking \
|
|
|
|
// RUN: -analyzer-config track-conditions=true \
|
|
|
|
// RUN: -analyzer-output=text \
|
|
|
|
// RUN: -analyzer-checker=core
|
2019-07-05 22:00:08 +08:00
|
|
|
|
|
|
|
// RUN: not %clang_analyze_cc1 -verify %s \
|
|
|
|
// RUN: -analyzer-checker=core \
|
|
|
|
// RUN: -analyzer-config track-conditions-debug=true \
|
|
|
|
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-DEBUG
|
|
|
|
|
|
|
|
// CHECK-INVALID-DEBUG: (frontend): invalid input for analyzer-config option
|
|
|
|
// CHECK-INVALID-DEBUG-SAME: 'track-conditions-debug', that expects
|
|
|
|
// CHECK-INVALID-DEBUG-SAME: 'track-conditions' to also be enabled
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
//
|
2019-07-05 22:00:08 +08:00
|
|
|
// RUN: %clang_analyze_cc1 %s \
|
|
|
|
// RUN: -verify=expected,tracking,debug \
|
|
|
|
// RUN: -analyzer-config track-conditions=true \
|
|
|
|
// RUN: -analyzer-config track-conditions-debug=true \
|
|
|
|
// RUN: -analyzer-output=text \
|
|
|
|
// RUN: -analyzer-checker=core
|
|
|
|
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
// RUN: %clang_analyze_cc1 %s -verify \
|
|
|
|
// RUN: -analyzer-output=text \
|
|
|
|
// RUN: -analyzer-checker=core
|
|
|
|
|
|
|
|
namespace example_1 {
|
|
|
|
int flag;
|
|
|
|
bool coin();
|
|
|
|
|
|
|
|
void foo() {
|
|
|
|
flag = coin(); // tracking-note{{Value assigned to 'flag'}}
|
|
|
|
}
|
|
|
|
|
|
|
|
void test() {
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
flag = 1;
|
|
|
|
|
|
|
|
foo(); // TODO: Add nodes here about flag's value being invalidated.
|
|
|
|
if (flag) // expected-note {{Assuming 'flag' is 0}}
|
|
|
|
// expected-note@-1{{Taking false branch}}
|
|
|
|
x = new int;
|
|
|
|
|
|
|
|
foo(); // tracking-note{{Calling 'foo'}}
|
|
|
|
// tracking-note@-1{{Returning from 'foo'}}
|
|
|
|
|
|
|
|
if (flag) // expected-note {{Assuming 'flag' is not equal to 0}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
|
|
|
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace example_1
|
|
|
|
|
|
|
|
namespace example_2 {
|
|
|
|
int flag;
|
|
|
|
bool coin();
|
|
|
|
|
|
|
|
void foo() {
|
|
|
|
flag = coin(); // tracking-note{{Value assigned to 'flag'}}
|
|
|
|
}
|
|
|
|
|
|
|
|
void test() {
|
|
|
|
int *x = 0;
|
|
|
|
flag = 1;
|
|
|
|
|
|
|
|
foo();
|
|
|
|
if (flag) // expected-note {{Assuming 'flag' is 0}}
|
|
|
|
// expected-note@-1{{Taking false branch}}
|
|
|
|
x = new int;
|
|
|
|
|
|
|
|
x = 0; // expected-note{{Null pointer value stored to 'x'}}
|
|
|
|
|
|
|
|
foo(); // tracking-note{{Calling 'foo'}}
|
|
|
|
// tracking-note@-1{{Returning from 'foo'}}
|
|
|
|
|
|
|
|
if (flag) // expected-note {{Assuming 'flag' is not equal to 0}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
|
|
|
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace example_2
|
|
|
|
|
|
|
|
namespace global_variable_invalidation {
|
|
|
|
int flag;
|
|
|
|
bool coin();
|
|
|
|
|
|
|
|
void foo() {
|
|
|
|
// coin() could write bar, do it's invalidated.
|
|
|
|
flag = coin(); // tracking-note{{Value assigned to 'flag'}}
|
|
|
|
// tracking-note@-1{{Value assigned to 'bar'}}
|
|
|
|
}
|
|
|
|
|
|
|
|
int bar;
|
|
|
|
|
|
|
|
void test() {
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
flag = 1;
|
|
|
|
|
|
|
|
foo(); // tracking-note{{Calling 'foo'}}
|
|
|
|
// tracking-note@-1{{Returning from 'foo'}}
|
|
|
|
|
|
|
|
if (bar) // expected-note {{Assuming 'bar' is not equal to 0}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'bar'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
if (flag) // expected-note {{Assuming 'flag' is not equal to 0}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
|
|
|
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace global_variable_invalidation
|
|
|
|
|
|
|
|
namespace variable_declaration_in_condition {
|
|
|
|
bool coin();
|
|
|
|
|
|
|
|
bool foo() {
|
|
|
|
return coin(); // tracking-note{{Returning value}}
|
|
|
|
}
|
|
|
|
|
|
|
|
int bar;
|
|
|
|
|
|
|
|
void test() {
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
|
|
|
|
if (int flag = foo()) // tracking-note{{Calling 'foo'}}
|
|
|
|
// tracking-note@-1{{Returning from 'foo'}}
|
|
|
|
// tracking-note@-2{{'flag' initialized here}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-3{{Tracking condition 'flag'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
// expected-note@-4{{Assuming 'flag' is not equal to 0}}
|
|
|
|
// expected-note@-5{{Taking true branch}}
|
|
|
|
|
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace variable_declaration_in_condition
|
|
|
|
|
|
|
|
namespace conversion_to_bool {
|
|
|
|
bool coin();
|
|
|
|
|
|
|
|
struct ConvertsToBool {
|
|
|
|
operator bool() const { return coin(); } // tracking-note{{Returning value}}
|
|
|
|
};
|
|
|
|
|
|
|
|
void test() {
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
|
|
|
|
if (ConvertsToBool())
|
|
|
|
// tracking-note@-1 {{Calling 'ConvertsToBool::operator bool'}}
|
|
|
|
// tracking-note@-2{{Returning from 'ConvertsToBool::operator bool'}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-3{{Tracking condition 'ConvertsToBool()'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
// expected-note@-4{{Assuming the condition is true}}
|
|
|
|
// expected-note@-5{{Taking true branch}}
|
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
|
|
|
|
} // end of namespace variable_declaration_in_condition
|
|
|
|
|
|
|
|
namespace unimportant_returning_value_note {
|
|
|
|
bool coin();
|
|
|
|
|
|
|
|
bool flipCoin() { return coin(); } // tracking-note{{Returning value}}
|
|
|
|
|
|
|
|
void i(int *ptr) {
|
|
|
|
if (ptr) // expected-note{{Assuming 'ptr' is null}}
|
|
|
|
// expected-note@-1{{Taking false branch}}
|
|
|
|
;
|
|
|
|
if (!flipCoin())
|
|
|
|
// tracking-note@-1{{Calling 'flipCoin'}}
|
|
|
|
// tracking-note@-2{{Returning from 'flipCoin'}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-3{{Tracking condition '!flipCoin()'}}
|
|
|
|
// expected-note@-4{{Assuming the condition is true}}
|
|
|
|
// expected-note@-5{{Taking true branch}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*ptr = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace unimportant_returning_value_note
|
|
|
|
|
|
|
|
namespace important_returning_value_note {
|
|
|
|
bool coin();
|
|
|
|
|
|
|
|
bool flipCoin() {
|
|
|
|
if (coin()) // tracking-note{{Assuming the condition is false}}
|
|
|
|
// tracking-note@-1{{Taking false branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'coin()'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
return true;
|
|
|
|
return coin(); // tracking-note{{Returning value}}
|
|
|
|
}
|
|
|
|
|
|
|
|
void i(int *ptr) {
|
|
|
|
if (ptr) // expected-note{{Assuming 'ptr' is null}}
|
|
|
|
// expected-note@-1{{Taking false branch}}
|
|
|
|
;
|
|
|
|
if (!flipCoin())
|
|
|
|
// tracking-note@-1{{Calling 'flipCoin'}}
|
|
|
|
// tracking-note@-2{{Returning from 'flipCoin'}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-3{{Tracking condition '!flipCoin()'}}
|
|
|
|
// expected-note@-4{{Assuming the condition is true}}
|
|
|
|
// expected-note@-5{{Taking true branch}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*ptr = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace important_returning_value_note
|
|
|
|
|
|
|
|
namespace tracked_condition_is_only_initialized {
|
|
|
|
int getInt();
|
|
|
|
|
|
|
|
void f() {
|
|
|
|
int flag = getInt(); // tracking-note{{'flag' initialized here}}
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
if (flag) // expected-note{{Assuming 'flag' is not equal to 0}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace tracked_condition_is_only_initialized
|
|
|
|
|
|
|
|
namespace tracked_condition_written_in_same_stackframe {
|
|
|
|
int flag;
|
|
|
|
int getInt();
|
|
|
|
|
|
|
|
void f(int y) {
|
|
|
|
y = 1; // tracking-note{{The value 1 is assigned to 'y'}}
|
|
|
|
flag = y; // tracking-note{{The value 1 is assigned to 'flag'}}
|
|
|
|
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
if (flag) // expected-note{{'flag' is 1}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace tracked_condition_written_in_same_stackframe
|
|
|
|
|
|
|
|
namespace tracked_condition_written_in_nested_stackframe {
|
|
|
|
int flag;
|
|
|
|
int getInt();
|
|
|
|
|
|
|
|
void foo() {
|
|
|
|
int y;
|
|
|
|
y = 1; // tracking-note{{The value 1 is assigned to 'y'}}
|
|
|
|
flag = y; // tracking-note{{The value 1 is assigned to 'flag'}}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
void f(int y) {
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
|
|
|
|
foo(); // tracking-note{{Calling 'foo'}}
|
|
|
|
// tracking-note@-1{{Returning from 'foo'}}
|
|
|
|
|
|
|
|
if (flag) // expected-note{{'flag' is 1}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
} // end of namespace tracked_condition_written_in_nested_stackframe
|
|
|
|
|
|
|
|
namespace collapse_point_not_in_condition {
|
|
|
|
|
|
|
|
[[noreturn]] void halt();
|
|
|
|
|
|
|
|
void assert(int b) {
|
|
|
|
if (!b) // tracking-note{{Assuming 'b' is not equal to 0}}
|
|
|
|
// tracking-note@-1{{Taking false branch}}
|
|
|
|
halt();
|
|
|
|
}
|
|
|
|
|
|
|
|
void f(int flag) {
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
|
|
|
|
assert(flag); // tracking-note{{Calling 'assert'}}
|
|
|
|
// tracking-note@-1{{Returning from 'assert'}}
|
|
|
|
|
|
|
|
if (flag) // expected-note{{'flag' is not equal to 0}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
|
|
|
|
} // end of namespace collapse_point_not_in_condition
|
|
|
|
|
|
|
|
namespace unimportant_write_before_collapse_point {
|
|
|
|
|
|
|
|
[[noreturn]] void halt();
|
|
|
|
|
|
|
|
void assert(int b) {
|
|
|
|
if (!b) // tracking-note{{Assuming 'b' is not equal to 0}}
|
|
|
|
// tracking-note@-1{{Taking false branch}}
|
|
|
|
halt();
|
|
|
|
}
|
|
|
|
int getInt();
|
|
|
|
|
|
|
|
void f(int flag) {
|
|
|
|
int *x = 0; // expected-note{{'x' initialized to a null pointer value}}
|
|
|
|
|
|
|
|
flag = getInt(); // tracking-note{{Value assigned to 'flag'}}
|
|
|
|
assert(flag); // tracking-note{{Calling 'assert'}}
|
|
|
|
// tracking-note@-1{{Returning from 'assert'}}
|
|
|
|
|
|
|
|
if (flag) // expected-note{{'flag' is not equal to 0}}
|
|
|
|
// expected-note@-1{{Taking true branch}}
|
2019-07-05 22:00:08 +08:00
|
|
|
// debug-note@-2{{Tracking condition 'flag'}}
|
[analyzer] Track terminator conditions on which a tracked expression depends
This patch is a major part of my GSoC project, aimed to improve the bug
reports of the analyzer.
TL;DR: Help the analyzer understand that some conditions are important,
and should be explained better. If an CFGBlock is a control dependency
of a block where an expression value is tracked, explain the condition
expression better by tracking it.
if (A) // let's explain why we believe A to be true
10 / x; // division by zero
This is an experimental feature, and can be enabled by the
off-by-default analyzer configuration "track-conditions".
In detail:
This idea was inspired by the program slicing algorithm. Essentially,
two things are used to produce a program slice (a subset of the program
relevant to a (statement, variable) pair): data and control
dependencies. The bug path (the linear path in the ExplodedGraph that leads
from the beginning of the analysis to the error node) enables to
analyzer to argue about data dependencies with relative ease.
Control dependencies are a different slice of the cake entirely.
Just because we reached a branch during symbolic execution, it
doesn't mean that that particular branch has any effect on whether the
bug would've occured. This means that we can't simply rely on the bug
path to gather control dependencies.
In previous patches, LLVM's IDFCalculator, which works on a control flow
graph rather than the ExplodedGraph was generalized to solve this issue.
We use this information to heuristically guess that the value of a tracked
expression depends greatly on it's control dependencies, and start
tracking them as well.
After plenty of evaluations this was seen as great idea, but still
lacking refinements (we should have different descriptions about a
conditions value), hence it's off-by-default.
Differential Revision: https://reviews.llvm.org/D62883
llvm-svn: 365207
2019-07-05 21:29:54 +08:00
|
|
|
*x = 5; // expected-warning{{Dereference of null pointer}}
|
|
|
|
// expected-note@-1{{Dereference of null pointer}}
|
|
|
|
}
|
|
|
|
|
|
|
|
} // end of namespace unimportant_write_before_collapse_point
|