[analyzer] Use dynamic type when invalidating by a member function call #111138
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When instantiating "callable<T>", the "class CallableType" nested type will only have a declaration in the copy for the instantiation - because it's not refered to directly by any other code that would need a complete definition. However, in the past, when conservative eval calling member function, we took the static type of the "this" expr, and looked up the CXXRecordDecl it refered to to see if it has any mutable members (to decide if it needs to refine invalidation or not). Unfortunately, that query needs a definition, and it asserts otherwise, thus we crashed. To fix this, we should consult the dynamic type of the object, because that will have the definition. I anyways added a check for "hasDefinition" just to be on the safe side. Fixes llvm#77378
|
@llvm/pr-subscribers-clang @llvm/pr-subscribers-clang-static-analyzer-1 Author: Balazs Benics (steakhal) ChangesWhen instantiating "callable<T>", the "class CallableType" nested type will only have a declaration in the copy for the instantiation - because it's not refereed to directly by any other code that would need a complete definition. However, in the past, when conservative eval calling member function, we took the static type of the "this" expr, and looked up the CXXRecordDecl it refereed to to see if it has any mutable members (to decide if it needs to refine invalidation or not). Unfortunately, that query needs a definition, and it asserts otherwise, thus we crashed. To fix this, we should consult the dynamic type of the object, because that will have the definition. Fixes #77378 Full diff: https://github.com/llvm/llvm-project/pull/111138.diff 3 Files Affected:
diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
index 549c864dc91ef2..209f40b5b9f4c5 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
@@ -690,6 +690,10 @@ class CXXInstanceCall : public AnyFunctionCall {
ValueList &Values,
RegionAndSymbolInvalidationTraits *ETraits) const override;
+ /// Returns the decl refered to by the "dynamic type" of the current object.
+ /// This may be null.
+ const CXXRecordDecl *getDeclForDynamicType() const;
+
public:
/// Returns the expression representing the implicit 'this' object.
virtual const Expr *getCXXThisExpr() const { return nullptr; }
diff --git a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
index 1efac6ac1c57f4..2c04b42629b756 100644
--- a/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
+++ b/clang/lib/StaticAnalyzer/Core/CallEvent.cpp
@@ -711,18 +711,17 @@ void CXXInstanceCall::getExtraInvalidatedValues(
if (const auto *D = cast_or_null<CXXMethodDecl>(getDecl())) {
if (!D->isConst())
return;
- // Get the record decl for the class of 'This'. D->getParent() may return a
- // base class decl, rather than the class of the instance which needs to be
- // checked for mutable fields.
- // TODO: We might as well look at the dynamic type of the object.
- const Expr *Ex = getCXXThisExpr()->IgnoreParenBaseCasts();
- QualType T = Ex->getType();
- if (T->isPointerType()) // Arrow or implicit-this syntax?
- T = T->getPointeeType();
- const CXXRecordDecl *ParentRecord = T->getAsCXXRecordDecl();
- assert(ParentRecord);
+
+ // Get the record decl for the class of 'This'. D->getParent() may return
+ // a base class decl, rather than the class of the instance which needs to
+ // be checked for mutable fields.
+ const CXXRecordDecl *ParentRecord = getDeclForDynamicType();
+ if (!ParentRecord || !ParentRecord->hasDefinition())
+ return;
+
if (ParentRecord->hasMutableFields())
return;
+
// Preserve CXXThis.
const MemRegion *ThisRegion = ThisVal.getAsRegion();
if (!ThisRegion)
@@ -748,6 +747,22 @@ SVal CXXInstanceCall::getCXXThisVal() const {
return ThisVal;
}
+const CXXRecordDecl *CXXInstanceCall::getDeclForDynamicType() const {
+ const MemRegion *R = getCXXThisVal().getAsRegion();
+ if (!R)
+ return nullptr;
+
+ DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
+ if (!DynType.isValid())
+ return nullptr;
+
+ QualType Ty = DynType.getType()->getPointeeType();
+ if (Ty.isNull())
+ return nullptr;
+
+ return Ty->getAsCXXRecordDecl();
+}
+
RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
// Do we have a decl at all?
const Decl *D = getDecl();
@@ -759,21 +774,7 @@ RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
if (!MD->isVirtual())
return AnyFunctionCall::getRuntimeDefinition();
- // Do we know the implicit 'this' object being called?
- const MemRegion *R = getCXXThisVal().getAsRegion();
- if (!R)
- return {};
-
- // Do we know anything about the type of 'this'?
- DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
- if (!DynType.isValid())
- return {};
-
- // Is the type a C++ class? (This is mostly a defensive check.)
- QualType RegionType = DynType.getType()->getPointeeType();
- assert(!RegionType.isNull() && "DynamicTypeInfo should always be a pointer.");
-
- const CXXRecordDecl *RD = RegionType->getAsCXXRecordDecl();
+ const CXXRecordDecl *RD = getDeclForDynamicType();
if (!RD || !RD->hasDefinition())
return {};
@@ -797,6 +798,10 @@ RuntimeDefinition CXXInstanceCall::getRuntimeDefinition() const {
return {};
}
+ const MemRegion *R = getCXXThisVal().getAsRegion();
+ DynamicTypeInfo DynType = getDynamicTypeInfo(getState(), R);
+ assert(DynType.isValid() && "ensured by getDeclForDynamicType()");
+
// Does the decl that we found have an implementation?
const FunctionDecl *Definition;
if (!Result->hasBody(Definition)) {
diff --git a/clang/test/Analysis/const-method-call.cpp b/clang/test/Analysis/const-method-call.cpp
index 8e1fd3b125f0e2..7da7ca5554a23e 100644
--- a/clang/test/Analysis/const-method-call.cpp
+++ b/clang/test/Analysis/const-method-call.cpp
@@ -271,3 +271,49 @@ void checkThatConstMethodCallDoesInvalidateObjectForCircularReferences() {
// FIXME: Should be UNKNOWN.
clang_analyzer_eval(t.x); // expected-warning{{TRUE}}
}
+
+namespace gh77378 {
+template <typename Signature> class callable;
+
+template <typename R> class callable<R()> {
+ struct CallableType {
+ bool operator()();
+ };
+ using MethodType = R (CallableType::*)();
+ CallableType *object_{nullptr};
+ MethodType method_;
+
+public:
+ callable() = default;
+
+ template <typename T>
+ constexpr callable(const T &obj)
+ : object_{reinterpret_cast<CallableType *>(&const_cast<T &>(obj))},
+ method_{reinterpret_cast<MethodType>(
+ static_cast<bool (T::*)() const>(&T::operator()))} {}
+
+ constexpr bool const_method() const {
+ return (object_->*(method_))();
+ }
+
+ callable call() const & {
+ static const auto L = [this]() {
+ while (true) {
+ // This should not crash when conservative eval calling the member function
+ // when it unwinds the call stack due to exhausting the budget or reaching
+ // the inlining limit.
+ if (this->const_method()) {
+ break;
+ }
+ }
+ return true;
+ };
+ return L;
+ }
+};
+
+void entry() {
+ callable<bool()>{}.call().const_method();
+ // expected-warning@-1 {{Address of stack memory associated with temporary object of type 'callable<bool ()>' is still referred to by the static variable 'L' upon returning to the caller. This will be a dangling reference}}
+}
+} // namespace gh77378
|
|
I haven't checked this change internally. Only on the LIT tests. |
|
FYI this crashed since clang-7 I think. |
|
Ping |
Xazax-hun
approved these changes
Oct 23, 2024
Closed
NoumanAmir657
pushed a commit
to NoumanAmir657/llvm-project
that referenced
this pull request
Nov 4, 2024
…ll (llvm#111138) When instantiating "callable<T>", the "class CallableType" nested type will only have a declaration in the copy for the instantiation - because it's not refereed to directly by any other code that would need a complete definition. However, in the past, when conservative eval calling member function, we took the static type of the "this" expr, and looked up the CXXRecordDecl it refereed to to see if it has any mutable members (to decide if it needs to refine invalidation or not). Unfortunately, that query needs a definition, and it asserts otherwise, thus we crashed. To fix this, we should consult the dynamic type of the object, because that will have the definition. I anyways added a check for "hasDefinition" just to be on the safe side. Fixes llvm#77378
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When instantiating "callable", the "class CallableType" nested type will only have a declaration in the copy for the instantiation - because it's not refereed to directly by any other code that would need a complete definition.
However, in the past, when conservative eval calling member function, we took the static type of the "this" expr, and looked up the CXXRecordDecl it refereed to to see if it has any mutable members (to decide if it needs to refine invalidation or not). Unfortunately, that query needs a definition, and it asserts otherwise, thus we crashed.
To fix this, we should consult the dynamic type of the object, because that will have the definition.
I anyways added a check for "hasDefinition" just to be on the safe side.
Fixes #77378