wyt created this revision.
Herald added subscribers: martong, tschuett, xazax.hun.
Herald added a project: All.
wyt requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.
When a `nullptr` is assigned to a pointer variable, it is wrapped in a
`ImplicitCastExpr` with cast kind `CK_NullTo(Member)Pointer`. This patch
assigns singleton pointer values representing null to these expressions.
For each pointee type, a singleton null `PointerValue` is created and stored in
the `NullPointerVals` map of the `DataflowAnalysisContext` class. The pointee
type is retrieved from the implicit cast expression, and used to initialise the
`PointeeLoc` field of the `PointerValue`. The `PointeeLoc` created is not
mapped to any `Value`, reflecting the absence of value indicated by null
pointers.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D128056
Files:
clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
clang/lib/Analysis/FlowSensitive/Transfer.cpp
clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
Index: clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
===================================================================
--- clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
+++ clang/unittests/Analysis/FlowSensitive/TransferTest.cpp
@@ -2214,6 +2214,93 @@
});
}
+TEST_F(TransferTest, NullToPointerCast) {
+ std::string Code = R"(
+ struct Baz {};
+ void target() {
+ int *FooX = nullptr;
+ int *FooY = nullptr;
+ bool **Bar = nullptr;
+ Baz *Baz = nullptr;
+ // [[p]]
+ }
+ )";
+ runDataflow(Code,
+ [](llvm::ArrayRef<
+ std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
+ Results,
+ ASTContext &ASTCtx) {
+ ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
+ const Environment &Env = Results[0].second.Env;
+
+ const ValueDecl *FooXDecl = findValueDecl(ASTCtx, "FooX");
+ ASSERT_THAT(FooXDecl, NotNull());
+
+ const ValueDecl *FooYDecl = findValueDecl(ASTCtx, "FooY");
+ ASSERT_THAT(FooYDecl, NotNull());
+
+ const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar");
+ ASSERT_THAT(BarDecl, NotNull());
+
+ const ValueDecl *BazDecl = findValueDecl(ASTCtx, "Baz");
+ ASSERT_THAT(BazDecl, NotNull());
+
+ const auto *FooXVal =
+ cast<PointerValue>(Env.getValue(*FooXDecl, SkipPast::None));
+ const auto *FooYVal =
+ cast<PointerValue>(Env.getValue(*FooYDecl, SkipPast::None));
+ const auto *BarVal =
+ cast<PointerValue>(Env.getValue(*BarDecl, SkipPast::None));
+ const auto *BazVal =
+ cast<PointerValue>(Env.getValue(*BazDecl, SkipPast::None));
+
+ EXPECT_EQ(FooXVal, FooYVal);
+ EXPECT_NE(FooXVal, BarVal);
+ EXPECT_NE(FooXVal, BazVal);
+ EXPECT_NE(BarVal, BazVal);
+
+ const StorageLocation &FooPointeeLoc = FooXVal->getPointeeLoc();
+ EXPECT_TRUE(isa<ScalarStorageLocation>(FooPointeeLoc));
+ EXPECT_THAT(Env.getValue(FooPointeeLoc), IsNull());
+
+ const StorageLocation &BarPointeeLoc = BarVal->getPointeeLoc();
+ EXPECT_TRUE(isa<ScalarStorageLocation>(BarPointeeLoc));
+ EXPECT_THAT(Env.getValue(BarPointeeLoc), IsNull());
+
+ const StorageLocation &BazPointeeLoc = BazVal->getPointeeLoc();
+ EXPECT_TRUE(isa<AggregateStorageLocation>(BazPointeeLoc));
+ EXPECT_THAT(Env.getValue(BazPointeeLoc), IsNull());
+ });
+}
+
+TEST_F(TransferTest, NullToMemberPointerCast) {
+ std::string Code = R"(
+ struct Foo {};
+ void target(Foo *Foo) {
+ int Foo::*MemberPointer = nullptr;
+ // [[p]]
+ }
+ )";
+ runDataflow(
+ Code, [](llvm::ArrayRef<
+ std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
+ Results,
+ ASTContext &ASTCtx) {
+ ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
+ const Environment &Env = Results[0].second.Env;
+
+ const ValueDecl *MemberPointerDecl =
+ findValueDecl(ASTCtx, "MemberPointer");
+ ASSERT_THAT(MemberPointerDecl, NotNull());
+
+ const auto *MemberPointerVal = cast<PointerValue>(
+ Env.getValue(*MemberPointerDecl, SkipPast::None));
+
+ const StorageLocation &MemberLoc = MemberPointerVal->getPointeeLoc();
+ EXPECT_THAT(Env.getValue(MemberLoc), IsNull());
+ });
+}
+
TEST_F(TransferTest, AddrOfValue) {
std::string Code = R"(
void target() {
Index: clang/lib/Analysis/FlowSensitive/Transfer.cpp
===================================================================
--- clang/lib/Analysis/FlowSensitive/Transfer.cpp
+++ clang/lib/Analysis/FlowSensitive/Transfer.cpp
@@ -246,6 +246,16 @@
Env.setStorageLocation(*S, *SubExprLoc);
break;
}
+ case CK_NullToPointer:
+ case CK_NullToMemberPointer: {
+ auto &Loc = Env.createStorageLocation(S->getType());
+ Env.setStorageLocation(*S, Loc);
+
+ auto &NullPointerVal =
+ Env.getOrCreateNullPointerValue(S->getType()->getPointeeType());
+ Env.setValue(Loc, NullPointerVal);
+ break;
+ }
default:
break;
}
Index: clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
===================================================================
--- clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
+++ clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
@@ -546,5 +546,15 @@
return DACtx->flowConditionImplies(*FlowConditionToken, Val);
}
+PointerValue &Environment::getOrCreateNullPointerValue(QualType PointeeType) {
+ auto *PointerVal = DACtx->getNullPointerVal(PointeeType);
+ if (PointerVal == nullptr) {
+ auto &PointeeLoc = createStorageLocation(PointeeType);
+ PointerVal = &takeOwnership(std::make_unique<PointerValue>(PointeeLoc));
+ DACtx->setNullPointerVal(PointeeType, *PointerVal);
+ }
+ return *PointerVal;
+}
+
} // namespace dataflow
} // namespace clang
Index: clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
===================================================================
--- clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
+++ clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h
@@ -313,6 +313,10 @@
/// imply that `Val` is true.
bool flowConditionImplies(BoolValue &Val) const;
+ /// Returns the singleton pointer value representing null pointers of
+ /// `PointeeType`. The singleton value will be created if it doesn't exist.
+ PointerValue &getOrCreateNullPointerValue(QualType PointeeType);
+
private:
/// Creates a value appropriate for `Type`, if `Type` is supported, otherwise
/// return null.
Index: clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
===================================================================
--- clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
+++ clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
@@ -136,6 +136,26 @@
return ThisPointeeLoc;
}
+ /// Assigns `Val` as the singleton pointer value representing null pointers of
+ /// `PointeeType`
+ ///
+ /// Requirements:
+ ///
+ /// There must not already exist a singleton value corresponding to
+ /// `PointeeType`.
+ void setNullPointerVal(QualType PointeeType, PointerValue &Val) {
+ assert(NullPointerVals.find(PointeeType.getAsString()) ==
+ NullPointerVals.end());
+ NullPointerVals[PointeeType.getAsString()] = &Val;
+ }
+
+ /// Returns the singleton pointer value representing null pointers of
+ /// `PointeeType` or null if there is no corresponding singleton value.
+ PointerValue *getNullPointerVal(QualType PointeeType) const {
+ auto It = NullPointerVals.find(PointeeType.getAsString());
+ return It == NullPointerVals.end() ? nullptr : It->second;
+ }
+
/// Returns a symbolic boolean value that models a boolean literal equal to
/// `Value`.
AtomicBoolValue &getBoolLiteralValue(bool Value) const {
@@ -216,6 +236,10 @@
StorageLocation *ThisPointeeLoc = nullptr;
+ // Index used to avoid recreating pointer values for null pointers of the
+ // same pointee type
+ llvm::StringMap<PointerValue *> NullPointerVals;
+
AtomicBoolValue &TrueVal;
AtomicBoolValue &FalseVal;
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
