#
ca103434 |
| 18-Dec-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Fix an issue with `Environment::getResultObjectLocation()`. (#75483)
So far, if there was a chain of record type prvalues, `getResultObjectLocation()` would assign a different result object location to each one. This makes no sense, of course, as all of these prvalues end up initializing the same result object.
This patch fixes this by propagating storage locations up through the entire chain of prvalues.
The new implementation also has the desirable effect of making it possible to make `getResultObjectLocation()` const, which seems appropriate given that, logically, it is just an accessor.
|
Revision tags: llvmorg-17.0.6 |
|
#
5bd643e1 |
| 27-Nov-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Strengthen widening of boolean values. (#73484)
Before we widen to top, we now check if both values can be proved either true or false in their respective environments; if so, widening returns a true or false literal. The idea is that we avoid losing information if possible.
This patch includes a test that fails without this change to widening.
This change does mean that we call the SAT solver in more places, but this seems acceptable given the additional precision we gain.
In tests on an internal codebase, the number of SAT solver timeouts we observe with Crubit's nullability checker does increase by about 25%. They can be brought back to the previous level by doubling the SAT solver work limit.
|
Revision tags: llvmorg-17.0.5 |
|
#
3001d6dd |
| 09-Nov-2023 |
Samira Bazuzi <bazuzi@users.noreply.github.com> |
[clang][dataflow] Fix buggy assertion: Compare an unqualified type to an unqualified type. (#71573)
Includes crash-reproducing test case.
---------
Co-authored-by: martinboehme <mboehme@google.com>
|
#
6b573f46 |
| 07-Nov-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Fix assert-fail when calling assignment operator with by-value parameter. (#71384)
The code assumed that the source parameter of an assignment operator is always passed by reference, but it is legal for it to be passed by value.
This patch includes a test that assert-fails without the fix.
|
Revision tags: llvmorg-17.0.4 |
|
#
526c9b7e |
| 30-Oct-2023 |
martinboehme <mboehme@google.com> |
[clang][nullability] Use `proves()` and `assume()` instead of deprecated synonyms. (#70297)
|
#
14b039c1 |
| 24-Oct-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Remove `declToLocConsistent()` assertion. (#69819)
As described [here](https://discourse.llvm.org/t/70086/6), there are legitimate non-bug scenarios where two `DeclToLoc` maps to be joined contain different storage locations for the same declaration. This patch also adds a test containing an example of such a situation. (The test fails without the other changes in this patch.)
With the assertion removed, the existing logic in `intersectDenseMaps()` will remove the corresponding declaration from the joined DeclToLoc map.
We also remove `removeDecl()`'s precondition (that the declaration must be associated with a storage location) because this may no longer hold if the declaration was previously removed during a join, as described above.
|
#
7338eb56 |
| 19-Oct-2023 |
Sam McCall <sam.mccall@gmail.com> |
Reapply "[dataflow] use true/false literals in formulas, rather than variables"
This reverts commit 3353f7dd3d91c9b2b6a15ba9229bee53e0cb8196.
Fixed test bug (unspecified order of arg evaluation)
|
Revision tags: llvmorg-17.0.3 |
|
#
342dca75 |
| 16-Oct-2023 |
Yitzhak Mandelbaum <ymand@users.noreply.github.com> |
[clang][dataflow] Check for backedges directly (instead of loop statements). (#68923)
Widen on backedge nodes, instead of nodes with a loop statement as terminator. This fixes #67834 and a precision loss from assignment in a loop condition. The commit contains tests for both of these issues.
|
#
52d06963 |
| 11-Oct-2023 |
Stanislav Gatev <sgatev@google.com> |
[clang][dataflow] Add support for lambda captures (#68558)
This adds support for copy, ref, and this lambda captures to the core
framework and also adds relevant tests in UncheckedOptionalAccessTest.
|
Revision tags: llvmorg-17.0.2 |
|
#
834cb919 |
| 26-Sep-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Remove declarations from `DeclToLoc` when their lifetime ends. (#67300)
After https://reviews.llvm.org/D153273, we're now able to use `CFGLifetimeEnds` together with the other CFG options we use.
|
#
3353f7dd |
| 22-Sep-2023 |
Douglas Yung <douglas.yung@sony.com> |
Revert "[dataflow] use true/false literals in formulas, rather than variables"
This reverts commit 36bd5bd888f193b70abf43a09bb4fc04cd2a2ff1.
This change is causing a test failure on several build bots:
- https://lab.llvm.org/buildbot/#/builders/139/builds/50255
- https://lab.llvm.org/buildbot/#/builders/216/builds/27735
- https://lab.llvm.org/buildbot/#/builders/247/builds/9334
|
Revision tags: llvmorg-17.0.1, llvmorg-17.0.0, llvmorg-17.0.0-rc4, llvmorg-17.0.0-rc3, llvmorg-17.0.0-rc2, llvmorg-17.0.0-rc1, llvmorg-18-init |
|
#
36bd5bd8 |
| 22-Jun-2023 |
Sam McCall <sam.mccall@gmail.com> |
[dataflow] use true/false literals in formulas, rather than variables
And simplify formulas containing true/false
It's unclear to me how useful this is, it does make formulas more conveniently self-contained now (we can usefully print them without carrying around the "true/false" labels)
(while here, simplify !!X to X, too)
Differential Revision: https://reviews.llvm.org/D153485
|
#
1d7b59ca |
| 19-Sep-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Fix two null pointer dereferences in `getMemberForAccessor()`. (#66742)
The additions to the test trigger crashes without the fixes.
|
#
03be486e |
| 18-Sep-2023 |
Kinuko Yasuda <kinuko@chromium.org> |
[clang][dataflow] Model the fields that are accessed via inline accessors (#66368)
So that the values that are accessed via such accessors can be analyzed
as a limited version of context-sensitive analysis. We can potentially
do this only when some option is set, but doing additional modeling like
this won't be expensive and intrusive, so we do it by default for now.
|
#
00690048 |
| 15-Sep-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Add a test for context-sensitive analysis on a self-referential class. (#66359)
The test demonstrates that the `this` pointer seen in the constructor has the same value as the address of the variable the object is constructed into.
|
#
0612c9b0 |
| 14-Sep-2023 |
Kinuko Yasuda <kinuko@chromium.org> |
[clang][dataflow] Ignore assignment where base class's operator is used (#66364)
In C++ it seems it is legit to use base class's operator (e.g. `using
Base::operator=`) to perform copy if the base class is the common
ancestor of the source and destination object. In such a case we
shouldn't try to access fields beyond that of the base class, however
such a case seems to be very rare (typical code would implement a copy
constructor instead), and could add complexities, so in this patch we
simply bail if the method operator's parent class is different from the
type of the destination object that this framework recognizes.
|
#
e65e94fd |
| 13-Sep-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Rename test target function to `target()`. (#66195)
Otherwise, the test doesn't actually do anything.
|
#
7cf20f15 |
| 12-Sep-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Eliminate `RecordValue::getChild()`. (#65586)
We want to eliminate the `RecordStorageLocation` from `RecordValue` and, ultimately, eliminate `RecordValue` entirely (see the discussion linked in the `RecordValue` class comment). This is one step in that direction.
To eliminate `RecordValue::getChild()`, we also eliminate the last remaining caller, namely the `getFieldValue(const RecordValue *, ...)` overload. Calls to this overload have been rewritten to use the `getFieldValue(const RecordStorageLocation *, ...)` overload. Note that this also makes the code slightly simpler in many cases.
|
#
057564fe |
| 10-Sep-2023 |
Tianlan Zhou <bobby825@126.com> |
Fix some typos in comments: evalute -> evaluate (NFC) (#65906)
|
#
8e1d2f2f |
| 08-Sep-2023 |
Kinuko Yasuda <kinuko@chromium.org> |
[clang][dataflow] Don't crash when BlockToState is called from unreachable path (#65732)
When we call `getEnvironment`, `BlockToState[BlockId]` for the block can
return null even if CFCtx.isBlockReachable(B) returns true if it is
called from a particular block that is marked unreachable to the block.
|
#
80f0dc3a |
| 01-Sep-2023 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
[clang][dataflow] Unsoundly treat "Unknown" as "Equivalent" in widening.
This change makes widening act the same as equivalence checking. When the analysis does not provide an answer regarding the equivalence of two distinct values, the framework treats them as equivalent. This is an unsound choice that enables convergence.
Differential Revision: https://reviews.llvm.org/D159355
|
#
f9026cfb |
| 07-Sep-2023 |
Kinuko Yasuda <kinuko@chromium.org> |
[clang][dataflow] Fix Record initialization with InitListExpr and inheritances
Usually RecordValues for record objects (e.g. struct) are initialized with `Environment::createValue()` which internally calls `getObjectFields()` to collect all fields from the current and base classes, and then filter them with `ModeledValues` via `DACtx::getModeledFields()` so that the fields that are actually referenced are modeled.
The consistent set of fields should be initialized when a record is initialized with an initializer list (InitListExpr), however the existing code's behavior was different.
Before this patch:
* When a struct is initialized with InitListExpr, its fields are initialized based on what is returned by `getFieldsForInitListExpr()`, which only collects the direct fields in the current class, but not from the base classes. Moreover, if the base classes have their own InitListExpr, values that are initialized by their InitListExpr's weren't merged into the child objects.
After this patch:
* When a struct is initialized with InitListExpr, it collects and merges the fields in the base classes that were initialized by their InitListExpr's. The code also asserts that the consistent set of fields are initialized with the ModeledFields.
Reviewed By: mboehme
Differential Revision: https://reviews.llvm.org/D159284
|
#
c0703eae |
| 06-Sep-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Emit an error if source code is not compiled as C++. (#65301)
The shape of certain elements of the AST can vary depending on the language. We currently only support C++.
|
#
f470c361 |
| 06-Sep-2023 |
martinboehme <mboehme@google.com> |
[clang][dataflow] Eliminate uses of `RecordValue::getChild()`. (#65329)
We want to work towards eliminating the `RecordStorageLocation` from `RecordValue`. These particular uses of `RecordValue::getChild()` can simply be replaced with `RecordStorageLocation::getChild()`.
|
#
37458c66 |
| 31-Aug-2023 |
Martin Braenne <mboehme@google.com> |
[clang][dataflow] Eliminate deprecated `DataflowAnalysis` constructor.
Reviewed By: ymandel, xazax.hun
Differential Revision: https://reviews.llvm.org/D159261
|