CSA Exploded Graph will end on multiple non-shouldInlineCall destructors #60412
Comments
@llvm/issue-subscribers-clang-static-analyzer

Yeah, looks like a program point bug: the next step receives the same program point, so when the state is also accidentally the same, the exploded graph turns into a loop. Also, in this case the state is the same because conjured symbol identity is broken, as it requires a statement but destructors don't correspond to any statement, which is an old bug in and of itself. @isuckatcs you might enjoy this one! Also, I don't recommend using the dead code checker. It's alpha for a reason. Even without bugs like this, it cannot work correctly until we explicitly annotate all places where we intentionally drop coverage.
Thanks for the reply! I have tried to let the adjacent destructors have different types, but it also fails, and I have no idea why this happens.

```cpp
struct Test {
  Test() {}
  ~Test();
};
struct Test1 {
  Test1() {}
  ~Test1();
};
int foo() {
  struct a {
    Test b;
    Test1 c;
    Test d;
    Test1 e;
  } z;
  return 1;
}
int main() {
  if (foo()) return 1;
}
```
In this new example the loop still looks correct, because you loop through the same sequence of nodes. The destructors are called in the following order: ~Test1() -> ~Test() -> ~Test1() -> ~Test()

^ here the pattern repeats itself, hence the loop.

If I modify

```cpp
struct a {
  Test b;
  Test1 c;
};
```
The exploded graph shouldn't contain a loop unless the program under analysis contains an actual loop. The loop in the program could be implemented with gotos or recursion, but simply calling the same function twice in a row shouldn't cause loops in the graph, because there's simply no way for it to go through the same context-sensitive program point more than once.
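The mechanism described in the comments above (an identical program point combined with an identical state collapsing the exploded graph into a loop), as an added example that is not part of this thread and not Clang's own code: a simplified model in which exploded-graph nodes are keyed by (program point, state), implicit destructor calls carry no statement, and conjured-symbol identity is derived from the statement id, so all destructor nodes in a scope collide. `CfgElement`, `explore`, `sampleCfg` and the `distinguishDtors` switch are hypothetical names; the "distinguished" branch merely keys each destructor point by its CFG element index to show that distinct points avoid the loop, and is not the real fix.

```cpp
// Simplified model of how duplicate program points collapse an exploded graph
// into a loop. Hypothetical illustration, not the Clang Static Analyzer's code.
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// A CFG element of the function being analysed: either an ordinary statement
// or an implicit destructor call, which has no statement of its own.
struct CfgElement {
    enum Kind { Stmt, Dtor } kind;
    std::string name;
};

// Program point: what the engine uses (together with the state) to decide
// whether a node already exists. stmtId is 0 when no statement is associated
// with the point, as happens for implicit destructor calls in the buggy model.
using ProgramPoint = std::tuple<int /*kind*/, int /*stmtId*/, int /*frame*/>;
using State = int;  // identity of the symbol conjured at this point
using NodeKey = std::pair<ProgramPoint, State>;

struct Result {
    std::size_t nodes;  // distinct nodes created
    bool loopEdge;      // an edge led back to an already existing node
    bool reachedEnd;    // the last CFG element was explored
};

// Walk the elements in order. distinguishDtors selects whether destructor
// program points are keyed by their CFG element index (distinct points) or all
// share the empty statement id 0 (the buggy behaviour discussed in the thread).
Result explore(const std::vector<CfgElement>& cfg, bool distinguishDtors) {
    std::set<NodeKey> seen;
    Result r{0, false, false};
    const int frame = 1;  // single stack frame: no inlining happens for these dtors
    for (std::size_t i = 0; i < cfg.size(); ++i) {
        const CfgElement& e = cfg[i];
        int stmtId;
        if (e.kind == CfgElement::Stmt)
            stmtId = static_cast<int>(i) + 1;
        else
            stmtId = distinguishDtors ? static_cast<int>(i) + 1 : 0;
        ProgramPoint pp{static_cast<int>(e.kind), stmtId, frame};
        // Conjured symbols are identified by the statement they belong to, so a
        // missing statement gives every destructor the very same symbol/state.
        State st = stmtId;
        NodeKey key{pp, st};
        if (!seen.insert(key).second) {
            // An identical node already exists: the new edge points back at it
            // and this path is not explored any further (the graph "ends").
            r.loopEdge = true;
            return r;
        }
        ++r.nodes;
        if (i + 1 == cfg.size()) r.reachedEnd = true;
    }
    return r;
}

// Constructed CFG shaped like the reproducer in this thread: a local with
// three members whose non-inlined destructors run at scope exit, then return.
std::vector<CfgElement> sampleCfg() {
    return {{CfgElement::Stmt, "a z;"},
            {CfgElement::Dtor, "~Test d"},
            {CfgElement::Dtor, "~Test c"},
            {CfgElement::Dtor, "~Test b"},
            {CfgElement::Stmt, "return 1;"}};
}

int main() {
    Result buggy = explore(sampleCfg(), false);
    Result fixed = explore(sampleCfg(), true);
    std::printf("shared dtor point: nodes=%zu loop=%d reachedEnd=%d\n",
                buggy.nodes, buggy.loopEdge, buggy.reachedEnd);
    std::printf("distinct dtor points: nodes=%zu loop=%d reachedEnd=%d\n",
                fixed.nodes, fixed.loopEdge, fixed.reachedEnd);
    return 0;
}
```

With shared destructor points the second destructor node is deduplicated against the first, the graph gains a back edge and the `return 1;` element is never reached, which is exactly what makes a dead-code checker report the return as unreachable.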
Requirements to trigger the bug:

- `T` must be a class that has a non-inlineable (a.k.a. `ExprEngine::shouldInlineCall` returns false) dtor. See llvm-project/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp, line 1076 in 5bc4e1c.

`Test::~Test`. And I also tried to add a default dtor on `Test` (which will make `shouldInlineCall` return `true`) but force `shouldInlineCall` to return `false` when analyzing `b::~Test()` and `c::~Test()`, and the exploded graph will also end immediately. Since the exploded graph ends here, it will report a false positive on unreachable code in the end.

I found this patch aac73a3 may be related since it removes the following comments. And I tried to fix the bug by imitating this patch but failed.