[analyzer] Support PointerType in getCXXRecordDecl for ContainerModeling

[shenjunjiekoda]

Summary

Static analysis for container models with pointer iterators lacked proper support, failing to detect invalidated iterator access in cases involving PointerTypes. This change enhanced static analysis by adding support for PointerType in container models, ensuring accurate detection of invalidated iterator accesses.

Changes

Updated getCXXRecordDecl to recognize PointerType, complementing existing ReferenceType handling.
This enables precise modeling across containers using pointer iterators, improving the identification of iterator invalidation.

Test Case

Added invalidated_access_via_end_iterator_after_push_back to illustrate how the update catches previously undetected invalidated iterator accesses, preventing potential bugs.

For this testcase , auto Type = TI.getType(); in function getCXXRecordDecl would dump like this:

PointerType 0x561a9d57e260 'cont_with_ptr_iterator<int> *'
`-ElaboratedType 0x561a9d57c530 'cont_with_ptr_iterator<int>' sugar
  `-TemplateSpecializationType 0x561a9d57c4e0 'cont_with_ptr_iterator<int>' sugar cont_with_ptr_iterator
    |-TemplateArgument type 'int'
    | `-BuiltinType 0x561a9d45a8b0 'int'
    `-RecordType 0x561a9d57c4c0 'struct cont_with_ptr_iterator<int>'
      `-ClassTemplateSpecialization 0x561a9d57c3e8 'cont_with_ptr_iterator'

Impact

This targeted update focuses on refining getCXXRecordDecl. Review for any wider implications on static analysis is advisable.

Request for Feedback

Feedback on this approach, additional test scenarios, or compatibility concerns is highly appreciated to ensure a robust enhancement.

Thanks for considering this contribution aimed at bolstering static analysis capabilities.

[github-actions]

Thank you for submitting a Pull Request (PR) to the LLVM Project!

This PR will be automatically labeled and the relevant teams will be
notified.

If you wish to, you can add reviewers by using the "Reviewers" section on this page.

If this is not working for you, it is probably because you do not have write
permissions for the repository. In which case you can instead tag reviewers by
name in a comment by using @ followed by their GitHub username.

If you have received no comments on your PR for a week, you can request a review
by "ping"ing the PR by adding a comment “Ping”. The common courtesy "ping" rate
is once a week. Please remember that you are asking for valuable time from other developers.

If you have further questions, they may be answered by the LLVM GitHub User Guide.

You can also ask questions in a comment on this PR, on the LLVM Discord or on the forums.

[llvmbot]

@llvm/pr-subscribers-clang-static-analyzer-1

@llvm/pr-subscribers-clang

Author: Junjie Shen (shenjunjiekoda)

Changes

Summary

Static analysis for container models with pointer iterators lacked proper support, failing to detect invalidated iterator access in cases involving PointerTypes. This change enhanced static analysis by adding support for PointerType in container models, ensuring accurate detection of invalidated iterator accesses.

Changes

Updated getCXXRecordDecl to recognize PointerType, complementing existing ReferenceType handling.
This enables precise modeling across containers using pointer iterators, improving the identification of iterator invalidation.

Test Case

Added invalidated_access_via_end_iterator_after_push_back to illustrate how the update catches previously undetected invalidated iterator accesses, preventing potential bugs.

For this testcase , auto Type = TI.getType(); in function getCXXRecordDecl would dump like this:

PointerType 0x561a9d57e260 'cont_with_ptr_iterator<int> *'
`-ElaboratedType 0x561a9d57c530 'cont_with_ptr_iterator<int>' sugar
  `-TemplateSpecializationType 0x561a9d57c4e0 'cont_with_ptr_iterator<int>' sugar cont_with_ptr_iterator
    |-TemplateArgument type 'int'
    | `-BuiltinType 0x561a9d45a8b0 'int'
    `-RecordType 0x561a9d57c4c0 'struct cont_with_ptr_iterator<int>'
      `-ClassTemplateSpecialization 0x561a9d57c3e8 'cont_with_ptr_iterator'

Impact

This targeted update focuses on refining getCXXRecordDecl. Review for any wider implications on static analysis is advisable.

Request for Feedback

Feedback on this approach, additional test scenarios, or compatibility concerns is highly appreciated to ensure a robust enhancement.

Thanks for considering this contribution aimed at bolstering static analysis capabilities.

---

Full diff: https://github.com/llvm/llvm-project/pull/87787.diff

2 Files Affected:

• (modified) clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp (+4)
• (modified) clang/test/Analysis/invalidated-iterator.cpp (+9-1)

diff --git a/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp b/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
index 65a2ec4076fdf6..009c0d3fb93686 100644
--- a/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/ContainerModeling.cpp
@@ -770,6 +770,10 @@ const CXXRecordDecl *getCXXRecordDecl(ProgramStateRef State,
     Type = RefT->getPointeeType();
   }
 
+  if (const auto *PtrT = Type->getAs<PointerType>()) {
+    Type = PtrT->getPointeeType();
+  }
+
   return Type->getUnqualifiedDesugaredType()->getAsCXXRecordDecl();
 }
 
diff --git a/clang/test/Analysis/invalidated-iterator.cpp b/clang/test/Analysis/invalidated-iterator.cpp
index 778a8e01d99380..c940dbf7276d34 100644
--- a/clang/test/Analysis/invalidated-iterator.cpp
+++ b/clang/test/Analysis/invalidated-iterator.cpp
@@ -130,6 +130,14 @@ struct cont_with_ptr_iterator {
   T* erase(T*);
 };
 
+void invalidated_access_via_end_iterator_after_push_back() {
+  cont_with_ptr_iterator<int> C;
+  C.push_back(1);
+  auto i = C.end();
+  C.push_back(2);
+  auto j = i[-1]; // expected-warning{{Invalidated iterator accessed}}
+}
+
 void invalidated_dereference_end_ptr_iterator(cont_with_ptr_iterator<int> &C) {
   auto i = C.begin();
   C.erase(i);
@@ -196,4 +204,4 @@ void invalidated_subscript_end_ptr_iterator(cont_with_ptr_iterator<int> &C) {
   auto i = C.begin();
   C.erase(i);
   (void) i[1]; // expected-warning{{Invalidated iterator accessed}}
-}
+}
\ No newline at end of file

[steakhal]

Looks clean to me, even though I haven't checked how the ContainerModeling checker works.

[shenjunjiekoda]

Looks clean to me, even though I haven't checked how the ContainerModeling checker works.

Dear @steakhal , I hope this message finds you well. I find my pull request (PR#87787) submitted a week ago, which has been approved but not yet merged into the LLVM base branch. I'm looking forward to see the PR merged to contribute to the project's progress.

If there are any additional checks, testing, or information required on my part to facilitate the merge, please let me know, and I will address them promptly.

Thank you for reviewing my contribution and for your continued support.

[github-actions]

@shenjunjiekoda Congratulations on having your first Pull Request (PR) merged into the LLVM Project!

Your changes will be combined with recent changes from other authors, then tested
by our build bots. If there is a problem with a build, you may receive a report in an email or a comment on this PR.

Please check whether problems have been caused by your change specifically, as
the builds can include changes from many authors. It is not uncommon for your
change to be included in a build that fails due to someone else's changes, or
infrastructure issues.

How to do this, and the rest of the post-merge process, is covered in detail here.

If your change does cause a problem, it may be reverted, or you can revert it yourself.
This is a normal part of LLVM development. You can fix your changes and open a new PR to merge them again.

If you don't get any reports, no action is required from you. Your changes are working as expected, well done!