Skip to content

[analyzer] Improve bug report hashing, merge similar reports #98621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 22, 2024
Merged

[analyzer] Improve bug report hashing, merge similar reports #98621

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2765bc9
[analyzer] Don't display the offset value in underflows
NagyDonat Jul 12, 2024
d7b71a2
Alternative approach: tweak the `Profile()`` method of `BugReport`s
NagyDonat Jul 12, 2024
83b87b1
Fix an obsolete comment
NagyDonat Jul 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 9 additions & 9 deletions clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -373,14 +373,14 @@ static std::optional<int64_t> getConcreteValue(std::optional<NonLoc> SV) {
}

static Messages getPrecedesMsgs(const SubRegion *Region, NonLoc Offset) {
std::string RegName = getRegionName(Region);
SmallString<128> Buf;
llvm::raw_svector_ostream Out(Buf);
Out << "Access of " << RegName << " at negative byte offset";
if (auto ConcreteIdx = Offset.getAs<nonloc::ConcreteInt>())
Out << ' ' << ConcreteIdx->getValue();
return {formatv("Out of bound access to memory preceding {0}", RegName),
std::string(Buf)};
std::string RegName = getRegionName(Region), OffsetStr = "";

if (auto ConcreteOffset = getConcreteValue(Offset))
OffsetStr = formatv(" {0}", ConcreteOffset);

return {
formatv("Out of bound access to memory preceding {0}", RegName),
formatv("Access of {0} at negative byte offset{1}", RegName, OffsetStr)};
}

/// Try to divide `Val1` and `Val2` (in place) by `Divisor` and return true if
Expand Down Expand Up @@ -609,7 +609,7 @@ void ArrayBoundCheckerV2::performCheck(const Expr *E, CheckerContext &C) const {
// CHECK UPPER BOUND
DefinedOrUnknownSVal Size = getDynamicExtent(State, Reg, SVB);
if (auto KnownSize = Size.getAs<NonLoc>()) {
// In a situation where both overflow and overflow are possible (but the
// In a situation where both underflow and overflow are possible (but the
// index is either tainted or known to be invalid), the logic of this
// checker will first assume that the offset is non-negative, and then
// (with this additional assumption) it will detect an overflow error.
Expand Down
4 changes: 2 additions & 2 deletions clang/lib/StaticAnalyzer/Core/BugReporter.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2198,7 +2198,7 @@ const Decl *PathSensitiveBugReport::getDeclWithIssue() const {
void BasicBugReport::Profile(llvm::FoldingSetNodeID& hash) const {
hash.AddInteger(static_cast<int>(getKind()));
hash.AddPointer(&BT);
hash.AddString(Description);
hash.AddString(getShortDescription());
assert(Location.isValid());
Location.Profile(hash);

Expand All @@ -2213,7 +2213,7 @@ void BasicBugReport::Profile(llvm::FoldingSetNodeID& hash) const {
void PathSensitiveBugReport::Profile(llvm::FoldingSetNodeID &hash) const {
hash.AddInteger(static_cast<int>(getKind()));
hash.AddPointer(&BT);
hash.AddString(Description);
hash.AddString(getShortDescription());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it intentional that you use a member function here instead of the member variable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it's intentional, because the method call getShortDescription() is equivalent to ShortDescripton.empty() ? Description : ShortDescription. (The common case when the short and full descriptions are identical is represented internally by an empty ShortDescription and the shared value stored in Description.)

PathDiagnosticLocation UL = getUniqueingLocation();
if (UL.isValid()) {
UL.Profile(hash);
Expand Down
21 changes: 21 additions & 0 deletions clang/test/Analysis/out-of-bounds-diagnostics.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,27 @@ int underflowWithDeref(void) {
// expected-note@-2 {{Access of 'TenElements' at negative byte offset -4}}
}

int rng(void);
int getIndex(void) {
switch (rng()) {
case 1: return -152;
case 2: return -160;
case 3: return -168;
default: return -172;
}
}

void gh86959(void) {
// Previously code like this produced many almost-identical bug reports that
// only differed in the offset value. Verify that now we only see one report.

// expected-note@+1 {{Entering loop body}}
while (rng())
TenElements[getIndex()] = 10;
// expected-warning@-1 {{Out of bound access to memory preceding 'TenElements'}}
// expected-note@-2 {{Access of 'TenElements' at negative byte offset -688}}
}

int scanf(const char *restrict fmt, ...);

void taintedIndex(void) {
Expand Down
Loading