[analyzer] Workaround crash on encountering Class non-type template parameters

steakhal · tstellar · commit 11c3a21f8d1b · 2022-11-15T15:37:36.000-08:00
The Clang Static Analyzer will crash on this code: ```lang=C++ struct Box { int value; }; template <Box V> int get() { return V.value; } template int get<Box{-1}>(); ``` https://godbolt.org/z/5Yb1sMMMb The problem is that we don't account for encountering `TemplateParamObjectDecl`s within the `DeclRefExpr` handler in the `ExprEngine`. IMO we should create a new memregion for representing such template param objects, to model their language semantics. Such as: - it should have global static storage - for two identical values, their addresses should be identical as well http://eel.is/c%2B%2Bdraft/temp.param#8 I was thinking of introducing a `TemplateParamObjectRegion` under `DeclRegion` for this purpose. It could have `TemplateParamObjectDecl` as a field. The `TemplateParamObjectDecl::getValue()` returns `APValue`, which might represent multiple levels of structures, unions and other goodies - making the transformation from `APValue` to `SVal` a bit complicated. That being said, for now, I think having `Unknowns` for such cases is definitely an improvement to crashing, hence I'm proposing this patch. Reviewed By: xazax.hun Differential Revision: https://reviews.llvm.org/D135763 (cherry picked from commit b062ee7)
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
@@ -2839,6 +2839,12 @@ void ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
     return;
   }
 
+  if (const auto *TPO = dyn_cast<TemplateParamObjectDecl>(D)) {
+    // FIXME: We should meaningfully implement this.
+    (void)TPO;
+    return;
+  }
+
   llvm_unreachable("Support for this Decl not implemented.");
 }
 
diff --git a/clang/test/Analysis/template-param-objects.cpp b/clang/test/Analysis/template-param-objects.cpp
@@ -0,0 +1,33 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection \
+// RUN:    -analyzer-config eagerly-assume=false -std=c++20 -verify %s
+
+template <class T> void clang_analyzer_dump(T);
+void clang_analyzer_eval(bool);
+
+struct Box {
+  int value;
+};
+bool operator ==(Box lhs, Box rhs) {
+  return lhs.value == rhs.value;
+}
+template <Box V> void dumps() {
+  clang_analyzer_dump(V);        // expected-warning {{lazyCompoundVal}}
+  clang_analyzer_dump(&V);       // expected-warning {{Unknown}}
+  clang_analyzer_dump(V.value);  // expected-warning {{Unknown}} FIXME: It should be '6 S32b'.
+  clang_analyzer_dump(&V.value); // expected-warning {{Unknown}}
+}
+template void dumps<Box{6}>();
+
+// [temp.param].7.3.2:
+// "All such template parameters in the program of the same type with the
+// same value denote the same template parameter object."
+template <Box A1, Box A2, Box B1, Box B2> void stable_addresses() {
+  clang_analyzer_eval(&A1 == &A2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(&B1 == &B2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(&A1 == &B2); // expected-warning {{UNKNOWN}} FIXME: It should be FALSE.
+
+  clang_analyzer_eval(A1 == A2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(B1 == B2); // expected-warning {{UNKNOWN}} FIXME: It should be TRUE.
+  clang_analyzer_eval(A1 == B2); // expected-warning {{UNKNOWN}} FIXME: It should be FALSE.
+}
+template void stable_addresses<Box{1}, Box{1}, Box{2}, Box{2}>();

Original file line number	Diff line number	Diff line change
`@@ -2839,6 +2839,12 @@ void ExprEngine::VisitCommonDeclRefExpr(const Expr Ex, const NamedDecl D,`
`2839`	`2839`	`return;`
`2840`	`2840`	`}`
`2841`	`2841`
	`2842`	`+ if (const auto *TPO = dyn_cast<TemplateParamObjectDecl>(D)) {`
	`2843`	`+ // FIXME: We should meaningfully implement this.`
	`2844`	`+ (void)TPO;`
	`2845`	`+ return;`
	`2846`	`+ }`
	`2847`	`+`
`2842`	`2848`	`llvm_unreachable("Support for this Decl not implemented.");`
`2843`	`2849`	`}`
`2844`	`2850`