This is an archive of the discontinued LLVM Phabricator instance.

Differential D12251

Analyzer: Calculate field offset correctly
Needs RevisionPublic

Authored by ismailp on Aug 21 2015, 3:12 PM.

Details

Reviewers
dcoughlin
krememek
zaks.anna
Summary

StoreManager::getLValueFieldOrIvar should return loc as
base + field-offset, instead of just base.

Diff Detail

Event Timeline

ismailp updated this revision to Diff 32871.Aug 21 2015, 3:12 PM
ismailp retitled this revision from to Analyzer: Calculate field offset correctly.
ismailp updated this object.
ismailp added reviewers: krememek, zaks.anna.
ismailp added a subscriber: cfe-commits.
dcoughlin added a subscriber: dcoughlin.Aug 26 2015, 1:50 PM
xazax.hun added a subscriber: xazax.hun.Aug 26 2015, 2:38 PM
ismailp added a comment.Sep 11 2015, 5:23 PM

Ping!

dcoughlin added a reviewer: dcoughlin.Sep 11 2015, 5:30 PM
ismailp added a comment.Sep 22 2015, 3:27 PM

Ping!

dcoughlin requested changes to this revision.Sep 25 2015, 6:35 PM
dcoughlin edited edge metadata.

Thanks for the patch Ismail! Some comments inline.

lib/StaticAnalyzer/Core/Store.cpp
408

You can use auto *FD = dyn_cast<const FieldDecl>(D) here to avoid repeating the type.

410

getFieldOffset() will assert when the field is an Objective-C instance variable because it expects the field's parent to be a record. For example: int *x = &((SomeClass *)0x10)->someIVar;

test/Analysis/array-struct-region.cpp
128

This test doesn't cover the new logic you added in Store.cpp because it is never the case in this test that the base is a non-zero ConcreteInt Loc. In addition to your test with PFONull, you should add tests with something like struct FieldOffset *PFOConstant = (struct FieldOffset *) 0x22;. I think it is also important to add tests for Objective-C instance variables after addressing the assertion failure in that case.

This revision now requires changes to proceed.Sep 25 2015, 6:35 PM
ismailp updated this revision to Diff 36123.Sep 30 2015, 9:59 AM
ismailp edited edge metadata.
  • Don't try to calculate field offset for Objective-C instance variables
  • Added test for Objective-C instance variables
  • Added a non-null pointer in test
ismailp marked 3 inline comments as done.Sep 30 2015, 10:10 AM
ismailp added inline comments.
test/Analysis/array-struct-region.cpp
128

I might be missing something, and would be very happy if you could explain why it is necessary to add PFOConstant.

At line 122, for example, where &FO is always non-null. Likewise, I'd expect line 128 to be non-null, because new in this translation unit either throws -- in which case, we shouldn't be executing this line -- or succeeds -- in which case, PFONew is non-null.

dcoughlin added inline comments.Sep 30 2015, 11:53 AM
test/Analysis/array-struct-region.cpp
128

Sorry I wasn't clear. The branch of the case that you modified here only executes when the base is an int with a known value, such as '0xa' (see the code comment with the FIXME you removed.) This means that your test with PFONew doesn't exercise your new code at all. The PFONull case does exercise this case branch (because NULL is the 0 concreteInt) but it does not exercise your newly added logic for calculating field offsets (because for NULL, Base.isZeroConstant() is true). This means there were no tests exercising that logic (try removing the logic and adding assert(false) -- your old tests would still pass).

Separately, as I mentioned before, I think it is important to leave a FIXME here documenting that the NULL case still doesn't work properly. That is, even with your changes, the analyzer still incorrectly says that &(((struct foo *) NULL)->f == 0. (Fixing this would be quite an undertaking.) It would probably also be good to add comments to the tests saying the behavior they expect for PFONull is incorrect so that if we ever fix this issue we will know it is safe to update the tests:

clang_analyzer_eval((void *)&PFONull->secondField != (void *)&PFONull->thirdField); // expected-warning{{FALSE}}
clang_analyzer_eval((void *)&PFONull->secondField == (void *)0); // expected-warning{{TRUE}}

(If we handled NULL properly, the first would be TRUE and second would be FALSE.)

Note that your updated version doesn't calculate field offsets for ObjC ivars with concreteInt bases, so the analyzer also still won't properly say &((Root *)0x10)->uniqueID != (Root *)0x10). Please add it to the FIXME comment, as well.

zixuw mentioned this in D122446: [clang][extract-api] Add Objective-C interface support.Mar 28 2022, 5:13 PM
This revision now requires changes to proceed.Mar 28 2022, 5:13 PM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Core/
22 lines
test/
Analysis/
22 lines
5 lines

Diff 36123

lib/StaticAnalyzer/Core/Store.cpp

Show All 9 Lines
// This file defined the types Store and StoreManager. // This file defined the types Store and StoreManager.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h" #include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
#include "clang/AST/CXXInheritance.h" #include "clang/AST/CXXInheritance.h"
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/AST/DeclObjC.h" #include "clang/AST/DeclObjC.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
StoreManager::StoreManager(ProgramStateManager &stateMgr) StoreManager::StoreManager(ProgramStateManager &stateMgr)
: svalBuilder(stateMgr.getSValBuilder()), StateMgr(stateMgr), : svalBuilder(stateMgr.getSValBuilder()), StateMgr(stateMgr),
▲ Show 20 LinesShow All 370 Lines▼ Show 20 LinesSVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {
case loc::MemRegionKind: case loc::MemRegionKind:
BaseR = BaseL.castAs<loc::MemRegionVal>().getRegion(); BaseR = BaseL.castAs<loc::MemRegionVal>().getRegion();
break; break;
case loc::GotoLabelKind: case loc::GotoLabelKind:
// These are anormal cases. Flag an undefined value. // These are anormal cases. Flag an undefined value.
return UndefinedVal(); return UndefinedVal();
case loc::ConcreteIntKind: case loc::ConcreteIntKind: {
// While these seem funny, this can happen through casts. // Don't allow field offset calculations, if base is null.
// FIXME: What we should return is the field offset. For example, if (!Base.isZeroConstant()) {
// add the field offset to the integer value. That way funny things if (const auto *FD = dyn_cast<const FieldDecl>(D)) {
dcoughlinUnsubmitted
Done
ReplyInline Actions

You can use auto *FD = dyn_cast<const FieldDecl>(D) here to avoid repeating the type.

dcoughlin: You can use `auto *FD = dyn_cast<const FieldDecl>(D)` here to avoid repeating the type.
// like this work properly: &(((struct foo *) 0xa)->f) if (FD->getKind() != Decl::ObjCIvar) {
ASTContext &Ctx = D->getASTContext();
dcoughlinUnsubmitted
Done
ReplyInline Actions

getFieldOffset() will assert when the field is an Objective-C instance variable because it expects the field's parent to be a record. For example: int *x = &((SomeClass *)0x10)->someIVar;

dcoughlin: `getFieldOffset()` will assert when the field is an Objective-C instance variable because it…
CharUnits CU = Ctx.toCharUnitsFromBits(Ctx.getFieldOffset(FD));
loc::ConcreteInt BasePtr = BaseL.castAs<loc::ConcreteInt>();
llvm::APSInt Offset(Ctx.getTypeSize(Ctx.VoidPtrTy));
Offset = CU.getQuantity();
Offset += BasePtr.getValue();
return svalBuilder.makeIntLocVal(Offset);
}
}
}
return Base; return Base;
}
default: default:
llvm_unreachable("Unhandled Base."); llvm_unreachable("Unhandled Base.");
} }
// NOTE: We must have this check first because ObjCIvarDecl is a subclass // NOTE: We must have this check first because ObjCIvarDecl is a subclass
// of FieldDecl. // of FieldDecl.
if (const ObjCIvarDecl *ID = dyn_cast<ObjCIvarDecl>(D)) if (const ObjCIvarDecl *ID = dyn_cast<ObjCIvarDecl>(D))
▲ Show 20 LinesShow All 93 LinesShow Last 20 Lines

test/Analysis/array-struct-region.cpp

Show First 20 LinesShow All 100 Lines▼ Show 20 Lines
#if __cplusplus #if __cplusplus
clang_analyzer_eval(((getS())).check()); // expected-warning{{TRUE}} clang_analyzer_eval(((getS())).check()); // expected-warning{{TRUE}}
clang_analyzer_eval(!((getS()))); // expected-warning{{FALSE}} clang_analyzer_eval(!((getS()))); // expected-warning{{FALSE}}
clang_analyzer_eval(~((getS()))); // expected-warning{{FALSE}} clang_analyzer_eval(~((getS()))); // expected-warning{{FALSE}}
#endif #endif
} }
struct FieldOffset {
int firstField;
char secondField[63];
void *thirdField;
};
void testFieldOffsets() {
struct FieldOffset FO;
struct FieldOffset *PFONull = 0;
struct FieldOffset *PFOConstant = (struct FieldOffset *) 0x22;
#if __cplusplus
struct FieldOffset *PFONew = new struct FieldOffset;
#endif
clang_analyzer_eval((void *)&FO.secondField != (void*)&FO); // expected-warning{{TRUE}}
clang_analyzer_eval((void *)&FO.secondField != (void*)&FO.thirdField); // expected-warning{{TRUE}}
clang_analyzer_eval((void *)&PFONull->secondField != (void *)&PFONull->thirdField); // expected-warning{{FALSE}}
clang_analyzer_eval((void *)&PFONull->secondField == (void *)0); // expected-warning{{TRUE}}
clang_analyzer_eval((void *)&PFOConstant->secondField != (void*)PFOConstant); // expected-warning{{TRUE}}
#if __cplusplus
clang_analyzer_eval((void *)&PFONew->secondField != (void *)&PFONew); // expected-warning{{TRUE}}
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

This test doesn't cover the new logic you added in Store.cpp because it is never the case in this test that the base is a non-zero ConcreteInt Loc. In addition to your test with PFONull, you should add tests with something like struct FieldOffset *PFOConstant = (struct FieldOffset *) 0x22;. I think it is also important to add tests for Objective-C instance variables after addressing the assertion failure in that case.

dcoughlin: This test doesn't cover the new logic you added in Store.cpp because it is never the case in…
ismailpAuthorUnsubmitted
Not Done
ReplyInline Actions

I might be missing something, and would be very happy if you could explain why it is necessary to add PFOConstant.

At line 122, for example, where &FO is always non-null. Likewise, I'd expect line 128 to be non-null, because new in this translation unit either throws -- in which case, we shouldn't be executing this line -- or succeeds -- in which case, PFONew is non-null.

ismailp: I might be missing something, and would be very happy if you could explain why it is necessary…
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Sorry I wasn't clear. The branch of the case that you modified here only executes when the base is an int with a known value, such as '0xa' (see the code comment with the FIXME you removed.) This means that your test with PFONew doesn't exercise your new code at all. The PFONull case does exercise this case branch (because NULL is the 0 concreteInt) but it does not exercise your newly added logic for calculating field offsets (because for NULL, Base.isZeroConstant() is true). This means there were no tests exercising that logic (try removing the logic and adding assert(false) -- your old tests would still pass).

Separately, as I mentioned before, I think it is important to leave a FIXME here documenting that the NULL case still doesn't work properly. That is, even with your changes, the analyzer still incorrectly says that &(((struct foo *) NULL)->f == 0. (Fixing this would be quite an undertaking.) It would probably also be good to add comments to the tests saying the behavior they expect for PFONull is incorrect so that if we ever fix this issue we will know it is safe to update the tests:

clang_analyzer_eval((void *)&PFONull->secondField != (void *)&PFONull->thirdField); // expected-warning{{FALSE}}
clang_analyzer_eval((void *)&PFONull->secondField == (void *)0); // expected-warning{{TRUE}}

(If we handled NULL properly, the first would be TRUE and second would be FALSE.)

Note that your updated version doesn't calculate field offsets for ObjC ivars with concreteInt bases, so the analyzer also still won't properly say &((Root *)0x10)->uniqueID != (Root *)0x10). Please add it to the FIXME comment, as well.

dcoughlin: Sorry I wasn't clear. The branch of the case that you modified here only executes when the base…
#endif
}
//-------------------- //--------------------
// C++-only tests // C++-only tests
//-------------------- //--------------------
#if __cplusplus #if __cplusplus
void testReferenceAssignment() { void testReferenceAssignment() {
const S &s = getS(); const S &s = getS();
▲ Show 20 LinesShow All 83 LinesShow Last 20 Lines

test/Analysis/ivars.m

Show First 20 LinesShow All 132 Lines▼ Show 20 Lines
int testNull(Root *obj) { int testNull(Root *obj) {
if (obj) return 0; if (obj) return 0;
int *x = &obj->uniqueID; int *x = &obj->uniqueID;
return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}}
} }
void testFieldOffset() {
int *v = &((Root *)0x10)->uniqueID;
(void)v;
}