This is an archive of the discontinued LLVM Phabricator instance.

Differential D12725

[analyzer] A fix for substraction of an integer from a pointer.
ClosedPublic

Authored by NoQ on Sep 9 2015, 4:46 AM.

Details

Reviewers
dcoughlin
krememek
zaks.anna
jordan_rose
Commits
rGc4b28a8f7419: [analyzer] A fix for substraction of an integer from a pointer.
rC248021: [analyzer] A fix for substraction of an integer from a pointer.
rL248021: [analyzer] A fix for substraction of an integer from a pointer.
Summary

In Clang Static Analyzer, there's a typo in evalBinOpLN() which leads to incorrect modeling of pointer arithmetic: when substracting an integral value from a pointer value (assuming the latter is a SubRegion that is not an ElementRegion), the index value of the newly produced ElementRegion has incorrect sign.

The patch fixes the problem and adds relevant regression tests.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ updated this revision to Diff 34318.Sep 9 2015, 4:46 AM
NoQ retitled this revision from to [analyzer] A fix for substraction of an integer from a pointer..
NoQ updated this object.
NoQ added reviewers: zaks.anna, jordan_rose, krememek.
NoQ set the repository for this revision to rL LLVM.
NoQ added a subscriber: dergachev.a.
NoQ updated this revision to Diff 34320.Sep 9 2015, 4:59 AM
NoQ removed rL LLVM as the repository for this revision.
NoQ added a subscriber: cfe-commits.
dcoughlin added a reviewer: dcoughlin.Sep 9 2015, 9:07 AM
xazax.hun added a subscriber: xazax.hun.Sep 9 2015, 1:18 PM
zaks.anna edited edge metadata.Sep 9 2015, 3:34 PM

Let's make the test more explicit about what is being tested; for example,
void negativeIndex(char *str) {

char *ptr = str + 1;
*ptr = 'a';
clang_analyzer_eval(*ptr == 'a'); // expected-warning{{TRUE}}
ptr = str - 1;
clang_analyzer_eval(*ptr == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(*(str + 1) == 'a'); // expected-warning{{TRUE}}
ptr = str;
ptr -= 1;
clang_analyzer_eval(*ptr == 'a'); // expected-warning{{UNKNOWN}}
ptr = str;
--ptr;
clang_analyzer_eval(*ptr == 'a'); // expected-warning{{UNKNOWN}}

}

Otherwise, LGTM

NoQ updated this revision to Diff 34423.Sep 10 2015, 2:58 AM
NoQ edited edge metadata.

Make the tests easier to understand.

NoQ added a comment.Sep 10 2015, 3:54 AM

Thanks, fixed :)

zaks.anna accepted this revision.Sep 10 2015, 6:54 PM
zaks.anna edited edge metadata.
This revision is now accepted and ready to land.Sep 10 2015, 6:54 PM
xazax.hun added a comment.Sep 18 2015, 10:53 AM
In D12725#243150, @NoQ wrote:

Thanks, fixed :)

Can you commit this or do you need someone to commit this for you?

NoQ added a comment.Sep 18 2015, 11:28 AM

I've got no commit access yet, sorry, that's my first patch here actually :)

Closed by commit rL248021: [analyzer] A fix for substraction of an integer from a pointer. (authored by xazax). · Explain WhySep 18 2015, 12:14 PM
This revision was automatically updated to reflect the committed changes.
xazax.hun added a comment.Sep 18 2015, 12:17 PM
In D12725#248931, @NoQ wrote:

I've got no commit access yet, sorry, that's my first patch here actually :)

No problem, I committed it in r248021. Thank you for your contribution!

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
3 lines
test/
Analysis/
17 lines

Diff 35122

cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 LinesShow All 905 Lines▼ Show 20 Lines if (const MemRegion *region = lhs.getAsRegion()) {
if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) { if (const ElementRegion *elemReg = dyn_cast<ElementRegion>(region)) {
assert(op == BO_Add || op == BO_Sub); assert(op == BO_Add || op == BO_Sub);
index = evalBinOpNN(state, op, elemReg->getIndex(), rhs, index = evalBinOpNN(state, op, elemReg->getIndex(), rhs,
getArrayIndexType()); getArrayIndexType());
superR = elemReg->getSuperRegion(); superR = elemReg->getSuperRegion();
elementType = elemReg->getElementType(); elementType = elemReg->getElementType();
} }
else if (isa<SubRegion>(region)) { else if (isa<SubRegion>(region)) {
assert(op == BO_Add || op == BO_Sub);
index = (op == BO_Add) ? rhs : evalMinus(rhs);
superR = region; superR = region;
index = rhs;
if (resultTy->isAnyPointerType()) if (resultTy->isAnyPointerType())
elementType = resultTy->getPointeeType(); elementType = resultTy->getPointeeType();
} }
if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) { if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) {
return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV,
superR, getContext())); superR, getContext()));
} }
Show All 21 Lines

cfe/trunk/test/Analysis/ptr-arith.c

Show First 20 LinesShow All 290 Lines▼ Show 20 Linesstruct Point {
int y; int y;
}; };
void symbolicFieldRegion(struct Point *points, int i, int j) { void symbolicFieldRegion(struct Point *points, int i, int j) {
clang_analyzer_eval(&points[i].x == &points[j].x);// expected-warning{{UNKNOWN}} clang_analyzer_eval(&points[i].x == &points[j].x);// expected-warning{{UNKNOWN}}
clang_analyzer_eval(&points[i].x == &points[i].y);// expected-warning{{FALSE}} clang_analyzer_eval(&points[i].x == &points[i].y);// expected-warning{{FALSE}}
clang_analyzer_eval(&points[i].x < &points[i].y);// expected-warning{{TRUE}} clang_analyzer_eval(&points[i].x < &points[i].y);// expected-warning{{TRUE}}
} }
void negativeIndex(char *str) {
*(str + 1) = 'a';
clang_analyzer_eval(*(str + 1) == 'a'); // expected-warning{{TRUE}}
clang_analyzer_eval(*(str - 1) == 'a'); // expected-warning{{UNKNOWN}}
char *ptr1 = str - 1;
clang_analyzer_eval(*ptr1 == 'a'); // expected-warning{{UNKNOWN}}
char *ptr2 = str;
ptr2 -= 1;
clang_analyzer_eval(*ptr2 == 'a'); // expected-warning{{UNKNOWN}}
char *ptr3 = str;
--ptr3;
clang_analyzer_eval(*ptr3 == 'a'); // expected-warning{{UNKNOWN}}
}