This is an archive of the discontinued LLVM Phabricator instance.

Differential D38801

[analyzer] In getSVal() API, disable auto-detection of void type as char type.
ClosedPublic

Authored by NoQ on Oct 11 2017, 7:42 AM.

Details

Reviewers
zaks.anna
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
Commits
rG3ef5deb3a790: [analyzer] In getSVal() API, disable auto-detection of void type as char type.
rC320451: [analyzer] In getSVal() API, disable auto-detection of void type as char type.
rL320451: [analyzer] In getSVal() API, disable auto-detection of void type as char type.
Summary

In D38358, we ended up believing that reading the first byte of the void pointer is not the intended behavior of ProgramState::getSVal(Loc) when the type of the loaded value is not specified/hinted by the user and gets auto-detected as void. Therefore, instead of replacing the auto-detected void type with char and returning the first byte, fail with an easy-to-understand assertion to warn the user that it's better to specify the type explicitly in his case (even if he'd have to specify ACtx.CharTy anyway).

Additionally, allow specifying the type in the ProgramState::getSVal(const MemRegion *) override, because with the new assertion, a new use-case immediately shows up that requires such change. And, generally, it's a good idea to be able to specify the type here.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Oct 11 2017, 7:42 AM
Herald added a subscriber: szepet. · View Herald TranscriptOct 11 2017, 7:42 AM
danielmarjamaki added a subscriber: danielmarjamaki.Oct 16 2017, 5:43 AM

LGTM

xazax.hun edited edge metadata.Oct 30 2017, 4:01 AM

I like the idea of making ProgramState::getSVal(const MemRegion *) symmetric to ProgramState::getSVal(Loc).

Just some philosophical questions which should probably be addressed in the future:
But also I wonder, should we maintain all these overloads? I mean, a lot of the APIs accept both SVal/Loc and MemRegion *. Usually, one of the implementations will end up just calling the other after some wrapping/unwrapping. Maybe ripping MemRegion * from the APIs would make it easier to use? E.g.: CallAndMessageChecker just unwraps the region from an SVal just to wrap it back again within the API call. However, we tend to use MemRegion * when storing info in the program state.

Otherwise LGTM!

include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
307 ↗(On Diff #118616)

The whitespace here is a bit off. I know it is not related to this patch, but this could be fixed if we already touch this file.

NoQ added a comment.Oct 30 2017, 4:34 AM

Yeah, cleaning up this API would be great - as long as everybody loves to have the API broken and rewrite stuff.

If we are to simplify some APIs, i'd definitely start with getAsSymExpr()/getAsSymbol()/getAsSymbolicExpression().

Essentially we only need getSVal(MR) because only MR can be bound to, while other types of Loc cannot be bound to. Technically, only (base MR, offset) pairs can be bound to, but this is "implementation detail" that we're still trying to keep that way (even though it leaks like hell everywhere). So i'd rather think of the Loc overload as of a convenient wrapper (i.e., the user receives Loc in some checkLocation callback, so he wants to put it directly into the API to find his binding). And people would still need to operate with regions from time to time (eg., construct a sub-region manually when we expect it to be there, or strip casts).

Also the overload between getSVal(Ex, LC) and getSVal(R, Ty), when they do completely different things, seems confusing.

NoQ edited the summary of this revision. (Show Details)Oct 31 2017, 7:40 AM
NoQ mentioned this in D39862: [analyzer] do not crash when trying to convert an APSInt to an unexpected type.Nov 9 2017, 1:20 PM
dcoughlin accepted this revision.Nov 10 2017, 11:20 AM

LGTM. Thanks!

In D38801#910524, @NoQ wrote:

Also the overload between getSVal(Ex, LC) and getSVal(R, Ty), when they do completely different things, seems confusing.

Yes! I think we should change this (possibly rename them both?). I think it is a big barrier to entry -- I certainly found it super confusing when first getting started on the analyzer code base.

This revision is now accepted and ready to land.Nov 10 2017, 11:20 AM
NoQ updated this revision to Diff 125555.Dec 5 2017, 9:36 AM

Rebase on top of D39862 (attn. George!~).

Herald added a subscriber: rnkovacs. · View Herald TranscriptDec 5 2017, 9:36 AM
Closed by commit rL320451: [analyzer] In getSVal() API, disable auto-detection of void type as char type. (authored by dergachev). · Explain WhyDec 11 2017, 6:28 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
11 lines
lib/
StaticAnalyzer/
Checkers/
2 lines
17 lines
Core/
5 lines

Diff 126493

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

Show First 20 LinesShow All 302 Lines▼ Show 20 Linespublic:
/// Returns UnknownVal() if none found. /// Returns UnknownVal() if none found.
SVal getSVal(Loc LV, QualType T = QualType()) const; SVal getSVal(Loc LV, QualType T = QualType()) const;
/// Returns the "raw" SVal bound to LV before any value simplfication. /// Returns the "raw" SVal bound to LV before any value simplfication.
SVal getRawSVal(Loc LV, QualType T= QualType()) const; SVal getRawSVal(Loc LV, QualType T= QualType()) const;
/// \brief Return the value bound to the specified location. /// \brief Return the value bound to the specified location.
/// Returns UnknownVal() if none found. /// Returns UnknownVal() if none found.
SVal getSVal(const MemRegion* R) const; SVal getSVal(const MemRegion* R, QualType T = QualType()) const;
/// \brief Return the value bound to the specified location, assuming
/// that the value is a scalar integer or an enumeration or a pointer.
/// Returns UnknownVal() if none found or the region is not known to hold
/// a value of such type.
SVal getSValAsScalarOrLoc(const MemRegion *R) const; SVal getSValAsScalarOrLoc(const MemRegion *R) const;
/// \brief Visits the symbols reachable from the given SVal using the provided /// \brief Visits the symbols reachable from the given SVal using the provided
/// SymbolVisitor. /// SymbolVisitor.
/// ///
/// This is a convenience API. Consider using ScanReachableSymbols class /// This is a convenience API. Consider using ScanReachableSymbols class
/// directly when making multiple scans on the same state with the same /// directly when making multiple scans on the same state with the same
/// visitor to avoid repeated initialization cost. /// visitor to avoid repeated initialization cost.
▲ Show 20 LinesShow All 432 Lines▼ Show 20 LinesProgramState::getSValAsScalarOrLoc(const Stmt *S,
return UnknownVal(); return UnknownVal();
} }
inline SVal ProgramState::getRawSVal(Loc LV, QualType T) const { inline SVal ProgramState::getRawSVal(Loc LV, QualType T) const {
return getStateManager().StoreMgr->getBinding(getStore(), LV, T); return getStateManager().StoreMgr->getBinding(getStore(), LV, T);
} }
inline SVal ProgramState::getSVal(const MemRegion* R) const { inline SVal ProgramState::getSVal(const MemRegion* R, QualType T) const {
return getStateManager().StoreMgr->getBinding(getStore(), return getStateManager().StoreMgr->getBinding(getStore(),
loc::MemRegionVal(R)); loc::MemRegionVal(R),
T);
} }
inline BasicValueFactory &ProgramState::getBasicVals() const { inline BasicValueFactory &ProgramState::getBasicVals() const {
return getStateManager().getBasicVals(); return getStateManager().getBasicVals();
} }
inline SymbolManager &ProgramState::getSymbolManager() const { inline SymbolManager &ProgramState::getSymbolManager() const {
return getStateManager().getSymbolManager(); return getStateManager().getSymbolManager();
▲ Show 20 LinesShow All 94 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp

Show First 20 LinesShow All 173 Lines▼ Show 20 Linesbool CallAndMessageChecker::uninitRefOrPointer(
} else } else
return false; return false;
if(!ParamDecl->getType()->getPointeeType().isConstQualified()) if(!ParamDecl->getType()->getPointeeType().isConstQualified())
return false; return false;
if (const MemRegion *SValMemRegion = V.getAsRegion()) { if (const MemRegion *SValMemRegion = V.getAsRegion()) {
const ProgramStateRef State = C.getState(); const ProgramStateRef State = C.getState();
const SVal PSV = State->getSVal(SValMemRegion); const SVal PSV = State->getSVal(SValMemRegion, C.getASTContext().CharTy);
if (PSV.isUndef()) { if (PSV.isUndef()) {
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
LazyInit_BT(BD, BT); LazyInit_BT(BD, BT);
auto R = llvm::make_unique<BugReport>(*BT, Os.str(), N); auto R = llvm::make_unique<BugReport>(*BT, Os.str(), N);
R->addRange(ArgRange); R->addRange(ArgRange);
if (ArgEx) { if (ArgEx) {
bugreporter::trackNullOrUndefValue(N, ArgEx, *R); bugreporter::trackNullOrUndefValue(N, ArgEx, *R);
} }
▲ Show 20 LinesShow All 427 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 460 Lines▼ Show 20 Linesbool GenericTaintChecker::checkPre(const CallExpr *CE, CheckerContext &C) const{
if (checkTaintedBufferSize(CE, FDecl, C)) if (checkTaintedBufferSize(CE, FDecl, C))
return true; return true;
return false; return false;
} }
Optional<SVal> GenericTaintChecker::getPointedToSVal(CheckerContext &C, Optional<SVal> GenericTaintChecker::getPointedToSVal(CheckerContext &C,
const Expr* Arg) { const Expr *Arg) {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal AddrVal = State->getSVal(Arg->IgnoreParens(), C.getLocationContext()); SVal AddrVal = State->getSVal(Arg->IgnoreParens(), C.getLocationContext());
if (AddrVal.isUnknownOrUndef()) if (AddrVal.isUnknownOrUndef())
return None; return None;
Optional<Loc> AddrLoc = AddrVal.getAs<Loc>(); Optional<Loc> AddrLoc = AddrVal.getAs<Loc>();
if (!AddrLoc) if (!AddrLoc)
return None; return None;
const PointerType *ArgTy = QualType ArgTy = Arg->getType().getCanonicalType();
dyn_cast<PointerType>(Arg->getType().getCanonicalType().getTypePtr()); if (!ArgTy->isPointerType())
return State->getSVal(*AddrLoc, ArgTy ? ArgTy->getPointeeType(): QualType()); return None;
QualType ValTy = ArgTy->getPointeeType();
// Do not dereference void pointers. Treat them as byte pointers instead.
// FIXME: we might want to consider more than just the first byte.
if (ValTy->isVoidType())
ValTy = C.getASTContext().CharTy;
return State->getSVal(*AddrLoc, ValTy);
} }
ProgramStateRef ProgramStateRef
GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE, GenericTaintChecker::TaintPropagationRule::process(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Check for taint in arguments. // Check for taint in arguments.
▲ Show 20 LinesShow All 288 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 1,399 Lines▼ Show 20 Lines if (T.isNull()) {
if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR)) if (const TypedRegion *TR = dyn_cast<TypedRegion>(MR))
T = TR->getLocationType()->getPointeeType(); T = TR->getLocationType()->getPointeeType();
else if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(MR)) else if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(MR))
T = SR->getSymbol()->getType()->getPointeeType(); T = SR->getSymbol()->getType()->getPointeeType();
else if (isa<AllocaRegion>(MR)) else if (isa<AllocaRegion>(MR))
T = Ctx.VoidTy; T = Ctx.VoidTy;
} }
assert(!T.isNull() && "Unable to auto-detect binding type!"); assert(!T.isNull() && "Unable to auto-detect binding type!");
if (T->isVoidType()) { assert(!T->isVoidType() && "Attempting to dereference a void pointer!");
// When trying to dereference a void pointer, read the first byte.
T = Ctx.CharTy;
}
MR = GetElementZeroRegion(cast<SubRegion>(MR), T); MR = GetElementZeroRegion(cast<SubRegion>(MR), T);
} }
// FIXME: Perhaps this method should just take a 'const MemRegion*' argument // FIXME: Perhaps this method should just take a 'const MemRegion*' argument
// instead of 'Loc', and have the other Loc cases handled at a higher level. // instead of 'Loc', and have the other Loc cases handled at a higher level.
const TypedValueRegion *R = cast<TypedValueRegion>(MR); const TypedValueRegion *R = cast<TypedValueRegion>(MR);
QualType RTy = R->getValueType(); QualType RTy = R->getValueType();
▲ Show 20 LinesShow All 1,085 LinesShow Last 20 Lines