This is an archive of the discontinued LLVM Phabricator instance.

Differential D105184

[analyzer] Ignore IncompleteArrayTypes in getStaticSize() for FAMs
ClosedPublic

Authored by steakhal on Jun 30 2021, 4:30 AM.

Details

Reviewers
NoQ
vsavchenko
martong
Szelethus
ASDenysPetrov
Commits
rG360ced3b8fd2: [analyzer] Ignore IncompleteArrayTypes in getStaticSize() for FAMs
Summary

Currently only ConstantArrayType is considered for flexible array
members (FAMs) in getStaticSize().
However, IncompleteArrayType also shows up in practice as FAMs.

This patch will ignore the IncompleteArrayType and return Unknown
for that case as well. This way it will be at least consistent with
the current behavior until we start modeling them accurately.

I'm expecting that this will resolve a bunch of false-positives internally,
caused by the ArrayBoundV2.

Diff Detail

Event Timeline

steakhal created this revision.Jun 30 2021, 4:30 AM
Herald added subscribers: manas, dkrupp, donat.nagy and 7 others. · View Herald TranscriptJun 30 2021, 4:30 AM
steakhal requested review of this revision.Jun 30 2021, 4:30 AM
martong added a comment.Jun 30 2021, 4:56 AM

Thanks!

clang/test/Analysis/out-of-bounds-new.cpp
171 ↗(On Diff #355504)

Should we have test cases with data[1] (and data[0] if that makes sense at all) ?
Would data[1] behave the same way? And if not, even then perhaps we should have test cases just to document that.

Harbormaster completed remote builds in B111723: Diff 355504.Jun 30 2021, 5:09 AM
steakhal added inline comments.Jun 30 2021, 5:24 AM
clang/test/Analysis/out-of-bounds-new.cpp
171 ↗(On Diff #355504)

We could add tests for them in a subsequent patch.
But strictly speaking, those arrays would be of ConstantArrayType types.
That being said, those were indistinguishable from FAMs or just a regular array of size N.

Maybe we can figure out some heuristics driving this, but that's definitely out of the scope of this patch.

martong added inline comments.Jul 1 2021, 9:53 AM
clang/test/Analysis/out-of-bounds-new.cpp
169 ↗(On Diff #355504)

We could add tests for them in a subsequent patch.

Strictly speaking, flexible array members are defined in C99 (6.7.2.1), thus I think we should have these tests at least with a different RUN line (i.e. with -std=c99) or in a different file. But if we create a new test file then that could easily handle data[1] and data[0] cases as well.
So I am okay with this change if I can see the subsequent patch in the stack.

ASDenysPetrov added a comment.EditedJul 19 2021, 4:00 AM

The fix seems pretty resonable to me. Indeed IncompleteArrayType can happen according to this paper https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
I'd like to see more test cases mentioned by @martong.

steakhal updated this revision to Diff 366964.Aug 17 2021, 11:33 AM
  • wrapped the FAM detection into a lambda, which could be extended later if needed
  • added test cases for: [0], [] and [1] array members, on the stack (automatic storage), alloca malloc using a bunch of C and C++ versions.
steakhal added a child revision: D108230: [analyzer] Ignore single element arrays in getStaticSize() conditionally.Aug 17 2021, 12:02 PM
steakhal added a subscriber: vabridgers.
Harbormaster completed remote builds in B119947: Diff 366964.Aug 17 2021, 1:54 PM
ASDenysPetrov added inline comments.Aug 18 2021, 6:56 AM
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
776–779

I think we can omit getAsArrayType, since we check for certain array types anyway.

clang/test/Analysis/flexible-array-members.c
6–10

AFAIK, FAM is not a part of C++ Standard. Does clang support it as extension?

73

I'd like to use another naming here, because int data[1] is not actually a flexible array.

steakhal marked 2 inline comments as done.Aug 18 2021, 7:37 AM
steakhal added inline comments.
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
776–779

No, we can't. ASTContext::getAsArrayType() returns a canonical type, which could be used later by the regular isa/dyn_cast API, but you cannot use them on Ty.
In fact, first I tried what you proposed, but I hit a static assertion checking for exactly this.

clang/test/Analysis/flexible-array-members.c
6–10

You are completely correct.

73

What do you think would be a better fit?
I already highlighted this at the variable declaration with the name likely_fam - at least that was my concept.

ASDenysPetrov added inline comments.Aug 18 2021, 8:43 AM
clang/lib/StaticAnalyzer/Core/MemRegion.cpp
776–779

I see. OK, then.

clang/test/Analysis/flexible-array-members.c
73

You can name it as SAM kinda Static Array Member or AM - Array Member. Whatever. My point is just to be closer to the meaning. But you can ignore this if you want, because we can understand what you mean from the context.

ASDenysPetrov accepted this revision.Aug 18 2021, 11:10 AM
This revision is now accepted and ready to land.Aug 18 2021, 11:10 AM
steakhal marked 2 inline comments as done.Aug 25 2021, 4:20 AM

Thank you for the review @ASDenysPetrov! I'd like to commit this in its current form.

Closed by commit rG360ced3b8fd2: [analyzer] Ignore IncompleteArrayTypes in getStaticSize() for FAMs (authored by steakhal). · Explain WhyAug 25 2021, 7:14 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG360ced3b8fd2: [analyzer] Ignore IncompleteArrayTypes in getStaticSize() for FAMs.
Herald added a project: Restricted Project. · View Herald TranscriptAug 25 2021, 7:14 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal added a reverting change: rGdf1f4e0cc6ec: Revert "[analyzer] Ignore IncompleteArrayTypes in getStaticSize() for FAMs".Aug 25 2021, 7:44 AM
steakhal mentioned this in rGe5646b9254e0: Revert "Revert "[analyzer] Ignore IncompleteArrayTypes in getStaticSize() for….Aug 25 2021, 8:19 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
23 lines
test/
Analysis/
96 lines

Diff 366964

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

Show First 20 LinesShow All 762 Lines▼ Show 20 Lines case MemRegion::ObjCStringRegionKind: {
return getElementExtent(Ty, SVB); return getElementExtent(Ty, SVB);
} }
case MemRegion::FieldRegionKind: { case MemRegion::FieldRegionKind: {
// Force callers to deal with bitfields explicitly. // Force callers to deal with bitfields explicitly.
if (cast<FieldRegion>(SR)->getDecl()->isBitField()) if (cast<FieldRegion>(SR)->getDecl()->isBitField())
return UnknownVal(); return UnknownVal();
QualType Ty = cast<TypedValueRegion>(SR)->getDesugaredValueType(Ctx); QualType Ty = cast<TypedValueRegion>(SR)->getDesugaredValueType(Ctx);
DefinedOrUnknownSVal Size = getElementExtent(Ty, SVB); const DefinedOrUnknownSVal Size = getElementExtent(Ty, SVB);
// A zero-length array at the end of a struct often stands for dynamically // A zero-length array at the end of a struct often stands for dynamically
// allocated extra memory. // allocated extra memory.
if (Size.isZeroConstant()) { const auto isFlexibleArrayMemberCandidate = [this](QualType Ty) -> bool {
if (isa<ConstantArrayType>(Ty)) const ArrayType *AT = Ctx.getAsArrayType(Ty);
return UnknownVal(); if (!AT)
return false;
if (isa<IncompleteArrayType>(AT))
ASDenysPetrovUnsubmitted
Done
ReplyInline Actions
const auto isFlexibleArrayMemberCandidate = [this](QualType Ty) -> bool {
- const ArrayType *AT = Ctx.getAsArrayType(Ty);
- if (!AT)
- return false;
if (isa<IncompleteArrayType>(AT))
return true;

I think we can omit getAsArrayType, since we check for certain array types anyway.

ASDenysPetrov: I think we can omit `getAsArrayType`, since we check for certain array types anyway.
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

No, we can't. ASTContext::getAsArrayType() returns a canonical type, which could be used later by the regular isa/dyn_cast API, but you cannot use them on Ty.
In fact, first I tried what you proposed, but I hit a static assertion checking for exactly this.

steakhal: No, we can't. `ASTContext::getAsArrayType()` returns a canonical type, which could be used…
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions

I see. OK, then.

ASDenysPetrov: I see. OK, then.
return true;
if (const auto *CAT = dyn_cast<ConstantArrayType>(AT)) {
const llvm::APInt &Size = CAT->getSize();
if (Size.isNullValue())
return true;
} }
return false;
};
if (isFlexibleArrayMemberCandidate(Ty))
return UnknownVal();
return Size; return Size;
} }
// FIXME: The following are being used in 'SimpleSValBuilder' and in // FIXME: The following are being used in 'SimpleSValBuilder' and in
// 'ArrayBoundChecker::checkLocation' because there is no symbol to // 'ArrayBoundChecker::checkLocation' because there is no symbol to
// represent the regions more appropriately. // represent the regions more appropriately.
case MemRegion::BlockDataRegionKind: case MemRegion::BlockDataRegionKind:
case MemRegion::BlockCodeRegionKind: case MemRegion::BlockCodeRegionKind:
▲ Show 20 LinesShow All 943 LinesShow Last 20 Lines

clang/test/Analysis/flexible-array-members.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c90
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c99
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c11
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c17
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c++98 -x c++
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c++03 -x c++
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c++11 -x c++
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c++14 -x c++
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection %s -verify -std=c++17 -x c++
ASDenysPetrovUnsubmitted
Done
ReplyInline Actions

AFAIK, FAM is not a part of C++ Standard. Does clang support it as extension?

ASDenysPetrov: AFAIK, FAM is not a part of C++ Standard. Does clang support it as extension?
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

You are completely correct.

steakhal: You are completely correct.
typedef __typeof(sizeof(int)) size_t;
size_t clang_analyzer_getExtent(void *);
void clang_analyzer_dump(size_t);
void *alloca(size_t size);
void *malloc(size_t size);
void free(void *ptr);
void test_incomplete_array_fam() {
typedef struct FAM {
char c;
int data[];
} FAM;
FAM fam;
clang_analyzer_dump(clang_analyzer_getExtent(&fam));
clang_analyzer_dump(clang_analyzer_getExtent(fam.data));
// expected-warning@-2 {{4 S64b}}
// expected-warning@-2 {{Unknown}}
FAM *p = (FAM *)alloca(sizeof(FAM));
clang_analyzer_dump(clang_analyzer_getExtent(p));
clang_analyzer_dump(clang_analyzer_getExtent(p->data));
// expected-warning@-2 {{4 U64b}}
// expected-warning@-2 {{Unknown}}
FAM *q = (FAM *)malloc(sizeof(FAM));
clang_analyzer_dump(clang_analyzer_getExtent(q));
clang_analyzer_dump(clang_analyzer_getExtent(q->data));
// expected-warning@-2 {{4 U64b}}
// expected-warning@-2 {{Unknown}}
free(q);
}
void test_zero_length_array_fam() {
typedef struct FAM {
char c;
int data[0];
} FAM;
FAM fam;
clang_analyzer_dump(clang_analyzer_getExtent(&fam));
clang_analyzer_dump(clang_analyzer_getExtent(fam.data));
// expected-warning@-2 {{4 S64b}}
// expected-warning@-2 {{Unknown}}
FAM *p = (FAM *)alloca(sizeof(FAM));
clang_analyzer_dump(clang_analyzer_getExtent(p));
clang_analyzer_dump(clang_analyzer_getExtent(p->data));
// expected-warning@-2 {{4 U64b}}
// expected-warning@-2 {{Unknown}}
FAM *q = (FAM *)malloc(sizeof(FAM));
clang_analyzer_dump(clang_analyzer_getExtent(q));
clang_analyzer_dump(clang_analyzer_getExtent(q->data));
// expected-warning@-2 {{4 U64b}}
// expected-warning@-2 {{Unknown}}
free(q);
}
void test_single_element_array_possible_fam() {
typedef struct FAM {
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions

I'd like to use another naming here, because int data[1] is not actually a flexible array.

ASDenysPetrov: I'd like to use another naming here, because `int data[1]` is not actually a //flexible// array.
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

What do you think would be a better fit?
I already highlighted this at the variable declaration with the name likely_fam - at least that was my concept.

steakhal: What do you think would be a better fit? I already highlighted this at the variable declaration…
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions

You can name it as SAM kinda Static Array Member or AM - Array Member. Whatever. My point is just to be closer to the meaning. But you can ignore this if you want, because we can understand what you mean from the context.

ASDenysPetrov: You can name it as `SAM` kinda //Static Array Member// or `AM` - //Array Member//. Whatever. My…
char c;
int data[1];
} FAM;
FAM likely_fam;
clang_analyzer_dump(clang_analyzer_getExtent(&likely_fam));
clang_analyzer_dump(clang_analyzer_getExtent(likely_fam.data));
// expected-warning@-2 {{8 S64b}}
// expected-warning@-2 {{4 S64b}}
FAM *p = (FAM *)alloca(sizeof(FAM));
clang_analyzer_dump(clang_analyzer_getExtent(p));
clang_analyzer_dump(clang_analyzer_getExtent(p->data));
// expected-warning@-2 {{8 U64b}}
// expected-warning@-2 {{4 S64b}}
FAM *q = (FAM *)malloc(sizeof(FAM));
clang_analyzer_dump(clang_analyzer_getExtent(q));
clang_analyzer_dump(clang_analyzer_getExtent(q->data));
// expected-warning@-2 {{8 U64b}}
// expected-warning@-2 {{4 S64b}}
free(q);
}