This is an archive of the discontinued LLVM Phabricator instance.

Differential D114718

[analyzer] Implement a new checker for Strict Aliasing Rule.
Needs ReviewPublic

Authored by ASDenysPetrov on Nov 29 2021, 9:39 AM.

Details

Reviewers
rsmith
martong
NoQ
vsavchenko
steakhal
aaron.ballman
xazax.hun
Szelethus
Summary

StrictAliasingChecker implements checks on violation of the next paragraph (C++20 7.2.1 p11 [basic.lval]) of the C++20 Standard which is known as Strict Aliasing Rule. It operates on variable loads and stores. The checker compares the original type of the value with the type of the pointer with which the value is aliased.
Example:

int x = 42;
auto c = *((char*)&x); // The original type is `int`. The aliased type is `char`. OK. 
auto f = *((float*)&x); // The original type is `int`. The aliased type is `float`. UB.

At the moment the checker supports only C++20.

NOTE: Below are differences in strict aliasing rules between C, C++ Standard versions. Do we need to support defective items?

Evolution of C++ Standard

C++98C++11C++14C++17C++20 (Fixed Issue 2051)
If a program attempts to access the stored value of an object through a glvalue of other than one of the following types the behavior is undefined:---If a program attempts to access (3.1) the stored value of an object through a glvalue of other than whose type is not similar to one of the following types the behavior is undefined:
- the dynamic type of the object----
- a cv-qualified version of the dynamic type of the object---Removed as duplicated of similar type.
blank- a type similar to the dynamic type of the object--Moved to the paragraph's main text (first row).
- a type that is the signed or unsigned type corresponding to the dynamic type of the object----
- a type that is the signed or unsigned type corresponding to a cv-qualified version of the dynamic type of the object---Removed as duplicated of similar type.
- an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union)---Removed as a core defect (Issue 2051). This cannot arise in C++.
- a type that is a (possibly cv-qualified) base class type of the dynamic type of the object---Removed as a core defect (Issue 2051). This cannot arise in C++.
- a char, unsigned char--- a char, unsigned char, or std::byte type-

Paragraph from C Standard is true for all versions

C
An object shall have its stored value accessed only by an lvalue expression that has one of the following types:
- a type compatible with the effective type of the object
- a qualified version of a type compatible with the effective type of the object
- a type that is the signed or unsigned type corresponding to the effective type of the object
- a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object
- an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union)
- a character type

Differences are in the type concepts between C and C++

has concept?CC++
effective typeyesno
compatible typeyesno
dynamic typenoyes
similar typenoyes

Thus, the interpretation of the paragraph is different, depending on type concept meaning. E.g. the first statement "... similar to ... the dynamic type of the object" vs "a type compatible with the effective type of the object".

Diff Detail

Unit TestsFailed

TimeTest
1,610 msx64 debian > AddressSanitizer-x86_64-linux.TestCases::non-executable-pc.cpp
130 msx64 debian > Clang.Analysis/Checkers/StrictAliasingChecker::strict-aliasing.cpp
40 msx64 debian > LLVM.Bindings/Go::go.test

Event Timeline

ASDenysPetrov created this revision.Nov 29 2021, 9:39 AM
Herald added subscribers: manas, jeroen.dobbelaere, dkrupp and 7 others. · View Herald TranscriptNov 29 2021, 9:39 AM
ASDenysPetrov requested review of this revision.Nov 29 2021, 9:39 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptNov 29 2021, 9:39 AM
ASDenysPetrov added a comment.EditedNov 29 2021, 9:45 AM

@rsmith, @aaron.ballman I kindly invite you to join the review process especially in a part of the Standard interpretation. Specifically @rsmith made proposals in this part of the Standard.

ASDenysPetrov edited the summary of this revision. (Show Details)Nov 29 2021, 9:47 AM
ASDenysPetrov edited the summary of this revision. (Show Details)
ASDenysPetrov edited the summary of this revision. (Show Details)Nov 29 2021, 9:55 AM
Harbormaster completed remote builds in B136472: Diff 390387.Nov 29 2021, 11:17 AM
NoQ added a comment.Nov 29 2021, 12:57 PM

Awesome, I love it!

What would it take to enable this by default? Note that we can enable the checker without emitting any warnings; sinking exotic execution paths (on which strict aliasing is known to be violated) is valuable on its own.

Other than that, we'll probably need a bug visitor to add a note for where the original type comes from (it should probably be the place where the location becomes *live*), and then some real-world testing.

clang/lib/StaticAnalyzer/Checkers/StrictAliasingChecker.cpp
49–50

assert() it? Or maybe canonicalize defensively so that not to duplicate code in the caller, given that there's really only one correct way to do that?

81

The modern solution is

BugType BT{this, "...", "..."};
114

I suspect it might also be UnknownVal (?) It usually makes sense to protect against such scenarios with an early return.

142–146

You're basically running into https://bugs.llvm.org/show_bug.cgi?id=43364 here. The element region is not necessarily a consequence of a pointer cast; it may also be a legitimate array element access, and there's no way to figure out what it really was. So I suspect that you may fail the following test case:

void foo() {
  int x[10];
  int *p = &x[1];
  *p = 1; // int incompatible with int[10]
}

Separately from that, ultimatetly you'll most likely have to handle regions with symbolic base separately. These regions are special because they are built when the information about the original type is not really unavailable. For now you're dodging this problem by only supporting VarRegions with element sub-regions. But in the general case you may encounter code like this

void foo(void *p) {
  int *x = p;
  float *y = x;
  *y = 1.0;
}

which may be valid if the original pointer p points to a float. But this can be delayed until later.

158

I suggest a fatal error node. Undefined behavior already occured, there's nothing interesting in the follow-up.

179–180

We should probably keep the checker disabled in these language modes until we're sure it works correctly (in a conservative sense, i.e. doesn't emit false positives).

Can we check whether -fstrict-aliasing is enabled here? That's probably appropriate.

xazax.hun added inline comments.Nov 29 2021, 1:03 PM
clang/lib/StaticAnalyzer/Checkers/StrictAliasingChecker.cpp
59

I'd love to see some detailed descriptions of the strict aliasing rule, what parts are we checking for and what parts we don't. E.g. it would be nice to document the differences between C and C++ aliasing rules. I do remember something about prefixes, i.e.: it would be well defined to access something with the dynamic type struct { int x, y; }; and read struct{ int x; }; from it. Does that not apply to C++?

ASDenysPetrov added inline comments.Nov 30 2021, 8:31 AM
clang/lib/StaticAnalyzer/Checkers/StrictAliasingChecker.cpp
49–50

Or maybe canonicalize defensively so that not to duplicate code in the caller,

We need canonical types in the bug report as well, so we have to get them on the caller side.

59

I'd love to see some detailed descriptions of the strict aliasing rule,

I've added a description in the header.

it would be nice to document the differences between C and C++ aliasing rules.

I need some time to gather those differences and will add them to the description as well.

it would be well defined to access something with the dynamic type struct { int x, y; }; and read struct{ int x; }; from it. Does that not apply to C++?

AFAIK it's UB if you do any access to the object which lifetime is not started in C++.

81

Got it.

114

I'll try to add some tests to model this.

142–146

Oh, unfortunately I've stumbled upon these representation issues:

int arr[2][8]
auto p1 = (int(*)[8])arr[0]; // &Element{arr,0 S64b,int[8]}
auto p2 = (int(*)[8])arr;    // &Element{arr,0 S64b,int[8]}
auto p3 = (int(*)[7])arr[0]; // &Element{arr,0 S64b,int[7]}
auto x = *p1; // OK
auto y = *p2; // UB
auto z = *p3; // UB

I think we need some sort of a new region CastRegion that we can store the provenance/origin and cast type separately (in a canonical form), like I did for integers in D103096. I can investigate it soon. And ElementRegion would be in charge of arrays only.
Or
We could modificate ElementRegion to be always in a canonical form which we could easily differentiate.

158

I suggest a fatal error node.

That's a big discussion what would be correct :-) since 98.99% of modern compilers treat e.g. *((short*)x) as a truncation and the following flow works as most users expect (who doesn't aware about UB). So here we could just warn about UB and explore the rest of the code for similar UB's without sinking. That's why I decided using non-fatal node.

179–180

Can we check whether -fstrict-aliasing is enabled here? That's probably appropriate.

Basically, I've already tried to do some preparations for using -fstrict-aliasing in D114006. But now it needs a bit modification. I'll update it.

We should probably keep the checker disabled in these language modes until we're sure it works correctly (in a conservative sense, i.e. doesn't emit false positives).

I did it for the testing purposes. Several extisting tests help to find uncovered cases (As you can see, those, which have failed in pre-merge checks).
Agree. I'll change the condition to LO.CPlusPlus20 || LO.CPlusPlus2b.

ASDenysPetrov edited the summary of this revision. (Show Details)Dec 2 2021, 8:34 AM

@xazax.hun Updated the summary for better undersanding differencies between the Standards.

ASDenysPetrov edited the summary of this revision. (Show Details)Dec 2 2021, 9:05 AM
ASDenysPetrov mentioned this in D114006: [analyzer][NFC] Enable access to CodeGenOptions from analyzer's instances.Dec 7 2021, 3:10 PM
ASDenysPetrov added a parent revision: D114006: [analyzer][NFC] Enable access to CodeGenOptions from analyzer's instances.
ASDenysPetrov updated this revision to Diff 392821.Dec 8 2021, 9:51 AM

Improved dynamic type recognition. Provided -fstrict-aliasing compiler flag dependency.
Still has issues with some cases (see it at the bottom of the test file). WIP.

Harbormaster completed remote builds in B138200: Diff 392821.Dec 8 2021, 10:34 AM
ASDenysPetrov added inline comments.Dec 9 2021, 5:00 AM
clang/lib/StaticAnalyzer/Checkers/StrictAliasingChecker.cpp
114

'ExprEngine::evalLocation' has an early check for unknown, so Location is never be unknown.

ASDenysPetrov updated this revision to Diff 394290.Dec 14 2021, 9:33 AM

Changed handler check:: functions. Reworked. Covered more cases.

Several cases left (marked as FIXME in the test file). For the glance some of them we can't handle because of (possibly) wrong symbolic modeling.

WIP.

Harbormaster completed remote builds in B139247: Diff 394290.Dec 14 2021, 10:35 AM
steakhal added a comment.Dec 16 2021, 3:24 AM

I haven't checked the code, but only the tests and expectations for scalar values.
I'll dive deeper if we settled on those.

A couple of remarks:

  1. I would rather use top-level function parameters of the given type instead of declaring an instance of that type and taking the address of that object. I think it would reflect more a real-world scenario when we don't see the allocation of the object, thus we don't know the dynamic/effective type of that object.
  2. Using an alias or the underlying type does not matter in this context; You should not duplicate the tests for this reason. A single test demonstrating that the checker is able to look through type aliases (by using the canonical type) is enough.
  3. Marking signed an already signed type won't introduce new coverage. unlike for char you can be sure that short, int, long, long long are signed by default.
  4. Constness does not matter in this context, since type similarity effectively removes any CVR anyway. I would rather remove those test cases, and leave a single one demonstrating that we thought about them and it works the same way as without const.
  5. Please, also test when you have two pointers with a different number of indirections: long * and long **; gcc expects *p and *q not aliasing.
  6. Consider adding all the test cases from Detecting Strict Aliasing Violations in the Wild paper by Pascal Cuoq et al.

They cover a lot of really interesting cases. BTW in the paper, they already set up the godbolt links demonstrating their findings: https://godbolt.org/g/ggZzQo

I think if we are done with these, we can move on to the more complicated cases involving standard layout types with/without inheritance, unions with common prefixes, and other interesting cases like function pointers, pointers to members, pointers to arrays.

The test expectations for (int, Class), (int, ClassInt), (int, UnionUchar), (int, UnionInt), (int, std::byte), (int, std::OtherByte), (int, EnumInt), (int, char), (int, unsigned char), (int, signed char), (int, short), (int, unsigned short), (int, int), (int, volatile unsigned int), (int, long), (int, unsigned long), (int, long long), (int, unsigned long long), (int, float), (int, double), (int, long double), (int, unsigned), look right.

I'll continue the review when I can spare some time for this.

I would like to see this as an alpha.core checker displayed as two checkers: StrictAliasingModeling and StrictAliasingChecker. You could implement this as a single checker, similarly to how the CStringChecker does for example. Do the reporting only if the StrictAliasingChecker is enabled, but emit the sink node unconditionally, restricting the exploration space.
To get this checker into the core package we will need a couple of checker options, relaxing the strict-aliasing rules for unions and for example the signed char as well; since it seems like both gcc and clang respects aliasing involving them via extensions.

Lastly, I'd like to thank you for working on this. I'm really excited about covering these types of issues.

clang/test/Analysis/Checkers/StrictAliasingChecker/strict-aliasing.cpp
2

I think fno-strict-aliasing should achieve this, by which the driver should transform that flag into the -relaxed-aliasing flag consumed by the backend.

ASDenysPetrov added a comment.Dec 17 2021, 4:31 AM

@steakhal Thanks! I appreciate your comprehensive comment! I'll take everything you suggested into account.

clang/test/Analysis/Checkers/StrictAliasingChecker/strict-aliasing.cpp
2

Yes, but here in the RUN line you should use a backend flag -relaxed-aliasing instead of -fno-strict-aliasing. -fno-strict-aliasing won't work here. I've tried.
P.S. Note that the checker works relying on the presentence of -relaxed-aliasing, so here the absense of -relaxed-aliasing is en equivalent of -fstrict-aliasing.

ASDenysPetrov updated this revision to Diff 395486.Dec 20 2021, 9:58 AM

Improved AccessInferrer::isOppositeSign. Reworked tests.
TODO: Write more synthetic and real-world tests.

Harbormaster completed remote builds in B140115: Diff 395486.Dec 20 2021, 10:32 AM
ASDenysPetrov updated this revision to Diff 395881.EditedDec 22 2021, 9:10 AM

Added more tests for records (classes, structs, unions). Improved AccessInferrer. Removed support of cast kinds such as DerivedToBase and BaseToDerived, since they are not implied in C++20 7.2.1 p11 paragraph.
TODO: White tests for multi-level casts, e.g.:

T1 a;              // a
auto* b = (T2*)&a; // {a, T2}
auto* c = (T3*)b;  // {{a, T2}, T3}
auto* d = (T4*)c;  // {{{a, T2}, T3}, T4}
auto e = *d;

TODO: Fix case with loc::ConcreteInt, e.g.:

T1 *a = nullptr;   // 0 loc
auto* b = (T2*)&a; // 0 loc
auto c = *d;       // We are not able to detect an original type and aliased type from ConcreteInt.
ASDenysPetrov edited the summary of this revision. (Show Details)Dec 22 2021, 9:53 AM
Harbormaster completed remote builds in B140408: Diff 395881.Dec 22 2021, 10:12 AM
ASDenysPetrov updated this revision to Diff 398986.Jan 11 2022, 9:33 AM

Improved the checker. Reworked tests.

ASDenysPetrov added a child revision: D117033: [analyzer] Added more tests for scalars and enums for StrictAliasingChecker.Jan 11 2022, 9:38 AM
Harbormaster completed remote builds in B142680: Diff 398986.Jan 11 2022, 10:15 AM
steakhal mentioned this in D130491: [analyzer] Handle false positives caused by funny addressing.Jul 26 2022, 4:00 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
6 lines
lib/
StaticAnalyzer/
Checkers/
1 line
201 lines
test/
Analysis/
Checkers/
StrictAliasingChecker/
811 lines

Diff 394290

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 292 Lines▼ Show 20 Linesdef PthreadLockBase : Checker<"PthreadLockBase">,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def C11LockChecker : Checker<"C11Lock">, def C11LockChecker : Checker<"C11Lock">,
HelpText<"Simple lock -> unlock checker">, HelpText<"Simple lock -> unlock checker">,
Dependencies<[PthreadLockBase]>, Dependencies<[PthreadLockBase]>,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def StrictAliasingChecker : Checker<"StrictAliasing">,
HelpText<"Check conformity with Strict Alising Rule. Check an access to the "
"stored value through a glvalue whose type is not allowed by "
"the Standard. ([basic.lval])">,
Documentation<HasAlphaDocumentation>;
} // end "alpha.core" } // end "alpha.core"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Nullability checkers. // Nullability checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = Nullability in { let ParentPackage = Nullability in {
▲ Show 20 LinesShow All 1,390 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 LinesShow All 99 Lines▼ Show 20 Linesadd_clang_library(clangStaticAnalyzerCheckers
RunLoopAutoreleaseLeakChecker.cpp RunLoopAutoreleaseLeakChecker.cpp
SimpleStreamChecker.cpp SimpleStreamChecker.cpp
SmartPtrChecker.cpp SmartPtrChecker.cpp
SmartPtrModeling.cpp SmartPtrModeling.cpp
StackAddrEscapeChecker.cpp StackAddrEscapeChecker.cpp
StdLibraryFunctionsChecker.cpp StdLibraryFunctionsChecker.cpp
STLAlgorithmModeling.cpp STLAlgorithmModeling.cpp
StreamChecker.cpp StreamChecker.cpp
StrictAliasingChecker.cpp
StringChecker.cpp StringChecker.cpp
Taint.cpp Taint.cpp
TaintTesterChecker.cpp TaintTesterChecker.cpp
TestAfterDivZeroChecker.cpp TestAfterDivZeroChecker.cpp
TraversalChecker.cpp TraversalChecker.cpp
TrustNonnullChecker.cpp TrustNonnullChecker.cpp
UndefBranchChecker.cpp UndefBranchChecker.cpp
UndefCapturedBlockVarChecker.cpp UndefCapturedBlockVarChecker.cpp
Show All 30 Lines

clang/lib/StaticAnalyzer/Checkers/StrictAliasingChecker.cpp

  • This file was added.
//===- StrictAliasingChecker - ... ------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// StrictAliasingChecker implements checks on violation of the next paragraph of
// the Standard which is known as `Strict Aliasing Rule`.
// C++20 7.2.1 p11 [basic.lval]:
// If a program attempts to access the stored value of an object through a
// glvalue whose type is not similar to one of the following types the behavior
// is undefined:
// - the dynamic type of the object,
// - a type that is the signed or unsigned type corresponding to the dynamic
// type of the object, or
// - a char, unsigned char, or std::byte type.
//
// NOTE: The checker operates only when strict-aliasing is enabled with
// corresponding compiler flag.
//
// NOTE: There are differences in strict aliasing rules between C, C++
// Standards. Now we only impelement checks since C++20 Standard (there were
// changes applied in C++20 http://wg21.link/cwg2051).
//
// TODO: Support C++98/11/14/17. Shall we?
// TODO: Support C.
//
//===----------------------------------------------------------------------===//
#include "clang/AST/Attr.h"
#include "clang/AST/ExprCXX.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang;
using namespace ento;
namespace {
class AccessInferrer {
QualType From;
QualType To;
ASTContext &Ctx;
public:
// Check whether the given types submit to the Strict Aliasing Rule.
//
NoQUnsubmitted
Not Done
ReplyInline Actions

assert() it? Or maybe canonicalize defensively so that not to duplicate code in the caller, given that there's really only one correct way to do that?

NoQ: `assert()` it? Or maybe canonicalize defensively so that not to duplicate code in the caller…
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

Or maybe canonicalize defensively so that not to duplicate code in the caller,

We need canonical types in the bug report as well, so we have to get them on the caller side.

ASDenysPetrov: >Or maybe canonicalize defensively so that not to duplicate code in the caller, We need…
// NOTE: User must provide canonical and unqualified QualType's for the
// correct result.
static bool canAccess(QualType From, QualType To, ASTContext &Ctx) {
// NOTE: Despite the function name `isCanonical()`, it also check whether
// the type is unqualified. (See implementation)
assert(From.isCanonical() && "The type shall be an unqualified canonical.");
assert(To.isCanonical() && "The type shall be an unqualified canonical.");
AccessInferrer AI(From, To, Ctx);
return AI.canAccessImpl();
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

I'd love to see some detailed descriptions of the strict aliasing rule, what parts are we checking for and what parts we don't. E.g. it would be nice to document the differences between C and C++ aliasing rules. I do remember something about prefixes, i.e.: it would be well defined to access something with the dynamic type struct { int x, y; }; and read struct{ int x; }; from it. Does that not apply to C++?

xazax.hun: I'd love to see some detailed descriptions of the strict aliasing rule, what parts are we…
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

I'd love to see some detailed descriptions of the strict aliasing rule,

I've added a description in the header.

it would be nice to document the differences between C and C++ aliasing rules.

I need some time to gather those differences and will add them to the description as well.

it would be well defined to access something with the dynamic type struct { int x, y; }; and read struct{ int x; }; from it. Does that not apply to C++?

AFAIK it's UB if you do any access to the object which lifetime is not started in C++.

ASDenysPetrov: >I'd love to see some detailed descriptions of the strict aliasing rule, I've added a…
}
private:
AccessInferrer(QualType From, QualType To, ASTContext &Ctx)
: From(From), To(To), Ctx(Ctx) {}
bool canAccessImpl() {
return isSameDynamic() || isCharOrByte() || isOppositeSign();
}
// - the dynamic type of the object
bool isSameDynamic() {
if (From == To)
return true;
if (const CXXRecordDecl *FromDecl = From->getAsCXXRecordDecl())
if (const CXXRecordDecl *ToDecl = To->getAsCXXRecordDecl())
return FromDecl->isDerivedFrom(ToDecl);
return false;
}
// - a char, unsigned char, or std::byte type.
bool isCharOrByte() {
return To == Ctx.CharTy || To == Ctx.UnsignedCharTy || To->isStdByteType();
NoQUnsubmitted
Not Done
ReplyInline Actions

The modern solution is

BugType BT{this, "...", "..."};
NoQ: The modern solution is ```lang=c++ BugType BT{this, "...", "..."}; ```
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

Got it.

ASDenysPetrov: Got it.
}
// - a type that is the signed or unsigned type corresponding to the dynamic
// type of the object
bool isOppositeSign() {
QualType OppositeSignTy;
if (To->isUnsignedIntegerOrEnumerationType())
OppositeSignTy = Ctx.getCorrespondingSignedType(To);
else if (To->isSignedIntegerOrEnumerationType())
OppositeSignTy = Ctx.getCorrespondingUnsignedType(To);
return From == OppositeSignTy;
}
};
class StrictAliasingChecker : public Checker<check::PreStmt<UnaryOperator>,
check::PreStmt<ArraySubscriptExpr>,
check::PreStmt<MemberExpr>> {
BugType BT{this, "Strict Aliasing Rule",
"Access Violation through unallowed type."};
public:
void checkPreStmt(const MemberExpr *ME, CheckerContext &C) const {
checkAccess(ME->getBase(), ME->getBase()->getType()->getPointeeType(), C);
}
void checkPreStmt(const ArraySubscriptExpr *ASE, CheckerContext &C) const {
checkAccess(ASE->getBase(), ASE->getType(), C);
}
void checkPreStmt(const UnaryOperator *UO, CheckerContext &C) const {
// Handle indirection operator '*' only.
if (UO->getOpcode() == UO_Deref)
checkAccess(UO->getSubExpr(), UO->getType(), C);
}
NoQUnsubmitted
Not Done
ReplyInline Actions

I suspect it might also be UnknownVal (?) It usually makes sense to protect against such scenarios with an early return.

NoQ: I suspect it might also be `UnknownVal` (?) It usually makes sense to protect against such…
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

I'll try to add some tests to model this.

ASDenysPetrov: I'll try to add some tests to model this.
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

'ExprEngine::evalLocation' has an early check for unknown, so Location is never be unknown.

ASDenysPetrov: 'ExprEngine::evalLocation' has an early check for //unknown//, so `Location` is never be…
private:
void checkAccess(const Expr *OrigEx, QualType AliasedTy,
CheckerContext &C) const {
AliasedTy = getCanonicalUnqualifiedType(AliasedTy);
// TODO: Handle this case in a proper way, if any.
if (AliasedTy.isNull())
return;
const QualType OrigTy = getOriginalType(OrigEx, C);
// TODO: Handle this case in a proper way, if any.
if (OrigTy.isNull())
return;
if (!AccessInferrer::canAccess(OrigTy, AliasedTy, C.getASTContext()))
reportBug(C, OrigTy, AliasedTy);
}
// FIXME: Probably, we should have such function in QualType class.
// Existing `T->getCanonicalTypeUnqualified()` does not return unqualified
// type which, apparently, is expected.
QualType getCanonicalUnqualifiedType(QualType T) const {
if (!T.isNull()) {
T = T->getCanonicalTypeUnqualified();
T.removeLocalFastQualifiers();
}
return T;
}
QualType getOriginalType(const Expr *OrigEx, CheckerContext &C) const {
QualType T;
NoQUnsubmitted
Not Done
ReplyInline Actions

You're basically running into https://bugs.llvm.org/show_bug.cgi?id=43364 here. The element region is not necessarily a consequence of a pointer cast; it may also be a legitimate array element access, and there's no way to figure out what it really was. So I suspect that you may fail the following test case:

void foo() {
  int x[10];
  int *p = &x[1];
  *p = 1; // int incompatible with int[10]
}

Separately from that, ultimatetly you'll most likely have to handle regions with symbolic base separately. These regions are special because they are built when the information about the original type is not really unavailable. For now you're dodging this problem by only supporting VarRegions with element sub-regions. But in the general case you may encounter code like this

void foo(void *p) {
  int *x = p;
  float *y = x;
  *y = 1.0;
}

which may be valid if the original pointer p points to a float. But this can be delayed until later.

NoQ: You're basically running into https://bugs.llvm.org/show_bug.cgi?id=43364 here. The element…
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

Oh, unfortunately I've stumbled upon these representation issues:

int arr[2][8]
auto p1 = (int(*)[8])arr[0]; // &Element{arr,0 S64b,int[8]}
auto p2 = (int(*)[8])arr;    // &Element{arr,0 S64b,int[8]}
auto p3 = (int(*)[7])arr[0]; // &Element{arr,0 S64b,int[7]}
auto x = *p1; // OK
auto y = *p2; // UB
auto z = *p3; // UB

I think we need some sort of a new region CastRegion that we can store the provenance/origin and cast type separately (in a canonical form), like I did for integers in D103096. I can investigate it soon. And ElementRegion would be in charge of arrays only.
Or
We could modificate ElementRegion to be always in a canonical form which we could easily differentiate.

ASDenysPetrov: Oh, unfortunately I've stumbled upon these representation issues: ``` int arr[2][8] auto p1 =…
SVal V = C.getSVal(OrigEx->IgnoreParens());
if (V.isUnknownOrUndef())
return T;
if (auto MRV = V.getAs<loc::MemRegionVal>()) {
// Unwrap ElementRegion and CXXBaseObjectRegion nesting to get the base
// region.
const MemRegion *Base = MRV->getRegion()->StripCasts(true);
// Get type of the original declaration.
if (const auto *VR = dyn_cast<VarRegion>(Base))
T = VR->getValueType();
else if (const auto *SR = dyn_cast<SymbolicRegion>(Base))
NoQUnsubmitted
Not Done
ReplyInline Actions

I suggest a fatal error node. Undefined behavior already occured, there's nothing interesting in the follow-up.

NoQ: I suggest a fatal error node. Undefined behavior already occured, there's nothing interesting…
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

I suggest a fatal error node.

That's a big discussion what would be correct :-) since 98.99% of modern compilers treat e.g. *((short*)x) as a truncation and the following flow works as most users expect (who doesn't aware about UB). So here we could just warn about UB and explore the rest of the code for similar UB's without sinking. That's why I decided using non-fatal node.

ASDenysPetrov: > I suggest a fatal error node. That's a big discussion what would be correct :-) since 98.99%…
T = SR->getSymbol()->getType()->getPointeeType();
// TODO: Support other regions in a proper way if would need.
}
// Get type from other types.
// NOTE: This is very inaccurate but it's better than NULL though.
if (T.isNull())
T = V.getType(C.getASTContext());
return getCanonicalUnqualifiedType(T);
}
void reportBug(CheckerContext &C, QualType From, QualType To) const {
SmallString<256> Buf;
llvm::raw_svector_ostream OS(Buf);
OS << "Undefined behavior. Attempting to access the stored value of type ";
OS << "'" << From.getAsString() << "'";
OS << " through unallowed type ";
OS << "'" << To.getAsString() << "'.";
ExplodedNode *Node = C.generateNonFatalErrorNode();
auto Report = std::make_unique<PathSensitiveBugReport>(BT, OS.str(), Node);
NoQUnsubmitted
Not Done
ReplyInline Actions

We should probably keep the checker disabled in these language modes until we're sure it works correctly (in a conservative sense, i.e. doesn't emit false positives).

Can we check whether -fstrict-aliasing is enabled here? That's probably appropriate.

NoQ: We should probably keep the checker disabled in these language modes until we're sure it works…
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

Can we check whether -fstrict-aliasing is enabled here? That's probably appropriate.

Basically, I've already tried to do some preparations for using -fstrict-aliasing in D114006. But now it needs a bit modification. I'll update it.

We should probably keep the checker disabled in these language modes until we're sure it works correctly (in a conservative sense, i.e. doesn't emit false positives).

I did it for the testing purposes. Several extisting tests help to find uncovered cases (As you can see, those, which have failed in pre-merge checks).
Agree. I'll change the condition to LO.CPlusPlus20 || LO.CPlusPlus2b.

ASDenysPetrov: > Can we check whether -fstrict-aliasing is enabled here? That's probably appropriate.
C.emitReport(std::move(Report));
}
};
} // end anonymous namespace
//===----------------------------------------------------------------------===//
// Registration.
//===----------------------------------------------------------------------===//
void ento::registerStrictAliasingChecker(CheckerManager &CM) {
CM.registerChecker<StrictAliasingChecker>();
}
bool ento::shouldRegisterStrictAliasingChecker(const CheckerManager &CM) {
const LangOptions &LO = CM.getLangOpts();
const bool IsStrictAliasing = !CM.getCodeGenOpts().RelaxedAliasing;
// Support from C++20 for now.
// TODO: Support C++98/11/14/17. Shall we?
// TODO: Support C.
return IsStrictAliasing && (LO.CPlusPlus20 || LO.CPlusPlus2b);
}

clang/test/Analysis/Checkers/StrictAliasingChecker/strict-aliasing.cpp

  • This file was added.
// RUN: %clang_cc1 -std=c++20 -analyze -analyzer-config eagerly-assume=false -analyzer-checker=debug.ExprInspection,alpha.core.StrictAliasing -verify %s
// NOTE: -relaxed-aliasing flag disables StrictAliasing checker.
steakhalUnsubmitted
Not Done
ReplyInline Actions

I think fno-strict-aliasing should achieve this, by which the driver should transform that flag into the -relaxed-aliasing flag consumed by the backend.

steakhal: I think `fno-strict-aliasing` should achieve this, by which the driver should transform that…
ASDenysPetrovAuthorUnsubmitted
Done
ReplyInline Actions

Yes, but here in the RUN line you should use a backend flag -relaxed-aliasing instead of -fno-strict-aliasing. -fno-strict-aliasing won't work here. I've tried.
P.S. Note that the checker works relying on the presentence of -relaxed-aliasing, so here the absense of -relaxed-aliasing is en equivalent of -fstrict-aliasing.

ASDenysPetrov: Yes, but here in the RUN line you should use a backend flag `-relaxed-aliasing` instead of `…
template <typename T>
void clang_analyzer_dump(T x);
void clang_analyzer_eval(int);
namespace std {
enum class byte : unsigned char {};
enum class OtherByte : unsigned char {};
}; // namespace std
enum class EnumInt : int {};
union UnionUchar {
unsigned char x;
char y;
};
union UnionInt {
int x;
};
class Class {};
class ClassInt {
public:
int x;
};
class Base {
public:
int x;
};
struct AnotherBase {
int y;
};
class Derived : public AnotherBase, public Base {
int z;
};
class MostDerived : public Derived {
int w;
};
using AliasedStdByte = std::byte;
using AliasedChar = char;
using AliasedSChar = const signed char;
using AliasedInt = int;
using AliasedUInt = const unsigned int;
using AliasedULong = unsigned long;
using AliasedBase = Base;
using AliasedAnotherBase = AnotherBase;
namespace ns1 {
void int_casts() {
using MyInt = int;
MyInt x = {};
// int to records
{
auto *ptr = (Class *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (ClassInt *)&x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionUchar *)&x;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionInt *)&x;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
// int to records
{
auto *ptr = (std::byte *)&x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (std::OtherByte *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior. Attempting to access the stored value of type}}
}
{
auto *ptr = (EnumInt *)&x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
// int to scalars
{
auto *ptr = (const char *)&x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (unsigned char *)&x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed char *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (short *)&x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned short *)&x;
ptr[0] = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed short *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (int *)&x;
ptr[0] = 42; // no-warning
}
{
auto *ptr = (const volatile unsigned int *)&x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed int *)&x;
*ptr = 24; // no-warning
}
{
auto *ptr = (long *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long long *)&x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long long *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long long *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (float *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (double *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long double *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
// int to aliases
{
auto *ptr = (AliasedStdByte *)&x;
auto y = ptr[0]; // no-warning
}
{
auto *ptr = (AliasedChar *)&x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedSChar *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)&x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedInt *)&x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedUInt *)&x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedULong *)&x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
}
void intptr_casts(int *x) {
// int to records
{
auto *ptr = (Class *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (ClassInt *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionUchar *)x;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionInt *)x;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
// int to records
{
auto *ptr = (std::byte *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (std::OtherByte *)x;
auto y = *ptr; // expected-warning{{Undefined behavior. Attempting to access the stored value of type}}
}
{
auto *ptr = (EnumInt *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
// int to scalars
{
auto *ptr = (const char *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (unsigned char *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed char *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (short *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned short *)x;
ptr[0] = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed short *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (int *)x;
ptr[0] = 42; // no-warning
}
{
auto *ptr = (const volatile unsigned int *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed int *)x;
*ptr = 24; // no-warning
}
{
auto *ptr = (long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long long *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (float *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (double *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long double *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
// int to aliases
{
auto *ptr = (AliasedStdByte *)x;
auto y = ptr[0]; // no-warning
}
{
auto *ptr = (AliasedChar *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedSChar *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedInt *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedUInt *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedULong *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
}
void intptr_casts2() {
int *x = 0;
// int to records
{
auto *ptr = (Class *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (ClassInt *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionUchar *)x;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionInt *)x;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
// int to records
{
auto *ptr = (std::byte *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (std::OtherByte *)x;
auto y = *ptr; // expected-warning{{Undefined behavior. Attempting to access the stored value of type}}
}
{
auto *ptr = (EnumInt *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
// int to scalars
{
auto *ptr = (const char *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (unsigned char *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed char *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (short *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned short *)x;
ptr[0] = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed short *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (int *)x;
// FIXME: This shall not warn.
ptr[0] = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (const volatile unsigned int *)x;
// FIXME: This shall not warn.
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed int *)x;
// FIXME: This shall not warn.
*ptr = 24; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long long *)x;
// FIXME: This should warn {{Undefined behavior}}.
auto y = ptr[0]; // no-warning
}
{
auto *ptr = (unsigned long long *)x;
// FIXME: This should warn {{Undefined behavior}}.
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed long long *)x;
// FIXME: This should warn {{Undefined behavior}}.
auto y = *ptr; // no-warning
}
{
auto *ptr = (float *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (double *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long double *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
// int to aliases
{
auto *ptr = (AliasedStdByte *)x;
auto y = ptr[0]; // no-warning
}
{
auto *ptr = (AliasedChar *)x;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedSChar *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)x;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedInt *)x;
// FIXME: This shall not warn.
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedUInt *)x;
// FIXME: This shall not warn.
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)x;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
}
void derived_class_casts() {
Derived d;
// record to records
{
auto *ptr = (MostDerived *)&d;
// FIXME: This should warn {{Undefined behavior}}.
auto y = ptr->x; // no-warning
}
{
auto *ptr = (Derived *)&d;
auto y = ptr->x; // no-warning
}
{
auto *ptr = (Base *)&d;
auto y = ptr->x; // no-warning
}
{
auto *ptr = (const AnotherBase *)&d;
auto y = ptr->y; // no-warning
}
{
auto *ptr = (ClassInt *)&d;
auto y = ptr->x; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (Class *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (const ClassInt *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionUchar *)&d;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionInt *)&d;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
// record to scalars
{
auto *ptr = (char *)&d;
auto y = *ptr; // no-warning
}
{
auto *ptr = (const unsigned char *)&d;
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed char *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (short *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned short *)&d;
ptr[0] = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed short *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (int *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned int *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed int *)&d;
*ptr = 24; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long *)&d;
auto y = ptr[0]; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long long *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long long *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long long *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (float *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (double *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long double *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
// record to aliases
{
auto *ptr = (AliasedStdByte *)&d;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedChar *)&d;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedSChar *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedInt *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedUInt *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)&d;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedBase *)&d;
auto y = ptr->x; // no-warning
}
{
auto *ptr = (AliasedAnotherBase *)&d;
auto y = (*ptr).y; // no-warning
}
}
void base_class_casts() {
Base b;
// record to records
{
auto *ptr = (MostDerived *)&b;
// FIXME: This should warn {{Undefined behavior}}.
auto y = ptr->x; // no-warning
}
{
auto *ptr = (Derived *)&b;
// FIXME: This should warn {{Undefined behavior}}.
ptr->x = 42; // no-warning
}
{
auto *ptr = (Base *)&b;
auto y = ptr->x; // no-warning
}
{
auto *ptr = (const AnotherBase *)&b;
auto y = (*ptr).y; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (ClassInt *)&b;
auto y = ptr[0].x; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (Class *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (const ClassInt *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionUchar *)&b;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (UnionInt *)&b;
ptr->x = 42; // expected-warning{{Undefined behavior}}
}
// record to scalars
{
auto *ptr = (char *)&b;
auto y = *ptr; // no-warning
}
{
auto *ptr = (const unsigned char *)&b;
auto y = *ptr; // no-warning
}
{
auto *ptr = (signed char *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (short *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned short *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed short *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (int *)&b;
ptr[0] = 24; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned int *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed int *)&b;
*ptr = 24; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long long *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (unsigned long long *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (signed long long *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (float *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (double *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (long double *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
// record to aliases
{
auto *ptr = (AliasedStdByte *)&b;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedChar *)&b;
auto y = *ptr; // no-warning
}
{
auto *ptr = (AliasedSChar *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedInt *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedUInt *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedULong *)&b;
auto y = *ptr; // expected-warning{{Undefined behavior}}
}
{
auto *ptr = (AliasedBase *)&b;
auto y = ptr[0].x; // no-warning
}
{
auto *ptr = (AliasedAnotherBase *)&b;
auto y = (*ptr).y; // expected-warning{{Undefined behavior}}
}
}
// This produces nested CXXBaseObjectRegion.
void nested_casts() {
MostDerived md;
{
auto *ptr1 = (Derived *)&md; // Base{md,Derived}
auto *ptr2 = (Base *)ptr1; // Base{Base{md,Derived},Base}
auto y = ptr2->x; // no-warning
}
{
auto *ptr1 = (Base *)&md;
auto *ptr2 = (Derived *)ptr1;
auto y = ptr2->x; // no-warning
}
{
auto *ptr1 = (Base *)&md;
auto *ptr2 = (AnotherBase *)ptr1;
auto *ptr3 = (MostDerived *)ptr2;
ptr3->x = 42; // no-warning
}
{
auto *ptr1 = (Base *)&md;
auto *ptr2 = (MostDerived *)ptr1;
auto *ptr3 = (char *)ptr2;
auto y = *ptr3; // no-warning
}
{
auto *ptr1 = (UnionInt *)&md;
auto *ptr2 = (char *)ptr1;
auto *ptr3 = (Base *)ptr2;
auto y = ptr3->x; // no-warning
}
{
auto *ptr1 = (AliasedUInt *)&md;
auto *ptr2 = (short *)ptr1;
auto *ptr3 = (AliasedStdByte *)ptr2;
auto y = ptr3[0]; // no-warning
}
}
} // namespace ns1