This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
ValistChecker.cpp
-
test/Analysis/
-
Analysis/
-
valist-uninitialized-no-undef.c

Differential D124239

[analyzer] Fix ValistChecker false-positive involving symbolic pointers
ClosedPublic

Authored by steakhal on Apr 22 2022, 1:47 AM.

Download Raw Diff

Details

Reviewers

NoQ
martong
xazax.hun
Szelethus
ASDenysPetrov

Commits

rGbe744da01f9d: [analyzer] Fix ValistChecker false-positive involving symbolic pointers

Summary

In the following example:

int va_list_get_int(va_list *va) {
  return va_arg(*va, int); // FP
}

The *va expression will be something like Element{SymRegion{va}, 0, va_list}.
We use ElementRegions for representing the result of the dereference.
In this case, the IsSymbolic was set to false in the
getVAListAsRegion().

Hence, before checking if the memregion is a SymRegion, we should take
the base of that region.

Analogously to the previous example, one can craft other cases:

struct MyVaList {
  va_list l;
};
int va_list_get_int(struct MyVaList va) {
  return va_arg(va.l, int); // FP
}

But it would also work if the va_list would be in the base or derived
part of a class. ObjCIvarRegions are likely also susceptible.
I'm not explicitly demonstrating these cases.

PS: Check the MemRegion::getBaseRegion() definition.

Fixes #55009

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

steakhal created this revision.Apr 22 2022, 1:47 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 22 2022, 1:47 AM

Herald added subscribers: manas, dkrupp, donat.nagy and 5 others. · View Herald Transcript

steakhal requested review of this revision.Apr 22 2022, 1:47 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 22 2022, 1:47 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B160802: Diff 424403.Apr 22 2022, 1:49 AM

xazax.hun accepted this revision.Apr 22 2022, 6:21 AM

This revision is now accepted and ready to land.Apr 22 2022, 6:21 AM

fix test

Harbormaster completed remote builds in B160858: Diff 424478.Apr 22 2022, 8:22 AM

Closed by commit rGbe744da01f9d: [analyzer] Fix ValistChecker false-positive involving symbolic pointers (authored by steakhal). · Explain WhyApr 25 2022, 11:49 PM

This revision was automatically updated to reflect the committed changes.

steakhal added a commit: rGbe744da01f9d: [analyzer] Fix ValistChecker false-positive involving symbolic pointers.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

ValistChecker.cpp

2 lines

test/

Analysis/

valist-uninitialized-no-undef.c

17 lines

Diff 425128

clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp

Show First 20 Lines • Show All 172 Lines • ▼ Show 20 Lines	if (const auto *Cast = dyn_cast<CastExpr>(E)) {
QualType Ty = Cast->getType();		QualType Ty = Cast->getType();
VaListModelledAsArray =		VaListModelledAsArray =
Ty->isPointerType() && Ty->getPointeeType()->isRecordType();		Ty->isPointerType() && Ty->getPointeeType()->isRecordType();
}		}
if (const auto *DeclReg = Reg->getAs<DeclRegion>()) {		if (const auto *DeclReg = Reg->getAs<DeclRegion>()) {
if (isa<ParmVarDecl>(DeclReg->getDecl()))		if (isa<ParmVarDecl>(DeclReg->getDecl()))
Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();		Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();
}		}
IsSymbolic = Reg && Reg->getAs<SymbolicRegion>();		IsSymbolic = Reg && Reg->getBaseRegion()->getAs<SymbolicRegion>();
// Some VarRegion based VA lists reach here as ElementRegions.		// Some VarRegion based VA lists reach here as ElementRegions.
const auto *EReg = dyn_cast_or_null<ElementRegion>(Reg);		const auto *EReg = dyn_cast_or_null<ElementRegion>(Reg);
return (EReg && VaListModelledAsArray) ? EReg->getSuperRegion() : Reg;		return (EReg && VaListModelledAsArray) ? EReg->getSuperRegion() : Reg;
}		}

void ValistChecker::checkPreStmt(const VAArgExpr *VAA,		void ValistChecker::checkPreStmt(const VAArgExpr *VAA,
CheckerContext &C) const {		CheckerContext &C) const {
ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
▲ Show 20 Lines • Show All 237 Lines • Show Last 20 Lines

clang/test/Analysis/valist-uninitialized-no-undef.c

	Show All 10 Lines

	void call_inlined_uses_arg(int fst, ...) {			void call_inlined_uses_arg(int fst, ...) {
	va_list va;			va_list va;
	inlined_uses_arg(va); // expected-note{{Calling 'inlined_uses_arg'}}			inlined_uses_arg(va); // expected-note{{Calling 'inlined_uses_arg'}}
	}			}

	void f6(va_list *fst, ...) {			void f6(va_list *fst, ...) {
	va_start(*fst, fst);			va_start(*fst, fst);
	// FIXME: There should be no warning for this.			(void)va_arg(*fst, int);
	(void)va_arg(*fst, int); // expected-warning{{va_arg() is called on an uninitialized va_list}}
	// expected-note@-1{{va_arg() is called on an uninitialized va_list}}
	va_end(*fst);			va_end(*fst);
	}			}

				int va_list_get_int(va_list *va) {
				return va_arg(*va, int); // no-warning
				}

				struct MyVaList {
				va_list l;
				};
				int va_list_get_int2(struct MyVaList *va) {
				return va_arg(va->l, int); // no-warning
				}

	void call_vprintf_bad(int isstring, ...) {			void call_vprintf_bad(int isstring, ...) {
	va_list va;			va_list va;
	vprintf(isstring ? "%s" : "%d", va); // expected-warning{{Function 'vprintf' is called with an uninitialized va_list argument}}			vprintf(isstring ? "%s" : "%d", va); // expected-warning{{Function 'vprintf' is called with an uninitialized va_list argument}}
	// expected-note@-1{{Function 'vprintf' is called with an uninitialized va_list argument}}			// expected-note@-1{{Function 'vprintf' is called with an uninitialized va_list argument}}
	// expected-note@-2{{Assuming 'isstring' is 0}}			// expected-note@-2{{Assuming 'isstring' is 0}}
	// expected-note@-3{{'?' condition is false}}			// expected-note@-3{{'?' condition is false}}
	}			}

	void call_vsprintf_bad(char *buffer, ...) {			void call_vsprintf_bad(char *buffer, ...) {
	va_list va;			va_list va;
	va_start(va, buffer); // expected-note{{Initialized va_list}}			va_start(va, buffer); // expected-note{{Initialized va_list}}
	va_end(va); // expected-note{{Ended va_list}}			va_end(va); // expected-note{{Ended va_list}}
	vsprintf(buffer, "%s %d %d %lf %03d", va); // expected-warning{{Function 'vsprintf' is called with an uninitialized va_list argument}}			vsprintf(buffer, "%s %d %d %lf %03d", va); // expected-warning{{Function 'vsprintf' is called with an uninitialized va_list argument}}
	// expected-note@-1{{Function 'vsprintf' is called with an uninitialized va_list argument}}			// expected-note@-1{{Function 'vsprintf' is called with an uninitialized va_list argument}}
	}			}