This is an archive of the discontinued LLVM Phabricator instance.

Differential D124349

[analyzer] Get direct binding for specific punned case
ClosedPublic

Authored by vabridgers on Apr 24 2022, 12:14 PM.

Details

Reviewers
NoQ
steakhal
martong
Commits
rGdf5801806d03: [analyzer] Get direct binding for specific punned case
Summary

Region store was not able to see through this case to the actual
initialized value of STRUCT ff. This change addresses this case by
getting the direct binding. This was found and debugged in a downstream
compiler, with debug guidance from @steakhal. A positive and negative
test case is added.

The specific case where this issue was exposed.

typedef struct {
  int a:1;
  int b[2];
} STRUCT;

int main() {
  STRUCT ff = {0};
  STRUCT* pff = &ff;
  int a = ((int)pff + 1);
  return a;
}

Diff Detail

Event Timeline

vabridgers created this revision.Apr 24 2022, 12:14 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 24 2022, 12:14 PM
Herald added subscribers: manas, ASDenysPetrov, martong and 8 others. · View Herald Transcript
vabridgers requested review of this revision.Apr 24 2022, 12:14 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 24 2022, 12:14 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
vabridgers updated this revision to Diff 424796.Apr 24 2022, 12:16 PM

clang-format

Harbormaster completed remote builds in B161082: Diff 424796.Apr 24 2022, 12:52 PM
steakhal accepted this revision.Apr 25 2022, 12:11 AM

Looks good.
Wait for an other accept.

clang/test/Analysis/array-struct-region.c
362–366 ↗(On Diff #424796)
void array_struct_bitfield_1() {
  BITFIELD_CAST ff = {0};
  BITFIELD_CAST *pff = &ff;
  clang_analyzer_eval(*((int *)pff + 1) == 0); // expected-warning{{TRUE}}
  ff.b[0] = 3;
  clang_analyzer_eval(*((int *)pff + 1) == 3); // expected-warning{{TRUE}}
}
This revision is now accepted and ready to land.Apr 25 2022, 12:11 AM
vabridgers added inline comments.Apr 25 2022, 1:30 AM
clang/test/Analysis/array-struct-region.c
362–366 ↗(On Diff #424796)

Good suggestion, thanks. I'll add this and wait for another accept.

vabridgers updated this revision to Diff 424844.Apr 25 2022, 1:36 AM

update LIT per comments from @steakhal

vabridgers marked an inline comment as done.Apr 25 2022, 1:37 AM
Harbormaster completed remote builds in B161122: Diff 424844.Apr 25 2022, 2:16 AM
vabridgers added a reviewer: martong.Apr 26 2022, 2:58 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptApr 26 2022, 2:58 AM
vabridgers added a comment.Apr 27 2022, 3:38 AM

polite ping to @NoQ and/or @martong. @steakhal is ok with this change, are you ok if I land this? Thanks!

martong added a comment.May 4 2022, 1:34 AM

Can we have a test for this, got idea from here (https://stackoverflow.com/questions/4129961/how-is-the-size-of-a-struct-with-bit-fields-determined-measured)

typedef struct
{
        unsigned int a:1;
        unsigned int x:31;
        unsigned int c:1;
        int b[2];
} mystruct;
...
ff.b[0] = 3;
clang_analyzer_eval(*((int *)pff + 2) == 3); // expected-warning{{TRUE}}  // Or should this be `pff + 3` ???
clang/test/Analysis/array-struct-region.c
1 ↗(On Diff #424844)

Should we pin the target, shouldn't we?

365 ↗(On Diff #424844)

My gut feeling is that we should pin the target for these arithmetics.

steakhal added a comment.May 4 2022, 3:27 AM
In D124349#3490524, @martong wrote:

Can we have a test for this, got idea from here (https://stackoverflow.com/questions/4129961/how-is-the-size-of-a-struct-with-bit-fields-determined-measured)

typedef struct
{
        unsigned int a:1;
        unsigned int x:31;
        unsigned int c:1;
        int b[2];
} mystruct;
...
ff.b[0] = 3;
clang_analyzer_eval(*((int *)pff + 2) == 3); // expected-warning{{TRUE}}  // Or should this be `pff + 3` ???

Generally, you are right. But in this case, we are talking about a *single bit* bitfield.
That bitfield cannot span across multiple unsigned objects. And int is supposed to be at least one byte large, hence there is plenty of room for an additional CHAR_BIT - 1 bits along with this one and we would be still portable.

clang/test/Analysis/array-struct-region.c
1 ↗(On Diff #424844)

There is no need for that.
The sizeof(int) might change, but the operator+ will accommodate for that in the pointer arithmetic. And the field after bitfields is by default aligned to its preferred alignment.

vabridgers added a comment.May 4 2022, 11:34 AM

Thanks for the comments! Per our discussion, I'll create a different test case with a pinned target and add the additional test case to be sure we see expected behavior. Best!

vabridgers updated this revision to Diff 427106.May 4 2022, 12:32 PM

Address comments from @martong

Harbormaster completed remote builds in B162775: Diff 427106.May 4 2022, 2:53 PM
martong accepted this revision.May 5 2022, 12:16 AM

LGTM! Thanks Vince!

clang/test/Analysis/array-punned-region.c
39
vabridgers updated this revision to Diff 427246.May 5 2022, 2:47 AM

fix a stupid leftover cut/paste mistake in the test case :/

vabridgers marked an inline comment as done.May 5 2022, 2:48 AM

Thanks @martong. I fixed the "typo" :/, landing. Best!

This revision was landed with ongoing or failed builds.May 5 2022, 2:54 AM
Closed by commit rGdf5801806d03: [analyzer] Get direct binding for specific punned case (authored by einvbri <vince.a.bridgers@ericsson.com>). · Explain Why
This revision was automatically updated to reflect the committed changes.
einvbri <vince.a.bridgers@ericsson.com> added a commit: rGdf5801806d03: [analyzer] Get direct binding for specific punned case.
Harbormaster completed remote builds in B162863: Diff 427246.May 5 2022, 3:21 AM
isuckatcs added a subscriber: isuckatcs.May 19 2023, 8:56 AM
isuckatcs added inline comments.
clang/test/Analysis/array-punned-region.c
24

@steakhal @martong @NoQ

Isn't this actually a false positive here?

(int *)pff + 2 points to ff.b[1], which is initialized to 0.

https://godbolt.org/z/Gh8a4aMe8

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
7 lines
test/
Analysis/
39 lines

Diff 427246

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 2,141 Lines▼ Show 20 Lines if (R->hasStackNonParametersStorage()) {
// FIXME: We also need to take ElementRegions with symbolic indexes into // FIXME: We also need to take ElementRegions with symbolic indexes into
// account. This case handles both directly accessing an ElementRegion // account. This case handles both directly accessing an ElementRegion
// with a symbolic offset, but also fields within an element with // with a symbolic offset, but also fields within an element with
// a symbolic offset. // a symbolic offset.
if (hasSymbolicIndex) if (hasSymbolicIndex)
return UnknownVal(); return UnknownVal();
// Additionally allow introspection of a block's internal layout. // Additionally allow introspection of a block's internal layout.
if (!hasPartialLazyBinding && !isa<BlockDataRegion>(R->getBaseRegion())) // Try to get direct binding if all other attempts failed thus far.
// Else, return UndefinedVal()
if (!hasPartialLazyBinding && !isa<BlockDataRegion>(R->getBaseRegion())) {
if (const Optional<SVal> &V = B.getDefaultBinding(R))
return *V;
return UndefinedVal(); return UndefinedVal();
} }
}
// All other values are symbolic. // All other values are symbolic.
return svalBuilder.getRegionValueSymbolVal(R); return svalBuilder.getRegionValueSymbolVal(R);
} }
SVal RegionStoreManager::getBindingForObjCIvar(RegionBindingsConstRef B, SVal RegionStoreManager::getBindingForObjCIvar(RegionBindingsConstRef B,
const ObjCIvarRegion* R) { const ObjCIvarRegion* R) {
// Check if the region has a binding. // Check if the region has a binding.
▲ Show 20 LinesShow All 725 LinesShow Last 20 Lines

clang/test/Analysis/array-punned-region.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -verify -analyzer-config eagerly-assume=false -triple x86_64-pc-linux-gnu %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core,debug.ExprInspection -verify -analyzer-config eagerly-assume=false -triple i386-pc-linux-gnu %s
int clang_analyzer_eval(int);
typedef struct {
int a : 1;
int b[2];
} BITFIELD_CAST;
void array_struct_bitfield_1() {
BITFIELD_CAST ff = {0};
BITFIELD_CAST *pff = &ff;
clang_analyzer_eval(*((int *)pff + 1) == 0); // expected-warning{{TRUE}}
ff.b[0] = 3;
clang_analyzer_eval(*((int *)pff + 1) == 3); // expected-warning{{TRUE}}
}
int array_struct_bitfield_2() {
BITFIELD_CAST ff = {0};
BITFIELD_CAST *pff = &ff;
int a = *((int *)pff + 2); // expected-warning{{Assigned value is garbage or undefined [core.uninitialized.Assign]}}
return a;
isuckatcsUnsubmitted
Not Done
ReplyInline Actions

@steakhal @martong @NoQ

Isn't this actually a false positive here?

(int *)pff + 2 points to ff.b[1], which is initialized to 0.

https://godbolt.org/z/Gh8a4aMe8

isuckatcs: @steakhal @martong @NoQ Isn't this actually a false positive here? `(int *)pff + 2` points…
}
typedef struct {
unsigned int a : 1;
unsigned int x : 31;
unsigned int c : 1;
int b[2];
} mystruct;
void array_struct_bitfield_3() {
mystruct ff;
mystruct *pff = &ff;
ff.b[0] = 3;
clang_analyzer_eval(*((int *)pff + 2) == 3); // expected-warning{{TRUE}}
}
martongUnsubmitted
Done
ReplyInline Actions
ff.b[0] = 3;
- clang_analyzer_eval(*((int *)pff + 2) == 3); // expected-warning{{TRUE}} // Or should this be `pff + 3` ???
- }
+ clang_analyzer_eval(*((int *)pff + 2) == 3); // expected-warning{{TRUE}}}
martong: