This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
1
ExprEngineCallAndReturn.cpp
-
test/Analysis/
-
Analysis/
2/2
Issue56873.cpp

Differential D130974

[analyzer] Fix for the crash in #56873
ClosedPublic

Authored by isuckatcs on Aug 2 2022, 2:34 AM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
Szelethus
t-rasmud
ziqingluo-90
usama54321
martong

Commits

rG10a7ee0bac21: [analyzer] Fix for the crash in #56873

Summary

In ExprEngine::bindReturnValue() we cast an SVal to DefinedOrUnknownSVal,
however this SVal can also be Undefined, which leads to an assertion failure.

Fixes: #56873

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

isuckatcs created this revision.Aug 2 2022, 2:34 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 2 2022, 2:34 AM

Herald added subscribers: steakhal, manas, ASDenysPetrov and 8 others. · View Herald Transcript

isuckatcs requested review of this revision.Aug 2 2022, 2:34 AM

Harbormaster completed remote builds in B178725: Diff 449233.Aug 2 2022, 3:51 AM

Thanks, LGTM!

clang/test/Analysis/Issue56873.cpp
13	I think, MallocChecker (or another checker?) should issue a warning if the extent is undefined. Do you plan to address that?

This revision is now accepted and ready to land.Aug 2 2022, 7:05 AM

isuckatcs marked an inline comment as done.Aug 2 2022, 8:17 AM

isuckatcs added inline comments.

clang/test/Analysis/Issue56873.cpp
13	I agree that we should warn in this case, though I don't plan to address this in the near future. I keep this idea in mind, however if you or someone else wants to look into it, feel free to do so.

isuckatcs marked an inline comment as done.Aug 2 2022, 8:17 AM

Closed by commit rG10a7ee0bac21: [analyzer] Fix for the crash in #56873 (authored by isuckatcs). · Explain WhyAug 3 2022, 10:25 AM

This revision was automatically updated to reflect the committed changes.

isuckatcs added a commit: rG10a7ee0bac21: [analyzer] Fix for the crash in #56873.

Herald added a project: Restricted Project. · View Herald TranscriptAug 3 2022, 10:25 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Some checker should have caught the uninitialized value earlier than the defaultEvalCall().
I guess, the MallocCkecher could have checked for it in PreStmt<CXXNewExpr>.
Or alternatively, the CallAndMessageChecker::preCall() already does something like this in the PreVisitProcessArg(). I know that CXXNewExpr is not a call, but you get the idea.
WDYT, worth catching it?

Other than that, I think it's a good practice to not rely on some checkers to catch things to prevent crashes; so this 'fix' seems reasonable to me.

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
768	I'm not a fan of mutating values like this. Alternatively we could have used something like this at the point of use: `Size.getAs<DefinedOrUnknownSVal>().getValueOr(UnknownVal{})` I'm not sure if it's more readable :D

Some checker should have caught the uninitialized value earlier than the defaultEvalCall().
I guess, the MallocCkecher could have checked for it in PreStmt<CXXNewExpr>.
Or alternatively, the CallAndMessageChecker::preCall() already does something like this in the PreVisitProcessArg(). I know that CXXNewExpr is not a call, but you get the idea.
WDYT, worth catching it?

I definitely think it's worth catching it. I'm working on a checker which addresses this in D131299. It was originally intended to be a part of MallocChecker but has been moved to a separate one.

In D130974#3709502, @isuckatcs wrote:

Some checker should have caught the uninitialized value earlier than the defaultEvalCall().
I guess, the MallocCkecher could have checked for it in PreStmt<CXXNewExpr>.
Or alternatively, the CallAndMessageChecker::preCall() already does something like this in the PreVisitProcessArg(). I know that CXXNewExpr is not a call, but you get the idea.
WDYT, worth catching it?

I definitely think it's worth catching it. I'm working on a checker which addresses this in D131299. It was originally intended to be a part of MallocChecker but has been moved to a separate one.

If so, shouldn't be some dependencies across these revisions? You could also specify an additional RUN line to demonstrate that this can be caught by an experimental configuration.

If so, shouldn't be some dependencies across these revisions?

I don't think they are that closely related.

This patch is about fixing an assertion failure. This assertion failure happens because we don't handle a case not because the checker doesn't exist.
Also the checker alone wouldn't solve the problem, because if it's turned off, the same crash will happen.

isuckatcs mentioned this in D136671: [analyzer] Fix crash for array-delete of UnknownVal values..Nov 1 2022, 12:36 PM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

ExprEngineCallAndReturn.cpp

5 lines

test/

Analysis/

Issue56873.cpp

24 lines

Diff 449702

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 Lines • Show All 756 Lines • ▼ Show 20 Lines	if (CNE && CNE->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {
}		}

SVal ElementSize = getElementExtent(CNE->getAllocatedType(), svalBuilder);		SVal ElementSize = getElementExtent(CNE->getAllocatedType(), svalBuilder);

SVal Size =		SVal Size =
svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,		svalBuilder.evalBinOp(State, BO_Mul, ElementCount, ElementSize,
svalBuilder.getArrayIndexType());		svalBuilder.getArrayIndexType());

		// FIXME: This line is to prevent a crash. For more details please check
		// issue #56264.
		if (Size.isUndef())
		Size = UnknownVal();
		steakhalUnsubmitted Not Done Reply Inline Actions I'm not a fan of mutating values like this. Alternatively we could have used something like this at the point of use: `Size.getAs<DefinedOrUnknownSVal>().getValueOr(UnknownVal{})` I'm not sure if it's more readable :D steakhal: I'm not a fan of mutating values like this. Alternatively we could have used something like…

State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>(),		State = setDynamicExtent(State, MR, Size.castAs<DefinedOrUnknownSVal>(),
svalBuilder);		svalBuilder);
} else {		} else {
R = svalBuilder.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);		R = svalBuilder.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);
}		}
}		}
return State->BindExpr(E, LCtx, R);		return State->BindExpr(E, LCtx, R);
}		}
▲ Show 20 Lines • Show All 474 Lines • Show Last 20 Lines

clang/test/Analysis/Issue56873.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s

				void clang_analyzer_warnIfReached();

				struct S {
				};

				void Issue56873_1() {
				int n;

				// This line used to crash
				S *arr = new S[n];

				martongUnsubmitted Done Reply Inline Actions I think, MallocChecker (or another checker?) should issue a warning if the extent is undefined. Do you plan to address that? martong: I think, MallocChecker (or another checker?) should issue a warning if the extent is undefined.
				isuckatcsAuthorUnsubmitted Done Reply Inline Actions I agree that we should warn in this case, though I don't plan to address this in the near future. I keep this idea in mind, however if you or someone else wants to look into it, feel free to do so. isuckatcs: I agree that we should warn in this case, though I don't plan to address this in the near…
				clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
				}

				void Issue56873_2() {
				int n;

				// This line used to crash
				int *arr = new int[n];

				clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
				}