This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
DynamicExtent.cpp
3/3
ExprEngine.cpp
-
test/Analysis/
-
Analysis/
-
dtor-array.cpp

Differential D136671

[analyzer] Fix crash for array-delete of UnknownVal values.
ClosedPublic

Authored by tomasz-kaminski-sonarsource on Oct 25 2022, 2:26 AM.

Download Raw Diff

Details

Reviewers

NoQ
isuckatcs
steakhal
martong
xazax.hun

Commits

rG2fb3bec932ed: [analyzer] Fix crash for array-delete of UnknownVal values.

Summary

We now skip the destruction of array elements for delete[] p,
if the value of p is UnknownVal and does not have corresponding region.
This eliminate the crash in getDynamicElementCount on that
region and matches the behavior for deleting the array of
non-constant range.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

tomasz-kaminski-sonarsource created this revision.Oct 25 2022, 2:26 AM

Herald added a reviewer: NoQ. · View Herald TranscriptOct 25 2022, 2:26 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, manas, ASDenysPetrov and 9 others. · View Herald Transcript

tomasz-kaminski-sonarsource requested review of this revision.Oct 25 2022, 2:26 AM

Herald added a project: Restricted Project. · View Herald TranscriptOct 25 2022, 2:26 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

tomasz-kaminski-sonarsource added reviewers: isuckatcs, steakhal, martong, xazax.hun.Oct 25 2022, 2:28 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptOct 25 2022, 2:28 AM

This eliminate the crash in getDynamicElementCount on that region

I think that if the crash comes from getDynamicElementCount, we should address it there too, so
when the function is called elsewhere under the same circumstances it won't crash again.

What do you think?

In D136671#3882166, @isuckatcs wrote:

This eliminate the crash in getDynamicElementCount on that region

I think that if the crash comes from getDynamicElementCount, we should address it there too, so
when the function is called elsewhere under the same circumstances it won't crash again.

What do you think?

Good point .
I was also wondering about it and went for the current approach or preserving the precondition that the passed region cannot be null, because:

For other uses of prepareStateForArrayDestruction in case of automatic variables or members, the destroyed should be always known, so this precondition makes sense. In this context delete[] p of unknown pointer is special case, so localized handling made sense.
This case of ArgR being null was already handled in the code, so extending it seemed to be more consistent.

Does it make sense to you?

In D136671#3882166, @isuckatcs wrote:

This eliminate the crash in getDynamicElementCount on that region

I think that if the crash comes from getDynamicElementCount, we should address it there too, so
when the function is called elsewhere under the same circumstances it won't crash again.

What do you think?

For me, it makes sense that getDynamicElementCount() is not intended to be called on a null MemRegion. So, from my point of view, the bug is at some callsite.

For me, it makes sense that getDynamicElementCount() is not intended to be called on a null MemRegion.

It would still be helpful to have an assertion on that inside getDynamicElementCount(), so the caller will know it right away.

What I want to say is that it seems there are multiple error prone snippets involved in this crash and I think we should address all
of them, because some might cause another crash somewhere else.

Added assertion.

Harbormaster completed remote builds in B194180: Diff 470489.Oct 25 2022, 1:52 PM

isuckatcs added inline comments.Nov 1 2022, 12:36 PM

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
1244	I meant to assert this inside `getDynamicElementCount()` as that's the function that dereferences the pointer. DefinedOrUnknownSVal getDynamicElementCount(..., const MemRegion *MR, ...) { MR = MR->StripCasts(); <-- crash here if MR is a nullptr DefinedOrUnknownSVal Size = getDynamicExtent(State, MR, SVB); SVal ElementSize = getElementExtent(ElementTy, SVB); SVal ElementCount = SVB.evalBinOp(State, BO_Div, Size, ElementSize, SVB.getArrayIndexType()); <-- this could be the origin of a crash too return ElementCount.castAs<DefinedOrUnknownSVal>(); } Also `SVB.evalBinOp()` can technically return an `UndefinedVal` and if it does that, then `ElementCount.castAs<DefinedOrUnknownSVal>()` will also cause a crash as it happened in D130974. Also since this function can return an `UnknownSVal`, what do you think about returning that if `MR` is a `nullptr` instead of stopping execution? Would that behaviour even make sense?

Added assert

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
1244	I meant to assert this inside `getDynamicElementCount()` as that's the function that dereferences the pointer. DefinedOrUnknownSVal getDynamicElementCount(..., const MemRegion *MR, ...) { MR = MR->StripCasts(); <-- crash here if MR is a nullptr DefinedOrUnknownSVal Size = getDynamicExtent(State, MR, SVB); SVal ElementSize = getElementExtent(ElementTy, SVB); SVal ElementCount = SVB.evalBinOp(State, BO_Div, Size, ElementSize, SVB.getArrayIndexType()); <-- this could be the origin of a crash too return ElementCount.castAs<DefinedOrUnknownSVal>(); } Also `SVB.evalBinOp()` can technically return an `UndefinedVal` and if it does that, then `ElementCount.castAs<DefinedOrUnknownSVal>()` will also cause a crash as it happened in D130974. Also since this function can return an `UnknownSVal`, what do you think about returning that if `MR` is a `nullptr` instead of stopping execution? Would that behaviour even make sense?
1244	I meant to assert this inside `getDynamicElementCount()` as that's the function that dereferences the pointer. I see. I will add the assert. Also since this function can return an `UnknownSVal`, what do you think about returning that if `MR` is a `nullptr` instead of stopping execution? Would that behaviour even make sense? I still believe that passing `nullptr` as `MR` to this function is bug on the caller side, and not expected behavior. This is why I would prefer to have to assert here, instead of returning some symbol, as this will hide such bugs.

Harbormaster completed remote builds in B196093: Diff 473166.Nov 4 2022, 8:04 AM

I have nothing else to add, this patch looks good to me. If the others don't have anything to add either, feel free to commit.

This revision is now accepted and ready to land.Nov 7 2022, 2:51 AM

Closed by commit rG2fb3bec932ed: [analyzer] Fix crash for array-delete of UnknownVal values. (authored by tomasz-kaminski-sonarsource). · Explain WhyNov 9 2022, 6:17 AM

This revision was automatically updated to reflect the committed changes.

tomasz-kaminski-sonarsource added a commit: rG2fb3bec932ed: [analyzer] Fix crash for array-delete of UnknownVal values..

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

DynamicExtent.cpp

1 line

ExprEngine.cpp

34 lines

test/

Analysis/

dtor-array.cpp

33 lines

Diff 474253

clang/lib/StaticAnalyzer/Core/DynamicExtent.cpp

Show All 38 Lines	DefinedOrUnknownSVal getElementExtent(QualType Ty, SValBuilder &SVB) {
return SVB.makeIntVal(SVB.getContext().getTypeSizeInChars(Ty).getQuantity(),		return SVB.makeIntVal(SVB.getContext().getTypeSizeInChars(Ty).getQuantity(),
SVB.getArrayIndexType());		SVB.getArrayIndexType());
}		}

DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,		DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
const MemRegion *MR,		const MemRegion *MR,
SValBuilder &SVB,		SValBuilder &SVB,
QualType ElementTy) {		QualType ElementTy) {
		assert(MR != nullptr && "Not-null region expected");
MR = MR->StripCasts();		MR = MR->StripCasts();

DefinedOrUnknownSVal Size = getDynamicExtent(State, MR, SVB);		DefinedOrUnknownSVal Size = getDynamicExtent(State, MR, SVB);
SVal ElementSize = getElementExtent(ElementTy, SVB);		SVal ElementSize = getElementExtent(ElementTy, SVB);

SVal ElementCount =		SVal ElementCount =
SVB.evalBinOp(State, BO_Div, Size, ElementSize, SVB.getArrayIndexType());		SVB.evalBinOp(State, BO_Div, Size, ElementSize, SVB.getArrayIndexType());

Show All 38 Lines

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 Lines • Show All 1,235 Lines • ▼ Show 20 Lines
}		}

std::pair<ProgramStateRef, uint64_t>		std::pair<ProgramStateRef, uint64_t>
ExprEngine::prepareStateForArrayDestruction(const ProgramStateRef State,		ExprEngine::prepareStateForArrayDestruction(const ProgramStateRef State,
const MemRegion *Region,		const MemRegion *Region,
const QualType &ElementTy,		const QualType &ElementTy,
const LocationContext *LCtx,		const LocationContext *LCtx,
SVal *ElementCountVal) {		SVal *ElementCountVal) {
		assert(Region != nullptr && "Not-null region expected");
		isuckatcsUnsubmitted Done Reply Inline Actions I meant to assert this inside `getDynamicElementCount()` as that's the function that dereferences the pointer. DefinedOrUnknownSVal getDynamicElementCount(..., const MemRegion MR, ...) { MR = MR->StripCasts(); <-- crash here if MR is a nullptr DefinedOrUnknownSVal Size = getDynamicExtent(State, MR, SVB); SVal ElementSize = getElementExtent(ElementTy, SVB); SVal ElementCount = SVB.evalBinOp(State, BO_Div, Size, ElementSize, SVB.getArrayIndexType()); <-- this could be the origin of a crash too return ElementCount.castAs<DefinedOrUnknownSVal>(); } Also `SVB.evalBinOp()` can technically return an `UndefinedVal` and if it does that, then `ElementCount.castAs<DefinedOrUnknownSVal>()` will also cause a crash as it happened in D130974. Also since this function can return an `UnknownSVal`, what do you think about returning that if `MR` is a `nullptr` instead of stopping execution? Would that behaviour even make sense? isuckatcs:* I meant to assert this inside `getDynamicElementCount()` as that's the function that…
		tomasz-kaminski-sonarsourceAuthorUnsubmitted Done Reply Inline Actions I meant to assert this inside `getDynamicElementCount()` as that's the function that dereferences the pointer. DefinedOrUnknownSVal getDynamicElementCount(..., const MemRegion MR, ...) { MR = MR->StripCasts(); <-- crash here if MR is a nullptr DefinedOrUnknownSVal Size = getDynamicExtent(State, MR, SVB); SVal ElementSize = getElementExtent(ElementTy, SVB); SVal ElementCount = SVB.evalBinOp(State, BO_Div, Size, ElementSize, SVB.getArrayIndexType()); <-- this could be the origin of a crash too return ElementCount.castAs<DefinedOrUnknownSVal>(); } Also `SVB.evalBinOp()` can technically return an `UndefinedVal` and if it does that, then `ElementCount.castAs<DefinedOrUnknownSVal>()` will also cause a crash as it happened in D130974. Also since this function can return an `UnknownSVal`, what do you think about returning that if `MR` is a `nullptr` instead of stopping execution? Would that behaviour even make sense? tomasz-kaminski-sonarsource:* > I meant to assert this inside `getDynamicElementCount()` as that's the function that…
		tomasz-kaminski-sonarsourceAuthorUnsubmitted Done Reply Inline Actions I meant to assert this inside `getDynamicElementCount()` as that's the function that dereferences the pointer. I see. I will add the assert. Also since this function can return an `UnknownSVal`, what do you think about returning that if `MR` is a `nullptr` instead of stopping execution? Would that behaviour even make sense? I still believe that passing `nullptr` as `MR` to this function is bug on the caller side, and not expected behavior. This is why I would prefer to have to assert here, instead of returning some symbol, as this will hide such bugs. tomasz-kaminski-sonarsource: > I meant to assert this inside `getDynamicElementCount()` as that's the function that…

QualType Ty = ElementTy.getDesugaredType(getContext());		QualType Ty = ElementTy.getDesugaredType(getContext());
while (const auto *NTy = dyn_cast<ArrayType>(Ty))		while (const auto *NTy = dyn_cast<ArrayType>(Ty))
Ty = NTy->getElementType().getDesugaredType(getContext());		Ty = NTy->getElementType().getDesugaredType(getContext());

auto ElementCount = getDynamicElementCount(State, Region, svalBuilder, Ty);		auto ElementCount = getDynamicElementCount(State, Region, svalBuilder, Ty);

if (ElementCountVal)		if (ElementCountVal)
▲ Show 20 Lines • Show All 163 Lines • ▼ Show 20 Lines	auto getDtorDecl = [](const QualType &DTy) {
return RD->getDestructor();		return RD->getDestructor();
};		};

unsigned Idx = 0;		unsigned Idx = 0;
EvalCallOptions CallOpts;		EvalCallOptions CallOpts;
const MemRegion *ArgR = ArgVal.getAsRegion();		const MemRegion *ArgR = ArgVal.getAsRegion();

if (DE->isArrayForm()) {		if (DE->isArrayForm()) {
SVal ElementCount;
std::tie(State, Idx) =
prepareStateForArrayDestruction(State, ArgR, DTy, LCtx, &ElementCount);

CallOpts.IsArrayCtorOrDtor = true;		CallOpts.IsArrayCtorOrDtor = true;
// Yes, it may even be a multi-dimensional array.		// Yes, it may even be a multi-dimensional array.
while (const auto *AT = getContext().getAsArrayType(DTy))		while (const auto *AT = getContext().getAsArrayType(DTy))
DTy = AT->getElementType();		DTy = AT->getElementType();

		if (ArgR) {
		SVal ElementCount;
		std::tie(State, Idx) = prepareStateForArrayDestruction(
		State, ArgR, DTy, LCtx, &ElementCount);

// If we're about to destruct a 0 length array, don't run any of the		// If we're about to destruct a 0 length array, don't run any of the
// destructors.		// destructors.
if (ElementCount.isConstant() &&		if (ElementCount.isConstant() &&
ElementCount.getAsInteger()->getLimitedValue() == 0) {		ElementCount.getAsInteger()->getLimitedValue() == 0) {

static SimpleProgramPointTag PT(		static SimpleProgramPointTag PT(
"ExprEngine", "Skipping 0 length array delete destruction");		"ExprEngine", "Skipping 0 length array delete destruction");
PostImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx, &PT);		PostImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx, &PT);
NodeBuilder Bldr(Pred, Dst, *currBldrCtx);		NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
Bldr.generateNode(PP, Pred->getState(), Pred);		Bldr.generateNode(PP, Pred->getState(), Pred);
return;		return;
}		}

if (ArgR)
ArgR = State->getLValue(DTy, svalBuilder.makeArrayIndex(Idx), ArgVal)		ArgR = State->getLValue(DTy, svalBuilder.makeArrayIndex(Idx), ArgVal)
.getAsRegion();		.getAsRegion();
}		}
		}

NodeBuilder Bldr(Pred, Dst, getBuilderContext());		NodeBuilder Bldr(Pred, Dst, getBuilderContext());
static SimpleProgramPointTag PT("ExprEngine",		static SimpleProgramPointTag PT("ExprEngine",
"Prepare for object destruction");		"Prepare for object destruction");
PreImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx, &PT);		PreImplicitCall PP(getDtorDecl(DTy), DE->getBeginLoc(), LCtx, &PT);
Pred = Bldr.generateNode(PP, State, Pred);		Pred = Bldr.generateNode(PP, State, Pred);

if (!Pred)		if (!Pred)
▲ Show 20 Lines • Show All 2,478 Lines • Show Last 20 Lines

clang/test/Analysis/dtor-array.cpp

Show First 20 Lines • Show All 338 Lines • ▼ Show 20 Lines	void nonConstantRegionExtent(){
InlineDtor *arr = new InlineDtor[x];		InlineDtor *arr = new InlineDtor[x];
clang_analyzer_dumpElementCount(arr); // expected-warning {{conj_$0}}		clang_analyzer_dumpElementCount(arr); // expected-warning {{conj_$0}}
delete [] arr;		delete [] arr;

//FIXME: This should be TRUE but memset also sets this		//FIXME: This should be TRUE but memset also sets this
// region to a conjured symbol.		// region to a conjured symbol.
clang_analyzer_eval(InlineDtor::dtorCalled == 0); // expected-warning {{TRUE}} expected-warning {{FALSE}}		clang_analyzer_eval(InlineDtor::dtorCalled == 0); // expected-warning {{TRUE}} expected-warning {{FALSE}}
}		}

		namespace crash6 {

		struct NonTrivialItem {
		~NonTrivialItem();
		};

		struct WeirdVec {
		void clear() {
		delete[] data;
		size = 0;
		}
		NonTrivialItem *data;
		unsigned size;
		};

		void top(int j) {
		WeirdVec *p = new WeirdVec;

		p[j].size = 0;
		delete[] p->data; // no-crash
		}

		template <typename T>
		T make_unknown() {
		return reinterpret_cast<T>(static_cast<int>(0.404));
		}

		void directUnknownSymbol() {
		delete[] make_unknown<NonTrivialItem*>(); // no-crash
		}

		}