This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
2
ReturnPointerRangeChecker.cpp
-
test/Analysis/
-
Analysis/
-
return-ptr-range.cpp

Differential D138713

Fix assertion failure "PathDiagnosticSpotPiece's must have a valid location." in ReturnPtrRange checker on builtin functions
ClosedPublic

Authored by arseniy-sonar on Nov 25 2022, 7:00 AM.

Download Raw Diff

Details

Reviewers

xazax.hun
martong
NoQ
Szelethus
steakhal

Commits

rG98d55095d851: Fix assertion failure "PathDiagnosticSpotPiece's must have a valid location."…

Summary

Fixes #55347
Builtin functions (such ast std::move, std::forward, std::as_const) have a body generated during the analysis not related to any source file so their statements have no valid source locations.
ReturnPtrRange checker should not report issues for these builtin functions because they only forward its parameter and do not create any new pointers.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

arseniy-sonar created this revision.Nov 25 2022, 7:00 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 25 2022, 7:00 AM

Herald added a subscriber: rnkovacs. · View Herald Transcript

arseniy-sonar requested review of this revision.Nov 25 2022, 7:00 AM

Herald added a subscriber: cfe-commits. · View Herald TranscriptNov 25 2022, 7:00 AM

I already reviewed this internally. For me, it looks great.

@arseniy-sonar consider adding the Fixes #55347 marker to the summary, so the commit will auto-reference the fixed issue.
Also mention the commit author sign to which we should accredit this revision if accepted.

Herald added a subscriber: steakhal. · View Herald TranscriptNov 25 2022, 7:08 AM

arseniy-sonar edited the summary of this revision. (Show Details)Nov 25 2022, 7:17 AM

Harbormaster completed remote builds in B199543: Diff 477952.Nov 25 2022, 7:46 AM

LGTM, thanks!

This patch seems obvious but please upload with context next time (https://llvm.org/docs/Phabricator.html#phabricator-request-review-web).

clang/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp
48	I suspect that you might run into more similar problems with functions coming from "body farms". A direct check like RetE->getBeginLoc().isValid() might be more reliable. You might need to check the entire range though. We probably need a unified solution for such checks, because many checkers end up implementing them.

This revision is now accepted and ready to land.Nov 28 2022, 1:14 PM

steakhal added inline comments.Nov 28 2022, 2:13 PM

clang/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp
48	We were actually considering it. We decided against it to keep the impact of this fix minimal. That being said, I wonder if a similar check should be at some higher level API, lets say inside the emitReport. That way no chevker would experience such crashes. WDYT?

Closed by commit rG98d55095d851: Fix assertion failure "PathDiagnosticSpotPiece's must have a valid location."… (authored by arseniy-sonar, committed by steakhal). · Explain WhyJan 26 2023, 8:36 AM

This revision was automatically updated to reflect the committed changes.

steakhal added a commit: rG98d55095d851: Fix assertion failure "PathDiagnosticSpotPiece's must have a valid location."….

I think we should backport this to release/16.x.
Here is the ticket for it: https://github.com/llvm/llvm-project/issues/61115

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

ReturnPointerRangeChecker.cpp

4 lines

test/

Analysis/

return-ptr-range.cpp

11 lines

Diff 492465

clang/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp

	Show All 35 Lines
	void ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,			void ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
	CheckerContext &C) const {			CheckerContext &C) const {
	ProgramStateRef state = C.getState();			ProgramStateRef state = C.getState();

	const Expr *RetE = RS->getRetValue();			const Expr *RetE = RS->getRetValue();
	if (!RetE)			if (!RetE)
	return;			return;

				// Skip "body farmed" functions.
				if (RetE->getSourceRange().isInvalid())
				return;

	SVal V = C.getSVal(RetE);			SVal V = C.getSVal(RetE);
				NoQUnsubmitted Not Done Reply Inline Actions I suspect that you might run into more similar problems with functions coming from "body farms". A direct check like RetE->getBeginLoc().isValid() might be more reliable. You might need to check the entire range though. We probably need a unified solution for such checks, because many checkers end up implementing them. NoQ: I suspect that you might run into more similar problems with functions coming from "body farms".
				steakhalUnsubmitted Not Done Reply Inline Actions We were actually considering it. We decided against it to keep the impact of this fix minimal. That being said, I wonder if a similar check should be at some higher level API, lets say inside the emitReport. That way no chevker would experience such crashes. WDYT? steakhal: We were actually considering it. We decided against it to keep the impact of this fix minimal.
	const MemRegion *R = V.getAsRegion();			const MemRegion *R = V.getAsRegion();

	const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);			const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
	if (!ER)			if (!ER)
	return;			return;

	DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();			DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
	// Zero index is always in bound, this also passes ElementRegions created for			// Zero index is always in bound, this also passes ElementRegions created for
	▲ Show 20 Lines • Show All 78 Lines • Show Last 20 Lines

clang/test/Analysis/return-ptr-range.cpp

Show First 20 Lines • Show All 109 Lines • ▼ Show 20 Lines	if (I != 11) // expected-note{{Assuming 'I' is equal to 11}}
return DataArr;		return DataArr;
return DataArr + I; // expected-warning{{Returned pointer value points outside the original object}}		return DataArr + I; // expected-warning{{Returned pointer value points outside the original object}}
// expected-note@-1{{Returned pointer value points outside the original object}}		// expected-note@-1{{Returned pointer value points outside the original object}}
// expected-note@-2{{Original object 'DataArr' is an array of 10 'test_array_of_struct::Data' objects, returned pointer points at index 11}}		// expected-note@-2{{Original object 'DataArr' is an array of 10 'test_array_of_struct::Data' objects, returned pointer points at index 11}}
}		}

}		}

		namespace std {
		// A builtin function with the body generated on the fly.
		template <typename T> T&& move(T &&) noexcept;
		} // namespace std

		char buf[2];

		void top() {
		// see https://github.com/llvm/llvm-project/issues/55347
		(void)std::move(*(buf + 3)); // no-crash
		}