This is an archive of the discontinued LLVM Phabricator instance.

Differential D140753

[clang][dataflow] Fix crash when having boolean-to-integral casts.
ClosedPublic

Authored by junaire on Dec 29 2022, 1:16 AM.

Details

Reviewers
NoQ
ymandel
sgatev
gribozavr2
Commits
rGeda2eaabf294: [clang][dataflow] Fix crash when having boolean-to-integral casts.
Summary

Since now we just ignore all (implicit) integral casts, treating the
resulting value as the same as the underlying value, it could cause
inconsistency between values after Join if in some paths the type
doesn't strictly match. This could cause intermittent crashes.

std::optional<bool> o;
int x;
if (o.has_value()) {
  x = o.value();
}

Fixes: https://github.com/llvm/llvm-project/issues/59728

Signed-off-by: Jun Zhang <jun@junz.org>

Diff Detail

Event Timeline

junaire created this revision.Dec 29 2022, 1:16 AM
Herald added a reviewer: NoQ. · View Herald TranscriptDec 29 2022, 1:16 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, xazax.hun. · View Herald Transcript
junaire requested review of this revision.Dec 29 2022, 1:16 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 29 2022, 1:16 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
junaire added reviewers: ymandel, sgatev, gribozavr2.Dec 29 2022, 1:20 AM
Harbormaster completed remote builds in B205141: Diff 485590.Dec 29 2022, 1:53 AM
gribozavr2 requested changes to this revision.Dec 29 2022, 2:32 AM

Thank you for your contribution!

While adding a conditional check fixes the crash, the problem's root cause must be deeper. Mismatched types indicate that one code path in dataflow analysis computes a bool type for a storage location, while a different code path computes an integer type. That's the actual root cause. Could you try to investigate the reasons for that, and try to fix it? The dataflow analysis should be computing values of the same type no matter through which path we arrived at a program point.

This revision now requires changes to proceed.Dec 29 2022, 2:32 AM
junaire added a comment.Dec 29 2022, 3:03 AM
In D140753#4019322, @gribozavr2 wrote:

Thank you for your contribution!

While adding a conditional check fixes the crash, the problem's root cause must be deeper. Mismatched types indicate that one code path in dataflow analysis computes a bool type for a storage location, while a different code path computes an integer type. That's the actual root cause. Could you try to investigate the reasons for that, and try to fix it? The dataflow analysis should be computing values of the same type no matter through which path we arrived at a program point.

Thanks for your thoughts about the bug. Sure I'd love to try to investigate and will let you know what I finally got :)

junaire updated this revision to Diff 485654.Dec 29 2022, 6:24 PM

Update patch according to @ymandel 's suggestion. Thanks!

junaire retitled this revision from [clang][dataflow] Check both operand's type in mergeDistinctValues to [clang][dataflow] Fix crash when having boolean-to-integral casts..Dec 29 2022, 6:25 PM
junaire edited the summary of this revision. (Show Details)
junaire updated this revision to Diff 485657.Dec 29 2022, 6:31 PM

Fix typos

Harbormaster completed remote builds in B205191: Diff 485657.Dec 29 2022, 7:06 PM
gribozavr2 accepted this revision.Dec 29 2022, 7:55 PM
gribozavr2 added inline comments.
clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp
97–106
This revision is now accepted and ready to land.Dec 29 2022, 7:55 PM
This revision was landed with ongoing or failed builds.Dec 29 2022, 9:16 PM
Closed by commit rGeda2eaabf294: [clang][dataflow] Fix crash when having boolean-to-integral casts. (authored by junaire). · Explain Why
This revision was automatically updated to reflect the committed changes.
junaire added a commit: rGeda2eaabf294: [clang][dataflow] Fix crash when having boolean-to-integral casts..

Revision Contents

PathSize
clang/
lib/
Analysis/
FlowSensitive/
14 lines
unittests/
Analysis/
FlowSensitive/
17 lines

Diff 485669

clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp

Show First 20 LinesShow All 87 Lines▼ Show 20 Lines
/// meaning depends on `Model`. /// meaning depends on `Model`.
static Value *mergeDistinctValues(QualType Type, Value &Val1, static Value *mergeDistinctValues(QualType Type, Value &Val1,
const Environment &Env1, Value &Val2, const Environment &Env1, Value &Val2,
const Environment &Env2, const Environment &Env2,
Environment &MergedEnv, Environment &MergedEnv,
Environment::ValueModel &Model) { Environment::ValueModel &Model) {
// Join distinct boolean values preserving information about the constraints // Join distinct boolean values preserving information about the constraints
// in the respective path conditions. // in the respective path conditions.
if (auto *Expr1 = dyn_cast<BoolValue>(&Val1)) { if (Type->isBooleanType()) {
// FIXME: The type check above is a workaround and should be unnecessary.
// However, right now we can end up with BoolValue's in integer-typed
// variables due to our incorrect handling of boolean-to-integer casts (we
// just propagate the BoolValue to the result of the cast). For example:
// std::optional<bool> o;
//
//
// int x;
// if (o.has_value()) {
// x = o.value();
gribozavr2Unsubmitted
Not Done
ReplyInline Actions
if (Type->isBooleanType()) {
- // FIXME: This is sort of workaround. Since now we just ignore all (implicit)
- // integral casts, treating the resulting value as the same as the underlying
- // value, it could cause inconsistency between values after `Join` if in
- // some paths the type doesn't strictly match:
+ // FIXME: The type check above is a workaround and should be unnecessary. However, right now we can end up with BoolValue's in integer-typed variables due to our incorrect handling of boolean-to-integer casts (we just propagate the BoolValue to the result of the cast). For example:
//
// std::optional<bool> o;
// int x;
// if (o.has_value()) {
// x = o.value();
// }
auto *Expr1 = cast<BoolValue>(&Val1);
gribozavr2:
// }
auto *Expr1 = cast<BoolValue>(&Val1);
auto *Expr2 = cast<BoolValue>(&Val2); auto *Expr2 = cast<BoolValue>(&Val2);
auto &MergedVal = MergedEnv.makeAtomicBoolValue(); auto &MergedVal = MergedEnv.makeAtomicBoolValue();
MergedEnv.addToFlowCondition(MergedEnv.makeOr( MergedEnv.addToFlowCondition(MergedEnv.makeOr(
MergedEnv.makeAnd(Env1.getFlowConditionToken(), MergedEnv.makeAnd(Env1.getFlowConditionToken(),
MergedEnv.makeIff(MergedVal, *Expr1)), MergedEnv.makeIff(MergedVal, *Expr1)),
MergedEnv.makeAnd(Env2.getFlowConditionToken(), MergedEnv.makeAnd(Env2.getFlowConditionToken(),
MergedEnv.makeIff(MergedVal, *Expr2)))); MergedEnv.makeIff(MergedVal, *Expr2))));
return &MergedVal; return &MergedVal;
▲ Show 20 LinesShow All 634 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/UncheckedOptionalAccessModelTest.cpp

Show First 20 LinesShow All 2,964 Lines▼ Show 20 Lines struct Target {
opt.value(); opt.value();
} }
$ns::$optional<int> opt; $ns::$optional<int> opt;
}; };
)", )",
cxxConstructorDecl(ofClass(hasName("Target")))); cxxConstructorDecl(ofClass(hasName("Target"))));
} }
// This is regression test, it shouldn't crash.
TEST_P(UncheckedOptionalAccessTest, Bitfield) {
using namespace ast_matchers;
ExpectDiagnosticsFor(
R"(
#include "unchecked_optional_access_test.h"
struct Dst {
unsigned int n : 1;
};
void target() {
$ns::$optional<bool> v;
Dst d;
if (v.has_value())
d.n = v.value();
}
)");
}
// FIXME: Add support for: // FIXME: Add support for:
// - constructors (copy, move) // - constructors (copy, move)
// - assignment operators (default, copy, move) // - assignment operators (default, copy, move)
// - invalidation (passing optional by non-const reference/pointer) // - invalidation (passing optional by non-const reference/pointer)