This is an archive of the discontinued LLVM Phabricator instance.

Differential D142627

[analyzer] Fix crash exposed by D140059
ClosedPublic

Authored by vabridgers on Jan 26 2023, 6:36 AM.

Details

Reviewers
Peter
steakhal
Commits
rGf027dd55f32a: [analyzer] Fix crash exposed by D140059
Summary

Change https://reviews.llvm.org/D140059 exposed the following crash in
Z3Solver, where bit widths were not checked consistently with that
change. This change makes the check consistent, and fixes the crash.

clang: <root>/llvm/include/llvm/ADT/APSInt.h:99:
  int64_t llvm::APSInt::getExtValue() const: Assertion
  `isRepresentableByInt64() && "Too many bits for int64_t"' failed.
...
Stack dump:
0. Program arguments: clang -cc1 -internal-isystem <root>/lib/clang/16/include
  -nostdsysteminc -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection
  -analyzer-config crosscheck-with-z3=true -verify reproducer.c

 #0 0x00000000045b3476 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int)
  <root>/llvm/lib/Support/Unix/Signals.inc:567:22
 #1 0x00000000045b3862 PrintStackTraceSignalHandler(void*)
  <root>/llvm/lib/Support/Unix/Signals.inc:641:1
 #2 0x00000000045b14a5 llvm::sys::RunSignalHandlers()
  <root>/llvm/lib/Support/Signals.cpp:104:20
 #3 0x00000000045b2eb4 SignalHandler(int)
  <root>/llvm/lib/Support/Unix/Signals.inc:412:1
 ...
 #9 0x0000000004be2eb3 llvm::APSInt::getExtValue() const
  <root>/llvm/include/llvm/ADT/APSInt.h:99:5
  <root>/llvm/lib/Support/Z3Solver.cpp:740:53
  clang::ASTContext&, clang::ento::SymExpr const*, llvm::APSInt const&, llvm::APSInt const&, bool)
  <root>/clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h:552:61

Diff Detail

Event Timeline

vabridgers created this revision.Jan 26 2023, 6:36 AM
Herald added a project: Restricted Project. · View Herald TranscriptJan 26 2023, 6:36 AM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 9 others. · View Herald Transcript
vabridgers requested review of this revision.Jan 26 2023, 6:36 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJan 26 2023, 6:36 AM
Herald added subscribers: llvm-commits, cfe-commits. · View Herald Transcript
vabridgers mentioned this in D140059: [APSInt] Fix bug in APSInt mentioned in https://github.com/llvm/llvm-project/issues/59515.Jan 26 2023, 6:38 AM
vabridgers added a reviewer: Peter.Jan 26 2023, 6:41 AM
vabridgers edited the summary of this revision. (Show Details)
vabridgers added a subscriber: uabelho.
steakhal accepted this revision.Jan 26 2023, 7:41 AM

I would not mind less artificial-looking test code, but I'll let you decide if you want to make action about it.

Have you thought about the rest of the callsites of getBitWidth()? Are they also vulnerable to similar bugs?

This revision is now accepted and ready to land.Jan 26 2023, 7:41 AM
Harbormaster completed remote builds in B210116: Diff 492432.Jan 26 2023, 8:07 AM
This revision was landed with ongoing or failed builds.Jan 26 2023, 10:56 AM
Closed by commit rGf027dd55f32a: [analyzer] Fix crash exposed by D140059 (authored by einvbri <vince.a.bridgers@ericsson.com>). · Explain Why
This revision was automatically updated to reflect the committed changes.
einvbri <vince.a.bridgers@ericsson.com> added a commit: rGf027dd55f32a: [analyzer] Fix crash exposed by D140059.
steakhal added a comment.Mar 3 2023, 12:03 AM

I'm backporting this to clang-16.
https://github.com/llvm/llvm-project/issues/61149

Revision Contents

PathSize
clang/
test/
Analysis/
12 lines
llvm/
lib/
Support/
2 lines

Diff 492521

clang/test/Analysis/z3-crosscheck.c

Show First 20 LinesShow All 71 Lines▼ Show 20 Linesvoid floatUnaryLNotInEq(int h, int l) {
int j; int j;
clang_analyzer_dump(!(float)h); // expected-warning{{Unknown}} clang_analyzer_dump(!(float)h); // expected-warning{{Unknown}}
clang_analyzer_dump((float)l); // expected-warning-re {{(float) (reg_${{[0-9]+}}<int l>)}} clang_analyzer_dump((float)l); // expected-warning-re {{(float) (reg_${{[0-9]+}}<int l>)}}
if ((!(float)h) != (float)l) { // should not crash if ((!(float)h) != (float)l) { // should not crash
j += 10; j += 10;
// expected-warning@-1{{garbage}} // expected-warning@-1{{garbage}}
} }
} }
// don't crash, and also produce a core.CallAndMessage finding
void a(int);
typedef struct {
int b;
} c;
c *d;
void e() {
(void)d->b;
int f;
a(f); // expected-warning {{1st function call argument is an uninitialized value [core.CallAndMessage]}}
}

llvm/lib/Support/Z3Solver.cpp

Show First 20 LinesShow All 723 Lines▼ Show 20 Lines SMTExprRef mkBoolean(const bool b) override {
return newExprRef(Z3Expr(Context, b ? Z3_mk_true(Context.Context) return newExprRef(Z3Expr(Context, b ? Z3_mk_true(Context.Context)
: Z3_mk_false(Context.Context))); : Z3_mk_false(Context.Context)));
} }
SMTExprRef mkBitvector(const llvm::APSInt Int, unsigned BitWidth) override { SMTExprRef mkBitvector(const llvm::APSInt Int, unsigned BitWidth) override {
const Z3_sort Z3Sort = toZ3Sort(*getBitvectorSort(BitWidth)).Sort; const Z3_sort Z3Sort = toZ3Sort(*getBitvectorSort(BitWidth)).Sort;
// Slow path, when 64 bits are not enough. // Slow path, when 64 bits are not enough.
if (LLVM_UNLIKELY(Int.getBitWidth() > 64u)) { if (LLVM_UNLIKELY(!Int.isRepresentableByInt64())) {
SmallString<40> Buffer; SmallString<40> Buffer;
Int.toString(Buffer, 10); Int.toString(Buffer, 10);
return newExprRef(Z3Expr( return newExprRef(Z3Expr(
Context, Z3_mk_numeral(Context.Context, Buffer.c_str(), Z3Sort))); Context, Z3_mk_numeral(Context.Context, Buffer.c_str(), Z3Sort)));
} }
const int64_t BitReprAsSigned = Int.getExtValue(); const int64_t BitReprAsSigned = Int.getExtValue();
const uint64_t BitReprAsUnsigned = const uint64_t BitReprAsUnsigned =
▲ Show 20 LinesShow All 178 LinesShow Last 20 Lines