This is an archive of the discontinued LLVM Phabricator instance.

Fix ProgramState::isNull for non-region symbols
Needs ReviewPublic

Authored by chrisbazley on Jan 27 2023, 8:54 AM.

Download Raw Diff

Details

Reviewers

Summary

This method was good at telling that a pointer
definitely is null, but bad at telling that it
definitely isn't null. For example, it returned
'not sure' in the following trivial case:

int main(void)
{

int p;
int _Optional *q = &p;
if (q) {
  *q = 0; // spurious warning
}
return 0;

}

When analyzing the above program, the statement
if (q) does not create a constraint such as range
[1, 18446744073709551615] for use in future
inferences about the value of q. The reason is
that SimpleConstraintManager::assumeInternal
replaces the condition specified by its caller with
1 if invoked on a symbol (such as q) that lacks an
associated memory region. Constraints are not
recorded for integer constants.

Added fallback in ProgramState::isNull to do the same
conversion and check for a zero result if invoked
on an expression which is not a constant and does
not wrap a symbol (or wraps a symbol that lacks a
memory region).

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

chrisbazley created this revision.Jan 27 2023, 8:54 AM

Herald added a reviewer: NoQ. · View Herald TranscriptJan 27 2023, 8:54 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, martong. · View Herald Transcript

chrisbazley requested review of this revision.Jan 27 2023, 8:54 AM

Herald added a project: Restricted Project. · View Herald TranscriptJan 27 2023, 8:54 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

chrisbazley added a parent revision: D142739: Standalone checker for use of _Optional qualifier.Jan 27 2023, 8:54 AM

chrisbazley added a child revision: D142742: Generate ImplicitNullDerefEvent from CallAndMessageChecker.

Harbormaster completed remote builds in B210387: Diff 492789.Jan 27 2023, 11:11 AM

Please refer to https://discourse.llvm.org/t/rfc-optional-a-type-qualifier-to-indicate-pointer-nullability/ and https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3089.pdf for the wider context of this commit.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

ProgramState.cpp

18 lines

Diff 492789

clang/lib/StaticAnalyzer/Core/ProgramState.cpp

	Show First 20 Lines • Show All 380 Lines • ▼ Show 20 Lines
	ConditionTruthVal ProgramState::isNull(SVal V) const {			ConditionTruthVal ProgramState::isNull(SVal V) const {
	if (V.isZeroConstant())			if (V.isZeroConstant())
	return true;			return true;

	if (V.isConstant())			if (V.isConstant())
	return false;			return false;

	SymbolRef Sym = V.getAsSymbol(/* IncludeBaseRegion */ true);			SymbolRef Sym = V.getAsSymbol(/* IncludeBaseRegion */ true);
	if (!Sym)			if (!Sym) {
				if (Optional<Loc> LV = V.getAs<Loc>()) {
				SValBuilder &SVB = stateMgr->getSValBuilder();
				QualType T;
				const MemRegion *MR = LV->getAsRegion();
				if (const TypedRegion *TR = dyn_cast_or_null<TypedRegion>(MR))
				T = TR->getLocationType();
				else
				T = SVB.getContext().VoidPtrTy;

				V = SVB.evalCast(*LV, SVB.getContext().BoolTy, T);
				auto const integer = V.getAsInteger();
				if (integer) {
				return integer->isZero();
				}
				}
	return ConditionTruthVal();			return ConditionTruthVal();
				}

	return getStateManager().ConstraintMgr->isNull(this, Sym);			return getStateManager().ConstraintMgr->isNull(this, Sym);
	}			}

	ProgramStateRef ProgramStateManager::getInitialState(const LocationContext *InitLoc) {			ProgramStateRef ProgramStateManager::getInitialState(const LocationContext *InitLoc) {
	ProgramState State(this,			ProgramState State(this,
	EnvMgr.getInitialEnvironment(),			EnvMgr.getInitialEnvironment(),
	StoreMgr->getInitialStore(InitLoc),			StoreMgr->getInitialStore(InitLoc),
	▲ Show 20 Lines • Show All 260 Lines • Show Last 20 Lines