This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
1
CStringChecker.cpp
-
Core/
15
RegionStore.cpp
-
test/Analysis/
-
Analysis/
-
initializer-list-struct-analysis-crash.c

Differential D144977

[analyzer] Fix of the initialization list parsing.
Needs ReviewPublic

Authored by earnol on Feb 28 2023, 8:45 AM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
isuckatcs

Summary

What had been done:
 - Passing a proper QualType for the initlist conversion
 - Compatibility fixes for unit tests introduced.
 - Various contingencies added to make sure the new code will be
   invoked only where it is needed.
 - New tests added to cover some cases in which new code will work
   properly. The cases where it will fail were not added
   intentionally as proper solution requires less localized
   changes.
 - Account for the case when source type info unavailable.

NB: Negative test cases were not added as problem was not fully
fixed and interlaced combinations of compound structures will
still cause crash, like union in array or array in struct
containing array with struct.

Diff Detail

Repository: rG LLVM Github Monorepo

Unit TestsFailed

	Time	Test
	260 ms	libcxx CI Modules > llvm-libc++-shared-cfg-in.libcxx/ranges/range_adaptors/range_all::all.nodiscard.verify.cpp
	200 ms	libcxx CI Modules > llvm-libc++-shared-cfg-in.libcxx/ranges/range_adaptors/range_common_view::adaptor.nodiscard.verify.cpp
	280 ms	libcxx CI Modules > llvm-libc++-shared-cfg-in.libcxx/ranges/range_adaptors/range_reverse::adaptor.nodiscard.verify.cpp
	460 ms	libcxx CI Modules > llvm-libc++-shared-cfg-in.libcxx/ranges/range_adaptors/range_transform::adaptor.nodiscard.verify.cpp
	2,950 ms	libcxx CI Modules > llvm-libc++-shared-cfg-in.std/algorithms/alg_modifying_operations/alg_copy::ranges.copy.segmented.pass.cpp
		View Full Test Results (22 Failed)

Event Timeline

earnol created this revision.Feb 28 2023, 8:45 AM

Herald added a reviewer: NoQ. · View Herald TranscriptFeb 28 2023, 8:45 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, manas, ASDenysPetrov and 9 others. · View Herald Transcript

earnol requested review of this revision.Feb 28 2023, 8:45 AM

Herald added a project: Restricted Project. · View Herald TranscriptFeb 28 2023, 8:45 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B216491: Diff 501164.Feb 28 2023, 10:11 AM

Hi, looks very interesting! We definitely have troubles with some initializer lists.

It looks like you're primarily interested in the alpha/unsupported checker, but your patch probably affects behavior of the default setup as well. If you've found any difference in results for the default setup, please include a test case! These are much more valuable. You can often use tools like creduce/cvise to reduce entire real-world translation units to tiny test cases, under the test predicate that "two compiler versions produce different output".

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
564–565	There's a bit of a confusing tradition here, mostly documented in my unsorted long rants in earlier patches, let me try to explain. `RegionStore` was built to recognize that type punning is a thing. You can write a value while treating the target location/region R as if it's supposed to hold a value of type T₁ and then load the value by treating the same memory location as if it holds a value of type T₂≠T₁. You can achieve it by having unions or by reinterpret-casting pointers. RegionStore needs to handle this reasonably well, no matter what T₁ and T₂ are. Even though strict aliasing rules put some restrictions on what T₁ and T₂ could be, the analyzer is still required to work correctly when the programmer actively relies on `-fno-strict-aliasing`. On top of that, every `MemRegion` R can have a type T(R) associated with it (accessed as `R->getValueType()`). This was probably a bad idea from the start, for at least three reasons: Again, type punning exists. Just because the region has a type, doesn't mean it holds a value of that type. In many cases we deal with regions with no associated type. For example, an unknown (symbolic) pointer of type `void *` definitely points to a certain memory region (we call it `SymbolicRegion`), but the type of the object in that region is most certainly not `void`. Finally, polymorphism: C++ pointers to base class type may actually point to objects of any derived class type. Not only the specific derived type is often unknown, but also the true derived type may not be necessarily available in the current translation unit, so we often don't have the AST to even describe it. This makes the type of `MemRegion` largely immaterial and hard to rely upon. Which is why `State->getSVal(R)` accepts an optional parameter T₂ which may be different from both T₁ and T(R). However, after some back-and-forth bugfixing, we've settled on agreeing that when T(R) exists, it doesn't make sense to pass any T₂ into `State->getSVal(R, T₂)` other than `T₂=T(R)`. Basically, if R already carries a type, then you don't have a good reason to pass a different type as T₂, given that you can always pass a different region R' instead, that represents the same memory location as R but has the desired value type T₂. So T₂ is only required when it's fundamentally impossible to discover the type from the region. So in order to eliminate the confusion, `getSVal()` tries to get rid of the extra parameter `T₂` as early as possible, and have a single source of truth going further down the call stack. I honestly no longer think this is a healthy strategy long-term. Ideally I think we should get rid of region types entirely; they cause more problems than they solve. But that's a much bigger change, and I'm worried that a partial step in this direction, not supported by any strategic vision, will only multiply confusion. So, long story short, given that `ElementRegion`s are always typed, I'm wondering if it's easier to simply recast the region in your case as well, instead of reintroducing such duplication of types.
1920	The lifetime of `InitList` is the same as lifetime of `factory`. Because `factory` is a local variable, this is going to be a use-after-free. You need to use the factory that lives inside `svalBuilder` instead, accessible through methods `getEmptySValList ()` and `prependSVal()` of `svalBuilder.getBasicValueFactory()`.

Szelethus added reviewers: xazax.hun, isuckatcs.Mar 2 2023, 5:44 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptMar 2 2023, 5:44 AM

isuckatcs added inline comments.Mar 2 2023, 7:39 AM

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1787	I assume `targetType` is the type we want to interpret the region as. Below this condition we seem to work with arrays. If `targetType` is an array, then we return something here instead of going further and returning something else we probably want. Why aren't we going further in that case?
1869	What about classes? class A { public: int x; }; struct B { int x; } `A` and `B` are technically the same, but `A` will fall into the true branch, `B` will fall into the false branch.
1891	This crashes if `ElemExpr` is a `nullptr`.
1914	Consider moving this into the for loop to avoid confusion.

earnol planned changes to this revision.Mar 2 2023, 1:49 PM

earnol added inline comments.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
564–565	You are right. Let me explain the situation. The initialization list does not always correct and full initialize variable in it's entirety. This is the issue i want to address. You may say having `T(R)` is good enough and in case of functions like `memcpy` it exists always, but the problem i want to address is whether the original memory region was fully and properly initialized or not. The proposed solution is neither full nor complete, it just slightly improve situation when we have structs and array intertwined. So in some cases existence `T(R)` is not something what we want as `T₂` is indeed different. Please also allow me amend the statement: `ElementRegions` are always typed. While they are do typed they are not always correctly typed. For example what type will have following initialization list: `{ {1, 2}, {3,4} }`? It can be array of 2 structures, or just 1 structure with 2 structures inside or it can be 2-dimentsional array. For this purpose we need to know true `T₂` while constructing and checking relevant SVal.
1920	Thank you for the great pointer. It makes sense to make changes this way. From my perspective `makeCompoundVal` accepted second parameter by value which made me bold enough to use local `InitList`

earnol requested review of this revision.Mar 2 2023, 2:09 PM

earnol added inline comments.

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
1787	A good comment and the answer would be because i wanted to limit my changes to the case of the struct/array of structs/nested structs only. To properly implement support of all cases the changes should be more global and more intrusive. My goal was to limit a scope and make baby step improvement. In short: because this code is not written yet and adding what you suggested will increase scope more than i wanted.
1869	Classes are currently not supported and were not tested. But adding class support would be no brainier here. However i wanted to limit the scope of the changes.
1891	Accepted. `nullptr` should never pop up with correctly constructed initialization list in the line 1890, but nobody promised me to have a correct initialization list here.
1914	If i am to do it i'll need to move line 1883 into the for loop as well for consistency making for loop bulky and cumbersome. Do you really think it will make code easier to understand? I propose to move iterator advance somewhere line 1890 so all `for` associated operation will be close to the for operator. How about it?

isuckatcs added inline comments.Mar 2 2023, 4:27 PM

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
432	I did some digging into the other parts of the checker and I'm not sure that we guarantee that every time `AccessKind::read` is performed, `Buffer` will be the source and not the destination. We just check an arbitrary element in an arbitrary buffer. For example if you look at `CStringChecker::evalMemcmp()`, it has the following content: // int memcmp(const void s1, const void s2, size_t n); CurrentFunctionDescription = "memory comparison function"; AnyArgExpr Left = {CE->getArg(0), 0}; AnyArgExpr Right = {CE->getArg(1), 1}; SizeArgExpr Size = {CE->getArg(2), 2}; ... State = CheckBufferAccess(C, State, Right, Size, AccessKind::read, CK); State = CheckBufferAccess(C, State, Left, Size, AccessKind::read, CK); `CStringChecker::CheckBufferAccess()` will eventually call your code and in the first case, you will deduce the type based on the destination and not the source. This logic might needs to be moved to a higher level function unless you can guarantee that always the correct type will be deduced. Or if the intention is not to deduce some information about the source array in a `memcpy` like function, it might be clearer to rename this variable to something that doesn't have either src or dst in it.
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
564–565	the problem i want to address is whether the original memory region was fully and properly initialized or not I think you can only do this outside `RegionStore`. The problem is that `RegionStore` only knows about the beginning of a region, but doesn't know about the size of it. If I understand correctly you want to bind the type to the region so that you can deduce whether a specific region is fully initialized or not based on the types, however you can do this outside `RegionStore` in any checker for the mentioned arrays and structs. Consider the following example: int arr[5] = {1, 2, 3, 4, 5}; You can see that the array has 5 elements and the initializer list also has 5 elements, so the array is initialized properly. What you might try doing here is that you create like a `set` that tracks every region that has been initialized and use it as a source of information to silence a false positive. E.g.: void false_positive() { int src[] = {1, 2, 3, 4}; <- add `src` to the set, so you mark it initialized int dst[5] = {0}; <- add `dst` to the set, so you mark it initialized memcpy(dst, src, 4 * sizeof(int)); // false-positive: // The 'src' buffer was correctly initialized, yet we cannot conclude // that since the analyzer could not see a direct initialization of the // very last byte of the source buffer. ^ Analyzer fails to recognize that the buffer is initialized, so it attempts to report a warning. Before you let that happen you look up `src` in the set that contains initialized buffers and decide if the warning is valid or not. } You might need to store more information, like the length of the array, but this approach might still improve the false positive rate. `ASTMatcher`s will be helpful if you think it worths pursuing. The same approach can be used for structs but then you compare init list elements with the number of fields
1891	You checked it on line 1848 too, that's why I thought I point this out.
1914	We do something similar to this loop in `ExprEngine::VisitLambdaExpr()`, I think it is perfectly readable but you can leave it like this if you want.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

CStringChecker.cpp

44 lines

Core/

RegionStore.cpp

107 lines

test/

Analysis/

initializer-list-struct-analysis-crash.c

30 lines

Diff 501164

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

//= CStringChecker.cpp - Checks calls to C string functions --------- C++ --//		//= CStringChecker.cpp - Checks calls to C string functions --------- C++ --//
		Lint: Lint Inline Actions clang-format not found in user’s local PATH; not linting file. Lint: Lint: clang-format not found in user’s local PATH; not linting file.
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
▲ Show 20 Lines • Show All 346 Lines • ▼ Show 20 Lines	ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,

// From here on, assume that the value is non-null.		// From here on, assume that the value is non-null.
assert(stateNonNull);		assert(stateNonNull);
return stateNonNull;		return stateNonNull;
}		}

// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?		// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,		ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
ProgramStateRef state,		ProgramStateRef State,
AnyArgExpr Buffer, SVal Element,		AnyArgExpr Buffer, SVal Element,
AccessKind Access,		AccessKind Access,
CharKind CK) const {		CharKind CK) const {

// If a previous check has failed, propagate the failure.		// If a previous check has failed, propagate the failure.
if (!state)		if (!State)
return nullptr;		return nullptr;

// Check for out of bound array element access.		// Check for out of bound array element access.
const MemRegion *R = Element.getAsRegion();		const MemRegion *R = Element.getAsRegion();
if (!R)		if (!R)
return state;		return State;

const auto *ER = dyn_cast<ElementRegion>(R);		const auto *ER = dyn_cast<ElementRegion>(R);
if (!ER)		if (!ER)
return state;		return State;

SValBuilder &svalBuilder = C.getSValBuilder();		SValBuilder &svalBuilder = C.getSValBuilder();
ASTContext &Ctx = svalBuilder.getContext();		ASTContext &Ctx = svalBuilder.getContext();

// Get the index of the accessed element.		// Get the index of the accessed element.
NonLoc Idx = ER->getIndex();		NonLoc Idx = ER->getIndex();

if (CK == CharKind::Regular) {		if (CK == CharKind::Regular) {
if (ER->getValueType() != Ctx.CharTy)		if (ER->getValueType() != Ctx.CharTy)
return state;		return State;
} else {		} else {
if (ER->getValueType() != Ctx.WideCharTy)		if (ER->getValueType() != Ctx.WideCharTy)
return state;		return State;

QualType SizeTy = Ctx.getSizeType();		QualType SizeTy = Ctx.getSizeType();
NonLoc WideSize =		NonLoc WideSize =
svalBuilder		svalBuilder
.makeIntVal(Ctx.getTypeSizeInChars(Ctx.WideCharTy).getQuantity(),		.makeIntVal(Ctx.getTypeSizeInChars(Ctx.WideCharTy).getQuantity(),
SizeTy)		SizeTy)
.castAs<NonLoc>();		.castAs<NonLoc>();
SVal Offset = svalBuilder.evalBinOpNN(state, BO_Mul, Idx, WideSize, SizeTy);		SVal Offset = svalBuilder.evalBinOpNN(State, BO_Mul, Idx, WideSize, SizeTy);
if (Offset.isUnknown())		if (Offset.isUnknown())
return state;		return State;
Idx = Offset.castAs<NonLoc>();		Idx = Offset.castAs<NonLoc>();
}		}

// Get the size of the array.		// Get the size of the array.
const auto *superReg = cast<SubRegion>(ER->getSuperRegion());		const auto *superReg = cast<SubRegion>(ER->getSuperRegion());
DefinedOrUnknownSVal Size =		DefinedOrUnknownSVal Size =
getDynamicExtent(state, superReg, C.getSValBuilder());		getDynamicExtent(State, superReg, C.getSValBuilder());

ProgramStateRef StInBound, StOutBound;		ProgramStateRef StInBound, StOutBound;
std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, Size);		std::tie(StInBound, StOutBound) = State->assumeInBoundDual(Idx, Size);
if (StOutBound && !StInBound) {		if (StOutBound && !StInBound) {
// These checks are either enabled by the CString out-of-bounds checker		// These checks are either enabled by the CString out-of-bounds checker
// explicitly or implicitly by the Malloc checker.		// explicitly or implicitly by the Malloc checker.
// In the latter case we only do modeling but do not emit warning.		// In the latter case we only do modeling but do not emit warning.
if (!Filter.CheckCStringOutOfBounds)		if (!Filter.CheckCStringOutOfBounds)
return nullptr;		return nullptr;

// Emit a bug report.		// Emit a bug report.
ErrorMessage Message =		ErrorMessage Message =
createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);		createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);		emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
return nullptr;		return nullptr;
}		}

// Ensure that we wouldn't read uninitialized value.		// Ensure that we wouldn't read uninitialized value.
if (Access == AccessKind::read) {		if (Access == AccessKind::read) {
if (Filter.CheckCStringUninitializedRead &&		if (Filter.CheckCStringUninitializedRead) {
StInBound->getSVal(ER).isUndef()) {		// get the right type for future construction
		const LocationContext *LCtx = C.getLocationContext();
		SVal SrcVal = State->getSVal(Buffer.Expression, LCtx);
		isuckatcsUnsubmitted Not Done Reply Inline Actions I did some digging into the other parts of the checker and I'm not sure that we guarantee that every time `AccessKind::read` is performed, `Buffer` will be the source and not the destination. We just check an arbitrary element in an arbitrary buffer. For example if you look at `CStringChecker::evalMemcmp()`, it has the following content: // int memcmp(const void s1, const void s2, size_t n); CurrentFunctionDescription = "memory comparison function"; AnyArgExpr Left = {CE->getArg(0), 0}; AnyArgExpr Right = {CE->getArg(1), 1}; SizeArgExpr Size = {CE->getArg(2), 2}; ... State = CheckBufferAccess(C, State, Right, Size, AccessKind::read, CK); State = CheckBufferAccess(C, State, Left, Size, AccessKind::read, CK); `CStringChecker::CheckBufferAccess()` will eventually call your code and in the first case, you will deduce the type based on the destination and not the source. This logic might needs to be moved to a higher level function unless you can guarantee that always the correct type will be deduced. Or if the intention is not to deduce some information about the source array in a `memcpy` like function, it might be clearer to rename this variable to something that doesn't have either src or dst in it. isuckatcs: I did some digging into the other parts of the checker and I'm not sure that we guarantee that…
		QualType SourceValType = SrcVal.getType(C.getASTContext());
		// attempt to use type "as is"
		QualType ConstructType = SourceValType;
		// if it is a pointer ==> obtain the true type
		if (SourceValType->isPointerType()) {
		ConstructType = SourceValType->getPointeeType();
		}
		// if the type unsuitable for analysis treat it as we have no
		// information about the type
		if (ConstructType->isVoidType()) {
		ConstructType = QualType();
		}
		if (StInBound->getSVal(ER, ConstructType).isUndef()) {
emitUninitializedReadBug(C, StInBound, Buffer.Expression);		emitUninitializedReadBug(C, StInBound, Buffer.Expression);
return nullptr;		return nullptr;
}		}
}		}
		}

// Array bound check succeeded. From this point forward the array bound		// Array bound check succeeded. From this point forward the array bound
// should always succeed.		// should always succeed.
return StInBound;		return StInBound;
}		}

ProgramStateRef		ProgramStateRef
CStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef State,		CStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
▲ Show 20 Lines • Show All 2,115 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

//== RegionStore.cpp - Field-sensitive store model --------------- C++ ---==//		//== RegionStore.cpp - Field-sensitive store model --------------- C++ ---==//
		Lint: Lint Inline Actions clang-format not found in user’s local PATH; not linting file. Lint: Lint: clang-format not found in user’s local PATH; not linting file.
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
Show All 13 Lines
#include "clang/Basic/JsonSupport.h"		#include "clang/Basic/JsonSupport.h"
#include "clang/Basic/TargetInfo.h"		#include "clang/Basic/TargetInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
		#include "llvm/ADT/ImmutableList.h"
#include "llvm/ADT/ImmutableMap.h"		#include "llvm/ADT/ImmutableMap.h"
#include "llvm/Support/raw_ostream.h"		#include "llvm/Support/raw_ostream.h"
#include <optional>		#include <optional>
#include <utility>		#include <utility>

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;

▲ Show 20 Lines • Show All 384 Lines • ▼ Show 20 Lines	public:

bool scanReachableSymbols(Store S, const MemRegion *R,		bool scanReachableSymbols(Store S, const MemRegion *R,
ScanReachableSymbols &Callbacks) override;		ScanReachableSymbols &Callbacks) override;

RegionBindingsRef removeSubRegionBindings(RegionBindingsConstRef B,		RegionBindingsRef removeSubRegionBindings(RegionBindingsConstRef B,
const SubRegion *R);		const SubRegion *R);
std::optional<SVal>		std::optional<SVal>
getConstantValFromConstArrayInitializer(RegionBindingsConstRef B,		getConstantValFromConstArrayInitializer(RegionBindingsConstRef B,
const ElementRegion *R);		const ElementRegion *R, QualType T);
std::optional<SVal>		std::optional<SVal>
getSValFromInitListExpr(const InitListExpr *ILE,		getSValFromInitListExpr(const InitListExpr *ILE, QualType VarT,
const SmallVector<uint64_t, 2> &ConcreteOffsets,		const SmallVector<uint64_t, 2> &ConcreteOffsets,
QualType ElemT);		QualType ElemT);
SVal getSValFromStringLiteral(const StringLiteral *SL, uint64_t Offset,		SVal getSValFromStringLiteral(const StringLiteral *SL, uint64_t Offset,
QualType ElemT);		QualType ElemT);

public: // Part of public interface to class.		public: // Part of public interface to class.

StoreRef Bind(Store store, Loc LV, SVal V) override {		StoreRef Bind(Store store, Loc LV, SVal V) override {
▲ Show 20 Lines • Show All 114 Lines • ▼ Show 20 Lines	std::optional<SVal> getDefaultBinding(Store S, const MemRegion *R) override {
// Default bindings are always applied over a base region so look up the		// Default bindings are always applied over a base region so look up the
// base region's default binding, otherwise the lookup will fail when R		// base region's default binding, otherwise the lookup will fail when R
// is at an offset from R->getBaseRegion().		// is at an offset from R->getBaseRegion().
return B.getDefaultBinding(R->getBaseRegion());		return B.getDefaultBinding(R->getBaseRegion());
}		}

SVal getBinding(RegionBindingsConstRef B, Loc L, QualType T = QualType());		SVal getBinding(RegionBindingsConstRef B, Loc L, QualType T = QualType());

SVal getBindingForElement(RegionBindingsConstRef B, const ElementRegion *R);		SVal getBindingForElement(RegionBindingsConstRef B, const ElementRegion *R,
		QualType T = QualType());
		NoQUnsubmitted Not Done Reply Inline Actions There's a bit of a confusing tradition here, mostly documented in my unsorted long rants in earlier patches, let me try to explain. `RegionStore` was built to recognize that type punning is a thing. You can write a value while treating the target location/region R as if it's supposed to hold a value of type T₁ and then load the value by treating the same memory location as if it holds a value of type T₂≠T₁. You can achieve it by having unions or by reinterpret-casting pointers. RegionStore needs to handle this reasonably well, no matter what T₁ and T₂ are. Even though strict aliasing rules put some restrictions on what T₁ and T₂ could be, the analyzer is still required to work correctly when the programmer actively relies on `-fno-strict-aliasing`. On top of that, every `MemRegion` R can have a type T(R) associated with it (accessed as `R->getValueType()`). This was probably a bad idea from the start, for at least three reasons: Again, type punning exists. Just because the region has a type, doesn't mean it holds a value of that type. In many cases we deal with regions with no associated type. For example, an unknown (symbolic) pointer of type `void ` definitely points to a certain memory region (we call it `SymbolicRegion`), but the type of the object in that region is most certainly not `void`. Finally, polymorphism: C++ pointers to base class type may actually point to objects of any derived class type. Not only the specific derived type is often unknown, but also the true derived type may not be necessarily available in the current translation unit, so we often don't have the AST to even describe it. This makes the type of `MemRegion` largely immaterial and hard to rely upon. Which is why `State->getSVal(R)` accepts an optional parameter T₂ which may be different from both T₁ and T(R). However, after some back-and-forth bugfixing, we've settled on agreeing that when T(R) exists, it doesn't make sense to pass any T₂ into `State->getSVal(R, T₂)` other than `T₂=T(R)`. Basically, if R already carries a type, then you don't have a good reason to pass a different type as T₂, given that you can always pass a different region R' instead, that represents the same memory location as R but has the desired value type T₂. So T₂ is only required when it's fundamentally impossible to discover the type from the region. So in order to eliminate the confusion, `getSVal()` tries to get rid of the extra parameter `T₂` as early as possible, and have a single source of truth going further down the call stack. I honestly no longer think this is a healthy strategy long-term. Ideally I think we should get rid of region types entirely; they cause more problems than they solve. But that's a much bigger change, and I'm worried that a partial step in this direction, not supported by any strategic vision, will only multiply confusion. So, long story short, given that `ElementRegion`s are always typed, I'm wondering if it's easier to simply recast the region in your case as well, instead of reintroducing such duplication of types. NoQ:* There's a bit of a confusing tradition here, mostly documented in my unsorted long rants in…
		earnolAuthorUnsubmitted Not Done Reply Inline Actions You are right. Let me explain the situation. The initialization list does not always correct and full initialize variable in it's entirety. This is the issue i want to address. You may say having `T(R)` is good enough and in case of functions like `memcpy` it exists always, but the problem i want to address is whether the original memory region was fully and properly initialized or not. The proposed solution is neither full nor complete, it just slightly improve situation when we have structs and array intertwined. So in some cases existence `T(R)` is not something what we want as `T₂` is indeed different. Please also allow me amend the statement: `ElementRegions` are always typed. While they are do typed they are not always correctly typed. For example what type will have following initialization list: `{ {1, 2}, {3,4} }`? It can be array of 2 structures, or just 1 structure with 2 structures inside or it can be 2-dimentsional array. For this purpose we need to know true `T₂` while constructing and checking relevant SVal. earnol: You are right. Let me explain the situation. The initialization list does not always correct…
		isuckatcsUnsubmitted Not Done Reply Inline Actions the problem i want to address is whether the original memory region was fully and properly initialized or not I think you can only do this outside `RegionStore`. The problem is that `RegionStore` only knows about the beginning of a region, but doesn't know about the size of it. If I understand correctly you want to bind the type to the region so that you can deduce whether a specific region is fully initialized or not based on the types, however you can do this outside `RegionStore` in any checker for the mentioned arrays and structs. Consider the following example: int arr[5] = {1, 2, 3, 4, 5}; You can see that the array has 5 elements and the initializer list also has 5 elements, so the array is initialized properly. What you might try doing here is that you create like a `set` that tracks every region that has been initialized and use it as a source of information to silence a false positive. E.g.: void false_positive() { int src[] = {1, 2, 3, 4}; <- add `src` to the set, so you mark it initialized int dst[5] = {0}; <- add `dst` to the set, so you mark it initialized memcpy(dst, src, 4 * sizeof(int)); // false-positive: // The 'src' buffer was correctly initialized, yet we cannot conclude // that since the analyzer could not see a direct initialization of the // very last byte of the source buffer. ^ Analyzer fails to recognize that the buffer is initialized, so it attempts to report a warning. Before you let that happen you look up `src` in the set that contains initialized buffers and decide if the warning is valid or not. } You might need to store more information, like the length of the array, but this approach might still improve the false positive rate. `ASTMatcher`s will be helpful if you think it worths pursuing. The same approach can be used for structs but then you compare init list elements with the number of fields isuckatcs: >the problem i want to address is whether the original memory region was fully and properly…

SVal getBindingForField(RegionBindingsConstRef B, const FieldRegion *R);		SVal getBindingForField(RegionBindingsConstRef B, const FieldRegion *R);

SVal getBindingForObjCIvar(RegionBindingsConstRef B, const ObjCIvarRegion *R);		SVal getBindingForObjCIvar(RegionBindingsConstRef B, const ObjCIvarRegion *R);

SVal getBindingForVar(RegionBindingsConstRef B, const VarRegion *R);		SVal getBindingForVar(RegionBindingsConstRef B, const VarRegion *R);

SVal getBindingForLazySymbol(const TypedValueRegion *R);		SVal getBindingForLazySymbol(const TypedValueRegion *R);
▲ Show 20 Lines • Show All 899 Lines • ▼ Show 20 Lines	if (const FieldRegion* FR = dyn_cast<FieldRegion>(R))
return svalBuilder.evalCast(getBindingForField(B, FR), T, QualType{});		return svalBuilder.evalCast(getBindingForField(B, FR), T, QualType{});

if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) {		if (const ElementRegion* ER = dyn_cast<ElementRegion>(R)) {
// FIXME: Here we actually perform an implicit conversion from the loaded		// FIXME: Here we actually perform an implicit conversion from the loaded
// value to the element type. Eventually we want to compose these values		// value to the element type. Eventually we want to compose these values
// more intelligently. For example, an 'element' can encompass multiple		// more intelligently. For example, an 'element' can encompass multiple
// bound regions (e.g., several bound bytes), or could be a subset of		// bound regions (e.g., several bound bytes), or could be a subset of
// a larger value.		// a larger value.
return svalBuilder.evalCast(getBindingForElement(B, ER), T, QualType{});		return svalBuilder.evalCast(getBindingForElement(B, ER, T), T, QualType{});
}		}

if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) {		if (const ObjCIvarRegion *IVR = dyn_cast<ObjCIvarRegion>(R)) {
// FIXME: Here we actually perform an implicit conversion from the loaded		// FIXME: Here we actually perform an implicit conversion from the loaded
// value to the ivar type. What we should model is stores to ivars		// value to the ivar type. What we should model is stores to ivars
// that blow past the extent of the ivar. If the address of the ivar is		// that blow past the extent of the ivar. If the address of the ivar is
// reinterpretted, it is possible we stored a different value that could		// reinterpretted, it is possible we stored a different value that could
// fit within the ivar. Either we need to cast these when storing them		// fit within the ivar. Either we need to cast these when storing them
▲ Show 20 Lines • Show All 230 Lines • ▼ Show 20 Lines	for (SVal V : llvm::reverse(SrcOffsets)) {
// FIXME: We also need to take ElementRegions with symbolic indexes into		// FIXME: We also need to take ElementRegions with symbolic indexes into
// account.		// account.
return UnknownVal();		return UnknownVal();
}		}
return std::nullopt;		return std::nullopt;
}		}

std::optional<SVal> RegionStoreManager::getConstantValFromConstArrayInitializer(		std::optional<SVal> RegionStoreManager::getConstantValFromConstArrayInitializer(
RegionBindingsConstRef B, const ElementRegion *R) {		RegionBindingsConstRef B, const ElementRegion *R, QualType targetType) {
assert(R && "ElementRegion should not be null");		assert(R && "ElementRegion should not be null");

// Treat an n-dimensional array.		// Treat an n-dimensional array.
SmallVector<SVal, 2> SValOffsets;		SmallVector<SVal, 2> SValOffsets;
const MemRegion *Base;		const MemRegion *Base;
std::tie(SValOffsets, Base) = getElementRegionOffsetsWithBase(R);		std::tie(SValOffsets, Base) = getElementRegionOffsetsWithBase(R);
const VarRegion *VR = dyn_cast<VarRegion>(Base);		const VarRegion *VR = dyn_cast<VarRegion>(Base);
if (!VR)		if (!VR)
Show All 39 Lines	std::optional<SVal> RegionStoreManager::getConstantValFromConstArrayInitializer(
// int arr[1][2][3];		// int arr[1][2][3];
// auto ptr = (int(*)[42])arr;		// auto ptr = (int(*)[42])arr;
// auto x = ptr[4][2]; // UB		// auto x = ptr[4][2]; // UB
// FIXME: Should return UndefinedVal.		// FIXME: Should return UndefinedVal.
if (SValOffsets.size() != Extents.size())		if (SValOffsets.size() != Extents.size())
return std::nullopt;		return std::nullopt;

SmallVector<uint64_t, 2> ConcreteOffsets;		SmallVector<uint64_t, 2> ConcreteOffsets;
if (std::optional<SVal> V = convertOffsetsFromSvalToUnsigneds(		std::optional<SVal> V =
SValOffsets, Extents, ConcreteOffsets))		convertOffsetsFromSvalToUnsigneds(SValOffsets, Extents, ConcreteOffsets);
		if (V &&
		(!targetType->isStructureOrClassType() && !targetType->isUnionType()))
		isuckatcsUnsubmitted Not Done Reply Inline Actions I assume `targetType` is the type we want to interpret the region as. Below this condition we seem to work with arrays. If `targetType` is an array, then we return something here instead of going further and returning something else we probably want. Why aren't we going further in that case? isuckatcs: I assume `targetType` is the type we want to interpret the region as. Below this condition we…
		earnolAuthorUnsubmitted Not Done Reply Inline Actions A good comment and the answer would be because i wanted to limit my changes to the case of the struct/array of structs/nested structs only. To properly implement support of all cases the changes should be more global and more intrusive. My goal was to limit a scope and make baby step improvement. In short: because this code is not written yet and adding what you suggested will increase scope more than i wanted. earnol: A good comment and the answer would be because i wanted to limit my changes to the case of the…
return *V;		return *V;

// Handle InitListExpr.		// Handle InitListExpr.
// Example:		// Example:
// const char arr[4][2] = { { 1, 2 }, { 3 }, 4, 5 };		// const char arr[4][2] = { { 1, 2 }, { 3 }, 4, 5 };
if (const auto *ILE = dyn_cast<InitListExpr>(Init))		if (const auto *ILE = dyn_cast<InitListExpr>(Init))
return getSValFromInitListExpr(ILE, ConcreteOffsets, R->getElementType());		return getSValFromInitListExpr(ILE, targetType, ConcreteOffsets,
		R->getElementType());

// Handle StringLiteral.		// Handle StringLiteral.
// Example:		// Example:
// const char arr[] = "abc";		// const char arr[] = "abc";
if (const auto *SL = dyn_cast<StringLiteral>(Init))		if (const auto *SL = dyn_cast<StringLiteral>(Init))
return getSValFromStringLiteral(SL, ConcreteOffsets.front(),		return getSValFromStringLiteral(SL, ConcreteOffsets.front(),
R->getElementType());		R->getElementType());

Show All 15 Lines
/// sublist;		/// sublist;
/// - {3, 0} returns SVal{0}, because there's no explicit value at this		/// - {3, 0} returns SVal{0}, because there's no explicit value at this
/// position in the sublist.		/// position in the sublist.
///		///
/// NOTE: Inorder to get a valid SVal, a caller shall guarantee valid offsets		/// NOTE: Inorder to get a valid SVal, a caller shall guarantee valid offsets
/// for the given initialization list. Otherwise SVal can be an equivalent to 0		/// for the given initialization list. Otherwise SVal can be an equivalent to 0
/// or lead to assertion.		/// or lead to assertion.
std::optional<SVal> RegionStoreManager::getSValFromInitListExpr(		std::optional<SVal> RegionStoreManager::getSValFromInitListExpr(
const InitListExpr *ILE, const SmallVector<uint64_t, 2> &Offsets,		const InitListExpr *ILE, QualType VarT,
QualType ElemT) {		const SmallVector<uint64_t, 2> &Offsets, QualType ElemT) {
assert(ILE && "InitListExpr should not be null");		assert(ILE && "InitListExpr should not be null");

for (uint64_t Offset : Offsets) {		for (uint64_t Offset : Offsets) {
// C++20 [dcl.init.string] 9.4.2.1:		// C++20 [dcl.init.string] 9.4.2.1:
// An array of ordinary character type [...] can be initialized by [...]		// An array of ordinary character type [...] can be initialized by [...]
// an appropriately-typed string-literal enclosed in braces.		// an appropriately-typed string-literal enclosed in braces.
// Example:		// Example:
// const char arr[] = { "abc" };		// const char arr[] = { "abc" };
if (ILE->isStringLiteralInit())		if (ILE->isStringLiteralInit())
if (const auto *SL = dyn_cast<StringLiteral>(ILE->getInit(0)))		if (const auto *SL = dyn_cast<StringLiteral>(ILE->getInit(0)))
return getSValFromStringLiteral(SL, Offset, ElemT);		return getSValFromStringLiteral(SL, Offset, ElemT);

// C++20 [expr.add] 9.4.17.5 (excerpt):		// C++20 [expr.add] 9.4.17.5 (excerpt):
// i-th array element is value-initialized for each k < i ≤ n,		// i-th array element is value-initialized for each k < i ≤ n,
// where k is an expression-list size and n is an array extent.		// where k is an expression-list size and n is an array extent.
if (Offset >= ILE->getNumInits())		if (Offset >= ILE->getNumInits())
return svalBuilder.makeZeroVal(ElemT);		return svalBuilder.makeZeroVal(ElemT);

const Expr *E = ILE->getInit(Offset);		const Expr *E = ILE->getInit(Offset);
		// go to next if there is no expression
		if (!E)
		continue;
		// obtain init list expression if it is really one
const auto *IL = dyn_cast<InitListExpr>(E);		const auto *IL = dyn_cast<InitListExpr>(E);
if (!IL)		if (!IL)
// Return a constant value, if it is presented.		// Return a constant value, if it is presented.
// FIXME: Support other SVals.
return svalBuilder.getConstantVal(E);		return svalBuilder.getConstantVal(E);
		else {
		// if value a list to process it getting individual values
		llvm::ImmutableListFactory<SVal> factory;
		llvm::ImmutableList<SVal> InitList = factory.getEmptyList();
		const Expr *ElemExpr = nullptr;
		// HACK: This if is required for init lists like {[0][0]=1,[1][1]=2}
		// However it is a HACK as it will fail on this kind of init list of
		// structures
		if (VarT->isBuiltinType()) {
		// Go to the nested initializer list.
		ILE = IL;
		continue;
		}
		// if we are here we have struct or union?
		if (!VarT->isStructureType()) {
		isuckatcsUnsubmitted Not Done Reply Inline Actions What about classes? class A { public: int x; }; struct B { int x; } `A` and `B` are technically the same, but `A` will fall into the true branch, `B` will fall into the false branch. isuckatcs: What about classes? ``` class A { public: int x; }; struct B { int x; } ``` `A` and…
		earnolAuthorUnsubmitted Not Done Reply Inline Actions Classes are currently not supported and were not tested. But adding class support would be no brainier here. However i wanted to limit the scope of the changes. earnol: Classes are currently not supported and were not tested. But adding class support would be no…
		// TODO: support other options like unions or arrays or VLAs
		// but still attempt to deduce what we can
		std::optional<SVal> ReplacementConst = svalBuilder.getConstantVal(E);
		if (ReplacementConst) {
		return ReplacementConst;
		}
		//
		// we will return UnknownVal for something we are not properly
		// supporting
		return UnknownVal();
		}
		// obtain type iterator
		RecordDecl *RecDecl = VarT->getAsRecordDecl();
		RecordDecl::field_iterator RecIter = RecDecl->field_begin();
		// iterate over all discovered elements
		for (size_t Idx = 0; Idx < IL->getNumInits(); Idx++) {
		// having extra inits for structure is UB, so... return UB
		if (RecIter == RecDecl->field_end()) {
		return UndefinedVal();
		}
		ElemExpr = IL->getInit(Idx);
		std::optional<SVal> ConstVal = svalBuilder.getConstantVal(ElemExpr);
		isuckatcsUnsubmitted Not Done Reply Inline Actions This crashes if `ElemExpr` is a `nullptr`. isuckatcs: This crashes if `ElemExpr` is a `nullptr`.
		earnolAuthorUnsubmitted Not Done Reply Inline Actions Accepted. `nullptr` should never pop up with correctly constructed initialization list in the line 1890, but nobody promised me to have a correct initialization list here. earnol: Accepted. `nullptr` should never pop up with correctly constructed initialization list in the…
		isuckatcsUnsubmitted Not Done Reply Inline Actions You checked it on line 1848 too, that's why I thought I point this out. isuckatcs: You checked it on line 1848 too, that's why I thought I point this out.
		// if there is no value create a zero one
		if (!ConstVal.has_value()) {
		// we can create a substitution with
		// constVal = svalBuilder.makeZeroVal(elemExpr->getType());
		if (InitList.isEmpty()) {
		// or go deeper if no value and extra parsing needed
		ILE = IL;
		} else {
		// do a recursive call here and fill constVal with the result
		const InitListExpr *InListExpr = dyn_cast<InitListExpr>(ElemExpr);
		// we need this if here as there can be a function call
		if (InListExpr) {
		SmallVector<uint64_t, 2> InternalOffsetsArr;
		InternalOffsetsArr.append(1, Offset);
		QualType RecElemTrgType = (*RecIter)->getType();
		ConstVal = this->getSValFromInitListExpr(
		InListExpr, RecElemTrgType, InternalOffsetsArr, ElemT);
		} else {
		// and thus we have no idea without properly tracking
		return UndefinedVal();
		}
		}
		RecIter++;
		isuckatcsUnsubmitted Not Done Reply Inline Actions Consider moving this into the for loop to avoid confusion. isuckatcs: Consider moving this into the for loop to avoid confusion.
		earnolAuthorUnsubmitted Not Done Reply Inline Actions If i am to do it i'll need to move line 1883 into the for loop as well for consistency making for loop bulky and cumbersome. Do you really think it will make code easier to understand? I propose to move iterator advance somewhere line 1890 so all `for` associated operation will be close to the for operator. How about it? earnol: If i am to do it i'll need to move line 1883 into the for loop as well for consistency making…
		isuckatcsUnsubmitted Not Done Reply Inline Actions We do something similar to this loop in `ExprEngine::VisitLambdaExpr()`, I think it is perfectly readable but you can leave it like this if you want. isuckatcs: We do something similar to this loop in `ExprEngine::VisitLambdaExpr()`, I think it is…
		continue;
		}
		InitList = factory.add(ConstVal.value(), InitList);
		}
		if (ElemExpr) {
		return svalBuilder.makeCompoundVal(VarT, InitList);
		NoQUnsubmitted Not Done Reply Inline Actions The lifetime of `InitList` is the same as lifetime of `factory`. Because `factory` is a local variable, this is going to be a use-after-free. You need to use the factory that lives inside `svalBuilder` instead, accessible through methods `getEmptySValList ()` and `prependSVal()` of `svalBuilder.getBasicValueFactory()`. NoQ: The lifetime of `InitList` is the same as lifetime of `factory`. Because `factory` is a local…
		earnolAuthorUnsubmitted Not Done Reply Inline Actions Thank you for the great pointer. It makes sense to make changes this way. From my perspective `makeCompoundVal` accepted second parameter by value which made me bold enough to use local `InitList` earnol: Thank you for the great pointer. It makes sense to make changes this way. From my perspective…
		}
		RecIter++;
		}
// Go to the nested initializer list.		// Go to the nested initializer list.
ILE = IL;		ILE = IL;
}		}
llvm_unreachable(		llvm_unreachable(
"Unhandled InitListExpr sub-expressions or invalid offsets.");		"Unhandled InitListExpr sub-expressions or invalid offsets.");
}		}

/// Returns an SVal, if possible, for the specified position in a string		/// Returns an SVal, if possible, for the specified position in a string
▲ Show 20 Lines • Show All 53 Lines • ▼ Show 20 Lines	if (Ctx.getTypeSizeInChars(BaseTy) >= Ctx.getTypeSizeInChars(Ty)) {
return UnknownVal();		return UnknownVal();
}		}
}		}
}		}
return std::nullopt;		return std::nullopt;
}		}

SVal RegionStoreManager::getBindingForElement(RegionBindingsConstRef B,		SVal RegionStoreManager::getBindingForElement(RegionBindingsConstRef B,
const ElementRegion* R) {		const ElementRegion *R,
		QualType targetType) {
// Check if the region has a binding.		// Check if the region has a binding.
if (const std::optional<SVal> &V = B.getDirectBinding(R))		if (const std::optional<SVal> &V = B.getDirectBinding(R))
return *V;		return *V;

const MemRegion* superR = R->getSuperRegion();		const MemRegion* superR = R->getSuperRegion();

// Check if the region is an element region of a string literal.		// Check if the region is an element region of a string literal.
if (const StringRegion *StrR = dyn_cast<StringRegion>(superR)) {		if (const StringRegion *StrR = dyn_cast<StringRegion>(superR)) {
// FIXME: Handle loads from strings where the literal is treated as		// FIXME: Handle loads from strings where the literal is treated as
// an integer, e.g., ((unsigned int)"hello"). Such loads are UB according		// an integer, e.g., ((unsigned int)"hello"). Such loads are UB according
// to C++20 7.2.1.11 [basic.lval].		// to C++20 7.2.1.11 [basic.lval].
QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType();		QualType T = Ctx.getAsArrayType(StrR->getValueType())->getElementType();
if (!Ctx.hasSameUnqualifiedType(T, R->getElementType()))		if (!Ctx.hasSameUnqualifiedType(T, R->getElementType()))
return UnknownVal();		return UnknownVal();
if (const auto CI = R->getIndex().getAs<nonloc::ConcreteInt>()) {		if (const auto CI = R->getIndex().getAs<nonloc::ConcreteInt>()) {
const llvm::APSInt &Idx = CI->getValue();		const llvm::APSInt &Idx = CI->getValue();
if (Idx < 0)		if (Idx < 0)
return UndefinedVal();		return UndefinedVal();
const StringLiteral *SL = StrR->getStringLiteral();		const StringLiteral *SL = StrR->getStringLiteral();
return getSValFromStringLiteral(SL, Idx.getZExtValue(), T);		return getSValFromStringLiteral(SL, Idx.getZExtValue(), T);
}		}
} else if (isa<ElementRegion, VarRegion>(superR)) {		} else if (isa<ElementRegion, VarRegion>(superR)) {
if (std::optional<SVal> V = getConstantValFromConstArrayInitializer(B, R))		if (std::optional<SVal> V =
		getConstantValFromConstArrayInitializer(B, R, targetType))
return *V;		return *V;
}		}

// Check for loads from a code text region. For such loads, just give up.		// Check for loads from a code text region. For such loads, just give up.
if (isa<CodeTextRegion>(superR))		if (isa<CodeTextRegion>(superR))
return UnknownVal();		return UnknownVal();

// Handle the case where we are indexing into a larger scalar object.		// Handle the case where we are indexing into a larger scalar object.
▲ Show 20 Lines • Show All 988 Lines • Show Last 20 Lines

clang/test/Analysis/initializer-list-struct-analysis-crash.c

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=core -analyzer-checker=alpha.unix.cstring.OutOfBounds,alpha.unix.cstring.UninitializedRead -verify %s
				// expected-no-diagnostics


				// Just don't crash.

				typedef __typeof(sizeof(int)) size_t;
				void memcpy(void to, void const *from, size_t count);

				// test 1

				typedef struct _shortStruct {
				short a;
				short b;
				} shortStruct, *p_shortStruct;
				const shortStruct Info[2] = { { 0, 1, }, { 2, 3, },};
				void clang_analyzer_dump(short);
				static void xxx_shortStruct(void)
				{
				shortStruct local_info[2];
				memcpy(local_info, Info, sizeof(struct _shortStruct) * 2);
				}

				// test 2
				const short InfoArray[2][2] = { { 0, 1, }, { 2, 3, },};
				static void xxxArray(void)
				{
				short local_info[2][2];
				memcpy(local_info, InfoArray, sizeof(short) * 4);
				}