This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/lib/StaticAnalyzer/Checkers/
-
lib/
-
StaticAnalyzer/
-
Checkers/
1/3
DynamicTypePropagation.cpp

Differential D152194

[StaticAnalyzer] Fix nullptr dereference issue found by static analyzer tool
ClosedPublic

Authored by Manna on Jun 5 2023, 1:28 PM.

Download Raw Diff

Details

Reviewers

erichkeane
NoQ
steakhal

Commits

rGa806ec4857c2: [analyzer] Refactor codes in findMethodDecl()

Summary

This patch uses castAs instead of getAs which will assert if the type doesn't match and directly uses ReceiverType->castAs<ObjCObjectPointerType>() instead of ReceiverObjectPtrType when calling canAssignObjCInterfaces() in findMethodDecl(clang::ObjCMessageExpr const *, clang::ObjCObjectPointerType const *, clang::ASTContext &).

Diff Detail

Event Timeline

Manna created this revision.Jun 5 2023, 1:28 PM

Herald added a reviewer: NoQ. · View Herald TranscriptJun 5 2023, 1:28 PM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, manas, ASDenysPetrov and 6 others. · View Herald Transcript

Manna requested review of this revision.Jun 5 2023, 1:28 PM

Herald added a project: Restricted Project. · View Herald TranscriptJun 5 2023, 1:28 PM

Manna added inline comments.Jun 5 2023, 1:31 PM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
756	We are assigning: ReceiverObjectPtrType = nullptr return value from getAs. const auto *ReceiverObjectPtrType = ReceiverType->getAs<ObjCObjectPointerType>(); Then we are dereferencing nullptr ReceiverObjectPtrType when calling canAssignObjCInterfaces()

Harbormaster completed remote builds in B236715: Diff 528561.Jun 5 2023, 3:55 PM

erichkeane added inline comments.Jun 6 2023, 6:22 AM

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp
756	This isn't NFC, as `ReceiverObjectPtrType` is only used here. If the `MessageExpr` `ReceiverKind` is not `Instance` or `Class`, we never dereference this. So the declaration should be in this branch.
756	Oh, and ALSO, we don't dereference it if `ReceiverType` is `ObjCIdType` or `ObhjCClassType`.

I agree with @erichkeane.
However, I can also see that the code could be improved.

I don't understand why we have that variable hoisted from the guarded block in the first place.
We could directly use ReceiverType->castAs<ObjCObjectPointerType>() instead of ReceiverObjectPtrType.

This revision now requires changes to proceed.Jun 6 2023, 6:48 AM

Thank you @erichkeane and @steakhal for reviews and feedbacks. I have updated patch to address your review comments.

Herald added a subscriber: szepet. · View Herald TranscriptJun 6 2023, 7:45 PM

Manna edited the summary of this revision. (Show Details)Jun 6 2023, 7:47 PM

Harbormaster completed remote builds in B237153: Diff 529133.Jun 6 2023, 10:38 PM

Please update the title and the summary of this patch to reflect what it actually achieves.
We also usually use the [analyzer] tag only for changes touching StaticAnalyzer stuff.

After these, you can merge the patch.
Thanks for refactoring the to express the intent more clearly.

This revision is now accepted and ready to land.Jun 7 2023, 1:10 AM

erichkeane accepted this revision.Jun 7 2023, 6:23 AM

Thank you @erichkeane and @steakhal for reviews and comments.

In D152194#4402377, @steakhal wrote:

Please update the title and the summary of this patch to reflect what it actually achieves.
We also usually use the [analyzer] tag only for changes touching StaticAnalyzer stuff.

After these, you can merge the patch.

Yes, i will update the title and summary of this patch before merging the patch.

Closed by commit rGa806ec4857c2: [analyzer] Refactor codes in findMethodDecl() (authored by Manna). · Explain WhyJun 28 2023, 8:40 PM

This revision was automatically updated to reflect the committed changes.

Manna added a commit: rGa806ec4857c2: [analyzer] Refactor codes in findMethodDecl().

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

DynamicTypePropagation.cpp

2 lines

Diff 528561

clang/lib/StaticAnalyzer/Checkers/DynamicTypePropagation.cpp

	Show First 20 Lines • Show All 737 Lines • ▼ Show 20 Lines
	/// more likely that the parameter substitution will be successful.			/// more likely that the parameter substitution will be successful.
	static const ObjCMethodDecl *			static const ObjCMethodDecl *
	findMethodDecl(const ObjCMessageExpr *MessageExpr,			findMethodDecl(const ObjCMessageExpr *MessageExpr,
	const ObjCObjectPointerType *TrackedType, ASTContext &ASTCtxt) {			const ObjCObjectPointerType *TrackedType, ASTContext &ASTCtxt) {
	const ObjCMethodDecl *Method = nullptr;			const ObjCMethodDecl *Method = nullptr;

	QualType ReceiverType = MessageExpr->getReceiverType();			QualType ReceiverType = MessageExpr->getReceiverType();
	const auto *ReceiverObjectPtrType =			const auto *ReceiverObjectPtrType =
	ReceiverType->getAs<ObjCObjectPointerType>();			ReceiverType->castAs<ObjCObjectPointerType>();

	// Do this "devirtualization" on instance and class methods only. Trust the			// Do this "devirtualization" on instance and class methods only. Trust the
	// static type on super and super class calls.			// static type on super and super class calls.
	if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Instance \|\|			if (MessageExpr->getReceiverKind() == ObjCMessageExpr::Instance \|\|
	MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {			MessageExpr->getReceiverKind() == ObjCMessageExpr::Class) {
	// When the receiver type is id, Class, or some super class of the tracked			// When the receiver type is id, Class, or some super class of the tracked
	// type, look up the method in the tracked type, not in the receiver type.			// type, look up the method in the tracked type, not in the receiver type.
	// This way we preserve more information.			// This way we preserve more information.
	if (ReceiverType->isObjCIdType() \|\| ReceiverType->isObjCClassType() \|\|			if (ReceiverType->isObjCIdType() \|\| ReceiverType->isObjCClassType() \|\|
	ASTCtxt.canAssignObjCInterfaces(ReceiverObjectPtrType, TrackedType)) {			ASTCtxt.canAssignObjCInterfaces(ReceiverObjectPtrType, TrackedType)) {
				MannaAuthorUnsubmitted Done Reply Inline Actions We are assigning: ReceiverObjectPtrType = nullptr return value from getAs. const auto ReceiverObjectPtrType = ReceiverType->getAs<ObjCObjectPointerType>(); Then we are dereferencing nullptr ReceiverObjectPtrType when calling canAssignObjCInterfaces() Manna:* We are assigning: ReceiverObjectPtrType = nullptr return value from getAs. ``` const auto…
				erichkeaneUnsubmitted Not Done Reply Inline Actions This isn't NFC, as `ReceiverObjectPtrType` is only used here. If the `MessageExpr` `ReceiverKind` is not `Instance` or `Class`, we never dereference this. So the declaration should be in this branch. erichkeane: This isn't NFC, as `ReceiverObjectPtrType` is only used here. If the `MessageExpr`…
				erichkeaneUnsubmitted Not Done Reply Inline Actions Oh, and ALSO, we don't dereference it if `ReceiverType` is `ObjCIdType` or `ObhjCClassType`. erichkeane: Oh, and ALSO, we don't dereference it if `ReceiverType` is `ObjCIdType` or `ObhjCClassType`.
	const ObjCInterfaceDecl *InterfaceDecl = TrackedType->getInterfaceDecl();			const ObjCInterfaceDecl *InterfaceDecl = TrackedType->getInterfaceDecl();
	// The method might not be found.			// The method might not be found.
	Selector Sel = MessageExpr->getSelector();			Selector Sel = MessageExpr->getSelector();
	Method = InterfaceDecl->lookupInstanceMethod(Sel);			Method = InterfaceDecl->lookupInstanceMethod(Sel);
	if (!Method)			if (!Method)
	Method = InterfaceDecl->lookupClassMethod(Sel);			Method = InterfaceDecl->lookupClassMethod(Sel);
	}			}
	}			}
	▲ Show 20 Lines • Show All 353 Lines • Show Last 20 Lines