This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/lib/Sema/
-
lib/
-
Sema/
6/6
SemaExpr.cpp

Differential D152197

Fix static analyzer bugs with null pointer dereferences in CheckSizelessVectorOperands()
AbandonedPublic

Authored by Manna on Jun 5 2023, 1:44 PM.

Download Raw Diff

Details

Reviewers

erichkeane
sdesmalen

Summary

This patch adds nullptr checks for LHSBuiltinTy and RHSBuiltinTy before using them to getBuiltinVectorTypeInfo() in clang::Sema::CheckSizelessVectorOperands(clang::ActionResult<clang::Expr *, true> &, clang::ActionResult<clang::Expr *, true> &, clang::SourceLocation, bool, clang::Sema::ArithConvKind).

Diff Detail

Event Timeline

Manna created this revision.Jun 5 2023, 1:44 PM

Herald added a project: Restricted Project. · View Herald TranscriptJun 5 2023, 1:44 PM

Herald added subscribers: ctetreau, manas, ASDenysPetrov and 5 others. · View Herald Transcript

Manna requested review of this revision.Jun 5 2023, 1:44 PM

Herald added a project: Restricted Project. · View Herald TranscriptJun 5 2023, 1:44 PM

Manna retitled this revision from [NFC][CLANG] Fix static analyzer bugs with dereference after null check to [NFC][CLANG] Fix static analyzer bugs with null pointer dereferences in CheckSizelessVectorOperands().Jun 5 2023, 1:46 PM

Harbormaster completed remote builds in B236719: Diff 528566.Jun 5 2023, 4:46 PM

sdesmalen added a subscriber: sdesmalen.Jun 6 2023, 12:14 AM

sdesmalen added inline comments.

clang/lib/Sema/SemaExpr.cpp
11119	This doesn't seem like a non-functional change. Here it checks that LHSBuiltinTy is not nullptr before using it, which suggests that it is valid for LHSType/RHSType not to be a builtin type. There is also nothing else guarding that the types are all VLSTBuiltinTypes. Do none of the tests fail?

The SA tool is incorrect here.

clang/lib/Sema/SemaExpr.cpp
11119	In fact they DO! Pre-commit CI found them.
11149	This is the only other use of htem, but the 1st part of the 'if' checks if these are builtin types.

This revision now requires changes to proceed.Jun 6 2023, 6:10 AM

Thank you @erichkeane and @sdesmalen for reviews and feedbacks.

Manna added a reviewer: sdesmalen.Jun 6 2023, 8:07 PM

Manna set the repository for this revision to rG LLVM Github Monorepo.

Manna marked an inline comment as done.Jun 6 2023, 8:14 PM

Manna added inline comments.

clang/lib/Sema/SemaExpr.cpp
11149	Thanks for the comments. I have added nullptr checks for LHSBuiltinTy and RHSBuiltinTy before using them to getBuiltinVectorTypeInfo() which dereferences.

Manna marked 3 inline comments as done.Jun 6 2023, 8:15 PM

Harbormaster completed remote builds in B237159: Diff 529138.Jun 6 2023, 10:41 PM

erichkeane added inline comments.Jun 7 2023, 6:44 AM

clang/lib/Sema/SemaExpr.cpp
11148	I think this is unnecessary. `isVLSTBuiltinType` only returns true if `LHSType` is a `BuiltinType` already (or at least, a subset-of). See : https://clang.llvm.org/doxygen/Type_8cpp_source.html#l02409

Manna marked an inline comment as done.Jun 22 2023, 1:06 PM

Manna added inline comments.

clang/lib/Sema/SemaExpr.cpp
11148	This makes sense to me. Thank you for the pointer and explanation!

Manna abandoned this revision.Jun 22 2023, 1:06 PM

Manna marked an inline comment as done.

Revision Contents

Path

Size

clang/

lib/

Sema/

SemaExpr.cpp

1 line

Diff 529138

clang/lib/Sema/SemaExpr.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 11,110 Lines • ▼ Show 20 Lines	QualType Sema::CheckSizelessVectorOperands(ExprResult &LHS, ExprResult &RHS,
QualType LHSType = LHS.get()->getType().getUnqualifiedType();		QualType LHSType = LHS.get()->getType().getUnqualifiedType();
QualType RHSType = RHS.get()->getType().getUnqualifiedType();		QualType RHSType = RHS.get()->getType().getUnqualifiedType();

const BuiltinType *LHSBuiltinTy = LHSType->getAs<BuiltinType>();		const BuiltinType *LHSBuiltinTy = LHSType->getAs<BuiltinType>();
const BuiltinType *RHSBuiltinTy = RHSType->getAs<BuiltinType>();		const BuiltinType *RHSBuiltinTy = RHSType->getAs<BuiltinType>();

unsigned DiagID = diag::err_typecheck_invalid_operands;		unsigned DiagID = diag::err_typecheck_invalid_operands;
if ((OperationKind == ACK_Arithmetic) &&		if ((OperationKind == ACK_Arithmetic) &&
((LHSBuiltinTy && LHSBuiltinTy->isSVEBool()) \|\|		((LHSBuiltinTy && LHSBuiltinTy->isSVEBool()) \|\|
		sdesmalenUnsubmitted Done Reply Inline Actions This doesn't seem like a non-functional change. Here it checks that LHSBuiltinTy is not nullptr before using it, which suggests that it is valid for LHSType/RHSType not to be a builtin type. There is also nothing else guarding that the types are all VLSTBuiltinTypes. Do none of the tests fail? sdesmalen: This doesn't seem like a non-functional change. Here it checks that LHSBuiltinTy is not nullptr…
		erichkeaneUnsubmitted Done Reply Inline Actions In fact they DO! Pre-commit CI found them. erichkeane: In fact they DO! Pre-commit CI found them.
(RHSBuiltinTy && RHSBuiltinTy->isSVEBool()))) {		(RHSBuiltinTy && RHSBuiltinTy->isSVEBool()))) {
Diag(Loc, DiagID) << LHSType << RHSType << LHS.get()->getSourceRange()		Diag(Loc, DiagID) << LHSType << RHSType << LHS.get()->getSourceRange()
<< RHS.get()->getSourceRange();		<< RHS.get()->getSourceRange();
return QualType();		return QualType();
}		}

if (Context.hasSameType(LHSType, RHSType))		if (Context.hasSameType(LHSType, RHSType))
return LHSType;		return LHSType;
Show All 12 Lines	if ((!LHSType->isVLSTBuiltinType() && !LHSType->isRealType()) \|\|
(!RHSType->isVLSTBuiltinType() && !RHSType->isRealType())) {		(!RHSType->isVLSTBuiltinType() && !RHSType->isRealType())) {
Diag(Loc, diag::err_typecheck_vector_not_convertable_non_scalar)		Diag(Loc, diag::err_typecheck_vector_not_convertable_non_scalar)
<< LHSType << RHSType << LHS.get()->getSourceRange()		<< LHSType << RHSType << LHS.get()->getSourceRange()
<< RHS.get()->getSourceRange();		<< RHS.get()->getSourceRange();
return QualType();		return QualType();
}		}

if (LHSType->isVLSTBuiltinType() && RHSType->isVLSTBuiltinType() &&		if (LHSType->isVLSTBuiltinType() && RHSType->isVLSTBuiltinType() &&
		LHSBuiltinTy && RHSBuiltinTy &&
		erichkeaneUnsubmitted Done Reply Inline Actions I think this is unnecessary. `isVLSTBuiltinType` only returns true if `LHSType` is a `BuiltinType` already (or at least, a subset-of). See : https://clang.llvm.org/doxygen/Type_8cpp_source.html#l02409 erichkeane: I think this is unnecessary. `isVLSTBuiltinType` only returns true if `LHSType` is a…
		MannaAuthorUnsubmitted Done Reply Inline Actions This makes sense to me. Thank you for the pointer and explanation! Manna: This makes sense to me. Thank you for the pointer and explanation!
Context.getBuiltinVectorTypeInfo(LHSBuiltinTy).EC !=		Context.getBuiltinVectorTypeInfo(LHSBuiltinTy).EC !=
		erichkeaneUnsubmitted Done Reply Inline Actions This is the only other use of htem, but the 1st part of the 'if' checks if these are builtin types. erichkeane: This is the only other use of htem, but the 1st part of the 'if' checks if these are builtin…
		MannaAuthorUnsubmitted Done Reply Inline Actions Thanks for the comments. I have added nullptr checks for LHSBuiltinTy and RHSBuiltinTy before using them to getBuiltinVectorTypeInfo() which dereferences. Manna: Thanks for the comments. I have added nullptr checks for LHSBuiltinTy and RHSBuiltinTy before…
Context.getBuiltinVectorTypeInfo(RHSBuiltinTy).EC) {		Context.getBuiltinVectorTypeInfo(RHSBuiltinTy).EC) {
Diag(Loc, diag::err_typecheck_vector_lengths_not_equal)		Diag(Loc, diag::err_typecheck_vector_lengths_not_equal)
<< LHSType << RHSType << LHS.get()->getSourceRange()		<< LHSType << RHSType << LHS.get()->getSourceRange()
<< RHS.get()->getSourceRange();		<< RHS.get()->getSourceRange();
return QualType();		return QualType();
}		}

if (LHSType->isVLSTBuiltinType() \|\| RHSType->isVLSTBuiltinType()) {		if (LHSType->isVLSTBuiltinType() \|\| RHSType->isVLSTBuiltinType()) {
▲ Show 20 Lines • Show All 10,343 Lines • Show Last 20 Lines