This is an archive of the discontinued LLVM Phabricator instance.

Differential D158295

[NFC][clang][analyzer] Avoid potential dereferencing of null pointer value
Needs RevisionPublic

Authored by Manna on Aug 18 2023, 10:34 AM.

Details

Reviewers
aaron.ballman
tahonermann
steakhal
NoQ

Diff Detail

Event Timeline

Manna created this revision.Aug 18 2023, 10:34 AM
Herald added a reviewer: NoQ. · View Herald TranscriptAug 18 2023, 10:34 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: manas, ASDenysPetrov, martong and 8 others. · View Herald Transcript
Manna requested review of this revision.Aug 18 2023, 10:34 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 18 2023, 10:34 AM
steakhal requested changes to this revision.Aug 18 2023, 11:11 AM

Thanks for the PR.
I went over the code and concluded that it can never be null.
However, the code could be improved, while making this explicit.

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
1416–1433

So state->get<RefBindings>() returns a map, and we iterate over the Key&Val pairs of that map.

const RefVal *getRefBinding(ProgramStateRef State, SymbolRef Sym) {
  return State->get<RefBindings>(Sym);
}

So, this just returns the associated value with Sym in the map.
Instead of this lookup ,we really should have just used the I.second.

Now the question is, could have map a Sym to a null pointer?

static ProgramStateRef setRefBinding(ProgramStateRef State, SymbolRef Sym,
                                     RefVal Val) {
  assert(Sym != nullptr);
  return State->set<RefBindings>(Sym, Val);
}

Nop. It's never supposed to be null.

Could you please just decompose in the loop with a structured-binding to auto [Sym, V] and use V instead of T?

This revision now requires changes to proceed.Aug 18 2023, 11:11 AM
Harbormaster completed remote builds in B253531: Diff 551565.Aug 18 2023, 12:25 PM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
RetainCountChecker/
5 lines

Diff 551565

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

Show First 20 LinesShow All 1,407 Lines▼ Show 20 Lines
void RetainCountChecker::checkDeadSymbols(SymbolReaper &SymReaper, void RetainCountChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const { CheckerContext &C) const {
ExplodedNode *Pred = C.getPredecessor(); ExplodedNode *Pred = C.getPredecessor();
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
SmallVector<SymbolRef, 10> Leaked; SmallVector<SymbolRef, 10> Leaked;
// Update counts from autorelease pools // Update counts from autorelease pools
for (const auto &I: state->get<RefBindings>()) { for (const auto &I: state->get<RefBindings>()) {
SymbolRef Sym = I.first; SymbolRef Sym = I.first;
if (SymReaper.isDead(Sym)) { if (SymReaper.isDead(Sym)) {
static CheckerProgramPointTag Tag(this, "DeadSymbolAutorelease"); static CheckerProgramPointTag Tag(this, "DeadSymbolAutorelease");
const RefVal &V = I.second; const RefVal &V = I.second;
state = handleAutoreleaseCounts(state, Pred, &Tag, C, Sym, V); state = handleAutoreleaseCounts(state, Pred, &Tag, C, Sym, V);
if (!state) if (!state)
return; return;
// Fetch the new reference count from the state, and use it to handle // Fetch the new reference count from the state, and use it to handle
// this symbol. // this symbol.
state = handleSymbolDeath(state, Sym, *getRefBinding(state, Sym), Leaked); const RefVal* T = getRefBinding(state, Sym);
if (!T)
return;
state = handleSymbolDeath(state, Sym, *T, Leaked);
} }
} }
steakhalUnsubmitted
Not Done
ReplyInline Actions

So state->get<RefBindings>() returns a map, and we iterate over the Key&Val pairs of that map.

const RefVal *getRefBinding(ProgramStateRef State, SymbolRef Sym) {
  return State->get<RefBindings>(Sym);
}

So, this just returns the associated value with Sym in the map.
Instead of this lookup ,we really should have just used the I.second.

Now the question is, could have map a Sym to a null pointer?

static ProgramStateRef setRefBinding(ProgramStateRef State, SymbolRef Sym,
                                     RefVal Val) {
  assert(Sym != nullptr);
  return State->set<RefBindings>(Sym, Val);
}

Nop. It's never supposed to be null.

Could you please just decompose in the loop with a structured-binding to auto [Sym, V] and use V instead of T?

steakhal: So `state->get<RefBindings>()` returns a map, and we iterate over the Key&Val pairs of that map.
if (Leaked.empty()) { if (Leaked.empty()) {
C.addTransition(state); C.addTransition(state);
return; return;
} }
Pred = processLeaks(state, Leaked, C, Pred); Pred = processLeaks(state, Leaked, C, Pred);
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines