This is an archive of the discontinued LLVM Phabricator instance.

Differential D25727

[analyzer] Handle case of undefined values in performTrivialCopy
ClosedPublic

Authored by ilya-palachev on Oct 18 2016, 7:09 AM.

Details

Reviewers
dcoughlin
a.sidorin
zaks.anna
NoQ
Commits
rG75f9d3ac7e44: [analyzer] Allow undefined values in performTrivialCopy.
rC285640: [analyzer] Allow undefined values in performTrivialCopy.
rL285640: [analyzer] Allow undefined values in performTrivialCopy.
Summary

This patch fixes the assertion crash recently detected on some Tizen code. Since this code pattern is quite rare, it hasn't been handled yet. The patch extends the asserted statement so that to make it appropriate to possible undefined values.

Diff Detail

Repository
rL LLVM

Event Timeline

ilya-palachev updated this revision to Diff 74994.Oct 18 2016, 7:09 AM
ilya-palachev retitled this revision from to Handle case of undefined values in performTrivialCopy.
ilya-palachev updated this object.
ilya-palachev added reviewers: NoQ, zaks.anna, dcoughlin, a.sidorin.
ilya-palachev set the repository for this revision to rL LLVM.
ilya-palachev retitled this revision from Handle case of undefined values in performTrivialCopy to [analyzer] Handle case of undefined values in performTrivialCopy.Oct 18 2016, 7:12 AM
ilya-palachev added a subscriber: cfe-commits.Oct 18 2016, 7:25 AM
NoQ accepted this revision.Oct 18 2016, 7:26 AM
NoQ edited edge metadata.

This seems correct. Loading from a garbage pointer should be modeled as garbage, and/or caught by a checker. performTrivialCopy is a high-level thingy that should be able to deal with any SVal input.

The checker's warning message looks really weird, hard to figure out where's the call here, s/Function/Operator/ could have been an improvement, but that's another story.

This revision is now accepted and ready to land.Oct 18 2016, 7:26 AM
Closed by commit rL285640: [analyzer] Allow undefined values in performTrivialCopy. (authored by dergachev). · Explain WhyOct 31 2016, 2:20 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
2 lines
test/
Analysis/
34 lines

Diff 76482

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 59 Lines▼ Show 20 Linesvoid ExprEngine::performTrivialCopy(NodeBuilder &Bldr, ExplodedNode *Pred,
SVal V = Call.getArgSVal(0); SVal V = Call.getArgSVal(0);
// If the value being copied is not unknown, load from its location to get // If the value being copied is not unknown, load from its location to get
// an aggregate rvalue. // an aggregate rvalue.
if (Optional<Loc> L = V.getAs<Loc>()) if (Optional<Loc> L = V.getAs<Loc>())
V = Pred->getState()->getSVal(*L); V = Pred->getState()->getSVal(*L);
else else
assert(V.isUnknown()); assert(V.isUnknownOrUndef());
const Expr *CallExpr = Call.getOriginExpr(); const Expr *CallExpr = Call.getOriginExpr();
evalBind(Dst, CallExpr, Pred, ThisVal, V, true); evalBind(Dst, CallExpr, Pred, ThisVal, V, true);
PostStmt PS(CallExpr, LCtx); PostStmt PS(CallExpr, LCtx);
for (ExplodedNodeSet::iterator I = Dst.begin(), E = Dst.end(); for (ExplodedNodeSet::iterator I = Dst.begin(), E = Dst.end();
I != E; ++I) { I != E; ++I) {
ProgramStateRef State = (*I)->getState(); ProgramStateRef State = (*I)->getState();
▲ Show 20 LinesShow All 547 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/uninit-vals.cpp

// RUN: %clang_cc1 -analyze -analyzer-checker=core.builtin -verify -DCHECK_FOR_CRASH %s
// RUN: %clang_cc1 -analyze -analyzer-checker=core -verify %s
#ifdef CHECK_FOR_CRASH
// expected-no-diagnostics
#endif
namespace PerformTrivialCopyForUndefs {
struct A {
int x;
};
struct B {
A a;
};
struct C {
B b;
};
void foo() {
C c1;
C *c2;
#ifdef CHECK_FOR_CRASH
// If the value of variable is not defined and checkers that check undefined
// values are not enabled, performTrivialCopy should be able to handle the
// case with undefined values, too.
c1.b.a = c2->b.a;
#else
c1.b.a = c2->b.a; // expected-warning{{Function call argument is an uninitialized value}}
#endif
}
}