This is an archive of the discontinued LLVM Phabricator instance.

[StaticAnalyzer] dont show wrong 'garbage value' warning when there is array index out of bounds
ClosedPublic

Authored by danielmarjamaki on Jan 3 2017, 11:55 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
zaks.anna

Commits

rGe97838f49ef1: [analyzer] clarify 'result is garbage value' when it is out of bounds
rC296326: [analyzer] clarify 'result is garbage value' when it is out of bounds
rL296326: [analyzer] clarify 'result is garbage value' when it is out of bounds

Summary

Example code:

void f1(int x) {
  int a[20] = {0};
  if (x==25) {}
  if (a[x] == 123) {}  // <- Warning
}

If I don't enable alpha, only core, then Clang writes this misleading FP:

undef.c:5:12: warning: The left operand of '==' is a garbage value

I say it's a FP because the message is wrong. If the message correctly said "array index out of bounds" and pointed out a[x] directly, then it would be TP. This message goes away if alpha is enabled and I believe that is by intention.

Since there is a array-index-out-of-bounds check in alpha I am guessing that the UndefinedBinaryOperatorResult should not report "array index out of bounds". Therefore I remove this warning from this check.

This patch is a experimental work in progress. I would like to know if you think I should modifiy the UndefinedBinaryOperatorResult check or if I should do something in the ExprEngine? Maybe array index out of bounds should not lead to Undef SVal?

With this patch, all the existing tests succeed.

Diff Detail

Repository: rL LLVM

Event Timeline

danielmarjamaki updated this revision to Diff 83010.Jan 3 2017, 11:55 PM

danielmarjamaki retitled this revision from to [StaticAnalyzer] dont show wrong 'garbage value' warning when there is array index out of bounds.

danielmarjamaki updated this object.

danielmarjamaki added reviewers: zaks.anna, dcoughlin.

danielmarjamaki set the repository for this revision to rL LLVM.

danielmarjamaki added a subscriber: cfe-commits.

Did you experience any problems with the array out of bounds check lately? In case it was stable on large code-bases and did not give too many false positives, I think it might be worth to move that check out of alpha at the same time, so users who do not turn on alpha checks will not lose any functionality. What do you think?

In D28278#639710, @xazax.hun wrote:

Did you experience any problems with the array out of bounds check lately? In case it was stable on large code-bases and did not give too many false positives, I think it might be worth to move that check out of alpha at the same time, so users who do not turn on alpha checks will not lose any functionality. What do you think?

I don't have precise statistics. But these array-index-out-of-bounds messages are often false positives. Fixes are needed in the ExprEngine.

I think it's more valuable to report a warning here even if the error message is not very precise. Marking something as in bounds when we know it's not does not feel right and could lead to inconsistent states down the road.

I am not against that the error is shown as long as it's not misleading/wrong. To avoid misleading, in my humble opinion the error message should say "array index out of bounds".

Does the code you added detects array out of bounds cases without false positives? Is it an option to just have this checkers produce a more precise error message in the specific case.

A lot of work will probably need to be done to implement a proper array out of bounds checking and no-one is working on that.

In D28278#677905, @zaks.anna wrote:

Does the code you added detects array out of bounds cases without false positives? Is it an option to just have this checkers produce a more precise error message in the specific case.

A lot of work will probably need to be done to implement a proper array out of bounds checking and no-one is working on that.

I don't know.. maybe I can avoid some false positive. Maybe if the left operand seems to be out-of-bounds and the right operand is uninitialized maybe it would be better to complain about the right operand.

It is definitely an option for me to have this checker produce more precise error messages. I believe that will solve my problems.

Making the error message more precise.

zaks.anna added inline comments.Feb 23 2017, 1:44 PM

lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
76 ↗	(On Diff #89540)	Please, pull this out into a sub-rutine. Thanks!

Fixed review comment. Broke out function.

danielmarjamaki marked an inline comment as done.Feb 24 2017, 3:41 AM

Thank you!

This revision is now accepted and ready to land.Feb 24 2017, 10:26 PM

Closed by commit rL296326: [analyzer] clarify 'result is garbage value' when it is out of bounds (authored by danielmarjamaki). · Explain WhyFeb 27 2017, 2:56 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Checkers/

UndefResultChecker.cpp

26 lines

test/

Analysis/

uninit-vals-ps.c

6 lines

Diff 89854

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

Show All 29 Lines	class UndefResultChecker

mutable std::unique_ptr<BugType> BT;		mutable std::unique_ptr<BugType> BT;

public:		public:
void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;		void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;
};		};
} // end anonymous namespace		} // end anonymous namespace

		static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex) {
		ProgramStateRef state = C.getState();
		const LocationContext *LCtx = C.getLocationContext();

		if (!isa<ArraySubscriptExpr>(Ex))
		return false;

		SVal Loc = state->getSVal(Ex, LCtx);
		if (!Loc.isValid())
		return false;

		const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();
		const ElementRegion *ER = dyn_cast<ElementRegion>(MR);
		if (!ER)
		return false;

		DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
		DefinedOrUnknownSVal NumElements = C.getStoreManager().getSizeInElements(
		state, ER->getSuperRegion(), ER->getValueType());
		ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
		ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
		return StOutBound && !StInBound;
		}

void UndefResultChecker::checkPostStmt(const BinaryOperator *B,		void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
CheckerContext &C) const {		CheckerContext &C) const {
ProgramStateRef state = C.getState();		ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext();		const LocationContext *LCtx = C.getLocationContext();
if (state->getSVal(B, LCtx).isUndef()) {		if (state->getSVal(B, LCtx).isUndef()) {

// Do not report assignments of uninitialized values inside swap functions.		// Do not report assignments of uninitialized values inside swap functions.
// This should allow to swap partially uninitialized structs		// This should allow to swap partially uninitialized structs
Show All 26 Lines	else if (state->getSVal(B->getRHS(), LCtx).isUndef()) {
isLeft = false;		isLeft = false;
}		}

if (Ex) {		if (Ex) {
OS << "The " << (isLeft ? "left" : "right")		OS << "The " << (isLeft ? "left" : "right")
<< " operand of '"		<< " operand of '"
<< BinaryOperator::getOpcodeStr(B->getOpcode())		<< BinaryOperator::getOpcodeStr(B->getOpcode())
<< "' is a garbage value";		<< "' is a garbage value";
		if (isArrayIndexOutOfBounds(C, Ex))
		OS << " due to array index out of bounds";
}		}
else {		else {
// Neither operand was undefined, but the result is undefined.		// Neither operand was undefined, but the result is undefined.
OS << "The result of the '"		OS << "The result of the '"
<< BinaryOperator::getOpcodeStr(B->getOpcode())		<< BinaryOperator::getOpcodeStr(B->getOpcode())
<< "' expression is undefined";		<< "' expression is undefined";
}		}
auto report = llvm::make_unique<BugReport>(*BT, OS.str(), N);		auto report = llvm::make_unique<BugReport>(*BT, OS.str(), N);
Show All 14 Lines

cfe/trunk/test/Analysis/uninit-vals-ps.c

	Show First 20 Lines • Show All 51 Lines • ▼ Show 20 Lines
	struct f5_struct { int x; };			struct f5_struct { int x; };
	void f5_aux(struct f5_struct* s);			void f5_aux(struct f5_struct* s);
	int f5(void) {			int f5(void) {
	struct f5_struct s;			struct f5_struct s;
	f5_aux(&s);			f5_aux(&s);
	return s.x; // no-warning			return s.x; // no-warning
	}			}

				void f6(int x) {
				int a[20];
				if (x == 25) {}
				if (a[x] == 123) {} // expected-warning{{The left operand of '==' is a garbage value due to array index out of bounds}}
				}

	int ret_uninit() {			int ret_uninit() {
	int i;			int i;
	int *p = &i;			int *p = &i;
	return *p; // expected-warning{{Undefined or garbage value returned to caller}}			return *p; // expected-warning{{Undefined or garbage value returned to caller}}
	}			}

	// <rdar://problem/6451816>			// <rdar://problem/6451816>
	typedef unsigned char Boolean;			typedef unsigned char Boolean;
	▲ Show 20 Lines • Show All 84 Lines • Show Last 20 Lines