This is an archive of the discontinued LLVM Phabricator instance.

Differential D28278

[StaticAnalyzer] dont show wrong 'garbage value' warning when there is array index out of bounds
ClosedPublic

Authored by danielmarjamaki on Jan 3 2017, 11:55 PM.

Details

Reviewers
dcoughlin
zaks.anna
Commits
rGe97838f49ef1: [analyzer] clarify 'result is garbage value' when it is out of bounds
rC296326: [analyzer] clarify 'result is garbage value' when it is out of bounds
rL296326: [analyzer] clarify 'result is garbage value' when it is out of bounds
Summary

Example code:

void f1(int x) {
  int a[20] = {0};
  if (x==25) {}
  if (a[x] == 123) {}  // <- Warning
}

If I don't enable alpha, only core, then Clang writes this misleading FP:

undef.c:5:12: warning: The left operand of '==' is a garbage value

I say it's a FP because the message is wrong. If the message correctly said "array index out of bounds" and pointed out a[x] directly, then it would be TP. This message goes away if alpha is enabled and I believe that is by intention.

Since there is a array-index-out-of-bounds check in alpha I am guessing that the UndefinedBinaryOperatorResult should not report "array index out of bounds". Therefore I remove this warning from this check.

This patch is a experimental work in progress. I would like to know if you think I should modifiy the UndefinedBinaryOperatorResult check or if I should do something in the ExprEngine? Maybe array index out of bounds should not lead to Undef SVal?

With this patch, all the existing tests succeed.

Diff Detail

Event Timeline

danielmarjamaki updated this revision to Diff 83010.Jan 3 2017, 11:55 PM
danielmarjamaki retitled this revision from to [StaticAnalyzer] dont show wrong 'garbage value' warning when there is array index out of bounds.
danielmarjamaki updated this object.
danielmarjamaki added reviewers: zaks.anna, dcoughlin.
danielmarjamaki set the repository for this revision to rL LLVM.
danielmarjamaki added a subscriber: cfe-commits.
xazax.hun added a subscriber: xazax.hun.Jan 9 2017, 6:28 AM

Did you experience any problems with the array out of bounds check lately? In case it was stable on large code-bases and did not give too many false positives, I think it might be worth to move that check out of alpha at the same time, so users who do not turn on alpha checks will not lose any functionality. What do you think?

danielmarjamaki added a comment.Jan 10 2017, 3:19 AM
In D28278#639710, @xazax.hun wrote:

Did you experience any problems with the array out of bounds check lately? In case it was stable on large code-bases and did not give too many false positives, I think it might be worth to move that check out of alpha at the same time, so users who do not turn on alpha checks will not lose any functionality. What do you think?

I don't have precise statistics. But these array-index-out-of-bounds messages are often false positives. Fixes are needed in the ExprEngine.

zaks.anna edited edge metadata.Jan 12 2017, 4:56 PM

I think it's more valuable to report a warning here even if the error message is not very precise. Marking something as in bounds when we know it's not does not feel right and could lead to inconsistent states down the road.

danielmarjamaki added a comment.Feb 15 2017, 2:55 AM

I am not against that the error is shown as long as it's not misleading/wrong. To avoid misleading, in my humble opinion the error message should say "array index out of bounds".

zaks.anna added a comment.Feb 15 2017, 2:21 PM

Does the code you added detects array out of bounds cases without false positives? Is it an option to just have this checkers produce a more precise error message in the specific case.

A lot of work will probably need to be done to implement a proper array out of bounds checking and no-one is working on that.

danielmarjamaki added a comment.Feb 23 2017, 2:35 AM
In D28278#677905, @zaks.anna wrote:

Does the code you added detects array out of bounds cases without false positives? Is it an option to just have this checkers produce a more precise error message in the specific case.

A lot of work will probably need to be done to implement a proper array out of bounds checking and no-one is working on that.

I don't know.. maybe I can avoid some false positive. Maybe if the left operand seems to be out-of-bounds and the right operand is uninitialized maybe it would be better to complain about the right operand.

It is definitely an option for me to have this checker produce more precise error messages. I believe that will solve my problems.

danielmarjamaki updated this revision to Diff 89540.Feb 23 2017, 11:45 AM

Making the error message more precise.

zaks.anna added inline comments.Feb 23 2017, 1:44 PM
lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
76

Please, pull this out into a sub-rutine. Thanks!

danielmarjamaki updated this revision to Diff 89641.Feb 24 2017, 3:40 AM

Fixed review comment. Broke out function.

danielmarjamaki marked an inline comment as done.Feb 24 2017, 3:41 AM
zaks.anna accepted this revision.Feb 24 2017, 10:26 PM

Thank you!

This revision is now accepted and ready to land.Feb 24 2017, 10:26 PM
Closed by commit rL296326: [analyzer] clarify 'result is garbage value' when it is out of bounds (authored by danielmarjamaki). · Explain WhyFeb 27 2017, 2:56 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
21 lines
test/
Analysis/
6 lines

Diff 89540

lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

Context not available.
} }
if (Ex) { if (Ex) {
bool ArrayIndexOutOfBounds = false;
zaks.annaUnsubmitted
Done
ReplyInline Actions

Please, pull this out into a sub-rutine. Thanks!

zaks.anna: Please, pull this out into a sub-rutine. Thanks!
if (isa<ArraySubscriptExpr>(Ex)) {
SVal Loc = state->getSVal(Ex,LCtx);
if (Loc.isValid()) {
const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();
if (const ElementRegion *ER = dyn_cast<ElementRegion>(MR)) {
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
DefinedOrUnknownSVal NumElements
= C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
ER->getValueType());
ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
if (StOutBound && !StInBound) {
ArrayIndexOutOfBounds = true;
}
}
}
}
OS << "The " << (isLeft ? "left" : "right") OS << "The " << (isLeft ? "left" : "right")
<< " operand of '" << " operand of '"
<< BinaryOperator::getOpcodeStr(B->getOpcode()) << BinaryOperator::getOpcodeStr(B->getOpcode())
<< "' is a garbage value"; << "' is a garbage value";
if (ArrayIndexOutOfBounds)
OS << " due to array index out of bounds";
} }
else { else {
// Neither operand was undefined, but the result is undefined. // Neither operand was undefined, but the result is undefined.
Context not available.

test/Analysis/uninit-vals-ps.c

Context not available.
return s.x; // no-warning return s.x; // no-warning
} }
void f6(int x) {
int a[20];
if (x == 25) {}
if (a[x] == 123) {} // expected-warning{{The left operand of '==' is a garbage value due to array index out of bounds}}
}
int ret_uninit() { int ret_uninit() {
int i; int i;
int *p = &i; int *p = &i;
Context not available.