This is an archive of the discontinued LLVM Phabricator instance.

Differential D28297

[StaticAnalyzer] Fix crash in CastToStructChecker
ClosedPublic

Authored by danielmarjamaki on Jan 4 2017, 9:11 AM.

Details

Reviewers
dcoughlin
a.sidorin
zaks.anna
NoQ
xazax.hun
Commits
rGcf715bd33006: [analyzer] Fix crashes in CastToStruct checker for undefined structs
rG1149166bb9d1: [analyzer] Fix crash in CastToStruct when there is no record definition
rC297187: [analyzer] Fix crashes in CastToStruct checker for undefined structs
rC295545: [analyzer] Fix crash in CastToStruct when there is no record definition
rL297187: [analyzer] Fix crashes in CastToStruct checker for undefined structs
rL295545: [analyzer] Fix crash in CastToStruct when there is no record definition
Summary

This fix the crash reported in https://llvm.org/bugs/show_bug.cgi?id=31173

Diff Detail

Repository
rL LLVM

Event Timeline

danielmarjamaki updated this revision to Diff 83062.Jan 4 2017, 9:11 AM
danielmarjamaki retitled this revision from to [StaticAnalyzer] Fix crash in CastToStructChecker.
danielmarjamaki updated this object.
danielmarjamaki added a reviewer: NoQ.
danielmarjamaki set the repository for this revision to rL LLVM.
danielmarjamaki added a subscriber: cfe-commits.
NoQ edited edge metadata.Jan 11 2017, 3:32 AM
NoQ added a subscriber: zaks.anna.

Looks good. I assume the crash is in getTypeInfo(); do you have any idea what are exact prerequisites for using this method? So that there were no more crashes here.

zaks.anna added a comment.Jan 11 2017, 9:02 AM

Please, subscribe cfe-commits list on the patches as described in http://llvm.org/docs/Phabricator.html.

Thanks!
Anna

danielmarjamaki added a comment.Feb 15 2017, 3:41 AM
In D28297#642523, @NoQ wrote:

Looks good. I assume the crash is in getTypeInfo(); do you have any idea what are exact prerequisites for using this method? So that there were no more crashes here.

Yes. The crash happens during the getTypeInfo() call. I don't know what prerequisites are interesting to check.

The Type pointer returned by getTypePtr() must be nonnull and valid. The method clang::Type::getTypeClass() is called using that type pointer. If that returns Type::Record then the Type pointer is casted to a RecordType. And RecordType::getDecl() is called. The RecordDecl that is returned by that call is passed to getASTRecordLayout() shown below.

The crash occurs on the first assert in this code:

const ASTRecordLayout &
ASTContext::getASTRecordLayout(const RecordDecl *D) const {
  // These asserts test different things.  A record has a definition
  // as soon as we begin to parse the definition.  That definition is
  // not a complete definition (which is what isDefinition() tests)
  // until we *finish* parsing the definition.

  if (D->hasExternalLexicalStorage() && !D->getDefinition())
    getExternalSource()->CompleteType(const_cast<RecordDecl*>(D));
    
  D = D->getDefinition();
  assert(D && "Cannot get layout of forward declarations!");
  assert(!D->isInvalidDecl() && "Cannot get layout of invalid decl!");
  assert(D->isCompleteDefinition() && "Cannot layout type before complete!");
....

I am not sure I can write testcases that prevent regressions but do you think I should add isInvalidDecl() and isCompleteDefinition() also?

NoQ accepted this revision.Feb 15 2017, 7:20 AM

I sometimes wish ASTContext methods just didn't crash :)
Oh well, let's just see if more problems show up.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
93 ↗(On Diff #83062)

I think we should move the check here then. That'd avoid double-checking if ToPointeeTy is a record type (we could cast<> directly on this branch).

This revision is now accepted and ready to land.Feb 15 2017, 7:20 AM
zaks.anna added a comment.Feb 15 2017, 2:14 PM

Please, make sure future reviews go through cfg-dev list. See http://llvm.org/docs/Phabricator.html.

Closed by commit rL295545: [analyzer] Fix crash in CastToStruct when there is no record definition (authored by danielmarjamaki). · Explain WhyFeb 18 2017, 3:30 AM
This revision was automatically updated to reflect the committed changes.
danielmarjamaki reopened this revision.Feb 21 2017, 3:40 AM

I reverted the change because there were buildbot failures.

This revision is now accepted and ready to land.Feb 21 2017, 3:40 AM
danielmarjamaki updated this revision to Diff 89507.Feb 23 2017, 7:48 AM

It was reported in the bugzilla report that my first fix did not fix all crashes. A new example code was provided that triggered a new crash. I have updated the patch so both crashes are fixed.

danielmarjamaki requested review of this revision.Feb 23 2017, 7:49 AM
danielmarjamaki edited edge metadata.

I have updated the patch and want a new review.

danielmarjamaki added reviewers: xazax.hun, dcoughlin, zaks.anna, a.sidorin.Feb 28 2017, 4:14 AM
a.sidorin edited edge metadata.Mar 3 2017, 1:33 AM

Looks like a right fix.

lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp
93 ↗(On Diff #83062)

Or just hoist it out of condition?

zaks.anna accepted this revision.Mar 3 2017, 9:50 AM

Thanks. looks good.

This revision is now accepted and ready to land.Mar 3 2017, 9:50 AM
Closed by commit rL297187: [analyzer] Fix crashes in CastToStruct checker for undefined structs (authored by danielmarjamaki). · Explain WhyMar 7 2017, 11:32 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
4 lines
test/
Analysis/
14 lines

Diff 90900

cfe/trunk/lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp

Show First 20 LinesShow All 78 Lines▼ Show 20 Lines if (!OrigPointeeTy->isRecordType()) {
const ValueDecl *VD = nullptr; const ValueDecl *VD = nullptr;
if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr())) if (const auto *SE = dyn_cast<DeclRefExpr>(U->getSubExpr()))
VD = dyn_cast<ValueDecl>(SE->getDecl()); VD = dyn_cast<ValueDecl>(SE->getDecl());
else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr())) else if (const auto *SE = dyn_cast<MemberExpr>(U->getSubExpr()))
VD = SE->getMemberDecl(); VD = SE->getMemberDecl();
if (!VD || VD->getType()->isReferenceType()) if (!VD || VD->getType()->isReferenceType())
return true; return true;
if (ToPointeeTy->isIncompleteType() ||
OrigPointeeTy->isIncompleteType())
return true;
// Warn when there is widening cast. // Warn when there is widening cast.
unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width; unsigned ToWidth = Ctx.getTypeInfo(ToPointeeTy).Width;
unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width; unsigned OrigWidth = Ctx.getTypeInfo(OrigPointeeTy).Width;
if (ToWidth <= OrigWidth) if (ToWidth <= OrigWidth)
return true; return true;
PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC); PathDiagnosticLocation Loc(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type", BR.EmitBasicReport(AC->getDecl(), Checker, "Widening cast to struct type",
Show All 24 Lines

cfe/trunk/test/Analysis/cast-to-struct.cpp

Show First 20 LinesShow All 59 Lines▼ Show 20 Lines
void intToStruct(int *P) { void intToStruct(int *P) {
struct ABC *Abc; struct ABC *Abc;
Abc = (struct ABC *)P; // expected-warning {{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}} Abc = (struct ABC *)P; // expected-warning {{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
// Cast from void *. // Cast from void *.
void *VP = P; void *VP = P;
Abc = (struct ABC *)VP; Abc = (struct ABC *)VP;
} }
// https://llvm.org/bugs/show_bug.cgi?id=31173
void dontCrash1(struct AB X) {
struct UndefS *S = (struct UndefS *)&X;
}
struct S;
struct T {
struct S *P;
};
extern struct S Var1, Var2;
void dontCrash2() {
((struct T *) &Var1)->P = &Var2;
}