This is an archive of the discontinued LLVM Phabricator instance.

Differential D31029

[analyzer] Fix logical not for pointers with different bit width
ClosedPublic

Authored by danielmarjamaki on Mar 16 2017, 6:48 AM.

Details

Reviewers
dcoughlin
dergachev.a
zaks.anna
xazax.hun
Commits
rG9c6e8489893e: [analyzer] Fix logical not for pointers with different bit width
rC305669: [analyzer] Fix logical not for pointers with different bit width
rL305669: [analyzer] Fix logical not for pointers with different bit width
Summary

The Static Analyzer assumed that all pointers had the same bit width. Now pass the type to the 'makeNull' method, to construct a null
pointer of the appropiate bit width.

Example code that does not work well:

int main(void) {
  __cm void *cm_p = 0;
  if (cm_p == 0)
    (void)cm_p;
}

Unfortunately there is no proper testcase here. The problem is seen with a custom target.

Diff Detail

Repository
rL LLVM

Event Timeline

danielmarjamaki created this revision.Mar 16 2017, 6:48 AM
xazax.hun edited edge metadata.Mar 16 2017, 7:26 AM

So there is no LLVM supported target with different bit width pointer types?

In case we have such a target upstreamed, you can add a test with the host-triple hardcoded into the test.

danielmarjamaki added a comment.Mar 16 2017, 8:42 AM

I am not sure where to look. I heard somebody say OpenCL has different pointer widths.

grandinj added a subscriber: grandinj.Mar 16 2017, 11:45 AM
grandinj added inline comments.
include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
313 ↗(On Diff #91994)

spelling and grammar and doxygen formatting:

/// \param type accommodate different pointer bit-widths of different address spaces.

zaks.anna edited edge metadata.Mar 16 2017, 5:26 PM

Are there other cases where makeNull would need to be replaced?

dkrupp added a subscriber: dkrupp.Mar 22 2017, 2:49 AM
danielmarjamaki updated this revision to Diff 92773.Mar 23 2017, 2:31 AM

Added a testcase that will crash without the fix. Used the amdgcn target as that happens to use different pointer bit widths for different address spaces.

Updated the comment. I am not good at english so I hope the grammar is ok.

danielmarjamaki added a comment.Mar 23 2017, 2:38 AM
In D31029#703428, @zaks.anna wrote:

Are there other cases where makeNull would need to be replaced?

There might be. As I understand it, this is the only known case at the moment.

danielmarjamaki marked an inline comment as done.Mar 23 2017, 9:05 AM
In D31029#708567, @danielmarjamaki wrote:
In D31029#703428, @zaks.anna wrote:

Are there other cases where makeNull would need to be replaced?

There might be. As I understand it, this is the only known case at the moment.

To clarify. The static analyser runs fine on plenty of code. I ran CSA using this target on a 1000's of C-files project. I think it works well.. but I can't guarantee there won't be any more issues.

danielmarjamaki added a comment.Apr 3 2017, 12:13 AM

Ping

danielmarjamaki added a comment.Apr 18 2017, 1:36 AM

Ping

danielmarjamaki added a comment.Apr 25 2017, 6:32 AM

Ping

zaks.anna added a comment.May 9 2017, 11:37 PM

Sorry for the delay!!!

include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h
180 ↗(On Diff #92773)

The isUnsigned parameter is not used and is not necessary as the type itself has this info.

Not clear if this function is expected to work for all types or only scalar types (maybe assert that the input is isScalarType()).

danielmarjamaki updated this revision to Diff 99114.May 16 2017, 1:27 AM

Fix review comments

danielmarjamaki marked an inline comment as done.May 16 2017, 1:28 AM
danielmarjamaki added a comment.May 26 2017, 1:53 AM

ping

zaks.anna accepted this revision.Jun 14 2017, 3:16 PM

Looks good with a nit!

include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
325 ↗(On Diff #99114)

Formatting changes here look inconsistent with the rest of the code around.

This revision is now accepted and ready to land.Jun 14 2017, 3:16 PM
Closed by commit rL305669: [analyzer] Fix logical not for pointers with different bit width (authored by danielmarjamaki). · Explain WhyJun 19 2017, 1:56 AM
This revision was automatically updated to reflect the committed changes.
danielmarjamaki marked an inline comment as done.

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
5 lines
7 lines
lib/
StaticAnalyzer/
Core/
5 lines

Diff 102999

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h

Show First 20 LinesShow All 174 Lines▼ Show 20 Linespublic:
} }
inline const llvm::APSInt& Sub1(const llvm::APSInt& V) { inline const llvm::APSInt& Sub1(const llvm::APSInt& V) {
llvm::APSInt X = V; llvm::APSInt X = V;
--X; --X;
return getValue(X); return getValue(X);
} }
inline const llvm::APSInt& getZeroWithTypeSize(QualType T) {
assert(T->isScalarType());
return getValue(0, Ctx.getTypeSize(T), true);
}
inline const llvm::APSInt& getZeroWithPtrWidth(bool isUnsigned = true) { inline const llvm::APSInt& getZeroWithPtrWidth(bool isUnsigned = true) {
return getValue(0, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned); return getValue(0, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned);
} }
inline const llvm::APSInt &getIntWithPtrWidth(uint64_t X, bool isUnsigned) { inline const llvm::APSInt &getIntWithPtrWidth(uint64_t X, bool isUnsigned) {
return getValue(X, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned); return getValue(X, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned);
} }
▲ Show 20 LinesShow All 58 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

Show First 20 LinesShow All 309 Lines▼ Show 20 Linespublic:
nonloc::ConcreteInt makeTruthVal(bool b, QualType type) { nonloc::ConcreteInt makeTruthVal(bool b, QualType type) {
return nonloc::ConcreteInt(BasicVals.getTruthValue(b, type)); return nonloc::ConcreteInt(BasicVals.getTruthValue(b, type));
} }
nonloc::ConcreteInt makeTruthVal(bool b) { nonloc::ConcreteInt makeTruthVal(bool b) {
return nonloc::ConcreteInt(BasicVals.getTruthValue(b)); return nonloc::ConcreteInt(BasicVals.getTruthValue(b));
} }
/// Create NULL pointer, with proper pointer bit-width for given address
/// space.
/// \param type pointer type.
Loc makeNullWithType(QualType type) {
return loc::ConcreteInt(BasicVals.getZeroWithTypeSize(type));
}
Loc makeNull() { Loc makeNull() {
return loc::ConcreteInt(BasicVals.getZeroWithPtrWidth()); return loc::ConcreteInt(BasicVals.getZeroWithPtrWidth());
} }
Loc makeLoc(SymbolRef sym) { Loc makeLoc(SymbolRef sym) {
return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
} }
Show All 30 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 LinesShow All 974 Lines▼ Show 20 Lines case UO_Not: {
break; break;
case UO_LNot: case UO_LNot:
// C99 6.5.3.3: "The expression !E is equivalent to (0==E)." // C99 6.5.3.3: "The expression !E is equivalent to (0==E)."
// //
// Note: technically we do "E == 0", but this is the same in the // Note: technically we do "E == 0", but this is the same in the
// transfer functions as "0 == E". // transfer functions as "0 == E".
SVal Result; SVal Result;
if (Optional<Loc> LV = V.getAs<Loc>()) { if (Optional<Loc> LV = V.getAs<Loc>()) {
Loc X = svalBuilder.makeNull(); Loc X = svalBuilder.makeNullWithType(Ex->getType());
Result = evalBinOp(state, BO_EQ, *LV, X, U->getType()); Result = evalBinOp(state, BO_EQ, *LV, X, U->getType());
} } else if (Ex->getType()->isFloatingType()) {
else if (Ex->getType()->isFloatingType()) {
// FIXME: handle floating point types. // FIXME: handle floating point types.
Result = UnknownVal(); Result = UnknownVal();
} else { } else {
nonloc::ConcreteInt X(getBasicVals().getValue(0, Ex->getType())); nonloc::ConcreteInt X(getBasicVals().getValue(0, Ex->getType()));
Result = evalBinOp(state, BO_EQ, V.castAs<NonLoc>(), X, Result = evalBinOp(state, BO_EQ, V.castAs<NonLoc>(), X,
U->getType()); U->getType());
} }
▲ Show 20 LinesShow All 101 LinesShow Last 20 Lines