This is an archive of the discontinued LLVM Phabricator instance.

Differential D33828

[analyzer] Don't crash when the code tries to construct an Objective-C object in AllocaRegion.
ClosedPublic

Authored by NoQ on Jun 2 2017, 6:21 AM.

Details

Reviewers
zaks.anna
dcoughlin
Commits
rG11150c009a40: [analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion.
rC305211: [analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion.
rL305211: [analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion.
Summary

The analyzer crashes when the user tries to allocate stack memory through alloca() and then construct an Objective-C object in it. The alloca() function is handled in the analyzer by its own concrete untyped memory region, AllocaRegion, which doesn't contain any clues on what type it might carry (because there are none). getDynamicTypeInfo() therefore ignores it unless a specific type info is already available.

To think: maybe we could pickup some dynamic type info from the implicit cast. We don't always have an implicit cast though.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Jun 2 2017, 6:21 AM
Herald added a subscriber: xazax.hun. · View Herald TranscriptJun 2 2017, 6:21 AM
NoQ updated this revision to Diff 101401.Jun 5 2017, 7:01 AM

Turn the comment into an assertion.

zaks.anna accepted this revision.Jun 5 2017, 9:14 AM
This revision is now accepted and ready to land.Jun 5 2017, 9:14 AM
Closed by commit rL305211: [analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion. (authored by dergachev). · Explain WhyJun 12 2017, 11:00 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
6 lines
test/
Analysis/
12 lines

Diff 102206

cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 LinesShow All 951 Lines▼ Show 20 Lines if (!SupersType.isNull()) {
// where the call occurs. // where the call occurs.
ReceiverT = cast<ObjCObjectPointerType>(SupersType); ReceiverT = cast<ObjCObjectPointerType>(SupersType);
} else { } else {
Receiver = getReceiverSVal().getAsRegion(); Receiver = getReceiverSVal().getAsRegion();
if (!Receiver) if (!Receiver)
return RuntimeDefinition(); return RuntimeDefinition();
DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver); DynamicTypeInfo DTI = getDynamicTypeInfo(getState(), Receiver);
if (!DTI.isValid()) {
assert(isa<AllocaRegion>(Receiver) &&
"Unhandled untyped region class!");
return RuntimeDefinition();
}
QualType DynType = DTI.getType(); QualType DynType = DTI.getType();
CanBeSubClassed = DTI.canBeASubClass(); CanBeSubClassed = DTI.canBeASubClass();
ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType()); ReceiverT = dyn_cast<ObjCObjectPointerType>(DynType.getCanonicalType());
if (ReceiverT && CanBeSubClassed) if (ReceiverT && CanBeSubClassed)
if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl()) if (ObjCInterfaceDecl *IDecl = ReceiverT->getInterfaceDecl())
if (!canBeOverridenInSubclass(IDecl, Sel)) if (!canBeOverridenInSubclass(IDecl, Sel))
CanBeSubClassed = false; CanBeSubClassed = false;
▲ Show 20 LinesShow All 216 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/DynamicTypePropagation.m

// RUN: %clang_analyze_cc1 -analyzer-checker=core,osx.cocoa.ObjCGenerics -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,osx.cocoa.ObjCGenerics -verify %s
#if !__has_feature(objc_generics) #if !__has_feature(objc_generics)
# error Compiler does not support Objective-C generics? # error Compiler does not support Objective-C generics?
#endif #endif
typedef __typeof(sizeof(int)) size_t;
void *memset(void *, int, size_t);
#define nil 0 #define nil 0
typedef unsigned long NSUInteger; typedef unsigned long NSUInteger;
typedef int BOOL; typedef int BOOL;
@protocol NSCopying @protocol NSCopying
@end @end
__attribute__((objc_root_class)) __attribute__((objc_root_class))
@interface NSObject @interface NSObject
- (void) myFunction:(int*)p myParam:(int) n; - (void) myFunction:(int*)p myParam:(int) n;
@end @end
@interface MyType : NSObject <NSCopying> @interface MyType : NSObject <NSCopying>
- (void) myFunction:(int*)p myParam:(int) n; - (void) myFunction:(int*)p myParam:(int) n;
@end @end
@interface NSArray<ObjectType> : NSObject @interface NSArray<ObjectType> : NSObject
- (void) init;
- (BOOL)contains:(ObjectType)obj; - (BOOL)contains:(ObjectType)obj;
- (ObjectType)getObjAtIndex:(NSUInteger)idx; - (ObjectType)getObjAtIndex:(NSUInteger)idx;
- (ObjectType)objectAtIndexedSubscript:(NSUInteger)idx; - (ObjectType)objectAtIndexedSubscript:(NSUInteger)idx;
@property(readonly) ObjectType firstObject; @property(readonly) ObjectType firstObject;
@end @end
@implementation NSObject @implementation NSObject
- (void) myFunction:(int*)p myParam:(int) n { - (void) myFunction:(int*)p myParam:(int) n {
Show All 18 Lines
void testArgument(NSArray<MyType *> *arr, id element) { void testArgument(NSArray<MyType *> *arr, id element) {
NSArray *erased = arr; NSArray *erased = arr;
[erased contains: element]; [erased contains: element];
// TODO: myFunction currently is not dispatched to MyType. Make it dispatch to // TODO: myFunction currently is not dispatched to MyType. Make it dispatch to
// MyType! // MyType!
[element myFunction:0 myParam:0 ]; [element myFunction:0 myParam:0 ];
} }
// Do not try this at home! The analyzer shouldn't crash though when it
// tries to figure out the dynamic type behind the alloca's return value.
void testAlloca(size_t NSArrayClassSizeWeKnowSomehow) {
NSArray *arr = __builtin_alloca(NSArrayClassSizeWeKnowSomehow);
memset(arr, 0, NSArrayClassSizeWeKnowSomehow);
[arr init]; // no-crash
}