This is an archive of the discontinued LLVM Phabricator instance.

Differential D38702

[Analyzer] Do not segfault on unexpected call_once implementation
ClosedPublic

Authored by george.karpenkov on Oct 9 2017, 1:03 PM.

Details

Reviewers
dcoughlin
zaks.anna
NoQ
Commits
rG8b53f7ca6daa: [Analyzer] Do not segfault on unexpected call_once implementation
rC315250: [Analyzer] Do not segfault on unexpected call_once implementation
rL315250: [Analyzer] Do not segfault on unexpected call_once implementation
Summary

Fixes https://bugs.llvm.org/show_bug.cgi?id=34869

@dcoughlin Any advice on how to handle different stdlib implementations?
Can we conjure a separate symbol instead of relying on a particular struct layout?
For now this implementation will simply not go inside a differently implemented call_once.

Diff Detail

Repository
rL LLVM

Event Timeline

george.karpenkov created this revision.Oct 9 2017, 1:03 PM
Herald added subscribers: szepet, xazax.hun, javed.absar. · View Herald TranscriptOct 9 2017, 1:03 PM
xazax.hun added a comment.Oct 9 2017, 1:05 PM

Did you link the correct bug in the description? The one you linked was closed long ago.

george.karpenkov edited the summary of this revision. (Show Details)Oct 9 2017, 1:06 PM

Ooops, updated to https://bugs.llvm.org/show_bug.cgi?id=34869

dcoughlin edited edge metadata.Oct 9 2017, 3:51 PM

@dcoughlin Any advice on how to handle different stdlib implementations?
Can we conjure a separate symbol instead of relying on a particular struct layout?
For now this implementation will simply not go inside a differently implemented call_once.

I think that for now your solution is the best to avoid the crashes. Let's see what Alexander has to say about the standard library causing the crashes. Ideally, we don't want to fall down too hard on libstdc++.

If we really need to handle a variety of standard libraries (or versions of standard libraries) we'll probably want to to treat std::call_once more abstractly and write a checker that models its behavior instead of body farming it.

lib/Analysis/BodyFarm.cpp
365 ↗(On Diff #118258)

LLVM style is to write this null check as if (!FlagCXXDecl).

369 ↗(On Diff #118258)

This return will leak the allocated AST nodes (as will the return for __state__ below). Can you hoist the validation checks to above the AST creation?

george.karpenkov updated this revision to Diff 118291.Oct 9 2017, 4:14 PM

Review comments.

george.karpenkov marked 2 inline comments as done.Oct 9 2017, 4:14 PM
dcoughlin accepted this revision.Oct 9 2017, 4:19 PM

Looks good to me!

This revision is now accepted and ready to land.Oct 9 2017, 4:19 PM
Closed by commit rL315250: [Analyzer] Do not segfault on unexpected call_once implementation (authored by george.karpenkov). · Explain WhyOct 9 2017, 4:21 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
Analysis/
38 lines
test/
Analysis/
9 lines

Diff 118294

cfe/trunk/lib/Analysis/BodyFarm.cpp

Show First 20 LinesShow All 321 Lines▼ Show 20 Linesstatic Stmt *create_call_once(ASTContext &C, const FunctionDecl *D) {
if (D->param_size() < 2) if (D->param_size() < 2)
return nullptr; return nullptr;
ASTMaker M(C); ASTMaker M(C);
const ParmVarDecl *Flag = D->getParamDecl(0); const ParmVarDecl *Flag = D->getParamDecl(0);
const ParmVarDecl *Callback = D->getParamDecl(1); const ParmVarDecl *Callback = D->getParamDecl(1);
QualType CallbackType = Callback->getType().getNonReferenceType(); QualType CallbackType = Callback->getType().getNonReferenceType();
QualType FlagType = Flag->getType().getNonReferenceType();
CXXRecordDecl *FlagCXXDecl = FlagType->getAsCXXRecordDecl();
if (!FlagCXXDecl) {
DEBUG(llvm::dbgs() << "Flag field is not a CXX record: "
<< "unknown std::call_once implementation."
<< "Ignoring the call.\n");
return nullptr;
}
// Note: here we are assuming libc++ implementation of call_once,
// which has a struct with a field `__state_`.
// Body farming might not work for other `call_once` implementations.
NamedDecl *FoundDecl = M.findMemberField(FlagCXXDecl, "__state_");
ValueDecl *FieldDecl;
if (FoundDecl) {
FieldDecl = dyn_cast<ValueDecl>(FoundDecl);
} else {
DEBUG(llvm::dbgs() << "No field __state_ found on std::once_flag struct, "
<< "unable to synthesize call_once body, ignoring "
<< "the call.\n");
return nullptr;
}
bool isLambdaCall = CallbackType->getAsCXXRecordDecl() && bool isLambdaCall = CallbackType->getAsCXXRecordDecl() &&
CallbackType->getAsCXXRecordDecl()->isLambda(); CallbackType->getAsCXXRecordDecl()->isLambda();
SmallVector<Expr *, 5> CallArgs; SmallVector<Expr *, 5> CallArgs;
if (isLambdaCall) if (isLambdaCall)
// Lambda requires callback itself inserted as a first parameter. // Lambda requires callback itself inserted as a first parameter.
Show All 12 Lines if (isLambdaCall) {
CallbackCall = CallbackCall =
create_call_once_lambda_call(C, M, Callback, CallbackType, CallArgs); create_call_once_lambda_call(C, M, Callback, CallbackType, CallArgs);
} else { } else {
// Function pointer case. // Function pointer case.
CallbackCall = create_call_once_funcptr_call(C, M, Callback, CallArgs); CallbackCall = create_call_once_funcptr_call(C, M, Callback, CallArgs);
} }
QualType FlagType = Flag->getType().getNonReferenceType();
DeclRefExpr *FlagDecl = DeclRefExpr *FlagDecl =
M.makeDeclRefExpr(Flag, M.makeDeclRefExpr(Flag,
/* RefersToEnclosingVariableOrCapture=*/true, /* RefersToEnclosingVariableOrCapture=*/true,
/* GetNonReferenceType=*/true); /* GetNonReferenceType=*/true);
CXXRecordDecl *FlagCXXDecl = FlagType->getAsCXXRecordDecl();
// Note: here we are assuming libc++ implementation of call_once,
// which has a struct with a field `__state_`.
// Body farming might not work for other `call_once` implementations.
NamedDecl *FoundDecl = M.findMemberField(FlagCXXDecl, "__state_");
ValueDecl *FieldDecl;
if (FoundDecl) {
FieldDecl = dyn_cast<ValueDecl>(FoundDecl);
} else {
DEBUG(llvm::dbgs() << "No field __state_ found on std::once_flag struct, "
<< "unable to synthesize call_once body, ignoring "
<< "the call.\n");
return nullptr;
}
MemberExpr *Deref = M.makeMemberExpression(FlagDecl, FieldDecl); MemberExpr *Deref = M.makeMemberExpression(FlagDecl, FieldDecl);
assert(Deref->isLValue()); assert(Deref->isLValue());
QualType DerefType = Deref->getType(); QualType DerefType = Deref->getType();
// Negation predicate. // Negation predicate.
UnaryOperator *FlagCheck = new (C) UnaryOperator( UnaryOperator *FlagCheck = new (C) UnaryOperator(
/* input= */ /* input= */
▲ Show 20 LinesShow All 381 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/call_once.cpp

Show First 20 LinesShow All 225 Lines▼ Show 20 Lines
int call_once() { int call_once() {
return 5; return 5;
} }
void test_non_std_call_once() { void test_non_std_call_once() {
int x = call_once(); int x = call_once();
clang_analyzer_eval(x == 5); // expected-warning{{TRUE}} clang_analyzer_eval(x == 5); // expected-warning{{TRUE}}
} }
namespace std {
template <typename d, typename e>
void call_once(d, e);
}
void g();
void test_no_segfault_on_different_impl() {
std::call_once(g, false); // no-warning
}