This is an archive of the discontinued LLVM Phabricator instance.

Differential D41816

[analyzer] Model and check unrepresentable left shifts
ClosedPublic

Authored by rnkovacs on Jan 8 2018, 5:24 AM.

Details

Reviewers
NoQ
dcoughlin
xazax.hun
Commits
rG596fcb1b0f60: [analyzer] Model and check unrepresentable left shifts
rL323115: [analyzer] Model and check unrepresentable left shifts
rC323115: [analyzer] Model and check unrepresentable left shifts
Summary

Left shifting a signed positive value is undefined if the result is not representable in the unsigned version of the return type.

The analyzer now returns an UndefVal in this case and UndefResultChecker is updated to warn about it.

Diff Detail

Repository
rC Clang

Event Timeline

rnkovacs created this revision.Jan 8 2018, 5:24 AM
Herald added subscribers: a.sidorin, szepet, baloghadamsoftware, whisperity. · View Herald TranscriptJan 8 2018, 5:24 AM
xazax.hun added a comment.Jan 9 2018, 3:01 AM

Overall looks good to me, one comment inline. I think it is good to have these checks to prevent the analyzer executing undefined behavior. Maybe this would make it more feasible to run the analyzer with ubsan :)
In the future, it would be great to also look for these cases symbolically, but I believe it is perfectly fine to have that in a separate patch.

lib/StaticAnalyzer/Core/BasicValueFactory.cpp
238

Do you get a warning if you remove the cast above? I am not sure that we actually want to have the cast here.

rnkovacs updated this revision to Diff 129071.Jan 9 2018, 6:13 AM
rnkovacs marked an inline comment as done.
rnkovacs added a comment.Jan 9 2018, 6:18 AM
In D41816#970845, @xazax.hun wrote:

Overall looks good to me, one comment inline. I think it is good to have these checks to prevent the analyzer executing undefined behavior. Maybe this would make it more feasible to run the analyzer with ubsan :)
In the future, it would be great to also look for these cases symbolically, but I believe it is perfectly fine to have that in a separate patch.

I agree, but I thought that making these checks complete first might be a good idea.

NoQ accepted this revision.Jan 10 2018, 11:23 AM

Looks great. @dcoughlin: would you approve the warning message text?

Maybe actually we could print out the exact numbers that cause the bit shift to overflow, since we do have them when we check.

This revision is now accepted and ready to land.Jan 10 2018, 11:23 AM
rnkovacs updated this revision to Diff 129448.Jan 11 2018, 7:06 AM

I extended the warning message to include more information. What do you think?

dcoughlin added a comment.Jan 12 2018, 6:34 PM

The diagnostic text looks to me, but I do have a comment about the nested 'if' inline.

lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
156

This inner 'if' looks fishy to me because if the 'else' branch is ever taken then OS will be empty.

If the else branch can't be taken then you should turn it into an assert(). If it can be taken, then you should make sure that the fall through goes through the "default" else case at the bottom. One way to do this is to pull out the "is representable logic" into a helper function and call that in the containing 'else if'.

Something like:

if (B->getOpcode() == BinaryOperatorKind::BO_Shl && isLeftShiftResultRepresentable(LHS, RHS)) {
  OS << "The result of the left shift ..."
}
rnkovacs updated this revision to Diff 129905.Jan 15 2018, 1:51 PM
rnkovacs marked an inline comment as done.
rnkovacs added inline comments.
lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp
156

I overlooked this issue, thanks for pointing out. I pulled the logic out into a helper function.

dcoughlin accepted this revision.Jan 21 2018, 1:48 PM

Looks good to me, thanks!

Closed by commit rC323115: [analyzer] Model and check unrepresentable left shifts (authored by xazax). · Explain WhyJan 22 2018, 5:33 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
22 lines
Core/
6 lines
test/
Analysis/
6 lines

Diff 130868

lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

Show First 20 LinesShow All 57 Lines▼ Show 20 Linesstatic bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex) {
return StOutBound && !StInBound; return StOutBound && !StInBound;
} }
static bool isShiftOverflow(const BinaryOperator *B, CheckerContext &C) { static bool isShiftOverflow(const BinaryOperator *B, CheckerContext &C) {
return C.isGreaterOrEqual( return C.isGreaterOrEqual(
B->getRHS(), C.getASTContext().getIntWidth(B->getLHS()->getType())); B->getRHS(), C.getASTContext().getIntWidth(B->getLHS()->getType()));
} }
static bool isLeftShiftResultUnrepresentable(const BinaryOperator *B,
CheckerContext &C) {
SValBuilder &SB = C.getSValBuilder();
ProgramStateRef State = C.getState();
const llvm::APSInt *LHS = SB.getKnownValue(State, C.getSVal(B->getLHS()));
const llvm::APSInt *RHS = SB.getKnownValue(State, C.getSVal(B->getRHS()));
return (unsigned)RHS->getZExtValue() > LHS->countLeadingZeros();
}
void UndefResultChecker::checkPostStmt(const BinaryOperator *B, void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
CheckerContext &C) const { CheckerContext &C) const {
if (C.getSVal(B).isUndef()) { if (C.getSVal(B).isUndef()) {
// Do not report assignments of uninitialized values inside swap functions. // Do not report assignments of uninitialized values inside swap functions.
// This should allow to swap partially uninitialized structs // This should allow to swap partially uninitialized structs
// (radar://14129997) // (radar://14129997)
if (const FunctionDecl *EnclosingFunctionDecl = if (const FunctionDecl *EnclosingFunctionDecl =
▲ Show 20 LinesShow All 59 Lines▼ Show 20 Lines if (Ex) {
OS << '\'' << I->getSExtValue() << "\', which is"; OS << '\'' << I->getSExtValue() << "\', which is";
OS << " greater or equal to the width of type '" OS << " greater or equal to the width of type '"
<< B->getLHS()->getType().getAsString() << "'."; << B->getLHS()->getType().getAsString() << "'.";
} else if (B->getOpcode() == BinaryOperatorKind::BO_Shl && } else if (B->getOpcode() == BinaryOperatorKind::BO_Shl &&
C.isNegative(B->getLHS())) { C.isNegative(B->getLHS())) {
OS << "The result of the left shift is undefined because the left " OS << "The result of the left shift is undefined because the left "
"operand is negative"; "operand is negative";
} else if (B->getOpcode() == BinaryOperatorKind::BO_Shl &&
isLeftShiftResultUnrepresentable(B, C)) {
ProgramStateRef State = C.getState();
SValBuilder &SB = C.getSValBuilder();
const llvm::APSInt *LHS =
SB.getKnownValue(State, C.getSVal(B->getLHS()));
const llvm::APSInt *RHS =
dcoughlinUnsubmitted
Done
ReplyInline Actions

This inner 'if' looks fishy to me because if the 'else' branch is ever taken then OS will be empty.

If the else branch can't be taken then you should turn it into an assert(). If it can be taken, then you should make sure that the fall through goes through the "default" else case at the bottom. One way to do this is to pull out the "is representable logic" into a helper function and call that in the containing 'else if'.

Something like:

if (B->getOpcode() == BinaryOperatorKind::BO_Shl && isLeftShiftResultRepresentable(LHS, RHS)) {
  OS << "The result of the left shift ..."
}
dcoughlin: This inner 'if' looks fishy to me because if the 'else' branch is ever taken then OS will be…
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

I overlooked this issue, thanks for pointing out. I pulled the logic out into a helper function.

rnkovacs: I overlooked this issue, thanks for pointing out. I pulled the logic out into a helper function.
SB.getKnownValue(State, C.getSVal(B->getRHS()));
OS << "The result of the left shift is undefined due to shifting \'"
<< LHS->getSExtValue() << "\' by \'" << RHS->getZExtValue()
<< "\', which is unrepresentable in the unsigned version of "
<< "the return type \'" << B->getLHS()->getType().getAsString()
<< "\'";
} else { } else {
OS << "The result of the '" OS << "The result of the '"
<< BinaryOperator::getOpcodeStr(B->getOpcode()) << BinaryOperator::getOpcodeStr(B->getOpcode())
<< "' expression is undefined"; << "' expression is undefined";
} }
} }
auto report = llvm::make_unique<BugReport>(*BT, OS.str(), N); auto report = llvm::make_unique<BugReport>(*BT, OS.str(), N);
if (Ex) { if (Ex) {
Show All 13 Lines

lib/StaticAnalyzer/Core/BasicValueFactory.cpp

Show First 20 LinesShow All 218 Lines▼ Show 20 Lines switch (Op) {
case BO_Sub: case BO_Sub:
return &getValue( V1 - V2 ); return &getValue( V1 - V2 );
case BO_Shl: { case BO_Shl: {
// FIXME: This logic should probably go higher up, where we can // FIXME: This logic should probably go higher up, where we can
// test these conditions symbolically. // test these conditions symbolically.
// FIXME: Expand these checks to include all undefined behavior.
if (V1.isSigned() && V1.isNegative()) if (V1.isSigned() && V1.isNegative())
return nullptr; return nullptr;
if (V2.isSigned() && V2.isNegative()) if (V2.isSigned() && V2.isNegative())
return nullptr; return nullptr;
uint64_t Amt = V2.getZExtValue(); uint64_t Amt = V2.getZExtValue();
if (Amt >= V1.getBitWidth()) if (Amt >= V1.getBitWidth())
return nullptr; return nullptr;
if (V1.isSigned() && Amt > V1.countLeadingZeros())
xazax.hunUnsubmitted
Done
ReplyInline Actions

Do you get a warning if you remove the cast above? I am not sure that we actually want to have the cast here.

xazax.hun: Do you get a warning if you remove the cast above? I am not sure that we actually want to have…
return nullptr;
return &getValue( V1.operator<<( (unsigned) Amt )); return &getValue( V1.operator<<( (unsigned) Amt ));
} }
case BO_Shr: { case BO_Shr: {
// FIXME: This logic should probably go higher up, where we can // FIXME: This logic should probably go higher up, where we can
// test these conditions symbolically. // test these conditions symbolically.
// FIXME: Expand these checks to include all undefined behavior.
if (V2.isSigned() && V2.isNegative()) if (V2.isSigned() && V2.isNegative())
return nullptr; return nullptr;
uint64_t Amt = V2.getZExtValue(); uint64_t Amt = V2.getZExtValue();
if (Amt >= V1.getBitWidth()) if (Amt >= V1.getBitWidth())
return nullptr; return nullptr;
▲ Show 20 LinesShow All 88 LinesShow Last 20 Lines

test/Analysis/bitwise-ops.c

Show First 20 LinesShow All 45 Lines▼ Show 20 Lines
} }
int testNegativeLeftShift(int a) { int testNegativeLeftShift(int a) {
if (a == -3) { if (a == -3) {
return a << 1; // expected-warning{{The result of the left shift is undefined because the left operand is negative}} return a << 1; // expected-warning{{The result of the left shift is undefined because the left operand is negative}}
} }
return 0; return 0;
} }
int testUnrepresentableLeftShift(int a) {
if (a == 8)
return a << 30; // expected-warning{{The result of the left shift is undefined due to shifting '8' by '30', which is unrepresentable in the unsigned version of the return type 'int'}}
return 0;
}