This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
PathDiagnostic.cpp
-
test/Analysis/
-
Analysis/
-
malloc.c

Differential D42396

[analyzer] Do not attempt to get the pointee of void* .
ClosedPublic

Authored by alexander-shaposhnikov on Jan 22 2018, 2:38 PM.

Download Raw Diff

Details

Reviewers

NoQ
dcoughlin
george.karpenkov

Commits

rG0c352b15d78e: [analyzer] Do not attempt to get the pointee of void*
rC323382: [analyzer] Do not attempt to get the pointee of void*
rL323382: [analyzer] Do not attempt to get the pointee of void*

Summary

Do not attempt to get the pointee of void* while generating a bug report
(otherwise it will trigger an assert inside RegionStoreManager::getBinding
assert(!T->isVoidType() && "Attempting to dereference a void pointer!")).
(the call stack:

(anonymous namespace)::RegionStoreManager::getBinding
clang::ento::ProgramState::getSVal
clang::ento::StackHintGeneratorForSymbol::getMessage
clang::ento::PathDiagnosticEventPiece::getCallStackMessage 
....

)
Test plan: make check-all

Diff Detail

Repository: rL LLVM

Event Timeline

alexander-shaposhnikov created this revision.Jan 22 2018, 2:38 PM

Herald added subscribers: llvm-commits, a.sidorin, szepet, xazax.hun. · View Herald TranscriptJan 22 2018, 2:38 PM

indents

smeenai added a subscriber: smeenai.Jan 22 2018, 2:48 PM

Hmm, the original code seems quite quick-and-dirty. It, indeed, tries to blindly dereference something that's accidentally "some pointer".

Could you change the type check to consider AST types instead, i.e. check that (*I)->getType() is a double-pointer type? And then pass its single-pointee type into getSVal as the second optional argument, so that it knew what to expect. This would be the correct way to express what the author was trying to say.

Because your code ignores possible layers of sub-regions contained within Reg, and i'm afraid we may loose notes because of that.

(in any case there are many more ways in which a pointer can be passed into a function that this visitor doesn't pattern-match, but that's not super problematic)

alexander-shaposhnikov updated this revision to Diff 130979.Jan 22 2018, 3:40 PM

switched to checking (*I)->getType()

Herald added a reviewer: george.karpenkov. · View Herald TranscriptJan 23 2018, 12:52 PM

Yeah, i guess that'd work as well :)

This revision is now accepted and ready to land.Jan 24 2018, 1:49 PM

Closed by commit rL323382: [analyzer] Do not attempt to get the pointee of void* (authored by alexander-shaposhnikov). · Explain WhyJan 24 2018, 2:19 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Core/

PathDiagnostic.cpp

3 lines

test/

Analysis/

malloc.c

12 lines

Diff 131352

cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp

Show First 20 Lines • Show All 1,205 Lines • ▼ Show 20 Lines	for (CallExpr::const_arg_iterator I = CE->arg_begin(),
// Check if the variable corresponding to the symbol is passed by value.		// Check if the variable corresponding to the symbol is passed by value.
SymbolRef AS = SV.getAsLocSymbol();		SymbolRef AS = SV.getAsLocSymbol();
if (AS == Sym) {		if (AS == Sym) {
return getMessageForArg(*I, ArgIndex);		return getMessageForArg(*I, ArgIndex);
}		}

// Check if the parameter is a pointer to the symbol.		// Check if the parameter is a pointer to the symbol.
if (Optional<loc::MemRegionVal> Reg = SV.getAs<loc::MemRegionVal>()) {		if (Optional<loc::MemRegionVal> Reg = SV.getAs<loc::MemRegionVal>()) {
		// Do not attempt to dereference void*.
		if ((*I)->getType()->isVoidPointerType())
		continue;
SVal PSV = N->getState()->getSVal(Reg->getRegion());		SVal PSV = N->getState()->getSVal(Reg->getRegion());
SymbolRef AS = PSV.getAsLocSymbol();		SymbolRef AS = PSV.getAsLocSymbol();
if (AS == Sym) {		if (AS == Sym) {
return getMessageForArg(*I, ArgIndex);		return getMessageForArg(*I, ArgIndex);
}		}
}		}
}		}

Show All 23 Lines

cfe/trunk/test/Analysis/malloc.c

	Show First 20 Lines • Show All 1,780 Lines • ▼ Show 20 Lines
	// of the C-string checker.			// of the C-string checker.
	void cstringchecker_bounds_nocrash() {			void cstringchecker_bounds_nocrash() {
	char *p = malloc(2);			char *p = malloc(2);
	strncpy(p, "AAA", sizeof("AAA")); // expected-warning {{Size argument is greater than the length of the destination buffer}}			strncpy(p, "AAA", sizeof("AAA")); // expected-warning {{Size argument is greater than the length of the destination buffer}}

	free(p);			free(p);
	}			}

				void allocateSomeMemory(void offendingParameter, void *ptr) {
				*ptr = malloc(1);
				}

				void testNoCrashOnOffendingParameter() {
				// "extern" is necessary to avoid unrelated warnings
				// on passing uninitialized value.
				extern void *offendingParameter;
				void* ptr;
				allocateSomeMemory(offendingParameter, &ptr);
				} // expected-warning {{Potential leak of memory pointed to by 'ptr'}}

	// ----------------------------------------------------------------------------			// ----------------------------------------------------------------------------
	// False negatives.			// False negatives.

	void testMallocWithParam(int **p) {			void testMallocWithParam(int **p) {
	p = (int) malloc(sizeof(int));			p = (int) malloc(sizeof(int));
	*p = 0; // FIXME: should warn here			*p = 0; // FIXME: should warn here
	}			}

	Show All 17 Lines