This is an archive of the discontinued LLVM Phabricator instance.

Differential D43218

[analyzer] Quickfix: do not overflow in calculating offset in RegionManager
ClosedPublic

Authored by george.karpenkov on Feb 12 2018, 6:32 PM.

Details

Reviewers
dcoughlin
NoQ
Commits
rG585dc5db136c: [analyzer] Quickfix: do not overflow in calculating offset in RegionManager
rL326122: [analyzer] Quickfix: do not overflow in calculating offset in RegionManager
rC326122: [analyzer] Quickfix: do not overflow in calculating offset in RegionManager
Summary

Addresses https://bugs.llvm.org/show_bug.cgi?id=36206

rdar://37159026

A proper fix would be much harder, and would involve changing the appropriate code in ExprEngine to be aware of the size limitations of the type used for addressing.

Diff Detail

Repository
rC Clang

Event Timeline

george.karpenkov created this revision.Feb 12 2018, 6:32 PM
Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptFeb 12 2018, 6:32 PM
dcoughlin added inline comments.Feb 12 2018, 9:39 PM
lib/StaticAnalyzer/Core/MemRegion.cpp
1219

I'd really like to minimize this kind of debug logging. The comment is sufficient here.

george.karpenkov added inline comments.Feb 13 2018, 3:26 PM
lib/StaticAnalyzer/Core/MemRegion.cpp
1219

@dcoughlin it would help the next person to debug a weird issue, as analyzer does many relaxing assertions in many places. If anything, we almost never use it as the enabling flag is quite bizarre.

dcoughlin added a comment.Feb 14 2018, 11:15 AM

We have a comment documenting the decision. Adding a printf doesn't seem like it would help very much here and adds untested code. I don't think we should have a policy of adding these printfs on every early return. Since these printfs make it harder to read the code and are duplicated with the comments, I think we should avoid adding one until we know it is actually generally useful.

Here is what I propose:

  • When you are debugging an issue and found a printf helpful, only commit the DEBUG printf the *second* time you found it helpful. This will avoid prematurely littering the code with printfs and ensure that the ones that are committed are generally useful rather only helpful for debugging one specific issue.
  • Add lit FileCheck tests that exercise the debug configuration and test the output. This will make sure that future refactorings and changes in behavior don't unexpectedly break the DEBUG code.
george.karpenkov updated this revision to Diff 134276.Feb 14 2018, 11:28 AM

@dcoughlin OK.

NoQ added a comment.Feb 16 2018, 6:42 PM

Dunno, it'd be great to come up with some systematic approach to those debug prints. Having some of them is really nice sometimes.

I also wish the informal // no-crash thingy was specifically saying that it's about not causing a UBSan error, not just a simple assertion failure or segfault that the reader would expect. Because we don't have many such tests, so the reader doesn't expect that, and a quick glimpse at the differential revision may not be enough to figure this out.

NoQ accepted this revision.Feb 16 2018, 6:42 PM

LGTM otherwise!

This revision is now accepted and ready to land.Feb 16 2018, 6:42 PM
george.karpenkov updated this revision to Diff 135736.Feb 23 2018, 4:48 PM

...turns out the previous version had a bug. Re-introduced logging, as I've needed that for the second time for debugging.

This version is more robust, and is more obvious, but function is considerably more generic, except I don't know a good place to put it (and it can't be MathExtras, since APInt depends on that).

george.karpenkov added a subscriber: vsk.Feb 23 2018, 4:49 PM

@vsk on the other hand if circular dependency between MathExtras and APInt is OK, I guess the code could be moved there.

vsk added a comment.Feb 23 2018, 4:57 PM
In D43218#1018103, @george.karpenkov wrote:

@vsk on the other hand if circular dependency between MathExtras and APInt is OK, I guess the code could be moved there.

Sure. As I mentioned off-list, I think it would be cleaner to implement these checked operations as overloads of SaturatingAdd, SaturatingMultiply, etc. I don't anticipate a build dependency issue there.

vsk added inline comments.Feb 23 2018, 5:02 PM
lib/StaticAnalyzer/Core/MemRegion.cpp
1216

Oh, aren't sizes non-negative? Why not just cast to unsigned and use SaturatingMultiplyAdd, or something?

george.karpenkov added inline comments.Feb 23 2018, 5:14 PM
lib/StaticAnalyzer/Core/MemRegion.cpp
1216

IIRC array offsets can be negative (yay, C), and in this case i can be negative. I suppose two calls can also do, but then if it fits in unsigned it doesn't mean it fits in signed, since the underlying type is signed.

dcoughlin added a comment.Feb 24 2018, 8:58 AM
In D43218#1018101, @george.karpenkov wrote:

...turns out the previous version had a bug. Re-introduced logging, as I've needed that for the second time for debugging.

Please make sure to add a test for the debugging output so it doesn't regress.

george.karpenkov updated this revision to Diff 135937.Feb 26 2018, 11:42 AM
Closed by commit rC326122: [analyzer] Quickfix: do not overflow in calculating offset in RegionManager (authored by george.karpenkov). · Explain WhyFeb 26 2018, 1:05 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: cfe-commits. · View Herald TranscriptFeb 26 2018, 1:05 PM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Core/
46 lines
test/
Analysis/
2 lines
13 lines

Diff 135957

lib/StaticAnalyzer/Core/MemRegion.cpp

Show All 17 Lines
#include "clang/AST/CharUnits.h" #include "clang/AST/CharUnits.h"
#include "clang/AST/DeclObjC.h" #include "clang/AST/DeclObjC.h"
#include "clang/AST/RecordLayout.h" #include "clang/AST/RecordLayout.h"
#include "clang/Analysis/AnalysisDeclContext.h" #include "clang/Analysis/AnalysisDeclContext.h"
#include "clang/Analysis/Support/BumpVector.h" #include "clang/Analysis/Support/BumpVector.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include "llvm/Support/Debug.h"
#include<functional>
#define DEBUG_TYPE "MemRegion"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// MemRegion Construction. // MemRegion Construction.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 1,110 Lines▼ Show 20 Linesconst SymbolicRegion *MemRegion::getSymbolicBase() const {
while (SubR) { while (SubR) {
if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SubR)) if (const SymbolicRegion *SymR = dyn_cast<SymbolicRegion>(SubR))
return SymR; return SymR;
SubR = dyn_cast<SubRegion>(SubR->getSuperRegion()); SubR = dyn_cast<SubRegion>(SubR->getSuperRegion());
} }
return nullptr; return nullptr;
} }
/// Perform a given operation on two integers, return whether it overflows.
/// Optionally write the resulting output into \p Res.
static bool checkedOp(
int64_t LHS,
int64_t RHS,
std::function<llvm::APInt(llvm::APInt *, const llvm::APInt &, bool &)> Op,
int64_t *Res = nullptr) {
llvm::APInt ALHS(/*BitSize=*/64, LHS, /*Signed=*/true);
llvm::APInt ARHS(/*BitSize=*/64, RHS, /*Signed=*/true);
bool Overflow;
llvm::APInt Out = Op(&ALHS, ARHS, Overflow);
if (!Overflow && Res)
*Res = Out.getSExtValue();
return Overflow;
}
static bool checkedAdd(
int64_t LHS,
int64_t RHS,
int64_t *Res=nullptr) {
return checkedOp(LHS, RHS, &llvm::APInt::sadd_ov, Res);
}
static bool checkedMul(
int64_t LHS,
int64_t RHS,
int64_t *Res=nullptr) {
return checkedOp(LHS, RHS, &llvm::APInt::smul_ov, Res);
}
RegionRawOffset ElementRegion::getAsArrayOffset() const { RegionRawOffset ElementRegion::getAsArrayOffset() const {
CharUnits offset = CharUnits::Zero(); CharUnits offset = CharUnits::Zero();
const ElementRegion *ER = this; const ElementRegion *ER = this;
const MemRegion *superR = nullptr; const MemRegion *superR = nullptr;
ASTContext &C = getContext(); ASTContext &C = getContext();
// FIXME: Handle multi-dimensional arrays. // FIXME: Handle multi-dimensional arrays.
Show All 11 Lines if (Optional<nonloc::ConcreteInt> CI = index.getAs<nonloc::ConcreteInt>()) {
// If we are pointing to an incomplete type, go no further. // If we are pointing to an incomplete type, go no further.
if (elemType->isIncompleteType()) { if (elemType->isIncompleteType()) {
superR = ER; superR = ER;
break; break;
} }
CharUnits size = C.getTypeSizeInChars(elemType); CharUnits size = C.getTypeSizeInChars(elemType);
int64_t Mult;
bool Overflow = checkedAdd(i, size.getQuantity(), &Mult);
vskUnsubmitted
Not Done
ReplyInline Actions

Oh, aren't sizes non-negative? Why not just cast to unsigned and use SaturatingMultiplyAdd, or something?

vsk: Oh, aren't sizes non-negative? Why not just cast to unsigned and use SaturatingMultiplyAdd, or…
george.karpenkovAuthorUnsubmitted
Not Done
ReplyInline Actions

IIRC array offsets can be negative (yay, C), and in this case i can be negative. I suppose two calls can also do, but then if it fits in unsigned it doesn't mean it fits in signed, since the underlying type is signed.

george.karpenkov: IIRC array offsets can be negative (yay, C), and in this case `i` can be negative. I suppose…
Overflow |= checkedMul(Mult, offset.getQuantity());
if (Overflow) {
DEBUG(llvm::dbgs() << "MemRegion::getAsArrayOffset: "
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

I'd really like to minimize this kind of debug logging. The comment is sufficient here.

dcoughlin: I'd really like to minimize this kind of debug logging. The comment is sufficient here.
george.karpenkovAuthorUnsubmitted
Not Done
ReplyInline Actions

@dcoughlin it would help the next person to debug a weird issue, as analyzer does many relaxing assertions in many places. If anything, we almost never use it as the enabling flag is quite bizarre.

george.karpenkov: @dcoughlin it would help the next person to debug a weird issue, as analyzer does many relaxing…
<< "offset overflowing, returning unknown\n");
return nullptr;
}
offset += (i * size); offset += (i * size);
} }
// Go to the next ElementRegion (if any). // Go to the next ElementRegion (if any).
ER = dyn_cast<ElementRegion>(superR); ER = dyn_cast<ElementRegion>(superR);
continue; continue;
} }
▲ Show 20 LinesShow All 340 LinesShow Last 20 Lines

test/Analysis/region-store.cpp

Show All 19 Linespublic:
} }
}; };
class Derived: public P1, public P2 { class Derived: public P1, public P2 {
}; };
int radar13445834(Derived *Builder, Loc l) { int radar13445834(Derived *Builder, Loc l) {
Builder->setLoc(l); Builder->setLoc(l);
return Builder->accessBase(); return Builder->accessBase();
} }
No newline at end of file

test/Analysis/region_store_overflow.c

// REQUIRES: asserts
// RUN: %clang_analyze_cc1 -analyze -analyzer-checker=core -mllvm -debug %s 2>&1 | FileCheck %s
int **h;
int overflow_in_memregion(long j) {
for (int l = 0;; ++l) {
if (j - l > 0)
return h[j - l][0]; // no-crash
}
return 0;
}
// CHECK: {{.*}}
// CHECK: MemRegion::getAsArrayOffset: offset overflowing, returning unknown