This is an archive of the discontinued LLVM Phabricator instance.

Differential D43659

[analyzer] Don't crash when dynamic type of a concrete region is hard-set with placement new.
ClosedPublic

Authored by NoQ on Feb 22 2018, 4:50 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rGf01831ebe9fb: [analyzer] Don't crash when dynamic type of a variable is set via placement new.
rC326245: [analyzer] Don't crash when dynamic type of a variable is set via placement new.
rL326245: [analyzer] Don't crash when dynamic type of a variable is set via placement new.
Summary

This is assertion removal that i find valid. With placement new (which isn't even need to be inlined, we used to model it conservatively well enough), anything of any type can have any dynamic type. Even if we have a concrete region of a variable, its dynamic type and its static type can be completely unrelated. This might be UB due to strict aliasing rules, but we shouldn't crash. This patch introduces a relatively sane behavior in this scenario that consists of evalCast()ing this-region to the assumed dynamic type during virtual calls.

In the common case when the dynamic type is a sub-class of the static type, this is worse than calling attemptDownCast() because it adds element region instead of removing base regions (which is not incorrect but produces a non-canonical representation of the SVal). But when the common-case approach is known to have failed, there doesn't seem to be a better option.

A lot of these crashes have suddenly shown up when i was testing temporaries. They have nothing to do with temporaries though, but with a weird implementation detail of std::function that suddenly got some if its methods inlined.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Feb 22 2018, 4:50 PM
Herald added subscribers: cfe-commits, rnkovacs. · View Herald TranscriptFeb 22 2018, 4:50 PM
george.karpenkov accepted this revision.Feb 22 2018, 5:04 PM

LGTM, though in general I still think we should do something on soft-failure-modes in order to aid future debugging...

Is the failure mode in this case always a UB? In this case, could we emit a warning? If not from CallEvent, then from where?

lib/StaticAnalyzer/Core/CallEvent.cpp
593 ↗(On Diff #135563)

nit: auto?

This revision is now accepted and ready to land.Feb 22 2018, 5:04 PM
NoQ updated this revision to Diff 135572.Feb 22 2018, 5:22 PM
  • Add a definitely-not-UB example (char buffers are special).
  • Bring back an accidentally deleted blank line.
NoQ added inline comments.Feb 22 2018, 5:24 PM
lib/StaticAnalyzer/Core/CallEvent.cpp
593 ↗(On Diff #135563)

Dunno, i somehow like the symmetry with the next line. "Take method decl, take record decl". Maybe it's just me.

NoQ added a comment.Feb 22 2018, 5:27 PM

In this case, could we emit a warning? If not from CallEvent, then from where?

(1) This might result in a buffer overflow, so i home that alpha.ArrayBound may eventually catch it.
(2) It might be a good idea to make a fairly generic checker for the strict aliasing rule.

NoQ added a child revision: D43804: [analyzer] Enable cfg-temporary-dtors by default?.Feb 26 2018, 8:14 PM
Closed by commit rL326245: [analyzer] Don't crash when dynamic type of a variable is set via placement new. (authored by NoQ). · Explain WhyFeb 27 2018, 12:57 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptFeb 27 2018, 12:57 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
10 lines
test/
Analysis/
28 lines

Diff 136137

cfe/trunk/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 LinesShow All 581 Lines▼ Show 20 Lines if (!ThisVal.isUnknown()) {
if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) { if (MD->getCanonicalDecl() != getDecl()->getCanonicalDecl()) {
ASTContext &Ctx = SVB.getContext(); ASTContext &Ctx = SVB.getContext();
const CXXRecordDecl *Class = MD->getParent(); const CXXRecordDecl *Class = MD->getParent();
QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class)); QualType Ty = Ctx.getPointerType(Ctx.getRecordType(Class));
// FIXME: CallEvent maybe shouldn't be directly accessing StoreManager. // FIXME: CallEvent maybe shouldn't be directly accessing StoreManager.
bool Failed; bool Failed;
ThisVal = StateMgr.getStoreManager().attemptDownCast(ThisVal, Ty, Failed); ThisVal = StateMgr.getStoreManager().attemptDownCast(ThisVal, Ty, Failed);
assert(!Failed && "Calling an incorrectly devirtualized method"); if (Failed) {
// We might have suffered some sort of placement new earlier, so
// we're constructing in a completely unexpected storage.
// Fall back to a generic pointer cast for this-value.
const CXXMethodDecl *StaticMD = cast<CXXMethodDecl>(getDecl());
const CXXRecordDecl *StaticClass = StaticMD->getParent();
QualType StaticTy = Ctx.getPointerType(Ctx.getRecordType(StaticClass));
ThisVal = SVB.evalCast(ThisVal, Ty, StaticTy);
}
} }
if (!ThisVal.isUnknown()) if (!ThisVal.isUnknown())
Bindings.push_back(std::make_pair(ThisLoc, ThisVal)); Bindings.push_back(std::make_pair(ThisLoc, ThisVal));
} }
} }
▲ Show 20 LinesShow All 621 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/new-dynamic-types.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core -std=c++11 -verify %s
// expected-no-diagnostics
typedef __typeof(sizeof(int)) size_t;
void *operator new(size_t size, void *ptr);
struct B {
virtual void foo();
};
struct D : public B {
virtual void foo() override {}
};
void test_ub() {
// FIXME: Potentially warn because this code is pretty weird.
B b;
new (&b) D;
b.foo(); // no-crash
}
void test_non_ub() {
char c[sizeof(D)]; // Should be enough storage.
new (c) D;
((B *)c)->foo(); // no-crash
}