This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
IteratorChecker.cpp
-
test/Analysis/
-
Analysis/
-
loop-widening.c

Differential D44606

[analyzer] Fix the crash in `IteratorChecker.cpp` when `SymbolConjured` has a null Stmt.
ClosedPublic

Authored by MTC on Mar 18 2018, 1:05 AM.

Download Raw Diff

Details

Reviewers

NoQ
baloghadamsoftware
szepet
dcoughlin
george.karpenkov

Commits

rG073d5f023c19: [analyzer] Fix the crash in IteratorChecker.cpp when 'SymbolConjured' has a…
rC327962: [analyzer] Fix the crash in IteratorChecker.cpp when 'SymbolConjured' has a…
rL327962: [analyzer] Fix the crash in IteratorChecker.cpp when 'SymbolConjured' has a…

Summary

When the loop has a null terminator statement and sets widen-loops=true, invalidateRegions() will constructs the SymbolConjured with null Stmt. And this will lead to a crash in IteratorChecker.cpp.

Given the code below:

void null_terminator_loop_widen(int *a) {
  int c;
  for (;;) {
    c = *a;
    a++;
  }
}

I haven't found any problems with SymbolConjured containing null Stmt for the time being. So I just use
dyn_cast_or_null<> instead of dyn_cast<> in IteratorChecker.cpp, and didn't delve into the widen loop part.

Diff Detail

Repository: rL LLVM

Event Timeline

MTC created this revision.Mar 18 2018, 1:05 AM

Herald added a reviewer: george.karpenkov. · View Herald TranscriptMar 18 2018, 1:05 AM

Herald added subscribers: cfe-commits, a.sidorin, rnkovacs, xazax.hun. · View Herald Transcript

Harbormaster completed remote builds in B16185: Diff 138843.Mar 18 2018, 1:05 AM

MTC edited the summary of this revision. (Show Details)Mar 18 2018, 1:07 AM

Nice catch, it looks good to me! Thank you!
One small nit for future debugging people: Could you insert a comment line in the test case where you explain what is this all about? E.g what you just have written in the description: "invalidateRegions() will construct the SymbolConjured with null Stmt" or something like this.

Just in case: we indeed do not guarantee that SymbolConjured corresponds to a statement; it is, however, not intended, but rather a bug. Consider:

 1	void clang_analyzer_eval(bool);
 2
 3	class C {
 4	  int &x;
 5	public:
 6	  C(int &x): x(x) {}
 7	  ~C();
 8	};
 9
10	void foo() {
11	  int x = 1;
12	  {
13	    C c(x);
14	  }
15	  int y = x;
16	  {
17	    C c(x);
18	  }
19	  int z = x;
20	  clang_analyzer_eval(y == z);
21	}

We currently evaluate clang_analyzer_eval(y == z) to TRUE but that's unsound because ~C(); could have been defined as ~C() { ++x; }. We make such unsound assumption because SymbolConjured put into x during destructor call on line 14 and on line 18 is the same conjured symbol because they have no statements attached because destructors are implicit and have no corresponding statements, and everything else about these two symbols is the same. So, well, we should work around this problem somehow.

Now the real question here is whether IteratorChecker should scan any of the symbols that have no statement attached. I believe that IteratorChecker should only be interested in symbols that were returned from specific functions that return iterators. In the test case there are no iterators at all, so i suspect that the iterator checker is scanning more symbols than it needs.

Regardless, the patch makes sense :)

This revision is now accepted and ready to land.Mar 19 2018, 2:04 PM

One small nit for future debugging people: Could you insert a comment line in the test case where you explain what is this all about? E.g what you just have written in the description: "invalidateRegions() will construct the SymbolConjured with null Stmt" or something like this.

Thank you for pointing this out, and I'll add the comment.

Just in case: we indeed do not guarantee that SymbolConjured corresponds to a statement; it is, however, not intended, but rather a bug.

Thank you for your explanation and the reasonable example, NoQ.

Add the comments as suggested by @szepet .

Closed by commit rL327962: [analyzer] Fix the crash in IteratorChecker.cpp when 'SymbolConjured' has a… (authored by henrywong). · Explain WhyMar 20 2018, 2:32 AM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: llvm-commits. · View Herald TranscriptMar 20 2018, 2:32 AM

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Checkers/

IteratorChecker.cpp

2 lines

test/

Analysis/

loop-widening.c

14 lines

Diff 139091

cfe/trunk/lib/StaticAnalyzer/Checkers/IteratorChecker.cpp

Show First 20 Lines • Show All 598 Lines • ▼ Show 20 Lines	bool isDereferenceOperator(OverloadedOperatorKind OK) {
return OK == OO_Star \|\| OK == OO_Arrow \|\| OK == OO_ArrowStar \|\|		return OK == OO_Star \|\| OK == OO_Arrow \|\| OK == OO_ArrowStar \|\|
OK == OO_Subscript;		OK == OO_Subscript;
}		}

BinaryOperator::Opcode getOpcode(const SymExpr *SE) {		BinaryOperator::Opcode getOpcode(const SymExpr *SE) {
if (const auto *BSE = dyn_cast<BinarySymExpr>(SE)) {		if (const auto *BSE = dyn_cast<BinarySymExpr>(SE)) {
return BSE->getOpcode();		return BSE->getOpcode();
} else if (const auto *SC = dyn_cast<SymbolConjured>(SE)) {		} else if (const auto *SC = dyn_cast<SymbolConjured>(SE)) {
const auto *COE = dyn_cast<CXXOperatorCallExpr>(SC->getStmt());		const auto *COE = dyn_cast_or_null<CXXOperatorCallExpr>(SC->getStmt());
if (!COE)		if (!COE)
return BO_Comma; // Extremal value, neither EQ nor NE		return BO_Comma; // Extremal value, neither EQ nor NE
if (COE->getOperator() == OO_EqualEqual) {		if (COE->getOperator() == OO_EqualEqual) {
return BO_EQ;		return BO_EQ;
} else if (COE->getOperator() == OO_ExclaimEqual) {		} else if (COE->getOperator() == OO_ExclaimEqual) {
return BO_NE;		return BO_NE;
}		}
return BO_Comma; // Extremal value, neither EQ nor NE		return BO_Comma; // Extremal value, neither EQ nor NE
▲ Show 20 Lines • Show All 217 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/loop-widening.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-max-loop 4 -analyzer-config widen-loops=true -verify %s		// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-max-loop 4 -analyzer-config widen-loops=true -verify %s
		// RUN: %clang_analyze_cc1 -DTEST_NULL_TERM -analyzer-checker=core,unix.Malloc,debug.ExprInspection,alpha.cplusplus.IteratorRange -analyzer-max-loop 4 -analyzer-config widen-loops=true -verify %s

void clang_analyzer_eval(int);		void clang_analyzer_eval(int);
void clang_analyzer_warnIfReached();		void clang_analyzer_warnIfReached();

typedef __typeof(sizeof(int)) size_t;		typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);		void *malloc(size_t);
void free(void *);		void free(void *);

▲ Show 20 Lines • Show All 173 Lines • ▼ Show 20 Lines	for (i = 0; i < 2; i++) {
clang_analyzer_eval(i < 2); // expected-warning {{TRUE}}		clang_analyzer_eval(i < 2); // expected-warning {{TRUE}}
for (j = 0; j < 10; j++) {		for (j = 0; j < 10; j++) {
clang_analyzer_eval(j < 10); // expected-warning {{TRUE}}		clang_analyzer_eval(j < 10); // expected-warning {{TRUE}}
}		}
clang_analyzer_eval(j >= 10); // expected-warning {{TRUE}}		clang_analyzer_eval(j >= 10); // expected-warning {{TRUE}}
}		}
clang_analyzer_eval(i >= 2); // expected-warning {{TRUE}}		clang_analyzer_eval(i >= 2); // expected-warning {{TRUE}}
}		}

		#ifdef TEST_NULL_TERM
		void null_terminator_loop_widen(int *a) {
		int c;
		// Loop widening will call 'invalidateRegions()' and 'invalidateRegions()'
		// will construct the SymbolConjured with null Stmt because of the null
		// terminator statement. Accessing the null Stmt will cause a crash.
		for (;;) {
		c = *a; // no-crash
		a++;
		}
		}
		#endif