This is an archive of the discontinued LLVM Phabricator instance.

Differential D45071

[analyzer] Track null or undef values through pointer arithmetic.
ClosedPublic

Authored by NoQ on Mar 29 2018, 5:16 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rG95f9a68b1f8f: [analyzer] Track null or undef values through pointer arithmetic.
rL328896: [analyzer] Track null or undef values through pointer arithmetic.
rC328896: [analyzer] Track null or undef values through pointer arithmetic.
Summary

Pointer arithmetic on null or undefined pointers results in null or undefined pointers. This is obvious for undefined pointers; for null pointers it follows from our incorrect-but-somehow-working approach that declares that 0 (Loc) doesn't necessarily represent a pointer of numeric address value 0, but instead it represents any pointer that will cause a valid "null pointer dereference" issue when dereferenced.

For now we've been seeing through pointer arithmetic at the original dereference expression, i.e. in bugreporter::getDerefExpr(), but not during further investigation of the value's origins in bugreporter::trackNullOrUndefValue(). The patch fixes it.

Reproducers are reduced from WebKit's custom string implementations. CStringChecker doesn't call getDerefExpr() at all (this is probably because passing a pointer to memcpy is not an immediate null dereference - in fact i've no idea how this decision was made or how this code was actually supposed to operate). But the second test case demonstrates that simply adding getDerefExpr() to CStringChecker is insufficient. Also an older FIXME test gets fixed this way.

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Mar 29 2018, 5:16 PM
Herald added subscribers: cfe-commits, rnkovacs, eraman. · View Herald TranscriptMar 29 2018, 5:16 PM
george.karpenkov accepted this revision.Mar 30 2018, 10:41 AM

LGTM with a nit.
Also I don't quite understand why being additive is important? Isn't pointer subtraction basically the same?

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
78

static.
+1 for using functions.

This revision is now accepted and ready to land.Mar 30 2018, 10:41 AM
NoQ updated this revision to Diff 140466.Mar 30 2018, 12:11 PM

Substraction is an additive operation. Added tests for that. Added even more tests.

NoQ marked an inline comment as done.Mar 30 2018, 12:11 PM
NoQ added inline comments.
lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
78

Whoops.

Closed by commit rC328896: [analyzer] Track null or undef values through pointer arithmetic. (authored by NoQ). · Explain WhyMar 30 2018, 12:32 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Core/
26 lines
test/
Analysis/
inlining/
3 lines
45 lines

Diff 140473

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 69 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
bool bugreporter::isDeclRefExprToReference(const Expr *E) { bool bugreporter::isDeclRefExprToReference(const Expr *E) {
if (const auto *DRE = dyn_cast<DeclRefExpr>(E)) if (const auto *DRE = dyn_cast<DeclRefExpr>(E))
return DRE->getDecl()->getType()->isReferenceType(); return DRE->getDecl()->getType()->isReferenceType();
return false; return false;
} }
static const Expr *peelOffPointerArithmetic(const BinaryOperator *B) {
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

static.
+1 for using functions.

george.karpenkov: static. +1 for using functions.
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Whoops.

NoQ: Whoops.
if (B->isAdditiveOp() && B->getType()->isPointerType()) {
if (B->getLHS()->getType()->isPointerType()) {
return B->getLHS();
} else if (B->getRHS()->getType()->isPointerType()) {
return B->getRHS();
}
}
return nullptr;
}
/// Given that expression S represents a pointer that would be dereferenced, /// Given that expression S represents a pointer that would be dereferenced,
/// try to find a sub-expression from which the pointer came from. /// try to find a sub-expression from which the pointer came from.
/// This is used for tracking down origins of a null or undefined value: /// This is used for tracking down origins of a null or undefined value:
/// "this is null because that is null because that is null" etc. /// "this is null because that is null because that is null" etc.
/// We wipe away field and element offsets because they merely add offsets. /// We wipe away field and element offsets because they merely add offsets.
/// We also wipe away all casts except lvalue-to-rvalue casts, because the /// We also wipe away all casts except lvalue-to-rvalue casts, because the
/// latter represent an actual pointer dereference; however, we remove /// latter represent an actual pointer dereference; however, we remove
/// the final lvalue-to-rvalue cast before returning from this function /// the final lvalue-to-rvalue cast before returning from this function
Show All 10 Lines while (true) {
if (const auto *CE = dyn_cast<CastExpr>(E)) { if (const auto *CE = dyn_cast<CastExpr>(E)) {
if (CE->getCastKind() == CK_LValueToRValue) { if (CE->getCastKind() == CK_LValueToRValue) {
// This cast represents the load we're looking for. // This cast represents the load we're looking for.
break; break;
} }
E = CE->getSubExpr(); E = CE->getSubExpr();
} else if (const auto *B = dyn_cast<BinaryOperator>(E)) { } else if (const auto *B = dyn_cast<BinaryOperator>(E)) {
// Pointer arithmetic: '*(x + 2)' -> 'x') etc. // Pointer arithmetic: '*(x + 2)' -> 'x') etc.
if (B->getType()->isPointerType()) { if (const Expr *Inner = peelOffPointerArithmetic(B)) {
if (B->getLHS()->getType()->isPointerType()) { E = Inner;
E = B->getLHS();
} else if (B->getRHS()->getType()->isPointerType()) {
E = B->getRHS();
} else {
break;
}
} else { } else {
// Probably more arithmetic can be pattern-matched here, // Probably more arithmetic can be pattern-matched here,
// but for now give up. // but for now give up.
break; break;
} }
} else if (const auto *U = dyn_cast<UnaryOperator>(E)) { } else if (const auto *U = dyn_cast<UnaryOperator>(E)) {
if (U->getOpcode() == UO_Deref || U->getOpcode() == UO_AddrOf || if (U->getOpcode() == UO_Deref || U->getOpcode() == UO_AddrOf ||
(U->isIncrementDecrementOp() && U->getType()->isPointerType())) { (U->isIncrementDecrementOp() && U->getType()->isPointerType())) {
▲ Show 20 LinesShow All 1,287 Lines▼ Show 20 Lines do {
else else
return peelOffOuterExpr(CO->getFalseExpr(), N); return peelOffOuterExpr(CO->getFalseExpr(), N);
} }
} }
} }
NI = NI->getFirstPred(); NI = NI->getFirstPred();
} while (NI); } while (NI);
} }
if (auto *BO = dyn_cast<BinaryOperator>(Ex))
if (const Expr *SubEx = peelOffPointerArithmetic(BO))
return peelOffOuterExpr(SubEx, N);
return Ex; return Ex;
} }
/// Walk through nodes until we get one that matches the statement exactly. /// Walk through nodes until we get one that matches the statement exactly.
/// Alternately, if we hit a known lvalue for the statement, we know we've /// Alternately, if we hit a known lvalue for the statement, we know we've
/// gone too far (though we can likely track the lvalue better anyway). /// gone too far (though we can likely track the lvalue better anyway).
static const ExplodedNode* findNodeForStatement(const ExplodedNode *N, static const ExplodedNode* findNodeForStatement(const ExplodedNode *N,
const Stmt *S, const Stmt *S,
▲ Show 20 LinesShow All 906 LinesShow Last 20 Lines

test/Analysis/inlining/inline-defensive-checks.c

Show First 20 LinesShow All 153 Lines▼ Show 20 Linesvoid idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset1(struct S *s) {
idc(s); idc(s);
int *x = &(s->f2); int *x = &(s->f2);
*x = 7; // no-warning *x = 7; // no-warning
} }
void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset2(struct S *s) { void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset2(struct S *s) {
idc(s); idc(s);
int *x = &(s->f2) - 1; int *x = &(s->f2) - 1;
// FIXME: Should not warn. *x = 7; // no-warning
*x = 7; // expected-warning{{Dereference of null pointer}}
} }
void idcTrackZeroValueThroughUnaryPointerOperatorsWithAssignment(struct S *s) { void idcTrackZeroValueThroughUnaryPointerOperatorsWithAssignment(struct S *s) {
idc(s); idc(s);
int *x = &(s->f1); int *x = &(s->f1);
*x = 7; // no-warning *x = 7; // no-warning
} }
▲ Show 20 LinesShow All 72 LinesShow Last 20 Lines

test/Analysis/null-deref-path-notes.c

// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core -analyzer-output=text -verify %s // RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core,unix -analyzer-output=text -verify %s
// Avoid the crash when finding the expression for tracking the origins // Avoid the crash when finding the expression for tracking the origins
// of the null pointer for path notes. // of the null pointer for path notes.
void pr34373() { void pr34373() {
int *a = 0; // expected-note{{'a' initialized to a null pointer value}} int *a = 0; // expected-note{{'a' initialized to a null pointer value}}
(a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}} (a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}}
// expected-note@-1{{Array access results in a null pointer dereference}} // expected-note@-1{{Array access results in a null pointer dereference}}
} }
typedef __typeof(sizeof(int)) size_t;
void *memcpy(void *dest, const void *src, unsigned long count);
void f1(char *source) {
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
memcpy(destination + 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f2(char *source) {
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
memcpy(destination - 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f3(char *source) {
char *destination = 0; // FIXME: There should be a note here as well.
destination = destination + 0; // expected-note{{Null pointer value stored to 'destination'}}
memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f4(char *source) {
char *destination = 0; // FIXME: There should be a note here as well.
destination = destination - 0; // expected-note{{Null pointer value stored to 'destination'}}
memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f5(char *source) {
char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
char *destination2 = destination1 + 0; // expected-note{{'destination2' initialized to a null pointer value}}
memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f6(char *source) {
char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
char *destination2 = destination1 - 0; // expected-note{{'destination2' initialized to a null pointer value}}
memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}