This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
ClosedPublic

Authored by r.stahl on Apr 12 2018, 5:14 AM.

Download Raw Diff

Details

Reviewers

xazax.hun
dcoughlin
a.sidorin
george.karpenkov

Commits

rGca7923ab004f: [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
rL330009: [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
rC330009: [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition

Summary

In D30691 code was added to getRuntimeDefinition that does not handle the case when FD==nullptr.

Add regression test.

Diff Detail

Repository: rC Clang

Event Timeline

r.stahl created this revision.Apr 12 2018, 5:14 AM

Herald added subscribers: cfe-commits, rnkovacs, szepet. · View Herald TranscriptApr 12 2018, 5:14 AM

I encountered this with a construct like this:

struct S
{
    void (*fp)();
};

int main()
{
    struct S s;
    s.fp();
}

We encountered the same problem but did not have time yet to submit the patch. We have literally the same fix internally, so it looks good to me. One minor style nit inline.

Could you add your repro as a regression test? You can also extend existing CTU tests just make sure to trigger the crash before the patch.

Thank you for the submission and the minimal reproducer.

lib/StaticAnalyzer/Core/CallEvent.cpp
392	We usually do not write the braces for single statements.

addressed review comments.

I created a new test because certain checkers would cause early exits in the engine (because of undefined func ptr) and not cause the crash.

Since I don't have commit access, please commit for me.

xazax.hun accepted this revision.Apr 13 2018, 5:33 AM

This revision is now accepted and ready to land.Apr 13 2018, 5:33 AM

Closed by commit rC330009: [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition (authored by xazax). · Explain WhyApr 13 2018, 5:42 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

CallEvent.cpp

33 lines

test/

Analysis/

undef-call.c

14 lines

Diff 142386

lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 Lines • Show All 383 Lines • ▼ Show 20 Lines	ArrayRef<ParmVarDecl*> AnyFunctionCall::parameters() const {
const FunctionDecl *D = getDecl();		const FunctionDecl *D = getDecl();
if (!D)		if (!D)
return None;		return None;
return D->parameters();		return D->parameters();
}		}

RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {		RuntimeDefinition AnyFunctionCall::getRuntimeDefinition() const {
const FunctionDecl *FD = getDecl();		const FunctionDecl *FD = getDecl();
		if (!FD)
		xazax.hunUnsubmitted Not Done Reply Inline Actions We usually do not write the braces for single statements. xazax.hun: We usually do not write the braces for single statements.
		return {};

// Note that the AnalysisDeclContext will have the FunctionDecl with		// Note that the AnalysisDeclContext will have the FunctionDecl with
// the definition (if one exists).		// the definition (if one exists).
if (FD) {
AnalysisDeclContext *AD =		AnalysisDeclContext *AD =
getLocationContext()->getAnalysisDeclContext()->		getLocationContext()->getAnalysisDeclContext()->
getManager()->getContext(FD);		getManager()->getContext(FD);
bool IsAutosynthesized;		bool IsAutosynthesized;
Stmt* Body = AD->getBody(IsAutosynthesized);		Stmt* Body = AD->getBody(IsAutosynthesized);
DEBUG({		DEBUG({
if (IsAutosynthesized)		if (IsAutosynthesized)
llvm::dbgs() << "Using autosynthesized body for " << FD->getName()		llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
<< "\n";		<< "\n";
});		});
if (Body) {		if (Body) {
const Decl* Decl = AD->getDecl();		const Decl* Decl = AD->getDecl();
return RuntimeDefinition(Decl);		return RuntimeDefinition(Decl);
}		}
}

SubEngine *Engine = getState()->getStateManager().getOwningEngine();		SubEngine *Engine = getState()->getStateManager().getOwningEngine();
AnalyzerOptions &Opts = Engine->getAnalysisManager().options;		AnalyzerOptions &Opts = Engine->getAnalysisManager().options;

// Try to get CTU definition only if CTUDir is provided.		// Try to get CTU definition only if CTUDir is provided.
if (!Opts.naiveCTUEnabled())		if (!Opts.naiveCTUEnabled())
return RuntimeDefinition();		return {};

cross_tu::CrossTranslationUnitContext &CTUCtx =		cross_tu::CrossTranslationUnitContext &CTUCtx =
*Engine->getCrossTranslationUnitContext();		*Engine->getCrossTranslationUnitContext();
llvm::Expected<const FunctionDecl *> CTUDeclOrError =		llvm::Expected<const FunctionDecl *> CTUDeclOrError =
CTUCtx.getCrossTUDefinition(FD, Opts.getCTUDir(), Opts.getCTUIndexName());		CTUCtx.getCrossTUDefinition(FD, Opts.getCTUDir(), Opts.getCTUIndexName());

if (!CTUDeclOrError) {		if (!CTUDeclOrError) {
handleAllErrors(CTUDeclOrError.takeError(),		handleAllErrors(CTUDeclOrError.takeError(),
▲ Show 20 Lines • Show All 848 Lines • Show Last 20 Lines

test/Analysis/undef-call.c

				// RUN: %clang_cc1 -fsyntax-only -analyze -analyzer-checker=debug.ExprInspection -analyzer-config experimental-enable-naive-ctu-analysis=true -analyzer-config ctu-dir=%T/ctudir -verify %s
				// expected-no-diagnostics

				struct S {
				void (*fp)();
				};

				int main() {
				struct S s;
				// This will cause the analyzer to look for a function definition that has
				// no FunctionDecl. It used to cause a crash in AnyFunctionCall::getRuntimeDefinition.
				// It would only occur when CTU analysis is enabled.
				s.fp();
				}