This is an archive of the discontinued LLVM Phabricator instance.

Differential D46224

[analyzer] pr37209: Fix casts of glvalues to references.
ClosedPublic

Authored by NoQ on Apr 27 2018, 7:24 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rG2fd6aa7d5603: [analyzer] pr37209: Fix casts of glvalues to references.
rL331558: [analyzer] pr37209: Fix casts of glvalues to references.
rC331558: [analyzer] pr37209: Fix casts of glvalues to references.
Summary

In the provided test case the expression (int *&)*(int *)p is evaluated as follows:

  1. Take an lvalue p of type char *. Its symbolic value will be &p.
  2. Load an rvalue p of type char *. The resulting value is &SymRegion{reg_$0<p>}.
  3. Cast it to rvalue (int *)p of type int *. The resulting value is &element{SymRegion{reg_$0<p>}, 0, int}.
  4. Treat it as lvalue *(int *)p of type int. The resulting value is still &element{SymRegion{reg_$0<p>}, 0, int} because the analyzer doesn't discriminate between lvalues and respective pointer rvalues - both are simply "Loc".
  5. Cast it to lvalue (int *&)*(int *)p of type (int *). The resulting value is computed incorrectly as &element{SymRegion{reg_$0<p>}, 0, int}.

Note: on the last step we take an lvalue of type int and cast it to lvalue of type int *. There are no references in the expression types, but there's a reference in the type-as-written of the outer cast-expression.

Then we try to evaluate a cast from int to int *&, because the analyzer is clever enough to realize that it needs to take type-as-written for the explicit cast. The cast, of course, misbehaves - there's no intended behavior in converting a Loc from an integer to a reference-to-a-pointer.

I tried to detect that situation and work around it by saying that we should instead evaluate a cast from int & to int *&. I.e., add an artificial & to the original expression's type. It seems to work correctly (i.e., the resulting value becomes &element{SymRegion{reg_$0<p>}, 0, int *} which seems reasonable) and it should work because it's a reasonable requirement for evalCast() to support such casts. That said, i didn't investigate all various ASTs carefully yet, in order to figure out if my pattern-matching is correct, so i might have missed some corner cases, so i'll most likely try to investigate it more carefully, or at least see if it causes regressions on large codebases, before committing.

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Apr 27 2018, 7:24 PM
Herald added subscribers: cfe-commits, rnkovacs, baloghadamsoftware. · View Herald TranscriptApr 27 2018, 7:24 PM
NoQ retitled this revision from [analyzer] pr37209: Fix casts of lvalues to references. to [analyzer] pr37209: Fix casts of glvalues to references..Apr 30 2018, 10:50 AM
This revision was not accepted when it landed; it landed in state Needs Review.May 4 2018, 2:43 PM
Closed by commit rC331558: [analyzer] pr37209: Fix casts of glvalues to references. (authored by NoQ). · Explain Why
This revision was automatically updated to reflect the committed changes.
NoQ added a comment.May 4 2018, 2:44 PM

i'll most likely try to investigate it more carefully, or at least see if it causes regressions on large codebases, before committing

Seemed fine, no visible change. I hope this means that i pattern-matched carefully enough.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Core/
7 lines
test/
Analysis/
14 lines

Diff 145300

lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 LinesShow All 251 Lines▼ Show 20 Linesvoid ExprEngine::VisitBlockExpr(const BlockExpr *BE, ExplodedNode *Pred,
// FIXME: Move all post/pre visits to ::Visit(). // FIXME: Move all post/pre visits to ::Visit().
getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this); getCheckerManager().runCheckersForPostStmt(Dst, Tmp, BE, *this);
} }
ProgramStateRef ExprEngine::handleLValueBitCast( ProgramStateRef ExprEngine::handleLValueBitCast(
ProgramStateRef state, const Expr* Ex, const LocationContext* LCtx, ProgramStateRef state, const Expr* Ex, const LocationContext* LCtx,
QualType T, QualType ExTy, const CastExpr* CastE, StmtNodeBuilder& Bldr, QualType T, QualType ExTy, const CastExpr* CastE, StmtNodeBuilder& Bldr,
ExplodedNode* Pred) { ExplodedNode* Pred) {
if (T->isLValueReferenceType()) {
assert(!CastE->getType()->isLValueReferenceType());
ExTy = getContext().getLValueReferenceType(ExTy);
} else if (T->isRValueReferenceType()) {
assert(!CastE->getType()->isRValueReferenceType());
ExTy = getContext().getRValueReferenceType(ExTy);
}
// Delegate to SValBuilder to process. // Delegate to SValBuilder to process.
SVal OrigV = state->getSVal(Ex, LCtx); SVal OrigV = state->getSVal(Ex, LCtx);
SVal V = svalBuilder.evalCast(OrigV, T, ExTy); SVal V = svalBuilder.evalCast(OrigV, T, ExTy);
// Negate the result if we're treating the boolean as a signed i1 // Negate the result if we're treating the boolean as a signed i1
if (CastE->getCastKind() == CK_BooleanToSignedIntegral) if (CastE->getCastKind() == CK_BooleanToSignedIntegral)
V = evalMinus(V); V = evalMinus(V);
state = state->BindExpr(CastE, LCtx, V); state = state->BindExpr(CastE, LCtx, V);
if (V.isUnknown() && !OrigV.isUnknown()) { if (V.isUnknown() && !OrigV.isUnknown()) {
▲ Show 20 LinesShow All 863 LinesShow Last 20 Lines

test/Analysis/casts.cpp

Show All 15 Lines case 0:
break; break;
} }
switch ((int)(bool)c) { // no-warning switch ((int)(bool)c) { // no-warning
case 0: case 0:
break; break;
} }
} }
int *&castToIntPtrLValueRef(char *p) {
return (int *&)*(int *)p;
}
bool testCastToIntPtrLValueRef(char *p, int *s) {
return castToIntPtrLValueRef(p) != s; // no-crash
}
int *&&castToIntPtrRValueRef(char *p) {
return (int *&&)*(int *)p;
}
bool testCastToIntPtrRValueRef(char *p, int *s) {
return castToIntPtrRValueRef(p) != s; // no-crash
}