This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
Store.cpp
-
test/Analysis/
-
Analysis/
1
casts.c

Differential D46415

[analyzer] pr36458: Fix retrieved value cast for symbolic void pointers.
ClosedPublic

Authored by NoQ on May 3 2018, 6:11 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
rnkovacs

Commits

rGe603e076f5b3: [analyzer] pr36458: Fix retrieved value cast for symbolic void pointers.
rL331562: [analyzer] pr36458: Fix retrieved value cast for symbolic void pointers.
rC331562: [analyzer] pr36458: Fix retrieved value cast for symbolic void pointers.

Summary

Through C cast magic it's possible to put a raw void pointer into a variable of non-void pointer type. It is fine - generally, it's possible to put anything into anywhere by temporarily re-interpreting the anywhere. We cast it back to the correct type during load - with the help of StoreManager::CastRetrievedVal().

The attached example demonstrates that we're not casting the retrieved value pedantically enough when it comes to retrieving pointer values. In fact, we don't cast pointers-to-pointers at all because SValBuilder doesn't know how to do that or even that it needs to do that at all.

In this patch i perform the pointer cast manually for the situation that causes the crash. Performing the cast more carefully in other cases is possible, but i didn't manage to produce an observable effect (the second test passes just fine without it, and works correctly).

I cannot put the castRegion() call into SValBuilder because SValBuilder doesn't have access to StoreManager when doing casts. We really need to decouple this stuff and make a single good function for handling casts, because understanding how current code for pointer casts works is a nightmare.

Diff Detail

Event Timeline

NoQ created this revision.May 3 2018, 6:11 PM

Herald added subscribers: cfe-commits, baloghadamsoftware. · View Herald TranscriptMay 3 2018, 6:11 PM

Fix test names. Add one more test, just to make sure it works.

This revision was not accepted when it landed; it landed in state Needs Review.May 4 2018, 3:14 PM

Closed by commit rC331562: [analyzer] pr36458: Fix retrieved value cast for symbolic void pointers. (authored by NoQ). · Explain Why

This revision was automatically updated to reflect the committed changes.

isuckatcs added a subscriber: isuckatcs.May 20 2023, 2:23 PM

isuckatcs added inline comments.

test/Analysis/casts.c
166	@NoQ why is this true for both x86_64 and i386? On x86_64 `sizeof(int ) == 8` and `sizeof(int) == 4`. This means that `(((int )(&x))) = (int)&u;` writes to the lower 4 bytes of `x` and leaves the upper 4 bytes uninitialized. See this godbolt example. If I compile and run this function on my machine it segfaults. On i386 `sizeof(int ) == 4` and `sizeof(int) == 4`, so on that platform this example is correct. See on godbolt. In the x86_64 case don't we want the analyzer to report a warning a instead, as on that platform `u` is only partially initialized?

Herald added a project: Restricted Project. · View Herald TranscriptMay 20 2023, 2:23 PM

Herald added subscribers: steakhal, manas, ASDenysPetrov and 5 others. · View Herald Transcript

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

Store.cpp

14 lines

test/

Analysis/

casts.c

22 lines

Diff 145260

lib/StaticAnalyzer/Core/Store.cpp

	Show First 20 Lines • Show All 372 Lines • ▼ Show 20 Lines
	/// CastRetrievedVal - Used by subclasses of StoreManager to implement			/// CastRetrievedVal - Used by subclasses of StoreManager to implement
	/// implicit casts that arise from loads from regions that are reinterpreted			/// implicit casts that arise from loads from regions that are reinterpreted
	/// as another region.			/// as another region.
	SVal StoreManager::CastRetrievedVal(SVal V, const TypedValueRegion *R,			SVal StoreManager::CastRetrievedVal(SVal V, const TypedValueRegion *R,
	QualType castTy) {			QualType castTy) {
	if (castTy.isNull() \|\| V.isUnknownOrUndef())			if (castTy.isNull() \|\| V.isUnknownOrUndef())
	return V;			return V;

				// When retrieving symbolic pointer and expecting a non-void pointer,
				// wrap them into element regions of the expected type if necessary.
				// SValBuilder::dispatchCast() doesn't do that, but it is necessary to
				// make sure that the retrieved value makes sense, because there's no other
				// cast in the AST that would tell us to cast it to the correct pointer type.
				// We might need to do that for non-void pointers as well.
				// FIXME: We really need a single good function to perform casts for us
				// correctly every time we need it.
				if (castTy->isPointerType() && !castTy->isVoidPointerType())
				if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(V.getAsRegion()))
				if (SR->getSymbol()->getType().getCanonicalType() !=
				castTy.getCanonicalType())
				return loc::MemRegionVal(castRegion(SR, castTy));

	return svalBuilder.dispatchCast(V, castTy);			return svalBuilder.dispatchCast(V, castTy);
	}			}

	SVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {			SVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {
	if (Base.isUnknownOrUndef())			if (Base.isUnknownOrUndef())
	return Base;			return Base;

	Loc BaseL = Base.castAs<Loc>();			Loc BaseL = Base.castAs<Loc>();
	▲ Show 20 Lines • Show All 124 Lines • Show Last 20 Lines

test/Analysis/casts.c

Show First 20 Lines • Show All 143 Lines • ▼ Show 20 Lines	void multiDimensionalArrayPointerCasts() {

// FIXME: should be FALSE (i.e. equal pointers).		// FIXME: should be FALSE (i.e. equal pointers).
clang_analyzer_eval(y1 - y3); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(y1 - y3); // expected-warning{{UNKNOWN}}
// FIXME: should be TRUE (i.e. same symbol).		// FIXME: should be TRUE (i.e. same symbol).
clang_analyzer_eval(y1 == y3); // expected-warning{{UNKNOWN}}		clang_analyzer_eval(y1 == y3); // expected-warning{{UNKNOWN}}

clang_analyzer_eval(((char )y1) == ((char ) y3)); // expected-warning{{TRUE}}		clang_analyzer_eval(((char )y1) == ((char ) y3)); // expected-warning{{TRUE}}
}		}

		void *getVoidPtr();

		void testCastVoidPtrToIntPtrThroughIntTypedAssignment() {
		int *x;
		(((int )(&x))) = (int)getVoidPtr();
		*x = 1; // no-crash
		}

		void testCastUIntPtrToIntPtrThroughIntTypedAssignment() {
		unsigned u;
		int *x;
		(((int )(&x))) = (int)&u;
		*x = 1;
		clang_analyzer_eval(u == 1); // expected-warning{{TRUE}}
		isuckatcsUnsubmitted Not Done Reply Inline Actions @NoQ why is this true for both x86_64 and i386? On x86_64 `sizeof(int ) == 8` and `sizeof(int) == 4`. This means that `(((int )(&x))) = (int)&u;` writes to the lower 4 bytes of `x` and leaves the upper 4 bytes uninitialized. See this godbolt example. If I compile and run this function on my machine it segfaults. On i386 `sizeof(int ) == 4` and `sizeof(int) == 4`, so on that platform this example is correct. See on godbolt. In the x86_64 case don't we want the analyzer to report a warning a instead, as on that platform `u` is only partially initialized? isuckatcs: @NoQ why is this true for both x86_64 and i386? On x86_64 `sizeof(int *) == 8` and `sizeof…
		}

		void testCastVoidPtrToIntPtrThroughUIntTypedAssignment() {
		int *x;
		(((int )(&x))) = (int)(unsigned *)getVoidPtr();
		*x = 1; // no-crash
		}