This is an archive of the discontinued LLVM Phabricator instance.

Differential D46823

[analyzer] const init: handle non-explicit cases more accurately
ClosedPublic

Authored by r.stahl on May 14 2018, 3:08 AM.

Details

Reviewers
NoQ
xazax.hun
george.karpenkov
Commits
rG0137aa8679d6: [analyzer] const init: handle non-explicit cases more accurately
rL333417: [analyzer] const init: handle non-explicit cases more accurately
rC333417: [analyzer] const init: handle non-explicit cases more accurately
Summary

If the access is out of bounds, return UndefinedVal. If it is missing an explicit init, return the implicit zero value it must have.

Diff Detail

Repository
rC Clang

Event Timeline

r.stahl created this revision.May 14 2018, 3:08 AM
Herald added subscribers: cfe-commits, a.sidorin, rnkovacs, szepet. · View Herald TranscriptMay 14 2018, 3:08 AM
NoQ added a comment.May 14 2018, 4:33 PM

Yay thanks!

I think some cornercases would need to be dealt with.

lib/StaticAnalyzer/Core/RegionStore.cpp
1650

What if we have an out-of-bounds access to a variable-length array? I don't think it'd yield zero.

1650–1652

Would this work correctly if the element is not of an integral or enumeration type? I think this needs an explicit check.

1733

Same: would this work correctly if the field is not of an integral or enumeration type?

test/Analysis/initialization.c
3

We try to avoid using dump() on tests because it makes tests test the dump syntax, which isn't the point.

For checking constants, it's easier to do something like clang_analyzer_eval(parr[i] == 2); // expected-warning{{TRUE}}.

For finding undefined values, you can enable core.uninitialized checkers and receive warnings when the argument of clang_analyzer_eval is an uninitialized value. Or just increment the value.

r.stahl updated this revision to Diff 146809.May 15 2018, 6:43 AM
r.stahl marked 2 inline comments as done.

updated test

lib/StaticAnalyzer/Core/RegionStore.cpp
1650

I'm getting "variable-sized object may not be initialized", so this case should not be possible.

1650–1652

I'm having a hard time reproducing this either.

struct S {
  int a = 3;
};
S const sarr[2] = {};
void definit() {
  int i = 1;
  clang_analyzer_dump(sarr[i].a); // expected-warning{{test}}
}

results in a symbolic value, because makeZeroVal returns an empty SVal list for arrays, records, vectors and complex types. Otherwise it just returns UnknownVal (for example for not-yet-implemented floats).

Can you think of a case where this would be an issue?

NoQ accepted this revision.May 25 2018, 11:41 AM

Looks good!

Do you have commit access? I think you should get commit access.

lib/StaticAnalyzer/Core/RegionStore.cpp
1650

Yup, sounds reasonable.

1650–1652

Had a look. This indeed looks fine, but for a completely different reason. In fact structs don't appear in getBindingForElement() because they all go through getBindingForStruct() instead. Hopefully this does take care of other cornercases.

So your test case doesn't even trigger your code to be executed, neither would S s = sarr[i]; clang_analyzer_dump(s.a);.

Still, as far as i understand, sarr here should be zero-initialized, so i think the symbolic value can be improved upon, so we might as well add this as a FIXME test.

This revision is now accepted and ready to land.May 25 2018, 11:41 AM
r.stahl updated this revision to Diff 148809.May 28 2018, 6:48 AM

Added FIXME tests.

I know my example didn't exercise your scenario, but it was the only one I could think of where returning zero would have been straight up wrong. Note that I default initialized a to 3 there, so sarr is not just zero-initialized.

I do not have access yet, but applied today!

Closed by commit rC333417: [analyzer] const init: handle non-explicit cases more accurately (authored by r.stahl). · Explain WhyMay 29 2018, 7:18 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Core/
23 lines
test/
Analysis/
25 lines
20 lines

Diff 148905

lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 1,632 Lines▼ Show 20 Lines if (const StringRegion *StrR = dyn_cast<StringRegion>(superR)) {
const VarDecl *VD = VR->getDecl(); const VarDecl *VD = VR->getDecl();
// Either the array or the array element has to be const. // Either the array or the array element has to be const.
if (VD->getType().isConstQualified() || R->getElementType().isConstQualified()) { if (VD->getType().isConstQualified() || R->getElementType().isConstQualified()) {
if (const Expr *Init = VD->getInit()) { if (const Expr *Init = VD->getInit()) {
if (const auto *InitList = dyn_cast<InitListExpr>(Init)) { if (const auto *InitList = dyn_cast<InitListExpr>(Init)) {
// The array index has to be known. // The array index has to be known.
if (auto CI = R->getIndex().getAs<nonloc::ConcreteInt>()) { if (auto CI = R->getIndex().getAs<nonloc::ConcreteInt>()) {
int64_t i = CI->getValue().getSExtValue(); int64_t i = CI->getValue().getSExtValue();
// Return unknown value if index is out of bounds. // If it is known that the index is out of bounds, we can return
if (i < 0 || i >= InitList->getNumInits()) // an undefined value.
return UnknownVal(); if (i < 0)
return UndefinedVal();
if (auto CAT = Ctx.getAsConstantArrayType(VD->getType()))
if (CAT->getSize().sle(i))
return UndefinedVal();
// If there is a list, but no init, it must be zero.
NoQUnsubmitted
Done
ReplyInline Actions

What if we have an out-of-bounds access to a variable-length array? I don't think it'd yield zero.

NoQ: What if we have an out-of-bounds access to a variable-length array? I don't think it'd yield…
r.stahlAuthorUnsubmitted
Not Done
ReplyInline Actions

I'm getting "variable-sized object may not be initialized", so this case should not be possible.

r.stahl: I'm getting "variable-sized object may not be initialized", so this case should not be possible.
NoQUnsubmitted
Not Done
ReplyInline Actions

Yup, sounds reasonable.

NoQ: Yup, sounds reasonable.
if (i >= InitList->getNumInits())
return svalBuilder.makeZeroVal(R->getElementType());
NoQUnsubmitted
Not Done
ReplyInline Actions

Would this work correctly if the element is not of an integral or enumeration type? I think this needs an explicit check.

NoQ: Would this work correctly if the element is not of an integral or enumeration type? I think…
r.stahlAuthorUnsubmitted
Not Done
ReplyInline Actions

I'm having a hard time reproducing this either.

struct S {
  int a = 3;
};
S const sarr[2] = {};
void definit() {
  int i = 1;
  clang_analyzer_dump(sarr[i].a); // expected-warning{{test}}
}

results in a symbolic value, because makeZeroVal returns an empty SVal list for arrays, records, vectors and complex types. Otherwise it just returns UnknownVal (for example for not-yet-implemented floats).

Can you think of a case where this would be an issue?

r.stahl: I'm having a hard time reproducing this either. ``` struct S { int a = 3; }; S const sarr…
NoQUnsubmitted
Not Done
ReplyInline Actions

Had a look. This indeed looks fine, but for a completely different reason. In fact structs don't appear in getBindingForElement() because they all go through getBindingForStruct() instead. Hopefully this does take care of other cornercases.

So your test case doesn't even trigger your code to be executed, neither would S s = sarr[i]; clang_analyzer_dump(s.a);.

Still, as far as i understand, sarr here should be zero-initialized, so i think the symbolic value can be improved upon, so we might as well add this as a FIXME test.

NoQ: Had a look. This indeed looks fine, but for a completely different reason. In fact structs…
if (const Expr *ElemInit = InitList->getInit(i)) if (const Expr *ElemInit = InitList->getInit(i))
if (Optional<SVal> V = svalBuilder.getConstantVal(ElemInit)) if (Optional<SVal> V = svalBuilder.getConstantVal(ElemInit))
return *V; return *V;
} }
} }
} }
} }
▲ Show 20 LinesShow All 58 Lines▼ Show 20 LinesSVal RegionStoreManager::getBindingForField(RegionBindingsConstRef B,
const MemRegion* superR = R->getSuperRegion(); const MemRegion* superR = R->getSuperRegion();
if (const auto *VR = dyn_cast<VarRegion>(superR)) { if (const auto *VR = dyn_cast<VarRegion>(superR)) {
const VarDecl *VD = VR->getDecl(); const VarDecl *VD = VR->getDecl();
QualType RecordVarTy = VD->getType(); QualType RecordVarTy = VD->getType();
unsigned Index = FD->getFieldIndex(); unsigned Index = FD->getFieldIndex();
// Either the record variable or the field has to be const qualified. // Either the record variable or the field has to be const qualified.
if (RecordVarTy.isConstQualified() || Ty.isConstQualified()) if (RecordVarTy.isConstQualified() || Ty.isConstQualified())
if (const Expr *Init = VD->getInit()) if (const Expr *Init = VD->getInit())
if (const auto *InitList = dyn_cast<InitListExpr>(Init)) if (const auto *InitList = dyn_cast<InitListExpr>(Init)) {
if (Index < InitList->getNumInits()) if (Index < InitList->getNumInits()) {
if (const Expr *FieldInit = InitList->getInit(Index)) if (const Expr *FieldInit = InitList->getInit(Index))
if (Optional<SVal> V = svalBuilder.getConstantVal(FieldInit)) if (Optional<SVal> V = svalBuilder.getConstantVal(FieldInit))
return *V; return *V;
} else {
return svalBuilder.makeZeroVal(Ty);
NoQUnsubmitted
Not Done
ReplyInline Actions

Same: would this work correctly if the field is not of an integral or enumeration type?

NoQ: Same: would this work correctly if the field is not of an integral or enumeration type?
}
}
} }
return getBindingForFieldOrElementCommon(B, R, Ty); return getBindingForFieldOrElementCommon(B, R, Ty);
} }
Optional<SVal> Optional<SVal>
RegionStoreManager::getBindingForDerivedDefaultValue(RegionBindingsConstRef B, RegionStoreManager::getBindingForDerivedDefaultValue(RegionBindingsConstRef B,
const MemRegion *superR, const MemRegion *superR,
▲ Show 20 LinesShow All 818 LinesShow Last 20 Lines

test/Analysis/initialization.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s // RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core.builtin,debug.ExprInspection -verify %s
// expected-no-diagnostics
void clang_analyzer_eval(int);
NoQUnsubmitted
Done
ReplyInline Actions

We try to avoid using dump() on tests because it makes tests test the dump syntax, which isn't the point.

For checking constants, it's easier to do something like clang_analyzer_eval(parr[i] == 2); // expected-warning{{TRUE}}.

For finding undefined values, you can enable core.uninitialized checkers and receive warnings when the argument of clang_analyzer_eval is an uninitialized value. Or just increment the value.

NoQ: We try to avoid using `dump()` on tests because it makes tests test the dump syntax, which…
void initbug() { void initbug() {
const union { float a; } u = {}; const union { float a; } u = {};
(void)u.a; // no-crash (void)u.a; // no-crash
} }
int const parr[2] = {1};
void constarr() {
int i = 2;
clang_analyzer_eval(parr[i]); // expected-warning{{UNDEFINED}}
i = 1;
clang_analyzer_eval(parr[i] == 0); // expected-warning{{TRUE}}
i = -1;
clang_analyzer_eval(parr[i]); // expected-warning{{UNDEFINED}}
}
struct SM {
int a;
int b;
};
const struct SM sm = {.a = 1};
void multinit() {
clang_analyzer_eval(sm.a == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(sm.b == 0); // expected-warning{{TRUE}}
}

test/Analysis/initialization.cpp

// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core.builtin,debug.ExprInspection -verify %s
void clang_analyzer_eval(int);
struct S {
int a = 3;
};
S const sarr[2] = {};
void definit() {
int i = 1;
// FIXME: Should recognize that it is 3.
clang_analyzer_eval(sarr[i].a); // expected-warning{{UNKNOWN}}
}
int const arr[2][2] = {};
void arr2init() {
int i = 1;
// FIXME: Should recognize that it is 0.
clang_analyzer_eval(arr[i][0]); // expected-warning{{UNKNOWN}}
}