This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
-
SVals.h
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
3
SimpleSValBuilder.cpp

Differential D48205

[analyzer] Assert that nonloc::SymbolVal always wraps a non-Loc-type symbol.
ClosedPublic

Authored by NoQ on Jun 14 2018, 8:10 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
rnkovacs

Commits

rGd1163790c363: [analyzer] Assert that nonloc::SymbolVal always wraps a non-Loc-type symbol.
rL337227: [analyzer] Assert that nonloc::SymbolVal always wraps a non-Loc-type symbol.
rC337227: [analyzer] Assert that nonloc::SymbolVal always wraps a non-Loc-type symbol.

Summary

nonloc::SymbolVal that contains a pointer-type or reference-type symbol is ill-formed; our code isn't prepared to work with such values. The canonical way of representing symbolic pointers is loc::MemRegionVal that wraps a SymbolicRegion for the respective symbol. For representing results of casting pointers into integers we have nonloc::LocAsInteger.

This is the one assertion that i regret accidentally omitting in D26837, because it's very fundamental.

The assertion indeed mostly holds on our tests; i found one violation (in my own code), but the ill-formed SVal was only used in intermediate computations and was never put into the program state.

https://bugs.llvm.org/show_bug.cgi?id=37802 contains another example of an ill-formed SVal of this kind, which causes a crash. This patch doesn't address that crash yet.

Diff Detail

Repository: rC Clang

Event Timeline

NoQ created this revision.Jun 14 2018, 8:10 PM

Herald added subscribers: cfe-commits, mikhail.ramalho, baloghadamsoftware. · View Herald TranscriptJun 14 2018, 8:10 PM

george.karpenkov accepted this revision.Jun 15 2018, 9:32 AM

george.karpenkov added inline comments.

lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
1241	So what is the difference here? That `SVB.makeSymbolVal` is not always a nonloc?

This revision is now accepted and ready to land.Jun 15 2018, 9:32 AM

NoQ mentioned this in D48232: [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load..Jun 15 2018, 12:42 PM

NoQ added a child revision: D48232: [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load..

NoQ added inline comments.Jun 25 2018, 4:50 PM

lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
1241	That's right; it will be a symbolic region instead. It won't affect the result of the calculation though (hopefully) (in the current implementation).
1241	I mean, it will sometimes be a symbolic region (when the symbol is of pointer type).

Closed by commit rC337227: [analyzer] Assert that nonloc::SymbolVal always wraps a non-Loc-type symbol. (authored by NoQ). · Explain WhyJul 16 2018, 5:27 PM

This revision was automatically updated to reflect the committed changes.

mikhail.ramalho mentioned this in D49430: [analyzer] Fix Z3 backend after D48205.Jul 17 2018, 9:36 AM

Diffusion mentioned this in rL337304: [analyzer] Fix Z3 backend after D48205.Jul 17 2018, 10:45 AM

Diffusion mentioned this in rC337304: [analyzer] Fix Z3 backend after D48205.

Revision Contents

Path

Size

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

SVals.h

7 lines

lib/

StaticAnalyzer/

Core/

SimpleSValBuilder.cpp

2 lines

Diff 155795

include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h

	Show First 20 Lines • Show All 337 Lines • ▼ Show 20 Lines
	};			};

	//==------------------------------------------------------------------------==//			//==------------------------------------------------------------------------==//
	// Subclasses of NonLoc.			// Subclasses of NonLoc.
	//==------------------------------------------------------------------------==//			//==------------------------------------------------------------------------==//

	namespace nonloc {			namespace nonloc {

	/// Represents symbolic expression.			/// Represents symbolic expression that isn't a location.
	class SymbolVal : public NonLoc {			class SymbolVal : public NonLoc {
	public:			public:
	SymbolVal() = delete;			SymbolVal() = delete;
	SymbolVal(SymbolRef sym) : NonLoc(SymbolValKind, sym) { assert(sym); }			SymbolVal(SymbolRef sym) : NonLoc(SymbolValKind, sym) {
				assert(sym);
				assert(!Loc::isLocType(sym->getType()));
				}

	SymbolRef getSymbol() const {			SymbolRef getSymbol() const {
	return (const SymExpr *) Data;			return (const SymExpr *) Data;
	}			}

	bool isExpression() const {			bool isExpression() const {
	return !isa<SymbolData>(getSymbol());			return !isa<SymbolData>(getSymbol());
	}			}
	▲ Show 20 Lines • Show All 321 Lines • Show Last 20 Lines

lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 Lines • Show All 1,232 Lines • ▼ Show 20 Lines	class Simplifier : public FullSValVisitor<Simplifier, SVal> {
}		}

public:		public:
Simplifier(ProgramStateRef State)		Simplifier(ProgramStateRef State)
: State(State), SVB(State->getStateManager().getSValBuilder()) {}		: State(State), SVB(State->getStateManager().getSValBuilder()) {}

SVal VisitSymbolData(const SymbolData *S) {		SVal VisitSymbolData(const SymbolData *S) {
if (const llvm::APSInt *I =		if (const llvm::APSInt *I =
SVB.getKnownValue(State, nonloc::SymbolVal(S)))		SVB.getKnownValue(State, SVB.makeSymbolVal(S)))
		george.karpenkovUnsubmitted Not Done Reply Inline Actions So what is the difference here? That `SVB.makeSymbolVal` is not always a nonloc? george.karpenkov: So what is the difference here? That `SVB.makeSymbolVal` is not always a nonloc?
		NoQAuthorUnsubmitted Not Done Reply Inline Actions That's right; it will be a symbolic region instead. It won't affect the result of the calculation though (hopefully) (in the current implementation). NoQ: That's right; it will be a symbolic region instead. It won't affect the result of the…
		NoQAuthorUnsubmitted Not Done Reply Inline Actions I mean, it will sometimes be a symbolic region (when the symbol is of pointer type). NoQ: I mean, it will sometimes be a symbolic region (when the symbol is of pointer type).
return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I)		return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I)
: (SVal)SVB.makeIntVal(*I);		: (SVal)SVB.makeIntVal(*I);
return SVB.makeSymbolVal(S);		return SVB.makeSymbolVal(S);
}		}

// TODO: Support SymbolCast. Support IntSymExpr when/if we actually		// TODO: Support SymbolCast. Support IntSymExpr when/if we actually
// start producing them.		// start producing them.

▲ Show 20 Lines • Show All 76 Lines • Show Last 20 Lines