This is an archive of the discontinued LLVM Phabricator instance.

Differential D48232

[analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load.
ClosedPublic

Authored by NoQ on Jun 15 2018, 12:42 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
rnkovacs
Commits
rG35dbd0b1ff4b: [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load.
rC337228: [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load.
rL337228: [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load.
Summary

The canonical way to represent the result of casting &SymRegion{$x} to bool is ($x != 0), not $x. In fact $x is an ill-formed SVal (when`$x` is a loc-type symbol) and it gets caught by D48205. Fix the cast procedure.

Because our cast code is a spaghetti, the code that was fixed was in fact executed very rarely, because there's a duplicate guard in evalCast() that's written correctly. But when evalCastFromLoc() is called directly (eg., from CastRetrievedVal()), this becomes a problem.

Fixes https://bugs.llvm.org/show_bug.cgi?id=37802.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Jun 15 2018, 12:42 PM
Herald added subscribers: cfe-commits, mikhail.ramalho, baloghadamsoftware. · View Herald TranscriptJun 15 2018, 12:42 PM
NoQ retitled this revision from [analyzer] Fix symbolic-pointer-to-boolean casts during load. to [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load..Jun 15 2018, 12:42 PM
NoQ edited the summary of this revision. (Show Details)
NoQ added a parent revision: D48205: [analyzer] Assert that nonloc::SymbolVal always wraps a non-Loc-type symbol..
george.karpenkov accepted this revision.Jun 26 2018, 6:16 PM
This revision is now accepted and ready to land.Jun 26 2018, 6:16 PM
Closed by commit rL337228: [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load. (authored by NoQ). · Explain WhyJul 16 2018, 5:47 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptJul 16 2018, 5:47 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
3 lines
test/
Analysis/
6 lines
106 lines

Diff 155797

cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 LinesShow All 153 Lines▼ Show 20 Lines switch (val.getSubKind()) {
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FTR->getDecl())) if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(FTR->getDecl()))
if (FD->isWeak()) if (FD->isWeak())
// FIXME: Currently we are using an extent symbol here, // FIXME: Currently we are using an extent symbol here,
// because there are no generic region address metadata // because there are no generic region address metadata
// symbols to use, only content metadata. // symbols to use, only content metadata.
return nonloc::SymbolVal(SymMgr.getExtentSymbol(FTR)); return nonloc::SymbolVal(SymMgr.getExtentSymbol(FTR));
if (const SymbolicRegion *SymR = R->getSymbolicBase()) if (const SymbolicRegion *SymR = R->getSymbolicBase())
return nonloc::SymbolVal(SymR->getSymbol()); return makeNonLoc(SymR->getSymbol(), BO_NE,
BasicVals.getZeroWithPtrWidth(), castTy);
// FALL-THROUGH // FALL-THROUGH
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
} }
case loc::GotoLabelKind: case loc::GotoLabelKind:
// Labels and non-symbolic memory regions are always true. // Labels and non-symbolic memory regions are always true.
return makeTruthVal(true, castTy); return makeTruthVal(true, castTy);
▲ Show 20 LinesShow All 1,155 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/casts.cpp

Show All 29 Lines
} }
int *&&castToIntPtrRValueRef(char *p) { int *&&castToIntPtrRValueRef(char *p) {
return (int *&&)*(int *)p; return (int *&&)*(int *)p;
} }
bool testCastToIntPtrRValueRef(char *p, int *s) { bool testCastToIntPtrRValueRef(char *p, int *s) {
return castToIntPtrRValueRef(p) != s; // no-crash return castToIntPtrRValueRef(p) != s; // no-crash
} }
bool retrievePointerFromBoolean(int *p) {
bool q;
*reinterpret_cast<int **>(&q) = p;
return q;
}

cfe/trunk/test/Analysis/pr37802.cpp

// RUN: %clang_analyze_cc1 -w -analyzer-checker=core -verify %s
// expected-no-diagnostics
void *operator new(unsigned long, void *h) { return h; }
// I've no idea what this code does, but it used to crash, so let's keep it.
namespace pr37802_v1 {
struct J {
int *p;
};
class X {
void *ar;
public:
X(void *t) : ar(t) {}
template <typename T>
void f(const T &t) {
new (ar) T(t);
}
};
class Y {
public:
template <typename T>
void f(T &&);
void f(J t) {
f(*t.p);
}
};
class Z {
int at() const {}
public:
Z(const Z &other) {
other.au(X(this));
}
template <typename T>
void au(T t) const {
void *c = const_cast<Z *>(this);
if (at()) {
t.f(*static_cast<J *>(c));
} else {
t.f(*static_cast<bool *>(c));
}
}
};
Z g() {
Z az = g();
Z e = az;
Y d;
e.au(d);
}
} // namespace pr37802_v1
// This slightly modified code crashed differently.
namespace pr37802_v2 {
struct J {
int *p;
};
class X {
void *ar;
public:
X(void *t) : ar(t) {}
void f(const J &t) { new (ar) J(t); }
void f(const bool &t) { new (ar) bool(t); }
};
class Y {
public:
void boolf(bool &&);
void f(J &&);
void f(J t) { boolf(*t.p); }
};
class Z {
int at() const {}
public:
Z(const Z &other) { other.au(X(this)); }
void au(X t) const {
void *c = const_cast<Z *>(this);
if (at()) {
t.f(*static_cast<J *>(c));
} else {
t.f(*static_cast<bool *>(c));
}
}
void au(Y t) const {
void *c = const_cast<Z *>(this);
if (at()) {
t.f(*static_cast<J *>(c));
} else {
}
}
};
Z g() {
Z az = g();
Z e = az;
Y d;
e.au(d);
}
} // namespace pr37802_v2