This is an archive of the discontinued LLVM Phabricator instance.

Differential D49199

[analyzer][UninitializedObjectChecker] Pointer/reference objects are dereferenced according to dynamic type
ClosedPublic

Authored by Szelethus on Jul 11 2018, 11:49 AM.

Details

Reviewers
NoQ
george.karpenkov
xazax.hun
rnkovacs
Commits
rGef9af05539d9: [analyzer][UninitializedObjectChecker] Pointer/reference objects are…
rL339240: [analyzer][UninitializedObjectChecker] Pointer/reference objects are…
rC339240: [analyzer][UninitializedObjectChecker] Pointer/reference objects are…
Summary

This diff fixes a long debated issues with pointers/references not being dereferenced according to their dynamic type. This also fixed an issue where regions that were pointed to by void pointers were not analyzed.

Note how I also added a test case about inheritance, clearly showing that it doesn't find an uninitialized field that it should. Because base class handling is still being discussed, I'm planning to fix that issue in a different patch. The reason why it's still in this patch is that it might be closely tied to these changes too.

Thumbs up to @NoQ for setting me on the right track!

Diff Detail

Repository
rC Clang

Event Timeline

Szelethus created this revision.Jul 11 2018, 11:49 AM
Herald added subscribers: cfe-commits, mikhail.ramalho, a.sidorin and 2 others. · View Herald TranscriptJul 11 2018, 11:49 AM
Szelethus added a parent revision: D48325: [analyzer][UninitializedObjectChecker] Support for MemberPointerTypes.Jul 11 2018, 11:52 AM
Szelethus added inline comments.Jul 11 2018, 12:20 PM
lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp
627–645

I already have a fix for this, but I want to be extra sure, so I'm running the checker on LLVM to see whether anything breaks.

This is also important for nonloc::LocAsInteger, which I'm going add fix in yet another patch.

Szelethus added a child revision: D49228: [analyzer][UninitializedObjectChecker] Void pointer objects are casted back to their dynmic type in note message.Jul 12 2018, 5:10 AM
Szelethus updated this revision to Diff 155913.Jul 17 2018, 10:33 AM

Rebased to the latest trunk.

george.karpenkov requested changes to this revision.Jul 17 2018, 11:12 AM

Cf. my comments to https://reviews.llvm.org/D49437: is it possible to separate pointer-chasing from the rest of the checker?

This revision now requires changes to proceed.Jul 17 2018, 11:12 AM
george.karpenkov accepted this revision.Aug 2 2018, 2:35 PM
This revision is now accepted and ready to land.Aug 2 2018, 2:35 PM
Szelethus added a comment.Aug 6 2018, 4:55 AM

@NoQ, we had quite a few conversations about this fix. How do you feel about this implementation?

NoQ accepted this revision.Aug 7 2018, 1:31 PM

This looks roughly correct, but at the same time none of the tests actually exercise the dynamic type propagation. In these tests all the necessary information is obtained from the structure of the MemRegion (directly or via the initial StripCasts), not from the dynamic type map that is an additional layer of metadata over the program state. The actual test would assume, as an example, chasing undefined values through a symbolic pointer produced by operator new() - which is a symbolic void pointer, but it points to a well-defined type of object. Because we skip symbolic pointers for now, i guess you cannot really write such tests. But at the same time chasing through heap symbolic pointers (i.e., pointers in the heap memory space) should be safe (so safe that they shouldn't really have been implemented as symbolic pointers in the first place).

Szelethus added a comment.Aug 8 2018, 5:25 AM

Thanks! I plan on revisiting how heap allocated regions are handled in the future.

Szelethus updated this revision to Diff 159699.Aug 8 2018, 6:14 AM

Rebased to latest trunk.

Closed by commit rC339240: [analyzer][UninitializedObjectChecker] Pointer/reference objects are… (authored by Szelethus). · Explain WhyAug 8 2018, 6:19 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
109 lines
test/
Analysis/
23 lines
53 lines

Diff 159702

lib/StaticAnalyzer/Checkers/UninitializedObjectChecker.cpp

Show All 38 Lines
// pointee. // pointee.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ClangSACheckers.h" #include "ClangSACheckers.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include <algorithm> #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
using namespace clang; using namespace clang;
using namespace clang::ento; using namespace clang::ento;
namespace { namespace {
class UninitializedObjectChecker : public Checker<check::EndFunction> { class UninitializedObjectChecker : public Checker<check::EndFunction> {
std::unique_ptr<BuiltinBug> BT_uninitField; std::unique_ptr<BuiltinBug> BT_uninitField;
▲ Show 20 LinesShow All 175 Lines▼ Show 20 Lines
getObjectVal(const CXXConstructorDecl *CtorDecl, CheckerContext &Context); getObjectVal(const CXXConstructorDecl *CtorDecl, CheckerContext &Context);
/// Checks whether the object constructed by \p Ctor will be analyzed later /// Checks whether the object constructed by \p Ctor will be analyzed later
/// (e.g. if the object is a field of another object, in which case we'd check /// (e.g. if the object is a field of another object, in which case we'd check
/// it multiple times). /// it multiple times).
static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor, static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor,
CheckerContext &Context); CheckerContext &Context);
/// Returns whether FD can be (transitively) dereferenced to a void pointer type /// Returns whether T can be (transitively) dereferenced to a void pointer type
/// (void*, void**, ...). The type of the region behind a void pointer isn't /// (void*, void**, ...). The type of the region behind a void pointer isn't
/// known, and thus FD can not be analyzed. /// known, and thus FD can not be analyzed.
static bool isVoidPointer(const FieldDecl *FD); static bool isVoidPointer(QualType T);
/// Returns true if T is a primitive type. We defined this type so that for /// Returns true if T is a primitive type. We defined this type so that for
/// objects that we'd only like analyze as much as checking whether their /// objects that we'd only like analyze as much as checking whether their
/// value is undefined or not, such as ints and doubles, can be analyzed with /// value is undefined or not, such as ints and doubles, can be analyzed with
/// ease. This also helps ensuring that every special field type is handled /// ease. This also helps ensuring that every special field type is handled
/// correctly. /// correctly.
static bool isPrimitiveType(const QualType &T) { static bool isPrimitiveType(const QualType &T) {
return T->isBuiltinType() || T->isEnumeralType() || T->isMemberPointerType(); return T->isBuiltinType() || T->isEnumeralType() || T->isMemberPointerType();
▲ Show 20 LinesShow All 227 Lines▼ Show 20 Linesbool FindUninitializedFields::isPointerOrReferenceUninit(
const FieldRegion *FR, FieldChainInfo LocalChain) { const FieldRegion *FR, FieldChainInfo LocalChain) {
assert((FR->getDecl()->getType()->isPointerType() || assert((FR->getDecl()->getType()->isPointerType() ||
FR->getDecl()->getType()->isReferenceType()) && FR->getDecl()->getType()->isReferenceType()) &&
"This method only checks pointer/reference objects!"); "This method only checks pointer/reference objects!");
SVal V = State->getSVal(FR); SVal V = State->getSVal(FR);
if (V.isUnknown() || V.isZeroConstant()) { if (V.isUnknown() || V.getAs<loc::ConcreteInt>()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
if (V.isUndef()) { if (V.isUndef()) {
return addFieldToUninits({LocalChain, FR}); return addFieldToUninits({LocalChain, FR});
} }
if (!CheckPointeeInitialization) { if (!CheckPointeeInitialization) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
const FieldDecl *FD = FR->getDecl(); assert(V.getAs<loc::MemRegionVal>() &&
"At this point V must be loc::MemRegionVal!");
auto L = V.castAs<loc::MemRegionVal>();
// TODO: The dynamic type of a void pointer may be retrieved with // We can't reason about symbolic regions, assume its initialized.
// `getDynamicTypeInfo`. // Note that this also avoids a potential infinite recursion, because
if (isVoidPointer(FD)) { // constructors for list-like classes are checked without being called, and
// the Static Analyzer will construct a symbolic region for Node *next; or
// similar code snippets.
if (L.getRegion()->getSymbolicBase()) {
IsAnyFieldInitialized = true;
return false;
}
DynamicTypeInfo DynTInfo = getDynamicTypeInfo(State, L.getRegion());
if (!DynTInfo.isValid()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
assert(V.getAs<Loc>() && "V should be Loc at this point!"); QualType DynT = DynTInfo.getType();
if (isVoidPointer(DynT)) {
IsAnyFieldInitialized = true;
return false;
}
// At this point the pointer itself is initialized and points to a valid // At this point the pointer itself is initialized and points to a valid
// location, we'll now check the pointee. // location, we'll now check the pointee.
SVal DerefdV = State->getSVal(V.castAs<Loc>()); SVal DerefdV = State->getSVal(V.castAs<Loc>(), DynT);
// TODO: Dereferencing should be done according to the dynamic type. // If DerefdV is still a pointer value, we'll dereference it again (e.g.:
while (Optional<Loc> L = DerefdV.getAs<Loc>()) { // int** -> int*).
DerefdV = State->getSVal(*L); while (auto Tmp = DerefdV.getAs<loc::MemRegionVal>()) {
if (Tmp->getRegion()->getSymbolicBase()) {
IsAnyFieldInitialized = true;
return false;
} }
// If V is a pointer pointing to a record type. DynTInfo = getDynamicTypeInfo(State, Tmp->getRegion());
if (Optional<nonloc::LazyCompoundVal> RecordV = if (!DynTInfo.isValid()) {
DerefdV.getAs<nonloc::LazyCompoundVal>()) { IsAnyFieldInitialized = true;
return false;
const TypedValueRegion *R = RecordV->getRegion(); }
// We can't reason about symbolic regions, assume its initialized. DynT = DynTInfo.getType();
// Note that this also avoids a potential infinite recursion, because if (isVoidPointer(DynT)) {
// constructors for list-like classes are checked without being called, and
// the Static Analyzer will construct a symbolic region for Node *next; or
// similar code snippets.
if (R->getSymbolicBase()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
const QualType T = R->getValueType(); DerefdV = State->getSVal(*Tmp, DynT);
}
if (T->isStructureOrClassType()) // If FR is a pointer pointing to a non-primitive type.
if (Optional<nonloc::LazyCompoundVal> RecordV =
DerefdV.getAs<nonloc::LazyCompoundVal>()) {
const TypedValueRegion *R = RecordV->getRegion();
if (DynT->getPointeeType()->isStructureOrClassType())
return isNonUnionUninit(R, {LocalChain, FR}); return isNonUnionUninit(R, {LocalChain, FR});
if (T->isUnionType()) { if (DynT->getPointeeType()->isUnionType()) {
if (isUnionUninit(R)) { if (isUnionUninit(R)) {
return addFieldToUninits({LocalChain, FR, /*IsDereferenced*/ true}); return addFieldToUninits({LocalChain, FR, /*IsDereferenced*/ true});
} else { } else {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
} }
if (T->isArrayType()) { if (DynT->getPointeeType()->isArrayType()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
llvm_unreachable("All cases are handled!"); llvm_unreachable("All cases are handled!");
} }
// TODO: If possible, it should be asserted that the DerefdV at this point is assert((isPrimitiveType(DynT->getPointeeType()) || DynT->isPointerType() ||
// primitive. DynT->isReferenceType()) &&
"At this point FR must either have a primitive dynamic type, or it "
"must be a null, undefined, unknown or concrete pointer!");
if (isPrimitiveUninit(DerefdV)) if (isPrimitiveUninit(DerefdV))
return addFieldToUninits({LocalChain, FR, /*IsDereferenced*/ true}); return addFieldToUninits({LocalChain, FR, /*IsDereferenced*/ true});
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
Show All 27 Linesbool FieldChainInfo::isDereferenced() const {
return IsDereferenced; return IsDereferenced;
} }
const FieldDecl *FieldChainInfo::getEndOfChain() const { const FieldDecl *FieldChainInfo::getEndOfChain() const {
assert(!Chain.isEmpty() && "Empty fieldchain!"); assert(!Chain.isEmpty() && "Empty fieldchain!");
return (*Chain.begin())->getDecl(); return (*Chain.begin())->getDecl();
} }
// TODO: This function constructs an incorrect string if a void pointer is a
// part of the chain:
//
// struct B { int x; }
//
// struct A {
// void *vptr;
// A(void* vptr) : vptr(vptr) {}
// };
//
// void f() {
// B b;
// A a(&b);
// }
//
// The note message will be "uninitialized field 'this->vptr->x'", even though
// void pointers can't be dereferenced. This should be changed to "uninitialized
// field 'static_cast<B*>(this->vptr)->x'".
//
SzelethusAuthorUnsubmitted
Not Done
ReplyInline Actions

I already have a fix for this, but I want to be extra sure, so I'm running the checker on LLVM to see whether anything breaks.

This is also important for nonloc::LocAsInteger, which I'm going add fix in yet another patch.

Szelethus: I already have a fix for this, but I want to be extra sure, so I'm running the checker on LLVM…
// TODO: This function constructs an incorrect fieldchain string in the // TODO: This function constructs an incorrect fieldchain string in the
// following case: // following case:
// //
// struct Base { int x; }; // struct Base { int x; };
// struct D1 : Base {}; struct D2 : Base {}; // struct D1 : Base {}; struct D2 : Base {};
// //
// struct MostDerived : D1, D2 { // struct MostDerived : D1, D2 {
// MostDerived() {} // MostDerived() {}
Show All 24 Linesvoid FieldChainInfo::printTail(
Out << getVariableName(Field); Out << getVariableName(Field);
Out << (Field->getType()->isPointerType() ? "->" : "."); Out << (Field->getType()->isPointerType() ? "->" : ".");
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions. // Utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static bool isVoidPointer(const FieldDecl *FD) { static bool isVoidPointer(QualType T) {
QualType T = FD->getType();
while (!T.isNull()) { while (!T.isNull()) {
if (T->isVoidPointerType()) if (T->isVoidPointerType())
return true; return true;
T = T->getPointeeType(); T = T->getPointeeType();
} }
return false; return false;
} }
▲ Show 20 LinesShow All 80 LinesShow Last 20 Lines

test/Analysis/cxx-uninitialized-object-inheritance.cpp

Show First 20 LinesShow All 770 Lines▼ Show 20 Lines
public: public:
VirtualDiamondInheritanceTest3() // expected-warning{{1 uninitialized field}} VirtualDiamondInheritanceTest3() // expected-warning{{1 uninitialized field}}
: VirtualFirst3(int{}) {} : VirtualFirst3(int{}) {}
}; };
void fVirtualDiamondInheritanceTest3() { void fVirtualDiamondInheritanceTest3() {
VirtualDiamondInheritanceTest3(); VirtualDiamondInheritanceTest3();
} }
//===----------------------------------------------------------------------===//
// Dynamic type test.
//===----------------------------------------------------------------------===//
struct DynTBase {};
struct DynTDerived : DynTBase {
// TODO: we'd expect the note: {{uninitialized field 'this->x'}}
int x; // no-note
};
struct DynamicTypeTest {
DynTBase *bptr;
int i = 0;
// TODO: we'd expect the warning: {{1 uninitialized field}}
DynamicTypeTest(DynTBase *bptr) : bptr(bptr) {} // no-warning
};
void f() {
DynTDerived d;
DynamicTypeTest t(&d);
};

test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

Show First 20 LinesShow All 190 Lines▼ Show 20 Lines
}; };
void fCharPointerTest() { void fCharPointerTest() {
CharPointerTest(); CharPointerTest();
} }
struct CyclicPointerTest { struct CyclicPointerTest {
int *ptr; int *ptr;
CyclicPointerTest() : ptr(reinterpret_cast<int*>(&ptr)) {} CyclicPointerTest() : ptr(reinterpret_cast<int *>(&ptr)) {}
}; };
void fCyclicPointerTest() { void fCyclicPointerTest() {
CyclicPointerTest(); CyclicPointerTest();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Void pointer tests. // Void pointer tests.
▲ Show 20 LinesShow All 72 Lines▼ Show 20 Linesvoid fVoidPointerLRefTest() {
void *vptr = malloc(sizeof(int)); void *vptr = malloc(sizeof(int));
VoidPointerLRefTest(vptr, char()); VoidPointerLRefTest(vptr, char());
} }
struct CyclicVoidPointerTest { struct CyclicVoidPointerTest {
void *vptr; // no-crash void *vptr; // no-crash
CyclicVoidPointerTest() : vptr(&vptr) {} CyclicVoidPointerTest() : vptr(&vptr) {}
}; };
void fCyclicVoidPointerTest() { void fCyclicVoidPointerTest() {
CyclicVoidPointerTest(); CyclicVoidPointerTest();
} }
struct IntDynTypedVoidPointerTest1 {
void *vptr; // expected-note{{uninitialized pointee 'this->vptr'}}
int dontGetFilteredByNonPedanticMode = 0;
IntDynTypedVoidPointerTest1(void *vptr) : vptr(vptr) {} // expected-warning{{1 uninitialized field}}
};
void fIntDynTypedVoidPointerTest1() {
int a;
IntDynTypedVoidPointerTest1 tmp(&a);
}
struct RecordDynTypedVoidPointerTest {
struct RecordType {
int x; // expected-note{{uninitialized field 'this->vptr->x'}}
int y; // expected-note{{uninitialized field 'this->vptr->y'}}
};
void *vptr;
int dontGetFilteredByNonPedanticMode = 0;
RecordDynTypedVoidPointerTest(void *vptr) : vptr(vptr) {} // expected-warning{{2 uninitialized fields}}
};
void fRecordDynTypedVoidPointerTest() {
RecordDynTypedVoidPointerTest::RecordType a;
RecordDynTypedVoidPointerTest tmp(&a);
}
struct NestedNonVoidDynTypedVoidPointerTest {
struct RecordType {
int x; // expected-note{{uninitialized field 'this->vptr->x'}}
int y; // expected-note{{uninitialized field 'this->vptr->y'}}
void *vptr; // expected-note{{uninitialized pointee 'this->vptr->vptr'}}
};
void *vptr;
int dontGetFilteredByNonPedanticMode = 0;
NestedNonVoidDynTypedVoidPointerTest(void *vptr, void *c) : vptr(vptr) {
static_cast<RecordType *>(vptr)->vptr = c; // expected-warning{{3 uninitialized fields}}
}
};
void fNestedNonVoidDynTypedVoidPointerTest() {
NestedNonVoidDynTypedVoidPointerTest::RecordType a;
char c;
NestedNonVoidDynTypedVoidPointerTest tmp(&a, &c);
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Multipointer tests. // Multipointer tests.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifdef PEDANTIC #ifdef PEDANTIC
class MultiPointerTest1 { class MultiPointerTest1 {
public: public:
struct RecordType { struct RecordType {
▲ Show 20 LinesShow All 398 LinesShow Last 20 Lines