This is an archive of the discontinued LLVM Phabricator instance.

Differential D51057

[analyzer][UninitializedObjectChecker] Fixed dereferencing
ClosedPublic

Authored by Szelethus on Aug 21 2018, 12:41 PM.

Details

Reviewers
NoQ
george.karpenkov
xazax.hun
rnkovacs
Commits
rGf0dd1016da7b: [analyzer][UninitializedObjectChecker] Fixed dereferencing
rC342213: [analyzer][UninitializedObjectChecker] Fixed dereferencing
rL342213: [analyzer][UninitializedObjectChecker] Fixed dereferencing
Summary

This patch aims to fix derefencing, which has been debated for months now.

Instead of working with SVals, the function now relies on TypedValueRegion.

Since this has been discussed since the inception of the checker, I'd very much prefer finding a permanent solution for this before moving forward.

Diff Detail

Repository
rL LLVM

Event Timeline

Szelethus created this revision.Aug 21 2018, 12:41 PM
Herald added subscribers: cfe-commits, mikhail.ramalho, a.sidorin and 2 others. · View Herald TranscriptAug 21 2018, 12:41 PM
Szelethus mentioned this in D50892: [analyzer][UninitializedObjectChecker] Correct dynamic type is acquired for record pointees.Aug 21 2018, 12:48 PM
Szelethus added a comment.Aug 21 2018, 12:52 PM

@NoQ, is this how you imagined derefercing to work? I'm still a little uncertain that I implemented this in a way that addresses all your concerns.

NoQ added a comment.Aug 21 2018, 1:21 PM

Yup, this looks great and that's exactly how i imagined it.

lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObject.h
261–265 ↗(On Diff #161796)

We have a fancy static Loc::isLocType().

lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
126–127 ↗(On Diff #161796)

Good catch.

It might still be possible to initialize a reference with an already-undefined pointer if core checkers are turned off, but we don't support turning them off, so i guess it's fine.

177 ↗(On Diff #161796)

Just SVal. And you should be able to pass R directly into getSVal.

210 ↗(On Diff #161796)

We usually just do .getAsRegion().

And then later dyn_cast it.

212–216 ↗(On Diff #161796)

Ok, i have a new concern that i didn't think about before.

There's nothing special about symbolic regions. You can make a linked list entirely of concrete regions:

struct List {
  List *next;
  List(): next(this) {}
};

void foo() {
  List list;
}

In this case the finite-ness of the type system won't save us.

I guess we could also memoize base regions that we visit :/ This is guaranteed to terminate because all of our concrete regions are based either on AST nodes (eg. global variables) or on certain events that happened previously during analysis (eg. local variables or temporaries, as they depend on the stack frame which must have been previously entered). I don't immediately see a better solution.

223 ↗(On Diff #161796)

We might have eliminated symbolic regions but we may still have concrete function pointers (which are TypedRegions that aren't TypedValueRegions, it's pretty weird), and i guess we might even encounter an AllocaRegion (which is completely untyped). I guess we should not try to dereference them either.

240–244 ↗(On Diff #161796)

This code seems to be duplicated with the "0th iteration" before the loop. I guess you can put everything into the loop.

Szelethus updated this revision to Diff 162198.EditedAug 23 2018, 9:17 AM

Addressed the inline comments.

  • Added a llvm::SmallSet to further ensure the termination of the loop.
  • Changed isLocType to isDereferencableType, block pointers are regarded as primitive objects.
  • Added new tests.
  • No longer using getDynamicTypeInfo, dynamic type is acquired from TypedValueRegion::getLocationType.
Szelethus marked 5 inline comments as done.Aug 23 2018, 9:27 AM
Szelethus added inline comments.
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObject.h
259 ↗(On Diff #162198)

I'm not sure this is correct -- do block pointers belong here? Since their region is not TypedValueRegion, I though they better fit here.

261–265 ↗(On Diff #161796)

Oh, good to know! However, it also returns true for nullptr_t, which also happens to be a BuiltinType. I'd like to keep isPrimitiveType and (the now renamed) isDereferencableType categories disjunctive. Primitive types require no further analysis other then checking whether they are initialized or not, which is true for nullptr_t objects.

lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
240–244 ↗(On Diff #161796)

I moved some code into the loop, but I think that I really need a 0th iteration to make the code readable.

Szelethus added a child revision: D50892: [analyzer][UninitializedObjectChecker] Correct dynamic type is acquired for record pointees.Aug 23 2018, 9:39 AM
Szelethus mentioned this in D49437: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger.Aug 23 2018, 10:32 AM
Szelethus added a child revision: D49437: [analyzer][UninitializedObjectChecker] Support for nonloc::LocAsInteger.
Szelethus added a child revision: D51305: [analyzer][UninitializedObjectChecker] Reports Loc fields pointing to themselves.Aug 27 2018, 7:51 AM
Szelethus added a child revision: D51417: [analyzer][UninitializedObjectChecker] Updated comments.Aug 29 2018, 5:59 AM
Szelethus added a comment.EditedAug 29 2018, 12:23 PM

I managed to cause a bunch of crashes with this patch, so consider it as a work in progress for now :/

Szelethus updated this revision to Diff 163185.Aug 29 2018, 1:57 PM

Fixed two crashes. Interesting how many much better this approach works, as I've never encountered FunctionTyped objects or only forward declared typed pointers after dereferencing.

Szelethus added a child revision: D51531: [analyzer][UninitializedObjectChecker] Uninit regions are only reported once.Aug 31 2018, 2:14 AM
Szelethus updated this revision to Diff 163499.Aug 31 2018, 4:24 AM

Reuploaded with -U99999. Oops.

Szelethus updated this revision to Diff 163992.EditedSep 5 2018, 2:44 AM

Fixed an assertation failure where a lambda field's this capture was a part of the fieldchain.

Szelethus added inline comments.Sep 5 2018, 2:53 AM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
126–127 ↗(On Diff #161796)

I removed it, because it did crash couple times on LLVM. Note that the assert checked whether the reference for undefined, not uninitialized :/.

It's no longer in the code, but this was it:

assert(!FR->getDecl()->getType()->isReferenceType() &&
       "References must be initialized!");
test/Analysis/cxx-uninitialized-object.cpp
879–902 ↗(On Diff #163992)

I'm 99% sure this is a FP, but it doesn't originate from the checker. Shouldn't *ptr be undef after the end of the code block as lambda's lifetime ends?

Nevertheless, it did cause a crash, so here's a quick fix for it.

NoQ added inline comments.Sep 6 2018, 6:18 PM
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
126–127 ↗(On Diff #161796)

Hmm, indeed, it seems that we don't have a checker for garbage references, only for null references(?).

I guess it's a good idea for a checker.

test/Analysis/cxx-uninitialized-object.cpp
879–902 ↗(On Diff #163992)

I'm pretty sure that all sorts of contents of lambda aka *ptr are undefined once it goes out of scope. Moreover, ptr is now a dangling pointer, and reading from it would cause undefined behavior. I'm not sure if the analyzer actually models this though.

But on the other hand, even if it didn't go out of scope, i don't really see where field a was initialized here.

Soo what makes you think it's a false positive?

Szelethus added inline comments.Sep 7 2018, 3:56 AM
test/Analysis/cxx-uninitialized-object.cpp
879–902 ↗(On Diff #163992)

Soo what makes you think it's a false positive?

Poor choice of words I guess. Its not a false positive (as the entire region of that lambda is undefined), but rather a false negative, as the analyzer doesn't pick up that *ptr is a dangling pointer.

Szelethus added a comment.Sep 10 2018, 11:46 AM

I ran the checker on LLVM/Clang and grpc, and saw no crashes at all! Quite confident about the current diff. However, I'm not 100% sure it doesn't break on Objective C++ codes. Can you recommend a project like that?

NoQ accepted this revision.Sep 13 2018, 6:56 PM

Looks good i guess. I'm glad this is sorted out^^

This revision is now accepted and ready to land.Sep 13 2018, 6:56 PM
Closed by commit rL342213: [analyzer][UninitializedObjectChecker] Fixed dereferencing (authored by Szelethus). · Explain WhySep 14 2018, 2:01 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptSep 14 2018, 2:01 AM
isuckatcs added a subscriber: isuckatcs.May 20 2023, 5:03 PM
isuckatcs added inline comments.
cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp
222

@Szelethus @NoQ @xazax.hun I ran into an issue related to this line.

Consider this test case:

struct CyclicPointerTest1 {
  int *ptr; // expected-note{{object references itself 'this->ptr'}}
  int dontGetFilteredByNonPedanticMode = 0;

  CyclicPointerTest1() : ptr(reinterpret_cast<int *>(&ptr)) {} // expected-warning{{1 uninitialized field}}
};

At this point, with the example above, the store looks like this:

{"kind": "Direct", "offset": 0, "extent": 64, value: &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}}
{"kind": "Direct", "offset": 64, "extent": 32, value: 0 S32b}

which means the values are the following:

V = &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}
R = Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}
DynT = PointerType ... 'int *'

when State->getSVal(R, DynT) is called, eventually RegionStoreManager::getBinding() will also be invoked, where because R is an ElementRegion we reach these lines:

if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
  // FIXME: Here we actually perform an implicit conversion from the loaded
  // value to the element type.  Eventually we want to compose these values
  // more intelligently.  For example, an 'element' can encompass multiple
  // bound regions (e.g., several bound bytes), or could be a subset of
  // a larger value.
  return svalBuilder.evalCast(getBindingForElement(B, ER), T, QualType{});
}

What happens here is that we call getBindingForElement(B, ER) and whatever value it returns, we cast to T, which is int * in this example. The type of the element inside the ER however is an int, so the following lookup will be performed:

Binding being looked up: 
  {"kind": "Direct", "offset": 0, "extent": 32}
------------------------------------------------------------------------------------------------------------------------
Store:
  {"kind": "Direct", "offset": 0, "extent": 64 value: &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}}
  {"kind": "Direct", "offset": 64, "extent": 32 value: 0 S32b}

Since extents are ignored by default, the returned value will be &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}}, which is indeed a pointer, however I'm not sure that the lookup here is actually correct.

As far as I understand, we want to lookup an int element based on it's region and we receive a pointer value. Is it because I misunderstand something, or it's an actual issue that is hid by how region store works right now?

Herald added a project: Restricted Project. · View Herald TranscriptMay 20 2023, 5:03 PM
Herald added subscribers: steakhal, manas, ASDenysPetrov and 5 others. · View Herald Transcript

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
UninitializedObject/
10 lines
25 lines
126 lines
test/
Analysis/
92 lines
41 lines
2 lines

Diff 165445

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObject.h

Show First 20 LinesShow All 81 Lines▼ Show 20 Linespublic:
/// "->". /// "->".
virtual void printSeparator(llvm::raw_ostream &Out) const = 0; virtual void printSeparator(llvm::raw_ostream &Out) const = 0;
virtual bool isBase() const { return false; } virtual bool isBase() const { return false; }
}; };
/// Returns with Field's name. This is a helper function to get the correct name /// Returns with Field's name. This is a helper function to get the correct name
/// even if Field is a captured lambda variable. /// even if Field is a captured lambda variable.
StringRef getVariableName(const FieldDecl *Field); std::string getVariableName(const FieldDecl *Field);
/// Represents a field chain. A field chain is a vector of fields where the /// Represents a field chain. A field chain is a vector of fields where the
/// first element of the chain is the object under checking (not stored), and /// first element of the chain is the object under checking (not stored), and
/// every other element is a field, and the element that precedes it is the /// every other element is a field, and the element that precedes it is the
/// object that contains it. /// object that contains it.
/// ///
/// Note that this class is immutable (essentially a wrapper around an /// Note that this class is immutable (essentially a wrapper around an
/// ImmutableList), and new elements can only be added by creating new /// ImmutableList), and new elements can only be added by creating new
▲ Show 20 LinesShow All 151 Lines▼ Show 20 Lines
}; };
/// Returns true if T is a primitive type. We defined this type so that for /// Returns true if T is a primitive type. We defined this type so that for
/// objects that we'd only like analyze as much as checking whether their /// objects that we'd only like analyze as much as checking whether their
/// value is undefined or not, such as ints and doubles, can be analyzed with /// value is undefined or not, such as ints and doubles, can be analyzed with
/// ease. This also helps ensuring that every special field type is handled /// ease. This also helps ensuring that every special field type is handled
/// correctly. /// correctly.
inline bool isPrimitiveType(const QualType &T) { inline bool isPrimitiveType(const QualType &T) {
return T->isBuiltinType() || T->isEnumeralType() || T->isMemberPointerType(); return T->isBuiltinType() || T->isEnumeralType() ||
T->isMemberPointerType() || T->isBlockPointerType() ||
T->isFunctionType();
}
inline bool isDereferencableType(const QualType &T) {
return T->isAnyPointerType() || T->isReferenceType();
} }
// Template method definitions. // Template method definitions.
template <class FieldNodeT> template <class FieldNodeT>
inline FieldChainInfo FieldChainInfo::add(const FieldNodeT &FN) { inline FieldChainInfo FieldChainInfo::add(const FieldNodeT &FN) {
assert(!contains(FN.getRegion()) && assert(!contains(FN.getRegion()) &&
"Can't add a field that is already a part of the " "Can't add a field that is already a part of the "
Show All 17 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp

Show First 20 LinesShow All 246 Lines▼ Show 20 Lines
} }
bool FindUninitializedFields::isNonUnionUninit(const TypedValueRegion *R, bool FindUninitializedFields::isNonUnionUninit(const TypedValueRegion *R,
FieldChainInfo LocalChain) { FieldChainInfo LocalChain) {
assert(R->getValueType()->isRecordType() && assert(R->getValueType()->isRecordType() &&
!R->getValueType()->isUnionType() && !R->getValueType()->isUnionType() &&
"This method only checks non-union record objects!"); "This method only checks non-union record objects!");
const RecordDecl *RD = const RecordDecl *RD = R->getValueType()->getAsRecordDecl()->getDefinition();
R->getValueType()->getAs<RecordType>()->getDecl()->getDefinition();
assert(RD && "Referred record has no definition"); if (!RD) {
IsAnyFieldInitialized = true;
return true;
}
bool ContainsUninitField = false; bool ContainsUninitField = false;
// Are all of this non-union's fields initialized? // Are all of this non-union's fields initialized?
for (const FieldDecl *I : RD->fields()) { for (const FieldDecl *I : RD->fields()) {
const auto FieldVal = const auto FieldVal =
State->getLValue(I, loc::MemRegionVal(R)).castAs<loc::MemRegionVal>(); State->getLValue(I, loc::MemRegionVal(R)).castAs<loc::MemRegionVal>();
Show All 21 Lines if (T->isUnionType()) {
continue; continue;
} }
if (T->isArrayType()) { if (T->isArrayType()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
continue; continue;
} }
if (T->isAnyPointerType() || T->isReferenceType() || if (isDereferencableType(T)) {
T->isBlockPointerType()) {
if (isPointerOrReferenceUninit(FR, LocalChain)) if (isPointerOrReferenceUninit(FR, LocalChain))
ContainsUninitField = true; ContainsUninitField = true;
continue; continue;
} }
if (isPrimitiveType(T)) { if (isPrimitiveType(T)) {
SVal V = State->getSVal(FieldVal); SVal V = State->getSVal(FieldVal);
▲ Show 20 LinesShow All 177 Lines▼ Show 20 Lines while ((LC = LC->getParent())) {
// during the analysis of OtherObject. // during the analysis of OtherObject.
if (CurrentObject->getRegion()->isSubRegionOf(OtherObject->getRegion())) if (CurrentObject->getRegion()->isSubRegionOf(OtherObject->getRegion()))
return true; return true;
} }
return false; return false;
} }
StringRef clang::ento::getVariableName(const FieldDecl *Field) { std::string clang::ento::getVariableName(const FieldDecl *Field) {
// If Field is a captured lambda variable, Field->getName() will return with // If Field is a captured lambda variable, Field->getName() will return with
// an empty string. We can however acquire it's name from the lambda's // an empty string. We can however acquire it's name from the lambda's
// captures. // captures.
const auto *CXXParent = dyn_cast<CXXRecordDecl>(Field->getParent()); const auto *CXXParent = dyn_cast<CXXRecordDecl>(Field->getParent());
if (CXXParent && CXXParent->isLambda()) { if (CXXParent && CXXParent->isLambda()) {
assert(CXXParent->captures_begin()); assert(CXXParent->captures_begin());
auto It = CXXParent->captures_begin() + Field->getFieldIndex(); auto It = CXXParent->captures_begin() + Field->getFieldIndex();
return It->getCapturedVar()->getName();
if (It->capturesVariable())
return llvm::Twine("/*captured variable*/" +
It->getCapturedVar()->getName())
.str();
if (It->capturesThis())
return "/*'this' capture*/";
llvm_unreachable("No other capture type is expected!");
} }
return Field->getName(); return Field->getName();
} }
void ento::registerUninitializedObjectChecker(CheckerManager &Mgr) { void ento::registerUninitializedObjectChecker(CheckerManager &Mgr) {
auto Chk = Mgr.registerChecker<UninitializedObjectChecker>(); auto Chk = Mgr.registerChecker<UninitializedObjectChecker>();
Chk->IsPedantic = Mgr.getAnalyzerOptions().getBooleanOption( Chk->IsPedantic = Mgr.getAnalyzerOptions().getBooleanOption(
"Pedantic", /*DefaultVal*/ false, Chk); "Pedantic", /*DefaultVal*/ false, Chk);
Chk->ShouldConvertNotesToWarnings = Mgr.getAnalyzerOptions().getBooleanOption( Chk->ShouldConvertNotesToWarnings = Mgr.getAnalyzerOptions().getBooleanOption(
"NotesAsWarnings", /*DefaultVal*/ false, Chk); "NotesAsWarnings", /*DefaultVal*/ false, Chk);
Chk->CheckPointeeInitialization = Mgr.getAnalyzerOptions().getBooleanOption( Chk->CheckPointeeInitialization = Mgr.getAnalyzerOptions().getBooleanOption(
"CheckPointeeInitialization", /*DefaultVal*/ false, Chk); "CheckPointeeInitialization", /*DefaultVal*/ false, Chk);
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp

Show First 20 LinesShow All 89 Lines▼ Show 20 Lines
// Utility function declarations. // Utility function declarations.
/// Returns whether T can be (transitively) dereferenced to a void pointer type /// Returns whether T can be (transitively) dereferenced to a void pointer type
/// (void*, void**, ...). The type of the region behind a void pointer isn't /// (void*, void**, ...). The type of the region behind a void pointer isn't
/// known, and thus FD can not be analyzed. /// known, and thus FD can not be analyzed.
static bool isVoidPointer(QualType T); static bool isVoidPointer(QualType T);
/// Dereferences \p V and returns the value and dynamic type of the pointee, as using DereferenceInfo = std::pair<const TypedValueRegion *, bool>;
/// well as whether \p FR needs to be casted back to that type. If for whatever
/// reason dereferencing fails, returns with None. /// Dereferences \p FR and returns with the pointee's region, and whether it
static llvm::Optional<std::tuple<SVal, QualType, bool>> /// needs to be casted back to it's location type. If for whatever reason
dereference(ProgramStateRef State, const FieldRegion *FR); /// dereferencing fails, returns with None.
static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State,
const FieldRegion *FR);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods for FindUninitializedFields. // Methods for FindUninitializedFields.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Note that pointers/references don't contain fields themselves, so in this // Note that pointers/references don't contain fields themselves, so in this
// function we won't add anything to LocalChain. // function we won't add anything to LocalChain.
bool FindUninitializedFields::isPointerOrReferenceUninit( bool FindUninitializedFields::isPointerOrReferenceUninit(
const FieldRegion *FR, FieldChainInfo LocalChain) { const FieldRegion *FR, FieldChainInfo LocalChain) {
assert((FR->getDecl()->getType()->isAnyPointerType() || assert(isDereferencableType(FR->getDecl()->getType()) &&
FR->getDecl()->getType()->isReferenceType() || "This method only checks dereferencable objects!");
FR->getDecl()->getType()->isBlockPointerType()) &&
"This method only checks pointer/reference objects!");
SVal V = State->getSVal(FR); SVal V = State->getSVal(FR);
if (V.isUnknown() || V.getAs<loc::ConcreteInt>()) { if (V.isUnknown() || V.getAs<loc::ConcreteInt>()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
if (V.isUndef()) { if (V.isUndef()) {
return addFieldToUninits( return addFieldToUninits(
LocalChain.add(LocField(FR, /*IsDereferenced*/ false))); LocalChain.add(LocField(FR, /*IsDereferenced*/ false)));
} }
if (!CheckPointeeInitialization) { if (!CheckPointeeInitialization) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
// At this point the pointer itself is initialized and points to a valid // At this point the pointer itself is initialized and points to a valid
// location, we'll now check the pointee. // location, we'll now check the pointee.
llvm::Optional<std::tuple<SVal, QualType, bool>> DerefInfo = llvm::Optional<DereferenceInfo> DerefInfo = dereference(State, FR);
dereference(State, FR);
if (!DerefInfo) { if (!DerefInfo) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
V = std::get<0>(*DerefInfo); const TypedValueRegion *R = DerefInfo->first;
QualType DynT = std::get<1>(*DerefInfo); const bool NeedsCastBack = DerefInfo->second;
bool NeedsCastBack = std::get<2>(*DerefInfo);
// If FR is a pointer pointing to a non-primitive type.
if (Optional<nonloc::LazyCompoundVal> RecordV =
V.getAs<nonloc::LazyCompoundVal>()) {
const TypedValueRegion *R = RecordV->getRegion(); QualType DynT = R->getLocationType();
QualType PointeeT = DynT->getPointeeType();
if (DynT->getPointeeType()->isStructureOrClassType()) { if (PointeeT->isStructureOrClassType()) {
if (NeedsCastBack) if (NeedsCastBack)
return isNonUnionUninit(R, LocalChain.add(NeedsCastLocField(FR, DynT))); return isNonUnionUninit(R, LocalChain.add(NeedsCastLocField(FR, DynT)));
return isNonUnionUninit(R, LocalChain.add(LocField(FR))); return isNonUnionUninit(R, LocalChain.add(LocField(FR)));
} }
if (DynT->getPointeeType()->isUnionType()) { if (PointeeT->isUnionType()) {
if (isUnionUninit(R)) { if (isUnionUninit(R)) {
if (NeedsCastBack) if (NeedsCastBack)
return addFieldToUninits(LocalChain.add(NeedsCastLocField(FR, DynT))); return addFieldToUninits(LocalChain.add(NeedsCastLocField(FR, DynT)));
return addFieldToUninits(LocalChain.add(LocField(FR))); return addFieldToUninits(LocalChain.add(LocField(FR)));
} else { } else {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
} }
if (DynT->getPointeeType()->isArrayType()) { if (PointeeT->isArrayType()) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
llvm_unreachable("All cases are handled!"); assert((isPrimitiveType(PointeeT) || isDereferencableType(PointeeT)) &&
}
assert((isPrimitiveType(DynT->getPointeeType()) || DynT->isAnyPointerType() ||
DynT->isReferenceType()) &&
"At this point FR must either have a primitive dynamic type, or it " "At this point FR must either have a primitive dynamic type, or it "
"must be a null, undefined, unknown or concrete pointer!"); "must be a null, undefined, unknown or concrete pointer!");
if (isPrimitiveUninit(V)) { SVal PointeeV = State->getSVal(R);
if (isPrimitiveUninit(PointeeV)) {
if (NeedsCastBack) if (NeedsCastBack)
return addFieldToUninits(LocalChain.add(NeedsCastLocField(FR, DynT))); return addFieldToUninits(LocalChain.add(NeedsCastLocField(FR, DynT)));
return addFieldToUninits(LocalChain.add(LocField(FR))); return addFieldToUninits(LocalChain.add(LocField(FR)));
} }
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions. // Utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static bool isVoidPointer(QualType T) { static bool isVoidPointer(QualType T) {
while (!T.isNull()) { while (!T.isNull()) {
if (T->isVoidPointerType()) if (T->isVoidPointerType())
return true; return true;
T = T->getPointeeType(); T = T->getPointeeType();
} }
return false; return false;
} }
static llvm::Optional<std::tuple<SVal, QualType, bool>> static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State,
dereference(ProgramStateRef State, const FieldRegion *FR) { const FieldRegion *FR) {
DynamicTypeInfo DynTInfo; llvm::SmallSet<const TypedValueRegion *, 5> VisitedRegions;
QualType DynT;
// If the static type of the field is a void pointer, we need to cast it back // If the static type of the field is a void pointer, we need to cast it back
// to the dynamic type before dereferencing. // to the dynamic type before dereferencing.
bool NeedsCastBack = isVoidPointer(FR->getDecl()->getType()); bool NeedsCastBack = isVoidPointer(FR->getDecl()->getType());
SVal V = State->getSVal(FR); SVal V = State->getSVal(FR);
assert(V.getAs<loc::MemRegionVal>() && "V must be loc::MemRegionVal!"); assert(V.getAsRegion() && "V must have an underlying region!");
// If V is multiple pointer value, we'll dereference it again (e.g.: int** -> // The region we'd like to acquire.
// int*). const auto *R = V.getAsRegion()->getAs<TypedValueRegion>();
// TODO: Dereference according to the dynamic type to avoid infinite loop for if (!R)
// these kind of fields:
// int **ptr = reinterpret_cast<int **>(&ptr);
while (auto Tmp = V.getAs<loc::MemRegionVal>()) {
// We can't reason about symbolic regions, assume its initialized.
// Note that this also avoids a potential infinite recursion, because
// constructors for list-like classes are checked without being called, and
// the Static Analyzer will construct a symbolic region for Node *next; or
// similar code snippets.
if (Tmp->getRegion()->getSymbolicBase()) {
return None; return None;
}
DynTInfo = getDynamicTypeInfo(State, Tmp->getRegion()); VisitedRegions.insert(R);
if (!DynTInfo.isValid()) {
return None; // We acquire the dynamic type of R,
} QualType DynT = R->getLocationType();
while (const MemRegion *Tmp = State->getSVal(R, DynT).getAsRegion()) {
isuckatcsUnsubmitted
Not Done
ReplyInline Actions

@Szelethus @NoQ @xazax.hun I ran into an issue related to this line.

Consider this test case:

struct CyclicPointerTest1 {
  int *ptr; // expected-note{{object references itself 'this->ptr'}}
  int dontGetFilteredByNonPedanticMode = 0;

  CyclicPointerTest1() : ptr(reinterpret_cast<int *>(&ptr)) {} // expected-warning{{1 uninitialized field}}
};

At this point, with the example above, the store looks like this:

{"kind": "Direct", "offset": 0, "extent": 64, value: &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}}
{"kind": "Direct", "offset": 64, "extent": 32, value: 0 S32b}

which means the values are the following:

V = &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}
R = Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}
DynT = PointerType ... 'int *'

when State->getSVal(R, DynT) is called, eventually RegionStoreManager::getBinding() will also be invoked, where because R is an ElementRegion we reach these lines:

if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
  // FIXME: Here we actually perform an implicit conversion from the loaded
  // value to the element type.  Eventually we want to compose these values
  // more intelligently.  For example, an 'element' can encompass multiple
  // bound regions (e.g., several bound bytes), or could be a subset of
  // a larger value.
  return svalBuilder.evalCast(getBindingForElement(B, ER), T, QualType{});
}

What happens here is that we call getBindingForElement(B, ER) and whatever value it returns, we cast to T, which is int * in this example. The type of the element inside the ER however is an int, so the following lookup will be performed:

Binding being looked up: 
  {"kind": "Direct", "offset": 0, "extent": 32}
------------------------------------------------------------------------------------------------------------------------
Store:
  {"kind": "Direct", "offset": 0, "extent": 64 value: &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}}
  {"kind": "Direct", "offset": 64, "extent": 32 value: 0 S32b}

Since extents are ignored by default, the returned value will be &Element{temp_object{CyclicPointerTest1, S915}.ptr,0 S64b,int}}, which is indeed a pointer, however I'm not sure that the lookup here is actually correct.

As far as I understand, we want to lookup an int element based on it's region and we receive a pointer value. Is it because I misunderstand something, or it's an actual issue that is hid by how region store works right now?

isuckatcs: @Szelethus @NoQ @xazax.hun I ran into an issue related to this line. Consider this test case…
DynT = DynTInfo.getType(); R = Tmp->getAs<TypedValueRegion>();
if (isVoidPointer(DynT)) { if (!R)
return None;
// We found a cyclic pointer, like int *ptr = (int *)&ptr.
// TODO: Report these fields too.
if (!VisitedRegions.insert(R).second)
return None; return None;
}
V = State->getSVal(*Tmp, DynT); DynT = R->getLocationType();
// In order to ensure that this loop terminates, we're also checking the
// dynamic type of R, since type hierarchy is finite.
if (isDereferencableType(DynT->getPointeeType()))
break;
} }
return std::make_tuple(V, DynT, NeedsCastBack); return std::make_pair(R, NeedsCastBack);
} }

cfe/trunk/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

Show All 40 Linespublic:
} }
}; };
void fNullPtrTest() { void fNullPtrTest() {
NullPtrTest(); NullPtrTest();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Alloca tests.
//===----------------------------------------------------------------------===//
struct UntypedAllocaTest {
void *allocaPtr;
int dontGetFilteredByNonPedanticMode = 0;
UntypedAllocaTest() : allocaPtr(__builtin_alloca(sizeof(int))) {
// All good!
}
};
void fUntypedAllocaTest() {
UntypedAllocaTest();
}
struct TypedAllocaTest1 {
int *allocaPtr; // expected-note{{uninitialized pointee 'this->allocaPtr'}}
int dontGetFilteredByNonPedanticMode = 0;
TypedAllocaTest1() // expected-warning{{1 uninitialized field}}
: allocaPtr(static_cast<int *>(__builtin_alloca(sizeof(int)))) {}
};
void fTypedAllocaTest1() {
TypedAllocaTest1();
}
struct TypedAllocaTest2 {
int *allocaPtr;
int dontGetFilteredByNonPedanticMode = 0;
TypedAllocaTest2()
: allocaPtr(static_cast<int *>(__builtin_alloca(sizeof(int)))) {
*allocaPtr = 55555;
// All good!
}
};
void fTypedAllocaTest2() {
TypedAllocaTest2();
}
//===----------------------------------------------------------------------===//
// Heap pointer tests. // Heap pointer tests.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
class HeapPointerTest1 { class HeapPointerTest1 {
struct RecordType { struct RecordType {
// TODO: we'd expect the note: {{uninitialized field 'this->recPtr->y'}} // TODO: we'd expect the note: {{uninitialized field 'this->recPtr->y'}}
int x; // no-note int x; // no-note
// TODO: we'd expect the note: {{uninitialized field 'this->recPtr->y'}} // TODO: we'd expect the note: {{uninitialized field 'this->recPtr->y'}}
▲ Show 20 LinesShow All 141 Lines▼ Show 20 Linesstruct CyclicPointerTest1 {
int *ptr; int *ptr;
CyclicPointerTest1() : ptr(reinterpret_cast<int *>(&ptr)) {} CyclicPointerTest1() : ptr(reinterpret_cast<int *>(&ptr)) {}
}; };
void fCyclicPointerTest1() { void fCyclicPointerTest1() {
CyclicPointerTest1(); CyclicPointerTest1();
} }
// TODO: Currently, the checker ends up in an infinite loop for the following
// test case.
/*
struct CyclicPointerTest2 { struct CyclicPointerTest2 {
int **pptr; int **pptr; // no-crash
CyclicPointerTest2() : pptr(reinterpret_cast<int **>(&pptr)) {} CyclicPointerTest2() : pptr(reinterpret_cast<int **>(&pptr)) {}
}; };
void fCyclicPointerTest2() { void fCyclicPointerTest2() {
CyclicPointerTest2(); CyclicPointerTest2();
} }
*/
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Void pointer tests. // Void pointer tests.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Void pointer tests are mainly no-crash tests. // Void pointer tests are mainly no-crash tests.
void *malloc(int size); void *malloc(int size);
▲ Show 20 LinesShow All 240 Lines▼ Show 20 Lines
void fMultiPointerTest3() { void fMultiPointerTest3() {
MultiPointerTest3::RecordType i{31, 32}; MultiPointerTest3::RecordType i{31, 32};
MultiPointerTest3::RecordType *p1 = &i; MultiPointerTest3::RecordType *p1 = &i;
MultiPointerTest3::RecordType **mptr = &p1; MultiPointerTest3::RecordType **mptr = &p1;
MultiPointerTest3(mptr, int()); // '**mptr' uninitialized MultiPointerTest3(mptr, int()); // '**mptr' uninitialized
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Incomplete pointee tests.
//===----------------------------------------------------------------------===//
class IncompleteType;
struct IncompletePointeeTypeTest {
IncompleteType *pImpl; //no-crash
int dontGetFilteredByNonPedanticMode = 0;
IncompletePointeeTypeTest(IncompleteType *A) : pImpl(A) {}
};
void fIncompletePointeeTypeTest(void *ptr) {
IncompletePointeeTypeTest(reinterpret_cast<IncompleteType *>(ptr));
}
//===----------------------------------------------------------------------===//
// Function pointer tests.
//===----------------------------------------------------------------------===//
struct FunctionPointerWithDifferentDynTypeTest {
using Func1 = void *(*)();
using Func2 = int *(*)();
Func1 f; // no-crash
FunctionPointerWithDifferentDynTypeTest(Func2 f) : f((Func1)f) {}
};
// Note that there isn't a function calling the constructor of
// FunctionPointerWithDifferentDynTypeTest, because a crash could only be
// reproduced without it.
//===----------------------------------------------------------------------===//
// Member pointer tests. // Member pointer tests.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
struct UsefulFunctions { struct UsefulFunctions {
int a, b; int a, b;
void print() {} void print() {}
void dump() {} void dump() {}
▲ Show 20 LinesShow All 158 Lines▼ Show 20 Linesvoid fCyclicList() {
CyclicList::Node n3; CyclicList::Node n3;
n3.next = &n2; n3.next = &n2;
n3.i = 50; n3.i = 50;
n1.next = &n3; n1.next = &n3;
// note that n1.i is uninitialized // note that n1.i is uninitialized
CyclicList(&n1, int()); CyclicList(&n1, int());
} }
struct RingListTest {
RingListTest *next; // no-crash
RingListTest() : next(this) {}
};
void fRingListTest() {
RingListTest();
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Tests for classes containing references. // Tests for classes containing references.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
class ReferenceTest1 { class ReferenceTest1 {
public: public:
struct RecordType { struct RecordType {
int x; int x;
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/cxx-uninitialized-object.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.UninitializedObject \ // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.UninitializedObject \
// RUN: -analyzer-config alpha.cplusplus.UninitializedObject:Pedantic=true -DPEDANTIC \ // RUN: -analyzer-config alpha.cplusplus.UninitializedObject:Pedantic=true -DPEDANTIC \
// RUN: -analyzer-config alpha.cplusplus.UninitializedObject:CheckPointeeInitialization=true \ // RUN: -analyzer-config alpha.cplusplus.UninitializedObject:CheckPointeeInitialization=true \
// RUN: -std=c++11 -verify %s // RUN: -std=c++14 -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.UninitializedObject \ // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.UninitializedObject \
// RUN: -analyzer-config alpha.cplusplus.UninitializedObject:CheckPointeeInitialization=true \ // RUN: -analyzer-config alpha.cplusplus.UninitializedObject:CheckPointeeInitialization=true \
// RUN: -std=c++11 -verify %s // RUN: -std=c++14 -verify %s
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Default constructor test. // Default constructor test.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
class CompilerGeneratedConstructorTest { class CompilerGeneratedConstructorTest {
int a, b, c, d, e, f, g, h, i, j; int a, b, c, d, e, f, g, h, i, j;
▲ Show 20 LinesShow All 759 Lines▼ Show 20 Lines
struct LambdaTest2 { struct LambdaTest2 {
Callable functor; Callable functor;
LambdaTest2(const Callable &functor, int) : functor(functor) {} // expected-warning{{1 uninitialized field}} LambdaTest2(const Callable &functor, int) : functor(functor) {} // expected-warning{{1 uninitialized field}}
}; };
void fLambdaTest2() { void fLambdaTest2() {
int b; int b;
auto equals = [&b](int a) { return a == b; }; // expected-note{{uninitialized pointee 'this->functor.b'}} auto equals = [&b](int a) { return a == b; }; // expected-note{{uninitialized pointee 'this->functor./*captured variable*/b'}}
LambdaTest2<decltype(equals)>(equals, int()); LambdaTest2<decltype(equals)>(equals, int());
} }
#else #else
template <class Callable> template <class Callable>
struct LambdaTest2 { struct LambdaTest2 {
Callable functor; Callable functor;
LambdaTest2(const Callable &functor, int) : functor(functor) {} LambdaTest2(const Callable &functor, int) : functor(functor) {}
}; };
void fLambdaTest2() { void fLambdaTest2() {
int b; int b;
auto equals = [&b](int a) { return a == b; }; auto equals = [&b](int a) { return a == b; };
LambdaTest2<decltype(equals)>(equals, int()); LambdaTest2<decltype(equals)>(equals, int());
} }
#endif //PEDANTIC #endif //PEDANTIC
#ifdef PEDANTIC #ifdef PEDANTIC
namespace LT3Detail { namespace LT3Detail {
struct RecordType { struct RecordType {
int x; // expected-note{{uninitialized field 'this->functor.rec1.x'}} int x; // expected-note{{uninitialized field 'this->functor./*captured variable*/rec1.x'}}
int y; // expected-note{{uninitialized field 'this->functor.rec1.y'}} int y; // expected-note{{uninitialized field 'this->functor./*captured variable*/rec1.y'}}
}; };
} // namespace LT3Detail } // namespace LT3Detail
template <class Callable> template <class Callable>
struct LambdaTest3 { struct LambdaTest3 {
Callable functor; Callable functor;
LambdaTest3(const Callable &functor, int) : functor(functor) {} // expected-warning{{2 uninitialized fields}} LambdaTest3(const Callable &functor, int) : functor(functor) {} // expected-warning{{2 uninitialized fields}}
Show All 36 Linesstruct MultipleLambdaCapturesTest1 {
Callable functor; Callable functor;
int dontGetFilteredByNonPedanticMode = 0; int dontGetFilteredByNonPedanticMode = 0;
MultipleLambdaCapturesTest1(const Callable &functor, int) : functor(functor) {} // expected-warning{{2 uninitialized field}} MultipleLambdaCapturesTest1(const Callable &functor, int) : functor(functor) {} // expected-warning{{2 uninitialized field}}
}; };
void fMultipleLambdaCapturesTest1() { void fMultipleLambdaCapturesTest1() {
int b1, b2 = 3, b3; int b1, b2 = 3, b3;
auto equals = [&b1, &b2, &b3](int a) { return a == b1 == b2 == b3; }; // expected-note{{uninitialized pointee 'this->functor.b1'}} auto equals = [&b1, &b2, &b3](int a) { return a == b1 == b2 == b3; }; // expected-note{{uninitialized pointee 'this->functor./*captured variable*/b1'}}
// expected-note@-1{{uninitialized pointee 'this->functor.b3'}} // expected-note@-1{{uninitialized pointee 'this->functor./*captured variable*/b3'}}
MultipleLambdaCapturesTest1<decltype(equals)>(equals, int()); MultipleLambdaCapturesTest1<decltype(equals)>(equals, int());
} }
template <class Callable> template <class Callable>
struct MultipleLambdaCapturesTest2 { struct MultipleLambdaCapturesTest2 {
Callable functor; Callable functor;
int dontGetFilteredByNonPedanticMode = 0; int dontGetFilteredByNonPedanticMode = 0;
MultipleLambdaCapturesTest2(const Callable &functor, int) : functor(functor) {} // expected-warning{{1 uninitialized field}} MultipleLambdaCapturesTest2(const Callable &functor, int) : functor(functor) {} // expected-warning{{1 uninitialized field}}
}; };
void fMultipleLambdaCapturesTest2() { void fMultipleLambdaCapturesTest2() {
int b1, b2 = 3, b3; int b1, b2 = 3, b3;
auto equals = [b1, &b2, &b3](int a) { return a == b1 == b2 == b3; }; // expected-note{{uninitialized pointee 'this->functor.b3'}} auto equals = [b1, &b2, &b3](int a) { return a == b1 == b2 == b3; }; // expected-note{{uninitialized pointee 'this->functor./*captured variable*/b3'}}
MultipleLambdaCapturesTest2<decltype(equals)>(equals, int()); MultipleLambdaCapturesTest2<decltype(equals)>(equals, int());
} }
struct LambdaWrapper {
void *func; // no-crash
int dontGetFilteredByNonPedanticMode = 0;
LambdaWrapper(void *ptr) : func(ptr) {} // expected-warning{{1 uninitialized field}}
};
struct ThisCapturingLambdaFactory {
int a; // expected-note{{uninitialized field 'static_cast<decltype(a.ret()) *>(this->func)->/*'this' capture*/->a'}}
auto ret() {
return [this] { (void)this; };
}
};
void fLambdaFieldWithInvalidThisCapture() {
void *ptr;
{
ThisCapturingLambdaFactory a;
decltype(a.ret()) lambda = a.ret();
ptr = &lambda;
}
LambdaWrapper t(ptr);
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// System header tests. // System header tests.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "Inputs/system-header-simulator-for-cxx-uninitialized-object.h" #include "Inputs/system-header-simulator-for-cxx-uninitialized-object.h"
struct SystemHeaderTest1 { struct SystemHeaderTest1 {
RecordInSystemHeader rec; // defined in the system header simulator RecordInSystemHeader rec; // defined in the system header simulator
▲ Show 20 LinesShow All 221 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/objcpp-uninitialized-object.mm

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.UninitializedObject -std=c++11 -fblocks -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.cplusplus.UninitializedObject -std=c++11 -fblocks -verify %s
typedef void (^myBlock) (); typedef void (^myBlock) ();
struct StructWithBlock { struct StructWithBlock {
int a; int a;
myBlock z; // expected-note{{uninitialized pointer 'this->z'}} myBlock z; // expected-note{{uninitialized field 'this->z'}}
StructWithBlock() : a(0), z(^{}) {} StructWithBlock() : a(0), z(^{}) {}
// Miss initialization of field `z`. // Miss initialization of field `z`.
StructWithBlock(int pA) : a(pA) {} // expected-warning{{1 uninitialized field at the end of the constructor call}} StructWithBlock(int pA) : a(pA) {} // expected-warning{{1 uninitialized field at the end of the constructor call}}
}; };
Show All 17 Lines