This is an archive of the discontinued LLVM Phabricator instance.

Differential D51305

[analyzer][UninitializedObjectChecker] Reports Loc fields pointing to themselves
ClosedPublic

Authored by Szelethus on Aug 27 2018, 7:51 AM.

Details

Reviewers
NoQ
george.karpenkov
rnkovacs
xazax.hun
Commits
rG8e5328b6f070: [analyzer][UninitializedObjectChecker] Reports Loc fields pointing to themselves
rC344242: [analyzer][UninitializedObjectChecker] Reports Loc fields pointing to themselves
rL344242: [analyzer][UninitializedObjectChecker] Reports Loc fields pointing to themselves
Summary

I've added a new functionality, the checker is now able to detect and report fields pointing to themselves. I figured this would fit well into the checker as there's no reason for a pointer to point to itself instead of being nullptr.

Diff Detail

Repository
rL LLVM

Event Timeline

Szelethus created this revision.Aug 27 2018, 7:51 AM
Herald added subscribers: mikhail.ramalho, a.sidorin, szepet, whisperity. · View Herald TranscriptAug 27 2018, 7:51 AM
Szelethus added a parent revision: D51057: [analyzer][UninitializedObjectChecker] Fixed dereferencing.Aug 27 2018, 7:51 AM
george.karpenkov requested changes to this revision.Aug 27 2018, 10:45 AM

I'm not sure this is a good idea. Pointing to itself may be a common pattern in circular list structures, and in any case it doesn't seem to be related to uninitialized fields.

This revision now requires changes to proceed.Aug 27 2018, 10:45 AM
Szelethus added a comment.Aug 27 2018, 11:05 AM

Thanks for taking a look!

In D51305#1214733, @george.karpenkov wrote:

I'm not sure this is a good idea. Pointing to itself may be a common pattern in circular list structures,

I'm fine with not pursuing this one any further. I can see the value, but it isn't of a great importance to me. However, as far as I know, pointers may point to the node that contains them, but it doesn't make much sense for them to point to themselves -- why would anyone dereference such an object intentionally? The only use-case I could imagine is checking whether ptr == &ptr, but one could might as well store a nullptr for this reason.

and in any case it doesn't seem to be related to uninitialized fields.

You could say they are incorrectly initialized! ;) Also, I would imagine these kind of reports would have the greatest likelihood of finding an actual bug.

Szelethus added inline comments.Aug 27 2018, 1:30 PM
test/Analysis/cxx-uninitialized-object-ptr-ref.cpp
659–691 ↗(On Diff #162676)

Pointing to itself may be a common pattern in circular list structures

One important thing I forgot to mention, there are test cases for circular lists, and this patch only aims to report only pointer arithmetic errors.

I only possible use case I can imagine is storing an extra state, like this:

  • State 1: ptr == nullptr
  • State 2: ptr == &ptr
  • State 3: otherwise

But as a best-practices checker, I think it's fine to report these cases, as I would imagine then to be very error-prone. But then again, I may be unaware of some valid use cases.

Szelethus planned changes to this revision.Sep 5 2018, 8:23 AM

I've been made aware of some valid concerns with this patch. I'll revisit this at a later time, please ignore it for now.

Szelethus updated this revision to Diff 168593.Oct 7 2018, 9:40 AM
  • Moved some functions back into the global namespace.

@whisperity told me that alignment could be an issue, where:

struct List {
  List *next;
};

List L;
L.next = &L;

In this case, it is possible (and maybe probable) that &L and L->next is equal, but I'm checking whether the regions are equal, not where they point to.

I don't believe this patch would result in any false positives, but it isn't a big deal to me if it's undesirable.

george.karpenkov accepted this revision.Oct 10 2018, 10:55 AM

I don't have objections against this.

@Szelethus In general, have you seen this pattern, or is it just something you thought could happen?
Overall, I don't think enumerating all possible bad scenarios is a best way for writing checkers. I think it's more productive to focus on real issues you have seen,
and then iterate and be data-driven.

This revision is now accepted and ready to land.Oct 10 2018, 10:55 AM
Herald added a subscriber: donat.nagy. · View Herald TranscriptOct 10 2018, 10:55 AM
Szelethus added a comment.Oct 10 2018, 11:28 AM

Thank you so much! :)

In D51305#1260752, @george.karpenkov wrote:

[...]
@Szelethus In general, have you seen this pattern, or is it just something you thought could happen?
Overall, I don't think enumerating all possible bad scenarios is a best way for writing checkers. I think it's more productive to focus on real issues you have seen,
and then iterate and be data-driven.

This was one of the very rare occasions where I noticed this bad scenario, as you put it, before seeing it in a production code. I usually rely on data I gather from analyzing open source projects and from user feedback, but after rC339599, this was super easy to implement.

The idea came relatively naturally, as pointers pointing to themselves is a corner-case I have to cover.

But really, should this ever happen, it most definitely is a sign of a serious mess up.

Closed by commit rL344242: [analyzer][UninitializedObjectChecker] Reports Loc fields pointing to themselves (authored by Szelethus). · Explain WhyOct 11 2018, 5:00 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptOct 11 2018, 5:00 AM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
UninitializedObject/
68 lines
test/
Analysis/
17 lines

Diff 169196

cfe/trunk/lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedPointee.cpp

Show First 20 LinesShow All 83 Lines▼ Show 20 Lines virtual void printNode(llvm::raw_ostream &Out) const override {
Out << getVariableName(getDecl()) << ')'; Out << getVariableName(getDecl()) << ')';
} }
virtual void printSeparator(llvm::raw_ostream &Out) const override { virtual void printSeparator(llvm::raw_ostream &Out) const override {
Out << "->"; Out << "->";
} }
}; };
/// Represents a Loc field that points to itself.
class CyclicLocField final : public FieldNode {
public:
CyclicLocField(const FieldRegion *FR) : FieldNode(FR) {}
virtual void printNoteMsg(llvm::raw_ostream &Out) const override {
Out << "object references itself ";
}
virtual void printPrefix(llvm::raw_ostream &Out) const override {}
virtual void printNode(llvm::raw_ostream &Out) const override {
Out << getVariableName(getDecl());
}
virtual void printSeparator(llvm::raw_ostream &Out) const override {
llvm_unreachable("CyclicLocField objects must be the last node of the "
"fieldchain!");
}
};
} // end of anonymous namespace } // end of anonymous namespace
// Utility function declarations. // Utility function declarations.
/// Returns whether \p T can be (transitively) dereferenced to a void pointer struct DereferenceInfo {
/// type (void*, void**, ...). const TypedValueRegion *R;
static bool isVoidPointer(QualType T); const bool NeedsCastBack;
const bool IsCyclic;
using DereferenceInfo = std::pair<const TypedValueRegion *, bool>; DereferenceInfo(const TypedValueRegion *R, bool NCB, bool IC)
: R(R), NeedsCastBack(NCB), IsCyclic(IC) {}
};
/// Dereferences \p FR and returns with the pointee's region, and whether it /// Dereferences \p FR and returns with the pointee's region, and whether it
/// needs to be casted back to it's location type. If for whatever reason /// needs to be casted back to it's location type. If for whatever reason
/// dereferencing fails, returns with None. /// dereferencing fails, returns with None.
static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State, static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State,
const FieldRegion *FR); const FieldRegion *FR);
/// Returns whether \p T can be (transitively) dereferenced to a void pointer
/// type (void*, void**, ...).
static bool isVoidPointer(QualType T);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods for FindUninitializedFields. // Methods for FindUninitializedFields.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
bool FindUninitializedFields::isDereferencableUninit( bool FindUninitializedFields::isDereferencableUninit(
const FieldRegion *FR, FieldChainInfo LocalChain) { const FieldRegion *FR, FieldChainInfo LocalChain) {
SVal V = State->getSVal(FR); SVal V = State->getSVal(FR);
Show All 20 Linesbool FindUninitializedFields::isDereferencableUninit(
// At this point the pointer itself is initialized and points to a valid // At this point the pointer itself is initialized and points to a valid
// location, we'll now check the pointee. // location, we'll now check the pointee.
llvm::Optional<DereferenceInfo> DerefInfo = dereference(State, FR); llvm::Optional<DereferenceInfo> DerefInfo = dereference(State, FR);
if (!DerefInfo) { if (!DerefInfo) {
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
const TypedValueRegion *R = DerefInfo->first; if (DerefInfo->IsCyclic)
const bool NeedsCastBack = DerefInfo->second; return addFieldToUninits(LocalChain.add(CyclicLocField(FR)));
const TypedValueRegion *R = DerefInfo->R;
const bool NeedsCastBack = DerefInfo->NeedsCastBack;
QualType DynT = R->getLocationType(); QualType DynT = R->getLocationType();
QualType PointeeT = DynT->getPointeeType(); QualType PointeeT = DynT->getPointeeType();
if (PointeeT->isStructureOrClassType()) { if (PointeeT->isStructureOrClassType()) {
if (NeedsCastBack) if (NeedsCastBack)
return isNonUnionUninit(R, LocalChain.add(NeedsCastLocField(FR, DynT))); return isNonUnionUninit(R, LocalChain.add(NeedsCastLocField(FR, DynT)));
return isNonUnionUninit(R, LocalChain.add(LocField(FR))); return isNonUnionUninit(R, LocalChain.add(LocField(FR)));
Show All 30 Linesbool FindUninitializedFields::isDereferencableUninit(
IsAnyFieldInitialized = true; IsAnyFieldInitialized = true;
return false; return false;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions. // Utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static bool isVoidPointer(QualType T) {
while (!T.isNull()) {
if (T->isVoidPointerType())
return true;
T = T->getPointeeType();
}
return false;
}
static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State, static llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State,
const FieldRegion *FR) { const FieldRegion *FR) {
llvm::SmallSet<const TypedValueRegion *, 5> VisitedRegions; llvm::SmallSet<const TypedValueRegion *, 5> VisitedRegions;
SVal V = State->getSVal(FR); SVal V = State->getSVal(FR);
assert(V.getAsRegion() && "V must have an underlying region!"); assert(V.getAsRegion() && "V must have an underlying region!");
Show All 15 Linesstatic llvm::Optional<DereferenceInfo> dereference(ProgramStateRef State,
while (const MemRegion *Tmp = State->getSVal(R, DynT).getAsRegion()) { while (const MemRegion *Tmp = State->getSVal(R, DynT).getAsRegion()) {
R = Tmp->getAs<TypedValueRegion>(); R = Tmp->getAs<TypedValueRegion>();
if (!R) if (!R)
return None; return None;
// We found a cyclic pointer, like int *ptr = (int *)&ptr. // We found a cyclic pointer, like int *ptr = (int *)&ptr.
// TODO: Should we report these fields too?
if (!VisitedRegions.insert(R).second) if (!VisitedRegions.insert(R).second)
return None; return DereferenceInfo{R, NeedsCastBack, /*IsCyclic*/ true};
DynT = R->getLocationType(); DynT = R->getLocationType();
// In order to ensure that this loop terminates, we're also checking the // In order to ensure that this loop terminates, we're also checking the
// dynamic type of R, since type hierarchy is finite. // dynamic type of R, since type hierarchy is finite.
if (isDereferencableType(DynT->getPointeeType())) if (isDereferencableType(DynT->getPointeeType()))
break; break;
} }
while (R->getAs<CXXBaseObjectRegion>()) { while (R->getAs<CXXBaseObjectRegion>()) {
NeedsCastBack = true; NeedsCastBack = true;
if (!isa<TypedValueRegion>(R->getSuperRegion())) if (!isa<TypedValueRegion>(R->getSuperRegion()))
break; break;
R = R->getSuperRegion()->getAs<TypedValueRegion>(); R = R->getSuperRegion()->getAs<TypedValueRegion>();
} }
return std::make_pair(R, NeedsCastBack); return DereferenceInfo{R, NeedsCastBack, /*IsCyclic*/ false};
}
static bool isVoidPointer(QualType T) {
while (!T.isNull()) {
if (T->isVoidPointerType())
return true;
T = T->getPointeeType();
}
return false;
} }

cfe/trunk/test/Analysis/cxx-uninitialized-object-ptr-ref.cpp

Show First 20 LinesShow All 251 Lines▼ Show 20 Linesstruct CharPointerTest {
CharPointerTest() : str("") {} CharPointerTest() : str("") {}
}; };
void fCharPointerTest() { void fCharPointerTest() {
CharPointerTest(); CharPointerTest();
} }
struct CyclicPointerTest1 { struct CyclicPointerTest1 {
int *ptr; int *ptr; // expected-note{{object references itself 'this->ptr'}}
CyclicPointerTest1() : ptr(reinterpret_cast<int *>(&ptr)) {} int dontGetFilteredByNonPedanticMode = 0;
CyclicPointerTest1() : ptr(reinterpret_cast<int *>(&ptr)) {} // expected-warning{{1 uninitialized field}}
}; };
void fCyclicPointerTest1() { void fCyclicPointerTest1() {
CyclicPointerTest1(); CyclicPointerTest1();
} }
struct CyclicPointerTest2 { struct CyclicPointerTest2 {
int **pptr; // no-crash int **pptr; // expected-note{{object references itself 'this->pptr'}}
CyclicPointerTest2() : pptr(reinterpret_cast<int **>(&pptr)) {} int dontGetFilteredByNonPedanticMode = 0;
CyclicPointerTest2() : pptr(reinterpret_cast<int **>(&pptr)) {} // expected-warning{{1 uninitialized field}}
}; };
void fCyclicPointerTest2() { void fCyclicPointerTest2() {
CyclicPointerTest2(); CyclicPointerTest2();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Void pointer tests. // Void pointer tests.
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Lines
}; };
void fVoidPointerLRefTest() { void fVoidPointerLRefTest() {
void *vptr = malloc(sizeof(int)); void *vptr = malloc(sizeof(int));
VoidPointerLRefTest(vptr, char()); VoidPointerLRefTest(vptr, char());
} }
struct CyclicVoidPointerTest { struct CyclicVoidPointerTest {
void *vptr; // no-crash void *vptr; // expected-note{{object references itself 'this->vptr'}}
int dontGetFilteredByNonPedanticMode = 0;
CyclicVoidPointerTest() : vptr(&vptr) {} CyclicVoidPointerTest() : vptr(&vptr) {} // expected-warning{{1 uninitialized field}}
}; };
void fCyclicVoidPointerTest() { void fCyclicVoidPointerTest() {
CyclicVoidPointerTest(); CyclicVoidPointerTest();
} }
struct IntDynTypedVoidPointerTest1 { struct IntDynTypedVoidPointerTest1 {
void *vptr; // expected-note{{uninitialized pointee 'static_cast<int *>(this->vptr)'}} void *vptr; // expected-note{{uninitialized pointee 'static_cast<int *>(this->vptr)'}}
▲ Show 20 LinesShow All 496 LinesShow Last 20 Lines