This is an archive of the discontinued LLVM Phabricator instance.

Differential D52435

[analyzer] Prevent crashes in FindLastStoreBRVisitor
ClosedPublic

Authored by george.karpenkov on Sep 24 2018, 2:05 PM.

Details

Reviewers
dcoughlin
NoQ
Commits
rG2a6deeb92887: [analyzer] Prevent crashes in FindLastStoreBRVisitor
rC342920: [analyzer] Prevent crashes in FindLastStoreBRVisitor
rL342920: [analyzer] Prevent crashes in FindLastStoreBRVisitor
Summary

This patch is a band-aid. A proper solution would be too change trackNullOrUndefValue to only try to dereference the pointer when it is relevant to the problem.

Diff Detail

Repository
rL LLVM

Event Timeline

george.karpenkov created this revision.Sep 24 2018, 2:05 PM
Herald added subscribers: Szelethus, mikhail.ramalho, a.sidorin and 3 others. · View Herald TranscriptSep 24 2018, 2:05 PM
NoQ accepted this revision.Sep 24 2018, 2:14 PM
NoQ added inline comments.
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1742 ↗(On Diff #166749)

I almost want to make Optional<Loc> non-convertible to bool, because it's almost always a bad idea to make decisions based on Loc-ness of SVal, as a lot of code assumes that Loc means lvalue, which is completely incorrect.

This revision is now accepted and ready to land.Sep 24 2018, 2:14 PM
Szelethus added inline comments.Sep 24 2018, 2:17 PM
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1758 ↗(On Diff #166749)

I think ShouldFindLastStore would be more descriptive.

1760 ↗(On Diff #166749)

Does this also work for void **?

clang/test/Analysis/diagnostics/find_last_store.c
1 ↗(On Diff #166749)

Space after //

george.karpenkov marked 2 inline comments as done.Sep 24 2018, 2:19 PM
george.karpenkov added inline comments.
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1760 ↗(On Diff #166749)

The problem is FindLastStoreBRVisitor will later crash without this branch when attempting to dereference the region.
This problem will not occur with void** because it's OK to dereference that.

Closed by commit rL342920: [analyzer] Prevent crashes in FindLastStoreBRVisitor (authored by george.karpenkov). · Explain WhySep 24 2018, 2:23 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptSep 24 2018, 2:23 PM
Szelethus added inline comments.Sep 24 2018, 2:25 PM
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
1760 ↗(On Diff #166749)

Oh right, thanks!

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
2 lines
lib/
StaticAnalyzer/
Core/
17 lines
test/
Analysis/
diagnostics/
17 lines

Diff 166754

cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show First 20 LinesShow All 77 Lines▼ Show 20 Linespublic:
virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0; virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0;
/// Generates the default final diagnostic piece. /// Generates the default final diagnostic piece.
static std::shared_ptr<PathDiagnosticPiece> static std::shared_ptr<PathDiagnosticPiece>
getDefaultEndPath(BugReporterContext &BRC, const ExplodedNode *N, getDefaultEndPath(BugReporterContext &BRC, const ExplodedNode *N,
BugReport &BR); BugReport &BR);
}; };
/// Finds last store into the given region,
/// which is different from a given symbolic value.
class FindLastStoreBRVisitor final : public BugReporterVisitor { class FindLastStoreBRVisitor final : public BugReporterVisitor {
const MemRegion *R; const MemRegion *R;
SVal V; SVal V;
bool Satisfied = false; bool Satisfied = false;
/// If the visitor is tracking the value directly responsible for the /// If the visitor is tracking the value directly responsible for the
/// bug, we are going to employ false positive suppression. /// bug, we are going to employ false positive suppression.
bool EnableNullFPSuppression; bool EnableNullFPSuppression;
▲ Show 20 LinesShow All 295 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 1,288 Lines▼ Show 20 Lines if (DS) {
"Captured by block as "; "Captured by block as ";
if (VR) { if (VR) {
// See if we can get the BlockVarRegion. // See if we can get the BlockVarRegion.
ProgramStateRef State = StoreSite->getState(); ProgramStateRef State = StoreSite->getState();
SVal V = StoreSite->getSVal(S); SVal V = StoreSite->getSVal(S);
if (const auto *BDR = if (const auto *BDR =
dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) { dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) {
if (const VarRegion *OriginalR = BDR->getOriginalRegion(VR)) { if (const VarRegion *OriginalR = BDR->getOriginalRegion(VR)) {
if (Optional<KnownSVal> KV = if (auto KV = State->getSVal(OriginalR).getAs<KnownSVal>())
State->getSVal(OriginalR).getAs<KnownSVal>())
BR.addVisitor(llvm::make_unique<FindLastStoreBRVisitor>( BR.addVisitor(llvm::make_unique<FindLastStoreBRVisitor>(
*KV, OriginalR, EnableNullFPSuppression)); *KV, OriginalR, EnableNullFPSuppression));
} }
} }
} }
} }
if (action) if (action)
showBRDiagnostics(action, os, R, V, DS); showBRDiagnostics(action, os, R, V, DS);
▲ Show 20 LinesShow All 440 Lines▼ Show 20 Lines if (auto L = V.getAs<loc::MemRegionVal>()) {
// However, if the rvalue is a symbolic region, we should track it as well. // However, if the rvalue is a symbolic region, we should track it as well.
// Try to use the correct type when looking up the value. // Try to use the correct type when looking up the value.
SVal RVal; SVal RVal;
if (const auto *E = dyn_cast<Expr>(S)) if (const auto *E = dyn_cast<Expr>(S))
RVal = state->getRawSVal(L.getValue(), E->getType()); RVal = state->getRawSVal(L.getValue(), E->getType());
else else
RVal = state->getSVal(L->getRegion()); RVal = state->getSVal(L->getRegion());
// FIXME: this is a hack for fixing a later crash when attempting to
// dereference a void* pointer.
// We should not try to dereference pointers at all when we don't care
// what is written inside the pointer.
bool ShouldFindLastStore = true;
if (const auto *SR = dyn_cast<SymbolicRegion>(L->getRegion()))
if (SR->getSymbol()->getType()->getPointeeType()->isVoidType())
ShouldFindLastStore = false;
if (ShouldFindLastStore)
if (auto KV = RVal.getAs<KnownSVal>()) if (auto KV = RVal.getAs<KnownSVal>())
report.addVisitor(llvm::make_unique<FindLastStoreBRVisitor>( report.addVisitor(llvm::make_unique<FindLastStoreBRVisitor>(
*KV, L->getRegion(), EnableNullFPSuppression)); *KV, L->getRegion(), EnableNullFPSuppression));
const MemRegion *RegionRVal = RVal.getAsRegion(); const MemRegion *RegionRVal = RVal.getAsRegion();
if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) { if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) {
report.markInteresting(RegionRVal); report.markInteresting(RegionRVal);
report.addVisitor(llvm::make_unique<TrackConstraintBRVisitor>( report.addVisitor(llvm::make_unique<TrackConstraintBRVisitor>(
loc::MemRegionVal(RegionRVal), false)); loc::MemRegionVal(RegionRVal), false));
} }
▲ Show 20 LinesShow All 794 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/diagnostics/find_last_store.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core -analyzer-output=text -verify %s
typedef struct { float b; } c;
void *a();
void *d() {
return a(); // expected-note{{Returning pointer}}
}
void no_find_last_store() {
c *e = d(); // expected-note{{Calling 'd'}}
// expected-note@-1{{Returning from 'd'}}
// expected-note@-2{{'e' initialized here}}
(void)(e || e->b); // expected-note{{Assuming 'e' is null}}
// expected-note@-1{{Left side of '||' is false}}
// expected-note@-2{{Access to field 'b' results in a dereference of a null pointer (loaded from variable 'e')}}
// expected-warning@-3{{Access to field 'b' results in a dereference of a null pointer (loaded from variable 'e')}}
}