This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
1
CStringChecker.cpp

Differential D55873

[analyzer] CStringChecker: Fix a crash when an argument of a weird type is encountered.
ClosedPublic

Authored by NoQ on Dec 18 2018, 6:02 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a_sidorin
george.karpenkov
rnkovacs
Szelethus
mikhail.ramalho
baloghadamsoftware

Commits

rGa749d602b542: [analyzer] CStringChecker: Add the forgotten test file.
rGbe2c0c196847: [analyzer] CStringChecker: Fix a crash on C++ overloads of standard functions.
rC349683: [analyzer] CStringChecker: Add the forgotten test file.
rL349683: [analyzer] CStringChecker: Add the forgotten test file.
rL349682: [analyzer] CStringChecker: Fix a crash on C++ overloads of standard functions.
rC349682: [analyzer] CStringChecker: Fix a crash on C++ overloads of standard functions.

Summary

It turns out that it's not all that uncommon to have a C++ override of, say, memcpy that receives a structure (or two) by reference (or by value, if it's being copied from) and copies memory from it (or into it, if it's passed by reference). In this case the argument will be of structure type (recall that expressions of reference type do not exist: instead, C++ classifies expressions into prvalues and lvalues and xvalues).

In this scenario we crash because we are trying to assume that, say, a memory region is equal to an empty CompoundValue (the non-lazy one; this is what makeZeroVal() return for compound types and it represents prvalue of an object that is initialized with an empty initializer list).

Add defensive checks. We should probably extend CallDescription so that it encapsulated these checks and we were always sure that this is the function we're looking for.

Diff Detail

Repository: rC Clang

Event Timeline

NoQ created this revision.Dec 18 2018, 6:02 PM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 2 others. · View Herald TranscriptDec 18 2018, 6:02 PM

LGTM.

test/Analysis/string.cpp
23 ↗	(On Diff #178824)	I'm pretty sure you mean 'overload' instead of 'override' here and elsewhere.

This revision is now accepted and ready to land.Dec 18 2018, 8:18 PM

Cheers!

Indeed :)

NoQ mentioned this in D55875: [analyzer] pr38668: RegionStore: Do not attempt to cast loaded values of non-scalar types..Dec 19 2018, 12:21 PM

NoQ added inline comments.Dec 19 2018, 1:20 PM

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2325–2326	Yes, indeed, this patch does break modeling of `std::copy`, because, well, we did have explicit modeling of `std::copy`.

Fxd.

Closed by commit rC349682: [analyzer] CStringChecker: Fix a crash on C++ overloads of standard functions. (authored by NoQ). · Explain WhyDec 19 2018, 1:54 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

CStringChecker.cpp

90 lines

Diff 178961

lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 Lines • Show All 182 Lines • ▼ Show 20 Lines	ProgramStateRef CheckBufferAccess(CheckerContext &C,
bool WarnAboutSize = false) const;		bool WarnAboutSize = false) const;

ProgramStateRef CheckBufferAccess(CheckerContext &C,		ProgramStateRef CheckBufferAccess(CheckerContext &C,
ProgramStateRef state,		ProgramStateRef state,
const Expr *Size,		const Expr *Size,
const Expr *Buf,		const Expr *Buf,
const char *message = nullptr,		const char *message = nullptr,
bool WarnAboutSize = false) const {		bool WarnAboutSize = false) const {
// This is a convenience override.		// This is a convenience overload.
return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,		return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
WarnAboutSize);		WarnAboutSize);
}		}
ProgramStateRef CheckOverlap(CheckerContext &C,		ProgramStateRef CheckOverlap(CheckerContext &C,
ProgramStateRef state,		ProgramStateRef state,
const Expr *Size,		const Expr *Size,
const Expr *First,		const Expr *First,
const Expr *Second) const;		const Expr *Second) const;
▲ Show 20 Lines • Show All 2,049 Lines • ▼ Show 20 Lines	if (II->getName().equals(Name))
return true;		return true;

return false;		return false;
}		}
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// The driver method, and other Checker callbacks.		// The driver method, and other Checker callbacks.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {		static CStringChecker::FnCheck identifyCall(const CallExpr *CE,
		CheckerContext &C) {
const FunctionDecl *FDecl = C.getCalleeDecl(CE);		const FunctionDecl *FDecl = C.getCalleeDecl(CE);

if (!FDecl)		if (!FDecl)
return false;		return nullptr;

		// Pro-actively check that argument types are safe to do arithmetic upon.
		// We do not want to crash if someone accidentally passes a structure
		// into, say, a C++ overload of any of these functions.
		if (isCPPStdLibraryFunction(FDecl, "copy")) {
		if (CE->getNumArgs() < 3 \|\| !CE->getArg(2)->getType()->isPointerType())
		return nullptr;
		return &CStringChecker::evalStdCopy;
		} else if (isCPPStdLibraryFunction(FDecl, "copy_backward")) {
		if (CE->getNumArgs() < 3 \|\| !CE->getArg(2)->getType()->isPointerType())
		return nullptr;
		return &CStringChecker::evalStdCopyBackward;
		} else {
		// An umbrella check for all C library functions.
		for (auto I: CE->arguments()) {
		QualType T = I->getType();
		if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
		return nullptr;
		}
		}

// FIXME: Poorly-factored string switches are slow.		// FIXME: Poorly-factored string switches are slow.
FnCheck evalFunction = nullptr;
if (C.isCLibraryFunction(FDecl, "memcpy"))		if (C.isCLibraryFunction(FDecl, "memcpy"))
evalFunction = &CStringChecker::evalMemcpy;		return &CStringChecker::evalMemcpy;
else if (C.isCLibraryFunction(FDecl, "mempcpy"))		else if (C.isCLibraryFunction(FDecl, "mempcpy"))
evalFunction = &CStringChecker::evalMempcpy;		return &CStringChecker::evalMempcpy;
else if (C.isCLibraryFunction(FDecl, "memcmp"))		else if (C.isCLibraryFunction(FDecl, "memcmp"))
evalFunction = &CStringChecker::evalMemcmp;		return &CStringChecker::evalMemcmp;
else if (C.isCLibraryFunction(FDecl, "memmove"))		else if (C.isCLibraryFunction(FDecl, "memmove"))
evalFunction = &CStringChecker::evalMemmove;		return &CStringChecker::evalMemmove;
else if (C.isCLibraryFunction(FDecl, "memset") \|\|		else if (C.isCLibraryFunction(FDecl, "memset") \|\|
C.isCLibraryFunction(FDecl, "explicit_memset"))		C.isCLibraryFunction(FDecl, "explicit_memset"))
evalFunction = &CStringChecker::evalMemset;		return &CStringChecker::evalMemset;
else if (C.isCLibraryFunction(FDecl, "strcpy"))		else if (C.isCLibraryFunction(FDecl, "strcpy"))
evalFunction = &CStringChecker::evalStrcpy;		return &CStringChecker::evalStrcpy;
else if (C.isCLibraryFunction(FDecl, "strncpy"))		else if (C.isCLibraryFunction(FDecl, "strncpy"))
evalFunction = &CStringChecker::evalStrncpy;		return &CStringChecker::evalStrncpy;
else if (C.isCLibraryFunction(FDecl, "stpcpy"))		else if (C.isCLibraryFunction(FDecl, "stpcpy"))
evalFunction = &CStringChecker::evalStpcpy;		return &CStringChecker::evalStpcpy;
else if (C.isCLibraryFunction(FDecl, "strlcpy"))		else if (C.isCLibraryFunction(FDecl, "strlcpy"))
evalFunction = &CStringChecker::evalStrlcpy;		return &CStringChecker::evalStrlcpy;
else if (C.isCLibraryFunction(FDecl, "strcat"))		else if (C.isCLibraryFunction(FDecl, "strcat"))
evalFunction = &CStringChecker::evalStrcat;		return &CStringChecker::evalStrcat;
else if (C.isCLibraryFunction(FDecl, "strncat"))		else if (C.isCLibraryFunction(FDecl, "strncat"))
evalFunction = &CStringChecker::evalStrncat;		return &CStringChecker::evalStrncat;
else if (C.isCLibraryFunction(FDecl, "strlcat"))		else if (C.isCLibraryFunction(FDecl, "strlcat"))
evalFunction = &CStringChecker::evalStrlcat;		return &CStringChecker::evalStrlcat;
else if (C.isCLibraryFunction(FDecl, "strlen"))		else if (C.isCLibraryFunction(FDecl, "strlen"))
evalFunction = &CStringChecker::evalstrLength;		return &CStringChecker::evalstrLength;
else if (C.isCLibraryFunction(FDecl, "strnlen"))		else if (C.isCLibraryFunction(FDecl, "strnlen"))
evalFunction = &CStringChecker::evalstrnLength;		return &CStringChecker::evalstrnLength;
else if (C.isCLibraryFunction(FDecl, "strcmp"))		else if (C.isCLibraryFunction(FDecl, "strcmp"))
evalFunction = &CStringChecker::evalStrcmp;		return &CStringChecker::evalStrcmp;
else if (C.isCLibraryFunction(FDecl, "strncmp"))		else if (C.isCLibraryFunction(FDecl, "strncmp"))
evalFunction = &CStringChecker::evalStrncmp;		return &CStringChecker::evalStrncmp;
else if (C.isCLibraryFunction(FDecl, "strcasecmp"))		else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
evalFunction = &CStringChecker::evalStrcasecmp;		return &CStringChecker::evalStrcasecmp;
else if (C.isCLibraryFunction(FDecl, "strncasecmp"))		else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
evalFunction = &CStringChecker::evalStrncasecmp;		return &CStringChecker::evalStrncasecmp;
else if (C.isCLibraryFunction(FDecl, "strsep"))		else if (C.isCLibraryFunction(FDecl, "strsep"))
evalFunction = &CStringChecker::evalStrsep;		return &CStringChecker::evalStrsep;
else if (C.isCLibraryFunction(FDecl, "bcopy"))		else if (C.isCLibraryFunction(FDecl, "bcopy"))
evalFunction = &CStringChecker::evalBcopy;		return &CStringChecker::evalBcopy;
else if (C.isCLibraryFunction(FDecl, "bcmp"))		else if (C.isCLibraryFunction(FDecl, "bcmp"))
evalFunction = &CStringChecker::evalMemcmp;		return &CStringChecker::evalMemcmp;
		NoQAuthorUnsubmitted Not Done Reply Inline Actions Yes, indeed, this patch does break modeling of `std::copy`, because, well, we did have explicit modeling of `std::copy`. NoQ: Yes, indeed, this patch does [[ https://reviews.llvm.org/D55875#1336686 \| break ]] modeling of…
else if (isCPPStdLibraryFunction(FDecl, "copy"))
evalFunction = &CStringChecker::evalStdCopy;
else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
evalFunction = &CStringChecker::evalStdCopyBackward;
else if (C.isCLibraryFunction(FDecl, "bzero") \|\|		else if (C.isCLibraryFunction(FDecl, "bzero") \|\|
C.isCLibraryFunction(FDecl, "explicit_bzero"))		C.isCLibraryFunction(FDecl, "explicit_bzero"))
evalFunction = &CStringChecker::evalBzero;		return &CStringChecker::evalBzero;

		return nullptr;
		}

		bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {

		FnCheck evalFunction = identifyCall(CE, C);

// If the callee isn't a string function, let another checker handle it.		// If the callee isn't a string function, let another checker handle it.
if (!evalFunction)		if (!evalFunction)
return false;		return false;

// Check and evaluate the call.		// Check and evaluate the call.
(this->*evalFunction)(C, CE);		(this->*evalFunction)(C, CE);

▲ Show 20 Lines • Show All 149 Lines • Show Last 20 Lines