
[analyzer] CStringChecker: Fix a crash when an argument of a weird type is encountered.
ClosedPublic

Authored by NoQ on Dec 18 2018, 6:02 PM.

Details

Summary

It turns out that it's not all that uncommon to have a C++ override of, say, memcpy that receives a structure (or two) by reference (or by value, if it's being copied from) and copies memory from it (or into it, if it's passed by reference). In this case the argument will be of structure type (recall that expressions of reference type do not exist: instead, C++ classifies expressions into prvalues and lvalues and xvalues).

In this scenario we crash because we are trying to assume that, say, a memory region is equal to an empty CompoundValue (the non-lazy one; this is what makeZeroVal() returns for compound types, and it represents the prvalue of an object that is initialized with an empty initializer list).

Add defensive checks. We should probably extend CallDescription so that it encapsulates these checks and we are always sure that this is the function we're looking for.
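The call shape the summary describes, as an added example that is not part of this patch or of Clang: a user-defined C++ overload named memcpy whose parameters are class-typed, so that CStringChecker (which matches the callee by name and argument count) sees arguments of structure type instead of pointers. The struct Blob and the helpers copy_prefix and demo_sum are invented for this illustration; the sample bytes are constructed.

```cpp
// Added example, not from the patch: a C++ overload named memcpy whose
// parameters are of structure type. CStringChecker matches memcpy by name
// and argument count, so a call to this overload reaches the checker with
// structure-typed arguments, which is the case the patch guards against.
// Blob, copy_prefix and demo_sum are invented names for this example.
#include <cstddef>
#include <cstring>

struct Blob {
  unsigned char bytes[8];
};

// Destination by reference, source by value: both parameters have
// structure type, and the source argument is copied into a prvalue.
void memcpy(Blob &dst, Blob src, std::size_t n) {
  if (n > sizeof dst.bytes)
    n = sizeof dst.bytes;            // clamp so the overload itself is safe
  std::memcpy(dst.bytes, src.bytes, n);
}

// Copies the first n bytes of src into dst through the overload above
// (Blob does not convert to void*, so the C memcpy is not viable) and
// returns the byte sum of dst so the result can be checked without I/O.
unsigned copy_prefix(Blob &dst, const Blob &src, std::size_t n) {
  memcpy(dst, src, n);
  unsigned sum = 0;
  for (unsigned char b : dst.bytes)
    sum += b;
  return sum;
}

// Constructed sample input: copies n bytes of {1..8} into a zeroed Blob.
unsigned demo_sum(std::size_t n) {
  Blob src = {{1, 2, 3, 4, 5, 6, 7, 8}};
  Blob dst = {};
  return copy_prefix(dst, src, n);
}

int main() {
  // Copying 4 bytes yields 1+2+3+4 = 10; an oversized n is clamped to 8.
  return (demo_sum(4) == 10 && demo_sum(100) == 36) ? 0 : 1;
}
```

Running the static analyzer over a translation unit like this one is what exercised the crash: the checker's name-based match accepted the overload, and the arguments it then tried to reason about were Blob prvalues and lvalues rather than pointer values.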

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Dec 18 2018, 6:02 PM
dcoughlin accepted this revision.Dec 18 2018, 8:18 PM

LGTM.

test/Analysis/string.cpp
23 (On Diff #178824)

I'm pretty sure you mean 'overload' instead of 'override' here and elsewhere.

This revision is now accepted and ready to land.Dec 18 2018, 8:18 PM
Szelethus accepted this revision.Dec 19 2018, 7:08 AM

Cheers!

NoQ updated this revision to Diff 178938.Dec 19 2018, 12:03 PM
NoQ marked an inline comment as done.

Indeed :)

NoQ added inline comments.Dec 19 2018, 1:20 PM
lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2325–2326

Yes, indeed, this patch does break modeling of std::copy, because, well, we *did* have explicit modeling of std::copy.

This revision was automatically updated to reflect the committed changes.