This is an archive of the discontinued LLVM Phabricator instance.

Differential D59901

[analyzer] PR41239: Fix a crash on invalid source location in NoStoreFuncVisitor.
ClosedPublic

Authored by NoQ on Mar 27 2019, 1:40 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Charusso
alexfh
Commits
rG388e19ff1f10: [analyzer] PR41239: Fix a crash on invalid source location in…
rC357329: [analyzer] PR41239: Fix a crash on invalid source location in…
rL357329: [analyzer] PR41239: Fix a crash on invalid source location in…
Summary

It turns out that SourceManager::isInSystemHeader() crashes when an invalid source location is passed into it. Invalid source locations are relatively common: not only they come from body farms, but also, say, any function in C that didn't come with a forward declaration would have an implicit forward declaration with invalid source locations.

Not sure if this deserves to be fixed in SourceManager, but there's anyway a more comfy API for us to use in the Static Analyzer: CallEvent::isInSystemHeader(), so i just used that.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Mar 27 2019, 1:40 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 27 2019, 1:40 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 4 others. · View Herald Transcript
Charusso accepted this revision.Mar 27 2019, 1:52 PM

Nice solution.

This revision is now accepted and ready to land.Mar 27 2019, 1:52 PM
Szelethus accepted this revision.Mar 28 2019, 2:45 AM

An assert would be real nice in SourceManager, we should definitely add that, since some callbacks don't even receive a CallEvent object. My checker runs on checkPostCall, and also checks where fields lie in a system header.

alexfh added a comment.Mar 28 2019, 8:27 AM

I've posted another test case to https://bugs.llvm.org/show_bug.cgi?id=41239. It may already be covered by the fix. Could you check?

NoQ added a comment.Mar 29 2019, 3:53 PM

This other example seems to work and looks relatively similar, just with a different checker causing the visitor to be attached.

Closed by commit rL357329: [analyzer] PR41239: Fix a crash on invalid source location in… (authored by NoQ). · Explain WhyMar 29 2019, 3:56 PM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptMar 29 2019, 3:56 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
NoQ mentioned this in D60107: [analyzer] NoStoreFuncVisitor: Suppress bug reports with no-store in system headers..Apr 1 2019, 5:35 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
2 lines
test/
Analysis/
diagnostics/
12 lines

Diff 192935

cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 316 Lines▼ Show 20 Lines std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
// No diagnostic if region was modified inside the frame. // No diagnostic if region was modified inside the frame.
if (!CallExitLoc || isRegionOfInterestModifiedInFrame(N)) if (!CallExitLoc || isRegionOfInterestModifiedInFrame(N))
return nullptr; return nullptr;
CallEventRef<> Call = CallEventRef<> Call =
BR.getStateManager().getCallEventManager().getCaller(SCtx, State); BR.getStateManager().getCallEventManager().getCaller(SCtx, State);
if (SM.isInSystemHeader(Call->getDecl()->getSourceRange().getBegin())) if (Call->isInSystemHeader())
return nullptr; return nullptr;
// Region of interest corresponds to an IVar, exiting a method // Region of interest corresponds to an IVar, exiting a method
// which could have written into that IVar, but did not. // which could have written into that IVar, but did not.
if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) { if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) {
if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) { if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) {
const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion(); const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(SelfRegion) && if (RegionOfInterest->isSubRegionOf(SelfRegion) &&
▲ Show 20 LinesShow All 2,170 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/diagnostics/no-store-func-path-notes.c

// RUN: %clang_analyze_cc1 -x c -analyzer-checker=core -analyzer-output=text -verify %s // RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core -analyzer-output=text\
// RUN: -verify %s
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
void *memset(void *__s, int __c, size_t __n); void *memset(void *__s, int __c, size_t __n);
int initializer1(int *p, int x) { int initializer1(int *p, int x) {
if (x) { // expected-note{{Taking false branch}} if (x) { // expected-note{{Taking false branch}}
*p = 1; *p = 1;
return 0; return 0;
▲ Show 20 LinesShow All 229 Lines▼ Show 20 Linesint useInitializeMaybeInStruct() {
int z; // expected-note{{'z' declared without an initial value}} int z; // expected-note{{'z' declared without an initial value}}
D d; D d;
d.x = &z; d.x = &z;
initializeMaybeInStruct(&d); // expected-note{{Calling 'initializeMaybeInStruct'}} initializeMaybeInStruct(&d); // expected-note{{Calling 'initializeMaybeInStruct'}}
// expected-note@-1{{Returning from 'initializeMaybeInStruct'}} // expected-note@-1{{Returning from 'initializeMaybeInStruct'}}
return z; // expected-warning{{Undefined or garbage value returned to caller}} return z; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}} // expected-note@-1{{Undefined or garbage value returned to caller}}
} }
void test_implicit_function_decl(int *x) {
if (x) {} // expected-note{{Assuming 'x' is null}}
// expected-note@-1{{Taking false branch}}
implicit_function(x);
*x = 4; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}}
// expected-note@-1{{Dereference of null pointer (loaded from variable 'x')}}
}
int implicit_function(int *y) {}