This is an archive of the discontinued LLVM Phabricator instance.

Differential D60808

[analyzer] pr41335: NoStoreFuncVisitor: Fix crash when no-store event is in a body-farmed function.
ClosedPublic

Authored by NoQ on Apr 16 2019, 5:48 PM.

Details

Reviewers
dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Charusso
alexfh
Commits
rGe2a8e4316058: [analyzer] PR41335: Fix crash when no-store event is in a body-farmed function.
rL358945: [analyzer] PR41335: Fix crash when no-store event is in a body-farmed function.
rC358945: [analyzer] PR41335: Fix crash when no-store event is in a body-farmed function.
Summary

It is getting increasingly annoying that it's so hard to construct a PathDiagnosticLocation correctly. I think we should eventually make the API more defensive to invalid source locations.

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Apr 16 2019, 5:48 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 16 2019, 5:48 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 5 others. · View Herald Transcript
NoQ updated this revision to Diff 195497.Apr 16 2019, 5:51 PM

Fix comments.

NoQ added a comment.EditedApr 16 2019, 10:17 PM

Hmm, i think i'd love to know why doesn't the uninitialized variable checker fire on the if-statement as farmed by the body farm:

592   // Signature:
593   // _Bool OSAtomicCompareAndSwapPtr(void *__oldValue,
594   //                                 void *__newValue,
595   //                                 void * volatile *__theValue)
596   // Generate body:
597   //   if (oldValue == *theValue) {
598   //    *theValue = newValue;
599   //    return YES;
600   //   }
601   //   else return NO;

(closing brace accidentally omitted in the original comment as well)

alexfh accepted this revision.Apr 17 2019, 2:58 PM
alexfh added a subscriber: alexfh.

LG with a couple of nits.

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
582 ↗(On Diff #195497)

Should this be marked with a FIXME?

clang/test/Analysis/diagnostics/body-farm-crashes.c
1 ↗(On Diff #195497)

Add a space before the backslash.

This revision is now accepted and ready to land.Apr 17 2019, 2:58 PM
NoQ planned changes to this revision.Apr 17 2019, 5:35 PM
In D60808#1469734, @NoQ wrote:

Hmm, i think i'd love to know why doesn't the uninitialized variable checker fire on the if-statement as farmed by the body farm:

Passing arguments to this whole body farm thing doesn't work. It builds the body for the declaration on line 4 but then calls the declaration on line 5, and parameter variables in the synthesized body don't match parameter variables of the call, so it cannot read argument values :/

NoQ updated this revision to Diff 195810.Apr 18 2019, 1:52 PM

Don't canonicalize the decl in the body farm. The decl supplied by the AnalysisDeclContext is already the correct one (and not necessarily the canonical one).

Keep the defensive behavior for NoStoreFuncVisitor because it's generally the right thing to do for future-proofness.

This revision is now accepted and ready to land.Apr 18 2019, 1:52 PM
NoQ added a comment.Apr 18 2019, 1:52 PM

(also fix typo in the function name)

NoQ updated this revision to Diff 195850.Apr 18 2019, 5:59 PM

Separate the canonicalization change that unbreaks body farms into a separate patch.

NoQ updated this revision to Diff 195851.Apr 18 2019, 6:01 PM
NoQ marked an inline comment as done.

Add space before \.

NoQ mentioned this in D60899: [analyzer] Unbreak body farms in presence of multiple declarations..Apr 18 2019, 6:07 PM
NoQ added a child revision: D60899: [analyzer] Unbreak body farms in presence of multiple declarations..
Closed by commit rC358945: [analyzer] PR41335: Fix crash when no-store event is in a body-farmed function. (authored by NoQ). · Explain WhyApr 22 2019, 7:51 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
4 lines
lib/
StaticAnalyzer/
Core/
13 lines
test/
Analysis/
20 lines

Diff 196175

include/clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h

Show First 20 LinesShow All 307 Lines▼ Show 20 Lines if (!isValid())
return nullptr; return nullptr;
return asStmt(); return asStmt();
} }
const Decl *asDecl() const { assert(isValid()); return D; } const Decl *asDecl() const { assert(isValid()); return D; }
bool hasRange() const { return K == StmtK || K == RangeK || K == DeclK; } bool hasRange() const { return K == StmtK || K == RangeK || K == DeclK; }
bool hasValidLocation() const { return asLocation().isValid(); }
void invalidate() { void invalidate() {
*this = PathDiagnosticLocation(); *this = PathDiagnosticLocation();
} }
void flatten(); void flatten();
const SourceManager& getManager() const { assert(isValid()); return *SM; } const SourceManager& getManager() const { assert(isValid()); return *SM; }
▲ Show 20 LinesShow All 139 Lines▼ Show 20 Linesprivate:
PathDiagnosticLocation Pos; PathDiagnosticLocation Pos;
public: public:
PathDiagnosticSpotPiece(const PathDiagnosticLocation &pos, PathDiagnosticSpotPiece(const PathDiagnosticLocation &pos,
StringRef s, StringRef s,
PathDiagnosticPiece::Kind k, PathDiagnosticPiece::Kind k,
bool addPosRange = true) bool addPosRange = true)
: PathDiagnosticPiece(s, k), Pos(pos) { : PathDiagnosticPiece(s, k), Pos(pos) {
assert(Pos.isValid() && Pos.asLocation().isValid() && assert(Pos.isValid() && Pos.hasValidLocation() &&
"PathDiagnosticSpotPiece's must have a valid location."); "PathDiagnosticSpotPiece's must have a valid location.");
if (addPosRange && Pos.hasRange()) addRange(Pos.asRange()); if (addPosRange && Pos.hasRange()) addRange(Pos.asRange());
} }
PathDiagnosticLocation getLocation() const override { return Pos; } PathDiagnosticLocation getLocation() const override { return Pos; }
void flattenLocations() override { Pos.flatten(); } void flattenLocations() override { Pos.flatten(); }
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
▲ Show 20 LinesShow All 426 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 329 Lines▼ Show 20 Lines std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
// Region of interest corresponds to an IVar, exiting a method // Region of interest corresponds to an IVar, exiting a method
// which could have written into that IVar, but did not. // which could have written into that IVar, but did not.
if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) { if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) {
if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) { if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) {
const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion(); const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(SelfRegion) && if (RegionOfInterest->isSubRegionOf(SelfRegion) &&
potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(), potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(),
IvarR->getDecl())) IvarR->getDecl()))
return maybeEmitNode(R, *Call, N, {}, SelfRegion, "self", return maybeEmitNote(R, *Call, N, {}, SelfRegion, "self",
/*FirstIsReferenceType=*/false, 1); /*FirstIsReferenceType=*/false, 1);
} }
} }
if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) { if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) {
const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion(); const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(ThisR) if (RegionOfInterest->isSubRegionOf(ThisR)
&& !CCall->getDecl()->isImplicit()) && !CCall->getDecl()->isImplicit())
return maybeEmitNode(R, *Call, N, {}, ThisR, "this", return maybeEmitNote(R, *Call, N, {}, ThisR, "this",
/*FirstIsReferenceType=*/false, 1); /*FirstIsReferenceType=*/false, 1);
// Do not generate diagnostics for not modified parameters in // Do not generate diagnostics for not modified parameters in
// constructors. // constructors.
return nullptr; return nullptr;
} }
ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call); ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call);
for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) { for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) {
const ParmVarDecl *PVD = parameters[I]; const ParmVarDecl *PVD = parameters[I];
SVal V = Call->getArgSVal(I); SVal V = Call->getArgSVal(I);
bool ParamIsReferenceType = PVD->getType()->isReferenceType(); bool ParamIsReferenceType = PVD->getType()->isReferenceType();
std::string ParamName = PVD->getNameAsString(); std::string ParamName = PVD->getNameAsString();
int IndirectionLevel = 1; int IndirectionLevel = 1;
QualType T = PVD->getType(); QualType T = PVD->getType();
while (const MemRegion *MR = V.getAsRegion()) { while (const MemRegion *MR = V.getAsRegion()) {
if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T)) if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T))
return maybeEmitNode(R, *Call, N, {}, MR, ParamName, return maybeEmitNote(R, *Call, N, {}, MR, ParamName,
ParamIsReferenceType, IndirectionLevel); ParamIsReferenceType, IndirectionLevel);
QualType PT = T->getPointeeType(); QualType PT = T->getPointeeType();
if (PT.isNull() || PT->isVoidType()) break; if (PT.isNull() || PT->isVoidType()) break;
if (const RecordDecl *RD = PT->getAsRecordDecl()) if (const RecordDecl *RD = PT->getAsRecordDecl())
if (auto P = findRegionOfInterestInRecord(RD, State, MR)) if (auto P = findRegionOfInterestInRecord(RD, State, MR))
return maybeEmitNode(R, *Call, N, *P, RegionOfInterest, ParamName, return maybeEmitNote(R, *Call, N, *P, RegionOfInterest, ParamName,
ParamIsReferenceType, IndirectionLevel); ParamIsReferenceType, IndirectionLevel);
V = State->getSVal(MR, PT); V = State->getSVal(MR, PT);
T = PT; T = PT;
IndirectionLevel++; IndirectionLevel++;
} }
} }
▲ Show 20 LinesShow All 161 Lines▼ Show 20 Lines return !Ty->getPointeeType().isNull() &&
Ty->getPointeeType().getCanonicalType().isConstQualified(); Ty->getPointeeType().getCanonicalType().isConstQualified();
} }
/// Consume the information on the no-store stack frame in order to /// Consume the information on the no-store stack frame in order to
/// either emit a note or suppress the report enirely. /// either emit a note or suppress the report enirely.
/// \return Diagnostics piece for region not modified in the current function, /// \return Diagnostics piece for region not modified in the current function,
/// if it decides to emit one. /// if it decides to emit one.
std::shared_ptr<PathDiagnosticPiece> std::shared_ptr<PathDiagnosticPiece>
maybeEmitNode(BugReport &R, const CallEvent &Call, const ExplodedNode *N, maybeEmitNote(BugReport &R, const CallEvent &Call, const ExplodedNode *N,
const RegionVector &FieldChain, const MemRegion *MatchedRegion, const RegionVector &FieldChain, const MemRegion *MatchedRegion,
StringRef FirstElement, bool FirstIsReferenceType, StringRef FirstElement, bool FirstIsReferenceType,
unsigned IndirectionLevel) { unsigned IndirectionLevel) {
// Optimistically suppress uninitialized value bugs that result // Optimistically suppress uninitialized value bugs that result
// from system headers having a chance to initialize the value // from system headers having a chance to initialize the value
// but failing to do so. It's too unlikely a system header's fault. // but failing to do so. It's too unlikely a system header's fault.
// It's much more likely a situation in which the function has a failure // It's much more likely a situation in which the function has a failure
// mode that the user decided not to check. If we want to hunt such // mode that the user decided not to check. If we want to hunt such
Show All 13 Lines if (Call.isInSystemHeader()) {
if (N->getStackFrame()->getCFG()->size() > 3) if (N->getStackFrame()->getCFG()->size() > 3)
R.markInvalid(getTag(), nullptr); R.markInvalid(getTag(), nullptr);
return nullptr; return nullptr;
} }
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::create(N->getLocation(), SM); PathDiagnosticLocation::create(N->getLocation(), SM);
if (!L.hasValidLocation())
return nullptr;
SmallString<256> sbuf; SmallString<256> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
os << "Returning without writing to '"; os << "Returning without writing to '";
// Do not generate the note if failed to pretty-print. // Do not generate the note if failed to pretty-print.
if (!prettyPrintRegionName(FirstElement, FirstIsReferenceType, if (!prettyPrintRegionName(FirstElement, FirstIsReferenceType,
MatchedRegion, FieldChain, IndirectionLevel, os)) MatchedRegion, FieldChain, IndirectionLevel, os))
return nullptr; return nullptr;
▲ Show 20 LinesShow All 1,941 LinesShow Last 20 Lines

test/Analysis/OSAtomic_mac.c

// RUN: %clang_analyze_cc1 -w -analyzer-checker=core,debug.ExprInspection \
// RUN: -analyzer-output=text -verify %s
int OSAtomicCompareAndSwapPtrBarrier(*, *, **);
int OSAtomicCompareAndSwapPtrBarrier() {
// There is some body in the actual header,
// but we should trust our BodyFarm instead.
}
int *invalidSLocOnRedecl() {
int *b; // expected-note{{'b' declared without an initial value}}
OSAtomicCompareAndSwapPtrBarrier(0, 0, &b); // no-crash
// FIXME: We don't really need these notes.
// expected-note@-2{{Calling 'OSAtomicCompareAndSwapPtrBarrier'}}
// expected-note@-3{{Returning from 'OSAtomicCompareAndSwapPtrBarrier'}}
return b; // expected-warning{{Undefined or garbage value returned to caller}}
// expected-note@-1{{Undefined or garbage value returned to caller}}
}