This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
RegionStore.cpp
-
test/Analysis/
-
Analysis/
-
nil-receiver.mm

Differential D60988

[analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil.
ClosedPublic

Authored by NoQ on Apr 22 2019, 6:19 PM.

Download Raw Diff

Details

Reviewers

dcoughlin

Commits

rGb591845f4b48: [analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil.
rL359262: [analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil.
rC359262: [analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil.

Summary

This is an Objective-C++ specific fix to a problem that's similar to D59573 and D59622 (i.e., hitting the same assertion i added in D59054).

This time, surprisingly, the assertion is in fact incorrect: there is a cornercase in Objective-C++ in which a C++ object is not constructed with a constructor, but only zero-initialized. Namely, this happens when an Objective-C message is sent to a nil and it is supposed to return a C++ object.

I made sure that the assertion is only relaxed for Objective-C++ but it's hard to relax it in a more specific way with the amount of information that RegionStore receives. The alternative solution was to conjure a LazyCompoundValue specifically for this case instead, but implementing this cornercase in SValBuilder::makeZeroVal() is hard because there's no good region to use as the base of that LazyCompoundVal, and in the checker (this modeling currently belongs to CallAndMessageChecker) it's even uglier and is bad for checker APIs.

Diff Detail

Repository: rC Clang

Event Timeline

NoQ created this revision.Apr 22 2019, 6:19 PM

Herald added a project: Restricted Project. · View Herald TranscriptApr 22 2019, 6:19 PM

Herald added subscribers: cfe-commits, Charusso, dkrupp and 7 others. · View Herald Transcript

Looks good to me. This is a really interesting corner of Objective-C++!

dcoughlin accepted this revision.Apr 23 2019, 9:28 PM

This revision is now accepted and ready to land.Apr 23 2019, 9:28 PM

Closed by commit rC359262: [analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil. (authored by NoQ). · Explain WhyApr 25 2019, 7:05 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

RegionStore.cpp

9 lines

test/

Analysis/

nil-receiver.mm

24 lines

Diff 196780

lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 Lines • Show All 2,355 Lines • ▼ Show 20 Lines	RegionBindingsRef RegionStoreManager::bindStruct(RegionBindingsConstRef B,
const nonloc::CompoundVal& CV = V.castAs<nonloc::CompoundVal>();		const nonloc::CompoundVal& CV = V.castAs<nonloc::CompoundVal>();
nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();		nonloc::CompoundVal::iterator VI = CV.begin(), VE = CV.end();

RegionBindingsRef NewB(B);		RegionBindingsRef NewB(B);

// In C++17 aggregates may have base classes, handle those as well.		// In C++17 aggregates may have base classes, handle those as well.
// They appear before fields in the initializer list / compound value.		// They appear before fields in the initializer list / compound value.
if (const auto *CRD = dyn_cast<CXXRecordDecl>(RD)) {		if (const auto *CRD = dyn_cast<CXXRecordDecl>(RD)) {
assert(CRD->isAggregate() &&		// If the object was constructed with a constructor, its value is a
		// LazyCompoundVal. If it's a raw CompoundVal, it means that we're
		// performing aggregate initialization. The only exception from this
		// rule is sending an Objective-C++ message that returns a C++ object
		// to a nil receiver; in this case the semantics is to return a
		// zero-initialized object even if it's a C++ object that doesn't have
		// this sort of constructor; the CompoundVal is empty in this case.
		assert((CRD->isAggregate() \|\| (Ctx.getLangOpts().ObjC && VI == VE)) &&
"Non-aggregates are constructed with a constructor!");		"Non-aggregates are constructed with a constructor!");

for (const auto &B : CRD->bases()) {		for (const auto &B : CRD->bases()) {
// (Multiple inheritance is fine though.)		// (Multiple inheritance is fine though.)
assert(!B.isVirtual() && "Aggregates cannot have virtual base classes!");		assert(!B.isVirtual() && "Aggregates cannot have virtual base classes!");

if (VI == VE)		if (VI == VE)
break;		break;
▲ Show 20 Lines • Show All 242 Lines • Show Last 20 Lines

test/Analysis/nil-receiver.mm

				// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection \
				// RUN: -verify %s

				#define nil ((id)0)

				void clang_analyzer_eval(int);

				struct S {
				int x;
				S();
				};

				@interface I
				@property S s;
				@end

				void foo() {
				// This produces a zero-initialized structure.
				// FIXME: This very fact does deserve the warning, because zero-initialized
				// structures aren't always valid in C++. It's particularly bad when the
				// object has a vtable.
				S s = ((I *)nil).s;
				clang_analyzer_eval(s.x == 0); // expected-warning{{TRUE}}
				}