This is an archive of the discontinued LLVM Phabricator instance.

Yes, it crashes! :-) I tried it because I did not believe it, but it does. Is there any real-world use-case for casting concrete integers to class instances? How did you find this crashing case?

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
1055 ↗	(On Diff #212004)	Why do we rename it from `FieldVal` to `FieldLoc`? Are we sure that this is a `Loc`? If so, then we should apply `castAs<Loc>()` and change the type to `Loc` as well. (Or `auto` since `castAs<Loc>()` is enough according to the LLVM coding standards.) If we are not sure, then I think it is better to leave it `FieldVal`.
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
627 ↗	(On Diff #212004)	Could you please add some lines of comments to this code block?

In D65349#1604363, @baloghadamsoftware wrote:

Is there any real-world use-case for casting concrete integers to class instances? How did you find this crashing case?

I think in original code this value was produced by doing pointer arithmetic over a null pointer. Which is kinda weird because we normally mis-model such arithmetic as resulting in a null pointer, so that to treat dereferences of such pointers as null dereferences (and abort the analysis immediately, never reaching the destructor). See also D37478.

Also it seems that this bug has just been independently reported as https://bugs.llvm.org/show_bug.cgi?id=42816.

LG!

This revision is now accepted and ready to land.Jul 29 2019, 8:35 PM

Fxd!

Closed by commit rL369450: [analyzer] Fix a crash when destroying a non-region. (authored by NoQ). · Explain WhyAug 20 2019, 2:40 PM

This revision was automatically updated to reflect the committed changes.

Herald added a project: Restricted Project. · View Herald TranscriptAug 20 2019, 2:40 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

Path

Size

cfe/

trunk/

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

ExprEngine.h

2 lines

lib/

StaticAnalyzer/

Core/

ExprEngine.cpp

23 lines

ExprEngineCXX.cpp

23 lines

test/

Analysis/

dtor.cpp

30 lines

Diff 216256

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 Lines • Show All 524 Lines • ▼ Show 20 Lines	void VisitCXXThisExpr(const CXXThisExpr TE, ExplodedNode Pred,
ExplodedNodeSet & Dst);		ExplodedNodeSet & Dst);

void VisitCXXConstructExpr(const CXXConstructExpr E, ExplodedNode Pred,		void VisitCXXConstructExpr(const CXXConstructExpr E, ExplodedNode Pred,
ExplodedNodeSet &Dst);		ExplodedNodeSet &Dst);

void VisitCXXDestructor(QualType ObjectType, const MemRegion *Dest,		void VisitCXXDestructor(QualType ObjectType, const MemRegion *Dest,
const Stmt *S, bool IsBaseDtor,		const Stmt *S, bool IsBaseDtor,
ExplodedNode *Pred, ExplodedNodeSet &Dst,		ExplodedNode *Pred, ExplodedNodeSet &Dst,
const EvalCallOptions &Options);		EvalCallOptions &Options);

void VisitCXXNewAllocatorCall(const CXXNewExpr *CNE,		void VisitCXXNewAllocatorCall(const CXXNewExpr *CNE,
ExplodedNode *Pred,		ExplodedNode *Pred,
ExplodedNodeSet &Dst);		ExplodedNodeSet &Dst);

void VisitCXXNewExpr(const CXXNewExpr CNE, ExplodedNode Pred,		void VisitCXXNewExpr(const CXXNewExpr CNE, ExplodedNode Pred,
ExplodedNodeSet &Dst);		ExplodedNodeSet &Dst);

▲ Show 20 Lines • Show All 329 Lines • Show Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 Lines • Show All 971 Lines • ▼ Show 20 Lines	void ExprEngine::ProcessAutomaticObjDtor(const CFGAutomaticObjDtor Dtor,

// FIXME: We need to run the same destructor on every element of the array.		// FIXME: We need to run the same destructor on every element of the array.
// This workaround will just run the first destructor (which will still		// This workaround will just run the first destructor (which will still
// invalidate the entire array).		// invalidate the entire array).
EvalCallOptions CallOpts;		EvalCallOptions CallOpts;
Region = makeZeroElementRegion(state, loc::MemRegionVal(Region), varType,		Region = makeZeroElementRegion(state, loc::MemRegionVal(Region), varType,
CallOpts.IsArrayCtorOrDtor).getAsRegion();		CallOpts.IsArrayCtorOrDtor).getAsRegion();

VisitCXXDestructor(varType, Region, Dtor.getTriggerStmt(), /IsBase=/ false,		VisitCXXDestructor(varType, Region, Dtor.getTriggerStmt(),
Pred, Dst, CallOpts);		/IsBase=/false, Pred, Dst, CallOpts);
}		}

void ExprEngine::ProcessDeleteDtor(const CFGDeleteDtor Dtor,		void ExprEngine::ProcessDeleteDtor(const CFGDeleteDtor Dtor,
ExplodedNode *Pred,		ExplodedNode *Pred,
ExplodedNodeSet &Dst) {		ExplodedNodeSet &Dst) {
ProgramStateRef State = Pred->getState();		ProgramStateRef State = Pred->getState();
const LocationContext *LCtx = Pred->getLocationContext();		const LocationContext *LCtx = Pred->getLocationContext();
const CXXDeleteExpr *DE = Dtor.getDeleteExpr();		const CXXDeleteExpr *DE = Dtor.getDeleteExpr();
▲ Show 20 Lines • Show All 41 Lines • ▼ Show 20 Lines	void ExprEngine::ProcessBaseDtor(const CFGBaseDtor D,
SVal ThisVal = Pred->getState()->getSVal(ThisPtr);		SVal ThisVal = Pred->getState()->getSVal(ThisPtr);

// Create the base object region.		// Create the base object region.
const CXXBaseSpecifier *Base = D.getBaseSpecifier();		const CXXBaseSpecifier *Base = D.getBaseSpecifier();
QualType BaseTy = Base->getType();		QualType BaseTy = Base->getType();
SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, BaseTy,		SVal BaseVal = getStoreManager().evalDerivedToBase(ThisVal, BaseTy,
Base->isVirtual());		Base->isVirtual());

VisitCXXDestructor(BaseTy, BaseVal.castAs<loc::MemRegionVal>().getRegion(),		EvalCallOptions CallOpts;
CurDtor->getBody(), /IsBase=/ true, Pred, Dst, {});		VisitCXXDestructor(BaseTy, BaseVal.getAsRegion(), CurDtor->getBody(),
		/IsBase=/true, Pred, Dst, CallOpts);
}		}

void ExprEngine::ProcessMemberDtor(const CFGMemberDtor D,		void ExprEngine::ProcessMemberDtor(const CFGMemberDtor D,
ExplodedNode *Pred, ExplodedNodeSet &Dst) {		ExplodedNode *Pred, ExplodedNodeSet &Dst) {
const FieldDecl *Member = D.getFieldDecl();		const FieldDecl *Member = D.getFieldDecl();
QualType T = Member->getType();		QualType T = Member->getType();
ProgramStateRef State = Pred->getState();		ProgramStateRef State = Pred->getState();
const LocationContext *LCtx = Pred->getLocationContext();		const LocationContext *LCtx = Pred->getLocationContext();

const auto *CurDtor = cast<CXXDestructorDecl>(LCtx->getDecl());		const auto *CurDtor = cast<CXXDestructorDecl>(LCtx->getDecl());
Loc ThisVal = getSValBuilder().getCXXThis(CurDtor,		Loc ThisStorageLoc =
LCtx->getStackFrame());		getSValBuilder().getCXXThis(CurDtor, LCtx->getStackFrame());
SVal FieldVal =		Loc ThisLoc = State->getSVal(ThisStorageLoc).castAs<Loc>();
State->getLValue(Member, State->getSVal(ThisVal).castAs<Loc>());		SVal FieldVal = State->getLValue(Member, ThisLoc);

// FIXME: We need to run the same destructor on every element of the array.		// FIXME: We need to run the same destructor on every element of the array.
// This workaround will just run the first destructor (which will still		// This workaround will just run the first destructor (which will still
// invalidate the entire array).		// invalidate the entire array).
EvalCallOptions CallOpts;		EvalCallOptions CallOpts;
FieldVal = makeZeroElementRegion(State, FieldVal, T,		FieldVal = makeZeroElementRegion(State, FieldVal, T,
CallOpts.IsArrayCtorOrDtor);		CallOpts.IsArrayCtorOrDtor);

VisitCXXDestructor(T, FieldVal.castAs<loc::MemRegionVal>().getRegion(),		VisitCXXDestructor(T, FieldVal.getAsRegion(), CurDtor->getBody(),
CurDtor->getBody(), /IsBase=/false, Pred, Dst, CallOpts);		/IsBase=/false, Pred, Dst, CallOpts);
}		}

void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,		void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
ExplodedNode *Pred,		ExplodedNode *Pred,
ExplodedNodeSet &Dst) {		ExplodedNodeSet &Dst) {
const CXXBindTemporaryExpr *BTE = D.getBindTemporaryExpr();		const CXXBindTemporaryExpr *BTE = D.getBindTemporaryExpr();
ProgramStateRef State = Pred->getState();		ProgramStateRef State = Pred->getState();
const LocationContext *LC = Pred->getLocationContext();		const LocationContext *LC = Pred->getLocationContext();
Show All 31 Lines	void ExprEngine::ProcessTemporaryDtor(const CFGTemporaryDtor D,
// bound to default parameters.		// bound to default parameters.
assert(CleanDtorState.size() <= 1);		assert(CleanDtorState.size() <= 1);
ExplodedNode *CleanPred =		ExplodedNode *CleanPred =
CleanDtorState.empty() ? Pred : *CleanDtorState.begin();		CleanDtorState.empty() ? Pred : *CleanDtorState.begin();

EvalCallOptions CallOpts;		EvalCallOptions CallOpts;
CallOpts.IsTemporaryCtorOrDtor = true;		CallOpts.IsTemporaryCtorOrDtor = true;
if (!MR) {		if (!MR) {
CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;

// If we have no MR, we still need to unwrap the array to avoid destroying		// If we have no MR, we still need to unwrap the array to avoid destroying
// the whole array at once. Regardless, we'd eventually need to model array		// the whole array at once. Regardless, we'd eventually need to model array
// destructors properly, element-by-element.		// destructors properly, element-by-element.
while (const ArrayType *AT = getContext().getAsArrayType(T)) {		while (const ArrayType *AT = getContext().getAsArrayType(T)) {
T = AT->getElementType();		T = AT->getElementType();
CallOpts.IsArrayCtorOrDtor = true;		CallOpts.IsArrayCtorOrDtor = true;
}		}
} else {		} else {
▲ Show 20 Lines • Show All 2,048 Lines • Show Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

	Show First 20 Lines • Show All 598 Lines • ▼ Show 20 Lines
	}			}

	void ExprEngine::VisitCXXDestructor(QualType ObjectType,			void ExprEngine::VisitCXXDestructor(QualType ObjectType,
	const MemRegion *Dest,			const MemRegion *Dest,
	const Stmt *S,			const Stmt *S,
	bool IsBaseDtor,			bool IsBaseDtor,
	ExplodedNode *Pred,			ExplodedNode *Pred,
	ExplodedNodeSet &Dst,			ExplodedNodeSet &Dst,
	const EvalCallOptions &CallOpts) {			EvalCallOptions &CallOpts) {
	assert(S && "A destructor without a trigger!");			assert(S && "A destructor without a trigger!");
	const LocationContext *LCtx = Pred->getLocationContext();			const LocationContext *LCtx = Pred->getLocationContext();
	ProgramStateRef State = Pred->getState();			ProgramStateRef State = Pred->getState();

	const CXXRecordDecl *RecordDecl = ObjectType->getAsCXXRecordDecl();			const CXXRecordDecl *RecordDecl = ObjectType->getAsCXXRecordDecl();
	assert(RecordDecl && "Only CXXRecordDecls should have destructors");			assert(RecordDecl && "Only CXXRecordDecls should have destructors");
	const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor();			const CXXDestructorDecl *DtorDecl = RecordDecl->getDestructor();

	// FIXME: There should always be a Decl, otherwise the destructor call			// FIXME: There should always be a Decl, otherwise the destructor call
	// shouldn't have been added to the CFG in the first place.			// shouldn't have been added to the CFG in the first place.
	if (!DtorDecl) {			if (!DtorDecl) {
	// Skip the invalid destructor. We cannot simply return because			// Skip the invalid destructor. We cannot simply return because
	// it would interrupt the analysis instead.			// it would interrupt the analysis instead.
	static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor");			static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor");
	// FIXME: PostImplicitCall with a null decl may crash elsewhere anyway.			// FIXME: PostImplicitCall with a null decl may crash elsewhere anyway.
	PostImplicitCall PP(/Decl=/nullptr, S->getEndLoc(), LCtx, &T);			PostImplicitCall PP(/Decl=/nullptr, S->getEndLoc(), LCtx, &T);
	NodeBuilder Bldr(Pred, Dst, *currBldrCtx);			NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
	Bldr.generateNode(PP, Pred->getState(), Pred);			Bldr.generateNode(PP, Pred->getState(), Pred);
	return;			return;
	}			}

				if (!Dest) {
				// We're trying to destroy something that is not a region. This may happen
				// for a variety of reasons (unknown target region, concrete integer instead
				// of target region, etc.). The current code makes an attempt to recover.
				// FIXME: We probably don't really need to recover when we're dealing
				// with concrete integers specifically.
				CallOpts.IsCtorOrDtorWithImproperlyModeledTargetRegion = true;
				if (const Expr *E = dyn_cast_or_null<Expr>(S)) {
				Dest = MRMgr.getCXXTempObjectRegion(E, Pred->getLocationContext());
				} else {
				static SimpleProgramPointTag T("ExprEngine", "SkipInvalidDestructor");
				NodeBuilder Bldr(Pred, Dst, *currBldrCtx);
				Bldr.generateSink(Pred->getLocation().withTag(&T),
				Pred->getState(), Pred);
				return;
				}
				}

	CallEventManager &CEMgr = getStateManager().getCallEventManager();			CallEventManager &CEMgr = getStateManager().getCallEventManager();
	CallEventRef<CXXDestructorCall> Call =			CallEventRef<CXXDestructorCall> Call =
	CEMgr.getCXXDestructorCall(DtorDecl, S, Dest, IsBaseDtor, State, LCtx);			CEMgr.getCXXDestructorCall(DtorDecl, S, Dest, IsBaseDtor, State, LCtx);

	PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),			PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
	Call->getSourceRange().getBegin(),			Call->getSourceRange().getBegin(),
	"Error evaluating destructor");			"Error evaluating destructor");

	ExplodedNodeSet DstPreCall;			ExplodedNodeSet DstPreCall;
	getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,			getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,
	Call, this);			Call, this);
	▲ Show 20 Lines • Show All 283 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/dtor.cpp

	Show First 20 Lines • Show All 534 Lines • ▼ Show 20 Lines
	void f() {			void f() {
	NonTrivial nt1;			NonTrivial nt1;
	NonTrivial nt2(nt1);			NonTrivial nt2(nt1);
	nt1 = nt2;			nt1 = nt2;
	clang_analyzer_eval(__is_trivial(NonTrivial)); // expected-warning{{FALSE}}			clang_analyzer_eval(__is_trivial(NonTrivial)); // expected-warning{{FALSE}}
	clang_analyzer_eval(__alignof(NonTrivial) > 0); // expected-warning{{TRUE}}			clang_analyzer_eval(__alignof(NonTrivial) > 0); // expected-warning{{TRUE}}
	}			}
	}			}

				namespace dtor_over_loc_concrete_int {
				struct A {
				~A() {}
				};

				struct B {
				A a;
				~B() {}
				};

				struct C : A {
				~C() {}
				};

				void testB() {
				B b = (B )-1;
				b->~B(); // no-crash
				}

				void testC() {
				C c = (C )-1;
				c->~C(); // no-crash
				}

				void testAutoDtor() {
				const A &a = (A )-1;
				// no-crash
				}
				} // namespace dtor_over_loc_concrete_int

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Be more careful with destructors of non-regions.ClosedPublic

Details

Diff Detail