This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] CastValueChecker: Fix some assertions
AbandonedPublic

Authored by Charusso on Aug 22 2019, 7:27 AM.

Details

Reviewers
NoQ
Summary

-

Diff Detail

Event Timeline

Charusso created this revision.Aug 22 2019, 7:27 AM
Charusso marked an inline comment as done.Aug 22 2019, 7:29 AM

I am not sure how would I fix them, so I just commented them out.

clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
102

May it is more explicit.

NoQ added a comment.Aug 22 2019, 3:59 PM

These assertions are fundamental, so we can't remove them; i believe we messed up modeling at some point. I'll pick this up to address some nasty regressions quickly; i managed to reproduce the crashes and i already have 4 creduces running.

clang/lib/StaticAnalyzer/Core/CallEvent.cpp
743–750

I don't think this does anything:

505 QualType Type::getPointeeType() const {
506   if (const auto *PT = getAs<PointerType>())
507     return PT->getPointeeType();
508   if (const auto *OPT = getAs<ObjCObjectPointerType>())
509     return OPT->getPointeeType();
510   if (const auto *BPT = getAs<BlockPointerType>())
511     return BPT->getPointeeType();
512   if (const auto *RT = getAs<ReferenceType>())
513     return RT->getPointeeType();
514   if (const auto *MPT = getAs<MemberPointerType>())
515     return MPT->getPointeeType();
516   if (const auto *DT = getAs<DecayedType>())
517     return DT->getPointeeType();
518   return {};
519 }

This getter usually works very reliably for both pointers and references.

clang/lib/StaticAnalyzer/Core/DynamicType.cpp
118–122

We shouldn't put null regions into our maps.

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
329–336

This usually fails when we mess up lvalue/rvalue vs. loc/nonloc invariants in our modeling.

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
1079–1080

Ugh, i suspect that we can't pass through the original pointer in our cast modeling; we need to actually model pointer casts, which is annoying but necessary, given that the cast doesn't necessarily yield the same pointer value even in run-time (see multiple inheritance).

Charusso updated this revision to Diff 216737.Aug 22 2019, 4:33 PM
Charusso marked 2 inline comments as done.
  • The null MemRegion is a 0 (Loc), try to avoid to store it.
clang/lib/StaticAnalyzer/Core/CallEvent.cpp
743–750

I have measured each assertion failure one-by-one, so all of the hotfixes are necessary in order to reduce the crash-counter to zero. I have not got time to go in-depth, and have a great talk about them, sorry.

clang/lib/StaticAnalyzer/Core/DynamicType.cpp
118–122

Yes, but that is problematic. I have updated the diff.

NoQ added a comment.Aug 22 2019, 8:25 PM

Pushed my own emergency hotfixes as rC369726, rC369727, rC369728, rC369729; reduced tests included.

Charusso abandoned this revision.Aug 22 2019, 8:50 PM
Charusso marked 4 inline comments as done.

Wow, it is great you could address every of the edge cases. Thanks you so much! I believe only one problem left: we need to return false instead of plain return in order to let the Analyzer model the function call. I could fix it easily, thanks!

Wow, it is great you could address every of the edge cases. Thanks you so much! I believe only one problem left: we need to return false instead of plain return in order to let the Analyzer model the function call. I could fix it easily, thanks!

Well, not really. I have tested out and there is no difference. Thanks for the fixes!