This is an archive of the discontinued LLVM Phabricator instance.

Differential D68591

[analyzer] PR43551: Do not dereferce void* in UndefOrNullArgVisitor
ClosedPublic

Authored by Szelethus on Oct 7 2019, 2:07 PM.

Details

Reviewers
NoQ
xazax.hun
baloghadamsoftware
Charusso
dcoughlin
rnkovacs
Commits
rG4a5df7312ec2: [analyzer] PR43551: Do not dereferce void* in UndefOrNullArgVisitor.
rL375329: [analyzer] PR43551: Do not dereferce void* in UndefOrNullArgVisitor.
rC375329: [analyzer] PR43551: Do not dereferce void* in UndefOrNullArgVisitor.
Summary

Exactly what it says on the tin!

Diff Detail

Event Timeline

Szelethus created this revision.Oct 7 2019, 2:07 PM
Herald added subscribers: cfe-commits, gamesh411, dkrupp and 5 others. · View Herald TranscriptOct 7 2019, 2:07 PM
NoQ accepted this revision.Oct 7 2019, 5:45 PM

Thanks!!

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
2037–2040

Aha, so you're basically propagating this FIXME instead of addressing it. When it was originally added, i vaguely recall that the pointer that we were trying to dereference did not really need to be tracked to begin with. I'm really curious if that's still the case in this example.

clang/test/Analysis/novoidtypecrash.c
1–9

So does the warning get actually emitted, or is it marked as invalid? Maybe it's worth it to add -verify (and maybe even -analyzer-output=text) and assess how good the report actually is.

This revision is now accepted and ready to land.Oct 7 2019, 5:45 PM
NoQ added a comment.Oct 15 2019, 4:24 PM

I think it's worth it to commit the patch as-is, because the crash seems to be fairly popular.

Closed by commit rG4a5df7312ec2: [analyzer] PR43551: Do not dereferce void* in UndefOrNullArgVisitor. (authored by dergachev.a). · Explain WhyOct 18 2019, 6:52 PM
This revision was automatically updated to reflect the committed changes.
NoQ added a comment.Oct 18 2019, 6:54 PM

Decided to commit myself in order to hurry things up^^
Also rC375328.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
8 lines
test/
Analysis/
29 lines

Diff 225733

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 2,028 Lines▼ Show 20 Linesbool bugreporter::trackExpressionValue(const ExplodedNode *InputNode,
// track the constraints on its contents. // track the constraints on its contents.
SVal V = LVState->getSValAsScalarOrLoc(Inner, LVNode->getLocationContext()); SVal V = LVState->getSValAsScalarOrLoc(Inner, LVNode->getLocationContext());
ReturnVisitor::addVisitorIfNecessary( ReturnVisitor::addVisitorIfNecessary(
LVNode, Inner, report, EnableNullFPSuppression, TKind); LVNode, Inner, report, EnableNullFPSuppression, TKind);
// Is it a symbolic value? // Is it a symbolic value?
if (auto L = V.getAs<loc::MemRegionVal>()) { if (auto L = V.getAs<loc::MemRegionVal>()) {
report.addVisitor(std::make_unique<UndefOrNullArgVisitor>(L->getRegion()));
// FIXME: this is a hack for fixing a later crash when attempting to // FIXME: this is a hack for fixing a later crash when attempting to
// dereference a void* pointer. // dereference a void* pointer.
// We should not try to dereference pointers at all when we don't care // We should not try to dereference pointers at all when we don't care
// what is written inside the pointer. // what is written inside the pointer.
NoQUnsubmitted
Not Done
ReplyInline Actions

Aha, so you're basically propagating this FIXME instead of addressing it. When it was originally added, i vaguely recall that the pointer that we were trying to dereference did not really need to be tracked to begin with. I'm really curious if that's still the case in this example.

NoQ: Aha, so you're basically propagating this FIXME instead of addressing it. When it was…
bool CanDereference = true; bool CanDereference = true;
if (const auto *SR = L->getRegionAs<SymbolicRegion>()) { if (const auto *SR = L->getRegionAs<SymbolicRegion>()) {
if (SR->getSymbol()->getType()->getPointeeType()->isVoidType()) if (SR->getSymbol()->getType()->getPointeeType()->isVoidType())
CanDereference = false; CanDereference = false;
} else if (L->getRegionAs<AllocaRegion>()) } else if (L->getRegionAs<AllocaRegion>())
CanDereference = false; CanDereference = false;
// At this point we are dealing with the region's LValue. // At this point we are dealing with the region's LValue.
// However, if the rvalue is a symbolic region, we should track it as well. // However, if the rvalue is a symbolic region, we should track it as well.
// Try to use the correct type when looking up the value. // Try to use the correct type when looking up the value.
SVal RVal; SVal RVal;
if (ExplodedGraph::isInterestingLValueExpr(Inner)) if (ExplodedGraph::isInterestingLValueExpr(Inner))
RVal = LVState->getRawSVal(L.getValue(), Inner->getType()); RVal = LVState->getRawSVal(L.getValue(), Inner->getType());
else if (CanDereference) else if (CanDereference)
RVal = LVState->getSVal(L->getRegion()); RVal = LVState->getSVal(L->getRegion());
if (CanDereference) if (CanDereference) {
report.addVisitor(
std::make_unique<UndefOrNullArgVisitor>(L->getRegion()));
if (auto KV = RVal.getAs<KnownSVal>()) if (auto KV = RVal.getAs<KnownSVal>())
report.addVisitor(std::make_unique<FindLastStoreBRVisitor>( report.addVisitor(std::make_unique<FindLastStoreBRVisitor>(
*KV, L->getRegion(), EnableNullFPSuppression, TKind, SFC)); *KV, L->getRegion(), EnableNullFPSuppression, TKind, SFC));
}
const MemRegion *RegionRVal = RVal.getAsRegion(); const MemRegion *RegionRVal = RVal.getAsRegion();
if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) { if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) {
report.markInteresting(RegionRVal, TKind); report.markInteresting(RegionRVal, TKind);
report.addVisitor(std::make_unique<TrackConstraintBRVisitor>( report.addVisitor(std::make_unique<TrackConstraintBRVisitor>(
loc::MemRegionVal(RegionRVal), /*assumption=*/false)); loc::MemRegionVal(RegionRVal), /*assumption=*/false));
} }
} }
▲ Show 20 LinesShow All 836 LinesShow Last 20 Lines

clang/test/Analysis/novoidtypecrash.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core %s // RUN: %clang_analyze_cc1 -analyzer-checker=core %s
x;
y(void **z) { // no-crash
*z = x;
int *w;
y(&w);
*w;
}
NoQUnsubmitted
Not Done
ReplyInline Actions

So does the warning get actually emitted, or is it marked as invalid? Maybe it's worth it to add -verify (and maybe even -analyzer-output=text) and assess how good the report actually is.

NoQ: So does the warning get actually emitted, or is it marked as invalid? Maybe it's worth it to…
a; a;
b(void **c) { // no-crash b(*c) {}
*c = a; e(*c) {
int *d; void *d = f();
b(&d); b(d);
*d; *c = d;
}
void *g() {
e(&a);
return a;
}
j() {
int h;
char i = g();
if (i)
for (; h;)
;
} }