This is an archive of the discontinued LLVM Phabricator instance.

Differential D69599

[analyzer] DynamicSize: Remove 'getSizeInElements()' from store
ClosedPublic

Authored by Charusso on Oct 29 2019, 6:35 PM.

Details

Reviewers
NoQ
Commits
rGaf3d0d16286a: [analyzer] DynamicSize: Remove 'getSizeInElements()' from store
Summary

This patch uses the new DynamicSize.cpp to serve dynamic information.
Previously it was static and probably imprecise data.

Diff Detail

Event Timeline

Charusso created this revision.Oct 29 2019, 6:35 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptOct 29 2019, 6:35 PM
Charusso added a comment.Oct 29 2019, 6:42 PM

The [1] patch which introduced such static element-count data has only one test case in outofbound.c:

void f2() {
  int *p = malloc(12);
  p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}}
}

which probably wanted to be (int *)malloc(12), but in both ways the warning occurs, which is problematic. This is the first step to mitigate that issue.
[1] https://github.com/llvm/llvm-project/commit/228b0d4defb85b2e7acbb642b9f0b5dfc49d3fe7

Charusso added a parent revision: D69540: [analyzer] DynamicSize: Remove 'getExtent()' from regions.Oct 29 2019, 6:43 PM
Charusso added a child revision: D69642: [analyzer] DynamicSize: Simplify the assumption creating of sizes.Oct 30 2019, 2:19 PM
Charusso added a child revision: D69726: [analyzer] DynamicSize: Store the dynamic size.Nov 1 2019, 11:57 AM
Charusso removed a child revision: D69642: [analyzer] DynamicSize: Simplify the assumption creating of sizes.
NoQ added a comment.Nov 1 2019, 1:00 PM

This is the first step to mitigate that issue.

What's the issue?

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
38–40

Even if the size is not concrete, you can ask SValBuilder to perform the division. It's going to be a symbolic expression which we won't be able to work with anyway, but these days we believe that it's still worth it, in hope that our constraint solver eventually gets better.

Charusso updated this revision to Diff 227524.Nov 1 2019, 1:32 PM
Charusso marked 2 inline comments as done.
  • Fix.
Charusso added a comment.Nov 1 2019, 1:32 PM
In D69599#1730707, @NoQ wrote:

This is the first step to mitigate that issue.

What's the issue?

Well, after I mentioned an issue I have realized the somewhat path-insensitive getSizeInElements() does not touch the (void *) return value. Basically the expression int *foo = malloc() could not compile, and I had felt that the assumptions about the overflow are wrong. Now I see that none of the overflow tests would compile, so I think we just bypass a cast here-and-there. Therefore there is no issue, just I was surprised.

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
38–40

Good idea, thanks!

NoQ added inline comments.Nov 1 2019, 1:42 PM
clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
40–48

And then remove the manual division.

Charusso added inline comments.Nov 1 2019, 2:01 PM
clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
40–48

Hmpf.

Failing Tests (7):
    Clang :: Analysis/misc-ps-region-store.m
    Clang :: Analysis/mpichecker.cpp
    Clang :: Analysis/outofbound.c
    Clang :: Analysis/rdar-6541136-region.c
    Clang :: Analysis/return-ptr-range.cpp
    Clang :: Analysis/track-control-dependency-conditions.cpp
    Clang :: Analysis/uninit-vals.c

I would pick that solution because it may be a tiny-bit faster, and then later on investigate this issue when we model more about dynamic sizes.

NoQ added inline comments.Nov 1 2019, 2:31 PM
clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
40–48

Soooooo what does it tell us about the correctness of the new evalBinOp-based solution?

Charusso updated this revision to Diff 227543.Nov 1 2019, 2:57 PM
Charusso marked 4 inline comments as done.
  • Old division swapped by evalBinOp.
Charusso added a comment.Nov 1 2019, 2:57 PM

Thanks, now it is cool!

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
40–48

So, when I tried to inject an APSInt it converted to 0 so division by zero made that. I felt that the implicit conversion is wonky, but dividing by 0, ugh.

NoQ accepted this revision.Nov 1 2019, 3:07 PM
NoQ added inline comments.
clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
40–48

Yay, great job figuring this out!

Also the conversion wasn't implicit; you explicitly specified llvm::APSInt(...). I agree that this constructor is evil, though.

44–47

I'd rather do a castAs here. Allocating a region of garbage size should be an immediate warning; supplying a zero-size ElementTy should be an immediate crash; in all other cases the result of division must be defined.

This revision is now accepted and ready to land.Nov 1 2019, 3:07 PM
Charusso updated this revision to Diff 227546.Nov 1 2019, 3:33 PM
Charusso marked 3 inline comments as done.
  • Done.
Charusso added a comment.Nov 1 2019, 3:33 PM

Thanks for the review!

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp
40–48

getQuantity() retuns a QuantityType, but now I see: typedef int64_t QuantityType, so I was fooled.

Closed by commit rGaf3d0d16286a: [analyzer] DynamicSize: Remove 'getSizeInElements()' from store (authored by Charusso). · Explain WhyJan 30 2020, 7:55 AM
This revision was automatically updated to reflect the committed changes.
ASDenysPetrov added a subscriber: ASDenysPetrov.Jun 12 2020, 6:13 AM

@Charusso
I think this patch may fix this bug https://bugs.llvm.org/show_bug.cgi?id=25284
Could you please verify and close it if so?
At least I couldn't reproduce it on the latest build.

Herald added subscribers: martong, steakhal. · View Herald TranscriptJun 12 2020, 6:13 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
6 lines
8 lines
lib/
StaticAnalyzer/
Checkers/
10 lines
MPI-Checker/
8 lines
12 lines
9 lines
Core/
18 lines
40 lines

Diff 241460

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h

Show All 20 Lines
namespace clang { namespace clang {
namespace ento { namespace ento {
/// Get the stored dynamic size for the region \p MR. /// Get the stored dynamic size for the region \p MR.
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
SValBuilder &SVB); SValBuilder &SVB);
/// Get the stored element count of the region \p MR.
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
const MemRegion *MR,
SValBuilder &SVB,
QualType ElementTy);
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H #endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h

Show First 20 LinesShow All 142 Lines▼ Show 20 Linespublic:
virtual SVal getLValueIvar(const ObjCIvarDecl *decl, SVal base); virtual SVal getLValueIvar(const ObjCIvarDecl *decl, SVal base);
virtual SVal getLValueField(const FieldDecl *D, SVal Base) { virtual SVal getLValueField(const FieldDecl *D, SVal Base) {
return getLValueFieldOrIvar(D, Base); return getLValueFieldOrIvar(D, Base);
} }
virtual SVal getLValueElement(QualType elementType, NonLoc offset, SVal Base); virtual SVal getLValueElement(QualType elementType, NonLoc offset, SVal Base);
// FIXME: This should soon be eliminated altogether; clients should deal with
// region extents directly.
virtual DefinedOrUnknownSVal getSizeInElements(ProgramStateRef state,
const MemRegion *region,
QualType EleTy) {
return UnknownVal();
}
/// ArrayToPointer - Used by ExprEngine::VistCast to handle implicit /// ArrayToPointer - Used by ExprEngine::VistCast to handle implicit
/// conversions between arrays and pointers. /// conversions between arrays and pointers.
virtual SVal ArrayToPointer(Loc Array, QualType ElementTy) = 0; virtual SVal ArrayToPointer(Loc Array, QualType ElementTy) = 0;
/// Evaluates a chain of derived-to-base casts through the path specified in /// Evaluates a chain of derived-to-base casts through the path specified in
/// \p Cast. /// \p Cast.
SVal evalDerivedToBase(SVal Derived, const CastExpr *Cast); SVal evalDerivedToBase(SVal Derived, const CastExpr *Cast);
▲ Show 20 LinesShow All 173 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ArrayBoundChecker.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class ArrayBoundChecker : class ArrayBoundChecker :
public Checker<check::Location> { public Checker<check::Location> {
Show All 22 Linesvoid ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
// Zero index is always in bound, this also passes ElementRegions created for // Zero index is always in bound, this also passes ElementRegions created for
// pointer casts. // pointer casts.
if (Idx.isZeroConstant()) if (Idx.isZeroConstant())
return; return;
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
// Get the size of the array. // Get the size of the array.
DefinedOrUnknownSVal NumElements DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
= C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(), state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
ER->getValueType());
ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true); ProgramStateRef StInBound = state->assumeInBound(Idx, ElementCount, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, ElementCount, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateErrorNode(StOutBound); ExplodedNode *N = C.generateErrorNode(StOutBound);
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
this, "Out-of-bound array access", this, "Out-of-bound array access",
Show All 27 Lines

clang/lib/StaticAnalyzer/Checkers/MPI-Checker/MPIChecker.cpp

Show All 10 Lines
/// point. It is created once for each translation unit analysed. /// point. It is created once for each translation unit analysed.
/// The checker defines path-sensitive checks, to verify correct usage of the /// The checker defines path-sensitive checks, to verify correct usage of the
/// MPI API. /// MPI API.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "MPIChecker.h" #include "MPIChecker.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
namespace clang { namespace clang {
namespace ento { namespace ento {
namespace mpi { namespace mpi {
void MPIChecker::checkDoubleNonblocking(const CallEvent &PreCallEvent, void MPIChecker::checkDoubleNonblocking(const CallEvent &PreCallEvent,
CheckerContext &Ctx) const { CheckerContext &Ctx) const {
if (!FuncClassifier->isNonBlockingType(PreCallEvent.getCalleeIdentifier())) { if (!FuncClassifier->isNonBlockingType(PreCallEvent.getCalleeIdentifier())) {
▲ Show 20 LinesShow All 128 Lines▼ Show 20 Lines if (FuncClassifier->isMPI_Waitall(CE.getCalleeIdentifier())) {
} }
// A single request is passed to MPI_Waitall. // A single request is passed to MPI_Waitall.
if (!SuperRegion) { if (!SuperRegion) {
ReqRegions.push_back(MR); ReqRegions.push_back(MR);
return; return;
} }
const auto &Size = Ctx.getStoreManager().getSizeInElements( DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
Ctx.getState(), SuperRegion, Ctx.getState(), SuperRegion, Ctx.getSValBuilder(),
CE.getArgExpr(1)->getType()->getPointeeType()); CE.getArgExpr(1)->getType()->getPointeeType());
const llvm::APSInt &ArrSize = Size.getAs<nonloc::ConcreteInt>()->getValue(); const llvm::APSInt &ArrSize =
ElementCount.getAs<nonloc::ConcreteInt>()->getValue();
for (size_t i = 0; i < ArrSize; ++i) { for (size_t i = 0; i < ArrSize; ++i) {
const NonLoc Idx = Ctx.getSValBuilder().makeArrayIndex(i); const NonLoc Idx = Ctx.getSValBuilder().makeArrayIndex(i);
const ElementRegion *const ER = RegionManager.getElementRegion( const ElementRegion *const ER = RegionManager.getElementRegion(
CE.getArgExpr(1)->getType()->getPointeeType(), Idx, SuperRegion, CE.getArgExpr(1)->getType()->getPointeeType(), Idx, SuperRegion,
Ctx.getASTContext()); Ctx.getASTContext());
Show All 19 Lines

clang/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class ReturnPointerRangeChecker : class ReturnPointerRangeChecker :
public Checker< check::PreStmt<ReturnStmt> > { public Checker< check::PreStmt<ReturnStmt> > {
Show All 19 Linesvoid ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
if (!ER) if (!ER)
return; return;
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
// Zero index is always in bound, this also passes ElementRegions created for // Zero index is always in bound, this also passes ElementRegions created for
// pointer casts. // pointer casts.
if (Idx.isZeroConstant()) if (Idx.isZeroConstant())
return; return;
// FIXME: All of this out-of-bounds checking should eventually be refactored // FIXME: All of this out-of-bounds checking should eventually be refactored
// into a common place. // into a common place.
DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
DefinedOrUnknownSVal NumElements ProgramStateRef StInBound = state->assumeInBound(Idx, ElementCount, true);
= C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(), ProgramStateRef StOutBound = state->assumeInBound(Idx, ElementCount, false);
ER->getValueType());
ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateErrorNode(StOutBound); ExplodedNode *N = C.generateErrorNode(StOutBound);
if (!N) if (!N)
return; return;
// FIXME: This bug correspond to CWE-466. Eventually we should have bug // FIXME: This bug correspond to CWE-466. Eventually we should have bug
// types explicitly reference such exploit categories (when applicable). // types explicitly reference such exploit categories (when applicable).
Show All 26 Lines

clang/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
Show All 18 Lines if (!Loc.isValid())
return false; return false;
const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion(); const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();
const ElementRegion *ER = dyn_cast<ElementRegion>(MR); const ElementRegion *ER = dyn_cast<ElementRegion>(MR);
if (!ER) if (!ER)
return false; return false;
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
DefinedOrUnknownSVal NumElements = C.getStoreManager().getSizeInElements( DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
state, ER->getSuperRegion(), ER->getValueType()); state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true); ProgramStateRef StInBound = state->assumeInBound(Idx, ElementCount, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, ElementCount, false);
return StOutBound && !StInBound; return StOutBound && !StInBound;
} }
static bool isShiftOverflow(const BinaryOperator *B, CheckerContext &C) { static bool isShiftOverflow(const BinaryOperator *B, CheckerContext &C) {
return C.isGreaterOrEqual( return C.isGreaterOrEqual(
B->getRHS(), C.getASTContext().getIntWidth(B->getLHS()->getType())); B->getRHS(), C.getASTContext().getIntWidth(B->getLHS()->getType()));
} }
▲ Show 20 LinesShow All 127 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp

//===- DynamicSize.cpp - Dynamic size related APIs --------------*- C++ -*-===// //===- DynamicSize.cpp - Dynamic size related APIs --------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines APIs that track and query dynamic size information. // This file defines APIs that track and query dynamic size information.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/AST/Expr.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
namespace clang { namespace clang {
namespace ento { namespace ento {
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
SValBuilder &SVB) { SValBuilder &SVB) {
return MR->getMemRegionManager().getStaticSize(MR, SVB); return MR->getMemRegionManager().getStaticSize(MR, SVB);
} }
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
const MemRegion *MR,
SValBuilder &SVB,
QualType ElementTy) {
MemRegionManager &MemMgr = MR->getMemRegionManager();
ASTContext &Ctx = MemMgr.getContext();
DefinedOrUnknownSVal Size = getDynamicSize(State, MR, SVB);
SVal ElementSizeV = SVB.makeIntVal(
Ctx.getTypeSizeInChars(ElementTy).getQuantity(), SVB.getArrayIndexType());
NoQUnsubmitted
Done
ReplyInline Actions

Even if the size is not concrete, you can ask SValBuilder to perform the division. It's going to be a symbolic expression which we won't be able to work with anyway, but these days we believe that it's still worth it, in hope that our constraint solver eventually gets better.

NoQ: Even if the size is not concrete, you can ask `SValBuilder` to perform the division. It's going…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Good idea, thanks!

Charusso: Good idea, thanks!
SVal DivisionV =
SVB.evalBinOp(State, BO_Div, Size, ElementSizeV, SVB.getArrayIndexType());
return DivisionV.castAs<DefinedOrUnknownSVal>();
}
} // namespace ento } // namespace ento
NoQUnsubmitted
Done
ReplyInline Actions

I'd rather do a castAs here. Allocating a region of garbage size should be an immediate warning; supplying a zero-size ElementTy should be an immediate crash; in all other cases the result of division must be defined.

NoQ: I'd rather do a `castAs` here. Allocating a region of garbage size should be an immediate…
} // namespace clang } // namespace clang
NoQUnsubmitted
Done
ReplyInline Actions

And then remove the manual division.

NoQ: And then remove the manual division.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Hmpf.

Failing Tests (7):
    Clang :: Analysis/misc-ps-region-store.m
    Clang :: Analysis/mpichecker.cpp
    Clang :: Analysis/outofbound.c
    Clang :: Analysis/rdar-6541136-region.c
    Clang :: Analysis/return-ptr-range.cpp
    Clang :: Analysis/track-control-dependency-conditions.cpp
    Clang :: Analysis/uninit-vals.c

I would pick that solution because it may be a tiny-bit faster, and then later on investigate this issue when we model more about dynamic sizes.

Charusso: Hmpf. ``` Failing Tests (7): Clang :: Analysis/misc-ps-region-store.m Clang…
NoQUnsubmitted
Done
ReplyInline Actions

Soooooo what does it tell us about the correctness of the new evalBinOp-based solution?

NoQ: Soooooo what does it tell us about the correctness of the new `evalBinOp`-based solution?
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

So, when I tried to inject an APSInt it converted to 0 so division by zero made that. I felt that the implicit conversion is wonky, but dividing by 0, ugh.

Charusso: So, when I tried to inject an `APSInt` it converted to `0` so division by zero made that. I…
NoQUnsubmitted
Done
ReplyInline Actions

Yay, great job figuring this out!

Also the conversion wasn't implicit; you explicitly specified llvm::APSInt(...). I agree that this constructor is evil, though.

NoQ: Yay, great job figuring this out! Also the conversion wasn't implicit; you explicitly…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

getQuantity() retuns a QuantityType, but now I see: typedef int64_t QuantityType, so I was fooled.

Charusso: `getQuantity()` retuns a `QuantityType`, but now I see: `typedef int64_t QuantityType`, so I…

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

Show First 20 LinesShow All 617 Lines▼ Show 20 Linespublic: // Part of public interface to class.
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
/// removeDeadBindings - Scans the RegionStore of 'state' for dead values. /// removeDeadBindings - Scans the RegionStore of 'state' for dead values.
/// It returns a new Store with these values removed. /// It returns a new Store with these values removed.
StoreRef removeDeadBindings(Store store, const StackFrameContext *LCtx, StoreRef removeDeadBindings(Store store, const StackFrameContext *LCtx,
SymbolReaper& SymReaper) override; SymbolReaper& SymReaper) override;
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
// Region "extents".
//===------------------------------------------------------------------===//
// FIXME: This method will soon be eliminated; see the note in Store.h.
DefinedOrUnknownSVal getSizeInElements(ProgramStateRef state,
const MemRegion* R,
QualType EleTy) override;
//===------------------------------------------------------------------===//
// Utility methods. // Utility methods.
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
RegionBindingsRef getRegionBindings(Store store) const { RegionBindingsRef getRegionBindings(Store store) const {
llvm::PointerIntPair<Store, 1, bool> Ptr; llvm::PointerIntPair<Store, 1, bool> Ptr;
Ptr.setFromOpaqueValue(const_cast<void *>(store)); Ptr.setFromOpaqueValue(const_cast<void *>(store));
return RegionBindingsRef( return RegionBindingsRef(
CBFactory, CBFactory,
▲ Show 20 LinesShow All 740 Lines▼ Show 20 LinesRegionStoreManager::invalidateRegions(Store store,
case GFK_None: case GFK_None:
break; break;
} }
return StoreRef(B.asStore(), *this); return StoreRef(B.asStore(), *this);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Extents for regions.
//===----------------------------------------------------------------------===//
DefinedOrUnknownSVal
RegionStoreManager::getSizeInElements(ProgramStateRef state,
const MemRegion *R,
QualType EleTy) {
DefinedOrUnknownSVal Size = getDynamicSize(state, R, svalBuilder);
const llvm::APSInt *SizeInt = svalBuilder.getKnownValue(state, Size);
if (!SizeInt)
return UnknownVal();
CharUnits RegionSize = CharUnits::fromQuantity(SizeInt->getSExtValue());
if (Ctx.getAsVariableArrayType(EleTy)) {
// FIXME: We need to track extra state to properly record the size
// of VLAs. Returning UnknownVal here, however, is a stop-gap so that
// we don't have a divide-by-zero below.
return UnknownVal();
}
CharUnits EleSize = Ctx.getTypeSizeInChars(EleTy);
// If a variable is reinterpreted as a type that doesn't fit into a larger
// type evenly, round it down.
// This is a signed value, since it's used in arithmetic with signed indices.
return svalBuilder.makeIntVal(RegionSize / EleSize,
svalBuilder.getArrayIndexType());
}
//===----------------------------------------------------------------------===//
// Location and region casting. // Location and region casting.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// ArrayToPointer - Emulates the "decay" of an array to a pointer /// ArrayToPointer - Emulates the "decay" of an array to a pointer
/// type. 'Array' represents the lvalue of the array being decayed /// type. 'Array' represents the lvalue of the array being decayed
/// to a pointer, and the returned SVal represents the decayed /// to a pointer, and the returned SVal represents the decayed
/// version of that lvalue (i.e., a pointer to the first element of /// version of that lvalue (i.e., a pointer to the first element of
/// the array). This is called by ExprEngine when evaluating casts /// the array). This is called by ExprEngine when evaluating casts
▲ Show 20 LinesShow All 1,262 LinesShow Last 20 Lines