This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
Store.cpp
-
test/Analysis/
-
Analysis/
1
uninit-val-const-likeness.c

Differential D70836

[analysis] Fix value tracking for pointers to qualified types
ClosedPublic

Authored by vabridgers on Nov 28 2019, 5:50 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
NoQ

Commits

rG6d3f43ec61a6: [analysis] Discard type qualifiers when casting values retrieved from the Store.

Summary

This change fixes part 1 described by Artem in the Bugzilla report 43364. The comparison done was on a canonical, but should have been done on an unqualified type. Without using the unqualified type, the type comparison in this specific case is for "const Type * const" against "Type * const", which for the purposes of static analysis can be done not considering the Type's const qualifier. This is best done using a nonqualified type comparison.
Test cases were added to cover this change.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

vabridgers created this revision.Nov 28 2019, 5:50 PM

Herald added a subscriber: cfe-commits. · View Herald TranscriptNov 28 2019, 5:50 PM

ebevhan added a subscriber: ebevhan.Nov 29 2019, 5:19 AM

bjope added a subscriber: bjope.Nov 29 2019, 9:23 AM

dkrupp added a subscriber: dkrupp.Dec 4 2019, 7:35 AM

Thanks!! This definitely doesn't sort out all the problems of this kind, but that's a strict improvement.

Do you have commit access? Or i could commit for you.

clang/test/Analysis/uninit-val-const-likeness.c
22	I suggest adding `// no-warning` markers on the lines on which warnings were previously emitted. It doesn't have any physical meaning, just makes it easier to understand what the test is about when you accidentally break it.

Hmm, it was supposed to get a green tick mark. Let me re-accept.

This revision is now accepted and ready to land.Dec 11 2019, 12:48 PM

Closed by commit rG6d3f43ec61a6: [analysis] Discard type qualifiers when casting values retrieved from the Store. (authored by dergachev.a). · Explain WhyDec 17 2019, 3:00 PM

This revision was automatically updated to reflect the committed changes.

Great! I have one question though. Will this also work as intended with sugared types? (e.g. typedefs)
I believe this might be one of the main reason why the original author used canonical types in the first place.

In D70836#1789059, @xazax.hun wrote:

Will this also work as intended with sugared types? (e.g. typedefs)
I believe this might be one of the main reason why the original author used canonical types in the first place.

Whoops, indeed. Fxd in rGf0ced2ddb44e.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

Store.cpp

14 lines

test/

Analysis/

uninit-val-const-likeness.c

56 lines

Diff 234397

clang/lib/StaticAnalyzer/Core/Store.cpp

Show First 20 Lines • Show All 387 Lines • ▼ Show 20 Lines	if (const auto *SR = dyn_cast<SymbolicRegion>(MR)) {
return loc::MemRegionVal(GetElementZeroRegion(SR, TargetType));		return loc::MemRegionVal(GetElementZeroRegion(SR, TargetType));
}		}

// We failed if the region we ended up with has perfect type info.		// We failed if the region we ended up with has perfect type info.
Failed = isa<TypedValueRegion>(MR);		Failed = isa<TypedValueRegion>(MR);
return UnknownVal();		return UnknownVal();
}		}

		static bool hasSameUnqualifiedPointeeType(QualType ty1, QualType ty2) {
		return ty1->getPointeeType().getTypePtr() ==
		ty2->getPointeeType().getTypePtr();
		}

/// CastRetrievedVal - Used by subclasses of StoreManager to implement		/// CastRetrievedVal - Used by subclasses of StoreManager to implement
/// implicit casts that arise from loads from regions that are reinterpreted		/// implicit casts that arise from loads from regions that are reinterpreted
/// as another region.		/// as another region.
SVal StoreManager::CastRetrievedVal(SVal V, const TypedValueRegion *R,		SVal StoreManager::CastRetrievedVal(SVal V, const TypedValueRegion *R,
QualType castTy) {		QualType castTy) {
if (castTy.isNull() \|\| V.isUnknownOrUndef())		if (castTy.isNull() \|\| V.isUnknownOrUndef())
return V;		return V;

Show All 12 Lines	SVal StoreManager::CastRetrievedVal(SVal V, const TypedValueRegion *R,
// wrap them into element regions of the expected type if necessary.		// wrap them into element regions of the expected type if necessary.
// SValBuilder::dispatchCast() doesn't do that, but it is necessary to		// SValBuilder::dispatchCast() doesn't do that, but it is necessary to
// make sure that the retrieved value makes sense, because there's no other		// make sure that the retrieved value makes sense, because there's no other
// cast in the AST that would tell us to cast it to the correct pointer type.		// cast in the AST that would tell us to cast it to the correct pointer type.
// We might need to do that for non-void pointers as well.		// We might need to do that for non-void pointers as well.
// FIXME: We really need a single good function to perform casts for us		// FIXME: We really need a single good function to perform casts for us
// correctly every time we need it.		// correctly every time we need it.
if (castTy->isPointerType() && !castTy->isVoidPointerType())		if (castTy->isPointerType() && !castTy->isVoidPointerType())
if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(V.getAsRegion()))		if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(V.getAsRegion())) {
if (SR->getSymbol()->getType().getCanonicalType() !=		QualType sr = SR->getSymbol()->getType();
castTy.getCanonicalType())		if (!hasSameUnqualifiedPointeeType(sr, castTy))
return loc::MemRegionVal(castRegion(SR, castTy));		return loc::MemRegionVal(castRegion(SR, castTy));
		}

return svalBuilder.dispatchCast(V, castTy);		return svalBuilder.dispatchCast(V, castTy);
}		}

SVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {		SVal StoreManager::getLValueFieldOrIvar(const Decl *D, SVal Base) {
if (Base.isUnknownOrUndef())		if (Base.isUnknownOrUndef())
return Base;		return Base;

▲ Show 20 Lines • Show All 125 Lines • Show Last 20 Lines

clang/test/Analysis/uninit-val-const-likeness.c

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=core %s -verify
				// expected-no-diagnostics

				#define SIZE 2

				typedef struct {
				int noOfSymbols;
				} Params;

				static void create(const Params * const params, int fooList[]) {
				int tmpList[SIZE] = {0};
				for (int i = 0; i < params->noOfSymbols; i++)
				fooList[i] = tmpList[i];
				}

				int work(Params * const params) {
				int fooList[SIZE];
				create(params, fooList);
				int sum = 0;
				for (int i = 0; i < params->noOfSymbols; i++)
				sum += fooList[i]; // no-warning
				return sum;
				NoQUnsubmitted Not Done Reply Inline Actions I suggest adding `// no-warning` markers on the lines on which warnings were previously emitted. It doesn't have any physical meaning, just makes it easier to understand what the test is about when you accidentally break it. NoQ: I suggest adding `// no-warning` markers on the lines on which warnings were previously emitted.
				}

				static void create2(const Params * const * pparams, int fooList[]) {
				const Params * params = *pparams;
				int tmpList[SIZE] = {0};
				for (int i = 0; i < params->noOfSymbols; i++)
				fooList[i] = tmpList[i];
				}

				int work2(const Params * const params) {
				int fooList[SIZE];
				create2(&params, fooList);
				int sum = 0;
				for (int i = 0; i < params->noOfSymbols; i++)
				sum += fooList[i]; // no-warning
				return sum;
				}

				static void create3(Params * const * pparams, int fooList[]) {
				const Params * params = *pparams;
				int tmpList[SIZE] = {0};
				for (int i = 0; i < params->noOfSymbols; i++)
				fooList[i] = tmpList[i];
				}

				int work3(const Params * const params) {
				int fooList[SIZE];
				Params const ptr = (Params const)&params;
				create3(ptr, fooList);
				int sum = 0;
				for (int i = 0; i < params->noOfSymbols; i++)
				sum += fooList[i]; // no-warning
				return sum;
				}