See https://bugs.llvm.org/show_bug.cgi?id=46128. The checker does not
yet comprehend constraints involving multiple symbols, so it's possible
to calculate a VLA size that's negative or 0. A LIT is added to catch
regressions, and this change simply bails if a VLA size of 0 or less is
calculated.
Details
Diff Detail
- Repository
- rG LLVM Github Monorepo
Event Timeline
Not sure this is "correct", but it passes LITs with the new case, and it will at least get the discussion started :)
clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp | ||
---|---|---|
114–115 | Do i understand correctly that this cast is the only difference between the value that has been checked and the value on which the assertion is asserted? |
clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp | ||
---|---|---|
114–115 | Yes, looks that way to me. Let's see if Balasz, Gabor, Adam or Kristof responds in the next day or two? Thanks Artem! |
clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp | ||
---|---|---|
114–115 | Yes the cast is the difference. Even if this problem is fixed (cast included in checkVLAIndexSize) the same problem happens. // Convert the array length to size_t. NonLoc SizeNL = SVB.evalCast(SizeD, SizeTy, SizeE->getType()).castAs<NonLoc>(); // Check if the size is zero. ProgramStateRef StateNotZero, StateZero; std::tie(StateNotZero, StateZero) = State->assume(SizeNL); if (StateZero && !StateNotZero) { reportBug(VLA_Zero, SizeE, StateZero, C); return nullptr; } // From this point on, assume that the size is not zero. State = StateNotZero; if (const llvm::APSInt *IndexLVal = SVB.getKnownValue(State, SizeNL)) { uint64_t L = IndexLVal->getZExtValue(); llvm::errs() << SizeNL << " " << L << "\n"; assert(L != 0); } |
clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp | ||
---|---|---|
114–115 | It might be that simplifySVal isn't applied consistently. Like, assume() fails to apply it so it fails to see that the value is in fact concrete zero. Let's remove the assertion for now and add a FIXME to investigate why can't we add it back. Like, there's nothing preventing us from investigating it now but it will take some time whereas crashes are already there and we should fix them to unblock other people. |
It is no problem to return instead of the assert. I could fix the problem by using
SVal LessThanZeroVal = SVB.evalBinOp(State, BO_LE, SizeD, Zero, SizeTy);
in checkVLAIndexSize (BO_LT is used before). Still the proposed return makes the code more safe.
clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp | ||
---|---|---|
130 | I do not know if this is accurate reason for the problem, a more general text is better? And should start with uppercase. | |
131 | Can be ==. | |
134 | The assert does not look good if there is already the check before. |
Address comments from Artem and Balazs. This change just avoids the crash for now until a proper fix can be made.
Do i understand correctly that this cast is the only difference between the value that has been checked and the value on which the assertion is asserted?