This is an archive of the discontinued LLVM Phabricator instance.

Differential D83295

[Analyzer] Hotfix for various crashes in iterator checkers
ClosedPublic

Authored by baloghadamsoftware on Jul 7 2020, 4:45 AM.

Details

Reviewers
NoQ
gamesh411
martong
balazske
Szelethus
Commits
rGa59d4ae4313c: [Analyzer] Hotfix for various crashes in iterator checkers
Summary

The patch that introduces handling iterators implemented as pointers may cause crash in some projects because pointer difference is mistakenly handled as pointer decrement. (Similair case for iterators implemented as class instances are already handled correctly.) This patch fixes this issue.

The second case that causes crash is comparison of an iterator implemented as pointer and a null-pointer. This patch contains a fix for this issue as well.

The third case which causes crash is that the checker mistakenly considers all integers as nonloc::ConcreteInt when handling an increment or decrement of an iterator implemented as pointers. This patch adds a fix for this too.

The last case where crashes were detected is when checking for success of an std::advance() operation. Since the modeling of iterators implemented as pointers is still incomplete this may result in an assertion. This patch replaces the assertion with an early exit and adds a FIXME there.

Diff Detail

Event Timeline

baloghadamsoftware created this revision.Jul 7 2020, 4:45 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJul 7 2020, 4:45 AM
Herald added subscribers: ASDenysPetrov, steakhal, Charusso and 9 others. · View Herald Transcript
Harbormaster completed remote builds in B63181: Diff 275996.Jul 7 2020, 7:12 AM
baloghadamsoftware updated this revision to Diff 276684.Jul 9 2020, 3:13 AM
baloghadamsoftware edited the summary of this revision. (Show Details)

Test added for the third fix in this patch.

Szelethus added inline comments.Jul 9 2020, 6:22 AM
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
275–276

This doesn't look symmetrical. How does this patch interact with D83190?

baloghadamsoftware marked an inline comment as done.Jul 9 2020, 7:21 AM
baloghadamsoftware added inline comments.
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
275–276

This is not symmetrical. Since this patch is a hotfix for three bugs, all of them cause crashes it is more urgent to land. The other patch should be rebased on it.

gamesh411 accepted this revision.Jul 9 2020, 7:22 AM
gamesh411 added inline comments.
clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
275–276

I see that patch D83190 will need not only to be rebased, but modified slightly to take this early checking into account. I will refer to this review over there.

This revision is now accepted and ready to land.Jul 9 2020, 7:22 AM
gamesh411 added a comment.Jul 9 2020, 7:25 AM

@Szelethus thanks for being watchful, appreciated c:

Szelethus accepted this revision.Jul 9 2020, 7:36 AM

LGTM, but if we knowingly a subpar solution, we should make that clear in the surrounding code. I know the followup patch is around the corner, but just to be sure.

clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp
275–276

Please add a FIXME before commiting, if we knowingly add a hack.

466–470

Is this always okay? Shouldn't we check what the reason was behind the failure to retrieve the position? Is a TODO: at the very least appropriate?

clang/lib/StaticAnalyzer/Checkers/IteratorRangeChecker.cpp
172–173

FIXME:

baloghadamsoftware updated this revision to Diff 277340.Jul 13 2020, 1:05 AM
baloghadamsoftware edited the summary of this revision. (Show Details)

Two more crashes detected, fixes for them added.

baloghadamsoftware updated this revision to Diff 278394.Jul 16 2020, 1:31 AM

Protection against Unknown added for pointer increments and decrements. No more crashes on LLVM/Clang.

gamesh411 accepted this revision.Jul 16 2020, 6:09 AM
Closed by commit rGa59d4ae4313c: [Analyzer] Hotfix for various crashes in iterator checkers (authored by baloghadamsoftware). · Explain WhyJul 16 2020, 11:50 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
32 lines
2 lines
test/
Analysis/
18 lines
4 lines

Diff 278564

clang/lib/StaticAnalyzer/Checkers/IteratorModeling.cpp

Show First 20 LinesShow All 266 Lines▼ Show 20 Linesvoid IteratorModeling::checkPostStmt(const BinaryOperator *BO,
SVal RVal = State->getSVal(BO->getRHS(), C.getLocationContext()); SVal RVal = State->getSVal(BO->getRHS(), C.getLocationContext());
if (isSimpleComparisonOperator(BO->getOpcode())) { if (isSimpleComparisonOperator(BO->getOpcode())) {
SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext()); SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext());
SVal Result = State->getSVal(BO, C.getLocationContext()); SVal Result = State->getSVal(BO, C.getLocationContext());
handleComparison(C, BO, Result, LVal, RVal, handleComparison(C, BO, Result, LVal, RVal,
BinaryOperator::getOverloadedOperator(OK)); BinaryOperator::getOverloadedOperator(OK));
} else if (isRandomIncrOrDecrOperator(OK)) { } else if (isRandomIncrOrDecrOperator(OK)) {
if (!BO->getRHS()->getType()->isIntegralOrEnumerationType())
return;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

This doesn't look symmetrical. How does this patch interact with D83190?

Szelethus: This doesn't look symmetrical. How does this patch interact with D83190?
gamesh411Unsubmitted
Not Done
ReplyInline Actions

I see that patch D83190 will need not only to be rebased, but modified slightly to take this early checking into account. I will refer to this review over there.

gamesh411: I see that patch D83190 will need not only to be rebased, but modified slightly to take this…
baloghadamsoftwareAuthorUnsubmitted
Done
ReplyInline Actions

This is not symmetrical. Since this patch is a hotfix for three bugs, all of them cause crashes it is more urgent to land. The other patch should be rebased on it.

baloghadamsoftware: This //is// not symmetrical. Since this patch is a hotfix for three bugs, all of them cause…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Please add a FIXME before commiting, if we knowingly add a hack.

Szelethus: Please add a FIXME before commiting, if we knowingly add a hack.
handlePtrIncrOrDecr(C, BO->getLHS(), handlePtrIncrOrDecr(C, BO->getLHS(),
BinaryOperator::getOverloadedOperator(OK), RVal); BinaryOperator::getOverloadedOperator(OK), RVal);
} }
} }
void IteratorModeling::checkPostStmt(const MaterializeTemporaryExpr *MTE, void IteratorModeling::checkPostStmt(const MaterializeTemporaryExpr *MTE,
CheckerContext &C) const { CheckerContext &C) const {
/* Transfer iterator state to temporary objects */ /* Transfer iterator state to temporary objects */
▲ Show 20 LinesShow All 173 Lines▼ Show 20 Lines State = setIteratorPosition(State, LVal,
IteratorPosition::getPosition(Cont, Sym)); IteratorPosition::getPosition(Cont, Sym));
LPos = getIteratorPosition(State, LVal); LPos = getIteratorPosition(State, LVal);
} else if (!RPos) { } else if (!RPos) {
State = setIteratorPosition(State, RVal, State = setIteratorPosition(State, RVal,
IteratorPosition::getPosition(Cont, Sym)); IteratorPosition::getPosition(Cont, Sym));
RPos = getIteratorPosition(State, RVal); RPos = getIteratorPosition(State, RVal);
} }
// If the value for which we just tried to set a new iterator position is
// an `SVal`for which no iterator position can be set then the setting was
// unsuccessful. We cannot handle the comparison in this case.
if (!LPos || !RPos)
return;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Is this always okay? Shouldn't we check what the reason was behind the failure to retrieve the position? Is a TODO: at the very least appropriate?

Szelethus: Is this always okay? Shouldn't we check what the reason was behind the failure to retrieve the…
// We cannot make assumptions on `UnknownVal`. Let us conjure a symbol // We cannot make assumptions on `UnknownVal`. Let us conjure a symbol
// instead. // instead.
if (RetVal.isUnknown()) { if (RetVal.isUnknown()) {
auto &SymMgr = C.getSymbolManager(); auto &SymMgr = C.getSymbolManager();
auto *LCtx = C.getLocationContext(); auto *LCtx = C.getLocationContext();
RetVal = nonloc::SymbolVal(SymMgr.conjureSymbol( RetVal = nonloc::SymbolVal(SymMgr.conjureSymbol(
CE, LCtx, C.getASTContext().BoolTy, C.blockCount())); CE, LCtx, C.getASTContext().BoolTy, C.blockCount()));
State = State->BindExpr(CE, LCtx, RetVal); State = State->BindExpr(CE, LCtx, RetVal);
▲ Show 20 LinesShow All 122 Lines▼ Show 20 Lines if (AdvancedState) {
assignToContainer(C, CE, TgtVal, Pos->getContainer()); assignToContainer(C, CE, TgtVal, Pos->getContainer());
} }
} }
void IteratorModeling::handlePtrIncrOrDecr(CheckerContext &C, void IteratorModeling::handlePtrIncrOrDecr(CheckerContext &C,
const Expr *Iterator, const Expr *Iterator,
OverloadedOperatorKind OK, OverloadedOperatorKind OK,
SVal Offset) const { SVal Offset) const {
if (!Offset.getAs<DefinedSVal>())
return;
QualType PtrType = Iterator->getType(); QualType PtrType = Iterator->getType();
if (!PtrType->isPointerType()) if (!PtrType->isPointerType())
return; return;
QualType ElementType = PtrType->getPointeeType(); QualType ElementType = PtrType->getPointeeType();
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal OldVal = State->getSVal(Iterator, C.getLocationContext()); SVal OldVal = State->getSVal(Iterator, C.getLocationContext());
const IteratorPosition *OldPos = getIteratorPosition(State, OldVal); const IteratorPosition *OldPos = getIteratorPosition(State, OldVal);
if (!OldPos) if (!OldPos)
return; return;
SVal NewVal; SVal NewVal;
if (OK == OO_Plus || OK == OO_PlusEqual) if (OK == OO_Plus || OK == OO_PlusEqual) {
NewVal = State->getLValue(ElementType, Offset, OldVal); NewVal = State->getLValue(ElementType, Offset, OldVal);
else { } else {
const llvm::APSInt &OffsetInt = auto &SVB = C.getSValBuilder();
Offset.castAs<nonloc::ConcreteInt>().getValue(); SVal NegatedOffset = SVB.evalMinus(Offset.castAs<NonLoc>());
auto &BVF = C.getSymbolManager().getBasicVals();
SVal NegatedOffset = nonloc::ConcreteInt(BVF.getValue(-OffsetInt));
NewVal = State->getLValue(ElementType, NegatedOffset, OldVal); NewVal = State->getLValue(ElementType, NegatedOffset, OldVal);
} }
// `AdvancedState` is a state where the position of `Old` is advanced. We // `AdvancedState` is a state where the position of `Old` is advanced. We
// only need this state to retrieve the new position, but we do not want // only need this state to retrieve the new position, but we do not want
// ever to change the position of `OldVal`. // ever to change the position of `OldVal`.
auto AdvancedState = advancePosition(State, OldVal, OK, Offset); auto AdvancedState = advancePosition(State, OldVal, OK, Offset);
if (AdvancedState) { if (AdvancedState) {
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Linesbool IteratorModeling::noChangeInAdvance(CheckerContext &C, SVal Iter,
if (!PosAfter) if (!PosAfter)
return false; return false;
const ExplodedNode *N = findCallEnter(C.getPredecessor(), CE); const ExplodedNode *N = findCallEnter(C.getPredecessor(), CE);
assert(N && "Any call should have a `CallEnter` node."); assert(N && "Any call should have a `CallEnter` node.");
const auto StateBefore = N->getState(); const auto StateBefore = N->getState();
const auto *PosBefore = getIteratorPosition(StateBefore, Iter); const auto *PosBefore = getIteratorPosition(StateBefore, Iter);
// FIXME: `std::advance()` should not create a new iterator position but
assert(PosBefore && "`std::advance() should not create new iterator " // change existing ones. However, in case of iterators implemented as
"position but change existing ones"); // pointers the handling of parameters in `std::advance()`-like
// functions is still incomplete which may result in cases where
// the new position is assigned to the wrong pointer. This causes
// crash if we use an assertion here.
if (!PosBefore)
return false;
return PosBefore->getOffset() == PosAfter->getOffset(); return PosBefore->getOffset() == PosAfter->getOffset();
} }
void IteratorModeling::printState(raw_ostream &Out, ProgramStateRef State, void IteratorModeling::printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const { const char *NL, const char *Sep) const {
auto SymbolMap = State->get<IteratorSymbolMap>(); auto SymbolMap = State->get<IteratorSymbolMap>();
auto RegionMap = State->get<IteratorRegionMap>(); auto RegionMap = State->get<IteratorRegionMap>();
▲ Show 20 LinesShow All 122 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/IteratorRangeChecker.cpp

Show First 20 LinesShow All 163 Lines▼ Show 20 Linesvoid IteratorRangeChecker::checkPreStmt(const BinaryOperator *BO,
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
BinaryOperatorKind OK = BO->getOpcode(); BinaryOperatorKind OK = BO->getOpcode();
SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext()); SVal LVal = State->getSVal(BO->getLHS(), C.getLocationContext());
if (isDereferenceOperator(OK)) { if (isDereferenceOperator(OK)) {
verifyDereference(C, LVal); verifyDereference(C, LVal);
} else if (isRandomIncrOrDecrOperator(OK)) { } else if (isRandomIncrOrDecrOperator(OK)) {
SVal RVal = State->getSVal(BO->getRHS(), C.getLocationContext()); SVal RVal = State->getSVal(BO->getRHS(), C.getLocationContext());
if (!BO->getRHS()->getType()->isIntegralOrEnumerationType())
return;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

FIXME:

Szelethus: FIXME:
verifyRandomIncrOrDecr(C, BinaryOperator::getOverloadedOperator(OK), LVal, verifyRandomIncrOrDecr(C, BinaryOperator::getOverloadedOperator(OK), LVal,
RVal); RVal);
} }
} }
void IteratorRangeChecker::checkPreStmt(const ArraySubscriptExpr *ASE, void IteratorRangeChecker::checkPreStmt(const ArraySubscriptExpr *ASE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
▲ Show 20 LinesShow All 192 LinesShow Last 20 Lines

clang/test/Analysis/iterator-modeling.cpp

Show First 20 LinesShow All 1,942 Lines▼ Show 20 Linesvoid minus_equal_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()"); clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()");
i -= 2; i -= 2;
clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.end() - 2}} clang_analyzer_express(clang_analyzer_iterator_position(i)); // expected-warning{{$c.end() - 2}}
} }
void minus_equal_ptr_iterator_variable(const cont_with_ptr_iterator<int> &c,
int n) {
auto i = c.end();
i -= n; // no-crash
}
void plus_ptr_iterator(const cont_with_ptr_iterator<int> &c) { void plus_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i1 = c.begin(); auto i1 = c.begin();
clang_analyzer_denote(clang_analyzer_container_begin(c), "$c.begin()"); clang_analyzer_denote(clang_analyzer_container_begin(c), "$c.begin()");
auto i2 = i1 + 2; auto i2 = i1 + 2;
clang_analyzer_eval(clang_analyzer_iterator_container(i2) == &c); // expected-warning{{TRUE}} clang_analyzer_eval(clang_analyzer_iterator_container(i2) == &c); // expected-warning{{TRUE}}
clang_analyzer_express(clang_analyzer_iterator_position(i1)); // expected-warning{{$c.begin()}} clang_analyzer_express(clang_analyzer_iterator_position(i1)); // expected-warning{{$c.begin()}}
clang_analyzer_express(clang_analyzer_iterator_position(i2)); // expected-warning{{$c.begin() + 2}} clang_analyzer_express(clang_analyzer_iterator_position(i2)); // expected-warning{{$c.begin() + 2}}
} }
void minus_ptr_iterator(const cont_with_ptr_iterator<int> &c) { void minus_ptr_iterator(const cont_with_ptr_iterator<int> &c) {
auto i1 = c.end(); auto i1 = c.end();
clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()"); clang_analyzer_denote(clang_analyzer_container_end(c), "$c.end()");
auto i2 = i1 - 2; auto i2 = i1 - 2;
clang_analyzer_eval(clang_analyzer_iterator_container(i2) == &c); // expected-warning{{TRUE}} clang_analyzer_eval(clang_analyzer_iterator_container(i2) == &c); // expected-warning{{TRUE}}
clang_analyzer_express(clang_analyzer_iterator_position(i1)); // expected-warning{{$c.end()}} clang_analyzer_express(clang_analyzer_iterator_position(i1)); // expected-warning{{$c.end()}}
clang_analyzer_express(clang_analyzer_iterator_position(i2)); // expected-warning{{$c.end() - 2}} clang_analyzer_express(clang_analyzer_iterator_position(i2)); // expected-warning{{$c.end() - 2}}
} }
void ptr_iter_diff(cont_with_ptr_iterator<int> &c) {
auto i0 = c.begin(), i1 = c.end();
ptrdiff_t len = i1 - i0; // no-crash
}
void ptr_iter_cmp_nullptr(cont_with_ptr_iterator<int> &c) {
auto i0 = c.begin();
if (i0 != nullptr) // no-crash
++i0;
}
void clang_analyzer_printState(); void clang_analyzer_printState();
void print_state(std::vector<int> &V) { void print_state(std::vector<int> &V) {
const auto i0 = V.cbegin(); const auto i0 = V.cbegin();
clang_analyzer_printState(); clang_analyzer_printState();
// CHECK: "checker_messages": [ // CHECK: "checker_messages": [
// CHECK: { "checker": "alpha.cplusplus.IteratorModeling", "messages": [ // CHECK: { "checker": "alpha.cplusplus.IteratorModeling", "messages": [
Show All 16 Lines

clang/test/Analysis/iterator-range.cpp

Show First 20 LinesShow All 929 Lines▼ Show 20 Lines
void postfix_minus_assign_2_begin_ptr_iterator( void postfix_minus_assign_2_begin_ptr_iterator(
const cont_with_ptr_iterator<S> &c) { const cont_with_ptr_iterator<S> &c) {
auto i = c.begin(); auto i = c.begin();
i -= 2; // expected-warning{{Iterator decremented ahead of its valid range}} i -= 2; // expected-warning{{Iterator decremented ahead of its valid range}}
// expected-note@-1{{Iterator decremented ahead of its valid range}} // expected-note@-1{{Iterator decremented ahead of its valid range}}
} }
void ptr_iter_diff(cont_with_ptr_iterator<S> &c) {
auto i0 = c.begin(), i1 = c.end();
ptrdiff_t len = i1 - i0; // no-crash
}