This is an archive of the discontinued LLVM Phabricator instance.

Differential D84520

[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker.
ClosedPublic

Authored by balazske on Jul 24 2020, 5:15 AM.

Details

Reviewers
Szelethus
gamesh411
NoQ
xazax.hun
Commits
rG497d060d0a74: [Analyzer] Improve invalid dereference bug reporting in DereferenceChecker.
Summary

Report undefined pointer dereference in similar way as null pointer dereference.

Diff Detail

Event Timeline

balazske created this revision.Jul 24 2020, 5:15 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJul 24 2020, 5:15 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript
Harbormaster failed remote builds in B65542: Diff 280414!Jul 24 2020, 5:15 AM
balazske added a parent revision: D84494: [Analyzer] Use of BugType in DereferenceChecker (NFC)..Jul 24 2020, 5:17 AM
balazske marked an inline comment as done.Jul 24 2020, 5:23 AM

Not sure if this is a good solution. There are few tests that test the undefined reference case. But the added code should work the same way as in the null pointer case?

clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
135

Add "results in a " here?

balazske added reviewers: gamesh411, NoQ, xazax.hun.Jul 27 2020, 12:43 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJul 27 2020, 12:43 AM
balazske added a comment.EditedJul 27 2020, 12:46 AM

Change of the existing error messages and bug category is not necessary but it would be improvement because more uniform error messages. (And not the "logic error" is the best category for this case, if this value is used at all. Other checkers have bad values too.)

gamesh411 added a comment.Aug 4 2020, 12:46 AM

I would add one more test for the undefined case. Like a local array variable that is uninitialized. That could mirror some of the null-dereference cases.

clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
135

IMHO I would add the "results in a " part here, as this is part of the process of creating the diagnostic anyway.

Szelethus added a comment.Aug 4 2020, 3:29 AM

We definitely need more tests. The idea overall however is amazing, thanks!

clang/test/Analysis/misc-ps-region-store.m
1160

Is this the entire message? Because traditionally, analyzer warnings start with an upper case and don't terminate.

balazske updated this revision to Diff 283856.Aug 7 2020, 2:58 AM

NFC changes, added some tests.

Herald added a subscriber: whisperity. · View Herald TranscriptAug 7 2020, 2:58 AM
Harbormaster completed remote builds in B67439: Diff 283856.Aug 7 2020, 2:59 AM
NoQ added a comment.Aug 7 2020, 11:19 AM

Thanks, excellent!

Let's not change warning text without good reasons. Too few of us speak English well enough to check the articles. The original text seems concise and on-point.

balazske updated this revision to Diff 284283.Aug 10 2020, 2:20 AM

Preserve original error messages.

Harbormaster completed remote builds in B67679: Diff 284283.Aug 10 2020, 2:20 AM
balazske marked an inline comment as done.Aug 10 2020, 2:25 AM

Do the null pointer and invalid pointer dereference belong to the same checker, that is called NullDereference?

clang/test/Analysis/misc-ps-region-store.m
1160

Full message is:
Access to field 'tail' results in a dereference of an undefined pointer value (loaded from variable 'items') [core.NullDereference]

whisperity added a comment.Aug 10 2020, 3:04 AM
In D84520#2206077, @balazske wrote:

Do the null pointer and invalid pointer dereference belong to the same checker, that is called NullDereference?

I think both SA and Tidy auto-appends the checker's name into the emitted diagnostic. However, @baloghadamsoftware did implement multiple checkers in the same translation unit, so maybe he knows where to override this.

(I can tell you where to override it in the context of Tidy, and it's horribly tricky and ugly...)

NoQ added a comment.Aug 10 2020, 8:28 PM
In D84520#2206077, @balazske wrote:

Do the null pointer and invalid pointer dereference belong to the same checker, that is called NullDereference?

Yup. And that's bad.

Note that the only reason to have checker names is to allow users to enable/disable the checkers. Given that enabling/disabling core checkers was never supported to begin with, this wasn't much of an issue. Now that we're moving into the direction of allowing users to silence core checkers without disabling their modeling benefits, this becomes much more of a problem and there's a number of checker name inconsistencies that we'll have to revisit. Another famous inconsistency is having a popular case of null dereference, "calling a C++ method on a null pointer", is in fact checked by the core.CallAndMessage checker rather than by core.NullDereference.

NoQ accepted this revision.Aug 10 2020, 10:08 PM

Also thanks, let's land!

This revision is now accepted and ready to land.Aug 10 2020, 10:08 PM
balazske updated this revision to Diff 284588.Aug 10 2020, 11:55 PM
balazske marked an inline comment as done.

Rebase (bug category is LogicError).

Harbormaster completed remote builds in B67846: Diff 284588.Aug 11 2020, 12:23 AM
Closed by commit rG497d060d0a74: [Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. (authored by balazske). · Explain WhyAug 11 2020, 1:07 AM
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG497d060d0a74: [Analyzer] Improve invalid dereference bug reporting in DereferenceChecker..

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
52 lines
test/
Analysis/
32 lines
2 lines

Diff 284600

clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp

Show All 24 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class DereferenceChecker class DereferenceChecker
: public Checker< check::Location, : public Checker< check::Location,
check::Bind, check::Bind,
EventDispatcher<ImplicitNullDerefEvent> > { EventDispatcher<ImplicitNullDerefEvent> > {
enum DerefKind { NullPointer, UndefinedPointerValue };
BugType BT_Null{this, "Dereference of null pointer", categories::LogicError}; BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};
BugType BT_Undef{this, "Dereference of undefined pointer value", BugType BT_Undef{this, "Dereference of undefined pointer value",
categories::LogicError}; categories::LogicError};
void reportBug(ProgramStateRef State, const Stmt *S, CheckerContext &C) const; void reportBug(DerefKind K, ProgramStateRef State, const Stmt *S,
CheckerContext &C) const;
public: public:
void checkLocation(SVal location, bool isLoad, const Stmt* S, void checkLocation(SVal location, bool isLoad, const Stmt* S,
CheckerContext &C) const; CheckerContext &C) const;
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
static void AddDerefSource(raw_ostream &os, static void AddDerefSource(raw_ostream &os,
SmallVectorImpl<SourceRange> &Ranges, SmallVectorImpl<SourceRange> &Ranges,
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Lines
} }
static bool isDeclRefExprToReference(const Expr *E) { static bool isDeclRefExprToReference(const Expr *E) {
if (const auto *DRE = dyn_cast<DeclRefExpr>(E)) if (const auto *DRE = dyn_cast<DeclRefExpr>(E))
return DRE->getDecl()->getType()->isReferenceType(); return DRE->getDecl()->getType()->isReferenceType();
return false; return false;
} }
void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S, void DereferenceChecker::reportBug(DerefKind K, ProgramStateRef State,
CheckerContext &C) const { const Stmt *S, CheckerContext &C) const {
const BugType *BT = nullptr;
llvm::StringRef DerefStr1;
llvm::StringRef DerefStr2;
switch (K) {
case DerefKind::NullPointer:
BT = &BT_Null;
DerefStr1 = " results in a null pointer dereference";
DerefStr2 = " results in a dereference of a null pointer";
break;
case DerefKind::UndefinedPointerValue:
BT = &BT_Undef;
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Add "results in a " here?

balazske: Add "results in a " here?
gamesh411Unsubmitted
Not Done
ReplyInline Actions

IMHO I would add the "results in a " part here, as this is part of the process of creating the diagnostic anyway.

gamesh411: IMHO I would add the "results in a " part here, as this is part of the process of creating the…
DerefStr1 = " results in an undefined pointer dereference";
DerefStr2 = " results in a dereference of an undefined pointer value";
break;
};
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateErrorNode(State); ExplodedNode *N = C.generateErrorNode(State);
if (!N) if (!N)
return; return;
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
SmallVector<SourceRange, 2> Ranges; SmallVector<SourceRange, 2> Ranges;
switch (S->getStmtClass()) { switch (S->getStmtClass()) {
case Stmt::ArraySubscriptExprClass: { case Stmt::ArraySubscriptExprClass: {
os << "Array access"; os << "Array access";
const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S); const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S);
AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(), AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
State.get(), N->getLocationContext()); State.get(), N->getLocationContext());
os << " results in a null pointer dereference"; os << DerefStr1;
break; break;
} }
case Stmt::OMPArraySectionExprClass: { case Stmt::OMPArraySectionExprClass: {
os << "Array access"; os << "Array access";
const OMPArraySectionExpr *AE = cast<OMPArraySectionExpr>(S); const OMPArraySectionExpr *AE = cast<OMPArraySectionExpr>(S);
AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(), AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
State.get(), N->getLocationContext()); State.get(), N->getLocationContext());
os << " results in a null pointer dereference"; os << DerefStr1;
break; break;
} }
case Stmt::UnaryOperatorClass: { case Stmt::UnaryOperatorClass: {
os << "Dereference of null pointer"; os << BT->getDescription();
const UnaryOperator *U = cast<UnaryOperator>(S); const UnaryOperator *U = cast<UnaryOperator>(S);
AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(), AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(),
State.get(), N->getLocationContext(), true); State.get(), N->getLocationContext(), true);
break; break;
} }
case Stmt::MemberExprClass: { case Stmt::MemberExprClass: {
const MemberExpr *M = cast<MemberExpr>(S); const MemberExpr *M = cast<MemberExpr>(S);
if (M->isArrow() || isDeclRefExprToReference(M->getBase())) { if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {
os << "Access to field '" << M->getMemberNameInfo() os << "Access to field '" << M->getMemberNameInfo() << "'" << DerefStr2;
<< "' results in a dereference of a null pointer";
AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(), AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(),
State.get(), N->getLocationContext(), true); State.get(), N->getLocationContext(), true);
} }
break; break;
} }
case Stmt::ObjCIvarRefExprClass: { case Stmt::ObjCIvarRefExprClass: {
const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S); const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S);
os << "Access to instance variable '" << *IV->getDecl() os << "Access to instance variable '" << *IV->getDecl() << "'" << DerefStr2;
<< "' results in a dereference of a null pointer";
AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(), AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),
State.get(), N->getLocationContext(), true); State.get(), N->getLocationContext(), true);
break; break;
} }
default: default:
break; break;
} }
auto report = std::make_unique<PathSensitiveBugReport>( auto report = std::make_unique<PathSensitiveBugReport>(
BT_Null, buf.empty() ? BT_Null.getDescription() : StringRef(buf), N); *BT, buf.empty() ? BT->getDescription() : StringRef(buf), N);
bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report); bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
for (SmallVectorImpl<SourceRange>::iterator for (SmallVectorImpl<SourceRange>::iterator
I = Ranges.begin(), E = Ranges.end(); I!=E; ++I) I = Ranges.begin(), E = Ranges.end(); I!=E; ++I)
report->addRange(*I); report->addRange(*I);
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S, void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
CheckerContext &C) const { CheckerContext &C) const {
// Check for dereference of an undefined value. // Check for dereference of an undefined value.
if (l.isUndef()) { if (l.isUndef()) {
if (ExplodedNode *N = C.generateErrorNode()) { const Expr *DerefExpr = getDereferenceExpr(S);
auto report = std::make_unique<PathSensitiveBugReport>( if (!suppressReport(DerefExpr))
BT_Undef, BT_Undef.getDescription(), N); reportBug(DerefKind::UndefinedPointerValue, C.getState(), DerefExpr, C);
bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
C.emitReport(std::move(report));
}
return; return;
} }
DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();
// Check for null dereferences. // Check for null dereferences.
if (!location.getAs<Loc>()) if (!location.getAs<Loc>())
return; return;
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
ProgramStateRef notNullState, nullState; ProgramStateRef notNullState, nullState;
std::tie(notNullState, nullState) = state->assume(location); std::tie(notNullState, nullState) = state->assume(location);
if (nullState) { if (nullState) {
if (!notNullState) { if (!notNullState) {
// We know that 'location' can only be null. This is what // We know that 'location' can only be null. This is what
// we call an "explicit" null dereference. // we call an "explicit" null dereference.
const Expr *expr = getDereferenceExpr(S); const Expr *expr = getDereferenceExpr(S);
if (!suppressReport(expr)) { if (!suppressReport(expr)) {
reportBug(nullState, expr, C); reportBug(DerefKind::NullPointer, nullState, expr, C);
return; return;
} }
} }
// Otherwise, we have the case where the location could either be // Otherwise, we have the case where the location could either be
// null or not-null. Record the error node as an "implicit" null // null or not-null. Record the error node as an "implicit" null
// dereference. // dereference.
if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) { if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {
Show All 25 Linesvoid DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
ProgramStateRef StNonNull, StNull; ProgramStateRef StNonNull, StNull;
std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>()); std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());
if (StNull) { if (StNull) {
if (!StNonNull) { if (!StNonNull) {
const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true); const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true);
if (!suppressReport(expr)) { if (!suppressReport(expr)) {
reportBug(StNull, expr, C); reportBug(DerefKind::NullPointer, StNull, expr, C);
return; return;
} }
} }
// At this point the value could be either null or non-null. // At this point the value could be either null or non-null.
// Record this as an "implicit" null dereference. // Record this as an "implicit" null dereference.
if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) { if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {
ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N, ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,
Show All 32 Lines

clang/test/Analysis/invalid-deref.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
typedef unsigned uintptr_t;
void f1() {
int *p;
*p = 0; // expected-warning{{Dereference of undefined pointer value}}
}
struct foo_struct {
int x;
};
int f2() {
struct foo_struct *p;
return p->x++; // expected-warning{{Access to field 'x' results in a dereference of an undefined pointer value (loaded from variable 'p')}}
}
int f3() {
char *x;
int i = 2;
return x[i + 1]; // expected-warning{{Array access (from variable 'x') results in an undefined pointer dereference}}
}
int f3_b() {
char *x;
int i = 2;
return x[i + 1]++; // expected-warning{{Array access (from variable 'x') results in an undefined pointer dereference}}
}

clang/test/Analysis/misc-ps-region-store.m

Show First 20 LinesShow All 1,151 Lines▼ Show 20 Lines
struct list_pr8141 struct list_pr8141
{ {
struct list_pr8141 *tail; struct list_pr8141 *tail;
}; };
struct list_pr8141 * struct list_pr8141 *
pr8141 (void) { pr8141 (void) {
struct list_pr8141 *items; struct list_pr8141 *items;
for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{Dereference of undefined pointer value}} for (;; items = ({ do { } while (0); items->tail; })) // expected-warning{{dereference of an undefined pointer value}}
SzelethusUnsubmitted
Done
ReplyInline Actions

Is this the entire message? Because traditionally, analyzer warnings start with an upper case and don't terminate.

Szelethus: Is this the entire message? Because traditionally, analyzer warnings start with an upper case…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Full message is:
Access to field 'tail' results in a dereference of an undefined pointer value (loaded from variable 'items') [core.NullDereference]

balazske: Full message is: `Access to field 'tail' results in a dereference of an undefined pointer value…
{ {
} }
} }
// Don't crash when building the CFG. // Don't crash when building the CFG.
void do_not_crash(int x) { void do_not_crash(int x) {
while (x - ({do {} while (0); x; })) { while (x - ({do {} while (0); x; })) {
} }
▲ Show 20 LinesShow All 198 LinesShow Last 20 Lines