This is an archive of the discontinued LLVM Phabricator instance.

Differential D85817

[analyzer] Fix crash with pointer to members values
ClosedPublic

Authored by vsavchenko on Aug 12 2020, 1:17 AM.

Details

Reviewers
NoQ
dcoughlin
xazax.hun
Szelethus
Commits
rG9cbfdde2ea06: [analyzer] Fix crash with pointer to members values
Summary

This fix unifies all of the different ways we handled pointer to
members into one. The crash was caused by the fact that the type
of pointer-to-member values was void *, and while this works
for the vast majority of cases it breaks when we actually need
to explain the path for the report.

rdar://problem/64202361

Diff Detail

Event Timeline

vsavchenko created this revision.Aug 12 2020, 1:17 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 12 2020, 1:17 AM
Herald added subscribers: cfe-commits, steakhal, ASDenysPetrov and 9 others. · View Herald Transcript
vsavchenko requested review of this revision.Aug 12 2020, 1:17 AM
Harbormaster completed remote builds in B68073: Diff 285003.Aug 12 2020, 1:49 AM
NoQ added a comment.Aug 12 2020, 9:31 AM

That's a fix for https://bugs.llvm.org/show_bug.cgi?id=46264.

Your code looks great but i don't understand at a glance what the crash was caused by and how does your code fix it, can you explain? Like, the original test doesn't have any void *s and it doesn't have any indirect fields. Also the crash happens during visitor phase but the fixes are entirely during modeling phase.

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
2533–2535

Ok so you're saying that there's *always* going to be a surrounding operator &? That kind of makes sense but if you add more explanation/proof of how you figured this out that'd be great.

clang/test/Analysis/PR46264.cpp
6

I'm pretty sure the namespace is not actually important for the test. creduce is great but sometimes it misses stuff. Generally, i'm a big fan of manually cleaning up creduced test to make them look more like real code. At least turn things like b h; and e *i; into something like A a; and B *b;. Also replace class with struct because we never care about this entire public/private business and struct provides a nice default.

10

It's worth it to comment where exactly is this conversion operator used in the text (i.e., within the if-condition). People do in fact sometimes do this kind of thing in real life: provide a conversion to pointer-to-member *instead of* conversion to bool because it causes fewer potential further accidental implicit conversions to be possible.

vsavchenko added a comment.Aug 12 2020, 10:25 AM
In D85817#2213435, @NoQ wrote:

That's a fix for https://bugs.llvm.org/show_bug.cgi?id=46264.

Your code looks great but i don't understand at a glance what the crash was caused by and how does your code fix it, can you explain? Like, the original test doesn't have any void *s and it doesn't have any indirect fields. Also the crash happens during visitor phase but the fixes are entirely during modeling phase.

Sure! The problem was in the deleted code, we modeled FieldDecl and IndirectFieldDecl in such matter that &b::d ended up as void * and it was totally fine for path exploration, but the moment we try to explain such value is where we hit the assertion (I tried to explain that in the summary). I could've fixed the symptom and patch that, but it didn't seem right. It is not a pointer to void and it never was. Then I found out about the fact that we actually have a mechanism to deal with pointer to members. So I decided to remove the code with 2 FIXMEs (by doing one of the FIXMEs). Removing only FieldDecl from the condition would've fixed the original problem, but wouldn't have solved a very similar example with indirect fields (maybe I should expand the test to include that one as well). That's how I came to fixing the behavior for indirect fields as well.

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
2533–2535

I don't know actually that there's *always* a surrounding &, I mean it makes sense and I guess it is the only case we care about.

clang/test/Analysis/PR46264.cpp
6

I didn't change the code because it is the actual snippet from the bug report, but OK

10

OK, will do

NoQ accepted this revision.Aug 12 2020, 1:48 PM

Aha, i see, fair enough!

This revision is now accepted and ready to land.Aug 12 2020, 1:48 PM
vsavchenko updated this revision to Diff 285358.Aug 13 2020, 6:50 AM

Simplify the main test

vsavchenko updated this revision to Diff 285360.Aug 13 2020, 6:54 AM

Add "no crash" comments

Harbormaster completed remote builds in B68260: Diff 285360.Aug 13 2020, 7:54 AM
Closed by commit rG9cbfdde2ea06: [analyzer] Fix crash with pointer to members values (authored by vsavchenko). · Explain WhyAug 13 2020, 8:04 AM
This revision was automatically updated to reflect the committed changes.
vsavchenko added a commit: rG9cbfdde2ea06: [analyzer] Fix crash with pointer to members values.
Harbormaster completed remote builds in B68259: Diff 285358.Aug 13 2020, 8:07 AM
vsavchenko mentioned this in D95307: [StaticAnalyzer] Add checking for degenerate base class in MemRegion.Feb 1 2021, 12:22 AM
RedDocMD added a subscriber: RedDocMD.Feb 12 2021, 10:53 AM

@vsavchenko, why did you chose NamedDecl instead of ValueDecl to account for the indirect fields? I couldn't quite follow it from the discussion above.

vsavchenko added a comment.Feb 15 2021, 12:30 AM
In D85817#2560570, @RedDocMD wrote:

@vsavchenko, why did you chose NamedDecl instead of ValueDecl to account for the indirect fields? I couldn't quite follow it from the discussion above.

Looking at it now, I also don't know why 🤷

vsavchenko mentioned this in rGf8d3f47e1fd0: [analyzer] Updated comments to reflect D85817.Feb 15 2021, 12:48 AM
NoQ mentioned this in D104381: [analyzer] Added a test case for PR46264.Jun 24 2021, 9:53 AM
ASDenysPetrov mentioned this in D106152: [analyzer] Move test case to existing test file and remove duplicated test file..Jul 16 2021, 7:20 AM
ASDenysPetrov mentioned this in rG497b1b95e606: [analyzer] Move test case to existing test file and remove duplicated test file..Aug 10 2021, 9:12 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
16 lines
2 lines
4 lines
lib/
StaticAnalyzer/
Core/
25 lines
12 lines
5 lines
9 lines
16 lines
17 lines
test/
Analysis/
35 lines
58 lines

Diff 285373

clang/include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h

Show First 20 LinesShow All 73 Lines▼ Show 20 Linespublic:
static void Profile(llvm::FoldingSetNodeID& ID, static void Profile(llvm::FoldingSetNodeID& ID,
const StoreRef &store, const StoreRef &store,
const TypedValueRegion *region); const TypedValueRegion *region);
void Profile(llvm::FoldingSetNodeID& ID) { Profile(ID, store, region); } void Profile(llvm::FoldingSetNodeID& ID) { Profile(ID, store, region); }
}; };
class PointerToMemberData : public llvm::FoldingSetNode { class PointerToMemberData : public llvm::FoldingSetNode {
const DeclaratorDecl *D; const NamedDecl *D;
llvm::ImmutableList<const CXXBaseSpecifier *> L; llvm::ImmutableList<const CXXBaseSpecifier *> L;
public: public:
PointerToMemberData(const DeclaratorDecl *D, PointerToMemberData(const NamedDecl *D,
llvm::ImmutableList<const CXXBaseSpecifier *> L) llvm::ImmutableList<const CXXBaseSpecifier *> L)
: D(D), L(L) {} : D(D), L(L) {}
using iterator = llvm::ImmutableList<const CXXBaseSpecifier *>::iterator; using iterator = llvm::ImmutableList<const CXXBaseSpecifier *>::iterator;
iterator begin() const { return L.begin(); } iterator begin() const { return L.begin(); }
iterator end() const { return L.end(); } iterator end() const { return L.end(); }
static void Profile(llvm::FoldingSetNodeID& ID, const DeclaratorDecl *D, static void Profile(llvm::FoldingSetNodeID &ID, const NamedDecl *D,
llvm::ImmutableList<const CXXBaseSpecifier *> L); llvm::ImmutableList<const CXXBaseSpecifier *> L);
void Profile(llvm::FoldingSetNodeID& ID) { Profile(ID, D, L); } void Profile(llvm::FoldingSetNodeID &ID) { Profile(ID, D, L); }
const DeclaratorDecl *getDeclaratorDecl() const {return D;} const NamedDecl *getDeclaratorDecl() const { return D; }
llvm::ImmutableList<const CXXBaseSpecifier *> getCXXBaseList() const { llvm::ImmutableList<const CXXBaseSpecifier *> getCXXBaseList() const {
return L; return L;
} }
}; };
class BasicValueFactory { class BasicValueFactory {
using APSIntSetTy = using APSIntSetTy =
▲ Show 20 LinesShow All 123 Lines▼ Show 20 Linespublic:
} }
const CompoundValData *getCompoundValData(QualType T, const CompoundValData *getCompoundValData(QualType T,
llvm::ImmutableList<SVal> Vals); llvm::ImmutableList<SVal> Vals);
const LazyCompoundValData *getLazyCompoundValData(const StoreRef &store, const LazyCompoundValData *getLazyCompoundValData(const StoreRef &store,
const TypedValueRegion *region); const TypedValueRegion *region);
const PointerToMemberData *getPointerToMemberData( const PointerToMemberData *
const DeclaratorDecl *DD, getPointerToMemberData(const NamedDecl *ND,
llvm::ImmutableList<const CXXBaseSpecifier *> L); llvm::ImmutableList<const CXXBaseSpecifier *> L);
llvm::ImmutableList<SVal> getEmptySValList() { llvm::ImmutableList<SVal> getEmptySValList() {
return SValListFactory.getEmptyList(); return SValListFactory.getEmptyList();
} }
llvm::ImmutableList<SVal> prependSVal(SVal X, llvm::ImmutableList<SVal> L) { llvm::ImmutableList<SVal> prependSVal(SVal X, llvm::ImmutableList<SVal> L) {
return SValListFactory.add(X, L); return SValListFactory.add(X, L);
} }
Show All 33 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

Show First 20 LinesShow All 227 Lines▼ Show 20 Lines DefinedOrUnknownSVal getDerivedRegionValueSymbolVal(
SymbolRef parentSymbol, const TypedValueRegion *region); SymbolRef parentSymbol, const TypedValueRegion *region);
DefinedSVal getMetadataSymbolVal(const void *symbolTag, DefinedSVal getMetadataSymbolVal(const void *symbolTag,
const MemRegion *region, const MemRegion *region,
const Expr *expr, QualType type, const Expr *expr, QualType type,
const LocationContext *LCtx, const LocationContext *LCtx,
unsigned count); unsigned count);
DefinedSVal getMemberPointer(const DeclaratorDecl *DD); DefinedSVal getMemberPointer(const NamedDecl *ND);
DefinedSVal getFunctionPointer(const FunctionDecl *func); DefinedSVal getFunctionPointer(const FunctionDecl *func);
DefinedSVal getBlockPointer(const BlockDecl *block, CanQualType locTy, DefinedSVal getBlockPointer(const BlockDecl *block, CanQualType locTy,
const LocationContext *locContext, const LocationContext *locContext,
unsigned blockCount); unsigned blockCount);
/// Returns the value of \p E, if it can be determined in a non-path-sensitive /// Returns the value of \p E, if it can be determined in a non-path-sensitive
▲ Show 20 LinesShow All 151 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h

Show First 20 LinesShow All 514 Lines▼ Show 20 Lines
/// pointer or a member data pointer and a list of CXXBaseSpecifiers. This list /// pointer or a member data pointer and a list of CXXBaseSpecifiers. This list
/// is required to accumulate the pointer-to-member cast history to figure out /// is required to accumulate the pointer-to-member cast history to figure out
/// the correct subobject field. /// the correct subobject field.
class PointerToMember : public NonLoc { class PointerToMember : public NonLoc {
friend class ento::SValBuilder; friend class ento::SValBuilder;
public: public:
using PTMDataType = using PTMDataType =
llvm::PointerUnion<const DeclaratorDecl *, const PointerToMemberData *>; llvm::PointerUnion<const NamedDecl *, const PointerToMemberData *>;
const PTMDataType getPTMData() const { const PTMDataType getPTMData() const {
return PTMDataType::getFromOpaqueValue(const_cast<void *>(Data)); return PTMDataType::getFromOpaqueValue(const_cast<void *>(Data));
} }
bool isNullMemberPointer() const; bool isNullMemberPointer() const;
const DeclaratorDecl *getDecl() const; const NamedDecl *getDecl() const;
template<typename AdjustedDecl> template<typename AdjustedDecl>
const AdjustedDecl *getDeclAs() const { const AdjustedDecl *getDeclAs() const {
return dyn_cast_or_null<AdjustedDecl>(getDecl()); return dyn_cast_or_null<AdjustedDecl>(getDecl());
} }
using iterator = llvm::ImmutableList<const CXXBaseSpecifier *>::iterator; using iterator = llvm::ImmutableList<const CXXBaseSpecifier *>::iterator;
▲ Show 20 LinesShow All 128 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp

Show All 36 Lines
void LazyCompoundValData::Profile(llvm::FoldingSetNodeID& ID, void LazyCompoundValData::Profile(llvm::FoldingSetNodeID& ID,
const StoreRef &store, const StoreRef &store,
const TypedValueRegion *region) { const TypedValueRegion *region) {
ID.AddPointer(store.getStore()); ID.AddPointer(store.getStore());
ID.AddPointer(region); ID.AddPointer(region);
} }
void PointerToMemberData::Profile( void PointerToMemberData::Profile(
llvm::FoldingSetNodeID& ID, const DeclaratorDecl *D, llvm::FoldingSetNodeID &ID, const NamedDecl *D,
llvm::ImmutableList<const CXXBaseSpecifier *> L) { llvm::ImmutableList<const CXXBaseSpecifier *> L) {
ID.AddPointer(D); ID.AddPointer(D);
ID.AddPointer(L.getInternalPointer()); ID.AddPointer(L.getInternalPointer());
} }
using SValData = std::pair<SVal, uintptr_t>; using SValData = std::pair<SVal, uintptr_t>;
using SValPair = std::pair<SVal, SVal>; using SValPair = std::pair<SVal, SVal>;
▲ Show 20 LinesShow All 100 Lines▼ Show 20 Lines if (!D) {
new (D) LazyCompoundValData(store, region); new (D) LazyCompoundValData(store, region);
LazyCompoundValDataSet.InsertNode(D, InsertPos); LazyCompoundValDataSet.InsertNode(D, InsertPos);
} }
return D; return D;
} }
const PointerToMemberData *BasicValueFactory::getPointerToMemberData( const PointerToMemberData *BasicValueFactory::getPointerToMemberData(
const DeclaratorDecl *DD, llvm::ImmutableList<const CXXBaseSpecifier *> L) { const NamedDecl *ND, llvm::ImmutableList<const CXXBaseSpecifier *> L) {
llvm::FoldingSetNodeID ID; llvm::FoldingSetNodeID ID;
PointerToMemberData::Profile(ID, DD, L); PointerToMemberData::Profile(ID, ND, L);
void *InsertPos; void *InsertPos;
PointerToMemberData *D = PointerToMemberData *D =
PointerToMemberDataSet.FindNodeOrInsertPos(ID, InsertPos); PointerToMemberDataSet.FindNodeOrInsertPos(ID, InsertPos);
if (!D) { if (!D) {
D = (PointerToMemberData*) BPAlloc.Allocate<PointerToMemberData>(); D = (PointerToMemberData *)BPAlloc.Allocate<PointerToMemberData>();
new (D) PointerToMemberData(DD, L); new (D) PointerToMemberData(ND, L);
PointerToMemberDataSet.InsertNode(D, InsertPos); PointerToMemberDataSet.InsertNode(D, InsertPos);
} }
return D; return D;
} }
const PointerToMemberData *BasicValueFactory::accumCXXBase( const PointerToMemberData *BasicValueFactory::accumCXXBase(
llvm::iterator_range<CastExpr::path_const_iterator> PathRange, llvm::iterator_range<CastExpr::path_const_iterator> PathRange,
const nonloc::PointerToMember &PTM) { const nonloc::PointerToMember &PTM) {
nonloc::PointerToMember::PTMDataType PTMDT = PTM.getPTMData(); nonloc::PointerToMember::PTMDataType PTMDT = PTM.getPTMData();
const DeclaratorDecl *DD = nullptr; const NamedDecl *ND = nullptr;
llvm::ImmutableList<const CXXBaseSpecifier *> PathList; llvm::ImmutableList<const CXXBaseSpecifier *> PathList;
if (PTMDT.isNull() || PTMDT.is<const DeclaratorDecl *>()) { if (PTMDT.isNull() || PTMDT.is<const NamedDecl *>()) {
if (PTMDT.is<const DeclaratorDecl *>()) if (PTMDT.is<const NamedDecl *>())
DD = PTMDT.get<const DeclaratorDecl *>(); ND = PTMDT.get<const NamedDecl *>();
PathList = CXXBaseListFactory.getEmptyList(); PathList = CXXBaseListFactory.getEmptyList();
} else { // const PointerToMemberData * } else { // const PointerToMemberData *
const PointerToMemberData *PTMD = const PointerToMemberData *PTMD = PTMDT.get<const PointerToMemberData *>();
PTMDT.get<const PointerToMemberData *>(); ND = PTMD->getDeclaratorDecl();
DD = PTMD->getDeclaratorDecl();
PathList = PTMD->getCXXBaseList(); PathList = PTMD->getCXXBaseList();
} }
for (const auto &I : llvm::reverse(PathRange)) for (const auto &I : llvm::reverse(PathRange))
PathList = prependCXXBase(I, PathList); PathList = prependCXXBase(I, PathList);
return getPointerToMemberData(DD, PathList); return getPointerToMemberData(ND, PathList);
} }
const llvm::APSInt* const llvm::APSInt*
BasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op, BasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op,
const llvm::APSInt& V1, const llvm::APSInt& V2) { const llvm::APSInt& V1, const llvm::APSInt& V2) {
switch (Op) { switch (Op) {
default: default:
llvm_unreachable("Invalid Opcode."); llvm_unreachable("Invalid Opcode.");
▲ Show 20 LinesShow All 142 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 2,524 Lines▼ Show 20 Linesvoid ExprEngine::VisitCommonDeclRefExpr(const Expr *Ex, const NamedDecl *D,
} }
if (const auto *FD = dyn_cast<FunctionDecl>(D)) { if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
SVal V = svalBuilder.getFunctionPointer(FD); SVal V = svalBuilder.getFunctionPointer(FD);
Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr, Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
ProgramPoint::PostLValueKind); ProgramPoint::PostLValueKind);
return; return;
} }
if (isa<FieldDecl>(D) || isa<IndirectFieldDecl>(D)) { if (isa<FieldDecl>(D) || isa<IndirectFieldDecl>(D)) {
// FIXME: Compute lvalue of field pointers-to-member. // Delegate all work related to pointer to members to the surrounding
// Right now we just use a non-null void pointer, so that it gives proper // operator&.
// results in boolean contexts.
// FIXME: Maybe delegate this to the surrounding operator&.
// Note how this expression is lvalue, however pointer-to-member is NonLoc.
SVal V = svalBuilder.conjureSymbolVal(Ex, LCtx, getContext().VoidPtrTy,
currBldrCtx->blockCount());
state = state->assume(V.castAs<DefinedOrUnknownSVal>(), true);
Bldr.generateNode(Ex, Pred, state->BindExpr(Ex, LCtx, V), nullptr,
ProgramPoint::PostLValueKind);
return; return;
NoQUnsubmitted
Not Done
ReplyInline Actions

Ok so you're saying that there's *always* going to be a surrounding operator &? That kind of makes sense but if you add more explanation/proof of how you figured this out that'd be great.

NoQ: Ok so you're saying that there's *always* going to be a surrounding operator `&`? That kind of…
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

I don't know actually that there's *always* a surrounding &, I mean it makes sense and I guess it is the only case we care about.

vsavchenko: I don't know actually that there's *always* a surrounding `&`, I mean it makes sense and I…
} }
if (isa<BindingDecl>(D)) { if (isa<BindingDecl>(D)) {
// FIXME: proper support for bound declarations. // FIXME: proper support for bound declarations.
// For now, let's just prevent crashing. // For now, let's just prevent crashing.
return; return;
} }
llvm_unreachable("Support for this Decl not implemented."); llvm_unreachable("Support for this Decl not implemented.");
▲ Show 20 LinesShow All 677 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 LinesShow All 985 Lines▼ Show 20 Lines for (ExplodedNodeSet::iterator I = CheckedSet.begin(), E = CheckedSet.end();
} }
case UO_AddrOf: { case UO_AddrOf: {
// Process pointer-to-member address operation. // Process pointer-to-member address operation.
const Expr *Ex = U->getSubExpr()->IgnoreParens(); const Expr *Ex = U->getSubExpr()->IgnoreParens();
if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Ex)) { if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(Ex)) {
const ValueDecl *VD = DRE->getDecl(); const ValueDecl *VD = DRE->getDecl();
if (isa<CXXMethodDecl>(VD) || isa<FieldDecl>(VD)) { if (isa<CXXMethodDecl>(VD) || isa<FieldDecl>(VD) ||
isa<IndirectFieldDecl>(VD)) {
ProgramStateRef State = (*I)->getState(); ProgramStateRef State = (*I)->getState();
const LocationContext *LCtx = (*I)->getLocationContext(); const LocationContext *LCtx = (*I)->getLocationContext();
SVal SV = svalBuilder.getMemberPointer(cast<DeclaratorDecl>(VD)); SVal SV = svalBuilder.getMemberPointer(cast<NamedDecl>(VD));
Bldr.generateNode(U, *I, State->BindExpr(U, LCtx, SV)); Bldr.generateNode(U, *I, State->BindExpr(U, LCtx, SV));
break; break;
} }
} }
// Explicitly proceed with default handler for this case cascade. // Explicitly proceed with default handler for this case cascade.
handleUOExtension(I, U, Bldr); handleUOExtension(I, U, Bldr);
break; break;
} }
▲ Show 20 LinesShow All 169 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/SValBuilder.cpp

Show First 20 LinesShow All 230 Lines▼ Show 20 LinesSValBuilder::getDerivedRegionValueSymbolVal(SymbolRef parentSymbol,
SymbolRef sym = SymMgr.getDerivedSymbol(parentSymbol, region); SymbolRef sym = SymMgr.getDerivedSymbol(parentSymbol, region);
if (Loc::isLocType(T)) if (Loc::isLocType(T))
return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym)); return loc::MemRegionVal(MemMgr.getSymbolicRegion(sym));
return nonloc::SymbolVal(sym); return nonloc::SymbolVal(sym);
} }
DefinedSVal SValBuilder::getMemberPointer(const DeclaratorDecl *DD) { DefinedSVal SValBuilder::getMemberPointer(const NamedDecl *ND) {
assert(!DD || isa<CXXMethodDecl>(DD) || isa<FieldDecl>(DD)); assert(!ND || isa<CXXMethodDecl>(ND) || isa<FieldDecl>(ND) ||
isa<IndirectFieldDecl>(ND));
if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(DD)) { if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(ND)) {
// Sema treats pointers to static member functions as have function pointer // Sema treats pointers to static member functions as have function pointer
// type, so return a function pointer for the method. // type, so return a function pointer for the method.
// We don't need to play a similar trick for static member fields // We don't need to play a similar trick for static member fields
// because these are represented as plain VarDecls and not FieldDecls // because these are represented as plain VarDecls and not FieldDecls
// in the AST. // in the AST.
if (MD->isStatic()) if (MD->isStatic())
return getFunctionPointer(MD); return getFunctionPointer(MD);
} }
return nonloc::PointerToMember(DD); return nonloc::PointerToMember(ND);
} }
DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) { DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) {
return loc::MemRegionVal(MemMgr.getFunctionCodeRegion(func)); return loc::MemRegionVal(MemMgr.getFunctionCodeRegion(func));
} }
DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block, DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block,
CanQualType locTy, CanQualType locTy,
▲ Show 20 LinesShow All 394 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/SVals.cpp

Show First 20 LinesShow All 151 Lines▼ Show 20 Lines
const TypedValueRegion *nonloc::LazyCompoundVal::getRegion() const { const TypedValueRegion *nonloc::LazyCompoundVal::getRegion() const {
return static_cast<const LazyCompoundValData*>(Data)->getRegion(); return static_cast<const LazyCompoundValData*>(Data)->getRegion();
} }
bool nonloc::PointerToMember::isNullMemberPointer() const { bool nonloc::PointerToMember::isNullMemberPointer() const {
return getPTMData().isNull(); return getPTMData().isNull();
} }
const DeclaratorDecl *nonloc::PointerToMember::getDecl() const { const NamedDecl *nonloc::PointerToMember::getDecl() const {
const auto PTMD = this->getPTMData(); const auto PTMD = this->getPTMData();
if (PTMD.isNull()) if (PTMD.isNull())
return nullptr; return nullptr;
const DeclaratorDecl *DD = nullptr; const NamedDecl *ND = nullptr;
if (PTMD.is<const DeclaratorDecl *>()) if (PTMD.is<const NamedDecl *>())
DD = PTMD.get<const DeclaratorDecl *>(); ND = PTMD.get<const NamedDecl *>();
else else
DD = PTMD.get<const PointerToMemberData *>()->getDeclaratorDecl(); ND = PTMD.get<const PointerToMemberData *>()->getDeclaratorDecl();
return DD; return ND;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Other Iterators. // Other Iterators.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
nonloc::CompoundVal::iterator nonloc::CompoundVal::begin() const { nonloc::CompoundVal::iterator nonloc::CompoundVal::begin() const {
return getValue()->begin(); return getValue()->begin();
} }
nonloc::CompoundVal::iterator nonloc::CompoundVal::end() const { nonloc::CompoundVal::iterator nonloc::CompoundVal::end() const {
return getValue()->end(); return getValue()->end();
} }
nonloc::PointerToMember::iterator nonloc::PointerToMember::begin() const { nonloc::PointerToMember::iterator nonloc::PointerToMember::begin() const {
const PTMDataType PTMD = getPTMData(); const PTMDataType PTMD = getPTMData();
if (PTMD.is<const DeclaratorDecl *>()) if (PTMD.is<const NamedDecl *>())
return {}; return {};
return PTMD.get<const PointerToMemberData *>()->begin(); return PTMD.get<const PointerToMemberData *>()->begin();
} }
nonloc::PointerToMember::iterator nonloc::PointerToMember::end() const { nonloc::PointerToMember::iterator nonloc::PointerToMember::end() const {
const PTMDataType PTMD = getPTMData(); const PTMDataType PTMD = getPTMData();
if (PTMD.is<const DeclaratorDecl *>()) if (PTMD.is<const NamedDecl *>())
return {}; return {};
return PTMD.get<const PointerToMemberData *>()->end(); return PTMD.get<const PointerToMemberData *>()->end();
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Useful predicates. // Useful predicates.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 172 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 LinesShow All 1,100 Lines▼ Show 20 Lines case loc::MemRegionValKind: {
// If we get here, we have no way of comparing the regions. // If we get here, we have no way of comparing the regions.
return UnknownVal(); return UnknownVal();
} }
} }
} }
SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state, SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state,
BinaryOperator::Opcode op, BinaryOperator::Opcode op, Loc lhs,
Loc lhs, NonLoc rhs, QualType resultTy) { NonLoc rhs, QualType resultTy) {
if (op >= BO_PtrMemD && op <= BO_PtrMemI) { if (op >= BO_PtrMemD && op <= BO_PtrMemI) {
if (auto PTMSV = rhs.getAs<nonloc::PointerToMember>()) { if (auto PTMSV = rhs.getAs<nonloc::PointerToMember>()) {
if (PTMSV->isNullMemberPointer()) if (PTMSV->isNullMemberPointer())
return UndefinedVal(); return UndefinedVal();
if (const FieldDecl *FD = PTMSV->getDeclAs<FieldDecl>()) {
auto getFieldLValue = [&](const auto *FD) -> SVal {
SVal Result = lhs; SVal Result = lhs;
for (const auto &I : *PTMSV) for (const auto &I : *PTMSV)
Result = StateMgr.getStoreManager().evalDerivedToBase( Result = StateMgr.getStoreManager().evalDerivedToBase(
Result, I->getType(),I->isVirtual()); Result, I->getType(), I->isVirtual());
return state->getLValue(FD, Result); return state->getLValue(FD, Result);
};
if (const auto *FD = PTMSV->getDeclAs<FieldDecl>()) {
return getFieldLValue(FD);
}
if (const auto *FD = PTMSV->getDeclAs<IndirectFieldDecl>()) {
return getFieldLValue(FD);
} }
} }
return rhs; return rhs;
} }
assert(!BinaryOperator::isComparisonOp(op) && assert(!BinaryOperator::isComparisonOp(op) &&
"arguments to comparison ops must be of the same type"); "arguments to comparison ops must be of the same type");
▲ Show 20 LinesShow All 226 LinesShow Last 20 Lines

clang/test/Analysis/PR46264.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
// rdar://problem/64202361
struct A {
int a;
NoQUnsubmitted
Not Done
ReplyInline Actions

I'm pretty sure the namespace is not actually important for the test. creduce is great but sometimes it misses stuff. Generally, i'm a big fan of manually cleaning up creduced test to make them look more like real code. At least turn things like b h; and e *i; into something like A a; and B *b;. Also replace class with struct because we never care about this entire public/private business and struct provides a nice default.

NoQ: I'm pretty sure the namespace is not actually important for the test. `creduce` is great but…
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

I didn't change the code because it is the actual snippet from the bug report, but OK

vsavchenko: I didn't change the code because it is the actual snippet from the bug report, but OK
struct {
struct {
int b;
union {
NoQUnsubmitted
Not Done
ReplyInline Actions

It's worth it to comment where exactly is this conversion operator used in the text (i.e., within the if-condition). People do in fact sometimes do this kind of thing in real life: provide a conversion to pointer-to-member *instead of* conversion to bool because it causes fewer potential further accidental implicit conversions to be possible.

NoQ: It's worth it to comment where exactly is this conversion operator used in the text (i.e.
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

OK, will do

vsavchenko: OK, will do
int c;
};
};
};
};
int testCrash() {
int *x = 0;
int A::*ap = &A::a;
if (ap) // no crash
return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}}
return 10;
}
int testIndirectCrash() {
int *x = 0;
int A::*cp = &A::c;
if (cp) // no crash
return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}}
return 10;
}

clang/test/Analysis/pointer-to-member.cpp

Show First 20 LinesShow All 227 Lines▼ Show 20 Linesvoid double_diamond() {
clang_analyzer_eval(d2.*(static_cast<int D2::*>(static_cast<int R2::*>(static_cast<int L1::*>(&B::f)))) == 2); // expected-warning {{TRUE}} clang_analyzer_eval(d2.*(static_cast<int D2::*>(static_cast<int R2::*>(static_cast<int L1::*>(&B::f)))) == 2); // expected-warning {{TRUE}}
clang_analyzer_eval(d2.*(static_cast<int D2::*>(static_cast<int L2::*>(static_cast<int R1::*>(&B::f)))) == 3); // expected-warning {{TRUE}} clang_analyzer_eval(d2.*(static_cast<int D2::*>(static_cast<int L2::*>(static_cast<int R1::*>(&B::f)))) == 3); // expected-warning {{TRUE}}
clang_analyzer_eval(d2.*(static_cast<int D2::*>(static_cast<int R2::*>(static_cast<int R1::*>(&B::f)))) == 4); // expected-warning {{TRUE}} clang_analyzer_eval(d2.*(static_cast<int D2::*>(static_cast<int R2::*>(static_cast<int R1::*>(&B::f)))) == 4); // expected-warning {{TRUE}}
} }
} // end of testPointerToMemberDiamond namespace } // end of testPointerToMemberDiamond namespace
namespace testAnonymousMember { namespace testAnonymousMember {
struct A { struct A {
int a;
struct { struct {
int x; int b;
int c;
}; };
struct { struct {
struct { struct {
int y; int d;
int e;
}; };
}; };
struct { struct {
union { union {
int z; int f;
}; };
}; };
}; };
void test() { void test() {
clang_analyzer_eval(&A::x); // expected-warning{{TRUE}} clang_analyzer_eval(&A::a); // expected-warning{{TRUE}}
clang_analyzer_eval(&A::y); // expected-warning{{TRUE}} clang_analyzer_eval(&A::b); // expected-warning{{TRUE}}
clang_analyzer_eval(&A::z); // expected-warning{{TRUE}} clang_analyzer_eval(&A::c); // expected-warning{{TRUE}}
clang_analyzer_eval(&A::d); // expected-warning{{TRUE}}
// FIXME: These should be true. clang_analyzer_eval(&A::e); // expected-warning{{TRUE}}
int A::*l = &A::x, A::*m = &A::y, A::*n = &A::z; clang_analyzer_eval(&A::f); // expected-warning{{TRUE}}
clang_analyzer_eval(l); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m); // expected-warning{{UNKNOWN}} int A::*ap = &A::a,
clang_analyzer_eval(n); // expected-warning{{UNKNOWN}} A::*bp = &A::b,
A::*cp = &A::c,
A::*dp = &A::d,
A::*ep = &A::e,
A::*fp = &A::f;
clang_analyzer_eval(ap); // expected-warning{{TRUE}}
clang_analyzer_eval(bp); // expected-warning{{TRUE}}
clang_analyzer_eval(cp); // expected-warning{{TRUE}}
clang_analyzer_eval(dp); // expected-warning{{TRUE}}
clang_analyzer_eval(ep); // expected-warning{{TRUE}}
clang_analyzer_eval(fp); // expected-warning{{TRUE}}
// FIXME: These should be true as well.
A a; A a;
a.x = 1; a.a = 1;
clang_analyzer_eval(a.*l == 1); // expected-warning{{UNKNOWN}} a.b = 2;
a.y = 2; a.c = 3;
clang_analyzer_eval(a.*m == 2); // expected-warning{{UNKNOWN}} a.d = 4;
a.z = 3; a.e = 5;
clang_analyzer_eval(a.*n == 3); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a.*ap == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(a.*bp == 2); // expected-warning{{TRUE}}
clang_analyzer_eval(a.*cp == 3); // expected-warning{{TRUE}}
clang_analyzer_eval(a.*dp == 4); // expected-warning{{TRUE}}
clang_analyzer_eval(a.*ep == 5); // expected-warning{{TRUE}}
} }
} // end of testAnonymousMember namespace } // namespace testAnonymousMember