This is an archive of the discontinued LLVM Phabricator instance.

Differential D86870

[analyzer] Add more tests for ArrayBoundCheckerV2
ClosedPublic

Authored by steakhal on Aug 31 2020, 4:30 AM.

Details

Reviewers
NoQ
vsavchenko
xazax.hun
Szelethus
martong
Commits
rG0dc0e2a9ab3c: [analyzer][NFC] Add more tests for ArrayBoundCheckerV2
Summary

According to a Bugzilla ticket, ArrayBoundCheckerV2 produces a false-positive report.
This patch adds a test demonstrating the current flawed behavior.
Also adds several similar test cases just to be on the safe side.

Diff Detail

Event Timeline

steakhal created this revision.Aug 31 2020, 4:30 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 31 2020, 4:30 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso and 8 others. · View Herald Transcript
steakhal requested review of this revision.Aug 31 2020, 4:30 AM
steakhal edited the summary of this revision. (Show Details)
steakhal added a child revision: D86873: [analyzer][NFC] Refactor ArrayBoundCheckerV2.Aug 31 2020, 4:53 AM
Harbormaster completed remote builds in B70085: Diff 288921.Aug 31 2020, 5:07 AM
martong added inline comments.Sep 1 2020, 1:23 AM
clang/test/Analysis/out-of-bounds-false-positive.c
34

Hmm, this seems to be quite redundant with the size_t tests. Why is it not enough to have test for one unsigned type?
Are you trying to check for overflow errors? Then I'd expect to have indexes around UINT_MAX and so on.

Same comment applies to the tests with the signed types.

steakhal added inline comments.Sep 1 2020, 1:52 AM
clang/test/Analysis/out-of-bounds-false-positive.c
34

In the current implementation - and in any implementation of the checker logic will have to deal with integral-promotion during the simplification of the array indexer expression and the given extent.
All of these can have different signess and bitwidth which makes the implementation quite tricky.

In fact, this resulted in the bug, which this patch-stack aims to fix.
I'm gonna highlight the related parts in the refactoring patch if you think it helps.

martong accepted this revision.Sep 1 2020, 2:04 AM
martong added inline comments.
clang/test/Analysis/out-of-bounds-false-positive.c
34

Okay, makes sense.

It's just very painful to have code repetitions, even in the test code. In gtest unittests we can have tests with type parameters to avoid this kind of repetition. But I guess, there is no way to get rid of this repetition in lit tests.

This revision is now accepted and ready to land.Sep 1 2020, 2:04 AM
steakhal added inline comments.Sep 1 2020, 2:47 AM
clang/test/Analysis/out-of-bounds-false-positive.c
34

You can imagine duplicating all of this several times, since the constant in the subscript expression could also have different types, such as: unsigned, long, unsigned long, etc. Potentially uncovering bugs.
However, I was reluctant to add those as well :|

I could introduce a macro, to expand these - but IMO macros in tests ehh. probably reduces readability.

martong added inline comments.Sep 1 2020, 2:56 AM
clang/test/Analysis/out-of-bounds-false-positive.c
34

Macros, ehh.

Could it work if we instantiated a test function template with the types as parameters? AFAIK, we analyze all instantiations as top level. The problem seems to be with the -verify and matching the expected-warning for each instantiation...

Closed by commit rG0dc0e2a9ab3c: [analyzer][NFC] Add more tests for ArrayBoundCheckerV2 (authored by Balazs Benics <balazsbenics@sigmatechnology.se>). · Explain WhyMar 10 2021, 3:36 AM
This revision was automatically updated to reflect the committed changes.
Balazs Benics <balazsbenics@sigmatechnology.se> added a commit: rG0dc0e2a9ab3c: [analyzer][NFC] Add more tests for ArrayBoundCheckerV2.

Revision Contents

PathSize
clang/
test/
Analysis/
101 lines

Diff 288921

clang/test/Analysis/out-of-bounds-false-positive.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.security.ArrayBoundV2,debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false -verify %s
void clang_analyzer_eval(int);
void clang_analyzer_printState();
typedef unsigned long long size_t;
const char a[] = "abcd"; // extent: 5 bytes
void symbolic_size_t_and_int0(size_t len) {
// FIXME: Should not warn for this.
(void)a[len + 1]; // expected-warning {{Out of bound memory access}}
// We infered that the 'len' must be in a specific range to make the previous indexing valid.
// len: [0,3]
clang_analyzer_eval(len <= 3); // expected - warning {{TRUE}}
clang_analyzer_eval(len <= 2); // expected - warning {{UNKNOWN}}
}
void symbolic_size_t_and_int1(size_t len) {
(void)a[len]; // no-warning
// len: [0,4]
clang_analyzer_eval(len <= 4); // expected-warning {{TRUE}}
clang_analyzer_eval(len <= 3); // expected-warning {{UNKNOWN}}
}
void symbolic_size_t_and_int2(size_t len) {
(void)a[len - 1]; // no-warning
// len: [1,5]
clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
clang_analyzer_eval(2 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 4); // expected-warning {{UNKNOWN}}
}
void symbolic_uint_and_int0(unsigned len) {
martongUnsubmitted
Not Done
ReplyInline Actions

Hmm, this seems to be quite redundant with the size_t tests. Why is it not enough to have test for one unsigned type?
Are you trying to check for overflow errors? Then I'd expect to have indexes around UINT_MAX and so on.

Same comment applies to the tests with the signed types.

martong: Hmm, this seems to be quite redundant with the `size_t` tests. Why is it not enough to have…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

In the current implementation - and in any implementation of the checker logic will have to deal with integral-promotion during the simplification of the array indexer expression and the given extent.
All of these can have different signess and bitwidth which makes the implementation quite tricky.

In fact, this resulted in the bug, which this patch-stack aims to fix.
I'm gonna highlight the related parts in the refactoring patch if you think it helps.

steakhal: In the current implementation - and in any implementation of the checker logic will have to…
martongUnsubmitted
Not Done
ReplyInline Actions

Okay, makes sense.

It's just very painful to have code repetitions, even in the test code. In gtest unittests we can have tests with type parameters to avoid this kind of repetition. But I guess, there is no way to get rid of this repetition in lit tests.

martong: Okay, makes sense. It's just very painful to have code repetitions, even in the test code. In…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

You can imagine duplicating all of this several times, since the constant in the subscript expression could also have different types, such as: unsigned, long, unsigned long, etc. Potentially uncovering bugs.
However, I was reluctant to add those as well :|

I could introduce a macro, to expand these - but IMO macros in tests ehh. probably reduces readability.

steakhal: You can imagine duplicating all of this several times, since the constant in the subscript…
martongUnsubmitted
Not Done
ReplyInline Actions

Macros, ehh.

Could it work if we instantiated a test function template with the types as parameters? AFAIK, we analyze all instantiations as top level. The problem seems to be with the -verify and matching the expected-warning for each instantiation...

martong: Macros, ehh. Could it work if we instantiated a test function template with the types as…
(void)a[len + 1]; // no-warning
// len: [0,3]
clang_analyzer_eval(0 <= len && len <= 3); // expected-warning {{TRUE}}
clang_analyzer_eval(1 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 2); // expected-warning {{UNKNOWN}}
}
void symbolic_uint_and_int1(unsigned len) {
(void)a[len]; // no-warning
// len: [0,4]
clang_analyzer_eval(0 <= len && len <= 4); // expected-warning {{TRUE}}
clang_analyzer_eval(1 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 3); // expected-warning {{UNKNOWN}}
}
void symbolic_uint_and_int2(unsigned len) {
(void)a[len - 1]; // no-warning
// len: [1,5]
clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
clang_analyzer_eval(2 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 4); // expected-warning {{UNKNOWN}}
}
void symbolic_int_and_int0(int len) {
(void)a[len + 1]; // no-warning
// len: [-1,3]
clang_analyzer_eval(-1 <= len && len <= 3); // expected-warning {{TRUE}}
clang_analyzer_eval(0 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 2); // expected-warning {{UNKNOWN}}
}
void symbolic_int_and_int1(int len) {
(void)a[len]; // no-warning
// len: [0,4]
clang_analyzer_eval(0 <= len && len <= 4); // expected-warning {{TRUE}}
clang_analyzer_eval(1 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 3); // expected-warning {{UNKNOWN}}
}
void symbolic_int_and_int2(int len) {
(void)a[len - 1]; // no-warning
// len: [1,5]
clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
clang_analyzer_eval(2 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 4); // expected-warning {{UNKNOWN}}
}
void symbolic_longlong_and_int0(long long len) {
(void)a[len + 1]; // no-warning
// len: [-1,3]
clang_analyzer_eval(-1 <= len && len <= 3); // expected-warning {{TRUE}}
clang_analyzer_eval(0 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 2); // expected-warning {{UNKNOWN}}
}
void symbolic_longlong_and_int1(long long len) {
(void)a[len]; // no-warning
// len: [0,4]
clang_analyzer_eval(0 <= len && len <= 4); // expected-warning {{TRUE}}
clang_analyzer_eval(1 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 3); // expected-warning {{UNKNOWN}}
}
void symbolic_longlong_and_int2(long long len) {
(void)a[len - 1]; // no-warning
// len: [1,5]
clang_analyzer_eval(1 <= len && len <= 5); // expected-warning {{TRUE}}
clang_analyzer_eval(2 <= len); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(len <= 4); // expected-warning {{UNKNOWN}}
}