This is an archive of the discontinued LLVM Phabricator instance.

Differential D87785

[analyzer][StdLibraryFunctionsChecker] Fix a BufferSize constraint crash
AbandonedPublic

Authored by martong on Sep 16 2020, 12:11 PM.

Details

Reviewers
steakhal
balazske
Szelethus
NoQ
Summary

It could happen that both the satisfied and unsatisfied constraints gave
a NULL state. This happened probably because the negate() functionality
was not perfect. The solution is to return both states from the assume
calls where it makes sense.
This way the code becomes cleaner, there is no need anymore for the
controversial negate().

Note that this causes a regression in our CTU builds.
http://codechecker-buildbot.eastus.cloudapp.azure.com:8080/job/ctu_pipeline_clang-master-monorepo/1720/
The error itself is not CTU related, however, the coverage and thus the path is different in that mode.

Diff Detail

Unit TestsFailed

TimeTest
510 mswindows > LLVM.DebugInfo::debuglineinfo-path.ll
140 mswindows > LLVM.DebugInfo::symbolize-build-id.test
60 mswindows > LLVM.DebugInfo::symbolize-gnu-debuglink.test
140 mswindows > LLVM.DebugInfo::symbolize.test
160 mswindows > LLVM.DebugInfo/X86::2011-09-26-GlobalVarContext.ll
View Full Test Results (10 Failed)

Event Timeline

martong created this revision.Sep 16 2020, 12:11 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 16 2020, 12:11 PM
Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso and 10 others. · View Herald Transcript
martong requested review of this revision.Sep 16 2020, 12:11 PM
martong added inline comments.Sep 16 2020, 12:13 PM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
725

This is where we crashed before this fix.

Harbormaster completed remote builds in B71918: Diff 292305.Sep 16 2020, 12:43 PM
steakhal added inline comments.Sep 16 2020, 12:53 PM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
235–247

I suggest the same simpler version for the similar code segments as well.

By the same token, why do you return {State, State}?
Shouldn't you return {State, nullptr} there?
In general, one would not expect the same State being returned, IMO it's advised to avoid doing that.
Same applies for the other cases.

339–340

Why don't you castAs? That also has the corresponding assert inside.

martong updated this revision to Diff 292550.Sep 17 2020, 10:01 AM
  • apply -> assume, Add isApplicable
martong added a comment.Sep 17 2020, 10:03 AM

Alright, I refactored the change a bit. A Constraint::assume works similarly to an engine DualAssume. Plus I added isApplicable to check if it is meaningful to call the assume at all.

Harbormaster completed remote builds in B72039: Diff 292550.Sep 17 2020, 10:36 AM
martong abandoned this revision.Sep 21 2020, 2:25 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
725

assert(SuccessSt); should not ever fail. Seems like the logic is not flawed in negate rather there is an issue in the underlying RangeConstraintManager: the analyzer goes on with an unfeasible path.

See the post-commit comments here: https://reviews.llvm.org/D82445

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
233 lines
test/
Analysis/
19 lines

Diff 292550

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 98 Lines▼ Show 20 Linesclass StdLibraryFunctionsChecker
/// Polymorphic base class that represents a constraint on a given argument /// Polymorphic base class that represents a constraint on a given argument
/// (or return value) of a function. Derived classes implement different kind /// (or return value) of a function. Derived classes implement different kind
/// of constraints, e.g range constraints or correlation between two /// of constraints, e.g range constraints or correlation between two
/// arguments. /// arguments.
class ValueConstraint { class ValueConstraint {
public: public:
ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {} ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {}
virtual ~ValueConstraint() {} virtual ~ValueConstraint() {}
/// Apply the effects of the constraint on the given program state. If null
/// is returned then the constraint is not feasible. /// Returns true if we can do any assumption on the constraint, i.e. if it
virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, /// is meaningful to call an Engine `assume` function.
virtual bool isApplicable(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const = 0; CheckerContext &C) const = 0;
virtual ValueConstraintPtr negate() const {
llvm_unreachable("Not implemented"); /// Returns the program states for the cases when the constraint is
}; /// satisfiable and non satisfiable.
virtual std::pair<ProgramStateRef, ProgramStateRef>
assume(ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
CheckerContext &C) const = 0;
// Check whether the constraint is malformed or not. It is malformed if the // Check whether the constraint is malformed or not. It is malformed if the
// specified argument has a mismatch with the given FunctionDecl (e.g. the // specified argument has a mismatch with the given FunctionDecl (e.g. the
// arg number is out-of-range of the function's argument list). // arg number is out-of-range of the function's argument list).
bool checkValidity(const FunctionDecl *FD) const { bool checkValidity(const FunctionDecl *FD) const {
const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams(); const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams();
assert(ValidArg && "Arg out of range!"); assert(ValidArg && "Arg out of range!");
if (!ValidArg) if (!ValidArg)
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines private:
ProgramStateRef applyAsOutOfRange(ProgramStateRef State, ProgramStateRef applyAsOutOfRange(ProgramStateRef State,
const CallEvent &Call, const CallEvent &Call,
const Summary &Summary) const; const Summary &Summary) const;
ProgramStateRef applyAsWithinRange(ProgramStateRef State, ProgramStateRef applyAsWithinRange(ProgramStateRef State,
const CallEvent &Call, const CallEvent &Call,
const Summary &Summary) const; const Summary &Summary) const;
public: public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, bool isApplicable(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
switch (Kind) { SVal V = getArgSVal(Call, getArgNo());
case OutOfRange: return V.getAs<NonLoc>().hasValue();
return applyAsOutOfRange(State, Call, Summary);
case WithinRange:
return applyAsWithinRange(State, Call, Summary);
}
llvm_unreachable("Unknown range kind!");
} }
ValueConstraintPtr negate() const override { std::pair<ProgramStateRef, ProgramStateRef>
RangeConstraint Tmp(*this); assume(ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
CheckerContext &C) const override {
switch (Kind) { switch (Kind) {
case OutOfRange: case OutOfRange:
Tmp.Kind = WithinRange; return {applyAsOutOfRange(State, Call, Summary),
break; applyAsWithinRange(State, Call, Summary)};
case WithinRange: case WithinRange:
Tmp.Kind = OutOfRange; return {applyAsWithinRange(State, Call, Summary),
break; applyAsOutOfRange(State, Call, Summary)};
} }
return std::make_shared<RangeConstraint>(Tmp); llvm_unreachable("Unknown range kind!");
} }
bool checkSpecificValidity(const FunctionDecl *FD) const override { bool checkSpecificValidity(const FunctionDecl *FD) const override {
const bool ValidArg = const bool ValidArg =
getArgType(FD, ArgN)->isIntegralType(FD->getASTContext()); getArgType(FD, ArgN)->isIntegralType(FD->getASTContext());
assert(ValidArg && assert(ValidArg &&
"This constraint should be applied on an integral type"); "This constraint should be applied on an integral type");
return ValidArg; return ValidArg;
} }
}; };
class ComparisonConstraint : public ValueConstraint { class ComparisonConstraint : public ValueConstraint {
BinaryOperator::Opcode Opcode; BinaryOperator::Opcode Opcode;
ArgNo OtherArgN; ArgNo OtherArgN;
public: public:
virtual StringRef getName() const override { return "Comparison"; }; virtual StringRef getName() const override { return "Comparison"; };
ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode, ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode,
ArgNo OtherArgN) ArgNo OtherArgN)
: ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {} : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {}
ArgNo getOtherArgNo() const { return OtherArgN; } ArgNo getOtherArgNo() const { return OtherArgN; }
BinaryOperator::Opcode getOpcode() const { return Opcode; } BinaryOperator::Opcode getOpcode() const { return Opcode; }
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
bool isApplicable(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override {
SVal V = getArgSVal(Call, getArgNo());
SVal OtherV = getArgSVal(Call, getOtherArgNo());
return !(V.isUndef() || OtherV.isUndef());
}
std::pair<ProgramStateRef, ProgramStateRef>
assume(ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
CheckerContext &C) const override; CheckerContext &C) const override;
}; };
class NotNullConstraint : public ValueConstraint { class NotNullConstraint : public ValueConstraint {
using ValueConstraint::ValueConstraint; using ValueConstraint::ValueConstraint;
// This variable has a role when we negate the constraint.
bool CannotBeNull = true;
public: public:
StringRef getName() const override { return "NonNull"; } StringRef getName() const override { return "NonNull"; }
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
bool isApplicable(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
if (V.isUndef()) return V.getAs<Loc>().hasValue();
return State;
DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>();
if (!L.getAs<Loc>())
return State;
return State->assume(L, CannotBeNull);
} }
ValueConstraintPtr negate() const override { std::pair<ProgramStateRef, ProgramStateRef>
NotNullConstraint Tmp(*this); assume(ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
Tmp.CannotBeNull = !this->CannotBeNull; CheckerContext &C) const override {
return std::make_shared<NotNullConstraint>(Tmp); return State->assume(getArgSVal(Call, getArgNo()).castAs<Loc>());
steakhalUnsubmitted
Not Done
ReplyInline Actions
SVal V = getArgSVal(Call, getArgNo());
- if (V.isUndef())
- return {State, State};
-
- DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>();
- if (!L.getAs<Loc>())
- return {State, State};
-
- return State->assume(L);
+ if (const auto L = V.getAs<Loc>())
+ return State->assume(L.getValue());
+ return {State, State};
}
bool checkSpecificValidity(const FunctionDecl *FD) const override {

I suggest the same simpler version for the similar code segments as well.

By the same token, why do you return {State, State}?
Shouldn't you return {State, nullptr} there?
In general, one would not expect the same State being returned, IMO it's advised to avoid doing that.
Same applies for the other cases.

steakhal: I suggest the same //simpler// version for the similar code segments as well. By the same…
} }
bool checkSpecificValidity(const FunctionDecl *FD) const override { bool checkSpecificValidity(const FunctionDecl *FD) const override {
const bool ValidArg = getArgType(FD, ArgN)->isPointerType(); const bool ValidArg = getArgType(FD, ArgN)->isPointerType();
assert(ValidArg && assert(ValidArg &&
"This constraint should be applied only on a pointer type"); "This constraint should be applied only on a pointer type");
return ValidArg; return ValidArg;
} }
Show All 13 Lines class BufferSizeConstraint : public ValueConstraint {
// The concrete value which is the minimum size for the buffer. // The concrete value which is the minimum size for the buffer.
llvm::Optional<llvm::APSInt> ConcreteSize; llvm::Optional<llvm::APSInt> ConcreteSize;
// The argument which holds the size of the buffer. // The argument which holds the size of the buffer.
llvm::Optional<ArgNo> SizeArgN; llvm::Optional<ArgNo> SizeArgN;
// The argument which is a multiplier to size. This is set in case of // The argument which is a multiplier to size. This is set in case of
// `fread` like functions where the size is computed as a multiplication of // `fread` like functions where the size is computed as a multiplication of
// two arguments. // two arguments.
llvm::Optional<ArgNo> SizeMultiplierArgN; llvm::Optional<ArgNo> SizeMultiplierArgN;
// The operator we use in apply. This is negated in negate().
BinaryOperator::Opcode Op = BO_LE;
public: public:
StringRef getName() const override { return "BufferSize"; } StringRef getName() const override { return "BufferSize"; }
BufferSizeConstraint(ArgNo Buffer, llvm::APSInt BufMinSize) BufferSizeConstraint(ArgNo Buffer, llvm::APSInt BufMinSize)
: ValueConstraint(Buffer), ConcreteSize(BufMinSize) {} : ValueConstraint(Buffer), ConcreteSize(BufMinSize) {}
BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize) BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize)
: ValueConstraint(Buffer), SizeArgN(BufSize) {} : ValueConstraint(Buffer), SizeArgN(BufSize) {}
BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier) BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier)
: ValueConstraint(Buffer), SizeArgN(BufSize), : ValueConstraint(Buffer), SizeArgN(BufSize),
SizeMultiplierArgN(BufSizeMultiplier) {} SizeMultiplierArgN(BufSizeMultiplier) {}
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, bool isApplicable(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
SVal BufV = getArgSVal(Call, getArgNo());
if (BufV.isUndef())
return false;
if (SizeArgN) {
// The size argument.
SVal SizeV = getArgSVal(Call, *SizeArgN);
if (SizeV.isUndef())
return false;
if (SizeMultiplierArgN) {
SVal SizeMulV = getArgSVal(Call, *SizeMultiplierArgN);
if (SizeMulV.isUndef())
return false;
}
}
return true;
}
std::pair<ProgramStateRef, ProgramStateRef>
assume(ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
CheckerContext &C) const override {
SValBuilder &SvalBuilder = C.getSValBuilder(); SValBuilder &SvalBuilder = C.getSValBuilder();
// The buffer argument. // The buffer argument.
SVal BufV = getArgSVal(Call, getArgNo()); SVal BufV = getArgSVal(Call, getArgNo());
// Get the size constraint. // Get the size constraint.
const SVal SizeV = [this, &State, &Call, &Summary, &SvalBuilder]() { const SVal SizeV = [this, &State, &Call, &Summary, &SvalBuilder]() {
if (ConcreteSize) { if (ConcreteSize) {
return SVal(SvalBuilder.makeIntVal(*ConcreteSize)); return SVal(SvalBuilder.makeIntVal(*ConcreteSize));
Show All 11 Lines assume(ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
llvm_unreachable("The constraint must be either a concrete value or " llvm_unreachable("The constraint must be either a concrete value or "
"encoded in an arguement."); "encoded in an arguement.");
} }
}(); }();
// The dynamic size of the buffer argument, got from the analyzer engine. // The dynamic size of the buffer argument, got from the analyzer engine.
SVal BufDynSize = getDynamicSizeWithOffset(State, BufV); SVal BufDynSize = getDynamicSizeWithOffset(State, BufV);
SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize, SVal Feasible = SvalBuilder.evalBinOp(State, BO_LE, SizeV, BufDynSize,
SvalBuilder.getContext().BoolTy); SvalBuilder.getContext().BoolTy);
if (auto F = Feasible.getAs<DefinedOrUnknownSVal>()) return State->assume(Feasible.castAs<DefinedOrUnknownSVal>());
steakhalUnsubmitted
Not Done
ReplyInline Actions

Why don't you castAs? That also has the corresponding assert inside.

steakhal: Why don't you `castAs`? That also has the corresponding assert inside.
return State->assume(*F, true);
// We can get here only if the size argument or the dynamic size is
// undefined. But the dynamic size should never be undefined, only
// unknown. So, here, the size of the argument is undefined, i.e. we
// cannot apply the constraint. Actually, other checkers like
// CallAndMessage should catch this situation earlier, because we call a
// function with an uninitialized argument.
llvm_unreachable("Size argument or the dynamic size is Undefined");
}
ValueConstraintPtr negate() const override {
BufferSizeConstraint Tmp(*this);
Tmp.Op = BinaryOperator::negateComparisonOp(Op);
return std::make_shared<BufferSizeConstraint>(Tmp);
} }
bool checkSpecificValidity(const FunctionDecl *FD) const override { bool checkSpecificValidity(const FunctionDecl *FD) const override {
const bool ValidArg = getArgType(FD, ArgN)->isPointerType(); const bool ValidArg = getArgType(FD, ArgN)->isPointerType();
assert(ValidArg && assert(ValidArg &&
"This constraint should be applied only on a pointer type"); "This constraint should be applied only on a pointer type");
return ValidArg; return ValidArg;
} }
▲ Show 20 LinesShow All 247 Lines▼ Show 20 LinesProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange(
ProgramStateManager &Mgr = State->getStateManager(); ProgramStateManager &Mgr = State->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder(); SValBuilder &SVB = Mgr.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory(); BasicValueFactory &BVF = SVB.getBasicValueFactory();
ConstraintManager &CM = Mgr.getConstraintManager(); ConstraintManager &CM = Mgr.getConstraintManager();
QualType T = Summary.getArgType(getArgNo()); QualType T = Summary.getArgType(getArgNo());
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
if (auto N = V.getAs<NonLoc>()) { auto N = V.castAs<NonLoc>();
const IntRangeVector &R = getRanges(); const IntRangeVector &R = getRanges();
size_t E = R.size(); size_t E = R.size();
for (size_t I = 0; I != E; ++I) { for (size_t I = 0; I != E; ++I) {
const llvm::APSInt &Min = BVF.getValue(R[I].first, T); const llvm::APSInt &Min = BVF.getValue(R[I].first, T);
const llvm::APSInt &Max = BVF.getValue(R[I].second, T); const llvm::APSInt &Max = BVF.getValue(R[I].second, T);
assert(Min <= Max); assert(Min <= Max);
State = CM.assumeInclusiveRange(State, *N, Min, Max, false); State = CM.assumeInclusiveRange(State, N, Min, Max, false);
if (!State) if (!State)
break; break;
} }
}
return State; return State;
} }
ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange( ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange(
ProgramStateRef State, const CallEvent &Call, ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const { const Summary &Summary) const {
if (Ranges.empty()) if (Ranges.empty())
Show All 10 LinesProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange(
// We cut off [T_MIN, min(R) - 1] and [max(R) + 1, T_MAX] if necessary, // We cut off [T_MIN, min(R) - 1] and [max(R) + 1, T_MAX] if necessary,
// and then cut away all holes in R one by one. // and then cut away all holes in R one by one.
// //
// E.g. consider a range list R as [A, B] and [C, D] // E.g. consider a range list R as [A, B] and [C, D]
// -------+--------+------------------+------------+-----------> // -------+--------+------------------+------------+----------->
// A B C D // A B C D
// Then we assume that the value is not in [-inf, A - 1], // Then we assume that the value is not in [-inf, A - 1],
// then not in [D + 1, +inf], then not in [B + 1, C - 1] // then not in [D + 1, +inf], then not in [B + 1, C - 1]
if (auto N = V.getAs<NonLoc>()) { auto N = V.castAs<NonLoc>();
const IntRangeVector &R = getRanges(); const IntRangeVector &R = getRanges();
size_t E = R.size(); size_t E = R.size();
const llvm::APSInt &MinusInf = BVF.getMinValue(T); const llvm::APSInt &MinusInf = BVF.getMinValue(T);
const llvm::APSInt &PlusInf = BVF.getMaxValue(T); const llvm::APSInt &PlusInf = BVF.getMaxValue(T);
const llvm::APSInt &Left = BVF.getValue(R[0].first - 1ULL, T); const llvm::APSInt &Left = BVF.getValue(R[0].first - 1ULL, T);
if (Left != PlusInf) { if (Left != PlusInf) {
assert(MinusInf <= Left); assert(MinusInf <= Left);
State = CM.assumeInclusiveRange(State, *N, MinusInf, Left, false); State = CM.assumeInclusiveRange(State, N, MinusInf, Left, false);
if (!State) if (!State)
return nullptr; return nullptr;
} }
const llvm::APSInt &Right = BVF.getValue(R[E - 1].second + 1ULL, T); const llvm::APSInt &Right = BVF.getValue(R[E - 1].second + 1ULL, T);
if (Right != MinusInf) { if (Right != MinusInf) {
assert(Right <= PlusInf); assert(Right <= PlusInf);
State = CM.assumeInclusiveRange(State, *N, Right, PlusInf, false); State = CM.assumeInclusiveRange(State, N, Right, PlusInf, false);
if (!State) if (!State)
return nullptr; return nullptr;
} }
for (size_t I = 1; I != E; ++I) { for (size_t I = 1; I != E; ++I) {
const llvm::APSInt &Min = BVF.getValue(R[I - 1].second + 1ULL, T); const llvm::APSInt &Min = BVF.getValue(R[I - 1].second + 1ULL, T);
const llvm::APSInt &Max = BVF.getValue(R[I].first - 1ULL, T); const llvm::APSInt &Max = BVF.getValue(R[I].first - 1ULL, T);
if (Min <= Max) { if (Min <= Max) {
State = CM.assumeInclusiveRange(State, *N, Min, Max, false); State = CM.assumeInclusiveRange(State, N, Min, Max, false);
if (!State) if (!State)
return nullptr; return nullptr;
} }
} }
}
return State; return State;
} }
ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply( std::pair<ProgramStateRef, ProgramStateRef>
StdLibraryFunctionsChecker::ComparisonConstraint::assume(
ProgramStateRef State, const CallEvent &Call, const Summary &Summary, ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateManager &Mgr = State->getStateManager(); ProgramStateManager &Mgr = State->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder(); SValBuilder &SVB = Mgr.getSValBuilder();
QualType CondT = SVB.getConditionType(); QualType CondT = SVB.getConditionType();
QualType T = Summary.getArgType(getArgNo()); QualType T = Summary.getArgType(getArgNo());
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
BinaryOperator::Opcode Op = getOpcode(); BinaryOperator::Opcode Op = getOpcode();
ArgNo OtherArg = getOtherArgNo(); ArgNo OtherArg = getOtherArgNo();
SVal OtherV = getArgSVal(Call, OtherArg); SVal OtherV = getArgSVal(Call, OtherArg);
QualType OtherT = Summary.getArgType(OtherArg); QualType OtherT = Summary.getArgType(OtherArg);
// Note: we avoid integral promotion for comparison. // Note: we avoid integral promotion for comparison.
OtherV = SVB.evalCast(OtherV, T, OtherT); OtherV = SVB.evalCast(OtherV, T, OtherT);
if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT) auto CompV =
.getAs<DefinedOrUnknownSVal>()) SVB.evalBinOp(State, Op, V, OtherV, CondT).castAs<DefinedOrUnknownSVal>();
State = State->assume(*CompV, true); return State->assume(CompV);
return State;
} }
void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call, void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
Optional<Summary> FoundSummary = findFunctionSummary(Call, C); Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return; return;
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
ProgramStateRef NewState = State; ProgramStateRef NewState = State;
for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) { for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) {
ProgramStateRef SuccessSt = Constraint->apply(NewState, Call, Summary, C); if (!Constraint->isApplicable(NewState, Call, Summary, C))
ProgramStateRef FailureSt = continue;
Constraint->negate()->apply(NewState, Call, Summary, C); ProgramStateRef SuccessSt, FailureSt;
std::tie(SuccessSt, FailureSt) =
Constraint->assume(NewState, Call, Summary, C);
// The argument constraint is not satisfied. // The argument constraint is not satisfied.
if (FailureSt && !SuccessSt) { if (FailureSt && !SuccessSt) {
if (ExplodedNode *N = C.generateErrorNode(NewState)) if (ExplodedNode *N = C.generateErrorNode(NewState))
reportBug(Call, N, Constraint.get(), C); reportBug(Call, N, Constraint.get(), C);
break; break;
} else { } else {
// We will apply the constraint even if we cannot reason about the // We will apply the constraint even if we cannot reason about the
// argument. This means both SuccessSt and FailureSt can be true. If we // argument. This means both SuccessSt and FailureSt can be true. If we
// weren't applying the constraint that would mean that symbolic // weren't applying the constraint that would mean that symbolic
// execution continues on a code whose behaviour is undefined. // execution continues on a code whose behaviour is undefined.
assert(SuccessSt); assert(SuccessSt);
martongAuthorUnsubmitted
Done
ReplyInline Actions

This is where we crashed before this fix.

martong: This is where we crashed before this fix.
martongAuthorUnsubmitted
Done
ReplyInline Actions

assert(SuccessSt); should not ever fail. Seems like the logic is not flawed in negate rather there is an issue in the underlying RangeConstraintManager: the analyzer goes on with an unfeasible path.

See the post-commit comments here: https://reviews.llvm.org/D82445

martong: `assert(SuccessSt);` should not ever fail. Seems like the logic is not flawed in `negate`…
NewState = SuccessSt; NewState = SuccessSt;
} }
} }
if (NewState && NewState != State) if (NewState && NewState != State)
C.addTransition(NewState); C.addTransition(NewState);
} }
void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call, void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
Optional<Summary> FoundSummary = findFunctionSummary(Call, C); Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return; return;
// Now apply the constraints. // Now apply the constraints.
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Apply case/branch specifications. // Apply case/branch specifications.
for (const ConstraintSet &Case : Summary.getCaseConstraints()) { for (const ConstraintSet &Case : Summary.getCaseConstraints()) {
ProgramStateRef NewState = State; ProgramStateRef NewState = State;
for (const ValueConstraintPtr &Constraint : Case) { for (const ValueConstraintPtr &Constraint : Case) {
NewState = Constraint->apply(NewState, Call, Summary, C); std::tie(NewState, std::ignore) =
Constraint->assume(NewState, Call, Summary, C);
if (!NewState) if (!NewState)
break; break;
} }
if (NewState && NewState != State) if (NewState && NewState != State)
C.addTransition(NewState); C.addTransition(NewState);
} }
} }
▲ Show 20 LinesShow All 1,607 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions.c

Show First 20 LinesShow All 120 Lines▼ Show 20 Lines
void test_fread_uninitialized(void) { void test_fread_uninitialized(void) {
void *ptr; void *ptr;
size_t sz; size_t sz;
size_t nmem; size_t nmem;
FILE *fp; FILE *fp;
(void)fread(ptr, sz, nmem, fp); // expected-warning {{1st function call argument is an uninitialized value}} (void)fread(ptr, sz, nmem, fp); // expected-warning {{1st function call argument is an uninitialized value}}
} }
static void test_fread_buffer_size_constraint_no_crash(FILE *f, size_t n) {
size_t rlen; /* how much to read */
size_t nr; /* number of chars actually read */
char b[8192];
rlen = 8192;
do {
char *p = b;
if (rlen > n)
rlen = n; /* cannot read more than asked */
nr = fread(p, sizeof(char), rlen, f);
n -= nr; /* still have to read `n' chars */
} while (n > 0 && nr == rlen); /* until end of count or eof */
}
// Test that we do not crash here.
void test_fread_buffer_size_constraint_no_crash_caller(FILE *f) {
/* read MAX_SIZE_T chars */
test_fread_buffer_size_constraint_no_crash(f, ~((size_t)0));
}
ssize_t getline(char **, size_t *, FILE *); ssize_t getline(char **, size_t *, FILE *);
void test_getline(FILE *fp) { void test_getline(FILE *fp) {
char *line = 0; char *line = 0;
size_t n = 0; size_t n = 0;
ssize_t len; ssize_t len;
while ((len = getline(&line, &n, fp)) != -1) { while ((len = getline(&line, &n, fp)) != -1) {
clang_analyzer_eval(len == 0); // expected-warning{{FALSE}} clang_analyzer_eval(len == 0); // expected-warning{{FALSE}}
} }
▲ Show 20 LinesShow All 117 LinesShow Last 20 Lines