llvmbot wrote:

<!--LLVM PR SUMMARY COMMENT-->

@llvm/pr-subscribers-clang-static-analyzer-1

<details>
<summary>Changes</summary>

This change avoids a crash in BasicValueFactory by checking the bit width of an 
APSInt to avoid calling getZExtValue if greater than 64 bits. This was caught 
by our internal, randomized test generator.

Clang invocation
clang -cc1 -analyzer-checker=optin.portability.UnixAPI case.c

<src-root>/llvm/include/llvm/ADT/APInt.h:1488:
uint64_t llvm::APInt::getZExtValue() const: Assertion `getActiveBits() <= 64
  && "Too many bits for uint64_t"' failed.
...

 #9 <address> llvm::APInt::getZExtValue() const
     <src-root>/llvm/include/llvm/ADT/APInt.h:1488:5
     clang::BinaryOperatorKind, llvm::APSInt const&, llvm::APSInt const&)
     <src-root>/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp:307:37
     llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>,
     clang::BinaryOperatorKind, clang::ento::NonLoc, clang::ento::NonLoc,
     clang::QualType)
     <src-root>/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:531:31
     llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>,
     clang::BinaryOperatorKind, clang::ento::SVal, clang::ento::SVal,
     clang::QualType)
     <src-root>/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp:532:26
...

---
Full diff: https://github.com/llvm/llvm-project/pull/67212.diff


2 Files Affected:

- (modified) clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp (+6) 
- (added) clang/test/Analysis/int128-nocrash.c (+10) 


``````````diff
diff --git a/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp 
b/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp
index 5924f6a671c2ac1..351735cdf42dc8f 100644
--- a/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp
+++ b/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp
@@ -275,6 +275,9 @@ BasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op,
       if (V2.isSigned() && V2.isNegative())
         return nullptr;
 
+      if (V2.getBitWidth() > 64)
+        return nullptr;
+
       uint64_t Amt = V2.getZExtValue();
 
       if (Amt >= V1.getBitWidth())
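Review bot: the new guard `if (V2.getBitWidth() > 64)` keys on the type width, but the assertion this PR works around (`getActiveBits() <= 64 && "Too many bits for uint64_t"`, quoted in the summary) is about the value's active bits. With this check, any shift amount of a 128-bit type, including one holding a small value, makes evalAPSInt return nullptr and the constant fold is lost. Checking `V2.getActiveBits() > 64` instead guards exactly the precondition of getZExtValue and still composes with the existing `if (Amt >= V1.getBitWidth())` below, which already rejects every amount too large to shift by. Folding it into the preceding early-out, `if ((V2.isSigned() && V2.isNegative()) || V2.getActiveBits() > 64)`, would also keep the two rejection conditions in one place.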
@@ -298,6 +301,9 @@ BasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op,
       if (V2.isSigned() && V2.isNegative())
         return nullptr;
 
+      if (V2.getBitWidth() > 64)
+        return nullptr;
+
       uint64_t Amt = V2.getZExtValue();
 
       if (Amt >= V1.getBitWidth())
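Review bot: this hunk duplicates the guard added at line 275 verbatim, so whatever form that one ends up in (width versus active bits, merged into the negativity check or not) must be mirrored here; two copies of the same bounds check that drift apart are how a fix ends up covering one shift operator but not the other. A small helper that validates and extracts the shift amount once, returning a flag plus the `uint64_t`, would let both cases share the logic and the comment explaining why 64 is the limit.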
diff --git a/clang/test/Analysis/int128-nocrash.c 
b/clang/test/Analysis/int128-nocrash.c
new file mode 100644
index 000000000000000..0e9d2322080b8b8
--- /dev/null
+++ b/clang/test/Analysis/int128-nocrash.c
@@ -0,0 +1,10 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=optin.portability.UnixAPI \
+// RUN:    -triple x86_64-pc-linux-gnu -x c %s
+
+// Don't crash!
+// expected-no-diagnostics
+const __int128_t a = ( ((__int128_t)1) << 64 | 1);
+
+void b() { 
+  2 >> a; 
+}
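Review bot: the RUN line does not pass `-verify`, so `// expected-no-diagnostics` is never checked and the test only establishes that the analyzer does not crash. Either add `-verify` to the RUN line (and then account for anything the statement `2 >> a;` warns about) or drop the comment so it does not suggest a check that is not happening. It would also be worth a second function that shifts by an `__int128_t` whose value fits in 64 bits, e.g. `(__int128_t)3`, so the test pins down whether such shifts are still folded: the guard in the BasicValueFactory hunks rejects by width, not by value, and this file as written cannot tell the difference.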

``````````

</details>


https://github.com/llvm/llvm-project/pull/67212
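An added example, not code from this PR or from LLVM: a minimal fixed-width unsigned integer offering the three APSInt queries the patch relies on (getBitWidth, getActiveBits, getZExtValue), and a shift evaluator laid out like the shift cases in the hunks above. It goes beyond the one crashing input on the page by running the same shift under two guards, the bit-width check the patch adds and an active-bits check, so the difference is visible: the test case's amount (2^64 + 1, 65 active bits) is rejected by both, while a 128-bit amount holding the value 3 is folded only under the active-bits guard. WideInt, evalShr and Guard are names invented for this example; the inputs are constructed inline.

```cpp
// Added example, not LLVM code: a toy stand-in for llvm::APSInt with the
// three queries the patch uses, plus a shift evaluator shaped like the
// BO_Shl/BO_Shr cases in BasicValueFactory::evalAPSInt. WideInt, evalShr
// and Guard are names invented here (assumptions, not LLVM identifiers).
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <optional>
#include <utility>
#include <vector>

// Value of an arbitrary bit width stored in little-endian 64-bit limbs; the
// caller guarantees the limbs hold a value that fits in `bitWidth` bits.
struct WideInt {
    unsigned bitWidth = 0;
    std::vector<uint64_t> limbs;

    static WideInt fromLimbs(unsigned width, std::vector<uint64_t> l) {
        WideInt w;
        w.bitWidth = width;
        w.limbs = std::move(l);
        return w;
    }

    unsigned getBitWidth() const { return bitWidth; }

    // Bits needed to represent the value, like llvm::APInt::getActiveBits().
    unsigned getActiveBits() const {
        for (size_t i = limbs.size(); i-- > 0;) {
            if (limbs[i] == 0)
                continue;
            unsigned hi = 63;
            while (((limbs[i] >> hi) & 1) == 0)
                --hi;
            return static_cast<unsigned>(i * 64 + hi + 1);
        }
        return 0;
    }

    // llvm::APInt::getZExtValue() asserts getActiveBits() <= 64; this model
    // reports that precondition failure as nullopt instead of aborting.
    std::optional<uint64_t> getZExtValue() const {
        if (getActiveBits() > 64)
            return std::nullopt;
        return limbs.empty() ? 0 : limbs[0];
    }
};

// Which precondition the caller checks before extracting the shift amount.
enum class Guard { BitWidth, ActiveBits };

// v1 >> v2 for a 64-bit v1, in the shape of the patched evalAPSInt: nullopt
// means "cannot fold; the analyzer would treat the result as unknown".
std::optional<uint64_t> evalShr(uint64_t v1, const WideInt &v2, Guard g) {
    bool tooWide = (g == Guard::BitWidth) ? v2.getBitWidth() > 64
                                          : v2.getActiveBits() > 64;
    if (tooWide)
        return std::nullopt;

    std::optional<uint64_t> amt = v2.getZExtValue();  // cannot fail past the guard
    if (!amt)
        return std::nullopt;

    if (*amt >= 64)  // mirrors `if (Amt >= V1.getBitWidth())`: over-shift, give up
        return std::nullopt;
    return v1 >> *amt;
}

int main() {
    // Constructed inputs: the test case's amount ((__int128_t)1 << 64 | 1),
    // and a 128-bit amount whose value (3) fits comfortably in 64 bits.
    WideInt huge = WideInt::fromLimbs(128, {1, 1});
    WideInt small128 = WideInt::fromLimbs(128, {3, 0});

    std::printf("active bits of 2^64+1: %u\n", huge.getActiveBits());
    for (Guard g : {Guard::BitWidth, Guard::ActiveBits}) {
        const char *name = g == Guard::BitWidth ? "bit-width guard" : "active-bits guard";
        std::optional<uint64_t> r1 = evalShr(2, huge, g);
        std::optional<uint64_t> r2 = evalShr(16, small128, g);
        std::printf("%s: 2 >> (2^64+1) -> %s, 16 >> (__int128_t)3 -> %s\n", name,
                    r1 ? "folded" : "unknown", r2 ? "folded" : "unknown");
    }
    return 0;
}
```

The over-shift check after extraction is what makes the active-bits guard sufficient on its own: any amount with more than 64 active bits is necessarily at least 2^64 and would be rejected by `Amt >= V1.getBitWidth()` anyway, so the only job of the guard is to keep getZExtValue from being called on it.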
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
