Author: dergachev Date: Fri Mar 30 12:27:42 2018 New Revision: 328896 URL: http://llvm.org/viewvc/llvm-project?rev=328896&view=rev Log: [analyzer] Track null or undef values through pointer arithmetic.
Pointer arithmetic on null or undefined pointers results in null or undefined pointers. This is obvious for undefined pointers; for null pointers it follows from our incorrect-but-somehow-working approach that declares that 0 (Loc) doesn't necessarily represent a pointer of numeric address value 0, but instead it represents any pointer that will cause a valid "null pointer dereference" issue when dereferenced. For now we've been seeing through pointer arithmetic at the original dereference expression, i.e. in bugreporter::getDerefExpr(), but not during further investigation of the value's origins in bugreporter::trackNullOrUndefValue(). The patch fixes it. Differential Revision: https://reviews.llvm.org/D45071 Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c cfe/trunk/test/Analysis/null-deref-path-notes.c Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=328896&r1=328895&r2=328896&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp Fri Mar 30 12:27:42 2018 @@ -75,6 +75,17 @@ bool bugreporter::isDeclRefExprToReferen return false; } +static const Expr *peelOffPointerArithmetic(const BinaryOperator *B) { + if (B->isAdditiveOp() && B->getType()->isPointerType()) { + if (B->getLHS()->getType()->isPointerType()) { + return B->getLHS(); + } else if (B->getRHS()->getType()->isPointerType()) { + return B->getRHS(); + } + } + return nullptr; +} + /// Given that expression S represents a pointer that would be dereferenced, /// try to find a sub-expression from which the pointer came from. /// This is used for tracking down origins of a null or undefined value: @@ -101,14 +112,8 @@ const Expr *bugreporter::getDerefExpr(co E = CE->getSubExpr(); } else if (const auto *B = dyn_cast<BinaryOperator>(E)) { // Pointer arithmetic: '*(x + 2)' -> 'x') etc. - if (B->getType()->isPointerType()) { - if (B->getLHS()->getType()->isPointerType()) { - E = B->getLHS(); - } else if (B->getRHS()->getType()->isPointerType()) { - E = B->getRHS(); - } else { - break; - } + if (const Expr *Inner = peelOffPointerArithmetic(B)) { + E = Inner; } else { // Probably more arithmetic can be pattern-matched here, // but for now give up. @@ -1412,6 +1417,11 @@ static const Expr *peelOffOuterExpr(cons NI = NI->getFirstPred(); } while (NI); } + + if (auto *BO = dyn_cast<BinaryOperator>(Ex)) + if (const Expr *SubEx = peelOffPointerArithmetic(BO)) + return peelOffOuterExpr(SubEx, N); + return Ex; } Modified: cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c?rev=328896&r1=328895&r2=328896&view=diff ============================================================================== --- cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c (original) +++ cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c Fri Mar 30 12:27:42 2018 @@ -159,8 +159,7 @@ void idcTrackZeroValueThroughUnaryPointe void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset2(struct S *s) { idc(s); int *x = &(s->f2) - 1; - // FIXME: Should not warn. - *x = 7; // expected-warning{{Dereference of null pointer}} + *x = 7; // no-warning } void idcTrackZeroValueThroughUnaryPointerOperatorsWithAssignment(struct S *s) { Modified: cfe/trunk/test/Analysis/null-deref-path-notes.c URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/null-deref-path-notes.c?rev=328896&r1=328895&r2=328896&view=diff ============================================================================== --- cfe/trunk/test/Analysis/null-deref-path-notes.c (original) +++ cfe/trunk/test/Analysis/null-deref-path-notes.c Fri Mar 30 12:27:42 2018 @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core -analyzer-output=text -verify %s +// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core,unix -analyzer-output=text -verify %s // Avoid the crash when finding the expression for tracking the origins // of the null pointer for path notes. @@ -7,3 +7,46 @@ void pr34373() { (a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}} // expected-note@-1{{Array access results in a null pointer dereference}} } + +typedef __typeof(sizeof(int)) size_t; +void *memcpy(void *dest, const void *src, unsigned long count); + +void f1(char *source) { + char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}} + memcpy(destination + 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}} + // expected-note@-1{{Null pointer argument in call to memory copy function}} +} + +void f2(char *source) { + char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}} + memcpy(destination - 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}} + // expected-note@-1{{Null pointer argument in call to memory copy function}} +} + +void f3(char *source) { + char *destination = 0; // FIXME: There should be a note here as well. + destination = destination + 0; // expected-note{{Null pointer value stored to 'destination'}} + memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}} + // expected-note@-1{{Null pointer argument in call to memory copy function}} +} + +void f4(char *source) { + char *destination = 0; // FIXME: There should be a note here as well. + destination = destination - 0; // expected-note{{Null pointer value stored to 'destination'}} + memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}} + // expected-note@-1{{Null pointer argument in call to memory copy function}} +} + +void f5(char *source) { + char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}} + char *destination2 = destination1 + 0; // expected-note{{'destination2' initialized to a null pointer value}} + memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}} + // expected-note@-1{{Null pointer argument in call to memory copy function}} +} + +void f6(char *source) { + char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}} + char *destination2 = destination1 - 0; // expected-note{{'destination2' initialized to a null pointer value}} + memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}} + // expected-note@-1{{Null pointer argument in call to memory copy function}} +} _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
