[PATCH] D30489: [analyzer] catch out of bounds for VLA

Daniel Marjamäki via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Mar 3 03:28:24 PST 2017 

danielmarjamaki added a comment.

To me it seems that the extent is calculated properly in ArrayBoundsV2.

Existing code:

  DefinedOrUnknownSVal extentVal =
    rawOffset.getRegion()->getExtent(svalBuilder);

This ugly little debug code will extract the needed VLA information from the extentVal...

  if (extentVal.getSubKind() == nonloc::SymbolValKind) {
    SymbolRef SR = extentVal.castAs<nonloc::SymbolVal>().getSymbol();
    const SymbolExtent *SE = dyn_cast<SymbolExtent>(SR);
    const MemRegion *SEMR = SE->getRegion();
    if (SEMR->getKind() == MemRegion::VarRegionKind) {
      const VarRegion *VR = cast<VarRegion>(SEMR);
      QualType T = VR->getDecl()->getType();
      ASTContext &Ctx = checkerContext.getASTContext();
      const VariableArrayType *VLA = Ctx.getAsVariableArrayType(T);

A VLA->dump() after that will output:

  VariableArrayType 0x87f6a80 'char [sz]' variably_modified 
  |-BuiltinType 0x87f6480 'char'
  `-ImplicitCastExpr 0x87f6a70 'int' <LValueToRValue>
    `-DeclRefExpr 0x87f6a58 'int' lvalue ParmVar 0x87f6948 'sz' 'int'

which is exactly what the corresponding VLA->dump() in the checkPreStmt() outputs.

As far as I see the problem is that the ProgramState does not keep the symbolic value for sz.

In checkPreStmt the state is:

  Expressions:
   (0xe4acb0,0xe04790) sz : reg_$0<int sz>
   (0xe4acb0,0xe04828) array : &array
   (0xe4acb0,0xe04840) sz : &sz
   (0xe4acb0,0xe04858) array : &element{array,0 S64b,char}
   (0xe4acb0,0xe04868) sz : reg_$0<int sz>
   (0xe4acb0,0xe048b0) 1 : 1 S8b

in checkLocation() the state is:

  Expressions:
   (0xe4acb0,0xe04878) array[sz] : &element{array,reg_$0<int sz>,char}
   (0xe4acb0,0xe048b0) 1 : 1 S8b
   (0xe4acb0,0xe048c0) array[sz] = 1 : 1 S8b
  Ranges of symbol values:
   reg_$0<int sz> : { [0, 2147483647] }

This little code works in checkPreStmt() but not in checkLocation():

  SVal sizeV = State->getSVal(VLA->getSizeExpr(), C.getLocationContext());

In checkPreStmt that returns "reg_$0<int sz>" and in checkLocation() that returns "Unknown".

Do you agree that this is the problem? Would it be a good idea to try to keep the sz in the ProgramState?


Repository:
  rL LLVM

https://reviews.llvm.org/D30489

More information about the cfe-commits mailing list