[PATCH] D41796: [analyzer] Fix extent modeling for casted operator new values.

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Jan 5 17:24:32 PST 2018

NoQ created this revision.
NoQ added reviewers: dcoughlin, xazax.hun, a.sidorin, george.karpenkov.
Herald added subscribers: cfe-commits, rnkovacs, szepet.

This continues the series of fine-tuning of how everything behaves in `-analyzer-config c++-allocator-inlining=true` mode with respects to casts (`ElementRegion`s with index 0) around the return value of `operator new()`. Old `operator new()` was always returning `&HeapSymRegion{conj_$N{C *}}`, where `C` is the type of the allocated object. In the new mode, if the operator is evaluated conservatively, this value changes to `&element{T, 0 S64b, HeapSymRegion{conj_$N{C *}}}`, which, as pointed out in https://reviews.llvm.org/D41250#959755, is not quite intended (but not addressed yet). However, if the operator is inlined, it is likely to become `&element{T, 0 S64b, HeapSymRegion{conj_$N{void *}}}` (note the `void`), where the cast is definitely intended. It means that regardless of how do we want to treat the no-op cast in the non-inlined case, the checker does not have a right to rely on the cast being absent.

This patch fixes the region extent modeling under `-analyzer-config c++-allocator-inlining=true`, which is performed by `MallocChecker` and consumed by other checkers such as `ArrayBoundChecker`. It is pointless to model the extent of the element region, when in fact we're trying to model the extent of the whole array. Note that behavior of the array `operator new[]` changes slightly, even if we're not trying to model it.

  rC Clang



Index: test/Analysis/out-of-bounds-new.cpp
--- test/Analysis/out-of-bounds-new.cpp
+++ test/Analysis/out-of-bounds-new.cpp
@@ -1,4 +1,5 @@
 // RUN: %clang_analyze_cc1 -std=c++11 -Wno-array-bounds -analyzer-checker=unix,core,alpha.security.ArrayBoundV2 -verify %s
+// RUN: %clang_analyze_cc1 -std=c++11 -Wno-array-bounds -analyzer-checker=unix,core,alpha.security.ArrayBoundV2 -analyzer-config c++-allocator-inlining=true -verify %s
 // Tests doing an out-of-bounds access after the end of an array using:
 // - constant integer index
Index: lib/StaticAnalyzer/Checkers/MallocChecker.cpp
--- lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1124,7 +1124,7 @@
   } else {
     ElementCount = svalBuilder.makeIntVal(1, true);
-    Region = Target.getAsRegion()->getAs<SubRegion>();
+    Region = cast<SubRegion>(Target.getAsRegion()->StripCasts());

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D41796.128829.patch
Type: text/x-patch
Size: 1101 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20180106/318f7c11/attachment-0001.bin>

More information about the cfe-commits mailing list