r328896 - [analyzer] Track null or undef values through pointer arithmetic.

Artem Dergachev via cfe-commits cfe-commits at lists.llvm.org
Fri Mar 30 12:27:42 PDT 2018 

Author: dergachev
Date: Fri Mar 30 12:27:42 2018
New Revision: 328896

URL: http://llvm.org/viewvc/llvm-project?rev=328896&view=rev
Log:
[analyzer] Track null or undef values through pointer arithmetic.

Pointer arithmetic on null or undefined pointers results in null or undefined
pointers. This is obvious for undefined pointers; for null pointers it follows
from our incorrect-but-somehow-working approach that declares that 0 (Loc)
doesn't necessarily represent a pointer of numeric address value 0, but instead
it represents any pointer that will cause a valid "null pointer dereference"
issue when dereferenced.

For now we've been seeing through pointer arithmetic at the original dereference
expression, i.e. in bugreporter::getDerefExpr(), but not during further
investigation of the value's origins in bugreporter::trackNullOrUndefValue().
The patch fixes it.

Differential Revision: https://reviews.llvm.org/D45071

Modified:
    cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
    cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c
    cfe/trunk/test/Analysis/null-deref-path-notes.c

Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=328896&r1=328895&r2=328896&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp Fri Mar 30 12:27:42 2018
@@ -75,6 +75,17 @@ bool bugreporter::isDeclRefExprToReferen
   return false;
 }
 
+static const Expr *peelOffPointerArithmetic(const BinaryOperator *B) {
+  if (B->isAdditiveOp() && B->getType()->isPointerType()) {
+    if (B->getLHS()->getType()->isPointerType()) {
+      return B->getLHS();
+    } else if (B->getRHS()->getType()->isPointerType()) {
+      return B->getRHS();
+    }
+  }
+  return nullptr;
+}
+
 /// Given that expression S represents a pointer that would be dereferenced,
 /// try to find a sub-expression from which the pointer came from.
 /// This is used for tracking down origins of a null or undefined value:
@@ -101,14 +112,8 @@ const Expr *bugreporter::getDerefExpr(co
       E = CE->getSubExpr();
     } else if (const auto *B = dyn_cast<BinaryOperator>(E)) {
       // Pointer arithmetic: '*(x + 2)' -> 'x') etc.
-      if (B->getType()->isPointerType()) {
-        if (B->getLHS()->getType()->isPointerType()) {
-          E = B->getLHS();
-        } else if (B->getRHS()->getType()->isPointerType()) {
-          E = B->getRHS();
-        } else {
-          break;
-        }
+      if (const Expr *Inner = peelOffPointerArithmetic(B)) {
+        E = Inner;
       } else {
         // Probably more arithmetic can be pattern-matched here,
         // but for now give up.
@@ -1412,6 +1417,11 @@ static const Expr *peelOffOuterExpr(cons
       NI = NI->getFirstPred();
     } while (NI);
   }
+
+  if (auto *BO = dyn_cast<BinaryOperator>(Ex))
+    if (const Expr *SubEx = peelOffPointerArithmetic(BO))
+      return peelOffOuterExpr(SubEx, N);
+
   return Ex;
 }
 

Modified: cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c?rev=328896&r1=328895&r2=328896&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c (original)
+++ cfe/trunk/test/Analysis/inlining/inline-defensive-checks.c Fri Mar 30 12:27:42 2018
@@ -159,8 +159,7 @@ void idcTrackZeroValueThroughUnaryPointe
 void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset2(struct S *s) {
   idc(s);
   int *x = &(s->f2) - 1;
-  // FIXME: Should not warn.
-  *x = 7; // expected-warning{{Dereference of null pointer}}
+  *x = 7; // no-warning
 }
 
 void idcTrackZeroValueThroughUnaryPointerOperatorsWithAssignment(struct S *s) {

Modified: cfe/trunk/test/Analysis/null-deref-path-notes.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/null-deref-path-notes.c?rev=328896&r1=328895&r2=328896&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/null-deref-path-notes.c (original)
+++ cfe/trunk/test/Analysis/null-deref-path-notes.c Fri Mar 30 12:27:42 2018
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core -analyzer-output=text -verify %s
+// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core,unix -analyzer-output=text -verify %s
 
 // Avoid the crash when finding the expression for tracking the origins
 // of the null pointer for path notes.
@@ -7,3 +7,46 @@ void pr34373() {
   (a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}}
               // expected-note at -1{{Array access results in a null pointer dereference}}
 }
+
+typedef __typeof(sizeof(int)) size_t;
+void *memcpy(void *dest, const void *src, unsigned long count);
+
+void f1(char *source) {
+  char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
+  memcpy(destination + 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                       // expected-note at -1{{Null pointer argument in call to memory copy function}}
+}
+
+void f2(char *source) {
+  char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
+  memcpy(destination - 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                       // expected-note at -1{{Null pointer argument in call to memory copy function}}
+}
+
+void f3(char *source) {
+  char *destination = 0; // FIXME: There should be a note here as well.
+  destination = destination + 0; // expected-note{{Null pointer value stored to 'destination'}}
+  memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                   // expected-note at -1{{Null pointer argument in call to memory copy function}}
+}
+
+void f4(char *source) {
+  char *destination = 0; // FIXME: There should be a note here as well.
+  destination = destination - 0; // expected-note{{Null pointer value stored to 'destination'}}
+  memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                   // expected-note at -1{{Null pointer argument in call to memory copy function}}
+}
+
+void f5(char *source) {
+  char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
+  char *destination2 = destination1 + 0; // expected-note{{'destination2' initialized to a null pointer value}}
+  memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                    // expected-note at -1{{Null pointer argument in call to memory copy function}}
+}
+
+void f6(char *source) {
+  char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
+  char *destination2 = destination1 - 0; // expected-note{{'destination2' initialized to a null pointer value}}
+  memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
+                                    // expected-note at -1{{Null pointer argument in call to memory copy function}}
+}

More information about the cfe-commits mailing list