[cfe-dev] Unions in the Clang Static Analyzer

Alexey Sidorin via cfe-dev cfe-dev at lists.llvm.org
Thu Mar 2 15:11:05 PST 2017 

Hi all,

There is one thing that can make the implementation a bit easier :)
The reading of a union field that was not stored last may cause 
undefined behavior. A discussion on this issue can be found on
https://www.securecoding.cert.org/confluence/display/c/EXP39-C.+Do+not+access+a+variable+through+a+pointer+of+an+incompatible+type

I guess we need some language lawyers here. Aaron, can I disturb you?


02.03.2017 20:12, Artem Dergachev via cfe-dev пишет:
> Hello,
>
> I'm not aware of any unfinished work on union support. I'd gladly give 
> a few hints.
>
> RegionStore itself already operates in a union-friendly manner: even 
> though it presents itself as a MemRegion->SVal map, internally it only 
> stores base regions and byte offsets as keys, regardless of how the 
> bytes stored are interpreted.
>
> However, i suspect bigger problems with actually representing symbolic 
> values for fields that are interpreted in multiple ways during the 
> analysis. First of all, reinterpret-casts of basic types are in 
> general modeled poorly. For example, cast from pointer to integer is 
> represented as a special LocAsInteger SVal sub-class, support for 
> which in SValBuilder is worse than for symbols; at the same time cast 
> from integer to pointer is not represented at all, as i mentioned 
> recently in 
> http://lists.llvm.org/pipermail/cfe-dev/2017-February/052769.html .
>
> Then, unions are even more fun because they challenge the concept of 
> SymbolRegionValue, which is a very basic thing. Consider an example:
>
>   union U { intptr_t x; void *p; }
>
>   void foo(union U u) {
>     intptr_t X = u.x; // reg_$0<u.x>
>     void *P = u.p; // &SymRegion{reg_$1<u.p>}
>     if (X == P) { ... }
>   }
>
> The symbolic values for X and P look completely different, the worst 
> thing here probably being that X is NonLoc while P is Loc. Yet, they 
> represent the same thing. How would we unify these values? If you come 
> up with a single symbol to represent them, what would be the type of 
> that symbol? Or would you prefer to constrain these symbols to be 
> equal, and rely on the constraint solver to figure things out?
>
> So making a proper union support is going to be a fun research 
> project. Smaller incremental improvements that fix particular cases 
> you encounter are also very much welcome. There's not necessarily much 
> thought behind the safety-first bail-outs, so if you are seeing 
> significant improvements by removing them, we could consider lifting 
> them; it may also turn out that they're necessary, and an experienced 
> eye may sometimes understand why, but as long as there is no 
> comprehensive explanation in comments and no testcase coverage, i'd 
> rather encourage you to remove them and see what happens; especially 
> considering that you've got access to a good codebase to test these 
> changes upon.
>
>
> 02/03/2017 1:53 AM, Keno Fischer via cfe-dev wrote:
>> I was having some trouble with using the static analyzer on code that 
>> involves unions. Looking through the code, it seems like this is a 
>> known problem and unions aren't particularly well supported. 
>> Personally, I was able to make some progress by just ripping out all 
>> the checks for union types, particularly in RegionStore. However, 
>> that's obviously a hacky solution, so to ensure that my check will 
>> keep working, I'd like to improve upstream support for unions if 
>> possible. Has anybody thought about this problem before/is there 
>> already a design for this? Alternatively, have people collected test 
>> cases that would benefit from improving union support? I'm sure I'm 
>> not the first person to hit this issue, so I'd appreciate any 
>> pointers to prior work.
>>
>>
>> _______________________________________________ cfe-dev mailing list 
>> cfe-dev at lists.llvm.org 
>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170303/4fcc6874/attachment.html>

More information about the cfe-dev mailing list