<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [Umbrella] Pointer cast representation problems."
   href="https://bugs.llvm.org/show_bug.cgi?id=43364">43364</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[Umbrella] Pointer cast representation problems.
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Static Analyzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dcoughlin@apple.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>noqnoqneo@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>dcoughlin@apple.com, llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>An umbrella bug for figuring out how to fix our representation of pointer
casts. The main problem with the current representation is that there are
multiple ways of representing the same pointer, however there's no canonical
way of representing a pointer, so different parts of the Analyzer are doing
this differently and only accidentally work together more or less nicely.

Here are a few examples of how they don't really work together nicely:


(1) In <a href="http://lists.llvm.org/pipermail/cfe-dev/2019-September/063308.html">http://lists.llvm.org/pipermail/cfe-dev/2019-September/063308.html</a> we
have two different symbolic values for the same actual pointer value, which
wear different constraints after dereferencing:

    reg_$1<int Element{SymRegion{reg_$0<const Item * items>},0 S64b,Item}->xxs>:  { [-2147483648, 0] }
    reg_$2<int SymRegion{reg_$0<const Item * items>}->xxs>:  { [1, 2147483647] }


(2) Here's another example that's a bit more controversial due to strict
aliasing violation, but still problematic and slightly more obvious:

  typedef struct {
    int RetCode;
  } A;

  typedef struct {
    int RetCode;
  } B;

  int blah(A *param, int *x) {
    if (param->RetCode != 0)  // reg_$1<SymRegion{reg_$0<param>}->RetCode>
      return ((B *) param)->RetCode; // reg_$2{element{B, 0 S32b, SymRegion{reg_$0<param>}->RetCode}
    *x = 1;
    return 0;
  }

  int foo(A* param) {
    int x;
    if (blah(param, &x) != 0) {
        return 0;
    }
    return x; // false positive: "returning garbage value".
  }

Here we have the following:

  param->RetCode:  reg_$1<SymRegion{reg_$0<param>}->RetCode>
  ((B *) param)->RetCode:  reg_$2{element{B, 0 S32b, SymRegion{reg_$0<param>}->RetCode}


(3) The following bugs of this kind are already fixed in a non-principled
manner:

  <a href="https://reviews.llvm.org/D38797">https://reviews.llvm.org/D38797</a>
  <a href="https://reviews.llvm.org/D46224">https://reviews.llvm.org/D46224</a>
  <a href="https://reviews.llvm.org/D46415">https://reviews.llvm.org/D46415</a>
  <a href="https://reviews.llvm.org/D51191">https://reviews.llvm.org/D51191</a>
  <a href="https://reviews.llvm.org/D52189">https://reviews.llvm.org/D52189</a>
  <a href="https://reviews.llvm.org/D55875">https://reviews.llvm.org/D55875</a>


(4) This is also a piece of technical debt that causes annoyance when writing
new code:

  <a href="https://reviews.llvm.org/D40939">https://reviews.llvm.org/D40939</a>
  <a href="https://reviews.llvm.org/D41250">https://reviews.llvm.org/D41250</a>
  <a href="https://reviews.llvm.org/D67079#inline-602514">https://reviews.llvm.org/D67079#inline-602514</a></pre>
        </div>
      </p>
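      <p>Added example, not part of the original report and not Clang code: a toy model of example (1), where range constraints keyed by region structure accept two contradictory ranges for the same memory, while a key reduced to (base region, byte offset) rejects the second. The class names, the 4-byte layouts and the offset-based key are assumptions made for illustration; the key ignores the loaded type because both loads are <code>int</code>.</p>
      <pre>
```python
from dataclasses import dataclass

INT_MIN, INT_MAX = -2**31, 2**31 - 1
SIZEOF = {"Item": 4, "A": 4, "B": 4}       # constructed layouts (assumption)
FIELD_OFFSET = {"xxs": 0, "RetCode": 0}    # constructed field offsets (assumption)

@dataclass(frozen=True)
class Sym:       # models SymRegion{reg_$0 ...}: memory behind a symbolic pointer
    name: str

@dataclass(frozen=True)
class Elem:      # models Element{super, index, type}, as left behind by a cast
    sup: object
    index: int
    type: str

@dataclass(frozen=True)
class Field:     # models super->name
    sup: object
    name: str

def canonical(region):
    """Reduce a region to (base symbolic region, byte offset)."""
    if isinstance(region, Sym):
        return region, 0
    base, off = canonical(region.sup)
    if isinstance(region, Elem):
        return base, off + region.index * SIZEOF[region.type]
    return base, off + FIELD_OFFSET[region.name]

class Constraints:
    """Range constraints on the int loaded from a region, stored under key(region)."""
    def __init__(self, key=lambda r: r):
        self.key, self.ranges = key, {}
    def assume(self, region, lo, hi):
        """Intersect with the known range; False means the path is infeasible."""
        k = self.key(region)
        old_lo, old_hi = self.ranges.get(k, (INT_MIN, INT_MAX))
        lo, hi = max(lo, old_lo), min(hi, old_hi)
        if lo > hi:
            return False
        self.ranges[k] = (lo, hi)
        return True

def replay(constraints):
    """Apply the two ranges from example (1) to the two spellings of items->xxs."""
    items = Sym("items")
    first = constraints.assume(Field(Elem(items, 0, "Item"), "xxs"), INT_MIN, 0)
    return first, constraints.assume(Field(items, "xxs"), 1, INT_MAX)
```
      </pre>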


    </body>
</html>