[PATCH] D86743: [analyzer] Ignore VLASizeChecker case that could cause crash
Vince Bridgers via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Thu Aug 27 15:30:36 PDT 2020
vabridgers created this revision.
vabridgers added reviewers: balazske, NoQ, martong, baloghadamsoftware, Szelethus, gamesh411.
Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, xazax.hun.
Herald added a project: clang.
vabridgers requested review of this revision.
See https://bugs.llvm.org/show_bug.cgi?id=47272. The checker does not
yet comprehend constraints involving multiple symbols, so it's
possible to calculate a VLA size that causes an assert. A LIT test is added to
catch regressions, and this change simply bails if a size is calculated
that is not known.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D86743
Files:
clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
clang/test/Analysis/vla.c
Index: clang/test/Analysis/vla.c
===================================================================
--- clang/test/Analysis/vla.c
+++ clang/test/Analysis/vla.c
@@ -151,3 +151,22 @@
foo();
}
} // no-crash
+
+
+// https://bugs.llvm.org/show_bug.cgi?id=47272
+// similar to the above case, just different enough to have not
+// been covered.
+// Just don't crash.
+int bb;
+int c() {
+ int d = 0;
+ int sum = 0;
+ while (bb) {
+ int count = bb - d;
+ int e[count];
+ if (count > 4)
+ sum++;
+ d++;
+ }
+ return sum;
+} // no-crash
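Review bot: the new test only pins the no-crash behaviour and never states what diagnostics, if any, are expected for `int e[count]`, even though `count = bb - d` is decremented on every iteration and is not constrained to stay positive; if vla.c runs under -verify, either add the expected diagnostic or a comment stating that none is expected, so a later change that starts warning here fails for a documented reason rather than by surprise. Minor style point: there are two consecutive blank lines before the comment block, one is enough.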
Index: clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
@@ -298,8 +298,11 @@
DefinedOrUnknownSVal SizeIsKnown = SVB.evalEQ(State, DynSize, *ArraySizeNL);
State = State->assume(SizeIsKnown, true);
- // Assume should not fail at this point.
- assert(State);
+ // State may not be valid since constraints do not comprehend expressions
+ // used for VLAs. If State is null, just silently return.
+ // See https://bugs.llvm.org/show_bug.cgi?id=47272.
+ if (!State)
+ return;
}
// Remember our assumptions!
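Review bot: returning silently when `State->assume(SizeIsKnown, true)` yields a null state leaves the path alive with the checker's pre-callback state and skips the "Remember our assumptions!" bookkeeping below, so the VLA size recorded for this declaration is simply dropped instead of the path being treated as infeasible; the comment should say why continuing without the size information is acceptable here (or the path should be sunk) rather than only stating that the state "may not be valid". The comment would also be more precise if it named the actual limitation from the bug report, that the constraint manager does not yet handle constraints involving multiple symbols, rather than the vaguer "constraints do not comprehend expressions used for VLAs".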