[PATCH] D136162: [analyzer] Fix assertion failure in RegionStore within bindArray()

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Oct 18 05:29:45 PDT 2022 

steakhal created this revision.
steakhal added reviewers: NoQ, martong, Szelethus, ASDenysPetrov, tomasz-kaminski-sonarsource, xazax.hun, isuckatcs.
Herald added subscribers: manas, dkrupp, donat.nagy, mikhail.ramalho, a.sidorin, rnkovacs, szepet, baloghadamsoftware.
Herald added a project: All.
steakhal requested review of this revision.
Herald added a project: clang.
Herald added a subscriber: cfe-commits.

It turns out we can reach the `Init.castAs<nonlock::CompoundVal>()`
expression with other kinds of SVals. Such as by `nonloc::ConcreteInt`
in this example: https://godbolt.org/z/s4fdxrcs9

  int buffer[10];
  void b();
  void top() {
    b(&buffer);
  }
  void b(int *c) {
    *c = 42; // would crash
  }

In this example, we try to store `42` to the `Elem{buffer, 0}`.
A similar situation could happen if we reinterpret cast pointers, etc.
so the situation is not limited to conflicting function prototypes.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D136162

Files:
  clang/lib/StaticAnalyzer/Core/RegionStore.cpp
  clang/test/Analysis/region-store.c


Index: clang/test/Analysis/region-store.c
===================================================================
--- clang/test/Analysis/region-store.c
+++ clang/test/Analysis/region-store.c
@@ -1,4 +1,6 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection -verify -analyzer-config eagerly-assume=false %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,debug.ExprInspection \
+// RUN:    -verify -analyzer-config eagerly-assume=false -std=c99 %s \
+// RUN:    -Wno-implicit-function-declaration
 
 int printf(const char *restrict,...);
 
@@ -54,3 +56,13 @@
     clang_analyzer_eval(values[0] == 4);// expected-warning {{UNKNOWN}}
   }
 }
+
+int buffer[10];
+void b(); // expected-warning {{a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C2x, conflicting with a subsequent definition}}
+void top() {
+  // expected-warning at +1 {{passing arguments to 'b' without a prototype is deprecated in all versions of C and is not supported in C2x}}
+  b(&buffer);
+}
+void b(int *c) { // expected-note {{conflicting prototype is here}}
+  *c = 42; // no-crash
+}
Index: clang/lib/StaticAnalyzer/Core/RegionStore.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Core/RegionStore.cpp
+++ clang/lib/StaticAnalyzer/Core/RegionStore.cpp
@@ -2497,8 +2497,8 @@
     return bindAggregate(B, R, Init);
   }
 
-  if (Init.isUnknown())
-    return bindAggregate(B, R, UnknownVal());
+  if (!isa<nonloc::CompoundVal>(Init))
+    return bindAggregate(B, R, Init);
 
   // Remaining case: explicit compound values.
   const nonloc::CompoundVal& CV = Init.castAs<nonloc::CompoundVal>();


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D136162.468497.patch
Type: text/x-patch
Size: 1724 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20221018/b492f3bb/attachment.bin>

More information about the cfe-commits mailing list