[clang] [analyzer] Avoid crashes in the stream checker (PR #100901)
via cfe-commits
cfe-commits at lists.llvm.org
Sun Jul 28 11:10:46 PDT 2024
vabridgers wrote:
A little background on how this was found, and a few debugging notes.
This was found in a daily static analysis systems-level test that we drive internally on our daily integrations, on the lz4 project, found here: https://github.com/lz4/lz4.git. There are a number of open source projects that we drive these daily code analysis tests on, and in this case we seem to have caught a regression, because previous tests had been passing.
When I looked at the state after a crash through gdb, the crash occurred because StateNull in method evalFopen was NULL and StateNotNull was not NULL, so that seemed to indicate the assumeDual(State, RetVal) operation in method evalFopen had not returned the expected non-null states. That led me to look at RetSym and its constraints in the Program State. See below.
I suspect the change to add assumeNoAliasingWithStdStreams is somehow causing this, since when I revert b60fec27fd1bbab8c2c7a77b4be7836a1beb326f ( [analyzer] Assume the result of 'fopen' can't alias with 'std{in,out,err}' (#100085) ) I do not see this problem.
(gdb) p StateNull
$1 = {Obj = 0x0}
(gdb) p StateNotNull
$2 = {Obj = 0x5555695e79b0}
(gdb) p RetSym->dump()
conj_$3{FILE *, LC2, S801, #1}$4 = void
(gdb) p State->dump()
"program_state": {
"store": { "pointer": "0x5555695d40e0", "items": [
{ "cluster": "SymRegion{conj_$0{int &, LC1, no stmt, #0}}", "pointer": "0x5555695d3f60", "items": [
{ "kind": "Direct", "offset": 0, "value": "0 S32b" }
]}
]},
"environment": { "pointer": "0x5555695dc890", "items": [
{ "lctx_id": 2, "location_context": "#0 Call", "calling": "b", "location": { "line": 10, "column": 3, "file": "aa.c" }, "items": [
{ "stmt_id": 798, "kind": "ImplicitCastExpr", "pretty": "fopen", "value": "&code{fopen}" },
{ "stmt_id": 801, "kind": "CallExpr", "pretty": "fopen(&a, \"\")", "value": "&SymRegion{conj_$3{FILE *, LC2, S801, #1}}" },
{ "stmt_id": 807, "kind": "ImplicitCastExpr", "pretty": "&a", "value": "&a" },
{ "stmt_id": 813, "kind": "ImplicitCastExpr", "pretty": "\"\"", "value": "&Element{\"\",0 S64b,char}" }
]},
{ "lctx_id": 1, "location_context": "#1 Call", "calling": "b", "location": null, "items": [
{ "stmt_id": 864, "kind": "ImplicitCastExpr", "pretty": "b", "value": "&code{b}" }
]}
]},
"constraints": [
{ "symbol": "conj_$3{FILE *, LC2, S801, #1}", "range": "{ [1, 18446744073709551615] }" },
{ "symbol": "reg_$2<int * stdout>", "range": "{ [0, 0] }" }
],
https://github.com/llvm/llvm-project/pull/100901
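As an added illustration (not code from the PR, the lz4 project, or the Clang analyzer itself), here is a toy model of why assumeDual yields a null state once the return symbol's range already excludes 0, as in the [1, 18446744073709551615] constraint in the dump above, and the guard on both results that a checker needs. Range, State and the successor counting are assumptions of the model, not the analyzer's real types.

```cpp
#include <cstdint>
#include <optional>
#include <utility>

// Toy model (not the Clang analyzer's real API): one symbol's constraint is a
// closed interval [lo, hi] over the pointer's integer value.
struct Range { uint64_t lo, hi; };

// A "program state" here is just the constraint on the fopen() result symbol.
struct State { Range retSym; };

// Model of assumeDual(State, RetVal): split State into the branch where the
// symbol is null ([0,0]) and the branch where it is non-null. A branch whose
// intersection with the existing range is empty is infeasible and comes back
// as std::nullopt, the way the analyzer hands back a null ProgramStateRef.
std::pair<std::optional<State>, std::optional<State>> assumeDual(const State &S) {
  std::optional<State> Null, NotNull;
  if (S.retSym.lo == 0)               // 0 is inside the current range
    Null = State{Range{0, 0}};
  if (S.retSym.hi >= 1)               // some non-zero value is still possible
    NotNull = State{Range{S.retSym.lo > 0 ? S.retSym.lo : 1, S.retSym.hi}};
  return {Null, NotNull};
}

// Simplified evalFopen: returns the number of successor states produced.
// Checking both results is what keeps an already-constrained symbol
// (range [1, 2^64-1]) from dereferencing a null state on the null branch.
int evalFopen(const State &S) {
  auto [StateNull, StateNotNull] = assumeDual(S);
  int successors = 0;
  if (StateNotNull) { /* record the open stream, add transition */ ++successors; }
  if (StateNull)    { /* transition on the failure path */ ++successors; }
  return successors;
}
```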