[clang] [Webkit Checkers] Introduce a Webkit checker for memory unsafe casts (PR #114606)
Ryosuke Niwa via cfe-commits
cfe-commits at lists.llvm.org
Thu Nov 7 09:58:10 PST 2024
rniwa wrote:
I'm hitting this crash in the checker when I try to compile WebKit with this patch applied. From the backtrace, the fault is inside `CXXRecordDecl::isDerivedFrom` (frames 8–9) called from `WalkAST::VisitCastExpr` (frame 10), which looks like a null `CXXRecordDecl*` being dereferenced:
```
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0 clang-17 0x000000010fb6c15d llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 61
1 clang-17 0x000000010fb6c70b PrintStackTraceSignalHandler(void*) + 27
2 clang-17 0x000000010fb6a4b6 llvm::sys::RunSignalHandlers() + 134
3 clang-17 0x000000010fb6b9de llvm::sys::CleanupOnSignal(unsigned long) + 110
4 clang-17 0x000000010fa1d717 (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) + 183
5 clang-17 0x000000010fa1dabb CrashRecoverySignalHandler(int) + 187
6 libsystem_platform.dylib 0x00007ff802bc637d _sigtramp + 29
7 libsystem_platform.dylib 0x00007ff7b4ce10c8 _sigtramp + 18446744072402087272
8 clang-17 0x00000001163f26f1 clang::CXXRecordDecl::isDerivedFrom(clang::CXXRecordDecl const*, clang::CXXBasePaths&) const + 33
9 clang-17 0x00000001163f2681 clang::CXXRecordDecl::isDerivedFrom(clang::CXXRecordDecl const*) const + 97
10 clang-17 0x0000000113a3768e (anonymous namespace)::WalkAST::VisitCastExpr(clang::CastExpr*) + 526
11 clang-17 0x0000000113a3746d clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::VisitExplicitCastExpr(clang::ExplicitCastExpr*) + 29
12 clang-17 0x0000000113a361ed clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::VisitCStyleCastExpr(clang::CStyleCastExpr*) + 29
13 clang-17 0x0000000113a3328a clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::Visit(clang::Stmt*) + 3770
14 clang-17 0x0000000113a372b2 (anonymous namespace)::WalkAST::VisitChildren(clang::Stmt*) + 146
15 clang-17 0x0000000113a3720d (anonymous namespace)::WalkAST::VisitStmt(clang::Stmt*) + 29
16 clang-17 0x0000000113a3477d clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::VisitCompoundStmt(clang::CompoundStmt*) + 29
17 clang-17 0x0000000113a328a0 clang::StmtVisitorBase<std::__1::add_pointer, (anonymous namespace)::WalkAST, void>::Visit(clang::Stmt*) + 1232
18 clang-17 0x0000000113a3237f (anonymous namespace)::MemoryUnsafeCastChecker::checkASTCodeBody(clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) const + 95
19 clang-17 0x0000000113a3230d void clang::ento::check::ASTCodeBody::_checkBody<(anonymous namespace)::MemoryUnsafeCastChecker>(void*, clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) + 45
20 clang-17 0x0000000113df2901 clang::ento::CheckerFn<void (clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&)>::operator()(clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) const + 49
21 clang-17 0x0000000113df29e7 clang::ento::CheckerManager::runCheckersOnASTBody(clang::Decl const*, clang::ento::AnalysisManager&, clang::ento::BugReporter&) + 215
22 clang-17 0x00000001131f63fc (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*, void>>*) + 540
23 clang-17 0x00000001131fc597 (anonymous namespace)::AnalysisConsumer::VisitFunctionDecl(clang::FunctionDecl*) + 311
24 clang-17 0x00000001131fbced clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::WalkUpFromFunctionDecl(clang::FunctionDecl*) + 93
25 clang-17 0x00000001131829cf clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseFunctionDecl(clang::FunctionDecl*) + 79
26 clang-17 0x00000001131797e6 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseDecl(clang::Decl*) + 2534
27 clang-17 0x00000001131e0b18 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseDeclContextHelper(clang::DeclContext*) + 200
28 clang-17 0x000000011317c495 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseLinkageSpecDecl(clang::LinkageSpecDecl*) + 165
29 clang-17 0x0000000113179103 clang::RecursiveASTVisitor<(anonymous namespace)::AnalysisConsumer>::TraverseDecl(clang::Decl*) + 771
30 clang-17 0x0000000113178c0b (anonymous namespace)::AnalysisConsumer::runAnalysisOnTranslationUnit(clang::ASTContext&) + 443
31 clang-17 0x00000001131736fe (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) + 446
32 clang-17 0x00000001141e1736 clang::ParseAST(clang::Sema&, bool, bool) + 870
33 clang-17 0x000000011131e8b1 clang::ASTFrontendAction::ExecuteAction() + 305
34 clang-17 0x000000011131df8c clang::FrontendAction::Execute() + 124
35 clang-17 0x00000001112026df clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 975
36 clang-17 0x000000011144b193 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 899
37 clang-17 0x000000010b234dca cc1_main(llvm::ArrayRef<char const*>, char const*, void*) + 1802
38 clang-17 0x000000010b2206b4 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&, llvm::ToolContext const&) + 788
39 clang-17 0x000000010b22ce6d clang_main(int, char**, llvm::ToolContext const&)::$_0::operator()(llvm::SmallVectorImpl<char const*>&) const + 29
40 clang-17 0x000000010b22ce3d int llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::callback_fn<clang_main(int, char**, llvm::ToolContext const&)::$_0>(long, llvm::SmallVectorImpl<char const*>&) + 29
41 clang-17 0x0000000110f2a671 llvm::function_ref<int (llvm::SmallVectorImpl<char const*>&)>::operator()(llvm::SmallVectorImpl<char const*>&) const + 33
42 clang-17 0x0000000110f2a638 clang::driver::CC1Command::Execute(llvm::ArrayRef<std::__1::optional<llvm::StringRef>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, bool*) const::$_1::operator()() const + 40
43 clang-17 0x0000000110f2a605 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<std::__1::optional<llvm::StringRef>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, bool*) const::$_1>(long) + 21
44 clang-17 0x000000010fa1d5b9 llvm::function_ref<void ()>::operator()() const + 25
45 clang-17 0x000000010fa1d55c llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) + 236
46 clang-17 0x0000000110f2681c clang::driver::CC1Command::Execute(llvm::ArrayRef<std::__1::optional<llvm::StringRef>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, bool*) const + 508
47 clang-17 0x0000000110eb9d7f clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&, bool) const + 799
48 clang-17 0x0000000110eba027 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&, bool) const + 167
49 clang-17 0x0000000110eda248 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::__1::pair<int, clang::driver::Command const*>>&) + 568
50 clang-17 0x000000010b21fbef clang_main(int, char**, llvm::ToolContext const&) + 4511
51 clang-17 0x000000010b27fa9d main + 61
```
I think we need an early return in `VisitCastExpr` when `ToDerivedType` is `nullptr`: `getPointeeCXXRecordDecl()` yields null whenever the cast target is not a pointer or reference to a C++ class, and `isDerivedFrom()` does not accept a null base. Note that this is not just a build break — the crash takes down the cc1 invocation for that translation unit, so the checker silently produces no findings at all for any file containing such a cast. Something like this:
```cpp
auto ToDerivedType = ToDerivedQualType->getPointeeCXXRecordDecl();
// Null when the pointee is not a C++ class type (e.g. a cast to a pointer to a
// builtin); the subsequent isDerivedFrom() call must not be handed a null base,
// which is presumably the crash in the trace above.
if (!ToDerivedType)
return;
```
https://github.com/llvm/llvm-project/pull/114606