[cfe-dev] [StaticAnalyzer] Potential bug in MemRegion.cpp?

Karthik Bhat blitz.opensource at gmail.com
Thu Sep 19 22:01:29 PDT 2013


I'm not sure of the test case, but the problem seems to be
in MemRegion::getAsOffset().
In the switch case CXXBaseObjectRegionKind:
if we cannot compute the offset of the base class we need to continue in
the loop instead of moving further down:

Index: lib/StaticAnalyzer/Core/MemRegion.cpp
===================================================================
--- lib/StaticAnalyzer/Core/MemRegion.cpp (revision 190992)
+++ lib/StaticAnalyzer/Core/MemRegion.cpp (working copy)
@@ -1244,6 +1244,7 @@
       if (!Child) {
         // We cannot compute the offset of the base class.
         SymbolicOffsetBase = R;
+        continue;
       }

       if (RootIsSymbolic) {
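Review bot: the added `continue` skips the remainder of this iteration whenever `Child` is null, including the `if (RootIsSymbolic) {` branch that immediately follows, so whatever that branch does on the symbolic path is now bypassed in the null case; please confirm that is intended, and that the loop has already advanced `R` before this point (the advance is outside the hunk), since otherwise `continue` re-enters the same case with the same region and never terminates. Jordan's point earlier in the thread was that `Child` should never be NULL here, so this guards the symptom; a comment explaining why a null `Child` is legitimately reachable (or an assertion if it is not) would document the decision.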

What do you think Jordan?

Regards
Karthik Bhat


On Fri, Sep 20, 2013 at 5:51 AM, Jordan Rose <jordan_rose at apple.com> wrote:

> If it's not a private program you can create a bug at
> http://llvm.org/bugs/ and attach the preprocessed file. If it is a
> private program (corporate or something) well...you could at least report
> where the caller is and what the original MemRegion is (using
> MemRegion::dump) and I can try to figure it out from that.
>
> Jordan
>
>
> On Sep 19, 2013, at 17:15 , Aditya Kumar <hiraditya at codeaurora.org> wrote:
>
> > I was compiling a program when I hit this segmentation fault. The program is
> > kind of big and I don't know how to reduce it to a minimal test case.
> >
> >
> >
> >> -----Original Message-----
> >> From: Jordan Rose [mailto:jordan_rose at apple.com]
> >> Sent: Thursday, September 19, 2013 11:13 AM
> >> To: Aditya Kumar
> >> Cc: 'Clang Dev'
> >> Subject: Re: [cfe-dev] [StaticAnalyzer] Potential bug in MemRegion.cpp?
> >>
> >> I think the bug here is that "Child" should never be NULL. How are you
> >> getting into this situation?
> >>
> >> Jordan
> >>
> >> On Sep 19, 2013, at 8:15 , Aditya Kumar <hiraditya at codeaurora.org> wrote:
> >>
> >>> When the following function is called by (RegionOffset
> >>> MemRegion::getAsOffset() const:1257), and the first parameter (Child)
> >>> is a NULL pointer I get a segmentation fault.
> >>>
> >>> @file: MemRegion.cpp
> >>> static bool isImmediateBase(const CXXRecordDecl *Child,
> >>>                             const CXXRecordDecl *Base) {
> >>>   // Note that we do NOT canonicalize the base class here, because
> >>>   // ASTRecordLayout doesn't either. If that leads us down the wrong path,
> >>>   // so be it; at least we won't crash.
> >>>   for (CXXRecordDecl::base_class_const_iterator I = Child->bases_begin(),
> >>>                                                 E = Child->bases_end();
> >>>        I != E; ++I) {
> >>>     if (I->getType()->getAsCXXRecordDecl() == Base)
> >>>       return true;
> >>>   }
> >>>
> >>>   return false;
> >>> }
> >>>
> >>> For now I just return `false' when `Child' pointer is NULL. Is this
> >>> fix okay or there is something else required to be done?
> >>>
> >>>
> >>> Thanks,
> >>> -Aditya
> >>>
> >>>
> >>> _______________________________________________
> >>> cfe-dev mailing list
> >>> cfe-dev at cs.uiuc.edu
> >>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev