[cfe-dev] [StaticAnalyzer] Potential bug in MemRegion.cpp?

Aditya Kumar hiraditya at codeaurora.org
Fri Sep 20 09:02:23 PDT 2013


Karthik,

You are right. This is basically the reason I got the error.

--- lib/StaticAnalyzer/Core/MemRegion.cpp  (revision 190992)

+++ lib/StaticAnalyzer/Core/MemRegion.cpp           (working copy)

@@ -1244,6 +1244,7 @@

       if (!Child) {

         // We cannot compute the offset of the base class.

         SymbolicOffsetBase = R;

+        continue;

       }

 

In addition to what you have suggested, I think we should also return false
(in MemRegion.cpp:isImmediateBase), or may be assert when the Child pointer
is NULL.

@file: MemRegion.cpp
static bool isImmediateBase(const CXXRecordDecl *Child,
        const CXXRecordDecl *Base) {
+ if (!Child)

+ return false;

 

 

From: Karthik Bhat [mailto:blitz.opensource at gmail.com] 
Sent: Friday, September 20, 2013 12:01 AM
To: Jordan Rose
Cc: Aditya Kumar; Clang Dev
Subject: Re: [cfe-dev] [StaticAnalyzer] Potential bug in MemRegion.cpp?

 

I'm not sure of the test case but the problem seems to be in
MemRegion::getAsOffset(). 

In switch case  case CXXBaseObjectRegionKind:

if we cannot compute the offset of the base class we need to continue in the
loop instead of moving further down-

 

Index: lib/StaticAnalyzer/Core/MemRegion.cpp

===================================================================

--- lib/StaticAnalyzer/Core/MemRegion.cpp (revision 190992)

+++ lib/StaticAnalyzer/Core/MemRegion.cpp          (working copy)

@@ -1244,6 +1244,7 @@

       if (!Child) {

         // We cannot compute the offset of the base class.

         SymbolicOffsetBase = R;

+        continue;

       }

 

       if (RootIsSymbolic) {

 

What do you think Jordan?

 

Regards

Karthik Bhat

 

On Fri, Sep 20, 2013 at 5:51 AM, Jordan Rose <jordan_rose at apple.com> wrote:

If it's not a private program you can create a bug at http://llvm.org/bugs/
and attach the preprocessed file. If it is a private program (corporate or
something) well...you could at least report where the caller is and what the
original MemRegion is (using MemRegion::dump) and I can try to figure it out
from that.

Jordan



On Sep 19, 2013, at 17:15 , Aditya Kumar <hiraditya at codeaurora.org> wrote:

> I was compiling a program when I hit this segmentation fault. The program
is
> kind of big and I don't know how to reduce it to a minimal test case.
>
>
>
>> -----Original Message-----
>> From: Jordan Rose [mailto:jordan_rose at apple.com]
>> Sent: Thursday, September 19, 2013 11:13 AM
>> To: Aditya Kumar
>> Cc: 'Clang Dev'
>> Subject: Re: [cfe-dev] [StaticAnalyzer] Potential bug in MemRegion.cpp?
>>
>> I think the bug here is that "Child" should never be NULL. How are you
>> getting into this situation?
>>
>> Jordan
>>
>> On Sep 19, 2013, at 8:15 , Aditya Kumar <hiraditya at codeaurora.org> wrote:
>>
>>> When the following function is called by (RegionOffset
>>> MemRegion::getAsOffset() const:1257), and the first parameter (Child)
>>> is a NULL pointer I get a segmentation fault.
>>>
>>> @file: MemRegion.cpp
>>> 01164 static bool isImmediateBase(const CXXRecordDecl *Child,
>>> 01165                             const CXXRecordDecl *Base) {
>>> 01166   // Note that we do NOT canonicalize the base class here, because
>>> 01167   // ASTRecordLayout doesn't either. If that leads us down the
> wrong
>>> path,
>>> 01168   // so be it; at least we won't crash.
>>> 01169   for (CXXRecordDecl::base_class_const_iterator I =
>>> Child->bases_begin(),
>>> 01170                                                 E =
>>> Child->bases_end();
>>> 01171        I != E; ++I) {
>>> 01172     if (I->getType()->getAsCXXRecordDecl() == Base)
>>> 01173       return true;
>>> 01174   }
>>> 01175
>>> 01176   return false;
>>> 01177 }
>>>
>>> For now I just return `false' when `Child' pointer is NULL. Is this
>>> fix okay or there is something else required to be done?
>>>
>>>
>>> Thanks,
>>> -Aditya
>>>
>>>
>>> _______________________________________________
>>> cfe-dev mailing list
>>> cfe-dev at cs.uiuc.edu
>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>
>

_______________________________________________
cfe-dev mailing list
cfe-dev at cs.uiuc.edu
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20130920/8fa56017/attachment.html>


More information about the cfe-dev mailing list