[cfe-dev] [analyzer] Pointer cast representation problems

Vince Bridgers via cfe-dev cfe-dev at lists.llvm.org
Mon Dec 7 03:53:53 PST 2020


Hi all, I thought I'd look at this problem
https://bugs.llvm.org/show_bug.cgi?id=43364 (Pointer cast representation
problems), maybe use it as an opportunity to dig into the inner workings of
the analyzer and maybe even solve a concrete problem :)   But it seems I
need guidance about possible paths to pursue.

Starting with a concrete case, a simple reproducer is below. I debugged
this down to SimpleSValBuilder.cpp:evalCastFromLoc(). val is an SVal and
castTy is a Loc, and this code path attempts to extract a concrete integer
from the SVal (did I get this right?). So I think a solution to this
specific case would be to dig into the SVal to see if the casted data is
concrete, and extract that data. Seems to me this would be the location for
that (evalCastFromLoc seems appropriate enough). If that's true, can
someone point me to an example that's similar? I'll keep digging, but
thought I'd ask in case it is easy for someone to drop a few helpful
hints.

I've included some select dumps, state and a bt below in case this is
helpful.

Best

(gdb) p val.dump()
&Element{myvar,0 S64b,char}$2 = void

(gdb) p castTy.dump()
PointerType 0xf931740 'char *'
`-BuiltinType 0xf930b50 'char'
$3 = void


Invocation: clang -cc1 -analyze -analyzer-checker=core case.c

struct mystruct {
  unsigned short _u16;
};

int main(void) {
  struct mystruct myvar = { 0x1122 };

  char *p = (char *)&myvar; /* reinterpret the 16-bit field byte by byte */
  int x = 0;
  if (p[0])
    x += 1;
  if (p[1]) // Branch condition evaluates to a garbage value [core.uninitialized.Branch]
    x += 1;
  return x;
}

(gdb) p state
$4 = {Obj = 0xf9b81b8}
(gdb) p state->dump()
"program_state": {
  "store": { "pointer": "0xf9b6fa2", "items": [
    { "cluster": "myvar", "pointer": "0xf9b2250", "items": [
      { "kind": "Direct", "offset": 0, "value": "4386 U16b" }
    ]},
    { "cluster": "p", "pointer": "0xf9b2aa8", "items": [
      { "kind": "Direct", "offset": 0, "value": "&Element{myvar,0 S64b,char}" }
    ]},
    { "cluster": "x", "pointer": "0xf9b6ed0", "items": [
      { "kind": "Direct", "offset": 0, "value": "1 S32b" }
    ]}
  ]},
  "environment": { "pointer": "0xf9b16e0", "items": [
    { "lctx_id": 1, "location_context": "#0 Call", "calling": "main", "location": null, "items": [
      { "stmt_id": 898, "pretty": "p", "value": "&p" }
    ]}
  ]},
  "constraints": null,
  "dynamic_types": null,
  "dynamic_casts": null,
  "constructing_objects": null,
  "checker_messages": null
}$5 = void


(gdb) bt
#0  (anonymous namespace)::SimpleSValBuilder::evalCastFromLoc
(this=0xf9aedf0, val=..., castTy=...) at
../../clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:136
#1  0x0000000007ec6ecb in (anonymous
namespace)::SimpleSValBuilder::dispatchCast (this=0xf9aedf0, Val=...,
CastTy=...) at ../../clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:70
#2  0x0000000007edd75e in clang::ento::StoreManager::CastRetrievedVal
(this=0xf9b02a0, V=..., R=0xf9b2aa8, castTy=...) at
../../clang/lib/StaticAnalyzer/Core/Store.cpp:438
#3  0x0000000007ea0480 in (anonymous
namespace)::RegionStoreManager::getBinding (this=0xf9b02a0, B=..., L=...,
T=...) at ../../clang/lib/StaticAnalyzer/Core/RegionStore.cpp:1511
#4  0x0000000007e9d059 in (anonymous
namespace)::RegionStoreManager::getBinding (this=0xf9b02a0, S=0xf9b6fa2,
L=..., T=...) at ../../clang/lib/StaticAnalyzer/Core/RegionStore.cpp:551
#5  0x0000000007753856 in clang::ento::ProgramState::getRawSVal
(this=0xf9b81b8, LV=..., T=...) at
../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h:785
#6  0x0000000007e64d61 in clang::ento::ProgramState::getSVal
(this=0xf9b81b8, location=..., T=...) at
../../clang/lib/StaticAnalyzer/Core/ProgramState.cpp:267
#7  0x0000000007df0d77 in clang::ento::ExprEngine::evalLoad
(this=0x7fffffffa828, Dst=..., NodeEx=0xf985e00, BoundEx=0xf985e00,
Pred=0xf9b8230, state=..., location=..., tag=0x0, LoadTy=...)
    at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2982
#8  0x0000000007e10402 in clang::ento::ExprEngine::VisitCast
(this=0x7fffffffa828, CastE=0xf985e00, Ex=0xf985dc0, Pred=0xf9b8230,
Dst=...) at ../../clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:313
#9  0x0000000007de88a8 in clang::ento::ExprEngine::Visit
(this=0x7fffffffa828, S=0xf985e00, Pred=0xf9b8230, DstTop=...) at
../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1729
#10 0x0000000007de4d9c in clang::ento::ExprEngine::ProcessStmt
(this=0x7fffffffa828, currStmt=0xf985e00, Pred=0xf9b8230) at
../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:791
#11 0x0000000007de4a89 in clang::ento::ExprEngine::processCFGElement
(this=0x7fffffffa828, E=..., Pred=0xf9b8230, StmtIdx=1, Ctx=0x7fffffffa338)
at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637
#12 0x0000000007db6fa9 in clang::ento::CoreEngine::HandlePostStmt
(this=0x7fffffffa848, B=0xf9a8860, StmtIdx=1, Pred=0xf9b8230) at
../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:466
#13 0x0000000007db6717 in clang::ento::CoreEngine::dispatchWorkItem
(this=0x7fffffffa848, Pred=0xf9b8230, Loc=..., WU=...) at
../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:191
#14 0x0000000007db6323 in clang::ento::CoreEngine::ExecuteWorkList
(this=0x7fffffffa848, L=0xf9b16e0, Steps=224975, InitState=...) at
../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:147
#15 0x000000000734dc74 in clang::ento::ExprEngine::ExecuteWorkList
(this=0x7fffffffa828, L=0xf9b16e0, Steps=225000) at
../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:192
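To make the proposed fix concrete, here is an added example (not from the thread and not analyzer code) that models what a load through the char* element region needs to do: given the concrete binding "4386 U16b" the store dump shows for myvar, extract the byte at the requested element offset instead of giving up, and compare the result with what the reproducer computes natively. The function names, the binding model and the -1 return for an out-of-range offset are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of a concrete store binding such as the dump's "4386 U16b": a known
   integer `value` that is `bits` wide. Returns the byte that a load of
   p[offset] through a char* should yield, or -1 when the offset lies beyond
   the binding (only then is the load genuinely unknown/uninitialized).
   `little_endian` selects the target byte order. Constructed model, not an
   analyzer type or API. */
int binding_byte(uint64_t value, unsigned bits, size_t offset,
                 int little_endian) {
    size_t width = bits / 8;
    if (bits % 8 != 0 || offset >= width)
        return -1;
    size_t byte_index = little_endian ? offset : (width - 1 - offset);
    return (int)((value >> (8 * byte_index)) & 0xFF);
}

/* Host byte order, so the model can be checked against the native run. */
int host_is_little_endian(void) {
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* The reproducer's x, computed by the model from the concrete binding: the
   value the analyzer should reach instead of reporting a garbage branch
   condition for p[1]. Both bytes of 0x1122 are nonzero, so x is 2. */
int model_x(uint64_t value, unsigned bits, int little_endian) {
    int x = 0;
    if (binding_byte(value, bits, 0, little_endian) > 0) x += 1;
    if (binding_byte(value, bits, 1, little_endian) > 0) x += 1;
    return x;
}

/* The reproducer itself, executed natively for comparison. */
int reproducer_x(void) {
    struct mystruct { unsigned short _u16; } myvar = { 0x1122 };
    char *p = (char *)&myvar;
    int x = 0;
    if (p[0]) x += 1;
    if (p[1]) x += 1;
    return x;
}
```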