[cfe-dev] [analyzer] Pointer cast representation problems

Balázs Benics via cfe-dev cfe-dev at lists.llvm.org
Mon Dec 7 07:40:08 PST 2020


Ok, you are saying that we should know that `p[1]` points to an object
which was initialized. And according to the target's endianness, resolve
the DeclRefExpr to the appropriate constant value.

The dumps are probably from the line `char *p = &myvar;` if I'm right.
That is the reason why the right-hand side is evaluated to the location of
`myvar`, but wrapped into an ElementRegion of type char representing the
reinterpret cast.
IMO, it's the correct behavior to this point.

You should probably dig around the evaluation of the `DeclRefExpr` of the
expression `p[1]`. That should return your concrete value.
AFAIK, the store maps the values to expressions and the problem probably
resides there.
But it's just a wild guess :D

Unfortunately, that is all I can say about this right now :(

Balazs.

Vince Bridgers via cfe-dev <cfe-dev at lists.llvm.org> wrote (on Mon, 7 Dec
2020, 11:54):

> Hi all, I thought I'd look at this problem
> https://bugs.llvm.org/show_bug.cgi?id=43364 (Pointer cast representation
> problems), maybe use it as an opportunity to dig into the inner workings of
> the analyzer and maybe even solve a concrete problem :)   But it seems I
> need guidance about possible paths to pursue.
>
> Starting with a concrete case, a simple reproducer is below. I debugged
> this down to SimpleSValBuilder.cpp:evalCastFromLoc(). val is an SVal and
> castTy is a Loc, and this code path attempts to extract a concrete integer
> from the SVal (did I get this right?). So I think a solution to this
> specific case would be to dig into the SVal to see if casted data is
> concrete, and extract that data. Seems to me this would be the location for
> that (evalCastFromLoc seems appropriate enough). If that's true, can
> someone point me to an example that's similar? I'll keep digging, but
> thought I'd ask in case this is easy for someone to drop a few helpful
> hints.
>
> I've included some select dumps, state and a bt below in case this is
> helpful.
>
> Best
>
> (gdb) p val.dump()
> &Element{myvar,0 S64b,char}$2 = void
>
> (gdb) p castTy.dump()
> PointerType 0xf931740 'char *'
> `-BuiltinType 0xf930b50 'char'
> $3 = void
>
>
> Invocation: clang -cc1 -analyze -analyzer-checker=core case.c
>
> struct mystruct {
>   unsigned short _u16;
> };
>
> int main(void) {
>   struct mystruct myvar = { 0x1122 };
>
>   char *p = &myvar;
>   int x = 0;
>   if (p[0])
>     x+=1;
>   if (p[1]) // Branch condition evaluates to a garbage value
> [core.uninitialized.Branch]
>     x+=1;
>   return x;
> }
>
> (gdb) p state
> $4 = {Obj = 0xf9b81b8}
> (gdb) p state->dump()
> "program_state": {
>   "store": { "pointer": "0xf9b6fa2", "items": [
>     { "cluster": "myvar", "pointer": "0xf9b2250", "items": [
>       { "kind": "Direct", "offset": 0, "value": "4386 U16b" }
>     ]},
>     { "cluster": "p", "pointer": "0xf9b2aa8", "items": [
>       { "kind": "Direct", "offset": 0, "value": "&Element{myvar,0
> S64b,char}" }
>     ]},
>     { "cluster": "x", "pointer": "0xf9b6ed0", "items": [
>       { "kind": "Direct", "offset": 0, "value": "1 S32b" }
>     ]}
>   ]},
>   "environment": { "pointer": "0xf9b16e0", "items": [
>     { "lctx_id": 1, "location_context": "#0 Call", "calling": "main",
> "location": null, "items": [
>       { "stmt_id": 898, "pretty": "p", "value": "&p" }
>     ]}
>   ]},
>   "constraints": null,
>   "dynamic_types": null,
>   "dynamic_casts": null,
>   "constructing_objects": null,
>   "checker_messages": null
> }$5 = void
>
>
> (gdb) bt
> #0  (anonymous namespace)::SimpleSValBuilder::evalCastFromLoc
> (this=0xf9aedf0, val=..., castTy=...) at
> ../../clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:136
> #1  0x0000000007ec6ecb in (anonymous
> namespace)::SimpleSValBuilder::dispatchCast (this=0xf9aedf0, Val=...,
> CastTy=...) at ../../clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp:70
> #2  0x0000000007edd75e in clang::ento::StoreManager::CastRetrievedVal
> (this=0xf9b02a0, V=..., R=0xf9b2aa8, castTy=...) at
> ../../clang/lib/StaticAnalyzer/Core/Store.cpp:438
> #3  0x0000000007ea0480 in (anonymous
> namespace)::RegionStoreManager::getBinding (this=0xf9b02a0, B=..., L=...,
> T=...) at ../../clang/lib/StaticAnalyzer/Core/RegionStore.cpp:1511
> #4  0x0000000007e9d059 in (anonymous
> namespace)::RegionStoreManager::getBinding (this=0xf9b02a0, S=0xf9b6fa2,
> L=..., T=...) at ../../clang/lib/StaticAnalyzer/Core/RegionStore.cpp:551
> #5  0x0000000007753856 in clang::ento::ProgramState::getRawSVal
> (this=0xf9b81b8, LV=..., T=...) at
> ../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h:785
> #6  0x0000000007e64d61 in clang::ento::ProgramState::getSVal
> (this=0xf9b81b8, location=..., T=...) at
> ../../clang/lib/StaticAnalyzer/Core/ProgramState.cpp:267
> #7  0x0000000007df0d77 in clang::ento::ExprEngine::evalLoad
> (this=0x7fffffffa828, Dst=..., NodeEx=0xf985e00, BoundEx=0xf985e00,
> Pred=0xf9b8230, state=..., location=..., tag=0x0, LoadTy=...)
>     at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:2982
> #8  0x0000000007e10402 in clang::ento::ExprEngine::VisitCast
> (this=0x7fffffffa828, CastE=0xf985e00, Ex=0xf985dc0, Pred=0xf9b8230,
> Dst=...) at ../../clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp:313
> #9  0x0000000007de88a8 in clang::ento::ExprEngine::Visit
> (this=0x7fffffffa828, S=0xf985e00, Pred=0xf9b8230, DstTop=...) at
> ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1729
> #10 0x0000000007de4d9c in clang::ento::ExprEngine::ProcessStmt
> (this=0x7fffffffa828, currStmt=0xf985e00, Pred=0xf9b8230) at
> ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:791
> #11 0x0000000007de4a89 in clang::ento::ExprEngine::processCFGElement
> (this=0x7fffffffa828, E=..., Pred=0xf9b8230, StmtIdx=1, Ctx=0x7fffffffa338)
> at ../../clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:637
> #12 0x0000000007db6fa9 in clang::ento::CoreEngine::HandlePostStmt
> (this=0x7fffffffa848, B=0xf9a8860, StmtIdx=1, Pred=0xf9b8230) at
> ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:466
> #13 0x0000000007db6717 in clang::ento::CoreEngine::dispatchWorkItem
> (this=0x7fffffffa848, Pred=0xf9b8230, Loc=..., WU=...) at
> ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:191
> #14 0x0000000007db6323 in clang::ento::CoreEngine::ExecuteWorkList
> (this=0x7fffffffa848, L=0xf9b16e0, Steps=224975, InitState=...) at
> ../../clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:147
> #15 0x000000000734dc74 in clang::ento::ExprEngine::ExecuteWorkList
> (this=0x7fffffffa828, L=0xf9b16e0, Steps=225000) at
> ../../clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:192
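Added example, not taken from either message in this thread: it spells out the concrete values Balazs says the analyzer should be able to resolve for `p[0]` and `p[1]`, and checks them against what the reproducer's program actually does at run time. The `struct mystruct` and the 0x1122 initializer are the reproducer's; `modeled_byte`, `actual_byte`, `count_nonzero_bytes` and `host_is_big_endian` are names made up here for illustration. The model function takes the byte order as a parameter so both targets can be checked on one host; `unsigned char` is used for the read so the result is never sign-extended, since whether plain `char` is signed is target dependent.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the reproducer in the thread. */
struct mystruct {
    unsigned short _u16;
};

/* Detect the host's byte order at run time, without compiler builtins. */
int host_is_big_endian(void) {
    const uint16_t probe = 0x0102;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

/* What a byte-precise model of ((char *)&myvar)[idx] should yield when the
 * 16-bit field holds `value`, for the given target byte order. This is the
 * concrete constant the thread says the analyzer could produce instead of
 * treating the element read as uninitialized. Returns -1 when idx is outside
 * the object, so a caller cannot mistake an out-of-range read for a byte. */
int modeled_byte(uint16_t value, size_t idx, int big_endian) {
    if (idx >= sizeof value)
        return -1;
    unsigned shift = big_endian ? (unsigned)(8 * (sizeof value - 1 - idx))
                                : (unsigned)(8 * idx);
    return (value >> shift) & 0xFF;
}

/* The reproducer's read, done the way the concrete program does it: view the
 * object through a character pointer (character types may alias anything). */
int actual_byte(const struct mystruct *s, size_t idx) {
    if (idx >= sizeof *s)
        return -1;
    return ((const unsigned char *)s)[idx];
}

/* Mirror of the reproducer's main(): count the nonzero bytes of the field.
 * For 0x1122 both bytes are nonzero on either byte order, so this is 2. */
int count_nonzero_bytes(unsigned short init) {
    struct mystruct myvar = { init };
    int x = 0;
    for (size_t i = 0; i < sizeof myvar; ++i)
        if (actual_byte(&myvar, i))
            x += 1;
    return x;
}

int main(void) {
    int be = host_is_big_endian();
    struct mystruct myvar = { 0x1122 };
    printf("host is %s-endian\n", be ? "big" : "little");
    for (size_t i = 0; i < sizeof myvar; ++i)
        printf("p[%zu]: modeled=0x%02x actual=0x%02x\n", i,
               modeled_byte(0x1122, i, be), actual_byte(&myvar, i));
    printf("x = %d\n", count_nonzero_bytes(0x1122));
    return 0;
}
```

On a little-endian host this prints p[0] as 0x22 and p[1] as 0x11; on a big-endian one the two are swapped, and in both cases the modeled and actual columns agree, which is the property a fix in `evalCastFromLoc` would need to preserve.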