maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
llvm-project/clang/test/Analysis/null-deref-path-notes.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

53 lines
3.0 KiB
C
Raw Normal View History

[analyzer] Track null or undef values through pointer arithmetic. Pointer arithmetic on null or undefined pointers results in null or undefined pointers. This is obvious for undefined pointers; for null pointers it follows from our incorrect-but-somehow-working approach that declares that 0 (Loc) doesn't necessarily represent a pointer of numeric address value 0, but instead it represents any pointer that will cause a valid "null pointer dereference" issue when dereferenced. For now we've been seeing through pointer arithmetic at the original dereference expression, i.e. in bugreporter::getDerefExpr(), but not during further investigation of the value's origins in bugreporter::trackNullOrUndefValue(). The patch fixes it. Differential Revision: https://reviews.llvm.org/D45071 llvm-svn: 328896
2018-03-31 03:27:42 +08:00
// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core,unix -analyzer-output=text -verify %s
[analyzer] Fix and refactor bugreporter::getDerefExpr() API. This API is used by checkers (and other entities) in order to track where does a value originate from, by jumping from an expression value of which is equal to that value to the expression from which this value has "appeared". For example, it may be an lvalue from which the rvalue was loaded, or a function call from which the dereferenced pointer was returned. The function now avoids incorrectly unwrapping implicit lvalue-to-rvalue casts, which caused crashes and incorrect intermediate diagnostic pieces. It also no longer relies on how the expression is written when guessing what it means. Fixes pr34373 and pr34731. rdar://problem/33594502 Differential Revision: https://reviews.llvm.org/D37023 llvm-svn: 314287
2017-09-27 17:33:37 +08:00
// Avoid the crash when finding the expression for tracking the origins
[analyzer] Fix an outdated comment in a test. NFC. llvm-svn: 314298
2017-09-27 18:59:06 +08:00
// of the null pointer for path notes.
[analyzer] Fix and refactor bugreporter::getDerefExpr() API. This API is used by checkers (and other entities) in order to track where does a value originate from, by jumping from an expression value of which is equal to that value to the expression from which this value has "appeared". For example, it may be an lvalue from which the rvalue was loaded, or a function call from which the dereferenced pointer was returned. The function now avoids incorrectly unwrapping implicit lvalue-to-rvalue casts, which caused crashes and incorrect intermediate diagnostic pieces. It also no longer relies on how the expression is written when guessing what it means. Fixes pr34373 and pr34731. rdar://problem/33594502 Differential Revision: https://reviews.llvm.org/D37023 llvm-svn: 314287
2017-09-27 17:33:37 +08:00
void pr34373() {
[analyzer] Match more patterns in bugreporter::getDerefExpr() API. This function can now track null pointer through simple pointer arithmetic, such as '*&*(p + 2)' => 'p' and so on, displaying intermediate diagnostic pieces for the user to understand where the null pointer is coming from. Differential Revision: https://reviews.llvm.org/D37025 llvm-svn: 314290
2017-09-27 17:50:45 +08:00
int *a = 0; // expected-note{{'a' initialized to a null pointer value}}
[analyzer] Fix and refactor bugreporter::getDerefExpr() API. This API is used by checkers (and other entities) in order to track where does a value originate from, by jumping from an expression value of which is equal to that value to the expression from which this value has "appeared". For example, it may be an lvalue from which the rvalue was loaded, or a function call from which the dereferenced pointer was returned. The function now avoids incorrectly unwrapping implicit lvalue-to-rvalue casts, which caused crashes and incorrect intermediate diagnostic pieces. It also no longer relies on how the expression is written when guessing what it means. Fixes pr34373 and pr34731. rdar://problem/33594502 Differential Revision: https://reviews.llvm.org/D37023 llvm-svn: 314287
2017-09-27 17:33:37 +08:00
(a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}}
// expected-note@-1{{Array access results in a null pointer dereference}}
}
[analyzer] Track null or undef values through pointer arithmetic. Pointer arithmetic on null or undefined pointers results in null or undefined pointers. This is obvious for undefined pointers; for null pointers it follows from our incorrect-but-somehow-working approach that declares that 0 (Loc) doesn't necessarily represent a pointer of numeric address value 0, but instead it represents any pointer that will cause a valid "null pointer dereference" issue when dereferenced. For now we've been seeing through pointer arithmetic at the original dereference expression, i.e. in bugreporter::getDerefExpr(), but not during further investigation of the value's origins in bugreporter::trackNullOrUndefValue(). The patch fixes it. Differential Revision: https://reviews.llvm.org/D45071 llvm-svn: 328896
2018-03-31 03:27:42 +08:00
typedef __typeof(sizeof(int)) size_t;
void *memcpy(void *dest, const void *src, unsigned long count);
void f1(char *source) {
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
memcpy(destination + 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f2(char *source) {
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
memcpy(destination - 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f3(char *source) {
[analyzer] Do not run visitors until the fixpoint, run only once. In the current implementation, we run visitors until the fixed point is reached. That is, if a visitor adds another visitor, the currently processed path is destroyed, all diagnostics is discarded, and it is regenerated again, until it's no longer modified. This pattern has a few negative implications: - This loop does not even guarantee to terminate. E.g. just imagine two visitors bouncing a diagnostics around. - Performance-wise, e.g. for sqlite3 all visitors are being re-run at least 10 times for some bugs. We have already seen a few reports where it leads to timeouts. - If we want to add more computationally intense visitors, this will become worse. - From architectural standpoint, the current layout requires copying visitors, which is conceptually wrong, and can be annoying (e.g. no unique_ptr on visitors allowed). The proposed change is a much simpler architecture: the outer loop processes nodes upwards, and whenever the visitor is added it only processes current nodes and above, thus guaranteeing termination. Differential Revision: https://reviews.llvm.org/D47856 llvm-svn: 335666
2018-06-27 05:12:08 +08:00
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
[analyzer] Track null or undef values through pointer arithmetic. Pointer arithmetic on null or undefined pointers results in null or undefined pointers. This is obvious for undefined pointers; for null pointers it follows from our incorrect-but-somehow-working approach that declares that 0 (Loc) doesn't necessarily represent a pointer of numeric address value 0, but instead it represents any pointer that will cause a valid "null pointer dereference" issue when dereferenced. For now we've been seeing through pointer arithmetic at the original dereference expression, i.e. in bugreporter::getDerefExpr(), but not during further investigation of the value's origins in bugreporter::trackNullOrUndefValue(). The patch fixes it. Differential Revision: https://reviews.llvm.org/D45071 llvm-svn: 328896
2018-03-31 03:27:42 +08:00
destination = destination + 0; // expected-note{{Null pointer value stored to 'destination'}}
memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f4(char *source) {
[analyzer] Do not run visitors until the fixpoint, run only once. In the current implementation, we run visitors until the fixed point is reached. That is, if a visitor adds another visitor, the currently processed path is destroyed, all diagnostics is discarded, and it is regenerated again, until it's no longer modified. This pattern has a few negative implications: - This loop does not even guarantee to terminate. E.g. just imagine two visitors bouncing a diagnostics around. - Performance-wise, e.g. for sqlite3 all visitors are being re-run at least 10 times for some bugs. We have already seen a few reports where it leads to timeouts. - If we want to add more computationally intense visitors, this will become worse. - From architectural standpoint, the current layout requires copying visitors, which is conceptually wrong, and can be annoying (e.g. no unique_ptr on visitors allowed). The proposed change is a much simpler architecture: the outer loop processes nodes upwards, and whenever the visitor is added it only processes current nodes and above, thus guaranteeing termination. Differential Revision: https://reviews.llvm.org/D47856 llvm-svn: 335666
2018-06-27 05:12:08 +08:00
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
[analyzer] Track null or undef values through pointer arithmetic. Pointer arithmetic on null or undefined pointers results in null or undefined pointers. This is obvious for undefined pointers; for null pointers it follows from our incorrect-but-somehow-working approach that declares that 0 (Loc) doesn't necessarily represent a pointer of numeric address value 0, but instead it represents any pointer that will cause a valid "null pointer dereference" issue when dereferenced. For now we've been seeing through pointer arithmetic at the original dereference expression, i.e. in bugreporter::getDerefExpr(), but not during further investigation of the value's origins in bugreporter::trackNullOrUndefValue(). The patch fixes it. Differential Revision: https://reviews.llvm.org/D45071 llvm-svn: 328896
2018-03-31 03:27:42 +08:00
destination = destination - 0; // expected-note{{Null pointer value stored to 'destination'}}
memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f5(char *source) {
char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
char *destination2 = destination1 + 0; // expected-note{{'destination2' initialized to a null pointer value}}
memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f6(char *source) {
char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
char *destination2 = destination1 - 0; // expected-note{{'destination2' initialized to a null pointer value}}
memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}