maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

[analyzer] Track null or undef values through pointer arithmetic. 

Pointer arithmetic on null or undefined pointers results in null or undefined
pointers. This is obvious for undefined pointers; for null pointers it follows
from our incorrect-but-somehow-working approach that declares that 0 (Loc)
doesn't necessarily represent a pointer of numeric address value 0, but instead
it represents any pointer that will cause a valid "null pointer dereference"
issue when dereferenced.

For now we've been seeing through pointer arithmetic at the original dereference
expression, i.e. in bugreporter::getDerefExpr(), but not during further
investigation of the value's origins in bugreporter::trackNullOrUndefValue().
The patch fixes it.

Differential Revision: https://reviews.llvm.org/D45071

llvm-svn: 328896
This commit is contained in:
Artem Dergachev 2018-03-30 19:27:42 +00:00
parent 6a5cd5e1ca
commit 95f9a68b1f
3 changed files with 63 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
View File

@ -75,6 +75,17 @@ bool bugreporter::isDeclRefExprToReference(const Expr *E) {
return false;
}
static const Expr *peelOffPointerArithmetic(const BinaryOperator *B) {
if (B->isAdditiveOp() && B->getType()->isPointerType()) {
if (B->getLHS()->getType()->isPointerType()) {
return B->getLHS();
} else if (B->getRHS()->getType()->isPointerType()) {
return B->getRHS();
}
}
return nullptr;
}
/// Given that expression S represents a pointer that would be dereferenced,
/// try to find a sub-expression from which the pointer came from.
/// This is used for tracking down origins of a null or undefined value:
@ -101,14 +112,8 @@ const Expr *bugreporter::getDerefExpr(const Stmt *S) {
E = CE->getSubExpr();
} else if (const auto *B = dyn_cast<BinaryOperator>(E)) {
// Pointer arithmetic: '*(x + 2)' -> 'x') etc.
if (B->getType()->isPointerType()) {
if (B->getLHS()->getType()->isPointerType()) {
E = B->getLHS();
} else if (B->getRHS()->getType()->isPointerType()) {
E = B->getRHS();
} else {
break;
}
if (const Expr *Inner = peelOffPointerArithmetic(B)) {
E = Inner;
} else {
// Probably more arithmetic can be pattern-matched here,
// but for now give up.
@ -1412,6 +1417,11 @@ static const Expr *peelOffOuterExpr(const Expr *Ex,
NI = NI->getFirstPred();
} while (NI);
}
if (auto *BO = dyn_cast<BinaryOperator>(Ex))
if (const Expr *SubEx = peelOffPointerArithmetic(BO))
return peelOffOuterExpr(SubEx, N);
return Ex;
}

3
clang/test/Analysis/inlining/inline-defensive-checks.c
View File

@ -159,8 +159,7 @@ void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset1(struct S *s) {
void idcTrackZeroValueThroughUnaryPointerOperatorsWithOffset2(struct S *s) {
idc(s);
int *x = &(s->f2) - 1;
// FIXME: Should not warn.
*x = 7; // expected-warning{{Dereference of null pointer}}
*x = 7; // no-warning
}
void idcTrackZeroValueThroughUnaryPointerOperatorsWithAssignment(struct S *s) {

45
clang/test/Analysis/null-deref-path-notes.c
View File

@ -1,4 +1,4 @@
// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core -analyzer-output=text -verify %s
// RUN: %clang_analyze_cc1 -w -x c -analyzer-checker=core,unix -analyzer-output=text -verify %s
// Avoid the crash when finding the expression for tracking the origins
// of the null pointer for path notes.
@ -7,3 +7,46 @@ void pr34373() {
(a + 0)[0]; // expected-warning{{Array access results in a null pointer dereference}}
// expected-note@-1{{Array access results in a null pointer dereference}}
}
typedef __typeof(sizeof(int)) size_t;
void *memcpy(void *dest, const void *src, unsigned long count);
void f1(char *source) {
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
memcpy(destination + 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f2(char *source) {
char *destination = 0; // expected-note{{'destination' initialized to a null pointer value}}
memcpy(destination - 0, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f3(char *source) {
char *destination = 0; // FIXME: There should be a note here as well.
destination = destination + 0; // expected-note{{Null pointer value stored to 'destination'}}
memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f4(char *source) {
char *destination = 0; // FIXME: There should be a note here as well.
destination = destination - 0; // expected-note{{Null pointer value stored to 'destination'}}
memcpy(destination, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f5(char *source) {
char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
char *destination2 = destination1 + 0; // expected-note{{'destination2' initialized to a null pointer value}}
memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}
void f6(char *source) {
char *destination1 = 0; // expected-note{{'destination1' initialized to a null pointer value}}
char *destination2 = destination1 - 0; // expected-note{{'destination2' initialized to a null pointer value}}
memcpy(destination2, source, 10); // expected-warning{{Null pointer argument in call to memory copy function}}
// expected-note@-1{{Null pointer argument in call to memory copy function}}
}