maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

[analyzer] Fix null pointer deref in CastValueChecker 

A crash was seen in CastValueChecker due to a null pointer dereference.

The fix uses QualType::getAsString to avoid the null dereference
when a CXXRecordDecl cannot be obtained. A small reproducer is added,
and cast value notes LITs are updated for the new debug messages.

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D127105
This commit is contained in:
Vince Bridgers 2022-06-06 08:23:08 -04:00 committed by einvbri
parent 82040d414b
commit c7fa4e8a8b
3 changed files with 52 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
View File

@ -108,7 +108,7 @@ static const NoteTag *getNoteTag(CheckerContext &C,
bool CastSucceeds, bool IsKnownCast) { bool CastSucceeds, bool IsKnownCast) {
std::string CastToName = std::string CastToName =
CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString() CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
: CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); : CastToTy.getAsString();
Object = Object->IgnoreParenImpCasts(); Object = Object->IgnoreParenImpCasts();
return C.getNoteTag( return C.getNoteTag(
@ -163,9 +163,9 @@ static const NoteTag *getNoteTag(CheckerContext &C,
bool First = true; bool First = true;
for (QualType CastToTy: CastToTyVec) { for (QualType CastToTy: CastToTyVec) {
std::string CastToName = std::string CastToName =
CastToTy->getAsCXXRecordDecl() ? CastToTy->getAsCXXRecordDecl()
CastToTy->getAsCXXRecordDecl()->getNameAsString() : ? CastToTy->getAsCXXRecordDecl()->getNameAsString()
CastToTy->getPointeeCXXRecordDecl()->getNameAsString(); : CastToTy.getAsString();
Out << ' ' << ((CastToTyVec.size() == 1) ? "not" : Out << ' ' << ((CastToTyVec.size() == 1) ? "not" :
(First ? "neither" : "nor")) << " a '" << CastToName (First ? "neither" : "nor")) << " a '" << CastToName
<< '\''; << '\'';

63
clang/test/Analysis/cast-value-notes.cpp
View File

@ -73,7 +73,7 @@ void clang_analyzer_printState();
#if defined(X86) #if defined(X86)
void evalReferences(const Shape &S) { void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S); const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
clang_analyzer_printState(); clang_analyzer_printState();
@ -93,7 +93,7 @@ void evalReferences_addrspace(const Shape &S) {
#if defined(NOT_SUPPRESSED) #if defined(NOT_SUPPRESSED)
void evalReferences_addrspace(const Shape &S) { void evalReferences_addrspace(const Shape &S) {
const auto &C = dyn_cast<DEVICE Circle>(S); const auto &C = dyn_cast<DEVICE Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const __attribute__((address_space(3))) class clang::Circle &'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
clang_analyzer_printState(); clang_analyzer_printState();
@ -105,7 +105,7 @@ void evalReferences_addrspace(const Shape &S) {
#elif defined(MIPS) #elif defined(MIPS)
void evalReferences(const Shape &S) { void evalReferences(const Shape &S) {
const auto &C = dyn_cast<Circle>(S); const auto &C = dyn_cast<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}}
// expected-note@-2 {{Dereference of null pointer}} // expected-note@-2 {{Dereference of null pointer}}
// expected-warning@-3 {{Dereference of null pointer}} // expected-warning@-3 {{Dereference of null pointer}}
} }
@ -122,25 +122,25 @@ void evalNonNullParamNonNullReturnReference(const Shape &S) {
// expected-note@-1 {{'C' initialized here}} // expected-note@-1 {{'C' initialized here}}
if (!dyn_cast_or_null<Circle>(C)) { if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Triangle>(C)) { if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Rectangle>(C)) { if (dyn_cast_or_null<Rectangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Hexagon>(C)) { if (dyn_cast_or_null<Hexagon>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
@ -176,29 +176,29 @@ void evalNonNullParamNonNullReturnReference(const Shape &S) {
void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = cast<Circle>(S); const auto *C = cast<Circle>(S);
// expected-note@-1 {{'S' is a 'Circle'}} // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
if (!dyn_cast_or_null<Circle>(C)) { if (!dyn_cast_or_null<Circle>(C)) {
// expected-note@-1 {{'C' is a 'Circle'}} // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Triangle>(C)) { if (dyn_cast_or_null<Triangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Triangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Rectangle>(C)) { if (dyn_cast_or_null<Rectangle>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
if (dyn_cast_or_null<Hexagon>(C)) { if (dyn_cast_or_null<Hexagon>(C)) {
// expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}} // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
@ -234,10 +234,10 @@ void evalNonNullParamNonNullReturn(const Shape *S) {
void evalNonNullParamNullReturn(const Shape *S) { void evalNonNullParamNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
if (const auto *T = dyn_cast_or_null<Triangle>(S)) { if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}} // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
// expected-note@-2 {{'T' initialized here}} // expected-note@-2 {{'T' initialized here}}
// expected-note@-3 {{'T' is non-null}} // expected-note@-3 {{'T' is non-null}}
// expected-note@-4 {{Taking true branch}} // expected-note@-4 {{Taking true branch}}
@ -261,7 +261,7 @@ void evalNullParamNullReturn(const Shape *S) {
void evalZeroParamNonNullReturnPointer(const Shape *S) { void evalZeroParamNonNullReturnPointer(const Shape *S) {
const auto *C = S->castAs<Circle>(); const auto *C = S->castAs<Circle>();
// expected-note@-1 {{'S' is a 'Circle'}} // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
(void)(1 / !C); (void)(1 / !C);
@ -282,12 +282,12 @@ void evalZeroParamNonNullReturn(const Shape &S) {
void evalZeroParamNullReturn(const Shape *S) { void evalZeroParamNullReturn(const Shape *S) {
const auto &C = S->getAs<Circle>(); const auto &C = S->getAs<Circle>();
// expected-note@-1 {{Assuming 'S' is not a 'Circle'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
// expected-note@-2 {{Storing null pointer value}} // expected-note@-2 {{Storing null pointer value}}
// expected-note@-3 {{'C' initialized here}} // expected-note@-3 {{'C' initialized here}}
if (!dyn_cast_or_null<Triangle>(S)) { if (!dyn_cast_or_null<Triangle>(S)) {
// expected-note@-1 {{Assuming 'S' is a 'Triangle'}} // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
@ -302,3 +302,32 @@ void evalZeroParamNullReturn(const Shape *S) {
// expected-note@-1 {{Division by zero}} // expected-note@-1 {{Division by zero}}
// expected-warning@-2 {{Division by zero}} // expected-warning@-2 {{Division by zero}}
} }
// don't crash
// CastValueChecker was using QualType()->getPointeeCXXRecordDecl(), in
// getNoteTag which evaluated to nullptr, then crashed when attempting to
// deref an invocation to getNameAsString(). The fix is to use
// QualType().getAsString().
//
// Example:
// std::string CastToName =
// CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
// : CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
// Changed to:
// std::string CastToName =
// CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
// : CastToTy.getAsString();
namespace llvm {
template <typename, typename a> void isa(a &);
template <typename> class PointerUnion {
public:
template <typename T> T *getAs() {
(void)isa<int>(*this);
return nullptr;
}
};
class LLVMContext {
PointerUnion<LLVMContext> c;
void d() { c.getAs<int>(); }
};
} // namespace llvm

4
clang/test/Analysis/cast-value-state-dump.cpp
View File

@ -18,12 +18,12 @@ using namespace clang;
void evalNonNullParamNonNullReturn(const Shape *S) { void evalNonNullParamNonNullReturn(const Shape *S) {
const auto *C = dyn_cast_or_null<Circle>(S); const auto *C = dyn_cast_or_null<Circle>(S);
// expected-note@-1 {{Assuming 'S' is a 'Circle'}} // expected-note@-1 {{Assuming 'S' is a 'const class clang::Circle *'}}
// expected-note@-2 {{'C' initialized here}} // expected-note@-2 {{'C' initialized here}}
// FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'. // FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'.
if (dyn_cast_or_null<Square>(S)) { if (dyn_cast_or_null<Square>(S)) {
// expected-note@-1 {{Assuming 'S' is not a 'Square'}} // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Square *'}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }