Author: dergachev Date: Mon Dec 11 18:27:55 2017 New Revision: 320451 URL: http://llvm.org/viewvc/llvm-project?rev=320451&view=rev Log: [analyzer] In getSVal() API, disable auto-detection of void type as char type.
This is a follow-up from r314910. When a checker developer attempts to dereference a location in memory through ProgramState::getSVal(Loc) or ProgramState::getSVal(const MemRegion *), without specifying the second optional QualType parameter for the type of the value he tries to find at this location, the type is auto-detected from location type. If the location represents a value beyond a void pointer, we thought that auto-detecting the type as 'char' is a good idea. However, in most practical cases, the correct behavior would be to specify the type explicitly, as it is available from other sources, and the few cases where we actually need to take a 'char' are workarounds rather than an intended behavior. Therefore, try to fail with an easy-to-understand assertion when asked to read from a void pointer location. Differential Revision: https://reviews.llvm.org/D38801 Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp Modified: cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h?rev=320451&r1=320450&r2=320451&view=diff ============================================================================== --- cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h (original) +++ cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h Mon Dec 11 18:27:55 2017 @@ -308,8 +308,12 @@ public: /// \brief Return the value bound to the specified location. /// Returns UnknownVal() if none found. - SVal getSVal(const MemRegion* R) const; + SVal getSVal(const MemRegion* R, QualType T = QualType()) const; + /// \brief Return the value bound to the specified location, assuming + /// that the value is a scalar integer or an enumeration or a pointer. + /// Returns UnknownVal() if none found or the region is not known to hold + /// a value of such type. SVal getSValAsScalarOrLoc(const MemRegion *R) const; /// \brief Visits the symbols reachable from the given SVal using the provided @@ -758,9 +762,10 @@ inline SVal ProgramState::getRawSVal(Loc return getStateManager().StoreMgr->getBinding(getStore(), LV, T); } -inline SVal ProgramState::getSVal(const MemRegion* R) const { +inline SVal ProgramState::getSVal(const MemRegion* R, QualType T) const { return getStateManager().StoreMgr->getBinding(getStore(), - loc::MemRegionVal(R)); + loc::MemRegionVal(R), + T); } inline BasicValueFactory &ProgramState::getBasicVals() const { Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp?rev=320451&r1=320450&r2=320451&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp Mon Dec 11 18:27:55 2017 @@ -179,7 +179,7 @@ bool CallAndMessageChecker::uninitRefOrP if (const MemRegion *SValMemRegion = V.getAsRegion()) { const ProgramStateRef State = C.getState(); - const SVal PSV = State->getSVal(SValMemRegion); + const SVal PSV = State->getSVal(SValMemRegion, C.getASTContext().CharTy); if (PSV.isUndef()) { if (ExplodedNode *N = C.generateErrorNode()) { LazyInit_BT(BD, BT); Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp?rev=320451&r1=320450&r2=320451&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp Mon Dec 11 18:27:55 2017 @@ -466,7 +466,7 @@ bool GenericTaintChecker::checkPre(const } Optional<SVal> GenericTaintChecker::getPointedToSVal(CheckerContext &C, - const Expr* Arg) { + const Expr *Arg) { ProgramStateRef State = C.getState(); SVal AddrVal = State->getSVal(Arg->IgnoreParens(), C.getLocationContext()); if (AddrVal.isUnknownOrUndef()) @@ -476,9 +476,18 @@ Optional<SVal> GenericTaintChecker::getP if (!AddrLoc) return None; - const PointerType *ArgTy = - dyn_cast<PointerType>(Arg->getType().getCanonicalType().getTypePtr()); - return State->getSVal(*AddrLoc, ArgTy ? ArgTy->getPointeeType(): QualType()); + QualType ArgTy = Arg->getType().getCanonicalType(); + if (!ArgTy->isPointerType()) + return None; + + QualType ValTy = ArgTy->getPointeeType(); + + // Do not dereference void pointers. Treat them as byte pointers instead. + // FIXME: we might want to consider more than just the first byte. + if (ValTy->isVoidType()) + ValTy = C.getASTContext().CharTy; + + return State->getSVal(*AddrLoc, ValTy); } ProgramStateRef Modified: cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp?rev=320451&r1=320450&r2=320451&view=diff ============================================================================== --- cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp (original) +++ cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp Mon Dec 11 18:27:55 2017 @@ -1405,10 +1405,7 @@ SVal RegionStoreManager::getBinding(Regi T = Ctx.VoidTy; } assert(!T.isNull() && "Unable to auto-detect binding type!"); - if (T->isVoidType()) { - // When trying to dereference a void pointer, read the first byte. - T = Ctx.CharTy; - } + assert(!T->isVoidType() && "Attempting to dereference a void pointer!"); MR = GetElementZeroRegion(cast<SubRegion>(MR), T); } _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
