[analyzer] Fix crashing __builtin_bit_cast #139188
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, CSA did not handle __builtin_bit_cast correctly. It evaluated the LvalueToRvalue conversion for the casting expression, but did not actually convert the value of the expression to be of the destination type. This commit fixes the problem. rdar://149987320
ziqingluo-90
requested review from
Xazax-hun,
haoNoQ,
malavikasamak,
steakhal,
t-rasmud,
NagyDonat and
isuckatcs
llvmbot
added
clang
|
@llvm/pr-subscribers-clang @llvm/pr-subscribers-clang-static-analyzer-1 Author: Ziqing Luo (ziqingluo-90) ChangesI am investigating a CSA crash: https://godbolt.org/z/fEExYqoWM. If one changes the Looking at the piece of code below, it seems that CSA handles The I'm trying to add the missing part. Full diff: https://github.com/llvm/llvm-project/pull/139188.diff 3 Files Affected:
diff --git a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
index 3d0a69a515ab8..f2f640f459776 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -287,10 +287,34 @@ void ExprEngine::VisitCast(const CastExpr *CastE, const Expr *Ex,
if (CastE->getCastKind() == CK_LValueToRValue ||
CastE->getCastKind() == CK_LValueToRValueBitCast) {
+ ExplodedNodeSet dstEvalLoad;
+
for (ExplodedNode *subExprNode : dstPreStmt) {
ProgramStateRef state = subExprNode->getState();
const LocationContext *LCtx = subExprNode->getLocationContext();
- evalLoad(Dst, CastE, CastE, subExprNode, state, state->getSVal(Ex, LCtx));
+ evalLoad(dstEvalLoad, CastE, CastE, subExprNode, state,
+ state->getSVal(Ex, LCtx));
+ }
+ if (CastE->getCastKind() == CK_LValueToRValue) {
+ Dst.insert(dstEvalLoad);
+ return;
+ }
+ assert(CastE->getCastKind() == CK_LValueToRValueBitCast &&
+ "unexpected cast kind");
+ // Need to simulate the actual cast operation:
+ StmtNodeBuilder Bldr(dstEvalLoad, Dst, *currBldrCtx);
+
+ for (ExplodedNode *Node : dstEvalLoad) {
+ ProgramStateRef state = Node->getState();
+ const LocationContext *LCtx = Node->getLocationContext();
+ // getAsRegion should always be successful since Ex is an lvalue:
+ SVal OrigV = state->getSVal(state->getSVal(Ex, LCtx).getAsRegion());
+ SVal CastedV =
+ svalBuilder.evalCast(svalBuilder.simplifySVal(state, OrigV),
+ CastE->getType(), Ex->getType());
+
+ state = state->BindExpr(CastE, LCtx, CastedV);
+ Bldr.generateNode(CastE, Node, state);
}
return;
}
diff --git a/clang/test/Analysis/builtin_bitcast.cpp b/clang/test/Analysis/builtin_bitcast.cpp
index 5a0d9e7189b8e..9309ca7785a92 100644
--- a/clang/test/Analysis/builtin_bitcast.cpp
+++ b/clang/test/Analysis/builtin_bitcast.cpp
@@ -39,7 +39,7 @@ struct A {
}
};
void gh_69922(size_t p) {
- // expected-warning-re@+1 {{(reg_${{[0-9]+}}<size_t p>) & 1U}}
+ // expected-warning@+1 {{Unknown}}
clang_analyzer_dump(__builtin_bit_cast(A*, p & 1));
__builtin_bit_cast(A*, p & 1)->set(2); // no-crash
@@ -49,5 +49,15 @@ void gh_69922(size_t p) {
// store to the member variable `n`.
clang_analyzer_dump(__builtin_bit_cast(A*, p & 1)->n); // Ideally, this should print "2".
- // expected-warning-re@-1 {{(reg_${{[0-9]+}}<size_t p>) & 1U}}
+ // expected-warning@-1 {{Unknown}}
+}
+
+namespace {
+ typedef unsigned long uintptr_t;
+
+ bool previously_crash(const void *& ptr) {
+ clang_analyzer_dump(__builtin_bit_cast(void*, static_cast<uintptr_t>(-1)));
+ // expected-warning-re@-1 {{{{[0-9]+}} (Loc)}}
+ return ptr == __builtin_bit_cast(void*, static_cast<uintptr_t>(-1));
+ }
}
diff --git a/clang/test/Analysis/exercise-ps.c b/clang/test/Analysis/exercise-ps.c
index 50643d5b04687..21d97a364e190 100644
--- a/clang/test/Analysis/exercise-ps.c
+++ b/clang/test/Analysis/exercise-ps.c
@@ -41,7 +41,7 @@ void f4(char *array) {
_Static_assert(sizeof(int) == 4, "Wrong triple for the test");
- clang_analyzer_dump_int(__builtin_bit_cast(int, b)); // expected-warning {{lazyCompoundVal}}
+ clang_analyzer_dump_int(__builtin_bit_cast(int, b)); // expected-warning {{Unknown}}
clang_analyzer_dump_int(array[__builtin_bit_cast(int, b)]); // expected-warning {{Unknown}}
array[__builtin_bit_cast(int, b)] = 0x10; // no crash
|
…rgument instead of evalLoad.
NagyDonat
reviewed
May 9, 2025
There was a problem hiding this comment.
Overall LGTM, thanks for fixing this crash!
I dropped one (somewhat paranoid) inline question.
Moreover, I would suggest following the coding standard and use UpperCamelCase for the variables that are freshly introduced (and perhaps also for the variables that were already existing, if you touch most references to them and could easily rename them). Unfortunately we cannot "jump to" this naming standard by globally renaming many variables (because that would heavily pollute the git history), but I think we should gradually transition by following the standard in new variables and perhaps renaming the variables in the code that we touch. (As a personal preference, I consistently update the variable names when I edit some code, but objectively it's also OK to keep the old names to preserve consistency with adjacent existing code.)
steakhal
reviewed
May 9, 2025
|
Thanks for reviewing! |
steakhal
changed the title
__builtin_bit_cast
|
LLVM Buildbot has detected a new failure on builder Full details are available at: https://lab.llvm.org/buildbot/#/builders/11/builds/15055 Here is the relevant piece of the build log for the reference |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I am investigating a CSA crash: https://godbolt.org/z/fEExYqoWM. If one changes the
__builtin_bit_castto a C-style cast, the test will be fine. So the problem is specific to__builtin_bit_cast.Looking at the piece of code below, it seems that CSA handles
__builtin_bit_castjust as anLValueToRValuecast. The actual operation of cast-to-target-type is missing.The
BuiltinBitCastExprnode always have the kindLValueToRValueBitCast. I suppose it is just associated to the second argument of a__builtin_bit_castcall.I'm trying to add the missing part.
Fixes #137417