[PATCH] D127105: [analyzer] Fix null pointer deref in CastValueChecker

Phabricator via cfe-commits Tue, 07 Jun 2022 10:35:27 -0700

This revision was automatically updated to reflect the committed changes.
Closed by commit rGc7fa4e8a8bc4: [analyzer] Fix null pointer deref in 
CastValueChecker (authored by vabridgers, committed by einvbri 
&lt;vince.a.bridg...@ericsson.com&gt;).


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D127105/new/

https://reviews.llvm.org/D127105

Files:
  clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
  clang/test/Analysis/cast-value-notes.cpp
  clang/test/Analysis/cast-value-state-dump.cpp

Index: clang/test/Analysis/cast-value-state-dump.cpp
===================================================================
--- clang/test/Analysis/cast-value-state-dump.cpp
+++ clang/test/Analysis/cast-value-state-dump.cpp
@@ -18,12 +18,12 @@
 
 void evalNonNullParamNonNullReturn(const Shape *S) {
   const auto *C = dyn_cast_or_null<Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is a 'const class clang::Circle *'}}
   // expected-note@-2 {{'C' initialized here}}
 
   // FIXME: We assumed that 'S' is a 'Circle' therefore it is not a 'Square'.
   if (dyn_cast_or_null<Square>(S)) {
-    // expected-note@-1 {{Assuming 'S' is not a 'Square'}}
+    // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Square *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
Index: clang/test/Analysis/cast-value-notes.cpp
===================================================================
--- clang/test/Analysis/cast-value-notes.cpp
+++ clang/test/Analysis/cast-value-notes.cpp
@@ -73,7 +73,7 @@
 #if defined(X86)
 void evalReferences(const Shape &S) {
   const auto &C = dyn_cast<Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}}
   // expected-note@-2 {{Dereference of null pointer}}
   // expected-warning@-3 {{Dereference of null pointer}}
   clang_analyzer_printState();
@@ -93,7 +93,7 @@
 #if defined(NOT_SUPPRESSED)
 void evalReferences_addrspace(const Shape &S) {
   const auto &C = dyn_cast<DEVICE Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const __attribute__((address_space(3))) class clang::Circle &'}}
   // expected-note@-2 {{Dereference of null pointer}}
   // expected-warning@-3 {{Dereference of null pointer}}
   clang_analyzer_printState();
@@ -105,7 +105,7 @@
 #elif defined(MIPS)
 void evalReferences(const Shape &S) {
   const auto &C = dyn_cast<Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle &'}}
   // expected-note@-2 {{Dereference of null pointer}}
   // expected-warning@-3 {{Dereference of null pointer}}
 }
@@ -122,25 +122,25 @@
   // expected-note@-1 {{'C' initialized here}}
 
   if (!dyn_cast_or_null<Circle>(C)) {
-    // expected-note@-1 {{'C' is a 'Circle'}}
+    // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Triangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Rectangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Hexagon>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
@@ -176,29 +176,29 @@
 
 void evalNonNullParamNonNullReturn(const Shape *S) {
   const auto *C = cast<Circle>(S);
-  // expected-note@-1 {{'S' is a 'Circle'}}
+  // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
   // expected-note@-2 {{'C' initialized here}}
 
   if (!dyn_cast_or_null<Circle>(C)) {
-    // expected-note@-1 {{'C' is a 'Circle'}}
+    // expected-note@-1 {{Assuming 'C' is a 'const class clang::Circle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Triangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Triangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Rectangle>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Rectangle'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Rectangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
 
   if (dyn_cast_or_null<Hexagon>(C)) {
-    // expected-note@-1 {{Assuming 'C' is not a 'Hexagon'}}
+    // expected-note@-1 {{Assuming 'C' is not a 'const class clang::Hexagon *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
@@ -234,10 +234,10 @@
 
 void evalNonNullParamNullReturn(const Shape *S) {
   const auto *C = dyn_cast_or_null<Circle>(S);
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
 
   if (const auto *T = dyn_cast_or_null<Triangle>(S)) {
-    // expected-note@-1 {{Assuming 'S' is a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
     // expected-note@-2 {{'T' initialized here}}
     // expected-note@-3 {{'T' is non-null}}
     // expected-note@-4 {{Taking true branch}}
@@ -261,7 +261,7 @@
 
 void evalZeroParamNonNullReturnPointer(const Shape *S) {
   const auto *C = S->castAs<Circle>();
-  // expected-note@-1 {{'S' is a 'Circle'}}
+  // expected-note@-1 {{'S' is a 'const class clang::Circle *'}}
   // expected-note@-2 {{'C' initialized here}}
 
   (void)(1 / !C);
@@ -282,12 +282,12 @@
 
 void evalZeroParamNullReturn(const Shape *S) {
   const auto &C = S->getAs<Circle>();
-  // expected-note@-1 {{Assuming 'S' is not a 'Circle'}}
+  // expected-note@-1 {{Assuming 'S' is not a 'const class clang::Circle *'}}
   // expected-note@-2 {{Storing null pointer value}}
   // expected-note@-3 {{'C' initialized here}}
 
   if (!dyn_cast_or_null<Triangle>(S)) {
-    // expected-note@-1 {{Assuming 'S' is a 'Triangle'}}
+    // expected-note@-1 {{Assuming 'S' is a 'const class clang::Triangle *'}}
     // expected-note@-2 {{Taking false branch}}
     return;
   }
@@ -302,3 +302,32 @@
   // expected-note@-1 {{Division by zero}}
   // expected-warning@-2 {{Division by zero}}
 }
+
+// don't crash
+// CastValueChecker was using QualType()->getPointeeCXXRecordDecl(), in
+// getNoteTag which evaluated to nullptr, then crashed when attempting to
+// deref an invocation to getNameAsString(). The fix is to use
+// QualType().getAsString().
+//
+// Example:
+// std::string CastToName =
+//       CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
+//                : CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
+// Changed to:
+// std::string CastToName =
+//       CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
+//                : CastToTy.getAsString();
+namespace llvm {
+template <typename, typename a> void isa(a &);
+template <typename> class PointerUnion {
+public:
+  template <typename T> T *getAs() {
+    (void)isa<int>(*this);
+    return nullptr;
+  }
+};
+class LLVMContext {
+  PointerUnion<LLVMContext> c;
+  void d() { c.getAs<int>(); }
+};
+} // namespace llvm
Index: clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
===================================================================
--- clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
+++ clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp
@@ -108,7 +108,7 @@
                                  bool CastSucceeds, bool IsKnownCast) {
   std::string CastToName =
       CastInfo ? CastInfo->to()->getAsCXXRecordDecl()->getNameAsString()
-               : CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
+               : CastToTy.getAsString();
   Object = Object->IgnoreParenImpCasts();
 
   return C.getNoteTag(
@@ -163,9 +163,9 @@
         bool First = true;
         for (QualType CastToTy: CastToTyVec) {
           std::string CastToName =
-            CastToTy->getAsCXXRecordDecl() ?
-            CastToTy->getAsCXXRecordDecl()->getNameAsString() :
-            CastToTy->getPointeeCXXRecordDecl()->getNameAsString();
+              CastToTy->getAsCXXRecordDecl()
+                  ? CastToTy->getAsCXXRecordDecl()->getNameAsString()
+                  : CastToTy.getAsString();
           Out << ' ' << ((CastToTyVec.size() == 1) ? "not" :
                          (First ? "neither" : "nor")) << " a '" << CastToName
               << '\'';

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D127105: [analyzer] Fix null pointer deref in CastValueChecker

Reply via email to