[analyzer] Fix StdLibraryFunctionsChecker crash on surprising sink node #66109
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
llvmbot
added
clang
|
@llvm/pr-subscribers-clang ChangesRecent changes in StdLibraryFunctionsChecker introduced a situation where the checker sequentially performed two state transitions to add two separate note tags. In the unlikely case when the updated state (the variable However, in this particular case the checker tried to directly add a second node, and this triggered an assertion in the This commit introduces an explicit This crash was observed in an analysis of the curl project (in a very long and complex function), and there I validated that this is the root cause, but I don't have a self-contained testcase that can trigger the creation of a PosteriorlyOverconstrained node in this situation.Full diff: https://github.com/llvm/llvm-project/pull/66109.diff 1 Files Affected:
diff --git a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
index f5f6e3a91237686..d3a41dd9aff2891 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -1387,8 +1387,8 @@ void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
if (!NewState)
continue;
- // It is possible that NewState == State is true.
- // It can occur if another checker has applied the state before us.
+ // Here it's possible that NewState == State, e.g. when other checkers
+ // already applied the same constraints (or stricter ones).
// Still add these note tags, the other checker should add only its
// specialized note tags. These general note tags are handled always by
// StdLibraryFunctionsChecker.
@@ -1427,8 +1427,13 @@ void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
});
Pred = C.addTransition(NewState, Pred, Tag);
}
- if (!Pred)
+ if (!Pred || Pred->isSink()) {
+ // Pred may be:
+ // - a nullpointer, when the generated node is not new;
+ // - a sink, when NewState is posteriorly overconstrained.
+ // In these situations we cannot add the errno note tag.
continue;
+ }
}
// If we can get a note tag for the errno change, add this additionally to
|
|
@llvm/pr-subscribers-clang-static-analyzer-1 ChangesRecent changes in StdLibraryFunctionsChecker introduced a situation where the checker sequentially performed two state transitions to add two separate note tags. In the unlikely case when the updated state (the variable However, in this particular case the checker tried to directly add a second node, and this triggered an assertion in the This commit introduces an explicit This crash was observed in an analysis of the curl project (in a very long and complex function), and there I validated that this is the root cause, but I don't have a self-contained testcase that can trigger the creation of a PosteriorlyOverconstrained node in this situation.Full diff: https://github.com/llvm/llvm-project/pull/66109.diff 1 Files Affected:
diff --git a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
index f5f6e3a91237686..d3a41dd9aff2891 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -1387,8 +1387,8 @@ void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
if (!NewState)
continue;
- // It is possible that NewState == State is true.
- // It can occur if another checker has applied the state before us.
+ // Here it's possible that NewState == State, e.g. when other checkers
+ // already applied the same constraints (or stricter ones).
// Still add these note tags, the other checker should add only its
// specialized note tags. These general note tags are handled always by
// StdLibraryFunctionsChecker.
@@ -1427,8 +1427,13 @@ void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
});
Pred = C.addTransition(NewState, Pred, Tag);
}
- if (!Pred)
+ if (!Pred || Pred->isSink()) {
+ // Pred may be:
+ // - a nullpointer, when the generated node is not new;
+ // - a sink, when NewState is posteriorly overconstrained.
+ // In these situations we cannot add the errno note tag.
continue;
+ }
}
// If we can get a note tag for the errno change, add this additionally to
|
balazske
reviewed
Sep 13, 2023
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
Outdated
Show resolved
Hide resolved
Recent changes in StdLibraryFunctionsChecker introduced a situation where the checker sequentially performed two state transitions to add two separate note tags. In the unlikely case when the updated state (the variable `NewState`) was posteriorly overconstrained, the engine marked the node after the first state transition as a sink to stop the "natural" graph exploration after that point. However, in this particular case the checker tried to directly add a second node, and this triggered an assertion in the `addPredecessor()` method of `ExplodedNode`. This commit introduces an explicit `isSink()` check to avoid this crash. To avoid similar bugs in the future, perhaps it would be possible to tweak `addTransition()` and ensure that it returns `nullptr` when it would return a sink node (to unify the two possible error conditions). This crash was observed in an analysis of the curl project (in a very long and complex function), and there I validated that this is the root cause, but I don't have a self-contained testcase that can trigger the creation of a PosteriorlyOverconstrained node in this situation.
NagyDonat
force-pushed
the
StdCLibraryFunctions_fix_overconstrained_crash
branch
from
48deb9b to
b5c4590
Compare
steakhal
approved these changes
Sep 13, 2023
kstoimenov
pushed a commit
to kstoimenov/llvm-project
that referenced
this pull request
Sep 14, 2023
…de (llvm#66109) Recent changes in StdLibraryFunctionsChecker introduced a situation where the checker sequentially performed two state transitions to add two separate note tags. In the unlikely case when the updated state (the variable `NewState`) was posteriorly overconstrained, the engine marked the node after the first state transition as a sink to stop the "natural" graph exploration after that point. However, in this particular case the checker tried to directly add a second node, and this triggered an assertion in the `addPredecessor()` method of `ExplodedNode`. This commit introduces an explicit `isSink()` check to avoid this crash. To avoid similar bugs in the future, perhaps it would be possible to tweak `addTransition()` and ensure that it returns `nullptr` when it would return a sink node (to unify the two possible error conditions). This crash was observed in an analysis of the curl project (in a very long and complex function), and there I validated that this is the root cause, but I don't have a self-contained testcase that can trigger the creation of a PosteriorlyOverconstrained node in this situation.
This was referenced Sep 14, 2023
ZijunZhaoCCK
pushed a commit
to ZijunZhaoCCK/llvm-project
that referenced
this pull request
Sep 19, 2023
…de (llvm#66109) Recent changes in StdLibraryFunctionsChecker introduced a situation where the checker sequentially performed two state transitions to add two separate note tags. In the unlikely case when the updated state (the variable `NewState`) was posteriorly overconstrained, the engine marked the node after the first state transition as a sink to stop the "natural" graph exploration after that point. However, in this particular case the checker tried to directly add a second node, and this triggered an assertion in the `addPredecessor()` method of `ExplodedNode`. This commit introduces an explicit `isSink()` check to avoid this crash. To avoid similar bugs in the future, perhaps it would be possible to tweak `addTransition()` and ensure that it returns `nullptr` when it would return a sink node (to unify the two possible error conditions). This crash was observed in an analysis of the curl project (in a very long and complex function), and there I validated that this is the root cause, but I don't have a self-contained testcase that can trigger the creation of a PosteriorlyOverconstrained node in this situation.
Guzhu-AMD
pushed a commit
to GPUOpen-Drivers/llvm-project
that referenced
this pull request
Sep 21, 2023
Local branch amd-gfx 737eb03 Merged main:602e47c5f9fd into amd-gfx:f337c8eadcf3 Remote branch main 0b2778d [analyzer] Fix StdLibraryFunctionsChecker crash on surprising sink node (llvm#66109)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Recent changes in StdLibraryFunctionsChecker introduced a situation where the checker sequentially performed two state transitions to add two separate note tags.
In the unlikely case when the updated state (the variable
NewState) was posteriorly overconstrained, the engine marked the node after the first state transition as a sink to stop the "natural" graph exploration after that point.However, in this particular case the checker tried to directly add a second node, and this triggered an assertion in the
addPredecessor()method ofExplodedNode.This commit introduces an explicit
isSink()check to avoid this crash. To avoid similar bugs in the future, perhaps it would be possible to tweakaddTransition()and ensure that it returnsnullptrwhen it would return a sink node (to unify the two possible error conditions).This crash was observed in an analysis of the curl project (in a very long and complex function), and there I validated that this is the root cause, but I don't have a self-contained testcase that can trigger the creation of a PosteriorlyOverconstrained node in this situation.