diff options
| author | DonatNagyE <donat.nagy@ericsson.com> | 2023-09-14 11:51:46 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-09-14 11:51:46 +0200 |
| commit | 0b2778d5e59192331351e082a354843b0e9c1235 (patch) | |
| tree | 9d62945a5e9131a364e6e2febfc214c96f1ebb3c /clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp | |
| parent | e873280e614f8457ebbe2ffdee389b4e336739a6 (diff) | |
| download | llvm-0b2778d5e59192331351e082a354843b0e9c1235.zip llvm-0b2778d5e59192331351e082a354843b0e9c1235.tar.gz llvm-0b2778d5e59192331351e082a354843b0e9c1235.tar.bz2 | |
[analyzer] Fix StdLibraryFunctionsChecker crash on surprising sink node (#66109)
Recent changes in StdLibraryFunctionsChecker introduced a situation
where the checker sequentially performed two state transitions to add
two separate note tags.
In the unlikely case when the updated state (the variable `NewState`)
was posteriorly overconstrained, the engine marked the node after the
first state transition as a sink to stop the "natural" graph exploration
after that point.
However, in this particular case the checker tried to directly add a
second node, and this triggered an assertion in the `addPredecessor()`
method of `ExplodedNode`.
This commit introduces an explicit `isSink()` check to avoid this crash.
To avoid similar bugs in the future, perhaps it would be possible to
tweak `addTransition()` and ensure that it returns `nullptr` when it
would return a sink node (to unify the two possible error conditions).
This crash was observed in an analysis of the curl project (in a very
long and complex function), and there I validated that this is the root
cause, but I don't have a self-contained testcase that can trigger the
creation of a PosteriorlyOverconstrained node in this situation.
Diffstat (limited to 'clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp')
| -rw-r--r-- | clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp index f5f6e3a..13bb9ce 100644 --- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp @@ -1387,8 +1387,8 @@ void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call, if (!NewState) continue; - // It is possible that NewState == State is true. - // It can occur if another checker has applied the state before us. + // Here it's possible that NewState == State, e.g. when other checkers + // already applied the same constraints (or stricter ones). // Still add these note tags, the other checker should add only its // specialized note tags. These general note tags are handled always by // StdLibraryFunctionsChecker. @@ -1427,7 +1427,12 @@ void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call, }); Pred = C.addTransition(NewState, Pred, Tag); } - if (!Pred) + + // Pred may be: + // - a nullpointer, if we reach an already existing node (theoretically); + // - a sink, when NewState is posteriorly overconstrained. + // In these situations we cannot add the errno note tag. + if (!Pred || Pred->isSink()) continue; } |