[C++ BoundsSafety] Fix false positives when pointer argument is a function call #11046
+222
−70
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ction call rdar://155952016
ziqingluo-90
changed the title
|
@patrykstefanski This is my attempt to extend the existing |
| } | ||
| } | ||
| return {E, false}; | ||
| } |
There was a problem hiding this comment.
It seems that both trySimplifyDerefAddressof and trySubstitute attempt to simplify and substitute expressions. Maybe we could consider combining them into a single function?
I was thinking about something like this:
// Simplify '*&e' and/or substitute decl. We want to perform both at the same
// time, since this pattern might occur after a substitution:
// E: *x, DependentValues: {x->&y} which results in *&y
std::pair<const Expr *, bool>
trySimplifyAndSubstitute(const Expr *const E, bool AllowSubst,
const DependentValuesTy *DependentValues) const {
const Expr *X = E->IgnoreParenImpCasts();
bool HasDeref = false;
if (const auto *DerefOp = dyn_cast<UnaryOperator>(X);
DerefOp && DerefOp->getOpcode() == UO_Deref) {
HasDeref = true;
X = DerefOp->getSubExpr()->IgnoreParenImpCasts();
}
auto trySubstitute = [&](const Expr *E) -> std::pair<const Expr *, bool> {
if (AllowSubst && DependentValues) {
if (const auto *DRE = dyn_cast<DeclRefExpr>(E)) {
if (auto It = DependentValues->find(DRE->getDecl());
It != DependentValues->end())
return {It->second->IgnoreParenImpCasts(), true};
}
}
return {E, false};
};
bool Substituted = false;
std::tie(X, Substituted) = trySubstitute(X);
if (HasDeref) {
const auto *AddrOfOp = dyn_cast<UnaryOperator>(X);
if (!AddrOfOp || AddrOfOp->getOpcode() != UO_AddrOf)
return {E, false};
X = AddrOfOp->getSubExpr()->IgnoreParenImpCasts();
}
if (!Substituted)
std::tie(X, Substituted) = trySubstitute(X);
return {X, Substituted};
}In that case, VisitDeclRefExpr and VisitUnaryOperator could look like this:
bool VisitDeclRefExpr(const DeclRefExpr *SelfDRE, const Expr *Other,
bool hasSelfBeenSubstituted,
bool hasOtherBeenSubstituted) {
const ValueDecl *SelfVD = SelfDRE->getDecl();
const auto [Self, Substituted] = trySimplifyAndSubstitute(
SelfDRE, !hasSelfBeenSubstituted, DependentValuesSelf);
if (Self != SelfDRE) {
// We only simplify '*&e', this couldn't happen here, since we have a DRE.
assert(Substituted);
// We substituted the expr, now recurse.
return Visit(Self, Other, true, hasOtherBeenSubstituted);
}
std::tie(Other, hasOtherBeenSubstituted) = trySimplifyAndSubstitute(
Other, !hasOtherBeenSubstituted, DependentValuesOther);
const auto *O = Other->IgnoreParenImpCasts();
if (const auto *OtherDRE = dyn_cast<DeclRefExpr>(O)) {
// Both SelfDRE and OtherDRE can be transformed from member expressions:
if (OtherDRE->getDecl() == SelfVD)
return true;
return false;
}
const auto *OtherME = dyn_cast<MemberExpr>(O);
if (MemberBase && OtherME) {
return OtherME->getMemberDecl() == SelfVD &&
Visit(OtherME->getBase(), MemberBase, hasSelfBeenSubstituted,
hasOtherBeenSubstituted);
}
return false;
}
bool VisitUnaryOperator(const UnaryOperator *SelfUO, const Expr *Other,
bool hasSelfBeenSubstituted,
bool hasOtherBeenSubstituted) {
if (SelfUO->getOpcode() != UO_Deref)
return false; // We don't support any other unary operator
const auto &[SimplifiedSelf, Substituted] = trySimplifyAndSubstitute(
SelfUO, !hasSelfBeenSubstituted, DependentValuesSelf);
if (SelfUO != SimplifiedSelf) {
return Visit(SimplifiedSelf, Other, Substituted, hasOtherBeenSubstituted);
}
std::tie(Other, hasOtherBeenSubstituted) = trySimplifyAndSubstitute(
Other, !hasOtherBeenSubstituted, DependentValuesOther);
if (const auto *OtherUO =
dyn_cast<UnaryOperator>(Other->IgnoreParenImpCasts())) {
if (SelfUO->getOpcode() == OtherUO->getOpcode())
return Visit(SelfUO->getSubExpr(), OtherUO->getSubExpr(),
hasSelfBeenSubstituted, hasOtherBeenSubstituted);
}
return false;
}What do you think?
| // Handle `PtrArgNoImp` has the form of `(char *) p` and `p` is a sized_by | ||
| // pointer. This will be of pattern 5 after stripping the cast: | ||
| if (const auto *CastE = dyn_cast<CastExpr>(PtrArgNoImp); CastE && isSizedBy) | ||
| PtrArgNoImp = CastE->getSubExpr(); |
There was a problem hiding this comment.
Do we have tests for such casts?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR attempts to fix false positives in such an example:
The analysis needs to compare the size of
f(len), which is specified by__counted_by(n), with the expected count of the first argument ofcb, which is specified by__counted_by(count). The comparison interprets the two comparands at two "call contexts" respectively: the countnneeds to be interpreted at the callf(len)with a mapping{n -> len}and the countcountneeds to be interpreted at the callcb(f(len), len)with a mapping{p -> f(len), count -> len}.The existing compare algorithm is extended from assuming only one comparand needs a substitution map to assuming both comparands need substitution maps.
rdar://155952016