Bounds widening for _Nt_array_ptr's #728
Conversation
Strings in Checked C are declared as _Nt_array_ptr which means they are
terminated by a null terminator. If we determine that the dereference of an
_Nt_array_ptr is non-null then we can widen the bounds of the pointer by 1
because there will always be at least the null terminator in the string.
Formally we can state the problem as:
∀ p | p ∈ _Nt_array_ptr & bounds(p) = [l, u)
*p != 0 => bounds(p) = [l, u + 1)
Example:
_Nt_array_ptr<char> p : count(0) = "abc"; // bounds = [0, 0]
if (*p) { // bounds = [0, 1) }
|
Dataflow equations: Let
|
|
Please review this PR as WIP. I am currently testing it out. Will add unit tests soon. |
clang/lib/Sema/BoundsAnalysis.cpp
Outdated
| namespace clang { | ||
|
|
||
| void BoundsAnalysis::WidenBounds() { | ||
| llvm::dbgs() << "### Debug bounds analysis\n"; |
There was a problem hiding this comment.
Will remove the debug messages soon.
mgrang
changed the title
Yes, the goal is ultimately to have a common base. We can do that in a separate clean-up PR. |
|
Thanks for your review, David. If we change Gen to be an expression instead of a constant offset how would we compute the intersection of sets? One option is to assign a number to each expression in Gen. Numbers would increase from entry to exit for a particular V. Then to compute intersection we choose the expr with the smaller number. This would represent the LUB of the sets. |
There was a problem hiding this comment.
@mgrang, you are correct that changing gen sets to be expressions would complicate the algorithm. The gen set entries should be constant offsets relative to the declared upper bound of an nt_array_ptr variable. Given
nt_array_ptr<char> p : bounds(e1, e2)
it is not correct to widen p given *p. p should be widened given a dereference of the form *(e2 + k), where k is a constant integer.
Note that we have methods for determining whether some expression e3 is equivalent to the expression e2. See AST\CanonBounds.
| // CHECK: [B8] | ||
| // CHECK: 1: p = "xy" | ||
| // CHECK: 2: *(p + 1) | ||
| // CHECK: upper_bound(p) = 1 |
There was a problem hiding this comment.
This is wrong. You need to widen against the upper bound of p, which is declared to p + j.
|
|
||
| void BoundsAnalysis::ComputeGenSets(BlockMapTy BlockMap) { | ||
| // If there is an edge B1->B2 and the edge condition is of the form | ||
| // "if (*(p + i))" then Gen[B1] = {B2, p:i} . |
There was a problem hiding this comment.
Could you clarify whether i is a constant or a variable? I know that i is a constant from context, but it could confuse people later on.
Gen sets should be constant offsets relative to the declared upper bound of a pointer. If p has declared upper bounds of e, and this is a dereference of *(e + i), then Gen[B1] = i. You'll need to handle expressions that are equivalent to e + i. Note that we already have methods for checking the equivalence of expressions.
| // For conditions of the form "if (*p)". | ||
| if (const auto *D = dyn_cast<DeclRefExpr>(Exp)) { | ||
| if (const auto *V = dyn_cast<VarDecl>(D->getDecl())) { | ||
| if (V->getType()->isCheckedPointerNtArrayType()) { |
There was a problem hiding this comment.
I agree that gen can remain a constant offset. However, it should be a constant offset relative to the declared upper bound of a pointer variable.
Thanks David. I think we still have a complication. Let's say we have a case like: and then we encounter I think a simpler option is to keep the implementation we have now as is, meaning the bounds widened by this algorithm are not relative to the declared upper bound. Instead we "adjust" the widened bounds at the call site of this algorithm. Let's say the widened bounds for If For example:
|
|
I agree it could get complicated quickly. The way we will handle this is by putting expressions in a standard form, such that the constant is on the outside. We already face similar problems when checking bounds declarations. The problem with the approach that you propose is that we cannot handle simple cases like widening bounds of a variable v with bounds(v, v + len). I think it would be appropriate to address additional cases and using standard forms in separate PRs, and finish this PR. How about you add a check that the upper bound is the variable v? This would bring it into agreement with what I am proposing, and let us finish the current PR. |
|
< How about you add a check that the upper bound is the variable v? |
|
I am suggesting that in this PR, we only widen bounds for nt_array_ptr variables whose bounds are bounds(v, v) or count(0). I am suggesting that in a future PR, we generalize this to widen bounds for dereferences involving constant offsets from the declared upper bound of a variable. |
|
Done. Latest PR widens bounds only when the declared bounds are count(0) or bounds(v, v). Also removed the more generic tests and replaced them with only tests specific to count(0) bounds. |
|
ADO Validations Passed: |
There was a problem hiding this comment.
I noticed that in the testing code, you removed code that testeds nested conditionals of the form:
if (*p) {
if (*(p + 1)) {
if (*(p + 2)) {
...
Could you add a test of this back?
Added. Because we converted warnings to errors I cannot add more intensive tests for this commit. An nt_array_ptr with a non-zero upper bound won't do any widening because we explicitly test for zero upper bound. On the other hand, for an nt_array_ptr with zero upper bound, I cannot dereference anything other than *p without running into out-of-bounds access errors.
_Nt_array_ptr's are terminated by a null terminator. If we determine that the dereference of a_Nt_array_ptris non-null then we can widen the bounds of the pointer by 1 because there will always be at least the null terminator in the string.Formally we can state the problem as:
∀ p | p ∈ _Nt_array_ptr & bounds(p) = [l, u)*p != 0 => bounds(p) = [l, u + 1)Example:
_Nt_array_ptr<char> p : count(0) = "abc"; // bounds = [0, 0]if (*p) { // bounds = [0, 1) }