[clang][StaticAnalyzer] Fix crash in SimpleSValBuilder with unsigned __int128 and negative literals #150225
…__int128 and negative literals

Fix a crash in SimpleSValBuilder::MakeSymIntVal when processing overflow builtins like __builtin_mul_overflow with unsigned __int128 and negative literal operands. The issue occurred when converting negative values to very large unsigned types (>64 bits). The original logic would convert the negative value to the large unsigned type first (creating a very large positive number), then attempt to negate it, which could cause overflow issues. The fix adds a special case for large unsigned types where we take the absolute value of the negative operand first, then convert it to the target type, avoiding the problematic intermediate conversion.

Fixes llvm#150206
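The two conversion orders the commit message contrasts (convert to the wide unsigned type and then negate, versus negate first and then convert) can be tried directly with the compiler's own unsigned __int128. The following is an added example, not code from clang or from this PR; it assumes, as labelled in the comments, that APSInt::negate() wraps in the operand's own bit width and that a signed-to-wider-unsigned conversion sign-extends before reinterpreting the bits. It shows that both orders agree for an ordinary literal such as -16, and that they diverge when the negative operand is the minimum value of its own type, because negating in the narrow width wraps back to the same negative value.

```cpp
#include <cstdint>

// Added example; not clang code. Emulates, with the compiler's unsigned
// __int128, the two operand-conversion orders for a negative 32-bit literal
// and a 128-bit unsigned result type. Assumption (not shown on the page):
// APSInt::negate() wraps in the operand's own width like two's complement,
// and converting a signed value to a wider unsigned type sign-extends first.
using u128 = unsigned __int128;
using i128 = __int128;

// Pre-patch order: convert RHS to the unsigned 128-bit result type first,
// then negate in that width. Unsigned negation is modular, so this yields
// |rhs| for every negative rhs, including INT32_MIN.
u128 negate_after_convert(int32_t rhs) {
    u128 converted = static_cast<u128>(static_cast<i128>(rhs)); // sign-extend, reinterpret
    return static_cast<u128>(0) - converted;                    // modular negate
}

// Patched order: negate in RHS's own 32-bit width, then convert. The wrap is
// done on uint32_t so this example has no signed-overflow UB; the resulting
// bit pattern is what a wrapping 32-bit negate produces.
u128 convert_after_negate(int32_t rhs) {
    uint32_t wrapped = static_cast<uint32_t>(0) - static_cast<uint32_t>(rhs);
    int32_t negated = static_cast<int32_t>(wrapped); // INT32_MIN maps to itself
    return static_cast<u128>(static_cast<i128>(negated));
}

// Reference: widen to a signed type that can hold -rhs, negate there, then
// convert. This is the magnitude the analyzer needs from either order.
u128 widen_then_negate(int32_t rhs) {
    i128 wide = static_cast<i128>(rhs);
    return static_cast<u128>(-wide);
}

// True when both orders produce the reference magnitude for this operand.
bool orders_agree(int32_t rhs) {
    u128 ref = widen_then_negate(rhs);
    return negate_after_convert(rhs) == ref && convert_after_negate(rhs) == ref;
}

int main() {
    // Ordinary literal: both orders give 16. Type minimum: they diverge.
    bool ok = orders_agree(-16) && !orders_agree(INT32_MIN);
    return ok ? 0 : 1;
}
```

The reference function is the order a reviewer would ask for: extend the operand to the target width while it is still signed, negate there (no overflow is possible once the width has grown), and only then reinterpret as unsigned. Compile with g++ or clang++ on a target that supports __int128; MSVC does not provide the type.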
@llvm/pr-subscribers-clang-static-analyzer-1

Author: Cả thế giới là Rust (naoNao89)

Changes

Summary

This PR fixes a crash in the Clang static analyzer when processing overflow builtins like __builtin_mul_overflow with unsigned __int128 and negative literal operands.

Problem

The issue was reported in #150206. The crash occurred in SimpleSValBuilder::MakeSymIntVal when the static analyzer tried to process code like:

    void foo(unsigned __int128 a) {
      __builtin_mul_overflow(a, -16, &a);
    }

The root cause was in the type conversion logic when handling negative values with very large unsigned types (>64 bits). The original logic would:

Solution

The fix adds a special case for large unsigned types where we:

The fix is targeted and only affects:

Testing

- clang/test/Analysis/builtin_overflow.c
- __builtin_mul_overflow, __builtin_add_overflow, and __builtin_sub_overflow

Files Changed

- clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp: Core fix implementation
- clang/test/Analysis/builtin_overflow.c: Added regression tests

Fixes #150206

Full diff: https://github.com/llvm/llvm-project/pull/150225.diff

2 Files Affected:
diff --git a/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index 84a9c43d3572e..63c2bb785744b 100644
--- a/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -219,7 +219,17 @@ SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS,
// subtraction/addition of the negated value.
APSIntType resultIntTy = BasicVals.getAPSIntType(resultTy);
if (isNegationValuePreserving(RHS, resultIntTy)) {
- ConvertedRHS = BasicVals.getValue(-resultIntTy.convert(RHS));
+ // For large unsigned types, we need to be careful about the conversion
+ // to avoid issues with very large intermediate values
+ if (resultIntTy.isUnsigned() && resultIntTy.getBitWidth() > 64) {
+ // For large unsigned types, convert the absolute value directly
+ // instead of converting the negative value and then negating
+ llvm::APSInt AbsRHS = RHS;
+ AbsRHS.negate();
+ ConvertedRHS = BasicVals.Convert(resultTy, AbsRHS);
+ } else {
+ ConvertedRHS = BasicVals.getValue(-resultIntTy.convert(RHS));
+ }
op = (op == BO_Add) ? BO_Sub : BO_Add;
} else {
ConvertedRHS = BasicVals.Convert(resultTy, RHS);
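Review bot: the new branch under `if (resultIntTy.isUnsigned() && resultIntTy.getBitWidth() > 64)` negates RHS in its own bit width (`llvm::APSInt AbsRHS = RHS; AbsRHS.negate();`), so when RHS is the most negative value of its type (INT_MIN for an int literal, which nothing in the lines shown excludes for a 128-bit target) the negate wraps back to the same negative value and `BasicVals.Convert(resultTy, AbsRHS)` sign-extends it into a value just below 2^128 instead of |RHS|; the replaced `-resultIntTy.convert(RHS)` gave the right magnitude for that input because negation in the unsigned target width is modular. Suggest widening before negating (extend RHS to resultIntTy.getBitWidth() while it is still signed, negate, then convert), and documenting why 64 is the threshold and which assertion the old path actually hit: the comment "to avoid issues with very large intermediate values" does not name a failure, and a modular unsigned negation has no intermediate that can overflow.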
diff --git a/clang/test/Analysis/builtin_overflow.c b/clang/test/Analysis/builtin_overflow.c
index d290333071dc9..f2bd08d25ad1f 100644
--- a/clang/test/Analysis/builtin_overflow.c
+++ b/clang/test/Analysis/builtin_overflow.c
@@ -164,3 +164,22 @@ void test_bool_assign(void)
// should return _Bool, but not int.
_Bool ret = __builtin_mul_overflow(10, 20, &res); // no crash
}
+
+void test_unsigned_int128_negative_literal(void)
+{
+ unsigned __int128 a = 42;
+
+ // This should not crash the static analyzer.
+ // Reproduces issue from GitHub #150206 where __builtin_mul_overflow
+ // with unsigned __int128 and negative literal caused a crash in
+ // SimpleSValBuilder::MakeSymIntVal.
+ __builtin_mul_overflow(a, -16, &a); // no crash
+
+ // Test other overflow builtins with the same pattern
+ __builtin_add_overflow(a, -16, &a); // no crash
+ __builtin_sub_overflow(a, -16, &a); // no crash
+
+ // Test with different negative values
+ __builtin_mul_overflow(a, -1, &a); // no crash
+ __builtin_mul_overflow(a, -255, &a); // no crash
+}
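Review bot: the regression test in test_unsigned_int128_negative_literal does not obviously reach the code path described in the PR, because `a` is initialised to the constant 42 and both operands of `__builtin_mul_overflow(a, -16, &a)` are therefore concrete, while the fix is in MakeSymIntVal, whose first parameter is a `const SymExpr *LHS`; the reproducer in the issue used a function parameter `void foo(unsigned __int128 a)`, which is symbolic. Suggest taking `a` as a parameter (or otherwise leaving it unconstrained) so the test exercises the changed branch, replacing the `// no crash` comments with an explicit check on the computed result in whatever form the rest of this file uses, and adding a negative literal at its type's minimum (for example `-2147483647 - 1`) so that the case where negating in the operand's own width wraps is covered.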
- Add null check for resultTy in SimpleSValBuilder::evalBinOpNN
- Add null check for resultTy in BuiltinFunctionChecker::handleOverflowBuiltin
- Add conservative handling for __int128 multiplication in BasicValueFactory::evalAPSInt
- Add unknown value checks in BuiltinFunctionChecker::checkOverflow

This fixes the crash when using __builtin_mul_overflow with unsigned __int128 and negative literals, which was causing segmentation faults in the static analyzer.
Thank you for the PR. Let's discuss this.
@@ -149,6 +149,12 @@ BuiltinFunctionChecker::checkOverflow(CheckerContext &C, SVal RetVal, | |||
// Calling a builtin with a non-integer type result produces compiler error. | |||
assert(Res->isIntegerType()); | |||
|
|||
// If RetVal is unknown or undefined, we can't determine overflow | |||
if (RetVal.isUnknown() || RetVal.isUndef()) { |
if (RetVal.isUnknown() || RetVal.isUndef()) { | |
if (RetVal.isUnknownOrUndef()) { |
My question here would be: if RetVal was unknown, then both IsLeMax and IsGeMin would become unknown, which in turn would eventually return {true,true}, as I later elaborate, from what I can tell reading this. If RetVal was Undef, then IsLeMax and IsGeMin would also be Undef, and the IsLeMax.castAs<DefinedOrUnknownSVal>() cast would trigger an assert/crash. Consequently, I'm not convinced that RetVal can be Undef here.
// If the comparison results are unknown, be conservative | ||
if (IsLeMax.isUnknown() || IsGeMin.isUnknown()) { | ||
return {true, true}; | ||
} | ||
|
I thought that assume(x,z) is {true,true} if either of x or y are Unknown. This would suggest to me that {MayOverflow || MayUnderflow, MayNotOverflow && MayNotUnderflow} should also result in {true,true} if x or y was Unknown. WDYT?

// of course checking it before the assume should do no harm, it's just unnecessary.
// If ResultType is null, we can't proceed with the evaluation | ||
if (ResultType.isNull()) { | ||
return; | ||
} |
When can ResultType be null? Is it that the getSufficientTypeForOverflowOp of __int128 is a null QualType?
// For large bit widths (like __int128), check for potential crashes | ||
if (V1.getBitWidth() >= 128 || V2.getBitWidth() >= 128) { | ||
// If either operand is zero, result is zero | ||
if (V1 == 0 || V2 == 0) { | ||
return getValue(llvm::APSInt(llvm::APInt::getZero(std::max(V1.getBitWidth(), V2.getBitWidth())), | ||
V1.isUnsigned() && V2.isUnsigned())); | ||
} | ||
|
||
// For __int128 types, be conservative to avoid crashes in APInt multiplication | ||
// This happens when multiplying unsigned __int128 with large values (like negative | ||
// numbers converted to unsigned) | ||
return std::nullopt; | ||
} |
This code does not seem convincing. In theory, we should be able to evaluate a multiplication here regardless of the bitwidths. Is there some safe APSInt operation that does this? And what about the rest of the operations, like BO_Div and friends? There we would still crash, if I understand this right.
// Check if resultTy is valid before using it | ||
if (!resultTy.isNull()) { |
Checking the resultTy here and there without systematic guarantees doesn't seem like the right approach. We should think about making this bulletproof somehow.
} else { | ||
APSIntType resultIntTy = BasicVals.getAPSIntType(resultTy); | ||
if (isNegationValuePreserving(RHS, resultIntTy)) { | ||
// For large unsigned types, we need to be careful about the conversion | ||
// to avoid issues with very large intermediate values | ||
if (resultIntTy.isUnsigned() && resultIntTy.getBitWidth() > 64) { | ||
// For large unsigned types, convert the absolute value directly | ||
// instead of converting the negative value and then negating | ||
llvm::APSInt AbsRHS = RHS; | ||
AbsRHS.negate(); | ||
ConvertedRHS = BasicVals.Convert(resultTy, AbsRHS); | ||
} else { | ||
ConvertedRHS = BasicVals.getValue(-resultIntTy.convert(RHS)); | ||
} | ||
op = (op == BO_Add) ? BO_Sub : BO_Add; | ||
} else { | ||
ConvertedRHS = BasicVals.Convert(resultTy, RHS); | ||
} |
I've not checked this part. I'll come back once we finished with the rest.
You can test this locally with the following command:

git-clang-format --diff HEAD~1 HEAD --extensions cpp,c -- clang/lib/StaticAnalyzer/Checkers/BuiltinFunctionChecker.cpp clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp clang/test/Analysis/builtin_overflow.c

View the diff from clang-format here.

diff --git a/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp b/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp
index e0001acdf..8afb3f340 100644
--- a/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp
+++ b/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp
@@ -254,13 +254,14 @@ BasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op, const llvm::APSInt &V1,
if (V1.getBitWidth() >= 128 || V2.getBitWidth() >= 128) {
// If either operand is zero, result is zero
if (V1 == 0 || V2 == 0) {
- return getValue(llvm::APSInt(llvm::APInt::getZero(std::max(V1.getBitWidth(), V2.getBitWidth())),
+ return getValue(llvm::APSInt(llvm::APInt::getZero(std::max(
+ V1.getBitWidth(), V2.getBitWidth())),
V1.isUnsigned() && V2.isUnsigned()));
}
- // For __int128 types, be conservative to avoid crashes in APInt multiplication
- // This happens when multiplying unsigned __int128 with large values (like negative
- // numbers converted to unsigned)
+ // For __int128 types, be conservative to avoid crashes in APInt
+ // multiplication This happens when multiplying unsigned __int128 with
+ // large values (like negative numbers converted to unsigned)
return std::nullopt;
}
return getValue(V1 * V2);
diff --git a/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
index 29a711c81..60a8eed51 100644
--- a/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ b/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -223,17 +223,17 @@ SVal SimpleSValBuilder::MakeSymIntVal(const SymExpr *LHS,
} else {
APSIntType resultIntTy = BasicVals.getAPSIntType(resultTy);
if (isNegationValuePreserving(RHS, resultIntTy)) {
- // For large unsigned types, we need to be careful about the conversion
- // to avoid issues with very large intermediate values
- if (resultIntTy.isUnsigned() && resultIntTy.getBitWidth() > 64) {
- // For large unsigned types, convert the absolute value directly
- // instead of converting the negative value and then negating
- llvm::APSInt AbsRHS = RHS;
- AbsRHS.negate();
- ConvertedRHS = BasicVals.Convert(resultTy, AbsRHS);
- } else {
- ConvertedRHS = BasicVals.getValue(-resultIntTy.convert(RHS));
- }
+ // For large unsigned types, we need to be careful about the conversion
+ // to avoid issues with very large intermediate values
+ if (resultIntTy.isUnsigned() && resultIntTy.getBitWidth() > 64) {
+ // For large unsigned types, convert the absolute value directly
+ // instead of converting the negative value and then negating
+ llvm::APSInt AbsRHS = RHS;
+ AbsRHS.negate();
+ ConvertedRHS = BasicVals.Convert(resultTy, AbsRHS);
+ } else {
+ ConvertedRHS = BasicVals.getValue(-resultIntTy.convert(RHS));
+ }
op = (op == BO_Add) ? BO_Sub : BO_Add;
} else {
ConvertedRHS = BasicVals.Convert(resultTy, RHS);