Skip to content

76 false positive invalid base reconstruction on range for pointer slot induction #77

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
SizzleUnrlsd merged 2 commits into from
Jun 7, 2026
Merged

76 false positive invalid base reconstruction on range for pointer slot induction #77

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
95ce21b
test(analysis): cover pointer-slot induction false positive
SizzleUnrlsd Jun 5, 2026
da08208
fix(analysis): bound pointer-slot induction in origin tracking
SizzleUnrlsd Jun 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 62 additions & 44 deletions src/analysis/InvalidBaseReconstruction.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -426,6 +426,57 @@ namespace ctrace::stack::analysis
int64_t offset = 0;
};

static bool matchPointerSlotInductionStore(const llvm::Value* storedValue,
const llvm::AllocaInst* pointerSlot,
const llvm::DataLayout& DL)
{
using namespace llvm;

const Value* base = nullptr;
int64_t offset = 0;
if (!getGEPConstantOffsetAndBase(storedValue, DL, offset, base))
return false;
if (offset == 0)
return false;

const Value* strippedBase = base ? base->stripPointerCasts() : nullptr;
if (!isLoadFromAlloca(strippedBase, pointerSlot))
return false;

return true;
}

static std::string formatSourceOffsets(const std::set<int64_t>& offsets)
{
constexpr std::size_t kMaxDisplayedOffsets = 12;

auto formatOffset = [](int64_t offset)
{ return offset != 0 ? "+" + std::to_string(offset) : std::string("base"); };

if (offsets.size() == 1)
{
const int64_t offset = *offsets.begin();
return offset != 0 ? "offset +" + std::to_string(offset) : std::string("base");
}

std::ostringstream out;
out << "offsets ";
std::size_t printed = 0;
for (int64_t offset : offsets)
{
if (printed >= kMaxDisplayedOffsets)
{
out << ", ... (+" << (offsets.size() - printed) << " more)";
break;
}
if (printed != 0)
out << ", ";
out << formatOffset(offset);
++printed;
}
return out.str();
}

static void collectPointerOrigins(const llvm::Value* V, const llvm::DataLayout& DL,
llvm::SmallVectorImpl<PtrOrigin>& out, WorkBudget& budget)
{
Expand All @@ -450,19 +501,24 @@ namespace ctrace::stack::analysis
Type* allocaTy = AI->getAllocatedType();
if (allocaTy->isPointerTy())
{
SmallVector<const Value*, 8> seedStores;
for (const User* Usr : AI->users())
{
if (auto* SI = dyn_cast<StoreInst>(Usr))
{
if (SI->getPointerOperand() != AI)
continue;
const Value* StoredVal = SI->getValueOperand();
if (recordVisitedOffset(visited, StoredVal, currentOffset))
{
worklist.push_back({StoredVal, currentOffset});
}
if (matchPointerSlotInductionStore(StoredVal, AI, DL))
continue;
seedStores.push_back(StoredVal);
}
}
for (const Value* StoredVal : seedStores)
{
if (recordVisitedOffset(visited, StoredVal, currentOffset))
worklist.push_back({StoredVal, currentOffset});
}
continue;
}

Expand Down Expand Up @@ -1049,29 +1105,10 @@ namespace ctrace::stack::analysis
if (!entry.anyOutOfBounds && !entry.anyNonZeroResult)
continue;

std::ostringstream memberStr;
if (entry.memberOffsets.size() == 1)
{
int64_t mo = *entry.memberOffsets.begin();
memberStr << (mo != 0 ? "offset +" + std::to_string(mo) : "base");
}
else
{
memberStr << "offsets ";
bool first = true;
for (int64_t mo : entry.memberOffsets)
{
if (!first)
memberStr << ", ";
memberStr << (mo != 0 ? "+" + std::to_string(mo) : "base");
first = false;
}
}

InvalidBaseReconstructionIssue issue;
issue.funcName = F.getName().str();
issue.varName = entry.varName;
issue.sourceMember = memberStr.str();
issue.sourceMember = formatSourceOffsets(entry.memberOffsets);
issue.offsetUsed = kv.first.second;
issue.targetType = entry.targetType;
issue.isOutOfBounds = entry.anyOutOfBounds;
Expand Down Expand Up @@ -1157,29 +1194,10 @@ namespace ctrace::stack::analysis
if (!entry.anyOutOfBounds && !entry.anyNonZeroResult)
continue;

std::ostringstream memberStr;
if (entry.memberOffsets.size() == 1)
{
int64_t mo = *entry.memberOffsets.begin();
memberStr << (mo != 0 ? "offset +" + std::to_string(mo) : "base");
}
else
{
memberStr << "offsets ";
bool first = true;
for (int64_t mo : entry.memberOffsets)
{
if (!first)
memberStr << ", ";
memberStr << (mo != 0 ? "+" + std::to_string(mo) : "base");
first = false;
}
}

InvalidBaseReconstructionIssue issue;
issue.funcName = F.getName().str();
issue.varName = entry.varName;
issue.sourceMember = memberStr.str();
issue.sourceMember = formatSourceOffsets(entry.memberOffsets);
issue.offsetUsed = gepOffset;
issue.targetType = entry.targetType;
issue.isOutOfBounds = entry.anyOutOfBounds;
Expand Down
34 changes: 34 additions & 0 deletions test/offset_of-container_of/range_for_pointer_slot_induction_no_invalid_base.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
// SPDX-License-Identifier: Apache-2.0
// strict-diagnostic-count: false

struct ViewLike
{
const char* data;
unsigned long size;

constexpr bool ends_with(ViewLike suffix) const
{
return size >= suffix.size && suffix.data != nullptr;
}
};

int range_for_pointer_slot_induction_should_not_warn(ViewLike filename)
{
constexpr ViewLike cExtensions[] = {{".c", 2}, {".h", 2}};

for (const auto& ext : cExtensions)
{
if (filename.ends_with(ext))
return 1;
}

return 0;
}

int main(void)
{
return range_for_pointer_slot_induction_should_not_warn({"main.c", 6});
}

// not contains: potential UB: invalid base reconstruction via offsetof/container_of
// not contains: derived pointer points OUTSIDE the valid object range
Loading