trailofbits / vast

VAST is an experimental compiler pipeline designed for program analysis of C and C++. It provides a tower of IRs as MLIR dialects to choose the best fit representations for a program analysis or further program abstraction.
https://trailofbits.github.io/vast/
Apache License 2.0

[Bug]: Fail to find symbol associated with referenced parameter variable #625

Closed pgoodman closed 2 weeks ago

pgoodman commented 2 weeks ago

VAST version

master

LLVM version

18

Operating system

macOS

Description

Symbol lookup fails, but is never checked, for codegen for a DeclRefExpr. This manifests when .freeze() to finish a DeclRefOp tries to construct the operand list with a nullptr-initialized operand.

I think there are a few things going on:

1) A built-in assumption that the decl being visited when creating the function prototype matches the decl being visited when filling in the body. Multiplier's indexer goes and visits all of the declarations in order in the translation unit, and so this assumption is broken. I think this assumption is likely due to the behaviour of clang and its astconsumer top-level decl visitor stuff. VAST's visitor logic is more general than that, and shouldn't depend on that behaviour.
2) An assumption that the names of parameter variables will match across prototypes for the same function.
3) An assumption that all symbol lookups will return things.

Steps to Reproduce

Minimal repro if you're indexing with multiplier:

/tmp/test.c:

void foo(int);
void foo(int x) {
  !!x;
}

/tmp/test.json:

[{
  "file":"test.c",
  "directory":"/private/tmp",
  "command":"/usr/bin/clang test.c"
}]

command:

./bin/mx-index --db /tmp/repro.db --workspace /tmp/repro.ws --target /tmp/test.json
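
The three assumptions listed in the report, as an added toy model. This is not code from the issue, VAST, Clang or Multiplier, and `ParamDecl`, `FuncDecl`, `lookup` and `emit_param_ref` are hypothetical names. It shows the lookup missing for the test.c case whether the table is keyed by declaration identity or by parameter name, and the miss being returned as an error rather than reaching operand construction.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins for AST nodes; these are not Clang or VAST types.
struct ParamDecl { std::string name; };
struct FuncDecl  { std::vector<ParamDecl> params; };

enum class Key { DeclIdentity, Name };  // what the symbol table is keyed on

struct Lookup { bool found; std::size_t arg; };

// Resolve `ref` against the parameters of `bound`, the declaration whose
// parameters were registered when the function prototype was emitted.
// A miss is reported to the caller instead of yielding a null value.
Lookup lookup(const FuncDecl& bound, const ParamDecl& ref, Key key) {
    for (std::size_t i = 0; i < bound.params.size(); ++i) {
        const ParamDecl& p = bound.params[i];
        bool hit = (key == Key::DeclIdentity)
                       ? (&p == &ref)
                       : (!p.name.empty() && p.name == ref.name);
        if (hit) return {true, i};
    }
    return {false, 0};
}

struct Result { bool ok; std::size_t arg; std::string error; };

// Model of codegen for a reference to parameter `index` in the body of `def`:
// the operand is only built after the lookup is known to have succeeded.
Result emit_param_ref(const FuncDecl& bound, const FuncDecl& def,
                      std::size_t index, Key key) {
    const ParamDecl& ref = def.params.at(index);
    Lookup l = lookup(bound, ref, key);
    if (!l.found) return {false, 0, "unresolved parameter '" + ref.name + "'"};
    return {true, l.arg, ""};
}

// Constructed input mirroring test.c: `void foo(int);` and `void foo(int x) {...}`.
FuncDecl prototype()  { return FuncDecl{{ParamDecl{""}}}; }
FuncDecl definition() { return FuncDecl{{ParamDecl{"x"}}}; }

int main() {
    FuncDecl proto = prototype(), def = definition();
    std::cout << emit_param_ref(proto, def, 0, Key::DeclIdentity).error << "\n"
              << emit_param_ref(proto, def, 0, Key::Name).error << "\n"
              << emit_param_ref(def, def, 0, Key::DeclIdentity).ok << "\n";
}
```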