This is an archive of the discontinued LLVM Phabricator instance.

[Static Analyzer] Make NonNullParamChecker emit implicit null dereference events.
ClosedPublic

Authored by xazax.hun on Jul 22 2015, 3:09 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
krememek
zaks.anna
jordan_rose

Commits

rGe9984b28ef53: [Static Analyzer] BugReporter.cpp:2869: Assertion failed: !RemainingNodes.empty…
rG8d3ad6b61715: [Static Analyzer] Make NonNullParamChecker emit implicit null dereference…
rC246188: [Static Analyzer] BugReporter.cpp:2869: Assertion failed: !RemainingNodes.empty…
rC246182: [Static Analyzer] Make NonNullParamChecker emit implicit null dereference…
rL246182: [Static Analyzer] Make NonNullParamChecker emit implicit null dereference…

Summary

For most of the implicit null pointer dereferences (when a pointer is dereferenced and the static analyzer can not prove that the pointer is non null, and can not prove that the pointer is null either) the DereferenceChecker will emit an event. However in some cases (e.g. binding such pointers to references in function parameters) no event will be emitted. This patch addresses this problem by extending NonNullParamChecker to emit an event in such cases. Future checkers (listening to these events) will profit from this change. For example I am working on a checker for nullability qualifiers that depend on this patch.

Diff Detail

Repository: rL LLVM

Event Timeline

xazax.hun updated this revision to Diff 30409.Jul 22 2015, 3:09 PM

xazax.hun retitled this revision from to [Static Analyzer] Make NonNullParamChecker emit implicit null dereference events..

xazax.hun updated this object.

xazax.hun added reviewers: zaks.anna, krememek, jordan_rose, dcoughlin.

xazax.hun added a subscriber: cfe-commits.

I believe we saw a regression in diagnostics with this modification. Gabor, do you recall what it was?

This revision now requires changes to proceed.Aug 17 2015, 12:13 PM

The problem here is that, this checker can emit a warning for two cases:
1, Null was bound to a reference which should be reported as a dereference
2, Null was passed to parameter that should be non-null (marked by the attribute, not the qualifier) which should be reported appropriately

Right now exactly the same event will be triggered for both cases, so the checkers that process this event has no information whether it is a dereference or a value passed to a nonnull parameter, so it can not provide appropriate diagnostic for both cases.

One possibility would be to have two separate events, the other is to have an argument to an event that determines its origin. Probably it would be better to have two separate events, since it might be confusing to have dereference in the name of the event in the second case.

What do you think?

Only send implicit dereference events, when the null pointer was bound to a reference.

Please, commit this after committing the nullability checker so that this could have tests. Two tests need to be added:

the reference case
the attribute nonnull case

Also, I'd suggest adding a field to ImplicitNullDerefEvent instead of creating a new event.

Updated to latest trunk.
Added a new field to the event with documentation.
Rebased the patch on the top of nullability checker.
Added covered cases to the nullability checker tests.

Thanks!

This revision is now accepted and ready to land.Aug 27 2015, 11:43 AM

Closed by commit rL246182: [Static Analyzer] Make NonNullParamChecker emit implicit null dereference… (authored by xazax). · Explain WhyAug 27 2015, 11:50 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

cfe/

trunk/

include/

clang/

StaticAnalyzer/

Core/

Checker.h

4 lines

lib/

StaticAnalyzer/

Checkers/

DereferenceChecker.cpp

8 lines

NonNullParamChecker.cpp

46 lines

NullabilityChecker.cpp

5 lines

test/

Analysis/

nullability.mm

8 lines

Diff 33344

cfe/trunk/include/clang/StaticAnalyzer/Core/Checker.h

	Show First 20 Lines • Show All 508 Lines • ▼ Show 20 Lines
	};			};

	/// \brief We dereferenced a location that may be null.			/// \brief We dereferenced a location that may be null.
	struct ImplicitNullDerefEvent {			struct ImplicitNullDerefEvent {
	SVal Location;			SVal Location;
	bool IsLoad;			bool IsLoad;
	ExplodedNode *SinkNode;			ExplodedNode *SinkNode;
	BugReporter *BR;			BugReporter *BR;
				// When true, the dereference is in the source code directly. When false, the
				// dereference might happen later (for example pointer passed to a parameter
				// that is marked with nonnull attribute.)
				bool IsDirectDereference;
	};			};

	/// \brief A helper class which wraps a boolean value set to false by default.			/// \brief A helper class which wraps a boolean value set to false by default.
	///			///
	/// This class should behave exactly like 'bool' except that it doesn't need to			/// This class should behave exactly like 'bool' except that it doesn't need to
	/// be explicitly initialized.			/// be explicitly initialized.
	struct DefaultBool {			struct DefaultBool {
	bool val;			bool val;
	Show All 11 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp

Show First 20 Lines • Show All 214 Lines • ▼ Show 20 Lines	if (!notNullState) {
reportBug(nullState, S, C);		reportBug(nullState, S, C);
return;		return;
}		}

// Otherwise, we have the case where the location could either be		// Otherwise, we have the case where the location could either be
// null or not-null. Record the error node as an "implicit" null		// null or not-null. Record the error node as an "implicit" null
// dereference.		// dereference.
if (ExplodedNode *N = C.generateSink(nullState)) {		if (ExplodedNode *N = C.generateSink(nullState)) {
ImplicitNullDerefEvent event = { l, isLoad, N, &C.getBugReporter() };		ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),
		/IsDirectDereference=/false};
dispatchEvent(event);		dispatchEvent(event);
}		}
}		}

// From this point forward, we know that the location is not null.		// From this point forward, we know that the location is not null.
C.addTransition(notNullState);		C.addTransition(notNullState);
}		}

Show All 20 Lines	if (StNull) {
if (!StNonNull) {		if (!StNonNull) {
reportBug(StNull, S, C, /isBind=/true);		reportBug(StNull, S, C, /isBind=/true);
return;		return;
}		}

// At this point the value could be either null or non-null.		// At this point the value could be either null or non-null.
// Record this as an "implicit" null dereference.		// Record this as an "implicit" null dereference.
if (ExplodedNode *N = C.generateSink(StNull)) {		if (ExplodedNode *N = C.generateSink(StNull)) {
ImplicitNullDerefEvent event = { V, /isLoad=/true, N,		ImplicitNullDerefEvent event = {V, /isLoad=/true, N,
&C.getBugReporter() };		&C.getBugReporter(),
		/IsDirectDereference=/false};
dispatchEvent(event);		dispatchEvent(event);
}		}
}		}

// Unlike a regular null dereference, initializing a reference with a		// Unlike a regular null dereference, initializing a reference with a
// dereferenced null pointer does not actually cause a runtime exception in		// dereferenced null pointer does not actually cause a runtime exception in
// Clang's implementation of references.		// Clang's implementation of references.
//		//
Show All 18 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/NonNullParamChecker.cpp

Show All 22 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;

namespace {		namespace {
class NonNullParamChecker		class NonNullParamChecker
: public Checker< check::PreCall > {		: public Checker< check::PreCall, EventDispatcher<ImplicitNullDerefEvent> > {
mutable std::unique_ptr<BugType> BTAttrNonNull;		mutable std::unique_ptr<BugType> BTAttrNonNull;
mutable std::unique_ptr<BugType> BTNullRefArg;		mutable std::unique_ptr<BugType> BTNullRefArg;

public:		public:

void checkPreCall(const CallEvent &Call, CheckerContext &C) const;		void checkPreCall(const CallEvent &Call, CheckerContext &C) const;

std::unique_ptr<BugReport>		std::unique_ptr<BugReport>
▲ Show 20 Lines • Show All 94 Lines • ▼ Show 20 Lines	if (haveAttrNonNull && !DV->getAs<Loc>()) {
continue;		continue;
}		}
}		}

ConstraintManager &CM = C.getConstraintManager();		ConstraintManager &CM = C.getConstraintManager();
ProgramStateRef stateNotNull, stateNull;		ProgramStateRef stateNotNull, stateNull;
std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);		std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);

if (stateNull && !stateNotNull) {		if (stateNull) {
		if (!stateNotNull) {
// Generate an error node. Check for a null node in case		// Generate an error node. Check for a null node in case
// we cache out.		// we cache out.
if (ExplodedNode *errorNode = C.generateSink(stateNull)) {		if (ExplodedNode *errorNode = C.generateSink(stateNull)) {

std::unique_ptr<BugReport> R;		std::unique_ptr<BugReport> R;
if (haveAttrNonNull)		if (haveAttrNonNull)
R = genReportNullAttrNonNull(errorNode, ArgE);		R = genReportNullAttrNonNull(errorNode, ArgE);
else if (haveRefTypeParam)		else if (haveRefTypeParam)
R = genReportReferenceToNullPointer(errorNode, ArgE);		R = genReportReferenceToNullPointer(errorNode, ArgE);

// Highlight the range of the argument that was null.		// Highlight the range of the argument that was null.
R->addRange(Call.getArgSourceRange(idx));		R->addRange(Call.getArgSourceRange(idx));

// Emit the bug report.		// Emit the bug report.
C.emitReport(std::move(R));		C.emitReport(std::move(R));
}		}

// Always return. Either we cached out or we just emitted an error.		// Always return. Either we cached out or we just emitted an error.
return;		return;
}		}
		if (ExplodedNode *N = C.generateSink(stateNull)) {
		ImplicitNullDerefEvent event = {
		V, false, N, &C.getBugReporter(),
		/IsDirectDereference=/haveRefTypeParam};
		dispatchEvent(event);
		}
		}

// If a pointer value passed the check we should assume that it is		// If a pointer value passed the check we should assume that it is
// indeed not null from this point forward.		// indeed not null from this point forward.
assert(stateNotNull);		assert(stateNotNull);
state = stateNotNull;		state = stateNotNull;
}		}

// If we reach here all of the arguments passed the nonnull check.		// If we reach here all of the arguments passed the nonnull check.
▲ Show 20 Lines • Show All 45 Lines • Show Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

Show First 20 Lines • Show All 329 Lines • ▼ Show 20 Lines	const NullabilityState *TrackedNullability =
State->get<NullabilityMap>(Region);		State->get<NullabilityMap>(Region);

if (!TrackedNullability)		if (!TrackedNullability)
return;		return;

if (Filter.CheckNullableDereferenced &&		if (Filter.CheckNullableDereferenced &&
TrackedNullability->getValue() == Nullability::Nullable) {		TrackedNullability->getValue() == Nullability::Nullable) {
BugReporter &BR = *Event.BR;		BugReporter &BR = *Event.BR;
		if (Event.IsDirectDereference)
reportBug(ErrorKind::NullableDereferenced, Event.SinkNode, Region, BR);		reportBug(ErrorKind::NullableDereferenced, Event.SinkNode, Region, BR);
		else
		reportBug(ErrorKind::NullablePassedToNonnull, Event.SinkNode, Region, BR);
}		}
}		}

/// This method check when nullable pointer or null value is returned from a		/// This method check when nullable pointer or null value is returned from a
/// function that has nonnull return type.		/// function that has nonnull return type.
///		///
/// TODO: when nullability preconditons are violated, it is ok to violate the		/// TODO: when nullability preconditons are violated, it is ok to violate the
/// nullability postconditons (i.e.: when one of the nonnull parameters are null		/// nullability postconditons (i.e.: when one of the nonnull parameters are null
▲ Show 20 Lines • Show All 492 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/nullability.mm

	Show First 20 Lines • Show All 44 Lines • ▼ Show 20 Lines

	Dummy *_Nullable returnsNullable();			Dummy *_Nullable returnsNullable();
	Dummy *_Nonnull returnsNonnull();			Dummy *_Nonnull returnsNonnull();
	Dummy *returnsUnspecified();			Dummy *returnsUnspecified();
	int *_Nullable returnsNullableInt();			int *_Nullable returnsNullableInt();

	template <typename T> T eraseNullab(T p) { return p; }			template <typename T> T eraseNullab(T p) { return p; }

				void takesAttrNonnull(Dummy *p) __attribute((nonnull(1)));

	void testBasicRules() {			void testBasicRules() {
	Dummy *p = returnsNullable();			Dummy *p = returnsNullable();
	int *ptr = returnsNullableInt();			int *ptr = returnsNullableInt();
	// Make every dereference a different path to avoid sinks after errors.			// Make every dereference a different path to avoid sinks after errors.
	switch (getRandom()) {			switch (getRandom()) {
	case 0: {			case 0: {
	Dummy &r = *p; // expected-warning {{}}			Dummy &r = *p; // expected-warning {{}}
	} break;			} break;
	case 1: {			case 1: {
	int b = p->val; // expected-warning {{}}			int b = p->val; // expected-warning {{}}
	} break;			} break;
	case 2: {			case 2: {
	int stuff = *ptr; // expected-warning {{}}			int stuff = *ptr; // expected-warning {{}}
	} break;			} break;
	case 3:			case 3:
	takesNonnull(p); // expected-warning {{}}			takesNonnull(p); // expected-warning {{}}
	break;			break;
	case 4: {			case 4: {
	Dummy d;			Dummy d;
	takesNullable(&d);			takesNullable(&d);
	Dummy dd(d);			Dummy dd(d);
	break;			break;
	}			}
	// Here the copy constructor is called, so a reference is initialized with the			case 5: takesAttrNonnull(p); break; // expected-warning {{Nullable pointer is passed to}}
	// value of p. No ImplicitNullDereference event will be dispatched for this			default: { Dummy d = *p; } break; // expected-warning {{Nullable pointer is dereferenced}}
	// case. A followup patch is expected to fix this in NonNullParamChecker.
	default: { Dummy d = *p; } break; // No warning.
	}			}
	if (p) {			if (p) {
	takesNonnull(p);			takesNonnull(p);
	if (getRandom()) {			if (getRandom()) {
	Dummy &r = *p;			Dummy &r = *p;
	} else {			} else {
	int b = p->val;			int b = p->val;
	}			}
	▲ Show 20 Lines • Show All 94 Lines • Show Last 20 Lines