This is an archive of the discontinued LLVM Phabricator instance.

Differential D13488

[analyzer] Assume escape is possible through system functions taking void*
ClosedPublic

Authored by zaks.anna on Oct 6 2015, 4:47 PM.

Details

Reviewers
dcoughlin
Summary

The analyzer assumes that system functions will not free memory or modify the arguments in other ways, so we assume that arguments do not escape when those are called. However, this may lead to false positive leak errors. For example, in code like this where the pointers added to the rb_tree are freed later on:

		struct alarm_event *e = calloc(1, sizeof(*e));

<snip>

		rb_tree_insert_node(&alarm_tree, e);

Add a heuristic to assume that calls to system functions taking void* arguments allow for pointer escape.

Diff Detail

Event Timeline

zaks.anna updated this revision to Diff 36679.Oct 6 2015, 4:47 PM
zaks.anna retitled this revision from to [analyzer] Assume escape is possible through system functions taking void*.
zaks.anna updated this object.
zaks.anna added a reviewer: dcoughlin.
zaks.anna added subscribers: xazax.hun, cfe-commits.
Herald added a subscriber: aemerson. · View Herald TranscriptOct 6 2015, 4:47 PM
dcoughlin accepted this revision.Oct 6 2015, 6:15 PM
dcoughlin edited edge metadata.

Has a typo but otherwise LGTM.

include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
258

Did you consider using std::function<bool(QualType)> instead of a function pointer so that clients could use lambdas that capture to provide the condition?

test/Analysis/Inputs/system-header-simulator.h
85

Typo "strauctures"

This revision is now accepted and ready to land.Oct 6 2015, 6:15 PM
zaks.anna closed this revision.Nov 17 2015, 5:00 PM

Committed in r251449.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
7 lines
lib/
StaticAnalyzer/
Checkers/
2 lines
Core/
41 lines
test/
Analysis/
Inputs/
6 lines
17 lines

Diff 36679

include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show First 20 LinesShow All 247 Lines▼ Show 20 Linespublic:
QualType getResultType() const; QualType getResultType() const;
/// \brief Returns the return value of the call. /// \brief Returns the return value of the call.
/// ///
/// This should only be called if the CallEvent was created using a state in /// This should only be called if the CallEvent was created using a state in
/// which the return value has already been bound to the origin expression. /// which the return value has already been bound to the origin expression.
SVal getReturnValue() const; SVal getReturnValue() const;
/// \brief Returns true if the type of any of the non-null arguments satisfies
/// the condition.
bool hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const;
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Did you consider using std::function<bool(QualType)> instead of a function pointer so that clients could use lambdas that capture to provide the condition?

dcoughlin: Did you consider using `std::function<bool(QualType)>` instead of a function pointer so that…
/// \brief Returns true if any of the arguments appear to represent callbacks. /// \brief Returns true if any of the arguments appear to represent callbacks.
bool hasNonZeroCallbackArg() const; bool hasNonZeroCallbackArg() const;
/// \brief Returns true if any of the arguments is void*.
bool hasVoidPointerToNonConstArg() const;
/// \brief Returns true if any of the arguments are known to escape to long- /// \brief Returns true if any of the arguments are known to escape to long-
/// term storage, even if this method will not modify them. /// term storage, even if this method will not modify them.
// NOTE: The exact semantics of this are still being defined! // NOTE: The exact semantics of this are still being defined!
// We don't really want a list of hardcoded exceptions in the long run, // We don't really want a list of hardcoded exceptions in the long run,
// but we don't want duplicated lists of known APIs in the short term either. // but we don't want duplicated lists of known APIs in the short term either.
virtual bool argumentsMayEscape() const { virtual bool argumentsMayEscape() const {
return hasNonZeroCallbackArg(); return hasNonZeroCallbackArg();
} }
▲ Show 20 LinesShow All 766 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 2,384 Lines▼ Show 20 Linesbool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
// mysterious reasons. // mysterious reasons.
if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
return true; return true;
// Check Objective-C messages by selector name. // Check Objective-C messages by selector name.
if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
// If it's not a framework call, or if it takes a callback, assume it // If it's not a framework call, or if it takes a callback, assume it
// can free memory. // can free memory.
if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
return true; return true;
// If it's a method we know about, handle it explicitly post-call. // If it's a method we know about, handle it explicitly post-call.
// This should happen before the "freeWhenDone" check below. // This should happen before the "freeWhenDone" check below.
if (isKnownDeallocObjCMethodName(*Msg)) if (isKnownDeallocObjCMethodName(*Msg))
return false; return false;
// If there's a "freeWhenDone" parameter, but the method isn't one we know // If there's a "freeWhenDone" parameter, but the method isn't one we know
▲ Show 20 LinesShow All 336 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 LinesShow All 44 Lines▼ Show 20 LinesQualType CallEvent::getResultType() const {
case VK_RValue: case VK_RValue:
// No adjustment is necessary. // No adjustment is necessary.
break; break;
} }
return ResultTy; return ResultTy;
} }
static bool isCallbackArg(SVal V, QualType T) { static bool isCallback(QualType T) {
// If the parameter is 0, it's harmless.
if (V.isZeroConstant())
return false;
// If a parameter is a block or a callback, assume it can modify pointer. // If a parameter is a block or a callback, assume it can modify pointer.
if (T->isBlockPointerType() || if (T->isBlockPointerType() ||
T->isFunctionPointerType() || T->isFunctionPointerType() ||
T->isObjCSelType()) T->isObjCSelType())
return true; return true;
// Check if a callback is passed inside a struct (for both, struct passed by // Check if a callback is passed inside a struct (for both, struct passed by
// reference and by value). Dig just one level into the struct for now. // reference and by value). Dig just one level into the struct for now.
if (T->isAnyPointerType() || T->isReferenceType()) if (T->isAnyPointerType() || T->isReferenceType())
T = T->getPointeeType(); T = T->getPointeeType();
if (const RecordType *RT = T->getAsStructureType()) { if (const RecordType *RT = T->getAsStructureType()) {
const RecordDecl *RD = RT->getDecl(); const RecordDecl *RD = RT->getDecl();
for (const auto *I : RD->fields()) { for (const auto *I : RD->fields()) {
QualType FieldT = I->getType(); QualType FieldT = I->getType();
if (FieldT->isBlockPointerType() || FieldT->isFunctionPointerType()) if (FieldT->isBlockPointerType() || FieldT->isFunctionPointerType())
return true; return true;
} }
} }
return false;
}
static bool isVoidPointerToNonConst(QualType T) {
if (const PointerType *PT = T->getAs<PointerType>()) {
QualType PointeeTy = PT->getPointeeType();
if (PointeeTy.isConstQualified())
return false;
return PointeeTy->isVoidType();
} else
return false; return false;
} }
bool CallEvent::hasNonZeroCallbackArg() const { bool CallEvent::hasNonNullArgumentsWithType(bool (*Condition)(QualType)) const {
unsigned NumOfArgs = getNumArgs(); unsigned NumOfArgs = getNumArgs();
// If calling using a function pointer, assume the function does not // If calling using a function pointer, assume the function does not
// have a callback. TODO: We could check the types of the arguments here. // satisfy the callback.
// TODO: We could check the types of the arguments here.
if (!getDecl()) if (!getDecl())
return false; return false;
unsigned Idx = 0; unsigned Idx = 0;
for (CallEvent::param_type_iterator I = param_type_begin(), for (CallEvent::param_type_iterator I = param_type_begin(),
E = param_type_end(); E = param_type_end();
I != E && Idx < NumOfArgs; ++I, ++Idx) { I != E && Idx < NumOfArgs; ++I, ++Idx) {
if (NumOfArgs <= Idx) if (NumOfArgs <= Idx)
break; break;
if (isCallbackArg(getArgSVal(Idx), *I)) // If the parameter is 0, it's harmless.
if (getArgSVal(Idx).isZeroConstant())
continue;
if (Condition(*I))
return true; return true;
} }
return false; return false;
} }
bool CallEvent::hasNonZeroCallbackArg() const {
return hasNonNullArgumentsWithType(isCallback);
}
bool CallEvent::hasVoidPointerToNonConstArg() const {
return hasNonNullArgumentsWithType(isVoidPointerToNonConst);
}
bool CallEvent::isGlobalCFunction(StringRef FunctionName) const { bool CallEvent::isGlobalCFunction(StringRef FunctionName) const {
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(getDecl()); const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(getDecl());
if (!FD) if (!FD)
return false; return false;
return CheckerContext::isCLibraryFunction(FD, FunctionName); return CheckerContext::isCLibraryFunction(FD, FunctionName);
} }
▲ Show 20 LinesShow All 209 Lines▼ Show 20 Linesvoid AnyFunctionCall::getInitialStackFrameContents(
BindingsTy &Bindings) const { BindingsTy &Bindings) const {
const FunctionDecl *D = cast<FunctionDecl>(CalleeCtx->getDecl()); const FunctionDecl *D = cast<FunctionDecl>(CalleeCtx->getDecl());
SValBuilder &SVB = getState()->getStateManager().getSValBuilder(); SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this, addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
D->parameters()); D->parameters());
} }
bool AnyFunctionCall::argumentsMayEscape() const { bool AnyFunctionCall::argumentsMayEscape() const {
if (hasNonZeroCallbackArg()) if (CallEvent::argumentsMayEscape() || hasVoidPointerToNonConstArg())
return true; return true;
const FunctionDecl *D = getDecl(); const FunctionDecl *D = getDecl();
if (!D) if (!D)
return true; return true;
const IdentifierInfo *II = D->getIdentifier(); const IdentifierInfo *II = D->getIdentifier();
if (!II) if (!II)
▲ Show 20 LinesShow All 644 LinesShow Last 20 Lines

test/Analysis/Inputs/system-header-simulator.h

Show First 20 LinesShow All 76 Lines▼ Show 20 Lines
void xpc_connection_set_context(xpc_connection_t connection, void *context); void xpc_connection_set_context(xpc_connection_t connection, void *context);
void xpc_connection_set_finalizer_f(xpc_connection_t connection, xpc_finalizer_t finalizer); void xpc_connection_set_finalizer_f(xpc_connection_t connection, xpc_finalizer_t finalizer);
void xpc_connection_resume(xpc_connection_t connection); void xpc_connection_resume(xpc_connection_t connection);
//The following are fake system header functions for generic testing. //The following are fake system header functions for generic testing.
void fakeSystemHeaderCallInt(int *); void fakeSystemHeaderCallInt(int *);
void fakeSystemHeaderCallIntPtr(int **); void fakeSystemHeaderCallIntPtr(int **);
// Some data strauctures may hold onto the pointer and free it later.
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Typo "strauctures"

dcoughlin: Typo "strauctures"
void fake_insque(void *, void *);
typedef struct fake_rb_tree { void *opaque[8]; } fake_rb_tree_t;
void fake_rb_tree_init(fake_rb_tree_t *, const void *);
void *fake_rb_tree_insert_node(fake_rb_tree_t *, void *);
typedef struct __SomeStruct { typedef struct __SomeStruct {
char * p; char * p;
} SomeStruct; } SomeStruct;
void fakeSystemHeaderCall(SomeStruct *); void fakeSystemHeaderCall(SomeStruct *);

test/Analysis/malloc.c

Show First 20 LinesShow All 1,651 Lines▼ Show 20 Lines
} }
int *radar15580979() { int *radar15580979() {
int *data = (int *)malloc(32); int *data = (int *)malloc(32);
int *p = data ?: (int*)malloc(32); // no warning int *p = data ?: (int*)malloc(32); // no warning
return p; return p;
} }
// Some data structures may hold onto the pointer and free it later.
void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
int *data = (int *)malloc(32);
fake_insque(queue, data); // no warning
}
void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
int *data = (int *)malloc(32);
fake_rb_tree_init(rbt, data);
} //expected-warning{{Potential leak}}
void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
int *data = (int *)malloc(32);
fake_rb_tree_init(rbt, data);
fake_rb_tree_insert_node(rbt, data); // no warning
}
// ---------------------------------------------------------------------------- // ----------------------------------------------------------------------------
// False negatives. // False negatives.
void testMallocWithParam(int **p) { void testMallocWithParam(int **p) {
*p = (int*) malloc(sizeof(int)); *p = (int*) malloc(sizeof(int));
*p = 0; // FIXME: should warn here *p = 0; // FIXME: should warn here
} }
Show All 11 Lines