This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/lib/StaticAnalyzer/Checkers/
-
trunk/
-
lib/
-
StaticAnalyzer/
-
Checkers/
-
DanglingInternalBufferChecker.cpp

Differential D47416

[analyzer] Clean up the program state map of DanglingInternalBufferChecker
ClosedPublic

Authored by rnkovacs on May 26 2018, 11:54 AM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
george.karpenkov

Commits

rG7ff6a8a3168a: [analyzer] Clean up the program state map of DanglingInternalBufferChecker.
rC334352: [analyzer] Clean up the program state map of DanglingInternalBufferChecker.
rL334352: [analyzer] Clean up the program state map of DanglingInternalBufferChecker.

Summary

Symbols are cleaned up from the program state map when they go out of scope.
Memory regions are cleaned up when the corresponding object is destroyed, and
additionally in checkDeadSymbols in case destructor modeling was incomplete.

Diff Detail

Repository: rL LLVM

Event Timeline

rnkovacs created this revision.May 26 2018, 11:54 AM

Herald added subscribers: a.sidorin, dkrupp, szepet and 2 others. · View Herald TranscriptMay 26 2018, 11:54 AM

rnkovacs added a parent revision: D47135: [analyzer] A checker for dangling internal buffer pointers in C++.May 26 2018, 11:54 AM

LG!

This revision is now accepted and ready to land.May 26 2018, 12:01 PM

Yep, great stuff!

I guess, please add a comment on incomplete destructor support in the CFG and/or analyzer core that may cause the region to be never cleaned up. Or perform an extra cleanup pass - not sure if it's worth it, but it should be easy and safe.

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
94 ↗	(On Diff #148733)	It's kinda weird that something that's not a `const MemRegion *` is called "Region". I'd rather use a neutral term like "Item".

Fixed naming and added an extra pass for regions left behind by incomplete destructors.

Herald added a subscriber: mikhail.ramalho. · View Herald TranscriptJun 9 2018, 7:26 AM

NoQ added inline comments.Jun 9 2018, 11:30 AM

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
92–94 ↗	(On Diff #150625)	This optimization is in fact incorrect due to an old bug that i didn't yet get to fixing: D18860. The proposed patch would most likely remove the check anyway, because the set of dead symbols is not well-defined. So i think we shouldn't add it.
98 ↗	(On Diff #150625)	For the same reason (D18860), it should be more correct to use `!isLive()`. Otherwise you may miss some symbols.
100–103 ↗	(On Diff #150625)	I mildly advocate for braces here because that's as many as three lines to wrap.

Addressed comments.

Great, thanks!

Closed by commit rL334352: [analyzer] Clean up the program state map of DanglingInternalBufferChecker. (authored by rkovacs). · Explain WhyJun 9 2018, 2:12 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: llvm-commits. · View Herald TranscriptJun 9 2018, 2:12 PM

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Checkers/

DanglingInternalBufferChecker.cpp

23 lines

Diff 150638

cfe/trunk/lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp

Show All 20 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "AllocationState.h"		#include "AllocationState.h"

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;

namespace {		namespace {

class DanglingInternalBufferChecker : public Checker<check::PostCall> {		class DanglingInternalBufferChecker : public Checker<check::DeadSymbols,
		check::PostCall> {
CallDescription CStrFn;		CallDescription CStrFn;

public:		public:
DanglingInternalBufferChecker() : CStrFn("c_str") {}		DanglingInternalBufferChecker() : CStrFn("c_str") {}

/// Record the connection between the symbol returned by c_str() and the		/// Record the connection between the symbol returned by c_str() and the
/// corresponding string object region in the ProgramState. Mark the symbol		/// corresponding string object region in the ProgramState. Mark the symbol
/// released if the string object is destroyed.		/// released if the string object is destroyed.
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;		void checkPostCall(const CallEvent &Call, CheckerContext &C) const;

		/// Clean up the ProgramState map.
		void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
};		};

} // end anonymous namespace		} // end anonymous namespace

// FIXME: c_str() may be called on a string object many times, so it should		// FIXME: c_str() may be called on a string object many times, so it should
// have a list of symbols associated with it.		// have a list of symbols associated with it.
REGISTER_MAP_WITH_PROGRAMSTATE(RawPtrMap, const MemRegion *, SymbolRef)		REGISTER_MAP_WITH_PROGRAMSTATE(RawPtrMap, const MemRegion *, SymbolRef)

Show All 24 Lines	void DanglingInternalBufferChecker::checkPostCall(const CallEvent &Call,
}		}

if (isa<CXXDestructorCall>(ICall)) {		if (isa<CXXDestructorCall>(ICall)) {
if (State->contains<RawPtrMap>(TypedR)) {		if (State->contains<RawPtrMap>(TypedR)) {
const SymbolRef *StrBufferPtr = State->get<RawPtrMap>(TypedR);		const SymbolRef *StrBufferPtr = State->get<RawPtrMap>(TypedR);
// FIXME: What if Origin is null?		// FIXME: What if Origin is null?
const Expr *Origin = Call.getOriginExpr();		const Expr *Origin = Call.getOriginExpr();
State = allocation_state::markReleased(State, *StrBufferPtr, Origin);		State = allocation_state::markReleased(State, *StrBufferPtr, Origin);
		State = State->remove<RawPtrMap>(TypedR);
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}
}		}
}		}

		void DanglingInternalBufferChecker::checkDeadSymbols(SymbolReaper &SymReaper,
		CheckerContext &C) const {
		ProgramStateRef State = C.getState();
		RawPtrMapTy RPM = State->get<RawPtrMap>();
		for (const auto Entry : RPM) {
		if (!SymReaper.isLive(Entry.second))
		State = State->remove<RawPtrMap>(Entry.first);
		if (!SymReaper.isLiveRegion(Entry.first)) {
		// Due to incomplete destructor support, some dead regions might still
		// remain in the program state map. Clean them up.
		State = State->remove<RawPtrMap>(Entry.first);
		}
		}
		C.addTransition(State);
		}

void ento::registerDanglingInternalBufferChecker(CheckerManager &Mgr) {		void ento::registerDanglingInternalBufferChecker(CheckerManager &Mgr) {
registerNewDeleteChecker(Mgr);		registerNewDeleteChecker(Mgr);
Mgr.registerChecker<DanglingInternalBufferChecker>();		Mgr.registerChecker<DanglingInternalBufferChecker>();
}		}