This is an archive of the discontinued LLVM Phabricator instance.

Differential D49656

[analyzer] Add support for more pointer invalidating functions in InnerPointerChecker
ClosedPublic

Authored by rnkovacs on Jul 22 2018, 8:56 PM.

Details

Reviewers
NoQ
xazax.hun
george.karpenkov
Commits
rGc74cfc4215fc: [analyzer] Add support for more invalidating functions in InnerPointerChecker.
rL338259: [analyzer] Add support for more invalidating functions in InnerPointerChecker.
rC338259: [analyzer] Add support for more invalidating functions in InnerPointerChecker.
Summary

According to the standard, pointers referring to the elements of a basic_string sequence may also be invalidated if they are used as an argument to any standard library function taking a reference to non-const basic_string as an argument. This patch makes InnerPointerChecker warn for these cases as well.

Diff Detail

Event Timeline

rnkovacs created this revision.Jul 22 2018, 8:56 PM
Herald added subscribers: mikhail.ramalho, a.sidorin, dkrupp and 3 others. · View Herald TranscriptJul 22 2018, 8:56 PM
xazax.hun requested changes to this revision.Jul 23 2018, 9:01 AM

Some comments, mostly nits inline.

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
169–171

Nit: This return is redundant.

199–200

Nit: no need for braces here.

201

Nit: redundant return.

251

Nit: redundant return.

253

Shouldn't we also check if the function is a standard library function? Or do we assume that user functions also invalidate the strings?

254

I am not sure if we always have a Decl here, I am afraid this might return null sometimes. Please add a test case with a function pointer (received as an argument in a top level function).

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2934

I think getDirectCallee might fail and return nullptr. One more reason to test function pointers :)

This revision now requires changes to proceed.Jul 23 2018, 9:01 AM
NoQ added a comment.Jul 23 2018, 9:54 AM

I've just one thing to add.

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
169–171

Because of how easy it is to accidentally split the state, i'm on a brink of declaring return after addTransition a good practice.

248–249

I believe that this should also go into PostCall. Symbols aren't released until some point within the call.

253

That's right, it's an important thing to check.

xazax.hun added inline comments.Jul 23 2018, 10:04 AM
lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
248–249

Oh, I see. But is it guaranteed that the symbols are not garbage collected until post call? Also, the environment will always contain all the bindings for the arguments?

rnkovacs updated this revision to Diff 156938.Jul 23 2018, 5:29 PM
rnkovacs marked 11 inline comments as done.

Addressed comments & added two test cases for function pointers.

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
254

Um, yes, I'd already seen a crash here on a project before I saw your comment. Thanks!

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2934

You're right. Also, it needed a bit more effort to dig up the function pointer's name. Or should I go further and somehow find out the name of the function it points to?

NoQ added inline comments.Jul 23 2018, 5:31 PM
lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2934

Also, it needed a bit more effort to dig up the function pointer's name.

I think it should work out of the box; Call.getDecl() is smart enough to show the right decl when a pointer to a concrete function is being called on the current path.

NoQ added inline comments.Jul 23 2018, 5:58 PM
test/Analysis/inner-pointer.cpp
41–42

Without a definition for this thing, we won't be able to test much. I suggest you to take a pointer to a function directly, i.e. define a std::swap<T>(x, y) somewhere and take a &std::swap<std::string> directly and call it (hope it actually works this way).

NoQ added inline comments.Jul 23 2018, 6:11 PM
lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
250–251

We need tests for operators here, due to the problem that i recently encountered in D49627: there's different numbering for arguments and parameters within in-class operators. Namely, this-argument is counted as an argument (shifting other argument indices by 1) but not as a parameter.

250–251

(i.e., tests and most likely some actual code branch)

rnkovacs updated this revision to Diff 157278.Jul 25 2018, 8:22 AM
rnkovacs marked 2 inline comments as done.

Fix note for function pointers & handle argument counting in member operator calls.
I also refactored the code a little, because after moving things from checkPreCall to checkPostCall, the structure was a bit confusing.

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
250–251

I did the coding part, but for the tests, I'm struggling to find an example of a member operator in the STL that takes a non-const string reference as an argument. Could you perhaps help me out here?

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2934

That worked, thanks!

test/Analysis/inner-pointer.cpp
41–42

I think I am missing something. This is meant to test that the checker recognizes standard library function calls taking a non-const reference to a string as an argument. At L314, func_ref is called with a string argument, and the checker seems to do all the things it should after the current patch, emitting the new kind of note and such.

I can surely add the std::swap<T>(x, y) definition too, but then the analyzer will see that the pointer was reallocated at the assignment inside the function, and place the note there. I think that would test the previous string-member-function patch more than this one.

xazax.hun added a comment.Jul 25 2018, 8:42 AM

Small comments inline.

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
181–185

Nit: maybe using FunctionDecl::parameters and range based for loop is sligtly cleaner.

189

Nit: maybe using isa + bool is cleaner here?

192–198

While I cannot recall examples in the STL the number of arguments and parameters might differ. We might have ellipsis in the parameters and this way we may pass more arguments. Since we do not have the parameter type for this case, I think it is ok to not handle it. But it might be worth to have a comment. The other case, when we have default arguments. I do not really know how the analyzer behaves with default arguments but maybe it would be worth to add a test case to ensure we do not crash on that?

rnkovacs updated this revision to Diff 157286.Jul 25 2018, 9:13 AM
rnkovacs marked an inline comment as done.

Tiny bit more re-structuring.

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
181–185

Given that I am manipulating indices below, I feel that actually the plain for loop is a bit simpler here, what do you think?

xazax.hun added inline comments.Jul 25 2018, 9:17 AM
lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
181–185

Indeed, I am fine with the old style loop too.

NoQ accepted this revision.Jul 25 2018, 12:56 PM

Looks great!

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
192–198

The analyzer behaves pretty badly with default arguments; we don't really model them unless they are like plain integer literals. But that's not an issue here because a default parameter/argument is still both a parameter and an argument (where the argument expression takes the form of CXXDefaultArgExpr).

250–251

Mmm mmmmm right, dunno. I thought operator>> would be our main example, but it's apparently non-member for a string, even though it is defined as a member for primitive types.

I guess let's skip the test until we find an example. We did our best to work around potential future problems, that's good.

test/Analysis/inner-pointer.cpp
41–42

Mm, aha, ok, i misunderstood this test. I thought you're trying to define something like std::function and try to see if calling a function pointer wrapped into that thing works. No idea why i was thinking that, sry.

rnkovacs updated this revision to Diff 157809.Jul 27 2018, 5:04 PM
rnkovacs marked an inline comment as done.
rnkovacs added inline comments.
lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
192–198

Hm, it seems that passing objects of non-trivial types like std::string to a variadic function is implementation defined, and for clang 6.0, this means that it does not compile (does compile with gcc 8.1 though, example).

Added a test for the default parameter case.

NoQ added inline comments.Jul 27 2018, 5:09 PM
lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp
192–198

Yup, that's correct; i noticed it a few days ago too in https://reviews.llvm.org/D49443#1170831.

You can disable the warning/error with -Wno-non-pod-varargs for the purposes of testing, but you anyway won't be able to obtain the AST you'll want to test, so i don't think this requires a test.

xazax.hun accepted this revision.Jul 27 2018, 6:52 PM

LGTM!

This revision is now accepted and ready to land.Jul 27 2018, 6:52 PM
Closed by commit rC338259: [analyzer] Add support for more invalidating functions in InnerPointerChecker. (authored by rkovacs). · Explain WhyJul 30 2018, 8:44 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
188 lines
5 lines
test/
Analysis/
92 lines

Diff 157809

lib/StaticAnalyzer/Checkers/InnerPointerChecker.cpp

Show First 20 LinesShow All 85 Lines▼ Show 20 Linespublic:
InnerPointerChecker() InnerPointerChecker()
: AppendFn("append"), AssignFn("assign"), ClearFn("clear"), : AppendFn("append"), AssignFn("assign"), ClearFn("clear"),
CStrFn("c_str"), DataFn("data"), EraseFn("erase"), InsertFn("insert"), CStrFn("c_str"), DataFn("data"), EraseFn("erase"), InsertFn("insert"),
PopBackFn("pop_back"), PushBackFn("push_back"), ReplaceFn("replace"), PopBackFn("pop_back"), PushBackFn("push_back"), ReplaceFn("replace"),
ReserveFn("reserve"), ResizeFn("resize"), ReserveFn("reserve"), ResizeFn("resize"),
ShrinkToFitFn("shrink_to_fit"), SwapFn("swap") {} ShrinkToFitFn("shrink_to_fit"), SwapFn("swap") {}
/// Check whether the function called on the container object is a /// Check if the object of this member function call is a `basic_string`.
/// member function that potentially invalidates pointers referring bool isCalledOnStringObject(const CXXInstanceCall *ICall) const;
/// to the objects's internal buffer.
bool mayInvalidateBuffer(const CallEvent &Call) const; /// Check whether the called member function potentially invalidates
/// pointers referring to the container object's inner buffer.
/// Record the connection between the symbol returned by c_str() and the bool isInvalidatingMemberFunction(const CallEvent &Call) const;
/// corresponding string object region in the ProgramState. Mark the symbol
/// released if the string object is destroyed. /// Mark pointer symbols associated with the given memory region released
/// in the program state.
void markPtrSymbolsReleased(const CallEvent &Call, ProgramStateRef State,
const MemRegion *ObjRegion,
CheckerContext &C) const;
/// Standard library functions that take a non-const `basic_string` argument by
/// reference may invalidate its inner pointers. Check for these cases and
/// mark the pointers released.
void checkFunctionArguments(const CallEvent &Call, ProgramStateRef State,
CheckerContext &C) const;
/// Record the connection between raw pointers referring to a container
/// object's inner buffer and the object's memory region in the program state.
/// Mark potentially invalidated pointers released.
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
/// Clean up the ProgramState map. /// Clean up the program state map.
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
// [string.require] bool InnerPointerChecker::isCalledOnStringObject(
// const CXXInstanceCall *ICall) const {
// "References, pointers, and iterators referring to the elements of a const auto *ObjRegion =
// basic_string sequence may be invalidated by the following uses of that dyn_cast_or_null<TypedValueRegion>(ICall->getCXXThisVal().getAsRegion());
// basic_string object: if (!ObjRegion)
// return false;
// -- TODO: As an argument to any standard library function taking a reference
// to non-const basic_string as an argument. For example, as an argument to QualType ObjTy = ObjRegion->getValueType();
// non-member functions swap(), operator>>(), and getline(), or as an argument if (ObjTy.isNull() ||
// to basic_string::swap(). ObjTy->getAsCXXRecordDecl()->getName() != "basic_string")
// return false;
// -- Calling non-const member functions, except operator[], at, front, back,
// begin, rbegin, end, and rend." return true;
// }
bool InnerPointerChecker::mayInvalidateBuffer(const CallEvent &Call) const {
bool InnerPointerChecker::isInvalidatingMemberFunction(
const CallEvent &Call) const {
if (const auto *MemOpCall = dyn_cast<CXXMemberOperatorCall>(&Call)) { if (const auto *MemOpCall = dyn_cast<CXXMemberOperatorCall>(&Call)) {
OverloadedOperatorKind Opc = MemOpCall->getOriginExpr()->getOperator(); OverloadedOperatorKind Opc = MemOpCall->getOriginExpr()->getOperator();
if (Opc == OO_Equal || Opc == OO_PlusEqual) if (Opc == OO_Equal || Opc == OO_PlusEqual)
return true; return true;
return false; return false;
} }
return (isa<CXXDestructorCall>(Call) || Call.isCalled(AppendFn) || return (isa<CXXDestructorCall>(Call) || Call.isCalled(AppendFn) ||
Call.isCalled(AssignFn) || Call.isCalled(ClearFn) || Call.isCalled(AssignFn) || Call.isCalled(ClearFn) ||
Call.isCalled(EraseFn) || Call.isCalled(InsertFn) || Call.isCalled(EraseFn) || Call.isCalled(InsertFn) ||
Call.isCalled(PopBackFn) || Call.isCalled(PushBackFn) || Call.isCalled(PopBackFn) || Call.isCalled(PushBackFn) ||
Call.isCalled(ReplaceFn) || Call.isCalled(ReserveFn) || Call.isCalled(ReplaceFn) || Call.isCalled(ReserveFn) ||
Call.isCalled(ResizeFn) || Call.isCalled(ShrinkToFitFn) || Call.isCalled(ResizeFn) || Call.isCalled(ShrinkToFitFn) ||
Call.isCalled(SwapFn)); Call.isCalled(SwapFn));
} }
void InnerPointerChecker::checkPostCall(const CallEvent &Call, void InnerPointerChecker::markPtrSymbolsReleased(const CallEvent &Call,
ProgramStateRef State,
const MemRegion *MR,
CheckerContext &C) const { CheckerContext &C) const {
const auto *ICall = dyn_cast<CXXInstanceCall>(&Call); if (const PtrSet *PS = State->get<RawPtrMap>(MR)) {
if (!ICall) const Expr *Origin = Call.getOriginExpr();
for (const auto Symbol : *PS) {
// NOTE: `Origin` may be null, and will be stored so in the symbol's
// `RefState` in MallocChecker's `RegionState` program state map.
State = allocation_state::markReleased(State, Symbol, Origin);
}
State = State->remove<RawPtrMap>(MR);
C.addTransition(State);
return; return;
}
}
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: This return is redundant.

xazax.hun: Nit: This return is redundant.
NoQUnsubmitted
Done
ReplyInline Actions

Because of how easy it is to accidentally split the state, i'm on a brink of declaring return after addTransition a good practice.

NoQ: Because of how easy it is to accidentally split the state, i'm on a brink of declaring `return`…
SVal Obj = ICall->getCXXThisVal(); void InnerPointerChecker::checkFunctionArguments(const CallEvent &Call,
const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(Obj.getAsRegion()); ProgramStateRef State,
if (!ObjRegion) CheckerContext &C) const {
if (const auto *FC = dyn_cast<AnyFunctionCall>(&Call)) {
const FunctionDecl *FD = FC->getDecl();
if (!FD || !FD->isInStdNamespace())
return; return;
auto *TypeDecl = ObjRegion->getValueType()->getAsCXXRecordDecl(); for (unsigned I = 0, E = FD->getNumParams(); I != E; ++I) {
if (TypeDecl->getName() != "basic_string") QualType ParamTy = FD->getParamDecl(I)->getType();
return; if (!ParamTy->isReferenceType() ||
ParamTy->getPointeeType().isConstQualified())
continue;
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Nit: maybe using FunctionDecl::parameters and range based for loop is sligtly cleaner.

xazax.hun: Nit: maybe using `FunctionDecl::parameters` and range based for loop is sligtly cleaner.
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

Given that I am manipulating indices below, I feel that actually the plain for loop is a bit simpler here, what do you think?

rnkovacs: Given that I am manipulating indices below, I feel that actually the plain for loop is a bit…
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Indeed, I am fine with the old style loop too.

xazax.hun: Indeed, I am fine with the old style loop too.
// In case of member operator calls, `this` is counted as an
// argument but not as a parameter.
bool isaMemberOpCall = isa<CXXMemberOperatorCall>(FC);
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: maybe using isa + bool is cleaner here?

xazax.hun: Nit: maybe using isa + bool is cleaner here?
unsigned ArgI = isaMemberOpCall ? I+1 : I;
SVal Arg = FC->getArgSVal(ArgI);
const auto *ArgRegion =
dyn_cast_or_null<TypedValueRegion>(Arg.getAsRegion());
if (!ArgRegion)
continue;
markPtrSymbolsReleased(Call, State, ArgRegion, C);
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

While I cannot recall examples in the STL the number of arguments and parameters might differ. We might have ellipsis in the parameters and this way we may pass more arguments. Since we do not have the parameter type for this case, I think it is ok to not handle it. But it might be worth to have a comment. The other case, when we have default arguments. I do not really know how the analyzer behaves with default arguments but maybe it would be worth to add a test case to ensure we do not crash on that?

xazax.hun: While I cannot recall examples in the STL the number of arguments and parameters might differ.
NoQUnsubmitted
Done
ReplyInline Actions

The analyzer behaves pretty badly with default arguments; we don't really model them unless they are like plain integer literals. But that's not an issue here because a default parameter/argument is still both a parameter and an argument (where the argument expression takes the form of CXXDefaultArgExpr).

NoQ: The analyzer behaves pretty badly with default arguments; we don't really model them unless…
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

Hm, it seems that passing objects of non-trivial types like std::string to a variadic function is implementation defined, and for clang 6.0, this means that it does not compile (does compile with gcc 8.1 though, example).

Added a test for the default parameter case.

rnkovacs: Hm, it seems that passing objects of non-trivial types like `std::string` to a variadic…
NoQUnsubmitted
Not Done
ReplyInline Actions

Yup, that's correct; i noticed it a few days ago too in https://reviews.llvm.org/D49443#1170831.

You can disable the warning/error with -Wno-non-pod-varargs for the purposes of testing, but you anyway won't be able to obtain the AST you'll want to test, so i don't think this requires a test.

NoQ: Yup, that's correct; i noticed it a few days ago too in https://reviews.llvm.org/D49443#1170831.
}
}
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: no need for braces here.

xazax.hun: Nit: no need for braces here.
}
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: redundant return.

xazax.hun: Nit: redundant return.
// [string.require]
//
// "References, pointers, and iterators referring to the elements of a
// basic_string sequence may be invalidated by the following uses of that
// basic_string object:
//
// -- As an argument to any standard library function taking a reference
// to non-const basic_string as an argument. For example, as an argument to
// non-member functions swap(), operator>>(), and getline(), or as an argument
// to basic_string::swap().
//
// -- Calling non-const member functions, except operator[], at, front, back,
// begin, rbegin, end, and rend."
void InnerPointerChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) {
if (isCalledOnStringObject(ICall)) {
const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(
ICall->getCXXThisVal().getAsRegion());
if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) { if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
SVal RawPtr = Call.getReturnValue(); SVal RawPtr = Call.getReturnValue();
if (SymbolRef Sym = RawPtr.getAsSymbol(/*IncludeBaseRegions=*/true)) { if (SymbolRef Sym = RawPtr.getAsSymbol(/*IncludeBaseRegions=*/true)) {
// Start tracking this raw pointer by adding it to the set of symbols // Start tracking this raw pointer by adding it to the set of symbols
// associated with this container object in the program state map. // associated with this container object in the program state map.
PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>(); PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
const PtrSet *SetPtr = State->get<RawPtrMap>(ObjRegion); const PtrSet *SetPtr = State->get<RawPtrMap>(ObjRegion);
PtrSet Set = SetPtr ? *SetPtr : F.getEmptySet(); PtrSet Set = SetPtr ? *SetPtr : F.getEmptySet();
assert(C.wasInlined || !Set.contains(Sym)); assert(C.wasInlined || !Set.contains(Sym));
Set = F.add(Set, Sym); Set = F.add(Set, Sym);
State = State->set<RawPtrMap>(ObjRegion, Set); State = State->set<RawPtrMap>(ObjRegion, Set);
C.addTransition(State); C.addTransition(State);
} }
return; return;
} }
if (mayInvalidateBuffer(Call)) { // Check [string.require] / second point.
if (const PtrSet *PS = State->get<RawPtrMap>(ObjRegion)) { if (isInvalidatingMemberFunction(Call)) {
// Mark all pointer symbols associated with the deleted object released. markPtrSymbolsReleased(Call, State, ObjRegion, C);
const Expr *Origin = Call.getOriginExpr();
for (const auto Symbol : *PS) {
// NOTE: `Origin` may be null, and will be stored so in the symbol's
// `RefState` in MallocChecker's `RegionState` program state map.
State = allocation_state::markReleased(State, Symbol, Origin);
}
State = State->remove<RawPtrMap>(ObjRegion);
C.addTransition(State);
return; return;
} }
} }
NoQUnsubmitted
Done
ReplyInline Actions

I believe that this should also go into PostCall. Symbols aren't released until some point within the call.

NoQ: I believe that this should also go into `PostCall`. Symbols aren't released until some point…
xazax.hunUnsubmitted
Done
ReplyInline Actions

Oh, I see. But is it guaranteed that the symbols are not garbage collected until post call? Also, the environment will always contain all the bindings for the arguments?

xazax.hun: Oh, I see. But is it guaranteed that the symbols are not garbage collected until post call?
} }
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: redundant return.

xazax.hun: Nit: redundant return.
NoQUnsubmitted
Not Done
ReplyInline Actions

We need tests for operators here, due to the problem that i recently encountered in D49627: there's different numbering for arguments and parameters within in-class operators. Namely, this-argument is counted as an argument (shifting other argument indices by 1) but not as a parameter.

NoQ: We need tests for operators here, due to the problem that i recently encountered in D49627…
NoQUnsubmitted
Not Done
ReplyInline Actions

(i.e., tests and most likely some actual code branch)

NoQ: (i.e., tests and most likely some actual code branch)
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

I did the coding part, but for the tests, I'm struggling to find an example of a member operator in the STL that takes a non-const string reference as an argument. Could you perhaps help me out here?

rnkovacs: I did the coding part, but for the tests, I'm struggling to find an example of a member…
NoQUnsubmitted
Not Done
ReplyInline Actions

Mmm mmmmm right, dunno. I thought operator>> would be our main example, but it's apparently non-member for a string, even though it is defined as a member for primitive types.

I guess let's skip the test until we find an example. We did our best to work around potential future problems, that's good.

NoQ: Mmm mmmmm right, dunno. I thought `operator>>` would be our main example, but it's apparently…
// Check [string.require] / first point.
checkFunctionArguments(Call, State, C);
xazax.hunUnsubmitted
Done
ReplyInline Actions

Shouldn't we also check if the function is a standard library function? Or do we assume that user functions also invalidate the strings?

xazax.hun: Shouldn't we also check if the function is a standard library function? Or do we assume that…
NoQUnsubmitted
Done
ReplyInline Actions

That's right, it's an important thing to check.

NoQ: That's right, it's an important thing to check.
}
xazax.hunUnsubmitted
Done
ReplyInline Actions

I am not sure if we always have a Decl here, I am afraid this might return null sometimes. Please add a test case with a function pointer (received as an argument in a top level function).

xazax.hun: I am not sure if we always have a `Decl` here, I am afraid this might return null sometimes.
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

Um, yes, I'd already seen a crash here on a project before I saw your comment. Thanks!

rnkovacs: Um, yes, I'd already seen a crash here on a project before I saw your comment. Thanks!
void InnerPointerChecker::checkDeadSymbols(SymbolReaper &SymReaper, void InnerPointerChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>(); PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
RawPtrMapTy RPM = State->get<RawPtrMap>(); RawPtrMapTy RPM = State->get<RawPtrMap>();
for (const auto Entry : RPM) { for (const auto Entry : RPM) {
if (!SymReaper.isLiveRegion(Entry.first)) { if (!SymReaper.isLiveRegion(Entry.first)) {
// Due to incomplete destructor support, some dead regions might // Due to incomplete destructor support, some dead regions might
Show All 14 Linesvoid InnerPointerChecker::checkDeadSymbols(SymbolReaper &SymReaper,
C.addTransition(State); C.addTransition(State);
} }
std::shared_ptr<PathDiagnosticPiece> std::shared_ptr<PathDiagnosticPiece>
InnerPointerChecker::InnerPointerBRVisitor::VisitNode(const ExplodedNode *N, InnerPointerChecker::InnerPointerBRVisitor::VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN, const ExplodedNode *PrevN,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &BR) { BugReport &BR) {
if (!isSymbolTracked(N->getState(), PtrToBuf) || if (!isSymbolTracked(N->getState(), PtrToBuf) ||
isSymbolTracked(PrevN->getState(), PtrToBuf)) isSymbolTracked(PrevN->getState(), PtrToBuf))
return nullptr; return nullptr;
const Stmt *S = PathDiagnosticLocation::getStmt(N); const Stmt *S = PathDiagnosticLocation::getStmt(N);
if (!S) if (!S)
return nullptr; return nullptr;
Show All 25 Lines

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 2,924 Lines▼ Show 20 Lines if (isAllocated(RS, RSPrev, S)) {
OS << "destructor"; OS << "destructor";
} else { } else {
OS << "'"; OS << "'";
const Stmt *S = RS->getStmt(); const Stmt *S = RS->getStmt();
if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) { if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
OS << MemCallE->getMethodDecl()->getNameAsString(); OS << MemCallE->getMethodDecl()->getNameAsString();
} else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) { } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
OS << OpCallE->getDirectCallee()->getNameAsString(); OS << OpCallE->getDirectCallee()->getNameAsString();
} else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
auto &CEMgr = BRC.getStateManager().getCallEventManager();
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think getDirectCallee might fail and return nullptr. One more reason to test function pointers :)

xazax.hun: I think `getDirectCallee` might fail and return `nullptr`. One more reason to test function…
rnkovacsAuthorUnsubmitted
Done
ReplyInline Actions

You're right. Also, it needed a bit more effort to dig up the function pointer's name. Or should I go further and somehow find out the name of the function it points to?

rnkovacs: You're right. Also, it needed a bit more effort to dig up the function pointer's name. Or…
NoQUnsubmitted
Done
ReplyInline Actions

Also, it needed a bit more effort to dig up the function pointer's name.

I think it should work out of the box; Call.getDecl() is smart enough to show the right decl when a pointer to a concrete function is being called on the current path.

NoQ: > Also, it needed a bit more effort to dig up the function pointer's name. I think it should…
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

That worked, thanks!

rnkovacs: That worked, thanks!
CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl());
OS << (D ? D->getNameAsString() : "unknown");
} }
OS << "'"; OS << "'";
} }
Msg = OS.str(); Msg = OS.str();
break; break;
} }
case AF_None: case AF_None:
llvm_unreachable("Unhandled allocation family!"); llvm_unreachable("Unhandled allocation family!");
▲ Show 20 LinesShow All 157 LinesShow Last 20 Lines

test/Analysis/inner-pointer.cpp

Show All 32 Linespublic:
void swap(basic_string &other); void swap(basic_string &other);
}; };
typedef basic_string<char> string; typedef basic_string<char> string;
typedef basic_string<wchar_t> wstring; typedef basic_string<wchar_t> wstring;
typedef basic_string<char16_t> u16string; typedef basic_string<char16_t> u16string;
typedef basic_string<char32_t> u32string; typedef basic_string<char32_t> u32string;
template <typename T>
void func_ref(T &a);
NoQUnsubmitted
Not Done
ReplyInline Actions

Without a definition for this thing, we won't be able to test much. I suggest you to take a pointer to a function directly, i.e. define a std::swap<T>(x, y) somewhere and take a &std::swap<std::string> directly and call it (hope it actually works this way).

NoQ: Without a definition for this thing, we won't be able to test much. I suggest you to take a…
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

I think I am missing something. This is meant to test that the checker recognizes standard library function calls taking a non-const reference to a string as an argument. At L314, func_ref is called with a string argument, and the checker seems to do all the things it should after the current patch, emitting the new kind of note and such.

I can surely add the std::swap<T>(x, y) definition too, but then the analyzer will see that the pointer was reallocated at the assignment inside the function, and place the note there. I think that would test the previous string-member-function patch more than this one.

rnkovacs: I think I am missing something. This is meant to test that the checker recognizes standard…
NoQUnsubmitted
Not Done
ReplyInline Actions

Mm, aha, ok, i misunderstood this test. I thought you're trying to define something like std::function and try to see if calling a function pointer wrapped into that thing works. No idea why i was thinking that, sry.

NoQ: Mm, aha, ok, i misunderstood this test. I thought you're trying to define something like `std…
template <typename T>
void func_const_ref(const T &a);
template <typename T>
void func_value(T a);
string my_string = "default";
void default_arg(int a = 42, string &b = my_string);
} // end namespace std } // end namespace std
void consume(const char *) {} void consume(const char *) {}
void consume(const wchar_t *) {} void consume(const wchar_t *) {}
void consume(const char16_t *) {} void consume(const char16_t *) {}
void consume(const char32_t *) {} void consume(const char32_t *) {}
//=--------------------------------------=//
// `std::string` member functions //
//=--------------------------------------=//
void deref_after_scope_char(bool cond) { void deref_after_scope_char(bool cond) {
const char *c, *d; const char *c, *d;
{ {
std::string s; std::string s;
c = s.c_str(); // expected-note {{Dangling inner pointer obtained here}} c = s.c_str(); // expected-note {{Dangling inner pointer obtained here}}
d = s.data(); // expected-note {{Dangling inner pointer obtained here}} d = s.data(); // expected-note {{Dangling inner pointer obtained here}}
} // expected-note {{Inner pointer invalidated by call to destructor}} } // expected-note {{Inner pointer invalidated by call to destructor}}
// expected-note@-1 {{Inner pointer invalidated by call to destructor}} // expected-note@-1 {{Inner pointer invalidated by call to destructor}}
▲ Show 20 LinesShow All 90 Lines▼ Show 20 Lines if (cond) {
// expected-note@-4 {{Taking false branch}} // expected-note@-4 {{Taking false branch}}
consume(c1); // expected-warning {{Use of memory after it is freed}} consume(c1); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}} // expected-note@-1 {{Use of memory after it is freed}}
} else { } else {
consume(d1); // expected-warning {{Use of memory after it is freed}} consume(d1); // expected-warning {{Use of memory after it is freed}}
} // expected-note@-1 {{Use of memory after it is freed}} } // expected-note@-1 {{Use of memory after it is freed}}
} }
void deref_after_scope_ok(bool cond) {
const char *c, *d;
std::string s;
{
c = s.c_str();
d = s.data();
}
if (cond)
consume(c); // no-warning
else
consume(d); // no-warning
}
void deref_after_equals() { void deref_after_equals() {
const char *c; const char *c;
std::string s = "hello"; std::string s = "hello";
c = s.c_str(); // expected-note {{Dangling inner pointer obtained here}} c = s.c_str(); // expected-note {{Dangling inner pointer obtained here}}
s = "world"; // expected-note {{Inner pointer invalidated by call to 'operator='}} s = "world"; // expected-note {{Inner pointer invalidated by call to 'operator='}}
consume(c); // expected-warning {{Use of memory after it is freed}} consume(c); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}} // expected-note@-1 {{Use of memory after it is freed}}
} }
▲ Show 20 LinesShow All 110 Lines▼ Show 20 Linesvoid deref_after_swap() {
const char *c; const char *c;
std::string s1, s2; std::string s1, s2;
c = s1.data(); // expected-note {{Dangling inner pointer obtained here}} c = s1.data(); // expected-note {{Dangling inner pointer obtained here}}
s1.swap(s2); // expected-note {{Inner pointer invalidated by call to 'swap'}} s1.swap(s2); // expected-note {{Inner pointer invalidated by call to 'swap'}}
consume(c); // expected-warning {{Use of memory after it is freed}} consume(c); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}} // expected-note@-1 {{Use of memory after it is freed}}
} }
void deref_after_scope_ok(bool cond) { //=---------------------------=//
const char *c, *d; // Other STL functions //
//=---------------------------=//
void STL_func_ref() {
const char *c;
std::string s;
c = s.c_str(); // expected-note {{Dangling inner pointer obtained here}}
std::func_ref(s); // expected-note {{Inner pointer invalidated by call to 'func_ref'}}
consume(c); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}}
}
void STL_func_const_ref() {
const char *c;
std::string s; std::string s;
{
c = s.c_str(); c = s.c_str();
d = s.data(); std::func_const_ref(s);
consume(c); // no-warning
} }
if (cond)
void STL_func_value() {
const char *c;
std::string s;
c = s.c_str();
std::func_value(s);
consume(c); // no-warning consume(c); // no-warning
else }
consume(d); // no-warning
void func_ptr_known() {
const char *c;
std::string s;
void (*func_ptr)(std::string &) = std::func_ref<std::string>;
c = s.c_str(); // expected-note {{Dangling inner pointer obtained here}}
func_ptr(s); // expected-note {{Inner pointer invalidated by call to 'func_ref'}}
consume(c); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}}
}
void func_ptr_unknown(void (*func_ptr)(std::string &)) {
const char *c;
std::string s;
c = s.c_str();
func_ptr(s);
consume(c); // no-warning
}
void func_default_arg() {
const char *c;
std::string s;
c = s.c_str(); // expected-note {{Dangling inner pointer obtained here}}
default_arg(3, s); // expected-note {{Inner pointer invalidated by call to 'default_arg'}}
consume(c); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}}
} }