This is an archive of the discontinued LLVM Phabricator instance.

Differential D6793

[Static Analyzer] Fix false positive in Clang Static Analyzer
AbandonedPublic

Authored by karthikthecool on Dec 29 2014, 5:10 AM.

Details

Reviewers
zaks.anna
jordan_rose
Summary

Hi All,
We are getting few false positive in our project when we use clang SA.
Consider the below code in mylib.c(library) and main.c -
In lib.c

int* myFn(const int* v){
  int* k = v;
  return k;
}

In main.c

int* myFn(const int* v);

int main() {
  int* p = (int*)malloc(sizeof(int));
  int* k = myFn(p);
  free(k);
  return 0;
}

in the above code we don't have any memory leak as free(k) free's the memory allocated by malloc.But we get a false positive (memory leak by 'p') here. The problem seems to be that when we encorter myFn(p) which is a lib call we should have marked p as escaped but we dont seem to do so for malloced region for some reason. Any particular reason we only mark ConstPointerEscaped when it is from NewOrNewArrayFamily?
In this patch have modified the checkConstPointerEscape to mark const pointer as escaped even if it is a malloced region.

Please let me know if this is good to commit or if this check was not handled specifically for some reason.
Awaiting your valuable inputs.

Thanks and Regards
Karthik Bhat

Diff Detail

Repository
rL LLVM

Event Timeline

karthikthecool updated this revision to Diff 17667.Dec 29 2014, 5:10 AM
karthikthecool retitled this revision from to [Static Analyzer] Fix false positive in Clang Static Analyzer.
karthikthecool updated this object.
karthikthecool edited the test plan for this revision. (Show Details)
karthikthecool added reviewers: jordan_rose, zaks.anna.
karthikthecool set the repository for this revision to rL LLVM.
karthikthecool added a subscriber: Unknown Object (MLST).
karthikthecool added a comment.Jan 22 2015, 9:08 AM

ping.

zaks.anna edited edge metadata.Jan 22 2015, 9:19 AM

I'd say this works as expected. We base this heuristic on the fact that "free" cannot be called on "const int*".

Your sample code breaks this assumption, but:
warning: initializing 'int *' with an expression of type 'const int *' discards qualifiers

  [-Wincompatible-pointer-types-discards-qualifiers]
int* k = v;
dblaikie added a subscriber: dblaikie.Jan 22 2015, 9:57 AM

You've got the right people on the 'to' list, but the wrong mailing list -
this should go to cfe-commits (this might explain the lack of response, too

  • those people might deprioritize email to llvm-commits as they don't

actively work on the LLVM subproject)

karthikthecool abandoned this revision.Jan 23 2015, 1:05 AM

Thanks Anna i think it makes sense.
Yes David i noticed it just now after you pointed out i had incorrectly added llvm-commit insted of cfe.

Thanks
Karthik Bhat

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
7 lines
test/
Analysis/
4 lines
4 lines

Diff 17667

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 2,270 Lines▼ Show 20 Linesbool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
// Most system calls do not free the memory. // Most system calls do not free the memory.
return false; return false;
} }
static bool retTrue(const RefState *RS) { static bool retTrue(const RefState *RS) {
return true; return true;
} }
static bool checkIfNewOrNewArrayFamily(const RefState *RS) { static bool checkIfAllocatedFamily(const RefState *RS) {
return (RS->getAllocationFamily() == AF_CXXNewArray || return (RS->getAllocationFamily() == AF_CXXNewArray ||
RS->getAllocationFamily() == AF_CXXNew); RS->getAllocationFamily() == AF_CXXNew ||
RS->getAllocationFamily() == AF_Malloc);
} }
ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind) const { PointerEscapeKind Kind) const {
return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue);
} }
ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind) const { PointerEscapeKind Kind) const {
return checkPointerEscapeAux(State, Escaped, Call, Kind, return checkPointerEscapeAux(State, Escaped, Call, Kind,
&checkIfNewOrNewArrayFamily); &checkIfAllocatedFamily);
} }
ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind, PointerEscapeKind Kind,
bool(*CheckRefState)(const RefState*)) const { bool(*CheckRefState)(const RefState*)) const {
// If we know that the call does not free memory, or we want to process the // If we know that the call does not free memory, or we want to process the
▲ Show 20 LinesShow All 176 LinesShow Last 20 Lines

test/Analysis/malloc.c

Show First 20 LinesShow All 1,089 Lines▼ Show 20 Linesvoid r11160612_1() {
char *x = malloc(12); char *x = malloc(12);
const_ptr_and_callback(0, x, 12, free); // no - warning const_ptr_and_callback(0, x, 12, free); // no - warning
} }
// Null is passed as callback. // Null is passed as callback.
void r11160612_2() { void r11160612_2() {
char *x = malloc(12); char *x = malloc(12);
const_ptr_and_callback(0, x, 12, 0); const_ptr_and_callback(0, x, 12, 0);
} // expected-warning {{leak}} } // no - warning
// Callback is passed to a function defined in a system header. // Callback is passed to a function defined in a system header.
void r11160612_4() { void r11160612_4() {
char *x = malloc(12); char *x = malloc(12);
sqlite3_bind_text_my(0, x, 12, free); // no - warning sqlite3_bind_text_my(0, x, 12, free); // no - warning
} }
// Passing callbacks in a struct. // Passing callbacks in a struct.
▲ Show 20 LinesShow All 192 Lines▼ Show 20 Lineschar *testLeakWithinReturn(char *str) {
return strdup(strdup(str)); // expected-warning{{leak}} return strdup(strdup(str)); // expected-warning{{leak}}
} }
void passConstPtr(const char * ptr); void passConstPtr(const char * ptr);
void testPassConstPointer() { void testPassConstPointer() {
char * string = malloc(sizeof(char)*10); char * string = malloc(sizeof(char)*10);
passConstPtr(string); passConstPtr(string);
return; // expected-warning {{leak}} return; //no-warning
} }
void testPassConstPointerIndirectly() { void testPassConstPointerIndirectly() {
char *p = malloc(1); char *p = malloc(1);
p++; p++;
memcmp(p, p, sizeof(&p)); memcmp(p, p, sizeof(&p));
return; // expected-warning {{leak}} return; // expected-warning {{leak}}
} }
▲ Show 20 LinesShow All 218 LinesShow Last 20 Lines

test/Analysis/malloc.cpp

Show All 28 Linesvoid r11160612_3() {
char *x = (char*)malloc(12); char *x = (char*)malloc(12);
const_ptr_and_callback_def_param(0, x, 12); const_ptr_and_callback_def_param(0, x, 12);
} }
int const_ptr_and_callback_def_param_null(int, const char*, int n, void(*)(void*) = 0); int const_ptr_and_callback_def_param_null(int, const char*, int n, void(*)(void*) = 0);
void r11160612_no_callback() { void r11160612_no_callback() {
char *x = (char*)malloc(12); char *x = (char*)malloc(12);
const_ptr_and_callback_def_param_null(0, x, 12); const_ptr_and_callback_def_param_null(0, x, 12);
} // expected-warning{{leak}} } // no-warning
// Test member function pointer. // Test member function pointer.
struct CanFreeMemory { struct CanFreeMemory {
static void myFree(void*); static void myFree(void*);
}; };
//This is handled because we look at the type of the parameter(not argument). //This is handled because we look at the type of the parameter(not argument).
void r11160612_3(CanFreeMemory* p) { void r11160612_3(CanFreeMemory* p) {
char *x = (char*)malloc(12); char *x = (char*)malloc(12);
▲ Show 20 LinesShow All 54 Lines▼ Show 20 Lines
void appendNested(NestedProperty x); void appendNested(NestedProperty x);
void appendWrapperNested(char *getterName) { void appendWrapperNested(char *getterName) {
appendNested(NestedProperty(Property(getterName))); appendNested(NestedProperty(Property(getterName)));
} }
void fooNested(const char* name) { void fooNested(const char* name) {
char* getterName = strdup(name); char* getterName = strdup(name);
appendWrapperNested(getterName); // no-warning appendWrapperNested(getterName); // no-warning
} }
No newline at end of file